ML20210S407

Response to LLNL Draft Rept
Site: Seabrook
Issue date: 03/31/1986
From: PUBLIC SERVICE CO. OF NEW HAMPSHIRE
Shared Package: ML20210S398
References: NUDOCS 8605210296


Text


APPENDIX A RESPONSE TO LLNL DRAFT REPORT

March 1986

Prepared by: New Hampshire Yankee (NHY)

Yankee Atomic Electric Company (YAEC)

Pickard, Lowe and Garrick, Inc. (PLG)

NTS Structural Mechanics Associates, Inc. (SMA)

APPENDIX A TABLE OF CONTENTS

A1.0 EXECUTIVE SUMMARY
A1.1 Internal Events
A1.2 External Events
A2.0 INTRODUCTION
A2.1 Background
A2.2 Scope
A2.3 Review Assumptions
A3.0 INTERNAL EVENTS ANALYSIS
A3.1 Initiating Events
A3.2 Event Trees
A3.3 Success Criteria
A3.4 Systems
A3.5 Human Factors
A3.6 Failure Data
A3.7 Operating Experience Analysis
A3.8 Analysis Codes
A3.9 Accident Sequences
A3.10 Dependencies
A4.0 EXTERNAL EVENTS ANALYSIS
A4.1 Seismic Events
A4.1.1 Seismic Hazard
A4.1.2 Seismic Hazard / Fragility Interface
A4.1.3 Seismic Fragility Assessment
A4.1.4 References to 4.1
A4.2 Fire Events
A4.3 Aircraft Crash Analysis
A4.4 Internal Floods
A4.5 External Flooding
A4.6 Hazardous Chemicals and Transportation Events
A4.7 Wind Events
A4.8 Turbine Missile Hazard
A5.0 SUMMARY AND CONCLUSION
A5.1 Problems and Omissions
A5.2 Treatment of Uncertainty
A5.3 Overall Evaluation of SSPSA

APPENDIX A LIST OF TABLES

4.1-1 Earthquake Events
4.1-2 Summary Statistics for Conversions
4.1-3 Statistical Evaluation of Scale Factor Data
4.1-4 Data Used in Developing Ductility Factors
4.1-5 Seabrook Fragilities in Ascending Order

APPENDIX A LIST OF FIGURES

4.1-1 BEHC Per Seismicity Combined Over All Ground Motion Experts
4.1-2 Seismic Zonation Base Map for Expert 5
4.1-3 Fractile Seismic Hazard Curves (Zonation)
4.1-4 Magnitude versus Intensity
4.1-5 Fractile Seismic Hazard Curves (B-Value)
4.1-6 Fractile Seismic Hazard Curves (Attenuation)
4.1-7 Fractile Seismic Hazard Curves (Composite)
4.1-8 Scale Factor, FH Versus Duration
4.1-9 Elastic Response Spectrum Showing Effect of Frequency Shift on Response
4.1-10 Effects of Actual Earthquake Records
4.1-11 Effects of Actual Earthquake Records
4.1-12 Effects of Actual Earthquake Records
4.1-13 Effects of Actual Earthquake Records
4.1-14 Effects of Actual Earthquake Records
4.1-15 Effects of Actual Earthquake Records
4.1-16 Effects of Actual Earthquake Records
4.1-17 Effects of Actual Earthquake Records
4.1-18 Effects of Actual Earthquake Records
4.1-19 Effects of Actual Earthquake Records
4.1-20 Effects of Actual Earthquake Records
4.1-21 Effects of Actual Earthquake Records
4.1-22 Approximate Rock and Fill Concrete Contour Under the Refueling Water Storage Tank

APPENDIX A List of Comments / Responses

LLNL Comment Number | LLNL Page | Subject | Appendix A Response Page
1.1-1 | 1-3 and 4 | Complexity of Event Trees | A-2
1.1-2 | 1-4 and 5 | Difficulties with Systems Analysis | A-3
1.1-3 | 1-6 | Common Cause Data Treatment | A-4
1.1-4 | 1-6 | LOSP Data and Maintenance Distributions | A-5
1.2-1 | 1-7 | Notable Disagreements | A-6
1.2-2 | 1-7 and 8 | Seismic Hazard - Uncertainty Documentation | A-6
1.2-3 | 1-8 and 9 | Conservatism of Seismic Results | A-7
1.2-4 | 1-10 | Fire-Induced Initiating Events | A-7
1.2-5 | 1-12 | Flooding | A-8
2.1-1 | 2-1 | General | A-9
2.3-1 | 2-3 | Conservative Analysis | A-9
3.0-1 | 3-1 | Inscrutability | A-11
3.0-2 | 3-1 | Initiating Event Selection | A-11
3.1-1 | 3-4 | General Transients Grouping | A-12
3.1-2 | 3-8 and 11 | Incore Instrument Tube Rupture | A-13
3.1-3 | 3-11 and 12 | Loss of Vital 120 V ac Bus | A-14
3.1-4 | 3-12 | Loss of Single Train of SW or PCC | A-14
3.1-5 | 3-17 | Isolable/Nonisolable Small LOCA | A-15
3.1-6 | 3-17 | General Transients Grouping | A-16
3.1-7 | 3-17 | Loss of Vital 120 V ac Bus | A-16
3.1-8 | 3-18 | Loss of Single Train of SW or PCC | A-16
3.1-9 | 3-18 | Interfacing System LOCA | A-17
3.1-10 | 3-23 | Loss of Instrument and Control Power | A-17
3.2-1 | 3-25 to 27 | Complexity of Event Trees | A-17
3.2-2 | 3-27 and 28 | Bleed and Feed Cooling | A-18
3.2-3 | 3-28 | Turbine Trip Top Event | A-19
3.2-4 | 3-29 | Transient-Induced Small LOCA | A-20
3.2-5 | 3-29 and 30 | Operator Actions OM and OP | A-20
3.2-6 | 3-30 | Operator Action ON | A-21
3.2-7 | 3-31 | Operator Action ON Delays CM | A-21
3.2-8 | 3-31 and 32 | Operator Action OM | A-21
3.2-9 | 3-32 | Operator Action ON - Small LOCA | A-22
3.2-10 | 3-33 | Recirculation with Small LOCA | A-22
3.2-11 | 3-33 | Depressurization | A-23
3.2-12 | 3-34 | Operator Action OM | A-23
3.2-13 | 3-34 | Early/Late Core Melt - Medium LOCA | A-24
3.2-14 | 3-35 | High Pressure Injection | A-25
3.2-15 | 3-35 | Containment Isolation | A-26

3.2-16 | 3-36 | Hot Leg Recirculation/EAH | A-26
3.2-17 | 3-37 | Steam Line Break Outside Containment | A-28
3.2-18 | 3-38 | SLBI/SLBO | A-28
3.2-19 | 3-38 | Boron Injection | A-29
3.2-20 | 3-39 | Recirculation for SLBI | A-29
3.2-21 | 3-39 | SLBI/SLBO | A-29
3.2-22 | 3-39 | SGTR Event Tree | A-30
3.2-23 | 3-40 | SGTR - Control HPI | A-31
3.2-24 | 3-40 | SGTR - Event OR | A-33
3.2-25 | 3-40 and 41 | SGTR - Event ON | A-33
3.2-26 | 3-41 and 42 | SGTR - Event ON | A-35
3.2-27 | 3-42 | SGTR - Event OD | A-35
3.2-28 | 3-42 and 43 | SGTR - Event OR | A-36
3.2-29 | 3-43 | ATWS - Event Tree | A-37
3.2-30 | 3-43 | ATWS - Manual Scram | A-37
3.2-31 | 3-44 | ATWS - Manual Scram | A-39
3.2-32 | 3-44 | ATWS - Moderator Temperature Coefficient | A-40
3.2-33 | 3-45 | ATWS - Severe Overpressure | A-40
3.2-34 | 3-45 | ATWS - Diverse Turbine Trip | A-41
3.2-35 | 3-45 | ATWS - Operator Time | A-42
3.2-36 | 3-46 | ATWS - Events OH, HP, and ON | A-42
3.2-37 | 3-46 | ATWS - Bleed and Feed | A-42
3.2-38 | 3-47 | RCP Seal Leak | A-43
3.2-39 | 3-48 | Station Blackout | A-44
3.2-40 | 3-50 | Stuck Open Primary Safety/Relief | A-44
3.3-1 | 3-52 | Success Criteria Documentation | A-44
3.3-2 | 3-53 | Power Conversion System | A-45
3.3-3 | 3-54 | Small LOCA - SI Pumps | A-45
3.3-4 | 3-54 and 55 | Medium LOCA - Accumulators | A-46
3.3-5 | 3-55 | SLBI/SLBO | A-47
3.3-6 | 3-55 | MSIV Success Criteria | A-48
3.3-7 | 3-56 | Operator Action ON | A-48
3.3-8 | 3-56 | Small LOCA - Closed Loop RHR Cooling | A-49
3.3-9 | 3-56 | SLBI/SLBO Success Criteria | A-49
3.3-10 | 3-56 | SGTR - Long-Term Cooling | A-49
3.3-11 | 3-57 | SGTR - Operator Action | A-50
3.4-1 | 3.4-2 | Reliability Block Diagrams | A-50
3.4-2 | 3.4-4 | Cut Sets | A-51
3.4-3 | 3.4-4 and 5 | Simplifications in Analysis | A-51
3.4-4 | 3.4-5 | Proprietary Data | A-51
3.4-5 | 3.4-6 | Errors | A-52

3.4-6 | 3.4-10 | UATs/RATs | A-52
3.4-7 | 3.4-11 | Common Cause Failure - Electric Power | A-53
3.4-8 | 3.4-11 and 12 | Vital 120 V ac Bus | A-53
3.4-9 | 3.4-14 | SW | A-53
3.4-10 | 3.4-15 to 18 | SW - SCC Isolation | A-53
3.4-11 | 3.4-18 | Overly Conservative Assumptions | A-54
3.4-12 | 3.4-22 and 23 | PCC - Blocks C and C' | A-54
3.4-13 | 3.4-24 | PCC - Ventilation | A-55
3.4-14 | 3.4-27 | Instrument Air - Event EF | A-56
3.4-15 | 3.4-28 | Instrument Air | A-57
3.4-16 | 3.4-28 | Instrument Air - SCC | A-57
3.4-17 | 3.4-32 and 33 | SSPS/ESFAS | A-58
3.4-18 | 3.4-37 | SSPS - Parameter Channel | A-59
3.4-19 | 3.4-38 | SSPS - Signal Amplifier | A-60
3.4-20 | 3.4-40 | SSPS - Power Supplies | A-60
3.4-21 | 3.4-41 to 43 | SSPS/ESFAS Model | A-60
3.4-22 | 3.4-48 and 49 | EAH - Blocks C and C' | A-61
3.4-23 | 3.4-50 | Ventilation Assumption | A-61
3.4-24 | 3.4-60 and 61 | HPI Success Criteria | A-62
3.4-25 | 3.4-68 | EFW - Test and Human Contribution | A-62
3.4-26 | 3.4-68 | EFW - Recovery Actions | A-63
3.4-27 | 3.4-70 | EFW and SC | A-63
3.4-28 | 3.4-71 | ATWS LOSP | A-63
3.4-29 | 3.4-71 | Startup Feed Pump | A-64
3.4-30 | 3.4-73 | Safety Valves - Fail to Close | A-64
3.4-31 | 3.4-79 | Chemical Shutdown | A-65
3.4-32 | 3.4-83 | Main Steam - Discrepancies | A-6f
3.4-33 | 3.4-85 | Safety Valve - ATWS | A-66
3.4-34 | 3.4-85 | Secondary Cooling | A-66
3.4-35 | 3.4-85 | SGTR - Steam Dump Valve | A-67
3.4-36 | 3.4-86 | Main Steam - Turbine Trip | A-67
3.4-37 | 3.4-87 | Atmospheric Relief Valves | A-67
3.4-38 | 3.4-91 | Containment Building Spray | A-68
3.4-39 | 3.4-91 | Containment Building Spray | A-68
3.4-40 | 3.4-91 | Containment Building Spray | A-68
3.4-41 | 3.4-100 | Control Room Ventilation | A-69
3.5-1 | 3.5-1 | Error of Commission | A-70
3.5-2 | 3.5-2 | Operator Misdiagnosis - Small LOCA | A-70
3.5-3 | 3.5-2 | Time Frames | A-71
3.5-4 | 3.5-2 | OAT Quantification | A-71
3.5-5 | 3.5-3 | Procedures | A-72

3.5-6 | 3.5-4 | Manual Reactor Trip | A-72
3.5-7 | 3.5-4 | OAT Diagnosis Time | A-73
3.5-8 | 3.5-5 | Operation Action OD2 | A-74
3.5-9 | 3.5-5 | Operator Actions OP and OM | A-74
3.5-10 | 3.5-6 | OM Tree | A-74
3.5-11 | 3.5-6 | Operator Action DM | A-75
3.5-12 | 3.5-7 | Operation Action OP - Feed and Bleed | A-76
3.5-13 | 3.5-7 | OP Tree - Redundant Branches | A-76
3.5-14 | 3.5-8 | Operator Action OP | A-77
3.5-15 | 3.5-8 | Operator Action ON | A-78
3.5-16 | 3.5-9 | Time Frame for Bleed and Feed | A-78
3.5-17 | 3.5-9 and 10 | Operation Actions LR, HE, and HS | A-78
3.5-18 | 3.5-10 | Operator Action 03 | A-79
3.5-19 | 3.5-11 and 12 | SGTR Operator Actions | A-79
3.5-20 | 3.5-12 | SGTR Operator Action Times | A-80
3.5-21 | 3.5-12 | Operator Actions OR and OD | A-81
3.5-22 | 3.5-13 | Station Blackout Timing | A-81
3.5-23 | 3.5-14 | SW Recovery | A-82
3.5-24 | 3.5-15 | RCP Seal Leakage | A-82
3.5-25 | 3.5-16 | Electric Power Recovery Without Batteries | A-83
3.5-26 | 3.5-17 | Battery Lifetimes | A-83
3.5-27 | 3.5-18 | Diesel Generator Recovery | A-84
3.6-1 | 3.6-1 | Proprietary Data | A-85
3.6-2 | 3.6-11 | Butterfly Valve | A-85
3.6-3 | 3.6-12 | Storage Tank | A-85
3.6-4 | 3.6-14 | Circuit Breaker | A-86
3.6-5 | 3.6-15 | Pressure Transmitter | A-86
3.6-6 | 3.6-15 | DC Power Supply | A-87
3.6-7 | 3.6-16 | Pipe Rupture/Control Rod | A-87
3.6-8 | 3.6-16 | Typo | A-88
3.6-9 | 3.6-17 and 18 | Mean to Median Ratios | A-88
3.6-10 | 3.6-24 | Diesel Generator Beta Factor | A-90
3.6-11 | 3.6-25 | Common Cause - Batteries | A-90
3.6-12 | 3.6-25 and 26 | DC Power System | A-92
3.6-13 | 3.6-27 | Service Water | A-93
3.6-14 | 3.6-28 | SW Ventilation | A-93
3.6-15 | 3.6-28 | SW Ventilation | A-94
3.6-16 | 3.6-28 | SW Ventilation | A-94
3.6-17 | 3.6-30 | SW Common Cause | A-95
3.6-18 | 3.6-30 | PCC | A-96
3.6-19 | 3.6-30 and 31 | PCC Block C | A-96
3.6-20 | 3.6-32 and 33 | PCC Ventilation | A-96

3.6-21 | 3.6-33 and 34 | PCC Pump Beta Factor | A-97
3.6-22 | 3.6-34 to 36 | PCC Valve Common Cause | A-97
3.6-23 | 3.6-38 and 39 | Reactor Trip Criteria | A-97
3.6-24 | 3.6-38 and 39 | RTS, SSPS, ESFAS | A-98
3.6-25 | 3.6-40 | Reactor Trip Quantification | A-98
3.6-26 | 3.6-40 | RTS Assumptions | A-99
3.6-27 | 3.6-40 | RTS Common Cause | A-99
3.6-28 | 3.6-43 and 44 | SSPS Common Cause | A-100
3.6-29 | 3.6-44 | Pressure Sensor | A-100
3.6-30 | 3.6-45 | Logic Channel Maintenance | A-100
3.6-31 | 3.6-45 | SSPS Testing | A-100
3.6-32 | 3.6-46 | ESFAS Success Criteria | A-101
3.6-33 | 3.6-46 | ESFAS Transients | A-101
3.6-34 | 3.6-46 and 47 | ESFAS Transients | A-101
3.6-35 | 3.6-48 | Enclosure Air Handling | A-102
3.6-36 | 3.6-48 and 49 | EAH - Operator Action | A-102
3.6-37 | 3.6-49 | EAH - Boundary Conditions | A-103
3.6-38 | 3.6-49 | EAH | A-103
3.6-39 | 3.6-49 | EAH Common Cause | A-104
3.6-40 | 3.6-50 | ECCS Analysis | A-104
3.6-41 | 3.6-55 | ECCS Assumptions | A-104
3.6-42 | 3.6-56 | ECCS Medium LOCA Recirculation | A-106
3.6-43 | 3.6-56 | ECCS Beta Factors | A-107
3.6-44 | 3.6-57 | EFW | A-107
3.6-45 | 3.6-58 | Condensate Storage Tank | A-108
3.6-46 | 3.6-58 | EFW - Auto Isolation | A-108
3.6-47 | 3.6-58 | EFW - Actuation | A-109
3.6-48 | 3.6-59 | EFW - Turbine Pump | A-109
3.6-49 | 3.6-59 | Startup Feed Pump | A-110
3.6-50 | 3.6-59 | EFW - Fire Wall | A-110
3.6-51 | 3.6-60 | RCS Relief Valves | A-111
3.6-52 | 3.6-61 | PORVs - Feed and Bleed | A-111
3.6-53 | 3.6-61 | PORV Block Valves | A-111
3.6-54 | 3.6-61 | PORV Block Valves | A-112
3.6-55 | 3.6-62 | PORV Block Valves | A-112
3.6-56 | 3.6-63 and 64 | Main Steam | A-112
3.6-57 | 3.6-64 | ARV Common Cause | A-113
3.6-58 | 3.6-64 and 65 | MSIV Common Cause | A-113
3.6-59 | 3.6-65 | Main Steam Safeties | A-114
3.6-60 | 3.6-67 | Control Room Ventilation | A-114
3.6-61 | 3.6-67 | Control Room Inlet Dampers | A-114
3.6-62 | 3.6-67 | Control Room Heatup | A-115
3.6-63 | 3.6-67 | Control Room Quantification | A-116

3.6-64 | 3.6-68 | Emergency Cleanup Fans | A-116
3.6-65 | 3.6-68 | Control Room Common Cause | A-116
3.6-66 | 3.6-69 and 70 | Common Cause | A-117
3.7-1 | 3.7-5 | LOSP Data | A-117
3.7-2 | 3.7-8 | Maintenance Distribution | A-118
3.7-3 | 3.7-11 | Proprietary Data | A-118
3.8-1 | 3.8-6 | MARCH Code | A-119
3.8-2 | 3.8-6 | DPD Code | A-119
3.9-1 | 3.9-2 | Zion/Indian Point | A-120
3.9-2 | 3.9-2 | In-Vessel Core Cooling | A-120
3.9-3 | 3.9-2 and 3 | Minimum Flow | A-121
3.9-4 | 3.9-3 | Severe Accident Phenomena | A-121
3.9-5 | 3.9-3 | Proprietary Computer Codes | A-122
3.9-6 | 3.9-4 | V-Sequence | A-122
3.9-7 | 3.9-4 | V-Sequence | A-123
3.9-8 | 3.9-5 | V-Sequence | A-123
3.9-9 | 3.9-5 | V-Sequence | A-124
3.9-10 | 3.9-6 | V-Sequence Procedure | A-125
3.9-11 | 3.9-6 | RCP Seal Leak | A-125
3.9-12 | 3.9-6 and 7 | Hydrogen | A-126
3.9-13 | 3.9-7 | Dominant Scenarios | A-126
3.9-14 | 3.9-7 | Core Recovery | A-127
3.9-15 | 3.9-7 | Station Blackout Timing | A-127
3.9-16 | 3.9-8 | Operator Actions | A-128
3.9-17 | 3.9-8 | Steam Generator Dryout | A-128
3.10-1 | 3.10-3 and 4 | Common Cause | A-129
3.10-2 | 3.10-4 | Beta Factors | A-129
3.10-3 | 3.10-4 and 5 | Spatial Interactions | A-130
3.10-4 | 3.10-6 | Dependent Failures | A-131
3.10-5 | 3.10-6 and 7 | Beta Factor Equations | A-131
3.10-6 | 3.10-7 | Standby/Operating Pump Common Cause | A-132
3.10-7 | 3.10-7 and 8 | Beta Factors | A-132
3.10-8 | 3.10-8 | Passive Component Common Cause | A-133
3.10-9 | 3.10-9 | Beta Factor Equation | A-134
3.10-10 | 3.10-9 | Beta Factor Data | A-134
3.10-11 | 3.10-9 | Beta Factor Distribution | A-135
3.10-12 | 3.10-11 | Beta Factors | A-135
3.10-13 | 3.10-11 | Beta Factors | A-135
3.10-14 | 3.10-11 and 12 | Beta Factors | A-136
3.10-15 | 3.10-12 | Beta Factors | A-136

4.0-1 | 4-1 | Seismic Hazard | A-137
4.1-1 | 4.1-1 | Systematic Evaluation Program | A-139
4.1-2 | 4.1-4 | Uncertainty/Expert Judgement | A-140
4.1-3 | 4.1-4 and 5 | Alternative Model Hypotheses | A-141
4.1-4 | 4.1-5 | Uncertainty | A-141
4.1-5 | 4.1-4 to 6 | Uncertainty Analysis | A-142
4.1-6 | 4.1-7 | Hypothesis Description | A-142
4.1-7 | 4.1-8 | Source Zones | A-142
4.1-8 | 4.1-9 and 10 | Uncertainty in Zone Description | A-142
4.1-9 | 4.1-12 and 13 | Record Completeness | A-143
4.1-10 | 4.1-13 | Converting Intensity to Magnitude | A-143
4.1-11 | 4.1-14 | Experts | A-143
4.1-12 | 4.1-14 | Uncertainty | A-143
4.1-13 | 4.1-17 | b-Value | A-144
4.1-14 | 4.1-18 | Expert Variability | A-144
4.1-15 | 4.1-20 | Attenuation Relationships | A-144
4.1-16 | 4.1-20 and 21 | Attenuation Relationships | A-145
4.1-17 | 4.1-22 and 23 | Comparison with Other Studies | A-145
4.1-18 | 4.1-23 to 27 | Overall Conclusions | A-146
4.1-19 | 4.1-43 | Ductility Factor | A-156
4.1-20 | 4.1-51 and 52 | Boolean Equation | A-161
4.1-21 | 4.1-60 | Fragility Cutoff Point | A-161
4.1-22 | 4.1-62 | Damping | A-162
4.1-23 | 4.1-62 | Modeling Uncertainty | A-162
4.1-24 | 4.1-63 | Serial Independent Failures | A-163
4.1-25 | 4.1-63 | Sliding of Structures | A-164
4.1-26 | 4.1-64 | Uncertainty on Spectral Shape | A-165
4.1-27 | 4.1-65 | Cooling Tower | A-165
4.1-28 | 4.1-65 | Tank Farm | A-166
4.1-29 | 4.1-66 | Turbine Building | A-166
4.1-30 | 4.1-67 | Diesel Oil Tank | A-167
4.1-31 | 4.1-67 to 69 | Comparison with Other PRAs | A-168
4.1-32 | 4.1-70 | Degrees of Freedom | A-172
4.1-33 | 4.1-71 to 76 | Equipment Capacity | A-173
4.1-34 | 4.1-75 | Boolean Equation | A-174
4.2-1 | 4.2-9 | Fire Events/Plant Model | A-200
4.4-1 | 4.4-3 | Diesel Flooding | A-200
4.4-2 | 4.4-4 | Cooling Tower Flooding | A-201
4.4-3 | 4.4-1, 4, 5 | Qualitative Evaluation | A-201

4.5-1 | 4.5-3 and 4 | External Flood Frequency | A-201
4.7-1 | 4.7-4 | Tornado Frequency | A-202
4.7-2 | 4.7-4 and 5 | Tornado Missile | A-202

APPENDIX A Response to LLNL Draft Report

This appendix documents the response to the LLNL draft report. The sections of this appendix follow the identical section numbers in the LLNL report except the section numbers here are preceded by an "A." Our approach beginning in Section A1.1 is to identify each comment made by LLNL. Each comment and response is identified by the LLNL report section and the page in the LLNL report is provided in parentheses. This approach is used to facilitate using our report simultaneously with the LLNL report. This report does not identify and document, in general, typographic errors and other minor errors in the LLNL report. The important comments and concerns identified by LLNL are addressed. A list of comments / responses, the subject of the comment, and reference page where the comment / response can be found is provided above in the Appendix A Table of Contents.

A1.0 EXECUTIVE SUMMARY

The LLNL discussion on Pages 1-1 and 1-2 regarding "... communication with PSNH was essentially nil ... lack of cooperation ... hindered the review ... " seems to be inaccurate, overstated and perhaps reflects a high level of frustration. The following should be considered:

o Although the NRC was officially notified by PSNH that it did not plan to extend its contract with PLG to support the review effort, PSNH did indeed support the review effort. PSNH supported the review by hosting a plant visit, providing a simulator demonstration and supplying documentation and written answers to the LLNL questions. These responses were apparently received too late to meet the schedule set due to the financial concerns of the NRC and LLNL. (See response to Comment 2 in Section 3.0 of the main report.)

o PLG verbally offered assistance and suggested that LLNL and the staff call them when necessary. In addition, PSNH was available to answer questions by phone. This never happened.

o While the support from PSNH was limited, it appears that the short review schedule, more than anything else, hindered the review. The schedule apparently did not reflect the slower response from PSNH due to limited resources to support this review.

Page 3 refers to "several modeling errors ... that indicate ... different understanding of ... systems ...." Specific comments regarding this summary statement are addressed in the specific sections later. (See responses to Comments 3.2-1, 3.2-22, 3.2-29, 3.4-21, etc., in Appendix A.) It should be recognized that a significant amount of time was expended by PLG to become familiar with the Seabrook systems, plant operations and plant response before the modeling even began. In addition, the PLG systems description and modeling effort was reviewed in detail by PSNH and YAEC. It is unlikely that any lab or organization, unless given a significant amount of time, could challenge our understanding of systems and their interactions. This is demonstrated throughout this appendix by our responses. Only a few minor errors and typographical errors were identified. Many of the comments are the unsubstantiated opinions of the reviewers and others are factually inaccurate.

A1.1 INTERNAL EVENTS

1.1-1 (Pages 1-3 and 4) Complexity of Event Trees

LLNL Comment - We have identified several areas of disagreement with the assumed phenomenology. We are also concerned that the requirement to have each event on an event tree independent of the others has resulted in large and very complex trees which are difficult to follow and analyze. In addition, the large number of sequences effectively fragmented many accident scenarios. The usefulness of the event tree sequences as a means to obtain engineering insights was lost.

Response - The event trees have not proven to be inscrutable to those of us at PSNH and YAEC who understand the Seabrook design and modularized event tree methodology. To the contrary, with this knowledge, the details and insights are more scrutable than other methodologies with a comparable level of completeness. The added detail results in a risk model that more accurately describes the plant and reduces the need to rely on undocumented, hidden assumptions associated with simplistic models. The presentation of complete sequences is provided in the SSPSA in two places; a simplified description in SSPSA Section 2.0, and a detailed description in SSPSA Section 13. There are more equivalent "cut sets" presented in these tables than normally found in PRAs. When looking at the event trees in the SSPSA, it is far easier to visualize sequences than when looking at their counterparts - large-linked fault trees. We agree that without knowledge of the plant, these event trees are difficult to review. That was the purpose of presenting event sequence diagrams.

1.1-2 (Pages 1-4 and 5) Difficulties with Systems Analysis

LLNL Comment - The system's analysis is significantly different than any PRA which any of the reviewers had previously examined. The analysis does not provide cut sets which represent sequences. The use of the support states appears to place undue emphasis on the ability of the analyst to recognize dependencies. Conservative assumptions in combination with the support state evaluation process have the potential to mask important qualitative results.

Response - We consider the systems analysis a significant improvement over other PRAs. The logic expressions provided in each systems analysis are logically equivalent to cut sets. There are several important contributors and interactions such as common cause events and human errors in test and maintenance that are normally not modeled or are modeled in simplified ways in fault trees. Recognizing dependencies is crucial to really understanding the plant, its response and intersystem dependencies. The SSPSA made a significant effort to identify, model and document intersystem dependencies to the point that, apparently, the additional details made the study more difficult to comprehend. The treatment of intrasystem common cause events is more complete than in any fault tree based study. SSPSA Sections 5.3 and 5.4 should have been reviewed before the systems analyses review to better understand the system boundary condition. The reviewers' additional opinions about conservatisms and the potential to mask important qualitative results are not a problem if the PRA is used properly. Each PRA must be completed and documented for the first time. In order to do this without applying infinite resources, some conservatisms result. However, each time results of the PRA are used, we have and will continue to evaluate the conservatisms associated with the portion of the model used. No decisions are made using numbers from the PRA at face value.

1.1-3 (Page 1-6) Common Cause Data Treatment

LLNL Comment - The treatment of common cause data left us with some concern because of the exclusion of passive components and the use of very low beta factors for some components. Although no instance was identified that would significantly change the results, it was not possible to reach definitive conclusions in a few cases.

Response - The criteria for applying the beta factor method are discussed in SSPSA Section 4.3. The result of the application of these criteria to the systems at Seabrook led to a greater coverage of common cause events than in any published PRA. This coverage extended generally to identically redundant active components and even included the auxiliary feedwater pumps with diverse drives. Most passive components are normally not modeled at all in any PRAs with the use of failure rates and beta factors. Passive components are modeled, however, in the external events analysis (e.g., aircraft crash, seismic, etc.) via explicit models for these events. In practice, some judgement is necessary to decide when to apply such a model to keep the analysis tractable. These judgements are justified when there are other common cause events modeled for components having higher failure rates in the same systems, or when common cause events are modeled explicitly.

All the beta factors were estimated from data and are comparable to any other published beta factors that were estimated from data. The project manager of the SSPSA authored the beta factor method and is not aware of any higher beta factor values for any component that is substantiated by data. We note that another reviewer of the SSPSA in NUREG/CR-4229 found the treatment of dependent events to be more complete than any previously published PRA. See response to 3.10-8.

1.1-4 (Page 1-6) LOSP Data and Maintenance Distributions

LLNL Comment - Two minor concerns are the use of nation-wide data to estimate the frequency of loss of off-site power and the use of only four categories to quantify the maintenance unavailabilities of all components at the plant.

Response -

a) Loss of Off-Site Power Initiating Event Frequency

In the course of performing the SSPSA, a similar comment was made during the PSNH and YAEC reviews. It was determined that if the data base were confined to that from the northeastern United States, the mean frequency of loss of off-site power would not be substantially different. The events used to estimate this frequency are well distributed throughout the United States with the exception of Florida (see Reference 2 of the main report). See response to 3.7-1.

b) Maintenance Categories

Four distributions for maintenance frequency and maintenance duration were developed for use in the SSPSA. These distributions were compared to information from several operating plants for similar equipment and found to compare favorably. Based upon this review of information from operating plants, it was found that four maintenance frequencies with their corresponding distributions adequately described the ranges of frequencies found for many components. The maintenance duration distributions used are based more upon the plant allowed out of service times than repair times. Again, four distributions adequately covered the range of possible allowed outage times based upon the plant Technical Specifications. The four frequency distributions and four duration distributions provided 16 possible distributions for maintenance unavailability. This was considered to be an adequate number of distributions for a plant with no operating experience. See response to 3.7-2.

A1.2 EXTERNAL EVENTS

1.2-1 (Page 1-7) Notable Disagreements

LLNL Comment - There are notable disagreements in several areas. More detail is provided below for the various event types.

Response - We believe that these differences are technically insignificant and that some are incorrect opinions as noted below.

1.2-2 (Pages 1-7 and 8) Seismic Hazard - Uncertainty Documentation

LLNL Comment - We disagree with numerous applications of the methodology in the SSPSA. In particular, the assessment of alternative model hypotheses and the assignment of subjective probability weights are not adequately supported. The ad hoc procedure used to perform the uncertainty analysis failed to document the choices made and the uncertainty assigned to key parameters in the analysis. A review of individual parameters in the analysis and a comparison with the interim Seismic Hazard Characterization Program lead us to qualitatively conclude that the hazard analysis results may be optimistic and the uncertainty underestimated.

Response - As described in our responses to 4.0-1 and responses in Section A4.1.1, the above opinion is not very significant, the arguments technically flawed, and the conclusion overstated.

1.2-3 (Pages 1-8 and 9) Conservatism of Seismic Results

LLNL Comment - Fragilities and seismic core melt results seem conservative, dominant contributors should be re-evaluated.

Response - The opinion regarding the possibility of conservatisms in this area is noted. We also note that the SSPSA results showed that the risks as calculated were very low and met the NRC safety goals for individual and societal risk. The calculated risks exhibit small contributions from seismic events to core melt frequency and early health risks. Our efforts to evaluate possible conservatisms in this area will be at a priority commensurate with the results. No decision to modify the plant will be made without first re-evaluating dominant contributors in light of conservatism. Decisions will not be made using numbers at face value. This is discussed further in response to comments in Section A4.1.

1.2-4 (Page 1-10) Fire-Induced Initiating Events

LLNL Comment - We have a concern about the manner in which the fire induced initiating events are processed through the plant matrix. It appears that these initiating events, which already include component or system failures, are being incorrectly combined with auxiliary and front-line event trees that have not explicitly considered these same failures.

Response - As described in our response to Comment 4.2-1, all common cause initiating events, including fires, are properly processed through the plant matrix. For example, fires that result in a total loss of ac power are processed through the plant event trees with a conditional unavailability of 1.0 for all equipment dependent on ac power. This is easily confirmed by reviewing SSPSA Sections 5.4 and 13.2 (Table 13.2-12). The reviewer's comment stems from only having looked at a portion of the report. Also, see Section 2.0 of the main report.

1.2-5 (Page 1-12) Flooding

LLNL Comment - Although the frequency of flooding at the plant site due to hurricane precipitation is believed to be conservative, the absence of a probabilistic analysis that addresses all sources of flooding is considered to be a serious omission. The uncertainties in estimating the frequency of extreme flood events is believed to be much greater than that which was assumed.

Response - To the contrary, it is accepted practice to screen for importance with point estimates, especially using conservative bounding calculations. When these estimates are used in decision making or contribute to the decision, there is a need to more carefully assess the quantification, its conservatism and include the uncertainty properly. We do not consider this procedure to be "ad hoc" or inappropriate for use in PRAs. This type of comment presumes there is an infinite resource available to perform PRAs.

A2.0 INTRODUCTION

A2.1 BACKGROUND

2.1-1 (Page 2-1) General LLNL Comment - Although the NRC did not require that a PRA be performed for this plant, one was requested by the State of New Hampshire. It was performed by a contractor for Public Service of New Hampshire (PSNH), the plant operator, and Yankee Atomic Electric Company (YAEC), a part owner.

Response - Two clarifications: (1) the State of New Hampshire did not request the SSPSA but did consider requiring such a study and did review the SSPSA when it was completed; and (2) Yankee Atomic Electric Company is not a part owner but is a service company to PSNH.

A2.2 SCOPE (No Comments Requiring Response)

A2.3 REVIEW ASSUMPTIONS 2.3-1 (Page 2-3) Conservative Analysis LLNL Comment - The application of a conservative approach to modeling does not necessarily provide an acceptable result. The selection of excessively conservative models or data may produce results that are essentially incorrect.

Response - It is not clear that this opinion is even relevant to this technical review. The reviewer does not seem to recognize that each PRA must be completed and documented for the first time. This has to be accomplished with finite resources and, therefore, conservatisms do occur. Before the results were finalized, the calculated risk contributors were evaluated to determine whether conservative assumptions were responsible for their apparent contribution and such conservatisms were eliminated when a more realistic treatment could be justified. As long as the conservatisms are documented properly in text and in uncertainty distributions and the PRA is used properly, this is not considered a problem and was not a problem with the SSPSA.

Numerical results are not accepted at face value and are always re-evaluated in the decision process or PRA use. Also, whether a particular assumption is conservative or optimistic can be highly debatable. We may not be in full agreement with either the SSPSA reviewers or the SSPSA authors about how each assumption stacks up on the conservative versus optimistic scale.

A3.0 INTERNAL EVENTS ANALYSIS 3.0-1 (Page 3-1) Inscrutability LLNL Comment - The use of support state methodology in the SSPSA, in combination with very large and complex event trees, produced an analysis that is judged to be generally inscrutable and relatively useless to the reviewers for the determination of engineering insights.

Response - Inscrutability is clearly in the eye of the beholder. Engineering insights are directly available in the SSPSA Section 13 for example. The use of large and complex event trees results from the attempt by PLG to accurately and fairly, completely model the response of a very complicated system, Seabrook Station. It is necessary to understand the modeling methodology and the station systems themselves to begin to understand the SSPSA. While the reviewers may have found it "useless" for determining engineering insights, we, the users of the study, have found quite to the contrary that the SSPSA has provided a wealth of insights. Also, as noted earlier (Response 3 in Section 3.0 of the main report), Professor Rasmussen found the report to be the most scrutable published to date.

3.0-2 (Page 3-1) Initiating Event Selection LLNL Comment - We concurred with the selection of initiating events except for the division of most of the general transients into several subclasses, which we believe is unnecessary and inappropriate. In addition, three initiators did not receive adequate discussion in the SSPSA, and it appears that at least two of these should have been considered as separate initiating event classes.

Response - As described in the response to Comments 3.1-1, 3.1-3, 3.1-4, etc., these comments are unnecessary and inappropriate to the extent that they are technically insignificant. The SSPSA made a significant effort to search for initiating events using a number of methods and probably has the most complete list of initiating events ever used in a PRA. There is a good reason why all the transients were not lumped together as in previous PRAs; that is, that each has a different impact on the plant event sequence model. This prevented the need for making unwarranted conservative assumptions (i.e., that all transients have the same impact as the most severe in the group). The comment confuses a result with an a priori assumption.

A3.1 INITIATING EVENTS 3.1-1 (Page 3-4) General Transients Grouping LLNL Comment - The division of most of the general transients into classes 7 through 16 is not necessary, since they do not actually represent differences in plant response or effect on mitigating systems. ... they are all nominally identical in plant response and the need for certain mitigating systems ... these ten initiating event classes need only to be separated into two, loss of PCS (power conversion system) and nonloss of PCS. Although the SSPSA separation of these transients into more classes than actually required is not incorrect, in a strict sense, it does serve to dilute the results and mask insights.

Response - We strongly disagree that the results are diluted and insights masked. Each of the 58 initiator groups that were quantified has a different impact on the plant and was quantified using a separate event tree quantification. Any further grouping must be accompanied with a corresponding argument as to why each of the differences can be neglected. Without such arguments, and the reviewers provide none, the grouping becomes a hidden assumption and possibly an oversimplification.

The following comments help to explain why the transient initiating events are grouped as they are in SSPSA Section 5.4. Assuming that auxiliary (support) systems are available:


(a) With successful turbine trip, the MSIVs will remain open for most initiators. When turbine trip is the initiating event, MSIVs are not questioned. If turbine trip fails, all four MSIVs will receive automatic isolation signals (see Table D.6-2 for MSIV closure signals).

(b) A safety injection signal is not expected as a direct result of Transient Initiators 7 through 16. The primary system is expected to remain intact. Therefore, there are no signals to initiate safety injection.

(c) For loss of feedwater initiators, if the startup feed pump is available, it starts automatically. For loss of off-site ac, condenser vacuum is lost, resulting in no credit for SDVs. SDVs are considered available for many initiators if turbine trip is successful.

(d) Reactor trip must be treated separately for proper treatment of ATWS. Events 8-20 are candidate initiators for ATWS but reactor trip, by definition, is not.

In addition, we believe it will not serve to dilute the results and mask insights if we do not regroup Categories 7 through 16. In contrast, by keeping them separate we have succeeded in quantifying significant dependencies between initiators and systems instead of hiding these dependencies in the grouping process. By properly specifying the particular initiating events, we can more clearly determine the appropriate conditional system unavailabilities for that initiator. The burden of proof is on the justification for grouping, not on the justification for treating different events differently.

3.1-2 (Pages 3-8 and 11) Incore Instrument Tube Rupture LLNL Comment - Failure to consider incore instrument tube rupture as a separate event is apparently a matter of luck rather than an informed rejection of this initiator by analysis within the SSPSA.

Response - For the incore instrument tube rupture event, the LOCA would be discharging directly into the cavity. As described on SSPSA Pages 11.2-3 and 5.3-36, the cavity has a volume of about 14,700 ft³ and thus will accommodate about 30% of the water volume which is injected from the RWST. It is concluded that with the RWST injected into the containment, the reactor cavity will always be filled with water and the water level in the containment will be above the elevation of the reactor cavity curb. Thus, sufficient water will be available for recirculation.

We consider the phrasing of the above comment to be inappropriate for a technical document.

3.1-3 (Pages 3-11 and 12) Loss of Vital 120 V ac Bus LLNL Comment - Loss of a vital 120 V ac bus presentation is contradictory and incomplete. No investigation into whether the loss of a bus will result in a plant trip due to the effect on other equipment is made.

Response - The loss of a vital 120 V ac bus presentation is not contradictory. Loss of a single bus does not cause an initiating event as described on SSPSA Page 5.2-25. The impact on support systems and other mitigating systems is described on SSPSA Pages 5.3-108 and 109. Loss of instrument buses are properly modeled in the SSPS and ESFAS Systems analyses in SSPSA Appendix D. Failure of two buses will result in a reactor trip, but loss of a dc bus envelopes both the frequency and the impact on systems.

3.1-4 (Page 3-12) Loss of Single Train of SW or PCC LLNL Comment - Loss of a single service water or component cooling water train is definitely a forced shutdown that must take place in the absence of one train of a support system. We believe that this is essentially equivalent to other support system transients, and that two new initiator classes should be added to account for these single train failure events.

Response - As described on SSPSA page 5.2-11, loss of single trains of support systems was considered including service water and PCC. They did not result in a plant trip, but would result in a reduced power condition or call for an orderly plant shutdown. As described on SSPSA Page 5.2-5, during a normal controlled shutdown the plant is near equilibrium, shutdown proceeds at a controlled rate, and standby systems are started before they are needed. In addition, the support state methodology that was used already included high frequency transient events followed by unavailability of single PCC and SW trains as well as all other combinations of support states. Therefore, this class of event sequences was modeled explicitly without the need for a separate initiator. These and all controlled shutdowns are considered insignificant risk contributors.

3.1-5 (Page 3-17) Isolable/Nonisolable Small LOCA LLNL Comment - The comparison of values shown on the table indicates a large difference in this frequency between the various data sources. This is based on whether a reactor coolant pump seal LOCA is isolable or nonisolable at a given plant. The frequency of the random Reactor Coolant Pump (RCP) LOCA is estimated at .02/year based on data from the ANO-1 IREP. The Seabrook plant does not have primary loop isolation valves, thus this break should be considered nonisolable. This value would therefore apply to Seabrook for nonisolable small LOCAs, and is a factor of four higher than the SSPSA value utilized. This is a significant difference, and we feel the higher value should have been used in the analysis.

Response - The value for isolable and nonisolable LOCA reported by LLNL is accurate and reflects the results shown on SSPSA Page 6.6-13. The value used for quantifying the small LOCA initiating event was 1.73 x 10^-2 as reported on SSPSA Pages 5.1-2 and 13.1-15. This is consistent with the .02 value recommended by LLNL. The small LOCA frequency in the SSPSA was developed by conservatively considering half of the isolable LOCA's frequency to be nonisolable. (The other half was quantified as a general transient.) Thus, small LOCA frequency is equal to nonisolable LOCA frequency plus one-half the isolable LOCA frequency. This derivation was not fully documented in the SSPSA, however, no small LOCAs were actually excluded in the analysis. The RCP seal LOCAs frequency is included in the nonisolable small LOCA frequency. There have been no RCP seal LOCAs; only large leaks resulting in a plant trip. Also, support system failures that lead to RCP seal LOCA are included in the model. See response to 3.2-4.

3.1-6 (Page 3-17) General Transients Grouping LLNL Comment - Revised values for the general transients result from regrouping as discussed earlier.

Response - As described in the response to Comment 3.1-1 above, four groups could have been defined, but this was a result at the end of the analysis and could not be determined a priori when the initiating events were being determined.

3.1-7 (Page 3-17) Loss of Vital 120 V ac Bus LLNL Comment - Loss of 120 V vital ac bus A or D. The value used for this new initiator is taken from the ANO-1 IREP data base.

Response - As described in the response to Comment 3.1-3 above, loss of 120 V vital ac Bus A or D is not an initiating event at Seabrook Station.

3.1-8 (Page 3-18) Loss of Single Train of SW or PCC LLNL Comment - Loss of a single service water or primary component cooling train. The values for these new initiators are taken from EPRI NP-2230.

Response - As described in the response to Comment 3.1-4 above, loss of a single service water or primary component cooling train is not considered an initiating event only a condition that would lead to an orderly plant shutdown. Also, these systems are plant specific so that it is inappropriate to apply generic data as a means of quantifying their initiators.

3.1-9 (Page 3-18) Interfacing System LOCA LLNL Comment - In attempting to verify the plant-specific value determined for this initiator, we determined that it was not possible for us to duplicate the answer shown in the SSPSA using the values and equations presented therein.

Response - As shown on SSPSA Page 6.6-4, some of the V sequences contain a lambda squared term in the calculation. When uncertainty distributions are propagated through such a model, the coupling of the failure rate distributions creates a mismatch between the mean of a squared term and the square of the mean.

In order to recreate the results by hand calculations, it is necessary to add the variance of the distribution to the mean value squared. For this calculation in particular, the data uncertainties are very large so that the error caused by not considering the variance can be large.
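The mismatch described in this response, worked through as an added example (it is not taken from the SSPSA or from this response). It assumes a lognormal failure-rate distribution described by a median and an error factor; the distribution form, the median and the error factors are constructed values, not SSPSA data.

```python
"""Mean of a lambda-squared term when both factors share one failure-rate
distribution (coupled), compared with the square of the mean.

Assumptions (not from the SSPSA): lambda is lognormal, given by its median
and error factor EF = 95th percentile / median. All numbers are constructed.
"""
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal


def lognormal_params(median, error_factor):
    """Return (mu, sigma) of ln(lambda) for the given median and error factor."""
    if median <= 0 or error_factor <= 1:
        raise ValueError("median must be > 0 and error factor must be > 1")
    return math.log(median), math.log(error_factor) / Z95


def lognormal_moments(median, error_factor):
    """Return (mean, variance) of lambda."""
    mu, sigma = lognormal_params(median, error_factor)
    mean = math.exp(mu + 0.5 * sigma ** 2)
    variance = (math.exp(sigma ** 2) - 1.0) * mean ** 2
    return mean, variance


def mean_of_square(median, error_factor):
    """E[lambda^2] = mean^2 + variance, the hand-calculation correction."""
    mean, variance = lognormal_moments(median, error_factor)
    return mean ** 2 + variance


def underestimate_factor(median, error_factor):
    """Ratio E[lambda^2] / mean^2: the error made by squaring the mean."""
    mean, _ = lognormal_moments(median, error_factor)
    return mean_of_square(median, error_factor) / mean ** 2


def sample_products(median, error_factor, n, seed):
    """Monte Carlo means of the product term.

    coupled:   one draw used for both factors (same state of knowledge)
    uncoupled: two separate draws, which reproduces mean^2 instead
    """
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median, error_factor)
    coupled = uncoupled = 0.0
    for _ in range(n):
        a = rng.lognormvariate(mu, sigma)
        b = rng.lognormvariate(mu, sigma)
        coupled += a * a
        uncoupled += a * b
    return coupled / n, uncoupled / n


if __name__ == "__main__":
    median = 1.0e-7  # constructed failure rate per hour
    for ef in (3.0, 10.0):
        mean, var = lognormal_moments(median, ef)
        print(f"EF={ef:4.0f}  mean^2={mean**2:.3e}  "
              f"mean^2+var={mean_of_square(median, ef):.3e}  "
              f"ratio={underestimate_factor(median, ef):.2f}")
    coupled, uncoupled = sample_products(median, 3.0, 200_000, seed=1)
    print(f"Monte Carlo, EF=3: coupled={coupled:.3e} uncoupled={uncoupled:.3e}")
```

For a lognormal the ratio equals exp(sigma^2), so it grows quickly with the error factor, which is why a hand calculation that squares the mean falls well short when the data uncertainty is large.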

See SSPSA Appendix A.2 Equation A.2.12.

3.1-10 (Page 3-23) Loss of Instrument and Control Power LLNL Comment - Loss of instrument and control power, was not properly considered in the PSA.

Response - As described in Comment 3.1-3 above, loss of an instrument bus was analyzed properly.

A3.2 EVENT TREES 3.2-1 (Pages 3-25, 26 and 27) Complexity of Event Trees LLNL Comment - Our conclusion is that the event tree models used in the SSPSA, while not being incorrect in the strict sense of the word, do not represent an advance in the state-of-the-art over event trees constructed in a more traditional manner, particularly in terms of their usefulness to the NRC in performing its review function. They are, because of their unnecessary complexity, virtually useless to the reviewers in the determination of insights concerning the effects of our conclusions regarding the differences in event phenomenology which are discussed below.

Response - The reviewers do not understand the event tree methodology that was used. The events are not required to be independent of the others but rather to be defined to facilitate the analysis of their interdependencies. We consider this expression of opinion an indication of the reviewers' lack of knowledge of the plant and PLG's methodology and totally inappropriate in a technical document. We are concerned that the reviewers were frustrated in their review and were biased against the PLG methodology in their writeups. Because of the complexities of the systems modeled, the event trees in the SSPSA are much more scrutable than correctly drawn linked fault trees would have been. The insights are available through the presentation of the dominant contributors in SSPSA Sections 2 and 13. See response to 3.0-1.

3.2-2 (Pages 3-27 and 28) Bleed and Feed Cooling LLNL Comment - The study is optimistic in the assumption that it is possible to avoid the need for recirculation in bleed and feed scenarios by initiating closed loop RHR cooling.

Response - SSPSA Page 5.3-22, Paragraph 4, states that with no loss of off-site power and "feed and bleed" cooling in progress, the plant will be cooled down to the point at which the RHR System may be operated in the normal shutdown cooling mode.

The question correctly notes that no credit is taken for this in the GT event tree (SSPSA Page 5.3-129); all "bleed and feed" sequences end in high pressure recirculation. No credit is taken because of the uncertainty of RCP operation which is needed to allow cooldown of the vessel internals and head. Without RCP operation, it is unlikely that cooldown would be quick enough to avoid depleting the RWST before normal RHR cooling can be used. The SSPSA text could have spelled this out more clearly.

3.2-3 (Page 3-28) Turbine Trip Top Event LLNL Comment - There are concerns about top events TT and EF. They should have been structured with four events: turbine trip, power conversion system, MSIV closure, and emergency feedwater.

Response - Turbine trip combined with MSIV closure:

These two system responses are combined in order to simplify the GT event tree. It is assumed that successful operation of either system would alleviate the need to consider Pressurized Thermal Shock (PTS).

Also, the functions are coupled in that a turbine trip failure would lead to low steam line pressure or high steam pressure rate of change which would generate an auto MSIV isolation signal. See SSPSA Page 5.3-28. Top Event TT1.

For top event EF, two systems represent the feed (EFW and startup feed pump) and steam removal (ARV or the condenser steam dump valves) for cooling the SGs. If either system fails, the function, Secondary Cooling, fails.

The comment "PCS would be considered only if turbine trip succeeded" is correct and is handled in the quantification. For example, see SSPSA Table 5.4-22a for the GT event tree (given reactor trip) quantification. Under Note 2 (SSPSA Page 5.4-56), EF failure is quantified to two cases, given Turbine Trip (TT) success and TT failure. For TT success, condenser dumps are included in the Secondary Cooling (SC) number; for TT fail, only the ARV's are included in SC quantification.


The comment seems to contradict earlier comments that there was too much detail in the event trees.

3.2-4 (Page 3-29) Transient-Induced Small LOCA LLNL Comment - The tree does not include an event for a transient-induced small LOCA, i.e., a stuck open PORV following a transient initiator. This event should be included.

Response - In quantifying the frequency of small LOCA initiating events, the data events were discriminated between isolable and nonisolable SLOCAs and between isolable SLOCAs that were isolated before and after reactor trip. Thus, isolable LOCAs which caused a reactor trip (assumed to be one-half of the isolable LOCA frequency) were included in the reactor trip frequency and were handled in the generalized transient tree and quantified in Table 5.4-22a "Reactor Trip." Nonisolable SLOCAs and one-half of the isolable SLOCAs were included in the data for SLOCA initiating events and are modeled in the SLOCA event tree. Thus, transient-induced small LOCA events have been included through the data base. See response to 3.1-5.

3.2-5 (Pages 3-29 and 30) Operator Actions OM and OP LLNL Comment - Events OM and OP should be combined into a single event.

Response - Considering events OM and OP separately allows for a success sequence (No. 62) where OM is successful and OP fails. If OM fails, then OP is assumed to fail; i.e., if the operators cannot control feedwater, then the likelihood of operator action to throttle HPI is very low (and assumed to be zero). See SSPSA Pages 5.3-28, 29, and 32.

Quantitatively, OM = OP = .022; thus, either operator action failure has the same effect (to threaten the vessel) with the same frequency. Considering OM has very little quantitative effect. See SSPSA Page 5.4-54.

LLNL is arbitrarily challenging an arbitrary modeling decision. The fact that the reviewer would model events differently is irrelevant to the question of appropriateness of the Seabrook study. It is curious that OM and OP are only questioned in the SLOCA event tree; the same model appears in most ETs (e.g., GT, SSPSA Page 5.4-129).

3.2-6 (Page 3-30) Operator Action ON LLNL Comment - ON is not required when emergency feedwater succeeds and there are no LOCAs.

Response - The event ON (plant stabilization and cooldown) is included for completeness, i.e., successfully bringing the plant to a stable state. It includes operator actions such as assuring makeup to the CST, controlling EFW and HPI, etc.

3.2-7 (Page 3-31) Operator Action ON Delays CM LLNL Comment - RCP LOCA - In the absence of further analysis, we must conclude that event ON as presently defined is not capable of delaying core melt in this case.

Response - This comment indicates a fundamental lack of understanding of basic fluid mechanics. The total time to completely shutdown and depressurize to near atmospheric pressure conditions is about 1/3 of the calculated time to core uncovery due to a pump seal LOCA, (3 - 4 hours versus 10 hours or more). The transition to subcritical flow occurs far above atmospheric pressure. Hence, depressurization could very clearly extend the time for core uncovery.

3.2-8 (Pages 3-31 and 32) Operator Action OM LLNL Comment - Overcooling events were assumed to result in core melt and, therefore, the GT tree is incorrect.


Response - Operator failure to control EFW (OM failure) includes both overfeed (PTS concern) and overthrottle (EFW failure). In this sequence, the operator action modeled is overthrottle to the extent that SGs boil dry and/or EFW is lost due to pump overheating. See SSPSA Page 10.3-12, Paragraph 5.

This is assumed to preclude near-term cooling with SGs. (SSPSA Page 5.3-22, Paragraph 2.) Since HPI is also not available, early core melt results. Not all overcooling events are assumed to result in core melt. Many such events simply ask questions about reactor vessel integrity and, only a small fraction of these are assumed to result in core melt.

3.2-9 (Page 3-32) Operator Action ON - Small LOCA LLNL Comment - When both emergency feedwater and HPI are successful, the SSPSA assumes that a core melt will result if the operator fails to take this action (event ON). This is completely contrary to previous PRAs, NRC licensing requirements, and FSAR analysis.

Response - It has not been established that all previous PRAs are correct on this and any other point. See response to Comment 3.2-6.

3.2-10 (Page 3-33) Recirculation With Small LOCA LLNL Comment - In the absence of justification to the contrary, we believe that recirculation should be required for all small LOCA events and that the only credit which should be allowed for the success of action ON is to reduce RCS pressure such that a failure of recirculation will lead to a low pressure melt instead of a high pressure melt.

Response - Small LOCAs are in the size range of 0.5 to 2-inch diameter openings. In this range, leak rates are sufficiently low that the RWST would supply makeup for 24 hours. By that time, makeup to the RWST from the demineralized water supply could be in place. Also, the leak rate would decrease as the primary pressure was reduced.

From the W ERGS (Page TE-1-41), the leak rate after 30 minutes for a 2-inch break is about 40 lb/sec (287 gpm) at 1000 psia. For the volume of 450,000 gallons in the RWST, a leak of 287 gpm would drain the tank in 26 hours. The leak would decrease as the plant was cooled down and put on RHR shutdown cooling.

Thus, with successful ON, the plant can be cooled down by injection and RHR shutdown cooling indefinitely, until the leak stops or repairs can be made.

3.2-11 (Page 3-33) Depressurization LLNL Comment - With regard to blowing down the secondary to utilize low pressure injection, the SSPSA is optimistic regarding this scenario in one area; however, it assumes that if the operator performs the depressurization, but LPI is not available for some reason, a late melt will occur. There is no justification provided for this and we are doubtful of the validity of this assumption.

Response - A late melt (>6 hours) is assumed for the sequences with HP failure but EF and ON (depressurization) successful. This action is the operator rapidly depressurizing the RCS by overcooling with the steam generator to reduce the leak rate and the break flow. Depressurization takes approximately three hours, which, by definition in this sequence, is successful. If depressurization is successful but the RHR pumps fail, core melt will occur sometime later and is assigned to late melt. At three hours after shutdown, decay heat is less than 1% and, thus, it would take considerable time until core melt.

3.2-12 (Page 3-34) Operator Action OM LLNL Comment - The SSPSA assumes that when TT fails (overcooling occurs) and the operator fails to control feedwater, that feedwater will be lost. This leads to the assumption that if HPI is unavailable in this situation, a core melt will result. We consider this assumption conservative and do not agree that failing to control feedwater will result in its eventual loss.

Response - This is explained on SSPSA Page 10.3-12: Excessive throttling of the flow control valves will limit the cooldown rate (and is, therefore, successful [with regard to reactor vessel integrity]).

However, undesirable side effects occur, such as overheating the emergency feedwater pumps due to operation at shutoff head or boiling the SGs dry.

Thus, "fail to control EFW" (OM failure) includes both fail to throttle (PTS challenge) and overthrottle (EFW failure). See response to 3.2-8.

In addition, failure of turbine trip and failure of MSIVs to close (TT failure) causes the steam supply to be unavailable which fails the turbine-driven EFW pump. See SSPSA Page 5.3-43.

3.2-13 (Page 3-34) Early/Late Core Melt - Medium LOCA LLNL Comment - The SSPSA assumes an early core melt results in cases where injection phase cooling succeeds and the RHR pumps fail. This is in contrast to the sequences where injection phase cooling succeeds and the RWST suction valves fail closed (which would also cause the RHR pumps to fail) where the SSPSA assumes that a late melt occurs.

Response - The difference in the timing of these sequences is based on the time to depletion of the RWST with and without the containment spray pumps operating. (Depletion of RWST is analyzed in SSPSA Appendix B.1.)

With all SI and charging pumps (450 gpm/pump) and containment spray pumps (3300 gpm/pump), the RWST would be depleted in about 40 minutes. Thus, this sequence, with recirculation failed, is an early melt.

For the case where the RWST suction valves (CBS-V2 and CBS-VS) fail closed, containment spray fails. Thus, the only demand on the RWST comes from HPI (SI and charging pumps). With all four HPI pumps running, the RWST would be depleted in about 3 hours. There is considerable time until core melt since the decay heat is reduced to less than 1%. See SSPSA Page B-8. Thus, this sequence is a late melt.

3.2-14 (Page 3-35) High Pressure Injection LLNL Comment - There are functionally redundant or extraneous decision points when high pressure injection is available. If HPI is available, it is capable of supplying all the required cooling in the injection phase of the analysis. It is not necessary to consider other actions to provide injection phase cooling in these situations.

Response - Rapidly depressurizing the RCS with SGs is desirable if HPI is available since HP recirculation cooling would then not be required after switchover. See SSPSA Page 5.3-51.

Also, the nature of medium LOCAs is such that on the upper end (6 inches), the RCS may depressurize rapidly enough to go immediately onto LPI. In this size between small and large LOCA, the RCS will depressurize to a certain pressure just due to blowdown out of the opening. This operator action (OD) would be the logical step if the pressure had dropped significantly. Emergency feedwater is considered because of the logical operator action to depressurize using the SGs (OD).

Also many apparently redundant questions, while not necessary to resolve whether core melt will occur, are necessary to either properly analyze dependencies or to assign plant damage states to the core melt sequences.


3.2-15 (Page 3-35) Containment Isolation LLNL Comment - The relationship between air purge isolation and containment isolation and the effect of containment spray is not made clear in the long-term tree.

Response - SSPSA Sections 5.3.3 and 5.3.4 describe the modeling of containment isolation, air purge supply, and containment spray operation to maintain containment integrity.

Top event CI models the response of the plant containment isolation function and includes the air purge isolation valves. If top event CI is successful, the air purge lines have successfully isolated and top event C2 is not questioned.

Top event C2 models the containment air purge penetrations. C2 is conditional on the status of CI and is included in the long-term plant response trees to more accurately model containment response to a core melt condition. C2 is thus the fraction of all CI failures which are caused by failure to isolate the containment air purge lines.

With the air purge lines open, and no containment spray, containment pressure will be maintained below the containment failure point.

These sequences are mapped to a "F" plant damage state for large containment leakage.

With containment spray operating, containment pressure is maintained at or near atmospheric pressure and top event C2 is not questioned. See SSPSA Section 11.4.

3.2-16 (Page 3-36) Hot Leg Recirculation /EAs.

LLNL Comment - Long term switch to hot leg recirculation should not have been included on the tree. EAH should not be included in the tree. Even if required, this is inconsistent and generates concern about the proper coordination of various parts of the study and concern about proper quantification (i.e., GF and 1.0).

Response - For certain large breaks, there is a possibility that boron precipitation within the reactor vessel could lead to coolant blockage. This is an area of uncertainty and the conservative assumption was made. This could have been treated probabilistically by estimating the likelihood of needing hot leg recirculation. Instead, it was assumed that every LLOCA sequence required operator aligning the system for hot leg recirculation (HE). The action was estimated to be performed reliably because of the long time available. Also, this conservative modeling does not affect the study results. See SSPSA Page 5.3-62.

If the Containment Enclosure Building ventilation (top event CV) fails, RHR and CBS pumps fail in the long term (>6 hours). However, there is a possibility that both RHR pumps could fail early (for reasons not associated with CV failure), leading to an early melt. This is included in Sequences 100-102 (LL2 Event Tree, SSPSA Page 5.3-147).

Only in the large LOCA long-term tree is it possible to get an early melt due to RHR failure. Thus, CV failure was included explicitly to show the sequences that include CV failure which go to early melt.

According to SSPSA Page D.7-8, Paragraph 2, the requirement for ventilation would be evaluated later if the assumption of long-term failure of ECCS pumps was a major contributor to system unavailability. Ventilation has a high reliability (2 x 10~ ) due to the 1-out-of-2 system configuration and is not an important contributor.

No study is available that analyzes the temperatures at which ECCS equipment fails.

3.2-17 (Page 3-37) Steam Line Break Outside Containment

LLNL Comment - For the steam line break (outside) tree, HPI need not be questioned when MSIV closure and AFWs succeed.

Response - The decision point is unnecessary as stated on SSPSA Page 5.3-68, Paragraph 7:

HPI functioning or not functioning does not materially affect the outcome, however, since reactor trip has occurred.

HPI will be initiated from the SI signal (low steam line pressure).

According to SSPSA Page 5.3-68, Paragraph 2, boron injection (HPI) is needed to ensure reactor core subcriticality; however, the SLBO event tree does not model that.

While HPI is not needed, the existing model is correct and is correctly explained. The reviewers' preferences are irrelevant, unnecessary, and tend to imply errors where none exist.

3.2-18 (Page 3-38) SLBI/SLBO

LLNL Comment - There appears to be no real basis for expecting or modeling significant differences in plant response between these two events.

Response - The reviewers' comment is rooted in the misperception that this is a Level I PRA and only the core melt frequency is being estimated. Without appropriate treatment of CBS, the plant damage states would be mistakenly assigned and this could have precluded a reliable risk estimate. Differences in plant response are described in response to 3.3-5. These differences are responsible for different event trees. See response to 3.2-20.

3.2-19 (Page 3-38) Boron Injection

LLNL Comment - Boron injection is required when auxiliary feedwater works. There is no justification provided for this, and it is not supported by analysis, or by assumptions in any other PRA which we are familiar with. We have no reason to believe that a return to criticality is possible considering all the excess negative reactivity inserted following reactor trip.

Response - Boron injection is required per plant procedures and was included as a conservative assumption. This was more cost effective than performing a more realistic analysis to support its removal. This had no effect on the final results.

3.2-20 (Page 3-39) Recirculation for SLBI

LLNL Comment - A need for recirculation is assumed. This cannot be correct since there is no LOCA taking place. A steam line break, whether inside or outside containment, does not result in the loss of primary coolant. Therefore, there is no need for primary makeup and, hence, no requirement for recirculation.

Response - While primary coolant is not being lost (unless on feed and bleed cooling), containment spray is needed to cool the Containment Building. After about 1 hour at full spray flow (3300 gpm/pump), the RWST would be drained, requiring sump recirculation. If these questions were not asked, there would be no way to determine the plant damage states for sequences involving core melt. Such questions are important for a Level III PRA. See response to 3.3-5.

3.2-21 (Page 3-39) SLBI/SLBO

LLNL Comment - The differences between the steam line break inside and outside containment trees are not meaningful to this analysis.

Response - As noted in responses to 3.2-5, 3.2-18, and 3.2-20, the differences between the two trees are meaningful. These differences can be seen in the plant (M) matrix in SSPSA Section 13.1, which summarizes the results of the event tree quantification.

3.2-22 (Page 3-39) SGTR Event Tree

LLNL Comment - We believe there are significant problems with this tree. The tree is poorly arranged and demonstrates a lack of understanding of a SGTR event. Major modifications must be made to the tree for it to accurately represent plant response to this initiator.

Response - The SGTR event trees developed for the SSPSA are more detailed and complicated because of the attempt to model the varied operator actions in a realistic manner and the need to model the releases in special categories because the release is outside containment. Several points should be noted. First, while operator actions are very important, the operator has much time in which to act. Second, the SGTR is similar to a general transient except for the operator actions needed and the much lower frequency of occurrence.

Third, SGTR contribution to core melt is 1.72 E-6 or 0.7%. Thus, while SGTR is an important licensing issue, it is not an important contributor to core melt or to health effects, based on the assumptions made about operator actions.

One reason for added detail is that, following Ginna SGTR, many questions were raised about the ability of operators to deal with this "complex" event. Our detail shows that, although the SGTR procedures are complicated, there are sufficient alternative opportunities for success that the frequency of core damage from this event is not troublesome.

In this specific case, the reviewer's inappropriate choice of words concerning our "lack of understanding of the SGTR event" must be soundly turned about. As the following responses will clearly show, the reviewer has not properly considered the physics of the real plant response to a tube rupture, but has focused on earlier, simplified PRA models of the event. Moreover, the reviewer demonstrates a lack of familiarity with current emergency procedures.

3.2-23 (Page 3-40) SGTR - Control HPI

LLNL Comment - The SSPSA assumes in cases where HPI is available that it is not always necessary to control HPI flow in order to reduce pressure.

Response - The reviewer miscasts the SSPSA analysis. That it is obvious to us that some action to control the loss of coolant should have been clear from the opening paragraphs of the SGTR analysis:

The steam generator tube rupture initiating event is unique for several reasons. First, it is a small LOCA, in some ways more severe and in other ways less so than the small LOCA analyzed earlier. It is an interfacing system LOCA, releasing reactor coolant into the secondary steam system which provides several paths outside containment -- the normal path for noncondensible gases via the main steam lines to the turbine, condenser, and condenser exhaust; the main steam lines, turbine bypass, condenser, and condenser exhaust; the main steam line and steam generator atmospheric relief valve; the main steam line and steam generator safety valves; and the steam generator blowdown line.

Because the main steam system is a high pressure system, the loss of coolant can be controlled. If the secondary side of the ruptured steam generator is isolated by the operator, the leak is stopped. All that remains is to reduce reactor coolant system pressure below the steam generator safety valve setpoint to maintain primary system integrity. However, these are both manual actions (except automatic isolation of blowdown on high radiation); the operator must respond or the leak will continue and, unlike the "normal" small LOCA, the lost water will be outside containment, unavailable for recirculation cooling.

What the reviewer apparently does not understand about the SGTR event is that opportunities exist over a long period of time to control the event. Continuing with the SSPSA discussion:

Again, on the positive side, the leak is small, limited both by the size of the tube rupture and the leakage mode from the steam generator. Thus the time available for successful operator action is long -- he has at least 15 minutes to well over 1 hour to control the break flow to avoid sticking open a steam generator safety valve, and many hours (8 to 24) to secure the leak, cool down, and depressurize.

In fact, analysis has shown that with a single double-ended tube rupture, a successful supply of auxiliary feedwater, and uncontrolled safety injection flow with a stuck-open steam generator safety valve, the RWST will not be emptied until about 24 hours have elapsed. At that time, the reactor coolant system would be fully cooled down and depressurized and effectively on a standpipe head filled to and vented at the stuck-open safety valve. Therefore, a stable condition could be maintained by instituting closed loop RHR cooling or continuing to cool the steam generators. With no additional cooling, several hours would be required before the reactor coolant system heated up and boiled off exposing the core to overheating. The point of all this is that if makeup water and cooling are available, there are long time windows for successful operator intervention before serious core damage occurs. Many technical resources beyond the operators on shift would be brought to bear on the problem -- plant technical staff, utility engineering staff, vendor experts, NRC staff, and others.

In this and the following four comments, the reviewer gives the impression that loss of RWST inventory and subsequent core damage occur quickly for the SGTR event. Such an impression is incorrect as indicated above.

Operator action to control HPI is also considered in event OR (operator controls the break flow). The operator depressurizes and stabilizes the RCS at a pressure below that of the ruptured SG. See SSPSA Page r.3-82.

OR success must occur within 30 minutes as quantified in SSPSA. Thus, success in OR permits early success, but failure of OR does not guarantee melt, because more than 24 additional hours are available for recovery.

The long-term control of HPI is included in event ON which models any operator actions needed for long-term stability. ON also includes operator action to makeup to the RWST if it were needed. Long-term operator actions are lumped together in ON because of the long time available (approximately 24 hours). See SSPSA Page 5.3 53.

3.2-24 (Page 3-40) SGTR - Event OR

LLNL Comment - The SSPSA also assumes that failure of event OR does not necessarily lead to core melt. This assumption is optimistic since failure to reduce primary pressure prior to the depletion of the RWST means failure to terminate break flow, which means eventual loss of all coolant to the secondary and eventual core melt.

Response - The reviewer is mistaken. Because we modeled OR as early control of HPI in accordance with plant emergency procedures, failure of OR does not always lead to core melt. The reviewers' preference for a different definition of OR is irrelevant to the issue of the correctness of the SSPSA model. We find mixing time frames within a single event model to be confusing and have generally preferred to avoid that practice.

3.2-25 (Pages 3-40 and 41) SGTR - Event ON

LLNL Comment - Event ON - The purpose of long-term industry response with respect to the prevention of core melt is not made clear. This event provides an additional requirement to prevent core melt in already stable situations where the operator has successfully controlled RCS pressure and no steam leak is present (break flow stopped, auxiliary feedwater cooling) and no further action is required. This event is also apparently used incorrectly as a means of preventing core melt in situations where the operator fails to control pressure, or a steam leak occurs.

Response - Event ON adds a total of 21 additional sequences. See response to 3.2-25 for more details. ON allows the modeling of a success where OR or SL have failed because of the large amount of time available for operator action.

The confusion over SGTR timing discussed in the previous two comments continues here. OR models early control of HPI as directed by the emergency procedures. The "short time remaining before core damage" modeled by ON (in the case of OR failure) is greater than 24 hours.

Success in ON can occur in many ways:

o Control of HPI within 24 hours due to:

- Independent decision of the operators

- Direction from advisors in the technical support center, the vendor, and the NRC, etc.

o Continuation of steam generator cooling

o Shift to RHR when the cold plant depressurizes due to loss of HPI pump head when the RWST empties

Only the first of these success paths is quantified in the SSPSA.

The reviewer should have been aware that emergency procedures (documented in the ERGs) describe methods for successfully controlling the SGTR event in case of a steam leak from the ruptured steam generator. We do not understand his statement of "insufficient justification."

While "long-term industry response" is not expanded upon, the implication is the kind of support made available following the incidents at TMI, Ginna, etc. This might include technical support and/or spare parts. This response encompasses any support received by the utility 8 hours and more after the incident. See SSPSA Page 5.3-83.

Event ON is clearly not extraneous once one understands the SGTR event in detail (rather than simplified earlier models of the event) and understands the SSPSA model.

3.2-26 (Pages 3-41 and 42) SGTR - Event ON

LLNL Comment - Event ON is also used as the basis for changing an early melt to a late melt for the RCP LOCA case. As with the small LOCA tree, we conclude that this is mildly optimistic at best and that taking credit for any perceived change in plant damage state is unjustified without additional supporting analysis.

Response - Top event ON is used to quantify the long-term operator actions necessary to stabilize plant conditions, (see previous comment). The ON top is also used to model an entirely different set of operator actions in the event of an RCP seal LOCA. Another top event could have been added to the plant event trees but this would have created unnecessarily more detail.

For these sequences with ON successful, core melt is assumed to be late (>6 hours) based on the following. According to SSPSA Page 11.5-14, core melt will occur at 4.0 hours for station blackout (NL failure) with failure of EFW and no depressurization. Operator action ON includes actions to depressurize which would slow the leak and extend the time to core melt beyond 6 hours.

The only credit taken for "limiting damage done to seals" is in the timing of core damage for sequences involving seal LOCA (NL failure), EFW failure (EF failure) and successful operator action (ON). For these sequences, core melt is assumed to be late (>6 hours). According to SSPSA Page 11.5-14, core melt will occur at 4.0 hours for station blackout (NL failure) with failure of EFW and no depressurization. Operator action ON includes actions to depressurize which would slow the leak and extend the time to core melt beyond 6 hours.

3.2-27 (Page 3-42) SGTR - Event OD

LLNL Comment - Credit is taken for being able to avoid core melt in situations where HPI has failed and a steam leak occurs ... The question in this case is whether the primary pressure can be reduced below atmospheric before the RWST is emptied since the occurrence of a steam leak creates a classic case of an interfacing systems LOCA.

Response - The reviewer confuses rapid blowdown through the large RHR drop lines, the "classic case of an interfacing system LOCA" with this case of a small path for blowdown and pump down. Here times are very long, plant response is very different, and well-analyzed and tested procedures exist to guide the operator. The action to stop the break flow is modeled in operator action OD (SSPSA Page 5.?-83, Paragraph 3 - Success of EF, Failure of HPI and Failure of SL). According to the ERGs, the operator will blow down the unfaulted SGs to atmospheric pressure. Performing secondary depressurization concurrent with a SGTR and no HPI will cause rapid depressurization of the RCS. At this point, RHR can provide low pressure injection to make up what is being lost out the ruptured tube.

This success path does depend on the nature of the steam leak and the operator's ability to repair the leak. However, the operator has a large amount of time to perform the necessary actions. In fact, as described in the SSPSA Page 5.3-78, if no action is taken until the RWST is emptied (some 24 hours after the initiating event), the RCS would be fully cooled down and depressurized and filled to the stuck-open safety valve of the ruptured steam generator.

3.2-28 (Pages 3-42 and 43) SGTR - Event OR

LLNL Comment - The SSPSA assumes that failure of both auxiliary feedwater and bleed and feed will result in a late melt due to the effects of steam generator inventory. This is contradictory to the results of the identical sequences on the transient and small LOCA trees.

Response - The referenced statement is on SSPSA Page 5.3-90, Paragraph 4.

The event tree, Sequences 288-291, disagrees with the text at this point. Sequences 288 and 289 are "feed and bleed" with OR failure (operator fails to establish bleed) and go to late melts.

Sequences 292 and 293 are "feed and bleed" with HP failure and go to early melts. The text is incorrect, but the model is, in fact, correct. We regret any confusion caused by this error.

Thus, only if HPI is available do the sequences go to late melt. This is based on HPI continuing, eventually lifting the code safeties.

It is correct that the sequences with feed and bleed failure (failure of HP or OR) conservatively go to early melts in the GT and SLOCA trees.

3.2-29 (Page 3-43) ATWS Event Tree

LLNL Comment - Significant problems were identified in the ATWS tree. The tree is poorly done and considered unacceptable. The entire tree must be redone in order to get a reasonable assessment of the frequency of the various plant damage states due to ATWS.

Response - We do not view the problems (responded to below) as significant, and disagree that the ATWS tree was poorly done. The intemperate and unprofessional comment of the reviewer is indefensible in light of the incomplete nature of his review as documented in our responses that follow.

3.2-30 (Page 3-43) ATWS - Manual Scram

LLNL Comment - An action of this import (manual scram) should have been included explicitly on the tree. It is also important to make clear that this recovery action can only be applied to electrical failures of the RPS, so that RPS failures should have been divided into electrical and mechanical failures as in the ATWS rule.

Response - Manual scram is included in the quantification of the reactor trip top event (RT) contained in the auxiliary system event tree because successful manual action to scram prevents an anticipated transient without scram (ATWS) but does not mitigate the original initiating event. By including the immediate operator action to manually scram in top event RT, those sequences with RT success, either automatic or manual, are sent to the correct main line event tree; those sequences with RT failure are sent to the ATWS tree where plant response to an ATWS event is modeled. This comment seems to contradict earlier comments that there was too much detail in the event trees.

The failure of reactor trip breakers dominates failure of top event RT. Reactor trip breaker failure data was developed by review of all trip breaker failures that had occurred prior to May 1983. The leading cause of reactor trip breaker failure in Westinghouse PWRs was failure of the undervoltage device to operate given a proper scram signal.

Energizing the shunt trip device bypasses all undervoltage device failures and is effectively what is modeled by operator action to manually scram. If the reactor trip breakers failed to function when the shunt trip device is energized, plant procedures call for de-energizing the control rod drive motor generator power supplier from the Control Room. This action would bypass any mechanical failures of the reactor trip breakers.

We question the quality of the review of the ATWS event sequence model. The information discussed above is not hidden in obscure places and any reviewer should have found it easily. ATWS is not an initiating event, but a failure of RTS following most other initiating events. So how do we get to the ATWS event tree? As described below in the introductory paragraphs of SSPSA Section 5.3, "Event Sequence Analysis:"

Top Event RT. This top event depicts reactor trip operation. Although not an auxiliary or support system, the quantification of RT failure is more easily handled in the auxiliary systems event tree due to the interaction between SSPS or off-site power and the reactor trip function. Operator action to manually scram the reactor within 1 minute is modeled (see Section 10), as are the hardware failures of the rod drive mechanisms given a successful scram signal. All reactor trip failures result in a transfer to the ATWS event tree.

Failure of reactor trip results in an ATWS which is quantified in the ATWS event tree. In the generalized transient event tree, the entering boundary conditions to the model are that the initiating event being analyzed has occurred and reactor trip has been successful (or else transfer would have been made to the ATWS model discussed in SSPSA Section 5.3.12). Specific auxiliary system states are also entering boundary conditions which are included in the quantification process by failing appropriate frontline systems, but they are not discussed here.

The Reactor Trip System (RTS) is modeled in the auxiliary systems event tree. RTS failure branches to the ATWS tree. To learn how event RT is modeled, the reader need only refer to the obvious SSPSA sections on RTS systems analysis and human actions analysis which are clearly identified in the Table of Contents. A truly professional review would have found these sections or, if the entire report were not available, would have acknowledged that fact.

3.2-31 (Page 3-44) ATWS - Manual Scram

LLNL Comment - Since this analysis (Ringhal's PRA) is much more detailed than the one in the ATWS rule or the SSPSA, we feel its conclusions should be utilized, and a manual recovery credit applied to electrical failures only.

Response - In the first place, manual recovery credit was only applied to electrical failures as described in our response to 3.2-30. In the second place, using the results from a PRA on a different plant rather than the plant-specific SSPSA is indefensible. Finally, the SSPSA ATWS model is at the proper level of detail to model the ATWS event at Seabrook in a reasonable fashion as a complete review of the integrated SSPSA would have discovered.

3.2-32 (Page 3-44) ATWS - Moderator Temperature Coefficient

LLNL Comment - PL is not required since we assume all our initiators occur from 100% power. The SSPSA fails to consider that the Moderator Temperature Coefficient (MTC) changes with time, and that its effect on the pressure spike is dependent on turbine trip success or failure.

The SSPSA performed its pressure spike analysis assuming a moderator temperature coefficient valid over 95% of core life. It should have, instead, considered the fraction of time during the cycle life that the MTC is "unfavorable," that is, when it results in an unacceptably high pressure spike. This was done in the ATWS rule, and we consider it to be a more realistic approach. This fraction is dependent on the occurrence of turbine trip, so the turbine trip event must be considered first.

Response - Assuming that all initiators occur at 100% power sounds as if LLNL is defending their analysis rather than reviewing ours. Such an assumption is incorrect and conservative since it will overestimate the number of challenges to the RCS. It is irrelevant that they are content with a conservative assumption.

We disagree that PRA analyses of ATWS should be based on the ATWS rule. The assumption of a moderator temperature coefficient that is applicable 95% of the time is optimistic 5% of the time, but the effect of this assumption is more than offset by the SSPSA conservatisms that all initiating events that require a reactor trip have a plant response identical to a total loss of main feedwater, which produces the most severe pressure transient of the general transient initiator class.

3.2-33 (Page 3-45) ATWS - Severe Overpressure

LLNL Comment - The rule also concluded that whenever extreme overpressure occurred, defined as exceeding Service Level C, core melt would result. While this is likely to be conservative, the uncertainty of RCS performance at these pressures leads us to conclude that this is the most reasonable assumption to make at this time, as opposed to the SSPSA assumption that severe overpressure results in a small LOCA.

Thus, all sequences where MTC is unfavorable lead to core melt.

Response - Again, the ATWS rule is not being modeled and such an assumption is outrageously conservative. The modeling of overpressure consequences as a small LOCA is based on extensive analysis performed by Westinghouse in evaluating the response of the RCS to ATWS pressure spikes. This assumption is documented in WCAP-8330.

3.2-34 (Page 3-45) ATWS - Diverse Turbine Trip

LLNL Comment - One additional point on the subject of turbine trip is that both the SSPSA and the ATWS rule assume that electrical failures of the RPS will result in failure of automatic turbine trip. This is not supported by the Ringhal's analysis. The SSPSA should also have assumed that Seabrook will have a diverse (independent of RPS) turbine trip, since the ATWS rule will require it. Thus, a turbine trip failure probability should be applied for all initiators under all conditions.

Response - SSPSA does not assume electrical failures of the RPS will result in failure of TT; it analyzes the RTS and TT systems. For the events of primary interest, the only TT signal comes from auxiliary contacts of the RTBs.

The Ringhal's analysis did not examine the Seabrook plant. It is not clear why the reviewers believe it models Seabrook better than the SSPSA!

At the time of the Seabrook PRA, diverse turbine trip during an ATWS event was not included in the plant design.

3.2-35 (Page 3-45) ATWS - Operator Time

LLNL Comment - It is very conservative to assume 20 minutes for operator to shut down reactor after initial phase of ATWS.

Response - Twenty minutes is viewed as reasonable, though conservative most of the time, for completing such actions as emergency boration, and manual actions away from the Control Room to de-energize MG sets and locally trip the RT breaker.

3.2-36 (Page 3-46) ATWS - Events OH, HP, and ON

LLNL Comment - The use of three top events; OH, HP, and ON is confusing and better handled with one event OH, which would include HP.

Response - The reviewers' preference for modeling is not really relevant; however, events cannot be combined because failure of each has a different impact on the plant, and occurs at different time frames. In SSPSA Section 10 it can be seen that all have different values of failure frequency. Combining those events, therefore, is incorrect.

3.2-37 (Page 3-46) ATWS - Bleed and Feed

LLNL Comment - The SSPSA also assumes that it is possible to mitigate an ATWS by using bleed and feed with HPI only if emergency feedwater fails.

Response - As described more fully in SSPSA Section 10.3, the charging pumps are in fact the ones assumed to affect emergency boration. The HP top event includes the charging pumps (1 out of 2 charging pumps).

During the 10-minute period in which emergency boration is considered, the RCS pressure decays to about 1600 psia after the initial pressure spike and, therefore, during most of the time interval, the pressure is significantly below operating pressure. Without emergency boration, operation of emergency feedwater will accelerate the process of recriticality. Failure of emergency boration (top event OH) is assumed to result in core melt in the ATWS tree. The SSPSA analysis is based on the ERGs and the way in which the operators are trained.

3.2-38 (Page 3-47) RCP Seal Leak

LLNL Comment - It is not reasonable to assume a leak will occur immediately. Both actual experience and NRC analysis show the seals able to remain intact for 30 minutes. Experience also shows that the seals may be able to survive up to 1 hour. A simple analysis was performed in the Millstone-3 PSS Review, and we feel that the conclusions therein are the most realistic way to represent the RCP LOCA.

Response - The SSPSA assumptions about RCP seal LOCA were based on Westinghouse's best understanding at the time the study was performed (SSPSA Reference B-2). There was no NRC analysis or experience that conclusively showed how the seals behave under total loss of seal injection and thermal barrier cooling conditions. Most PRAs previously assumed complete seal failure at t=0. Furthermore, it was fully understood by the SSPSA that the time of seal leakage was relatively unimportant in comparison with the time of assumed total seal failure - which was 14 hours in the SSPSA. If one assumes the leak begins in 30 minutes, or 1 hour, there is no appreciable difference in the time of core melt and in the results.

A simple analysis performed for Millstone 3, and reviewed previously by LLNL, is not justification for concluding that the SSPSA analysis is not reasonable. The Millstone 3 simple analysis may be very conservative. In addition, we are not aware of any NRC RCP analysis.

Also see responses to 3.5-24 and 3.9-11.

3.2-39 (Page 3-48) Station Blackout

LLNL Comment - Core damage is more realistically assumed to occur two hours after the station blackout.

Response - The core melt times in the SSPSA were not assumed but were calculated by the reactor vendor, Westinghouse, based on a plant-specific, not generic model. These analyses are well documented in the report, but perhaps outside the reviewer's scope.

3.2-40 (Page 3-50) Stuck Open Primary Safety / Relief

LLNL Comment - The stuck open primary safety / relief valve event is not properly treated on any of the non-LOCA trees except the ATWS tree.

Response - Non-ATWS sequences involving stuck open primary safety and relief valves are fully accounted for via the isolable LOCA initiating event. Based on plant analyses of the initiating events, the primary safety valves are expected to open only on the ATWS initiating event.

A3.3 SUCCESS CRITERIA

3.3-1 (Page 3-52) Success Criteria Documentation

LLNL Comment - The SSPSA did not display the various success criteria in a concise manner. The documentation in the SSPSA in many cases contained insufficient justification or references to support the criteria.

Response - Success criteria are explicitly and fully documented in the systems analysis (SSPSA Appendix D) and the event sequence analysis (SSPSA Section 5.3). The most concise presentation is provided in the main text of SSPSA Section 5.3. The reader can address success criteria assumptions and bases in a "top down" fashion in this section and get a more detailed perspective in SSPSA Appendix D. The justification for most of the success criteria is intuitively obvious. For example, with two train systems it is rather difficult to back off from the FSAR criteria (1-out-of-2 required for success). In general, the FSAR and the Westinghouse Emergency Response Guidelines (and supporting analyses) were used to justify success criteria. The NRC should be very familiar with both.

3.3-2 (Page 3-53) Power Conversion System

LLNL Comment - The SSPSA does not take proper credit for the use of the power conversion system to provide cooling during transients.

Response - Recovery of main feed or condensate could have been used when off-site ac is available. However, the SSPSA takes credit for bleed and feed cooling for sequences with EFW failure and an emergency ac bus available. As a result, these sequences become less significant to core melt risk. See response to 3.2-3.

3.3-3 (Page 3-54) Small LOCA - SI Pumps

LLNL Comment - Analysis in the Millstone-3 PSS indicated a potential problem with breaks at the small end of the size range which result in insufficient depressurization of the RCS, so that pressure remains above the shutoff head of the SI pumps.

Response - In the SSPSA, events of this type (i.e., insufficient depressurization rate to enable HP injection) were classified as "very small LOCA." These events were judged to be insignificant risk contributors. Small LOCAs by definition always lead to depressurization. For success criteria, refer to SSPSA Page 5.3-45 and Page D.8-95. For pump flow curve, refer to SSPSA Page 5.3-121. This comment is questioning the ability of EFW and an SI pump as success without opening a PORV.

For breaks up to about 1 inch in diameter with one HPI pump operating, the RCS will depressurize and an auto reactor trip and SI signal will be generated. With a secondary side heat sink, the RCS will reach an equilibrium pressure which corresponds to the pressure at which the liquid phase break flow rate equals the HPI flow rate. This is true with the high pressure SI pump at Seabrook. See Page TE-1-3 W ERG's E-1.

3.3-4 (Pages 3-54 and 55) Medium LOCA - Accumulators

LLNL Comment - The SSPSA assumes injection cooling during medium LOCAs can be accomplished without the need for accumulator injection, contrary to the assumptions of previous PRAs which have assumed that accumulators are required for break sizes in this range.

Response - The MLOCA success criteria is any 2-out-of-4 HPI pumps. In the event of a MLOCA, the primary system will depressurize to around 1000 psia (immediately for the 6-inch diameter break, after about 5 minutes for the 2-inch diameter break). At this pressure, the pump flow rates for SI and charging pumps are almost identical (about 500 gpm per pump).

The break flow will exceed injection until the liquid level in the RCS drops below the break. At that point, the break will be passing steam at a mass rate which 2/4 HPI pumps can maintain. The RCS pressure stabilizes at a pressure where the safety injection flow is matching the break flow. See Page TE-1-121 W ERG's E-1.

The accumulators will activate for breaks of this size when the RCS depressurizes to 600 psia and will contribute to more rapid core recovery. However, this pressure will be reached much later than for a large LOCA, when the decay heat is much lower. (For example, for a 3-inch diameter break, the accumulators will discharge at about 20 minutes; decay heat is about 1%.) See Page TE-1-20.

The flow rates are shown on curves on SSPSA Page 5.3-121. The rates used in SSPSA Appendix B analyses are maximum values used to calculate time to depletion of RWST. For success criteria, the pumps' flow curves were used.

The medium LOCA success criteria assumed in the SSPSA assure that makeup flow will match or exceed break flow for the full range of break sizes in this category. Accumulators only provide a temporary supply of makeup at their discharge pressure. Realistically, accumulators functioning or non-functioning, would never make the difference between a melt and a success path, even for a large LOCA. SSPSA uses FSAR criteria for large LOCAs that are believed to be conservative.

3.3-5 (Page 3-55) SLBI/SLBO

LLNL Comment - The SSPSA uses entirely different success criteria for steam line breaks inside and outside containment. This appears to result from an erroneous analysis of the inside containment case.

Response - There are fundamental differences between steam line breaks outside and steam line breaks inside the containment. These differences lead to different safety system actuation and different plant response.

1. SLB outside signals: high steam flow, steam pressure rate.

SLB inside signals: high steam flow, hi-hi containment pressure.

2. Plant response from SLB outside: normal cooldown occurs with MSIV isolation, and rapid uncontrolled cooldown occurs with MSIV's failed.

Plant response from SLB inside: single steam generator blowdown with containment spray actuation on containment pressure, long-term recirculation cooling required.

These differences are reflected by different plant event sequence models and are not erroneous. See response to 3.2-20.

3.3-6 (Page 3-55) MSIV Success Criteria

LLNL Comment - The SSPSA states that in order to prevent multiple steam generator blowdown for this initiator, three-out-of-four MSIVs must close. This is incorrect. In this case, there is no way to prevent blowdown of the affected steam generator, and the only way to prevent multiple blowdown is to isolate the other three steam generators from the affected one. This means that the MSIV success criteria for this case should be closure of either one-out-of-one MSIV on the affected steam generator or three-out-of-three MSIVs on the unaffected steam generators.

Response - The success criteria used (3/4) was developed into a failure logic expression as MS(1) = 6 (MSIV)^2. See SSPSA Page D.11-11.

The criteria proposed can be written as:

MS(1) = (MSIV) (MSIV + MSIV + MSIV) = 3 (MSIV)^2

Thus, the criteria used in the SSPSA is conservative by a factor of 2.

This function (MSIV isolation) is dominated by common cause failure so that a change in success criteria would have little effect on analysis results. See SSPSA Page D.11-23.
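The factor of 2 and the common-cause remark in the response to 3.3-6 can be checked by enumerating valve states under both success criteria. This is an added example, not code or data from the SSPSA; the valve labels, the per-valve unavailability and the beta factor are constructed values chosen only for illustration.

```python
from itertools import combinations, product

# Hypothetical labels: one MSIV on the affected steam generator, three on the others.
VALVES = ("affected", "sg_b", "sg_c", "sg_d")


def sspsa_success(closed):
    """Criterion used in the SSPSA: at least three of the four MSIVs close."""
    return sum(closed.values()) >= 3


def proposed_success(closed):
    """Criterion proposed in the comment: the MSIV on the affected steam
    generator closes, or all three MSIVs on the unaffected ones close."""
    others = [closed[v] for v in VALVES if v != "affected"]
    return closed["affected"] or all(others)


def minimal_cut_sets(success):
    """Smallest sets of failed-to-close valves that defeat a criterion.

    Both criteria are monotone (more closed valves never hurts), so scanning
    by increasing set size and skipping supersets yields the minimal sets.
    """
    cuts = []
    for size in range(1, len(VALVES) + 1):
        for failed in combinations(VALVES, size):
            closed = {v: v not in failed for v in VALVES}
            if success(closed):
                continue
            if any(set(c) <= set(failed) for c in cuts):
                continue
            cuts.append(failed)
    return cuts


def failure_probability(success, q_ind, q_cc=0.0):
    """Exact probability that the criterion is not met.

    q_ind: independent failure-to-close probability per valve.
    q_cc:  probability of a common-cause event that fails all four valves.
    """
    p_ind = 0.0
    for state in product((True, False), repeat=len(VALVES)):
        closed = dict(zip(VALVES, state))
        if not success(closed):
            n_failed = state.count(False)
            p_ind += q_ind ** n_failed * (1 - q_ind) ** (len(VALVES) - n_failed)
    return q_cc + (1 - q_cc) * p_ind


def conservatism_ratio(q_total, beta=0.0):
    """Ratio of SSPSA-criterion to proposed-criterion failure probability,
    using a beta-factor split of the per-valve unavailability q_total."""
    q_cc = beta * q_total
    q_ind = (1 - beta) * q_total
    return (failure_probability(sspsa_success, q_ind, q_cc)
            / failure_probability(proposed_success, q_ind, q_cc))


if __name__ == "__main__":
    Q = 1.0e-3     # constructed per-valve unavailability, not an SSPSA value
    BETA = 0.1     # constructed beta factor, not an SSPSA value
    print("3-of-4 cut sets:  ", minimal_cut_sets(sspsa_success))
    print("proposed cut sets:", minimal_cut_sets(proposed_success))
    print("ratio, independent failures only: %.3f" % conservatism_ratio(Q))
    print("ratio, with common cause:         %.3f" % conservatism_ratio(Q, BETA))
```

With independent failures only, the six two-valve cut sets of the 3-of-4 criterion against the three of the proposed criterion give a ratio close to 2; once a common-cause term is included, it dominates both results and the ratio falls to a few percent above 1.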

3.3-7 (Page 3-56) Operator Action ON

LLNL Comment - The SSPSA assumes a need for operator action a long time into secondary cooling for transients and steam line breaks in order to maintain secondary cooling ability. This assumption is overly conservative.

Response - The event ON (plant stabilization and cooldown) is included in the plant model for completeness, i.e., successfully bringing the plant to a stable state. It includes operator actions such as assuring makeup to CST, controlling EFW and HPI, etc. While this action has not been modeled in previous PRAs, these actions are "real" - actual actions that the operators must take to get to a stable state. It is agreed that the quantification is probably conservative because of the long time available for these actions.

3.3-8 (Page 3-56) Small LOCA - Closed Loop RHR Cooling

LLNL Comment - The SSPSA assumes that it is possible to avoid the need for recirculation for small LOCAs by providing cooling entirely through closed loop RHR cooling. This is an overly optimistic assumption.

Response - As described in response to 3.2-10, there are over 24 hours available to provide RHR cooling. It would be unreal not to model this and it certainly is not optimistic.

3.3-9 (Page 3-56) SLBI/SLBO Success Criteria

LLNL Comment - The steam line break inside containment success criteria should be eliminated in favor of the outside containment case for long-term cooling.

Response - See response to Comments 3.3-5, 3.2-18, and 3.2-20 for explanation of the basis of the differences in the SLBI and SLBO success criteria.

3.3-10 (Page 3-56) SGTR - Long-Term Cooling

LLNL Comment - The SSPSA assumes that it is possible to provide long-term cooling during SGTR with secondary steam leak conditions. This is an overly optimistic assumption. The prevention of a late melt during SGTR should in all cases require that no secondary steam leak be present.

Response - Credit for long-term cooling is justified because after cooldown and depressurization, the leak will be of no real concern for maintenance of coolant inventory (i.e., the leak will either stop or be at such a low flow after the depressurization that continuous makeup to the RWST is sufficient to keep up with the lost inventory). See response to 3.2-27.

3.3-11 (Page 3-57) SGTR - Operator Action

LLNL Comment - The SSPSA assumes that operator actions to control various facets of the RCS and secondary pressures / flow rates are not always required (SGTR). This is not correct. It is also important to note that the "Op. Act." required in the SSPSA is not necessarily appropriate in form, timing or content.

Response - The SGTR event was modeled in great detail to include operator actions and plant response. The authors believe that this accurately models this complicated event, and that, specifically, proper credit was taken for operator action, based on emergency procedures. For further details on operator actions modeled in the SGTR tree, see responses to Comments 3.2-22 through 3.2-28, and 3.5-19.

A3.4 SYSTEMS

3.4-1 (Page 3.4-2) Reliability Block Diagram

LLNL Comment - Each system was modeled using a Reliability Block Diagram (RBD) instead of the more traditional fault tree model.

Response - The authors of the SSPSA chose to use the Reliability Block Diagram method to derive the system failure logic expressions based on their experience in full scale PRA studies. This method is logically equivalent to generating failure cut sets from fault trees. The equivalence of RBD and FT is well documented in the literature.

3.4-2 (Page 3.4-4) Cut Sets

LLNL Comment - There are no cut sets that represent system failure modes.

Response - The failure logic expressions provided for each system in the SSPSA Appendix D are equivalent to cut sets.

3.4-3 (Page 3.4-4 and 5) Simplifications in Analysis

LLNL Comment - Simplifications to analysis cause conservatisms, eliminate components that should be considered, and attach undeserved significance to components that were included.

Response - Every PRA contains conservatisms due to the uncertainties in the data and models and the limitation on resources that can be devoted to any project. Conservatisms were included, especially where it was clear that there was no effect on the results and where considerable resources would be needed to develop realistic analyses. Also, where the overall results were available, the conservatisms were examined again to see if any were now important. In several instances, recovery actions were added in order to make the final results more realistic.

In using the SSPSA, numerical results are not and will not be accepted at face value. The SSPSA and its assumptions will be carefully scrutinized as it is used for engineering insights. Based on our responses to comments contained herein, we consider this comment to be unwarranted. It also displays a lack of reviewer understanding of how PRAs are conducted and used.

3.4-4 (Page 3.4-5) Proprietary Data

LLNL Comment - The accuracy of numerical results were not verifiable because data is proprietary, and logical failure expressions produced results that were not reproducible using mean values.

Response - The data is not proprietary and is provided in SSPSA Section 6. The bases for development of the data is proprietary but is not required to verify accuracy of numerical results. In addition, the data base could have been made available as discussed in response to Comment 3.6-1. The response to Comment 3.1-9 may help in reproducing the point estimate mean values. Proper consideration of the uncertainty distribution propagation or convolution process is necessary to accurately reproduce the results.

3.4-5 (Page 3.4-6) Errors

LLNL Comment - The text and tables contain numerous errors and leave serious doubts about the validity of the results.

Response - This is an overstatement of the evidence presented and an inappropriate conclusion. The reviewers have not produced a single significant example to suggest doubts about the validity of the results. We are aware of some minor errors, but none that significantly impact the results.

3.4-6 (Page 3.4-10) UATs/RATs

LLNL Comment - This representation of independence is not consistent with the description of the UATs nor is it consistent with the description of the RATs. The RBD, as constructed, includes redundancy (through the modeling of independence) which does not actually exist.

Response - UATs and RATs are not independent as represented in the model. Both UATs (or both RATs) trip on a single transformer protective relay actuation. The dependencies could have been treated using the beta factor model. However, in the risk important case of loss of off-site power, the UATs and RATs do not affect the emergency power availability. Also, the data for LOSP includes some dependent losses of power from trip of UATs and RATs due to protective relay actuation.

3.4-7 (Page 3.4-11) Common Cause Failure - Electric Power

LLNL Comment - The only common cause failure in the electric power system that was considered quantitatively is the failure of both diesel generators to start and run for 6 hours. This contribution was only calculated for State 2, even though State 1 also includes both diesel generators in its unavailability expression.

Response - On SSPSA Page D.2-44, common cause failure of both diesel generators is quantified for any state including State 1. It is obvious from the failure logic expression for State 1 (off-site ac available) that unavailability is dominated by the emergency bus (BE5 and BE6), not the diesel generators. Therefore, it was unnecessary to develop another expression for common cause failures.

3.4-8 (Pages 3.4-11 and 12) Vital 120 V ac Bus

LLNL Comment - No modeling or quantification performed for the Class 1E 120 V ac Distribution System.

Response - The 120 V ac is modeled and quantified with the solid-state protection and engineered safety feature actuation systems in SSPSA Appendix D.6.

3.4-9 (Page 3.4-14) SW

LLNL Comment - Hardware unavailability in Section 7 is different from Appendix D (Service Water System).

Response - We agree, the correct values are in Appendix D.

3.4-10 (Pages 3.4-16 through 18) SW - SCC Isolation

LLNL Comment - The failure assumptions regarding SCC isolation (V4 and V5) and ventilation are conservative.

Response - These conservatisms have always been recognized. SSPSA Page D.3-14 discusses the ventilation conservatism. Also, the SCC isolation assumption is conservative since it affects the system when a safety injection or LOSP occurs. These conservatisms will be reconsidered since the Service Water System does appear in some of the dominant sequences.

3.4-11 (Page 3.4-18) Overly Conservative Assumptions

LLNL Comment - We have shown how the use of overly conservative assumptions can significantly increase the estimate of SWS unavailability and attach dominant importance to components such as SCC isolation valves and pumphouse ventilation fans. Such results could result in incorrect or inappropriate decisions on potential system modifications or upgrades. This case is just one example of how the conservative philosophy used throughout the SSPSA system's analyses makes the quantitative results less meaningful and makes it more difficult to gain useful insights into system reliability.

Response - This comment presumes the SSPSA users will not consider documented assumptions, the analysis and contributions to the results.

We can assure you that no system modifications or upgrade will be considered until assumptions, data, and system importance to risk are evaluated. We find the systems analysis very meaningful, and we continue to gain useful insights. The reviewer's inference of "just one example..." is an overstatement, as demonstrated by our responses.

The degree of conservatism or optimism is debatable.

3.4-12 (Pages 3.4-22 and 23) PCC - Blocks C and C'

LLNL Comment - Problems exist in the quantification of the blocks for C and C' (PCC System). The T signal was not included in boundary condition.

Response - The quantification of Blocks C and C' are correct in the SSPSA as explained below:

Boundary Condition 1A (all support systems available, no P signal) and Boundary Condition 2A (only one train of SW available, no P signal) use Block C in the quantification. It is conservatively assumed for these BCs that a T signal is present but not a P signal. Thus, the success criteria for the heat loads for the BCs includes all containment isolation valves remain open, either waste processing building isolation valve closes, the inlet valve to the fuel storage building closes, and the letdown heat exchanger isolation valve closes. Thus, success for BCs 1A and 2A include isolation of excess heat loads outside containment and continued cooling of containment loads. This quantification is conservative for sequences that do not initiate a T signal.

For all other boundary conditions, the system quantification is done with C' which includes, in the success criteria, isolation of all nonessential loads including containment heat loads. The quantification of Blocks C and C' is discussed further on SSPSA Page D.4-16. The success criteria for isolation of heat loads is conservative, especially for the fuel storage building and letdown heat exchanger because of the low heat loads and the opportunity for operator action. The differences between C and C' make very small differences quantitatively.

3.4-13 (Page 3.4-24) PCC - Ventilation

LLNL Comment - The assumption that ventilation (PAH) is required for PCC System success is overly conservative. A thermal analysis is needed.

Response - As stated on SSPSA Page D.4-11, the assumption of ventilation needed to avoid pump overheating in 24 hours is judged to be conservative. However, ventilation was only considered and quantified for the boundary conditions of LOSP. This assumption was made based on the fact that normal PAH ventilation is available in addition to the emergency PAH ventilation when off-site power is available. (This is discussed on SSPSA Page D.4-1.) If future risk management shows this conservatism to be important, room heatup or operator action will be considered in more detail.

3.4-14 (Page 3.4-27) Instrument Air - Event EF

LLNL Comment - The event EF is included in many of the sequences that are significant contributors to both core melt frequency and health risk (instrument air contributes to EF).

Response - The failure of event EF is not included in many sequences that are significant in frequency to core melt or health risks. For example, SSPSA Table 13.2-12 lists only three sequences out of the top 43 sequences with failure of event EF. Two of the three sequences go to "A" plant damage states which end in containment intact, and thus, very low health risk.

A misconception appears evident in the LLNL review concerning the plant instrument air system. Instrument air does not perform any safety-related functions at Seabrook. Loss of instrument air results in a plant trip due to loss of feedwater flow. All air-operated valves in safety system fail in the "safe" position on loss of plant instrument air.

Instrument air was included in the quantification of the secondary cooling function because air is required for the operation of the condenser steam dump valves. Instrument air provides no services to the steam generator power-operated atmospheric relief valves.

The condenser steam dump valves are included in SSPSA to remove some of the conservatism in the secondary heat sink by taking credit for nonsafety-related components, when appropriate.

3.4-15 (Page 3.4-28) Instrument Air

LLNL Comment - The analysis only considers failure of the air supply loops. There is no consideration for isolation valves and filters between the air supply and specific air-operated valve. For valves which are normally closed and fail closed, isolation valve failure, clogged filters and human error following test and maintenance should be considered.

Response - Once air gets to the common supply headers, it is assumed that its path is unobstructed to the equipment it serves due to the very small failure rate attributable to piping. (SSPSA Page D.5-6.) Also, the system contains check valves and normally open gate valves. The failure rate for these valves to "transfer closed" is very low (1.0 E-8/hour).

Because the IA System supports plant operation, there is no operator error included for mispositioning isolation valves. This error, if it occurs, could lead to a plant trip (which is quantified).

Isolation valves, filters, solenoid valves, etc., associated with a particular air-operated valve are included with the specific air-operated valve failure rate.

3.4-16 (Page 3.4-28) Instrument Air - SCC

LLNL Comment - The dependence of the Instrument Air System on the SCC System has not been adequately considered. The SCC System will become isolated from its cooling source given a safety injection signal and discontinue operation on loss of off-site power. These conditions would in turn cause the air compressors to stop due to high temperature. The SCC System is dependent on the Service Water System and the Engineered Safety Features Actuation System (ESFAS). These dependencies have an effect on the function of the Secondary Cooling System for sequences requiring decay heat removal for periods longer than two hours.

Response - As discussed on SSPSA Page D.5-4, it is conservatively assumed that Instrument Air (IA) is guaranteed to fail on LOSP and SI.

This is due to the fact that the Secondary Component Cooling (SCC) is isolated from service water on LOSP and SI initiation. For these initiating events, the failure of SCC fails only IA (of the system modeled) and this fails only the condenser steam dump valves (of the system functions modeled). This can be seen on SSPSA Page 5.4-67 for the LOSP initiating event. Note (2) explains that EF = EF1 + SC2, where SC2 is failure of the secondary cooling function, atmospheric relief valves only.

SCC cools the Instrument Air System. This system is backed up by the plant Fire Protection System but operator action is required to line up this cooling water source. In the SSPSA, instrument air is assumed to fail (and the condenser steam dump valves are unavailable) for any ESFAS event, and for loss of off-site power events.

3.4-17 (Pages 3.4-32 and 33) SSPS/ESFAS

LLNL Comment - The SSPSA does not provide an adequate description of the SSPS and ESFAS. In particular, there is no detailed discussion of the power supplies to the various components. In addition, there are some errors in the descriptions given.

Response - We feel the description is adequate as described here. Loss of a 120 V ac instrument bus will result in generation of a trip signal to the SSPS logic matrices for all signals except containment pressure Hi-3. Instrument power is required for the generation of a Hi-3 containment pressure signal because of the desire to avoid inadvertent containment spray. (SSPSA Page D.6-27.) Instrument buses are shown in SSPSA Figure D.6-5 for display purposes; they are correctly modeled in the SSPS logic expressions. See SSPSA Pages D.6-25 to 29.

SSPS and ESFAS trains are top events in the auxiliary system event tree. Failure of an SSPS train will disable the corresponding ESFAS train. The ESFAS master and slave relays are powered by the same instrument bus in each train. ESFAS unavailability, including contribution from 120 V ac instrument bus failures, was analyzed only with SSPS trains successful. Also, loss of instrument Buses 3 and 4 (rather than 2 and 3, as indicated on SSPSA Page D.6-30) will result in failure of ESFAS but will not fail SSPS. See responses to 3.4-18 through 3.4-21. Additional descriptions of the 120 V ac system can be found on Pages D.2-12, D.2-74, and 5.3-108.

3.4-18 (Page 3.4-37) SSPS - Parameter Channel

LLNL Comment - The RBD model of the parameter channel (PC1a, etc.) supercomponent blocks (SSPSA Figure D.6-7) does not accurately represent the system failure. The quantification of the parameter channel RBD underestimates the contribution to system failure due to the relays. This RBD should only consider the sensor, amplifier and bistable associated with each detector channel. The relays should be considered separately, as indicated on the main SSPS RBD. In addition, the relationship of the inverter blocks to the detector channels shown on the RBD is incorrect. The detector channels will trip on loss of power. There should be two redundant inverter blocks that power each train of the SSPS logic channels.

Response - The model for parameter channel (PCn) was intended to include the relays as a conservative approximation. However, the quantification shown on SSPSA Page D.6-36 should have a term (input relay) rather than (input relay) . Then the relays are modeled as a single element. This would increase PCp from 9.16 E-5 to 3.33 E-4.

However, PC shows up as a squared term or greater in system quantification, thus, the difference in PC quantification would have an insignificant effect on the quantification of SSPS. The relay could have been considered separately but the additional complication in modeling was not considered necessary.

SSPSA Figure D.6-5 is a diagram of the system showing how power supplies and relays tie together. It is not strictly a reliability block diagram but was used to generate the logic expressions. As noted on SSPSA Page D.6-27, for all signals except containment pressure Hi-3, loss of a 120 V ac instrument power bus results in generation of a trip signal to the SSPS logic matrices. This is included in the modeling.

3.4-19 (Page 3.4-38) SSPS - Signal Amplifier

LLNL Comment - There is no mention in the text that data for signal amplifier was used for the AMP block.

Response - This was an oversight to have left out the data for the signal amplifier. This data is in SSPSA Section 6.2, Component No. 49.

3.4-20 (Page 3.4-40) SSPS - Power Supplies

LLNL Comment - The power supplies to the slave relays were not properly included. The SSPSA indicates that these power supplies are accounted for in the SSPS analysis, but their accounting is not correct. The failure of a single power supply will not disable the matrix elements, but it could render the slave relays incapable of transmitting the ESF signals.

Response - The power supplies are properly included in the SSPS analysis. As indicated on SSPSA Page D.6-7, failure of a single 120 V ac instrument bus is assumed to fail a single SSPS train. This assumption was made because one train of output relays (ESFAS) is disabled on loss of one 120 V ac instrument bus. Thus, the effect of loss of instrument bus is conservatively modeled and accounted for in SSPS.

3.4-21 (Pages 3.4-41 through 43) SSPS/ESFAS Model

LLNL Comment - The analysis of the Solid State Protection System and the Engineered Safety Features Actuation System contained many discrepancies concerned with the actual configuration and operation of these systems. The system descriptions given in the SSPSA did not indicate a good understanding of the workings of these systems. The system models did not accurately represent all of the possible system failures.

Response - Based on the comments received, it is evident that the reviewer did not fully understand the Solid State Protection System nor how it was modeled. It is acknowledged that it is a complicated system and the modeling was detailed in order to accurately account for all dependencies. Also, several small errors and perhaps incomplete documentation in some areas may have added to the difficulty in understanding this analysis.

3.4-22 (Pages 3.4-48 and 49) EAH - Blocks C and C'

LLNL Comment - There are questions and inconsistencies in the quantification of Blocks C and C' in the equations for EAH.

Response - The difference between Blocks C and C' is clearly explained on SSPSA Page D.7-15. The unavailability of the isolation dampers for Block C is (3*Q DAMPER an c #

s 3*(QDAMPER' different system configurations.

3.4-23 (Page 3.4-50) Ventilation Assumption

LLNL Comment - No further mention is made regarding the fundamental assumption about the need for ventilation. No explanations are given disputing the significance of ventilation as a contributor to the unavailabilities of other systems such as the Emergency Core Cooling System. Therefore, we believe an analysis is needed to establish the validity of the ventilation assumption.

Response - The effect of loss of ventilation is addressed in each system analysis. In general, it was assumed that loss of room ventilation results in long-term failure of equipment. It was not necessary to establish the precise time of equipment overheat because the event sequences simply differentiate between early core melt and late core melt. The assumption of long-term failure due to overheat was based on review of actual failure events from NPE.

Also, loss of ventilation does not show up as an important system failure leading to core melt due to its relatively low system unavailability.

3.4-24 (Pages 3.4-60 and 61) HPI Success Criteria

LLNL Comment - We disagree with the high pressure injection success criteria used for the SLOCA/transient initiating events.

Response - The ECCS success criteria was, in general, based on Westinghouse Emergency Response Guidelines and supporting documentation (see References b and c on SSPSA Page D.8-94). For SLOCA, the primary system pressure will be within SI pump range either initially if the leak is large enough or subsequent to cooldown and depressurization with EFW. If EFW fails, the primary system can be depressurized by "bleeding" through the PORVs, if the leak is too small to depressurize. For either size leak (within the SLOCA category), the SI pumps serve as redundant to the charging pumps.

3.4-25 (Page 3.4-68) EFW - Test and Human Contribution

LLNL Comment - The values given on SSPSA Page D.9-27 for the EFW pump unavailability due to test and human interaction were approximately two orders of magnitude lower.

Response - We agree and this has been corrected. As pointed out by LLNL, the contribution is still insignificant.

3.4-26 (Page 3.4-68) EFW - Recovery Actions

LLNL Comment - No human recovery actions for this system (EFW) were considered in the SSPSA.

Response - Recovery actions for the turbine-driven EFW pump were considered as described in SSPSA Section 10.3.10. The results in SSPSA Table 13.2-12 also indicate this recovery as well as recovery of the startup feed pump. The SFP recovery and other recovery actions will be considered further, as necessary, as a part of future risk management activities.

3.4-27 (Page 3.4-70) EFW and SC

LLNL Comment - Combination of EFW and SC should be explicitly included in the text, instead of a footnote.

Response - SSPSA Pages 5.3-23 (event 2) and 5.3-28 explicitly state that secondary cooling and EFW are part of event EF. SSPSA Page D.11-9 indicates explicitly that secondary cooling is part of top event EF.

Also, we consider the notes with the tables in SSPSA Section 5.4 an important part of the text crucial to understanding quantification of the plant model.

3.4-28 (Page 3.4-71) ATWS LOSP

LLNL Comment - There were some discrepancies between the values given in the SSPSA ATWS LOSP input coding table (5.4-25b) and the footnotes given for those values.

Responsa - There appears to be a misunderstanding of the footnotes for Top event EF in SSPSA Table 5.4-25b. The value shown in the table itself is for the Condition EF/0T, i.e., top event EF fails given top event OT successful. As can be seen from the table, this value remains A-63

the same for input Vectors O through 14, and the derivation of the value (6.16 E-4) is given in Footnote (29). Footnote (29) also shows the Condition EF/0T, i.e., top event EF fails given the top event OT fails. The value for Condition EF/OT changes for Footnote (30),

2.69E-2, and for Footnote (31), 1.00, but the value for EF/0T (not listed for (30) and (31)) remains the same as in Footnote (29).

3.4-29 (Page 3.4-71) Startup Feed Pump

LLNL Comment - SFP is considered available when there is a loss of all component cooling (PCC or SW) since it is being used for loss of main feedwater transients.

Response - The Startup Feed Pump (SFP) is correctly accounted for in SSPSA Table 5.4-22b for loss of PCC since the SFP is cooled by SCC (secondary component cooling) which is not affected by PCC. Thus, the value for EF in Footnote (2) for loss of PCC is correct. However, loss of SW fails SCC; thus, the SFP should not be considered functional. This impact vector (4) is not important quantitatively because of the low frequency.

3.4-30 (Page 3.4-73) Safety Valves - Fail to Close

LLNL Comment - Failure of the safety valves to close would necessitate a transfer to the steam line break outside containment event tree for further consideration. The SSPSA has not considered these possible accident scenarios in the analysis.

Response - The steam safety valves are not expected to open on normal plant transients. They are included in SGTR and ATWS as described on SSPSA Page D.11-2. Also, the event "inadvertent opening of the main steam relief valves" is included in the list of initiating events and is modeled as a steam line break outside containment (see SSPSA Page 5.4-71).


The assumption that failure of the ARVs and the condenser bypass valves fails the secondary cooling function is conservative and leads to a requirement for feed and bleed cooling to prevent core damage.

Including the main steam safety valves as part of the secondary cooling function would have decreased the likelihood of failure of the secondary cooling function, but not significantly, as failure of this function is dominated by failure of emergency feedwater.

Including the main steam safety valves and subsequent failure of these valves to reseat does not significantly alter the plant response or the required actions.

If the main steam safety valves function correctly, the SSPSA is slightly conservative in the estimate of core damage. If a main steam safety valve (or several valves) fails to reseat with emergency feedwater available, a plant cooldown occurs (but not as severe as a steam line break). Significant time is available for operator control of this event and bleed-and-feed cooling would not be required.

Again, the SSPSA would be slightly conservative in the estimate of core damage. If the main steam safety valves failed to reseat and emergency feedwater failed, bleed-and-feed cooling is required and is modeled in the SSPSA.

The net effect of not including the main steam safety valves is that the SSPSA sequences containing failure of the secondary cooling function are slightly higher.

3.4-31 (Page 3.4-79) Chemical Shutdown

LLNL Comment - No success criteria nor failure logic expression is given for chemical shutdown with a single PORV available. Its quantification is not discussed and it does not appear in the results in SSPSA Table 7.10-1.

Response - These results are provided in SSPSA Appendix D, Section D.10, Table D.10-3. The quantification description for a single PORV opening to allow successful chemical shutdown was inadvertently omitted from the SSPSA analysis in Section D.10.

3.4-32 (Page 3.4-83) Main Steam - Discrepancies

LLNL Comment - There were, however, discrepancies in their presentation of the analysis.

Response - The discrepancies are discussed in the following responses.

A large number of review comments appear to assume that the Atmospheric Relief Valves (ARV) are air operated. They are, in fact, electrohydraulic as stated on SSPSA Page D.11-3.

3.4-33 (Page 3.4-85) Safety Valve - ATWS

LLNL Comment - The calculations for the safety valve actuation for the ATWS event produced a value that is 30 times our value.

Response - Quantification contains a cubed term in the calculation. When uncertainty distributions are propagated through such a model, the coupling of the failure rate distribution creates a mismatch between the mean of a cubed term and the cube of the mean. If this is taken into account, you can create SSPSA results by Monte Carlo or other propagation techniques.
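The effect described in the response to 3.4-33, worked through as an added example (not part of the original response or the SSPSA): a cubed failure term is propagated by Monte Carlo with the same sampled value used for all three factors (coupled) and with three independent samples. The lognormal shape, the mean of 1.0E-2 and the error factor of 3 are assumed values chosen for illustration, not SSPSA data.

```python
import math
import random

Z95 = 1.645  # 95th percentile of the standard normal distribution


def sigma_from_error_factor(ef):
    """Lognormal sigma for an error factor defined as 95th percentile / median."""
    return math.log(ef) / Z95


def moment_ratio(sigma, n=3):
    """E[X^n] / (E[X])^n for a lognormal X, which equals exp(n(n-1)sigma^2/2)."""
    return math.exp(n * (n - 1) * sigma ** 2 / 2)


def error_factor_for_ratio(ratio, n=3):
    """Error factor at which a lognormal gives the stated mean-of-power to
    power-of-mean ratio (a property of the assumed distribution only)."""
    sigma = math.sqrt(2 * math.log(ratio) / (n * (n - 1)))
    return math.exp(Z95 * sigma)


def propagate(mean, ef, trials=200_000, seed=1986):
    """Propagate an uncertain demand failure probability through Q = q^3.

    coupled:      one sample of q per trial, cubed (the three components share
                  one state-of-knowledge distribution)
    independent:  three separate samples per trial, multiplied
    point:        the cube of the mean, i.e. a point-estimate calculation
    """
    rng = random.Random(seed)
    sigma = sigma_from_error_factor(ef)
    mu = math.log(mean) - sigma ** 2 / 2  # so that E[q] equals `mean`
    coupled = 0.0
    independent = 0.0
    for _ in range(trials):
        q = rng.lognormvariate(mu, sigma)
        coupled += q ** 3
        independent += (rng.lognormvariate(mu, sigma)
                        * rng.lognormvariate(mu, sigma)
                        * rng.lognormvariate(mu, sigma))
    return {
        "point": mean ** 3,
        "coupled": coupled / trials,
        "independent": independent / trials,
    }


if __name__ == "__main__":
    # Assumed illustrative inputs (constructed, not taken from the SSPSA).
    result = propagate(mean=1.0e-2, ef=3.0)
    sigma = sigma_from_error_factor(3.0)
    print("cube of the mean        :", f"{result['point']:.3e}")
    print("mean of cube (coupled)  :", f"{result['coupled']:.3e}")
    print("mean of product (indep.):", f"{result['independent']:.3e}")
    print("analytic coupled ratio  :", f"{moment_ratio(sigma):.2f}")
    # For an assumed lognormal, the error factor at which the coupled mean
    # would exceed the point estimate by the factor of 30 quoted by LLNL.
    print("error factor for x30    :", f"{error_factor_for_ratio(30.0):.2f}")
```

With independent sampling the mean of the product matches the cube of the mean; only the coupled case reproduces the larger value, and the gap grows quickly with the width of the distribution.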

3.4-34 (Page 3.4-85) Secondary Cooling

LLNL Comment - The equations given on SSPSA Page D.11-16 in Section D.11.3.1.5, "Total Secondary Cooling Function Failure," are incorrect. The consideration of the ARVs was previously accounted for in the expression given in Section D.11.3.1.1.

Response - SSPSA Section D.11.3.1.1 accounts for independent hardware contribution. SSPSA Section D.11.3.1.5 accounts for the total which includes independent hardware in D.11.3.1.1 and common cause in D.11.3.1.3.

3.4-35 (Page 3.4-85) SGTR - Steam Dump Valve

LLNL Comment - The quantification of the steam generator isolation for a SGTR event considers only three SDVs failing to close on demand along with the failure of the MSIVs. It is not clear why only three valves were assumed open.

Response - As discussed on SSPSA Page D.11-5, during a primary plant cooldown, as would occur in response to a SGTR, the steam dump system is operated in the S/G pressure control mode using 3 out of the 12 steam dump valves.

3.4-36 (Page 3.4-86) Main Steam - Turbine Trip

LLNL Comment - For the turbine trip event, the values given in SSPSA, Section D.11.3.6.1 for Qtsv-h and Qtev-h do not match Table D.11-3 entries.

Response - The data in SSPSA Table D.11-3 is used in the failure logic expression on SSPSA Page D.11-14 to obtain the values in SSPSA Section D.11.3.6.1. This is correctly explained in SSPSA Section D.11.3.6.1.

3.4-37 (Page 3.4-87) Atmospheric Relief Valves

LLNL Comment - The ARVs will only operate for two hours after loss of off-site power. After this time, secondary cooling would have to rely on the opening of the safety valves for steam relief. No analysis was performed for utilizing the safety valves during secondary cooling.

Response - The Atmospheric Relief Valves (ARVs) are Electro-Hydraulically (E/H) operated; i.e., they do not depend on instrument air or on off-site power. Thus, they would be available following LOSP. In addition, success with the safety valves would be expected although not credited.

3.4-38 (Page 3.4-91) Containment Building Spray

LLNL Comment - System failure equations should have been given for the additional recirculation cases (X3/X4 and XA/XB).

Response - We agree that the system failure equations for XA/XB and X3/X4 should have been included in SSPSA Section D.12.

3.4-39 (Page 3.4-91) Containment Building Spray

LLNL Comment - There is an apparent error in the quantification of check valve failure for blocks SA/SB and PA'/PB' (SSPSA Section D.12.3.1.1 on Pages D.12-10 and D.12-11).

Response - We agree that there is an error, but it is on SSPSA Page D.12-24:

check valve transfer closed = 1.04 x 10~ / hour

check valve reverse leakage = 5.36 x 10~ / hour

These correct values are found in SSPSA Section 6.2. The values used on Pages D.12-10 and 11 are the correct values (from SSPSA Section 6.2) for check valve transfer closed.

3.4-40 (Page 3.4-91) Containment Building Spray

LLNL Comment - Another apparent error was found in the evaluation of recirculation, case X3/X4(2 and 3) (Section D.12.3.4 on Page D.12-16). In the unavailability equation, the two terms representing the MOVs should contain a "+" operator rather than the "x" operator as shown.


Response - We agree that the "+" operator rather than "x" operator should be used in the cited equation. This is a typographical error. We have verified that the correct operator was used in quantification.

3.4-41 (Page 3.4-100) Control Room Ventilation

LLNL Comment - Two types of operator actions are identified: (1) manually starting the standby ventilation train or opening discharge dampers; and (2) establishing alternate ventilation with portable fans when both trains are unavailable. Only the second operator action is quantified, while the failure probability of the first is arbitrarily set to zero for Boundary Conditions 1A, 2A, and 2B, and set to 1.0 for Boundary Condition 1B. This treatment is inconsistent.

Response - This system was not used in plant sequence analysis because of the relatively high reliability of the system and long-term failures that result from failure of Control Room ventilation. The system analysis documented in SSPSA Section D.14 was sufficient to conclude that a more detailed analysis was not needed. However, it may be that the lack of detail led to difficulties in understanding the system modeling.

As discussed on SSPSA Page D.14-9, the operator action analysis centers on the second action, providing alternate ventilation, because this action does not depend on the state of the ventilation equipment (restorable or not). As shown on SSPSA Page D.14-18, this operator action is included with BC 1A and 1B, Control Room HVAC with and without off-site power. The other BCs, 2A and 2B, are for the emergency cleanup system and have no operator action modeled.

A3.5 HUMAN FACTORS

3.5-1 (Page 3.5-1) Error of Commission

LLNL Comment - The analysis did not properly account for operator confusion resulting in his taking totally inappropriate action. Although the study discusses this aspect of operator action, and provides an operator confusion matrix for the operator believing that the plant is experiencing a particular initiator when it is not, the analysis is not carried to its logical conclusion.

Response - The potential for inappropriate action was very carefully analyzed in a qualitative sense in the confusion matrix analysis and in the simulator experiments. In the simulator experiments, a set of dominant initiators and sequences were investigated for evaluating the potential for and consequences of numerous misdiagnoses. In general, it was found that because of the new approach to operator procedures based on the WOG ERGS, all analyzed misdiagnoses were inconsequential.

There are a limited number of accident scenarios that were analyzed in which failure to correctly diagnose the cause of the accident was a necessary and critical aspect of producing undesirable consequences.

Examples are the fire initiators, which would not proceed to core melt if the operator correctly diagnoses the fire and evacuates the Control Room, and the loss of off-site power sequences in which service water pumps fail, and failure to diagnose the cause leads to overheating of the diesels and irreparable damage.

3.5-2 (Page 3.5-2) Operator Misdiagnosis - Small LOCA

LLNL Comment - The SSPSA does not treat operator misdiagnosis during a small LOCA where the operator believes that it is only a transient caused by an inadvertent safety injection signal and he terminates high pressure injection when the correct action would have been to do nothing.

Response - Because of the new approach to training and developing operator procedures based on the WOG ERGS, the potential for the misdiagnosis was judged to be insignificant. See response to 3.5-14.

3.5-3 (Page 3.5-2) Time Frames

LLNL Comment - In many cases, the time frames utilized are not justified by either analysis or reference to other PRAs.

Response - All time frames were adequately justified by supporting analysis. Because of plant-specific factors, referencing other PRAs is generally not a reliable approach to documentation.

3.5-4 (Page 3.5-2) OAT Quantification

LLNL Comment - The SSPSA does not make clear how the trees were quantified, especially with respect to the values used for each branch on the trees.

Response - The operator action trees are employed to develop (if required) additional operator action top events for the plant model event trees, to define operator action end states (e.g., success, failure, etc.), and to estimate the probability of arriving at an end state (SSPSA Pages 10.2-7 and 10.2-8). The operator action trees, for example (SSPSA Page 10.2-8), were used to increase the richness and accuracy of the ATWS plant model event tree. The event trees used to model operator action did not use the "OAT" method of quantification. Proper credit was given to the individual who first coined the phrase "OAT" and used an event tree formulation for operator action analysis.

The treatment and emphasis on misdiagnosis and a strong knowledge of plant systems is an advanced technique that was developed and used for the first time in the SSPSA.

Each operator end state was quantified after a careful review of simulator information, draft operating procedures, time available, calibration with historical relevant information, etc., as described in SSPSA Section 10 and Appendix G. The operator action sequence error rates (SSPSA Table 10.1-1) are consistent with respect to time available, potential for misdiagnosis, and stress level. In one operator action sequence, top event OE - operators diagnose a steam generator tube rupture (SSPSA Page 10.3-24) - the operator error rate is bounded by the failure rate of the instrumentation.

3.5-5 (Page 3.5-3) Procedures

LLNL Comment - It is extremely important to note that the procedures which pertain to the operator actions reviewed were not provided to us, although we requested them from PSNH through the NRC.

Response - As discussed in the main report, all requested procedures and other information were transmitted (see Reference 6 of the main report). In addition, as referenced in SSPSA Section 5.3, the Westinghouse Owners Group procedures were used and were being reviewed by NRC; therefore, they should have been easily obtainable.

3.5-6 (Page 3.5-4) Manual Reactor Trip

LLNL Comment - The analysis treats the manual trip action improperly. The manual trip action is a normal backup response for the operator. He does not evaluate the indications or make a diagnosis, but, rather, responds automatically to the obvious plant upset without evaluating the precise situation. Second, failure of a diagnosis early in the event should not preclude the eventual shutdown of the reactor by event OH at a later time, i.e., RT and OH should not be completely dependent events as shown on the tree.

Response - First, the time assumed for diagnosis is less than one minute. Thus, diagnosis is, in a very limited fashion, allowing for checking multiple parameters in the event of a disagreement.

Second, reactor trip is not a "reflex action" but is based on a short diagnosis time because of the consequences of a plant trip. In the case of "serious abnormal conditions" where there were multiple failures, it would be the operator's first action, i.e., diagnosis would be almost immediate. However, in general, a short diagnosis time is the proper operator model.

In response to the second part of the comment, RT and OH are dependent events, as described further. As explained in SSPSA Section 10.3.1, RT models operator action to manually trip the reactor within one minute when no automatic insertion has occurred. Top event OH models operator actions to trip and ensure reactor is shutdown after about 10 minutes following the ATWS. Thus, entry into the ATWS tree and asking top event OH is done only if RT is not successful. The event RT, as included in the auxiliary tree, includes the initial failure of automatic reactor trip plus manual trip within one minute, i.e., events A, B, and C in the tree in SSPSA Figure 10.3-2. Event OH is the action in event D (emergency boration). Thus, this tree is consistent with the top events RT and OH.

3.5-7 (Page 3.5-4) OAT Diagnosis Time

LLNL Comment - The OAT should be quantified based on a diagnosis time of 60 minutes, rather than the 10 minutes used.

Response - SSPSA Page 10.3-3, Paragraph 2, explains that 10 minutes is a conservative time limit based on the initial time required for the reactor to become critical again because of the plant cooldown. SSPSA Figure 5.3-30 shows that the reactor power starts to increase about 8.5 minutes following the ATWS event.

As discussed on SSPSA Page 5.3-98, Westinghouse analysis done for the ERGS has shown that if a reactor trip is generated within 10 minutes, plus a turbine trip within 30 seconds (for LONF) and EFW within 60 seconds, acceptable consequences result. See ERG ECA 1 Background Information, Page 1.

3.5-8 (Page 3.5-5) Operator Action OD2

LLNL Comment - We disagree with the allowable time frame for OD2, which applies to all cases except medium LOCA. The time frame of 1 hour used in this case, is contradictory to assumptions used in most past PRAs which allow only 30 minutes for action. Since the SSPSA offers no justification or analysis for the longer time frame, it is our opinion that 30 minutes should be used for all cases.

Response - As stated on SSPSA Page 10.3-10, Paragraph 2, event OD1 is operator action to depressurize SGs in 1/2 hour, event OD2, is the same action but in 1 hour. OD1 was used in Event Tree ML and OD2 was used in SL, GT, SLBO and SLBI. The SG inventory is the basis for the longer time frame in comparison to other plants.

3.5-9 (Page 3.5-5) Operator Actions OP and OM

LLNL Comment - OP and OM should be considered as a single action, that of the operator preventing PTS, and it should have been modeled on a single tree.

Response - It can be seen from the general transient event tree on SSPSA Page 5.3-129 that OP and OM are different events. While both mitigate PTS, OP involves the HPI System and OM involves the EFW System. Combining these into a single event would unnecessarily complicate the analysis of dependencies. In fact, it would be impossible because failure of each of these top events has different impacts on the plant in addition to the potential for PTS.

3.5-10 (Page 3.5-6) OM Tree

LLNL Comment - The OM tree structure results in two parts of the tree which contradict each other. It is not apparent how the MSIV position would make any difference.

Response - According to SSPSA Page 10.3-12, Paragraph 5:

Excessive throttling of EFW will limit cooldown rate and is therefore successful. However, undesirable side effects can occur, such as overheating the EFW pumps due to operation at shutoff head or boiling dry the SGs.

Event OM is considered because of the potential for PTS if EFW is uncontrolled. Failure of OM is assumed to preclude near-term cooling with the SGs. See SSPSA Page 5.3-32 Paragraph 2.

Event ON is described as "operator re-establishes long-term feedwater control" (SSPSA Page 5.3-32, Paragraph 2) and models any operator action needed to provide long-term secondary cooling.

In the GT tree, Sequence 103 (SSPSA Page 5.3-129) is the only sequence with OM failure to end in success. Sequence 103 includes short-term cooling with successful HPI and long-term re-establishment of feedwater (ON successful).

3.5-11 (Page 3.5-6) Operator Action OM

LLNL Comment - The occurrence of boil dry is the same as that which would occur during a total loss of feedwater sequence, and should be considered to result in a core melt. We would give no credit in this case for initiating bleed-and-feed cooling since it is unlikely that the operator would recover from his initial error by establishing this cooling mode.

Response - Overcooling and boil dry are considered in event OM to simplify the GT, SLOCA, SLBI and SLBO trees. OM failure is assumed to always cause loss of EFW in the short-term. This leads to early core melt in all the sequences except where HPI is available to provide short-term core cooling. For the sequences where OM fails, HPI successful and RV successful, the long-term operation of EFW is questioned in event ON. If ON fails, core melt is late; ON successful ends in a success state or transfer to LT1. See SSPSA Page 5.3-32, Paragraph 2.

Overcooling is considered with OM failure only if HPI is also available.

3.5-12 (Page 3.5-7) Operator Action OP - Feed and Bleed

LLNL Comment - The SSPSA states indirectly that failure to control HPI results in a bleed-and-feed condition due to lifting of the PORVs due to charging pump flow. This is not a true bleed-and-feed situation, and has nothing to do with the outcome of the sequence. The sequence result depends only on the availability of feedwater and whether or not the PTS results in vessel rupture. If feedwater is available and vessel rupture does not occur, the plant will be sufficiently cooled whether or not HPI is on, off, or controlled.

Response - As stated on SSPSA Page 10.3-15:

"If the operators do not secure the HPI when it is not required, the system will pressurize to the point of lifting the PORVs and safeties. Then, the sequence becomes a feed and bleed scenario."

3.5-13 (Page 3.5-7) OP Tree - Redundant Branches

LLNL Comment - We also question the need for the branches on the "SI not required" part of the tree which lead to hardware failure, since the failure of pumps that are not required has no effect on the final result of any accident sequences. Thus, these branches are redundant and should be removed.

Response - It should be clear from the event tree on SSPSA Page 10.3-40 that this node has a significant impact on the subsequent conditions required for "acceptable" consequences.

3.5-14 (Page 3.5-8) Operator Action OP

LLNL Comment - The failure branches on the OP tree (and State 3) properly represent operator errors resulting from the operator confusion with regard to believing he should be stabilizing HPI when he should not. It is proper to consider these errors; however, the SSPSA analysis does not make it clear if this is properly handled in their final analysis. We doubt that this was done correctly, based on our review. An example of one place where we believe this concept should be applied is the case of a small LOCA with both EFW and HPI operating.

Response - Operator action OP (control HPI flow) is considered only in sequences where PTS is a concern, i.e., where turbine trip has failed leading to an overcooling event (see Event Trees: GT, SLOCA, SLBO, SLBI, SGTR). The operator action modeled by OP is throttling HPI to limit RCS repressurization during a severe overcooling condition. See SSPSA Page 5.3-45.

The operator action where "the LOCA is misdiagnosed as an inadvertent SI and action are taken accordingly" is modeled in the SLOCA tree.

(SSPSA Page 10.3-15, Paragraph 1.) While this action is not explicitly modeled, it can be considered to be included in event ON - operator action necessary to assure long-term stabilization of the plant.

The operator is guided in this action by the Critical Safety Function Status Trees and Functional Recovery Procedures, part of the TMI-mandated SPDS. These procedures guide the operators to maintain the plant within safety limits without having to first diagnose the problem. Thus, if the operator shuts off the HPI when it was needed for a SLOCA, the core cooling would indicate a "not satisfied" condition, instructing the operator to go to Procedure FR-C.1, "Response to Inadequate Core Cooling." The second step in this procedure is "verify ECCS flow in all trains." Thus, the operator is guided to reinitiate HPI even though he may still not have diagnosed the SLOCA.

3.5-15 (Page 3.5-8) Operator Action ON

LLNL Comment - As discussed in Section 3.2.2, this action need not be considered for any case except for delaying core melt in conjunction with LPI for RCP LOCAs induced by loss of seal cooling. In this case, the action required is essentially identical to action OD1, so that the analysis of a separate action ON is not required.

Response - The data presented in SSPSA Table 10.1-1 demonstrate that OD1 and ON have different time frames, different potential for misdiagnosis, different stress levels, and different results.

3.5-16 (Page 3.5-9) Time Frame for Bleed and Feed

LLNL Comment - The SSPSA allows two hours to initiate bleed and feed cooling, apparently for all cases. Since the SSPSA does not provide any justification or analysis for its assumption, we believe that the above-mentioned shorter time frames, based on event timings for similar plants, should apply.

Response - For a core with no feedwater and no makeup, core cooling comes from the SG inventory and the RCS inventory above the core. The SGs will dry out after about 1-1/2 hours (SSPSA Page B-3) and for a 2-inch diameter primary leak (the PORV "bleed"), the core will uncover in about 1/2 hour. Thus, the operators have about 2 hours to initiate bleed and feed.

3.5-17 (Pages 3.5-9 and 10) Operator Actions LR, HE, and HS

LLNL Comment - Actions LR, HE and HS are not required.

Response - If Action LR is not performed, core melt will eventually result. Events HE and HS were included because they are required in the plant safety design basis due to concern for boron precipitation and flow blockage. We agree that such actions are probably not required to prevent core melt; however, it was more cost effective to include this insignificant conservatism than to perform the analysis required to substantiate its removal.

3.5-18 (Page 3.5-10) Operator Action 03

LLNL Comment - The OAT constructed for event 03 is a reasonable representation of the actions required, however, it appears that it was not actually utilized in the quantification. The position that this error of omission dominates is arguable, since there is also the possibility that the operator picks the wrong time to perform the action, or makes an error of commission in its performance. These errors should have been included in the quantification (they are accounted for on the OAT). Furthermore, the quantification contains an error in it. The SSPSA used data directly from NUREG/CR-1278 from a table which pertains to errors of omission in the use of procedures.

Response - The quantification of operator top event 03 (SSPSA Pages 10.2-21, and 10.2-22) makes use of the guidelines in the NRC handbook (NUREG/CR-1278) and additional relevant sources to produce a consensus distribution, not a single point estimate for the error rate. The quantification results, as stated in the text, are reasonably consistent with time curves for operator actions. In this way, the results of the SSPSA are consciously compared and benchmarked to other estimates of operator error rates thought to be somewhat relevant to the Seabrook plant. The SSPSA methodology goes beyond the simple formulas recommended in the handbook, especially when dealing with assessing the dependency of thought and action between operators, their shift supervisor, and their shift technical advisor.

3.5-19 (Pages 3.5-11 and 12) SGTR Operator Actions

LLNL Comment - The SGTR operator actions are too broken up to be useful. OE, AI, OP and OG should be combined into a single OAT.

Response - The SGTR operator actions in SSPSA Section 5.3.11 are equivalent to actions in Section 10 as follows:

Event OR (operator controls the break flow) includes two operator actions:

OP41 - Operator depressurizes the RCS using pressurizer spray and nonfaulted SGs;

OP42 - Operator depressurizes the RCS by "feed and bleed" of the primary. See SSPSA Page 5.3-82.

Event OD (operator depressurizes RCS and provides makeup) includes two operator actions:

OP51 - Operator continues to depressurize by "feed and bleed" to the point where RHR shutdown cooling is available;

OP52 - Operator continues to depressurize the RCS using nonfaulted SGs, no HPI available.

Thus:

in Sequence 1: OR = OP41 (SSPSA Page 5.3-87)

in Sequence 31: OR = OP41, OD = OP52 (SSPSA Page 5.3-88)

in Sequence 232: OR = OP42, OD = OP51 (SSPSA Page 5.3-90)

OP53 is a typographical error and should be deleted.

The value of 0.05 was used in quantifying operator actions OR and OD in SSPSA Section 5.4. As mentioned in response to earlier comments, combining top events makes it difficult to adequately treat the dependencies.

3.5-20 (Page 3.5-12) SGTR Operator Action Times

LLNL Comment - We also disagree with the time frames allotted for the actions involved. The SSPSA uses very short time frames - on the order of 30 minutes.

Response - The operator action sequence time interval for SGTR operator actions in the SSPSA is about 30 minutes, with the exception of the operator action to isolate a stuck-open steam generator atmospheric relief valve, which is 60 minutes.

The 30-minute time interval for initial diagnosis (as discussed on SSPSA Page 10.3-22) is based on the operator's early awareness of the event prior to automatic initiation of safety systems. Operator failure at early diagnosis does not preclude a successful stabilization of plant conditions. As described on SSPSA Page 10.3-23, operators diagnosed the steam generator tube rupture event at Ginna 3 minutes prior to a reactor trip. The SSPSA included a review of relevant operating experience within the industry. Credible human reliability analysis should include more than just the development of an error rate.

A 30-minute time interval for the other events is conservative, and is based on preventing excessive radioactivity release and flooding of the ruptured steam generator in the worst case situation (see SSPSA Page 10.3-26).

3.5-21 (Page 3.5-12) Operator Actions OR and OD

LLNL Comment - The OR event has only a passing resemblance to the event OR discussed in SSPSA Section 3.5.2.5; in this case it represents events OP41 and OP42. Similarly, event OD on the tree also has only a passing resemblance to the event OD discussed in SSPSA Section 3.5.2.2; in this case it represents events OP51 and OP52.

Response - We agree with the comment. See response to 3.5-19.

3.5-22 (Page 3.5-13) Station Blackout Timing

LLNL Comment - Under station blackout conditions based on our revised analysis of station blackout timing, recovery of EFW would only mean that the time for occurrence of core damage would be extended from 1 to 2 hours, giving an additional hour to recover electric power and avert core damage.

Response - When EFW is available, the time of core melt is dictated by the RCP seal LOCA timing, which was assumed in the SSPSA to require about 14 hours to uncover the core. With EFW failed at t=0, the time to core melt is dictated by the time to boil the SGs dry and the time to "bleed" enough coolant out the PORV to uncover the core. See SSPSA Figure 11.5-10.

3.5-23 (Page 3.5-14) SW Recovery

LLNL Comment - The 30-minute time frame seems reasonable but the four hours is suspect. Since loss of service water has a similar effect to loss of all ac power, at least from the standpoint of RCP LOCA and loss of high pressure injection, it should be treated similarly.

Response - We agree that the time frames allowed for recovery of service water are conservative and should have been the same as for the station blackout RCP seal LOCA scenarios.

3.5-24 (Page 3.5-15) RCP Seal Leakage LLNL Comment - As discussed in SSPSA Section 3.2.3.1, much credit is given to the ability of the RCP seals to maintain a low leak rate for extended periods of time under blackout conditions, and we consider this credit to be unjustified.

Response - The times for RCP seal LOCA were calculated by Westinghouse based on their best understanding at the time the SSPSA was performed (SSPSA Reference B-2). Subsequent tests in France have given credence to the RCP seal failure model used in the SSPSA. See responses to 3.2-38, 3.2-39, and 3.9-11.


3.5-25 (Page 3.5-16) Electric Power Recovery Without Batteries LLNL Comment - We believe that no credit should be given for the recovery of off-site power after the batteries are depleted, since control power to breakers, switchgear and other instrumentation circuits will have been lost, and significant "heroic" action will be required to restore off-site power to the plant.

Response - The potential recovery of electric power without dc power is delayed 2 hours from the time off-site power is available (SSPSA Page 10.4-23) in order to review the procedures to restore ac power in the time remaining before core melt. In most cases, therefore, core melt would have already occurred and naturally no credit for recovery would be permitted.

In the course of the SSPSA, the future operators and engineers of Seabrook and PLG paid particular attention to the site-specific features of this plant. There may be some plants that cannot operate their larger ac breakers without dc power in any manner. These actions at other plants may be truly heroic, as discovered by the reviewers.

The SSPSA calls attention to the manual breaker operation and assumes that periodic training will be performed to go the extra mile in the interest of safety.

The SSPSA (Page 10.4-26) calls out the requirement for procedures and instruments not dependent on ac or dc power.

3.5-26 (Page 3.5-17) Battery Lifetimes LLNL Comment - This assignment was arbitrary and not based on any analysis of the operator actions required, and no justification was provided for these values. We believe that an OAT should have been developed with three end states representative of the three potential lifetimes.


Response - The extension of battery lifetime is not based on diagnosis of a loss of all ac power. An "OAT" is totally inappropriate. As described on SSPSA Page 10.4-21, the selection of a load level (and battery lifetime) is based on the decision of the control room supervisory personnel and the availability of auxiliary operators to carry out the shedding procedure. The SSPSA calls out the requirement for dc load shed procedures, SSPSA Pages 10.4-21, 10.4-22, and 10.4-26.

The battery lifetimes were based on calculations of battery discharge rates supplied by YAEC (see SSPSA Pages 10.4-20, 10.4-21, and 10.4-22). These calculations are best estimate and go beyond those required in FSAR licensing applications in accordance with the philosophy of learning as much about the plant specific hardware and the human interaction as possible. The reviewers did not read the study and/or believe that battery lifetime is only a function of operator actions and that the "OAT" methodology can solve all human reliability analysis problems.

3.5-27 (Page 3.5-18) Diesel Generator Recovery LLNL Comment - The diesel generator recovery curves were quite optimistic when compared to information presented in NUREG/CR-3226 at least in the short term (the first four hours). The SSPSA values are claimed to be based on LER data and EPRI NP-2433.

Response - The SSPSA authors believe that the recovery curves used in the SSPSA are reasonable and the overall results of the recovery analysis are probably conservative. The smallest overall recovery factor that was calculated for nonrecovery of on-site and off-site power was 3 x 10' . In other PRAs values as low as 1 x 10 have been published.


A3.6 FAILURE DATA

3.6-1 (Page 3.6-1) Proprietary Data LLNL Comment - PLG proprietary data was not made available.

Response - The data used for quantification is not proprietary and is provided in SSPSA Section 6, but PLG's raw data and methods are proprietary. PLG proprietary data would be made available for review with the signing of an appropriate proprietary agreement between the organizations. No request was ever received (oral or written) from LLNL for the proprietary data.

3.6-2 (Page 3.6-11) Butterfly Valve LLNL Comment - Butterfly TCV transfer open/closed data is lower than other data sources.

Response - Due to lack of data for butterfly TCV, the distribution for manual valves transfer open/closed was used due to the similarity of butterfly design. It appears that this same assumption was made by the other data sources. The distribution for manual valves transfer open/closed was developed from published estimates and from plant data, from plants similar to Seabrook which show no failures in tens of millions of operating hours.

3.6-3 (Page 3.6-12) Storage Tank LLNL Comment - Storage tank rupture frequency not consistent (higher) with other data sources.

Response - The median of this distribution was the GCR Reliability Data Bank (General Atomic Company Report No. GA-A14839 and UC-77, dated July 1978). A range factor of 10 on a lognormal distribution was assumed due to a relatively high degree of uncertainty.

Note that even with the potentially conservative rate used for storage tank rupture, the event was not a significant contributor to any risk scenario.

3.6-4 (Page 3.6-14) Circuit Breaker LLNL Comment - Circuit breakers (<480 V) transfer open during operation frequency not consistent with other data sources.

Response - This distribution was based on the following three estimates:

Source                                    Estimate    Assigned Error Factor
IEEE-500 (Page 184) recommended value     2.48-8      5
IEEE-500 (Page 184) maximum value         2.67-7      5
NUREG/CR-1635                             3.23-8      10

The methodology for combining the above estimates to develop a distribution for circuit breaker (<480) is described in SSPSA Section 6. The resulting distribution represents a weighted combination of the above estimates.

3.6-5 (Page 3.6-15) Pressure Transmitter LLNL Comment - Failure rate for pressure transmitters seems low compared to other values.

Response - This distribution was based on the following six estimates:

Source           Component               Estimate      Assigned Error Factor
IEEE-500         Pressure Transmitter    R = 3.01-6    3
IEEE-500         Pressure Transmitter    M = 2.49-5    3
GCR              Pressure Transmitter    1.00-5        5
RADC-NP-A        Pressure Transmitter    6.76-6        5
RADC-NP-B        Pressure Transmitter    1.99-6        5
NUREG/CR-1635    Pressure Transmitter    8.80-7        10

For a discussion about the method used for combining the above estimates, see SSPSA Section 6. The resulting distribution is based on a weighted combination of these estimates with a spread representing the variability of the failure rate among the various sources as well as the assigned error factor (or confidence factor).

3.6-6 (Page 3.6-15) DC Power Supply LLNL Comment - DC power supply components have significantly higher failure rates in SSPSA.

Response - This distribution was based on the following estimates:

Source                      Component          Estimate      Assigned Error Factor
IEEE-500 (Page 503)         Power Supply       R = 2.87-6    5
IEEE-500 (Page 503)         Power Supply       M = 1.32-5    5
W-1400 (Table III.2-1)      Battery Charger    3.00-6        5
CE-ALO (Page 2B-13)         Power Supply       1.55-5        10
CE-ALO (Page 2B-4)          Power Supply       6.20-5        10
NUREG/CR-1635 (Page 375)    Power Supply       3.05-7        10

See SSPSA Section 6 for a discussion of the method used to combine the above estimates. The resulting distribution represents the variability of the estimates as well as the assigned error factor.

3.6-7 (Page 3.6-16) Pipe Rupture/Control Rod LLNL Comment - For pipe rupture and single control rod failure, mean to median ratio is larger than other data sources.

Response - The upper and lower bound for pipe rupture (5th and 95th) was taken directly from WASH-1400. Thus, if a lognormal distribution was assumed for the WASH-1400 distribution as it was for the SSPSA distribution, the mean/median ratio should be the same.

The distribution for "Single Control Rod - Fail to Insert on Demand" was based on review of Westinghouse plant operating history. The distribution represents a plant-to-plant variability model of the failure rate based on the number of demands counted for various Westinghouse plants and the fact that for the data collection period no failure was observed. For discussion of the methodology, see SSPSA Section 6.

3.6-8 (Page 3.6-16) Typo LLNL Comment - SSPSA Table 6.2-1 had No. 59 missing.

Response - This is a typographical error. No. 60 should be replaced with 59.

3.6-9 (Pages 3.6-17 and 18) Mean to Median Ratios LLNL Comment - SSPSA mean to median ratios do not seem consistent with the ranges for other sources and it is not obvious why the ratios are significantly larger for the identified five components.

Response

(1) In general, in the SSPSA, the distributions represent several sources of variability and uncertainty including plant-to-plant variability of data based on actual operating experience, the variability of estimates among various sources of data (expert opinion) and the associated confidence factors assigned by SSPSA.

In cases where only one source of data was used, the distribution was assumed to be lognormal with the available estimate used as the median. Typically, the range factor (the ratio of the 95th percentile to the median) of the lognormal distributions was assessed to reflect plant-to-plant variability and potential overconfidence expressed by sources (experts) of data. Consequently, the resulting lognormals have more spread than the typical distributions found in generic sources of data.

Since the SSPSA distributions are typically wider than those found in other data sources, it is not surprising that the ratio of the mean to median values is larger. The mean/median ratio is strongly dependent on the type and spread of distribution assumed. Also, note that while the mean/median ratio gives some measure of the spread of the distribution, it does not have consistent meaning for different families of distributions. A more appropriate measure of the spread is the range factor which uses the upper and lower ranges.

(2) Table 3.6-2 from the LLNL report is difficult to read. It appears that entries into the table have been jumbled. It is not clear why certain data sources were chosen for comparison. Also, it is not clear what the final column ("Range factor") is and why it should be comparable to SSPSA mean/median ratios.

(3) In general, the data used in the SSPSA is assumed to have more uncertainty for data estimates than the sources. This is in response to a general criticism by the Lewis Committee (and others) of WASH-1400 that the uncertainties seemed to be underestimated. Thus, for components with no plant-specific experience data, the range factor and mean/median ratio will tend to be higher than other sources. This is conservative in that the mean increases with increasing uncertainty.

(4) Specifically, for the components listed in Table 3.6-2:

(a) Single control rod - see Comment/Response 3.6-7.

(b) Pipe rupture - see Comment/Response 3.6-7.

(c) Bus failure - This distribution, with mean of 5.0 E-7 and Range Factor (RF) of 3.6, was developed from available estimates (such as IEEE STD-500 metal enclosed bus, mean = 3.1 E-7, RF = 5) and data from several power plants (one failure in more than 10 million operating hours). The plant data was responsible for reducing the range factor (and also the mean/median factor).

(d) Relay failure - This distribution, with a mean of 2.4 E-4 and RF of 7.3 was developed from a number of available estimates (varying from 3 E-6 to 1 E-3) with assigned RFs of 5. However, most of the estimates are between 1E-4 and 4E-4. When the estimates are combined, the RF increased to 7.3.

3.6-10 (Page 3.6-24) Diesel Generator Beta Factor LLNL Comment - Beta factors for diesel generator failures are low compared to alternate data sources and the generic beta factor.

Response - The beta factors for diesel failure to start and failure to run were developed from a detailed data search to catalogue diesel generator common cause incidents (actual and potential). This was used to update a uniform prior and yielded the distributions given in SSPSA Section 6.3. Thus, these beta factors are based on actual data. The generic beta factor distribution was developed based on judgment of a conservative common cause factor that could be applied to any component besides the ones listed. This generic factor has no direct relation to the diesel beta factors.

3.6-11 (Page 3.6-25) Common Cause - Batteries LLNL Comment - Common cause failure of batteries should be considered.

Response - The criteria for inclusion of a beta factor are discussed in SSPSA Section 4.3. One criterion used is that the group of components postulated to fail as a result of the most severe common cause event in that group constitutes a minimal cut set of the system. In the Seabrook dc power system, a common cause failure of both sets of batteries would need to combine with independent or common cause failure of two battery chargers to produce a system minimal cut set, i.e., to result in system failure. Hence, the criterion was not met for either batteries or battery chargers. The remaining components in the dc power (e.g., bus work) system were classified as passive.

The reviewers brought up a good point in that the criteria for applying a common cause model would be more complete if the requirement to produce a system level cut set were dropped. In subsequent studies at PLG, this requirement has been dropped and common cause events involving batteries, battery chargers, and inverters are now being modeled. However, it is important to note that inclusion of battery common cause events at Seabrook Station would have a negligible impact on the results in view of the diversity of that system.

The authors of the SSPSA agree that more guidance is needed for PRA analysts to decide when and whether to apply a common cause model. It is clear, however, that a fully complete treatment would be intractable. We note again that the coverage of common cause events via the beta factor model was far more complete than in any previously published PRA.

Other than operator errors during crosstie operation, no multiple failures of batteries on demand were found after a review of battery failures in operating power reactors. There is no manual crosstie between trains in the Seabrook design.

Degraded battery conditions (low or high level, ICU out of tolerance, corrosion of connectors, etc.) lead to failure of a battery to meet the design load requirements. This failure is considered in Seabrook in the quantification of power restoration following a loss of off-site power by assuming that all batteries fail after a certain time, varying the times and assigning probabilities to the various times to failures.

3.6-12 (Pages 3.6-25 and 26) DC Power System LLNL Comment - DC power system failure rate is probably in the range of 1E-5 (Reference 11: NUREG-0666).

Response - NUREG-0666 was reviewed during the performance of the system's analysis for the SSPSA.

Based upon the extremely conservative assumptions and design differences for the reference system analyzed in the NUREG-0666 study, the results were judged to be inappropriate for comparison to the Seabrook dc power system.

Design differences include the NUREG-0666 two dc trains (battery and charger) with a manual crosstie between the trains (the leading contributors to dc system failure involved this crosstie). Seabrook dc power has two dc trains, each train consisting of two batteries and two chargers. No crosstie between trains.

Assumptions used in NUREG-0666 judged inappropriate for the Seabrook dc power system include the following:

1. Maintenance of a charger once per quarter for two hours. Too high a frequency based upon review of industry data.
2. Battery maintenance during power operation once per year for two hours. Too high a frequency based upon review of industry data.
3. Manual crosstie of trains during maintenance and tests. There is no crosstie at Seabrook due to design.

Finally, the conclusions and recommendations of NUREG-0666 have been implemented in the Seabrook dc power system design.


3.6-13 (Page 3.6-27) Service Water LLNL Comment - The value for SWS with off-site power available and no signal from SSPSA Table D.3-10 is not consistent with value shown in SSPSA Table 7.3-1.

Response - The comment is correct. In the process of iterating the numerical results during the final stages of the study, changes were made in SSPSA Appendix D.3 which did not get carried to Section 7.3.

In general, the values in Appendix D are more reliable (i.e., closer to the original output, and thus less subject to transcription errors) than values in Section 7. The results in Section 7 are for display purposes only and are not used in quantifying the sequences in Section 5.4. Thus, any errors in Section 7 were not propagated through the study.

3.6-14 (Page 3.6-28) SW Ventilation LLNL Comment - Major deficiency: SWS analysis incorrectly assumed that ventilation would be in nonoperating status at the beginning of the incident.

Response - As stated in the SSPSA Page D.3-14, the Pump House Ventilation System operation will depend on environmental temperature. It is possible that in winter the Ventilation System would not be operable because the heat generated by the operating equipment is sufficient to heat the building. The conservative assumption was made that both fans are not running and are required to start and run (one-out-of-two-success). Thus, the quantification includes both fail-to-start and fail-to-run for the ventilation fans. The ventilation term contributes but does not dominate the unavailability of SWS. The conservatism, therefore, does not significantly affect the system results.


3.6-15 (Page 3.6-28) SW Ventilation LLNL Comment - Major deficiency: Questionable assumption that common cause failure of ventilation fans and dampers is negligible.

Response - The common cause failure of dampers is assumed to be negligible based on:

(1) No common cause failures of dampers in the data base, and

(2) In general, common cause failures of passive devices (such as dampers moving to the fail safe position) have not been observed, and mechanisms for common cause failures are not as prevalent as for active failures.

The common cause failure of the ventilation fans is neglected due to low likelihood of common cause failure which would result in short-term failure of equipment (except for fire which is modeled explicitly).

Also, the ventilation failure is conservatively assumed to cause immediate failure of SW pumps. Because of these and other conservatisms discussed on SSPSA Page D.3-38, it was considered inappropriate (i.e., overly conservative) to apply, on top of these, a generic beta factor for residual common cause.

3.6-16 (Page 3.6-28) SW Ventilation LLNL Comment - Pump House ventilation failure rate was improperly quantified.

Response - It is unclear where the improper quantification exists. The Service Water Pump House Ventilation System quantification (see SSPSA Pages D.3-20 to 23) was checked and no errors were discovered.

3.6-17 (Page 3.6-30) SW Common Cause LLNL Comment - Common cause failures of service water have occurred (e.g., at Brunswick) in contrast to the statement in the SSPSA that no "true" common cause failures have been reported.

Response - The Brunswick events were considered and judged not to be applicable to the Seabrook design.

Several multiple failures of the RHRSW pumps at Brunswick have occurred. The RHRSW system is backed up by the conventional SW System, which, for all of the events found, provided backup cooling to the RHR heat exchangers.

Two identical causes for the loss of service water at Brunswick have been identified as follows:

1. Suction loop piping design inadequate. Air pockets in suction piping caused pumps to trip on low suction pressure.
2. Low suction pressure trip switch failures:
a. Loss of switch fluid,
b. Partial plugging of switch sensing line.

The Seabrook service water pumps are set in the SW pumphouse; no suction piping is required.

No low suction pressure trips exist on the Seabrook service water pumps.

No common cause has occurred that has failed the service water system at any U.S. power reactor.

The statement that no "true" common cause failures have occurred is true for service water systems that are similar in design to Seabrook.

Reference NPE: Volume BWR-2

VIII.C.337
II.E.717
II.E.723

3.6-18 (Page 3.6-30) PCC LLNL Comment - Totals for the blocks in Table D.4-7 were incorrectly summed.

Response - A recheck of the totals for the blocks in SSPSA Table D.4-7 reveals two slight disagreements. Block C (6.16E-4 rather than 5.88E-4) and Block D (1.16E-4 rather than 1.07E-4). These slight changes have very little effect on the final results. One of the difficulties in trying to reproduce results by hand calculation is that the quantification was done by a code (DPD) that factored in the data dependence with squared terms (i.e., the variance term).

3.6-19 (Pages 3.6-30 and 31) PCC Block C LLNL Comment - Why was "fail to transfer to the failed position" used for valves which isolate nonessential cooling loads inside and outside containments for off-site power available cases?

Response - It appears that "fail to operate on demand" mode should be used for SW-V341, V32, V426 and V427 in calculation of Block C.

3.6-20 (Pages 3.6-32 and 33) PCC Ventilation LLNL Comment - It does not appear valid to ignore common cause ventilation fan failures.

Response - The principal basis for not modeling common cause ventilation fan failure is that there are no such failures reported in nuclear experience data base. This would indicate that common cause failure makes a small contribution to system failure.

3.6-21 (Pages 3.6-33 and 34) PCC Pump Beta Factor LLNL Comment - The common cause PCC pump beta factors are considered questionable (too low).

Response - The common cause beta factors for PCC pump fail to start and fail to run were developed by detailed investigation of nuclear experience data for actual and potential common cause failures of similar pumps in similar systems.

3.6-22 (Pages 3.6-34 to 36) PCC Valve Common Cause LLNL Comment - SSPSA incorrectly states that common cause failure of MOVs and AOVs have a negligible contribution because the failure rates are so low.

Response - The only common cause valve failures which might be significant in the PCC System are between SW-V32 (AOV isolates Train A from spent fuel pool Heat Exchanger 15A) and SW-V445 (AOV isolates Train B from spent fuel pool Heat Exchanger 15B). All other valve failure combinations are (valve) x (other), and consequently are smaller than the above combination. Failure of each of these valves was conservatively assumed to cause failure of its train. In reality, this load is not likely to cause the water to overheat in the short term. Sufficient time is available for operator action.

3.6-23 (Pages 3.6-38 and 39) Reactor Trip Criteria LLNL Comment - The criteria for reactor trip system success (no more than one control rod failing to insert into the core upon demand) is conservative and not consistent with subsequent analysis.

Response - The success criteria of not more than one control rod assembly failing to insert is equivalent to the top event failure criteria of two or more control rod assemblies failing to insert.

There is no inconsistency with these statements. The success criteria comes from the NRC single failure criteria for reactor trip which calls for designed shutdown margin with the single highest worth control rod assembly failing to insert. This is a conservative criteria, but the additional modeling needed to make the criteria more realistic is not justified based on the high reliability of control rod assemblies to insert.

3.6-24 (Pages 3.6-38 and 39) RTS, SSPS, ESFAS LLNL Comment - No explanation is given to aid in understanding Figure D.6-1.

Response - Figure D.6-1 shows the dependencies among RTS, ESFAS and SSPS (e.g., ESFASA depends on SSPSA, RTS depends on SSPSA and SSPSB, etc.). Failure of SSPSA causes guaranteed failure of ESFASA, etc.

3.6-25 (Page 3.6-40) Reactor Trip Quantification LLNL Comment - Not possible to verify quantification of all possible combinations of 2 or more rods failing to insert on demand.

Response - The quantification is as follows: The summation of combinations of 57 rods taken 2 at a time, 3 at a time, etc.:

o Any two rods = (number of combinations of 57 rods taken 2 at a time) x (frequency of single control rod assembly fail to insert)^2

= 1596 x (3.26 E-5)^2 = 1.70 E-6

Subsequent terms (any three rods + any four + etc.) are not quantitatively significant.


The difficulty of reproducing the exact numerical result is that the code used to quantify these expressions combined distributions (rather than means) and took into account data dependence in the combination terms (a variance factor).
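The lognormal argument in Response 3.6-9 (a wider range factor gives a larger mean/median ratio) and the rod-pair term in Response 3.6-25 can be checked numerically. The Python below is an added example, not code from the SSPSA or the DPD code; it assumes a lognormal state-of-knowledge distribution shared by all rods, and the range factors it loops over are illustrative values, since the page gives none for the control rod frequency.

```python
import math

Z95 = 1.6449  # 95th percentile of the standard normal distribution


def sigma_from_range_factor(rf):
    """Lognormal sigma for a range factor rf = 95th percentile / median."""
    if rf <= 1.0:
        raise ValueError("range factor must exceed 1")
    return math.log(rf) / Z95


def mean_to_median(rf):
    """Mean/median ratio of a lognormal distribution: exp(sigma^2 / 2)."""
    return math.exp(sigma_from_range_factor(rf) ** 2 / 2.0)


def moment_factor(k, rf):
    """E[x^k] / (E[x])^k for a lognormal x: exp(k (k-1) sigma^2 / 2).

    For k = 2 this is (mean^2 + variance) / mean^2, i.e. the variance
    correction that appears when a product of identical, fully dependent
    frequencies is averaged over the distribution instead of multiplying
    the means.
    """
    s = sigma_from_range_factor(rf)
    return math.exp(k * (k - 1) * s * s / 2.0)


def rods_fail_term(n_rods, k, mean_freq, rf=None):
    """Term for 'any k of n_rods fail to insert' in the rare-event sum.

    rf=None    : point estimate, C(n, k) * mean^k (the hand calculation).
    rf=<value> : assumption for this example only: every rod shares one
                 lognormal frequency with that range factor, so the term
                 uses E[x^k] rather than mean^k.
    """
    term = math.comb(n_rods, k) * mean_freq ** k
    if rf is not None:
        term *= moment_factor(k, rf)
    return term


N_RODS = 57          # from Response 3.6-25
ROD_MEAN = 3.26e-5   # single control rod fail-to-insert frequency (3.6-25)

if __name__ == "__main__":
    print("Range factor -> mean/median ratio (lognormal)")
    for rf in (3, 5, 10):
        print(f"  RF = {rf:>2}: mean/median = {mean_to_median(rf):.2f}")

    pair = rods_fail_term(N_RODS, 2, ROD_MEAN)
    triple = rods_fail_term(N_RODS, 3, ROD_MEAN)
    print(f"Any two rods, point estimate:   {pair:.2e}")
    print(f"Any three rods, point estimate: {triple:.2e}")

    print("Any two rods with the variance term (illustrative range factors)")
    for rf in (3, 5, 10):
        print(f"  RF = {rf:>2}: {rods_fail_term(N_RODS, 2, ROD_MEAN, rf):.2e}")
```

The point-estimate pair term reproduces the 1.70 E-6 quoted in the response, and the three-rod term is more than three orders of magnitude smaller.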

3.6-26 (Page 3.6-40) RTS Assumptions LLNL Comment - No basis is provided for the following assumptions: 30-minute testing interval for each RTS train (Page D.6-41), maintenance duration of 15 minutes (Page D.6-47), and infrequent trip breaker maintenance (Page D.6-47).

Response - These assumptions were based on expert engineering judgment. The conclusions (quantitative and qualitative) resulting from these assumptions are not sensitive to the precise values assumed.

3.6-27 (Page 3.6-40) RTS Common Cause LLNL Comment - No consideration is given to common cause failure of drive mechanism to release or rod assemblies to insert.

Response - The RTS hardware unavailability is dominated by failure of the reactor trip breakers.

BA • BB = 3.35 E-5 (Breakers)

CR = 5.43 E-6 (Control rods - mechanical)

The common cause failure of control rods mechanically is not significant in comparison to common cause breaker failure (beta factor of 0.11). The common cause failure of breakers dominates the unavailability of the RTS, consistent with experience (e.g., Salem breaker failures).

3.6-28 (Pages 3.6-43 and 44) SSPS Common Cause LLNL Comment - Common cause contribution to SSPS appears invalid and incomplete.

Response - The common cause failures of logic channels, power supplies and inverters were not considered because it was judged that failure mode is very unlikely (very small beta factor) for electric equipment undergoing constant testing.

3.6-29 (Page 3.6-44) Pressure Sensor LLNL Comment - SSPSA pressure sensor failure rate was optimistic.

Response - See response to 3.6-5.

3.6-30 (Page 3.6-45) Logic Channel Maintenance LLNL Comment - The value for maintenance frequency for logic channel (equal to logic channel failure probability) is inconsistent between Pages D.6-48 and D.6-36.

Response - The value of 2.93 E-6/ hour is the correct value for failure frequency (from SSPSA Table 6.2-1). The value used on Page D.6-36 should be 2.93 E-6 rather than 2.70 E-6.

3.6-31 (Page 3.6-45) SSPS Testing LLNL Comment - The basis for distribution used for testing time intervals for the SSPS is not provided.

Response - The basis for the distribution for the duration of testing time (0.6-15 minutes, 0.2-30 minutes, 0.2-1 hour) is expert engineering judgment. The final result for testing is not very sensitive to this distribution.

3.6-32 (Page 3.6-46) ESFAS Success Criteria LLNL Comment - ESFAS success criteria is quite conservative.

Response - The ESFAS success criteria for some events, such as large LOCA, is conservative due to modeling the core cooling and the containment isolation and cooling relays together. However, to model this system more realistically would require additional modeling at the system level and would yield additional complexity at the event tree level. The additional modeling is not warranted because the effects make a small quantitative difference. For example, for a large LOCA, if just the core cooling function is modeled, with containment sprays, Phase B isolation and main steam isolation functions removed, this becomes the same as a small LOCA. Comparing the total large LOCA hardware (4.05 E-5) and small LOCA hardware (3.43 E-5) shows a very small, conservative increase for large LOCA. The effect for containment spray and isolation is much more conservative, but the contribution is not important to spray/isolation failure.

3.6-33 (Page 3.6-46) ESFAS - Transients LLNL Comment - The quantification for transient initiators for ESFAS contains an intermediate step that is incorrect.

Response - The last three terms were inadvertently left out in this intermediate quantification step. The next step was quantified correctly.

3.6-34 (Pages 3.6-46 and 47) ESFAS - Transients LLNL Comment - For ESFAS transient initiated accidents, the statement "no single cause of failure dominates, with common cause failures and random failures contributing about equally," is not correct.

Response - The statement above is, in general, accurate for the "all support systems available" case for all initiating events except for transients.

3.6-35 (Page 3.6-48) Enclosure Air Handling LLNL Comment - The success criteria for enclosure air handling system that one train must operate for 24 hours is inconsistent with the assumptions for ECCS Pump Room cooling.

Response - The period for operation of 24 hours for this system is consistent with the operational time periods for other systems' success criteria. This time period was chosen for analysis as a point at which the incident would be under control and decay heat was low enough that there would be plenty of time for recovery if subsequent failures occur. Failure of the Air Cooling System is conservatively assumed to cause failure of ECCS components in the long term (>6 hours). This is based on an extended time period for room heatup from pump heat and assumes no operator intervention to open doors or use portable fans.

The distinction between early and late failure is necessary in order to map sequences to the proper plant damage states. Further resolution of failure time due to overheating does not add to the analysis.

3.6-36 (Pages 3.6-48 and 49) EAH Operator Action LLNL Comment - There are disagreements between SSPSA Pages D.7-10 and D.7-18 regarding operator action for Enclosure Air Handling System and also, about time available to restore - 2 hours or 6 hours.

Response - SSPSA Page D.7-10 states that no credit was taken for operator actions to recover failed equipment. The operator action described on SSPSA Page D.7-18 is manual startup of the standby cooling train, not recovery of failed equipment. This is also stated on SSPSA Page D.7-8 in the first failure criteria: "only automatic operations of the ventilation trains are considered in the analysis except for manual startup of the standby unit on loss of PCC to the operating unit." No human error was modeled for this action because the operator diagnosis and the corrective action for this manual startup is not complex. Also, the probability of operators failing to switch cooling trains is considered insignificant with respect to the failure from other contributors because of the individual alarms indicative of inadequate ventilation. The time available for operator action is conservatively estimated to be at least 2 hours. There is an additional period of time from the failure of a support train until indication is available to the operators to switch ventilation trains.

Together, these two periods are expected to be easily within the 6-hour time to overheat failure of ECCS equipment.

3.6-37 (Page 3.6-49) EAH Boundary Conditions LLNL Comment - The statement on Page D.7-18, which describes boundary conditions 2B, 2C and 2D as those states with one emergency bus and the other train of PCCW failed, is incorrect.

Response - This statement should be corrected to read: "This analysis considers the impact of the failure of one emergency bus or failure of one train of PCCW. These conditions are quantified as Boundary Conditions 2B, 2C and 2D." The discussion on SSPSA Pages D.7-9 and 10 correctly reflects the states considered.

3.6-38 (Page 3.6-49) EAH LLNL Comment - Operability States G and H (one train of T signal fails and opposite train of PCC fails) are not considered failed states on Page D.7-10.

Response - As described on SSPSA Page D.7-5, the T signal initiates isolation of the PAH System from the Containment Enclosure Cooling System by closing Isolation Dampers PAH-DP-35A, 35B, 36A and 36B. These dampers are configured so that closure of Train A dampers or Train B dampers will isolate the cooling system. Thus, failure of one train of the T signal (i.e., failure of one train of SSPS or ESFAS) will not cause failure to isolate; however, it does affect quantification. With both T signal trains operable, the dampers are paired (Block C = 1.53 E-5) and with one T signal operable, the dampers are singles (see Block D = 8.16 E-4). Thus, States G and H are not failed states and are correctly placed on Page D.7-10.

3.6-39 (Page 3.6-49) EAH Common Cause LLNL Comment - Common cause contribution from failures of standby train and operating train is not considered.

Response - Common cause failures between components in different operating modes (operating and standby) were initially not considered in the SSPSA because it is believed that the likelihood of such failures is small. According to SSPSA Page D.7-19, there have been no reports of common cause failures of ventilation systems similar to this system.

3.6-40 (Page 3.6-50) ECCS Analysis LLNL Comment - Assessment of ECCS is lengthy, comprehensive and complex, confusing and difficult to review in detail.

Response - The ECCS is a complicated system with a number of subsystems that function in different modes - normal plant operation, core cooling injection and cooling recirculation. There are a number of automatic and manual actions that have been modeled in detail. By modeling such a complex system in a detailed manner the assessment is bound to be lengthy and complex, and require considerable time to review.

3.6-41 (Page 3.6-55) ECCS Assumptions LLNL Comment - The bases for many assumptions and conditions are not provided. These include:

o Failure of PCC cooling fails SI pump in 5 minutes. (Page D.8-5)

o SI pumps assumed to fail "at some time longer than 6 hours" if Containment Enclosure Cooling System fails. (Page D.8-5)

o Failure of PCC during RHR miniflow "is assumed to fail RHR pumps within 1 hour." (Page D.8-8)

o CVCS pumps will fail during recirculation "at some time longer than 6 hours" if containment enclosure cooling fails. (Page D.8-10)

o Automatic valves (MOVs) failing by transferring open is not considered as a failure mode. (Page D.8-10) (A check of the failure rate for the mode as given in Table 3.6-1 herein indicates that this failure mode should not be a significant contributor.)

Response - The basis for the listed assumptions and conditions are as follows:

a) The assumption that failure of PCC cooling fails SI pump in five minutes was based on a review of pump failures due to overheating from NPE. One event was found in which a pump overheated and failed in a short time (length of time was not given explicitly). This time period was judged to be five minutes, but the analysis is not sensitive to the exact time to overheat.

b) The assumption that SI pumps failed some time after six hours with loss of room cooling was based on a review of relevant events from NPE. It was judged that failure of the pumps due to room overheating would be a long-term failure due to the large sizes of the Pump Rooms and that the best estimate for the long time would be about 24 hours. Six hours is important for two reasons - determining early and late core melt, and determining whether the RWST has injected or not. Thus, it was not necessary to specify long-term failure any more exact than "greater than six hours."

c) The assumption that failure of PCC during RHR miniflow fails RHR pumps within one hour was based on a review of NPE. One relevant event was found in which a pump failed early due to overheat in the miniflow recirculation mode. The exact time to failure is not critical to the analysis.

d) The assumption that CVCS pumps will fail some time longer than six hours with loss of room cooling is consistent with the assumption for SI pumps described in b) above.

e) The assumption that MOV failure by transferring open is not a credible failure mode is based on the physical construction of MOVs. MOVs installed upright vertically can transfer closed by gravity due to disconnect from the valve operator. However, the only fault causing MOV transferring open is a command fault. This is considered in two analyses - initiating events (inadvertent SI initiation - data would include such events) and fire analysis (cable fires causing hot shorts).

3.6-42 (Page 3.6-56) ECCS Medium LOCA Recirculation LLNL Comment - It does not appear that the ECCS failure mode for medium LOCA recirculation has been quantified. No failure expressions for this mode are provided in SSPSA Subsection D.8.2.3.2 and do not appear to be provided elsewhere.

Response - The ECCS failure mode for recirculation following medium LOCA is the same as large LOCA recirculation - Low Pressure Recirculation (LPR). The system success criteria given on SSPSA Page D.8-3 for MLOCA LPR and LLOCA LPR are almost identical (one RHR pump supplying two cold legs for 22 hours and 23 hours, respectively). This is due to the response of the primary system to depressurize following a MLOCA.

3.6-43 (Page 3.6-56) ECCS Beta Factors LLNL Comment - B-factors used for two ECCS components appeared to be inconsistent with alternate sources and also with the "generic" B-factor (0.125) used in the SSPSA. These two components were (1) the high pressure injection pumps where a B-factor of 0.0588 was used for fail to start and 0.0640 for fail during operation, and (2) the RHR pumps where a B-factor of 0.0667 was used for fail to start.

Response - The beta factors were developed for these specific pumps in the specific application based on data review and analysis. Other sources (alternate sources) tend to lump all pumps together in developing beta factors. In fact, the data reveals that beta factors are different for different pumps. The generic beta factor was chosen as a screening value and was used as an upper bound when data analysis was not justified to determine component-specific values.

3.6-44 (Page 3.6-57) EFW LLNL Comment - Emergency feedwater failure is a small contributor to CMP and not a dominant contributor to risk of fatalities. This result is not consistent with some other PRA results wherein Emergency (Auxiliary) Feedwater System failure was found to be a leading contributor to CMP in sequences involving loss of all ac power.

Response - EFW failure is a small contribution to risk primarily because of the credit given to feed and bleed cooling. This credit is justified based on detailed operator procedures and training which gives high confidence in operator success. In addition, due to the large steam generator inventory, sufficient time is available for the operator to diagnose loss of EFW and respond by initiating feed and bleed.

3.6-45 (Page 3.6-58) Condensate Storage Tank LLNL Comment - The discussion on SSPSA Page D.9-2 regarding the prevention and detection of condensate storage tank freezing is vague and sketchy. The "methods" and "systems" available for detection and prevention are not defined, and failures are expected to be "probably" remedied. No discussion is provided for procedures and Technical Specification requirements, if any.

Response - It was judged by the authors and reviewers of the study that additional detail was not needed for the following reasons. First, the operator will be aware of outside environmental conditions, when freezing is possible. Secondly, the CST is protected from freezing by a heating system that actuates automatically on low temperature (40°F). Thirdly, this is a slowly developing condition with ample time and opportunity for operator action. Fourthly, low temperature is alarmed in the Control Room. Thus, the freezing of the CST is judged to be very unlikely and does not warrant a detailed write-up.

3.6-46 (Page 3.6-58) EFW - Auto Isolation LLNL Comment - SSPSA Page D.9-3 discusses the automatic isolation feature of the Emergency Feedwater (EF) supply if flow exceeds 450 gpm. The possibility of this feature failing and putting the EF in an isolation condition does not appear to be considered in the subsequent system failure assessment.

Response - It was judged that failure of the auto isolation feature is unlikely and that if it did fail it would do so as an "announced failure." That is, if the flow sensor fails high, the auto isolation feature will close the MOV in the related supply line. This valve closure will be apparent from the control board and the low flow will be announced in the VAS. The operator has sufficient time to respond to this event, due to the large steam generator capacity and can override the signal and open the isolation valve.

3.6-47 (Page 3.6-58) EFW - Actuation LLNL Comment - The penultimate paragraph on SSPSA Page D.9-4 indicates that both trains of the Solid State Protection System (SSPS) are required to actuate both emergency feedwater trains. Further, Train B is required to actuate either EF train. This appears to disagree with the SSPS assessment wherein system success is defined as a signal from at least one SSPS train. (Page D.6-2)

Response - There is no disagreement between SSPSA Sections D.6 and D.9. System success for SSPS is at least one SSPS train sending a signal because one train of ESF is sufficient for core cooling (e.g., one train of EFW is sufficient to provide secondary cooling). In the event trees, system failures, by train, are traced through the sequences so that the conditions of failure of 0, 1, and 2 trains of SSPS are handled explicitly.

3.6-48 (Page 3.6-59) EFW - Turbine Pump LLNL Comment - SSPSA Page D.9-15 (1st paragraph) states that operation of the turbine-driven EF pump is not dependent on a source of power. However, dc power is usually required for monitoring and control. The potential dc power dependence is not considered in the SSPSA.

Response - Based on operator input, it was judged that the turbine-driven EFW pump can be operated with manual action only, with no ac or dc electric power. However, whether it is successful or not, the sequence goes to core melt. In the general transient tree, for example, with loss of all dc and the turbine-driven EFW pump successful, the operator action to depressurize (OR) determines if the core melt is early or late. If the EFW pump fails, the end state is an early melt.

3.6-49 (Page 3.6-59) Startup Feed Pump LLNL Comment - The unavailability quantification on SSPSA Page D.9-16 includes a statement that failures of the startup prelube oil pump required for the startup feed pump are included "as failures of the startup feed pump". However, the startup feed pump failure rate used is the general rate for motor-driven pumps, most of which would not be expected to have a dependency on prelube oil pumps (although the SSPSA data base is proprietary and this cannot be confirmed). However, including a factor for prelube oil pump failure would not appear to have any significance on the failure of emergency feedwater.

Response - The generic data base for standby pumps includes all kinds of pumps including some pumps which have prelube oil pumps. There was no significant difference observed in the data base between pumps with and without prelube oil pumps. This is due to the fact that breaker failures on the large pumps were the most frequent cause of pump failure.

3.6-50 (Page 3.6-59) EFW - Fire Wall LLNL Comment - In assessing the common cause failure contributions, it is stated on SSPSA Page D.1-32 that a "fire wall partition" separates the two emergency feedwater pumps. In inspecting this area during the Seabrook plant tour on August 29, 1984, no such wall was found to exist. Further, plant personnel indicated that no plans exist to construct such a wall. If this remains the case, fires, missiles or flooding caused by one pump failure could readily fail the second pump since they are very close together (a few feet).

Response - At the time the SSPSA was being performed, it was planned to have a fire wall partition. Since that time, it has been decided to not have such a wall. Thus, the SSPSA reflects the design of 1982-1983 time frame.

However, as stated on SSPSA Page D.9-32, the fire wall is not considered in the fire analysis for the EFW Pump House. Flooding is also considered and is judged to be less important than fires. The only time the wall is referenced is with regard to pump missiles. In addition to the wall, the pumps are perpendicular to each other. Thus, missile impingement is not a concern even without the wall. Thus, the analysis would remain unchanged without the wall.

3.6-51 (Page 3.6-60) RCS Relief Valves LLNL Comment - Comparison with WASH-1400 indicates that reactor coolant pressure relief failure probability used in the SSPSA may be too high.

Response - The distribution used for reactor coolant pressure relief failure frequency is based on the best available data. This agrees well with EPRI relief valve data.

3.6-52 (Page 3.6-61) PORVs - Feed and Bleed LLNL Comment - The feed and bleed success criteria (SSPSA Page D.10-1) assumes only that the two PORVs need to open. However, for some feed and bleed scenarios, cycling of these valves may be required.

Response - The procedure for feed and bleed cooling (FR-H.1) requires the PORVs to be opened. These valves will remain open until secondary cooling is restored. Thus, the PORVs are not cycled.

3.6-53 (Page 3.6-61) PORV Block Valves LLNL Comment - No basis is provided for the fraction of the time (0.1) a block valve is assumed to be closed due to PORV leakage (designated "f" on SSPSA Page D.10-5).

Response - The value used (0.1) for fraction of time a block valve is closed was based on engineering judgement and was judged to be an upper bound. This was based on review of EPRI work on relief and safety valves and on review of Zion and Indian Point experience data.

3.6-54 (Page 3.6-61) PORV Block Valves LLNL Comment - No consideration was given in the SSPSA for the case where both block valves might be closed due to PORV leakage.

Response - The case of both block valves being closed was considered, for example, on SSPSA Page D.10-5. The factor of two in the quantification of feed and bleed response accounts for this case.

3.6-55 (Page 3.6-62) PORV Block Valves LLNL Comment - According to SSPSA Page D.10-3, power must be removed from the block valves if they are closed following detection of PORV leakage. This power removal is, presumably, to prevent inadvertent reopening of the valves. However, depending on system logic and operator actions required, it may be difficult to open the valves, resulting in an increase in the probability of the valves failing to open. Such a consideration is not included in the SSPSA quantification for the case where block valves are closed. (SSPSA Page D.10-5)

Response - The operator action, closing the breaker to block valves, is rather simple and straightforward, and there is sufficient time for operator action. Also, the block valve motor is sized to open against pressure. Thus, it was considered appropriate to use the value for MOV failure to open on demand.

3.6-56 (Pages 3.6-63 and 64) Main Steam LLNL Comment - The SSPSA does not provide an adequate explanation in Section D.11 of the relationship between failure of the main steam system functions and the progression of severe accidents. In particular, the SSPSA definition of system success criteria (Page D.11-1) does not indicate the consequences of failure or what measure of success was actually used.

Response - The progression of severe accidents and the consequence of system failure are contained in the plant event trees given in SSPSA Section 5.3 and quantified in SSPSA Section 5.4. The failure to meet the system success criteria does not necessarily lead to core melt. System success or failure determines the path through the event trees which end in either success (core cooling) or failure (core melt).

3.6-57 (Page 3.6-64) ARV Common Cause LLNL Comment - In assessing the common cause contribution for Atmospheric Relief Valves (ARVs), the SSPSA assumes (Page D.11-15) that a B-factor of 4.23 E-2 is appropriate because "of the similar complexity of the control circuits of the ARVs and a typical MOV." While this assumption may be valid, it appears questionable and not substantiated by data.

Response - The generic beta factor was used as a screening device and is generally judged to be an upper bound. The beta factor for MOVs is based on considerable data and has a relatively high confidence. It was judged that because the ARVs have a similar complexity in control circuitry to MOVs, that the beta factor would be more appropriate than the generic beta.

3.6-58 (Pages 3.6-64 and 65) MSIV Common Cause LLNL Comment - In assessing the common cause contribution from multiple MSIV failures, the SSPSA assumes a B-factor of 0.0423 based on "similar complexity of the control circuits of the MSIV and a typical MOV."

Response - See response to Comment 3.6-57.

3.6-59 (Page 3.6-65) Main Steam Safeties LLNL Comment - The SSPSA argues (Section D.11.3.4.2) that no common cause contribution is expected from multiple failures of main steam system safety valves. The argument is based on the premise that missetting of pressure setpoints would not have any effect because "the magnitude of a missetting error is limited by the spring selection on the safety valves. Also, an error as much as 100 pounds over design pressure does not affect system response in this event." The argument does not, however, indicate what the maximum missetting error actually is and whether this error is within the 100 pound margin. Further, no mechanical common cause contribution (such as multiple corrosion seizing of the valves) is considered.

Response - The springs used in safety valves usually have a capacity range of about 200 pounds and the setting is usually put near the middle of this range. Thus, the maximum error should be less than about 100 pounds. Also, based on data review of safety valves, no common cause contribution such as corrosion was found.

3.6-60 (Page 3.6-67) Control Room Ventilation LLNL Comment - The Control Room HVAC description provided in SSPSA Section D.14 is inadequate for an understanding of the system operation.

Response - The description of the Control Room HVAC is brief, but appears to be adequate for the purpose the analysis served. The conclusion of the analysis was that this system is not needed to function for 24 hours and that it is highly reliable. Thus, it is not used in the plant sequence analysis. Also, additional description is available in the references listed in SSPSA Section D.14.

3.6-61 (Page 3.6-67) Control Room Inlet Dampers LLNL Comment - It is not clear, as indicated on SSPSA Page D.14-3, why opening of DP-53A or DP-53B dampers is necessary to restore Control Room air conditioning on loss of off-site power. These dampers do not appear (SSPSA Figure D.14-1) to be associated with the air conditioning system.

Response - The Control Room Air Conditioning System uses a continuous air makeup system that is made operable following a LOSP by opening DP-53A or DP-53B. Without this makeup supply, the habitability requirements of the Control Room are assumed to be not satisfied. This is acknowledged to be a conservative assumption.

3.6-62 (Page 3.6-67) Control Room Heatup LLNL Comment - There appears to be little or no basis for some assumptions given on SSPSA Page D.14-5. These include:

a) Failure of vital instrument and control systems is assumed to occur 2 hours after Control Room high temperature alarms have initiated.

b) During station blackout, vital instrumentation is assumed to last at least 8 hours without operator action. (A personal letter is referenced but not provided to support this assumption.)

Response - The bases for the assumptions listed are as follows:

a) Failure of vital instrument and control systems is assumed two hours after high Control Room temperatures based on data review of actual failures of solid state protection equipment due to overheat. This assumption is judged to be conservative.

b) Vital instrumentation is assumed to last at least eight hours during station blackout without operator action. This is based on a calculation of the heatup in the Control Room without ac power. This calculation is available upon request.

3.6-63 (Page 3.6-67) Control Room Quantification LLNL Comment - The quantification of system unavailability from hardware failures (SSPSA Section D.14.3.1) does not provide enough detail. A general formula to cover any number of components is provided, but the specific components considered, and their assumed failure rates, are not provided.

Response - It is agreed that less detail was provided for the quantification of Control Room cooling, compared with other systems in SSPSA Appendix D. However, the system was quantified to show why it was not included in the plant analysis. To be consistent with other systems that were considered and then not included in the plant analysis, this system should not have been included in Appendix D.

3.6-64 (Page 3.6-68) Emergency Cleanup Fans LLNL Comment - The frequency of occurrence for maintenance for the emergency cleanup fans (approximately every four years) seems excessively infrequent. The basis is stated to be in SSPSA Table 6.4-1 (Type 4). However, these components are not listed in the table.

Response - The emergency cleanup fans are low failure rate components that are infrequently operated. Thus, this frequency of maintenance (a mean of about once per four years) seems appropriate and possibly even conservative for this component.

3.6-65 (Page 3.6-68) Control Room Common Cause LLNL Comment - In assessing the common cause contribution to Control Room HVAC failures, it is assumed (SSPSA Page D.14-10) that there is no common cause link between failure of an operating air conditioning train and failure of an identical train (in standby) to start and operate.

Response - In general, no common cause beta factor is modeled between trains for pumps in different modes due to the absence of a cause link from the data analysis; e.g., Pump A failure to run and Pump B failure to start are unrelated. However, common cause is modeled between trains for the pumps in the same mode; e.g., Pump A failure to continue to run and Pump B failure to run after successful start.

3.6-66 (Pages 3.6-69 and 70) Common Cause LLNL Comment - A persistent concern was found in the treatment of common cause failures. These concerns included: (1) exclusion of passive and other components from common cause failures, (2) use of very low beta factors for some components and (3) no common cause link between different operating modes.

Response -

a) There is no evidence of common cause failure of passive components from the data base except what is included explicitly in the external events analysis. For example, seismic risk is significantly affected by common cause failure of passive components - diesel generator fuel day tanks for instance.

b) The "very low beta factors" come from search of actual data for common cause events. The diesel is an example of a component that has a low beta factor due to the extensive failure data available.

c) See response to 3.6-65.

A3.7 OPERATING EXPERIENCE ANALYSIS

3.7-1 (Page 3.7-5) LOSP Data LLNL Comment - The use of nation-wide data for the quantification of the loss of off-site power initiator causes us a minor concern. In the context of the Bayesian procedure, the nation-wide data should be used as the prior distribution and region-specific information should be used as the update. This procedure would account for the plants on the northeast intertie which experience a higher incidence of hurricanes and other severe weather. In light of this discussion, the frequency of the loss of off-site power initiating event could be optimistic.

Response - Based on the latest LOSP data (NSAC-80), the value used in the SSPSA (0.135/year) is very pessimistic. Also, the siting of Seabrook and the switchyard design using SF6 bus ducts will preclude the salt-spray problems that have occurred in the northeast. Due to the lack of data (only about 46 LOSP nationwide), use of the nationwide data is judged to be a better data base. See response to 1.1-4.

3.7-2 (Page 3.7-8) Maintenance Distribution LLNL Comment - We are concerned with the application of only four maintenance unavailabilities to the many and various components throughout the plant.

Response - There are four distributions for maintenance duration and four distributions for maintenance frequency. Thus, there are a possible 16 combinations of maintenance unavailability, although not all possible combinations are used. The eight distributions were developed based on data from operating plants. The distributions cover the range of maintenance unavailabilities observed. Also, with no plant-specific data at Seabrook, it was judged not appropriate to extend the model. See response to 1.1-4.

3.7-3 (Page 3.7-11) Proprietary Data LLNL Comment - We have reservations about the proprietary nature of the actual data used and analysis performed for determining the data base. Without reviewing the actual analysis, we cannot make a complete assessment of its accuracy, validity and completeness.

Response - As stated previously, the proprietary data base is available for review upon request with the normal proprietary agreements in effect. No such request was received. In addition, the LLNL comparison with our data did not identify any significant concerns.

A3.8 ANALYSIS CODES

3.8-1 (Page 3.8-6) MARCH Code LLNL Comment - The MARCH code was developed from the analysis performed in the Reactor Safety Study (WASH-1400) and contains limited detail and depth about the various phenomena analyzed. Care must be taken on specifying the input to this code, and the calculational results generally have large uncertainties.

Response - The analysis team is fully aware of the limitations of the MARCH code and of the subtleties of its use from previous experience. These were reflected in the input data. Uncertainties in the predicted MARCH results were explicitly factored into the uncertainty analyses for the containment response.

3.8-2 (Page 3.8-6) DPD Code LLNL Comment - The DPD arithmetic employed in the SSPSA provides an adequate method for combining probability distributions. The random variable space, however, must be appropriately discretized in order to give sufficient representation to the tails of the resultant distribution. If this is not done, discrepancies can result.

Response - The analysis team is fully aware of the need for care in using DPD arithmetic and proper attention was focused in this regard.
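The discretization point raised in Comment 3.8-2 can be seen by multiplying two discretized lognormal distributions with a coarse and a fine grid and comparing against the closed-form lognormal result. This is an added example, not code or data from the SSPSA or its DPD code; the two input distributions (medians and error factors), the bin counts, the midpoint-quantile discretization rule and all function names are constructed assumptions.

```python
"""DPD (discrete probability distribution) arithmetic: effect of bin count on tails.
Illustrative only; every distribution parameter below is constructed."""
import math
from statistics import NormalDist

_N = NormalDist()
Z95 = _N.inv_cdf(0.95)  # about 1.645; error factor = 95th percentile / median


def lognormal_dpd(median, error_factor, n_bins):
    """Discretize a lognormal into n_bins equal-probability (value, prob) points.

    Each bin is represented by the quantile at the midpoint of its probability
    interval, so nothing beyond the outermost midpoints is represented.
    """
    sigma = math.log(error_factor) / Z95
    p = 1.0 / n_bins
    return [(median * math.exp(sigma * _N.inv_cdf((i + 0.5) * p)), p)
            for i in range(n_bins)]


def dpd_multiply(a, b):
    """Product of two independent DPDs: all value pairs, probabilities multiplied."""
    return sorted((xa * xb, pa * pb) for xa, pa in a for xb, pb in b)


def dpd_mean(d):
    return sum(x * p for x, p in d)


def dpd_percentile(d, q):
    """Smallest value whose cumulative probability reaches q."""
    ordered = sorted(d)
    cum = 0.0
    for x, p in ordered:
        cum += p
        if cum >= q:
            return x
    return ordered[-1][0]


def condense(d, n_bins):
    """Merge a DPD into about n_bins equal-probability groups.

    Each group is replaced by its probability-weighted mean, which preserves
    the overall mean but merges the extreme points into the outermost groups.
    """
    target = 1.0 / n_bins
    out, mass, moment = [], 0.0, 0.0
    for x, p in sorted(d):
        mass += p
        moment += x * p
        if mass >= target - 1e-12:
            out.append((moment / mass, mass))
            mass, moment = 0.0, 0.0
    if mass > 0.0:
        out.append((moment / mass, mass))
    return out


# Constructed inputs: (median, error factor) of an event frequency per year
# and of a conditional failure probability.
FREQ = (1.0e-3, 10.0)
PROB = (1.0e-2, 3.0)


def product_dpd(n_bins):
    """DPD of frequency x probability with n_bins points per input."""
    return dpd_multiply(lognormal_dpd(FREQ[0], FREQ[1], n_bins),
                        lognormal_dpd(PROB[0], PROB[1], n_bins))


def analytic_product():
    """Exact mean and 95th percentile: a product of lognormals is lognormal."""
    s1 = math.log(FREQ[1]) / Z95
    s2 = math.log(PROB[1]) / Z95
    var = s1 * s1 + s2 * s2
    median = FREQ[0] * PROB[0]
    return median * math.exp(var / 2.0), median * math.exp(Z95 * math.sqrt(var))


if __name__ == "__main__":
    mean_true, p95_true = analytic_product()
    print(f"analytic      mean={mean_true:.3e}  95th={p95_true:.3e}")
    for n in (5, 20, 200):
        d = product_dpd(n)
        print(f"{n:3d} bins/input mean={dpd_mean(d):.3e}  "
              f"95th={dpd_percentile(d, 0.95):.3e}")
```

With five points per input the mean and the 95th percentile of the product both fall roughly 30% below the exact values, because the upper tail of each input is cut off at its 90th percentile; with 200 points per input both are within a few percent.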

A3.9 ACCIDENT SEQUENCES

3.9-1 (Page 3.9-2) Zion/Indian Point LLNL Comment - According to SSPSA Section H.2.1, the Seabrook accident progression assessment relies heavily on similar assessments provided for the Zion (3.9-1) and Indian Point (3.9-2) risk assessment studies and refers to these studies for further detail. These studies have been the subject of intensive NRC review, and discrepancies found in such reviews may also apply to the SSPSA analysis.

Response - Lessons learned from the Zion and IP risk assessment studies, including the NRC reviews have been applied in the SSPSA. This was one distinct advantage in using the Zion/Indian Point team for the Seabrook study.

3.9-2 (Page 3.9-2) In-Vessel Core Cooling LLNL Comment - Section 2.1.2 (In-Vessel Phenomena) - This section indicates that the potential for in-vessel core cooling with reduced flow rates was considered in the analysis. However, it is not clear how such analyses were included in the various scenarios or how such cooling was accounted for in the core melt probability determinations.

Response - An analysis was done to assess in-vessel core debris cooling. It was concluded that the core debris could be quenched and cooled if core cooling was recovered before more than about 10% of the core debris had relocated to the bottom of the reactor vessel. However, the additional time gained between core uncovery and core slumping was so small, that the incremental gain in the probability to recover core cooling would be insignificant. The containment event tree top events address degraded core recovery and show that no credit was taken.

3.9-3 (Pages 3.9-2 and 3) Minimum Flow LLNL Comment - Section 2.1.2 (In-Vessel Phenomena) - It is stated here that 150 gpm could maintain the core water level at 1% decay heat levels. This value appears to be optimistic. A simple heat balance indicates that about 210 gpm are required to remove 1% of the core decay heat.

Response - The difference between 150 gpm and 210 gpm has no influence on the analysis since partial flow was not considered in the plant transient analysis. Either full flow or no flow was modeled for pump flow operation.

3.9-4 (Page 3.9-3) Severe Accident Phenomena LLNL Comment - Recent detailed analyses indicate that some severe accident phenomena could occur which might alter the SSPSA conclusions. For example, in a recent assessment (3.9-3), a high potential was found for establishing a recirculation path in the upper plenum during core heatup. One of the consequences of this phenomenon is expected to be more extensive metal-water reaction (due to recirculation of steam to hotter core regions).

Response - It is common knowledge that the issue addressed in this question was not identified until well after the completion of the Seabrook PRA. However, large uncertainties in the quantity of hydrogen generated were acknowledged in the study and factored into the analysis in the form of uncertainty distributions. Zr reaction and the effect of H2 burning were considered in a parametric study with the full range of Zr reaction from 0 to 100% (see SSPSA Section 11.7). For each plant damage state, a distinct probability distribution for the Zirconium's reaction fraction was defined to reflect these uncertainties.

A-121

w I

3.9-5 (Page 3.9-3) Proprietary Computer Codes LLNL Comment - Many of the computer codes used for the analysis used in SSPSA Section H.2.2 were described as proprietary and are, therefore, (presumably) not available for review.

Response - In general, all proprietary material is available to NRC (and LLNL) for review upon request with the normal proprietary agreements in effect. No such request was received.

3.9-6 (Page 3.9-4) V-Sequence LLNL Comment - The SSPSA analysis of the V-sequence progression is provided on SSPSA Pages H.2.2-34 and H.2.2-44. The description provided is quite sketchy and many details are not given. Further, the assessment ignores the many possible alternative scenarios which may be more probable and produce smaller consequences.

Response - An evaluation of LOCA outside containment was performed for the SSPSA, examining each line which communicated with the RCS and penetrated the containment. Based on that evaluation, six lines were considered in detail - four RHR cold leg injection lines and two hot leg suction lines. (See SSPSA Section 6.6.3.2.1.) These are the classic "V-sequence" lines first discussed in WASH-1400.

This evaluation of LOCA outside containment was not documented explicitly in the SSPSA, but can be reconstructed from SSPSA Section D.13. Table D.13-3 contains a list of all the containment penetrations with the related isolation valves and affected system. In order to be of interest in the evaluation of LOCA outside containment, the line must not only penetrate the containment to the atmosphere, but also communicate with the RCS.

This V-sequence analysis in Appendix H was performed to provide a point estimate of the source term for this accident category. In SSPSA Chapter 11, uncertainties are assessed which account for different scenarios and other source term uncertainties. The frequency analyses of different scenarios and paths are found in SSPSA Section 6.6. See responses to 3.9-7 and 8. In addition, since the SSPSA was published the V-sequence has been re-evaluated in detail, and the re-evaluation confirms our suspicion that the SSPSA results are very conservative.

3.9-7 (Page 3.9-4) V-Sequence LLNL Comment - According to SSPSA Page H.2.2-34, the "best-estimate" V-sequence accident is expected to be a rupture of the two MOVs on the RHR suction side. However, according to SSPSA Section 6.6, the injection side RHR rupture (from check valve failure) has a higher probability. The difference is 1.03E-6/year for injection side failures and 8.12E-7/year for suction side.

Response - The distributions for the RHR injection versus suction side failures have a very large uncertainty spread - a range factor greater than 30. Thus, the difference between means of 1.03E-6 and 8.12E-7 is insignificant in light of the uncertainty spread and either failure path could have been chosen as the "best estimate." As noted, progression of the accident is not sensitive to the location for the simplified analysis done for the V-sequence. This analysis conservatively did not consider the possibility of a submerged rupture location. It was assumed that the rupture would occur in the RHR piping at the first elbow outside containment.

The possibility of a submerged rupture location was not considered in the SSPSA, but in a recent investigation, an update of the SSPSA V-sequence analysis has been performed. This thorough reanalysis addresses the possibility of submerged leaks in the RHR System.

3.9-8 (Page 3.9-5) V-Sequence LLNL Comment - On SSPSA Page H.2.2-34 it is stated that the primary system transient is similar to that in the AL sequence. However, the containment pressure is expected to be lower. The containment pressure is irrelevant for the V-sequence since the containment is bypassed.

Response - The low containment pressure assures that containment spray does not automatically initiate. If this sequence were analyzed in more detail, the time to empty RWST may become an important factor in determining time for recovery. The containment spray not initiating would allow longer times for RWST injection. In the model in SSPSA, operator recovery actions were not considered.

The containment pressure is always relevant. For example, it is needed to calculate containment leak rates and to evaluate the potential for multiple fission product pathways. After vessel melt-through, the containment communicates through the RHR pipe break to the environment.

3.9-9 (Page 3.9-5) V-Sequence LLNL Comment - According to SSPSA Page H.2.2-44, core cooling is assumed to be lost in 29.3 minutes. The basis for this time estimate is not given, and it appears to be excessively short for most possible V-sequence scenarios.

Response - It is acknowledged that the 29.3 minutes until core cooling loss is a conservative estimate of the time to deplete RWST. However, the exact time is not significant in the further analysis of the core melt progression.

The time difference noted is insignificant. The containment spray, RHR, and safety injection pumps are all located at the bottom of the RHR vault and would most likely flood out in any of the V-sequences analyzed. Since the pump motors are not flood protected, they would short and fail early in the sequence.

3.9-10 (Page 3.9-6) V-Sequence Procedure LLNL Comment - The probability of appropriate operator action under V-sequence accident circumstances is unknown and not considered in the SSPSA. However, during the plant visit Seabrook operating personnel assured us that procedures exist for dealing with the V-sequence.

These procedures were requested but have not yet been received.

Response - Requests for emergency response procedures for PTS, SGTR, and termination of SI were received and sent to LLNL by letter, dated October 24, 1984. No request for the LOCA outside containment was received formally. If the need for these or any other procedures had been made known, they would have been transmitted. No such request was received.

3.9-11 (Page 3.9-6) RCP Seal Leak LLNL Comment - The only basis given for the pump seal leakage rate is an internal Westinghouse memo. The rates quoted (20 gpm for 10 hours and 300 gpm thereafter) are not consistent with assumptions made for other PRAs (e.g., Zion and Millstone-3). This assumption could have a significant effect on the accident sequence progression, and its basis should, therefore, be provided in the SSPSA.

Response - The Westinghouse core and containment response analyses done in support of the SSPSA assumed a RCP seal leakage of 20 gpm/pump for the first 10 hours and 300 gpm/pump thereafter. This SSPSA assumption was based on the best information available at the time. References 11.5-3 and B-2 cite an expected leak rate of 10 to 13 gpm/pump, assumed for 10 hours, with an upper bound leakage of 300 gpm/pump. (Also see SSPSA Page 11.5-13.) This reference includes a proprietary Westinghouse report submitted to NRC. Also see responses to 3.2-38 and 3.5-24.

3.9-12 (Pages 3.9-6 and 7) Hydrogen LLNL Comment - Figures 2.2.4-1N and 2.2.4-10 showing hydrogen accumulation for the TE-sequence do not appear consistent with other figures describing the accident or the description of the TE-sequence on SSPSA Page H.2.2-35. For example, these curves show no hydrogen release until after about 350 minutes, but Page H.2.2-35 indicates core starts to melt at 283 minutes. Vessel melt-through is indicated on SSPSA Figures 2.2.4-1A at about 300 minutes. Significant hydrogen production would precede both of these events.

Response - The figures in SSPSA Appendix H regarding hydrogen production are internally consistent. Figure 2.2.4-1N shows the hydrogen production, and Figure 2.2.4-10 shows the steam release due to concrete penetration following vessel melt-through. The time axis on both these figures starts at the time of vessel melt-through (t = 0), which corresponds to an accident clock time of 5 hours. The hydrogen release starts 350 minutes after vessel melt-through because of the time required for debris quenching, reactor cavity dryout, and debris reheating. The accident clock time for the start of hydrogen release from concrete is approximately 11 hours. The total release of hydrogen to the containment is shown in Figure 2.2.4-1D for both the in-vessel release and the ex-vessel release. The in-vessel release of hydrogen to the containment starts at 5 hours, the time of vessel breach. The ex-vessel release starts at about 11 hours, consistent with Figure 2.2.4-1N. Hydrogen is retained in the vessel until vessel breach since the primary coolant boundary is intact.

3.9-13 (Page 3.9-7) Dominant Scenarios LLNL Comment - SSPSA Section 2.2.8 (Page H.2.2-69) provides an analysis of core recovery times and flow requirements. It is stated to be for "the more dominant scenarios." However, the analysis does not include the V-sequence which is the most dominant sequence for early fatalities and among the dominant contributions to latent fatalities.

Response - The V-sequence is included in the scenario "injection failure late, 6" cold leg break" with regard to calculation of core recovery time window and flow requirements.

3.9-14 (Page 3.9-7) Core Recovery LLNL Comment - It is not clear whether or how the results of SSPSA Section 2.2.8 (Core Recovery Time Window and Flow Requirements) were used in the SSPSA. No indication could be found of such use or the significance of the considerations.

Response - The time windows documented in SSPSA Section H.2.2.8 are the results of first-principles code analyses available for the Seabrook configuration. They were used to check the validity of the parametric analyses documented in SSPSA Section 11.5.3, which are based on simplified analyses. The parametric results in SSPSA Section 11.5.3 were then used and referenced in SSPSA Section 10.4.4.1 (Time Windows Based on Plant Thermal-Hydraulics). SSPSA Section 10 is dedicated to operator actions and recovery actions.

3.9-15 (Page 3.9-7) Station Blackout Timing LLNL Comment - The results presented for the TE-sequence (loss of all ac power) on SSPSA Page H.2.2-35 are not consistent with a recent similar, independent analysis for the Seabrook plant. For example, the SSPSA shows steam generators boil dry in 8,220 seconds, while the Reference 3.9-4 result is 4,903 seconds (loss of effective heat sink).

Response - LLNL Reference 3.9-4 was not available at the time the SSPSA was performed. A review has identified several differences which, in the aggregate, account for the difference in the time to steam generator dryout. In terms of the integral decay heat in units of Full Power Seconds (FPS), the differences are as follows:

Integral Decay Heat to SG Dryout - SSPSA               108 FPS
Integral Decay Heat to SG Dryout - EGG-NTP-6700         75 FPS
Difference                                             + 33 FPS

Steam Generator Secondary Inventory                    + 12 FPS
Primary Coolant System Temperature                     + 7 FPS
Delayed Main Feedwater Trip                            + 6 FPS
Initial Temperature of Secondary SG Inventory          0 to + 17 FPS
Total Delay for SSPSA Steam Generator Dryout           25 to 42 FPS

These differences are in two categories. Phenomena for which the SSPSA has taken credit, and which will realistically extend the time for steam generator dryout, account for 50% of the difference between the two analyses. The remaining 50% are due to the more detailed analysis model used in the EGG analysis. Our most realistic estimate for the integral decay heat to steam generator dryout then is 92 FPS, which corresponds to a time of 6,400 seconds. The difference between 6,400 seconds and 8,200 seconds for steam generator dryout has no significant impact on any subsequent calculations in the SSPSA model.

3.9-16 (Page 3.9-8) Operator Actions LLNL Comment - The SSPSA Section 11.5.3 analyses are stated (Page 11.5-12) to be used for estimating the time available for corrective actions. However, how the results were used and what correction actions are assumed are not stated or referenced to other sections in the SSPSA.

Response - The results from SSPSA Section 11.5.3 were used in SSPSA Section 10.4, "Operators Restore Electric Power Following a Loss of All AC Power," specifically in SSPSA Section 10.4.4.1, "Time Window Based on Plant Thermal-Hydraulics."

3.9-17 (Page 3.9-8) Steam Generator Dryout LLNL Comment - Only one discrepancy was found during the review of Appendix B. The analysis of steam generator dryout following scram with no feedwater indicated that dryout would occur in about 1.5 hours. While this result is reasonably consistent with an independent analysis (Reference 3.9-4, 4,903 seconds), it is not consistent with other parts of the SSPSA. For example, both Section H.2.2 and Section 11.5.3 show dryout times of 2.98 hours for the TE accident sequence which appears to be the same case considered in Appendix D (simultaneous loss of ac power and auxiliary feedwater).

Response - See response to 3.9-15 which also provides the response to this comment.

A3.10 DEPENDENCIES

3.10-1 (Pages 3.10-3 and 4) Common Cause LLNL Comment - The last paragraph on SSPSA Page 8.1-2 discussed common cause failures and concludes that explicitly modeled common failures did not, in most cases, produce a significant contribution in the SSPSA. It is further stated that an exception to this conclusion was the Service Water System in which plugged strainers was an important explicitly modeled common cause failure. This statement is incorrect in that the SSPSA analysis of Service Water System failure (SSPSA Section D.3, Volume 4) concludes that strainer plugging is considered negligible in comparison with that of other hardware failure (SSPSA Page D.3-28) and loss of service water via this (strainer plugging) mechanism was found to be insignificant.

Response - The condition of "plugged strainers" was indeed modeled explicitly as a common cause failure mode. The service water reliability block diagram (SSPSA Page D.3-57) shows that the strainers (Block STR) were modeled as a single element even though separate strainers are in each train. However, as stated on SSPSA Page D.3-28, plugging of strainers was judged to be a negligible failure mode because of the time available and indications to operators during clogging to effect recovery. Thus, strainers were initially considered potentially important, but on further thought, were judged to be negligible failures.

3.10-2 (Page 3.10-4) Beta Factors LLNL Comment - SSPSA Page 8.1-3 discussed the derivation and use of beta factors in quantifying common cause failures. The discussion indicates that for some components, actual data were used to derive β-factors, while in other cases where no event data were available, a "generic" beta factor distribution was used. It is further stated that use of this generic distribution is supported by the observation that beta factors tend to be relatively independent of component type. This contention appears to be unsupported and inconsistent with beta factors used in the SSPSA in that of only the nine components for which specific beta factors were derived (see Table 8.1-5 or 6.3-2), the mean values of the factors differed by a factor of 20. Furthermore, the beta factors for the six electric motor-driven pumps (fail during operation) vary by a factor of more than 12.

Response - The statement on SSPSA Page 8.1-3 that beta factors tend to be independent of component type was an earlier observation that has subsequently been shown to be incorrect. The beta factor distributions listed in SSPSA Section 6.3 were developed from actual failure data and illustrate the present understanding that beta factors are completely dependent on component type and function.

3.10-3 (Pages 3.10-4 and 5) Spatial Interactions LLNL Comment - SSPSA Section 8.2 is somewhat confusing and difficult to understand. The actual use and significance of the spatial interaction analyses is not clear. Furthermore, numerous assumptions and judgements were made (Pages 8.2-7, 11 and 13) which increase the uncertainty of the analysis.

Response - As acknowledged in NUREG/CR-4229, the SSPSA spatial interaction analysis represents a significant advance in dependent events analysis. As stated clearly in the sections, the purpose of spatial interactions was to determine important external event scenarios that are evaluated and quantified in SSPSA Section 9, and to evaluate systems interactions identified during walkdowns.


3.10-4 (Page 3.10-6) Dependent Failures LLNL Comment - It is stated (SSPSA Page 4.3-38, last paragraph) that, any missing dependent failures (i.e., those not adequately addressed in the SSPSA) would be those that make negligible contribution to risk. This appears to be an overstatement which cannot be substantiated. While the SSPSA appears to have made a concerted and reasonably rigorous effort to identify and quantify important dependent failures, there is no way to prove that all such failures have been discovered.

Response - We agree there is no way to prove such a statement. We thought the statement might provoke reviewers to challenge the authors with counter examples. So far, none have surfaced.

3.10-5 (Pages 3.10-6 and 7) Beta Factor Equations LLNL Comment - It is stated (on SSPSA Page 4.3-5) that, for $\beta_d$ and $\lambda_d$ on the order of 0.1 or less, the first term (of the equation on that page) can generally be neglected. This statement is incorrect.

In the first place, if $\beta_d$ and $\lambda_d$ are 0.1, the first term contributes almost 50% to the total. Second, it is readily apparent that the first term becomes more significant as $\beta_d$ becomes less than 0.1. It is true, however, that for virtually all cases encountered in nuclear plant system reliability (with $\lambda_d$ = [value illegible] or less, and $\beta_d$ approximately equal to 0.1), the first term can be neglected as it contributes less than 10%.

Response - The equation being discussed follows:

$$(1-\beta_d)^2 \lambda_d^2 (1-\beta_d\lambda_d) + \beta_d\lambda_d$$

It is stated that for $\beta_d$ and $\lambda_d$ equal to 0.1 or less, the first term can be neglected. The first term being referred to is the factor $(1-\beta_d)^2$ rather than the $(1-\beta_d)^2\lambda_d^2(1-\beta_d\lambda_d)$ expression. We agree that our terminology is confusing. Also, note that neglecting either $(1-\beta_d)^2$ or $(1-\beta_d\lambda_d)$ or both is conservative and usually insignificant.

3.10-6 (Page 3.10-7) Standby/Operating Pump Common Cause LLNL Comment - The last paragraph on SSPSA Page 4.3-49 indicated that, it is reasonable to assume that common cause failures would impact the two standby pumps in the run mode, but not standby/operating combinations. This conclusion appears somewhat questionable. Typically, the operating/standby pump combination for a train is in close proximity (share the same local environment and share support systems, e.g., lube oil, lube oil cooling). This suggests the possibility of common cause failures even if the pumps are initially in different operating modes. While the extent of such common cause coupling is unknown, the possibility cannot be arbitrarily dismissed.

Response - Common cause is indeed modeled between the pump that is initially running and the pump that is in standby, but only when the pumps are in the same mode (beta pump run or, for LOSP sequences, where both pumps have to start, a beta pump start and beta pump run). Also, the shared support system dependencies are handled in the boundary conditions in the systems analysis.

Support systems are not regarded as common cause events because they are modeled explicitly. Most location dependent common cause events are also modeled explicitly. What remains to be considered in the beta factor are primarily human-caused events. Operating experience indicates that these events are effectively decoupled by different operating modes.

3.10-7 (Pages 3.10-7 and 8) Beta Factors LLNL Comment - The top of SSPSA Page 4.3-56 discussed the derivation of beta factors for selected components, and a comparison of these factors with an alternate source is presented in SSPSA Table 4.3-15 (SSPSA Page 4.3-86). However, the comparison shows that the Seabrook beta factors are consistently lower (nonconservative) than other values by a factor ranging from 2.3 to over 12 (for diesel generators). No specific explanation is provided for these differences.

Response - Seabrook beta factors are based on a much better data analysis and much more data than previous studies. This analysis, based on actual data, yielded results that may be generally smaller than previous estimates. This is not unexpected since previous estimates of beta factors were consciously made conservative because of the lack of data. For a component such as the diesel generators, for example, the beta factor is relatively small due in part to the extensive data available on diesel failures. The data used to develop the SSPSA beta factors was published in EPRI-NP-3967.

3.10-8 (Page 3.10-8) Passive Component Common cause LLNL Comment - SSPSA Section 4.3.5.5.5 indicates that passive components were assumed to be excluded from common cause failures. No justification is provided for the assumption. While it may be true for some passive components (e.g., pipes) wherein very low frequencies of common cause failures would be expected, it is not at all clear that the same conclusion exists for others which were apparently assumed to be passive (e.g., batteries, dampers, check valves). In fact, one of the highest beta factors found in the literature (Reference 3.10-1) is for strainers which would normally be considered passive components.

Response - It was not assumed that passive components are not subject to common cause failure. In fact, common cause failures of passive components are important in the dependent analysis (SSPSA Section 8) and external events analysis (SSPSA Section 9). Specifically, a seismic event is analyzed to be the common cause failure of passive components such as the diesel fuel day tank. For the components listed in the comment:

o Batteries - common cause failure was not considered because of the very conservative modeling of battery failure rate.

o Dampers, Check Valves - there is no evidence of common cause failures of these components in the data base (except for check valves in SW).

o Strainer - the strainers were modeled with an effective beta of 1; i.e., modeled as a single element in the reliability block diagram.

See response to 1.1-3.

3.10-9 (Page 3.10-9) Beta Factor Equation LLNL Comment - It is stated that, for $\beta_d$ and $\lambda_d$ on the order of 0.1 or less, the first term (of Equation 6.3.3) can generally be neglected. This statement is incorrect in that the first term is significant if $\beta_d$ and $\lambda_d$ are 0.1, and becomes more significant as $\beta_d$ becomes smaller.

Response - See response to 3.10-5.
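The term-by-term arithmetic behind comments 3.10-5 and 3.10-9, as an added example that is not part of the SSPSA or of the original response. It assumes the two-train expression reads (1-β_d)²λ_d²(1-β_dλ_d) + β_dλ_d; the function names are hypothetical and the sample points, including the λ_d = 0.01 row, are constructed for illustration.

```python
"""Term-by-term check of the two-train beta-factor expression (added example).

Assumed form (see lead-in): Q = (1-b)^2 * l^2 * (1 - b*l) + b*l,
with b the beta factor and l the single-train failure probability.
"""


def independent_term(beta, lam):
    """Whole first term: both trains fail independently."""
    return (1.0 - beta) ** 2 * lam ** 2 * (1.0 - beta * lam)


def common_cause_term(beta, lam):
    """Second term: one common cause event fails both trains."""
    return beta * lam


def system_failure(beta, lam):
    """Full expression, both terms."""
    return independent_term(beta, lam) + common_cause_term(beta, lam)


def first_term_share(beta, lam):
    """Fraction of the total contributed by the whole first term."""
    return independent_term(beta, lam) / system_failure(beta, lam)


def simplification_errors(beta, lam):
    """Relative error of each simplification against the full expression.

    Positive: the simplified value is higher than the full one (conservative).
    Negative: the simplified value understates the failure probability.
    """
    full = system_failure(beta, lam)
    cc = common_cause_term(beta, lam)
    variants = {
        "drop (1-beta)^2 factor": lam ** 2 * (1.0 - beta * lam) + cc,
        "drop (1-beta*lam) factor": (1.0 - beta) ** 2 * lam ** 2 + cc,
        "drop both factors": lam ** 2 + cc,
        "drop whole first term": cc,
    }
    return {name: (value - full) / full for name, value in variants.items()}


# Constructed sample points (beta, lambda); not values taken from the SSPSA.
SAMPLE_POINTS = [(0.1, 0.1), (0.01, 0.1), (0.1, 0.01)]


def report(points=SAMPLE_POINTS):
    """One row per sample point: inputs, total, first-term share, errors."""
    return [
        (beta, lam, system_failure(beta, lam),
         first_term_share(beta, lam), simplification_errors(beta, lam))
        for beta, lam in points
    ]


if __name__ == "__main__":
    for beta, lam, total, share, errors in report():
        print(f"beta={beta:<5} lambda={lam:<5} total={total:.3e} "
              f"first-term share={share:6.1%}")
        for name, err in errors.items():
            print(f"    {name:<26} {err:+7.2%}")
```

At β_d = λ_d = 0.1, dropping either bracketed factor or both overstates the result by about 11% at most, while dropping the whole first term understates it by about 45%; this is the distinction the response to 3.10-5 draws between the two readings of "first term."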

3.10-10 (Page 3.10-9) Beta Factor Data LLNL Comment - The actual data used and the specific process of categorizing the data, and the actual values used for the various factors and their basis, are not provided. This detail is stated to be provided (Page 6.3-6) in Reference 6.3-5, but this is listed vaguely as "Pickard, Lowe and Garrick, Inc., Proprietary Data." Some of the beta factors so derived are inconsistent with alternate data sources and appear questionable on other grounds as described in the following item.

Response - The proprietary data, which lists the actual data events, would have been available upon request with the proper proprietary agreement. This comment has been responded to in 3.7-3, 3.10-7, and others. Also, the beta factor data agrees well with the recently published EPRI common cause guide book.

3.10-11 (Page 3.10-9) Beta Factor Distribution LLNL Comment - Table 6.3-2 presents the values used for beta factors in the SSPSA. Since details of the numerical derivation of these values are not provided in the report and are apparently proprietary (see previous item), a comparison was undertaken to determine if the SSPSA beta factors are consistent with alternate data sources.

Response - In general, comparison with alternate data sources is not appropriate because alternate (previous) sources were estimates based on limited data analyses. The SSPSA beta factors are the result of a detailed analysis of actual common cause failures in a much larger data base.

3.10-12 (Page 3.10-11) Beta Factors LLNL Comments - The rather wide variation in beta factors between the components listed and the "generic component" (used for all components not listed) seems unusual and is not consistent with arguments elsewhere in the SSPSA to the effect that components tend to have similar beta factors.

Response - See responses to 3.10-2 and 3.10-7.

3.10-13 (Page 3.10-11) Beta Factors LLNL Comment - The large beta factor variation among pumps is difficult to resolve, and no explanation is provided. It would be expected that pumps would have similar beta factors, but there is a factor of more than 10 between the highest and lowest values. Furthermore, there is a wide variation between beta factors for start and run (during operation) failures for the same pumps.

Response - The values for the beta factors for specific components were developed from a detailed search of actual failure data. In general, beta factors have been found to be component- and function-specific. Thus, the variation among beta factors can be traced directly to the data - the way failures have occurred.

3.10-14 (Pages 3.10-11 and 12) Beta Factors LLNL Comment - The SSPSA beta factors are frequently not consistent with values from other sources. The SSPSA generic beta factor (0.125) is comparable to the WASH-1400 value (0.1), but there is a significant difference for other SSPSA components and values from References 3.10-2 and 3.10-3. In all but one case, the SSPSA values are significantly lower. The SSPSA values for motor-operated valves are consistent with two NUREG sources (seventh and eighth columns), but the diesel generator failure to start beta factor is significantly lower than other sources (although there is a wide variation).

Response - All the beta factors listed for specific components in SSPSA Section 6.3 were developed from a detailed search of actual failure data. The values for beta factors used previously (e.g., WASH-1400 value of 0.1) can be now seen to be conservative estimates as they were assumed to be. The generic beta factor used in the SSPSA was a conservative estimate used as a screening device to assess the importance of common cause contributions. The component-specific beta factors in the SSPSA also agree well with the recently published EPRI common cause data.

3.10-15 (Page 3.10-12) Beta Factors LLNL Comment - It is of concern that the SSPSA values are consistently lower (optimistic) with respect to other sources (which produces lower system failure rates) and that inconsistencies appear to exist among the SSPSA rates.

Response - See responses to 3.10-12 through 3.10-14.

A4.0 EXTERNAL EVENTS ANALYSIS

4.0-1 (Page 4-1) Seismic Hazard LLNL Comment - SSPSA hazard assessment results are believed to be optimistic and the uncertainty underestimated.

Response - Based upon the evidence available, it is possible to understand how LLNL arrived at this opinion. It should be noted that the two pieces of evidence available, i.e., the Bernreuter, Appendix G, attachment to the Seabrook Safety Evaluation Report (SER) (Reference 4.1-10) and the latest LLNL report (Reference 4.1-1), may be flawed as is described below.

With respect to the comment that the results are considered optimistic, it is noted that the results presented in Appendix G of the Seabrook SER (Reference 4.1-10) are inappropriate for the Seabrook site for the following reasons:

1. Seabrook is a rock site; attenuation model error term values of 0.70 and 0.90 are inappropriate, see Chen and Bernreuter (Reference 4.1-9).
2. The resultant Uniform Hazard Spectra (UHS) presented in this appendix is a weighted average of a skewed data set, not a median.
3. The Gupta-Nuttli attenuation is based upon isoseismals rather than individual intensity reports. Use of individual reports is the appropriate method to predict intensities at a site (Reference 4.1-15). When this attenuation model is combined with a 0.90 error term, the results are overly conservative.
4. Integration over the magnitude range is made from a lower bound of 3.75 to the upper bound. A lower bound value of 5.0 is more appropriate (Reference 4.1-12).
5. Seismicity parameters are suspect, see YAEC-1455 (Reference 4.1-11).

Based upon the above comments, it is not unreasonable to expect the $10^{-3}$ PGA at the Seabrook site to be about 0.1g or lower. The strongest argument supporting this statement comes from Chen and Bernreuter (Reference 4.1-9) in that a reduction of sigma by 50% reduces the ground motion estimates by about a factor of 2 and the probability estimates by about a factor of 10. Combine this with a lower bound magnitude of 4.5 or 5.0, which is more appropriate for events of concern in the eastern United States (Reference 4.1-12), and the SER results (Reference 4.1-10) presented by Bernreuter would easily come in line with the Appendix F results from the SSPSA. The increase in the lower bound from 3.75 to 4.5 or 5.0 is justified based on the observation that earthquakes less than this size, 4.5 to 5.0 range, are not documented as causing damage to engineered structures. Additional support for this contention can be found in testimony to the ACRS (March 12 and 13, 1986). This testimony had to do with the effects of the January 31, 1986 earthquake (Mb = 5.0) that occurred about 10 km south of the Perry Nuclear Power plant. The event was shown to have no impact on the plant. Therefore, in light of the above, the Appendix F results from the SSPSA are considered a realistic estimate of the seismic hazard at the Seabrook site.

The second comment by the reviewers is that the uncertainty is underestimated in the Appendix F results from the SSPSA. Turning this around, could it not be that the uncertainty in the LLNL study is overestimated? In particular, Appendix D.4 of the LLNL report (Reference 4.1-1) gives strong arguments with respect to fundamental inconsistencies between experts that represent more a lack of expertise, by an expert in a particular area, rather than a real lack of knowledge. For example, estimating seismicity parameters for each source area is a statistical problem, yet it is doubtful that even one of the scientists used in the LLNL study can be considered an expert in this area. This is a modeling uncertainty that can be reduced by either making a statistician available to consult with each expert or having an expert in statistics develop a methodology to compute all seismicity parameters. The present EPRI (Reference 4.1-7) study handles estimation of seismicity parameters by developing a consistent statistical methodology available to all expert teams. Also, unlike the LLNL study (Reference 4.1-1), a commonly agreed upon earthquake catalog is used by the experts.

What must be highlighted is that the large band of uncertainty presented in all the LLNL results is likely the product of incorrect knowledge, rather than real modeling uncertainty. In other words, if the experts were real experts in all the various disciplines required, the uncertainty bands would collapse significantly.

A4.1 SEISMIC EVENTS

A4.1.1 Seismic Hazard

Based upon the information provided herein, we conclude that the SSPSA seismic hazard analysis is valid and that incorporation of the LLNL recommendations would not significantly change the results shown in Appendix F of the SSPSA. This is substantiated by Figure 4.1-7 which shows the original seismic hazard results against the composite modified results using the modified weights presented herein on the zonations and the attenuation models and elimination of the b-value of 0.9.

4.1-1 (Page 4.1-1) Systematic Evaluation Program

LLNL Comment - Reference is made to the Systematic Evaluation Program (SEP), whereby LLNL made specific probabilistic hazard estimates for the Seabrook Station.

Response - As described in response to 4.0-1 above, we believe the LLNL results are both outdated and seriously flawed.


4.1-2 (Page 4.1-4) Uncertainty / Expert Judgement

LLNL Comment - The SSPSA does not provide a specific discussion on the method used to quantify the uncertainty in key aspects of the hazard analysis. There is no definitive discussion of the approach taken to identify alternative hypotheses, solicit individual expert judgements, and combine the input from a group of experts.

Response - In effect, an implicit comparison is made by the reviewers between the LLNL study and the seismic hazard analysis conducted for the SSPSA. This comparison is inappropriate in that the magnitude, level of documentation, and intent of both studies are quite different. On the one hand, the LLNL study was a massive multi-year research project funded by the NRC with the intent of developing and documenting a methodology for use in defining the relative hazard at all eastern United States nuclear plants. On the other hand, the SSPSA seismic hazard analysis was a focused state-of-the-art site-specific study similar to those conducted at Zion, Indian Point, Limerick, and Millstone. Most importantly, it should be noted that this analysis is not a research project, but it is the implementation of an accepted methodology. Panels of experts were not explicitly queried, but as will be shown, implicitly they were. There were no experts, other than those identified in the response to 4.1-18, actively solicited to provide input with respect to alternative zonations or seismicity parameters. This does not mean that expert opinions on these topics were not factored into the analysis. Since this is a site-specific study, zonations that are in the literature can readily be compared with each other with respect to the host zone and, therefore, redundant zones eliminated. Therefore, even though experts are not actively solicited, their opinion is nonetheless incorporated in the analysis.

With respect to the scientific basis for individual zonation models used in the SSPSA, they are documented in the literature.


4.1-3 (Page 4.1-4 and 5) Alternative Model Hypotheses

LLNL Comment - In the Seismic Hazard Analysis Report, limited documentation is provided regarding the assessment of subjective probabilities assigned to alternative model hypotheses. There is inadequate documentation to support the probability distribution on the frequency of exceedance per year of ground shaking. In effect, the reader is expected to accept the modeling uncertainties which have been expressed on faith.

Response - This sequence of comments amplifies our continued objection to the reviewers' comparison of an LLNL-type study with the seismic hazard analysis conducted for the SSPSA. See response to 4.1-2.

4.1-4 (Page 4.1-5) Uncertainty

LLNL Comment - A comparison between seismic hazard studies utilizing many experts and those using only one or two, show greater variability in the probability distribution on frequency.

Response - The only multiple expert study available when the review was conducted was the LLNL study. But, now we have the EPRI (Reference 4.1-7) results, based upon six independent teams, of which each team consists of 4-8 experts. In this study, care was taken to avoid erroneous spread in hazard curves that might result from different data bases, definitions and understandings about the problem. Comparing the EPRI results, for a site in New England in close proximity to Seabrook, with the LLNL results for the same site shows uncertainty bands that differ by about a factor of 10; i.e., the uncertainty bands for LLNL at 0.2g represent a factor of 100, whereas the uncertainty bands on the EPRI Study represent about a factor of 10. This factor of 10 found in the EPRI results is quite consistent with the factor of 10 shown in the SSPSA.

4.1-5 (Pages 4.1-4 through 6) Uncertainty Analysis

LLNL Comment - Study fails to thoroughly document essential aspects of analysis, and thus results of the uncertainty analysis are at least partly unsupported.

Response - See responses to 4.1-2 through 4.

4.1-6 (Page 4.1-7) Hypothesis Description

LLNL Comment - The supporting basis provided for each hypothesis in the report is considered to be inadequate.

Response - The response to 4.1-18 provides additional discussion and references.

4.1-7 (Page 4.1-8) Source Zones

LLNL Comment - In our opinion, the definition of source zones near the site, specifically the FSAR, FSAR-Combined, and the Ossipee-Cape Ann zones express greater detail than the state-of-knowledge warrants.

Response - Appendix D.2 of the LLNL report (Reference 4.1-1) provides a detailed review as to why Professor John Ebel of the Weston Observatory believes that the seismogenic zones shown in the LLNL report (Reference 4.1-1) are too large.

4.1-8 (Pages 4.1-9 and 10) Uncertainty in Zone Description

LLNL Comment - The SSPSA probably has not characterized the uncertainty in zone descriptions as discussed below. It is not apparent to what degree the subjective probability assignments were based on the credibility of the scientific attributes of each hypothesis. In part, it appears that indifference is shown towards three general zonation hypotheses, and a fourth is given considerably less credibility.

Response - See response to 4.1-18 for a detailed response to these concerns.

4.1-9 (Pages 4.1-12 and 13) Record Completeness

LLNL Comment - The problem of record completeness was addressed in the SSPSA by identifying periods of completeness for various intensities. No basis is given to support these estimates.

Response - See the response to 4.1-18 (Item 6).

4.1-10 (Page 4.1-13) Converting Intensity to Magnitude

LLNL Comment - Two concerns are raised with respect to the conversion of $I_0$ values to earthquake magnitude; first, the $m_b$ data exhibit considerable scatter about a derived $m_b$ - $I_0$ relation. The second concern deals with the adequacy of considering only one magnitude-intensity relation.

Response - See response to 4.1-18 (Item 5).

4.1-11 (Page 4.1-14) Experts

LLNL Comment - The experts who participated in the assessment of seismicity parameters were not identified.

Response - See response to 4.1-18 (Item 1).

4.1-12 (Page 4.1-14) Uncertainty

LLNL Comment - No uncertainty in activity rates was considered in the assessment. Based on comments given under the discussion of Richter b-values, low credibility should be given to the seismic activity rates evaluated on the basis of an assumed b-value of 0.90.

Response - See response to 4.1-18 (Item 5).

4.1-13 (Page 4.1-17) b-Value

LLNL Comment - The approach used in the SSPSA of assigning 0.50 to an assumed b-value, in our opinion, is not appropriate.

Response - The default alternative b-value of 0.90 is supported by the results of Question 3-2 published in Volume 3 of Reference 4.1-19. For those experts that responded in terms of body wave magnitude to the question, "What in your opinion is the value of 'b' appropriate for the East?", the average b-value was 0.90.

4.1-14 (Page 4.1-18) Expert Variability

LLNL Comment - The SHCP results indicate greater variability in the opinions of the experts.

Response - With respect to seismogenic zones and upper bound magnitudes, the reviewers state in their general comments section, that the SSPSA values either bound or reflect those found in the SHCP. Therefore, the greater variability, in the opinion of the SHCP experts, must be with respect to seismicity parameter estimates. Again, as stated in the last few paragraphs of Response 4.0-1, a large portion of the variability may be due to their not being experts in statistics, resulting in wildly varying seismicity parameter estimates. Also see responses to 4.1-4 and 4.1-18, Item 1.

4.1-15 (Page 4.1-20) Attenuation Relationships

LLNL Comment - The use of intensity-based attenuation relationships raises a number of concerns. Due to the two-step transformation required to predict peak ground accelerations, greater variability is incorporated in the prediction model. This added source of variability is ignored in the SSPSA.

Response - See response to 4.1-18 (Item 8).

4.1-16 (Pages 4.1-20 and 21) Attenuation Relationships

LLNL Comment - From the review of the ground-motion models, we conclude that the credibility assigned to the AI and AID models may be high. Based on a simple comparison to the best-estimate SHCP attenuation models, the four SSPSA attenuation relationships tend to predict lower accelerations in the distance range of principal interest to the calculations of seismic hazard at Seabrook.

Response - It is noted that the results given by the AID and AI attenuation appear to give results that are too low relative to attenuation models used in the LLNL study (Reference 4.1-1). However, these models were developed from Northeastern United States data. They are remarkably similar to the rock or stiff alluvium models developed for the EPRI study (Reference 4.1-7).

4.1-17 (Pages 4.1-22 and 23) Comparison With Other Studies

LLNL Comment - LLNL comparison with results of other studies.

Response - A comparison is made between the SSPSA results and SEP results (Reference 4.1-10). Several comments are made in an attempt to identify the major factors that contribute to the factor of 10 difference in probabilities between studies. The SEP synthesis results for Seabrook are based upon the Gupta-Nuttli attenuation model with an attenuation model sigma of 0.90. By reducing this value alone to 0.45, which is appropriate for rock sites [Chen and Bernreuter (Reference 4.1-9)], the accelerations would roughly be halved at given probabilities. In other words, the 0.25g value at 10~ would become 0.125g at 10~ . Furthermore, combine this with an increase in the lower bound magnitude to 4.5 or 5.0 (Reference 4.1-12) from 3.75, and the SEP results would essentially overlay the SSPSA results. Also, there is a double confirmation of this result, in that, in the latest LLNL study (Reference 4.1-1), they have completed several sensitivity studies for the Maine Yankee site. Since Seabrook and Maine Yankee occupy the same host zone for 7 of the 11 experts, the median Maine Yankee results should roughly apply to Seabrook. The sensitivity study of interest is that when the lower bound magnitude was increased to 5.0 for all experts and the Maine Yankee results were calculated. Interestingly, the 10~ PGA result is approximately 0.1g. If site condition was accounted for in this LLNL analysis, i.e., Seabrook is a rock site, the results would be essentially the same as put forth in the SSPSA.

4.1-18 (Pages 4.1-23 through 27) Overall Conclusions

LLNL Comment - LLNL conclusion and recommendations are made.

Response - These comments and conclusions have been addressed above in Items 4.1-1 through 17, and the nine specific "Recommendations to the Applicant" are addressed below:

Item 1 - Identify the experts used in each phase of the study.

The principal investigator for this study was Dr. Robin K. McGuire. He is considered an expert in statistics (i.e., seismicity parameter estimation), attenuation model development and in the computation of the actual seismic hazard. He has functioned in this capacity on numerous seismic hazard analyses. All actual hazard calculations were performed by Yankee Atomic Electric Company. Yankee Atomic has extensive experience in performing these calculations for sites throughout New England. The procedure to group the 144 hazard curves generated for input to the SSPSA was developed by Dr. D. Veneziano.

Determination of weights assigned to the various alternative input parameters was based upon the degree of support found in the literature and, therefore, the study implicitly incorporates the opinion of numerous experts.

Item 2 - Incorporate a Charleston-type seismogenic zone in the analysis.

Appendix B to Appendix F of the SSPSA presents seismic hazard results for two Charleston-type seismogenic zones. The first Charleston-type zone encompasses seismicity along the eastern seaboard from Georgia to Maine. The second Charleston-type zone is similar to the first, but encompasses a larger portion of Canada and the continental shelf. Both zones allow for large earthquakes, $m_b$ = 7.0, to occur at the Seabrook site. The conclusion from these results is that a large zone which represents seismicity in the Eastern United States, and which allows large earthquakes to potentially occur at the Seabrook site, does not indicate seismic hazard significantly different from that already calculated and presented in the main body of the report.

A Charleston-type zone, as described above, is not included in the seismic hazard analysis because we believe such a zonation has very little credence. Supporting basis for the six zonations used in the SSPSA is presented under Item 4, below.

If, on the other hand, the reviewers consider large areal east coast seismogenic source zones with the upper bound magnitudes on the order of 6.8 to 7.0 to be Charleston-type seismogenic zones, then the results presented on Figure 4.1-1 (Figure 5.11.2 of the LLNL report (Reference 4.1-1)) for Expert 5 are directly applicable to the Seabrook site.

Figure 4.1-2 is Expert 5's base map with an upper bound magnitude of intensity I or approximately magnitude 6.8-7.0 for source area number 1. As can be seen on Figure 4.1-1, the 10~ peak ground acceleration for Maine Yankee is about 0.11 to 0.12g. Since Seabrook is in the same host zone, the value will be similar for Seabrook. Recalling that the lower bound magnitude used in the LLNL study is 3.75, it would not be unreasonable to expect a value of about 0.1g at the Seabrook site if a lower bound of 5.0 was used. Also, the best-estimate hazard curve shown on Figure 4.1-1 for Expert 5 is a weighted average, not a median hazard curve, further supporting a value of about 0.1g at $10^{-3}$.

Item 3 - Assign lower weight to the FSAR, FSAR-Combined and Ossipee-Cape Ann zones.

The original weights assigned to each zonation and the modified weights to evaluate this recommendation are as follows:

                                Weights
Zonation                  Original    Modified
FSAR                        0.20        0.10
FSAR-Combined               0.10        0.05
Northern Appalachian        0.30        0.45
Ossipee-Cape Ann            0.15        0.07
White Mountain              0.15        0.23
Boston-Ottawa               0.10        0.10

As can be seen, the weights on the FSAR, FSAR-Combined and Ossipee-Cape Ann zonations have been halved, and the remaining weight of 0.23 has been proportionally allocated to the Northern Appalachian and White Mountain zonations. No additional weight was given to the Boston-Ottawa zonation for reasons stated in Appendix F to the SSPSA and supported by Appendix A to Section 4.1 of the LLNL review. The results produced using the above modified weighting scheme are shown in Figure 4.1-3 with the original results. As can be seen, the median curve is slightly lower when using these revised weights.

Item 4 - Document the supporting basis for each seismogenic zone.

The following information is provided to supplement the seismogenic zone descriptions contained in the SSPSA:

FSAR and FSAR-Combined Zones

Information documenting the basis for these two zonations comes from two sources. The first is taken from Section 2.5.2.2 of the Seabrook FSAR (Reference 4.1-2), and the second is taken from Appendix A to YAEC-1356 (Reference 4.1-3).

Northern Appalachian Zone

The premise upon which this broad seismogenic zone is formulated is that neither the geologic provinces observed in the Northern Appalachians nor the observed pattern of historical seismicity can be reliably used to model future locations of seismic activity. Past and future seismic activity is, therefore, considered to be random for the entirety of the Northern Appalachians and each location in this large area is, therefore, given an equal likelihood for observing important seismicity. Five of the "experts" from the LLNL study (Reference 4.1-1) provided zonations similar to this Northern Appalachian zone; specifically, Experts 1, 2, 5, 6 and 11.

Ossipee-Cape Ann Zone

The Ossipee source zone is specified for the region of the Ossipee, New Hampshire, December 1940 earthquakes and the boundaries for the source are drawn to encompass the Ossipee Mountain complex, an apparent collapsed caldera structure inferred from geological and geophysical data. Similarly, a seismic source is proposed for the region of the 1727 and 1755 Cape Ann earthquakes. The boundaries of this source are drawn to encompass the region of intense thrust faulting which extends in northeastern Massachusetts from the northern border fault of the Boston basin to the Clinton-Newbury fault zone. Four LLNL experts (Reference 4.1-1) show some support for this zonation, in particular Experts 4, 7, 10 and 12. All six EPRI "expert teams" (Reference 4.1-7) show features similar to those for this zonation on their seismic source zone maps.

White Mountain Zone

The basis for this zone is the spatial coincidence of seismicity with the areal distribution of mafic intrusive bodies of the White Mountain series. The White Mountain intrusives were emplaced in late Mesozoic time during the last major tectonic activity inferred for the Northeast. These intrusives, which have been identified by surface mapping and/or by geophysical studies, occur in eastern Quebec, New Hampshire, western Maine and offshore Massachusetts. Some of the more important earthquakes in the Northeast, including the Cape Ann earthquakes of 1727 and 1755, the Ossipee earthquakes of 1940 and the Quebec-Maine border earthquake of 1973, are located near mafic intrusive bodies of the White Mountain series. Four LLNL experts (Reference 4.1-1) show support for this zonation, in particular, Experts 4, 7, 10 and 12. All six EPRI expert teams (Reference 4.1-7) show features similar to the White Mountain intrusives on their seismic source zone maps.

Item 5 - Revise the estimate of seismicity parameters incorporating the following:

o At least one additional earthquake catalog,
o Alternative $m_b$-$I_0$ relationships.
o Model uncertainty in Richter b-values that is zone-specific.

The first point deals with a concern raised in the LLNL review about cross-checking the Chiburis catalog (Reference 4.1-4) used in the analysis, with at least one other earthquake catalog; in particular, the catalog reported in the Seabrook FSAR. In Appendix D.1 of YAEC-1331 (Reference 4.1-5), a detailed comparison was made between the Chiburis catalog and the Weston Geophysical catalog to see if any systematic differences existed between the catalogs. The Weston Geophysical catalog is the catalog presented in the Seabrook FSAR. Results of this comparison showed little difference between the two catalogs. Within the bounds of the Seabrook FSAR catalog, latitude 39.0 N to 46.1 N and longitude 66.3 W to 75.3 W, 98 percent of the catalog entries agree.

The second point raises a concern that the sole use of the Weston Geophysical conversion (Reference 4.1-5) from intensity to magnitude is inappropriate and may be nonconservative. The most appropriate equation to use to convert Modified Mercalli Intensity (MMI) to body wave magnitude ($m_b$) in the northeast United States is not resolvable theoretically, because intensity is an observed, empirical quantity. Some insight into the appropriate conversion can be obtained by examining all available earthquake data for the Northeast that have both an instrumentally measured magnitude ($m_b$) and an assigned epicentral intensity. Table 4.1-1 is a listing of events meeting this criterion. These events are compiled primarily from the Chiburis catalog (Reference 4.1-4) with additional events from Street and Turcotte (Reference 4.1-6) and YAEC-1331 (Reference 4.1-5). The events from YAEC-1331 come from the Weston Geophysical Corporation (WGC) catalog and, in particular, are a subset of the events used in determination of the WGC conversion that are not found in either the Street and Turcotte or Chiburis data sets. Figure 4.1-4 shows a plot of epicentral intensity versus body wave magnitude ($m_b$) for these events, along with the Nuttli (Reference 4.1-13), EPRI (Reference 4.1-7) and WGC (Reference 4.1-5) intensity to magnitude conversions. The Nuttli, EPRI and WGC conversions were developed from data from the central, eastern and northeast United States, respectively.

Table 4.1-2 presents summary statistics for the entire data set and for specified subsets. These statistics describe how well the equation for each conversion fits the data. In the regression analysis, the explained sum of squares is defined by $\sum (\hat{y} - \bar{y})^2$, and the unexplained sum of squares is defined by $\sum (y_i - \hat{y})^2$, where $\hat{y}$ is the estimated magnitude from the conversion, $y_i$ is the observed magnitude and $\bar{y}$ is the average magnitude in the subset. How well the conversions fit can be determined by comparing the unexplained sums of squares for the Nuttli, EPRI and WGC conversions, and also by comparing the correlation coefficients, R, for each conversion.

While the results vary among the individual subsets of data, the overall conclusion is that the WGC conversion provides a better fit to the data than does the Nuttli conversion. This is consistent with the idea that characteristics of northeast United States earthquakes, at least insofar as intensities are concerned, are different from those of other earthquakes in the United States. The EPRI conversion provides a fit to the data about the same as the WGC conversion.
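The fit comparison described above, worked through as an added example that is not part of the original report. The sample events and the two linear conversion equations are constructed placeholders (not Table 4.1-1 data and not the Nuttli, EPRI or WGC equations), the function names are hypothetical, and R is left out because the report does not state its formula.

```python
"""Score fixed intensity-to-magnitude conversions against observed events.

Added illustration only. Events and conversion coefficients are constructed
placeholders; they are not Table 4.1-1 data or any published conversion.
"""

# (subset label, epicentral intensity I0, observed body wave magnitude m_b)
EVENTS = [
    ("catalog_1", 4, 3.4),
    ("catalog_1", 5, 3.8),
    ("catalog_1", 5, 4.0),
    ("catalog_2", 6, 4.3),
    ("catalog_2", 6, 4.5),
    ("catalog_2", 7, 5.0),
]

# Hypothetical linear conversions m_b = a + b * I0, keyed by a made-up name.
CONVERSIONS = {
    "conversion_X": (1.75, 0.5),
    "conversion_Y": (1.40, 0.5),
}


def sums_of_squares(events, a, b):
    """Return (explained, unexplained, total) sums of squares for one conversion."""
    if not events:
        raise ValueError("subset is empty")
    observed = [m for _, _, m in events]
    estimated = [a + b * i0 for _, i0, _ in events]
    mean = sum(observed) / len(observed)  # average observed magnitude in the subset
    explained = sum((e - mean) ** 2 for e in estimated)
    unexplained = sum((o - e) ** 2 for o, e in zip(observed, estimated))
    total = sum((o - mean) ** 2 for o in observed)
    return explained, unexplained, total


def fit_table(events, conversions):
    """Statistics for the entire data set ("all") and for each labelled subset."""
    subsets = {"all": list(events)}
    for ev in events:
        subsets.setdefault(ev[0], []).append(ev)
    table = {}
    for subset_name, subset in subsets.items():
        for conv_name, (a, b) in conversions.items():
            exp, unexp, tot = sums_of_squares(subset, a, b)
            table[(subset_name, conv_name)] = {
                "n": len(subset),
                "explained": exp,
                "unexplained": unexp,
                "total": tot,
                # The conversions are fixed equations, not least-squares fits
                # to this sample, so explained + unexplained need not equal
                # total. The unexplained term is what ranks the conversions.
                "closure_gap": tot - (exp + unexp),
            }
    return table


def best_conversion(table, subset_name):
    """Name of the conversion with the smallest unexplained sum of squares."""
    rows = {c: r for (s, c), r in table.items() if s == subset_name}
    return min(rows, key=lambda c: rows[c]["unexplained"])


if __name__ == "__main__":
    tbl = fit_table(EVENTS, CONVERSIONS)
    for (subset_name, conv_name), row in sorted(tbl.items()):
        print(f"{subset_name:10s} {conv_name:13s} n={row['n']} "
              f"explained={row['explained']:.3f} "
              f"unexplained={row['unexplained']:.3f} "
              f"gap={row['closure_gap']:+.3f}")
    print("best overall:", best_conversion(tbl, "all"))
```

Both placeholder conversions have the same slope, so the difference in unexplained sum of squares isolates the effect of a constant offset between two conversions applied to the same events.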

In addition to the above information, Appendix D1 of YAEC-1331 (Reference 4.1-5) presents a comparison of seismicity parameters when either the WGC or Nuttli conversion is used. Finally, in YAEC-1455 (Reference 4.1-11), an analysis is presented in which frequency-magnitude relationships were determined for several source areas in the Northeast, and then these relationships were used to predict the number of small magnitude events that should have occurred in the source area. Since the seismic network for New England has been complete for magnitudes equal to or greater than 2.0 since 1976 (Reference 4.1-14), observed and predicted values can be compared for the time frame from 1976 to 1982 using the two conversions. A conclusion of these comparisons is that the conversion method is important and that the use of the Nuttli conversion results in overestimating the observed activity rates for instrumental data in the northeast United States.

As a result of these comparisons, it is concluded that the WGC conversion used in the SSPSA is appropriate for the Northeast. In addition, the data from New England do not support the use of the Nuttli conversion for the Seabrook site. Interestingly, it should also be noted that the $I_0$-$m_b$ conversion used in the EPRI study (Reference 4.1-7) is quite similar to the WGC conversion (see Figure 4.1-4).

The third point is that b-values be zone-specific. In other words, do not use a global default value of 0.9. The effect on the results of eliminating this hypothesis, by assigning zero weight to it, is shown in Figure 4.1-5. As can be seen, the median curve is slightly higher when the hypothesis of a b-value of 0.9 is eliminated from the analysis.

Item 6 - Document the basis for the completeness factors used in the analysis.

The concept of completeness of earthquake catalogs, in general, implies the extent to which the actual seismicity of a region has been recorded either as historical accounts or as instrumental measurements. Secondarily, completeness also implies the extent to which all documentation of seismic events has been found and incorporated into catalogs. For example, intensive research, either of historical accounts or of older seismograms, invariably reveals the existence of a few seismic events previously not cataloged.

For reasons outlined below, as a first approximation, completeness of the catalogs can be bounded at the largest magnitude, greater than 6.0, by the time frame of the early settlement of the northeastern United States and southeastern Canada.

The coastal areas and the major river valleys were first settled in the early to mid-1600s. Much of the interior was populated during the 1700s to early 1800s. Parts of Northern and Western Maine, however, remain sparsely populated even at the present time. Although the population was not dense in the earliest years, the widespread distribution of settlements allowed for the detection of large events due to their large perceptible areas (>1,000,000 km²). In fact, the history of large events in the Northeast is contemporaneous with the earliest settlement of the region in the 1600s. Due to variations in the levels of earthquake intensities perceived between northern and southern settlements, reasonably accurate locations have been inferred for these oldest events. Therefore, on the basis of distribution of population, the catalogs for the Northeast are assumed to be complete for large events on the order of magnitude 6 for the past 250-300 years.

Conversely, the completeness of catalogs for small events depends on dense populations and suitably configured seismograph networks. The present configuration of the Northeastern United States Seismic Network (NEUSSN) and the Canadian Seismograph Network (CSN), which includes approximately 50 stations in the New England states and approximately 20 more in adjacent regions of Canada, provides the most complete instrumental coverage achieved to date in the Northeast. The detection capability, therefore, has been improved so that low magnitude events, i.e., 2.0 $m_b$, are now routinely located and coverage is considered to be complete (Reference 4.1-14).

These networks have evolved in time, and uniform dense coverage has only been achieved since NEUSSN was instituted in 1975. During these most recent years, when networks have been expanded, the earthquake catalog is complete for events larger than magnitude 2.0 (Reference 4.1-14) for the study region.

In summary, the completeness of catalogs for large events (>6.0) is assumed to be 250-300 years on the basis of early settlements, and the completeness for small events (approximately 2.0) is about 7 years on the basis of seismograph configuration. Completeness below magnitude 2.0 is likely not yet achieved for the entire study region. Completeness of intermediate magnitude ranges is more difficult to assess than bounding the complete intervals for low and high magnitudes because detection of these intermediate magnitudes is influenced by subtle changes in population distributions and early seismographic configurations and sensitivities which are difficult to track. Completeness of the intermediate magnitude range is, therefore, assessed using a technique that assumes completeness for intervals of the earthquake catalog, wherein the mean annual rate of earthquake occurrence is stable (Reference 4.1-8).

Further support for the completeness factors used in the analysis is found in Appendix D1 of YAEC-1331 (Reference 4.1-5) and Subappendix C1 of YAEC-1356 (Reference 4.1-3).

Item 7 - Assign lower weight to the AI and AID attenuation models.

The original weights assigned to each attenuation model and the modified weights to evaluate this recommendation follow:

                             Weights
Attenuation Model      Original    Modified
Nuttli-Hermann           0.25        0.34
Campbell                 0.25        0.33
AI                       0.25        0.16
AID                      0.25        0.17

The results produced using the above modified weighting scheme are shown in Figure 4.1-6 with the original results. As can be seen, there is a slight increase when using the modified weights on the attenuation models.

Item 8 - Include greater randomness about the AI and AID median attenuation functions.

The concern here is that an added source of variability inherent in the intensity to peak ground acceleration conversion in the AI and AID attenuation models is ignored in the SSPSA. Uncertainty on the attenuation model consists of both modeling uncertainty and random uncertainty. To account for modeling uncertainty, various alternative attenuation models were used in the analysis. Random uncertainty is accounted for in the sigma term incorporated into the attenuation model. As shown in Table 3 of Appendix F of the SSPSA, a random uncertainty of 0.60 is a reasonable value. For Seabrook Station, which is a rock site, it may be more appropriate to use a sigma of about 0.45 (Reference 4.1-9) which would decrease the hazard at any given probability level.

Item 9 - Remove the acceleration truncation of the seismic hazard curves.

Since the truncation has little, if any, effect at PGA values less than about 0.3g and produces about the same net result as not truncating the hazard curves, but modifying the fragility curves to reflect a limit on damageability (refer to Page 4.1-21 of LLNL review of SSPSA), we see little sense in redoing the analysis without this truncation.

A4.1.2 Seismic Hazard / Fragility Interface

4.1-19 (Page 4.1-43) Ductility Factor

LLNL Comment - Value of $C_D$ and frequency dependency of this factor.

Response - A similar approach was used in establishing the ductility factor of safety to account for the magnitude (and, hence, duration) effects on the seismic fragilities for Seabrook as was done with Millstone-3, although somewhat different magnitude ranges were originally estimated to contribute the majority of seismic risk for the two plants.

As discussed in the Fragilities Evaluation Report (Reference 4.1-16),

including the effects of ductility at seismic response levels above yield is necessary to correctly predict the capacities for most structure and equipment modes of f ailure other than those controlled by brittle failures, elastic buckling or sliding. In determining the seismic fragilities for Seabrook, this was accomplished by use of the Riddell-Newmark ductility-modified response spectra approach (Reference 4.1-17), which is a sufficiently accurate alternative to conducting expensive and time-consuming nonlinear time history analyses for the many structures and equipment items required for the pRA. The Riddell-Newmark ductility-modified response spectra method is based on the results of time history analyses of single-degree-of-freedom systems with various damping ratios and resistance functions. It is appropriate for use in conjunction with relatively broadband response spectra such as the median ground response spectra for the Seabrook site or in the constant amplification range for more sharply peaked spectra.

In the Seabrook seismic fragilities evaluation, the ability of the structures and equipment to resist seismic response levels above those corresponding to yield through ductile behavior was accounted for by the inelastic energy absorption factor, Fμ. The Riddell-Newmark ductility-modified response spectra approach can be used to predict the inelastic energy absorption factor, Fμ, corresponding to some ductility ratio, μ, in the following manner:

Fμ = [(q + 1)μ - q]^r


where:


~*

q = 3.0 7 in the amplified acceleration region. l

= 2.7 7 in the amplified velocity region.

~*

r = 0.487 in the amplified acceleration region.

= 0.66 7 in the amplified velocity region.

7 = percent of critical damping.

One drawback of the ductility-modified response spectra approach is that it does not reflect the relationship between earthquake magnitude and ductility. It is well known that lower magnitude earthquakes are not as damaging to structures and equipment as higher magnitude earthquakes with the same peak ground accelerations. The reason for this is that the lower magnitude response spectra have lower energy content and shorter durations which develop fewer strong response cycles. Structures and equipment are able to withstand larger deformations (i.e., higher ductility) for a few cycles compared to the larger number of cycles resulting from longer duration events.

The method used in the Seabrook fragilities evaluation to account for this effect was to develop a separate duration factor of safety, FD, in conjunction with the ductility factor of safety, Fμ, based on the Riddell-Newmark ductility modified spectra approach. A limited amount of research is available for use in developing FD. In Reference 4.1-18, structures with elastic frequencies of approximately 2, 3, 5 and 8 Hz were subjected to 12 earthquake records scaled to sufficient intensity to produce ductility ratios of approximately 1.9 and 4.3. Included was one artificial record which developed response spectra which envelope the USNRC Regulatory Guide 1.60 spectra. The FD values used in the Seabrook fragilities evaluation were based on the results from Reference 4.1-18. FD is considered to be frequency-independent based on these limited data.

The factor of safety resulting from ductility effects, Fμ, is dependent on both duration and spectral shape. Figure 4.1-8 is reproduced from Reference 4.1-18 and clearly shows the effect of strong motion duration for a ductility ratio of approximately 4.3. However, Fμ is most strongly influenced by the spectral shape and the frequency of the structure. Table 4.1-3 is also reproduced from Reference 4.1-18 and shows the Fμ factors for the various earthquake records and structure frequencies for the 4.3 ductility ratio.

A cursory review of Table 4.1-3 would typically indicate lower Fμ factors associated with higher frequency structures compared with lower frequency structures for a given earthquake record. However, use of these results for application with the Riddell-Newmark method in conjunction with the broadband Seabrook site response spectra must be done with care. It is inappropriate to include results from Reference 4.1-18 for frequencies which lie in a steeply rising or falling portion of a sharply peaked region of the response spectra. As a structure reaches significant levels of inelastic response, there is a decrease in the resonant frequency of the structure. If the elastic frequency of the structure is in a portion of the response spectrum where the frequency shift results in a lower response, a relatively higher Fμ will be developed. Conceptually, this is shown in Region A in Figure 4.1-9. Conversely, if the elastic frequency of the structure lies in a region of the response spectrum where the frequency shift results in increased response, a relatively lower Fμ will be predicted as shown in Region C of Figure 4.1-9. In general, this tends to be the case for most of the 8.5 Hz structures analyzed in Reference 4.1-18. A review of the data from Reference 4.1-18 indicates that many of the Fμ factors shown in Table 4.1-3 do, in fact, lie in steeply rising or falling regions of the response spectra. Figures 4.1-10 through 21 have been reproduced from Reference 4.1-18, which show this effect for the actual earthquake records used in that investigation.

The Seabrook median ground response spectra, however, are relatively broadband and contain significant energy throughout the frequency range from approximately 2 Hz to over 15 Hz. Thus, even though a number of structures at Seabrook have relatively high fundamental elastic frequencies, it is incorrect to use all the Fμ factors directly from the 8.5 Hz results from Reference 4.1-18 together with the Riddell-Newmark method and the Seabrook median spectra.

Table 4.1-4 shows the original Reference 4.1-18 results together with those Fμ factors which result from structure response in relatively flat portions of the respective response spectra and which are considered appropriate for use in the fragilities evaluation. Also shown in Table 4.1-4 are the approximate weighted averages considered appropriate for use in the fragilities evaluation. Because of several anomalies in the Parkfield and Goleta records, compared to expected East Coast earthquakes appropriate for the Seabrook site, these results were not included. However, for earthquakes in the magnitude 6.5 to 7.5 range represented by the first seven records, an average value of Fμ of approximately 2.1 is indicated. For the remaining earthquakes in the magnitude 4.5 to 6.0 range, the average value is about 2.9 for ductilities of about 4.3.

This ratio of 2.9/2.1 = FD was retained as a separate factor of safety in the Seabrook fragilities evaluation in case the magnitude range contributing the majority of seismic risk was changed during or after the evaluation.

Thus, based on the limited research available to date, the value of FD is considered to be independent of frequency, and the value of 1.4 used in the fragilities evaluation (Reference 4.1-16 and SSPSA Appendix F.2) is considered to be appropriate for the Seabrook site.

Any variations in this factor which could reasonably be expected are covered in the variability associated with F " * *#*""* *-

The civil structures at Seabrook have very high seismic capacities. Also, sensitivity studies conducted on changes in the overall seismic risk for variations of the FD factor for another East Coast plant indicated negligible effects. Consequently, no modifications of the Seabrook fragilities in the ductility evaluations are considered warranted.


A4.1.3 Seismic Fragility Assessment

4.1-20 (Pages 4.1-51 and 52) Boolean Equation

LLNL Comment - The reviewer indicates here and elsewhere in the document that there is no Boolean equation and that there was inadequate information provided to identify the components that contribute most to seismic-initiated core melt so as to enable focusing attention on the fragility analyses for those components.

Response - Contrary to the criticism, Section 5 of the SSPSA describes the model used to identify the dominant sequences from all initiating events, including seismic, from which over four billion sequences were analyzed. SSPSA Section 13, Tables 13.2-12 and 13.2-13, describes all the major sequences determined from point estimates. Of these, those that are dominated by seismic-initiated sequences contributing to core melt are seen to be in plant damage states 3F, 3FP and 7FP. Thus, the Boolean expressions presented on SSPSA Page 9.2-13 for these three plant damage states reflect the seismic and nonseismic component failures associated with dominant sequences. (The Boolean for 3FP should read Z at the end - V EF I V ([))] but the calculations had been made with this added.) Therefore, the important components are seen in these Boolean expressions.

4.1-21 (Page 4.1-60) Fragility Cutoff Point

LLNL Comment - The reviewer questions whether the fragility lower bound cutoff point recommended by SMA was in fact used in the integrated seismic hazard / fragility analysis.

Response - In lieu of utilizing the SMA recommended cutoff, which is less prescriptive in regard to seismic hazard levels of frequency, the SEIS code used in the analysis cuts off the convolution calculations of fragility and seismic hazard frequency only when the acceleration frequency is less than 1 x 10^-8. This assures that unconditional single component failures are retained in the calculations until their mean annual frequencies are less than 1 x 10~ . Experience with PRAs indicates that core melt frequencies from all initiators are seldom less than 1 x 10 to 1 x 10~ and, therefore, seismic initiated frequencies of single and, particularly, multiple event cut sets cannot significantly contribute to total core melt frequency.

4.1-22 (Page 4.1-62) Damping

LLNL Comment - Concerning damping of civil structures at equipment failure levels.

Response - The final capacities of the equipment items include consideration of the response of the structure in which they are mounted. Included in the structure response is the expected damping of the structure at the acceleration capacity corresponding to failure of the equipment.

Section 5.1.1.3, Pages 5-22 and 5-23, of the SMA Fragility Report (SSPSA Appendix F.2), describes the damping values assumed for structural response that is elastic and when yield of the structure is anticipated. Five percent (5%) of critical damping was assumed for structures that remained elastic at the median failure level of the equipment. For structures that exceeded yield at the median equipment capacity level, the damping associated with structural fragility was assumed. Table 5-3 in SSPSA Appendix F.2 lists the structural response factors used for cases of an elastic structure and an inelastic structure.

4.1-23 (Page 4.1-62) Modeling Uncertainty

LLNL Comment - Values of p g for modeling uncertainty.

Response - We agree in principle that the uncertainty in response due to modeling error should be calculated explicitly by first examining the uncertainty in frequency and then assessing the response uncertainty using the applicable response spectrum. If the slope of the response spectrum is very steep at the fundamental frequency of the equipment, a small error in stiffness causing an error in calculation of frequency can theoretically make a significant difference on computed elastic response. In actual fact, though, when the equipment reaches its yield level, the frequency will shift significantly making refinement of uncertainty on elastic response of questionable value.

It is difficult to imagine a frequency error that would result in response near the real peak of the response spectrum, since real peaks are very narrow and any inelastic response near the highly amplified peak will surely shift response even further to the soft side of the peak which may, in fact, result in lower response.

The real problem is very complex, and refinements of uncertainty predictions for modeling by explicitly calculating $g for each component on an elastic response basis do not seem warranted unless the component is a dominant contributor to risk, and a significantly more detailed evaluation is conducted for all variables that contribute to the final fragility description. Accurate values cannot be computed without explicitly accounting for inelastic response; thus, we feel that the generic uncertainty values used are warranted and reasonable relative to the uncertainties for other variables.

4.1-24 (Page 4.1-63) Serial Independent Failures

LLNL Comment - The reviewer notes that little attention has been given to the potential failure of independent sections of piping, conduits or cable trays whereby if they are serial, the number of sections in a system or space could substantially increase the failure frequency over results when only a single section is considered.

Response - This condition was considered in the SSPSA. As seen in SSPSA Table 9.2-2, the median acceleration capacity of these individual component sections is greater than 2.0g. This means that even considering uncertainty, there is essentially no chance of individual sections failing, since from SSPSA Figure 9.2-1, it can be seen that annual frequencies of such accelerations are probably on the order of 1 x 10 ' to 1 x 10" or less. That being the case, there is essentially no chance of any multiple sections failing. Further, if there were some small chance that failures could occur, there likely are at least partial failure dependencies among individual sections, particularly those in the same location, so that the failure logic is not serial and the number of sections involved does not linearly increase the failure probability as suggested by the reviewer.

4.1-25 (Page 4.1-63) Sliding of Structures

LLNL Comment - Sliding of structures.

Response - Sliding of structures was not considered a credible failure mode for any of the Seabrook structures. The cooling tower has some backfill on the west side. However, the structure is embedded 28 feet below grade and is founded on rock. The base slab of the structure is effectively keyed into the rock. Similarly, sliding is not considered a credible failure mode for the foundation of either the Unit 1 or Unit 2 tank farms. The Unit 2 tank farm is structurally connected to the Unit 2 Primary Auxiliary Building and was included in the dynamic analytical model of that structure (hence, the structural amplification factors shown in Table 5-12 of Reference 4.1-16). The Unit 1 tank farm foundation is not connected to the Unit 1 Auxiliary Building. However, the slab is founded on rock, and the rock profile appears to be very uneven which forms, in essence, a shear key for the structure (Figure 4.1-22). Even if somehow the foundation should slide, sufficient motion to cause failure of the piping is not expected until median ground accelerations of from 1.2 to 1.6g with a lower bound cutoff in excess of 0.7g. The median capacities of the RWST and the spray additive tanks are in the 0.75 to 0.86g range based on anchor bolt failure followed by tank wall buckling with assumed loss of contents. This mode of failure is expected to control the tanks' capacities rather than base slab sliding.

4.1-26 (Page 4.1-64) Uncertainty on Spectral Shape

LLNL Comment - Regarding uncertainty on spectral shape.

Response - The uncertainty gg equal to one-third og, is a subjective estimate which was felt to be reasonable for application to a site-specific spectrum. y , is the more dominant indicator of response uncertainty as it directly represents the variation in the spectral acceleration scale factor relative to the zero period acceleration. The value of Sg could be higher or lower depending upon the relationship between the structural fundamental frequency and slope transition points of the ground response spectrum. If the fundamental frequency corresponds to the flat portion of the spectrum, then changes in shape, i.e., shifts in the slope change transition points, have no effect and $g is essentially zero, wherein, a frequency corresponding to a point of steep slope change on the spectrum might warrant a larger pg on the basis that a change in the slope transition point could have a significant effect on the computed elastic response. The relationship between $g and $ , was felt to be reasonable for the average case.

4.1-27 (Page 4.1-65) Cooling Tower

LLNL Comment - Masonry walls in the cooling tower.

Response - Failure of the masonry walls in the cooling tower was judged to have a very low probability of resulting in seismic damage to the plant. The masonry walls are located above El. 53', but below any essential piping. No critical equipment is attached to the masonry walls. Therefore, collapse of the walls, while resulting in some debris falling to the base slab of the structure, is not expected to damage either the fans or essential piping located above the walls.

The service water pumps and other equipment and switchgear are all mounted in separate rooms which are separated from the masonry walls by 2-foot thick reinforced concrete walls. Similarly, the vertical shafts of the service water pumps are completely separated from any possible falling debris down to El. (-)9' and by partial 2-foot thick concrete walls and columns down to the base slab. Although some debris may possibly end up in the vicinity of the pump nearest the masonry walls, sufficient blockage to prevent flow is not considered a probable failure mode. Furthermore, a redundant pump for each unit is located over 40 feet away (in plan) from the masonry walls. Debris from collapsed walls preventing operation of this pump is not considered credible. Since failure of the masonry walls is not considered to lead to credible failure modes of any equipment, it was considered unnecessary to evaluate the seismic capacities of these walls in detail.

4.1-28 (Page 4.1-65) Tank Farm

LLNL Comment - Tank farm.

Response - The tank farm is a shear wall, reinforced concrete box structure. The only essential equipment within the structure are the spray additive tank and the refueling water storage tank. These tanks are located on the slab at El. 25'. Therefore, to affect these tanks, the structure in this area must collapse. This entails considerably higher ductility ratios than the other structures where failure is defined as sufficient structure degradation to possibly result in equipment failure due to relative end point motions, loss of anchorage of wall and floor slab-mounted equipment, etc. In view of the relatively low capacities of the two tanks, compared to the capacities of the other civil structures evaluated for Seabrook, together with the expected higher capacity of the tank farm structure due to a very simple configuration, relatively light structure weight and higher ductility ratios for failure, it was judged unnecessary to perform a detailed evaluation of the Tank Farm Building.

4.1-29 (Page 4.1-66) Turbine Building

LLNL Comment - Turbine Building failure.

Response - Although the weight of the crane is significant, it is normally not loaded substantially unless the plant is shut down. Even including the crane mass, the mass of the Turbine Building superstructure is relatively small. The adjacent safety-related structures are constructed of two-foot or thicker reinforced concrete walls and roof slabs. A portion of the Control Building (roof El. 98') is adjacent to the southwest corner of the Turbine Building. The emergency feedwater pumphouse is located approximately 30 feet from the Turbine Building and a significant separation also exists between the Turbine Building and the condensate storage tank. Once the seismic capacity of the Turbine Building superstructure is exceeded, it is expected the mode of failure will be essentially vertical collapse due to P-Δ effects. Although the roof of the condensate storage tank is unprotected by concrete, the two-foot thick concrete wall surrounding the tank will retain the contents of the tank in the event of penetration of the tank from above. Although some damage to the exterior of the safety-related structures could be expected in the event of Turbine Building failure, this was judged to have a very unlikely probability of leading to failure of safety-related equipment within these structures.

4.1-30 (Page 4.1-67) Diesel Oil Tank

LLNL Comment - Diesel oil storage tank.

Response - The diesel oil storage tank design report was briefly reviewed at a visit to the United Engineers and Constructors office. The tank is mounted below grade in the Diesel Generator Building and is not subjected to highly amplified spectra. Based upon observations of the tank supports during the field walkdown and on a quick review of the tank design report in the UE&C offices, it was subjectively judged that the diesel oil storage tank fragility would not be any lower than the day tank.

4.1-31 (Pages 4.1-67 through 69) Comparison With Other PRAs

LLNL Comment - Fragility comparison with other PRAs.

Response - We agree that many of the equipment fragility predictions for Seabrook are biased to the low side. As the documentation of earthquake experience data has become available, an excellent calibration tool now exists to perform critical tests of derived fragility descriptions. These experience data were, in fact, compared to derived Seabrook fragility estimates prior to the staff review of the applicant's PRA and our conclusions were that many of the predicted fragilities were considerably biased to the low side. Table 4.1-5 lists 24 Seabrook components in order of ascending capacity with their associated median ground acceleration capacities and randomness and uncertainty.

The most seismically vulnerable components fall into four general categories of equipment which may have unrealistic lower tails to the fragility curves. They are:

Pumps (Components 5, 6, 14, 15, 16)

Electrical Power Equipment (Components 8, 9, 10)

Vessels and Heat Exchangers (Components 7, 11, 12, 13)

Off-site Power (Components 1, 2, 3, 4)

Shown in Table 4.1-5 is the 5% nonexceedance probability, 95% confidence value which we refer to as the high confidence, low probability of failure value. Intuition would tell us that the value should be above the SSE unless some unusual circumstances existed.

Upon examining Seabrook fragilities, we find that several high confidence, low probability of failure values are below the SSE. Furthermore, they tend to be lower than for other plants, some of which had a much less comprehensive seismic qualification program. This occurs for several reasons:

1. As a reaction to critical review comments on prior PRAs, we have tended toward larger βU's without a corresponding increase in median capacities. This significantly distorts the lower portions of the fragility curves when using a lognormal distribution.
2. Many components had a generic derivation of fragility without benefit of reviewing their actual qualification documentation. This generally results in a low median capacity.
3. Based on the qualification test reports available at the time of the Seabrook PRA, several electrical components failed their qualification test for the SSE. We assumed that upon final qualification, the components would barely meet the specified test requirements.

Recent studies conducted by others have documented sufficient historical data to establish a lower bound on seismic-induced failures, but not necessarily a lower bound on electrical malfunctions. This lower bound is slightly above the Seabrook SSE, whereas the lower fragility tails that result from large βU's, coupled with a lognormal distribution, dip significantly below these values.

We have done some updating of some of the Seabrook fragilities using documented earthquake experience data as a lower bound to reduce the uncertainty. This does not affect the median values though. Median values might be increased if more specific qualification data were reviewed. Following is a discussion of the four general categories of equipment and some suggested revisions.

Pumps

In the case of the emergency feed pumps, the fragility estimate is based upon a deflection of the pump shaft that would use up the available clearance. Although this is considered a failure in a licensing environment, it is very unlikely that pump function would be impaired significantly. Historical data would support a higher capacity. For lack of more definitive data, a revised estimate of pump fragility for the emergency feed pumps, as well as the RHR, safety injection and charging pumps can be obtained by considering historical data in the following manner:

The 5% nonexceedance probability, 95% confidence value is about 0.3g.

The 5% nonexceedance probability, 50% confidence value is about 0.5g.

If the βR remains about the same, the revised estimates for both emergency feed pumps are:

)(=0.97s,pR" '

'O"*

Generic βR's for the other three pumps were lower than for the emergency feed pumps; thus, if we applied the same logic, the median capacities would be lower than previously predicted, but with significantly reduced βU's. We believe the best estimate, as long as the pump fragilities are generic, is to use the same value as for the emergency feed pumps.

Electrical Power Equipment

The fragilities provided for active safety grade electrical gear are based upon relay chatter. The chatter failure mode fragilities and their uncertainties for Seabrook reflect a small factor being applied to the achieved test levels or levels expected to be achieved to establish the lower bound capacity. For those cases mentioned previously where components had not passed their functional tests at the SSE level, we assumed that they would eventually pass, but with very little margin. Assuming the lower bound capacity as being above the test level does not, however, result in a lower bound fragility above the SSE since uncertainties in response tend to place the tails well below the SSE. Realistically, the SSE should be a lower bound value. There are no data to indicate a higher median for relay chatter; thus, the uncertainty should be reduced to reflect the SSE as a lower bound.

Vessels and Heat Exchangers

There are some vessels and heat exchangers listed in Table 4.1-5 which have their 5% NEP, 95% confidence value below the SSE. The spray additive tank and refueling water storage tank are flat-bottom tanks in the tank farm. Their fragility descriptions are based on extrapolations of design analysis, and the derivations and lower bounds look reasonable. In other PRAs, we have reanalyzed similar tanks and obtained similar results; thus, we see no compelling reason to modify the predicted fragility descriptions.

In the case of the PCC heat exchangers and the diesel fuel oil day tanks, anchor bolts were governing. The component manufacturer specified bolt size and minimum load capacity to the AE. Soft A307 bolts would meet the vendor requirements in each case, and the fragility derivation was based on A307 properties. If the AE used stronger bolts, the median capacity may be much greater. The β's look reasonable, but the 5% NEP, 95% confidence value is about at the SSE level. The uncertainty could be adjusted slightly to reflect a better historical performance record. If the 5% NEP, 95% confidence value is set at 0.3g, the resulting fragility description would be:

PCC Heat Exchanger - )I=0.99,$R"* 'hU=0.36 Diesel Fuel 011 Day Tank - )I = 1.03,$R " * h U "

Off-Site Power

The classic ceramic insulator failure for loss of off-site power is not contained in the Seabrook PRA. The switchyard utilizes a duct arrangement that was estimated to have greater capacity than the cantilevered stacks of insulators. The governing switchyard elements were assumed to be transformers that were not anchored. Their capacity was estimated to be 0.3g and the 5% NEP, 95% confidence value was 0.07g. Loss of off-site power can occur at a substation many miles away and can be governed by ceramic insulators. Review of more recent data on ceramic insulator failure in seismic events would support a median value of about 0.35, which is comparable to what was used for the Seabrook switchyard transformers. The lower bound will be in the neighborhood of 0.1g as there is evidence of failure as low as 0.13g.

Our current estimate for off-site power failure is:

Median capacity = 0.3g, βR = 0.25, βU = 0.50

The βU for transformers should be reduced to about 0.5 from 0.62 so that they will have the same fragility description as ceramic insulators.
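The arithmetic behind the 5% NEP, 95% confidence values and the revised pump estimate discussed above can be checked with a short calculation. This is an added example, not part of the original report: it assumes the standard lognormal fragility model (median capacity, randomness βR, uncertainty βU), the function names are illustrative, the transformer βR of 0.25 is borrowed from the off-site power estimate, and the pump βR of 0.40 is an assumed input chosen because it reproduces the 0.97g median.

```python
"""Lognormal seismic fragility arithmetic (added example, not from the report).

Assumed model: a median ground acceleration capacity with two logarithmic
standard deviations, beta_r (randomness) and beta_u (uncertainty).
"""
from math import exp, log
from statistics import NormalDist

_STD_NORMAL = NormalDist()


def capacity(median, beta_r, beta_u, p_fail=0.05, confidence=0.95):
    """Acceleration (g) at which failure probability is p_fail, at the given confidence."""
    z_p = _STD_NORMAL.inv_cdf(p_fail)       # about -1.645 for 5% failure probability
    z_q = _STD_NORMAL.inv_cdf(confidence)   # about +1.645 at 95%, exactly 0 at 50%
    return median * exp(beta_r * z_p - beta_u * z_q)


def hclpf(median, beta_r, beta_u):
    """High confidence, low probability of failure value (5% NEP, 95% confidence)."""
    return capacity(median, beta_r, beta_u, p_fail=0.05, confidence=0.95)


def fit_from_anchors(a_5_50, a_5_95, beta_r):
    """Revise (median, beta_u) from two experience-based anchors, holding beta_r.

    a_5_50: 5% NEP capacity at 50% confidence (g)
    a_5_95: 5% NEP capacity at 95% confidence (g)
    """
    if not 0 < a_5_95 <= a_5_50:
        raise ValueError("anchors must satisfy 0 < a_5_95 <= a_5_50")
    z = _STD_NORMAL.inv_cdf(0.95)
    median = a_5_50 * exp(beta_r * z)       # undo the randomness tail
    beta_u = log(a_5_50 / a_5_95) / z       # spread between the two confidence levels
    return median, beta_u


def tail_sensitivity(median, beta_r, beta_us):
    """HCLPF for each beta_u with the median held fixed.

    Shows how raising beta_u without raising the median drags the lower
    tail of a lognormal fragility curve down.
    """
    return [(bu, hclpf(median, beta_r, bu)) for bu in beta_us]


if __name__ == "__main__":
    # Off-site power: median 0.3g, beta_r 0.25, beta_u 0.50 (values quoted above).
    print("off-site power HCLPF: %.3f g" % hclpf(0.3, 0.25, 0.50))

    # Switchyard transformers before and after reducing beta_u from 0.62 to 0.5.
    # beta_r = 0.25 is an assumption taken from the off-site power estimate.
    for bu, value in tail_sensitivity(0.3, 0.25, [0.62, 0.50]):
        print("transformer beta_u=%.2f -> HCLPF %.3f g" % (bu, value))

    # Pumps: anchors 0.5g (5% NEP, 50% confidence) and 0.3g (5% NEP, 95%
    # confidence). beta_r = 0.40 is an assumed input, not a value from the page.
    median, beta_u = fit_from_anchors(0.5, 0.3, beta_r=0.40)
    print("pump median %.2f g, beta_u %.2f" % (median, beta_u))
```

With βU = 0.62 the transformer value comes out at about 0.07g, matching the figure quoted for the switchyard transformers, and reducing βU to 0.50 raises it to about 0.09g.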

Conclusions

There is no reason to believe that Seabrook components are weaker than in other plants for which PRAs have been conducted. We strongly feel that many Seabrook component fragilities are biased on the low side for the reasons stated.

4.1-32 (Page 4.1-70) Degrees of Freedom

LLNL Comment - Multi-Degree-Of-Freedom (MDOF) versus Single-Degree-Of-Freedom (SDOF) structure ductilities.

Response - The civil structures at Seabrook are founded on rock and have high natural frequencies. The horizontal fundamental frequency for the Containment Building is over 4 Hz, the second horizontal frequency is approximately 12 Hz and the third is 24 Hz. Other structures all have higher frequencies, many of them substantially higher. Even for the lower frequency structures, only two modes occur in the amplified range of the Seabrook response spectra for either direction, and in many cases, only a single mode occurs in this range. Thus, most of the seismic response of the structures occurs in one to two modes.

In the Seabrook evaluation, the ductility-modified response method developed by Newmark (Reference 4.1-17) was used. This method is based on a reduction of the elastic spectra, and was developed from time history response analyses conducted for SDOF models. However, the method is generally considered to be adequate for use with MDOF structures provided an appropriate system ductility is selected. The system ductility used in the evaluation of the Seabrook structures was substantially lower than that expected for the individual structural elements such as individual shear walls. Although a demand ductility calculation was not done for every shear wall, a general review of the distribution of reinforcing steel throughout the individual structures was conducted to identify the expected controlling areas; and this review indicated the ductility would be reasonably well distributed throughout the structures rather than be localized. The capacity evaluations, while concentrating on the expected controlling elements, do not imply that these elements are the only ones to experience inelastic response in a major earthquake. Thus, the selection of the system ductilities used in conjunction with the duration factors used for Seabrook are considered to be appropriate, and, short of extensive detailed nonlinear analyses, are believed to represent as accurate an evaluation as is feasible using currently available methods.

4.1-33 (Pages 4.1-71 through 76) Equipment Capacity

LLNL Comment - Equipment capacity.

Response - These comments are addressed in response to 4.1-31 above concerning comparisons with other PRAs.

4.1-14 (Page 4.1-75) Boolean Equation

LLNL Comment - No Boolean equations.

Response - There are Boolean equations, as discussed above at 4.1-20.

A4.1.4 References to 4.1

4.1-1 Bernreuter, D. L., et al., "Seismic Hazard Characterization of the Eastern United States: Methodology and Interim Results for Ten Sites," Lawrence Livermore National Laboratory, NUREG/CR-3756, April 1984.

4.1-2 Seabrook Station, Final Safety Analysis Report.

4.1-3 Yankee Atomic Electric Company, "YAEC-1356, Maine Yankee Seismic Hazard Analysis," 1983.

4.1-4 Chiburis, E., "Seismicity, Recurrence Rates and Regionalization of the Northeastern United States and Adjacent Southeastern Canada," U.S. Nuclear Regulatory Commission, NUREG/CR-2309, 1981.

4.1-5 Yankee Atomic Electric Company, "YAEC-1331, Supplemental Seismic Probabilistic Study, Yankee Atomic Electric Company, Rowe, Massachusetts," Appendix D1 prepared by Weston Geophysical Corporation, 1982.

4.1-6 Street, R. L., and F. T. Turcotte, "A Study of Northeastern North American Spectral Moments, Magnitudes and Intensities," 1977.

4.1-7 Electric Power Research Institute, "Seismic Hazard Methodology for Nuclear Facilities in the Eastern United States," prepared by Dames & Moore, 1985.

4.1-8 Stepp, J. C., "Analysis of Completeness of the Earthquake Sample in the Puget Sound Area and its Effect on Statistical Estimates of Earthquake Hazard," Proceedings of International Conference on Microzonation, V.2, pp. 897-910, 1972.

4.1-9 Chen, J. C., and D. L. Bernreuter, "Assessment of the Need to Correct the Probabilistic Spectra Developed for the Big Rock Point Site to Account for the Site's Soil Column," U.S. Nuclear Regulatory Commission, not dated.

4.1-10 Safety Evaluation Report, Seabrook Station, NUREG-0896, 1983.

4.1-11 Yankee Atomic Electric Company, "YAEC-1455, Review and Comment on NUREG/CR-3756," 1984.

4.1-12 Safety Evaluation Report, Supplement 3, Seabrook Station, 1985.

4.1-13 Nuttli, O. W., and Hermann, R. B., "State-of-the-Art for Assessing Earthquake Hazards in the United States Report 12 - Credible Earthquakes for the Central United States: U.S. Army Engineers Waterways Experiment Station," Miscellaneous Paper S-73-1, 1978.

4.1-14 Ebel, J. E., "Statistical Aspects of New England Seismicity From 1975 to 1982 and Implications for Past and Future Earthquake Activities," BSSA, August, pp. 1311-1330, 1984.

4.1-15 McGuire, R. K., "Effects of Uncertainty in Seismicity on Estimates of Seismic Hazard for the East Coast of the United States," BSSA, Volume 67, No. 3, June 1977.

4.1-16 Wesley, D. A., et al., "Seismic Fragilities of Structures and Components at the Seabrook Generating Station, Units 1 and 2," prepared for Pickard, Lowe and Garrick, Inc., Structural Mechanics Associates, Report No. 12911.01, September 1983.

4.1-17 Riddell, R., and N. M. Newmark, "Statistical Analysis of the Response of Nonlinear Systems Subjected to Earthquakes," Department of Civil Engineering, Report UILU 79-2016, Urbana, Illinois, August 1979.

4.1-18 Kennedy, R. P., et al., "Engineering Characterization of Ground Motion," NUREG/CR-3805, 1984.

4.1-19 Bernreuter, D. L., "Seismic Hazard Analysis Application of Methodology, Results, and Sensitivity Studies," Lawrence Livermore National Laboratory, NUREG/CR-1582, Vol. 1 - Vol. 5, October, 1981.

TABLE 4.1-1 (Sheet 1 of 3)

EARTHQUAKE EVENTS *

YEAR   LAT.    LONG.   g      I
1924   47.60   69.70   5.50    6.00
1925   47.60   70.10   6.60    9.00
1929   42.90   78.40   5.20    8.00
1929   44.50   56.30   6.70   10.00   ST
1931   43.40   73.70   4.70    7.00
1935   46.78   79.07   6.20    7.00
1939   40.10   74.50   3.90    5.00   WGC
1939   47.SO   70.00   5.60    6.00   WGC
1940   41.60   70.60   2.60    5.00
1940   43.60   71.30   5.50    7.00
1940   43.90   71.30   3.60    4.00   ST
1940   43.60   71.30   3.70    4.00   ST
1941   43.80   71.30   2.70    4.00   ST
1941   45.30   69.60   4.40    5.00
1944   45.00   74.90   5.90    8.00
1947   45.20   69.20   4.40    5.00   WGC
1949   44.30   70.50   4.50    5.00
1951   41.25   74.25   3.80    5.00   WGC
1952   48.00   69.60   4.70    5.00   ST
1957   43.60   69.60   4.60    6.00
1963   42.50   70.80   3.90    5.00   WGC
1963   42.70   70.80   2.40    5.00   WGC
1964   43.60   71.50   1.80    4.00   WGC
1964   43.30   71.90   2.60    5.00   WGC
1966   42.60   78.20   4.70    6.00
1967   42.90   73.20   3.90    6.00
1967   44.40   69.90   2.90    4.00   WGC
1967   44.38   69.87   3.40    5.00   WGC
1968   37.30   60.80   4.10    4.00
1968   34.00   61.50   3.70    4.00
1968   45.30   74.10   3.20    5.00
1969   41.40   72.50   3.30    5.00
1963   30.70   74.60   2.50    5.00
1969   36.10   83.70   3.50    5.00
1969   43.80   71.40   2.60    5.00
1969   43.30   78.20   2.60    4.00
1969   46.40   75.20   4.20    5.00
1970   45.80   66.10   3.30    3.00
1970   42.c0   71.90   2.60    4.00
1971   45.10   73.40   3.20    4.00

* Earthquakes from Chiburis catalog, unless noted; ST from Street and Turcotte, WGC from Weston Geophysical.

TABLE 4.1-1 (Sheet 2 of 3)

1971   43.80   74.50   3.90    5.00
1971   34.80   83.00   3.80    4.00
1971   45.70   75.20   3.20    4.00
1971   42.70   71.20   2.30    5.00
1971   50.20   66.40   3.20    4.00
1971   46.60   72.60   2.20    3.00
1971   45.80   76.60   3.00    4.00
1971   46.20   74.60   3.90    5.00
1972   37.60   77.70   3.40    5.00
1972   46.20   77.60   3.20    4.00
1972   45.80   64.70   3.00    5.00
1972   45.50   74.30   2.60    3.00
1972   45.80   64.70   2.20    3.00
1972   45.80   75.20   3.90    4.00
1973   39.70   75.40   3.S0    5.00
1973   37.30   77.70   2.50    4.00
197?   45.30   70.90   4.80    6.00
1974   41.60   75.90   3.30    6.00
1974   33.90   82.50   4.30    5.00
1974   41.70   71.60   2.50    2.00
1975   44.90   74.60   2.50    4.00
1975   47.60   55.20   3.20    4.00
1975   45.70   74.20   3.10    4.00
1975   44.90   73.70   4.20    6.00
1975   43.40   79.S0   3.00    3.00
1975   46.50   76.20   4.10    4.00
1975   41.40   73.60   2.'+0   3.00
1975   42.70   70.90   2.40    3.00
1975   44.10   70.20   2.20    3.00
1975   41.60   73.90   2.20    2.00
1975   43.90   74.60   3.90    4.00
1975   47.00   79.60   3.20    3.00
1975   48.00   69.74   3.30    4.00   WGC
1976   41.60   71.20   2.90    5.00
1976   41.00   74.40   2.40    5.00
1976   41.70   70.00   2.80    5.00
1976   40.80   74.00   3.10    6.00
1976   44.20   70.10   2.40    3.00
1976   41.00   72.50   2.20    3.00
1976   41.50   71.00   2.70    4.00

TABLE 4.1-1 (Sheet 3 of 3)

1976   45.20   74.10   2.90    4.00
1976   47.80   69.80   4.20    5.00
1976   41.50   72.10   2.20    2.00
1977   46.00   74.40   3.40    4.00
1977   49.30   67.10   3.90    4.00
1977   41.80   70.70   3.10    4.00
1977   43.20   71.70   3.20    4.00
1977   41.84   70.70   2.40    3.00   WGC
1978   44.00   70.50   3.20    4.00
1978   46.90   70.30   2.90    3.00
1978   46.30   74.10   4.20    5.00
1978   46.40   74.10   3.80    4.00
1978   43.50   79.70   2.10    2.00
1978   47.70   70.10   3.10    3.00
1978   41.10   74.00   2.90    4.00
1978   39.80   76.00   3.10    5.00
1978   45.70   74.40   3.80    4.00
1978   47.10   70.90   2.80    3.00
1978   47.60   70.10   2.90    3.00
1970   42.90   70.80   2.30    2.00
1978   42.50   71.50   2.00    2.00
1978   47.50   70.50   2.00    2.00
1978   47.60   70.40   2.70    3.00
1978   40.10   76.10   3.00    6.00
1978   45.00   69.50   2.20    2.00
1978   44.50   73.90   2.50    4.00
1979   44.80   73.20   2.80    2.00
1979   40.30   74.30   3.50    4.00
1979   40.70   74.50   3.10    3.00
1979   47.70   70.10   3.10    3.00
1970   44.00   69.80   4.00    5.00
1979   45.20   66.00   3.20    4.00
1974   43.00   71.20   3.10    3.00
197*   43.30   70.40   3.50    4.00
1974   47.70   69.90   5.00    5.00
1970   41.00   73.70   2.20    3.00
1980   48.70   68.10   4.10    4.00
1980   43.60   75.20   3.50    4.00
1980   47.50   70.70   3.60    4.00
1980   42.10   S3.10   3.30    5.00

TABLE 4.1-2 Summary Statistics for Conversions

                                                              Explained     Unexplained
                                                              Sum of        Sum of
                                                   Average    Squares       Squares
Conversion   Subset of Events          Number     Magnitude  (ŷi - ȳ)²     (yi - ŷi)²     R

Nuttli       Io ≥ 2.0 (all events)     120        3.40        95.49         79.72         0.74
WGC                                                           110.52         49.57         0.83
EPRI                                                           88.56         46.21         0.81

Nuttli       Io ≥ 4.0                   90        3.70        57.82         66.78         0.68
WGC                                                            58.00         41.52         0.76
EPRI                                                           46.77         40.77         0.73

Nuttli       Io ≥ 6.0                   17        4.90         7.74         11.42         0.64
WGC                                                            11.67          9.43         0.74
EPRI                                                            9.01          9.21         0.70

Nuttli       Io ≥ 8.0                    5        6.00         0.82          0.51         0.79
WGC                                                             1.68          0.67         0.85
EPRI                                                            1.15          0.43         0.85

TABLE 4.1-3 STATISTICAL EVALUATION OF SCALE FACTOR DATA (Reference 3)

Scale Factor (Fμ) for High Ductility Ratio (μ = 4.27), by elastic structure frequency

No.  Earthquake Record (Comp)                                  8.54 Hz  5.34 Hz  3.20 Hz  2.14 Hz   Mean   Std. Dev.  C.O.V.
 1   Olympia, WA., 1949 (N86E)                                  1.56     1.54     2.61     3.75     2.37    1.05      0.44
 2   Taft, Kern Co., 1952 (S69E)                                1.25     1.65     2.05     3.38     2.08    0.92      0.44
 3   El Centro Array No. 12, Imperial Valley, 1979 (140)        1.56     2.29     2.10     2.14     2.02    0.32      0.16
 4   Artificial (R.G. 1.60)                                     1.89     1.88     2.84     2.75     2.34    0.53      0.23
 5   Pacoima Dam, San Fernando, 1971 (S14W)                     1.70     1.86     2.67     3.89     2.53    1.00      0.40
 6   Hollywood Storage PE Lot, San Fernando, 1971 (N90E)        1.94     2.50     2.60     2.05     2.27    0.33      0.15
 7   El Centro Array No. 5, Imperial Valley, 1979 (140)         2.38     2.66     2.33     3.45     2.71    0.52      0.19
 8   UCSB Goleta, Santa Barbara, 1978 (180)                     1.52     2.05     2.05     1.96     1.90    0.25      0.13
 9   Gilroy Array No. 2, Coyote Lake, 1979 (050)                1.56     3.85     4.36     3.03     3.20    1.22      0.38
10   Cholame Array No. 2, Parkfield, 1966 (N65E)                1.55     1.29     1.48     2.65     1.74    0.61      0.35
11   Gavilan College, Hollister, 1974 (S67W)                    2.84     2.97     2.71     8.49     4.25    2.83      0.67
12   Melendy Ranch Barn, Bear Valley, 1972 (N29W)               1.89     5.48     5.16     3.36     3.97    1.67      0.42

     Mean                                                       1.8      2.5      2.75     3.41
     Std. Dev.                                                  0.43     1.17     1.03     1.73
     C.O.V.                                                     0.24     0.47     0.37     0.51

Overall: Mean = 2.52, Std. Dev. = 1.25, C.O.V. = 0.49

TABLE 4.1-4 DATA USED IN DEVELOPING THE DUCTILITY FACTORS FOR THE SEABROOK FRAGILITIES (Ref. 3)

Scale Factors (Fμ) for High Ductility Ratio (μ = 4.27), by elastic structure frequency

No.  Earthquake Record (Comp)                                  8.54 Hz  5.34 Hz  3.20 Hz  2.14 Hz   Weighted Average
 1   Olympia, WA., 1949 (N86E)                                  1.56     1.54*    2.61     3.75      2.0
 2   Taft, Kern Co., 1952 (S69E)                                1.25     1.65*    2.05*    3.38*     2.0
 3   El Centro Array No. 12, Imperial Valley, 1979 (140)        1.56     2.29*    2.10     2.14*     2.1
 4   Artificial (R.G. 1.60)                                     1.89*    1.88*    2.84*    2.75*     2.3
 5   Pacoima Dam, San Fernando, 1971 (S14W)                     1.70*    1.86*    2.67*    3.89      2.2
 6   Hollywood Storage PE Lot, San Fernando, 1971 (N90E)        1.94*    2.50*    2.60     2.05      2.5
 7   El Centro Array No. 5, Imperial Valley, 1979 (140)         2.38*    2.66*    2.33     3.45      2.5
 8   UCSB Goleta, Santa Barbara, 1978 (180)                     1.52     2.05     2.05     1.96
 9   Gilroy Array No. 2, Coyote Lake, 1979 (050)                1.56*    3.85*    4.36     3.03*     3.0
10   Cholame Array No. 2, Parkfield, 1966 (N65E)                1.55     1.29     1.48     2.65
11   Gavilan College, Hollister, 1974 (S67W)                    2.84*    2.97*    2.71     8.49      2.8
12   Melendy Ranch Barn, Bear Valley, 1972 (N29W)               1.89*    5.48*    5.16     3.36      >3

* Values which result from relatively flat portions of the response spectra

SEABROOK FRAGILITIES IN ASCENDING ORDER

                                                              Median                          High Confidence
                                                              Acceleration                    Low Prob. of
Structure / Equipment                                         Capacity A, G's   βR    βU      Failure, G's
Reserve Auxiliary Transformers                                0.30              0.25  0.62        .07
Unit Auxiliary Transformers                                   0.30              0.25  0.62        .07
Switchyard                                                    0.40              0.25  0.54        .11
Switchgear                                                    0.41/1.52*        0.32  0.31/0.48   .14/.4
Motor-Driven Emergency Feed Pumps                             0.66              0.40  0.56        .14
Steam-Driven Emergency Feed Pumps                             0.66              0.40  0.56        .14
Spray Additive Tank                                           0.75              0.40  0.32        .23
120V AC Instrument Buses                                      0.75              0.42  0.36        .21
480V Motor Control Centers                                    0.78/ 2*          0.36  0.61        .16
480V Transformers, Buses                                      0.79/ 2*          0.37  0.72        .13
RWST                                                          0.86              0.40  0.33        .26
ROC Heat Exchangers                                           0.99              0.37  0.49        .24
Diesel Fuel Oil Day Tanks                                     1.03              0.39  0.48        .25
RHR Pumps                                                     1.07              0.34  0.65        .21
Safety Injection Pumps                                        1.07              0.34  0.65        .21
Charging Pumps                                                1.07              0.34  0.65        .21
Control Room Evaporator Units (diesel generator building)     1.18              0.16  0.50        .40
Reactor Internals                                             1.50              0.38  0.44        .39
Diesel Generators                                             1.51              0.36  0.35        .47
Steam Generators                                              1.71              0.36  0.39        .50
Service Water Cooling Tower Fans                              1.71              0.41  0.39        .46
Reactor Coolant Pumps                                         1.74              0.35  0.32        .58
Reactor Building Crane                                        1.75              0.25  0.55        .47
MSIVs                                                         1.86              0.41  0.41        .48

FIGURE 4.1-1 [Plot not reproduced. Title: E.U.S. SEISMIC HAZARD CHARACTERIZATION INCLUDING SITE CORRECTION, BEST ESTIMATE FOR THE SEISMICITY EXPERTS, MAINE YANKEE. Source caption: Figure 5.11.2, BEHC per Seismicity Expert Combined Over All Ground Motion Experts. Horizontal axis: ACCELERATION.]


FIGURE 4.1-3 FRACTILE SEISMIC HAZARD CURVES [Plot not reproduced. Curves: 84th, 50th and 16th percentile, for SSPSA RESULTS and for RESULTS WITH MODIFIED ZONATION WEIGHTS. Horizontal axis: PEAK GROUND ACCELERATION (G).]

FIGURE 4.1-4 [Plot not reproduced. Curves: Weston Geophysical Corporation (1982), mb = 0.44 + .67 Io; Electric Power Research Institute (1985); Nuttli-Herrmann (1974). Horizontal axis: INTENSITY.]

FIGURE 4.1-5 FRACTILE SEISMIC HAZARD CURVES [Plot not reproduced. Curves: 84th, 50th and 16th percentile, for SSPSA RESULTS and for a second set labelled "RESULTS W[illegible] B-VALUE - 0.9". Horizontal axis: PEAK GROUND ACCELERATION (G).]

FIGURE 4.1-6 FRACTILE SEISMIC HAZARD CURVES [Plot not reproduced. Curves: 84th, 50th and 16th percentile, for SSPSA RESULTS and for RESULTS WITH MODIFIED ATTENUATION MODEL WEIGHTS. Horizontal axis: PEAK GROUND ACCELERATION (G).]

FIGURE 4.1-7 FRACTILE SEISMIC HAZARD CURVES [Plot not reproduced. Curves: 84th, 50th and 16th percentile, for SSPSA RESULTS and for COMPOSITE MODIFIED RESULTS. Horizontal axis: PEAK GROUND ACCELERATION (G).]

FIGURE 4.1-8 SCALE FACTOR, Fμ, VERSUS DURATION [Plot not reproduced. μ = 4.3; f = 1.8 - 10 Hz. Annotations: Upper Bound of Data, Lower Bound of Data. Horizontal axis: Strong Duration (sec.).]

FIGURE 4.1-9 ELASTIC RESPONSE SPECTRUM SHOWING EFFECT OF FREQUENCY SHIFT ON RESPONSE [Plot not reproduced. Annotation: Range of Frequency Shift. Horizontal axis: frequency.]

FIGURES 4.1-10 through 4.1-21 [Response spectrum plots not reproduced. Labels that recur across the plots: DAMPING 0.070; range of frequency shift for degrading system with μ = 4.3; horizontal axis FREQUENCY (HERTZ); elastic structure frequency, f = 2.14, 3.20, 5.34, 8.54. Record titles as far as they are legible in the scan:]

FIGURE 4.1-10 OLYMPIA
FIGURE 4.1-11 TAFT
FIGURE 4.1-12 EL CENTRO, ARRAY NO. 12
FIGURE 4.1-13 (record title not legible)
FIGURE 4.1-14 PACOIMA DAM
FIGURE 4.1-15 HOLLYWOOD STORAGE
FIGURE 4.1-16 EL CENTRO (remainder of title not legible)
FIGURE 4.1-17 GOLETA
FIGURE 4.1-18 COYOTE LAKE
FIGURE 4.1-19 PARKFIELD
FIGURE 4.1-20 HOLLISTER
FIGURE 4.1-21 MELENDY RANCH

FIGURE 4.1-22 APPROXIMATE ROCK AND FILL CONCRETE CONTOURS UNDER THE REFUELING WATER STORAGE TANK, Ref. Dwg. 9763-F-103232 [Drawing not reproduced.]

A4.2 FIRE EVENTS

4.2-1 (Page 4.2-9) Fire Events / Plant Model

LLNL Comment - We are concerned about the manner in which the fire-induced initiating events are processed through the plant matrix.

Although it is not absolutely clear, it appears that the SSPSA may not have considered the need to avoid multiplying the unavailability of an event that is failed by the external initiator (the fire) by the unavailability of the same event due to failure from internal initiators. If this did occur, the probabilities of the sequences involved would have been incorrectly evaluated and optimistic.

Response - Common cause initiating events, including the fire-induced events, are properly processed through the event tree model. This can be easily confirmed by reviewing the initiating event quantification through the event trees in SSPSA Section 5.4 and observing the sequences that dominate core melt (i.e., Sequences 23 and 24 in SSPSA Table 13.2-12).

A4.3 AIRCRAFT CRASH ANALYSIS (No Comments Requiring Response)

A4.4 INTERNAL FLOODS

4.4-1 (Page 4.4-3) Diesel Flooding

LLNL Comment - A more extensive analysis of diesel flooding would be desirable.

Response - SSPSA Page D.2-42 states that no credible sources of flooding were found. The combination of the low frequency of floods and the finding that none would cause an initiating event (i.e., loss of off-site ac) suggests that the unavailability due to floods is insignificant. The most likely floods that impact ac power (i.e., loss of off-site ac and Switchgear Rooms) are associated with the Turbine Building (SSPSA Section 9.5).

4.4-2 (Page 4.4-4) Cooling Tower Flooding

LLNL Comment - The effects of possible tower floods on nearby buildings should be considered.

Response - The normal water level maintained in the service water cooling tower is approximately elevation 36'-0". The final grading plans for the area around the cooling tower ensure that water runoff would be directed away from the plant, towards the revetment wall and marsh area. In addition to final grading directing water away from the plant structures, the safety related buildings in general have been designed with ground floor elevation above finish grade. Thus, the effects of flooding from cooling tower failure are assumed to be negligible.

4.4-3 (Pages 4.4-1, 4 and 5) Qualitative Evaluation

LLNL Comment - Reference is made to qualitative evaluation and only quantitative evaluation was done for a flood in the Turbine Building.

Response - A quantitative screening was performed of possible floods throughout the plant, similar to the screening for fires (see SSPSA Section 8 and LLNL Section 4.2).

A4.5 EXTERNAL FLOODING

4.5-1 (Pages 4.5-3 and 4) External Flood Frequency

LLNL Comment - The frequency estimates reported are not supported by either a statistical or probabilistic analysis. An ad hoc point-estimate procedure was used. In general, this approach is inappropriate for use in PRAs.

Response - To the contrary, it is accepted practice to screen importance with point estimates, especially using conservative bounding calculations. When these estimates are used in decision making or contribute to the decision making, there is a need to more carefully assess the quantification and include the uncertainty properly. We do not consider this procedure to be "ad hoc" or inappropriate for use in PRAs. This type of thinking assumes there is an infinite resource available to perform PRAs.

A4.6 HAZARDOUS CHEMICALS AND TRANSPORTATION EVENTS (No Comments Requiring Response)

A4.7 WIND EVENTS

4.7-1 (Page 4.7-4) Tornado Frequency

LLNL Comment - Based on a discrepancy, the frequency values in SSPSA Table 9.8-2 are low by a factor of approximately 4.

Response - Based on the information given on Page 4.7-4 of the LLNL Review, we concur that the results given in SSPSA Table 9.8-2 are low by a factor of approximately four. However, as discussed in the next response below, the site-specific study referred to as Reference 5 in the LLNL Review now supersedes the original analysis presented in the SSPSA.

4.7-2 (Pages 4.7-4 and 5) Tornado Missile

LLNL Comment - The number of missiles assumed in the EPRI study are low by a factor of 10 as compared to the missile population at the Seabrook site. It is not clear why the results of Reference 5 were not incorporated in the SSPSA.

Response - Reference 5 was published in September 1983. In-house review, however, was not completed until December 1983. Obviously, even though the SSPSA was published in December 1983, the technical content was developed at an earlier date. Therefore, Reference 5 was not available in the time frame for inclusion in the SSPSA.

We do concur that the site-specific analysis presented in Reference 5 is more representative of the tornado missile risk at the Seabrook site and should take precedence over the original analysis presented in the SSPSA. Based on the site-specific study results, we concur that the failure of a safety-related component due to tornado missile impact is less than 1.0 x 10~ per year.

A4.8 TURBINE MISSILE HAZARD (No Comments Requiring Response)

A5.0 SUMMARY AND CONCLUSIONS

Our responses to LLNL comments in Section 5.0 are given below. In general, the comments made in Section 5.0 were repeated from other sections of the report, so the responses are also referenced to earlier responses.

Documentation

Based on our review of the LLNL Report, we believe that the reviewers had sufficient (and perhaps even too much) documentation rather than not enough. Many of our responses are extracted directly from the SSPSA. It was clear from our examination of the LLNL report that the review was fragmented and that the reviewers were not familiar with the SSPSA. We do agree that we, and our consultant, could have helped the review through training and responses to questions, if circumstances had allowed. Whatever documentation that was missing certainly was not essential to an overall review of the SSPSA. Also, the emergency response guides being developed by the Westinghouse Owners Group were available to NRC, since they were reviewing these documents. This report was written to provide the needed responses. (Also see response to Comment 3 in Section 3.0 of the main report.)

Lack of Cooperation

The LLNL comments about communications with PSNH, and lack of cooperation hindering the review, seem to be inaccurate and overstated, and perhaps reflect a level of frustration. The following should be considered:

o Although the NRC was officially notified by PSNH that it did not plan to extend its contract with PLG to support the review effort, PSNH did indeed support the review effort. PSNH supported the review by hosting a plant visit, providing a simulator demonstration and supplying documentation and written answers to the LLNL questions, apparently too late. (See response to Comment 2 in Section 3.0 of the main report.)

o PLG verbally offered assistance and suggested that LLNL and the staff call them when necessary. In addition, PSNH was available to answer questions by phone. This never happened.

o While the support from PSNH was limited, it appears that the short review schedule, more than anything else, hindered the review. The schedule apparently did not reflect the slower response from PSNH due to limited resources to support this review.

A5.1 PROBLEMS AND OMISSIONS

Section 5.1 of the LLNL report starts with general comments about the SSPSA scrutability and lists 12 specific problem areas. Each of these is responded to below:

Inscrutability

The event trees have proven to be scrutable and highly useful to those of us at PSNH and YAEC who understand the Seabrook design and modularized event tree methodology that was used. To the contrary, with this knowledge, the details and insights are more scrutable than other methodologies with a comparable level of completeness. The added detail results in a risk model that more accurately describes the plant and reduces the need to rely on undocumented, hidden assumptions associated with simplistic models. The presentation of complete sequences is provided in the SSPSA in two places: a simplified description in SSPSA Section 2.0, and a detailed description in SSPSA Section 13. There are more equivalent "cut sets" presented in these tables than normally found in PRAs. When looking at the event trees in the SSPSA, or the lists of dominant sequences provided, it is far easier to visualize sequences than when looking at their counterparts - large-linked fault trees. We agree that without knowledge of the plant, these event trees are difficult to review. That was the purpose of presenting event sequence diagrams. (Also, see response to Comment 3 in Section 3.0 of the main report.)

Examples

Twelve items were listed in the LLNL report as examples of problems. The responses to these demonstrate the reviewers were unfamiliar with Seabrook design, the overall SSPSA and the methodology. Each of the twelve items is responded to below with an overview response and by referencing responses to related comments in this Appendix:

1. In the opinion of Professor Rasmussen and ourselves, the analysis and documentation of initiating events represents a major strength of the SSPSA. Loss of a single vital 120 V ac bus and a single primary component cooling water train do not cause a plant trip at Seabrook Station. Loss of a single service water train was considered, qualitatively evaluated, and determined to be a negligible risk contributor in comparison with service water states already modeled, e.g., unavailability of a single service water train after a general transient event. The validity of the SSPSA is unaffected by this comment.

Related Responses in This Report

3.1-3, 3.1-4, 3.1-7, 3.1-8

2. For each separate class of initiators in the SSPSA (58), a different event tree quantification was performed to reflect real physical differences in plant response. Although a more general grouping is possible, the equivalent of the results of these different quantifications would have to be provided to justify such a simplification. Many of the specific recommendations made by the reviewers for grouping (e.g., steam line break inside and outside the containment) indicate a lack of appreciation of the difference between a Level I and a Level III PRA. Extra separation of initiating events and extra detail in the event trees is needed to define appropriate plant damage states for the core melt sequences. Without this detail, very important dependencies between the plant event trees and the containment event trees cannot be properly taken into account.

Related Responses in This Report

3.1-1, 3.1-6, 3.0-1, 3.0-2

3. The total frequency of small LOCAs that the reviewers suggested to be included in the analysis was, in fact, included in the analysis. 50% of the isolable small LOCAs were assigned to the small LOCA initiators, and the remaining 50% were analyzed as transient initiators. The 50% probability of isolation is viewed by us as conservative. In addition, the RCP seal LOCAs that the reviewers referred to as being misapplied to the isolable LOCA category were extensively modeled explicitly in the SSPSA.

Related Response in This Report

3.1-5

4. In our opinion, the SSPSA text in Section 5.3 and Appendix D and their references adequately document the event trees and success criteria. Professor Rasmussen, by contrast, noted that the SSPSA was the best documented PRA he had seen.

Related Response in This Report

3.3-1

5., 6. As noted above, it is clear from the specific examples given that the reviewers failed to consider the difference between a Level I and Level III PRA. These differences justified much of the added complexity, and a more thorough treatment of dependent events justifies the remainder. There was actually more information presented on risk contributors in the SSPSA than in the other PRAs they cited as better examples. We have been able to develop very good engineering insights from the results. We did not ask PLG to fully document these insights in the SSPSA report.

Related Responses in This Report

1.1-1, 3.0-1, 3.2-1, 3.2-3, 3.2-5, 3.2-6, 3.2-7, 3.2-8, 3.2-9

7. In our opinion, the treatment of operator actions such as these and all [illegible] are generally realistic and, in some cases, conservative.

Related Response in This Report 3.2-10

8. In responding to the specific points raised by the reviewers, we did not identify a single example where the SSPSA models were incorrect. Plant operations staff at Seabrook Station reviewed the event sequence diagrams for these events and concurred with the appropriateness of the SSPSA models. By contrast, we found in most cases the reviewers' understanding of these events and how they were modeled to be seriously flawed.

Related Responses in This Report 3.2-7 through 3.2-37 3.3-5 3.3-9 through 3.3-11

9. The SSPSA treatment of RCP seal LOCA, which is not as conservative as the standard 300 gpm per pump at 30 minutes assumption used in earlier PRAs, was realistic, adequately documented, and represented the best understanding of the component supplied by Westinghouse Electric Corporation, at the time the SSPSA was performed. Even so, the seals were not assumed to remain intact; the time of irrecoverable failure was moved from 30 minutes to almost 14 hours. More recent analyses and tests (letter from L. D. Butterfield, Chairman Westinghouse Owners Group to Mr. Harold Denton, USNRC on December 30, 1985, OG-170, Subject: Reactor Coolant Pump Seal Integrity Issue) indicated that the SSPSA treatment is either very realistic or possibly even conservative.

Related Responses in This Report 3.2-38 3.2-39 3.5-22 3.5-24 3.9-11 3.9-15

10. The human factors analysis was conscientiously documented in the SSPSA; however, we agree that the large degree of subjectivity associated with the current state-of-the-art in this area makes it difficult to verify and reproduce the quantification. However, the quantification is consistent with the confusion matrix evaluation and the limited data that were available. The human factors analysis also reflects a good understanding of how the plant works, how the operators think and how they have been trained to cope with abnormal events.

Related Responses in This Report 3.5-1 through 3.5-27

11. Errors of commission were fully considered in the plant simulator exercise that was performed in support of the PRA and none were identified as significant.

Related Response in This Report 3.5-1

12. We strongly feel that any methodology competently applied requires the analyst to know certain critical factors, such as interdependencies between components, systems, and operators as a prerequisite to the development of a valid plant model. The analyst cannot model dependencies he is unaware of. It does not matter whether he incorporates them into event trees or fault trees. Both methodologies rely on having to guide the analyst to ask the right question - the difference is that different diagrams are used to help provide this guidance. This comment is indicative of the general lack of understanding of the SSPSA methodology on the part of the reviewers.


Related Responses in This Report 3.0-1 3.2-1 1.1-1 1.1-2 3.4-1 3.4-2

A5.2 TREATMENT OF UNCERTAINTY

Section 5.2 of the LLNL report includes a fairly complete and accurate summary of how and what uncertainties were quantified in the SSPSA.

There were two comments or findings made on this topic: (1) that the SSPSA did not consider modeling uncertainties to be important and did not include them in the quantification; and (2) that much more should have been done in the area of performing sensitivity analyses, in part, to address completeness.

Modeling Uncertainties

A limited amount of modeling uncertainty quantification was incorporated into the overall uncertainty quantification process in the SSPSA. Examples are: the use of different source term modeling assumptions in the quantification of source term uncertainties and different consequence modeling assumptions evaluated in the CRACIT consequence code. In general, however, only a single model was used for each part of the overall risk model. It is agreed that more could be done to quantify the effects of modeling assumptions, but the ability to accomplish this is severely limited by the current state-of-the-art.

Sensitivity Analysis

It is agreed that appropriately focused sensitivity analyses can provide useful insights. While we did not emphasize the performance of sensitivity calculation in setting the objectives of the SSPSA report, we have planned all along that our ongoing risk management program would utilize this approach as one tool to enhance our perceptions of risk sensitive factors at the site. In fact, extensive sensitivity calculations have been performed more recently in support of our technical specification optimization effort and other risk management activities. On the other hand, we find, of marginal value, unfocused sensitivity calculations that quantify the partial derivatives of every risk factor to every conceivable change to the risk model.

A5.3 OVERALL EVALUATION OF SSPSA

LLNL overall conclusions are listed below with our responses:

o Conclusion - Risks described in the SSPSA are low.

Response - We agree.

o Conclusion - Large number of accident sequences contribute to core melt.

Response - We agree.

o Conclusion - V-sequence accident totally dominates early fatality risk.

Response - We agree with results given in the SSPSA. This analysis was known to be conservative, and additional analysis is being done to more realistically model this event.

o Conclusion - External events are not important risk contributors.

Response - We disagree. As shown on SSPSA Page 13.2-49, seismic sequences are important in plant damage states 1F, 3D, 3F, 3FP, and 7FP; fires and floods are important in plant damage states 7D and 8D. External events are not dominant, but are important risk contributors.

o Conclusion - The most important initiating event to core melt is loss of off-site power.

Response - We agree.

o Conclusion - Dominant sequences generally appear to be reasonable (although conservative) in a quantitative sense.

Response - We agree. Conservatism is an inherent part of PRAs because of limitations in data, and resources are not unlimited. This is acceptable, if documents are properly used and the analysis is properly used.

o Conclusion - Significant differences in operator actions/errors, differences in success criteria, and use of less complex event trees are believed likely to provide different quantitative results and, therefore, different insights.

Response - We agree that, if different modeling assumptions were made and simplistic event trees were used, the results and insights would be different. However, based on our review of LLNL comments, we see no basis for substantially changing any modeling assumptions. In addition, we believe that the more complex event trees allow for more realistic plant modeling and, thus, deeper insights into the risk from operating Seabrook. Future simplification will be considered only after careful consideration of its impact on all risk measures.
