IR 05000333/2020012

Engineering

Changes

631895

JAF Technical Evaluation to Support Availability of HPCI

System due to Oil Leak in PCV-12

October 27,

20

Miscellaneous

Exelon Generation Company, LLC Quality Assurance

Program Manual

Miscellaneous

Vendor Report

006N1092

HPCI Control Valve Leakage Evaluation, GEH

DD233A3600P001

Procedures

AOP-10

Loss of Service Water Cooling

Procedures

AOP-11

Loss of Reactor Building Closed Loop Cooling

Procedures

Loss of 10500 Bus

Procedures

Loss of 10600 Bus

Procedures

Loss of Condenser Vacuum

Procedures

ARP 09-3-3-35

HPCI TURB BRG OIL PRESS LO

Procedures

RPV Control

Procedures

Isolation / Interlock Overrides

Procedures

MP-023.15

HPCI Lube Oil Balancing

Procedures

MP-101.11

HPCI Turbine and Pump Lubrication System

Procedures

NO-AA-10

Quality Assurance Topical Manual

High Pressure Coolant Injection

Procedures

OP-15

66A

Procedures

OP-25

Control Rod Drive Hydraulic System

Procedures

OP-37

Containment Atmosphere Dilution System

Procedures

OP-JF-103-102-

1002

Strategies for Successful Transient Mitigation at JAF

Procedures

Warehouse Operations

Procedures

Warehouse Operations

Procedures

Warehouse Operations

Procedures

HPCI Monthly Operability Test

Procedures

ST-4N

HPCI Quick Start and Flow Rate IST

Work Orders

04973475

ST-4N HPCI Quick Start and Flow Rate IST

December

10, 2019

Work Orders

04989094

ST-4N HPCI Quick Start and Flow Rate IST

March 4,

20

Inspection

Procedure

Type

Designation

Description or Title

Revision or

Date

Work Orders

04997650

ST-4B HPCI Monthly Operability Test

February 12,

20

Work Orders

2700213

PM - Replace Valve Operator Diaphragm

November

17, 2017

Calculations

JAF-CALC-PC-

03044

Torus Air and Water Volume for EOP Support Calculations

Calculations

JAF-CALC-PC-

03322

Suppression Pool Temperature during a Small Break

Accident

Corrective

Action

Documents

01086768

(Limerick) - Limerick OPEX Review of GE Part 21 SC 10-09

Corrective

Action

Documents

04334315

HPCI Oil Leak from 23PCV-12

Corrective

Action

Documents

04346516

Proper Controls Were Note implemented on Q1 Cat ID in

2017

Drawings

FM-18A

Drywell Inerting (CAD) and Purge System System 27

Drawings

FM-25

Flow Diagram - HPCI Lube Oil System 23

Engineering

Evaluations

284-0063-RPT-

001

Independent Review of PCV-12 Oil Leak in JAF HPCI

System

Miscellaneous

Beck, S.B.M.,

Bagshaw, N.M

and Yates, J.R.,

Explicit Equations

for Leak Rates

Through Narrow

Cracks,

International

Journal of

Pressure Vessels

and Piping, 82(7).

pp. 565-570

2005

Miscellaneous

Browns Ferry

Inspection

Procedure

Type

Designation

Description or Title

Revision or

Date

LERs 2009004,

2007001,

2012006

Miscellaneous

Brunswick LERs

2003-004, 2004-

2, 2006-001

Miscellaneous

Cooper LER

2005001

Miscellaneous

Duane Arnold

LERs 2018003,

2019001

Miscellaneous

FitzPatrick LERs

2003001,

2005005

Miscellaneous

Hatch LER

2008004

Miscellaneous

Hope Creek LER

2004010

Miscellaneous

JAF Drywell

Pressure Plot

January 1,

2019 -

January 1,

20

Miscellaneous

JAF FSAR, Final

Safety Analysis

Report

Miscellaneous

JAF HPCI Oil

Leak Presentation

October 23,

20

Miscellaneous

JAF HPCI

Quarterly Run PI

Traces

March 4,

20

Miscellaneous

JAF HPCI

Surveillance

History (Excel

Spreadsheet)

December

16, 2017 -

April 10,

20

Inspection

Procedure

Type

Designation

Description or Title

Revision or

Date

Miscellaneous

JAF IR Leakage

Identification

Template,

10/23/2020

Miscellaneous

JAF Power

History Summary

December

2017 - April

20

Miscellaneous

JAF Reactor

Level

Instrumentation

Setpoint

Summary

Miscellaneous

JAF Suppression

Pool Pressure

Plot

January 1,

2019 -

January 1,

20

Miscellaneous

JAF TS,

Technical

Specification

24

Miscellaneous

JAF-RPT-05-

00047, Mitigating

System

Performance

Index Basis

Document

Miscellaneous

JAF-RPT-MISC-

211, JAF

Individual Plant

Examination of

External Events

June 1996

Miscellaneous

JF-PRA-021.11

JF FPRA Summary and Quantification Notebook

Miscellaneous

JF-SDP-002

HPCI INOP, dated 11/13/2020

Miscellaneous

LaSalle County

Station, Unit 2-

LER 2017-003-01

July 3, 2018

Inspection

Procedure

Type

Designation

Description or Title

Revision or

Date

Transmittal of the

Final LaSalle

County Station,

Unit 2, Accident

Sequence

Precursor Report

(ML18157A263)

Miscellaneous

Limerick LERs

2007003,

2013001

Miscellaneous

MFN 10-192

GE-Hitachi Part 21 Reportable Condition Notification: Failure

of HPCI Turbine Overspeed Reset Control Valve Diaphragm

July 1, 2010

Miscellaneous

Mobil DTE-700

Series Oil

Specification

2019

Miscellaneous

Monticello LERs

2008005,

2015006

Miscellaneous

NUREG-1953

Confirmatory Thermal-Hydraulic Analysis to Support Specific

Success Criteria in the Standard Plant Analysis Risk Models

- Surry and Peach Bottom, including Errata

September

2011

Miscellaneous

NUREG/CR-6883

The SPAR-H Human Reliability Analysis Method

August 2005

Miscellaneous

Perry LERs

2014004,

2014005

Miscellaneous

PO 00637326,

Purchase Order

for Valve, Control

for HPCI Turbine,

with 2-Ply BUNA-

N

December

15, 2020

Miscellaneous

Susquehanna

LER 2010003

Miscellaneous

TR-105874 /

November

Inspection

Procedure

Type

Designation

Description or Title

Revision or

Date

016909-R1, EPRI

Terry Turbine

Maintenance

Guide, HPCI

Application

2002

Miscellaneous

USNRC

FitzPatrick SPAR

Model

Version 8.59

Procedures

AOP-1

Reactor Scram

Procedures

INL/EXT-10-

18533

SPAR-H Step-by-Step Guidance

Procedures

JF-PRA-004

Human Reliability Analysis (HRA)

Procedures

JF-PRA-012

Internal Flooding Analysis Notebook

Procedures

JF-PRA-013

PRA Summary Report 13515

Procedures

JF-PRA-014

Quantification Notebook 13516

Work Orders

04989099

ST-4B HPCI Monthly Operability Test

01/08/2020

ATTACHMENT: HPCI OIL PCV FAILURE DETAILED RISK EVALUATION

CONCLUSION

The total increase in core damage frequency (CDF) for the performance deficiency was

estimated to be Preliminary White, a finding of low to moderate safety significance. Based on

an initial best estimate considering the effect of the degraded condition on the high pressure

coolant injection (HPCI) system, and assumed exposure time, the change in CDF was

determined to be a nominal 3E-6/yr. This reflected the lower end of various sensitivity analyses

performed for the issue.

SYSTEM BACKGROUND

The HPCI system is a safety-related emergency core cooling system (ECCS) actuated by either

a low-low reactor water level (Level 2) or a high drywell (DW) pressure (2.7 psig). Its rated flow

capacity is 4,250 gpm. Initially, the system operates in an open loop mode, taking suction from

the condensate storage tank (CST), and injecting water into the reactor pressure vessel (RPV)

via one of the main feedwater lines. When the level in the CST reaches a low-level setpoint, the

HPCI pump suction is aligned to the suppression pool. To maintain reactor pressure vessel

level after the initial recovery, the HPCI system can be reduced via automatic flow control or

placed in manual control, which involves controlling turbine speed to control level while

maintaining turbine minimum revolutions per minute requirements. This could involve cycling

the injection motor-operated valve (MOV) with test return valves open, or complete HPCI stop-

start cycles. The HPCI system is designed to automatically start and stop to maintain reactor

pressure vessel level from low-level actuation (Level 2, 126.5 inches) to High-level trip (Level 8,

2.5 inches). The HPCI system can also be used manually to help control reactor pressure

following a transient. In this mode, the turbine-driven pump is operated manually with the

injection valve closed and the full-flow test line motor operated valves open. Turbine operation

with the injection line isolated and the test line open allows the turbine to draw steam from the

reactor pressure vessel, thereby reducing reactor pressure. If suction is from the torus instead

of the CST or an initiation signal is present, this full flow test line is interlocked closed and only

the injection mode is available. As noted above, operation of the system in the pressure control

mode may also occur with intermittent injection of coolant to the reactor pressure vessel. As

steam is being drawn off the reactor pressure vessel, the reactor pressure vessel water

inventory is reduced, resulting in the need for level restoration. When level restoration is

required, the injection valve is opened and the test line MOV is throttled closed. Upon

restoration of reactor pressure vessel water inventory, the system is returned to the pressure

control line-up. This is also referred as batch-addition. This cycling between injection and

pressure control can be repeated as necessary. FitzPatrick has established their design basis

mission time as 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months based on CST reserve capacity.

The reactor core isolation cooling (RCIC) system is another high pressure injection system

which is actuated, similar to HPCI, on lower reactor water level (Level 2). Its rated flow capacity

is 400 gpm. For non loss-of-coolant events it is the preferred system during reactor isolation

conditions to maintain reactor pressure vessel level, as HPCIs capacity is oversized for events

simply requiring decay heat and controlled depressurization makeup. For the non-loss of

coolant accident events, probabilistic risk assessment standard mission times are 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and

this is consistent with the Fitzpatrick Mitigating Systems Performance Index document. For

postulated events requiring injection, the control room operator would manually initiate the

system, or the systems would automatically start at the predetermined low-low reactor water

level setpoint. They inject at their design flowrates until operators diagnose the need for

injection to maintain adequate level and then take action to control level below a high level

(Level 8) trip setpoint.

Control rod drive (CRD) system pumps are also capable of high pressure injection. Normally

one pump is operating and the other is in standby. In this evaluation, early control rod drive

credit is applied for some events based on the availability of two control rod drive pumps.

However, the CST suction source has approximately 122,000 gpm above the control rod drive

suction piping which does not support the probabilistic risk assessment mission time.

Therefore, there must be a method for makeup to the CST to keep the control rod drive suction

requirements satisfied. This was a source of uncertainty because, for the various events,

different methods of addition are not available. This credit was not applied to loss of coolant

accident (LOCA) events based on reactor decay heat and timing of control rod drive

effectiveness. Early control rod drive also was not applied to loss of AC bus and loss of direct

current (DC) bus that would affect availably of two control rod drive trains. The base case also

did not credit this for loss of offsite power (LOOP) events, or loss of instrument air events where

makeup from the demineralized water storage tank could be challenged.

ISSUE BACKGROUND

2010 10 CFR Part 21

On July 1, 2010, Exelon was notified of a defective part when a vendor issued MFN 10-192

(ML101820160), Part 21 Reportable Condition Notification: Failure of HPCI Turbine Overspeed

Reset Control Valve Diaphragm. The Part 21 identified a vulnerability associated with the

HPCI system oil pressure control valve (PCV) actuator diaphragm due to a manufacturing error

that resulted in inadequate fabric reinforcement embedded in the diaphragm Buna-N rubber

material. The Buna-N rubber material was designed to have two layers of Dacron reinforcement

fabric over all pressure bearing surface areas of the diaphragm. Defective diaphragms had

either 1-ply or no fabric reinforcement. The fabric reinforcement is critical to ensure durability,

reliability, and prevent tearing of the diaphragm when used in the HPCI turbine lube oil system

as turbine trip and reset valves. The failure of the HPCI turbine-speed reset control valves

diaphragm results in a loss of HPCI turbine lube and control oil through the failed diaphragm.

Depending on the amount of oil lost and system demands, this oil loss could result in a failure of

the HPCI system.

The original defect occurred in the 2009 timeframe and the vendor became aware of this defect

after an estimated 0.25-0.5 gpm HPCI diaphragm oil leak was experienced by Browns Ferry

Unit 1 and reported to the NRC via Event Notification 45227 on July 24, 2009, and LER 05-259/

2009-004. The Browns Ferry Unit 1 diaphragm had been installed in the HPCI system PCV for

years and 8 months before failure. The vendor reported the aforementioned 10 CFR Part 21

notification on July 1, 2010.

FitzPatrick HPCI PCV (23PCV-12) History

As documented in purchase order 637326 on December 16, 2017, FitzPatrick accepted the

HPCI PCV (Valve, Control, For HPCI Turbine, With 2-Ply BUNA-N Diaphragm) assembly with

a Q product quality certification from Limerick Generating Station. The valve assembly had

been shelved 9 of its 10 allowed years. The PCV was installed and tested at FitzPatrick on

December 17, 2017. There were two instances of HPCI oil leaks (i.e. December 2017 and

November 2018, IR 04194946). There was no other history of oil leaking from the PCV until its

diaphragm failure on April 10, 2020. The analyst noted there has been less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of

HPCI runtime or less than the 24-hour mission time assumed for some events, since

installation. The last successful test was on March 4, 2020 (38 days from failure). The previous

HPCI turbine test prior to that date was December 10, 2019 (122 days from failure). There was

also a previous cycle of the PCV 59 days earlier during a similar monthly HPCI system test

using the auxiliary oil pump.

FitzPatrick HPCI Oil Leak on April 10, 2020

Exelon performs a monthly surveillance test, which in part, starts and stops the auxiliary oil

pump to evaluate the operation of the HPCI stop valve and control valve motion, without running

the turbine. As documented in FitzPatrick issue report 04334315, during performance of ST4B

HPCI Monthly Operability Test on April 10, 2020 at 0111, the auxiliary oil pump was started,

and during observation of the HPCI stop and control valve motion, a large leak was identified

and documented by the field operator from the HPCI trip system PCV (23PCV12). Operators

were not able to definitively quantify the initial leak. During a second run of the auxiliary oil

pump, operators estimated the leak to be 1.3 gpm. The pump was secured after approximately

a 1-minute runtime based on HOV-1/2 position switch position computer data. Plant operations

subsequently restarted the auxiliary oil pump (at 0300) after discussions with shift management

to attempt to more accurately quantify the leak rate. During this second auxiliary oil pump start,

the leakage was noted to be much larger resulting in the need to secure the pump in

approximately 30 seconds. Approximately 2.5 liters of oil were collected. This equates to

approximately 1.3 gpm.

The NRC analysts considered the initial leak rate estimate to be highly subjective and a source

of high uncertainty. This is based on the unpreparedness for seeing a sizable leak (was

documented as a large leak by the operator) with no quantification tools to measure it and

limited pump run time to ensure it had even stabilized. Additionally, the analysts noted that this

leak was identified with the auxiliary oil pump running which initially controls pressure at a

nominal 85 psig. During a normal HPCI turbine start-up, a shaft driven oil pump (SDOP)

provides oil pressure once the turbine is up and running. The SDOP provides a design

pressure of 110 psig and takes over for the auxiliary oil pump once the HPCI turbine starts

running. There is another PCV upstream (PCV-112) which will attempt to respond to this surge

in pressure and try to maintain control oil pressure at 38 psig downstream. However, it would

be expected that there would be some response time involved such that the initial pressure

surge from the shaft driven oil pump or stress on the diaphragm may have been higher as the

diaphragm would feel this increased pressure and stress. This simply increases the uncertainty

of the quantification of the leak rate due to the potential of additional stress on the diaphragm

and effect on the tear during an actual event where the turbine would start. The inspectors

determined during interviews that the initial leak rate was estimated by licensee staff from

0.06 gpm to 0.25 gpm. The inspectors also determined that operations staff characterized the

leak from minor to a large leak, further indicative of the uncertainty with the leak rate.

Additionally, the analysts concluded the second leak rate may be underestimated due to

quantifying it based on timing before pressurization (i.e. takes some time to pressurize the line

when the pump is started) and is another source of uncertainty. Factoring in pressurization time

may increase the 2nd leak into the 1.7 to 1.8 gpm range.

For all the reasons above, the analysts considered the first leak rate identified to be highly

uncertain and subjective, with the second leak rate to be a more accurate representation given it

was quantified. FitzPatrick replaced 23PCV-12 and restored HPCI to service at 2015 the same

day (April 10, 2020). This issue was reported to the NRC via Event Notification 54657 on

April 10, 2020, and LER 05-333/2020-003.

Licensee Cause Determination

The Initial valve disassembly was conducted by Exelon onsite and identified a damaged Teflon

O-ring seal within the valve bonnet. Initial evaluations focused on this area. FitzPatrick and

subsequent Exelon Power Labs evaluations focused on this damage concluding that it was the

apparent cause of the leakage (Exelon Power Labs report JAF-38488, dated April 28, 2020).

The analysts were aware of Exelons focus on the bonnet, stem, and bellows areas of the valve

because there was apparent video evidence of the leak (2nd leak quantification) indicating the

fault was in these valve part areas. Exelon requested support from the vendor to aid in the

evaluation. The vendor determined that neither the Teflon O-ring nor the bellows assembly was

the cause of the leak due to proper inference fit and bellows integrity. The vendor identified the

diaphragm on top of the valve to be the next likely source. Subsequently, further vendor

evaluation identified a diaphragm tear approximately 1 centimeter (cm) long along the

circumferential crest of maximum flexure. The vendor documented the area of the tear lacked

any fabric reinforcement, and since it was originally procured in 2008, it was susceptible to the

defect in the aforementioned 10 CFR Part 21. The vendor evaluation concluded that the tear in

the diaphragm occurred as a result of low-cycle fatigue (exacerbated by the edge of the

diaphragm case and valve yoke) from the operation or cycling of the valve. The vendor

concluded that significant tear extension with associated leakage growth would not have been

expected to occur between cycles if the valve was retained in the open position through the

systems operating mission time.

The analysts considered the PCVs integrity and stabilization of the leak rate to be a source of

uncertainty considering the diaphragm was a defective non-conforming component and had

significantly degraded (> 1.3 gpm leak rate) after one oil pressure cycle. As noted, the leak

rates were evaluated under static conditions without potential resonance vibration effects such

as turbine speed changes during operational conditions, or the potential for higher stress at

turbine startup as the shaft driven oil pump takes over. Most significantly, Exelons leak rate

initially had not considered the effect of actual turbine operation with respect to the heat-up of

the oil and increased leakage due to the kinematic viscosity changes.

Analyst Assessment of Leak Rate and Effect on HPCI Operations

A defective component was installed into a safety-related system for over a 2-year period. The

analysts considered the PCVs integrity and the licensees assumption of stabilization of the leak

rate to be a source of uncertainty considering the diaphragm was a defective non-conforming

component and had significantly degraded (> 1.3 gpm leak rate) after one oil pressure cycle.

As discussed, the analysts noted the leak rates were evaluated under static conditions without

potential resonance vibration effects such as turbine speed changes during operational

conditions, or the potential for slightly higher stress at startup as the SDOP takes over with

higher pressure requiring the main oil PCV to respond to maintain a nominal 38 psig. Most

significantly, Exelons evaluation of the leak rate had not considered the effect of actual turbine

operation with respect to the heat-up of the oil and increased leakage due to viscosity changes.

Additionally, the analysts noted that the defective diaphragm is located in a stagnant area of the

oil system and is not continuously cooled by the system lube oil heat exchanger. Therefore, the

analysts concluded Exelons initial documented determination that a 0.1 gpm leak rate would

have supported their stated HPCI 10-hour mission time to be technically flawed with high

uncertainty.

The analysts also considered that Exelons operational assumption that once the system is

started for all events, it would never be secured for any reason throughout all mission times,

was not supported by historical probabilistic data or industry operating experience. Based on

prior operating experience, such as review of licensee event reports (LERs) for the industry and

the Fitzpatrick station, it is not unreasonable for HPCI to start and stop for at least one cycle

after initiation, with the possibility of multiple HPCI start/stop cycles in response to evaluated

events. Historical repetitive trips on high level (Level 8) have been addressed through

procedure changes to give the ability to defeat this trip as post initiating event operator actions.

Notwithstanding this, throughout the industry there have been numerous system trips on failure

to control level early in an event, resulting in a trip on initial high level. In at least 50 percent of

LERs reviewed since 2003 where HPCI automatically started, HPCI was noted to have been

secured either through a trip on high level or because RCIC started successfully and therefore

HPCI was secured. The analysts noted in this case once HPCI system would be tripped with

this degraded condition of the PCV diaphragm, a severe leak would have developed, allowing

only a nominal 20 to 25 minutes of run time before loss of suction to the oil pumps. This would

have also resulted in an eventual trip of HPCI from low oil pressure and subsequent stop and

control valve closure with the auxiliary oil pump cavitating (operating with no oil suction).

Because the oil leak rate and exposure time of the degraded condition is potentially impacted by

the cycles of the system, and in this case one cycle would result in a significant leak rate after

temperature affects are considered, a probabilistic assessment with respect to an initial trip of

the system was performed. This provided a probabilistic weighted estimate of the leak rate for

this condition. The highly uncertain initial leak rate was used along with the second quantified

leak rate, which represented the rate after the probability that one cycle of PCV operation could

occur early. This was used to assess how long the system may be able to run before adversely

impacting the shaft driven and auxiliary oil pumps resulting in a failure to support continued

operation of the system. This primarily was used to inform an assessment on whether the

ability to recover the system should be considered (sensitivity) given the magnitude of leak rate,

considering the existing design of the oil system including potential cues relative to the

degraded condition. It should be noted there is some non-conservatism with this method,

because as noted, the HPCI system could be secured early if RCIC had a successful start. This

probability is much higher than a computed probabilistic early trip on high water level. This

sometimes would be associated with RCIC failure to run events, which are the dominant

contributors to core damage sequences within the NRC SPAR model. However, if RCIC

successfully starts and runs for a few minutes or less than an hour, it is typically considered a

failure to start on demand per discussions with Idaho National Labs data collection experts.

The analysts calculated a failure probability-weighted effective leak rate bounded by the lower

and upper leak rate estimates to gauge the effective time available for HPCI to perform its PRA

function. However, the cues to respond to this HPCI leak are identifying the leak while

monitoring HPCI oil level at the sight-glass (OP-15, Section E.2) or the main control room

annunciator for HPCI turbine bearing low oil pressure (ARP 09-3-3-35). Given the hydraulic

design of the system the upstream PCV-112 would likely mask this alarm, responding to even a

large leak by opening up to maintain pressure downstream to where this alarm comes off. The

spectrum of operator response can be bounded by these cues and upper/lower leak rates. At a

low leak rate (~0.3 gpm at 124F) the oil leak may be recognized if an operator walkdown occurs

early. Any change in HPCI operation that instigates the large leak rate (~4 gpm at 124F) would

not afford any time to mitigate it, and the alarm mentioned above may not alarm due to the

design of the hydraulics, giving no timely cue for diagnosis. There is no low oil level alarm

associated with the tank at FitzPatrick, and the bearing supply would likely be maintained until

failure of the shaft driven oil pump then auxiliary oil pump to maintain pressure due to total

suction loss.

INFLUENTIAL ASSUMPTIONS

This review consisted of determining the best estimate risk increase for the internal and external

postulated events for FitzPatrick. This required various key assumptions for this determination

including the following:

The degraded condition of the defective diaphragm and its ability to perform its function

under various HPCI system demands and operational modes is a source of high uncertainty.

The analysts evaluated the initial assumed leak rate and the subsequent quantified leak rate

and determined that temperature effects alone would not support the mission time for events

where HPCI is credited. Therefore, an analytical best-estimate probabilistic weighted-

average was used due to the high uncertainty with the initial unquantified leak rate to try to

provide some approximation of what the original leak rate may be in response to events.

A failure of the PCV diaphragm can have a significant impact on oil inventory and this would

result in required sump level not being maintained. Oil loss that results in a sump level of

8.5 from the top (approximate 63-gallon loss) would result in vortexing, cavitation, and loss

of suction to both the SDOP and auxiliary oil pump as noted in the vendor manual. The loss

of suction to the oil pumps would result in a trip of the system Stop Valve and Control valves

(internal gear pump loses suction pressure). Additionally, the auxiliary oil pump would

continue to run with inadequate suction resulting in a pump continuing to run while cavitating

as there is no automatic trip to protect this pump. It is uncertain if damage could occur to this

pump as well as a system trip. The oil loss condition was modeled as a HPCI failure to run

(FTR) with basic event, HCI-TDP-FR-TRAIN, set to TRUE.

The analytical probabilistic weighted oil leak and time to failure was assessed against

system design, such as the lack of oil sump low level alarms, existing makeup procedures

and their adequacy to address the size of the calculated oil leak, along with timing

considerations, to determine that this condition would not be recoverable. Therefore, basic

event, HCI-XHE-XL-FR, fail to recover HPCI failure to run, remained set to TRUE in the

SPAR model. However, sensitivity evaluations were performed to assess the effect of HPCI

recovery. There would be no alarm cues based on this condition until total loss of pump

head and cavitation. The analysts also noted that if the pumps lost suction head, this would

also lead to difficulty in even determining where a leak was coming from as no oil pressure

would be present in the system for continued leakage out of the PCV with up to 63 gallons

of oil present in the skid area.

Multiple HPCI starts/stops are possible during a 24-hour mission even with operators

manually controlling HPCI flow, given certain postulated events and potential scenarios,

including where pressure control mode is not available. Certain events could result in high

DW pressure and may result in cycling the system on and off to control reactor vessel water

level within the emergency operating procedure level band. Therefore, this was evaluated in

the condition case for postulated events, along with sensitivity analyses to increase

exposure time for this condition, as the assumption is that HPCI start/stop cycles degrade

the defective PCV diaphragm. It should be noted, the SPAR model does not credit the

HPCI pressure control mode or credit DW cooling for prevention of the loss of the pressure

control mode. The Fitzpatrick PRA model also does not credit these functions.

Early control rod drive high pressure injection credit was determined to be available and

credited in the risk assessment, except for LOCA type events, LOOP, loss of instrument air,

loss of AC or DC busses and the dominant fire area events. This was modeled by using a

surrogate FTR probability for RCIC (3.01E-2/year) and HPCI to represent early control rod

drive support for the applicable events. This resulted in an almost order of magnitude

reduction in the failure to run events.

Exposure Time Determination

As noted within the assumptions, RASP Handbook Volume I - Internal Events Appendix A gives

guidance that the failure duration should be based on the nature of the failure. For this

degraded condition, modeling the exposure time as a 24-hour runtime estimate may not be

appropriate given the uncertainties with the assumption that the degradation mechanism is

directly proportional to the run time of the turbine. Therefore, the conclusion that the number of

cycles affects the failure mode was taken into consideration in determining an exposure time

which best represents the length of time that the HPCI system would have been unavailable to

perform its mitigating function.

The exposure time is a source of uncertainty. The base case exposure time for a few of the

postulated events was set to 59 days (February 12 - April 10, 2020, plus repair time). This is

based on having a 2-cycle margin for HPCI operation (i.e. HPCI PCV demonstrated two

start/stop cycles without leaking or failure during the March test). Some events do not require

this margin and were set to 38 days (see Table 3). Several sensitivity evaluations were

performed to vary the exposure time. The front-stop exposure time (sensitivity) is determined to

be 38 days (since last successful monthly test plus repair time), based on RASP Volume I

handbook Section 2.3 since the PCV was a replacement part that passed initial operational

tests. However, using Section 2.3 may not be the best representation because it does not

account for the number of cycles the PCV may encounter which contribute to the nature of the

failure. Section 2.5, Exposure Time for Component Run Failures, is also relevant due to the

low-cycle fatigue degradation mechanism. The appropriate exposure time is based on RASP

Handbook Volume I, Appendix A as stated above. This states that the failure duration should

be based on the nature of the failure, which in this case is the number of cycles the PCV may

experience during postulated events. Therefore, this is the appropriate consideration for

exposure time and would indicate events where HPCI could be started and stopped more than a

few times result in a longer exposure time than 38 days. For events resulting in high DW

pressure, the number of cycles of HPCI required to respond to an event would be the

influencing factor for the exposure time. Considering the degraded condition and HPCI

start/stop cycles anticipated for various events and margin available (based on surveillance test

history), a 123-day exposure time (sensitivity) was also assessed. This is based on having a 4-

cycle margin for HPCI operation (i.e. HPCI PCV demonstrated four start/stop cycles without

leaking or failure). A maximum 1-year exposure time was assessed in a sensitivity review since

HPCI had not accumulated 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of runtime (only approximately 10 1/4 hours in the past 12

months) since the PCV installation in 2017. All reasonable sensitivity cases (i.e. less than one

year) confirm a preliminary White risk assessment.

For most events this would be from the last time the HPCI test was performed 38 days earlier.

However, the analysts noted potential considerations which would support increased exposure

time for certain scenarios such as loss of an AC bus or a fire scenario which may render one

complete division of DC power unavailable. Factors which would contribute to a higher

exposure time for these scenarios were considered in this review. The focus would be on the

potential for cycling of the HPCI system and PCVs.

Transient scenarios such as LOOP events, and loss of AC and DC busses would result in

elevating DW pressure (due to latent heat effects) from the normal 1.7 - 1.8 psig to 2.7 psig in a

relatively quick timeframe. For these scenarios and considering that the degraded condition

relative to this performance deficiency appears to be a function of PCV cycles and not just run

hours, the analyst considered cases where it would be assumed a nominal 3 or 4 cycles of

HPCI may occur before a leak would develop going back to February 2020 and even December

of 2019. This time is based on the fact that there was a proven total of 4 PCV cycles from the

January 2020 timeframe from testing before the leak rate occurred after the March test. The

February 2020 and December 2019 timeframe assumptions were based on obtaining an

estimate of plant potential response to this type of event including the following:

Appendix F from JF-PRA-004, Human Reliability Analyses, Appendix F provides a summary

of simulator scenarios to verify plant response, timing of cues, and effect of key actions.

Scenario 3, loss of high pressure injection with MSIVs closed indicates that a starting DW

pressure of a nominal 1.7 to 1.8 psig could result in reaching the high DW pressure signal of

2.7 psig in a short time after the event. This would result in loss of the pressure control

mode for HPCI and the potential for several cycles of the system while controlling within the

level band. The associated data plot showed that DW pressure would increase, with the

possibility of impacting HPCI pressure control mode availability. For the analyzed fire

events, it should be noted that only one RHR pump would be available for torus cooling,

limiting the cooling capability for the torus and creating a more challenging condition for

controlling DW pressure early.

An Accident Sequence Precursor Report, (ADAMS Accession No. ML18180A326) for

estimating the potential number of cycles for a High Pressure Injection system (HPCS)

referenced thermal-hydraulic calculations performed as part of NUREG-1953, Confirmatory

Thermal-Hydraulic Analysis to Support Specific Success Criteria in the SPAR models in part

for Peach Bottom, to use as an input in the number of potential injection valve cycles

anticipated during events. This study indicated that HPCI would cycle a nominal 5 times in

hours from an initiating event in a batch mode simulated operation if the pressure control

mode was not available.

For the case of a potential high DW pressure condition, the vendor manual instruction states

the pump should not be operated below 50 percent of rated flow for sustained periods of

time, as operation on minimum flow is intended for startup and shutdown. Severe internal

cavitation at high head conditions can result in pump damage. Therefore, a batch mode of

starting HPCI to slowly increase level, then securing the pump and restarting on low levels

would be consistent with the systems capability and the vendor manual intent for pump

operation.

If the DW pressure reaches 2.7 psig, the test return valves are closed, and pressure control

mode would be unavailable. If minimum flow operation would be used, the operators would

be pumping CST water (500 to 700 gpm) into the torus while waiting for level to reduce

boiloff to inject again. This would increase torus pressure while using the preferred source

of CST water and eliminating the suction source for the control rod drive system. It is likely

this could result in a batch mode of operation (start and secure system between range of

level band) to secure the transfer of CST water into the torus and eliminate severe cavitation

of the HPCI pump.

The NRC SPAR model does not credit DW pressure control or HPCI in the pressure control

mode and the Fitzpatrick PRA model also does not formally credit DW cooling or HPCI in

pressure control mode.

The above information was used to evaluate events where it is possible that more HPCI PCV

cycles may occur, such as the dominant fire scenario for this condition, loss of AC A division

and A DC division along with LOOP events. For this scenario, and assuming several system

cycles would be required, the exposure time would reasonably be set back to 59 days and as

far back as the December 2019 HPCI functional test, and hence a 123-day exposure time

sensitivity.

It is noted that HPCI is designed to be cycled automatically in response to events. The causal

analysis defined the failure as a function of PCV cyclical stress and movement. After the

December 2019 functional test (123 days before the observed failure) if this postulated fire

event had occurred the pump could have been started and stopped to maintain level up to 4

times before any leak would have developed. There would be no cue of any kind indicating a

problem with the system or this type of operation. As noted above, previous thermal hydraulic

studies have shown about 4 or 5 starts would be required to maintain a level band in a nominal

5-to 7-hour timeframe. While this may not meet the number of cycles required in a 24-hour

mission time, a cap on the exposure time of 123 days is a reasonable sensitivity given

uncertainties with decay heat, the cooldown expected, availability of low pressure systems, and

the ability to locally, manually vent containment later in the event.

While 38 days appears to be justified for some of the postulated events, given the potential

availability of the pressure control mode of the system or recovery of it, which would eliminate

the need of cycling the system, there is still some uncertainty with the conclusion that the

degradation mechanism for the diaphragm would not be directly proportional to the run time of

the turbine. The causal analysis of steady state pressure on the PCV during operation does not

support a 24-hour run time summation. Therefore, the base case is set to 59 days for some

events to account for a reasonable number of PCV cycles during the need for potential system

cycling. Notwithstanding this, additional sensitivity analysis was provided with different

assumptions for exposure times, including up to one year, to reflect the uncertainty with the

condition or failure mechanism.

While a strict interpretation that DW cooling or pressure control is not credited, the analysts

considered assumptions where batch mode injection would occur with 6 to 7 cycles, but this is

not a realistic as-operated estimate and hence limited the estimated exposure time.

LEAKRATE ASSESSMENT AND RECOVERY

Leak Rate Assessment

The leak rates observed on April 10, 2020, as reported from the licensee, have a high level of

uncertainty. The initial leak of 0.1 gpm was estimated without actual measurement since the

operators had no equipment to measure the leak and it was unexpected. The second start of

the auxiliary oil pump to quantify the leak was cut short (only a ~30 second run) based on a

much larger leak (>1.3 gpm) that overwhelmed the collection apparatus brought to measure the

oil quantity. The PCV leaked on the 1st start and became a very large quantified leak on the 2nd

start. This was observed at ambient room temperature. Adjusting for expected HPCI operating

temperatures results in a factor of three increase in observed leak rates based on the

characteristics of Mobil DTE-732 oil used in this system. Exelon agreed that temperature would

affect the leak rate in subsequent discussions with the analysts. It is not unreasonable to

conclude that the HPCI PCV failure could have developed into the larger leak after an initial

start of the HPCI turbine, if HPCI was demanded, during dynamic operation. Furthermore, it is

not uncommon for the system to either be tripped-off, if RCIC has level under control, or trip-off

based on the high level trip being reached considering level swell, RCIC and HPCI addition, and

the relatively quick response needed to control level on the initial system initiations.

The analysts considered a number of factors that resulted in using a probabilistic best estimate

of what the leak may represent analytically while running and/or system recovery. The factors

assessed included the following: 1. a high level of uncertainty estimated in the leak rate and

2. there is an unknown probability that the PCV would not develop into a large leak. This was

done by determining a probabilistic weighted average of what the effective leak would

analytically be in order to better assess and evaluate HPCI functional run time before failure and

the plausibility of recovery actions.

The analysts calculated temperature corrected leak rates based on the oil characteristics and

thermal-hydraulic response through cracks (Table 1). The analysts also reviewed

NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S.

Commercial Nuclear Power Plants. Sections C.2.2 and C.2.3 provide a discussion and

industry-average plant data to determine the probability of multiple injection cycles by HPCI and

RCIC (MOV-PMINJ). The NUREG provides a HPCI mean value of 1.5E-1 (NUREG/CR-6928,

Table C.2.2-4). This is also modeled as a basic event in the NRC SPAR (HCI-MULTIPLE-

INJECT = 1.5E-1). The analysts also noted that the industry-average data relevant to

probabilities that the RCIC turbine will have to restart (TDP-PRST, NUREG-6928, Table

C.2.3-4) after initiation, is the same value used for high pressure coolant valve multiple

injection data in the SPAR model. This is often due to the initial trip early in an event on high

reactor water level. This further supports the basis for using 0.15 as the probability that multiple

starts of the HPCI would be necessary.

The analysts reviewed data post-2002, reviewing at least 6 boiling water reactors with HPCI to

determine auto starts and how many events resulted in high water level trips or tripping off of

HPCI. A Bayesian update analysis for binomial data was performed on the informed prior

distribution within the NUREG/CR-6928 for required probability of RCIC restarts using the

gathered HPCI data. This analysis resulted in a Jefferies non-informed posterior distribution

mean of 0.27. The informed posterior resulted in a mean value of 0.20. This used the events

where HPCI auto started and tripped on high level early. This did not account for events where

HPCI was secured due to early success of RCIC as LER data indicated HPCI was secured

more than 50% of the time. Therefore, the 0.15 probability of restart was considered a

reasonable surrogate for an early trip of HPCI only on high level using a Bayes Binomial model

approach. This was simply performed to confirm the reasonableness of using a 0.15 value for a

best estimated weighted leak rate approach. As stated, this may be slightly nonconservative,

given events for sequences involving RCIC fail to run or RCIC fails within the first hour (failed to

start) where HPCI is often secured, which in this case, would have resulted in an immediate

severe oil leak. The RCIC fail to run are found in the SPAR model dominant cutsets.

As a sensitivity, the analysts performed a SPAR-H evaluation of the human error probability of

diagnosing reactor pressure vessel level response and taking action to take early control of

HPCI/RCIC to prevent a high-level trip signal (Level 8) after initiation. Failure probability

estimate results ranged from 0.105 to 0.21. This was consistent with the actual data provided

by the NUREG. The analysts used the data and estimates above to calculate an analytical

probability-weighted effective leakage as follows and summarized in Table 1.

Weighted Leak Rate Estimate = (probability of more than one injection cycle) x (large leak

rate observed and quantified after first PCV cycle) + (probability of one injection cycle only,

no trip) x (small leak rate only estimated with a larger uncertainty)

Weighted Leak Rate Estimate = (0.15) x (3.6 gpm) + (0.85) x (0.28 gpm) = 0.79 gpm

Time estimate loss for suction = 63 gallons lost (8.5 from top of sump) / leak rate (gpm)

Table 1 - Corrected Leak Rate and Weighted Estimate

NRC data / calculation

FitzPatrick

data / calculation

gpm at 124F*

min

hours

gpm at 120F

min

hours

(0.1) / 0.28

25.0

3.75

0.18**

341.1

5.69

(1.3) / 3.65

17.3

0.29

3.84***

16.4

0.27

LR weighted estimate

LR weighted estimate***

0.79

80.4

1.34

0.58

109.3

1.82

gpm

min

hours

gpm

min

hours

Exelon states steady-state oil temperature will reach less than 124F after 20 minutes.

- Exelon used 0.0625 gpm as their initial leak (based on an operator statement of

approximately 1 pint in 2 minutes; analysts noted HOV1/2 valve position computer data

would indicate less run time of about one minute further confirming the uncertainty with this

number or non-quantified estimate)

- - Licensee states high-leak rate would preliminarily be limited to 2.8 gpm based on piping and

flow restrictions. This value was used in the NRCs assessment of FitzPatricks data in the

leak rate weighted estimate.

The analytical leak rate results assume that the HPCI PCV did not excessively leak on the initial

HPCI turbine start cycle. The analysts noted there was large uncertainty with the no-trip leak

rate (0.1 gpm) as it was not quantified, and this estimate may not be conservative. From the

above data it is noted there is a possible 80 minutes before the oil pumps would lose suction.

All estimated times to failure are less than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . This simply confirms the probabilistic leak

rate would not have supported HPCIs function for any event. And as noted, this may be non-

conservative given the historical high rate of HPCI tripping off. It should be noted this is relevant

to the NRC SDP risk calculation, because the RCIC failure to run events are dominant given

their high failure rate over 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . (0.11 nominal)

Recovery Consideration

Considering there may be some time available to identify and recover HPCI before oil pump

suction is lost based on the analytical leak rate, a recovery failure probability was estimated for

sensitivity. The default value in SPAR is 1.0 (total failure). The analysts reviewed HPCI

operating procedure (OP-15) and special procedure section (G.10) that monitors oil level and

provides guidance to add oil during turbine operations. Based on this review, the analysts

concluded that the oil addition procedure gives appropriate guidance for low volume topping-off

to account for some variation in level during HPCI operations. However, it is not written to

support rapid high-volume makeup, as there is no direction for local high volume oil pump setup.

During subsequent discussions, the licensee provided insights into available resources,

operator / crew ingenuity, and skill of the craft to make-up or direct leakage flow back to the

sump. However, the analysts noted that neither the severe leak rate or probabilistic analytical

leak rates would allow adequate time to identify and respond.

Using information from the spectrum of leak rates and timing cues available, the analysts

evaluated the likelihood of operators failure to diagnose the oil leak, and its impact on HPCI

operation, and the action to mitigate the leak through the addition of oil. This was performed to

estimate a human error probability for sensitivity evaluations (CASE 3 and 4). The most

optimistic case resulted in 0.6 failure probability, however the best estimate resulted in 1.0 (total

failure) due to barely adequate available time. A HEP = 0.8 for the sensitivity run was applied

based on the 0.6 - 1.0 range.

The analysts reviewed INL/EX-19-54613, Enhanced Component Performance Study-Turbine

Driven Pumps, 2018 Updated, dated September 2019. Section 6.4, Engineering Analysis by

Failure Modes states that overall non-recovery probabilities for turbine-driven pumps is 6:1,

meaning 6 of every 7 failures were not recovered. This equates to a failure probability of 0.86.

This gives baseline data on industry failure data. A further review, which isolated the standby

turbine-driven pump data for non-recovery failure to run events (greater than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months ), resulted in

a nominal 0.95 non-recovery probability. Therefore, the analysts concluded a sensitivity with a

HEP = 0.8 is considered reasonable. This also considered that FitzPatrick does not implement

a low-level sump alarm. In addition, although there is a pressure switch at the turbine thrust

bearing, an upstream PCV within the system would attempt to control pressure at 38 psig. This

would prevent this alarm from actuating until complete loss of suction to both of the oil pumps.

Even if the alarm did actuate, it would not provide adequate time to respond to the leak.

Additionally, for the various postulated events, such as fire, loss of AC and DC busses, and

LOCAs the operators would have multiple priorities. Hence, there would be additional

challenges to the success probability of identifying the PCV oil leak locally and implementing

actions in time to prevent damage and system failure. There would be no initial indications of

any problems with HPCI operation, and no operator cue for system priority until oil level loss

would impact the oil pumps. Lastly, the auxiliary oil pump would continue to run even after

suction is lost, with resultant cavitation and potential for pump damage as there is no automatic

pump trip on loss of oil pressure or level. This further provides additional uncertainty regarding

any kind of recovery credit for this event.

STANDARDIZED PLANT ANALYSIS RISK (SPAR) MODEL CHANGES AND SENSITIVITY

ANALYSES

The analysts used the FitzPatrick NRC SPAR model version 8.59 with Saphire version 8.2.2.

This SPAR model already included modifications to include FLEX modifications, which the

station had developed in response to NRC Order 12-049, Order to Modify Licenses with Regard

to Requirements for Mitigation Strategies for Beyond-Design-Basis External Events,

(ML12054A735) and were turned ON via a pre-build changeset. This model was used to

assess the internal and seismic events contribution to risk from this degraded condition. For fire

and internal flooding risk, since this is not modeled in the FitzPatrick SPAR, the analysts

reviewed Exelons PRA notebooks and IPEEE information.

For early control rod drive credit, the analysts assessed that a surrogate can be used that

represents the benefit of early control rod drive mapped to HPCI/RCIC fail to run events. This is

logically dominated by the compound basic event (BE) HCI/RCI-TDP-FTR and its compound

early and late terms. Adjusting the mission time for the late term (ZT-TDP-FR-L-HCI-RCI)

from 23 hours2.662037e-4 days 0.00639 hours 3.80291e-5 weeks 8.7515e-6 months to 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months , a surrogate of 3.01E-2/yr FTR is developed. This value is substituted

for HPCI and RCIC FTR for the early control rod drive sensitivity base-case and for RCIC FTR

for the early control rod drive condition case.

Internal Event Conditional Risk

Internal events are a dominant contributor to risk. Sensitivities were run to explore the impact

on exposure time, early control rod drive, and HPCI recovery. The risk contribution from internal

events for an exposure of 59 days is estimated at 1.7E-6/yr (CDF) with FLEX and early control

rod drive credit applied. The dominant accident sequence cutsets for internal events involve an

initiating event of loss of condenser heat sink, failure of high-pressure injection (HPCI/RCIC),

and failure to manually depressurize the reactor. Tables 2a and 2b summarizes the internal

events CDF. Table 3 summarizes the event and exposure contribution to the total risk since

the 59-day and 123-day exposure calculations are hybrid and use 38-day contributions for some

events.

Case 2 is considered the best estimate case for this conditional HPCI failure evaluation.

Table 2a - Summary of Internal Events CDF modeled in SPAR (excluding internal flood)

Case and credits

days

23 days

year

Case 1 - FLEX

2.04E-5 2.12E-6

2.37E-6

3.12E-6

2.04E-5

Case 2 - FLEX, early CRD (BASE)

1.26E-5 1.46E-6

1.71E-6

2.47E-6

1.29E-5

Case 3 - FLEX, HPCI Recovery

1.71E-5 1.79E-6

2.02E-6

2.71E-6

1.72E-5

Case 4 - FLEX, early CRD,

HPCI Recovery

1.11E-5 1.27E-6

1.50E-6

2.18E-6

1.13E-5

Table 2b - Summary of Internal Events CDF modeled in SPAR (including internal flood)

Case and credits

LARGE EARLY RELEASE FREQUENCY

days

23 days

year

Internal Flooding Estimate

3.86E-7

4.02E-8

6.24E-8

1.30E-7

3.86E-7

Case 1 - FLEX

2.04E-5

2.16E-6

2.43E-6

3.25E-6

2.08E-5

Case 2 - FLEX, early CRD (BASE)

1.26E-5

1.50E-6

1.77E-6

2.60E-6

1.33E-5

Case 3 - FLEX, HPCI Recovery

1.71E-5

1.83E-6

2.08E-6

2.84E-6

1.76E-5

Case 4 - FLEX, early CRD,

HPCI Recovery

1.11E-5

1.31E-6

1.56E-6

2.31E-6

1.17E-5

Table 3 - Summary of Event and Exposure Contribution to 59 / 123-day SPAR Runs

(IE) EVENTs

59-day

23-day

(IE) EVENTs

59-day

23-day

early

CRD

XLOCA

NA

LOIAS

LLOCA

NA

TRANS

X

MBLOCA

LOMFW

X

SBLOCA

LOCHS

X

ISL-RHR

NA

LOOPGR

23

IORV

LOOPPC

23

LOACB-1

23

LOOPSC

23

LOACB-2

23

LOOPWR

23

LODCB-1

23

LOSWS

X

LODCB-2

NA

LOUHS

NA

Nominal Case Information

FitzPatrick SPAR Nominal CDF = 5.85E-6/yr

FitzPatrick SPAR Nominal CDF = 5.47E-6/yr, with FLEX credit (Nominal Case 1)

Change set FLX-XHE-XE-ELAP = 1E-2;

FitzPatrick SPAR Nominal CDF = 2.27E-6/yr with FLEX credit and early CRD (Nominal Case 2)

Change set FLX-XHE-XE-ELAP = 1E-2;

For events where CRD credit is appropriate

HCI-TDP-FR-TRAIN = 3.01E-2; early CRD surrogate

RCI-TDP-FR-TRAIN = 3.01E-2; early CRD surrogate

The CDF for each exposure time was calculated by the summation of the individual event

contributions from SAPHIRE multiplied by its exposure fraction for the year (see Table 3).

Based on the 38-day contribution to the 59-day and 123-day data, the overall summation for

each is less than a simple fractional year calculation.

Events XLOCA, LLOCA, ISL-RHR, LODCB-2, and LOUHS were found not to be impacted by

the degraded condition (no CDF) for any of the cases.

CASE 1 - (sensitivity) - HPCI FTR with FLEX credit (default, no early CRD)

Change set used FLX-XHE-XE-ELAP = 1E-2 and HCI-TDP-FR-TRAIN = TRUE.

Nominal Case 1 = 5.47E-6/yr and the conditional case = 2.59E-5/yr; CDF = 2.04E-5/yr

Sensitivity exposure times at 38 days, 122 days, and 1 year were performed, in addition to the

days base case exposure:

CDF for 38 days = 2.12E-6/yr

(monthly test on March 4, 2020) and is considered front-stop exposure time.

CDF for 59 days = 2.37E-6/yr

(monthly test on February 12, 2020), approximately 2 available HPCI start/stop cycles.

CDF for 123 days = 3.12E-6/yr

(quarterly test on December 10, 2019), approximately 4 available HPCI start/stop cycles.

CDF for 1 year = 2.04E-5/yr

(max backstop), approximately 19 available HPCI start/stop cycles.

The dominant core damage sequence is loss of condenser heat sink, failure of high-pressure

injection (HPI), and failure to manually depressurize the reactor.

CASE 2 - BASE CASE - HPCI FTR with FLEX credit and early CRD credit

The analysts noted that this case may be slightly non-conservative, because the CST has a

nominal 122,000 gallons above the top of the HPCI and RCIC dedicated standpipe suction. The

tank level would support 7 or 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months assuming HPCI isnt running in a minimum flow mode

removing water to the torus. If this would be the case, there would be even less time available

before the control rod drive suction would be uncovered. Therefore, makeup to the CST would

be required to support a 24-hour mission time for control rod drive. In some cases, the licensee

is crediting methods such as firewater to refill the CST, although it is not within the licensees

postulated events procedures for this issue. The fact that the CST needs to be refilled is not

included within the SPAR model and thus has uncertainty involved with this credit.

Change set used FLX-XHE-XE-ELAP = 1E-2, HCI-TDP-FR-TRAIN = TRUE,

RCI-TDP-FR-TRAIN = 3.01E-2 (early CRD surrogate).

The integrated nominal case (Nominal Case 1 and Nominal Case 2 based on early CRD) =

3.01E-6/yr. The integrated conditional case = 1.56E-5/yr. The integrated CDF = 1.26E-5/yr

Sensitivity exposure times at 38 days, 122 days, and 1 year were performed, in addition to the

days base case exposure:

CDF for 38 days = 1.46E-6/yr;

CDF for 59 days = 1.71E-6/yr;

CDF for 123 days = 2.47E-6/yr;

CDF for 1 year = 1.29E-5/yr.

The dominant core damage sequence is loss of condenser heat sink, failure of high-pressure

injection (HPI), and failure to manually depressurize the reactor.

CASE 3 - (sensitivity) - HPCI FTR with FLEX credit and HPCI Recovery

Change set used FLX-XHE-XE-ELAP = 1E-2, HCI-TDP-FR-TRAIN = TRUE, HCI-XHE-XL-FR

(operator fails to recover HPCI failure to run) = 0.8.

Nominal Case 1 = 5.47E-6/yr and the overall conditional case = 2.27E-5/yr; CDF = 1.71E-5/yr.

Sensitivity exposure times at 38 days, 122 days, and 1 year were performed, in addition to the

days base case exposure:

CDF for 38 days = 1.79E-6/yr;

CDF for 59 days = 2.02E-6/yr;

CDF for 123 days = 2.71E-6/yr;

CDF for 1 year = 1.72E-5/yr.

The dominant core damage sequence is loss of condenser heat sink, failure of high-pressure

injection (HPI), and failure to manually depressurize the reactor.

CASE 4 - (sensitivity) - HPCI FTR with FLEX, early CRD credit, and HPCI Recovery

Change set used FLX-XHE-XE-ELAP = 1E-2, HCI-TDP-FR-TRAIN = TRUE,

RCI-TDP-FR-TRAIN = 3.01E-2 (early CRD surrogate), and HCI-XHE-XL-FR (operator fails to

recover HPCI failure to run) = 0.8.

The integrated nominal case = 3.01E-6/yr. The integrated conditional case = 1.41E-5/yr. The

integrated CDF = 1.11E-5/yr

Sensitivity exposure times at 38 days, 122 days, and 1 year were performed, in addition to the

days base case exposure:

CDF for 38 days = 1.27E-6/yr;

CDF for 59 days = 1.50E-6/yr;

CDF for 123 days = 2.18E-6/yr;

CDF for 1 year = 1.13E-5/yr.

The dominant core damage sequence is loss of condenser heat sink, failure of high-pressure

injection (HPI), and failure to manually depressurize the reactor.

Internal Flooding Risk not included in NRC SPAR model

The Fitzpatrick NRC SPAR model does not include internal flooding risk. FitzPatricks flooding

PRA notebook estimated the overall internal flooding risk base case CDF to be 5.08E-7/yr.

The analyst noted that the baseline dominant risk significant flood area initiator was a service

water piping fault in the chiller room within the reactor building. The degraded HPCI condition

had no impact on these results as this flood impacts DC power to both HPCI and RCIC in the

base case. The analyst estimated that a flood in the 252-foot elevation of the turbine building,

%FLD-TB-1, was a bounding condition and the total frequency within the flooding notebook was

5.5E-3/yr for this area. The NRC SPAR model was used with a loss of condenser heat sink as

a surrogate event to determine a base case and the conditional case using HPCI fail to run.

The CCDP was calculated at 7E-5. Therefore 5.52E-3/yr x 7E-5 = 3.86E-7/yr. For a 59-day

exposure this would be a risk increase of 6.24E-8/yr.

A second notable area where HPCI was described to be available for many of the flood area

sequences was within the reactor building west crescent area. These floods could result in the

loss of RCIC and the A train of RHR and core spray. This contribution was considered bounded

by %FLD-TB-1 based on low initiating event frequencies.

Fire External Event Conditional Risk

An initial review of FitzPatrick Fire PRA notebook (JF-PRA-021.11) relative to the degraded

condition indicated that this fail to run event was considered a significant risk contributor based

on its risk importance measures (i.e. Fussel-Vesely and Birnbaum importance measures).

Therefore, the analyst reviewed the notebook, along with the IPEEE to evaluate the condition.

To evaluate the as-operated condition, a detailed review of abnormal operating procedure

(AOP-28), Operation During Plant Fires, (immediate and subsequent operator actions for

specific fire zones) was also performed. The analyst determined that HPCI was part of the safe

shutdown equipment for the west inner cable tunnel zone, the west electric bay fire zone, south

emergency switchgear room among various other areas. However, it was determined that the

most dominant fire areas which would be impacted by this condition were associated with BR-1,

the A battery charger room, SW1, Division 1 Switchgear, and TB1E252 turbine building fire

resulting in a LOOP event.

It was noted that a HPCI failure event was found in the top 100 cutsets for the base case CDF in

the notebook with fire area BR-1 being the applicable event. Therefore, this fire area (BR-1 full

zone fire) was assumed to provide the most significant contribution to risk for a HPCI failure.

The full zone fire ignition frequency for BR-1 from the notebook was 1.5E-3/yr as referenced in

Table B-1 of JF-PRA-021.11 revision 1. A review of the SW1 Switchgear area fires

(%F1_SW1_71H03) resulted in an estimated ignition frequency of 1E-3/yr. The ignition

frequency for turbine building fires (%F1_TB1E252_FIS_Y) which result in a LOOP event was

estimated at 1.89E-3/yr.

A Battery Charger Room Fire, BR-1

The analyst noted a fire in this area would have a SPAR model internal event surrogate of a

Loss of the A Train DC. This would impact A train equipment including the ability of RCIC to

perform its function. The SPAR model initiating event of loss of DC Bus 2A would be the

appropriate surrogate to analyze this fire event.

A change set was developed for the base case and conditional case for the SPAR model:

Base Case, IE-LODCB-1 (DC Bus 2A Div I) set to 1.0, ADS-XHE-XM-MDEPR set to 2E-3

(SPAR-H, using no diagnosis - only action with all nominal settings other than Stress taken to

high - given the fire event, impact on A DC train, and operators in multiple procedures). This

base case was run for IE-LODCB-1 with a CCDP of 7.94E-4.

Condition case is simply the above change set with the addition of HCI-TDP-FR-TRAIN set to

TRU

E. The resultant CCDP is 3.37E-3. Therefore, the delta CCDP is 2.58E-3.

Substituting the fire zone BR-1 full zone fire frequency provides for the following:

1.5E-3/yr x delta CCDP (2.58E-3) = 3.9E-6/yr. A minimum of 2 cycles was assumed taking the

exposure out to 59 days given the loss of all the equipment and likelihood of early high DW

pressure. Additionally, as noted prior, DW pressure control is not credited and it is likely that the

high DW pressure setpoint would be exceeded at some point during the event, resulting in the

potential need to batch-feed (pressure control mode lost) and start / stop the HPCI system.

The increase in fire risk for this condition was estimated at 3.9E-6/yr x (59/365) = 6.3E-7/yr

Division I Fire Area, SW1

The analyst noted a fire in this area would have a SPAR model internal event surrogate of a

Loss of the Division 1 AC Train. This would impact A train equipment including the ability of

RCIC to perform its long-term function. The SPAR model initiating event of loss of the 10500

Bus or LOACB-1 would be the surrogate to analyze this fire event.

A change set was developed for the base case and conditional case for the SPAR model:

Base Case, IE-LOACB-1 set to 1.0, ADS-XHE-XM-MDEPR set to 2E-3 (SPAR-H, using no

diagnosis - only action -with all nominal settings other than Stress taken to high - given the fire

event, impact on A AC train, and operators in multiple procedures). This base case was run for

IE-LOACB-1 with a CCDP of 4.49E-4.

Condition case is simply the above change set with the addition of HCI-TDP-FR-TRAIN set to

TRU

E. The resultant CCDP is 2.12E-3. Therefore, the delta CCDP is 1.7E-3. The fire ignition

frequencies were estimated to be 1E-3/yr and include high energy arc faults. These were

estimated from a review of Table B-1 from JF-PRA-021.11 notebook.

Substituting the fire zone SW1 fire frequencies which contribute to the conditional risk provides

for the following: 1E-3/yr x delta CCDP (1.7E-3) = 1.7E-6/yr

The increase in fire risk for this condition was estimated at 1.7E-6/yr x (59/365) = 2.7E-7/yr

Turbine Building Fires resulting in LOOP

The analyst noted a fire in this area would have a SPAR model internal event surrogate of a

LOOP event. The SPAR model initiating event of a LOOP event (IE-LOOPPC) would be the

appropriate surrogate to analyze this fire event.

A change set was developed for the base case and conditional case for the SPAR model:

Base Case, IE-LOOPPC was set to 1.0, ADS-XHE-XM-MDEPR set to 2E-3 (SPAR-H, using no

diagnosis - only action -with all nominal settings other than Stress taken to high - given the fire

event, and resultant LOOP event, and operators in multiple procedures). This base case was

run for IE-LOOPPC with a CCDP of 6.1E-5.

Condition case is simply the above change set with the addition of HCI-TDP-FR-TRAIN set to

TRU

E. The resultant CCDP is 3.45E-4. Therefore, the delta CCDP is 2.84E-4.

Substituting the turbine building fire frequency provides for the following:

1.89E-3/yr x delta CCDP (2.8E-4) = 5.4E-7/yr.

The increase in fire risk for this condition was estimated at 5.4E-7/yr x (59/365) = 8.7E-8yr

The total fire increase in CDF/yr for 59 days is 6.3E-7/yr + 2.7E-7/yr + 8.7E-8/yr = 9.9E-7/yr

Fire Sensitivity Analysis

Considering the degraded condition relative to this performance deficiency appears to be a

function of PCV cycles and not just service run hours, the analyst assumed fires, especially with

the loss of one division, may result in a high DW pressure condition with a nominal 4 or 5 cycles

of HPCI. These cycles are assumed to degrade the PCV such that if these postulated fires

were to occur after December of 2019, the PCV may have failed. This was based on the

discussion within the exposure time discussion of this DRE.

For the above fires the increase in risk was calculated at 3.9E-6/yr + 1.7E-6/yr + 5.4E-7/yr =

6.1E-6/yr. Therefore, for a sensitivity analyses of a 123-day exposure the increase in CDF/yr

would be 6.1E-6/yr x 123/365 days = 2.1E-6/yr.

The analyst noted the above does not consider other areas where HPCI is considered the safe

shutdown high pressure system within AOP-28 attachments and assumes there would be

insignificant contributions from these areas.

Lastly, the Fitzpatrick baseline fire risk is dominated by fires which result in evacuating the

control room and using alternate shutdown strategies. The procedure applicable to this

scenario, AOP-43, Plant Shutdown from Outside the Control Room, Revision 43, was reviewed

to confirm that this degraded condition had no impact on increased risk because the strategy is

to depressurize via the safety relief valves and use low pressure injection systems.

Other External Event Risk Contribution

Other external events were not considered to be significant risk contributors. The seismic risk

was calculated using the NRC FitzPatrick SPAR model and the increase in risk was determined

to be 9.3E-8/yr. For a 59-day exposure this would be 1.5E-8/yr or insignificant.

The analyst estimated that high winds would also have a negligible impact relative to this

degraded condition, due to the low initiating event frequencies.

The analysts reviewed portions of the FitzPatricks PRA summary notebook relative to the

analysis of large early release frequency (LERF). The licensee evaluated a Level 2

methodology analyzing issues such as magnitude and timing of calculated radionuclide releases

through level 2 containment event trees. The analysts noted that the licensee had used a LERF

multiplier for class IA events (e.g. HPCI FTR) CDF sequences of a nominal 1.12E-1. Other

class events also have factors less than 1.0, except containment bypass (Class V). Therefore,

this does not increase the LERF importance with respect to risk over or beyond that calculated

for the CDF/yr increase.

A bounding result was CASE 1 for the conditional change in CDF = 2.04E-5/yr annualized

increase in risk due to a degraded HPCI system. This would result in (2.04E-5/yr x 1.12E-1) x

days/365 days = 3.7E-7/yr increase in LERF due to the condition. This bounds any LERF

contribution from internal events and therefore the best estimate of risk is represented by the

estimated increase in total CDF/yr for the condition.

Also, per Inspection Manual Chapter 0609, Appendix H, Table 5.2, LERF factors of 1.0 and 0.6

are used for high pressure core damage accident sequences with the DW dry or flooded,

respectively. These Appendix H LERF factors are considered conservative bounding values.

More recent insights from an NRC Office of Research sponsored study by Energy Research,

Inc. (ERI/NRC-03-04), November 2003 indicates that without reactor coolant system (RCS)

injection during a station blackout (SBO), there is a high probability that the RCS would

subsequently depressurize as a result of either temperature-induced creep rupture of the steam

lines or a stuck-open safety relief valve (SRV) (due to high temperature cycling). Subsequent

State of the Art Reactor Consequence Analysis Project at Peach Bottom Nuclear Power Station

(NUREG/CR-7110) have identified that improved modeling and analysis of anticipated types

and sizes of reactor coolant ruptures, projected containment heating and fuel-coolant

interactions, and operator actions taken to flood containment in accordance with Severe

Accident Management Guidelines, significantly reduce the potential for containment breach and

the likelihood of a LERF.

The dominant core damage sequences would not significantly contribute to LERF risk due to

timing considerations. These sequences involve a failure of HPCI/RCIC and a failure to

depressurize the RCS, resulting in the failure of any injection to the RCS (i.e. no low pressure

injection from core spray or low pressure coolant injection systems). These sequences are

similar to the accident conditions that would be encountered during an SBO event without HPCI

availability.

Therefore, the above reports indicate a more benign containment response at the time of vessel

breach, in terms of direct containment heating and fuel-coolant interaction-induced containment

failure. As a result of the above considerations, the use of a LERF multiple based on a

depressurized RCS and a flooded DW floor would be appropriate. The analysts concluded that

the risk due to LERF is consistent and bounded by the CDF results, i.e. White.

MODEL COMPARISONS AND LICENSEE RISK PRELIMINARY METHODOLOGY

Exelons internal and external events analysis of the HPCI PCV failure resulted in a

determination of a very low safety significant issue. The result of 3E-7/yr total risk increase, was

based on a 38-day exposure, early control rod drive credit for events (nominal 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months ), and a

high success probability to prevent an early HPCI trip on high level. Their evaluation

acknowledged HPCI could be tripped off with early RCIC success but concluded it would have a

minimal effect. This is because Exelon uses a RCIC failure to run value of approximately 1E-2

per 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , which is an order of magnitude lower than the NRC SPAR model 1.19E-1. The

NRC SPAR model dominant cutsets include RCIC fail to run events.

The NRC analysts contacted Idaho National Labs to confirm the appropriateness of the HPCI

and RCIC failure to run probabilities and they confirmed the accuracy of them in the SPAR

model. This is a significant difference. Additionally, Exelons SDP evaluation concluded a very

high probability to identify and recover from both a small leak (0.18 gpm) and a large leak

(2.8 gpm) based on operator skill of the craft. A review of FitzPatricks SDP indicates an an

assumption of success 19 out of 20 times in identifying the leak in order to mitigate the oil loss

until control rod drive can be credited after 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months . It is important to note that FitzPatricks SDP

is predicated on an assumption that the leak will remain low, and not degrade with machine

operation (no more than the 120°F temperature corrected leak rate of 0.18 gpm). This was

based on the 0.06 gpm leak rate that the analysts believe has a very large degree of uncertainty

with no evidence for its technical basis. The licensees methodology using their success

probabilities to prevent any large leak with operator actions to control level, reduces the

importance of their MBLOCA scenarios. Although DW cooling or HPCI pressure control is not

credited in the Fitzpatrick PRA model, Exelon is assuming that they could operate HPCI on

minimum flowrate, for up to 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months , even with vendor documentation stating severe cavitation

would occur due to the nature of the design of the pump curve. This assumes operations would

not simply shut the turbine down and then restart it when needed at a lower reactor water level.

Exelon is also considering they would perform many skill of the craft actions such as using

firewater with no direct procedural direction for the applicable postulated event, to add to the

CST to support the control rod drive high pressure mission time even though HPCI and RCIC

may be functioning to cool the core while level drops to the standpipe.

Because the Exelon evaluation assumes that HPCI can continue to run for up to 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months or

greater than 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months , they also re-evaluated their human actions for failure to depressurize

which is dominant in many core damage cutsets. This increased timing available resulted in

some notable revisions to lower the failure probability of this action. The NRC calculated a

probabilistic weighted nominal 90 minutes of run time, with a strong likelihood there would be a

severe oil leak through the failed PCV diaphragm if RCIC starts successfully with the RCIC

failure to run dominant cutsets. Therefore, the fail to depressurize human error probabilities will

be different as well.

The licensee also presented a proposed revised calculation for the available oil volume in the

HPCI sump that would add an additional 25 gallons, hence extending their proposed low-leak

mitigation time. The analysts dont consider this supported by the current data regarding normal

oil level and vendor low level requirements to maintain pump suction.

Also, as previously discussed, the analysts do not consider HPCI recovery plausible or feasible

and assigns a high failure probability (0.8 for sensitivity, see Case 3 and 4).

Licensee does not consider fire risk significant.

PRELIMINARY CONDITIONAL RISK INCREASE CALCULATION CDF/YR

Total risk is the sum of the internal + external events; CASE 1 is without control rod drive credit

or recovery. CASE 2 includes early control rod drive credit for some events and best represents

the event assessment. Also, the assessment exposure time is best represented from 38 to 123

days based on the cyclical failure mechanism and not necessarily proportional to the runtime of

HPCI. Tables 4a and 4b summarize the estimated total risk:

Table 4a - Summary of Total Risk (CDF) - BASE CASE (early CRD for some events)

Event

days

23 days

Internal and Flooding - Case 2

1.3E-5/yr

1.5E-6/yr

1.8E-6/yr

2.6E-6/yr

Fire

6.1E-6/yr

6.4E-7/yr

9.9E-7/yr

2.1E-6/yr

Seismic

9.3E-8/yr

9.7E-9/yr

1.5E-8/yr

3.1E-8/yr

Total CDF estimated:

2.1E-6/yr

2.8E-6/yr

4.7E-6/yr

Table 4b - Summary of Total Risk (CDF) - DEFAULT CASE (no early CRD)

Event