ML22067A232

U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 2: Background, Site and Plant Description, and Technical Approach
ML22067A232
Person / Time
Issue date: 04/05/2022
From: Alan Kuritzky
NRC/RES/DRA/PRAB
To:
Kuritzky, Alan - 301 415 1552


Text

U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project
Volume 2: Background, Site and Plant Description, and Technical Approach

Manuscript Completed: March 2022
Date Published: April 2022

A. Kuritzky, NRC Level 3 PRA Project Program Manager
Office of Nuclear Regulatory Research

ABSTRACT

The U.S. Nuclear Regulatory Commission (NRC) performed a full-scope site Level 3 probabilistic risk analysis (PRA) project (L3PRA project) for a two-unit pressurized-water reactor reference plant, responding to Commission direction in the staff requirements memorandum (SRM) (Agencywide Documents and Management System [ADAMS] Accession No. ML112640419) resulting from SECY-11-0089, "Options for Proceeding with Future Level 3 Probabilistic Risk Assessment (PRA) Activities" (ADAMS Accession No. ML11090A039).

As described in SECY-11-0089, the objectives of the L3PRA project are to:

Develop a Level 3 PRA, generally based on current state-of-practice methods, tools, and data,[1] that (1) reflects technical advances since the last NRC-sponsored Level 3 PRAs (NUREG-1150[2]), which were completed over 30 years ago, and (2) addresses scope considerations that were not previously considered (e.g., low power and shutdown [LPSD] risk, multi-unit risk, other radiological sources)

Extract new insights to enhance regulatory decision making and to help focus limited NRC resources on issues most directly related to the agency's mission to protect public health and safety

Enhance PRA staff capability and expertise and improve documentation practices to make PRA information more accessible, retrievable, and understandable

Demonstrate technical feasibility and evaluate the realistic cost of developing new Level 3 PRAs

The scope of the L3PRA project encompasses all major radiological sources on the site (i.e., reactors, spent fuel pools, and dry cask storage), all internal and external hazards, and all modes of plant operation. Fresh nuclear fuel, radiological waste, and minor radiological sources (e.g., calibration devices) are not included as part of the scope. In addition, deliberate malevolent acts (e.g., terrorism and sabotage) are excluded from the scope of this study.

This report, one of a series of reports documenting the models and analyses supporting the L3PRA project, provides a description of the project background, site and plant description, and approach for developing the various PRA models that make up the L3PRA project.

A full-scope site Level 3 PRA for a nuclear power plant site can provide valuable insights into the importance of various risk contributors by assessing accidents involving one or more reactor cores as well as other site radiological sources. Furthermore, some future advanced light water reactor (ALWR) and advanced non-light water reactor (NLWR) applicants may rely heavily on results of analyses similar to those used in the L3PRA project to establish their licensing basis and design basis by using the Licensing Modernization Project (LMP) (NEI 18-04, Rev. 1) which was recently endorsed via RG 1.233. Licensees who use the LMP framework are required to perform Level 3 PRA analyses. Therefore, another potential use of the methodology and insights generated from this study is to inform regulatory, policy, and technical issues pertaining to ALWRs and NLWRs.

[1] State-of-practice methods, tools, and data refer to those that are routinely used by the NRC and industry or have acceptance in the PRA technical community. While the L3PRA project is intended to be a state-of-practice study, note that there are several technical areas within the project scope that necessitated advancements in the state-of-practice (e.g., modeling of multi-unit site risk, modeling of spent fuel in pools or casks, and of human reliability analysis for other than internal events and internal fires).

[2] NUREG-1150, "Severe Accident Risk: An Assessment for Five U.S. Nuclear Power Plants," December 1990.

CAUTION:

While the L3PRA project is intended to be a state-of-practice study, due to limitations in time, resources, and plant information, some technical aspects of the study were subjected to simplifications or were not fully addressed. As such, inclusion of approaches in the L3PRA project documentation should not be viewed as an endorsement of these approaches for regulatory purposes.

FOREWORD

The U.S. Nuclear Regulatory Commission (NRC) performed a full-scope site Level 3 probabilistic risk analysis (PRA) project (L3PRA project) for a two-unit pressurized-water reactor reference plant, responding to Commission direction in the staff requirements memorandum (SRM) (Agencywide Documents and Management System [ADAMS] Accession No. ML112640419) resulting from SECY-11-0089, "Options for Proceeding with Future Level 3 Probabilistic Risk Assessment (PRA) Activities" (ADAMS Accession No. ML11090A039).

Licensee information used in performing the Level 3 PRA project was voluntarily provided based on a licensed, operating nuclear power plant. The information provided reflects the plant as it was designed and operated as of 2012 and does not reflect the plant as it is currently designed, licensed, operated, or maintained. In addition, the information provided for the reference plant was changed based on additional information, assumptions, practices, methods, and conventions used by the NRC in the development of plant-specific PRA models used in its regulatory decisionmaking. As such, use of L3PRA project reports to assess the risk from the reference plant is not appropriate and these reports will not be the basis for any regulatory decision associated with the reference plant.

Each set of L3PRA project reports covering the Level 1, 2, and 3 PRAs for a specific site radiological source, plant operating state, and hazard group is accompanied by an overview report. The overview reports summarize the results and insights from all three PRA levels.

In order to provide results and insights better aligned with the current design and operation of the reference plant, the overview reports also provide a reevaluation of the plant risk based on a set of new plant equipment and PRA model assumptions and compare the results of the reevaluation to the original study results. This reevaluation reflects the current reactor coolant pump (RCP) shutdown seal design at the reference plant, as well as the potential impact of FLEX strategies,[3] both of which reduce the risk to the public.

A full-scope site Level 3 PRA for a nuclear power plant site can provide valuable insights into the importance of various risk contributors by assessing accidents involving one or more reactor cores as well as other site radiological sources (i.e., spent fuel in pools and dry storage casks).

These insights may be used to further enhance the regulatory framework and decisionmaking and to help focus limited agency resources on issues most directly related to the agency's mission to protect public health and safety. More specifically, potential future uses of the Level 3 PRA project can be categorized as follows (a more detailed list is provided in SECY-12-0123, "Update on Staff Plans to Apply the Full-Scope Site Level 3 PRA Project Results to the NRC's Regulatory Framework," dated September 13, 2012):

enhancing the technical basis for the use of risk information (e.g., obtaining updated and enhanced understanding of plant risk as compared to the Commission's safety goals)

improving the PRA state-of-practice (e.g., demonstrating new methods for site risk assessments, which may be particularly advantageous in addressing the risk from advanced reactor designs, or in supporting the evaluation of the potential impact that a multi-unit accident, or an accident involving spent fuel, may have on the efficacy of the emergency planning zone in protecting public health and safety)

identifying safety and regulatory improvements (e.g., identifying potential safety improvements that may lead to either regulatory improvements or voluntary implementation by licensees)

supporting knowledge management (e.g., developing or enhancing in-house PRA technical capabilities)

[3] FLEX refers to the U.S. nuclear power industry's proposed safety strategy, called Diverse and Flexible Mitigation Capability. FLEX is intended to maintain long-term core and spent fuel cooling and containment integrity with installed plant equipment that is protected from natural hazards, as well as backup portable onsite equipment. If necessary, similar equipment can be brought from offsite.

In addition, the overall Level 3 PRA project model can be exercised to provide insights with regard to other issues not explicitly included in the current project scope (e.g., security-related events or the use of accident tolerant fuel). Furthermore, some future advanced light water reactor (ALWR) and advanced non-light water reactor (NLWR) applicants may rely heavily on the results of analyses similar to those used in the L3PRA project to establish their licensing basis and design basis by using the Licensing Modernization Project (LMP) (NEI 18-04, Rev. 1) which was recently endorsed via RG 1.233. Licensees who use the LMP framework are required to perform Level 3 PRA analyses. Therefore, another potential use of the methodology and insights generated from this study is to inform regulatory, policy, and technical issues pertaining to ALWRs and NLWRs.

The results and perspectives from all of the Level 3 PRA project reports will be incorporated into a summary report to be published after all technical work for the Level 3 PRA project has been completed.

ACKNOWLEDGMENTS

This report is the result of a team effort. Acknowledgment goes to the following individuals:

Steven Wessels, Task Lead, formerly with the U.S. Nuclear Regulatory Commission (NRC)
Mary Drouin, QA Plan lead, formerly with the NRC
Keith Compton, NRC
Susan Cooper, NRC
Kevin Coyne, NRC
Jonathan DeJesus-Segara, NRC
Anders Gilbertson, NRC
Felix Gonzalez, formerly with the NRC
Donald Helton, formerly with the NRC
Chris Hunter, NRC
Alan Kuritzky, NRC
Nick Melly, NRC
John Nakoski, NRC
Jose Pires, NRC
Selim Sancaktar, NRC
Song-hua Shen, NRC
Marty Stutzke, NRC
Brian Wagner, NRC
Jeffery Wood, NRC

Table of Contents (Not fully updated and does not yet include Appendix A)

ABSTRACT
FOREWORD
ABBREVIATIONS AND ACRONYMS

1. INTRODUCTION

2. SUMMARY OF PLANT AND SITE DESIGN
    Accumulator Injection System
    High-Pressure Injection System
    High-Pressure Recirculation System
    Low-Pressure Injection System
    Low-Pressure Recirculation System
    Power-Operated Relief Valves
    Residual Heat Removal System
    Main Feedwater System
    Auxiliary Feedwater System
    Reactor Protection System
    Auxiliary Component Cooling Water System
    Instrument Air System
    Nuclear Service Cooling Water System
    AC Electric Power
    125V DC Electric Power
    Component Cooling Water System
    Circulating Water System
    Turbine Plant Closed Cooling Water System
    Turbine Plant Cooling Water System
    Containment Structure
    Containment Cooling Unit System
    Containment Isolation System
    Containment Spray System
    System Overview
    Spent Fuel Pool Cranes
    Spent Fuel Pool Cooling and Purification System
    Fuel Handling Building Heating, Ventilation, and Air Conditioning System
    Dry Cask Storage Siting
    Description of HI-STORM-100 Dry Cask Storage System
    Multipurpose Canister
    HI-TRAC Transfer Cask
    HI-STORM Storage Overpack
    Dry Cask Storage Operating Stages
    SFPs and Cask Loading Pit
    Cask Washdown Area
    Cask Transfer Facility
    Independent Spent Fuel Storage Installation
    Vertical Cask Transporter
    Alternate Cooling Water System
    Supplemental Cooling System
    Forced Helium Dehydration System
    Automated Welding System
    Low-Profile Transporter
    Mating Device
    Other Plant Dry Cask Storage Supporting Systems

3. SUMMARY OF APPROACH
    Plant Familiarization
    Hazard and Fragility Analyses
    Screening Analysis
    Uncertainty Analysis
    Initiating Event Analysis
    Accident Progression Analysis
    Systems Analysis
    Parameter Estimation Analysis
    Human Reliability Analysis
    Structural Analysis
    Quantification Analysis
    Source Term (Radiological Release) Analysis
    Consequence Analysis
    Level 1 At-Power Conditions PRA Model
    Level 2 At-Power Conditions PRA Model
    Level 3 At-Power Conditions PRA Model
    Reactor at Low Power and Shutdown Conditions for Internal Events PRA Model
    SFP Level 1 and Level 2 PRA Model
    SFP Level 3 PRA Model
    DCS Level 1 and Level 2 PRA Model
    DCS Level 3 PRA Model

4. REFERENCES

List of Figures

Figure 1-1 PRA Scope Elements
Figure 2-1 Schematic of Major Systems
Figure 2-2 One-Line Diagram and Dependency Diagram Key
Figure 2-3 Accumulator System
Figure 2-4 Charging System
Figure 2-5 Safety Injection (SI) System
Figure 2-6 HPI Dependency Diagram
Figure 2-7 Normal Charging Dependency Diagram
Figure 2-8 HPR Dependency Diagram
Figure 2-9 LPI Dependency Diagram
Figure 2-10 LPR Dependency Diagram
Figure 2-11 Pressurizer Pressure Relief System
Figure 2-12 Residual Heat Removal (RHR) System
Figure 2-13 RHR Dependency Diagram
Figure 2-14 Main Feedwater (MFW) System
Figure 2-15 Condensate System
Figure 2-16 Main Steam System-Steam Generator Atmospheric Dump and Safety Valves
Figure 2-17 Main Steam System-Turbine Bypass Valves
Figure 2-18 Auxiliary Feedwater (AFW) System
Figure 2-19 AFW Dependency Diagram
Figure 2-20 Auxiliary Component Cooling Water (ACCW) System (Sheet 1)
Figure 2-21 ACCW System (Sheet 2)
Figure 2-22 ACCW Dependency Diagram
Figure 2-23 Instrument Air System
Figure 2-24 Nuclear Service Cooling Water (NSCW) System (Train A)
Figure 2-25 NSCW System (Train B)
Figure 2-26 NSCW Dependency Diagram
Figure 2-27 Electrical Distribution System-Offsite Power and Safety Related 4.16kV and 480V AC
Figure 2-28 EDG Dependency Diagram
Figure 2-29 Electrical Distribution System-Safety Related 125V DC and 120V AC
Figure 2-30 Component Cooling Water (CCW) System
Figure 2-31 CCW Dependency Diagram
Figure 2-32 Circulating Water System
Figure 2-33 Turbine Plant Closed Cooling Water (TPCCW) System
Figure 2-34 Turbine Plant Cooling Water (TPCW) System
Figure 2-35 Containment Cooling Unit (CCU) System
Figure 2-36 CCU Dependency Diagram
Figure 2-37 Spent Fuel Pool Side View
Figure 2-38 Unit 1 & 2 Fuel Handling Layout
Figure 2-39 Fuel Handling Machine
Figure 2-40 Spent Fuel Cask Bridge Crane
Figure 2-41 Spent Fuel Pool Cooling & Purification System
Figure 2-42 Storage Overpack and Dry Cask Storage Pad
Figure 2-43 Multipurpose Canister
Figure 2-44 Dry Cask Process Steps 3 - 18
Figure 2-45 Vertical Cask Transporter
Figure 2-46 Mating Device
Figure 3-1 Overall Approach to Level 3 PRA Model
Figure 3-2 Technical Elements
Figure 3-3 Review Process

List of Tables

Table 2-1 SFPCPS Components
Table 3-1 Areas Visited
Table 3-2 Technical Areas and Issues Pursued
Table 3-3 Other Hazards Screening Criteria
Table 3-4 Other Hazards and Their Analyzed Impacts

ABBREVIATIONS AND ACRONYMS

AC  alternating current
ACC  accumulator
ACCW  auxiliary component cooling water
ACRS  Advisory Committee on Reactor Safeguards
AFW  auxiliary feedwater
AMSAC  anticipated transient without scram mitigation system actuation circuitry
ANS  American Nuclear Society
ARV  atmospheric relief valve
ASME  American Society of Mechanical Engineers
ATWS  anticipated transient without scram
CCP  centrifugal charging pump
CCU  containment cooling unit
CCW  component cooling water
CHG  charging
CIS  containment isolation system
CL  cold leg
CS  containment spray
CSS  containment spray system
CST  condensate storage tank
CVCS  chemical and volume control system
DC  direct current
DCS  dry cask storage
ECCS  emergency core cooling system
EDG  emergency diesel generator
EDMG  extensive damage mitigation guidance
ESF  engineered safety features
ESFAS  engineered safety features actuation system
FHB  fuel handling building
FSAR  final safety analysis report
FW  feedwater
HEP  human error probability
HEPA  high-efficiency particulate air
HFE  human failure event
HL  hot leg
HPI  high-pressure injection
HPR  high-pressure recirculation
HVAC  heating, ventilation and air conditioning
IA  instrument air
ISFSI  independent spent fuel storage installation
ISR  integrated site risk
LOCA  loss-of-coolant accident
LOOP  loss of offsite power
LPI  low-pressure injection
LPR  low-pressure recirculation
LPSD  low power and shutdown
MOV  motor-operated valve
MCC  motor control center
MFIV  main feedwater isolation valve
MFW  main feedwater
MPC  multipurpose canister
MS  main steam
MSIV  main steam isolation valve
MSLB  main steam line break
MW  megawatt
NPSH  net positive suction head
NRC  Nuclear Regulatory Commission
NSCW  nuclear service cooling water
PORV  power-operated relief valve
POS  plant operating state
PRA  probabilistic risk assessment
PWR  pressurized-water reactor
PWROG  PWR Owners Group
PZR  pressurizer
RAT  reserve auxiliary transformer
RCP  reactor coolant pump
RCS  reactor coolant system
RES  Office of Nuclear Regulatory Research
RG  regulatory guide
RHR  residual heat removal
RPS  reactor protection system
RTB  reactor trip breakers
RWST  reactor water storage tank
SAMG  severe accident mitigation guidelines
SFP  spent fuel pool
SFPCPS  spent fuel pool cooling and purification system
SG  steam generator
SGTR  steam generator tube rupture
SI  safety injection
SLOCA  small loss-of-coolant accident
SRM  staff requirements memorandum
SRV  safety-relief valve
SSC  structures, systems, and components
SSPS  solid-state protection system
TBV  turbine bypass valve
TPCCW  turbine plant closed cooling water
TPCW  turbine plant cooling water system
UAT  unit auxiliary transformer
VCT  volume control tank

1. INTRODUCTION

This report provides a description of the background, site and plant description, and approach associated with the U.S. Nuclear Regulatory Commission (NRC) full-scope site Level 3 probabilistic risk assessment project (L3PRA project) for a two-unit pressurized-water reactor (PWR) reference plant. This section provides the background, objectives, and scope of the L3PRA project, as well as some key limitations and assumptions for the project. Section 2 provides some characteristics of the reference site and a summary of the reference plant design, including brief system descriptions and simplified schematics. Section 3 summarizes the approach used to develop and quantify the Level 3 PRA model.

The development of the various models and associated results for the L3PRA project will be documented in reports that will be issued as the work is completed in each specific area. At the completion of all of the technical work on the L3PRA project, a final integrated report will be published summarizing the results, key insights, and perspectives from the project. The series of reports for the L3PRA project is organized as follows:

Volume 1: Summary (to be published last)
Volume 2: Background, site and plant description, and technical approach
Volume 3: Reactor, at-power, internal event and flood PRA
    Volume 3x: Overview
    Volume 3a: Level 1 PRA for internal events (Part 1 - Main Report; Part 2 - Appendices)
    Volume 3b: Level 1 PRA for internal floods
    Volume 3c: Level 2 PRA for internal events and floods
    Volume 3d: Level 3 PRA for internal events and floods
Volume 4: Reactor, at-power, internal fire and external event PRA
    Volume 4x: Overview
    Volume 4a: Level 1 PRA for internal fires
    Volume 4b: Level 1 PRA for seismic events
    Volume 4c: Level 1 PRA for high wind events and other hazards evaluation
    Volume 4d: Level 2 PRA for internal fires and seismic and wind-related events
    Volume 4e: Level 3 PRA for internal fires and seismic and wind-related events
Volume 5: Reactor, low power and shutdown, internal event PRA
    Volume 5x: Overview
    Volume 5a: Level 1 PRA for internal events
    Volume 5b: Level 2 PRA for internal events
    Volume 5c: Level 3 PRA for internal events
Volume 6: Spent fuel pool all hazards PRA
    Volume 6x: Overview
    Volume 6a: Level 1 and Level 2 PRA
    Volume 6b: Level 3 PRA
Volume 7: Dry cask storage, all hazards, Level 1, Level 2, and Level 3 PRA
Volume 8: Integrated site risk, all hazards, Level 1, Level 2, and Level 3 PRA

Background

It has been more than three decades since the NRC last sponsored a Level 3 PRA study (NUREG-1150 [NRC, 1990]). Level 3 PRAs have since been performed to some extent within both the United States and international nuclear industries. Thirty-plus years of technical advances, as well as plant modifications, are not reflected in the NUREG-1150 PRA models. In SECY-11-0089, Options for Proceeding with Future Level 3 Probabilistic Risk Assessment (PRA) Activities (Agencywide Documents and Management System [ADAMS] Accession No. ML11090A039), the staff proposed various options for proceeding with Level 3 PRA activities, including scope considerations beyond those covered in the NUREG-1150 studies (e.g., low power and shutdown conditions, as well as the risk from accidents involving multiple reactor units on site and spent nuclear fuel). In the staff requirements memorandum (SRM) (ADAMS Accession No. ML112640419) resulting from SECY-11-0089, the Commission approved a modified version of Option 3 to conduct a full-scope site Level 3 PRA.

The SRM also requested staff's plans for applying project results to the NRC's regulatory framework - these are documented in SECY-12-0123, "Update on Staff Plans to Apply the Full-Scope Site Level 3 PRA Project Results to the NRC's Regulatory Framework" (ADAMS Accession No. ML12202B171).

In addition, SRM-SECY-11-0172, Staff Requirements - SECY-11-0172 - Response to Staff Requirements Memorandum COMGEA-11-0001, Utilization of Expert Judgment in Regulatory Decision Making (ADAMS Accession No. ML120380251) directed staff to pilot draft expert elicitation guidance as part of the L3PRA project.

Objectives

As described in SECY-12-0123, the objectives of this study are:

Develop a Level 3 PRA, generally based on current state-of-practice methods, tools, and data,[4] that (1) reflects technical advances since the last NRC-sponsored Level 3 PRAs (NUREG-1150), which were completed more than 30 years ago, and (2) addresses scope considerations that were not previously considered (e.g., low power and shutdown (LPSD) risk, multi-unit risk, other radiological sources).

Extract new insights to enhance regulatory decision making and to help focus limited NRC resources on issues most directly related to the agency's mission to protect public health and safety.

Enhance PRA staff capability and expertise and improve documentation practices to make PRA information more accessible, retrievable, and understandable.

Demonstrate technical feasibility and evaluate the realistic cost of developing new Level 3 PRAs.

[4] State-of-practice methods, tools, and data refer to those that are routinely used by the NRC and industry or have acceptance in the PRA technical community.

Scope of the L3PRA Project

The scope of the L3PRA project includes all major site radiological sources (i.e., reactor, spent fuel pool [SFP], dry cask storage), both internal and external hazards, and all modes of plant operation. Fresh nuclear fuel, radiological waste, and minor radiological sources (e.g., calibration devices) are not included as part of the scope. In addition, deliberate malevolent acts (e.g., terrorism and sabotage) are excluded from the scope of this study.

This scope exceeds that of the NUREG-1150 studies in several areas. As described in SECY-11-0089, the NUREG-1150 studies did not assess accidents involving other radiological sources, such as SFPs, dry storage casks, and other units on site. Also, the NUREG-1150 studies only addressed at-power operation (though subsequent studies for two of the NUREG-1150 plants involved a limited analysis of low power and shutdown modes of operation) and only partially addressed external hazards.

The L3PRA project also incorporates advances made in PRA technology since the completion of the NUREG-1150 studies, as well as more recent changes in nuclear power plant operational performance and safety.[5]

The scope of the L3PRA project covers the technical elements associated with a full-scope site Level 3 PRA, as described in Section 3. There are several major components that comprise the scope of a PRA, as illustrated in Figure 1-1 and discussed below.

A PRA can be used to quantify the associated risk from a variety of sources at the nuclear power plant site. These sources can include the reactor core (or cores), the SFP(s), and dry cask storage. For the L3PRA project, all these sources of risk are evaluated.

A PRA can be used to quantify either the on-site or off-site consequences, or both. For the L3PRA project, the focus is on the off-site consequences (i.e., the consequences to the public and the environment).

A PRA can be used to quantify the risk from the reactor while the reactor is at power or in a low-power or shutdown condition. For the L3PRA project, the risk during all plant operating states (POSs) is evaluated. The risk from the SFP and dry cask storage is also evaluated for different plant operating stages.

A PRA can be used to quantify the risk presented by challenges from (1) internal hazards, which include internal events, internal floods, and internal fires; (2) external hazards, which include seismic events, external floods, external fires, and high winds; or (3) other hazards, which can include transportation, aircraft, or others. For the L3PRA project, all hazards are considered.

The PRA can quantify different levels of risk. The quantified risk can include the frequency of fuel damage (e.g., core damage for reactors), referred to as Level 1; the frequency of radionuclide releases to the environment and characterization of the radiological source terms, referred to as Level 2; or the estimation of various radiological health effects and economic consequence measures, referred to as Level 3. For the L3PRA project, Level 1, 2, and 3 analyses are performed.

[5] Note, certain plant features that have become more common in recent years, such as new reactor coolant pump seal designs and the implementation of FLEX equipment and strategies, are not included in the base case model for the L3PRA project, since they were not implemented at the reference plant by the project cutoff date (August 2012).

[Figure 1-1 PRA Scope Elements. Elements shown: hazards (internal events, internal floods, internal fires, seismic events, high winds, external floods, external fires, transportation, aircraft, others); risk levels (Level 1 fuel damage frequency, Level 2 radionuclide release frequency, Level 3 health effects analysis); sources (reactor core, spent fuel pool, dry cask storage); population (on-site, off-site); reactor states (at-power, low power, shutdown); SFP and DCS states (transfer, loading, storage)]

Figure 1-1 and the above discussion illustrate the scope for a risk evaluation by different sources; however, the risk for the L3PRA project has also been evaluated for the entire site. Therefore, the scope for this study is also an integration of site risk contributors.

Assumptions and Limitations

As is typical for modern PRAs, the following high-level boundary conditions are assumed for the study:

The plant is operating within its regulatory requirements.

The design, construction, and operation of the plant are adequate and satisfy the plant's established design, construction, and operation criteria.

Also, due to limitations in the state-of-practice and available data, plant aging effects are not modeled; that is, constant equipment failure rates are assumed.

The L3PRA project is intended to be as complete and realistic as is practical; however, the scope and level of realism were balanced against resource and schedule limitations. Therefore, not all aspects of the study necessarily received the same level of analytical rigor, which was a function of their relative risk significance, level of effort, and current PRA state-of-practice. In addition, examples of some PRA technical elements absent from the current study, but which are good candidates for further research to advance the PRA state-of-the-practice, include:

Aqueous transport and dispersion of radioactive materials

Effects of aging on structures, systems, and components (SSCs) reliability

Consequential (linked) multiple initiating events for a single unit (e.g., seismically induced fires and floods)

Digital instrumentation and control, including software

Other candidates for future research were identified as the study progressed. These candidates are identified in the various technical reports issued as part of the L3PRA project and are captured collectively in the summary NUREG report (NRC, 2024). As discussed in Section 3, the staff used the currently available suite of PRA standards (e.g., the American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS) PRA standard) and other NRC and industry guidance documents to guide many of the technical aspects of this study.

CAUTION:

As discussed above, while the L3PRA project is intended to be a state-of-practice study, due to limitations in time, resources, and plant information, some technical aspects of the study were subjected to simplifications or were not fully addressed. As such, inclusion of approaches in the L3PRA project documentation should not be viewed as an endorsement of these approaches for regulatory purposes.

2. SUMMARY OF PLANT AND SITE DESIGN

Site Characteristics

The reference site is in a sparsely populated part of the country, particularly within a 5-mile radius surrounding the site. The site topography consists of gently rolling hills with a soil composition of sand, clay, and clay marl. The reference site is located in a seismically active portion of the United States, with low to moderate intensity. The weather at the reference site is characterized by long, hot summers contrasted by mild spring, fall, and winter weather. Tornado risk is considered low. While hurricanes pose little risk to the site, they can produce strong winds and large rainfall in short durations.

Reactor Plant Design

The reference site has two operating units, each capable of producing on the order of 1,200 megawatts (MW) of electricity when online. Each unit, designed by the Westinghouse Corporation, is a four-loop pressurized-water reactor (PWR) and is housed in a large dry pre-stressed post-tensioned containment structure. Figure 2-1 provides a simplified schematic of the reactor and its associated systems.

The modeled systems include:

Emergency Core Cooling System (ECCS) (per Unit)

Four accumulators, one on each cold leg

High-pressure injection system with two trains and one centrifugal charging pump per train (normal charging pump is not part of ECCS)

Intermediate-pressure injection system with two trains and one safety injection pump per train

Low-pressure injection and recirculation system with two trains and one residual heat removal pump per train (high- and intermediate-pressure pumps piggy-back on low-pressure pumps for high-pressure recirculation)

Containment cooling unit system with four trains and two fan cooler units per train (can provide heat sink for recirculated water in lieu of the residual heat removal heat exchangers)

Steam Generator Heat Removal System (per Unit)

Main feedwater system (MFW)

Auxiliary feedwater (AFW) system with three trains; two with a motor-driven pump and one with a turbine-driven pump

Reactivity Control Systems (per Unit)

Reactor protection system

Chemical and volume control system (CVCS)

Key Support Systems (per Unit)

Two electrical divisions, each with a Class 1E diesel generator

Nuclear service cooling water (NSCW) system with two trains and three pumps and four cooling tower fans per train

Component cooling water (CCW) system with two trains and three pumps per train

Auxiliary component cooling water (ACCW) system with two trains and one pump per train

Instrument air (IA)

[Figure 2-1 Schematic of Major Systems. Legend: ACC - Accumulator; AFW - Auxiliary feedwater; CHG - Charging; CL - Cold leg; CS - Containment spray; CST - Condensate storage tank; FW - Feedwater; HL - Hot leg; MS - Main steam; MSIV - Main steam isolation valve; PZR - Pressurizer; RCP - Reactor coolant pump; RCS - Reactor coolant system; RHR - Residual heat removal; RWST - Refueling water storage tank; SG - Steam generator; SI - Safety injection]

Plant Systems

A brief description for each reactor system and structure modeled is provided below, which includes a discussion of the:

Purpose and function

Configuration

Actuation

Success criteria

Dependencies

Accumulator Injection System

The accumulators provide a means for the passive injection of borated water into the reactor vessel to preserve fuel integrity in the event of a loss-of-coolant accident (LOCA). Each of the four accumulators discharges through a separate line into a cold leg of the reactor coolant system (RCS). Each discharge line contains two check valves and one motor-operated valve (MOV) that is normally open with power removed at the motor control center (MCC). The MOVs receive a confirmatory safety injection (SI) signal to open. The accumulators contain borated water pressurized with a nitrogen blanket. The nitrogen pressure is used to propel the accumulator contents into the cold leg when RCS pressure drops below the accumulator pressure. A simplified schematic is shown in Figure 2-3 in Section 2.4.

High-Pressure Injection System

The high-pressure injection (HPI) system provides coolant injection during normal operations for makeup and in the event of a LOCA. The HPI takes a suction from the reactor water storage tank (RWST) and injects into the RCS cold legs. The HPI function essentially combines two separate systems: the charging system (two centrifugal charging pumps (CCPs)) and SI system (two SI pumps). When an SI signal is generated, all four pumps start and take suction from the RWST and provide flow to the RCS cold legs. An SI signal is generated by any of the following conditions:

High containment pressure

Low pressurizer pressure

Low pressure in any main steam line

Manual SI actuation

The two motor-driven CCPs are mechanically arranged in parallel flow paths. The CCPs are normally aligned to receive water from the volume control tank (VCT) through two remotely operated valves (HPI-A and HPI-B) installed in series. An SI signal will close these valves and open two parallel valves (HPI-C and HPI-D) to align the CCP suction to the RWST for the injection phase of operation. Valves HPI-E and HPI-F are used to isolate the HPI common discharge header during normal plant conditions. These normally closed valves receive an SI signal to open, thereby aligning the CCP discharge to the RCS cold legs. Simultaneously, the normal charging flow discharge valves (HPI-G and HPI-H) are closed by the SI signal, thereby assuring injection flow to the cold legs.

Associated with the CCPs are minimum flow recirculation lines to the seal water heat exchanger and back to the pumps' suction manifold. These minimum flow lines are provided to prevent pump deadheading and to permit pump testing during power operations. Each minimum flow bypass line contains an isolation valve (HPI-I or HPI-J) that closes automatically upon receipt of an SI signal. A third isolation valve (HPI-K) is provided in the common header downstream of the two individual pump minimum flow lines. These are referred to as the normal minimum flow lines. An alternate minimum flow line is provided for each pump to prevent pump deadheading should RCS pressure rise following isolation of the normal minimum flow lines. An isolation valve (HPI-L or HPI-M) in each of these lines opens upon receipt of an SI signal. Each of these alternate minimum flow lines contains a relief valve, with flow being discharged to the RWST.

There are two motor-driven SI pumps that provide intermediate pressure injection flow to the RCS cold (or hot) legs during accident conditions. These pumps are mechanically arranged in redundant flow paths. Associated with the SI system are isolation valves that must be positioned to initiate injection flow during an accident. The SI pumps are aligned to receive water from the RWST through a normally open MOV HPI-N and valves HPI-O and HPI-P, for the injection phase of operation.

Each of the SI pumps utilizes a minimum flow recirculation line to maintain a sufficient pump flow rate to prevent over-heating during accidents or until RCS pressure is below the shutoff pressure of the pumps. The pump minimum flow recirculation flows through normally open bypass valves HPI-Q (pump A) and HPI-R (pump B) and then through HPI-S back to the RWST.

Simplified schematics and associated dependency diagrams are shown in Figure 2-4, Figure 2-5, Figure 2-6, and Figure 2-7 in Section 2.4.

High-Pressure Recirculation System

The high-pressure recirculation (HPR) system provides coolant from the containment sump to the RCS cold legs. When the RWST contents have been reduced to the low-low level alarm set point either during HPI or feed and bleed, the suction of the HPI pumps (SI pumps or CCPs) must be switched to the containment sump. One of two RHR pumps is required to supply the fluid suction head to the SI pumps or the CCPs. The change from the injection phase to the cold leg recirculation phase is a manual/automatic process. When the water reaches the low-low level alarm point the RHR sump isolation valves HPR-A and HPR-B automatically open and the RHR pumps, the SI pumps, and the CCPs are sequentially shifted to the cold leg recirculation phase of operation. Operators are required to manually align the RHR pump discharge to the suction of the SI pumps or CCPs and isolate RWST from all three sets of pumps. The heat sink for the recirculation water is provided by either component cooling water (CCW) to one of two residual heat removal (RHR) heat exchangers (associated with a running RHR pump) or by four of eight containment cooling units (CCUs). A dependency diagram is shown in Figure 2-8 in Section 2.4.

Low-Pressure Injection System

The low-pressure injection (LPI) system provides coolant injection in the event of a LOCA. This function is accomplished by using the RHR system to provide a low-pressure, high-volume water source to the RCS by supplying water from the RWST. When an SI signal is generated, both RHR pumps start. While in standby mode, most of the RHR valves required for LPI are already open. The RWST suction valves LPI-A and LPI-B, the pump flow control valves LPI-C and LPI-D, and the pump discharge isolation valves LPI-E and LPI-F are open. The only RHR valves that receive an SI signal are the sump isolation valves, which open given a concurrent low-low RWST level signal. An SI signal is generated by any of the following conditions:

High containment pressure

Low pressurizer pressure

Low pressure in any main steam line

Manual SI actuation

Two RHR pumps are installed in parallel flow paths in the RHR system. To ensure that the RHR pumps do not overheat when the discharge line is closed or discharge is prevented by high RCS pressure, a minimum flow line from the downstream side of each RHR heat exchanger to the pump suction line is provided. A control valve located in each minimum flow line (LPI-G and LPI-H), which is controlled by the flow switch at the RHR pump discharge, opens to maintain an established minimum flow and closes when the RHR pump discharge flow exceeds an established maximum flow.

When the RCS pressure drops below the RHR pump shutoff head, water from the RWST is pumped into cold leg branch lines 1 and 2 by RHR pump A, and into cold leg branch lines 3 and 4 by RHR Pump B. The branch lines contain orifices that limit pump run out and equalize flow through the branch lines such that the amount of coolant leakage is minimized if one of the injection lines spills into the containment.

Train A and train B injection flow paths are cross-connected during the injection phase with Valves LPI-I and LPI-J open. Injection flow from the SI pumps discharges between the check valves in the branch lines leading to the cold legs. Flow control valves LPI-G and LPI-H automatically recirculate flow back to the suction of the respective RHR pump until injection flow increases above an established minimum flow rate. A dependency diagram is shown in Figure 2-9 in Section 2.4.

Low-Pressure Recirculation System

The low-pressure recirculation (LPR) system provides coolant from the containment sump to the RCS cold legs. When the RWST contents have been reduced to the low-low level alarm set-point during LPI, the suction for LPI must be switched to the containment sump. One of two RHR pumps is required to supply at least one intact cold leg. The change from the injection phase to the cold leg recirculation phase is a manual/automatic process. When the water level reaches the low-low level alarm point in the RWST, the RHR Sump Isolation Valves, LPI-A and LPI-B, automatically open and the RHR pumps (along with the SI pumps and CCPs) are sequentially shifted to the cold leg recirculation phase of operation. Operators are required to manually isolate the RWST from the RHR pumps. The heat sink for the recirculation water is provided either by CCW to the RHR heat exchanger associated with a running RHR pump, or by four of eight CCUs. A dependency diagram is shown in Figure 2-10 in Section 2.4.

Power-Operated Relief Valves

The power-operated relief valves (PORVs) provide protection against excessive pressure increases in the RCS, while minimizing the actuation of the safety valves. There are two PORVs (PR-A and PR-B) on the pressurizer. PORV PR-A is set to open at a slightly higher pressure than PORV PR-B as sensed by the pressurizer pressure instrumentation. These valves may also be opened by remote manual control. They close when pressure decreases below an established pressure. The PORVs are solenoid-operated and fail closed.

Each PORV has a normally open and remotely motor-operated isolation block valve (PR-C and PR-D) located upstream of the PORV that provides a positive shutoff capability should the PORV become inoperable. The PORVs and their associated block valves are interlocked by a pressurizer low-pressure interlock. Actuation of the interlock prevents the relief valves from opening and closes the block valves above an established setpoint. Manual control may override this interlock.

The pressurizer also has three spring-loaded, self-actuated, code safety valves (PR-E, PR-F, and PR-G) which operate to prevent RCS pressure from exceeding 110 percent of system design pressure.

If challenged during an initiating event, the PORV(s) should reclose if opened. If the PORV(s) fail to reclose, the associated block valve is designed to auto-close to isolate the relief path.

The pressurizer safety-relief valves (SRVs) are required to open only when the PORVs fail to open (except for anticipated transient without scram [ATWS] sequences). If the pressurizer SRVs are demanded to open, all SRVs should reclose after opening. If the PORV(s) or the SRVs stick open, a consequential small loss-of-coolant accident (SLOCA) occurs. A simplified schematic is shown in Figure 2-11 in Section 2.4.

Residual Heat Removal System

The RHR system provides decay heat removal to the reactor. During a SLOCA, steam generator tube rupture (SGTR), or consequential SLOCA (reactor coolant pump (RCP) seal failure or stuck-open PORV/SRV), the shutdown cooling mode of RHR may be utilized once RCS pressure and hot-leg temperatures have been lowered to satisfy RHR design entry conditions. Success requires one of two trains of RHR to operate and remove decay heat for 24 hours. In addition, at least three of eight CCUs need to be successfully running to prevent high containment pressure actuation of the containment spray system.[6] If six or more CCUs fail, the actuation of containment spray will cause the rapid depletion of RWST inventory, leaving insufficient time for operators to reach entry conditions for the shutdown cooling mode of RHR.

A simplified schematic and an associated dependency diagram are shown in Figure 2-12 and Figure 2-13, respectively, in Section 2.4.

Main Feedwater System

The main feedwater (MFW) system provides heat removal to the reactor. The MFW system consists of two turbine-driven MFW pumps, feedwater regulating valves, feedwater isolation valves, piping, and other supporting instrumentation. The system receives condensate from the condensate system and pumps the water to the steam generators (SGs). It also provides additional preheating of the water and regulates feedwater flow to the SGs.

Two identical turbine-driven MFW pumps are provided for normal plant operation. Each pump is designed to provide 50 percent of required MFW flow. From the MFW pump, the MFW flows either through the main feed pump recirculation valves or to the MFW pump discharge isolation valves. Feedwater flow to each SG is automatically controlled by the feedwater regulating valve (or its associated feedwater regulating valve bypass valve). The bypass valve is used during plant startup and up to approximately 15 percent power; the feedwater regulating valve is used above this power level.

MFW is automatically isolated on a low Tavg signal following a reactor trip by closing the MFW isolation valves, the bypass feedwater isolation valves, and the feedwater regulating and bypass valves. If auxiliary feedwater (AFW) fails, operators are instructed (via the loss of secondary heat sink emergency operating procedure) to restart MFW with the corresponding valve alignments. Operators must re-establish MFW flow to at least one SG from one of two MFW pumps (at least one condensate pump must be running to provide suction to the MFW pumps).

Steam removal from the SGs fed with MFW is required by either: (1) three turbine bypass valves (TBVs) or (2) an atmospheric relief valve (ARV) or one of five SRVs for two of four SGs.

Simplified schematics are shown in Figure 2-14, Figure 2-15, Figure 2-16, and Figure 2-17 in Section 2.4.

[6] During an SGTR, containment spray will not actuate; therefore, the CCUs are not required to operate to allow for sufficient time to reach entry conditions for shutdown cooling.

Auxiliary Feedwater System

The AFW provides decay heat removal to the reactor. The AFW system is designed to supply feedwater from the condensate storage tanks (CSTs) to the SGs whenever the reactor coolant temperature is above the minimum required temperature and the MFW system is not in operation (i.e., during startup, cooldown, or emergency conditions resulting in a loss of MFW).

The AFW system automatically provides feedwater for the removal of reactor core decay heat following a loss of MFW. Main feedwater may be lost due to a loss of offsite AC power, or a secondary-side piping or component failure. The AFW system prevents damage to the reactor core until the reactor coolant temperature is brought from a condition of full power to the condition at which the RHR system may be placed in operation. The AFW system supplies feedwater to the SGs at a flow rate sufficient to support normal low power transients such as startup, cooldown, and hot standby.

Each unit has two train-oriented motor-driven AFW pumps and one turbine-driven AFW pump that take suction from one of the two CSTs per unit. Either CST-1 or CST-2 can be used, but the pumps are normally aligned to CST-1 and only one CST is in service at a given time. Each motor-driven AFW pump is sized to supply the feedwater flow required for removal of 100 percent of the decay heat from the reactor. The turbine-driven pump is sized to supply up to twice the capacity of a motor-driven pump. The nominal success criterion for the AFW system is that one of two motor-driven AFW pumps or the turbine-driven AFW pump delivers an established minimum flow to at least two of four SGs. Steam removal from the SGs fed with AFW is required by either: (1) three TBVs or (2) an ARV or one of five SRVs for two of four SGs.[7]

The two motor-driven AFW pumps are automatically started by the reactor protection system (RPS), engineered safety features actuation system (ESFAS), ATWS mitigation system actuation circuitry (AMSAC), or MFW upon receipt of the following signals:

Two of four low-low level signals from any one SG (RPS)

Any SI signal (ESFAS)

Any loss of, or degraded, safety-related 4.16 kV AC bus voltage signal (ESFAS)

An AMSAC signal

A signal resulting from the trip of both MFW pumps[8]

The two motor-driven pumps can also be started from the main control board and the remote shutdown panels. The turbine-driven pump is automatically started by the RPS, ESFAS, or AMSAC upon receipt of the following signals:

Two of four low-low level signals from any two SGs (RPS)

Any loss of, or degraded, safety-related 4.16 kV AC bus voltage signal (ESFAS)

An AMSAC signal

[7] For SLOCA and SGTR initiating events, the success criterion for AFW flow and steam removal is 2 of 3 intact SGs.

[8] Due to the negligible effect on the results, this start signal was also not included in the L3PRA project Level 1 model.

The turbine-driven pump can also be started and controlled from the main control board and the remote turbine-driven pump AFW panel.[9] In addition, the MOVs in the steam supply line to the turbine can be operated from the main control board and the remote turbine-driven pump AFW panel. Simplified schematics and an associated dependency diagram are shown in Figure 2-18 and Figure 2-19, respectively, in Section 2.4.
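The AFW automatic-start votes and the nominal success criterion described above can be written out as Boolean logic; the following Python is an added example, not code from the NRC report or the L3PRA model. The class and function names, the pump labels, the reading of "three TBVs" as at least three open, the reading of the relief clause as an ARV or SRV available on at least two fed SGs, and all scenarios are assumptions constructed for illustration.

```python
"""AFW automatic-start voting and nominal success criterion (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class PlantSignals:
    # sg_low_low[i][j] is True when level channel j of steam generator i reads low-low.
    sg_low_low: List[List[bool]]
    si: bool = False                      # any SI signal (ESFAS)
    bus_undervoltage: bool = False        # loss of, or degraded, 4.16 kV AC bus voltage (ESFAS)
    amsac: bool = False                   # AMSAC signal
    both_mfw_pumps_tripped: bool = False  # trip of both MFW pumps


def levels(tripped_per_sg: List[int]) -> List[List[bool]]:
    """Build constructed channel readings: n tripped channels out of four per SG."""
    return [[ch < n for ch in range(4)] for n in tripped_per_sg]


def voted_sgs(sg_low_low: List[List[bool]]) -> int:
    """Number of SGs in which at least two of the four channels read low-low."""
    return sum(1 for channels in sg_low_low if sum(channels) >= 2)


def mdp_auto_start(s: PlantSignals) -> bool:
    """Motor-driven pumps: 2-of-4 low-low in any ONE SG, or any of the other listed signals."""
    return (voted_sgs(s.sg_low_low) >= 1 or s.si or s.bus_undervoltage
            or s.amsac or s.both_mfw_pumps_tripped)


def tdp_auto_start(s: PlantSignals) -> bool:
    """Turbine-driven pump: 2-of-4 low-low in any TWO SGs, or bus voltage, or AMSAC.
    An SI signal and an MFW pump trip are not on the turbine-driven pump's list."""
    return voted_sgs(s.sg_low_low) >= 2 or s.bus_undervoltage or s.amsac


def afw_success(pumps_delivering: Set[str], sgs_fed: Set[int],
                tbvs_open: int, sgs_with_relief: Set[int]) -> bool:
    """Nominal criterion: one pump delivers minimum flow to at least two of four SGs,
    with steam removal from the fed SGs.
    Assumed reading: >= 3 TBVs open, OR an ARV/SRV available on >= 2 of the fed SGs."""
    pump_ok = bool(pumps_delivering & {"MDP-A", "MDP-B", "TDP"})  # hypothetical labels
    flow_ok = len(sgs_fed) >= 2
    steam_ok = tbvs_open >= 3 or len(sgs_fed & sgs_with_relief) >= 2
    return pump_ok and flow_ok and steam_ok


# Constructed scenarios (not plant data): name -> signal state.
SCENARIOS: Dict[str, PlantSignals] = {
    "one channel low-low in every SG": PlantSignals(levels([1, 1, 1, 1])),
    "2-of-4 low-low in one SG": PlantSignals(levels([2, 0, 0, 0])),
    "2-of-4 low-low in two SGs": PlantSignals(levels([2, 3, 0, 0])),
    "SI signal only": PlantSignals(levels([0, 0, 0, 0]), si=True),
    "bus undervoltage only": PlantSignals(levels([0, 0, 0, 0]), bus_undervoltage=True),
}


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Return (motor-driven start, turbine-driven start) for each scenario."""
    return {name: (mdp_auto_start(s), tdp_auto_start(s)) for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (mdp, tdp) in evaluate().items():
        print(f"{name:35s} MDP start={mdp!s:5s} TDP start={tdp}")
```

The scenarios show where the two pump types diverge: a single SG voting low-low, or an SI signal alone, starts only the motor-driven pumps.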

Reactor Protection System

The reactor protection system (RPS) provides the trip function for shutting down the reactor.

The RPS automatically keeps the reactor operating within a safe region by shutting down the reactor whenever the limits of the region are approached. The safe operating region is defined by several considerations, such as mechanical/hydraulic limitations on equipment and heat transfer phenomena. Therefore, the RPS keeps surveillance on process variables that are directly related to equipment mechanical limitations, such as pressure and pressurizer water level (to prevent water discharge through safety valves and uncovering heaters), and also on variables that directly affect the heat transfer capability of the reactor (e.g., flow and reactor coolant temperatures). Other parameters used in the RPS are calculated from various process variables. In any event, whenever a direct process or calculated variable exceeds a set-point, the reactor will be shut down in order to protect against either gross damage to fuel cladding or loss of system integrity that could lead to release of radioactive fission products into the containment. The following systems make up the RPS:

Process instrumentation and control system

Nuclear instrumentation system

Solid-state logic protection system

Reactor trip switchgear

Manual actuation circuit

The RPS consists of sensors, which monitor various plant parameters when connected with analog circuitry consisting of two to four redundant channels, and of digital circuitry, consisting of two redundant logic trains, which receives inputs from the analog protection channels to complete the logic necessary to automatically open the reactor trip breakers (RTBs).

Either of the two trains, A or B, is capable of opening separate and independent RTBs, A and B, respectively. The two RTBs, in series, connect three-phase AC power from the rod drive motor-generator sets to the rod drive power cabinets. During plant power operation, a DC under-voltage coil on each RTB holds a trip plunger out against its spring, allowing the power to be available at the rod control power supply cabinets. For reactor trip, a loss of DC voltage to the under-voltage coil, as well as energization of the shunt trip coils, trips open the breaker.

When either RTB opens, power is interrupted to the rod drive power supply, and the control rods drop into the core. The control rods cannot be withdrawn until the RTBs are manually reset.

The RTBs cannot be reset until the abnormal condition that initiated the trip is corrected.

[9] The turbine-driven AFW pump can also be operated locally if DC power is unavailable; however, local operation is only credited in the Level 2 portion of the L3PRA project model.

Auxiliary Component Cooling Water System

The auxiliary component cooling water (ACCW) system provides cooling to auxiliary systems that handle reactor coolant. Each unit's ACCW system consists of two 100 percent-capacity ACCW heat exchangers, two 100 percent-capacity ACCW pumps, one ACCW surge tank, and associated piping, valves, and instrumentation. The ACCW heat exchangers are horizontal, shell and tube, single pass, counter-flow type heat exchangers. The ACCW pumps are motor-driven horizontal, centrifugal type pumps. Motor cooling is provided by an air to water heat exchanger supplied by the discharge of the ACCW pumps. Each ACCW pump is powered from a separate safety-related 4.16 kV AC bus.

The ACCW surge tank is a horizontal, cylindrical tank. The surge tank is connected to the main ACCW line on the suction side of the ACCW pumps; it functions to ensure that the system is kept filled and pump net positive suction head (NPSH) requirements are maintained. Makeup water is added to the surge tank as required from the demineralized makeup water system (normal source), the reactor makeup water system, or the component cooling water drain tank.

The ACCW system is designed so that the system can operate with either heat exchanger or pump in operation. The two ACCW heat exchangers are aligned in series and either will satisfy 100 percent of the ACCW cooling requirements. Each ACCW heat exchanger is in turn cooled by one NSCW train, one of which is always in service. Thus, ACCW cooling is available regardless of which NSCW train is in service. One ACCW pump is operated during normal operation. The second pump is in a standby mode of operation and is started upon low system pressure. These pumps are swapped in and out of service to equalize run times.

The ACCW system is essentially a closed loop system that circulates cooling water to the following components:

• Normal charging pump motor cooler
• Letdown heat exchanger, excess letdown heat exchanger, and seal water heat exchanger
• RCP motor area coolers, thermal barrier heat exchangers, and lube oil coolers
• Miscellaneous components such as sampling system coolers

A loss of a single train of ACCW will not cause a reactor trip and was not considered as a special initiating event. However, upon a total loss of ACCW to the RCPs (thermal barrier heat exchanger and motor area coolers), the RCPs must be shut down (and the reactor manually tripped) within 10 minutes or sooner if the following RCP temperature limits are exceeded:

• High RCP motor bearing temperature
• High stator winding temperature
• High seal water inlet temperature

Simplified schematics and an associated dependency diagram are shown in Figure 2-20, Figure 2-21, and Figure 2-22, respectively, in Section 2.4.

Instrument Air System

The instrument air (IA) system provides filtered, dry, oil-free air to be used as the motive force for operating pneumatic equipment throughout the plant. The plant is designed such that no plant equipment relies upon the compressed air system to perform its safety function and thus there is no safety design basis for the IA system. Although the IA system is not safety-related, proper operation of the plant is dependent on its availability. The key SSCs that instrument air supplies include the main steam isolation valves (MSIVs), main feedwater isolation valves (MFIVs), TBVs, and the CST makeup valve from the demineralizer water system.

Each unit has two rotary compressors and one reciprocating compressor (Unit 1 has two reciprocating air compressors, one dedicated to Unit 1 and the other a swing unit), each with its own support equipment (aftercooler/moisture separator, and air receiver). They are each equipped with safety trip instrumentation (high lube temperature, low cooling water pressure, and high air/coolant receiver temperature). The rotary compressors can be started remote-manually by a master control switch on the main control panel or can be set on AUTO for control by the local master controller. An emergency stop push button is located on each compressor. Compressor oil coolers are cooled by the turbine plant closed cooling water (TPCCW) system. The reciprocating compressors are two-stage piston compressors. Each compressor motor is designed to trip on high intercooler condensate level, high lube oil temperature, low oil pressure, high discharge air pressure, or high discharge air temperature.

There are two types of mechanical aftercooler/separators that remove both moisture and oil.

The aftercooler sections consist of a straight-through tube heat exchanger with air on the tube side and TPCCW system water on the shell side. The air receivers are pulsation-dampening chambers and provide no significant storage capacity. Contaminant filters (two stages) are located on each rotary compressor head between the moisture separator and the air receiver to ensure that any lubricant escaping the compressor does not enter the air header system. Each stage has a differential pressure switch to indicate a dirty filter by an indicating light on the filter.

The instrument air dryers are the regenerative, desiccant type that provides outlet air dried to a very low dew point temperature at a pressure sufficient to meet system demands. One of the two dryers can handle the expected instrument air system capacity without overflow. Overflow is indicated by a high differential pressure using inlet and outlet pressure gages or by a high-humidity alarm. If this occurs, both dryers are required to be in operation. A simplified schematic is shown in Figure 2-23 in Section 2.4.

Nuclear Service Cooling Water System

The nuclear service cooling water (NSCW) system provides cooling water to the containment cooling units (CCUs), CCW, ACCW, engineered safety features (ESF) pump coolers, standby diesel generator jacket water coolers, and other loads. The NSCW system is composed of two redundant, completely independent, full capacity flow trains comprised of cooling towers, pumps, piping, and valves. There are six train-oriented NSCW pumps per unit. Four of these pumps, two on each train, are running during normal operation. Two pumps, one on each train, are in standby during normal operation.¹⁰ The success of each NSCW train requires the operation of two of three pumps, though operator action (to strip loads) can be used to implement one pump operation.
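The NSCW success criteria above (two of three pumps per train, or one pump after operator load stripping, with two redundant full-capacity trains) can be turned into minimal cut sets by enumeration. The following Python sketch is an added example, not part of the NRC report or the L3PRA model; the pump labels A1-A3 and B1-B3, the assumption of independent pump failures, and the per-pump failure probability are constructed for illustration.

```python
from itertools import combinations

# Hypothetical pump labels: three pumps per train, as the text describes.
# Which plant pump numbers belong to which train is not assumed here.
TRAINS = {"A": ("A1", "A2", "A3"), "B": ("B1", "B2", "B3")}
ALL_PUMPS = tuple(p for pumps in TRAINS.values() for p in pumps)


def train_ok(train, failed, pumps_required=2):
    """A train succeeds when at least `pumps_required` of its pumps work."""
    working = sum(1 for p in TRAINS[train] if p not in failed)
    return working >= pumps_required


def system_ok(failed, pumps_required=2):
    """The trains are redundant and full capacity, so one good train suffices."""
    return any(train_ok(t, failed, pumps_required) for t in TRAINS)


def minimal_cut_sets(pumps_required=2):
    """Return the smallest sets of failed pumps that fail both trains."""
    cut_sets = []
    # Candidates are visited by increasing size, so any failing set that
    # contains an already recorded cut set is non-minimal and is skipped.
    for size in range(1, len(ALL_PUMPS) + 1):
        for combo in combinations(ALL_PUMPS, size):
            failed = frozenset(combo)
            if system_ok(failed, pumps_required):
                continue
            if any(cs <= failed for cs in cut_sets):
                continue
            cut_sets.append(failed)
    return cut_sets


def rare_event_estimate(cut_sets, q):
    """Sum of cut set probabilities, with independent failure probability q."""
    return sum(q ** len(cs) for cs in cut_sets)


def exact_failure_probability(q, pumps_required=2):
    """Exact system failure probability by summing over all pump states."""
    n = len(ALL_PUMPS)
    total = 0.0
    for size in range(n + 1):
        for combo in combinations(ALL_PUMPS, size):
            if not system_ok(frozenset(combo), pumps_required):
                total += q ** size * (1 - q) ** (n - size)
    return total


if __name__ == "__main__":
    # Constructed per-pump failure probability, not a plant value. Pump
    # failures are treated as independent, and the test/maintenance
    # unavailability in the report's fault trees is left out.
    Q = 0.1
    for required in (2, 1):
        cuts = minimal_cut_sets(required)
        print(f"{required} pump(s) required per train: {len(cuts)} minimal cut sets")
        for cs in cuts:
            print("   ", sorted(cs))
        print("    rare-event estimate:", rare_event_estimate(cuts, Q))
        print("    exact probability:  ", exact_failure_probability(Q, required))
```

With the two-of-three criterion, every minimal cut set pairs two failed pumps in one train with two in the other; crediting one-pump operation leaves a single cut set containing all six pumps.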

The NSCW pumps take suction from the train-oriented cooling tower basins. The water level in the cooling tower basins is automatically maintained by the NSCW cooling tower makeup pumps, which take suction from the well water storage tank. The well water storage tank is automatically replenished by the well water pumps, which take suction from underground wells.

The combined capacity of the cooling water basins can provide cooling water under the worst-case heat load (design basis accident with loss of offsite power (LOOP) and power supplied by the emergency diesel generators (EDGs)) for nearly a month without makeup. As such, use of the cooling tower makeup pumps is outside of the PRA mission time; therefore, they are not modeled in the L3PRA project Level 1 model.

10 The L3PRA project Level 1 model assumes that pumps 1-4 are running with pumps 5 and 6 in standby. Therefore, the test/maintenance for pumps 1-4 are not included in the applicable NSCW fault trees. In addition to the test/maintenance events for the standby pumps, the applicable NSCW fault trees also include the potential that all three NSCW pumps for a single train are unavailable due to test/maintenance.

Each NSCW train has an associated transfer pump in the opposite train basin. These transfer pumps serve to support long-term accident response by transferring additional water volume to an available NSCW train in the event of the unavailability of the other train. Since the use of the transfer pumps is outside of the mission time, they are not modeled in the PRA.

The NSCW cooling towers are the ultimate heat sinks for the plant. After removing heat from the components that it serves, NSCW combines in a common train-oriented return header that has a return valve that operates in conjunction with a tower bypass valve for temperature control of the NSCW system. The cooling towers are not needed in cold weather conditions. When the return header temperature falls below an established temperature, the bypass valve will automatically open and the return valve will close. When the bypass valve is open, the tower is completely bypassed and the return water goes directly into the cooling tower basin. Bypassing the cooling tower raises the temperature of the NSCW system. When the return header temperature increases above an established temperature, the return isolation valve opens and the bypass valve closes and the normal flow path through the cooling tower is re-established.

Each train-oriented NSCW cooling tower has four fans, each of which automatically starts at a different NSCW return water temperature. One fan in each train-oriented tower is cycled on and off with return valve position.¹¹ When the tower is bypassed as described above the fans are not needed. The other three fans are cycled according to the NSCW return header temperature. As temperature decreases the fans that start at higher temperatures automatically stop.

The following components are served by the NSCW system:

• CCW motor coolers
• CCP oil coolers and motor coolers
• SI pump oil coolers and motor coolers
• Containment spray pump motor coolers
• RHR pump motor coolers
• ESF chiller condensers
• CCUs
• Reactor cavity cooling coils
• Containment auxiliary air coolers
• EDG jacket water coolers
• Control building, auxiliary building, and diesel building seismic fire hose stations
• CCW heat exchangers
• ACCW heat exchangers
• Piping penetration area coolers

11 The L3PRA project Level 1 model assumes that fan 1 is running in each NSCW cooling tower with the other fans in standby. Therefore, the test/maintenance for fan 1 is not included in the applicable NSCW fault trees. Note that the applicable NSCW fault trees also include the potential that all four NSCW fans are unavailable due to test/maintenance.

Simplified schematics and an associated dependency diagram are shown in Figure 2-24, Figure 2-25, and Figure 2-26 in Section 2.4.

AC Electric Power

The AC electric power system provides reliable power for control and operation of plant systems and components. It is comprised of 120V, 480V, and 4.16kV AC distribution systems.

The 120V AC distribution system provides instrument and control power for the RPS, ESF system controls and indication, and the process instrumentation/control system. Four independent safety-related 120V AC power supplies are provided to supply the four channels of the protection systems and reactor control systems. Each safety-related instrument AC power supply consists of an inverter and a distribution panel. Trains A and B are provided with two inverters and two distribution panels (AC-A, AC-B, AC-C, and AC-D). Each distribution panel has two incoming breakers that are interlocked so that only one breaker can be closed at a time.

The normally closed breaker is the inverter supply. The normally open breaker is the backup supply from a 480/120V regulated transformer. Normally, the inverter is operating to supply the safety-related AC bus. Each inverter is supplied by the 125V DC system. If an inverter is inoperable or is to be removed from service, the safety-related AC bus can be supplied from the backup supply (480/120V regulated transformer) associated with the same load group by the operator repositioning the distribution panel input breakers.

The loss of a single safety-related 120V AC panel will require the operators to perform a controlled manual shutdown if it cannot be reenergized within 2 hours. Manual shutdowns of this nature are not included in the L3PRA project Level 1 model.¹² Loss of two safety-related 120V AC panels will cause a reactor trip due to the loss of two of four solid-state protection system (SSPS) channels. The most severe initiating event occurs if the panels AC-A and AC-C fail because all ESFAS slave relays are lost.

The 480V AC power system functions to distribute electrical power to the safety-related and non-safety-related 480V loads. These loads consist of valve motor operators and other motors rated less than 200 hp. The 480V AC power system also supplies power to the 125V DC systems through battery chargers, and to the 120V instrument AC power systems through regulated transformers. The 480V AC power system is divided into safety-related and non-safety-related systems. All of the safety-related 480V AC buses and two of the non-safety-related 480V AC buses (AC-E and AC-F) receive power from the safety-related 4.16kV AC buses.

There are two divisions of safety-related 480V AC buses, with three buses in each division.

There are 12 Class 1E safety-related 480V MCCs. The two non-safety-related 480V AC buses will automatically disconnect from the safety-related system on under-voltage (i.e., LOOP) or SI.

They will sequence back on during a LOOP event; during an SI event they can be manually reconnected to the safety-related 4.16kV AC buses under administrative procedure.

The important loads fed from these safety-related 480V AC buses include the EDG starting air compressors, the pressurizer heater panels, the containment building cavity cooling fans, and the main turbine turning gear (transfer switch).

There are thirteen 4.16kV AC buses at the plant (i.e., between both units) that receive power from both the unit auxiliary transformers (UATs) and reserve auxiliary transformers (RATs). The 4.16kV buses are further divided into two safety-related buses per unit, and nine non-safety-related buses that distribute power to safety-related and non-safety-related loads throughout the plant. During operation, the non-safety-related 4.16kV AC system can be supplied from the RAT or the UAT.

12 Events that lead to the need for operators to initiate a manual reactor trip (as opposed to a controlled manual shutdown), such as a loss of ACCW or NSCW, are included in the L3PRA project Level 1 model.

Normally, the UATs supply the non-safety-related system loads, and the RATs supply the safety-related buses. The safety-related electrical systems are laid out for maximum physical and electrical separation to increase system reliability and to ensure that no single credible accident will cause a loss of more than one safety-related power source. The safety-related 4.16kV AC electrical system is totally redundant so that if a complete loss of one safety-related electrical division occurs, the remaining division will supply all redundant safety-related equipment to ensure safe reactor shutdown and decay heat removal.

Each safety-related 4.16kV AC bus is equipped with feeder breakers from the RAT and the EDGs; no connections exist between units for the safety-related buses. Upon a loss of voltage on the safety-related 4.16kV buses, each bus will shed its loads, and the RAT feeder breakers to the safety-related buses will trip (open). Under-voltage on the safety-related 4.16kV AC buses will automatically start the train-associated EDG and close its output breaker to re-energize the bus. After the bus has been re-energized, the safety-related loads will be sequenced onto the buses by the safeguards sequencer. A simplified schematic and an associated dependency diagram are shown in Figure 2-27 and Figure 2-28, respectively, in Section 2.4.

There is also one standby auxiliary transformer (SAT) that receives power from a local substation. The SAT reduces the incoming 13.8kV voltage from the substation to 4.16kV for distribution to a Class 1E safety-related bus when its associated RAT is out of service. The SAT is only sized to provide power to one safety-related 4.16kV AC bus on one unit.

125V DC Electric Power

The 125V DC power system provides DC power to start various equipment, open/close circuit breakers, and control/operate various valves. There are four safety-related 125V DC systems per unit (A, B, C, and D). Each system has a lead-calcium battery, switchgear, two redundant battery chargers, two inverters, and 125V DC distribution panels (molded case circuit breakers).

Systems A, B, and C each have a 125V DC motor control center for MOVs. There is no capability to connect the four DC systems between themselves, between Units 1 and 2, or between the safety-related and non-safety-related systems.

The safety-related 125V DC systems A, B, C, and D supply DC power to channels 1, 2, 3, and 4, respectively, and are designated as Class 1E equipment. They are designed so that no single failure in any 125V DC system will result in conditions that will prevent the safe shutdown of the reactor plant. All the components of the safety-related 125V DC systems are housed in Category 1 structures.

The safety-related batteries have sufficient capacity to supply the required loads for 4 hours in an SBO following shedding of non-essential loads.¹³ Each safety-related 125V DC battery is provided with two battery chargers, each of which is sized to supply the continuous (long-term) demand on its associated DC system while providing sufficient power to replace 110 percent of the equivalent ampere-hours removed from the battery during a design basis battery discharge cycle within a 12-hour period after charger input power is restored. A single battery charger can handle the loads if the battery and the other battery charger are unavailable.

13 In the L3PRA project Level 1 model, the time available for AC power recovery is limited by the 2-hour depletion time of the nonsafety-related turbine building batteries. Therefore, it is assumed that operator action is not required to shed non-essential loads from the safety-related batteries.

Each 125V DC MCC supplies power to safety-related MOVs. The safety-related 125V DC distribution panels supply power for ESF control, switching, and field flashing for the EDGs. The safety-related 125V DC bus CD1 provides all power required for successful operation of the turbine-driven AFW pump, except for the SG-to-AFW turbine MOVs (redundant valves), which are provided power from the DC system A and B MCCs.

The loss of safety-related 125V DC bus AD1 or BD1 causes a main steam line and MFW line isolation; therefore, they are modeled as special initiating events. The loss of safety-related DC bus CD1 or DD1 does not lead to a reactor trip; therefore, they are not included as special initiating events. A simplified schematic is shown in Figure 2-29 in Section 2.4.

Component Cooling Water System

The component cooling water system (CCW) provides cooling to auxiliary systems that handle reactor coolant, thus providing an additional barrier between the RCS and NSCW. The CCW consists of three pumps, each with a 50 percent capacity, as well as heat exchangers, surge tank, chemical addition tank, and associated valves and piping. Only one train is required during normal operations. Each CCW train provides cooling to the SFP heat exchanger, RHR heat exchanger, and the RHR seal cooler. A simplified schematic and an associated dependency diagram are shown in Figure 2-30 and Figure 2-31, respectively, in Section 2.4.

Circulating Water System

The circulating water system provides heat removal for the main condenser and turbine plant cooling water system (TPCW) components. Being an open system, the circulating water system removes heat from the condenser and then is circulated through a natural draft cooling tower.

The system is comprised of the circulating water pumps, condenser, cooling tower, and associated valves and piping. A simplified schematic is shown in Figure 2-32 in Section 2.4.

Turbine Plant Closed Cooling Water System

The turbine plant closed cooling water system (TPCCW) provides chemically treated demineralized water to non-nuclear components to the TPCW. The system consists of pumps, heat exchangers, surge tank, and piping. It cools many systems including: electro-hydraulic control (EHC) coolers, heater drain pump, motor bearings, lube oil coolers and stuffing box, condensate pump motor bearings and lube oil coolers, steam jet air ejector condensate sample cooler, sample cooler rack A and B, sample system chiller, auxiliary steam drain sample cooler, reciprocating air compressor 3 and 4, rotary air compressor 1 and 2, and radiation element sample cooler. A simplified schematic is shown in Figure 2-33 in Section 2.4.

Turbine Plant Cooling Water System

The turbine plant cooling water system (TPCW) provides heat removal for the plant auxiliaries and some components from the control and auxiliary buildings. It cools the TPCCW that is used for secondary side equipment that requires chemically treated demineralized water. TPCW consists of pumps, heat exchangers, and piping. TPCW is in turn cooled by the circulating water system intake, and once it has removed heat from its components, is sent through the cooling tower. A simplified schematic is shown in Figure 2-34 in Section 2.4.

Containment Structure

The containment provides robust barrier protection to the release of radioactive materials in the event of a LOCA or main steam line break (MSLB) design basis accident. The containment is a right-cylinder with a dome top. Containing the reactor and RCS, the structure is a pre-stressed, post-tensioned, concrete structure. A vent stack runs along the containment structure and terminates above the containment dome.

Containment Cooling Unit System

The containment cooling units (CCUs) provide cooling and pressure control of the containment structure in the event of a design basis LOCA or MSLB. The system consists of eight CCUs that each provide 25 percent capacity fan cooler units and maintain the temperature at or below an established high temperature limit during normal plant operations. The fan cooler units discard heat to the NSCW. A simplified schematic and an associated dependency diagram are shown in Figure 2-35 and Figure 2-36, respectively, in Section 2.4.

Containment Isolation System

The containment isolation system (CIS) provides containment isolation and reduces the amount of fission products released during a design basis LOCA, steam line break, or fuel handling accident. The system consists of containment penetrations and valves that close upon an actuation signal. These valve positions are indicated in the control room and can be re-positioned following the initial actuation. The containment purge isolation system detects radiation levels and is isolated by the containment ventilation isolation signal. This signal is generated from a data processing module that collects input from gaseous, particulate, and iodine radiation monitors in containment.

Containment Spray System

The containment spray system (CSS) provides cooling and pressure control of the containment structure in the event of a design basis LOCA or MSLB. The system is comprised of two independent, full capacity systems containing a pump, three spray ring headers with nozzle assemblies, and the associated valves and piping. The CSS is supplied borated water from the RWST. In the event of fuel damage and release to containment, Tri-Sodium Phosphate (TSP) is used in the containment sump to maintain the pH of the fluid to keep iodine in solution.

Reactor Schematics and Dependency Diagrams

The various schematics and dependency diagrams for the systems described in Section 2.4 are below. Figure 2-2 provides a description of the symbols used.

Figure 2-2 One-Line Diagram and Dependency Diagram Key [key not reproduced; it includes the AND and OR logic symbols]

Figure 2-3 Accumulator System [schematic not reproduced]

Figure 2-4 Charging System [schematic not reproduced]

Figure 2-5 Safety Injection (SI) System [schematic not reproduced]

Figure 2-6 HPI Dependency Diagram [diagram not reproduced. Labels: High Pressure Injection (SI-A, SI-B, CCP-A, CCP-B); 4160V AC ESF Buses, 125V DC Buses, NSCW, ESFAS (A and B). Note: N/M gate (required to fail HPI); SLOCA: 4/4, MLOCA: 3/4]

Figure 2-7 Normal Charging Dependency Diagram [diagram not reproduced. Labels: Normal Charging Pump, PDP; 4160V AC non-safety; ACCW HX 1 and 2]

Figure 2-8 HPR Dependency Diagram [diagram not reproduced. Labels: High Pressure Recirculation (CCP-A, CCP-B, SI-A, SI-B, LPR-A, LPR-B); 4160V AC ESF Buses, 125V DC Buses, NSCW, ESFAS, CCW (A and B). Note: N/M gate (required to fail HPI); SLOCA: 4/4, MLOCA: 3/4]

Figure 2-9 LPI Dependency Diagram [diagram not reproduced. Labels: Low Pressure Injection (A and B); 4160V AC ESF Buses, 125V DC Buses, NSCW, ESFAS (A and B)]

Figure 2-10 LPR Dependency Diagram [diagram not reproduced. Labels: Low Pressure Recirculation (A and B); 4160V AC ESF Buses, 125V DC Buses, NSCW, ESFAS, CCW* (A and B). Note: If CCW unavailable, 4 of 8 CCUs will meet the success criteria]

Figure 2-11 Pressurizer Pressure Relief System [schematic not reproduced]

Figure 2-12 Residual Heat Removal (RHR) System

Figure 2-13 RHR Dependency Diagram [diagram not reproduced. Labels: Residual Heat Removal (A and B); 4160V AC ESF Buses, 125V DC Buses, NSCW, ESFAS (A and B). Note: During SLOCA, at least 3 of 8 CCUs are required to prevent containment spray actuation that would cause faster RWST depletion resulting in reaching recirculation requirements prior to entering conditions for shutdown RHR cooling]

Figure 2-14 Main Feedwater (MFW) System [schematic not reproduced]

Figure 2-15 Condensate System [schematic not reproduced]

Figure 2-16 Main Steam System-Steam Generator Atmospheric Dump and Safety Valves [schematic not reproduced]

Figure 2-17 Main Steam System-Turbine Bypass Valves [schematic not reproduced]

Figure 2-18 Auxiliary Feedwater (AFW) System [schematic not reproduced]

Figure 2-19 AFW Dependency Diagram [diagram not reproduced. Labels: Auxiliary Feedwater System (TDP, MDP A, MDP B); 4160V AC ESF Buses, 125V DC Buses, ESFAS. General note: Failure of ESFAS signal prevents auto start of applicable pump. Depending on location of failure, operator may or may not be able to initiate pump start signal]

Figure 2-20 Auxiliary Component Cooling Water (ACCW) System (Sheet 1) [schematic not reproduced]

Figure 2-21 ACCW System (Sheet 2) [schematic not reproduced]

Figure 2-22 ACCW Dependency Diagram [diagram not reproduced. Labels: Auxiliary Component Cooling Water (001, 002); 4160V AC ESF Buses, 125V DC Buses, NSCW, ESFAS (A and B)]

Figure 2-23 Instrument Air System [schematic not reproduced]

Figure 2-24 Nuclear Service Cooling Water (NSCW) System (Train A) [schematic not reproduced]

Figure 2-25 NSCW System (Train B) [schematic not reproduced]

Figure 2-26 NSCW Dependency Diagram [diagram not reproduced. Labels: Nuclear Service Cooling Water (001, 002, 003, 004, 005, 006); 4160V AC ESF Buses, 125V DC Buses, ESFAS (A and B)]

Figure 2-27 Electrical Distribution System-Offsite Power and Safety Related 4.16kV and 480V AC

Figure 2-28 EDG Dependency Diagram

Figure 2-29 Electrical Distribution System-Safety Related 125V DC and 120V AC

Figure 2-30 Component Cooling Water (CCW) System

Figure 2-31 CCW Dependency Diagram

Figure 2-32 Circulating Water System

Figure 2-33 Turbine Plant Closed Cooling Water (TPCCW) System

Figure 2-34 Turbine Plant Cooling Water (TPCW) System

Figure 2-35 Containment Cooling Unit (CCU) System

Figure 2-36 CCU Dependency Diagram

Spent Fuel Pool Storage System Overview

Constructed with reinforced concrete and clad with stainless steel, the SFPs are in the fuel handling building (FHB) and are Seismic Category I structures (see Figure 2-37). The FHB is designed to remain intact through potential external events such as a tornado, hurricane, flood, earthquake, and external missiles. The SFP itself is also designed to remain intact following a safe shutdown earthquake, fire, internal missile, and potential pipe whip.

Each unit has its own SFP; however, the cask loading area and washdown area are shared. The SFP provides storage of irradiated and new fuel, contained in spent fuel racks. The boron concentration, spent fuel spacing, and spent fuel racks maintain a sub-critical configuration of the SFP.

Each SFP connects to a fuel transfer canal, which in turn connects to a refueling cavity inside containment through a fuel transfer tube. All fuel handling maneuvers occur under a minimum water depth to provide adequate safety to the workers. Additionally, the SFPs can access the cask loading pit and cask washdown area, used to decontaminate casks before departure from the site. The backup water supply to the SFPs is the Seismic Category I RWST, with the water being pumped or gravity-fed. There are two area radiation monitors in the FHB, with alarms at two different settings to alert plant personnel in the event of deteriorating radiological conditions.

Figure 2-37 Spent Fuel Pool Side View

The site has two SFPs, one for Unit 1 and one for Unit 2, that are hydraulically connected through the cask loading pit (see Figure 2-38). The cask loading pit is connected to the SFPs via a set of two small canals, one for each SFP. These canals have gates that are normally open but can be isolated from the SFPs via a gate sealed by air-inflatable seals. Spent fuel handling and loading of a transfer cask is performed underwater, using the SFP bridge crane and/or manual extension tools. The cask loading pit is isolated from the SFPs during cask loadings while the transfer cask is being lowered or raised, or during maintenance activities.

Cask handling over the SFP or the new fuel pit is prevented by interlocks and physical limitations to the spent fuel cask bridge crane (i.e., overhead crane) travel.

Figure 2-38 Unit 1 & 2 Fuel Handling Layout

Understanding the refueling process is necessary for analyzing potential fuel handling accidents. During defueling operations, one fuel assembly is removed from the core at a time via the refueling machine. The refueling machine is a bridge crane that has a vertical mast used to withdraw and insert fuel from the core and upender. The crane then traverses from the reactor vessel through the refueling cavity to the upender. The upender takes the fuel from a vertical position to a horizontal position, through the transfer tube into the transfer canal, and then back to the vertical position. Next, operators on the SFP bridge crane use the spent fuel handling tool, a device that latches onto the fuel assembly to move the assembly to a predetermined location in the spent fuel racks. This process is repeated until the entire core is offloaded to the SFP, and it is reversed to reload the core. All fuel handling maneuvers occur underwater to provide adequate radiation protection for the workers.

Spent Fuel Pool Cranes

Fuel Handling Machine

Only one fuel handling machine (i.e., the SFP bridge crane) is used to move fuel assemblies within the SFP of Units 1 and 2. The fuel handling machine is a wheeled walkway spanning the SFP that traverses on a set of tracks, depicted in Figure 2-39.

Figure 2-39 Fuel Handling Machine

Spent Fuel Cask Bridge Crane

The spent fuel cask bridge crane, pictured in Figure 2-40, is primarily used for transporting new fuel containers, spent fuel casks, and other large equipment through the auxiliary building. By design, the crane is incapable of traversing over the SFP with heavy loads, eliminating the risk of a heavy load drop into the SFP.

Figure 2-40 Spent Fuel Cask Bridge Crane

For dry cask storage (DCS) operations, this crane is used for lifts and in-building transport of the transfer cask. The typical spent fuel cask lifts performed by the crane are transfer cask movements from the low-profile transporter to the cask loading pit, cask loading pit to the cask washdown area, cask washdown area to the low-profile transporter, and placement of the multi-purpose canister (MPC) lid at the cask loading pit. For lifts involving the transfer cask, the bridge crane uses a lift bracket attachment.

The spent fuel cask bridge crane has safety circuits installed on the machine, such as over-travel limit switches, stop push buttons, and interlocks. These circuits are hard-wired in series to the master control relay so that when any one device opens, the master control relay is de-energized, thereby removing power to the machine. This safety circuit limits travel inside and outside a predefined restricted area.

Spent Fuel Pool Cooling and Purification System

The SFP cooling and purification system (SFPCPS), a Seismic Category I system, removes decay heat produced from the SFP by pumping the hot SFP water through a heat exchanger and then returning it to the pool. In addition to the cooling aspect, the SFPCPS also purifies the SFP, transfer canal, and refueling water. After the heat exchangers, water can be directed to mixed bed demineralizers and filters. Surface skimmers also aid in the SFP purification process.

The boron concentration of the SFP is maintained at a fixed value. The SFPCPS has three sources of makeup water. Figure 2-41 is a schematic of the SFPCPS.

Figure 2-41 Spent Fuel Pool Cooling & Purification System

As with the RCS, SFPCPS valves and piping in contact with the SFP water are made of austenitic stainless steel or a comparable corrosion-resistant material. Major SFPCPS components are summarized in Table 2-1.

Table 2-1 SFPCPS Components

| System Component | Description |
| SFP pumps | Transfer SFP water through heat exchangers and used to transfer and clean transfer canal water |
| SFP skimmer pump | Transfers water through two skimmer strainers and through a filter, and then to the pool |
| SFP heat exchangers | Shell and U-tube type heat exchangers used to cool the SFP water with the CCW system |
| SFP demineralizer | Helps remove particles, maintaining visual clarity |
| SFP cartridge filter | Removes insoluble particles, increasing visibility |
| SFP skimmer filter | Removes small insoluble particles |
| SFP strainers | Remove larger particles that could cause plugging in SFP demineralizers or damage to the SFP pumps |
| SFP skimmer/strainers | Remove debris and recirculate water from SFP surface |

Although the SFPCPS is not directly linked to any one plant operating state, it is relied upon most during refueling outages.

To mitigate against a total loss of water in the SFP, the SFPCPS has a number of design features to limit water loss during various accidents. The following help protect the SFP water inventory:

SFP cooling pump suctions are near the top of the SFP, near the normal level, to prevent gravity draining of the SFP

Antisiphon holes are used on all return lines to prevent gravity draining

Skimmers and strainers are positioned near the nominal water level to limit movement in the vertical plane

Makeup to the SFP is provided by the reactor makeup water storage tank, demineralized water storage tank, and the recycle holdup tanks. Leak detection is provided at all liner welds.

Fuel Handling Building Heating, Ventilation, and Air Conditioning System

The FHB contains the Unit 1 and 2 SFPs and the cask loading pit (the cask washdown area is located in the auxiliary building, but in an area that is connected to the air space of the FHB).

The FHB is designed as a Seismic Category I, reinforced concrete structure. The FHB heating, ventilation, and air conditioning (HVAC) system is divided into the FHB normal HVAC system and the FHB post-accident exhaust system. In case of a radiological release to the cavity of the FHB, the post-accident exhaust system filters radionuclides prior to discharge to the exhaust stack.

The FHB normal HVAC system provides the FHB (shared between Units 1 and 2) with ventilation and filtration and maintains a suitable atmosphere for personnel and equipment during normal operation. The boundaries of the normal HVAC system extend from the outside air intake through the normal air-conditioning units to the supply air distribution ductwork. The boundaries also extend from the exhaust air ductwork to the FHB normal exhaust units and to the post-accident filter units' supply ductwork up to, but not including, the isolation dampers, and from the FHB normal exhaust filters to the exhaust ductwork system of the FHB post-accident exhaust system. The normal HVAC system has no safety function. Double isolation valves in the supply and exhaust ducts are required for faulted conditions to support the operation of the FHB post-accident exhaust system. The normal HVAC system does not operate during accident conditions and is not designed to withstand seismic loading except within the vicinity of safety equipment. The normal exhaust units are draw-through type with carbon absorber, moisture separator, high-efficiency particulate air (HEPA) filters, and electric heating coils for moisture removal.

The FHB normal HVAC system is not essential for post-accident operation but may be used to provide additional post-accident air cleanup of potentially radioactive contaminants in the FHB.

The post-accident exhaust system is operated to maintain the building at a negative pressure while the FHB normal HVAC system is de-energized. The FHB normal HVAC system may be energized to collect FHB air and process it through the filters. The discharge of the FHB normal HVAC system is ducted back to the fuel pool area for recirculation.

The FHB post-accident exhaust system's primary function is to filter and exhaust air to maintain a negative pressure in the building following a fuel handling accident and to prevent the release of unfiltered airborne activity to the environment. The system has no normal function during LOOP, normal plant operation, and plant shutdown. The boundaries of the FHB post-accident exhaust system extend from the filter units' supply-side isolation valves to the filter units and to the exhaust stack. The boundaries also include the ductwork and isolation valves connecting the FHB normal exhaust system discharge to the exhaust stack.

Following a postulated fuel handling accident that releases radioactivity, the FHB normal HVAC system is isolated and the FHB post-accident exhaust system starts automatically. The isolation valve located at the FHB boundary provides isolation in the event of high radiation levels sensed by radiation monitors at the discharge and in the FHB space. The isolation valves are integrated with the FHB isolation system. The FHB post-accident exhaust system consists of two 100-percent-redundant filter units. Each unit includes a fan, moisture eliminator, electric heater, HEPA filters, and carbon absorber. The system can be automatically actuated by the FHB isolation signal or may be started manually. The FHB post-accident exhaust system has redundant full-capacity flow trains.

The FHB post-accident exhaust system is composed of the following equipment:

Two pairs of pneumatic valves isolating the outside air intake supply side of the FHB HVAC system

One pair of pneumatic valves isolating the upstream FHB normal exhaust Unit 1 (train A) and 2 (train B)

One pair of pneumatic valves isolating the downstream FHB normal exhaust Unit 1 (train A) and 2 (train B)

One pneumatic valve isolating the upstream post-accident filter Unit 1 (train A)

One pneumatic valve isolating the downstream post-accident filter Unit 1 (train A)

Post-accident filter Unit 1 (train A) fan

One pneumatic valve isolating the upstream post-accident filter Unit 2 (train B)

One pneumatic valve isolating the downstream post-accident filter Unit 2 (train B)

Post-accident filter Unit 2 (train B) fan

Associated piping and ductwork of HVAC system 1541 and 1542

Post-accident filter units exhaust to the plant exhaust stack

Under normal operation, the FHB ventilation system draws 100 percent outside air from the intake plenums. A minimum outside air purge of three volume air changes per hour is supplied to the SFP area. Supplementary recirculating units for the fuel pool areas (Units 1 and 2) are provided. Each recirculating unit consists of a fan, chilled water coils fed from the normal chilled water system, and duct-mounted electric reheat coils to carry the partial air-conditioning load off the normal air supply system. Exhaust air from the different areas of the FHB is collected through the ductwork system and processed through filter trains prior to exhaust to the Unit 1 plant stack. Filter trains and exhaust fans are sized to compensate for the air in-leakage to the building due to the design negative pressurization for confinement of potentially radioactive contaminants. Factoring the building in-leakage and the increases in filter resistance, the exhaust fans are fitted with flow control mechanisms. Two 100-percent supply air handling units and two 100-percent exhaust units are provided.

When high radiation levels are detected at the exhaust duct, a train-oriented FHB isolation signal (FHBI-A and FHBI-B) is initiated and the following actuations and events will follow:

The isolation dampers close at the interconnecting ductwork between the normal and emergency exhaust filter units.

The normal supply and exhaust isolation dampers close at the FHB pressure boundary duct penetrations.

The normal supply and exhaust fans automatically cease running, due to the low airflow resulting from the closure of the isolation dampers.

The FHBI signal will start the post-accident filtration system to provide continuity of negative pressurization during accident and post-accident conditions.

The fuel pool area recirculating unit has no immediate response to the FHB isolation signal and remains operative until manually reset. These units are sized for supplementary cooling only and do not have the capacity to control the temperature and humidity during accident or post-accident conditions when the normal system is not operating. The design of the HVAC system allows the normal exhaust system, if available, to be used in addition to the post-accident filtration system and for post-accident air cleanup of potentially radioactive contaminants inside the fuel building.

This post-accident operation involves manually starting the normal exhaust filtration system, which is otherwise de-energized by the FHB isolation signal, and opening of the associated dampers to initiate recirculation. Air is collected through the ductwork and directed to the air filtration system for processing. The discharge is ducted to the fuel pool area. Each SFP heat exchanger and pump room is provided with a dedicated recirculating unit consisting of a fan and two chilled water coils. One of the cooling coils is connected to the normal chilled water system and the other to the ESF chilled water system. These units operate under both normal and emergency conditions and are actuated by either a temperature switch (normal operation) or by the safety injection signal (emergency operation).

The railroad corridor and railroad unloading areas have separate recirculating fan-coil systems that maintain the areas at the designed level of cooling. No positive ventilation is provided, but ventilation occurs through in-leakage of outside air to the area created by the building negative pressurization. The air handling unit for this area is started manually or automatically by a high temperature limit switch. Supply air is distributed to the areas for even temperature control. The space is heated by wall-mounted infrared radiant heaters operated by a hand switch.

Dry Cask Storage

Dry Cask Storage Siting

This section describes the Independent Spent Fuel Storage Installation (ISFSI), also typically known as the storage pad. The ISFSI provides the physical space where storage casks are stored at the site. The ISFSI's location and physical characteristics play a role in determining hazards that might affect the storage casks (e.g., frequency and effects of an accidental aircraft impact). The storage pad is also the impact surface during storage cask tipover (e.g., due to a seismic event). The storage pad characteristics were considered when modeling events at the ISFSI.

The HI-STORM 100 dry cask storage (DCS) system is used as the reference design for dry storage of spent or used fuel. The HI-STORM 100 DCS system is composed of a welded canister, which in this case is the MPC-32 that holds 32 PWR fuel assemblies. Figure 2-42 depicts the storage overpack and associated grid assemblies. DCS loading campaigns can be conducted at power or during a refueling outage.

Description of HI-STORM-100 Dry Cask Storage System

As described in HOLTEC HI-STORM 100 Certificate of Compliance (ADAMS Accession No. ML091680370), the HI-STORM 100 DCS system (the cask) consists of the following components:

Interchangeable MPC, which contains the fuel

Storage overpack (HI-STORM), which contains the MPC during storage

Transfer cask (HI-TRAC), which contains the MPC during loading, unloading, and transfer operations

The HI-STORM 100S, Version B (218), overpack is the reference design used in this study.

The HI-STORM 100S is a shorter design than the original HI-STORM 100 overpack, with the vents incorporated into the overpack lid as opposed to the overpack body. A more detailed description of the cask components can be found in the HI-STORM 100 FSAR (ADAMS Accession No. ML19150A401).

Multipurpose Canister

As mentioned previously, this study uses the HOLTEC HI-STORM 100S, MPC-32 that is composed of a welded stainless steel (304, 304LN, 316, or 316LN) canister that contains a maximum of 32 PWR fuel assemblies. The MPC consists of a honeycombed fuel basket (see Figure 2-43) for spent nuclear fuel storage, contained in a cylindrical canister shell that is welded to a baseplate, a lid with welded port cover plates, and a closure ring. All MPC welds are performed at the HOLTEC manufacturing facility, except for the lid, port cover plate, and closure ring welds, which are machine performed on site. The MPC uses Boral Metamic™ Classic panels as the neutron absorber. Figure 2-43 shows the MPC.

Figure 2-42 Storage Overpack and Dry Cask Storage Pad

For the reference design, the fuel assemblies have inserts (such as wet annular burnable assemblies, burnable poisons, or sources), such that the total length of the fuel assemblies varies based on the inserts. These are typically put in the center to minimize doses. The MPC has spacers at the bottom and on the inside of the lid to keep the fuel assemblies aligned with the MPC neutron absorber panels (U.S. NRC, November 2014). Within the same MPC, the lid spacers can vary in length depending on the inserts of the fuel loaded. The MPC has a total free volume of 367.9 ft³ and a net free volume of 229 ft³ (6,484 liters) [Table 4.4.8 of (HOLTEC International, February 13, 2010)]. The MPC provides the confinement boundary for the stored fuel, which is defined by the MPC baseplate, shell, lid, port covers, and closure ring.

HI-TRAC Transfer Cask

The HI-TRAC transfer cask holds, protects, and provides shielding and structural support to the MPC during the MPC fuel loading, unloading, and on-site transfer operation stages. The transfer cask is a steel-lead-steel layered cylinder with a water jacket and a solid HOLTITE (B4C) jacket as a neutron shield, attached to the exterior. The reference design uses the HI-TRAC 125D, which has increased lead and water shielding and higher thermal resistance than the HI-TRAC 100.

The HI-TRAC 125D weighs approximately 125 tons when loaded with the MPC and fuel; the total weight of the non-loaded HI-TRAC and its components is approximately 73 tons.

HI-STORM Storage Overpack

The HI-STORM storage overpack has a steel shell filled with concrete. The storage cask weighs approximately 180 tons when loaded and is designed to protect the MPC during storage at the ISFSI in a vertical orientation. The HI-STORM overpack provides the MPC with gamma and neutron shielding, ventilation passages, missile protection, and protection against natural phenomena and accidents. It contains four air inlets at the bottom and four outlets at the top for air flow. The reference site has low seismicity; as such, the HI-STORM-100S, Version B, model does not use anchor bolts to secure the storage cask to the ISFSI surface.

Figure 2-43 Multipurpose Canister

Dry Cask Storage Operating Stages

Before a cask loading campaign begins, preparations must occur including fuel selection, MPC loading into HI-TRAC, and preparation of the storage cask and the mating device at the cask transfer facility. In summary, the DCS process operations, depicted in Figure 2-44, are composed of the following main stages:

1. Identification of suitable spent fuel for dry storage (typically, fuel cooled in SFP for more than three years)
2. Procurement of DCS system and preparation of DCS system for fuel loading (e.g., receipt inspections, support system inspections, preparation of DCS system for fuel, and placement of transfer cask at cask loading pit)
3. HI-TRAC submerged in cask loading pit and restrained to cask loading pit pedestal
4. Movement of 32 PWR fuel assemblies from SFP to MPC-32 in transfer cask
5. MPC lid installed underwater
6. Loaded HI-TRAC lifted from cask loading pit, moved to cask washdown area for decontamination, and restrained to cask washdown area pedestal
7. MPC lid welded in place at cask washdown area and weld tested (e.g., hydrostatic tests)
8. MPC water drained
9. MPC moisture removal by forced helium dehydration or vacuum drying
10. MPC helium backfill and lid cover plates welded
11. Movement of transfer cask to the low-profile transporter at auxiliary building railroad bay door exit
12. Low profile transporter moved through railroad bay doors to outside of auxiliary building
13. HI-TRAC lifted by vertical cask transporter and transported to cask transfer facility
14. HI-TRAC bolted to mating device
15. MPC download slings installed to vertical cask transporter and MPC, and MPC lifted while HI-TRAC bottom lid removed
16. MPC downloaded to HI-STORM storage overpack
17. HI-TRAC overpack removed from mating device and storage cask lid installed
18. Storage cask lifted from cask transfer facility and transported to ISFSI

During these stages the cask and fuel are exposed to different hazards. Some of these hazards include events that could challenge the cask structurally (e.g., drops; cask tip over, such as could result from a seismic event; impacts from vehicles; or aircraft or wind-driven objects) and events that could challenge the cask thermally (e.g., fires or vent blockage). The analysis performed in this study evaluates the frequency of events that could compromise the cask and its contents; the reliability of current systems, controls, and design features of the DCS system and related operations; the probability of a fuel, cask, and containment breach; and potential consequences from events that could compromise the cask confinement.

Figure 2-44 Dry Cask Process Steps 3 - 18

SFPs and Cask Loading Pit

Section 2.5 describes the arrangement of the SFPs, cask loading pit, and transfer canals for the reference site. Additional information on the cask loading pit is provided here. The cask loading pit has a water depth of 15.2 m (45 ft and 7 1/2 in.). At the bottom of the cask loading pit, there is a seismic restraint system in combination with the cask loading pit pedestal. When the transfer cask is lowered and placed in the pedestal, the seismic restraint system engages four retractable arms on the top of the HI-TRAC to completely restrain the cask in case of a seismic event.

The fuel cask loading pit has a 3/4-in. line connected behind the fuel cask loading pit liner plate that drains to the FHB drain sump. The FHB sump collects normal and potentially radioactive drainage from equipment and floor drains. The sump pump discharges to the waste monitor tank. Also, the reference site has the ability, using staged pumps, to recirculate water directly between the two SFPs, even if they are isolated from the cask loading pit.

Cask Washdown Area

The cask washdown area is adjacent to the cask loading pit and SFPs. The cask washdown area consists of a U-shaped concrete structure that facilitates the use of DCS operations supporting equipment. Examples of this supporting equipment include the forced helium dehydration system; the MPC lid automated welding system; the seismic restraint system; the cask pedestal; and connections to the supplemental cooling system, the helium supply line, demineralized water, service air, and electrical equipment (e.g., 120 VAC receptacles and the 120/240 VAC distribution panel).

Cask Transfer Facility

The cask transfer facility is located adjacent to the ISFSI. This cask transfer facility is a reinforced concrete pad with a steel-lined recessed hole that fits approximately 4/5 of the height of the storage overpack. Its main purpose is to facilitate the transfer of the MPC from the HI-TRAC cask to the HI-STORM overpack using, and maintaining the stability of, the vertical cask transporter crane. The facility has a drain on the bottom and a port for inserting a sump pump to drain water if needed. It also helps maintain the stability of the transfer/storage cask stack-up configuration.

As defined in HOLTEC's HI-STORM 100 Technical Specifications Amendment 7 (ML093620062), the cask transfer facility is an aboveground/underground system used during the transfer of a loaded MPC between a transfer cask and a storage overpack. The cask transfer facility includes the following components and equipment:

A cask transfer structure used to stabilize the overpack, transfer cask, and/or MPC during lifts involving spent fuel not bounded by the regulations of 10 CFR Part 50

Either a stationary lifting device or a mobile lifting device used in concert with the stationary structure to lift the overpack, transfer cask, and/or MPC

Independent Spent Fuel Storage Installation

Spent nuclear fuel in DCS is stored at the ISFSI according to the regulations and provisions of Title 10 of the Code of Federal Regulations (10 CFR) Part 72, Subpart K, "General License for Storage of Spent Fuel at Power Reactor Sites."

Vertical Cask Transporter

The vertical cask transporter, shown in Figure 2-45, is a crawler type tracked transporter used to move the HI-TRAC, loaded HI-TRAC, HI-STORM, and loaded HI-STORM. It is also used as the crane for the MPC downloads and uploads, and lifts involving the cask transfer facility. The vertical cask transporter is powered by a turbocharged diesel engine and weighs 209,550 lb.

The vertical cask transporter has an electric power generator that is directly connected to the flywheel of the main diesel engine and can provide 110 volt, 3-phase, 60 Hz, power to its outlets. The vertical cask transporter uses different slings and attachments to perform its lifting functions of the HI-TRAC and HI-STORM overpacks/casks and the download/upload of the MPC during MPC transfer operations. It has telescopic booms made of high strength steel with solid steel bar attached on two sides that can extend from its retracted height to an extended height. Other features of the vertical cask transporter include emergency engine stop, Deadman button, cam locks, and emergency hydraulic power motor/pump.

Alternate Cooling Water System

The alternate cooling water system provides an alternate cooling method (when the MPC is in the cask washdown area) to reduce MPC bulk temperature when desired or when approaching the maximum time limit for wet transfer operations (time-to-boil). The alternate cooling water system uses two submersible pumps with discharge hoses in the SFP, approximately 4 to 5 feet below the surface of the water. The alternate cooling water system procedure states that if the alternate cooling capability is lost, possible options to re-establish cooling flow include:

- Backup pump, if pump failure has occurred
- Providing alternate power from a different source using any necessary additional cables
- Portable power supply

Alternate cooling water system water circulation is required to be initiated at least four hours prior to reaching the maximum allowable duration for time-to-boil. If the alternate cooling water system cannot be established with the correct boron concentration, the MPC needs to be transferred to the cask loading pit. The alternate cooling water system uses SFP water to cool down the MPC. The average SFP water temperature used in this project is approximately 85°F.

Supplemental Cooling System

The supplemental cooling system is an external system for cooling the MPC inside the HI-TRAC transfer cask during on-site transport. Use of the supplemental cooling system is required for post-backfill HI-TRAC operation of an MPC containing one or more high burnup fuel assemblies or MPC heat loads in excess of 28.74 kW. For medium burnup fuel assemblies, the maximum temperature reached is limited by natural convection and passive heat rejection when in the vertical configuration in still air and would result in the HI-TRAC cask and fuel being below the short-term temperature limit. If the MPC contains high burnup fuel assemblies, the cladding temperature would be greater than the cladding temperature limit and the supplemental cooling system would be required. The reference site has a supplemental cooling system, but it is not used since administrative controls limit the MPC heat load to less than 28.74 kW, and only medium burnup fuel assemblies are loaded into the MPC. The supplemental cooling system is sized to extract more heat, with margin, from the MPC than needed to keep the spent fuel in the MPC and the MPC below predefined temperature limits. The supplemental cooling system requires 240/120 VAC power and has uninterruptible power sources as back-up batteries in the event power is lost. During transport operation, the uninterruptible power sources are not used, as the vertical cask transporter has 120 VAC utility outlets to power the supplemental cooling system components.

Figure 2-45 Vertical Cask Transporter

Forced Helium Dehydration System

At the reference site, the forced helium dehydration system is used for drying the MPC. The forced helium dehydration system is a conventional, closed loop dehumidification system consisting of a condenser, a demoisturizer, a compressor, and a pre-heater. The forced helium dehydration system recirculates relatively warm and dry helium through the MPC cavity, which helps maintain the spent nuclear fuel in a cooled condition while moisture is being removed.

Forced helium dehydration cooling ensures that the maximum calculated fuel cladding temperature would not exceed 400°C (752°F) for normal conditions of storage and short-term loading operation, including cask drying and backfilling. The forced helium dehydration system requires a 460/480 VAC, 100 amp, three-phase power source (minimum) for operation.

Automated Welding System

The automated welding system performs field welding operations for the MPC closure in accordance with applicable sections of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code. It is a self-contained apparatus consisting of the welding power supplies, process control and monitoring stations, weld head delivery system, weld heads, cameras, cooling systems, and interconnecting cables and hoses. The automated welding system is used in the following MPC welding operations:

- Welding of the MPC lid to MPC shell weld
- Welding of the MPC closure ring to the MPC shell weld
- Welding of the closure ring to the MPC lid weld
- Welding of the MPC closure ring radial weld
- Welding of the MPC vent and drain port cover plates to the MPC lid weld

Low-Profile Transporter

The low-profile transporter is used to move a vertically oriented HI-TRAC transfer cask (loaded or empty) on an existing set of steel rails. Typically, the low-profile transporter will be used on railroad tracks to move the HI-TRAC into and out of the auxiliary building, where dimensional limitations (e.g., low head room clearance) prevent the use of other devices for movement (e.g., the vertical cask transporter). The low-profile transporter is a non-powered device designed to preclude tipover of the transfer cask and to minimize the horizontal movement and floor loads during seismic events. It consists of a baseplate, frame assembly, rail car wheels, and guide system. The baseplate and the frame assembly directly transfer the weight of the HI-TRAC to the wheels, which in turn transfer the load to the rails. The guide system maintains the low-profile transporter's orientation during movement. The low-profile transporter is non-powered and moves along the track using a winch or power moving equipment (i.e., forklift).

Mating Device

During the transfer of the MPC, the HI-TRAC cask is mated to the HI-STORM overpack by positioning and bolting the mating device between overpacks. This allows the removal of the HI-TRAC pool lid (bottom lid) to allow MPC download to the HI-STORM overpack. During this stage, the MPC is raised slightly, inflatable bags inside the mating device (see Figure 2-46) remove the pressure of the lid weight and the HI-TRAC pool lid is unbolted and removed from under the HI-TRAC allowing a passage for the MPC download into the storage overpack. The mating device also provides a seismic restraint function, transient shielding, and a means to move and handle the removed HI-TRAC pool lid. The mating device is operated by a hydraulic pump and portable air compressor designed to operate at 120 VAC.

Figure 2-46 Mating Device

Other Plant Dry Cask Storage Supporting Systems

During DCS operations other supporting equipment is used. Most of this equipment is non-safety-related; however, sources of potential damage to the fuel are drop of the HI-TRAC lid onto the HI-TRAC cask and drop of the HI-STORM lid onto the top of the HI-STORM cask. Sources of industrial risk to the workers include falls, drops that injure workers, etc. Some of the supporting equipment includes:

- Mobile cranes for placing or removing the HI-TRAC lid, HI-STORM lid, and mating device
- Forklifts as power for retrieving the low-profile transporter from the auxiliary building and moving the empty MPC on site (a loaded MPC is always inside a HI-TRAC or HI-STORM overpack and is always moved with the vertical cask transporter)
- Personnel lifting devices used to provide a clear view of the crane flagger during MPC transfer

3. SUMMARY OF APPROACH

This section summarizes the approach used to develop the Level 3 PRA model, and therefore, the quantification of the risk associated with the different sources of risk and the integrated risk of the site. Section 3.1 describes the overall approach of how the various risk source models were constructed. Section 3.2 describes the various technical analyses performed in the construction of the models. Section 3.3, Section 3.4, and Section 3.5 describe how the reactor, spent fuel pool, and dry cask storage risk models, respectively, are constructed based on the technical analyses. Section 3.6 describes how the integrated site risk model is constructed.

Overall Approach

The L3PRA project scope includes an evaluation of the risk from multiple radiological sources, multiple hazards, multiple plant operating states or stages, and multiple PRA levels. For each major radiological source (i.e., reactor, SFP, and DCS), separate models were independently constructed. These models were then used to develop an integrated site risk model. Figure 3-1 illustrates the overall approach as described below.

Figure 3-1 Overall Approach to Level 3 PRA Model

Separate reactor, at-power, Level 1 PRA models were constructed for internal events and internal floods based on the Level 1 PRA model for internal events and floods from the reference site, available to the NRC in 2012 [footnote 14]. These two models were integrated to serve as the input to construct an at-power Level 2 PRA model for internal events and internal floods, and then an at-power Level 3 PRA model for internal events and internal floods.

Separate at-power Level 1 PRA models were constructed for internal fires, seismic events, and high winds. These models were used (along with the Level 1 PRA model for internal events and internal floods) to serve as the input to construct at-power Level 2 PRA models for internal fires, seismic events, and high winds, and subsequently for at-power Level 3 PRA models for each of these hazards. Consequently, for at-power conditions, Level 1 PRA results (e.g., core damage frequency [CDF]), Level 2 PRA results (e.g., radionuclide release frequency), and Level 3 PRA results (e.g., doses) were quantified individually and collectively for all these hazard categories.

For the other hazards (e.g., transportation accidents or external flooding), a screening analysis was performed that indicated the potential risk contribution would be insignificant. Therefore, a PRA model was not developed for these hazards.

For low power and shutdown (LPSD), only an internal events PRA model was constructed and quantified for Level 1, Level 2, and Level 3. Other hazard categories (e.g., internal fire, internal flooding, heavy load drops, and seismic events) are not addressed in this study. While some of these hazard categories could be important contributors to LPSD risk, they were excluded due to the limited current state-of-practice methods for addressing them during LPSD conditions and the resource limitations of this project. As such, a quantitative, integrated all-operating-mode and all-hazard reactor PRA model was not developed.

For SFP and dry cask storage, a single integrated Level 1 and Level 2 PRA model was constructed for each of these radiological sources that addressed the risk significant hazards integrated across all the plant operating stages included in the scope of the model. Each of the integrated Level 1 and Level 2 models, for SFP and dry cask storage, served as the input to construct the Level 3 PRA models for these radiological sources.

The Level 3 PRA models for the reactor, SFP, and dry cask storage were integrated to create a site Level 3 PRA model for all sources and all hazards for which PRA models were constructed and quantified. Note, as mentioned above for LPSD, a PRA model was constructed and quantified only for internal events. Since external hazards make a significant contribution to integrated site risk (ISR), the ISR PRA model only focuses on plant operating states with both reactors in operation (so external hazards can be accounted for).

It is important to note that the development of all PRA models involves iteration and the occasional use of simplification strategies (e.g., the use of bounding analyses and screening). In this study, the development of subsequent PRA models often led to the identification of changes that needed to be made to earlier models. In these cases, one of three alternative courses of action was implemented based on the anticipated impact of the change on the results and insights of the study, as well as the level of resources required to incorporate the change:

- The change was incorporated into the earlier model(s), the models were requantified, and the model documentation was updated.
- The change was incorporated into the overall project model so that subsequent models and any requantification of the overall model would reflect the change, but the documentation of the individual previous model(s) was not updated (though the potential discrepancy was noted in other project documentation).
- The change was not incorporated into either the earlier models or the overall project model, but identification of the error and its anticipated impact on project results and insights was included in project documentation.

14 The information provided reflects the plant as it was designed and operated as of 2012 and does not reflect the plant as it is currently designed, licensed, operated, or maintained (e.g., the Level 3 PRA project models do not reflect the current RCP shutdown seal design at the reference plant, nor do they reflect the potential impact of FLEX strategies, both of which reduce the risk to the public). In addition, the information provided for the reference plant was changed based on additional information, assumptions, practices, methods, and conventions used by the NRC in the development of plant-specific PRA models used in its regulatory decisionmaking.

Approach for the Technical Analyses

The development of the various models involves certain technical analyses. These technical analyses are performed using the current state-of-practice methods as described in Regulatory Guide (RG) 1.200, where applicable. RG 1.200 endorses the ASME/American Nuclear Society (ANS) standard that addresses a Level 1/large early release frequency (LERF) PRA for at-power conditions, for both internal and external hazards. Although not endorsed in RG 1.200 at the time of this study, the staff used the trial use PRA standards that ASME/ANS has issued (i.e., for Level 2 PRA, for Level 3 PRA, and for Level 1/LERF PRA for low power and shutdown).

The technical analyses that are part of constructing the PRA models are not necessarily common to each risk source, hazard, operating mode, or PRA level. The technical analyses that are common to each risk source, operating state, hazard, and PRA model include the following:

- Plant familiarization
- Hazard and fragility analyses
- Screening analysis
- Uncertainty analysis

There are, however, technical analyses that are common to development of a Level 1 and Level 2 PRA model, and some that are unique to Level 2 and Level 3. These technical analyses include:

Level 1 - Level 2 Technical Analyses
- Initiating Event Analysis
- Accident Progression Analysis
- Systems Analysis
- Parameter Estimation Analysis
- Human Reliability Analysis
- Structural Analysis
- Quantification Analysis

Level 2 Technical Analyses
- Source Term (Radionuclide Release) Analysis

Level 3 Technical Analyses
- Consequence Analysis

Figure 3-2 summarizes the technical elements and how they fit into the overall analyses.

Figure 3-2 Technical Elements

Ensuring the fidelity and robustness of the PRA model is also an essential factor to ensure that the model accurately represents the risk from the reactor, SFP, and dry cask storage. Therefore, part of the technical approach included the development and implementation of a Quality Assurance Plan that is discussed in Appendix A. Figure 3-3 depicts the review process for each of the models.

Figure 3-3 Review Process (flowchart box labels: Develop Initial PRA Model; Perform Technical Advisory Group (TAG) Review; Perform PWROG-led Peer Review; Brief ACRS; Re-Perform Internal Reviews; Finalize Model; Develop Documentation; Revise PRA Model; Staff Self-Assessment; Internal Technical Review; Management Review; Perform Internal Reviews)

The following describes the approach used for each of the technical analyses.

Plant Familiarization

It is essential that the PRA model realistically represent the design and operation of the plant site. Therefore, it is important that the analysts constructing the PRA model have a detailed understanding of the design and operation of the plant - understanding how the structures, systems, and components (SSCs) are designed and operated; the support systems necessary for their operation; the interactions (dependencies) among the SSCs; how operations occur during maintenance and routine and emergency conditions; etc. This plant familiarization involves developing an understanding of the following information:

- Plant design information reflecting the normal, abnormal, and emergency plant configurations
- Plant operational information, namely, procedures and practices
- Plant test and maintenance procedures and practices
- Engineering aspects of the plant design
- Emergency preparedness

For each of the above, the following information was collected and reviewed:

Design
- The safety functions required to maintain the plant in a safe stable state and prevent core or containment damage
- Identification of those SSCs that are credited in the PRA to perform the above functions
- The relationships among the SSCs, including both functional and hardware dependencies
- The normal, abnormal, and emergency configurations of the SSCs
- The automatic and manual (human interface) aspects of equipment initiation, actuation, and operation, as well as isolation and termination
- The SSCs' capabilities (flows, pressures, actuation timing, environmental operating limits)
- Spatial layout, sizing, and accessibility information related to the credited SSCs
- Other design information needed to support the PRA modeling of the plant

Operational
- The information needed to reflect the actual operating procedures and practices used at the plant, including when and how operators interface with plant equipment, as well as how plant staff monitor equipment operation and status
- The information needed to reflect the operating history of the plant, as well as any events involving significant human interaction

Maintenance
- The information needed to reflect planned and typical unplanned tests and maintenance activities and their relationship to the status, timing, and duration of the availability of equipment
- Historical information related to the maintenance practices and experience at the plant

Engineering
- The design margins in the capabilities of the SSCs
- Environmental limits of equipment operation
- Expected thermal hydraulic plant response to different states of equipment (e.g., for establishing success criteria)
- Other engineering information needed to support the PRA modeling of the plant

Emergency Preparedness
- The information needed to reflect how the plant responds under emergency conditions
- Evacuation plans and drills
- Interface with local authorities and emergency personnel

To ensure that the understanding of the plant design and operation represented the as-designed, as-built, and as-operated plant (circa 2012), approximately 10 site visits occurred involving numerous plant walkdowns and personnel interviews. These direct observations corroborated the documented informational sources. Personnel interviews provided the necessary understanding regarding how the various operational procedures (i.e., normal and emergency and on-site and off-site) are actually interpreted and implemented. The areas visited, and technical areas/issues pursued, are provided in Table 3-1 and Table 3-2, respectively.

Table 3-1 Areas Visited

- Auxiliary feedwater pump house
- Auxiliary building, CCW & ACCW HX & pumps
- Auxiliary and fuel handling building level 1 (SFP floor level including cask loading pit, cask washdown area, and railroad corridor) and level A (just below auxiliary/fuel handling building cask level)
- Boron injection tanks/pumps
- Cable spreading rooms
- Chemical storage locations external to structures, storage location just east of turbine building
- Hyperbolic cooling towers
- Component cooling water expansion tank
- Containment
- Containment purge system, HPSI pumps, RHR system
- Control building including roof, control building level 2 corridor 230, laboratory storage 231, janitorial storage 232, HVAC E
- Condensate/auxiliary feedwater tanks
- Diesel generator building
- Dry cask storage transport safe paths
- Evacuation exercises
- Evacuation routes (e.g., roads, trains, bridges)
- Emergency planning
- Facilities (e.g., schools, industry, county prison)
- Fuel handling building
- Fire training building and outside training area
- Hydrazine tanks
- Independent spent fuel storage installation
- Main control room, including room and floor directly above
- Main steam pipe tunnel
- Main steam valve rooms
- Manual operation of turbine-driven auxiliary feedwater pump
- Monitoring capabilities (e.g., helicopters)
- Motor control center - 480 volt
- North fire pump house
- NSCW water storage tanks/cooling towers
- NSCW pump house
- NSCW towers and pipe tunnel
- Refueling water storage tanks
- Offsite locations - alternate offsite power generation site
- Operations support center
- Potential release points
- Production warehouse
- Rad waste building
- Remote shutdown panel
- RHR system ex-containment
- Simulator training facility
- Sirens and route alerting
- SFP
- SG level indication measurement, located on level B (i.e., lowest level of plant, just outside of containment)
- Switchgear rooms
- Technical support center
- Training center
- Transformer yard
- Turbine building
- Services building
- Wastewater retention basins
- Water storage tanks

Table 3-2 Technical Areas and Issues Pursued

- Accident Progression
- Chemical/Hazardous Storage: Chemicals stored; Location of tanks
- Dry Cask Storage
- Emergency Response: Alarms, sirens, and route alerting; Evacuation routes; Responsibility/roles of other organizations; Procedures; Evacuation exercises
- Fire: Barriers; Cables; Propagation pathways; Sources; Sprinklers (other suppression systems)
- High Winds: Potential missiles (e.g., type, location); Potential SSCs for wind pressure and missile effects; Potential structural interactions
- Human Reliability: Accessibility; Activity conditions; Alarms, cues; Control room actions; Ex-control room actions; Operators' availabilities; Practices, procedures; Tools and clothing; Training; Travel time
- Internal Flood: Barriers; Propagation paths; Sources; Vulnerable equipment
- Low Power and Shutdown: Configurations; Practices and procedures; Equipment status; Training
- Other Hazards: Airports and flight paths; Hazardous material storage; Nearby dams; Other hazardous facilities; Transportation (e.g., trains and cargo)
- Seismic: Anchorage; Lateral support; Spatial interactions; Structural interactions
- Site: Dependencies among risk sources
- Spent Fuel Pool: SSCs; Locations; Spatial interactions; Vulnerabilities (e.g., flooding, room heat-up, fire)

Hazard and Fragility Analyses

Hazard analyses estimate the frequency of occurrence for different intensities for the specific hazard under consideration. The frequencies are generated by developing phenomenological models of the hazard with estimated parameter values (e.g., peak ground acceleration) combined with historical data. Hazard curves providing the exceedance frequency versus the hazard intensity were developed for the various hazards for the reference plant. Fragility analyses estimate the conditional frequency of an SSC failure for the hazard response parameter. Therefore, the fragility estimates are based on the capacity of the SSCs in any given failure mode.

For the reactor, Level 1 seismic PRA, fragility curves for the reference plant were provided by the licensee and reviewed and accepted for use in this study. However, some fragility estimates were developed as part of the L3PRA project for the Level 2 seismic PRA (i.e., buildings containing mitigation equipment) and for the spent fuel pool PRA (i.e., the capacity of the pool walls and estimates of water loss from sloshing). Also, since the licensee had not performed a high wind PRA, fragility curves for high winds were developed as part of the L3PRA project.
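How a hazard curve and a fragility curve of the kind described above combine into a failure frequency, as an added example that is not taken from the report. The lognormal fragility form, the power-law hazard curve, and every numeric value are assumptions constructed for illustration.

```python
import math


def lognormal_fragility(a, median_capacity, beta):
    """Conditional failure probability at intensity a (assumed lognormal capacity)."""
    if a <= 0.0:
        return 0.0
    z = math.log(a / median_capacity) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def power_law_hazard(a, k=1.0e-5, slope=2.0):
    """Constructed hazard curve: annual frequency of exceeding intensity a (in g)."""
    return k * a ** (-slope)


def failure_frequency(hazard, fragility, a_min=0.01, a_max=10.0, bins=600):
    """Combine an exceedance curve with a fragility curve.

    Each log-spaced bin contributes (frequency of an event whose intensity
    falls in the bin) x (failure probability at the bin's geometric midpoint).
    Returns the total and the per-bin contributions for inspection.
    """
    ratio = (a_max / a_min) ** (1.0 / bins)
    contributions = []
    total = 0.0
    lo = a_min
    for _ in range(bins):
        hi = lo * ratio
        occurrence = hazard(lo) - hazard(hi)  # events/year with intensity in [lo, hi)
        mid = math.sqrt(lo * hi)
        part = occurrence * fragility(mid)
        contributions.append((mid, part))
        total += part
        lo = hi
    # Everything beyond a_max is treated as one final bin.
    tail = hazard(a_max) * fragility(a_max)
    contributions.append((a_max, tail))
    total += tail
    return total, contributions


def closed_form_power_law(k, slope, median_capacity, beta):
    """Exact result for a power-law hazard and lognormal fragility (cross-check)."""
    return k * median_capacity ** (-slope) * math.exp((slope * beta) ** 2 / 2.0)


if __name__ == "__main__":
    # Constructed SSC: median capacity 1.0 g, log-standard deviation 0.4.
    def frag(a):
        return lognormal_fragility(a, 1.0, 0.4)

    total, parts = failure_frequency(power_law_hazard, frag)
    peak_a, _ = max(parts[:-1], key=lambda p: p[1])
    print(f"failure frequency        : {total:.3e} per year")
    print(f"closed-form cross-check  : {closed_form_power_law(1.0e-5, 2.0, 1.0, 0.4):.3e}")
    print(f"hazard at median capacity: {power_law_hazard(1.0):.3e}")
    print(f"largest-contributing bin : {peak_a:.2f} g")
```

The result exceeds the hazard frequency at the median capacity because intensities below the median still carry a nonzero failure probability and occur far more often.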

Screening Analysis

Screening analyses identify whether certain hazards need to be evaluated (e.g., by constructing a PRA model), or can be eliminated from the project scope. Screening is also performed within the technical analyses to determine the scope of the analysis and the needed level of detail.

The criteria used in the L3PRA project to screen at either the hazard level or technical analysis level involve both quantitative and qualitative criteria to determine their potential risk significance. The quantitative screening criteria used conservative estimates to demonstrate a negligible impact on the risk; for example, to demonstrate that the hazard under consideration has a very low frequency of occurrence. The qualitative screening criteria were used to demonstrate the hazard could not have any impact on the plant risk; for example, it is physically impossible for the hazard to occur. An example of this criterion is that plant elevation is high enough that the plant would not be impacted by river flooding.

Uncertainty Analysis

Uncertainty analyses assess the variability of the results obtained through quantification of the PRA. The L3PRA project addresses both parameter uncertainty and model uncertainty, as defined below.

Parameter uncertainty relates to the uncertainty in the computation of the input parameter values used to quantify the probabilities of the events in the PRA logic model. Examples of such parameters are initiating event frequencies, component failure rates and probabilities, and human error probabilities. These uncertainties can be characterized by probability distributions that relate to the analyst's degree of belief in the values of these parameters (which could be derived from simple statistical models or from more sophisticated models).

Model uncertainty arises because different approaches may exist to represent certain aspects of plant response and none is clearly more correct than another. Uncertainty about the PRA results is then introduced because uncertainty exists about which model appropriately represents that aspect of the plant being modeled. In addition, a model may not be available to represent a particular aspect of the plant. Uncertainty about the PRA results is again introduced because there is uncertainty about a potentially significant contributor not being considered in the PRA.

For parameter uncertainty, a mean value of, and a statistical representation of, the uncertainty intervals for the parameter estimates were calculated for the basic events. The parameter uncertainties were propagated using the Monte Carlo approach to quantify the results. In addition, the uncertainties were propagated such that the state-of-knowledge-correlation between event probabilities was accounted for in the quantification.

For model uncertainties, key assumptions were identified. The impact of these key assumptions on the results was assessed. The key assumptions were those that had the potential to impact the PRA model (e.g., involve introduction of a new basic event or a change in the system success criteria). To the extent practical and consistent with project resources, sensitivity studies were performed to determine the extent to which the results changed given a change in the model assumption.
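The Monte Carlo propagation with state-of-knowledge correlation described above, as an added example that is not the project's own model or code. The basic events, cut sets, lognormal distributions, and error factors are all constructed assumptions; the point is that events quantified from the same parameter must share one sampled value per trial.

```python
import math
import random
import statistics

Z95 = 1.645  # standard normal 95th percentile

# Constructed parameters: name -> (median, error factor = 95th / 50th percentile).
PARAMETERS = {
    "MDP_FTS": (1.0e-3, 3.0),  # motor-driven pump fails to start
    "DG_FTR": (2.0e-2, 3.0),   # diesel generator fails to run
    "OP_ERR": (5.0e-3, 5.0),   # operator fails to align backup
}
# Basic event -> parameter it is quantified from. Events that share a
# parameter share one state of knowledge about its value.
BASIC_EVENTS = {
    "MDP_A_FTS": "MDP_FTS", "MDP_B_FTS": "MDP_FTS",
    "DG_A_FTR": "DG_FTR", "DG_B_FTR": "DG_FTR",
    "OP_ALIGN": "OP_ERR",
}
# Constructed minimal cut sets of a hypothetical top event.
CUT_SETS = [
    ("MDP_A_FTS", "MDP_B_FTS"),
    ("DG_A_FTR", "DG_B_FTR"),
    ("MDP_A_FTS", "DG_B_FTR", "OP_ALIGN"),
]


def draw(rng, median, ef):
    """One lognormal sample, capped at 1.0 because it is used as a probability."""
    sigma = math.log(ef) / Z95
    return min(rng.lognormvariate(math.log(median), sigma), 1.0)


def sample_event_probs(rng, events, params, correlated):
    """Correlated: one draw per parameter, reused by every event that maps to it.
    Uncorrelated: a separate draw per event (ignores shared state of knowledge)."""
    if correlated:
        values = {p: draw(rng, *params[p]) for p in sorted(set(events.values()))}
        return {ev: values[p] for ev, p in events.items()}
    return {ev: draw(rng, *params[p]) for ev, p in events.items()}


def top_event(probs, cut_sets):
    """Min-cut upper bound: 1 - product over cut sets of (1 - P(cut set))."""
    survive = 1.0
    for cut_set in cut_sets:
        survive *= 1.0 - math.prod(probs[ev] for ev in cut_set)
    return 1.0 - survive


def propagate(n, correlated, seed=2022, events=BASIC_EVENTS,
              params=PARAMETERS, cut_sets=CUT_SETS):
    """Return n Monte Carlo samples of the top-event probability."""
    rng = random.Random(seed)
    return [top_event(sample_event_probs(rng, events, params, correlated), cut_sets)
            for _ in range(n)]


def summarize(samples):
    q = statistics.quantiles(samples, n=20)  # q[0] = 5th, q[-1] = 95th percentile
    return {"mean": statistics.fmean(samples), "p05": q[0], "p95": q[-1]}


def analytic_pair_mean(median, ef, correlated):
    """Exact mean of P(A)*P(B) for two events with the same lognormal parameter."""
    sigma2 = (math.log(ef) / Z95) ** 2
    return median ** 2 * math.exp(2.0 * sigma2 if correlated else sigma2)


if __name__ == "__main__":
    for flag in (False, True):
        s = summarize(propagate(20000, flag))
        label = "with SOKC   " if flag else "without SOKC"
        print(f"{label}: mean={s['mean']:.3e}  5th={s['p05']:.3e}  95th={s['p95']:.3e}")
```

Sampling the redundant components independently understates the mean, since the product of two identical draws averages higher than the product of two independent ones.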

Initiating Event Analysis

For Level 1 PRA, initiating event analyses identify and characterize the events that both challenge normal plant operation during power or shutdown conditions and require successful mitigation by plant equipment and personnel to prevent fuel damage from occurring. Events that have occurred at the plant and those that have a reasonable probability of occurring were identified and characterized. This identification was performed by examining plant-specific records for events that have occurred at all operating states, in order to identify possible transients, LOCAs, containment bypass accidents, and loss of support-system-initiated accidents. An understanding of the nature of the events was developed so that the various events could be grouped, with the groups defined by similarity of system and plant responses (based on the success criteria). This grouping was performed to manage the large number of potential events that can challenge the plant. In each initiator group, the plant response to the various initiating events is the same; that is, if the accident progresses differently among initiating events, then a different initiator group was established.

While initiating events represent the beginning of Level 1 PRA accident (core damage) sequence analysis, the starting point for most Level 2 PRAs involves the development of plant damage states (PDSs). PDSs group the Level 1 PRA core damage sequences into a manageable number of bins, accounting for those plant response attributes that can have an impact on the containment response and/or fission product release to the environment (including the success or failure of systems, such as containment isolation, that are not necessarily modeled in the Level 1 PRA). PDSs can be considered as analogous to Level 1 PRA initiating events in the sense that they establish the initial conditions for the containment response analysis in the Level 2 PRA. However, for the L3PRA project, the Level 1 core damage sequences were directly linked to the Level 2 containment event tree sequences (i.e., all Level 1 cut sets were carried forward to the Level 2 model). As such, PDS bins were not used to reduce the number of accident sequences quantified in the Level 2 PRA, but only to reduce the number of deterministic (i.e., MELCOR) analyses to be performed.

Accident Progression Analysis

Accident progression analysis models, chronologically (to the extent practical), the different possible progressions of events (i.e., accident sequences) that could occur from the start of the initiating event to either successful mitigation, fuel damage, or radiological release. The accident sequences account for the systems that are used (and available), the status of the containment (for the reactor model), and operator actions performed to mitigate the event based on defined success criteria and plant operating procedures (e.g., plant emergency and abnormal operating procedures) and training. In addition, thermal, chemical, and mechanical challenges to the system and engineered barriers are evaluated. For the L3PRA project, the SSCs and human actions identified in the success criteria were consistent with the features, procedures and operating philosophy of the plant. Engineering analyses were performed to identify the success criteria, timing of the accident progression, containment capacity and behavior, and core behavior. Evaluation of the availability of a system or capacity of a structure (e.g., containment, SFP, DCS) included consideration of the functional, phenomenological, and operational dependencies and interfaces between the various systems and operator actions during the course of the accident progression. The operator actions necessary to mitigate the initiator were identified, which included those actions performed during the course of the accident progression. Phenomenological events that could generate mechanical loads or thermal challenges to the structures that could cause failure (and ultimately provide a release pathway) were also specified and evaluated. Environmental conditions and their potential impact on SSCs and human performance were considered.

Systems Analysis

Systems analysis models the various combinations of equipment and operator failures that could prevent a system from performing its function as defined by the success criteria. The basic events representing equipment and human failures need to be developed in sufficient detail in the model to account for dependencies among the various systems and components, and to distinguish the specific equipment or human events that have a major impact on the system's ability to perform its function. In performing the systems analysis for the L3PRA project, an understanding of the systems was developed considering component capabilities and their boundaries, dependencies on other systems, instrumentation and control requirements, testing and maintenance requirements and practices, operating limitations such as those imposed by Technical Specifications, component operability and design limits, procedures for the operation of the system during normal and accident conditions, and system configuration during normal and accident conditions. A major aspect of the systems analysis included identification of possible common cause failures, accounting for both spatial and environmental hazards and the interfaces with support systems required for system operation, such as actuation logic, component control, component motive power, component cooling, and any other identified support function necessary to meet the system success criteria.

Parameter Estimation Analysis

Parameter estimation analysis quantifies the frequencies of the initiating events, the equipment (and structure) failure probabilities and equipment unavailabilities for the modeled systems, and the probabilities of occurrence for various severe accident phenomena (e.g., hydrogen combustion). The estimation process included a mechanism for addressing uncertainties and had the ability to combine different sources of data in a coherent manner, including the actual operating history and experience of the plant when it was of sufficient quality, as well as applicable generic experience. For the basic events, the needed parameters to be estimated (e.g., failure on demand) and the required data were identified and their boundaries were established consistent with the systems analyses. The various equipment (components) were grouped into homogeneous populations for parameter estimation based on their design and environmental and service conditions. Both generic and plant-specific data were collected consistent with the defined component boundary conditions and the component groups. Plant records were reviewed to obtain the data necessary to perform the parameter estimation. The estimations were based on an integration of both the generic and plant-specific data. For many of the Level 2 PRA basic events involving severe accident phenomena, occurrence probabilities were estimated based on separate analyses (e.g., structural analysis or combustion analysis) or engineering judgment, due to a lack of relevant data.

Human Reliability Analysis

Human reliability analysis identifies and quantifies the probabilities for the human failure events (HFEs) that can negatively impact normal or emergency plant operations. The HFEs identified in the analysis include those events occurring prior to the accident (pre-initiator actions) and those occurring after initiation of the accident (post-initiator actions). The HFEs occurring prior to the accident are associated with normal plant operation (e.g., specific routine activities) and include the events that leave the system (as defined by the success criteria) in an unrevealed or unavailable state. For the Level 1 PRA, the HFEs occurring after initiation of the accident are HFEs associated with emergency plant operation and include those human actions that, if not performed, do not allow the needed system to function. The identification of these events was based on consideration of the reference plant procedures and practices. Identification of post-core-damage mitigation actions to be credited in the Level 2 PRA involved multiple activities and sources of information. These include reviewing the reference plant severe accident management guidelines and extensive damage mitigation guidelines, as well as a report on an emergency preparedness drill for the reference plant. MELCOR simulations were also performed to provide additional context to the plant response expected for the accident sequence used in the drill. Lastly, the project team supplemented these activities by walking down portions of the plant associated with accident management, and discussing accident management training, exercising, and philosophies with site personnel.

Quantification of the probabilities for both the Level 1 and Level 2 PRA HFEs is based on plant- and accident-specific conditions, where applicable, including any dependencies among actions and conditions. The estimation of the reliability of the operator to correctly perform the necessary actions includes consideration of multiple factors, such as training, clarity of procedures, timing, ability to diagnose (e.g., availability of cues), and challenges in performing the action (e.g., special tools, environmental conditions, and accessibility to the equipment).

These factors are dependent on the particular hazard under consideration (e.g., responding to failure of a pump to start because of a random mechanical fault, as opposed to the failure to start because of an earthquake). Dependency impact on the calculated human error probabilities (HEPs) among multiple HFEs was evaluated considering the crew, timing, cognitive function, location, personnel resources, and stress.

Structural Analysis

Structural analysis evaluates the strength of the structures modeled in the PRA. Of primary concern is the structural integrity of the containment structure. However, structural analysis is also used to evaluate the structural integrity of other plant SSCs, especially for seismic events and high winds.

The structural integrity of the containment can be challenged by physical loads as a result of an earthquake, overpressurization (e.g., steam production, release of non-condensable gases), combustion processes, core-concrete interaction, blowdown forces, material deterioration, melt-through, etc. The potential failure modes and mechanisms were identified and evaluated considering the overall behavior of the containment structure, containment penetrations, discontinuities in the design (e.g., transition from cylindrical shell to the top head and basemat), liner walls, and anchoring, etc. The evaluation determined the possible failure locations and the size of the failure. In addition to the evaluation of pressure loading, the evaluation also examined the effect of temperature to determine its potential to degrade the performance of penetration seals.

Quantification Analysis

Quantification analysis involves quantification of the risk from the modeled accident sequences, either individually or in bins. To facilitate the quantification analysis (and reduce the associated computer processing time), a probability truncation limit is established for the end-state being evaluated (e.g., CDF or release category frequency). Accident sequence cut sets below the truncation limit are not retained or included in the final quantification results. For the L3PRA project, truncation was achieved in an iterative manner such that the quantified model converges and no significant accident sequences (or cut sets) are inadvertently eliminated. That is, convergence is achieved when successive reduction in truncation of one decade results in decreasing changes in the value of the end-state being evaluated, and the final change is less than 5 percent of the previously calculated end-state value.
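The convergence rule above, worked as an added example (not code from the NRC report or from SAPHIRE). The cut-set frequencies are constructed sample data, the end-state value is summed with the rare-event approximation, and truncation is applied as a filter on a pre-generated list; all three are assumptions of this example, as is reading "decreasing changes" as requiring at least two successive changes.

```python
"""Truncation-convergence check for cut-set quantification (constructed data)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CutSet:
    name: str
    frequency: float  # per reactor-year (initiator frequency x event probabilities)


@dataclass(frozen=True)
class Step:
    exponent: int                     # truncation limit is 10**exponent
    value: float                      # end-state frequency from retained cut sets
    change: Optional[float]           # increase over the previous decade
    relative_change: Optional[float]  # change divided by the previous value


@dataclass(frozen=True)
class StudyResult:
    converged: bool
    exponent: Optional[int]  # truncation exponent at which the rule was met
    value: float             # end-state value at the last step evaluated
    steps: List[Step]


def build_model(label, bands):
    """Expand (count, frequency) bands into a constructed cut-set list."""
    return [CutSet(f"{label}-{b}-{i}", freq)
            for b, (count, freq) in enumerate(bands)
            for i in range(count)]


def quantify(cut_sets, truncation):
    """Sum the retained cut sets (rare-event approximation, assumed here)."""
    return sum(cs.frequency for cs in cut_sets if cs.frequency >= truncation)


def truncation_study(cut_sets, start_exp=-6, floor_exp=-12, tolerance=0.05):
    """Lower the truncation limit one decade at a time until the rule is met.

    Converged means: the latest change is smaller than the change before it,
    and it is less than `tolerance` of the previously calculated value.
    """
    if start_exp < floor_exp:
        raise ValueError("start_exp must not be below floor_exp")
    steps = []
    for exp in range(start_exp, floor_exp - 1, -1):
        value = quantify(cut_sets, float(f"1e{exp}"))
        if not steps:
            steps.append(Step(exp, value, None, None))
            continue
        prev = steps[-1]
        change = value - prev.value
        rel = change / prev.value if prev.value > 0 else float("inf")
        steps.append(Step(exp, value, change, rel))
        shrinking = prev.change is not None and change < prev.change
        if shrinking and rel < tolerance:
            return StudyResult(True, exp, value, steps)
    # Floor reached without meeting the rule: significant cut sets may be lost.
    return StudyResult(False, None, steps[-1].value, steps)


# Constructed models: (number of cut sets, frequency of each).
CONVERGING = build_model("A", [(3, 2e-6), (10, 3e-7), (40, 2e-8),
                               (100, 2e-9), (200, 1.5e-10), (500, 2e-11)])
# Each lower decade contributes more than the one above it.
HEAVY_TAIL = build_model("B", [(1, 2e-6), (20, 2e-7), (400, 2e-8), (5000, 2e-9)])

if __name__ == "__main__":
    for label, model, floor in (("converging", CONVERGING, -12),
                                ("heavy tail", HEAVY_TAIL, -9)):
        result = truncation_study(model, floor_exp=floor)
        print(label, "converged" if result.converged else "NOT converged")
        for s in result.steps:
            rel = "" if s.relative_change is None else f"{s.relative_change:.1%}"
            print(f"  1e{s.exponent}: {s.value:.3e} {rel}")
```

The heavy-tail model shows the failure case the iterative procedure guards against: each decade adds more than the last, so stopping at any limit above the floor would discard significant cut sets.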

Source Term (Radiological Release) Analysis

Source term analysis evaluates the radiological release to the environment resulting from each severe accident sequence resulting in a release of radionuclides from its container (i.e., reactor vessel and containment, SFP storage, or dry cask storage container). The evaluation includes addressing the time, elevation, and energy of the release and the amount, form, and size of the radioactive material that is released to the environment. The source term analysis in the L3PRA project was sufficient to determine whether a large early release or a large late release occurs. As defined for the L3PRA project, a large early release is one involving the rapid, unmitigated release of airborne fission products to the environment, occurring before the effective implementation of offsite emergency response and protective actions, such that there is a potential for early health effects. Such accidents generally include unscrubbed releases associated with early containment failure at or shortly after vessel breach, containment bypass events, or loss of containment isolation. A large late release is defined as an unmitigated release occurring in a timeframe that allows effective implementation of offsite emergency response (e.g., evacuation) of the close-in population, making early health effects unlikely.

Consequence Analysis

Consequence analysis evaluates how the radiological releases to the atmosphere are transported and dispersed in the environment, how the releases are potentially deposited and accumulated, and what protective measures could potentially influence the impact of radiation doses on both the human body and the environment. For the L3PRA project, protective actions were analyzed considering evacuation, sheltering, relocation, and land and food interdiction and remediation for both short-term and long-term periods. The land use was factored into the evaluation, along with population estimates considering permanent, vocational, and transient population. Meteorological impacts from rain and wind were evaluated under different conditions, such as different time frames (hourly and yearly) and different heights. Plumes of releases were modeled to evaluate the transportation and dispersion of the release considering the dosimetry; that is, the radiation dose exposed to individuals and population groups from both the plume and land contamination. Health effects were quantified for both early fatalities and injuries and latent (cancer) fatalities and injuries. Economic factors were analyzed for both short-term and long-term consequences. Short-term factors included the costs of transport, food, housing, and lost income dependent on the relocation time period. Long-term factors included relocation of people and businesses from areas rendered uninhabitable, and decontamination and interdiction of contaminated land and property.

Reactor Risk Model

Reactor risk models were developed for the different PRA levels, operating stages and different hazards as described in Section 3.1. How the various sub-models were developed (and the technical analyses implemented) is discussed in the following sections. The Level 1, Level 2, and Level 3 PRA models for at-power conditions are discussed in Section 3.3.1, Section 3.3.2, and Section 3.3.3, respectively. The Level 1, Level 2, and Level 3 PRA models for low power and shutdown conditions are discussed in Section 3.3.4.

Level 1 At-Power Conditions PRA Model

Level 1 PRA Model for Internal Events for At-Power Conditions

The base Level 1 internal events at-power model was constructed by converting the reference plant internal events at-power PRA model to the SAPHIRE software platform. In performing the reference plant PRA using the CAFTA software, the licensee converted its event-tree-based model to a one-top fault tree CDF model to facilitate quantification. The licensee provided this converted model to the NRC for the L3PRA project. Since the licensee-provided model could not easily be converted back to an event-tree-based model, the event trees from the NRC Standardized Plant Analysis Risk (SPAR) model for the reference plant were instead used as the starting point for developing the L3PRA project Level 1 model in SAPHIRE.

The L3PRA project Level 1 model was then modified, where appropriate, based on (1) a review of the reference plant PRA model against the staff understanding of the plant design and operation using the ASME/ANS PRA standard, (2) industry peer review findings on the reference plant PRA model, (3) feedback provided by the Advisory Committee on Reactor Safeguards (ACRS), and (4) staff and contractor PRA expertise. In addition, the base Level 1 internal events model was modified to incorporate several modeling conventions for the NRC SPAR models.

Significant areas of additional work associated with the base Level 1 internal events model included:

- performing thermal-hydraulic calculations to verify system success criteria
- Bayesian updating of industry-wide data using plant-specific data
- performing an expert elicitation to support modeling and quantifying interfacing system LOCA sequences
- reevaluating HFEs that were determined to be time-critical actions or had optimistic cognitive failure probabilities, including recalculating their HEPs

A more detailed discussion of the development of the Level 1 internal events PRA model, including changes that resulted in differences with the underlying licensee reference plant model, is provided in (NRC, 2022a).

Level 1 PRA Model for Internal Floods for At-Power Conditions

The internal flooding at-power PRA model is based on the reference plant internal flooding PRA. The reference plant internal flooding PRA documentation was reviewed and flooding walkdowns at the plant site were performed to confirm the information used for developing the flood areas, flood sources, and flood accident scenarios. The flood initiating event frequencies were estimated using the generic industry flood data from EPRI's "Pipe Rupture Frequencies for Internal Flooding Probabilistic Risk Assessments, Revision 3," and updating the frequencies with plant-specific operating experience for the reference plant. The flooding scenarios were each mapped to an event tree in the internal events PRA and account for additional flood-related equipment failures. This approach was used to model the plant response and estimate the CDF for each flooding scenario. A more detailed discussion of the development of the Level 1 internal flooding PRA model is provided in (NRC, 2022b).
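The updating of generic frequencies with plant-specific operating experience described here, and the integration of generic and plant-specific data in the parameter estimation analysis, can be illustrated with conjugate priors. This is an added example, not the project's own method or code: the gamma-Poisson and beta-binomial forms, the prior values, and the plant records are all constructed assumptions.

```python
"""Conjugate Bayesian update of generic PRA parameters with plant data."""
import random
from dataclasses import dataclass


def _percentile_pair(draws, level):
    """Equal-tailed interval bounds from sorted Monte Carlo draws."""
    tail = (1.0 - level) / 2.0
    lo = draws[int(tail * (len(draws) - 1))]
    hi = draws[int((1.0 - tail) * (len(draws) - 1))]
    return lo, hi


@dataclass(frozen=True)
class GammaDist:
    """Gamma(alpha, beta) on an event frequency; beta is in reactor-years."""
    alpha: float
    beta: float

    @property
    def mean(self):
        return self.alpha / self.beta

    def update(self, events, exposure_years):
        """Poisson likelihood: add observed events and exposure time."""
        if events < 0 or exposure_years < 0:
            raise ValueError("events and exposure must be non-negative")
        return GammaDist(self.alpha + events, self.beta + exposure_years)

    def interval(self, level=0.90, n=20000, seed=1):
        """Sampled credible interval (random.gammavariate takes a scale)."""
        rng = random.Random(seed)
        draws = sorted(rng.gammavariate(self.alpha, 1.0 / self.beta)
                       for _ in range(n))
        return _percentile_pair(draws, level)


@dataclass(frozen=True)
class BetaDist:
    """Beta(a, b) on a failure-on-demand probability."""
    a: float
    b: float

    @property
    def mean(self):
        return self.a / (self.a + self.b)

    def update(self, failures, demands):
        """Binomial likelihood: add failures and successful demands."""
        if not 0 <= failures <= demands:
            raise ValueError("need 0 <= failures <= demands")
        return BetaDist(self.a + failures, self.b + demands - failures)

    def interval(self, level=0.90, n=20000, seed=1):
        rng = random.Random(seed)
        draws = sorted(rng.betavariate(self.a, self.b) for _ in range(n))
        return _percentile_pair(draws, level)


def pool_group(records):
    """Pool (component, failures, demands) records of one homogeneous group."""
    for name, failures, demands in records:
        if not 0 <= failures <= demands:
            raise ValueError(f"bad record for {name}")
    return (sum(r[1] for r in records), sum(r[2] for r in records))


# Constructed generic priors (hypothetical values, not EPRI or NRC data).
GENERIC_FLOOD_PRIOR = GammaDist(alpha=0.5, beta=250.0)   # mean 2e-3 per year
GENERIC_PUMP_PRIOR = BetaDist(a=0.5, b=249.5)            # mean 2e-3 per demand

# Constructed plant records for one component group: (id, failures, demands).
PUMP_RECORDS = [("PUMP-A", 1, 120), ("PUMP-B", 0, 130)]

if __name__ == "__main__":
    for events in (0, 1):
        post = GENERIC_FLOOD_PRIOR.update(events, exposure_years=50.0)
        lo, hi = post.interval()
        print(f"{events} flood(s) in 50 yr: mean {post.mean:.2e}/yr, "
              f"90% interval ({lo:.2e}, {hi:.2e})")
    failures, demands = pool_group(PUMP_RECORDS)
    post = GENERIC_PUMP_PRIOR.update(failures, demands)
    print(f"pump fail-to-start: prior {GENERIC_PUMP_PRIOR.mean:.2e}, "
          f"posterior {post.mean:.2e}")
```

With a weak prior (alpha of 0.5), a single observed event in 50 reactor-years moves the posterior mean from 2e-3 to 5e-3 per year, which shows how strongly sparse plant experience can pull on a generic estimate.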

Level 1 PRA Model for Internal Fires for At-Power Conditions

The Level 1, at-power, internal fire PRA model was constructed by expanding the Level 1, at-power, internal event PRA model using information from the licensee's fire PRA for the reference plant. To make the model more manageable, the model was simplified by mapping sets of fire sequences from the reference plant fire PRA into a smaller set of fire scenarios, each represented by an event tree model in the L3PRA fire PRA.

The impacts of each individual fire scenario are accounted for in the model through the application of target sets, which fail components in the system fault trees that are assumed to be damaged by the fire. The fault trees were also modified to account for potential spurious operations of systems and components due to the fire.

In addition, due to modifications to some HEPs in the L3PRA internal event PRA (as mentioned in Section 3.3.1.1), some HFEs in the reference plant fire PRA have HEPs that are lower than those for the corresponding HFEs in the L3PRA internal event PRA. The HEPs for these HFEs were reevaluated for the L3PRA fire PRA.

Since an independent fire analysis was not performed as part of the L3PRA project, the information used to develop the event trees and fault trees for the fire PRA model was obtained from the licensee's fire PRA, which had previously been peer reviewed. To further assure the adequacy of the licensee's fire PRA model based on the identified tasks in NUREG/CR-6850, "EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities" (NRC, 2005), the NRC commissioned an independent review of the licensee's fire PRA. As part of this review, a team of fire PRA experts visited the site to confirm various aspects of the modeling and support reevaluation of a selected set of fire scenarios.

A more detailed discussion of the development of the Level 1 internal fire PRA model is provided in (NRC, 2022c).

Level 1 PRA Model for Seismic Events for At-Power Condition

The Level 1 seismic at-power PRA model was constructed based on information obtained from the reference plant Level 1 seismic PRA model. The hazard and fragility curves developed by the reference plant were reviewed by NRC seismic experts for applicability. Building off this information, seismic hazard bins were defined by NRC seismic experts. The plant response model was developed in terms of seismic event trees that transfer seismic sequences to initiating event trees from the L3PRA internal event PRA, and accounts for additional seismic failures of SSCs.

In some cases, where deemed appropriate, the L3PRA project team made changes to the reference plant seismic PRA modeling, success criteria, or data. Also, as mentioned in Section 3.3.1.1, there are significant differences between the L3PRA and licensee internal event PRA models. These differences permeate all parts of the L3PRA seismic PRA (most notably, in the modeling of the response to loss of offsite power events) and affect the plant seismic CDF as well as the detailed results.

It should also be noted that the current base case L3PRA seismic model does not include the potential effects of relay chatter, since the detailed plant-specific information needed to account for this phenomenon was not available at the time the model was developed. Subsequently, however, relay-chatter analysis results were reported to the NRC in response to Fukushima Near-Term Task Force Recommendation 2.1. Based on that information, a relay chatter sensitivity analysis was performed and is documented in (NRC, 2022d).

A more detailed discussion of the development of the Level 1 seismic PRA model is provided in (NRC, 2022d) and (NRC, 2022e). Reference (NRC, 2022d) focuses on the seismic plant response analysis of the Level 1 seismic PRA model, with summary sections on seismic hazard and seismic fragility analyses. Reference (NRC, 2022e) contains a detailed description and a review of the seismic hazard and seismic fragility analyses performed by the licensee.

Level 1 PRA Model for High Winds for At-Power Conditions

The Level 1 high-winds PRA for the L3PRA project involved a wind hazard analysis, wind fragility analysis, and plant response analysis that produced a plant CDF for wind-related events during power operation. The types of high-wind events considered in the analysis included tornados, hurricanes, and straight winds. A plant walkdown by a high-wind expert was done. Based on this walkdown, wind hazard frequencies were calculated, and wind fragilities for SSCs were evaluated. A high wind plant response analysis was performed that included all significant wind-caused initiating events and other failures that could lead to core damage or radioactive material release. The model was adapted from the internal events, at-power PRA model to incorporate unique wind-analysis aspects that were different from the at-power, internal events PRA model. A more detailed discussion of the development of the Level 1 high wind PRA model is provided in (NRC, 2022f).

Other Hazards Evaluation

The general approach for the other hazards evaluation consists of four major steps: 1) review plant licensing bases and plant-specific data, 2) identify the set of hazards to be considered in the analysis, 3) perform a progressive screening analysis to eliminate non-risk-significant hazards from further consideration, and 4) develop a PRA for each hazard that does not screen out. This approach is based primarily on the guidance provided in NUREG-1407, "Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities" (NRC, 1991).

Table 3-3 summarizes the fundamental criteria, both qualitative and quantitative, used to determine that a hazard could be screened out. Table 3-4 lists all the internal and external hazards considered in the L3PRA project, based primarily on the list of hazards provided in Appendix 6-A of ASME/ANS RA-Sa-2009. For the purposes of this evaluation, other hazards are considered to be hazards other than the internal events, internal flood, internal fire, seismic, and high wind hazards; these five hazards have been noted in the table with an asterisk and have been evaluated and documented separately from this evaluation.

A more detailed discussion of the other hazards evaluation is provided in (NRC, 2022g).

Table 3-3 Other Hazards Screening Criteria L3PRA Project

1. The hazard does not result in a plant trip (manual or automatic) or a controlled manual plant shutdown while at power and does not impact any SSCs that are required for accident mitigation from at-power transients or accidents. If credit is taken for operator actions to correct a condition to avoid a plant trip or controlled shutdown, it needs to be ensured that the credited operator actions and associated equipment have an exceedingly low probability of failure (i.e., collectively less than or equal to 1×10⁻⁵) following the applicable supporting requirements in subsection 2-2.5 in Part 2 of ASME/ANS RA-Sa-2009.
2. The hazard cannot occur close enough to the plant to affect it. This criterion must be applied taking into account the range of magnitudes of the event for the recurrence frequencies of interest.
3. The hazard is included in the definition of another analyzed hazard.
4. The hazard has a significantly lower mean frequency of occurrence than another hazard, taking into account the uncertainties in the estimates of both frequencies, and the hazard could not result in worse consequences than the consequences from the other hazard. "Significantly lower" implies that the screened hazard has a mean frequency of occurrence that is at least two orders of magnitude less than (i.e., no more than one percent of) the compared hazard.
5. It can be shown using a demonstrably conservative analysis that the current design-basis hazard has a mean frequency less than 1×10⁻⁵ per year, and the mean value of the conditional core damage probability is assessed to be less than 1×10⁻¹.
6. The CDF of the external hazard, calculated using a bounding or demonstrably conservative analysis, has a mean frequency that is less than 1×10⁻⁶ per year.

Table 3-4 Other Hazards and Their Analyzed Impacts

Hazard | Analyzed Hazard Impacts
Aircraft Impact | A direct or indirect (i.e., skidding impact) collision of a portion of or an entire aircraft with one or more structures, systems, or components (SSCs) at or in the area surrounding the plant site.
Avalanche (snow) | Dynamic loading of SSCs and impacts on natural water supplies used for heat rejection due to a rapid flow of a large mass of accumulated frozen precipitation and other debris down a sloped surface.
Biological Events | Accumulation or deposition of vegetation or organisms (e.g., zebra mussels, clams, fish, algae, etc.) on an intake structure or internal to a system that uses raw cooling water from a source of surface water.
Coastal Erosion | Removal of material from a shoreline of a body of water (e.g., river, lake, ocean) due to surface processes (e.g., wave action, tidal currents, wave currents, drainage, or winds). This hazard includes riverbed scouring.
Drought | A shortage of surface water supplies due to a period of below-average precipitation in a given region.
Dust Storm | Dust infiltration into SSCs due to atmospheric transport of sand or dust driven by persistent heavy winds.
External Fire: |
  Wildfire | Direct (e.g., thermal effects) and indirect effects (e.g., generation of combustion products) of a fire in an area of combustible vegetation (e.g., trees, grass, etc.) outside the plant boundary.
External Flooding: |
  Flooding Due to Local Intense Precipitation | Flooding that results from intense local rainfall.
  Flooding Due to a Hurricane (Tropical Cyclone) | Flooding that results from a hurricane (tropical cyclone). For example, storm surge, flooding due to rivers and streams, flooding due to dam failure, flooding due to intense rainfall, and flooding due to seiche, as induced by a hurricane.
  Flooding Due to Rivers and Streams | Flooding that results from the overflow of water from the banks of a river or stream due to intense and/or persistent regional rainfall.
  Flooding Due to Dam Failure | Flooding that results from the failure (i.e., structural collapse, severe leakage, or overtopping) of a dam that produces excess water flow past the structure.
  Flooding Due to Ice Blockage | Flooding due to downstream blockages of ice on a river.
  High Tide | Flooding due to the periodic maximum rise of sea level above mean sea level.
  River Diversion | Flooding that results from the redirection of all or a portion of river flow by natural causes (e.g., a riverine embankment landslide) or human actions (e.g., power production, irrigation, etc.).
  Seiche | Flooding from water displaced by an oscillation of the surface of a landlocked body of water, such as a lake, that can vary in period from minutes to several hours. A seiche may result from seismic activity or may be wind-driven.
  Storm Surge | Flooding that results from an abnormal rise in sea level due to atmospheric pressure changes and strong wind generally accompanied by an intense storm other than a hurricane.
  Tsunami | Flooding that results from a series of long-period sea waves that are usually generated by an impulsive disturbance that displaces massive amounts of water, such as an earthquake occurring on or near the sea floor, major submarine slides, or landslides.
Extraterrestrial Object Impacts | A release of energy due to the impact of a space object such as a meteoroid, comet, or man-made object with the Earth's atmosphere, a direct impact with the Earth's surface, or a combination of these effects. This hazard is analyzed with respect to direct impacts of an SSC and indirect impact effects such as thermal effects (e.g., direct heating), overpressure effects, seismic effects, and the effects of ejecta resulting from a ground strike.
Fog | Analyzed with respect to effects on the frequency of occurrence for other hazards such as transportation accidents.
Frost | Analyzed with respect to temperature effects and is typically governed by the effects of snow and ice.
Hail | Direct impact of hailstones on SSCs.
High Ambient Temperature | Effects on SSC operation due to abnormally high ambient temperatures resulting from weather phenomena.
* High Wind: |
  Tornado | Dynamic loading on SSCs due to wind and missiles generated from a tornado.
  Straight Wind | Dynamic loading on SSCs due to wind and missiles generated by a strong wind that is not associated with either tornadoes or tropical cyclones.
  Hurricane (Tropical Cyclone) Winds | Dynamic loading on SSCs due to wind and missiles generated from a hurricane (tropical cyclone).
Ice Cover | Reduced flow or blockage of water systems due to the accumulation of ice on or in (i.e., frazil ice) a body of water (e.g., lakes, rivers, ocean, etc.) or the water system itself. This hazard is also analyzed for the effects of static loading of SSCs due to ice accumulation.
Industrial or Military Facility Accidents | An accident at an offsite industrial or military facility that results in a release of toxic gases, a release of combustion products, a release of radioactivity, an explosion, or the generation of missiles.
* Internal Events | Failures of SSCs and human errors internal to the defined plant boundary.
* Internal Fire | Effects of fire that originates within the defined plant boundary.
* Internal Flood | Flooding that results from leaks or ruptures of liquid systems (e.g., tanks, pipes, valves, pumps) originating inside the plant site boundary.
Landslide | Dynamic loading of SSCs or impacts on natural water supplies used for heat rejection due to movement of rock, soil, and mud down a sloped surface (i.e., does not include frozen precipitation).
Lightning | Effects on SSCs due to a sudden electrical discharge from a cloud to the ground or Earth-bound object.
Low Ambient Temperature | Effects on SSC operation due to abnormally low ambient temperatures resulting from weather phenomena.
Low Lake or River Water Level | A shortage of surface water supplies due to a decrease in the water level of a body of water (e.g., lake, river, ocean) used for power generation.
Onsite Hazardous Material Release | A release of toxic gases, a release of combustion products, a release of radioactivity, an explosion, or the generation of missiles due to an onsite accident involving the hazardous materials. In this context, an onsite release of radioactivity is assumed to be associated with low-level radioactive waste.
Pipeline Accident | A release of hazardous material, a release of combustion products, an explosion, or generation of missiles due to an accident involving the rupture of a pipeline carrying hazardous materials.
* Seismic | Failure of equipment due to a sudden ground motion or vibration of the Earth as produced by a rapid release of stored-up energy along an active fault.
Snow | Static loading of accumulated snow on SSCs.
Soil Shrink-Swell | Dynamic forces on structures' foundations due to the expansion (swelling) and contraction (shrinking) of soil resulting from changes in the soil moisture content.
Transportation Accidents | A release of toxic gases, a release of combustion products, an explosion, or generation of missiles due to an accident involving a land-based or marine vehicle transporting hazardous materials.
Turbine-Generated Missiles | Damage to safety-related structures, systems, and components (SSCs) from a missile generated from rotating turbines. Damage may result from a falling missile or a missile ejected directly toward safety-related SSCs (i.e., low-trajectory missiles).
Volcanic Activity | Direct impacts include seismic effects, tephra (i.e., rock fragments and particles ejected by volcanic eruption), lava flows, lahars (i.e., mud flows down volcano slopes), volcanic gases, pyroclastic flows (i.e., fast-moving flow of hot gas and volcanic matter moving down and away from a volcano), and landslides. Indirect impacts include distant ash fallout (e.g., 10s to potentially 1,000s of miles away).
Waves | Wave effects are accounted for in various other hazards, such as flooding due to rivers and streams and seiche.

Level 2 At-Power Conditions PRA Model

A Level 2 at-power conditions PRA model for internal events and internal floods was developed that served as the base model that was subsequently expanded to address other hazards.

Level 2 PRA Model for Internal Events and Internal Floods for At-Power Conditions

The reactor at-power Level 2 PRA model for internal events and floods was developed using the technical elements described in Section 3.2. The majority of the modeling was developed by NRC, but some aspects leverage the reference plant Level 2 PRA model (e.g., the containment isolation system model). The Level 2 PRA model extends the previously-described Level 1 PRA accident sequences by considering containment systems, performing plant damage state binning, and quantifying post-core damage accident response. Plant damage state binning was used to facilitate deterministic analysis and manage the flow of information across the Level 1 to Level 2 PRA interface, but all Level 1 PRA sequences and cut sets were processed through the Level 2 PRA in an integrated fashion. The outcome of the Level 2 PRA is a set of release categories, each with a frequency and associated source term.

The principal technical elements addressed in the Level 2 PRA include:

- Level 1/Level 2 PRA interface
- Containment capacity analysis
- Severe accident progression analysis
- Probabilistic treatment of accident progression
- Radiological source term analysis
- Evaluation and presentation of results
- Level 2/Level 3 PRA interface

A more detailed discussion of the development of the Level 2 PRA model for internal events and internal floods is provided in (NRC, 2022h).

Level 2 PRA Model for Internal Fires, Seismic Events, and High Winds for At-Power Condition

The reactor at-power Level 2 PRA for internal fires, seismic events, and high winds leverages the NRC-developed Level 2 PRA for internal events and floods. It utilizes the same modeling constructs (containment systems tree, plant damage state binning, containment event tree with supporting decomposition event trees, release categories) as the internal events and floods model, along with the same method for quantification and tabulation of results. The key difference is the modification of the embedded modeling elements (e.g., system models, human failure events) to account for unique aspects of the fire, seismic, or high winds initiating events (e.g., seismic fragility of a given system or effect of fire-induced main control room abandonment). Each of these three hazard groups is quantified separately, resulting in a set of release category frequencies for each hazard group.

A more detailed discussion of the development of the Level 2 PRA model for internal fires, seismic events, and high winds is provided in (NRC, 2022i).

Level 3 At-Power Conditions PRA Model

A Level 3 at-power conditions PRA model for internal events and internal floods was developed that served as the base model that was subsequently expanded to address other hazards.

Level 3 PRA Model for Internal Events and Internal Floods for At-Power Conditions

The reactor at-power Level 3 PRA model for internal events and internal floods was developed using the technical elements described in Section 3.2. The L3PRA offsite consequence analysis is intended to be a state-of-practice analysis, and as such, much of the work is based on or adapted from earlier analyses.

The MACCS code was selected for the offsite consequence analysis component of the L3PRA project because:

- it is one of the current standard code systems used for probabilistic consequence analysis
- it has a long pedigree, record of continuous development, and extensive history of application to a wide variety of assessments
- it provides the capability to model a wide variety of features, events, and processes (i.e., atmospheric transport and deposition, exposure and dose assessment from multiple pathways, protective actions, acute and stochastic health effects, and economic impacts) in a fully coupled fashion
- it allows for probabilistic treatment of potential weather conditions at the time of the release.

The principal technical elements addressed in the Level 3 PRA include:

- Radionuclide release characterization for Level 3 PRA
- Meteorological data
- Atmospheric transport and dispersion
- Protective action parameters and other site data
- Economic factors
- Dosimetry
- Health effects
- Conditional consequence quantification and reporting
- Risk integration

In the risk integration technical element, the results from the Level 2 PRA radiological release frequency analysis are combined with the corresponding results from the Level 3 PRA offsite radiological consequence analysis to provide an overall characterization of the risk to the offsite public from a broad spectrum of postulated accidents involving the modeled nuclear power plant site. This overall characterization includes a characterization of uncertainty and identification of significant contributors to risk. Such contributors stem from events, phenomena, or modeling assumptions addressed in all three analysis levels within a Level 3 PRA.

A more detailed discussion of the development of the Level 3 PRA model for internal events and internal floods is provided in (NRC, 2022j).

Level 3 PRA Model for Internal Fires, Seismic Events, and High Winds for At-Power Conditions

The reactor at-power Level 3 PRA model for internal fires, seismic events, and high winds leverages the NRC-developed Level 3 PRA for internal events and floods. The MACCS model parameters are largely based on those used for internal events and floods. The methods used for quantification of offsite consequences, and the risk measures selected for tabulation, are also based on the Level 3 PRA for internal events and floods. The key differences relate to the evacuation model, which was modified to account for the expected adverse conditions associated with seismic events and high winds.

A more detailed discussion of the development of the Level 3 PRA model for internal fires, seismic events, and high winds is provided in (NRC, 2022k).

Reactor at Low Power and Shutdown Conditions for Internal Events PRA Model

A low power and shutdown (LPSD) PRA was developed for this project using the technical elements described in Section 3.2. The Level 1, Level 2, and Level 3 PRA models for LPSD conditions are discussed in Section 3.3.4.1, Section 3.3.4.2, and Section 3.3.4.3, respectively.

Level 1 PRA Model for Internal Events for LPSD Conditions

The LPSD PRA was developed by reviewing plant operating experience, procedures, calculations, and other information sources related to outage operations at the reference plant. A plant walkdown during a refueling outage and interviews with plant staff were performed. The LPSD PRA was informed by past LPSD risk studies, notably NUREG/CR-6144, Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry, Unit 1. The NRC staff also has experience in developing shutdown accident scenarios in support of the SPAR model program. The event trees developed for the SPAR models served as a starting point for the LPSD PRA and were updated to reflect plant-specific information.

A set of plant operating states (POSs) were defined to evaluate the various plant configurations and activities performed during outages. Operational characteristics such as reactor power, reactor coolant system (RCS) temperature, RCS pressure, coolant level, equipment availability, maintenance activities, decay heat load, RCS status (e.g., vented or intact), and containment configuration were examined to identify those relevant to defining the POSs. The fraction of time spent in each POS was estimated using plant-specific information.

Initiating events relevant to the POSs or groups of POSs were identified using a systematic process involving review of past LPSD studies, generic operating experience data, and plant-specific information. Criteria were developed to prioritize the accident sequence analysis work on the most risk-significant conditions and accidents. The criteria considered containment status, time to reach RCS saturation temperature, and event frequency.

The highest priority accident scenarios were further analyzed to determine success criteria, develop mitigating system models, and perform human reliability analysis. These scenarios were incorporated into the model to estimate the CDF contribution due to shutdown operations during a refueling outage.

Some outage types, POSs, and initiating event categories were addressed qualitatively, but are not modeled in the LPSD PRA model. The LPSD PRA model scope is also limited to internal events only. Other hazard categories (e.g., internal fire, internal flooding, and seismic events) were not addressed due to limitations in project resources.

A more detailed discussion of the development of the Level 1 internal events PRA model for LPSD conditions is provided in (NRC, 2023a).

Level 2 PRA Model for Internal Events for LPSD Conditions

The reactor LPSD Level 2 PRA uses the same basic modeling approach as the at-power Level 2 PRA models (containment systems tree, plant damage state binning, containment event tree with supporting decomposition event trees, release categories). However, each of these was modified to address the unique aspects of shutdown operation (e.g., the containment systems tree has an additional top event associated with containment hatch and airlock status, the plant damage state binning used different top events and categories, and some post-core damage phenomena were eliminated due to lack of relevance). In addition, modifications were also made to embedded modeling elements (e.g., system models and phenomenological representations) to account for unique aspects of shutdown operation (e.g., systems being out for extended maintenance and the effect of having the reactor pressure vessel head removed).

The outcome of the Level 2 PRA is a set of release categories that consolidates all modeled initiating events and plant operating states.

A more detailed discussion of the development of the Level 2 internal events PRA model for LPSD conditions is provided in (NRC, 2023b).

Level 3 PRA Model for Internal Events for LPSD Conditions

The reactor LPSD Level 3 PRA for internal events leverages the NRC-developed at-power Level 3 PRA for internal events and floods. It uses a MACCS input deck that is largely based on the one developed for the reactor, at-power PRA for internal events and floods. The methods used for quantification of offsite consequences, and the risk measures selected for tabulation, are also based on the Level 3 at-power PRA for internal events and floods. The key differences relate to (1) radiological source terms (due to different accident progression characteristics and different core radiological inventories, associated with different periods following shutdown), and (2) the timing of protective action recommendations for these unique source terms.

A more detailed discussion of the development of the Level 3 internal events PRA model for LPSD conditions is provided in (NRC, 2023c).

SFP Risk Model

A Level 1 PRA model was developed for the SFP to analyze fuel damage frequency (i.e., comparable to CDF from a Level 1 PRA for the reactor). Separate Level 2 and Level 3 PRA models were constructed as well.

SFP Level 1 and Level 2 PRA Model

A prioritization and screening analysis was performed to focus the development of the SFP PRA model. The prioritization considered (1) the amount of time available before hazardous conditions develop on the refueling floor that may preclude recovery actions, and (2) the time available before significant fuel uncovery. These timings are influenced by the level of decay heat in the SFP, the rate of leaking from the pool, and the amount of sloshing from a seismic event. Consequently, an SFP model was developed only for (1) seismic events (with fuel uncovery resulting from some combination of SFP leakage, sloshing, and boil-off), and (2) non-seismic large loss of inventory on the reactor side (which leads to inventory loss from the SFP through the transfer tube). The model basically follows the technical elements described in Section 3.2 for the identified scope.

After developing the initial SFP Level 1 and Level 2 PRA model, an alternative prioritization analysis was performed to identify additional SFP accident scenarios to include as sensitivity analyses. These additional scenarios do not result in fuel damage until at least 7 days after event initiation.

A more detailed discussion of the development of the SFP Level 1 and Level 2 PRA model is provided in (NRC, 2023d).

SFP Level 3 PRA Model

The SFP Level 3 PRA leverages the NRC-developed reactor at-power Level 3 PRAs for internal events and seismic events. The key differences relate to (1) radiological source terms (due to different accident progression characteristics and different spent fuel pool radiological inventories), and (2) the timing of protective action recommendations for these unique source terms. Also, for those SFP scenarios initiated by external events, differences may arise due to the modified evacuation model, which accounts for the expected adverse conditions associated with seismic events and high winds.

A more detailed discussion of the development of the SFP Level 3 PRA model is provided in (NRC, 2023e).

Dry Cask Storage Risk Model

A separate PRA model for dry cask storage to analyze fuel damage (i.e., comparable to a Level 1 PRA for the reactor) was not developed. Instead, a single integrated Level 1 and Level 2 model was constructed.

DCS Level 1 and Level 2 PRA Model

To analyze the risk from DCS operations, a single integrated Level 1 and Level 2 PRA model was constructed. A surrogate for CDF (i.e., comparable to a Level 1 PRA for the reactor) was not defined. The integrated Level 1 and Level 2 DCS PRA model was based on the model developed in NUREG-1864 (NRC, 2007), with improvements to make the model more realistic and account for site-specific features of DCS operations at the reference site. The PRA model in NUREG-1864 was based on a HOLTEC HISTORM-100 cask, which is a similar version of the cask used at the reference site (i.e., HISTORM-100S). Previous DCS analyses (e.g., EPRI DCS PRA [EPRI, 2004]) and other information sources (e.g., NMSS events database) were also used as input. A literature review and a hazard and operability study were performed to identify events with the potential to compromise the integrity of the DCS barriers (e.g., canister confinement, fuel rod cladding, and HVAC filtration) and result in a release of radioactive materials. These events were analyzed in detail and the event frequency, the conditional probability of breaching the barriers, the frequency of release, and corresponding source terms were estimated.

A more detailed discussion of the development of the DCS Level 1 and Level 2 PRA model is provided in (NRC, 2022l).

DCS Level 3 PRA Model

The Level 3 DCS PRA was conducted using the initial MACCS input decks developed for the reactor at power internal events offsite consequence model with modifications to account for differences between the DCS analysis and the reactor analysis. The MACCS model used as input the source terms developed for each DCS event, along with other release parameters (e.g., event release timeframes). The MACCS results were used to calculate the frequency-weighted consequences for each of the events.

Major differences of this DCS PRA model when compared to past DCS PRA models include the following:

- a more detailed and realistic structural analysis for cask drops and tipovers
- a site-specific failure model for the vertical cask transporter crane (including failures due to operator actions)
- an expanded fuel assembly misload analysis
- more consequence metrics reported than just individual latent cancer fatality risk

A more detailed discussion of the development of the DCS Level 3 PRA model is provided in (NRC, 2022l).

Site Risk Model

The integrated site PRA technical element focuses on multi-source accident scenarios involving more than one major site radiological source, including (1) operating reactor units, (2) SFPs, and (3) the dry cask storage facility. A key assumption in the technical approach to developing the integrated site PRA model is that important multi-source accident scenarios can be identified and modeled by (1) logically combining important accident scenarios from the PRA models for each individual radiological source that serve as inputs to the integrated site PRA element, and (2) accounting for the impact of dependencies between sources on multi-source accident scenario frequencies or consequences.

Existing guidance and experience for performing multi-unit PRAs is incorporated into the overall ISR approach with particular focus on the identification of potential sitewide dependencies such as sitewide initiating events, shared physical resources and equipment, and expansion of common cause failure groups across radiological sources. The identification of sitewide dependencies allows the sitewide risk modeling to appropriately represent scenarios that involve failures for multiple radiological sources versus those that involve only independent failures. In addition, the ISR task developed and uses risk metrics that allow stakeholders to easily compare ISR results to traditional PRA results.

4. REFERENCES

EPRI, 2004 Electric Power Research Institute, Probabilistic Risk Assessment (PRA) of Bolted Storage Casks Updated Quantification and Analysis Report, EPRI-1009691, 2004.

NRC, 1990 U.S. Nuclear Regulatory Commission, Severe Accident Risk: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, December 1990 (ADAMS Accession No. ML040140729).

NRC, 2005 EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, EPRI 1011089 - NUREG/CR-6850, August 2005.

NRC, 2007 U.S. Nuclear Regulatory Commission, A Pilot Probabilistic Risk Assessment of a Dry Cask Storage System at a Nuclear Power Plant, NUREG-1864, March 2007.

NRC, 2022a U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 3a, Part 1: Reactor, At-Power, Level 1 PRA for Internal Events, Part 1 - Main Report, April 2022 (ADAMS Accession No. ML22067A211).

NRC, 2022b U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 3b: Reactor, At-Power, Level 1 PRA for Internal Flooding, April 2022 (ADAMS Accession No. ML22067A213).

NRC, 2022c U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 4a: Reactor, At-Power, Level 1 PRA for Internal Fires, Month 2022 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2022d U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 4b: Reactor, At-Power, Level 1 PRA for Seismic Events, Part 1 - Main SPRA Report, Month 2022 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2022e U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 4b: Reactor, At-Power, Level 1 PRA for Seismic Events, Part 2 - Review of Seismic Hazard Analysis and SSC Seismic-Fragility Analysis, Month 2022 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2022f U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 4c: Reactor, At-Power, Level 1 PRA for High Winds, Month 2022 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2022g U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 4d: Reactor, At-Power, Other Hazards Evaluation, Month 2022 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2022h U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 3c: Reactor, At-Power, Level 2 PRA for Internal Events and Floods, April 2022 (ADAMS Accession No. ML22067A214).

NRC, 2022i U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 4e: Reactor, At-Power, Level 2 PRA for Internal Fires, Seismic Events, and High Winds, Month 2022 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2022j U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 3d: Reactor, At-Power, Level 3 PRA for Internal Events and Floods, April 2022 (ADAMS Accession No. ML22067A215).

NRC, 2022k U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 4f: Reactor, At-Power, Level 3 PRA for Internal Fires, Seismic Events, and High Winds, Month 2022 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2022l U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 7: Dry Cask Storage PRA, Month 2022 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2023a U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 5a: Reactor, Low Power and Shutdown, Level 1 PRA for Internal Events, Month 2023 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2023b U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 5b: Reactor, Low Power and Shutdown, Level 2 PRA for Internal Events, Month 2023 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2023c U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 5c: Reactor, Low Power and Shutdown, Level 3 PRA for Internal Events, Month 2023 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2023d U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 6a: Spent Fuel Pool Level 1 and Level 2 PRA, Month 2023 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2023e U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 6b: Spent Fuel Pool Level 3 PRA, Month 2023 (ADAMS Accession No. MLxxxxxxxxx).

NRC, 2024 U.S. Nuclear Regulatory Commission, U.S. NRC Level 3 Probabilistic Risk Assessment (PRA) Project, Volume 1: Summary Report, Draft for Comment, Month 2024 (ADAMS Accession No. MLxxxxxxxxx).

APPENDIX A QUALITY ASSURANCE PLAN FOR THE LEVEL 3 PRA PROJECT

Quality Assurance (QA) is a key factor in any analysis to ensure and demonstrate the technical acceptability of the analysis and probabilistic risk assessment (PRA) model fidelity. The objective of QA is to ensure both that the technical approach (methods, tools, data) is appropriate and that implementation of the technical approach is appropriately performed. To achieve this objective, QA involves seven major elements, which are discussed in the following sections:

- Section A.1 - Use of established methods, tools and data
- Section A.2 - Qualified personnel
- Section A.3 - PRA model configuration control
- Section A.4 - Technical review of the methods, tools, data, and developed models
- Section A.5 - Documentation control
- Section A.6 - Technical reports
- Section A.7 - QA program implementation audits

A.1 Established Methods, Tools and Data

The PRA model will generally be based on state-of-practice methods, tools (e.g., computer codes) and data, that is, those that have been established and accepted (including verification and validation where applicable) in the risk community (i.e., U.S. Nuclear Regulatory Commission (NRC) and industry). Examples of sources include:

- Consensus standards
- Internal and external guidance documents
- Accepted generic structures, systems and components (SSCs) performance data (where plant specific data is not available)
- Validated codes

For each technical task[15], the method, tools and data being used will be documented along with the basis for their acceptability (e.g., NRC endorsement). This documentation is identified for each technical task in the Technical Analysis Approach Plan (TAAP) report and described in Section A.5.

A.2 Qualified Personnel

Qualified individuals are needed to perform the work. Their qualifications depend on whether the analyst is (1) a performer or (2) a reviewer.

A performer is an individual who develops some aspect of the PRA model. A performer, whether a team leader, a task leader, or an analyst, will need to have some level of expertise. Certainly, an analyst can develop the qualifications with on-the-job training; however, the task and team leaders need to be more experienced personnel who bring actual experience in the area they are leading. If an analyst has little to no experience, their work will be closely supervised and monitored by their task leader. PRA consensus standards and Regulatory Guide (RG) 1.200[16] do not prescribe qualifications for the team performing the actual work. Moreover, one of the major objectives of the Level 3 PRA project is to train inexperienced staff in how to construct a PRA model.

15 Technical tasks are the technical steps that will be performed to accomplish the technical element.

A reviewer is an individual who has some role in reviewing the actual work and making judgments about its technical acceptability. In this regard, these individuals must have a certain level of expertise, and on-the-job training is not acceptable. Both RG 1.200 and the PRA standards provide peer review personnel qualifications. These requirements should be met unless otherwise justified.

A.3 PRA Model Configuration Control

Ensuring that the analysts are using the same information and same models and that the reviews are being performed on the most recent model and documentation is important in ensuring the fidelity of the PRA model. Developing a PRA model involves numerous tasks being performed by many different analysts. It is, therefore, essential that the information collected, and the models developed for this project, be controlled so that all of the analysts use the same information and models. The control of the developed models is discussed in this section. The control of information is discussed in Section A.5.

The Idaho National Laboratory (INL) will host and maintain the SAPHIRE-based models developed as part of the Level 3 PRA project. INL will provide the necessary technical management and oversight to ensure efforts by INL or NRC staff (including work performed by other NRC contractors and provided to INL by the NRC) to create, revise or otherwise modify the Level 3 PRA project models are coordinated and the models are properly integrated. These model enhancements may include the creation, addition, revision or other modification of a low-power/shutdown model, all-hazards model (e.g., fire, external flooding, seismic, etc.), Level 2 PRA model, multi-unit model, spent fuel pool model, or any other extended model applicable to the construct of the overall Level 3 PRA project model.

To the extent practicable, the methodology, quality, and philosophy used to develop the current set of Standardized Plant Analysis Risk (SPAR) models for the operating commercial nuclear power plants will be used to develop the external event model, low-power/shutdown model, extended Level 1 PRA model, and Level 2 PRA model for the Level 3 PRA project. This includes model construct, event nomenclature, assumptions, preferred technical positions, and other key aspects of the existing models to allow NRC staff the ease of use of the models.

INL will identify a single point of contact to act as the Level 3 PRA project model coordinator (Coordinator). The Coordinator will maintain a log and track all permanent revisions to the model including the reason for the revision, assumptions, deviations from preferred technical positions, and any other information deemed important to understanding the model or the revision to the model. The Coordinator will ensure that the appropriate model revision is being used and that the effort results in a properly integrated model. The Coordinator will also coordinate INL model integration activities. Version control software, suitable to this task and with sufficient documentation capabilities, may be used by INL, subject to approval by the NRC staff.

16 Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 1, U.S. Nuclear Regulatory Commission, Washington, DC, January 2007.

When multiple revisions to the enhanced Level 3 PRA project model are planned by INL or NRC staff, INL will coordinate the activities of the different modelers. This is to ensure that the model developers use the appropriate model version(s) and that the final product does not include models that were constructed based on an obsolete model version.

INL will also perform quality control (QC) and QA reviews of the new or revised models. This is to ensure that the model represents the as-built, as-operated plant to the extent practicable.

Similar QA criteria and processes used for the existing SPAR models will be used to review the Level 3 PRA project models. This includes (as appropriate and as practical) satisfying the criteria and processes in the Standardized Plant Analysis Risk (SPAR) Model QA Plan,[17] the latest approved INL QC/QA processes, applicable sections of Volume 3 of the RASP Handbook,[18] RG 1.200, and other applicable guidance.[19]

A.4 Technical Reviews

In ensuring technical acceptability, different types of review may be performed. These involve five types, which are discussed in the following sections:

- Section A.4.1 - review by a Technical Advisory Group
- Section A.4.2 - internal self-assessment
- Section A.4.3 - external peer reviews
- Section A.4.4 - review by the Advisory Committee on Reactor Safeguards
- Section A.4.5 - public review and comment

Each of these reviews has different objectives and scope, which are described below.

A.4.1 Technical Advisory Group

The objective of the Technical Advisory Group (TAG), as specified in the TAG charter,[20] is to: (1) review progress in the development of the Level 3 PRA, and (2) provide insight, advice, and guidance on (a) the technical bases, tools, methods, models, and data for the project, (b) the interpretation of the results of the various PRA models and the overall PRA model, and (c) the response to comments received from the external peer reviews of the study. In this role, the TAG will serve as an ongoing review team that will provide review and feedback as the project progresses. Also, as part of its initial review responsibility, the TAG will review the TAAP to provide feedback on the approach being used to perform the work.

As stated earlier, the approach used for the Level 3 PRA project will be based on plant information and established methods, tools and data. Where the plant information or the methods, tools or data do not exist to develop certain aspects of the PRA model, other sources such as expert opinion will be used. The TAG will play a key role in addressing the acceptability of such proposed approaches. Furthermore, it is expected that the TAG will play a fundamental role in resolving technical or programmatic issues that may arise.

17 Standardized Plant Analysis Risk (SPAR) Model QA Plan, Revision 0, U.S. Nuclear Regulatory Commission, Washington, DC, September 2006 (not publicly available).

18 Risk Assessment of Operational Events Handbook, Volume 3 - SPAR Model Reviews, Revision 1, U.S. Nuclear Regulatory Commission, Washington, DC, September 2007 (not publicly available).

19 For example: American Nuclear Society, American National Standard External-Events PRA Methodology, ANSI/ANS-58.21-2003, December 2003.

20 Charter for the Technical Advisory Group on the Full-Scope Site Level 3 Probabilistic Risk Assessment Project, ADAMS Accession Number ML120410123 (not publicly available).

The TAG will consist of senior technical staff in the area of PRA, and in supporting technical areas (e.g., seismic hazard and plant response), as well as an experienced PRA representative from the Electric Power Research Institute and from industry.[21] The Office of Nuclear Regulatory Research (RES)/Division of Risk Analysis (DRA) staff will chair and coordinate the TAG, which will meet periodically. The TAG Chairman will be responsible for leading and moderating the TAG meetings, and will serve as the TAG spokesperson, as necessary, in briefings to NRC and project management. The TAG Coordinator, in consultation with the Level 3 PRA Project Program Manager and the TAG Chairman, will develop and disseminate the agenda for each TAG meeting. The TAG Coordinator will also be responsible for organizing and recording the minutes of the TAG meetings and maintaining an electronic repository to provide reports, publications, and other technical information as background for all TAG meetings.

Table A-1 provides a template for the TAG review documentation. This template (or a similar documentation format) is to be used to document the results of the TAG reviews performed for the Level 3 PRA project.

Table A-5 TAG Review Documentation Template

Reviewer:
Responsible Analyst:
Risk Source: [Reactor, Spent Fuel Pool, Dry Cask Storage, Integrated Risk]
Hazard: [e.g., internal events]
Level: [1, 2 or 3]
Technical Element:
Date:

Columns of the template and the content expected in each:

SR: List the applicable supporting requirement (SR) using the standard index number; if an SR is not applicable, then use the technical element 2 to 4 digit abbreviation (xxxx) and the finding numbered sequentially (yy) with a T (i.e., xxxx-yy-T). If criteria were developed and used, then reference the criterion number (see Table 2).

Finding: Describe the finding, what is the issue, why it is a concern; explanation needs to clearly explain the concern and the basis for the concern.

Recommended Resolution: Describe the recommendation to resolve the concern; the explanation needs to be sufficiently detailed so that the analyst understands what needs to be revised in the PRA to resolve the concern.

Implemented Resolution: Analyst describes the response to the finding and recommendation, describing how it was resolved; the explanation should not be just an accept, but an explanation of exactly how it was resolved (e.g., how the PRA model was revised).

21 This individual was initially a staff member of NextEra Energy Resources and then became an employee of Westinghouse.

A.4.2 Internal Self-Assessment

The objective of the internal self-assessment is to further ensure the technical acceptability of the work as the PRA model is being developed. The PRA model will be developed based on established and accepted methods, tools, and data as documented in, for example, consensus standards and guidance documents. For each technical element, a review of the work is performed using the process described below.

The full-scope site Level 3 PRA model consists of models developed by a volunteer licensee for one of their plants (referred to as the reference plant), and those developed internally by the NRC. Parts of the reference plant PRA model have received an industry peer review, using the ASME/ANS Level 1 PRA Standard.[22] The self-assessment process will take advantage of the industry peer review. Figure A-1 provides the process for self-assessment. This process involves 5 steps as discussed below.

Figure A-4 Process Used for Self-Assessment

[Flowchart. Step 1: Was an independent industry peer review performed? Step 2: Were the peer review findings adequately addressed or not significant? Step 3: Revise PRA model (technical task) accordingly. Step 4: Perform a self-assessment. Step 5: Document the resolution of the findings and the self-assessment. End: PRA model (technical task) acceptable; self-assessment complete.]

Generally, the self-assessment is performed by the technical element leader or the responsible analyst, or it may be performed by an internal NRC team. If the work is performed by a contractor, the self-assessment is performed by an NRC team (with contractor support). The purpose of using an NRC team instead of the contractor to perform the self-assessment is for the NRC to have ownership of the work; that is, to understand the details of constructing the model.

In Step 1, the self-assessment reviewer determines whether an independent industry peer review was performed. This decision will determine the scope of the self-assessment; that is, the analyst is determining whether the self-assessment can take advantage of the independent peer review performed on the reference plant PRA. If an independent peer review was not performed, then the reviewer needs to perform a complete self-assessment (Step 4). If an independent peer review was performed, then the significance of the peer review results and resolutions needs to be assessed (Step 2).

[22] ASME/ANS RA-Sa-2009, Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, Addendum A to RA-S-2008, ASME, New York, NY, American Nuclear Society, La Grange Park, Illinois, February 2009.

In Step 2, the reviewer determines if the findings from the peer review were addressed and if they appropriately addressed the issue. If the peer review findings were adequately addressed or were not adequately addressed but determined not to be significant to the PRA, then the reviewer goes to Step 4 to perform the self-assessment. If the peer review findings are determined to not be adequately addressed and are significant to the PRA, then the reviewer needs to revise the PRA model to correct the issue (Step 3).

Significance can be determined both qualitatively and quantitatively, as follows:

Qualitative - The finding can result in changing the basic structure of the PRA model (e.g., success criteria such that the accident sequence progression is changed, different initiating events and/or frequencies, different human events and/or frequencies, different equipment failure probabilities).

Quantitative -

o Significant accident sequences are impacted. A significant sequence is one of the set of sequences, defined at the functional or systemic level that, when ranked, compose 95% of the core damage frequency (CDF) or the large early release frequency/large release frequency (LERF/LRF), or that individually contribute more than ~1% to the CDF or LERF/LRF.

o Significant basic event/contributors are impacted. Significant basic events (i.e., equipment unavailabilities and human failure events) are those that have a Fussell-Vesely importance[23] greater than 0.005 or a risk-achievement worth greater than 2.
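The quantitative screen above, worked through on a small model as an added example that is not part of the NRC report. The event names, probabilities and frequencies are constructed; the rare-event approximation, the ratio form of risk-achievement worth, and counting the sequence that crosses the 95% line as significant are assumptions of this sketch.

```python
from math import prod

FV_THRESHOLD = 0.005        # Fussell-Vesely importance threshold (from the text)
RAW_THRESHOLD = 2.0         # risk-achievement worth threshold (from the text)
CUMULATIVE_FRACTION = 0.95  # ranked sequences that compose 95% of CDF
INDIVIDUAL_FRACTION = 0.01  # or individually more than ~1% of CDF

# Constructed basic-event probabilities (hypothetical names and values).
BASIC_EVENTS = {
    "DG-A": 2e-2, "DG-B": 2e-2, "HFE-ALIGN": 1e-2, "PUMP-1": 3.6e-4,
    "VALVE-7": 1e-4, "RELIEF-2": 2e-5, "NONREC-8H": 0.5,
}

# Constructed sequences: (initiating event frequency per year, minimal cut sets).
SEQUENCES = {
    "LOOP-01": (1e-2, [("DG-A", "DG-B"), ("DG-A", "HFE-ALIGN")]),
    "TRANS-03": (1.0, [("PUMP-1", "HFE-ALIGN")]),
    "SLOCA-02": (3e-3, [("VALVE-7",)]),
    "SGTR-05": (2e-3, [("RELIEF-2", "NONREC-8H")]),
}


def sequence_frequency(ie_freq, cut_sets, probs):
    """Rare-event approximation: IE frequency times the sum of cut set products."""
    return ie_freq * sum(prod(probs[e] for e in cs) for cs in cut_sets)


def total_risk(sequences, probs):
    """Total frequency (e.g., CDF) summed over all sequences."""
    return sum(sequence_frequency(f, cs, probs) for f, cs in sequences.values())


def significant_sequences(sequences, probs):
    """Sequences in the ranked 95% set, plus any contributing more than 1%."""
    freqs = {n: sequence_frequency(f, cs, probs) for n, (f, cs) in sequences.items()}
    total = sum(freqs.values())
    if total <= 0:
        return set()
    significant, cumulative = set(), 0.0
    for name, freq in sorted(freqs.items(), key=lambda kv: kv[1], reverse=True):
        in_ranked_set = cumulative < CUMULATIVE_FRACTION * total
        if in_ranked_set or freq > INDIVIDUAL_FRACTION * total:
            significant.add(name)
        cumulative += freq
    return significant


def importance(event, sequences, probs):
    """Return (Fussell-Vesely, RAW) for one basic event.

    FV is the fractional risk reduction with the event probability set to zero;
    RAW is the ratio of risk with the event failed (probability 1) to base risk.
    """
    base = total_risk(sequences, probs)
    if base <= 0:
        raise ValueError("base risk must be positive")
    without = total_risk(sequences, {**probs, event: 0.0})
    failed = total_risk(sequences, {**probs, event: 1.0})
    return (base - without) / base, failed / base


def significant_basic_events(sequences, probs):
    """Basic events with FV > 0.005 or RAW > 2, mapped to their (FV, RAW)."""
    result = {}
    for event in probs:
        fv, raw = importance(event, sequences, probs)
        if fv > FV_THRESHOLD or raw > RAW_THRESHOLD:
            result[event] = (fv, raw)
    return result


if __name__ == "__main__":
    print("CDF:", total_risk(SEQUENCES, BASIC_EVENTS))
    print("Significant sequences:", sorted(significant_sequences(SEQUENCES, BASIC_EVENTS)))
    for name, (fv, raw) in sorted(significant_basic_events(SEQUENCES, BASIC_EVENTS).items()):
        print(f"{name:10s} FV={fv:.4f} RAW={raw:.1f}")
```

In this model RELIEF-2 falls below the Fussell-Vesely threshold and is caught only by risk-achievement worth, while NONREC-8H passes neither test, which is why the criterion uses both measures.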

In Step 3, the reviewer revises the PRA model to resolve the inadequacy. After the PRA is revised, the reviewer goes to Step 4 to perform the self-assessment.

In Step 4, the self-assessment is performed using the guidance in RG 1.200. As such, the self-assessment:

o Uses a set of desired PRA characteristics and attributes as the basis for review
o Uses a minimum list of review topics to ensure coverage, consistency, and uniformity
o Reviews PRA methods
o Reviews application of methods
o Reviews assumptions and assesses their validity and appropriateness
o Determines if the PRA represents the as-built and as-operated plant
o Reviews results of each PRA technical element for reasonableness
o Reviews PRA maintenance and update process
o Reviews PRA modification attributable to use of different model, techniques, or tools
o Reviews against modifications to the standard, if there is a standard

In evaluating the above, if a standard exists, then the requirements in the standard are used as the basis for the self-assessment in determining whether, for example, the desired attributes and characteristics provided in RG 1.200, Section 1 are met. If a PRA standard does not exist for a particular hazard or technical element, then criteria are developed to perform the self-assessment. These criteria are detailed enough to judge the technical acceptability of the work. They should be at a level of detail consistent with that of the standard for hazards or technical elements addressed by a standard. These criteria are documented using Table A-2 (or a similar documentation format). Once the self-assessment (Step 4) is complete, the reviewer should go to Step 5 to document the results.

[23] For a specified basic event, Fussell-Vesely importance is the relative contribution of the basic event to the calculated risk. This relative or fractional contribution is obtained by determining the reduction in risk of setting the probability of the basic event to zero. Risk-achievement worth is the increase in risk if a plant feature (e.g., system or component) is assumed to be failed or always unavailable. Depending on how the increase in risk is measured, the risk achievement worth can either be defined as a ratio or an interval. Sometimes risk achievement worth is referred to as risk increase.

Table A-6 Self-Assessment and Peer Review Criteria Where Standards Do Not Exist

Source of Risk:
Hazard:
PRA Level:
Technical Element:

Criteria | Criteria

In numbering the criteria, use the technical element 2-4 digit abbreviation (xxxx) and the criteria numbered sequentially (yy) with a "C" (i.e., xxxx-yy-C).

In Step 5, the reviewer documents the self-assessment using Tables A-3 and A-4 (or a similar documentation format). Table A-3 can be generated using the ePSA Risk and Reliability software. This program populates some of the fields in the table automatically based on the ASME/ANS Level 1 PRA standard. For those parts of the PRA not covered by this standard, the ePSA software cannot be used, and the analyst will have to create the table using the template and the criteria developed and documented in Table A-2. The purpose of Table A-4 is to provide a high-level summary of the conclusions of the self-assessment.

After Step 5, the initial self-assessment is complete.

The elements of the Level 1 PRA that require complete or focused review can be assessed using the guidance in RG 1.200 supported by the requirements provided in the ASME/ANS PRA Standard. Those aspects of the PRA models that do not have a final consensus standard, but do have a standard that is being developed, will be reviewed using the high-level requirements stipulated in the latest draft of the specific standards. This process will be used for the self-assessment review of the Level 2, Level 3, and low power and shutdown PRA. For the PRA models for which a standard does not exist or is not being developed (i.e., dry cask storage [DCS], spent fuel pool [SFP]), elements of these models that have similar bases as compared to those of the Level 1 PRA (e.g., initiating event analysis, data analysis, human reliability analysis, accident sequence analysis, consequence analysis, source term determination, quantification/uncertainty analysis, etc.) can be reviewed using the requirements for the similar technical areas in the Level 1 through Level 3 PRA standards, bearing in mind the differences in the requirements related to reactor versus those for the DCS/SFP.

Table A-7 Self-Assessment Documentation Template

Section | Finding ID | Cat II Requirement | Self-Assessment | Finding | Comment | Resolution

Cat II Requirement: The supporting requirement for Capability Category II from the ASME/ANS Level 1 PRA standard is generated automatically if using the ePSA software; however, if this standard does not apply, the template is used and the defined criteria are entered manually from Table 2.

Self-Assessment: Describe the assessment, describe what was done, whether a concern was found or not. Describe the concern, why it is a concern; explanation needs to clearly explain the concern and the basis for the concern. If no concern is found, describe the basis for why it is believed the requirement (or criterion) was met. Describe the proposed fix to resolve the concern; the explanation needs to be sufficiently detailed so that it is understood what needs to be revised in the PRA to resolve the concern.

Finding: As a result of the self-assessment, if a concern is found, i.e., a finding, then a "Y" is marked; if there is no finding, then an "N" is marked.

Comment: Any additional explanations that are relevant to the self-assessment are discussed.

Resolution: Analyst describes the response to the finding and the proposed fix, describing how it was resolved; the explanation should not be just an "accept," but an explanation of exactly how it was resolved (e.g., how the PRA model was revised).

Table A-8 Overall Results of Self-Assessment Process

Reviewer:
Responsible Analyst:
Risk Source:
Hazard:
Level:
Technical Element:
Date:

Criteria | Conclusion

Reference Plant Industry Peer Review
1 | Was an independent peer review performed on the reference plant PRA?
2 | Was the scope of the peer review adequate?
3 | Did the peer review meet the staff position defined in Regulatory Guide 1.200 for an acceptable peer review?
4 | Were the peer review findings adequately addressed in the PRA?

General Conclusions
5 | Is the identified list of information needed to accomplish the task reasonably complete?
6 | Does the plant information appropriately represent the as-built and as-operated plant?
7 | Was the plant information used in an acceptable manner?
8 | Are the assumptions for each task identified?
9 | Are the assumptions for each task adequately justified (appropriate)?
10 | Do the results (both interim and final) appear reasonable given the design, operation and historical performance of the plant?

Specific Conclusions

Conclusion: Describe the conclusion and the basis for the conclusion; may refer to self-assessment table.

Specific Conclusions: Describe unique or specific conclusions, if any, and the basis for the conclusion.

For example, the initiating event analysis for a SFP PRA uses similar techniques and processes as those used for a Level 1 reactor PRA. The high-level requirements for the reactor PRA model can be used for the SFP PRA model (the specifics of SFP are presented in parentheses) as indicated below:

o HLR-IE-A - The initiating event analysis shall provide a reasonably complete identification of initiating events.
o HLR-IE-B - The initiating event analysis shall group the initiating events so that events in the same group have similar mitigation requirements to facilitate an efficient but realistic estimation of CDF (or fuel damage frequency).
o HLR-IE-C - The initiating event analysis shall estimate the annual frequency of each initiating event or initiating event group.

Individual supporting requirements can be tailored for use in SFP PRA self-assessment.

Table A-5 provides an example self-assessment process for the SFP PRA. In the absence of any standard, the technical elements of the SFP PRA defined in the TAAP are compared to the similar elements of the Level 1 reactor at-power internal events PRA discussed in the ASME/ANS Standard. Tables A-5 and A-6 identify both the high-level requirements and the supporting requirements that are common and applicable for the self-assessment review of the SFP PRA.

Table A-9 Example: Mapping of the HLRs of SFP PRA and At-Power Level 1 PRA

Task # | At-Power Level 1 PRA Technical Elements (HLR) | SFP PRA Technical Elements
1 | IE Analysis: Identification; Grouping; Analysis | IE Analysis: Identification [24]; Grouping; Analysis; Operating Cycle Discretization [25]
2 | Accident Sequence Analysis: CDF Accident Scenario Description; Treatment of Dependencies | Accident Sequence Analysis: Fuel Uncovery Accident Scenario Description; Treatment of Dependencies
3 | Systems Analysis: Treatment of Causes for System failure; Treatment of CCF; Treatment of Dependencies | Systems Analysis: Treatment of Causes for System Failure; Treatment of CCF; Treatment of Dependencies
4 | Success Criteria: Defining Overall SSC and Human Action Success Criteria; Using Thermal/Hydraulic, Structural and other supporting Engineering Bases to Drive SC | Structural Analysis: Defining Overall SSC and Human Action Success Criteria; Using Thermal/Hydraulic, Structural and other supporting Engineering Bases to Drive SC; Identification of FP failure modes and locations; SFP Structural Integrity Analysis; SSCs Structural Integrity Analysis
5 | Data Analysis | Data Analysis
6 | Human Reliability Analysis: Identifying routines of activities; Screening of activities; Defining HFEs; Assessing HFE Probability; Identifying Operator Accident Response; Defining Response HFEs; Assessing Response HFE Probability; Modeling Recovery Actions | Human Reliability Analysis: Identifying routines of activities; Screening of activities; Defining HFEs; Assessing HFE Probability; Identifying Operator Accident Response; Defining Response HFEs; Assessing Response HFE Probability; Modeling Recovery Actions
7 | Quantification | Quantification

[24] Includes hazard and low-likelihood event screening.

[25] Discretizing the reactor operating cycle into a finite set of operating cycle phases (OCPs) can be considered to be akin to the plant operating states considered in a low power and shutdown PRA, with respect to the amount of decay heat that needs to be considered. This process determines the time available to respond to an accident, before fuel damage occurs.

Table A-10 Applicability of SRs of the At-Power Level 1 PRA to the SFP PRA

Technical Element | HLR | Supporting Requirement | Applies (Y/N) | Comment
1 | IE-A | IE-A1 | Y | Except instead of core damage (CD) it considers fuel damage (FD)
  |  | IE-A2 | Y | Except the IE categories reduce to fuel uncovery and loss of power
  |  | IE-A3 | Y |
  |  | IE-A4 | Y |
  |  | IE-A5 | Y |
  |  | IE-A6 | Y |
  |  | IE-A7 | Y |
  | IE-B | IE-B1 | Y |
  |  | IE-B2 | Y |
  |  | IE-B3 | Y | Note: The timing and the effect on the operability and performance of operators and relevant mitigating systems is one criterion to consider. The operating cycle discretization influences this timing factor.
  |  | IE-B4 | Y |
  |  | IE-B5 | N |
  | IE-C | IE-C1 | Y |
  |  | IE-C2 | Y |
  |  | IE-C3 | Y |
  |  | IE-C4 | Y |
  |  | IE-C5 | Y |
  |  | IE-C6 | Y | Screening the low-frequency events
  |  | IE-C7 | Y |
  |  | IE-C8 | Y |
  |  | IE-C9 | Y |
  |  | IE-C10 | Y |
  |  | IE-C11 | Y |
  |  | IE-C12 | Y |
  |  | IE-C13 | Y |
  |  | IE-C14 | N |
2 | AS-A | AS-A1 | Y |
  |  | AS-A2 | Y | Except that instead of preventing core damage, fuel damage should be considered
  |  | AS-A3 | Y |
  |  | AS-A4 | Y |
  |  | AS-A5 | Y |
  |  | AS-A6 | Y |
  |  | AS-A7 | Y |
  |  | AS-A8 | Y | Except that instead of the core damage end state, the fuel damage end state should be considered
  |  | AS-A9 | Y |
  |  | AS-A10 | Y |
  |  | AS-A11 | Y |
  | AS-B | AS-B1 | Y |
  |  | AS-B2 | Y | Except for examples
  |  | AS-B3 | Y |
  |  | AS-B4 | Y |
  |  | AS-B5 | Y |
  |  | AS-B6 | Y |
  |  | AS-B7 | Y | Except examples (b) and (c)
3 | SC-A | SC-A1 | N | Applies to fuel damage
  |  | SC-A2 | Y | Modifies the parameters and SCs to be used in determining the fuel damage
  |  | SC-A3 | Y |
  |  | SC-A4 | Y | If applicable
  |  | SC-A5 | Y |
  |  | SC-A6 | Y |
  | SC-B | SC-B1 | Y |
  |  | SC-B2 | Y |
  |  | SC-B3 | Y |
  |  | SC-B4 | Y | Except for fuel damage
  |  | SC-B5 | Y |
4 | SY-A | SY-A1 | Y |
  |  | SY-A2 | Y |
  |  | SY-A3 | Y |
  |  | SY-A4 | Y |
  |  | SY-A5 | Y | Except for fuel damage
  |  | SY-A6 | Y |
  |  | SY-A7 | Y |
  |  | SY-A8 | Y |
  |  | SY-A9 | Y |
  |  | SY-A10 | Y |
  |  | SY-A11 | Y |
  |  | SY-A12 | Y |
  |  | SY-A13 | Y |
  |  | SY-A14 | Y |
  |  | SY-A15 | Y |
  |  | SY-A16 | Y |
  |  | SY-A17 | Y |
  |  | SY-A18 | Y |
  |  | SY-A19 | Y |
  |  | SY-A20 | Y |
  |  | SY-A21 | Y |
  |  | SY-A22 | Y |
  |  | SY-A23 | Y |
  |  | SY-A24 | Y |
  | SY-B | SY-B1 | Y |
  |  | SY-B2 | Y |
  |  | SY-B3 | Y |
  |  | SY-B4 | Y |
  |  | SY-B5 | Y |
  |  | SY-B6 | Y |
  |  | SY-B7 | Y |
  |  | SY-B8 | Y |
  |  | SY-B9 | Y |
  |  | SY-B10 | Y |
  |  | SY-B11 | Y |
  |  | SY-B12 | Y |
  |  | SY-B13 | Y |
  |  | SY-B14 | Y |
  |  | SY-B15 | Y |
5 | HR-A | HR-A1 | Y |
  |  | HR-A2 | Y |
  |  | HR-A3 | Y |
  | HR-B | HR-B1 | Y |
  |  | HR-B2 | Y |
  | HR-C | HR-C1 | Y |
  |  | HR-C2 | Y |
  |  | HR-C3 | Y |
  | HR-D | HR-D1 | Y |
  |  | HR-D2 | Y |
  |  | HR-D3 | Y |
  |  | HR-D4 | Y |
  |  | HR-D5 | Y |
  |  | HR-D6 | Y |
  |  | HR-D7 | Y |
  | HR-E | HR-E1 | Y |
  |  | HR-E2 | Y | Except for preventing or mitigating fuel damage
  |  | HR-E3 | Y |
  |  | HR-E4 | Y |
  | HR-F | HR-F1 | Y |
  |  | HR-F2 | Y |
  | HR-G | HR-G1 | Y |
  |  | HR-G2 | Y |
  |  | HR-G3 | Y |
  |  | HR-G4 | Y |
  |  | HR-G5 | Y |
  |  | HR-G6 | Y |
  |  | HR-G7 | Y |
  |  | HR-G8 | Y |
  | HR-H | HR-H1 | Y |
  |  | HR-H2 | Y |
  |  | HR-H3 | Y |
6 | DA-A | DA-A1 | Y |
  |  | DA-A2 | Y |
  |  | DA-A3 | Y |
  |  | DA-A4 | Y |
  | DA-B | DA-B1 | Y |
  |  | DA-B2 | Y |
  | DA-C | DA-C1 | Y |
  |  | DA-C2 | Y |
  |  | DA-C3 | Y |
  |  | DA-C4 | Y |
  |  | DA-C5 | Y |
  |  | DA-C6 | Y |
  |  | DA-C7 | Y |
  |  | DA-C8 | Y |
  |  | DA-C9 | Y |
  |  | DA-C10 | Y |
  |  | DA-C11 | Y |
  |  | DA-C12 | Y |
  |  | DA-C13 | Y |
  |  | DA-C14 | Y |
  |  | DA-C15 | Y |
  |  | DA-C16 | Y |
  | DA-D | DA-D1 | Y |
  |  | DA-D2 | Y |
  |  | DA-D3 | Y |
  |  | DA-D4 | Y |
  |  | DA-D5 | Y |
  |  | DA-D6 | Y |
  |  | DA-D7 | Y |
  |  | DA-D8 | Y |
7 | QU-A | QU-A1 | Y |
  |  | QU-A2 | Y | Except for fuel damage frequency
  |  | QU-A3 | Y | Except for fuel damage frequency
  |  | QU-A4 | Y | Except for fuel damage frequency
  |  | QU-A5 | Y |
  | QU-B | QU-B1 | Y |
  |  | QU-B2 | Y |
  |  | QU-B3 | Y | The example applies to fuel damage frequency
  |  | QU-B4 | Y |
  |  | QU-B5 | Y |
  |  | QU-B6 | Y | Except for fuel damage frequency
  |  | QU-B7 | Y |
  |  | QU-B8 | Y |
  |  | QU-B9 | Y |
  |  | QU-B10 | Y |
  | QU-C | QU-C1 | Y |
  |  | QU-C2 | Y |
  |  | QU-C3 | Y |
  | QU-D | QU-D1 | Y |
  |  | QU-D2 | Y |
  |  | QU-D3 | Y |
  |  | QU-D4 | Y |
  |  | QU-D5 | Y |
  |  | QU-D6 | Y | Except for fuel damage frequency
  |  | QU-D7 | Y |
  | QU-E | QU-E1 | Y |
  |  | QU-E2 | Y |
  |  | QU-E3 | Y | Except for fuel damage frequency
  |  | QU-E4 | Y |

A.4.3 External Peer Reviews

The objective of the external peer reviews is to provide independent reviews of the technical acceptability of the developed PRA model and its results. There are two types of peer review planned, which are discussed in the following sections:

o Section A.4.3.1 - PRA Standard Peer Review
o Section A.4.3.2 - Independent Expert Peer Review

The first peer review is similar to the peer reviews performed by industry and follows the peer review process as required by the ASME/ANS PRA standard and employs the NEI peer review guidance. The purpose of the ASME/ANS peer review is "to assess the PRA to the extent necessary to determine if the methodology and its implementation meet the requirements of this standard" and "... to determine strengths and weaknesses in the PRA." The peer reviewers are industry individuals whose qualifications as acceptable peer reviewers are provided in the ASME/ANS PRA standard as endorsed in RG 1.200.[26] A major qualification includes independence from the team who developed the PRA model under review.

The second peer review is also an independent review performed by a team of experts. Many of these reviewers are likely to come from academia and national laboratories.

A.4.3.1 PRA Standard Peer Review

ASME/ANS have developed PRA standards that provide the necessary technical requirements for what constitutes a technically acceptable PRA based on state-of-the-practice methods. One objective of the Level 3 PRA project is to develop a PRA based on current state-of-the-practice methods.

To the extent practical, the PRA standard peer reviews will be conducted for all major parts of the Level 3 PRA project at various points throughout the performance of the study. This approach will allow peer review findings to be addressed in a timely manner. It will, as opposed to performing one large, comprehensive external peer review at the end of the project, minimize the extent of potential re-work.

Where PRA standards (either final or draft for trial use) are available, they will provide the basis for the peer review. If a standard is in draft for trial use stage, the peer review part of the standard will be reviewed and additional guidance will be developed, if needed, to make it acceptable to the staff. If a PRA standard does not exist (e.g., spent fuel pool), review criteria will be developed to support the peer review of the PRA scope item.

The reviews will be performed consistent with the process described in RG 1.200 and supplemented with other related guidance. The peer review teams will be comprised of individuals who are independent from the project. It is envisioned that the standard peer reviews will be performed by industry (e.g., the Pressurized Water Reactor (PWR) Owners Group (OG) and consultants), supplemented by NRC staff (e.g., Regional senior reactor analysts (SRAs)). In determining whether the technical requirements in the standard have been met, the level of detail of the PRA model review goes beyond the technical bases, tools, methods, models, assumptions and data for the project, as well as interpretation of the study results. It also involves reviewing how the various models (e.g., accident sequence development, systems analyses) were constructed. In this regard, actual plant-specific information is needed. The peer reviewers are required to sign a non-disclosure agreement since this information is proprietary.

[26] Regulatory Guide 1.200, Rev. 2, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, March 2009.

The scope of the peer review will be documented prior to each peer review and provided to the peer review team. Table A-7 provides a suggested format for documenting the peer review findings (it is the same as the TAG review documentation template previously provided in Table A-1).

It is expected that the peer review team will generate a peer review report. This report will describe the process, team members (and their qualifications), and basis for review findings. It is further expected that the Level 3 PRA project task leader will review the peer review findings and document how each finding will be resolved. The results of the standard peer reviews will be provided to the Level 3 Program Manager and to the Document Controller.

Table A-11 External Peer Review Documentation Template

Reviewer:
Responsible Analyst:
Risk Source: [Reactor, Spent Fuel Pool, Dry Cask Storage, Integrated Risk]
Level: [1,2,3]
Hazard: [e.g., internal events]
Technical Element:
Date:

SR | Finding | Recommended Resolution | Implemented Resolution

SR: List the applicable supporting requirement (SR) using the standard index number; if an SR is not applicable, then use the technical element 2-4 digit abbreviation (xxxx) and the finding numbered sequentially (yy) with a "P" (i.e., xxxx-yy-P). If criteria were developed and used, then reference the criterion number (see Table 2).

Finding: Describe the finding, what is the issue, why it is a concern; explanation needs to clearly explain the concern and the basis for the concern.

The level of significance of the concern should be listed including the basis for level of significance assessed; see below for explanation of significance.

Recommended Resolution: Describe the recommendation to resolve the concern; the explanation needs to be sufficiently detailed so that the analyst understands what needs to be revised in the PRA to resolve the concern.

Implemented Resolution: Analyst describes the response to the finding and recommendation, describing how it was resolved; the explanation should not be just an "accept," but an explanation of exactly how it was resolved (e.g., how the PRA model was revised).

o High Significance -- the issue needs resolution to ensure the technical adequacy of the PRA, the capability of the PRA, or the robustness of the PRA update process.

o Medium Significance -- The issue needs resolution to maintain maximum flexibility in PRA applications and consistency with Industry practices (as endorsed by the NRC) or simply to enhance the PRA's technical capability as time and resources permit. It is unlikely that the technical adequacy of the PRA is impacted.

o Low Significance -- The issue does not impact the technical adequacy of the PRA.

A.4.3.2 Independent Expert Peer Review

The purpose of the Independent Expert Peer Review (IEPR) is not to determine if the ASME/ANS PRA standard requirements were met, but to perform a high-level peer review by a team of known national or international PRA experts, primarily from academia and national laboratories. The IEPR is intended to complement the public review and comment of the draft NUREG documenting the results of this project. The main objective is to determine strengths and weaknesses in the PRA. In this regard, the IEPR involves reviewing the technical bases, tools, methods, models, assumptions and data for the project, as well as interpretation of the study results. It does not involve reviewing how the various models (e.g., accident sequence development, systems analyses) were constructed.

Consistent with available project resources, this IEPR is intended to be performed at the end of the project. If project resources are not available to separately conduct this IEPR, public comments from subject matter experts will be sought during the public comment period of the draft NUREG documenting the results of this project (see Section A.4.5 below). Instructions for submitting public comments will be developed that include key aspects of the guidance below for the IEPR. If an IEPR is not performed, a report documenting the resolution of the public comments may be prepared and included with the project documentation.

The scope of the peer review will be documented prior to each peer review and provided to the IEPR team. The documentation of the IEPR will include the following:

Identification of the reviewer and the part of the Level 3 PRA project reviewed (which radiological sources, PRA Level(s), operating state(s), and hazard(s)).

Description of the findings, what is the issue, why it is a concern (i.e., the basis for the concern).

Identification of the level of significance of the issue and the basis for the significance. The significance will be identified as:

   o High Significance -- the issue needs resolution to ensure the technical adequacy of the PRA, the capability of the PRA, or the robustness of the PRA update process.

   o Medium Significance -- The issue needs resolution to maintain maximum flexibility in PRA applications and consistency with Industry practices (as endorsed by the NRC) or simply to enhance the PRA's technical capability as time and resources permit. It is unlikely that the technical adequacy of the PRA is impacted.

   o Low Significance -- The issue does not impact the technical adequacy of the PRA.

Description of the proposed recommendation to resolve the concern; the explanation needs to be sufficiently detailed so that the analyst understands what needs to be revised in the PRA to resolve the concern.

It is expected that the IEPR team will generate a peer review report. This report will describe the process, team members (and their qualifications), and basis for review findings. It is further expected that the Level 3 PRA project task leader will review the IEPR findings and document how each finding will be resolved; the explanation should not be just an accept, but an explanation of exactly how it was resolved (e.g., how the PRA model was revised). The results of the IEPR will be provided to the Level 3 Program Manager and to the Document Controller.

A.4.4 Advisory Committee on Reactor Safeguards

The objective of the Advisory Committee on Reactor Safeguards (ACRS) review for the Level 3 PRA project is to: (1) monitor progress in the development of the Level 3 PRA and (2) provide insight, advice, and guidance on the technical bases, tools, methods, models, assumptions and data for the project, as well as on interpretation of the study results.

The ACRS Reliability and PRA Subcommittee will be briefed approximately twice a year to obtain their feedback on the technical approaches and assumptions employed in the Level 3 PRA project.

A.4.5 Public Review and Comment

As part of the documentation, a final summary of the results of the Level 3 PRA project will be published. This report will provide the various results of the study, and will also summarize the various tools, methods, models, assumptions and data used. This summary report (or reports) will be published for public review and comment.

A public meeting will be held to brief the public on the report(s) and answer questions. A second meeting will be held to provide responses to the public comments.

Each team leader is responsible for addressing the public comments associated with their part of the study.

A.5 Documentation Control

Documentation control is a key factor in any analysis to ensure and demonstrate the technical acceptability of the analysis. For each technical task, the method, tools, data and other information being used will be documented along with the basis for their acceptability (e.g., NRC endorsement). The documentation for each technical task is identified in the TAAP, and the document control process for this project is described in this section.

As mentioned above, the information to be documented includes the following:

Methods
Tools
Data
Other information - this includes the various information (other than methods, tools and data) used to develop the PRA model; for example:
   o plant design information reflecting the normal and emergency configurations of the plant
   o plant operational information with regard to plant procedures and practices
   o plant history (plant, system, and component performance)
   o plant test and maintenance procedures and practices
   o engineering aspects of the plant design
Analytical work
Results

Given the large amount of information of various types required to construct and report the results of the Level 3 PRA project, an appropriate medium is needed to store and access this information. This medium must have the ability for the project analysts to store, retrieve, edit, and control the information. SharePoint has been selected to be the medium, and the primary repository for Level 3 PRA project information will be referred to as the Level 3 PRA SharePoint site.

The Level 3 PRA project Documentation Coordinator will primarily be responsible for document control. The Documentation Coordinator will be in charge of the various tasks needed to ensure the SharePoint site runs smoothly and remains organized and will be responsible for receiving information from the licensee, processing it, and ensuring that the information gets to contractors and the SharePoint site in a reasonable timeframe, as well as ensuring that vital information is routinely backed up.

Documentation control for this project involves the following major elements, each of which is described in a separate section below:

Section A.5.1 - Storage and access of project information
Section A.5.2 - Upload of information onto the SharePoint site
Section A.5.3 - Documentation control of licensee information
Section A.5.4 - Documentation backup
Section A.5.5 - Use of external storage media
Section A.5.6 - Working document folders
Section A.5.7 - Use of templates and forms for documentation
Section A.5.8 - Site Visits
Section A.5.9 - Documentation control for NRC Contractors
Section A.5.10 - Non-disclosure agreement to allow access to proprietary information
Section A.5.11 - Project documentation markings
Section A.5.12 - Guidance for addressing potential technical issues
Section A.5.13 - Future plant modifications
Section A.5.14 - Organization of the various types of information on the SharePoint site

A.5.1 Storage and Access of Project Information

As mentioned above, SharePoint has been selected as the medium to store and access the Level 3 PRA project information. SharePoint has the necessary flexibility to organize and store the information in a manner consistent with the needs of the project. It also allows for dynamic changes to the organization and site as new needs arise over the course of the project.

Moreover, controls can be used to limit access to the information; for example, who is allowed to access the information and who is allowed to edit documents. These controls will help ensure that files are not accidentally deleted or edited without the author's approval. SharePoint also has an established backup procedure that ensures data integrity. Therefore, SharePoint provides a mechanism to ensure that information will not be lost or corrupted.

The information stored on the SharePoint site is only accessible by the project team members who have access to the NRC's local area network.

A.5.2 Upload of Information onto the SharePoint Site

As the work progresses, the project team members will occasionally need to place files onto the Level 3 PRA Project SharePoint site. These files will include information that only the individual analyst will need to access, or that needs to be shared with other members of the task team or with the entire project team. Moreover, there may need to be restrictions, for example, on who has permission to edit these files.

Although most team members may not edit or modify most of the files stored on the SharePoint site, any project team member has permission to upload files into the temporary storage location titled "Inbox." Once a file is uploaded into the Inbox, the Documentation Coordinator will move the file from the Inbox to its proper read-only location.

In order to upload files, there is a link on the right-hand side of the front page that is titled "Inbox: Upload documents to the L3PRA website." Once on the Inbox page, the upload button is clicked and the analyst chooses the files to be placed on the site. In uploading each file, a brief description of the file and the last edited date is included in the Notes section. The restrictions on who has access, edit capability, etc., can be found in Table A-11 for the different types of information.

A.5.3 Documentation Control of Licensee Information

The information received from the licensee will also be stored on the SharePoint site. The information on the SharePoint site will be read-only, with the exception of the personal working files (discussed in Section A.5.6). This administrative control will prevent inadvertent changes to information obtained from the licensee. All information received from the licensee will also be maintained on read-only CD-ROMs or DVDs so that, in the event of an inadvertent change on SharePoint, the original data can be restored. Moreover, there is information received from the licensee which is proprietary and not available to the public, and therefore needs to be protected. When information is received from the licensee in support of this project, a proprietary determination is conducted for each submittal.[27] Once this proprietary determination is conducted and approved by the Office of the General Counsel, the information is placed on the SharePoint site for all NRC Level 3 PRA Project Team members. The specific SharePoint folder that contains this information is clearly marked as Proprietary. If this information is needed by a contractor to perform their work, the information is then copied onto an encrypted external media device (usually a CD-ROM, marked as Proprietary, if applicable) and sent to the contractor along with a notice, if applicable, that the CD-ROM contains proprietary information and should be handled appropriately.

[27] RES Office Instruction ADM-003, Revision 1, Procedures for Handling Request to Withhold Proprietary Information, May 11, 2012, ADAMS Accession Number ML12132A139 (not publicly available).

In addition, the licensee may occasionally send updated information, or may resend the same information. These occurrences may cause confusion as to which version of the information is the most current. It is, therefore, essential that the information be administratively controlled such that different information is not being used in developing the model by different analysts.

The use of SharePoint for file hosting will greatly simplify this process. The Documentation Coordinator will ensure that the data on the SharePoint site is the most current, up-to-date information that the NRC has received from the licensee and will notify the entire project team when new information from the licensee is added to the SharePoint site. This notification will identify what information is being added and whether it updates any information currently existing on the site.

A.5.4 Documentation Backup

Using SharePoint to store and access all the information connected with the Level 3 PRA Project will ensure a high level of data integrity. The files on SharePoint are backed up several times a week and copies are maintained both onsite and offsite. If SharePoint is corrupted, this process ensures that there will be minimal loss of information, and progress of the project can continue given an extreme event. In addition to this automatic NRC backup of the information, once a week the Documentation Coordinator will copy all of the information on the Level 3 PRA SharePoint site onto an external media device. This backup of the files will be stored onsite for rapid recovery of files. Information that is not able to be placed on the SharePoint site will also be backed up and maintained.

A.5.5 Use of External Storage Media

There may be types of information that are not permitted to be uploaded onto the NRC's SharePoint Site. This type of information generally involves large files and executable files (e.g., Access Database files and files that end in .exe). Therefore, an external media storage device that has been approved for use on NRC equipment will be available, on request, for project team members to back up these files. This external media device will be stored and maintained by the Document Coordinator.

In addition, some Level 3 PRA team members may develop work products that will not be able to be backed up onto the working documents section of SharePoint, described in Section A.5.6. An example of this type of work is the MELCOR calculations being completed on high performance computers. The personnel working on these types of files will be given a separate external media device that will allow them to regularly back up their work.

A.5.6 Working Document Folders

For this project, there is a tremendous amount of information that is part of the technical work performed (e.g., code calculations) that is essential to retain. This information is critical in being able to understand how the PRA model was ultimately constructed. To ensure that this information is not lost, each analyst will store their work on the SharePoint site. The site will have a section with a separate folder assigned to each major technical area of the study. These working document folders will be viewable by all members of the project team; however, write access will only be available to the cognizant task leader. Task leaders can ask the Documentation Coordinator to provide write access for their folder to other team members (e.g., if multiple team members are collaborating on the development of a document or file).

Each analyst of the Level 3 PRA project will store their working files and other important information relevant to the project in the associated working document folder on the SharePoint site instead of their personal computer or some other location. Given the back-up features in place for the Level 3 PRA project information on the SharePoint site, this will ensure that all the necessary information being used in the project is properly saved and stored.

A.5.7 Use of Templates and Forms for Documentation

As the work is being performed and decisions are being made in constructing the PRA, it is important to document this information. To ensure the needed amount of information is documented and that it is documented consistently among the analysts, documentation templates/forms have been created. These templates and forms (or similar documentation formats), which will be stored on the SharePoint site, address the following information:

• Results and resolution of reviews (i.e., TAG, self-assessment, and external peer reviews) - see Tables A-1, A-3, A-4, and A-7
• Criteria used for self-assessment (where no standard exists) - see Table A-2
• Results of meetings: TAG, internal discussions, licensee, briefings, ACRS - see Table A-8
• Working files - see Tables A-9 and A-10
• Technical issues and their resolution - see Table A-1

During meetings, discussions, and briefings, there can be significant decisions made about the PRA. It is essential to document this information. Table A-8 provides a template for documenting meetings and discussions. In many instances, there may be issues that are identified and need to be addressed. These issues will be documented via the process described in Section A.5.10.

In performing the work to develop the PRA model, various information, assumptions, etc., are used at different stages (e.g., for the different technical elements). It is essential to document this information. Table A-9 provides a template for documenting this information, using initiating event analysis as an example.

Table A-12 Documentation of Meetings and Discussions

DATE:

TOPIC:

SUMMARY OF MEETING/DISCUSSION: A high-level summary of the major points.

CONCLUSIONS (columns: Num, Decision, Basis for Decision): List and describe each decision made during the meeting/discussions and the bases for the decision; include in the discussion on the decision where and how the PRA model is impacted; can be a high level discussion (e.g., revised Level 1 internal events success criteria).

ACTION ITEMS (columns: Num, Item, Assignee, Due, Status): Describe each action item identified during the meeting/discussion, who is assigned the action item, the due date of the action item, and the status of the action item, including the date for the reported status. When completed, note complete with the completion date.

Table A-13 Documentation for Level 1 Internal Events Initiating Event Analysis

Sources of Information (Inputs) (columns: Source, Description): Describe the source of information (inputs) used in the technical elements, the actual input may be attached; inputs from other tasks should also be included.

Data (columns: Item, Value, Distribution, Description): List each event that has a parameter value, provide its value and uncertainty interval and describe the basis for both; this may be an attachment to the table.

Assumptions: Describe each assumption, give the basis for the assumption, and describe how the PRA model would be impacted (e.g., new initiating event, revised success criteria)

Note: An assumption is a decision or judgment that is made in the development of the PRA model. An assumption is either related to a source of model uncertainty or is related to scope or level of detail. An assumption related to a model uncertainty is made with the knowledge that a different reasonable alternative assumption exists. A reasonable alternative assumption is one that has broad acceptance within the technical community and for which the technical basis for consideration is at least as sound as that of the assumption being made. An assumption related to scope or level of detail is one that is made for modeling convenience.

Sources of Model Uncertainty (columns: Source, Characterization): List each source of model uncertainty, describe the source, and describe how the PRA model would be impacted (e.g., new initiating event, different grouping).

Note: A source of model uncertainty is one that is related to an issue for which there is no consensus approach or model (e.g., choice of data source, success criteria, reactor coolant pump seal loss-of-coolant accident model, human reliability model) and where the choice of approach or model is known to have an impact on the PRA results in terms of introducing new accident sequences, changing the relative importance of sequences, or significantly affecting the overall CDF, LERF, or LRF estimates that might have an impact on the use of the PRA in decision-making.

Documentation Criteria (columns: Criteria, Documentation Description)

Criteria: DOCUMENT the processes used to select, group, and screen the initiating events and to model and quantify the initiating event frequencies, including the inputs, methods, and results. This documentation includes
o the functional categories considered and the specific initiating events included in each
o the systematic search for plant-unique and plant-specific support system initiators
o the systematic search for RCS pressure boundary failures and interfacing system LOCAs
o the approach for assessing completeness and consistency of initiating events with plant-specific experience, industry experience, other comparable PRAs and FSAR initiating events
o the basis for screening out initiating events
o the basis for grouping and subsuming initiating events
o the final grouping of initiators for which accident sequence development will be performed
o the dismissal of any observed initiating events, including any credit for recovery
o the derivation of the initiating event frequencies and the recoveries used
o the approach to quantification of each initiating event frequency
o the frequencies quantified for initiating event group
o the justification for exclusion of any data

Documentation Description: Provide a brief discussion of how the criteria were met; can reference another document that provides the necessary information.

Other Documentation Criteria: List any unique documentation requirements.

A.5.8 Site Visits

During the course of developing the Level 3 PRA model, it will be necessary for cognizant staff members to visit either the volunteer licensee headquarters, the reference plant site, or the surrounding reference plant site area. The purpose of these visits is to (1) gather additional information not obtainable via documentation, and/or (2) confirm understanding of information provided.

A site visit generally involves:

• Discussions with various on-site personnel (e.g., engineering, operations, maintenance) and off-site personnel (e.g., local law enforcement regarding evacuation)
• Walk-down of the site and/or the surrounding evacuation area

To ensure that the purpose of the visit is achieved, the team leads participating in the site visit will prepare a site visit plan prior to the visit. This plan will be forwarded to the licensee (or other appropriate organization) so that the licensee (or other organization) is prepared for the visit.

The site plan will include the following:

• Dates of visit
• Names of NRC staff and contractors attending, including their role and responsibility in the Level 3 PRA project
• Licensee or other organization personnel to be interviewed
• The places at the site (or surrounding area) to be visited
• List of questions and issues to be discussed

It is equally important to document the results of the site visit. This documentation will include the following:

• Dates of the visit
• Names of NRC staff and contractors on the site visit
• Names of licensee and other organization personnel (including their position) interviewed
• Specific questions and issues discussed along with a summary of the discussion
• Site areas visited with specific observations
• Summary of discussions; should identify the specific topic and details of the discussion
• General observations and conclusions made as a result of the visit

If the intent of the visit is to access the actual reference plant site, it is preferred that the NRC staff have unescorted access so as not to be a burden to the licensee. To obtain unescorted access, the following must be performed:

• Each NRC staff member on the site visit must have completed NRC site access training (i.e., H-100 [NRC Site Access Training] or H-101 [NRC online Site Access Refresher Training], as appropriate) within the last 12 months
• The Region must be notified. This notification will be performed by the NRC Level 3 PRA program manager, and will include the following information for each traveler:
  o Name (as it appears on NRC badge)
  o NRC badge number
  o Clearance level (L, L(h), Q, or NC)
  o Site access training
    - Completion date of training
    - Type of training (H-100, H-101, or non-NRC training at a specified power plant)
  o Nuclear power plant/site to be visited
  o Date(s) of visit
• The Region will notify the security department at the reference plant site, by letter, of the upcoming visit. The letter will inform plant security that the NRC staff have the necessary access training and to provide them with a badge allowing unescorted access.

It is expected that the NRC contractors will be escorted (by NRC staff). However, the Region should still be notified of their participation in the visit, so that they are included in the letter that the Region sends to plant security. This will facilitate the badging process. It is also expected that all contractors will complete the NRC site access training so that they do not have to undergo such training at the site. The information to be provided to the Region for each contractor includes:

• Name (as it appears on driver's license)
• Company
• Site access training
  o Completion date of training
  o Type of training (H-100, H-101, or non-NRC training at a specified power plant)
• Nuclear power plant/site to be visited
• Date(s) of visit

A.5.9 Documentation Control for NRC Contractors

This project will involve a substantial amount of work developed by NRC contractors. For example, the SPAR models and SAPHIRE program were developed and are hosted by INL for the NRC under previous contracts. Under the Level 3 PRA contract, INL will also host the models for this project. It is expected that the NRC Contractors working on this project will have their own internal information and document control system. It is the Contracting Officer's Representative's (COR's) responsibility to ensure that the contractor has an adequate plan to store and backup their work. The COR should document this finding using the review template.

When a document comes to the NRC from a contractor, it will be sent to the COR and technical lead. The technical lead will decide whether the information should be stored only on the SharePoint site, or also in ADAMS. In making this determination, the technical lead will need to consider the following factors:

• Status of the information (e.g., draft, mark-up, final product)
• Whether the document is a deliverable specified in the contract
• Likelihood that the information will ultimately be contained, in whole or in part, in another stored document

As general guidance, final products and other contract deliverables should be stored in ADAMS (as well as on the SharePoint site). Most other information will just be stored on the SharePoint site. Information will be stored on the SharePoint site using the procedure outlined in Section A.5.2. The technical analyst will make the determination whether the information should be stored in their working document folder in SharePoint or in some other SharePoint location (if the latter, this should be coordinated with the Documentation Coordinator). Generally, contractor information that is final and is being used as reference material should be stored in, for example, a SharePoint location for the associated technical element. Contractor information that is not final should be stored in the technical analyst's associated working document folder.

Additional information on the review and acceptance of contractor technical reports is provided in Section A.6.2.

A.5.10 Non-Disclosure Agreement to Allow Access to Proprietary Information

To support the Level 3 PRA project, the NRC has collected a substantial amount of proprietary information about the reference plant and its PRA. To ensure that the staff does not violate the conditions under which the licensee has provided this information, each project team member receives the following electronic message which they must acknowledge before being granted access to the proprietary information area of the Level 3 PRA SharePoint site:

The proprietary information submitted by [licensee*] for [plant*] was provided to the NRC on a voluntary basis and can only be used to support the Level 3 PRA project. In no circumstances can this information be used to support a regulatory decision (including, but not limited to, inspection activities and license reviews). Furthermore, this information shall not be redistributed beyond the Level 3 PRA project team. Please acknowledge your understanding of this information by clicking the vote button above.

* The name of the volunteer licensee and reference plant have been intentionally left out of this document.

A.5.11 Project Documentation Markings

All documents generated as part of this project (either by staff or contractors) that contain licensee-provided proprietary information should have each page marked with a header and footer that states "Official Use Only - Proprietary Information."

In addition, all documents (by either staff or contractors) that contain licensee-provided proprietary information and that are placed in ADAMS, should include the following disclaimer on the cover page:

This document contains proprietary information voluntarily supplied by the volunteer licensee to support the Level 3 PRA Project. Per NRR Office Instruction LIC-204, Revision 3 (January 2007), and RES Office Instruction ADM-003, Revision 1 (May 2012), this information should not be used to support an NRC review and approval of a licensee application or a document, or for any other NRC decision.

It should be further noted that the proprietary information submitted by the volunteer licensee for the reference plant was provided to the NRC on a voluntary basis and can only be used to support the Level 3 PRA project. In no circumstances will this information be used to support a regulatory decision (including, but not limited to, inspection activities and license reviews). Aside from submitting documents into ADAMS with the disclaimer above, documents containing licensee proprietary information should not be distributed beyond the Level 3 PRA project team.

A.5.12 Guidance for Addressing Potential Technical Issues

In developing the Level 3 PRA model, technical issues will arise that may impact the PRA results or insights. These issues can include:

• potential issues that may call into question the technical rigor or adequacy of the licensee's PRA for the reference plant (e.g., potential model errors or deficiencies that may require changes to the model) or related quality control activities (e.g., self-assessment or peer review)
• issues that require a decision by the Level 3 PRA Project Management Team or discussion with the Level 3 PRA TAG or other experts (e.g., selection of significant assumptions or a choice between different analytical methods, models, or approaches); further technical analysis beyond that described in the TAAP; and/or coordination across technical areas.

An important consideration is that these issues are likely to involve proprietary PRA and plant information submitted by the licensee that must be protected from public disclosure or misuse.

The licensee has voluntarily submitted substantial amounts of proprietary PRA and plant information to the NRC in support of the Level 3 PRA project and, for the reasons detailed below, this information is not to be used to support regulatory decisionmaking:

• Under the requirements specified in 10 CFR 2.390, "Public inspections, exemptions, requests for withholding," proprietary information submitted will be withheld from public disclosure if it is of a type normally held in confidence by the licensee. All proprietary information submitted by the licensee is reviewed and controlled as described in Section A.5.3. Non-proprietary versions of these documents, which would normally be submitted to support a license amendment or regulatory use, will not be developed to support this research project.
• Information submitted by the licensee for this project does not support any regulatory decision and is not required to be done under oath and affirmation or docketed, as would normally be done for a licensing submittal (e.g., see 10 CFR 50.30).
• This information is not being submitted either to support a licensing application or by the Commission's regulations, orders, or license conditions, and consequently the requirements of 10 CFR 50.9, "Completeness and accuracy of information," do not apply.

Consequently, it is important to have a process for addressing potential issues that also ensures that appropriate separation between the Level 3 PRA project and regulatory decisionmaking is maintained. For this project, a process has been developed for resolving technical issues, communicating technical concerns to the licensee staff, and turning issue follow-up over to the appropriate regulatory process when appropriate.

For the purposes of this process, the following terms are used:

Level 3 PRA Project Management Team - In this context, refers to the Level 3 PRA project Program Manager, Principal Technical Advisor, and RES/DRA/PRAB Branch Chief.

Cognizant staff - project team members that include, at a minimum, the technical lead, but may also include other technical analysts on the project team that are involved with identification or resolution of the issue.

The following process is used to ensure that issues identified in the performance of the Level 3 PRA project that have the potential to impact regulatory decisionmaking are handled in an appropriate manner.

1. When a Level 3 PRA project staff member or contractor identifies an issue (or potential issue), the cognizant staff will assess what impact the issue could have on the PRA (i.e., the significance of the issue) and whether the issue could call into question the technical rigor or adequacy of the licensee PRA for the reference plant or related quality control activities. The cognizant staff will then summarize the issue and its potential impact on the PRA in a document (see Table A-10). This documentation shall be forwarded to the Level 3 PRA Project Management Team as soon as practical after the issue is identified, at which point the issue will be added to the Level 3 PRA project issue tracking spreadsheet.

General guidance for determining whether an issue should be documented and tracked includes:

a. Issue may call into question the technical rigor or adequacy of the licensee PRA for the reference plant
b. Issue involves a choice between different analytical methods, models, or approaches
c. Issue requires additional work beyond that described in the TAAP

d. Issue requires coordination across technical areas (e.g., an unresolved technical issue that has the potential to materially impact modeling decisions made in two or more technical areas)
e. Issue warrants communication to the entire Level 3 PRA Project team for awareness
f. Any other issue a project team member determines should be included or would be of interest to the Level 3 PRA Project Management Team
2. For those issues that potentially question the technical adequacy of the licensee PRA for the reference plant, the Program Manager will coordinate a meeting or discussion with the licensee to address the identified issue. The meeting or discussion will include licensee staff (as identified by the licensee), the Level 3 PRA Project Management Team, and the cognizant staff. The results of the meeting or discussion will be documented in accordance with project procedures (see Table A-8 for documenting discussions/meetings). To facilitate the discussion, the Program Manager may forward the summary description of the issue (in its entirety or in part) to the licensee prior to the meeting or discussion. In accordance with project communication protocols, the meeting/discussion will be coordinated with the Office of Nuclear Reactor Regulation (NRR)/Division of Reactor Licensing (DORL) Project Manager and the licensee's Licensing Director.
a. Following the discussion with the licensee (and after reviewing any additional information identified by the licensee), the Level 3 PRA Project Management Team and cognizant project staff may determine that the issue is adequately resolved because, for example:
i. The licensee provided additional information or clarification to resolve the issue.

ii. The licensee and the NRC used different methods or approaches, both of which are acceptable.

iii. The issue was determined to not have a significant impact on the PRA results or insights.

If the issue has not been resolved, it will be evaluated by the Level 3 PRA Project Management Team to determine if a technical inadequacy (i.e., error) of the licensee PRA for the reference plant actually exists. It will be assumed that any technical inadequacy issue that is not resolved by the cognizant staff will be considered to be an error in the licensee PRA for the reference plant unless the Level 3 PRA Project Management Team determines that the issue has been resolved.

b. Once an error of the licensee PRA for the reference plant has been identified, appropriate licensee staff will be contacted (in accordance with project communication protocols and in coordination with the NRR/DORL Project Manager) and informed of the details of the error, including the potential for the error to impact PRA results and/or insights or call into question the adequacy of quality control activities. The licensee will be requested to conduct a review of the error and inform the NRR/DORL Project Manager of the result of this review. This review will include consideration of any licensing and/or regulatory applications of the PRA. The Level 3 PRA cognizant staff will prepare a written summary of the notification of licensee staff of the error which the RES/DRA/PRAB Branch Chief will forward to the cognizant NRR/DORL Project Manager and appropriate NRR/DORL Branch Chief (either by formal memo or email notification).

Once the error has been communicated to the licensee and the NRR/DORL Project Manager, the Level 3 PRA project team is not responsible for any further follow-up on the potential regulatory implications of the error.

c. Once the error has been turned over to NRR/DORL, it is recognized that the Level 3 PRA project team may proceed with an appropriate technical resolution consistent with the overall project objectives. The error will continue to be documented and tracked using Table A-10 as the error is resolved within the context of the Level 3 PRA project.
3. For those issues that require a decision, further technical analysis, and/or discussion beyond the cognizant staff, the cognizant staff member who has the lead for the issue will set up a project team meeting to discuss the issue. This meeting should include all cognizant staff and the Level 3 PRA Project Management Team. For those issues requiring further technical analysis, the cognizant staff, in consultation with the Level 3 PRA Project Management Team, will determine what technical analysis will be performed to resolve the issue. In determining what analysis to perform, consideration will be given to the potential impact that the issue may have on the PRA results or insights, the resources required for the additional analysis, and the availability of requisite staff.

The results of the meeting or discussion will be documented in accordance with project procedures (see Table A-8 for documenting discussions/meetings). If the cognizant staff and Level 3 PRA Project Management Team cannot resolve the issue during the meeting, then one or more of the following actions will be taken:

a. The cognizant staff member who has the lead for the issue will organize a meeting with other knowledgeable staff or contractors.
b. The Level 3 PRA Program Manager will communicate to the TAG coordinator that the project team wishes to discuss the issue with the TAG.
c. The Level 3 PRA Program Manager will coordinate a meeting or discussion with the licensee to get more information related to the issue, as needed. The meeting or discussion will include licensee staff (as identified by the licensee), the Level 3 PRA Project Management Team, and the cognizant staff. To facilitate the discussion, the Program Manager may forward the summary description of the issue (in its entirety or in part) to the licensee prior to the meeting or discussion. In accordance with project communication protocols, the meeting/discussion will be coordinated with the NRR/DORL Project Manager and the licensee's Licensing Director.

For all the above actions, the results of any meetings or discussions will be documented in accordance with project procedures (see Table A-8 for documenting discussions and meetings), and the issue tracking spreadsheet will be updated accordingly. Also, as part of the resolution of the issue, it is possible that a potential error or deficiency may be identified in the licensee PRA for the reference plant or related quality control activities. If so, this issue will be addressed as discussed in Step 2, above.

4. The different types of issues discussed above are to be tracked using Table A-10 (or similar format). This process involves the following:
a. Once the cognizant staff has entered the issue into Table A-10, the table is forwarded to the Documentation Coordinator.

b. When there is any new information related to the issue, that information is forwarded to the Documentation Coordinator.
c. The Documentation Coordinator will update and maintain the master list of all the issues, which will reside on the Level 3 PRA project SharePoint site.

Table A-14 Issue Documentation Template

Technical Analyst ___________________

Issue Num: Use the technical element 2-4 digit abbreviation (xxxx) and the issue numbered sequentially (yy) followed by an I (i.e., xxxx-yy-I). Note, for issues that may cut across multiple technical elements, use the 4-digit abbreviation CCCC.

Describe the concern, what is the issue, why it is a concern; explanation needs to clearly explain the concern and the basis for the concern.

Recommended Resolution: Describe the recommendation to resolve the concern; the explanation needs to be sufficiently detailed so that the analyst understands what needs to be revised in the PRA to resolve the concern, and the basis for the recommended resolution.

Implemented Resolution: Describe the response to the issue and recommendation, describing how it was resolved; the explanation should not be just an "accept" but an explanation of exactly how it was resolved (e.g., how the PRA model was revised),

Level of Significance: The level of significance of the concern should be listed including the basis for level of significance assessed; see below for explanation.

Provide a brief discussion of how the criteria were met; can reference another document that provides the evidence.

Status: Describe the status, what has been accomplished, what still needs to be done, and the date of the status (i.e., the status will continually be updated, each time it is updated, the date needs to be changed accordingly). Once the issue has been resolved (i.e., the PRA model has incorporated the resolution), the status should state "complete" and the date completed. Part of the status is whether the issue has been reviewed by the TAG (the review by the TAG is documented elsewhere).

List and describe each action item identified during the meeting/discussion, who is assigned the action item, the due date of the action item, and the status of the action item, including the date for the reported status. When completed, note "complete" with the completion date.

High Significance -- An issue needing resolution to ensure the technical adequacy of the PRA, the capability of the PRA, or the robustness of the PRA update process.

Medium Significance -- An issue whose resolution is needed to maintain maximum flexibility in PRA applications and consistency with Industry practices (as endorsed by the NRC) or simply to enhance the PRA's technical capability as time and resources permit. It is unlikely that the technical adequacy of the PRA is impacted.

A.5.13 Future Plant Modifications

One objective of the Level 3 PRA project model is to ensure it reflects the as-built, as-operated plant. However, the Level 3 PRA project will take several years to complete, and the plant design and operation are likely to change over time. Therefore, the potential exists that the Level 3 PRA project model may not reflect the as-built, as-operated plant at the time of project completion. Consequently, criteria are needed to determine which future modifications under consideration by the licensee are incorporated into the model.

The following criteria are used to determine which, if any, future reference plant modifications will be included in the NRC Level 3 PRA model:

- The potential modification is risk significant,
- There is a regulatory commitment that the proposed plant change will be completed by the time the Level 3 PRA model is completed,
- If procedures and training are required, they meet the guidelines of RIS 2008-15 and they are implemented in a timeframe that does not impede the overall Level 3 PRA schedule,
- The effect of the modification has already been evaluated by the NRC (e.g., safety evaluation report issued) and accepted, and
- There is sufficient information for the Level 3 PRA project to understand the proposed change.

All of the above criteria must be met for the plant modification to be included in the Level 3 PRA model. If one of the criteria is not met, then the plant modification will not be included. However, sensitivity studies may be performed to determine its impact on the PRA. The basis for including and not including a plant modification will be documented using Table A-10.

A.5.14 Organization of the Various Types of Information on the SharePoint Site

The Level 3 PRA project has different types of information that need to be stored and accessed. The various types of information are summarized in Table A-11. Also provided in Table A-11 are the access control settings for the different types of information.

Table A-15 Summary of Level 3 PRA Project Information on SharePoint Site

General L3PRA Project Documents
  Brief Description of Folder Contents: General documents relating to the work performed in support of this project (e.g., briefings, TAAP documents)
  Access Control*:
    Read/Write Access: Documentation Coordinator
    Read-Only Access: All Level 3 PRA Project Team Members
    No Access: All other NRC staff

Reference Documents (Including Reference Plant Site Information)
  Brief Description of Folder Contents:
    Plant-specific information previously available at the NRC (e.g., FSAR, IPE, IPEEE)
    General non-plant-specific information (e.g., dry cask storage information)
    Proprietary plant-specific information sent by the licensee in support of this project (e.g., PRA models and documentation, plant procedures, system diagrams)
  Access Control*:
    Read/Write Access: Documentation Coordinator
    Read-Only Access: All Level 3 PRA Project Team Members*
    No Access: All other NRC staff

Task Group Technical Documents
  Brief Description of Folder Contents: Personal working files
  Access Control*:
    Read/Write Access: Documentation Coordinator. Each team member will have read/write access to their own working files.**
    Read-Only Access: All Level 3 PRA Project Team Members
    No Access: All other NRC staff

Technical Advisory Group Documents
  Brief Description of Folder Contents: TAG information (e.g., meeting minutes)
  Access Control*:
    Read/Write Access: Documentation Coordinator, TAG Coordinator
    Read-Only Access: All Level 3 PRA Project Team Members
    No Access: All other NRC staff

Inbox: Upload Documents to the L3PRA Website
  Brief Description of Folder Contents: Miscellaneous documents uploaded to the site that have not yet been filed
  Access Control*:
    Read/Write Access: Documentation Coordinator
    Read-Only Access: All Level 3 PRA Project Team Members
    No Access: All other NRC staff

* To access the proprietary information area of this folder, project team members need to acknowledge the non-disclosure statement (as discussed in Section A.5.9).
** Write access may be shared with other project team members at the request of the owning individual.

A.6 Technical Reports

Before technical reports are made available outside the Level 3 PRA project, it needs to be determined that each is ready for release. The technical report may either be one generated by a Level 3 PRA project member or a contractor supporting the Level 3 PRA project.

A.6.1 Staff Technical Reports

There are two general types of staff technical reports developed as part of the Level 3 PRA project. The first type consists of reports that document major project milestones (e.g., the reactor, at-power, Level 1 PRA for internal events). The determination of whether this type of staff technical report is ready for release is accomplished in a four-step process and documented on a sign-off sheet, as described below. The second type consists of staff-generated technical reports that support the major project reports (e.g., a report documenting a set of MELCOR calculations performed to resolve a specific issue or set of issues). The determination of whether this latter type of report is ready for release is addressed at the end of this section.

The sign-off sheet is the cover page of each technical report and involves the following:

1. The task analyst (originator) performs a final check that all the necessary steps have been performed. These steps include (1) completion of all the necessary documentation and (2) completion of the self-assessment including its documentation. Once the task analyst believes the work is ready for release, the analyst signs on the release form. By signing the form, the individual is confirming that he/she is the individual taking responsibility for the documented work.
2. A separate individual performs a technical review. This individual is usually someone associated with the project who has technical knowledge in the subject area. Once the findings from the reviewer are adequately addressed and resolved, the reviewer then signs off on the release form. By signing the form, the reviewer is confirming that he/she has performed a technical review and is approving the technical content, except where noted with comments.
3. A review is performed by a member of the Level 3 PRA Project Management Team. By signing the form, this individual is approving the document revision and confirming that it is ready for external review.
4. Once the above reviews are performed, the document is ready to be released to the TAG for review. This signature, generally provided by the Level 3 PRA Program Manager, confirms that the document revision has been provided to the TAG Chairman.28

Each time a new version of the document is produced, a new sign-off sheet should be completed. In addition, a revision log should be included in the report and updated with each revision. The revision log includes the revision number, the date the Level 3 PRA Project Management Team member signed off on the revision, and a description of the major changes to the report and the reasons why. For the initial version of the report, "Initial issuance" is entered under the description heading.

Table A-12 provides the template to be used for the sign-off sheet.

Finally, in order to track the status of the technical reports (and their revision), a document checklist template has been developed (see Table A-13). The document checklist will be completed collaboratively by the document originator and the Level 3 PRA Program Manager. The document checklists will not be included in the reports but will be stored separately in a binder that will be maintained by the Level 3 PRA Program Manager.

An important part of the documentation is to note the other participants in the work. This documentation should note the specific areas to which they contributed so that there is a historical account of all participants in the future.

28 Due to project schedule constraints, it was determined midway through the project that an expedited review process was needed. As such, for technical areas that had yet to complete the initial version of their report, the technical review (from Step 2 above) and the TAG review (from Step 4) were performed in parallel, and the technical reviewer only signed versions of the report following incorporation of TAG feedback. Also, the Level 3 PRA Project Management Team review (from Step 3) was only performed on the final version of the report.

Table A-16 Sign-Off Sheet for Staff Technical Reports

Title of Document

Revision Number: _______________________

ADAMS ML Number: _______________________

Document Approvals

ORIGINATOR: ___________________________________________________________
Name (printed) Signature Date

TECHNICAL REVIEWER: ___________________________________________________________
Name (printed) Signature Date

L3PRA MANAGEMENT REVIEW: ____________________________________________________________
Name (printed) Signature Date

TAG REVIEW INITIATED: _____________________________________________________________
Name (printed) Signature Date

Table A-17 Document Checklist

Revision 0 (only)

Applicable code and model version (e.g., SAPHIRE 8.0.9.525, Model R01)
SAPHIRE Version ________________ Model Version ________
Changes in PRA Model of Record verified (i.e., configuration control of model)
Site visit trip reports completed
Document
- Consistent with format guidance (RES OI ADM-017 Preparation of NUREG Series Reports)
- Proofread (e.g., good, plain English; spell check; grammar check)
- Originator signature on Reviewer Sheet
- Revision Number included Revision No. ____
- Revision log sheet included after sign-off sheet
- Acknowledgement page included
All issues on the issue tracking list addressed in the document
Self-assessment performed and documented
Model, document, and self-assessment documentation reflect resolution of self-assessment comments ____________
Technical review performed and technical reviewer signature on Reviewer Sheet
L3 PRA project management review performed and signature on Reviewer Sheet
Document entered into ADAMS and accession number included on document

Licensee Review Revision No. ____ Full Review ____ Focused Review ____

Document sent to licensee for Fact Check and Proprietary Review ____________
Licensee comments added to issue tracking list
Model, document, and issue tracking list reflect resolution of licensee comments, and new revision number (if changed) Revision No. ____

TAG Review Revision No. ____ Full Review ____ Focused Review ____

Document sent to TAG for review
Consensus TAG review comments added to issue tracking list
Model, document, and issue tracking list reflect resolution of consensus TAG comments, and new revision number (if changed) ____________ Revision No. ____

PWROG Peer Review Revision No. ____ Full Review ____ Focused Review ____

PWROG Peer Review (PPR) readiness letter sent 12 weeks in advance of PPR
NRC support to PPR team identified and confirmed with PWROG ____________
Material sent to PPR team 4 weeks in advance of PPR
Logistics for PPR meeting performed (e.g., rooms, equipment, documentation)
Outstanding items during PPR addressed and resolved (on-site PPR completed)
Draft PPR report sent to NRC for review and comment
NRC comments on PPR report sent to PPR team
Final PPR report issued (ADAMS No. ____________________)
PPR comments added to issue tracking list ____________
Model, document, and issue tracking list reflect resolution of PPR comments, and new revision number (if changed) Revision No. ____

ACRS Review Revision No. ____ Full Review ____ Focused Review ____

Document sent to ACRS
Presentation prepared and approved for ACRS briefing
ACRS briefed on: ______________________
L3 PRA management identified ACRS comments to be added to issue tracking list
Model, document, and issue tracking list reflect resolution of ACRS comments, and new revision number (if changed) Revision No. ____

Final L3 PRA Project Management Approval

L3 PRA project management approval of document as Revision No. ____

Revisions

Originator modifies model and document as appropriate based on new information
- Applicable code and model version (e.g., SAPHIRE 8.0.9.525, Model R01)
  SAPHIRE Version ________________ Model Version ________
- Verify changes in PRA Model of Record (i.e., configuration control of model)
Originator signature on Reviewer Sheet
- Revision Number included Revision No. ____
- Revision log sheet updated ____________
Self-assessment performed and documented for modified portion of model
Model, document, and self-assessment documentation reflect resolution of self-assessment comments ____________
Technical review performed for modified portion of model and technical reviewer signature on Reviewer Sheet ____________
Document entered into ADAMS and accession number included on document (new accession number for each revision)
L3 PRA project management review performed and signature on Reviewer Sheet
Additional reviews required (L3 PRA management enters full, focused, or none, as appropriate):
Licensee for Fact Check and Proprietary Review ____________
TAG review ____________
PWROG review ____________
ACRS review ____________
L3 PRA project management approval on revised document issued as Revision No. ____

Comments:

As discussed at the beginning of this section, a second type of staff-generated report supports the major project reports (e.g., a report documenting a set of MELCOR calculations performed to resolve a specific issue or set of issues). The determination of whether this type of staff technical report is ready for release is accomplished in a two-step process and documented on a sign-off sheet, as described below.

The sign-off sheet is the cover page of each technical report and involves the following:

1. The task analyst (originator) performs a final check that the report is complete and appropriately formatted. Once the task analyst believes the work is ready for release, the analyst signs on the release form. By signing the form, the individual is confirming that he/she is the individual taking responsibility for the documented work.

2. A separate individual performs a technical review. This individual is usually someone associated with the project who has technical knowledge in the subject area. Once the findings from the reviewer are adequately addressed and resolved, the reviewer then signs off on the release form. By signing the form, the reviewer is confirming that he/she has performed a technical review and is approving the technical content, except where noted with comments.

Each time a new version of the document is produced, a new sign-off sheet should be completed. In addition, a revision log should be included in the report and updated with each revision. The revision log includes the revision number, the date the technical reviewer signed off on the revision, and a description of the major changes to the report and the reasons why. For the initial version of the report, "Initial issuance" is entered under the description heading.

Table A-14 provides the template to be used for the sign-off sheet.

Table A-18 QA Review and Acceptance Form for Staff (Supporting) Technical Reports

Title of Document

Revision Number: _______________________

ADAMS ML Number: _______________________

Document Approvals:

ORIGINATOR: ____ ______________________________________________
Name (printed) Signature Date

TECHNICAL REVIEWER: __ _________________________________________________
Name (printed) Signature Date

A.6.2 Contractor Technical Reports

The determination of whether a contractor technical report is ready for release is accomplished through an acceptance review by the Level 3 PRA project task leader. When NRC staff sign off on a project document that includes contractor work in either the main report or an attachment, or references contractor work, the staff are not necessarily guaranteeing the technical adequacy of the contractor work, but are confirming that the work is appropriate for the project objectives, that the context of the work is consistent with other parts of the overall analysis, and that they can talk to the work at a high level to a third-party audience.

Once the task leader believes the work is ready for release, the leader signs on the QA review and acceptance form (see Table A-15). By signing the form, the individual is confirming that he/she is the individual taking responsibility for the documented work.

Table A-19 QA Review and Acceptance Form for Contractor Technical Reports

Title of Document

Revision Number: _______________________

ADAMS ML Number: _______________________

Document Approval

L3PRA TECHNICAL LEAD:
Name (printed) Signature Date

A.7 QA Program Implementation Audits

Periodic audits of the implementation of the Level 3 PRA project QA plan may be performed and cover a representative sampling of project activities in order to verify compliance with QA plan requirements. The Level 3 PRA Project Management team will determine the scheduling of these audits, if any, and how they are to be carried out.