ML20101S038

Plant TER on Individual Plant Exam Front End Analysis
Person / Time
Site: Vogtle (Southern Nuclear)
Issue date: 11/15/1995
From: Thomas W, SCIENCE & ENGINEERING ASSOCIATES, INC.
To: NRC
Shared Package: ML20101S035
References: CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-94-2341-010, SEA-94-2341-10, NUDOCS 9604170519


Text

SEA-94-2341-010-A:3
November 15, 1995

Vogtle Electric Generating Plant

Technical Evaluation Report on the Individual Plant Examination Front End Analysis

NRC-04-91-066, Task 41

Willard Thomas

Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission

9604170519 960415 PDR ADOCK 05000424 P PDR

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
   E.1 Plant Characterization
   E.2 Licensee's IPE Process
   E.3 Front-End Analysis
   E.4 Generic Issues
   E.5 Vulnerabilities and Plant Improvements
   E.6 Observations

1. INTRODUCTION
   1.1 Review Process
   1.2 Plant Characterization

2. TECHNICAL REVIEW
   2.1 Licensee's IPE Process
       2.1.1 Completeness and Methodology
       2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
       2.1.3 Licensee Participation and Peer Review
   2.2 Accident Sequence Delineation and System Analysis
       2.2.1 Initiating Events
       2.2.2 Event Trees
       2.2.3 Systems Analysis
       2.2.4 System Dependencies
   2.3 Quantitative Process
       2.3.1 Quantification of Accident Sequence Frequencies
       2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses
       2.3.3 Use of Plant-Specific Data
       2.3.4 Use of Generic Data
       2.3.5 Common-Cause Quantification
   2.4 Interface Issues
       2.4.1 Front-End and Back-End Interfaces
       2.4.2 Human Factors Interfaces
   2.5 Evaluation of Decay Heat Removal and Other Safety Issues
       2.5.1 Examination of DHR
       2.5.2 Diverse Means of DHR
       2.5.3 Unique Features of DHR
       2.5.4 Other GSI/USIs Addressed in the Submittal
   2.6 Internal Flooding
       2.6.1 Internal Flooding Methodology
       2.6.2 Internal Flooding Results
   2.7 Core Damage Sequence Results
       2.7.1 Dominant Core Damage Sequences
       2.7.2 Vulnerabilities
       2.7.3 Proposed Improvements and Modifications

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. DATA SUMMARY SHEETS

REFERENCES

LIST OF TABLES

Table 2-1. Summary of CDF Impact for Freeze Date Exceptions
Table 2-2. Summary of Front-End Sensitivity Analyses
Table 2-3. Plant-Specific Component Failure Data
Table 2-4. Generic Component Failure Data
Table 2-5. Comparison of Common-Cause Failure Factors
Table 2-6. Accident Types and Their Contribution to Core Damage Frequency
Table 2-7. Initiating Events and Their Contribution to Core Damage Frequency
Table 2-8. Top 5 Dominant Systemic Core Damage Sequences
Table 2-9. Estimated CDF Impacts From Procedural Enhancements
Table 2-10. Summary of Plant Changes that Directly Affect Station Blackout

E. EXECUTIVE SUMMARY

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Vogtle Electric Generating Plant. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

In responding to the RAI, the licensee mentioned that the original IPE analysis, as described in the IPE submittal, has been updated. Because the licensee does not provide additional details regarding the updated IPE, our review does not include findings and results from this updated model. However, the licensee does state that the updated model has not resulted in significant changes in major CDF contributors and is therefore considered representative of the base case model reflected in the submittal.

E.1 Plant Characterization

The Vogtle Electric Generating Plant (VEGP) consists of two essentially identical Westinghouse pressurized water reactors (PWRs). Both units are four-loop designs with large, dry containments. Unit 1 began commercial operation on June 1, 1987, while Unit 2 began commercial operation on May 20, 1989. The VEGP is similar to Comanche Peak.

Design features at VEGP that impact the core damage frequency (CDF) relative to other PWRs are as follows:

  • Ability to perform feed and bleed once-through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the main and auxiliary feedwater (AFW) systems.

  • Very large refueling water storage tank (RWST) capacity of 715,000 gal per unit. This design feature tends to decrease the CDF, as additional time is available for switchover from ECCS injection to recirculation.

  • Semi-automatic switchover of emergency core cooling system (ECCS) from injection to recirculation. The transfer of residual heat removal (RHR) pump suction from the RWST to the containment sump is automatic. However, manual actions are required to piggyback the safety injection and centrifugal charging pumps onto the discharge of the RHR pumps. This design feature tends to increase the CDF over what it would otherwise be with a fully automatic switchover system.

  • New temperature-resistant reactor coolant pump (RCP) O-rings. These new O-rings tend to lower the CDF because of the increased ability of the RCP seals to withstand loss of cooling.

  • Use of solenoid-operated power-operated relief valves (PORVs) that are not dependent on instrument air. This design feature tends to lower the CDF.

  • Separate closed loop cooling systems for RCP seal cooling and RHR heat removal functions. While both of these closed loop systems are cooled by the same external water source, the use of separate closed loop cooling systems for cooling the RCP seals and RHR system tends to lower the CDF. If the closed loop system used for RCP seal cooling fails and results in a RCP seal loss of coolant accident (LOCA), the RHR cooling function is not automatically defeated.

  • Four safety-related 125 VDC systems per unit. Each 125 VDC system has its own battery, battery chargers, inverter and distribution panels. This design feature tends to lower the CDF.

  • Redundancy in control room habitability systems. This design feature tends to lower the CDF.

  • Use of two sets of redundant cooling coils in the majority of engineered safety features (ESF) rooms. Each of the cooling coils associated with a given room is cooled by a separate water system. This design feature tends to lower the CDF.

  • Availability of large quantity of AFW suction water. Each unit has two condensate storage tanks (CSTs) of approximately 480,000 gal each that provide water to the AFW pumps. In addition, other supplies of AFW suction water can be provided by the demineralized water tank, the fire protection system, or the nuclear service cooling water system. The analysis took credit only for water from one of two CSTs at each unit. This design feature tends to lower the CDF.

  • Ability to local-manually operate the turbine-driven AFW pump on loss of DC power. This design feature tends to lower the CDF. Credit for this feature was taken in the analysis.

  • Capability to local-manually operate the main steam atmospheric relief valves. These valves are supplied with hydraulic stations that allow personnel to open the valves locally from the floor of the main steam room. These valves are classified as safety-related components at VEGP. This design feature tends to lower the CDF. Credit for this feature was taken in the analysis.

  • Autoreclosure of 4 kV circuit breakers for restarting pumps on various actuation signals. This design feature tends to lower the CDF by providing automated restart of pumps following restoration of electrical power. The drawback to this feature is that automatic breaker reclosure is not prevented in the presence of a fault.

E.2 Licensee's IPE Process

The licensee developed a Level 2 probabilistic risk assessment (PRA) in response to the requests of Generic Letter 88-20. The freeze date of the analysis was January 1, 1991, with several exceptions noted by the licensee.

The responsibility of completion of the IPE project was assigned to engineers and analysts associated with the licensee's PRA group, Westinghouse, and Fauske and Associates, Inc. (a wholly-owned subsidiary of Westinghouse). The submittal does not quantify the degree to which utility personnel were involved in the IPE effort. However, the licensee's involvement appears to be more limited in comparison to some other IPE efforts.

Plant walkdowns were used to verify the design of systems, to familiarize analysts with the physical layout of the plant, and to provide analysts with a visualization of restorative actions or alternative systems. Additional walkdowns were used to support the flooding analysis.

Major documentation used in the IPE included: the Updated Final Safety Analysis Report (UFSAR), piping and instrumentation diagrams (P&IDs), electrical drawings, Technical Specifications, Abnormal Operating Procedures (AOPs), Emergency Operating Procedures (EOPs), maintenance work requests, licensee event reports (LERs), and a VEGP station blackout coping study.

Reviews were made of IPE and PRA studies for other plants to support the analysis effort, specifically: IPE for Millstone 3, IPE for Diablo Canyon, IPE for Zion, PRA for Seabrook, and NUREG-1150 PRAs.

Reviews of IPE materials were made by site and corporate personnel at intermediate stages of the analysis process. The licensee also performed an independent in-house review of the IPE. This independent review was performed by 8 plant and corporate staff, along with one consultant from Pickard Lowe and Garrick (PL&G).

The submittal states that a goal of the licensee in performing a PRA included the development of a risk based method that can be used, if desired, for applications such as optimization of planning, operational decisions, and Technical Specification improvements. However, we could find no specific statement indicating that the licensee plans to maintain a "living" PRA.

E.3 Front-End Analysis

The methodology chosen for the VEGP IPE front-end analysis was a Level 1 PRA. A variation of the large event tree modeling technique was used in the analysis. This method utilized plant response trees (PRTs) that explicitly include the analysis of containment systems. Support systems were modeled with special support system event trees and fault trees. The Westinghouse GRAFTER computer code was used to generate the analysis results.

The criterion for core cooling was that the core exit temperature not exceed 1,200 deg. F for more than 30 minutes. The success criteria were based on a number of sources, including: the UFSAR, various (unspecified) Westinghouse Owners Group generic technical reports, EOPs, Modular Accident Analysis Program (MAAP) analyses (for LOCAs), Transient Real-Time Engineering Analysis Tool (TREAT) analyses (for transients), and Compartmentalized Analysis of Containment Transients (COMPACT) analyses (for room heatup). The success criteria are generally consistent with success criteria used in other PWR IPE/PRA studies.

The IPE quantified 26 initiating events exclusive of internal flooding: 6 LOCAs, including steam generator tube rupture (SGTR) and interfacing systems LOCA (ISLOCA); 14 generic transients, including single and dual loss of offsite power (LOSP), and two secondary side breaks; and 6 special initiating events representing loss of support systems. The number of initiating events considered in the flooding analysis was not provided.

The IPE used plant-specific component failure data to update generic data by means of a Bayesian process. With two exceptions, the time window used for the collection of plant-specific data was from first commercial operation at each unit¹ to January 1, 1991 (analysis freeze date). Reliability data for the diesel generators and essential chilled water system were gathered outside the January 1, 1991 freeze date to account for the benefits of special reliability programs. Maintenance unavailabilities were computed based solely on plant-specific data.

The Multiple Greek Letter (MGL) method was used to model common cause failures. The common cause events were quantified with data from the Electric Power Research Institute (EPRI). The common cause failure events were modeled within systems.

The licensee performed an internal flooding analysis. The list of safe shutdown equipment developed in conjunction with the UFSAR Fire Hazards Analysis was used to determine areas for which flooding could result in a reactor trip. No scenarios were identified that involved both the failure of safe shutdown equipment and a consequential reactor trip. Consequently, core damage evaluations were limited to flooding events that occur during the 24 hour period after an independently-initiated reactor trip.

¹ Unit 1 began commercial operation on June 1, 1987, while Unit 2 began commercial operation on May 20, 1989.

Because there were no significant differences between the two VEGP units, the models and analysis results developed were deemed applicable to both units. The total point estimate CDF for each unit is 4.9E-05/yr.² The CDF contribution from flooding is negligible. The internal initiating events that contribute most to the CDF and their percent contribution are listed below:³

LOSP (single unit)                            56%
LOSP (dual unit)                              14%
Medium LOCA                                   9.0%
Small LOCA                                    6.8%
SGTR                                          3.6%
Large LOCA                                    3.2%
Partial Loss of Main Feedwater Flow           3.1%
Loss of Main Feedwater Flow                   1.1%

Core damage contributions by accident type are listed below:

Station Blackout                              61%
LOCAs                                         19%
LOSP (other than SBO)                         9.0%
Transient                                     6.8%
SGTR                                          3.6%
Special Initiators                            0.5%
Anticipated Transient Without Scram (ATWS)    0.2%
ISLOCA                                        0.1%

The most important non-initiating events at each unit are (in order):

  • Diesel generators fail to supply 4,160 VAC buses after LOSP
  • Diesel generator and nuclear service cooling water (NSCW) failures cause a station blackout condition following LOSP
  • Offsite power not recovered in 1 hour following LOSP

The PRTs used in the analysis model both the front and back-end aspects of the accident sequences. Plant damage states (PDSs) were assigned to the sequence endstates.

² As used here and in other portions of this report, the term "yr" refers to a reactor year.
³ Only the most dominant initiating event contributors are listed here. A complete set of initiating event CDF contributors is provided in Table 3.4-1 of the submittal.

E.4 Generic Issues

The licensee compared decay heat removal (DHR) vulnerability insights from Unresolved Safety Issue (USI) A-45 studies with their applicability to VEGP as related to: support system failures, adequacy of physical separation, sharing and interconnection between redundant trains, human errors, contribution of LOSP, and effect of bleed and feed on DHR-related risk. Using qualitative and/or quantitative data, the licensee demonstrated that the IPE results are consistent with or better than those identified in the A-45 studies. Based on this comparison of VEGP results with the A-45 studies, the licensee concluded that there are no unique DHR vulnerabilities at VEGP.

The licensee does not propose to resolve any Generic Safety Issues/Unresolved Safety Issues (GSI/USIs) other than DHR.

E.5 Vulnerabilities and Plant Improvements

The licensee selected the following definition of a plant specific vulnerability:

  • Any functional core damage sequence that contributes greater than 1E-04/yr, or greater than 50% of the CDF, or

  • The dominant core damage sequences resulting in containment bypass that contribute, when summed together as a group, greater than 1E-05/yr or greater than 20% of the CDF.

Based on the above criteria, the licensee determined that there are no vulnerabilities at VEGP.

During the IPE analysis process, three plant improvements were identified that involve enhancements to procedures. The procedure enhancements were implemented in August 1992 and were credited in the analysis. These procedure enhancements are listed below:

  • Manual control of AFW turbine-driven pump during a loss of all AC and DC power. Without this enhancement, the CDF would increase by 31% (from 4.9E-05/yr to 6.4E-05/yr).

  • Establishment of one nuclear service cooling water (NSCW) pump operation on a loss of NSCW initiating event. Without this enhancement, the CDF would increase by 9% (from 4.9E-05/yr to 5.3E-05/yr).

  • Opening of DC power room doors on loss of control building ESF electrical heating, ventilating, and air conditioning (HVAC). Without this enhancement, the CDF would increase by 49% (from 4.9E-05/yr to 7.3E-05/yr).

Without credit for this group of three modifications, the total CDF would increase by 67% (from 4.9E-05/yr to 8.2E-05/yr).⁴

Finally, the licensee provided information concerning plant changes made in response to the Station Blackout Rule, and other modifications separate from the Station Blackout Rule that were credited in the IPE. This information is summarized below:

Plant Improvements specifically related to the Station Blackout Rule

  • Opening of control building electrical equipment room doors. This procedural modification is related to a similar but apparently more general modification specifically identified in conjunction with the IPE, namely "opening of DC power room doors on loss of control building ESF electrical HVAC" (as described above). The CDF impact of opening electrical equipment room doors only during station blackout conditions is unavailable. However, the station blackout procedural modification does contribute some portion of the 49% CDF change associated with the more general procedural modification described above. The IPE took credit for this modification.

Modifications affecting station blackout separate from the Station Blackout Rule

  • Connection to alternate AC power source via underground cable with Plant Wilson. Plant Wilson, which is adjacent to the VEGP boundary, has 6 combustion turbines, and is under the direct authority of VEGP management. This modification has been completed for both units and results in a 33% decrease in total CDF (from 4.9E-05/yr to 3.3E-05/yr), or a decrease in station blackout CDF contribution from 61% to 47%. The IPE did not take credit for this modification.

E.6 Observations

The licensee appears to have analyzed the design and operations of the VEGP to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at the VEGP; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Strengths of the IPE are as follows: Even though the VEGP is a relatively new plant with limited operating experience, the licensee has made a major effort to use plant-specific data to support the quantification of initiating events and component unavailabilities.

⁴ The total CDF increase from all three modifications does not represent the sum of the individual CDF increases for each modification.

No major weaknesses of the IPE were identified.

Significant level-one IPE findings are as follows:

  • Station blackout is a relatively large contributor to CDF, as is the case in a number of other PWR IPE/PRA studies. Important contributors to the station blackout CDF include failure of AFW flow due to condensate storage tank depletion, failure to restore operation of the nuclear service water system after LOSP recovery, and failure of the turbine-driven AFW pump.

  • Internal flooding is a negligible contributor to the CDF. The licensee states that the VEGP is one of the most recently licensed US nuclear plants, and as such has been designed to mitigate and limit effects due to internal floods.

  • ATWS is a relatively small contributor to CDF. The licensee appears to have credited the possibility of successful ATWS mitigation throughout all portions of the core cycle. A dominant ATWS sequence in some other PWR IPE/PRA studies involves the inability to mitigate an ATWS event during some portion of the early-in-life core cycle due to an unfavorable moderator temperature coefficient.

  • The common cause failure data used in the IPE are significantly lower than corresponding generic data presented in NUREG/CR-4550. For example, the IPE beta factor for charging/HPSI pumps is a factor of 3 lower than the NUREG/CR-4550 data, while the IPE beta factors for MOVs and RHR pumps are an order of magnitude lower than corresponding NUREG/CR-4550 data.

    While the IPE common cause data are based on an EPRI common cause database, the licensee has judged that some of the EPRI events are not applicable to the VEGP. As a result, some of the EPRI events have been excluded from the quantification process, and common cause failure rates have been adjusted downward. It may be the case that the licensee's adjustment of common cause data is overly optimistic.

1. INTRODUCTION

1.1 Review Process

This report summarizes the results of our review of the front-end portion of the IPE for the VEGP. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

In responding to the RAI, the licensee mentioned that the original IPE analysis, as described in the IPE submittal, has been updated. Because the licensee does not provide additional details regarding the updated IPE, our review does not include findings and results from this updated model. However, the licensee does state that the updated model has not resulted in significant changes in major CDF contributors and is therefore considered representative of the base case model reflected in the submittal. [p. 2 of RAI Responses]

1.2 Plant Characterization

The Vogtle Electric Generating Plant (VEGP) consists of two essentially identical Westinghouse PWRs. Both units are four-loop designs with large, dry containments. Both units have power ratings of 3,565 megawatts thermal (MWt) and 1,210 gross megawatts electric (MWe). Unit 1 began commercial operation on June 1, 1987, while Unit 2 began commercial operation on May 20, 1989. The VEGP site is located on the Savannah River about 26 miles southeast of Augusta, Georgia. Southern Services and Bechtel shared the responsibility for the Architect/Engineer (AE) work. The VEGP is similar to Comanche Peak. [pp. 1.1-1, 1.1-2, 1.2.3-2, 1.3.1-1, Table 1.3.1-2 of UFSAR, p. 74 of NUREG-1350, pp. 3-56, 3-57, 3-91 of submittal]

Design features at VEGP that impact the core damage frequency (CDF) relative to other PWRs are as follows: [pp. 3-33, 6-2 to 6-6 of submittal]

  • Ability to perform feed and bleed once-through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the main and auxiliary feedwater (AFW) systems.

  • Very large refueling water storage tank (RWST) capacity of 715,000 gal per unit. This design feature tends to decrease the CDF, as additional time is available for switchover from ECCS injection to recirculation.

  • Semi-automatic switchover of emergency core cooling system (ECCS) from injection to recirculation. The transfer of residual heat removal (RHR) pump suction from the RWST to the containment sump is automatic. However, manual actions are required to piggyback the safety injection and centrifugal charging pumps onto the discharge of the RHR pumps. This design feature tends to increase the CDF over what it would otherwise be with a fully automatic switchover system. [pp. 6.3.2-9 of UFSAR, 3-56, 3-57, 6-4 of submittal]

  • New temperature-resistant reactor coolant pump (RCP) O-rings. These new O-rings tend to lower the CDF because of the increased ability of the RCP seals to withstand loss of cooling.

  • Use of solenoid-operated power-operated relief valves (PORVs) that are not dependent on instrument air. This design feature tends to lower the CDF.

  • Separate closed loop cooling systems for RCP seal cooling and RHR heat removal functions. While both of these closed loop systems are cooled by the same external water source, the use of separate closed loop cooling systems for cooling the RCP seals and RHR system tends to lower the CDF. If the closed loop system used for RCP seal cooling fails and results in a RCP seal loss of coolant accident (LOCA), the RHR cooling function is not automatically defeated.

  • Four safety-related 125 VDC systems per unit. Each 125 VDC system has its own battery, battery chargers, inverter and distribution panels. This design feature tends to lower the CDF.

  • Redundancy in control room habitability systems. This design feature tends to lower the CDF.

  • Use of two sets of redundant cooling coils in the majority of engineered safety features (ESF) rooms. Each of the cooling coils associated with a given room is cooled by a separate water system. This design feature tends to lower the CDF.

  • Availability of large quantity of AFW suction water. Each unit has two condensate storage tanks (CSTs) of approximately 480,000 gal each that provide water to the AFW pumps. In addition, other supplies of AFW suction water can be provided by the demineralized water tank, the fire protection system, or the nuclear service cooling water system. The analysis took credit only for water from one of two CSTs at each unit. This design feature tends to lower the CDF. [pp. 6-11, 6-12 of submittal]

  • Ability to local-manually operate the turbine-driven AFW pump on loss of DC power. This design feature tends to lower the CDF. Credit for this feature was taken in the analysis. [p. 6-11 of submittal]

  • Capability to local-manually operate the main steam atmospheric relief valves. These valves are supplied with hydraulic stations that allow personnel to open the valves locally from the floor of the main steam room. These valves are classified as safety-related components at VEGP. This design feature tends to lower the CDF. Credit for this feature was taken in the analysis. [pp. 3-130, 6-4 of submittal]

  • Autoreclosure of 4 kV circuit breakers for restarting pumps on various actuation signals. This design feature tends to lower the CDF by providing automated restart of pumps following restoration of electrical power. The drawback to this feature is that automatic breaker reclosure is not prevented in the presence of a fault. [pp. 3-256, 5-14 of submittal]

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodology.

The submittal is complete with respect to the type of information requested by Generic Letter 88-20 and NUREG-1335. [pp. 1-2 of submittal]

The front-end portion of the IPE is a Level 1 PRA. A variation of the large event tree modeling technique was used in the analysis. Event sequence diagrams (ESDs) were developed for each group of initiating events. The ESDs illustrate all possible success paths from a particular initiating event to a stable plant condition. The ESDs were used to support the development of plant response trees (PRTs) that logically model the accident progression of an initiating event through mitigation of core damage and a determination of containment status. Output from the PRTs includes: expected timing of core damage, the status of ECCS and containment heat removal systems, containment status, and RCS pressure at time of core damage. The Westinghouse GRAFTER computer software was used in the accident sequence analysis. [pp. 1-2, 2-5, 2-6, 3-2, 3-7, 3-16, 3-25, 3-26 of submittal]

Internal initiating events and internal flooding were considered. PRTs were developed for all classes of initiating events. Major support systems were modeled with special event trees. Support systems with limited support functions were modeled directly in fault trees or in the PRTs. [pp. 2-5, 3-7, 3-26 of submittal]

2.1.2 Multi-Unit Effects and As-Built. As-Ocerated Status.

The Vogtle plant is a dual unit site. The IPE analysis examined the design of the two units and their dependencies. Plant walkdowns were used to help identify differences between the two units. The licensee determined that the models and analysis results were applicable to both units due to a lack of significant differences between the units.

[pp. 2-15, 2-16, 3-188 of submittal]

A number of systems are shared between the two units, including: instrument air, control room HVAC, normal chilled water, turbine plant cooling water, turbine plant closed cooling water. For shared systems, credit was taken only for each unit's own components; the opposite unit's equipment was not credited. Failure of these shared systems does not result in a dual unit event different than the single unit events that were analyzed. [pp.1.2.2-6 of UFSAR,3-188 of submittal) 12

The analysis modeled both single and dual unit LOSP initiating events. However, because the two units do not share systems that are important from the perspective of the IPE analysis, a dual unit LOSP event is equivalent to a single unit LOSP in terms of individual unit response. [p. 3-188 of submittal]

Based on information contained in the submittal and UFSAR regarding shared facilities and systems, we concluded that the IPE analysis has properly accounted for multi-unit interconnections and shared systems.

The latest available revisions of drawings, plant procedures, and documents were used to support the analysis. Plant documentation used to support the analysis included: the UFSAR, P&IDs, electrical drawings, Technical Specifications, AOPs, EOPs, maintenance work requests, LERs, and the VEGP station blackout coping study. Plant walkdowns were used to verify the design of systems, to familiarize analysts with the physical layout of the plant, and to provide analysts with a visualization of restorative actions or alternative systems. Reviews of plant records were made to develop an understanding of plant-specific behavior, for example component failure rates and initiating event frequencies. [pp. 1-2, 2-8, 2-10, 2-11 of submittal]

The freeze date of the analysis was January 1, 1991, with four exceptions. The IPE took credit for these freeze date exceptions, which are summarized below: [pp. 1-5 of RAI Responses, pp. 1-6, 3-106 of submittal]

  • New Temperature-Resistant RCP O-rings. As of the analysis freeze date, new temperature-resistant RCP O-rings had been installed in Unit 2, but not in Unit 1. The new O-rings have since been installed in Unit 1.

  • Procedural Enhancements. Three procedural enhancements were implemented in August 1992 and credited in the analysis. These procedural enhancements are related to: (1) manual control of AFW turbine-driven pump during a loss of all power, (2) establishment of one nuclear service cooling water (NSCW) pump operation following loss of NSCW, and (3) opening of DC power room doors on loss of HVAC. These procedural enhancements are described in more detail in subsection 2.7.3 of this report.

  • Diesel Generator Reliability Data. Due to diesel generator reliability problems, especially in 1990, a program was implemented to enhance diesel generator reliability. The program was stated to significantly improve diesel generator reliability. Diesel generator reliability data from 1987 through 1991 were included in the IPE.

  • Essential Chilled Water System Reliability Data. A program was implemented to improve the reliability of the essential chilled water system. The IPE used failure data gathered after implementation of this reliability program. The failure data were taken from the period November 20, 1990 to April 27, 1992.

Table 2-1 below summarizes the CDF impact of the freeze date exceptions.

Table 2-1. Summary of CDF Impact for Freeze Date Exceptions

| Freeze Date Exception | Percent Increase in CDF if Exception Not Credited (see note 1 below) |
|---|---|
| New Temperature-Resistant RCP O-Rings | Not available |
| Procedural Enhancements (collective influence) | 67%, or CDF change from 4.9E-05/yr to 8.2E-05/yr (see note 2 below) |
| Reliability Data: (a) Diesel Generator | 23% (from 4.9E-05/yr to 6.0E-05/yr) |
| Reliability Data: (b) Essential Chilled Water System | 163% (from 4.9E-05/yr to 1.3E-04/yr) |
| Reliability Data: (c) Collective influence of Diesel Generator and Essential Chilled Water System Data | 203% (from 4.9E-05/yr to 1.5E-04/yr) |

Notes: (1) The CDF increase data for each of the reported categories are not additive.

(2) CDF impacts of individual procedural enhancements are provided in subsection 2.7.3 of this report.

The submittal states that a goal of the licensee in performing a PRA included the development of a risk-based method that can be used, if desired, for applications such as optimization of planning, operational decisions, and Technical Specification improvements. However, we could find no specific statement indicating that the licensee plans to maintain a "living" PRA. [p. 1-1 of submittal]

2.1.3 Licensee Participation and Peer Review.

It appears that the licensee relied on substantial assistance from outside contractors, specifically Westinghouse and Fauske and Associates, Inc. (a wholly-owned subsidiary of Westinghouse). While an engineer from the VEGP Nuclear Engineering and Licensing Department was assigned to act as the IPE project engineer, a Westinghouse engineer acted as project manager for the front-end analysis, while another engineer from Fauske and Associates, Inc. acted as project manager for the back-end analysis. The acknowledgments portion of the submittal lists 31 Westinghouse IPE participants, and 2 Fauske and Associates, Inc. participants. [pp. II, 5-1 to 5-3 of submittal]

While substantial reliance was made on contractor support, the licensee appears to have had a significant involvement in the IPE process. For example, two senior-level engineers from the licensee's PRA group were dedicated to the IPE. Event sequence diagrams were prepared with input from the plant training staff. In addition, the system notebooks and the dependency matrix were reviewed by plant system engineers. The plant Operations Department provided an operating crew for 2 days to conduct operator interviews. Plant staff also participated in recovery meetings. Engineers from the plant Maintenance and Support Department provided insights used to review the common cause database for applicability to the VEGP. The utility's A/E, Southern Company Services (SCS), provided technical information and reviews. [pp. 5-1 to 5-4 of submittal]

Reviews of IPE materials were made by site and corporate licensee personnel at intermediate stages of the analysis process. The licensee also performed an independent in-house review of the IPE. The independent review group consisted of 4 individuals from the plant staff, 3 individuals from the corporate staff, a vice president from Southern Nuclear Operating Co., and a consultant from Pickard, Lowe, and Garrick (PL&G). The submittal provides summaries of example review comments and their corresponding resolutions. [pp. 5-5, 5-6, 5-7, 5-8, 5-10 to 5-16 of submittal]

2.2 Accident Sequence Delineation and System Analysis

This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.

2.2.1 Initiating Events.

The initiating events analyzed in the IPE include transients, LOCAs, and special initiators. The specific categories of initiating events included in the analysis are listed below: [pp. 3-2 to 3-4, 3-6 of submittal]

Generic Transients:

  • Positive reactivity insertion
  • Loss of reactor coolant flow
  • Loss of main feedwater flow
  • Partial loss of main feedwater flow
  • Loss of condenser
  • Turbine trip
  • Primary system transient
  • Reactor trip
  • LOSP (separate events for single and dual unit)
  • Safety injection signal
  • Secondary side break (separate events for breaks inside or outside containment)
  • Inadvertent opening of steam valve

Special Initiators:

  • Loss of instrument air
  • Loss of nuclear service water cooling (NSCW)
  • Loss of two 120 VAC vital instrument panels
  • Loss of 125 VDC bus 1AD1 or 1BD1
  • Loss of auxiliary component cooling water (ACCW)
  • Loss of one train of the control building ESF electrical room HVAC

LOCAs:

  • Large (greater than 6")
  • Medium (2" to 6")
  • Small (3/8" to 2")
  • SGTR
  • ISLOCA
  • Vessel Rupture

Internal Flooding:

  • Number of initiating events not provided in submittal

Primary system LOCAs less than 3/8" in diameter were not considered accident initiators because the leakage is generally within the design capacity of the normal makeup system and a reactor trip would not be generated. The small LOCA category is comprised of RCP seal failures, small pipe breaks, and primary safety and/or relief valves failing open after a transient event. [pp. 3-3, 3-5 of submittal]

Failures of 4,160 or 480 VAC buses were excluded as initiating events. Loss of a 4,160 or 480 VAC engineered safeguards features (ESF) bus would not cause an immediate plant trip, because no equipment important to continued plant operation would be affected. While loss of a 4,160 or 480 VAC ESF bus might eventually require a manual shutdown due to Technical Specification requirements, orderly shutdowns of this type were beyond the scope of the analysis. The failure of certain non-ESF 4,160 and 480 VAC buses can lead to a plant trip by causing the loss of important non-safety systems (for example, instrument air and main feedwater). While non-ESF bus failures were not explicitly modeled as initiating events, they have been accounted for in other initiating events that were modeled. [pp. 5, 6 of RAI Responses]

Unlike many other plants, the component cooling water (CCW) system at VEGP provides cooling only for the spent fuel pool, RHR heat exchangers and RHR pump seal coolers. Consequently, loss of CCW would not disable equipment needed to sustain operation of the plant, and thus was not considered as an initiating event. A separate auxiliary component cooling water (ACCW) system at the VEGP provides cooling to various types of equipment important to plant operation, including the RCP thermal barriers, RCP motor coolers, and the positive displacement charging pump. Loss of ACCW was included as an initiating event in the IPE. Loss of nuclear service cooling water (NSCW) was also included as an initiating event, as it provides cooling to the ACCW heat exchangers and the two centrifugal charging pumps. [pp. 3-33, 3-34, 3-37, 3-38 of submittal]

HVAC failures were considered as potential initiating events. Following an evaluation, the licensee included one category of HVAC failure as an initiating event, namely loss of one train of the ESF electrical room HVAC. Other types of HVAC failures were excluded as potential initiating events based on the licensee's evaluation. For example, failure of control room HVAC was excluded as an initiating event, as it was determined that this condition would not fail control room equipment. [p. 5-12 of submittal]

The identification of potential ISLOCA initiating events addressed pathways greater than 3/8" in diameter through which low pressure piping outside containment could be exposed to reactor coolant system (RCS) pressure. The total ISLOCA initiating event frequency was based on the sum of the frequencies of ISLOCAs involving the following systems: (1) reactor coolant pump seal water return line, (2) reactor coolant pump thermal barrier heat exchanger, (3) lines to charging pump discharge header, (4) safety injection pump discharge lines, (5) RHR discharge lines, and (6) RHR hot leg suction lines. The RHR hot leg suction ISLOCA was identified as a dominant contributor to the overall ISLOCA frequency and also judged to be the most severe ISLOCA due to its adverse effect on long term decay heat removal. For this reason, only the RHR hot leg suction ISLOCA was formally analyzed in the IPE, though its assigned frequency was increased to reflect the other potential ISLOCA pathways identified above. The RHR hot leg ISLOCA was modeled as a 0.1 sq. ft. break based on an upper bound estimate of flow through failed RHR pump seals. [pp. 9, 10, 38 to 40 of RAI Responses, pp. 3-6, 4-24, 4-42, 4-64, C-4 of submittal]

The initiating event frequencies were based on plant-specific data, generic data, and system fault tree analyses. Frequencies for anticipated and unanticipated transient initiating events were developed by applying a Bayesian update process. This Bayesian process was used to combine generic data with data collected for the VEGP. In most cases, generic frequencies determined from experience at Westinghouse plants during a 6.5 year interval (January 1984 through June 30, 1990) were used as prior mean values. Because the VEGP units are relatively new, only a limited amount of plant-specific data were available (4.2 reactor-years as of June 30, 1990). The first year of operation for both units was excluded from the quantification process because, like other new plants, the VEGP units experienced abnormally high frequencies of transients due to the learning curve for plant personnel and the break-in of equipment. [pp. 3-4, 3-5 of submittal]

Frequencies for single and dual unit LOSP were calculated separately. These frequencies were based on methodologies and data contained in the following documents: [NUREG 1032], [NSAC-144], and [NUMARC 87 00].

The large and medium LOCA frequencies were extracted from WASH-1400. No sources of data for the small LOCA category are identified. In addition, no sources of data are identified for the ISLOCA initiating events. The special initiating events were quantified with fault trees. [p. 3-5 of submittal]

The quantification of the initiating events appears to be generally consistent with other PWR IPE/PRA studies. A list of initiating event frequencies is provided in Subsection 4 of this report.

2.2.2 Event Trees.

The following PRTs were used in the analysis: [Appendix A of submittal]

  • Large LOCA
  • Medium LOCA
  • Small LOCA
  • SGTR
  • Secondary Breaks Inside Containment
  • Secondary Breaks Outside Containment
  • General Transients
  • Loss of Offsite Power
  • Anticipated Transient Without Trip (ATWT)
  • Station Blackout
  • Loss of Instrument Air
  • Loss of Nuclear Service Cooling Water
  • Reactor Vessel Rupture
  • ISLOCA

Two categories of support system event trees were also used in the analysis. One category of support system event tree addresses LOSP conditions. The other category models support systems necessary to respond to other transient events or events involving a safety injection signal and startup of ECCS (such as LOCAs). [p. 3-27 of submittal, Appendix B of submittal]

The front-end portion of the analysis was based on a 24 hour mission time, while the back-end analysis assumed a 48 hour mission time. Core cooling was considered successful if the core exit temperature does not exceed 1200 deg. F for more than 30 minutes. It is not clear how this definition applies to short-term phenomena, for example the relatively high transient temperatures that are expected to occur following a large LOCA. [pp. 3-14, 4-1, 4-9 of submittal]

The PRT top event success criteria were based on a number of sources, including: the UFSAR, various (unspecified) Westinghouse Owners Group generic technical reports, EOPs, Modular Accident Analysis Program (MAAP) analyses (for LOCAs), Transient Real-Time Engineering Analysis Tool (TREAT) analyses (for transients), and Compartmentalized Analysis of Containment Transients (COMPACT) analyses (for room heatup). The IPE addressed requirements for containment cooling to prevent core damage and/or to prevent containment failure. [pp. 11-28 of RAI Responses, pp. 3-14, 3-15, 3-24 of submittal]


Credit was taken for once-through feed and bleed cooling of the primary system for transient accidents. Successful feed and bleed includes a requirement for flow from 1 of 2 centrifugal charging pumps and 1 of 2 PORVs. [pp. 21 of RAI Responses, pp. 3-17, 3-20, A-59 of submittal]

Like some other PWR IPEs, the VEGP IPE assumes that if high pressure injection fails during a small LOCA, the primary system can be depressurized via the secondary system so that the accident can be mitigated with the low pressure injection system. A similar assumption was also made for medium LOCAs. [pp. 13-16 of RAI Responses, pp. A-B to A-30 of submittal]

As previously discussed in Section 2.2.1 of this report, the ISLOCA analysis formally modeled an RHR hot leg suction ISLOCA. For this event, it is postulated that the two series hot leg isolation valves fail, exposing the RHR system to the higher pressure of the RCS. While relief valves would open and discharge flow to the pressurizer relief tank (and ultimately into the containment following failure of the relief tank rupture disc), the pressure relief would be insufficient to prevent failure of the RHR pump seals.⁵ The RHR pump motors were assumed to subsequently fail due to water spray. Because of the plant layout, high pressure ECCS equipment would be unaffected by spray or flood from this ISLOCA event, and thus credit was taken for high pressure ECCS injection for ISLOCA mitigation. The licensee made calculations to demonstrate that the high pressure ECCS pumps would have a sufficient supply of suction water from the refueling water storage tank (RWST) for the 24 hour front-end mission time. To ensure an adequate inventory from the RWST, containment cooling must be established from the containment cooling units (CCUs), and the operators must also take actions to reduce ECCS flow over time. Unless the CCUs are actuated, the containment spray pumps would actuate on high containment pressure (from relief valve flow into containment) and draw water from the RWST, thereby depleting some of the RWST inventory. [pp. 9, 10, 28 of RAI Responses, pp. 3-51, 4-64, A-93 of submittal]

As previously noted, new temperature-resistant RCP O-rings have been installed at both units. Credit for these new RCP O-rings was taken in the IPE RCP seal LOCA model, which is based on a Westinghouse analysis described in the following documents: [WCAP 10541] and [WCAP 11550]. The RCP seal LOCA model assumes that following a loss of RCP seal cooling, only two failure mechanisms can lead to seal failure, namely catastrophic binding of the pump shaft or seal popping. It is further postulated that any seal failures will occur only within the first hour of a loss of seal cooling event. If there are no seal failures, the expected leakage rate is 21 gpm per pump. Under the worst conditions, the maximum seal leakage is postulated to be 480 gpm per pump. [pp. 31 to 33 of RAI Responses, pp. 3-193, 4-39, 6-12 of submittal]

⁵ It appears that other components of the overpressurized RHR system, for example piping and heat exchangers, are expected to remain intact for the 24 hour accident mission time. This aspect of the modeling process may be optimistic.

As previously discussed, the auxiliary component cooling water (ACCW) system supplies water to the RCP thermal barriers and motor bearing oil coolers, while seal injection is provided by the charging system. The nuclear service cooling water (NSCW) system provides heat removal for the ACCW heat exchangers and pump lube oil coolers for the two centrifugal charging pumps. Lube oil cooling for the positive displacement charging pump is provided by the ACCW system. Because of these system dependencies, total loss of RCP seal cooling will result from sustained loss of the NSCW system. [pp. 3-33, 3-38, 3-58, 3-76, 3-77, C-6 of submittal]

The IPE analyzed loss of NSCW as a special initiating event, and credits operator actions to reduce heat loads to maintain RCP seal cooling via the ACCW system until NSCW flow can be restored. Included in this model are the failure of operators to reduce ACCW loads and start standby NSCW pumps. The licensee states that the operators would have approximately 30 minutes to re-establish operation of the NSCW with one pump before the ACCW system would overheat and presumably fail to perform its function. The loss of NSCW model does not include the failure of operators to trip RCPs on loss of NSCW, a situation expected to result in the maximum (480 gpm) per pump leak rate (at some time after the ACCW overheats). However, the licensee states that the omission of such an operator error does not have a significant impact on the CDF results, as the other types of operator failures included in the loss of NSCW model are probabilistically more important. [p. 34 of RAI Responses, pp. 6-12, A-72 of submittal]

The IPE ATWS model appears to credit the possibility of successful ATWS mitigation during all portions of the fuel cycle. This aspect of the modeling process may be due to an analysis assumption or plant safety/relief valves that are sized to provide sufficient ATWS relief capacity during the entire fuel cycle. [pp. 23, 24 of RAI Responses, pp. A-64 to A-72 of submittal]

Credit was taken for recovery of offsite power in the IPE. Non-recovery data for LOSP were generated from information contained in NUREG-1032. The IPE non-recovery data are more optimistic than average industry experience reported in an Electric Power Research Institute (EPRI)-sponsored study [NSAC 147]. For example, at two hours, the IPE probability for non-recovery of LOSP is about a factor of 3 lower than the corresponding NSAC data. At four and eight hours, the IPE non-recovery data are approximately a factor of 4 lower than the NSAC data.

2.2.3 Systems Analysis.

Systems descriptions are included in Section 3.2 of the submittal. The system descriptions provide information on system interfaces, system inter-dependencies, and sharing of systems between units. These system descriptions also contain simplified schematics that show major equipment items and important flow and configuration information. [pp. 3-31 to 3-85 of submittal]


The PORV block valves are permitted to be closed during full power operation. Plant-specific maintenance data used in the IPE indicate that a PORV is unavailable (with its block valve closed) 9.8% of the time. [pp. 3-80, 3-115, 3-249 of submittal]

The station batteries have a lifetime of approximately 4 hours. It is not clear if this 4 hour lifetime includes credit for load shedding. [p. 3-193 of submittal]

2.2.4 System Dependencies.

The IPE considered dependencies in the following categories: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, HVAC, and operator actions. Dependency matrices are provided in Figures C-1, C-2, and C-3 of the submittal. These figures display, respectively, the following dependency relationships: [Appendix C of submittal]

  • Initiator to system,
  • System to system, and
  • Support system.

2.3 Quantitative Process

This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed.

2.3.1 Quantification of Accident Sequence Frequencies.

The methodology chosen for the VEGP IPE front-end analysis was a Level 1 PRA. A variation of the large event tree modeling technique was used in the analysis. This method utilized systemic plant response trees (PRTs) that explicitly include the analysis of containment systems. Support systems were modeled with special support system event trees and fault trees. The Westinghouse GRAFTER computer code was used to generate the analysis results.

Sequence quantification was applied to the entire plant model (front and back-end included) at a cutoff level of 1.0E-11/yr. The submittal does not state the effective truncation value used to support the front-end portion of the analysis. [p. 3-178 of submittal]

2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses.

Mean values were used to represent initiating event frequencies and event probabilities for hardware failures, hardware maintenance unavailabilities, and human failures. The overall CDF results are presented in terms of a point value estimate. No statistical uncertainty analyses were performed on the CDF. [pp. 3-5, 3-6, 3-92 to 3-115, 3-127 to 3-130, 3-189 of submittal]

Several types of front-end sensitivity analyses were performed. These sensitivity analyses and associated results are summarized below in Table 2-2. [pp. 2, 5, 9 of RAI Responses, pp. 3-221, 3-232, 3-251 to 3-260 of submittal]

Table 2-2. Summary of Front End Sensitivity Analyses

| Type of Sensitivity Analysis | Impact on IPE CDF (see note 1 below) |
|---|---|
| Remove credit for 3 procedural enhancements identified from IPE | 67% increase, or CDF increase from 4.9E-05/yr to 8.2E-05/yr (see note 2 below) |
| Increase important operator non-recovery event probabilities by an order of magnitude | 90% increase (from 4.9E-05/yr to 9.3E-05/yr) |
| Remove credit for all mitigating systems that rely on non-ESF power sources | 31% increase (from 4.9E-05/yr to 6.4E-05/yr) |
| Increase the 4,160 VAC bus failure rate to evaluate autoreclosure feature of 4,160 VAC pump circuit breakers | 0% increase |
| Remove the 1990 VEGP LOSP event from LOSP frequency calculations | 10% decrease (from 4.9E-05/yr to 4.4E-05/yr) |
| Remove credit for plant-specific failure data gathered beyond analysis freeze date (see note 3 below): (a) Diesel generator data | 23% increase (from 4.9E-05/yr to 6.0E-05/yr) |
| (b) Essential chilled water system data | 163% increase (from 4.9E-05/yr to 1.3E-04/yr) |
| (c) Collective influence of diesel generator and essential chilled water system data | 203% increase (from 4.9E-05/yr to 1.5E-04/yr) |
| Increase common cause beta factors to values consistent with NUREG/CR-4550 (see note 4 below): (a) RHR pumps | 2% increase (from 4.9E-05/yr to 5.0E-05/yr) |
| (b) Motor-Operated Valves (MOVs) | 5% increase (from 4.9E-05/yr to 5.1E-05/yr) |

Notes: (1) The CDF impact data for each of the reported categories are not additive.

(2) CDF impacts of individual procedural enhancements are provided in subsection 2.7.3 of this report.

(3) Further described in subsection 2.1.2 of this report.

(4) Further described in subsection 2.3.5 of this report.

2.3.3 Use of Plant-Specific Data.

A number of plant data sources were examined for the development of component failure rates and maintenance unavailabilities, including: maintenance work orders (MWOs), plant outage history, LERs, Limiting Conditions for Operations (LCO) status sheets, surveillance tests, test procedure histories, and equipment hour logs. [pp. 3-91, 3-105 to 3-115 of submittal]

With two exceptions, the time window used for the collection of VEGP plant-specific component data was from first commercial operation at each unit* to January 1, 1991 (analysis freeze date). As previously discussed in subsection 2.1.2 of this report, reliability data for the diesel generators and essential chilled water system were gathered outside the January 1, 1991 freeze date to account for the benefits of special reliability programs. For diesel generators, the data collection time window was from 1987 through 1991. For the essential chilled water system the data collection window was from November 20, 1990 to April 27, 1992. [p. 3-91 of submittal, pp. 3 to 5 of RAI Responses]

Component failure data were developed with a Bayesian analysis that updated generic data with plant-specific data. Maintenance unavailabilities were computed based solely on plant-specific data. [p. 3-107 of submittal]
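The Bayesian updating described here and in Section 2.2.1, as an added example that is not taken from the submittal or from this review. It assumes conjugate gamma-Poisson (rates) and beta-binomial (demand failures) models with a prior shape of 0.5, none of which the report states; the 4.2 reactor-years and the 3.0E-02 and 3.0E-05 prior means come from this report, and every event count, demand count, run-hour figure and the 1.0/yr transient prior are constructed.

```python
"""Conjugate Bayesian update of generic PRA data with plant-specific evidence.

Assumptions (not stated in the report): gamma prior with Poisson evidence for
rates, beta prior with binomial evidence for demand failures, prior shape 0.5.
"""
from dataclasses import dataclass

ASSUMED_PRIOR_SHAPE = 0.5  # assumption: prior carries the weight of half an event


@dataclass(frozen=True)
class GammaRate:
    """Gamma(shape, rate) belief about a frequency (per year or per hour)."""
    shape: float
    rate: float  # pseudo-exposure, same time unit as the evidence

    @classmethod
    def from_mean(cls, mean, shape=ASSUMED_PRIOR_SHAPE):
        if mean <= 0 or shape <= 0:
            raise ValueError("prior mean and shape must be positive")
        return cls(shape, shape / mean)

    @property
    def mean(self):
        return self.shape / self.rate

    def update(self, events, exposure):
        """Posterior after observing `events` in `exposure` time units."""
        if events < 0 or exposure <= 0:
            raise ValueError("need events >= 0 and exposure > 0")
        return GammaRate(self.shape + events, self.rate + exposure)

    def data_weight(self, exposure):
        """Share of the posterior mean carried by the plant estimate events/exposure."""
        return exposure / (self.rate + exposure)


@dataclass(frozen=True)
class BetaDemand:
    """Beta(a, b) belief about a probability of failure on demand."""
    a: float
    b: float

    @classmethod
    def from_mean(cls, mean, a=ASSUMED_PRIOR_SHAPE):
        if not 0 < mean < 1 or a <= 0:
            raise ValueError("prior mean must be in (0, 1) and a positive")
        return cls(a, a * (1 - mean) / mean)

    @property
    def mean(self):
        return self.a / (self.a + self.b)

    def update(self, failures, demands):
        """Posterior after observing `failures` in `demands` demands."""
        if not 0 <= failures <= demands:
            raise ValueError("need 0 <= failures <= demands")
        return BetaDemand(self.a + failures, self.b + demands - failures)


def worked_cases():
    """Three updates; see the comments for which inputs are constructed."""
    # Transient initiator: prior mean 1.0/yr and 2 events are constructed;
    # the 4.2 reactor-years of plant exposure is the figure quoted in the report.
    ie_prior = GammaRate.from_mean(1.0)
    ie_post = ie_prior.update(events=2, exposure=4.2)

    # Same evidence against a stronger prior (shape 5.0, constructed): with so
    # little plant exposure the generic data then dominates the result.
    strong_prior = GammaRate.from_mean(1.0, shape=5.0)

    # Motor-driven pump fail to run: prior mean 3.0E-05/hr is the Table 2-4
    # value; 0 failures in 50,000 run-hours is constructed.
    run_post = GammaRate.from_mean(3.0e-5).update(events=0, exposure=50_000)

    # Diesel generator fail to start: prior mean 3.0E-02 is the Table 2-4
    # value; 1 failure in 300 demands is constructed.
    dg_post = BetaDemand.from_mean(3.0e-2).update(failures=1, demands=300)

    return {
        "ie_mean_per_yr": ie_post.mean,
        "ie_data_weight": ie_prior.data_weight(4.2),
        "ie_data_weight_strong_prior": strong_prior.data_weight(4.2),
        "pump_run_per_hr": run_post.mean,
        "dg_start_per_demand": dg_post.mean,
    }


if __name__ == "__main__":
    for name, value in worked_cases().items():
        print(f"{name:30s} {value:.3e}")
```

The two `ie_data_weight` values show why the choice of prior strength matters at a plant with only a few reactor-years of history: the same evidence supplies most of the posterior mean under the weak prior and less than half under the strong one.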

Plant-specific data were gathered for a number of different components, including: pumps (for 10 different systems), chiller units, containment fan cooler units, cooling tower fans, diesel generators, inverters, battery chargers, reactor trip breakers, MSIVs, PORVs, MOVs (for 9 different systems), and check valves. [pp. 3-108 to 3-115 of submittal]

Table 2-3 of this review compares plant-specific failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR-4550 data for comparison [NUREG/CR 4550, Methodology]. [pp. 3-108 to 3-112 of submittal]

The majority of the plant-specific data are generally somewhat lower than corresponding NUREG/CR-4550 data. The plant-specific data for run failure of a nuclear service water cooling pump is almost an order of magnitude lower than the NUREG/CR-4550 data. In addition, the plant-specific estimate for diesel generator start failures is about a factor of 5 lower than the NUREG/CR-4550 data. On the other hand, the plant-specific estimate for diesel generator run failures is almost a factor of 3 higher than the NUREG/CR-4550 data. The plant data for start failure of the turbine-driven AFW pump is about a factor of 4 lower than the NUREG/CR-4550 data. For battery chargers, the plant failure data are about a factor of 5 higher than the NUREG/CR-4550 data.

* Unit 1 began commercial operation on June 1, 1987, while Unit 2 began commercial operation on May 20, 1989.

Table 2-3. Plant-Specific Component Failure Data (see note 1 below)

| Component | IPE Mean Value Estimate Used in Accident Sequence Quantification | NUREG/CR 4550 Mean Value Estimate |
|---|---|---|
| Pump - Turbine Driven AFW | 7.1E-03 Fail to Start; 2.3E-03 Fail to Run | 3E-02 Fail to Start; 5E-03 Fail to Run |
| Pump - Motor Driven AFW | 3.45E-03 Fail to Start; 1.0E-04 Fail to Run | 3E-03 Fail to Start; 3E-05 Fail to Run |
| Pumps - Centrifugal Charging | 1.7E-03 Fail to Start; 9.5E-06 Fail to Run | 3E-03 Fail to Start; 3E-05 Fail to Run |
| Pump - Safety Injection | 1.7E-03 Fail to Start; 3.1E-05 Fail to Run | 3E-03 Fail to Start; 3E-05 Fail to Run |
| Pump - RHR | 1.6E-03 Fail to Start; 2.2E-05 Fail to Run | 3E-03 Fail to Start; 3E-05 Fail to Run |
| Pump - CCW | 9.0E-04 Fail to Start; 1.1E-05 Fail to Run | 3E-03 Fail to Start; 3E-05 Fail to Run |
| Pump - Nuclear Service Cooling Water | 1.1E-03 Fail to Start; 4.3E-06 Fail to Run | 3E-03 Fail to Start; 3E-05 Fail to Run |
| MOV | 3.8E-03 Fail to Operate (RHR system); 1.15E-02 Fail to Operate (Nuclear Service Cooling Water System) | 3E-03 Fail to Operate |
| Check Valve (all systems) | 1.4E-04 Fail to Operate | 1E-04 Fail to Open |
| Battery Charger | 5.3E-06 Fail to Operate | 1E-06 Fail to Operate |
| Inverter | 3.3E-05 Fail to Operate | 1E-04 Failure (unspecified mode) |
| Diesel Generator | 6.3E-03 Fail to Start; 5.7E-03 Fail to Run | 3E-02 Fail to Start; 2E-03 Fail to Run |

Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour.

As previously noted in Section 2.2.1 of this report, plant data were used in the development of initiating events. Because the VEGP units are relatively new, only a limited amount of plant-specific data were available (4.2 reactor-years as of June 30, 1990). The first year of operation for both units was excluded from the quantification process because, like other new plants, the VEGP units experienced abnormally high frequencies of transients due to the learning curve for plant personnel and the break-in of equipment. Frequencies for transient initiating events were developed by applying a Bayesian update process that was used to combine generic data and the limited VEGP plant data. The special initiating events were quantified with fault trees. These fault trees presumably utilized plant data to some extent.

2.3.4 Use of Generic Data.

Generic failure data were used for component failures that were not included in the plant-specific data collection effort. In addition, generic data were used as prior distributions for the Bayesian updating method involving plant-specific data. The primary source of generic data was NUREG/CR-4550 studies [NUREG/CR 4550, Methodology]. Other sources of generic data included: [NUREG/CR 2815], [IEEE 500], [NUREG/CR 2728], [EPRI ALWRD], WASH-1400, and Westinghouse Technical Reports. [pp. 3-90, 3-93 of submittal]

We performed a comparison of IPE generic data to generic values used in the NUREG/CR-4550 studies [NUREG/CR 4550, Methodology]. This comparison is summarized in Table 2-4. [pp. 3-92 to 3-99 of submittal]

With the exception of the run failure data used for the turbine driven AFW pump, the IPE and NUREG/CR 4550 failure data are in agreement. The submittal states that the turbine driven AFW pump run failure probability was quantified from an EPRI document [EPRI ALWRD] rather than from NUREG/CR 4550. The NUREG/CR 4550 data were not used in this instance because it reflects experience at only one plant. [pp. 3-92, 3-93 of submittal]

As previously noted in Section 2.2.1 of this report, generic data were used in the development of initiating events. Frequencies for transient initiating events were developed by applying a Bayesian update process that was used to combine generic data and limited VEGP data. Frequencies for LOSP were partially based on generic data contained in the following documents: [NUREG 1032], [NSAC-144], and [NUMARC 87 00]. The large and medium LOCA frequencies were extracted from WASH-1400.

2.3.5 Common-Cause Quantification.

The estimation of common-cause failure probabilities was based on the Multiple Greek Letter (MGL) method. The common cause factors were based on an EPRI database [EPRI 3967], methodology presented in an NRC-sponsored study [NUREG/CR 4780], and plant-specific considerations. [pp. 7, 8 of RAI Responses]

Table 2-4. Generic Component Failure Data (1)

Component | IPE Mean Value Estimate (Bayesian Prior) | NUREG/CR 4550 Mean Value Estimate
Turbine Driven Pump | 3.0E-02 Fail to Start | 3E-02 Fail to Start
 | 6.0E-04 (used for AFW pump), 5.0E-03 (other) Fail to Run | 5E-03 Fail to Run
Motor Driven Pump | 3.0E-03 Fail to Start | 3E-03 Fail to Start
 | 3.0E-05 Fail to Run | 3E-05 Fail to Run
Motor Operated Valve | 3.0E-03 Fail to Open/Close | 3E-03 Fail to Operate
Check Valve | 1.0E-04 Fail to Open | 1E-04 Fail to Open
Battery Charger | 1.0E-06 Fails | 1E-06 Fail to Operate
Battery | 1.0E-06 Fails | 1E-06 Failure (unspecified mode)
Inverter | 1.0E-04 Fails to Operate | 1E-04 Failure (unspecified mode)
Circuit Breaker | 3.0E-03 Fail to Transfer | 3E-03 Fail to Transfer
Diesel Generator | 3.0E-02 Fail to Start | 3E-02 Fail to Start
 | 2.0E-03 Fail to Run | 2E-03 Fail to Run
Strainer / Filter | 3.0E-05 Plugs | 3E-05 Plugs
Transformer | 2.0E-06 Fails | 2E-06 Short or Open

Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour.

In accounting for plant-specific considerations, some events contained in the EPRI database [EPRI 3967] were either modified or discarded. The following screening criteria were used to discard database events: [pp. 7, 8 of RAI Responses, pp. 3-125, 3-130 of submittal]

  • Events that did not occur in the same time frame
  • Events in which the same cause was not readily apparent
  • Off-tolerance conditions, such as packing leaks and setpoint drifts that did not constitute a failure
  • Failures that were easily recoverable
  • Events for which a VEGP defense mechanism exists (specific operation, maintenance, or design measures in place that would diminish the frequency or consequences of a common cause event).

Common-cause beta factors were generated for a number of component groups, including: pumps, diesel generators, MOVs, check valves, major AC circuit breakers, battery chargers, HVAC chillers, HVAC fans, and cooling tower fans. The submittal notes that a separate "generic" component group was used to represent additional types of components, for example, relays, contacts, switches, AOVs, safety valves, and relief valves. The submittal does not explicitly state whether inverters and electrical buses were included in the common cause analysis.

Table 3.3.4-1 of the submittal lists the various MGL parameters that were used in the analysis. As a comment, this table does not specify the applicable component failure modes. [pp. 3-130 to 3-134 of submittal]

We performed a comparison of IPE common-cause beta factors with generic values used in the NUREG/CR-4550 studies [NUREG/CR 4550, Methodology]. This comparison is summarized in Table 2-5.

Table 2-5. Comparison of Common-Cause Failure Factors

Component | IPE Beta Factor (Assuming 2 Component System) | NUREG/CR 4550 Mean Value Beta Factor (2 Component System)
Pump - AFW Motor Driven | 0.011 | 0.056 Fail to Start
Pump - Nuclear Service Cooling Water | 0.012 | 0.026 Fail to Start
Pump - Component Cooling Water | 0.012 | 0.026 Fail to Start
Pump - RHR | 0.0025 | 0.15 Fail to Start
Pump - Charging/HPSI | 0.007 | 0.21 Fail to Start
Pump - Containment Spray | 0.081 | 0.11 Fail to Start
Valve - MOV | 0.0069 | 0.088 Fail to Operate
Valve - AOV | 0.023 | 0.10 Fail to Operate
Valve - Safety/Relief | 0.023 | 0.07 Fail to Open
Diesel Generator | 0.027 | 0.038 Fail to Start

The data in Table 2-5 indicate that common-cause beta factors used in the IPE are lower than the NUREG/CR-4550 data. For example, the IPE beta factor for charging/HPSI pumps is a factor of 3 lower than the NUREG/CR-4550 data, while the IPE beta factors for MOVs and RHR pumps are an order of magnitude lower than corresponding NUREG/CR-4550 data. This aspect of the modeling process may be optimistic. For MOVs, only 20 of the 41 database events from the EPRI database [EPRI 3967] were judged applicable to the VEGP. For the RHR pumps, only 2 of the 7 events were determined to be applicable to the VEGP. To further investigate the significance of the MOV and RHR common cause failure rates on the overall CDF, the licensee performed a special sensitivity analysis. If the MOV beta factor is increased to the NUREG/CR-4550 value of 0.088, the CDF will increase by 5% (from 4.9E-05/yr to 5.1E-05/yr). If the RHR pump beta factor is increased to the NUREG/CR-4550 value of 0.15, the CDF will increase by 2% (from 4.9E-05/yr to 5.0E-05/yr). [pp. 8, 9 of RAI Responses]

In summary, the licensee has applied judgments to exclude EPRI common cause events that are not applicable to the VEGP. It may be the case that the licensee's adjustment of the common cause data in this manner is overly optimistic.
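The following added example (not part of the TER or the licensee's submittal) shows why the choice of beta factor matters for a redundant pair of components: it applies the standard two-component beta-factor model to the Table 2-5 beta factors. Pairing each beta factor with a Table 2-4 generic demand failure probability is an assumption made here for illustration, so the output does not reproduce the licensee's CDF sensitivity results.

```python
"""Beta-factor common-cause sketch for a two-train redundant group.

Added illustration; not taken from the IPE submittal or the TER.
"""

# Constructed input. Beta factors are the Table 2-5 values; the demand
# failure probabilities q are the IPE generic values listed in Table 2-4.
# ASSUMPTION: pairing a Table 2-4 probability with a Table 2-5 beta factor
# (the IPE may have used plant-specific probabilities for these groups).
GROUPS = {
    # name: (q per demand, IPE beta, NUREG/CR-4550 beta)
    "MOV, fail to operate": (3.0e-3, 0.0069, 0.088),
    "RHR pump, fail to start": (3.0e-3, 0.0025, 0.15),
    "Diesel generator, fail to start": (3.0e-2, 0.027, 0.038),
}


def two_train_failure(q_total, beta):
    """Probability that both trains of a two-component group fail on demand.

    Beta-factor model: a fraction beta of each train's total failure
    probability is a common-cause event that fails both trains at once;
    the remainder (1 - beta) is independent between the trains.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    if not 0.0 <= q_total <= 1.0:
        raise ValueError("q_total must be a probability")
    q_ccf = beta * q_total          # common-cause contribution
    q_ind = (1.0 - beta) * q_total  # independent part, per train
    # Both trains fail if the common-cause event occurs, or if it does not
    # occur and each train fails independently.
    return q_ccf + (1.0 - q_ccf) * q_ind ** 2


def ccf_share(q_total, beta):
    """Fraction of the two-train failure probability due to common cause."""
    return beta * q_total / two_train_failure(q_total, beta)


def compare(groups=GROUPS):
    """Two-train failure probability under the IPE and generic beta factors."""
    rows = {}
    for name, (q, beta_ipe, beta_generic) in groups.items():
        p_ipe = two_train_failure(q, beta_ipe)
        p_generic = two_train_failure(q, beta_generic)
        rows[name] = {
            "ipe": p_ipe,
            "generic": p_generic,
            "ratio": p_generic / p_ipe,
            "ccf_share_ipe": ccf_share(q, beta_ipe),
            "ccf_share_generic": ccf_share(q, beta_generic),
        }
    return rows


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:34s} IPE {r['ipe']:.2e}  generic {r['generic']:.2e}  "
              f"ratio {r['ratio']:.1f}  CCF share {r['ccf_share_ipe']:.0%}"
              f" -> {r['ccf_share_generic']:.0%}")
```

Under these assumptions the pair-level failure probability is dominated by the common-cause term, so it scales almost directly with the beta factor for the MOV and RHR pump groups, while the diesel generator pair changes much less.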

2.4 Interface Issues

This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front-End and Back-End Interfaces.

Each VEGP unit has 8 containment cooling units (CCUs) and 2 containment spray trains that provide containment cooling functions. The CCUs receive external cooling from the nuclear service cooling water system. The containment spray pumps can provide spray from either the RWST or from dedicated containment recirculation sumps that are separate from the RHR containment sumps. There are no heat exchangers in the containment spray system. As a result, spray recirculation alone cannot remove decay heat from containment. [pp. 3-45, 3-48, 3-50, 3-51, 3-53 of submittal]

The IPE success criteria include requirements for containment cooling to sustain core cooling and/or to prevent containment failure. As a related comment, the UFSAR appears to indicate that containment cooling is not required to maintain adequate net positive suction head (NPSH) for ECCS pumps taking suction from the containment sump. [pp. 11-28 of RAI Responses, p. 3-24 of submittal, pp. 6.3.2-4, 6.3.2-5 of UFSAR]

The back-end analysis considered containment bypass, including SGTR and ISLOCA. The RHR hot leg suction ISLOCA was identified as a dominant contributor to the overall ISLOCA frequency and also judged to be the most severe ISLOCA due to its adverse effect on long term decay heat removal. For this reason, only the RHR hot leg suction ISLOCA was formally analyzed in the IPE, though its assigned frequency was increased to reflect other potential ISLOCA pathways that were identified. The RHR hot leg ISLOCA was modeled as a 0.1 sq. ft. break based on an upper bound estimate of flow through failed RHR pump seals. [pp. 9, 10, 38 to 40 of RAI Responses, pp. 3-6, 4-24, 4-42, 4-64, C-4 of submittal]

The IPE used the same set of event trees to model the front and back-end aspects of the accident sequences. Plant damage states (PDSs) were assigned to the sequence endstates. The PDS bins address both the core damage and ultimate containment state. The PDS bins account for a number of relevant criteria, for example the expected timing of core damage, the status of ECCS and containment heat removal systems, and the RCS pressure when core damage occurs. The assignment of PDSs is consistent with other PRA/IPE studies. [pp. 3-16, 3-27 to 3-30, 4-10 to 4-11 of submittal]

2.4.2 Human Factors Interfaces.

Based on our review of the front-end analysis, the following categories of operator actions were found to be important: [pp. 3-216, 3-217 of submittal]

  • Operator actions needed to establish ECCS recirculation
  • Operator actions to locally operate the turbine-driven AFW pump following loss of DC control power
  • Operator actions needed to initiate feed and bleed cooling
  • Operator actions needed to restore systems after offsite power recovery / station blackout

2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other Generic Safety Issues / Unresolved Safety Issues (GSI/USIs), if they were addressed in the submittal, were also reviewed.

2.5.1 Examination of DHR.

The licensee specifically addresses DHR and its contribution to CDF. Table 3.4.3-1 of the submittal compares DHR vulnerability insights from USI A-45 studies with their applicability to VEGP. This table contains a discussion of DHR as related to: support system failures, adequacy of physical separation, sharing and interconnection between redundant trains, human errors, contribution of LOSP, and effect of bleed and feed on DHR-related risk. Using qualitative and/or quantitative data, the licensee demonstrated that the IPE results are consistent with or better than those identified in the A-45 studies. Based on this comparison of VEGP results with the A-45 studies, the licensee concludes that there are no unique DHR vulnerabilities at the VEGP. The licensee proposes that A-45 be considered resolved at the VEGP. [pp. 1-7, 3-246 to 3-254 of submittal]

2.5.2 Diverse Means of DHR.

The IPE evaluated the diverse means for accomplishing DHR, including: use of power conversion system, feed and bleed, auxiliary feedwater, and ECCS. Cooling for RCP seals was addressed. In addition, containment cooling was addressed. [pp. 3-247 to 3-250 of submittal]

2.5.3 Unique Features of DHR.

The unique features at VEGP that directly impact the ability to provide DHR are as follows: [pp. 6-3 to 6-14 of submittal]

  • Ability to perform feed and bleed once-through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the main and auxiliary feedwater (AFW) systems.

  • Very large refueling water storage tank (RWST) capacity of 715,000 gal per unit. This design feature tends to decrease the CDF, as additional time is available for switchover from ECCS injection to recirculation.

  • Semi-automatic switchover of emergency core cooling system (ECCS) from injection to recirculation. The transfer of residual heat removal (RHR) pump suction from the RWST to the containment sump is automatic. However, manual actions are required to piggyback the safety injection and centrifugal charging pumps onto the discharge of the RHR pumps. This design feature tends to increase the CDF over what it would otherwise be with a fully automatic switchover system.

  • Separate closed loop cooling systems for RCP seal cooling and RHR heat removal functions. While both of these closed loop systems are cooled by the same external water source, the use of separate closed loop cooling systems for cooling the RCP seals and RHR system tends to lower the CDF. If the closed loop system used for RCP seal cooling fails and results in a RCP seal loss of coolant accident (LOCA), the RHR cooling function is not automatically defeated.

  • Availability of large quantity of AFW suction water. Each unit has two condensate storage tanks (CSTs) of approximately 480,000 gal each that provide water to the AFW pumps. In addition, other supplies of AFW suction water can be provided by the demineralized water tank, the fire protection system, or the nuclear service cooling water system. The analysis took credit only for water from one of two CSTs at each unit. This design feature tends to lower the CDF.

  • Ability to local-manually operate the turbine-driven AFW pump on loss of DC power. This design feature tends to lower the CDF. Credit for this feature was taken in the analysis.

  • Capability to local-manually operate the main steam atmospheric relief valves. These valves are supplied with hydraulic stations that allow personnel to open the valves locally from the floor of the main steam room. These valves are classified as safety-related components at VEGP. This design feature tends to lower the CDF. Credit for this feature was taken in the analysis.

2.5.4 Other GSI/USIs Addressed in the Submittal.

The licensee does not propose to resolve any GSI/USIs other than DHR. However, it is stated that the licensee may elect to pursue resolution of other safety issues using the IPE at a later date. [p. 3-251 of submittal]

2.6 Internal Flooding

This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.

2.6.1 Internal Flooding Methodology.

The analysis considered effects from both spray and direct flooding of equipment. The overall methodology used to analyze internal flooding involved the following general steps: [pp. 3-180 to 3-187 of submittal]

  • Information Collection
  • Walkdowns
  • Qualitative Analysis
  • Quantitative Analysis

Fire zones developed in the Fire Hazards Analysis portion of the plant UFSAR were used as the basis for development of flooding zones. The list of safe shutdown equipment developed for this Fire Hazards Analysis was used to determine whether component failures in a given flooding zone could result in a reactor trip. [p. 3-180 of submittal]

Three separate sets of walkdown activities were used to support the flooding analysis. One purpose of these walkdowns was to eliminate from the analysis zones with no flooding vulnerability. A subsequent qualitative analysis was done on the flooding zones that were not eliminated from consideration during the walkdowns. Factors considered during the qualitative analysis included: [pp. 3-180 to 3-187 of submittal]

  • Flood mitigation features (for example, floor gaps, open stairways)
  • Potential for flood propagation to/from other zones
  • Water spray effects (source distance from affected equipment, shielding)
  • Qualification of equipment for operation in adverse environments.

Table 3.3.8-2 of the submittal summarizes the results of the qualitative portion of the analysis. No scenarios were identified that involved both the failure of safe shutdown equipment (SSE) and a consequential reactor trip. Core damage evaluations were therefore limited to flooding events that occur during the 24 hour period after an independently-initiated reactor trip.

2.6.2 Internal Flooding Results.

Core damage frequency estimates were generated for two zones that were judged to have the greatest flood-induced damage in combination with independent reactor trip initiators. Scenarios in these two zones are as follows: [pp. 3-180, 3-186, 3-187 of submittal]

  • A room cooler pipe rupture in Auxiliary Building room 147 could spray a motor control center and electrical panel, resulting in multiple component failures.
  • A fire system pipe rupture in Auxiliary Building room 148 could flood a motor control center and electrical panel, also resulting in multiple component failures.

The CDF contributions for these scenarios were found to be less than 1.0E-11/yr. The licensee notes that the VEGP is one of the most recently licensed US nuclear plants, and as such has been designed to mitigate and limit effects due to internal floods.

2.7 Core Damage Sequence Results

This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences, whether systemic or functional, is reviewed for consistency with the screening criteria of NUREG-1335. The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.

2.7.1 Dominant Core Damage Sequences.

The IPE utilized systemic event trees, and reported results using the screening criteria from Generic Letter 88-20 for systemic sequences. The total point estimate CDF for each VEGP unit is 4.9E-05/yr. The CDF contribution from flooding is negligible. [pp. -5, 3-189, 3-215 of submittal]

Accident types that contributed the most to the CDF, and their percent contribution, are listed in Table 2-6. [pp. 1-9, 1-23, 3-191, 3-192, 3-245, 4-33, 4-34 of submittal]

Initiating events that contributed the most to the CDF, and their percent contribution, are listed below in Table 2-7 (see footnote 7). [p. 3-190 of submittal]

Table 2-6. Accident Types and Their Contribution to Core Damage Frequency

Accident Type | CDF Contribution per yr. | Percent Contribution to CDF
Station Blackout | 3.0E-05 | 61
LOCAs | 9.3E-06 | 19
LOSP (other than SBO) | 4.4E-06 | 9.0
Transient | 3.3E-06 | 6.8
SGTR | 1.8E-06 | 3.6
Special Initiators | 2.4E-07 | 0.5
ATWS | 1.1E-07 | 0.2
ISLOCA | 4.9E-08 | 0.1

Table 2-7. Initiating Events and Their Contribution to Core Damage Frequency

Initiating Event | CDF Contribution / yr. | % Cont. to CDF
LOSP (single unit) | 2.7E-05 | 56
LOSP (dual unit) | 6.7E-06 | 14
Medium LOCA | 4.4E-06 | 9.0
Small LOCA | 3.3E-06 | 6.8
SGTR | 1.7E-06 | 3.6
Large LOCA | 1.5E-06 | 3.2
Partial Loss of Main Feedwater Flow | 1.5E-06 | 3.1
Loss of Main Feedwater Flow | 5.4E-07 | 1.1

Footnote 7: Only the most dominant initiating event contributors are listed here. A complete set of initiating event CDF contributors is provided in Table 3.4-1 of the submittal.

Table 3.4-3 of the submittal lists and describes the highest frequency systemic core damage sequences per the NUREG-1335 screening criteria. The five most dominant systemic core damage sequences are listed below in Table 2-8 of this report. [pp. 3-193 to 3-214 of submittal]

Finally, an importance analysis was performed and described in the submittal. This importance relates the summation of the accident sequence frequencies in which a top event appears to the total CDF to obtain a percentage contribution. Both random and support system failures were considered in determining event CDF contributions. The most important events from this importance analysis are listed below: [pp. 3-216 to 3-218 of submittal]

  • Diesel generators fail to supply 4,160 VAC buses after LOSP
  • Diesel generator and nuclear service cooling water (NSCW) failures cause a station blackout condition following LOSP
  • Offsite power not recovered in 1 hour following LOSP

Table 2-8. Top 5 Dominant Systemic Core Damage Sequences

Initiating Event | Dominant Subsequent Failures in Sequence | % Contribution to Total CDF
LOSP (single unit) | Loss of power to 4,160 VAC buses resulting in a station blackout, LOSP not recovered in 13 hours before CST depletion | 5.1
LOSP (single unit) | Loss of power to 4,160 VAC buses resulting in a station blackout, nuclear service water cooling system fails to restart after restoration of LOSP | 5.0
LOSP (single unit) | Loss of power to 4,160 VAC buses resulting in a station blackout, failure of turbine-driven AFW pump | 3.7
Small LOCA | Loss of nuclear service cooling water system that in turn causes loss of ECCS equipment | 2.6
Medium LOCA | Failure of operator to align the RHR system for low pressure recirculation | 2.4

2.7.2 Vulnerabilities.

The licensee adopted guidance from a Nuclear Management and Resource Council (NUMARC) document [NUMARC 9104] for vulnerability screening. Based on this guidance, the licensee applied the following vulnerability criteria: [pp. 3-234, 3-237 of submittal]

  • Any functional core damage sequence that contributes greater than 1E-04, or greater than 50% of CDF per reactor year, or
  • The dominant core damage sequences resulting in containment bypass that contribute, when summed together as a group, greater than 1E-05 or greater than 20% of CDF per reactor year.

Based on the above criteria, the licensee determined that there are no vulnerabilities at VEGP. The most dominant functional sequence group has a frequency of 1.68E-05/yr, which corresponds to about 35% of the CDF. The sum of the containment bypass sequences was determined to be 1.6E-06/yr, which is about 3% of the overall CDF. [pp. 3-220, 3-235, 3-236 of submittal]

Station blackout was not identified as a vulnerability, even though station blackout accidents collectively represent 61% of the total CDF. The station blackout sequences were subdivided into several different functional categories, each of which has a CDF contribution that is less than 50% of the total CDF. The functional categories used to subdivide station blackout appear to be: (a) loss of primary / secondary cooling heat removal in the injection phase, (b) induced LOCA with loss of primary coolant makeup or adequate heat removal in the injection phase, and (c) induced LOCA with loss of primary coolant makeup or adequate heat removal in the injection phase. [pp. 3-235 to 3-242 of submittal]

2.7.3 Proposed Improvements and Modifications.

During the IPE analysis process, three plant improvements were identified that involve enhancements to procedures. The procedure enhancements were implemented in August 1992 and were credited in the analysis. These procedure enhancements are described below: [pp. 1 to 3 of RAI Responses, pp. 1-6, 3-233, 6-1 to 6-3 of submittal]

  • Opening of DC Power Room Doors on Loss of Control Building ESF Electrical HVAC. Based on room heatup calculations generated to support the IPE, it was determined that loss of HVAC could jeopardize the function of equipment needed to maintain the availability of DC power. The updated procedures call for local opening of doors to important electrical rooms following loss of cooling. When the doors are opened, natural circulation will maintain room temperatures below 130 deg. F, and 125 VDC will remain available for use during accident conditions.

  • Manual Control of AFW Turbine Driven Pump During a Loss of All AC Power and DC Power. The plant has procedures in place for operating the AFW manually. Previously, the operators could not get to this procedure from the loss of all AC power procedure. The loss of all AC power procedure has now been revised so that operators attempt local-manual operation of the turbine driven AFW pump upon loss of DC power.

  • Establishment of One NSCW Pump Operation on a Loss of NSCW Initiating Event. The Nuclear Service Cooling Water (NSCW) system is used to provide cooling to all of the major ESF components. On a loss of both trains of NSCW, the operator could reduce Auxiliary Component Cooling Water (ACCW) loads to keep the RCP seals cooled and subsequently establish single NSCW pump operation (by isolating loads and re-starting one pump). The previous abnormal operating procedure (AOP) for Loss of NSCW was revised so that a loop between the Loss of NSCW AOP and Loss of ACCW AOP does not occur. After establishment of one-pump NSCW operation, the procedures have instructions for returning a centrifugal pump to service to provide makeup and RCP seal injection. Based on heatup calculations, the operator would have approximately 30 minutes to establish one-pump NSCW operation before the ACCW would lose its cooling function.

Table 2-9 lists the estimated CDF impacts from the three procedural enhancements.

The licensee provided information concerning plant changes made in response to the Station Blackout Rule, and other modifications separate from the Station Blackout Rule that reduce the station blackout CDF. This information is summarized in Table 2-10. [pp. 2, 29, 30 of RAI Responses, p. 6-2 of submittal]

Table 2-9. Estimated CDF Impacts From Procedural Enhancements

Procedure Enhancement | Percent Increase in CDF If Enhancement Not Credited
(1) Manual control of AFW turbine-driven pump during a loss of all AC and DC power | 31% (from 4.9E-05/yr to 6.4E-05/yr)
(2) Establishment of one nuclear service cooling water (NSCW) pump operation on a loss of NSCW initiating event | 9% (from 4.9E-05/yr to 5.3E-05/yr)
(3) Opening of DC power room doors on loss of control building ESF electrical HVAC | 49% (from 4.9E-05/yr to 7.3E-05/yr)
Collective effect of all 3 enhancements | 67% (from 4.9E-05/yr to 8.2E-05/yr); (see note 1)

Notes: (1) The total CDF increase for all 3 enhancements does not represent the sum of the individual CDF increases for each enhancement.

Finally, it is noted that the licensee addressed the Accident Management Strategies of Supplement no. 2 to Generic Letter 88-20. The licensee has implemented a number of these accident management strategies. The licensee states that hardware modifications delineated in Supplement no. 2 are either already available and proceduralized, or are of negligible benefit. [pp. 6-7 to 6-14 of submittal]

Table 2-10. Summary of Plant Changes that Directly Affect Station Blackout

Plant Change | Status | Accounted for in IPE? | Notes | Estimated CDF Impact
Modifications Specifically Related to Station Blackout Rule
Opening of control building electrical equipment room doors | Completed in August 1992 | Yes | This procedural modification is related to a similar (and more general) procedural modification specifically identified in conjunction with the IPE, namely item (3) in Table 2-9 | Not available; however, does contribute some portion of the 49% CDF change associated with the more general procedural modification (item (3) in Table 2-9)
Modifications Separate From Station Blackout Rule
Connection to alternate AC power source via underground cable with Plant Wilson | Completed (1994 for Unit 1, 1995 for Unit 2) | No | Plant Wilson has 6 combustion turbines; the plant is adjacent to the VEGP boundary and is under the direct authority of VEGP management. | 33% decrease in total CDF (from 4.9E-05/yr to 3.3E-05/yr); decrease in station blackout CDF contribution from 61% to 47%

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and weaknesses of the IPE are summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.

All of the major aspects that affect the CDF were addressed in the IPE. The analysis addresses the plant-specific characteristics of the VEGP, those that impact the CDF both positively and negatively.

Strengths of the IPE are as follows: Even though the VEGP is a relatively new plant with limited operating experience, the licensee has made a major effort to use plant-specific data to support the quantification of initiating events and component unavailabilities.

No major weaknesses of the IPE were identified.

Significant level-one IPE findings are as follows:

  • Station blackout is a relatively large contributor to CDF, as is the case in a number of other PWR IPE/PRA studies. Important contributors to the station blackout CDF include failure of AFW flow due to condensate storage tank depletion, failure to restore operation of the nuclear service water system after LOSP recovery, and failure of the turbine-driven AFW pump.

  • Internal flooding is a negligible contributor to the CDF. The licensee states that the VEGP is one of the most recently licensed US nuclear plants, and as such has been designed to mitigate and limit effects due to internal floods.

  • ATWS is a relatively small contributor to CDF. The licensee appears to have credited the possibility of successful ATWS mitigation throughout all portions of the core cycle. A dominant ATWS sequence in some other PWR IPE/PRA studies involves the inability to mitigate an ATWS event during some portion of the early-in-life core cycle due to an unfavorable moderator temperature coefficient.

  • The common cause failure data used in the IPE are significantly lower than corresponding generic data presented in NUREG/CR-4550. For example, the IPE beta factor for charging/HPSI pumps is a factor of 3 lower than the NUREG/CR-4550 data, while the IPE beta factors for MOVs and RHR pumps are an order of magnitude lower than corresponding NUREG/CR-4550 data. While the IPE common cause data are based on an EPRI common cause database, the licensee has judged that some of the EPRI events are not applicable to the VEGP. As a result, some of the EPRI events have been excluded from the quantification process, and common cause failure rates have been adjusted downward. It may be the case that the licensee's adjustment of common cause data is overly optimistic.

4. DATA SUMMARY SHEETS

This section of the report provides a summary of information from our review.

Initiating Event Frequencies

Initiating Event | Frequency per Year
Large LOCA | 3.0E-04
Medium LOCA | 8.0E-04
Small LOCA | 6.6E-03
Steam Generator Tube Rupture | 2.5E-02
Interfacing Systems LOCA | 5.4E-06
Reactor Vessel Rupture | 1.0E-07
Positive Reactivity Insertion | 8.0E-02
Loss of Reactor Coolant Flow | 1.2E-01
Loss of Main Feedwater Flow | 5.3E-01
Partial Loss of Main Feedwater Flow | 1.5E+00
Loss of Condenser | 3.5E-01
Turbine Trip | 7.3E-01
Primary System Transient | 3.8E-02
Reactor Trip | 6.9E-01
Loss of Offsite Power (Dual Unit) | 1.0E-02
Loss of Offsite Power (Single Unit) | 4.1E-02
Safety Injection Signal | 1.7E-01
Secondary Side Breaks (Inside Containment) | 2.6E-03
Secondary Side Breaks (Outside Containment) | 2.6E-03
Inadvertent Opening of Steam Valve | 3.0E-02
Loss of Instrument Air | 2.4E-02
Loss of Nuclear Service Cooling Water | 1.4E-04
Loss of Two 120 V AC Vital Instrument Panels | 1.9E-03
Loss of 125 VDC Bus 1AD1 or 1BD1 | 1.8E-03
Loss of Auxiliary Component Cooling Water | 1.3E-03
Loss of One Train of CB ESF Electrical Equipment Room HVAC | 4.1E-03

Overall CDF

The total point estimate CDF for each unit is 4.9E-05/yr. The CDF contributions from flooding were negligible.

Dominant l'nitiatina Events Contributina to CDFs LOSP (single unit)' 56%

LOSP (dual unit) 14% l Medium LOCA 9.0% 1 Small LOCA 6.8% -

SGTR 3.6%

Large LOCA 3.2%  :

Partial Loss of Main Feedwater Flow 3.1 %

l Loss of Main Feedwater Flow 11%  ;

Dominant Hardware Failures and Operator Errors Contributing to CDF

Dominant hardware failures contributing to CDF include:

  • Diesel generators fail to supply 4,160 VAC buses after LOSP
  • Diesel generator and nuclear service cooling water (NSCW) failures cause a station blackout condition following LOSP
  • AFW pump maintenance unavailability, failure of AFW pumps to start, and common cause failure of AFW check valves

Dominant human errors and recovery factors contributing to CDF include:

  • Offsite power not recovered in 1 hour following LOSP
  • Operator fails to establish low- or high-pressure recirculation
  • Operator fails to continue local operation of turbine-driven AFW pump during loss of DC power

Dominant Accident Classes Contributing to CDF

Station Blackout         61%
LOCAs                    19%
LOSP (other than SBO)    9.0%
Transient                6.8%
SGTR                     3.6%
Special Initiators       0.5%
ATWS                     0.2%
ISLOCA                   0.1%

* Only the most dominant initiating event contributors are listed here. A complete set of initiating event CDF contributors is provided in Table 3.4-1 of the submittal.


Design Characteristics Important for CDF

The following design features impact the CDF:

  • Ability to perform feed and bleed once through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the main and auxiliary feedwater (AFW) systems.

  • Very large refueling water storage tank (RWST) capacity of 715,000 gal per unit. This design feature tends to decrease the CDF, as additional time is available for switchover from ECCS injection to recirculation.

  • Semi-automatic switchover of emergency core cooling system (ECCS) from injection to recirculation. The transfer of residual heat removal (RHR) pump suction from the RWST to the containment sump is automatic. However, manual actions are required to piggyback the safety injection and centrifugal charging pumps onto the discharge of the RHR pumps. This design feature tends to increase the CDF over what it would otherwise be with a fully automatic switchover system.

  • New temperature resistant reactor coolant pump (RCP) O-rings. These new O-rings tend to lower the CDF because of the increased ability of the RCP seals to withstand loss of cooling.

  • Use of solenoid-operated power operated relief valves (PORVs) that are not dependent on instrument air. This design feature tends to lower the CDF.

  • Separate closed loop cooling systems for RCP seal cooling and RHR heat removal functions. While both of these closed loop systems are cooled by the same external water source, the use of separate closed loop cooling systems for cooling the RCP seals and RHR system tends to lower the CDF. If the closed loop system used for RCP seal cooling fails and results in a RCP seal loss of coolant accident (LOCA), the RHR cooling function is not automatically defeated.

  • Four safety-related 125 VDC systems per unit. Each 125 VDC system has its own battery, battery chargers, inverter and distribution panels. This design feature tends to lower the CDF.

  • Redundancy in control room habitability systems. This design feature tends to lower the CDF.

  • Use of two sets of redundant cooling coils in the majority of engineered safety features (ESF) rooms. Each of the cooling coils associated with a given room is cooled by a separate water system. This design feature tends to lower the CDF.

  • Availability of large quantity of AFW suction water. Each unit has two condensate storage tanks (CSTs) of approximately 480,000 gal each that provide water to the AFW pumps. In addition, other supplies of AFW suction water can be provided by the demineralized water tank, the fire protection system, or the nuclear service cooling water system. The analysis took credit only for water from one of two CSTs at each unit. This design feature tends to lower the CDF.

  • Ability to local-manually operate the turbine-driven AFW pump on loss of DC power. This design feature tends to lower the CDF. Credit for this feature was taken in the analysis.

  • Capability to local-manually operate the main steam atmospheric relief valves. These valves are supplied with hydraulic stations that allow personnel to open the valves locally from the floor of the main steam room. These valves are classified as safety-related components at VEGP. This design feature tends to lower the CDF. Credit for this feature was taken in the analysis.

  • Autoreclosure of 4 kV circuit breakers for restarting pumps on various actuation signals. This design feature tends to lower the CDF by providing automated restart of pumps following restoration of electrical power. The drawback to this feature is that automatic breaker reclosure is not prevented in the presence of a fault.

Modifications

During the IPE analysis process, three plant improvements were identified that involve enhancements to procedures. The procedure enhancements were implemented in August 1992 and were credited in the analysis. These procedure enhancements are listed below:

  • Manual control of AFW turbine-driven pump during a loss of all AC and DC power. Without this enhancement, the CDF would increase by 31%.

  • Establishment of one nuclear service cooling water (NSCW) pump operation on a loss of NSCW initiating event. Without this enhancement, the CDF would increase by 9%.

  • Opening of DC power room doors on loss of control building ESF electrical heating, ventilating, and air conditioning (HVAC). Without this enhancement, the CDF would increase by 49%.

Without credit for this group of three modifications, the total CDF would increase by 67% (from 4.9E-05/yr to 8.2E-05/yr).*

* The total CDF increase from all three modifications does not represent the sum of the individual CDF increases for each modification.

The licensee also provided information concerning plant changes made in response to the Station Blackout Rule, and other modifications separate from the Station Blackout Rule that were credited in the IPE. This information is summarized below:

Plant Improvements Specifically Related to the Station Blackout Rule

  • Opening of control building electrical equipment room doors. This procedural modification is related to a similar but apparently more general modification specifically identified in conjunction with the IPE, namely "opening of DC power room doors on loss of control building ESF electrical HVAC" (as described above). The CDF impact of opening electrical equipment room doors only during station blackout conditions is unavailable. However, the station blackout procedural modification does contribute some portion of the 49% CDF change associated with the more general procedural modification described above.

Modifications affecting station blackout separate from the Station Blackout Rule

  • Connection to alternate AC power source via underground cable with Plant Wilson. Plant Wilson, which is adjacent to the VEGP boundary, has 6 combustion turbines, and is under the direct authority of VEGP management. This modification has been completed for both units and results in a 33% decrease in total CDF, or a decrease in station blackout CDF contribution from 61% to 47%.

Other USIs/GSIs Addressed

The IPE does not propose resolution of any other USIs/GSIs other than DHR.

Significant PRA Findings

Significant findings on the front-end portion of the IPE are as follows:

  • Station blackout is a relatively large contributor to CDF, as is the case in a number of other PWR IPE/PRA studies. Important contributors to the station blackout CDF include failure of AFW flow due to condensate storage tank depletion, failure to restore operation of the nuclear service water system after LOSP recovery, and failure of the turbine-driven AFW pump.

  • Internal flooding is a negligible contributor to the CDF. The licensee states that the VEGP is one of the most recently licensed US nuclear plants, and as such has been designed to mitigate and limit effects due to internal floods.

  • ATWS is a relatively small contributor to CDF. The licensee appears to have credited the possibility of successful ATWS mitigation throughout all portions of the core cycle. A dominant ATWS sequence in some other PWR IPE/PRA studies involves the inability to mitigate an ATWS event during some portion of the early-in-life core cycle due to an unfavorable moderator temperature coefficient.

  • The common cause failure data used in the IPE are significantly lower than corresponding generic data presented in NUREG/CR-4550. For example, the IPE beta factor for the charging pumps is a factor of 3 lower than the NUREG/CR-4550 data, while the IPE beta factors for MOVs and RHR pumps are an order of magnitude lower than corresponding NUREG/CR-4550 data. While the IPE common cause data are based on an EPRI common cause database, the licensee has judged that some of the EPRI events are not applicable to the VEGP. As a result, some of the EPRI events have been excluded from the quantification process, and common cause failure rates have been adjusted downward. It may be the case that the licensee's adjustment of common cause data is overly optimistic.


REFERENCES

[EPRI ALWRD] Advanced Light Water Reactor Requirements Document, EPRI, August 1990.

[EPRI 3967] Classification and Analysis of Reactor Operating Experience Involving Dependent Events, EPRI NP-3967, interim draft 1990 document.

[IEEE 500] Guide to the Collection and Presentation of Electrical, Electronic, Sensing, Component, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE Std. 500-1984, December 1983.

[IPE Submittal] Vogtle Electric Generating Plant Units 1 and 2, December 1992.

[NSAC 147] Losses of Offsite-Power at U. S. Nuclear Power Plants Through 1989, EPRI (Nuclear Safety Analysis Center), NSAC-147, March 1990.

[NUMARC 87 00] Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout of Light Water Reactors, NUMARC 87-00, August 31, 1987.

[NUMARC 9104] Severe Accident Issue Closure Guidelines, NUMARC Document 91-04, January 1992.

[NUREG 1032] Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG-1032, June 1988.

[NUREG/CR 2728] Interim Reliability Evaluation Program Procedures Guide, NUREG/CR-2728, January 1983.

[NUREG/CR 2815] Probabilistic Safety Analysis Procedures Guide, NUREG/CR-2815, Vol. 1, Rev. 1, August 1985.

[NUREG/CR 3862] Development of Transient Initiating Event Frequencies for Use in Probabilistic Risk Assessment, NUREG/CR-3862, May 1985.

[NUREG/CR 4550, Methodology] NUREG/CR-4550, Vol. 1, Rev. 1, Analysis of Core Damage Frequency: Internal Events Methodology, January 1990.

[NUREG/CR 4780] Procedures for Treating Common Cause Failures in Safety and Reliability Studies, NUREG/CR-4780, Vol. 1, February 1988 and Vol. 2, January 1989.

[RAI Responses] Vogtle Electric Generating Plant Response to Request for Additional Information Individual Plant Examination. Letter from C. K. McCoy, Georgia Power, to NRC, LCV-0636 B, September 13, 1995.


[UFSAR] Updated Final Safety Analysis Report for Vogtle

[WASH 1400] Reactor Safety Study, October 1975.

[WCAP 10541] Reactor Coolant Pump Seal Performance Following a Loss of All AC Power, WCAP-10541, Rev. 2, November 1986.

[WCAP 11550] RCP Seal Integrity, Generic Issue B-23 Slides Presented to the NRC, WCAP-11550, July 1987.
