ML20101C894

From kanterella
Revision as of 02:32, 29 April 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Plant IPE Insight Support Rept for NUREG-1150 Plants
ML20101C894
Person / Time
Site: Grand Gulf Entergy icon.png
Issue date: 10/16/1995
From: Tony Brown, Whitehead D
SANDIA NATIONAL LABORATORIES
To:
NRC
Shared Package
ML20101C184 List:
References
CON-FIN-W-6188, RTR-NUREG-1150 NUDOCS 9603190249
Download: ML20101C894 (88)


Text

. . . -

J 1

I a

i t

)

Grand Gulf Nuclear Station Individual Plant Examination insight Support Report for NUREG-1150 Plants NRC JCN W6188, Task 9 Donnie W. Whitehead' Thomas D. Brown2 ,

i Sandia National Laboratories

' Risk Assessment and Systems Modeling Department 2

Accident Analysis and Consequence Assessment Department October 16,1995 9603190249 960307 PDR ADOCK 05000416 P PDR

i .

This page intentionally left blank.

ii

Table of Contents  ;

I E. EXEC UTIVE

SUMMARY

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.2 Licensee lPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 E.3 I P E Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 E.3.1 Front-End Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 E.3.2 Human Reliability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 E.3.3 Back-End Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 E.4 Generic issues and Containment Performance improvements . . . . . . . 9 E.5 Vulnerabilities and Plant improvements . . . . . . . . . . . . . . . . . . . . . . . . 9 E.6 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1.1 Review Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 l
2. Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.1 Licensee IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.1.1 Completeness and Methodology . . . . . . . . . . . . . . . . . . . . . . . 13 l 2.1.2 Multiunit Effects and As-Built, As-Operated Status . . . . . . . . . 14 2.1.3 Licensee Participation and Peer Review . . . . . . . . . . . . . . . . . 14 2.2 Front-End Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.2.1 Accident Sequence Delineation and System Analysis . . . . . . . 14 2.2.1.1 initiating Events . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.1.2 Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.2.1.3 System Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.2.1.4 System Dependencies . . . . . . . . . . . . . . . . . . . . 22 2.2.2 Quantitative Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.2.2.1 Quantification of Accident Sequence Frequencies . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.2.2.2 Point Estimates and Uncertainty / Sensitivity Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.2.2.3 Use of Plant-Specific Data . . . . . . . . . . . . . . . . . 27 2.2.2.4 Use of Generic Data . . . . . . . . . . . . . . . . . . . . . . 27 2.2.2.5 Common-Cause Quantification . . . . . . . . . . . . . . 27 2.2.3 Interface issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 2.2.3.1 Front-End and Back-End interfaces . . . . . . . . . . 27 2.2.3.2 Human Factors Interfaces . . . . . . . . . . . . . . . . . . 31 lii 4

s .

l i

1 l l I

Table of Contents (Continued) 2.2.4 Internal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.2.4.1 Internal Flood Methodology . . . . . . . . . . . . . . . . 34 2.2.4.2 Internal Flooding Results . . . . . . . . . . . . . . . . . . 35 2.2.5 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . 35 2.3 Human Reliability Analysis Technical Review . . . . . . . . . . . . . . . . . . 36 2.3.1 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 2.3.1.1 Pre-Initiator Human Actions Considered . . . . . . . 36 2.3.1.2 Process for identification and Selection of Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . 38 2.3.1.3 Screening and Quantification Process for Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . 38 2.3.2 Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . 39 2.3.2.1 Types of Post-Initiator Actions Considered . . . . . 39 l 2.3.2.2 Process for Identification and Selection of Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . 39 l 2.3.2.3 Screening Process for Post-Initiator Response Action s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 2.3.2.4 Quantification of Post-Initiator Human Actions . . 41 2.3.2.4.1 Consideration of Timino . . . . . . . . . . . . . . 41 i 2.3.2.4.2 Other Performance Shaoino Factors i Considered . . . . . . . . . . . . . . . . . . . . . . . . 42 2.3.2.4.3 Quantification of Recoverv Actions . . . . . 43 2.3.2.4.4 Consideration of Deoendencies . . . . . . . . 43 2.3.2.4.5 Treatment of Ooerator Actions in the Internal Floodino Analysis . . . . . . . . . . . . 43 2.3.2.4.6 Seouences Screened Out Due to Credit for Recoverv Actions . . . . . . . . . . . . . . . . . . . 43 2.3.2.4.7 Treatment of Ooerator Actions in the Level 2 Analysis . . . . . . . . . . . . . . . . . ........ 44 2.4 Back-End Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 2.4.1 Containment Analysis / Characterization . . . . . . . . . . . . . . . . . . 45 2.4.1.1 Sequences with Significant Probabilities . . . , . . 45 2.4.1.2 Failure Modes and Timing . . . . . . . . . . . . . . . . . 46 2.4.1.3 Containment Isolation Failure . . . . . . . . . . . . . . . 48 2.4.1.4 System / Human Responses . . . . . . . . . . . . . . . . . 49 2.4.1.5 Radionuclide Release Characterization . . . . . . . 49 2.4.2 Accident Progression and Containment Performance Analysis . 50 2.4.2.1 Severe Accident Progression . . . . . . . . . . . . . . . 50 2.4.2.2 Dominant Contributors: Consistency with lPE lnsights . . . . . . . . . . . . . . . . . . . . . . . . . 52 iv

1

. . l Table of Contents (Continued) 4 2.4.2.3 Characterization of Containment Performance . . 53 2.4.2.4 Impact on Equipment Behavior . . . . . . . . . . . . . . 55 2.4.2.5 Uncertainty and Sensitivity Analyses . . . . . . . . . 56 2.5 DHR, Other GSI/USIs and CPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 2.5.1 Evaluation of Decay Heat Removal . . . . . . . . . . . . . . . . . . . . . 56 2.5.1.1 Examination of DHR . . . . . . . . . . . . . . . . . . . . . . 56 2.5.1.2 Diverse Means of DHR . . . . . . . . . . . . . . . . . . . . 56 I 2.5.1.3 Unique Features of DHR . . . . . . . . . . . . . . . . . . 56 2.5.2 Other GSI/USis Addressed in the Submittal . . . . . . . . . . . . . . . 57 2.5.3 Responses to CPI Program Recommendations . . . . . . . . . . . . 57 2.6 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . 58 2.6.1 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 2.6.2 Proposed improvements and Modifications . . . . . . . . . . . . . . . 58 2.6.3 IP E insights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 l

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . '61
4. DATA SU MMARY S H E ETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 RE F ERE N C ES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Ap pend ix A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1 v

l i

List of Tables 1

j E.3.1-1 Comparison of IPE and NUREG/CR-4550 Core Damage

Frequency by Accident Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 E.3.2-1 Important Human Actions from a Risk Reduction Perspective . . . . . . . 5 E-3.2-2 Important Human Actions from a Risk Increase Perspective . . . . . . . . 6
E.3.3-1 Comparison of Conditional Containment Failure Assessment . . . . . . . 7 l l E.3.3-2 Comparison of IPE Release Categories with Equivalent j NUREG/CR-4551 Release Categories . . . . . . . . . . . . . . . . . . . . . . . . . 8 )
2.2.1.1 -1 Frequencies for IPE and NUREG/CR-4550 Initiating Events . . . . . . . 17 l 2.2.1.1 -2 Differences in Success Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 l 2.2.2.2-1 Nonhuman Action Events important in the IPE Submittal and in
N U R EG/C R-4550 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 l 2.2.2.3-1 Events Using Plant-Specific Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.2.3.1 -1 Comparison of Plant Damage State Characteristics Used in IPE and
N U R E G-1 150 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.2.3.1 -2 Comparison of Plant Damage State Summary Groups . . . . . . . . . . . 31 2.2.3.2-1 Important Human Actions from a Risk Reduction Perspective . . . . . . 32 2.2.3.2-2 Important Human Actions irom a Risk Increase Perspective . . . . . . . 33 i 2.2.5-1 Comparison of IPE and NUREG/CR-4550 Core Damage
Frequency by Accident Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 2.2.5-2 Changes Made to the IPE Model to Simulate the NUREG/CR-4550 j M ode l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 2.4.1.2-1 Comparison of ultimate containment failure pressure distributions due to static loads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 j 2.4.1.5-1 Comparison of IPE Release Categories with Equivalent NUREGICR-4551 Release Categories . . . . . . . . . . . . . . . . . . . . . . . . 51 l

2.4.2.2-1 Containment Failure as a Percentage of Total CDF: Grand Gulf IPE i Results Compared with the Grand Gulf NUREG-1150 PRA and Other IP E Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 2.4.2.3-1 Comparison of Conditional Containment Failure Assessment . . . . . . 55 A-1 Differences identified in the general assumptions used in event tree I construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3 l A-2 Differences in Event Tree Top Events . . . . . . . . . . . . . . . . . . . . . . . . A-4 l

l l

1 1

j 1

vi i

i i

4

Acronyms ASEP Accident Sequence Evaluation Program l CCF Common cause failure CDF Core damage frequency CETs Containment event trees CPI Containment performance improvement i

DG Diesel generator

DHR Decay heat removal ECCS Emergency core cooling system i

ESF Engineered safety feature HPCS High-pressure core spray HRA Human reliability analysis IPE Individual plant examination LOCA Loss-of-coolant accident LPCI Low-pressure coolant injection

. MAAP Modular Accident Analysis Program MSIVs Main steam isolation valves NRC Nuclear Regulatory Commission

! PCS Power conversion system

!' F-dss Plant damage states PRAs Probabilistic risk assessments 4

PSW Plant service water RCIC Reactor core isolation cooling RPT Recirculation purnp trip RPV Reactor pressure vessel

, SBO Station blackout SLC Stanby liquid control 2

SNL Sandia National Laboratories i SPMU Suppression pool makeup

SSW Standby service water i

t 4

vii

O ,

This page intentionally left blank.

1 1

1 I

l I

viii

i.

E. EXECURVE

SUMMARY

This report describes the Sandia National Laboratories (SNL) review of the Grand Gulf Nuclear Station Individual Plant Examination (IPE) submittal. Because this submittal is for a plant that has already been analyzed by the Nuclear Regulatory Commission (NRC) in the NUREG-1150 study, the major objective of this review is a comparison between the results of the IPE submittal and the results of the NUREG-1150 study as documented in NUREG/CR-4550 Vol. 6, Rev.1 and NUREG/CR-4551 Vol. 6 Rev.1.

With this objective in mind, the reader should understand that the material presented in this review will differ from other Technical Evaluation Reports performed for other plant submittals.

The purpose of this report is to summarize SNL's review of the Grand Gulf IPE submittal, including the results of a comparison between the front-end, human reliability i

analysis (HRA), and back-end portions of the IPE and NUREG-1150 analyses of the j Grand Gulf Nuclear Station. This summarization is based on information contained in i

the IPE submittal [lPE Submittal) and the detailed documentation of the front-end

[NUREG\CR-4450] and back-end (NUREG/CR-4451] analyses of Grand Gulf performed for the NUREG-1150 study.

j E.1 Plant Characterization

The Grand Gulf Nuclear Station is a General Electric boiling water reactor (BWR)/6 with a Mark lli containment located about 6 miles northwest of Port Gibson, Mississippi.

l The containment is a steel-lined reinforced concrete cylinder with a dome roof and a i design pressure of 15 psig. It is surrounded by secondary containment structures consisting of the reinforced concrete auxiliary building surrounding the lower part of the containment and a low-leakage, metal-siding enclosure building surrounding the containment above the roof of the auxiliary building.

important Design Characteristics  !

j .

Cross-tie of standby service water (SSW) B system to the low-pressure coolant injection (LPCl) B injection line.  ;

Makeup to the reactor pressure vessel (RPV) using the firewater system.

! . Division 3 high-pressure core spray (HPCS) diesel generator is of a different design and size than those for Divisions 1 and 2. 1 Cross-tying the HPCS diesel generator to either Division 1 or 2 during station i blackout (SBO) events per the Off Normal Event Procedure. l I 1 i a

Highly coiTptivientalized nature of Grand Gulfs auxiliary building improves the plant's ability to cope with intamal floods.

! E.2 Licensee IPE Process i

l The submittal states that the " methodology utilized ... was based upon the methodology j used in support of NUREG-1150... and follows the guidelines as provided by NUREG-

! 2300, ... Generic Letter 88-20, ... and NUREG-1335...."

l l For the front-end (i.e., Level 1) analysis, the "small event tree, large fault tree" l approach was used, and its use is clearly documented in the submittal. Intemal j initiating events and intamal flooding were considered. Event trees were developed for

all classes of initiating events. System descriptions were provided, and the
development of cciTiponent-level system fault trees was discussed. Intersystem l dependencies were provided in tabular format, along with the data used in the j quantification of the models. In addition, the methodology used to estimate the core
damage frequency from intemal flooding events was presented.

l 4

The HRA analysis was based on the Accident Sequence Evaluation Program (ASEP) method described in NUREG/CR 4772, and all explicitly modeled human errors were

classified as either pre-accident or post-accident. In addition, human errors were
implicitly incorporated into the initiating event frequencies of the IPE submittal either j from generic sources or from plant-specific sources. The general approach used to l identify and quantify human actions is clearly documented in the submittal.

The methodology used in the back-end (i.e., Level 2) analysis is similar to that used in NUREG/CR-4551 and used " containment event trees (CETs) to model the accident progression and fission product releases to the environment." The cut sets comprising 95% of the total core damage frequency obtained from the Level 1 analysis were grouped into plant damage states based on similar charactenstics. These plant damage states were then used as the entry points to the CETs. The Modular Accident Analysis Program (MAAP) computer code was used to quantify the CET events and source term parameters, along with applicable results from NUREG/CR-4551 and other past probabilistic risk assessments (PRAs).

The IPE was performed by a safety analysis group that was established within the onsite Design Engineering Department. This group consisted of six permanent engineers with supplemental support from other Grand Gulf technical personnel and contractors. Grand Gulf personnel directed and were involved in all aspects of the IPE, with at least 50 percent of the total engineering effort supplied by Entergy personnel.

The submittal states that to ensure the IPE represented the as-built, as-operated status of Grand Gulf, the IPE analysts conducted 2

_ _ . . _ _ _ . _ _ . _ _ _ _ _ _ . . . . _ _ _ _ _ = _ _ ____.__ _ _ _ _ _ . _.

, i

. walkdowns to verify system information, '

.- spatial or unusual characteristics of components, and .

l -

potential recovery actions; e interviews with operators; procedure and drawing reviews; and e

simulator exercises.

l In addition, independent reviews by plant personnel and contractor support staff were conducted.

Since Unit 2 has been canceled, multiunit considerations do not apply to Grand Gulf.

l l E.3 IPE Analysis i i

)

1 E.3.1 Front-End Analysis

] Based on the results presented in the IPE submittal [Section 3.4, specifically Table 3.4-

, 4] and in NUREGICR-4550 [Section 5, specifically Table 5.5-1), Table E.3.1-1 presents i a comparison of the core damage frequency results by accident class. From an j examination of this table, one can see that the percent contributions for the accident ,

i classes are different. Section 3.4.1.5 of the IPE submittal presents differences between  !

. the two studies. It states that there are three primary differences between the two j j studies. Among them are

?

-1 The NUREG/CR-4550 analysis did not include any special initiators except loss i of instrument air'. l 1

The dependence of SSW upon SSW pump house ventilation was not modeled in l NUREG/CR-4550, 2 I

( .

The reactor core isolation cooling (RCIC) turbine-driven pump failure rate for the j IPE submittal is significantly higher than that used for NUREGICR-4550.

4 l

?

4 1

l 'in the NUREGCR-4550 analysis, all other special initiators were either eliminated because they I were deemed to not meet the specialinitiator screening cdteria used in the analysis or were deliberately not

! included as part of the scope of the analysis (i.e., intomal flooding initiators).

1 2

The NUREGCR-4550 analysis assumed that ample room ventilation would be supplied to the SSW pump rooms due to their proximity to the cooling tower (i.e., the air current induced by the cooling tower) and the normally open louvers on the walls of the SSW pump rooms. Thus, a loss of room cooling 1 to the SSW pumps was not considered as a failure of the pumps.  ;

3 l

e g -

1 Table E.3.1-1 Comparison of IPE and NUREG/CR-4550 Core Damage Frequency by Accident Class Point Estimate Core Percent of Total Point j Damage Frequency Estimate Core Damage Accident Type Frequency IPE NUREW IPE NUREG/

CR-4550 CR-4550 Station Blackout 7.46E-6 1.9E4 43.3 94

, Anticipated transient without 5.56E-8 1.2E-7 0.3 6 scram

! Transient with loss of all 3.37E-6 1.4E-8 19.6 <1 injection

- Transient with loss of all high- 4.07E-6 Screened 23.6 Screened
pressure injection and failure out out  !

j to depressurize l Transient with loss of 1.74E-6 Screened 10.1 Screened a

containment heat removal out out leading to loss of injection -l

! Transient-induosd loss-of- 1.67E-7 Screened 1.0 Screened I l coolant accident (LOCA) out out LOCA 3.73E-7 Screened 2.2 Screened 1- out out

The licensee's Level 1 analysis, based on a comparison between the IPE submittal and NUREGICR-4550, appears reasonable and sufficient for identifying Level 1 l vulnerabilities. Specifically, the inclusion of additional special initiators, the i

identification of SSW dependency on SSW pump house ventilation, and the use of a

, plant-specific RCIC turbine-driven pump failure rate should help to ensure that Level 1 i vulnerabilities were identified.

i l E.3.2 Human Reliability Analysis l Both the IPE submittal and the NUREG/CR-4550 and NUREG/CR-4551 analyses used

the same techniques to identify and quantify human actions. Given the differences j between the IPE submittal results and those from NUREG/CR-4550 as documented in i i Table E.3.1-1, no undue significance should be attached to the fact that different j human actions were identified as important in the two studies.

fE i

d

l l

l

! In Table E.3.2-1 a select set of the human actions identified as important in the IPE submittal from a risk reduction perspective is compared with a select set of those identified in NUREG/CR-4550. From this table it can be seen that very little overlap

exists for specific operator actions. However, of the four actions identified as important in NUREG/CR-4550, three of them occur in LOSP sequences, which was the most i important initiator in both studies.

i Table E.3.2-1 important Human Actions from a Risk Reduction Perspective Human Action important in HEP

IPE' NUREGI IPE' NUREG/

! CR-45506 CR-4550' Failure of operator to actuate firewater x d 1.3E-2 j for RPV injection

Operator fails to bypass high steam x 5.0E-1 j tunnel temperature isolation
Failure to recover offsite power in 10 x 1.98E-2  ;

I hours  !

4 Failure to maintain the reactor x 1.0 -

l depressurized with RCIC steam line ~

! Failure to recover DG hardware failures x x 9.0E-1 9.0E-1 l within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Failure to depressurize in the short term x 3.0E-4 l Operator inhibits ADS per emergency x 1 l d

procedure l Failure to recover offsite power within 4 x 6.4E-2 l hours l Failure to restore Train A ventilation x 3.0E-3

after ,

j Failure to restore offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> x 1.9E-1 j Failure to restore DG from maintenance x 8.0E-1 l outage 4

Operator fails to depressurize during an x 1.25E-1 ATWS i-

  • From Table 3.4-8 of the submittal.

!* "From Table 5.4-1 of NUREGER-4550.

  • From Table 5.1-2 of NUREGCR-4550.

8

] x indcates action important in the study.

l j 5 i

I e .

in Table E.3.2-2 a select set of the human actions identified as important in the IPE submittal from a risk increase perspective are compared with a select set of those identified in NUREG/CR-4550. From this table it can be seen that there is no overlap between the two studies. As was stated before, no undue significance should be attached to this difference.

Table E-3.2-2 Important Human Actions from a Risk increase Perspective Human Action important in HEP IPE' NUREG/ IPE' NUREGI l CR-4550" CR-4550' Failure to depressurize in the short term x' 3.0E-4 Failure to restore Train A venti!ation x 3.0E-3 after Failure to manually actuate injection x 4.5E-4 within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after an auto-actuation ,

failure '

  • From Table 3.4-8 of the submittal.

'From Table 4.9-28 of NUREG/CR 4550.

8 x indicates acGon important in the study.

The licensee's HRA analysis, based on a comparison between the IPE submittal and the NUREG/CR-4550 and NUREG/CR-4551 analyses, apppears reasonable.  !

E.3.3 Back-End Analysis Core damage sequences defined in the Level 1 analysis that contributed to the top 95% of the total core damage frequency were combined into 33 preliminary plant damage states (PDSs). These PDSs were then grouped into nine final PDSs. These >

final PDSs provided the initial and boundary conditions for the Level 2 analysis.

The IPE submittal assessed the ultimate containment capacity for static, dynamic, and thermal loads. The distribution developed for the ultimate static containment strength in the IPE submittal is narrower than the NUREG/CR-4551 distribution; the range between the 95* percentile and the 5* percentile for the IPE distribution is 7 psi while for the NUREG/CR-4551 distribution, the corresponding range is 34 psi. At least 95 6

1 percent of the IPE distribution is above the 50 percentile from the NUREG/CR-4551 distribution. Hence, compared with the IPE distribution, the NUREG/CR-4551 distribution shows a greater probability of failure at lower pressures.

The conditional containment failure assessments from the IPE and from NUREG/CR-4551 are shown in Table E.3.3-1. The percentages for late containment failure, containment venting, and no containment failure are similar for the two studies. The most notable difference is the percentage associated with the intentional bypass of the containment from venting the reactor vessel through the main steam isolation valves (MSIVs). This mechanism is a dominant release mode in the IPE whereas venting the reactor vessel through the MSIVs was not considered in NUREG/CR-4551. Early containment failures in the NUREG/CR-4551 study were mostly attributable to j hydrogen combustion events. The IPE. submittal shows a lower percentage for early

failures caused by combustion events. This is potentially due to the different i assumptions that were used in the two studies regarding the amount of hydrogen generated during core damage and the subsequent combustion of this hydrogen.

i Table E.3.3-1 i Comparison of Conditional Containment Failure Assessment t

l Study MSIV Early Late Containment No i

Venting Containment Containment Venting Failure Failure Containment

! Failure 1

iPE 38 % 7% 26 % 6% 20%

NUREG/CR- NA 36% 38 % 9% 17%

f 4551 l

The release categories developed in the IPE and the percent that each category i contributes to the core damage frequency are presented in Table E.3.3-2. While

similar release categories were not developed in NUREG/CR-4551, approximate l equivalent release categories can be formsd by combining source term groups using i the same criteria that were used to form the release categories. The percent that each

! of the equivalent NUREG/CR-4551 release categories contributes to the mean core i damage is also presented in Table E.3.3-2. Also shown in this table are the numbers j of early fatalities and total latent cancer fatalities for each equivalent NUREG/CR-4551 j release category. In general, the results from the two studies are similar. For the IPE,

) early releases constitute more than 46 percent of the base case results. The majority 4

of these early releases occur when the operators intentionally vent the reactor vessel.

j in NUREG/CR-4551, early releases constitute approximately 36 percent of the core 7

1 4

4

damage frequency. The majority of these releases result from containment failures

! associated with hydrogen combustion events and loads that accompany vessel failure.

Note in Table E.3.3-2 that the consequences, both early and latent, follow a general trend tut is consistent with the release category definitions. That is, a low release is less than the medium and the medium is less than the high release. Also, the early

. releases are higher than the late releasas for a similar category.

Table E.3.3-2 l Comparison of IPE Release Categories with Equivalent NUREG/CR-4551 Release Categories  ;

i Release Category IPE NUREG/CR-4551 Consequences Conditional on Release

% Core  % Core Early Total Latent Damage Damage Fatalities Cancer Frequency Frequency Fatalities Early Low 8% 7% 1.9E-05 30 Release Early Medium-Low 0% 3% 2.7E-06 91 Release Early Medium 0% 21 % 7.5E-04 320 Earty. Medium- 35% 0% - -

High Release i

Eady High 4

3% 5% 6.0E-02 1130 '

Rullease Late Low Release 32% 35% 0.00 18 Late Reedium-Low 0% 1% 1.8E-07 81 Release

, Laes Medium 7% 28% 3.0E-04 260 Release l Late High Release 15% <1% 2.6E-02 880 L

l 8 1

I

The licensee's Level 2 analysis, based on a comparison between the IPE submittal and NUREG/CR-4551, appears reasonable and sufficient for identifying Level 2 vulnerabilities.

E.4 Generic issues and Containment Performance improvements l The IPE submittal stated that comparing Grand Gulf's total core damage frequency of

} 1.72E-5/yr with quantitative criteria that have been used by the NRC staff to categorize j decay heat removal (DHR) vulnerability results in a conclusion that no DHR generic

issue vulnerability exists for Grand Gulf. i l

The IPE considered the following recommendations from the Containment Performance  !

improvement Program (CPI):

t Hydrogen igniter operability during station blackouts, Containment heat removal, Alternative water supply for containment spray / vessel injection, Enhanced reactor pressure vessel depressurization system reliability, and 1 -

Emergency procedure and training.

1 It appears that the IPE submittal has addressed the recommendations from the CPI l . Program.

i E.5 Vulnerabilities and Plant improvements The IPE submittal states that the methodology used to identify whether vulnerabilities existed was that suggested by NUMARC 91-04. The IPE submittal states that no vulnerabilities were found. Several plant enhancements were identified as a result of i the IPE. Enhancements (1) and (3) will be implemented while enhancements (2), (4),

(5), and (6) will be considered for implementation after fureur evaluation. The ,

j enhancements include  !

1. Procedural bypass of Level 2 signal to allow Division 3 Power cross-tie with Divisions 1 and 2.

l 2. Evaluation of secondary containment isolation of plant service water (PSW) and instrument air.

t i 3. Procedural bypass of the leak detection system trip of the RCIC system.

{ 4. Increased training on and control room indication changes to SSW pump house ventilation status.

4 l

5. Operator training in alternative operation of low- pressure emergency core cooling system (ECCS) pumps to minimize impact of SSW dependency.
6. Modification of the containment flooding procedure to change the requirements for venting the reactor vessel.

E.6 Observations Basically the IPE and the NUREG-1150 analyses used the same techniques to model the equipment, plant features, and operator responses to events that can initiate core damage sequences. The only difference observed appears to be the level of detailed l plant-specific information available to the IPE vs. the NUREG-1150 analyses. This  !

additional information led to analysis of several special initiators that were screened in  !

the NUREG/CR-4550 analysis, and use of updated procedures that affected the construdson of event trees (e.g., change in HPCS diesel generator cross-tying criteria).  !

Thus, it is expected that differences will exist in the specific events that are identified as  !

important by the two studies (e.g., the operator actions as shown in Tables E.3.2-1 and E.3.2-2).

While the probabilities of containment failure8are similar in the two studies, different mechanisms are responsible for early containment failure. In the NUREG/CR-4551 study, the dominant mechanism of early containment failure was combustion of

!. hydrogen While hydrogen combustion events still contribute to early containment failures in the IPE, the dominant mechanism of early containment failure is venting of the RPV through the MSlVs. There are a number of factors that contribute to lower importance of hydrogen combustion events in the IPE; among them are the inclusion of an operator action to vent the RPV through the MSIVs, different assumptions regarding the production and combustion of hydrogen, and a different containment failure pressure distribution. Given that the IPE reflects current practices at the plant and there are large uncertainties associated with severe accident progressions and '

phenomena, these differences are not unreasonable. The overall conclusion is that the IPE results are reasonable for a plant of this type.

l 8

As used here, containment failure includes situations where the containment structurally fails as well as shusbons where it remains structurally intact, but is intentionally bypassed or vented.

t 10

l 1  !

l

1. Introduction '

1.1 Review Process l This report describes the Sandia National Laboratories (SNL) review of the Grand Gulf Nuclear Station Individual Plant Examination (IPE) submittal. Because this submittal is l for a plant that has already been analyzed by the Nuclear Regulatory Commission l (NRC) in the NUREG-1150 study, the major objective of this review is a comparison  !

between the results of the IPE submittal and the results of the NUREG-1150 study as documented in NUREG/CR-4550 Vol. 6, Rev.1 and NUREGICR-4551 Vol. 6, Rev.1.

With this objective in mind, the reader should understand that the material presented in this review will differ from other Technical Evaluation Reports performed for other plant submittals.

The purpose of this report is to summarize SNL's review of the Grand Gulf IPE submittal, including the results of a comparison between the front-end, human reliability analysis (HRA), and back-end portions of the IPE and NUREG-1150 analyses of the Grand Gulf Nuclear Station. This summarization is based on information contained in the iPE submittal [lPE Submittal] and the detailed documentation of the front-end ,

[NUREG\CR-4450] and back-end [NUREG/CR-4451] analyses of Grand Gulf j performed for the NUREG-1150 study.

1.2 Plant Characterization The Grand Gulf Nuclear Station is a General Electric boiling water reactor (BWR)/6 with a Mark lli containment located on the east bank of the Mississippi River in ,

Claiborne County, Mississippi, about 6 miles northwest of Port Gibson, 25 miles southwest o'Vicksburg, and 37 miles northeast of Natchez.

The nuclear boiler system consists of a direct-cycle, forced circulation boiling water reactor that produces steam for direct use in the steam turbine. The vessel is 251 inches in diameter with 800 fuel assemblies protected from overpressurization by 20 safety / relief valves [p 1.2-1 of submittal].

The containment is a steel-lined reinforced concrete cylinder with a dome roof designed by Bechtel Power Corporation. It houses the drywell, the suppression pool, the upper containment pool, and the primary nuclear system. It is surrounded by secondary containment structures consisting of the reinforced concrete auxiliary building surrounding the lower part of the containment and a low-leakage metal-siding enclosure building surrounding the containment above the auxiliary building roof. The containment has a free volume of 1,400,000 ft' with a design pressure of 15 psig [pp.

4.1-1 through 4.1-3 of submittal).

11

The plant power ratings are 3,833 MWt and 1,254 not MWe. Grand Gulf was declared

{

commercial on July 1,1985 [p 1.2-1 of submittal].

Design Characteristics Imoortant for CDF Cross-tie of standbv service water (SSW) B system to the low-oressure coolant iniection (LPCI) B iniection line. "The SSW-B system may be cross-tied to LPCI-B from the control room upon a loss of all low pressure emergency core cooling.

i All actions required to perform this alignment are performed using installed hand switches on the ECCS control panel. This feature allows for an additional ESF powered injection system for low pressure, loss of injection sequences" [p. 6.1-1 of submittal]. The effect of this feature is to lower the core damage frequency i (CDF) by providing an alternative method of injecting water into the reactor j vessel.

j .

Makeuo to the reactor oressure vessel (RPV) usino the firewater system. The l

Grand Gulf EOPs provide guidance for use of the firewater system for injecting water into the reactor vessel. "This system provides an independent source of  !

low volume, low pressure makeup tor the RPV for sequences that involve long term core damage' [p. 6.1-1 of submittal). The effect of this feature is to lower the CDF by providing an alternative method of injecting water into the reactor vessel.

Division 3 high oressure core sorav (HPCS) diesel generator (DG) is of a different design and size. The Division 3 DG is different in design and size from j the Division 1 and 2 diesel generators. "This reduces the possibility of common i cause diesel failures causing a failure of all three diesel generators. This is

! important in the plant's ability to respond to loss of offsite power and station blackout sequences" [pp. 6.1-1,6.1-2 of submittal). The effect of this feature is to lower the CDF by providing a source of onsite ac power less susceptible to common cause failures.

Cross-tvino the HPCS DG to either Division 1 or 2 durino station blackout (SBO) j events per the Off Normal Event Procedure. The HPCS DG can be cross-tied to either Division 1 or 2 during SBO events. "This capability provides a method for using the RCIC system in conjunction with containment heat removal to bring the reactor to a cold shutdown condition. Once at low pressure, low pressure ECCS

,1 would be available for coolant makeup. This feature is important in the

mitigation of SBO sequences with RCIC operating"[p. 6.1-2 of submittal). The effect of this feature is to lower the CDF by allowing the RCIC system to
continue operating, given an SBO sequence.

Hiohlv comoartmentalized nature of Grand Gulf's auxiliary building. The highly i compartmentalized nature of the auxiliary building containing the ECCS systems l

and other mitigating systems helps to limit the impact flooding initiators can have on other systems. Thus, this feature improves the plant's ability to cope with j flooding initiators.

i

12 l

1 4

i

2. Technical Review 2.1 Licensee IPE Process The following three sections describe the process used by the licensee with respect to:

completeness and methodology; mutt! unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Mdnodology The submittal appears to be complete in accordance with the type of information and level of detail requested in NUREG-1335. It states that the " methodology utilized ...

was based upon the methodology used in support of NUREG-1150... and follows the guidelines as provided by NUREG-2300, ... Generic Letter 88-20, ... and NUREG-1335...." (p. 2.3-1].

For the frord-end (i.e., Level 1) analysis, the "small event tree, large fault tree" approach was used [p.1.3-1 of submittal], and its use is clearly documented in the submittal. internal initiating events and intemal flooding were considered. Event trees were developed for all classes of initiating events. System descriptions were provided, and the development of component level system fault trees was discussed. Inter-j system dependencies were provided in tabular format, along with the data used in the quantification of the models. In addition, the methodology used to estimate the core damage frequency from intemal flooding events was presented.

The HRA analysis was based on the Accident Sequence Evaluation Program (ASEP) method described in NUREGICR-4772, and all explicitly modeled human errors were classified as either pre-accident or post-accident. In addition, human errors were implicitly incorporated into the IPE initiating event frequencies either from generic sources or from plant-specific sources [pp. 3.3-5,3.3 6 of submittal). The general approach used to identify and quantify human actions is cirsarly drumented in the submittal.

The methodology used in the back-end (i.e., Level 2) analysis is similar to that used in NUREGlCR-4551 and used " containment event trees (CETs) to model the accident progression and fission product releases to the environment." The cut sets comprising 95% of the total core damage frequency obtained from the Level 1 analysis were grouped into plant damage states based on similar characteristics. These plant damage states were then used as the entry points to the CETs. The MAAP computer

code was used to quantify the CET basic events and source term parameters, along with applicable results from NUREG/CR-4551 and other past PRAs [pp. 2.3-3, 3.164, 3.1 65).

13 4

. _ . ,._r m

-mmea n - _ s,n w-, - ,,, ,,,. w --- -- ; ---

2.1.2 Multiunit Effects and As-Built, As-Operated Status The Grand Gulf plant consists of a single unit located on a two-unit site. Since Unit 2  !

has been canceled [p 2.4-1 of submittal], multiunit considerations do not apply to this plant.

! The submittal states that to ensure that the IPE accurately reflects the "as built, as operated" plant, the IPE analysts conducted walkdowns to verify system information, spatial or unusual characteristics of components, and potential recovery actions;

, interviews with operators; procedure and drawing reviews; and simulator exercises. In

addition, independent reviews by plant personnel were conducted [pp. 1.4-1, 2.4-2, and
2.4-3 of submittal). i J

2.1.3 Licensee Participation and Peer Review To accomplish the objective of establishing PRA technology and expertise within the utility, Grand Gulf established a safety analysis group within the onsite Design Engineering Department and tasked this group with performing the IPE. This group consisted of six permanent engineers with background in design and analysis and was supplemented by other Grand Gulf technical personnel and contractor support as needed. Grand Gulf personnel directed and were involved in all aspects of the IPE. At least 50% of the total engineering effort was supplied by Entergy personnel [pp. 5.1-1, 7.1-1 of submittal).

To ensure the accuracy of the models used to represent the plant and that the IPE results were accurate, an independent in-house review, supplemented by an independent review conducted by the contractor was performed [p. 5.1-iof submittal).

The reviewers provided expert knowledge on the plant system configurations, operating practices and procedures and design limitations, and expertise in probabilistic risk assessment methods and applications. The submittal also states that comments from the reviews either were incorporated into the models or are reflected in the IPE submittalitself.

2.2 Front-End Technical Review Because the IPE submittal being reviewed is for a plant that has already been analyzed by NRC in the NUREG-1150 study, the focus of the front-end technical review will be on a comparison between the results of the IPE submittal and the results of the NUREG-1150 study as documented in NUREG/CR-4550 Vol. 6, Rev.1.

2.2.1 Accident Sequence Delineation and System Analysis in this section, comparisons between the results of the accident sequence delineation and system analysis tasks, as uocumented in the IPE and NUREG/CR-4550 analysis, will be made.

s 14 1

I i

2.2.1.1 initiating Events l l Both the IPE and the NUREG/CR-4550 analysis identified three major categories of initiating events [p. 3/1-1 of submittal and p. 4.3-2 of NUREG/CR-4550):

. transients, Loss-of-coolant accidents (LOCAs), and l

. specialinitiators. l

> i in the transient category both studies identified the same set of initiating events [pp.

3.1-2,3.1-3 of submittal and pp. 4.3-5,4.3-6 of NUREG/CR-4450):

i . T1: Loss of offsite power, T2: Transient with loss of the power conversion system (PCS),  !

T3A: Transient with PCS initially available, l

. T3B: Transient with loss of feedwater, and T3C: Transient caused by an inadvertent open relief valve.

I in the LOCA category, both studies identified the same set of initiating events [p. 3.1-3

of submittal and p. 4.3-3,4.3-4, and 4.3-5 of NUREG/CR-4450)

j = A: Large LOCA, I

. S1: Intermediate LOCA,

. S2: Small LOCA,  !

l

. S3: Small-small LOCA,  ;

i . V: interfacing system LOCA, and  ;

. R: Vessel rupture.

i Qualitative and quantitative arguments were used to eliminate the V and R initiating  ;

events from the NUREG/CR-4550 analysis [pp. 4.4-95 through 4.4-100) and to l eliminate the R initiating event from the IPE [pp. 3.1-36,3.1-37 of submittal). The V  ;

! initiating event is analyzed via an event tree in the IPE [pp. 3.1-31 through 3.1-36).

In the special initiator category, the IPE identified nine events that satisfied the criteria i for being a special initiator [p. 3.1-4 of submittal):  ;

)

4 = TIA: Loss ofinstrument air, j

  • TAC 1: Loss of emergency safety feature ac bus 15AA, i . TAC 2: Loss of emergency safety feature ac bus 16AB, i . TDC1: Loss of emergency safety feature 125 volt de bus 11DA, 4 . TDC2: Loss of emergency safety feature 125 volt de bus 11DB,
  • TBCW: Loss of turbine building cooling water, i 15 i

4

1 TCCW: Loss of component cooling water, TPSW: Loss of plant service water, and

Of these, only TIA was identified as a special initiator in the NUREGICR-4450 analysis.

The remaining initiators were either eliminated because they were deemed to not meet the special initiator screening criteria (i.e., all remaining initiators except intemal flooding) [pp. 4.3-14,4.3-19 of NUREG/CR-4550] or were deliberately not included as part of the scope of the analysis (i.e., internal flooding initiators).

In both analyses [pp. 3.1-7,3.1-8 of submittal and p. 4.3-19 of NUREG/CR-4550], loss of the heating, ventilating, and air conditioning systems and the standby service water system were deemed not to be special initiators.

Table 2.2.1.1-1 provides a comparison of the initiating event frequencies and the sources of data used to estimate the frequencies for both the IPE and NUREGICR-4550 analyses. Based on a comparison of the initiating events identified in the IPE submittal and NUREG/CR-4550, the licensee's treatment of initiating events appears reasonable. The differences (i.e., the identification of additional special initiators) noted in Table 2.2.1.1-1 result from additional plant-specific information.

Table 2.2.1.1-2 provides a comparison of the success criteria for each initiating event / event tree that was examined by both studies. (NOTE: For those initiating events / event trees that were not examined in the NUREGICR 4550 study, see Section 3.1 of the submittal for the IPE. success criteria.) Only differences between the success criteria used in the IPE and NUREG/CR-4550 are noted. Based on a comparison of the two studies, the licensee's success criteria appear reasonable.

2.2.1.2 Event Trees While it is not uncommon to have different event tree developments for two different studies, the common event trees in the IPE submittal and NUREG/CR-4550 analyses were examined to identify any differences. A limited examination of the event trees in the IPE submittal and in NUREG/CR-4550 identified differences in the way the trees were developed. All appear to be the result of either changes to the procedures used by the plant during the IPE process vs. the NUREGICR-4550 process, or reflect access to more detailed data.

The specific differences between the two sets of event trees are provided in Appendix A of this report. Based on a comparison of the two studies, the licensee's development of event trees appears reasonable.

16

Table 2.2.1.1-1 Frequencies for IPE and NUREG/CR-4550 initiating Events Frequency Data in a . g Source Description IPE' 4550* IPE 4550 T1 Loss of offsite power 0.068 0.11 g g T2 Transient with loss of PCS 1.67 1.62 ps g T3A Transient with PCS initially available 4.5 4.51 ps g T3B Transient with loss of feedwater 0.7 0.76 ps g T3C Transient caused by an inadvertent 0.24 0.14 ps g open relief valve A Large LOCA 1.0E-4 1.0E-4 g g S1 Intermediate LOCA 3.0E-4 3.0E-4 g g S2 Small LOCA 1.0E-3 3.0E-3 g g S3 Small-small LOCA 0.24 3.0E-2 ps g V Interfacing system LOCA (per system) 2.0E-3 5.0E- 3* g g TIA Loss of instrument air 2.0E-3 8.1 E-4 d ft eq TAC 1 Loss of emergency safety feature ac bus 5.0E-3 -

g -

15AA TAC 2 Loss of emergency safety feature ac bus 5.0E-3 -

g -

16AB TDC1 Loss of emergerg safety feature 125- 6.0E-3 -

g -

volt de bus 11DA TDC2 Loss of emergency safety feature 125- 6.0E-3 -

g -

volt de bus 11DB

. TBCW Loss of turbine building cooling water 3.8E-3 -

ft -

TCCW Loss of component cooling water 3.8E-3 -

ft -

TPSW Loss of plant service water 6.0E-3 -

ft -

  • [pp. 3.1-92, 3.1-93, 3.1-94 of submittal) g - genenc 6[pp. 4.3-15,4.3-16 of NUREG/CR-4550] ps - plant specific
  • [p. 4.4-98 of NUREG/CR-4550] ft - fault tree

'[p. 4.4-94 of NUREG/CR-4550) eq - equation

17

~

Table 2.2.1.1-2 Differences in Success Criteria initiating Emergency Containment Event Core Cooling Overpressure Protection or Event -

Tree '

IPE NUREGICR-4550 IPE NUREG/CR-4550 T1 Not considered 1 Feedwater train (after Not considered Power conversion system restoration of offsite (after restoration of offsite Power) power) ,

Depressurization to Depressurization to use a use low-pressure low-pressure systems systems is with 4 is with 3 valves valves Not considered Condensate (after '

restoration of offsite power) ,

T2 Depressurization to Depressurization to use No differences No differences  :

use low-pressure low-pressure systems systems is with 4 is with 3 valves i

valves T3A Depressurization to Depressurization to use No differences No differences ,

use low-pressure low-pressure systems systems is with 4 is with 3 valves valves

_.m.__ -._..______.m_._x_.__.___ _ _ _ _ _ _ _ . _ _ _ - . _ _ _ _ - . _ _ _ . _ _ _ . _ _ _ _ _ _ . _._________m -_ _

l i

Table 2.2.1.1-2 (Continued)

Di#erences in Success Criteria Initiating Emergency Containment Event Core Cooling Overpressure Protection or Event Tree IPE NUREGICR-4550 IPE NUREG/CR-4550 T3B Depressurization to Depressurization to use No diNerences No differences use low-pressure low-pressure systems 'j systems is with 4 is with 3 valves valves m Not considered Firewater considered W

T3C 1 Feedwater train Not considered Power conversion Not considered system Depressurization to Depressurization to use use low-pressure low-pressure systems systems is with 4 is with 3 valves valves A No di#erences No di#erences No di#erences No diWerences S1 No di#erences No diWerences No diferences No di#erences

i Table 2.2.1.1-2 (Continued) '

Differences in Success Critena Initiating Emergency I Containment Event Core Cooling Overpressure Protection or Event Tree IPE NUREG/CR-4550 IPE NUREG/CR-4550 S2 1 Feedwater train Not considered Power conversion Vapor suppression system system (early protection) and PCS Depressurization to Depressurization to use not considered for late

- use low-pressure low-pressure systems protection systems is with 4 is with 3 valves with no g valves AND requires 1 requirement for of 2 suppression pool suppression pool makeup trains for low makeup pressure core spray or low pressure coolant injection S3 Same as for T3A Same as for T3 Same as for T3A Same as for T3 if not isolated, then S2 If not isolated, then S2 V Same as for A or S2 No specific information Same as for A or.S2 No specific information given.

(size dependent) given. Appears to be (size dependent) Appears to be same as large same as large LOCA". LOCA".

2  ;

. . - _~

l .

t Table 2.2.1.1-2 (Continued)

Differences in Success Criteria Initiating Emergency Containment Event Core Cooling Overpressure Protection or Event Tree IPE NUREG/CR-4550 IPE NUREGICR-4550 TIA Not considered CRD flow (full flow from Not considered Power conversion system two pumps in short -

term; flow for one pump Not considered Containment venting in long term) g Not considered 1 feedwater pump T1 Depressurization to Depressurization to use No differences No differences  ;

(Blackout use low pressure low pressure systems I systems is with 4 is with 3 valves valves .

ATWS No tabled criteria See p. 4.4-102 of No tabled criteria See p. 4.4-102 of (Event provided. See pp. 3.1- NUREGICR-4550 providad. See pp. 3.1- NUREG/CR-4550 Tree) 58 and 3.1-59 58 and 3.1-59 P2 6 Depressurization to Depressurization to use No differences No differences (2 Stuck use low-pressure low-pressure systems g" systems is with 4 valves is with 3 valves Event Tree)

' Section 4.4.15 of NUREGER-4550.

b For reactor subcriticality, the IPE does not consider timely stanby liquid control (SLC) and recirculation pump trip (RPT) to be successful, as does NUREG/CR-4550. ,

y I

l 2.2.1.3 System Analysis System descriptions are included in Section 3.2.1 of the submittal. The front line and support systems contained in the IPE submittal are similar to those modeled in  :

NUREG/CR-4550. Systems modeled in NUREG/CR-4550 but not specifically identified

{

in the IPE list of systems modeled include the standby gas treatment system, the i containment isolation system, and hydrogen ignitor system. The fault trees developed for each system included equipment failures and human errors. In addition, for some i system top events, alternative operating modes were included in the fault trees. Thus, some system models in effect contain several fault trees. While the fault trees were not provided as part of the submittal, it appears likely that the systems are modeled to at least the same level of detail as in NUREG/CR 4550, if not to more detail. This

! judgment is based on the types of plant improvements discussed in Section 2.6.2 of this report and the listing of basic events provided as part of the IPE submittal. Thus, based on a companson of the two studies, the licensee's systems analysis appears reasonable.

2.2.1.4 System Dependencies l

Tables ?.2-3 and 3.2-4 of the submittal summarize front-line to support systems and support systems to support systems dependencies, respectively thus, providing the system depencency matrix requested as part of the IPE process. Just as in  !

NUREG/CR-4550, the IPE submittal addresses dependencies on power (both ac and i de) and cooling requirements (both water and room cooling). While the tables do not specifically address actuation dependencies, the submittal states that " relays which transmit actuation signals to individual components and were common to multiple components were modeled" [p. 3.2-25 of submittal). Thus, based on a comparison of the two studies, the licenses's treatement of system dependencies appears reasonable.

2.2.2 Quantitative Process The submittal states that a small event tree-large fault tree approach, using linked fault tree quantification, was used [pp. 1.3-1, 3.3-13 of submittal] to quantify the accident sequences. This approach is the same as that used in NUREG/CR-4550.

2.2.2.1 Quantification of Accident Sequence Frequencies While the specific computer codes used to quantify the accident sequences in the IPE are different than those used in NUREG/CR-4550, the steps used to quantify accident sequences are basically the same as those used in NUREG/CR-4550. Sequence cut sets were generated by use of appropriate sequence logic with a truncation limit of 1E-9 to 1E-10 per year. "In some cases it was necessary to truncate at a higher 22

._m frequency because of computer limitations. The general rule followed in this case was to capture cut sets that range over two orders of magnitude from the value of the top cutset" [p. 3.3-16 of submittal). The cut sets were then examined for validity. For those where operator recovery actions were applicable, the appropriate nonrecovery event was added to the cut set. If at any point during this recovery analysis the sequence frequency fell below a screening frequency of 1E-8 per year, the sequence was eliminated from further consideration. The only basic difference between the process used in the IPE and in NUREG/CR-4550 is that in NUREG/CR-4550 all sequences were truncated at a frequericy of 1E-8. A more complete discussion of the quantification of human errors, including recovery actions, is contained in Sections 2.3.1 and 2 3.2 of this report.

l 2.2.2.2 Point Estimates and Uncertainty / Sensitivity Analyses l In the IPE, point estimate calculations were used to quantify individual sequence frequencies for each sequence surviving through the recovery analysis. Afterward, an  ;

uncertainty analysis was performed on the surviving cut sets. However, only the top 87% of the total core damage frequency cut sets were examined due to computer I limitations [p. 3.4-2 of submittal]. In NUREG/CR-4550 all sequences surviving the recovery analysis were examined in an uncertainty analysis [p. 4.10-1 of NUREG/CR-4550] and all cut sets from all surviving sequences were examined in an uncertainty i analysis of the total plant model[p. 5-1 of NUREG/CR-4550). The following comparison is provided.

IP_E NUREG/CR 4550 Mean 1.67E-5 4.0E-6 Standard deviation 2.86E-5 1.9E-5 ,

95th Peroentile 5.04E-5 1.2E-5 Median 9.65E 6 1.2E-6 5th Percentile 3.11E 6 1.7E-7 l

Both the IPE and NUREG/CR-4550 identified important basic events from a risk increase and risk reduction view point. In addition, NUREG/CR-4550 provided an additional measure for each event--a measure of the event's uncertainty importance. l Table 2.2.2.2-1 provides a comparison of the top five nonhuman action events found to be important by each study. For a list of the important human actions, see Section 2.2.3.2 of this report.

Using the importance rankings of the basic events identified by the risk increase and i risk decrease measures, the IPE performed several sensitivity studies. These

sensitivity studies dealt with (1) SSW pump house ventilation, (2) failure of operator to 23

- . - . . . ~

Table 2.2.2.2-1 Nonhuman Action Events important in the IPE Submittal and in NUREG/CR-4550 Important in Risk important in Risk Event Probability Reduction for increase for Event Description IPE NUREGI IPE NUREGI IPE NUREGI CR-4550 CR-4550 CR-4550 Failure of SSW A pump house ventilation x' 1.00 (Flag event)

Hardware failures in RCIC pump / discharge x 2.30E-1 line (8-hour run time)

Hardware failures in RCIC pump /disch = ve x 6.30E-1 g line (24-hour run time) s SSW Train A pump house w quipment x 6.54E-03 hardware failures Common cause failure of ADS and non- x' 5.00E-04 ADS safety valves RCIC pump fails to run x 1.20E-1 DG 13 fails to start x 3.00E-2 DG 12 fails to start x 3.00E-2 Beta factor for common cause failure of x 4.00E-3 batteries l

Table 2.2.2.2-1 (Continued)

Nonhuman Action Events liriportant in the IPE Submittal and in NUREGICR-4550 Important in Risk important in Risk Event Probability Reduction for increase for Event Description IPE NUREGI IPE NUREGI IPE NUREGI CR-4550 CR-4550 CR-4550 Failure of a battery to provide power x 9.00E-4 (common cause)

Common cause failure of batteries A, B, & x 3.60E-S .

C Common cause failure --SSW motor- x 1.70E-4 operated discharge valves F005B Common cause failure of DG room x 2.99E-4 ventilation components Common cause failure of SSW discharge x 1.00E-5 check valves Common cause failure of ADS and non- x 5.00E-4 ADS safety valves Reactor protection system mechanical x 1.00E-5 failure Failure of a battery to provide power x 9.00E-4 (common cause)

Common cause miscalibration of reactor x 6.80E-5 vessellevelinstruments

. . . - - . . . . . ~ . . . -. . - . . . . . . .-. ._ - _.

~ '

Table 2.2.2.2-1 (Continued)

Nonhuman Action Events important in the IPE Submittal and in NUREG/CR-4550 Important in Risk Importantin Risk Event Probability Reduction for increase for Event Description IPE NUREGI IPE NUREGI IPE NUREGI CR-4550 CR-4550 CR-4550 Beta factor for common cause failure of x 4.00E-3 batteries SSW pumps common cause failure x 3.00E-3 .

  • x means the event was klentified as important in the study

l l

bypass the RCIC high steam tunnel temperature isolation, (3) bettery depletion time, j

(4) failure of the operator to align firewater for injection, and (5) secondary containment ,

isolation of plant service water and instrument air [pp. 3.4-10 firough 3.4-13 of  !

submittal).

2.2.2.3 Use of Plant-Specific Data Table 2.2.2.3-1 list the IPE basic events and their values forwhich plant-specific data were used to estimate the events' failure / unavailability [p. 3.3-79 of submittal] values. It also provides the same information for the initiating event frequencies that were estimated based on plant-specific data [p. 3.1-92 of submittat. Finally, since no plant-specific data were used in NUREG/CR 4550, tha table provides the corresponding-values for comparison purposes. The licenseet treatment of plant-specific data appears reasonable, given the additional plant specific infonnehon availabla during the IPE process.

2.2.2.4 Use of Generic Data in the IPE, generic data sources were used to estimate basic event probabilities and initiating event frequencies for all events for which plant-spede data were not used.

Table 3.3-2 of the submittallists the various sources used tointhe IPE. NUREGICR-4550 used generic data for all basic event probabilities and inbioting event frequencies.

From a limited review of the generic component failure rates and probabilities provided in Table 3.3-3 of the submittal, it appears that NUREG/CR-4560 was the source of data for all component failures comrhon to both analyses, with other sources being used for those failures unique to the IPE analysis. Thus, the licensees treatment of generic -

data for use in the IPE submittal appears reasonable.

2.2.2.5 Common 4ause Quantification The method used to quantify common cause failures in the IPEsubmittal (i.e., the beta factor method) is the same as used in the NUREG/CR-4550 analysis. Thus, the licensee's treatment of common cause failures in the IPE stdunittal is reasonable.

2.2.3 Interface issues I 1

2.2.3.1 Front-End and Back-End Interfaces The IPE used the concept of plant damage states (PDSs) to define the interface between the Level 1 and Level 2 analyses. Sequences that contribute to the top 95%

of the tota! core damage frequency, as evaluated in the Level 1 analysis, were first grouped into " bins" or preliminary PDSs based on characteristics of the accidents that 27

. 1 i

l Table 2.2.2.2-1 Events Using Plant-Specific Data Event Description IPE NUREG/CR-4550 E22-MA-MA4PCS-G HPCS system out for maintenance 5.30E-3 4.40E-3' i

E51-FR-TPC001-H RCIC turbine driven pump fails to run 2.5E-2/hr SE 3/hr j E51-MA-MARCIC-G RCIC system out for maintenance 2.00E-2 1.48E-2 6 E51-TE-TERCIC-G RCIC system out for test 8.26E-3 f No value l P75-FS-DG-DG11-A Diesel generator 11 fails to start 2.9-E3/d 3.0E-2/d P75-FR-DG-DG11-A Diesel generator 11 fails to run 2.5E-3/hr 2.0E-3/hr l P75-MA-DG-DG11-A Diesel geaarator 11 unavailable due 1.8E-2 ' 6.0E-3 to maintenance

[ P75-FS-DG-DG12-8 Diesel generator 12 fails to start 2.9-E3/d 3.0E-2/d P75-FR-DG-DG12-B Diesel generator 12 fails to run 2.5E-3/hr 2.0E-3/hr P75-MA-DG-DG12-B Diesel generator 12 unavailable due 1.8E-2 6.0E-3 to maintenance i P81-FS-DG-DG13-C Diesel generator 13 fails to start 3.9E-3/d 3.0E-2/d i

i P81-FR-DG-DG13-C Diesel generator 13 fails to run 3.7E-3/hr 2.0E-3/hr i

l P81-MA-DG-DG13-C Diesel generator 13 unavailable due 1.9E-2 6.0E-3

!- to maintenance t

l T2 Transient with loss of PCS. 1.67/yr 1.62/yr j T3A Transient with PCS initially available 4.5/yr 4.51/yr j T3B Transient with loss of feedwater 0.7/yr 0.76/yr

! T3C Transient caused by inadvertent 0.24/yr 0.14/yr  !

j open relief valve j i S3 Small-small LOCA 0.24/yr 3.0E-2/yr  !

! " Sum of basic events with maintenance unavailability [ Table 4.9-13 of NUREGER-4550]. i j " Sum of basic events with maintenance unavailability [ Table 4.9-18 of NUREGCR-4550).

l l

i j 28 4

. _ _ , . _ . - . . . . . - . . . , _ .,.__m.. _ - , . , , . . -

I I

4 are important to the Level 2 analysis. Sequences that contribute to the bottom 5% of l the total core damage frequency were not included in the Level 2 analysis. The j general categories of characteristics used to define the bins were accident class, timing l of core damage, reactor pressure vessel pressure, status of safety / relief valves, status of ac and de power, status of injection systems, and status of containment systems.

The individual characteristics are reported in Table 2.2.3.1-1 along with the l characteristics used in NUREG/CR-4551. As can be seen from Table 2.2.3.1-1, the characteristics used to define the PDSs are similar in the two studies. It is expected i that the characteristics used to define the PDSs in the IPE are sufficient to define the

interface between the Level 1 and Level 2 analyses.

I

The binning process resulted in the generation of 33 preliminary PDSs. These bins j were collapsed into 9 PDSs. While 9 final PDSs were defined, many of these PDSs i were divided back into the preliminary PDSs in the containment event tree and were i j

propagated through the containment evant tree quantification. As a point of l comparison,12 PDSs were defined in the NUREGICR-1150 study (some of these PDS l l

were also subdivided in the accident progression analysis). To facilitate comparisons, ,

l l j the 9 PDSs defined in the IPE and the 12 PDS defined in the NUREG-1150 PRA can I l

be combined into summary PDS groups. These summary PDS groups and the l percentage of the total core damage frequency that is attributed to each group are

' provided in Table 2.2.3.1-2. In both studies, SBO PDS groups are important contributors to the total core damage frequency while ATWS and LOCA PDS groups j are fairly minor contributors. In the IPE, ATWS sequences were in the bottom 5% of the total core damage frequency and, hence, were screened out of the Level 2 l l analysis. Also, LOCAs provide a small, but noticeable, contribution to the core damage l

! frequency (i.e., approximately 2%) in the IPE whereas in NUREG/CR-4550 all of the I LOCAs were below the cutoff frequency of 1.0E-08 and hence did not contribute to the

total core damage frequency. However, there is significant difference between the two l

studies in the percent contribution that the SBO PDS groups make to the total core l j damage frequency. In NUREGICR-4550, approximately 97% of the total core damage l

frequency was attributable to the SBO PDS groups. While in the IPE the station blackout PDS gmups continue to be important (i.e., approximately 45% contribution),

l j they are not as dominant a contributor as in the NUREG-1150 study. In the IPE the Other Transient PDS group is also an important class of accidents, contributing j approximately 54% to the total core damage frequency. Also, in the NUREG-1150 i PRA, only 5% of the core damage frequency is attributed to long-term PDS groups (i.e.,

PDSs in which core damage occurs many hours after the initiating event) while in the l j

~

IPE, the long-term PDS groups contribute approximately 33% to the core damage t frequency, i

! The licensee's treatment of plant damage states, based on a comparison of the two studies, appears reasonable. It is expected that the major features that are important i

j to the progression of the accident following core damage have been used to develop

the plant damage states. Differences between the two studies are not unexpected given that the IPE analysis considered additional initiators.

i 29 t

I

Table 2.2.3.1-1 Comparison of Plant Damage State Characteristics Used in IPE and NUREG-1150 Grand Gulf Plant Damage State Characteristics PDS Characteristic IPE NUREG-1150 ,

initiating Event or Accident Class X X Time of Core Damage X X RPV Pressure at the Onset of Core Damage X X SRV Operability X X Status of Electric Power (ac and de) X Status of HPCS X X Status of CRD X X Status of LPCI or LPCS X X -

Status of Alternative injection X X Status of Fire Water X X Status of Suppression Pool Cooling X Status of Suppression Poo! Makeup X Status of Containment Venting X X Status of Containment Sprays X X Status of Standby Gas Treatment System X X Status of Hydrogen Igniters X X Status of Containment isolation X t

  • The status of de power was not explicitly included in the PDS characteristic.

30 l

Table 2.2.3.1-2 Comparison of Plant Damage State Summary Groups Plant Damage Summary Groups Percentage of total core damage frequency" l

i IPE NUREG-1150 Short-term Station Blackout 31 94 j

Long-term Station Blackout 14 3 l

Short-Term LOSP 12 Other Short-termTransients 22 <1 l

- Other Long-term Transients 20 <1 Loss-of-coolant Accident 2 -

l Anticipated transients without scram 3 <

l j

  • Percent contribubons are based on Table 4.3-2 in the IPE and on Table 2.2-3 in NUREG/CR-4551. The i NUREGCR-4551 values are based on mean values.

b in the Nt. REG-1150 PRA, all of the accidents initiated by LOSP were also evolved to a station blackout.

!

  • In the IPE, there were no ATWS scenarios that contributed to the top 95% of the core damage frequency.

2.2.3.2 Human Factors interfaces Both the FE submittal and the NUREG/CR-4550 and NUREG/CR-4551 analyses used the same techniques to identify and quantify human actions. Given the differences between the IPE submittal results and those from NUREGICR-4550 as documented in Table 2.2.5-1, no undue significance should be attached to the fact that different human actions were identified as important in the two studies.

In Table 2.2.3.2-1 a select set of the human actions identified as important in the IPE submittal from a risk reduction perspective is compared with a select set of those identified in NUREG/CR-4550. From this table it can be seen that very little overlap exists for specific operator actions. However, of the four actions identified as important in NUREG/CR-4550, three of them occur in LOSP sequences, which was the most important initiator in both studies. ,

31

I i j Table 2.2.3.2-1 l Important Human Actions from a Risk Reduction Perspective i

Human Action important in HEP IPE' NUREG/ IPE" NUREGl 3 CR-4550 6 CR-4550

  • xd 1.3E-2 4

' Failure of operator to actuate firewater i for RPVinjection Operator fails to bypass high steam x 5.0E-1 f tunnel temperature isolation 4

Failure to recover offsite power in 10 x 1.98E-2

{ hours l

Failure to maintain the reactor x 1.0' i depressurized with RCIC steam line x x 9.0E-1 9.0E-1 i Failure to recover DG hardware failures within i hour l 3.0E-4 Failure to depressurize in the short term x i

j. Operator inhibits ADS per emergency x 1 procedure Failure to recover offsite power within 4 x 6.4E-2 l j

l l hours x 3.0E-3

! Failure to restore Train A ventilation i after 1-Failure to restore offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> x 1.9E-1 i

x 8.0E-1 l Failure to restore DG from maintenance j

outage x 1.25E-1 Operator fails to depressurize during an '

,. ATWS I

  • From Table 3.4-8 of the submittal.

I

2 ' From Table 5.1-2 of NUREG/CR4550.

  • x irxiscates action important in the study.

I 1

i 32 l.

i 1

in Table 2.2.3.2-2 a select set of the human actions identified as important in the IPE i submittal from a risk increase perspective is compared with a select set of those l identified in NUREG/CR-4550. From this table it can be seen that there is no overlap  ;

between the two studies. As was stated before, no undue significance should be l attached to this difference.

Table 2.2.3.2-2 l Important Human Actions from a Risk increase Perspective  ;

Human Action important in HEP IPE' NUREGI iPE' NUREG CR-4550 6 CR-4550' l Failure to depressurize in the short term xd 3.0E-4 Failure to restore Train A ventilation x 3.0E-3 ,

after Failure to manually actuate injection x 4.5E-4 within i hour after an auto-actuation failure i

  • From Table 3.4-8 of the submittal.

"From Table 5.4-2 of NUREG/CR-4550.

d x indicates acGon important in the study.

Based on a comparison between the IPE submittal and the NUREG/CR-4550 and NUREG/CR-4551 analyses, the licensee's HRA analysis apppears reasonable.

2.2.4 Intemal Flooding Since no internal flooding analysis was performed in the NUREG-1150 analysis of Grand Gulf, this section briefly presents the methodology and results from the IPE submittal. It should be noted that the approach described below is similiar to the approach used in NUREG-1150 analyses of plants for which an internal flooding analysis was performed (i.e., Surry and Peach Bottom).

33 j

I

1 i 2.2.4.1 Internal Flood Methodology "The flooding analysis task was performed in a stepwise manner, with an initial

! qualitative screening to identify the significant flood events and a quantitative analysis j to determine the contribution ... to core damage of the most significant flood scenarios" l [p. 3.3-18 of submittal).

The steps used in performing this flooding analysis consisted of the following [pp. 3.3-18 through 3.3-21 of submittal]:

l j 1. Define flood zones. These were defined on the basis of their elevation and whether their enclosures provided reasonable barriers to flooding.

The components modeled in the system fault trees were assigned to flood zones based on a review of plant documentation and by walk downs.

2. Identify flood sources. Flood sources inside and outside the flood zones were identified by means of a plant walk down and review of appropriate i plant documentation. Five failure modes were considered to be initiators for flood sequences within the flood zones. These include: (1) pipe ruptures, (2) extemal leakage of pipes, (3) external leakage of valves, (4) extemal leakage of pumps, and (5) heat exchanger / tank leakage. The contribution of human errors to the overall flooding frequency was estimated by doubling the calculated core damage frequency of flooding sequences.
3. Determine flood propagation pathways. This was accomplished during plant walk downs and by reviewing plant layout drawings.
4. Identify flooding scenarios. Scenarios were identified by analyzing the direct and indirect effects of the flood sources upon mitigating and support systems by use of conservative flow rates and propagation paths to determine possible component failures resulting from various flood sources.
5. Perform qualitative screening. Any flood scenario for which two or fewer random system failures could produce core damage was identified for further analysis.
6. Perform quantitative analysis. Any scenario that survived the qualitative screening step was quantified by: (1) identifying the event tree that conservatively modeled plant response to the scenario, (2) setting the components affected by the flood to failed, and (3) quantifiying the accident sequences using the same techniques used for the other internal event sequences.

34 1

i 4

i

! 2.2.4.2 Internal Flooding Results

! The qualitative screening process identified two flooding scenarios. One involved a leak in the PSW system on the 93-foot elevation of the auxiliary building and the other i was in the SSW system at the same level. Quantification of these two scenarios j resulted in all sequences being eliminated for the SSW system scenario and only one sequence surviving for the PSW system scenario. The core damage frequency for this j sequence was determined to be 1.96E-7/yr [pp. 3.3-21, 3.3-22 of submittal).

1

! 2.2.5 Core Damage Sequence Results i Based on the results presented in the IPE [Section 3.4, specifically Table 3.4-4) and in i NUREGICR-4550 [Section 5, specifically Table 5.5-1), Table 2.2.5-1 presents a i comparison of the core damage frequency results by accident class. From an examination of this table, one can see that the percent contribution for the accident classes are different. Section 3.4.1.5 of the IPE presents differences between the two i studies. The IPE states that there are three primary differences between the two 4

studies. These include:

I . The NUREG/CR-4550 analysis did not include any special initiators except loss l of instrument aird . This should increase the core damage frequency estimate in j the IPE analysis.

\

! . The dependence of SSW upon SSW pump house ventilation was not modeled in NUREG/CR-45505 . This should increase the core damage frequency estimate in l

j the IPE analysis. This should affect SBO sequences and possibly others.

i

! e The RCIC turbine-driven pump failure rate for the IPE is significantly higher than 4

that used for NUREG/CR-4550. This should increase the core damage l frequency estimate in the IPE analysis. This should affect the transient

! sequences involving loss of injection, possibly SBO.

! Taken together, these differences should increase the IPE's core damage frequency i estimate, which was the case, as can be seen in Table 2.2.5-1. Given the substantial j number of changes made to the IPE ATWS tree, no specific reason is offered for the

decreasein core damage frequency.

l l

d l in Sie NUREGER-4550 analysis, all other special initiators were either eliminated because they

' were deemed to not meet the special initiator screening critoile used in the analysis or were deliberately not l included as part of the scope of the analysis 0.e., internal flooding initiators).

sThe NUREGER-4550 analysis assumed that ample room ventilation would be supplied to the SSW pump rooms due to their proximity to the cooling tower 0.e., the air current induced by the cooling i tower) and the normally open louvers on the walls of the SSW pump rooms. Thus, a loss of room cooling to the SSW pumps was not considered as a failure of the pumps.

{

l 35

Table 2.2.5-1 Comparison of IPE and NUREG/CR-4550 Core Damage Frequency by Accident Class Percent of Total Point Point Estimate Core Estimate Core Damage Damage Frequency Accident Type Frequency NUREG/ NUREG/

IPE IPE CR-4550 CR-4550 Station blackout 7.46E-6 1.9E-6 43.3 94 ATWS 5.56E-8 1.2E-7 ~ 0.3 6 Transient wHh loss of all 3.37E4 1.4E-8 19.6 <1 injection Transient with loss of all high- 4.07E-6 Screened 23.6 Screened pressure injection and failure out out to depressurize Transient wMh loss of 1.74E-6 Screened 10.1 Screened containment heat removal out out leading to loss ofinjection .

Transient-induced LOCA 1.67E-7 Screened 1.0 Screened out out l [OCA 3.73E-7 Screened 2.2 Screened od oW Given the reasonable and thorough IPE analysis performed, as documented in the IPE submittal, it appears unlikely that any plant vulnerabilities were missed.

The IPE subrnittal describes an evaluation of the effect of the difference between the two models. Making the specific changes noted in Table 2.2.5-2 resulted in a new IPE core damage frequency of 3.53E-6/yr. This is relatively close to the NUREG/CR-4550 point estimate of 2.1E-6/yr.

2.3 Human Reliability Analysis Technical Review 2.3.1 Pre-Initiator Human Actions 2.3.1.1 Pre-Initiator Human Actions Considered The IPE states that both of the traditional classes of pre-initiator human actions (i.e.,

! human actions that occur before an accident-initiating event and which leave a system 36 l

Table 2.2.5-2 Changes Made to the IPE Model to Simulate the NUREGICR-4550 Model Description of Change Spec!al initiator frequencies were set to zero. This inc'Jded TBCW, TAC, TDC, and TPSW.

The SSW pump house contribution was removed by setting the appropriate flags to zero.

The RCIC turbine failure to run rate was changed from 2.5E-2/hr to 5.0E-3.

The flooding initiator frequency was set to zero.

Other initiator frequencies were changed to the corresponding NUREG/CR-4550 value. This included initiating events T1, T2, T3A, and T38.

The probability for the common cause failure of the SRVs was changed from SE-4 to 1 E-6.

Credit was given for operator maintaining reactor vessel depressurized with RCIC steam line and no batteries (i.e., X3 event changed from failure probability of 1.0 to 4.1 E-4).

Human error probability for failure to actuate injection system changed from 2.66E-3 to 3.5E-4.

Human error probability for failure to actuate injection system late changed from 2.66E-3 to 1E-4.

Removed contribution from RCIC steam tunnel isolation, operator inhibiting ADS, and ECCS low-pressure injection permissive. These were not modeled in NUREGICR-4550.

Changed failure rates and demand failure probabilities for the diesel generators to the NUREG/CR-4550 values.

or component in a degraded state) were included directly in the IPE system fault trees

[p.3.3-6 of submittal). These include failure to restore systems anar test, maintenance, or surveillance activities and instrument miscalibrations. In NUREG/CR-4550, systems were examined to identify the potential for calibration, testing, maintenance and restoration errors [p. 4.8-2 of NUREG/CR-4550] for inclusion in the system fault trees.

Thus, essentially the same types of pre-initiator human actions were considered in each stud,y with the IPE specifically identifying surveillance errors, whereas surveillance errors were not specifically identified in NUREGICR 4550.

37

-_ _ __ a

I An example of an action included in each study is failure to restore the HPCS system after maintenance. For a listing of the specific actions considered in each study, see Table 3.34 in the IPE and Table 4.8-1 in NUREG/CR-4550.

2.3.1.2 Process for identification and Selection of Pre-Initiator Human Actions The IPE approach used for identifying and selecting potential pre-initiator actions was based on the same approach used in NUREG-1150 and follows the guidelines contained in NUREG-2300 and NUREGICR-4772. Thus, the approaches used in the IPE and in NUREGICR-4550 are the same.

2.3.1.3 Screening and Quantification Process for Pre-Initiator Human Actions In the IPE, all pre-initiator actions were quantified using the approach described in NUREG/CR-4772. Quantification was performed for two major classes of human activities. The first class included all pre-initiator actions except for miscalibration errors. All errors in this first class were initially assigned a basic human error probability (HEP) of 0.03. Grand Gulf procedures were then reviewed and on the basis of similarities among the procedures and an evaluation that at least one and typically multiple characteristics (as defined in NUREG/CR-4772) apply that favor a reduction in the basic HEP value of 0.03, all events of this type were assigned a screening value of 0.003. No further detailL analyses were performed for actions in this class. The second class of errors (i.e., miscalibration errors) was examined in more detail using the same approach as used for the first class. Two different classes of calibration activities were considered: (1) trip unit calibrations and (2) sensor / transmitter calibrations. The IPE states that sace the types of equipment are essentially the same and that the procedures used are virtually the same except for specific setpoints, ,

miscalibration HEPs were considered to be the same for each class of activity l' regardless of the specific device [p. 3.3-7 of submittal).

Using a typical calibration procedure for each class and the procedure as described in NUREG/CR-4772, it was determined that common mode errors were very unlikely for equipment in different divisions (Div.1,2, or 3), in different systems (e.g., HPCS vs.

ADS), and for different functions (e.g., water level vs. reactor pressure). The basis for this decision was that "different divisions are done at different days ... with typically different crews," and that " required control room sign-offs and,[ sic] verifications as well as the different locations and signal inputs for the devices tend to eliminate chances for common mode miscalibration errors for equipment in different systems or having different functions. However, complete dependence was assumed to exist for calibration of components serving the same function in the same division and system"

[p. 3.3-8 of submittal).

38

The basic difference between the IPE and NUREG/CR-4550 is that in the NUREG/CR-4550 analysis, all pre-initiator human actions were examined in detail, not just the miscalibration actions, as was done in the IPE. One other observation is made. While both the IPE and NUREG/CR-4550 used the same methodology to identify and quantifiy the pre-initiator human actions, implementation of the methodology produced a different set of operator actions. For example, in NUREG/CR-4550, a single common cause miscalibration of vessel-level instruments was developed while in the IPE, individual common cause miscalibrations were developed for the trip units and the i sensors / transmitters for each of three divisions.

l The IPE apparently did not perform any pre-initiator quantification beyond what was j done for the screening analysis. Since NUREG/CR-4550 analyzed all pre-initiator l actions in detail, no quantification update was performed. Thus, there are no differences between the two studies in this area.

The licensee's treatment of pre-initiator human 4. :tions, based on a comparison of information in the IPE submittal and in NUREG/CR-4550, appears reasonable.

i 2.3.2 Post-Initiator Human Actions 2.3.2.1 Types of Post-Initiator Actions Considered The post-initiator human actions (i.e., human actions that are required in response to initiating events or related system failures) considered in the IPE included proceduralized actions involving failure to actuate or align systems that do not receive j automatic actuation, failure to backup an automatic initiation fault, and failure to recover failed or mispositioned components or systems. Generally, the first two types of actions are incorporated into the fault trees or sometimes the event trees. The last type of action is usually identified by examination of the specific failure events that occur in a cut set. In NUREG/CR-4550, the same types of proceduralized human actions were considered and incorporated directly into the fault trees or were added to the cut sets based on an inspection of the potential recovery possibilities associated with a cut set.

2.3.2.2 Process for identification and Selection of Post-Initiator Human <

Actions ,

Post-initiator human actions identified and selected for incoporation into the IPE were based on reviews of Grand Gulf's emergency operation procedures (EOPs) and related procedures to identify the actions necessary to cope with abnorme.1 plant conditions; that is, to return the plant to a safe condition. Both actions that were incorporated directly into the fault trees or event trees and those actions that were identified by examination of the specific failures contained in each cut set had as their basis the EOPs and related procedures.

39

l In NUREG/CR-4550 the post-initiator human actions were identified in a two-step process for non-ATWS sequences. In the first step, as the system models were developed, "any post-accident operator action required for the system to successfully function when demanded was identified and added directly to the system model. The actions considered were generally those actions performed by the operator for the system to function properly:

Manual operation of any components, Manual initiation as backup to auto-initiation." i l

In the second step, individual cut sets were examined to determine whether other post- i l initiator actions were warranted based on the specific combination of failures in the cut l l set. if so, nonrecovery events representing the failure to perform the appropriate action I l were incorporated into the cut set [Section 4.8.4 of NUREG/CR-4550]. For ATWS sequences, the human actions were identified as part of the development of the ATWS event tree [Section 4.8.5]. Based on a comparison of the IPE submittal and l l NUREG/CR-4550, the licensee's identification of post-initiator human actions appears reasonable.

, 2.3.2.3 Screening Process for Post-Initiator Response Actions 4

The IPE submittal states that in general, "the process of evaluating the post-accident HEPs starts with a screening technique. In this screening phase, post-accident human error events that have been identified and included in the event tree and fault tree models are given high screening values (typically 0.5 was used). During the accident sequence quantification portions of the IPE the initially dominant cut sets containing equipment faults and human errors as well as combinations of human errors are identified above some frequency threshold. For the ... IPE, thresholds of the order of 1E-10 or lower wer [ sic] typically used depending on the quantification complexities.

Use of such low thresholds and high HEP screening values assured that no potentially important human error events or combination of human errors ... were missed" (p. 3.3-9 of submittal).

For the non-ATWS sequences, NUREG/CR-4550 identified the potential for multiple post-initiator human actions to appear in a cut set as a result of the accident sequence cut set generation process, and stated that if some of these actions were dependent, then simply multiplying their individual HEPs would produce an incorrect cut set frequency. Thus, "these actions were assigned a screening value, generally 1.0, in the initial quantification step" in NUREG/CR-4550.

For the NUREG/CR-4550 ATWS sequences, a detailed HRA was performed for human actions associated with postulated ATWS sequences. Visits were made to the site and l 40

\

i .

j  !

i to the simulator "for the purpose of acquiring plant-specific information on (1) training, l 2

(2) procedures, (3) human engineering, and (4) experience and education levels of the l j operations crew " Interviews were conducted with Grand Gulf training instructors and reactor operators, and detailed task analyses were performed. This information was then used to estanate HEPs for the ATWS post-initiator human actions.

i 1

j Based on a comparison of the IPE submittal and NUREG/CR-4550, the licensee's post-

! initiator human action screening process appears reasonable.

i i

j 2.3.2.4 Quantification of Post-Initiator Human Actions i

The IPE submittal states that the process by which post-initiator HEPs were determined

! " closely follows that used in the NUREG-1150 program making use of either i NUREG/CR-4772 or NUREG/CR-1278 as required"[p. 3.3-9 of submittal). Since

! NUREG/CR-4772 was the basis for most post-initiator HEP determinations in

! NUREG/CR-4550 (ATWS post-initiator HEP determinations also made use of j NUREG/CR-1278), the quantification processes for both the IPE and NUREG/CR-4550 l are functionally the same. In addition, the IPE specifically states that "two days of plant

! simulator runs were conducted using different plant operating staffs to verify / modify the l preliminary evaluations based on observations of simulated accidents which ' tested' for

the desired responses / recoveries" [p. 3.3-9 of submittal).

Both the IPE and NUREG/CR-4550 indicate that if a post-initiator human action was not important, then the screening HEP was not changed. In addition, both studies used generic data to estimate the failure probabilities of those post-initiator human actions associated with necovery/ restoration of a system / component. Examples of these actions include: (1) restoration of offsite power, (2) recovery of the power conversion system, and (3) recovery of diesel generator common mode failure. Thus, it appears that both studies used basically the same approach to quantifying post-initiator human actions.

2.3.2.4.1 Consideration of Timina Since both the FIEand NUREG/CR-4550 used NUREG/CR-4772 or NUREG/CR-1278 to estimate the post-initiator HEPs, the amount of time available to perform the action was considered. The IPE states that the " time available to perform the desired actions (s) was artificially divided into two parts; allowable diagnosis time and allowable post-diagnosis action time" [p. 3.3-9 of submittal). However, it appears that the IPE does not state specifically how the time available for recovery was determined. This type of informahon was presented in Appendix C of NUREG/CR-4550.

41

2.3.2.4.2 Other Performance Shaoina Fadors Considered The IPE states that documentation forms were used to record the following set of performance shaping factors were identified for each human error evaluated.

. The actua'l sequence of events.

. Indication cues available to the operator staff, and interpretation difficulties (if any) associated with those cues. -

. The possibility of simultaneous concerns which could potentially divert operators' attention from the desired action (s).

. What procedural steps were involved and their clarity.

. The time available to perform the diagnosis, considering how much time it would take to perform the desired action (s) within the total allowed time.

. The communication skills and practices of the staff.

. The types and frequency of training applicable to the desired action (s).

. The number of staff and their assignments.

. The complexity of the required action (s) and where it must be performed.

. Whether special equipment or other items must be used to carry out the action (s).

. Whether the required diagnosis and/or action are skill-based, rule-based, or knowledge-based activities as defined in NUREG/CR-1278.

e Whether the required actions require a step-by-step or dynamic response.

! . The level of stress involved.

. The degree of dependence among individual actions as well as among the different members of the operations staff.

i This list encompasses the performance shaping factors as described in NUREG/CR-

4772. Thus, since NUREG/CR-4772 formed the basis for HEP estimations in i NUREG/CR-4550, the two studies have used essentially the same set of performance
shaping factors.

42

2.3.2.4.3 Quantification of Recoverv Actions For those post-initiator human actions that are classified as " recovery actions" (i.e.,

actions to repair / restore system / components), the IPE states that the "non-recovery probabilities were obtained from NUREG/CR-4550" [p. 3.3-17 of submittal). Thus, no differences exist between the two studies.

2.3.2.4.4 Consideration of Deoendencies Since both the IPE and NUREG/CR-4550 used NUREG/CR-4772 as the basis for HEP  !

evaluations, both should have taken into account dependencies. As was stated in Section 2.3.2.4.2, such things as the actual sequence of events and the degree of dependence among individual actions as well as among the different members of the operations staff were considered as performance shaping factors during the estimation of HEPs for use in the IPE. Thus dependencies were considered. The documentation in Appendix C of NUREG/CR-4550 shows that dependence was considered during the HEP estimation process.

2.3.2.4.5 Treshrient of Ooerator Actions in the Intemal Floodino Analysis The IPE states that "to account for the human error flooding contribution, the calculated flooding CDF was doubled." The basis for this decision was given as industry-wide data (NSAC/60, Vol.1, Oconnee PRA), indicating that approximately 50 percent of the flooding events were initiated by human error [ p. 3.3-19 of submittal).

For pre- and post-initiator human actions, the same method used for nonflood-induced sequences was used to determine the HEPs of human actions during flooa-induced accidents. The licensee's treatment of human actions in its internal flooding analysis appears reasonable, since the same techniques were used in the flooding analysis as were used in the nonflooding analysis. Since NUREG/CR-4550 did not perform a flooding analysis, no comparison can be made.

2.3.2.4.6 Seauences Screened Out Due to Credit for Recovery Actions Table 3.4-2 in the IPE submittal and Table 4.10-3 of NUREG/CR-4550 provide information on those sequences screened out because of the addition of recovery actions to the cut sets or the updating of a screening HEP for post-initiator actions already included in the cut sets. Based on a comparison of the two studies, the licensee's screening of sequences due to credit from recovery actions appears reasonable.

43 l I

I l

2.3.2.4.7 Treatment of Ooerator Actions in the Level 2 Analvsis A number of operator actions were considered in the IPE Level 2 analysis. The actions considered were based on the anticipated response of the operators, as directed by the Emergency Operating Procedures (EOPs), to the accident during the time period after the onset of core damage. The methodology for determining the human error probabilities associated with these actions is identical to the methodology used in the Level i HRA assessment. The types of opGrator actions considered in IPE Level 2 analysis included:

provide alternative injection to the vessel ( both early and late during the accident),

restore CRD injection to the vessel (both early and late during the accident),

provide fire water injection to the vessel, depressurize the reactor vessel after the onset of core damage, activate the hydrogen igniters, j -

vent the containment (early, late, and on high hydrogen concentration) vent the vessel through the MSIVs for situations where the procedures would i

require vessel venting, i l

- initiate suppression pool cooling, and j- -

activate the containment sprays (both early and late during the accident).

j Operator actions were also considered in the NUREGICR-4551 Level 2 analysis. The 1 i HEPs were estimated using the ASEP HRA methodology, which was the methodology i j that was also in the NUREG/CR-4550 Level 1 analysis. The operator actions 1

! considered in NUREGICR-4551 and quantified in the HRA analysis included:

I i - provide coolant injection to the vessel, j -

depressurize the reactor vessel,

- activate hydrogen igniters, j

- vent the containment, and j

- isolate the containment.

j By comparing the two lists of operator actions, it can be seen that similar actions were h

considered in the two studies; namely, restoration of coolant to the core, depressurization of the reactor vessel, activation of hydrogen igniters, and containment venting. The IPE also considered additional events in its HRA analysis: restoration of containment heat removal and reactor vessel venting. While in the NUREG/CR-4551 PRA the operability of the containment sprays was considered, the use of the sprays was not quantified in the HRA analysis. Reactor vessel venting via the MSIVs was not considered in NURf!G/CR-4551. Because the scenarios are not always the same in 4 the two studies, a cc.mparison of the HEPs is not provided.

44 A - - + - - r - 'wh'wwa - --

Both studies used the same methodology to quantify important operator actions. Both studies relied on the EOPs to indicate how the operators would respond to the accident supplemented with information from the plant operators. It appears that there was a slightly different philosophy in the use of the EOPs in the two studies. It appears that in the IPE, the operators are assumed to follow the EOPs very closely while in the NUREG/CR -4551 study, the EOPs were used to provide guidance on possible operator actions. To a certain extent, dependencies between HRA events were also addressed in both studies. In the NUREG/CR4550 and -4551 studies, the HEP for a particular action was dependent on whether the operator performed previous actions correctly; the HEP was increased if the operator displayed a pattern of previous failures. These dependencies were explicitly modeled in the Level 2 analysis. In the IPE, some dependencies were included, for example, if alternative injechon systems were available before core damage and the operator failed to use them to prevent core damage (i.e., error of omission), then it was assumed that the operator would also fail to use the system during core damage.

Based on a comparison of the two studies, the licensee's treatment of Level 2 operator actions appears reasonable. It appears that the utilities did a through review of the EOPs to include important operator actions-actions that can mitigate as well as exacerbate the consequences of a severe accident. The discovery of the operator i action to vent the reactor vessel via the MSIVs following the onset of core damage is an example of an action that exacerbates the consequences of the accident 2.4 Back-End Technical Review 2.4.1 Containment Analysis / Characterization 2.4.1.1 Sequences with Significant Probabilities Core damage sequences defined in the Level 1 analysis of the IPE submittal that contributed to the top 95% of the total core damage frequency were combmed into plant damage states and propagated through the Level 2 analysis. The sequences that <

contributed to the bottom 5% of the total core damage frequency were not analyzed in the Level 2 analysis. Furthermore, the mean containment bypass frequency was estimated to be below the screening value of 1.0E-7 and hence was not included in the Level 2 analysis. The plant damage states are discussed in Section 2.2.3.1 of this report.

In NUREG/CR4550, the dominant cut sets from all' of the sequences that had frequencies above 1 E-08 were grouped into plant damage states.

"Except for sequence T18-5 which was not included in the final calculation of the CDF [p. 4.10-9 of NUREG/CR-4550].

45

l l

2.4.1.2 Failure Modes and Timing The ultimate containment and drywell capacities for static, dynamic, and thermal loads were addressed in the IPE submittal. While these different modes were considered in the characterization of the containment, not all of these modes were explicitly included in the Level 2 analysis. The ultimate capacities for the containment and drywell are discussed below.

Static Ultimate Caoacity To assess the ultimate containment and drywell capacities for static loads, the IPE team compiled a list of failure mechanisms based on reviews of previous structural analyses of the Grand Gulf plant. The failure pressure for each failure mechanism was assessed based on results from these previous analyses and specified material strengths. These failure mechanisms were combined and a cumulative distribution function was developed for the ultimate capacity of the containment. The approach used to combine the distributions was not discussed in the submittal. Different distributions were not developed for different temperature conditions. Also, owing to the narrow di.stribution of results and the similarity between the containment and drywell

failure distributions, the same distribution was used for both the containment structure and the drywell structure. The ultimate containment failure distribution used in the IPE submittal and that used in the NUREG/CR-4551 analysis are presented in Table 4

2.4.1.2-1. From this table it can be seen that the IPE distribution is narrower than the

! NUREG/CR-4551 distribution; the range between the 95th percentile and the 5th percentile for the IPE distribution is 7 psi while for the NUREG/CR-4551 distribution, the corresponding range is 34 psi. Another observation is that at least 95 percent of the IPE containment failure distribution is above the 50th percentile of the NUREG/CR-l 4551 distribution, in other words, the NUREG/CR-4551 distribution shows a greater probability of failure at lower pressures than the IPE distribution.

i

, Table 2.4.1.2-1 Comparison of ultimate containment failure pressure distributions due to static loads l

Failure Pressure (psid) <

! Cumulative IPE NUREG/CR-4551 4

Probability Containment /Drywell Contairtment Drywell i e

.05 60 38 50

.25 62 46 66

.50 64 55 85

.75 65 64 104

! .95 67 72 120 4

] . .

The IPE submittal addressed the thermal capacity of the containment and concluded that thermal failure of the seal material for the penetration seals will govern. It also j stated that "when considering pressure loading of the drywell or containment in

conjunction with sustained accKient temperatures, failure pressures associated with j exposed metal boundaries are expected to be dependent on the accident temperature."

Given the poterstially large uncertainties involved in the characterization of containment failure pressures, the IPE distribution seems rather narrow. Nevertheless, while l

narrower than the NUREG/CR-4551 distribution, the IPE distribution is within the same i general pressure range, and appears adequate for the purposes of the IPE, which did

} not include an uncertainty analysis.

Dynamic Ultimate Caoacity a

l The dynamic capacity of the Grand Gulf containment was based on previous studies. It

) is worth noting that containment failures caused by dynamic loads from hydrogen 4 detonations were not considered in the Level 2 analysis. It was judged by the IPE team that hydrogen concentrations that would support a detonation would also fail the i containment from quasi-static overpressurization and, hence, detonations were not

considered. In the NUREGICR-4551 study, dynamic failure of the containment from l hydrogen detonation was considered and was shown to be a relatively minor j contributor to the containment failure probability (e.g., the probabilities of early j containment failure from a detonation and from a deflagration were approximately 0.04 j and 0.19, respectively).

! Other Drvwell Failure Modes l A potential failure mode for the drywell structure is failure of the reactor vessel pedestal

from either pressure loads or from concrete erosion that accompanies core-concrete
interactions. Both modes were considered in the NUREG/CR 4551 analysis. It is j stated in the IPE submittal that the distribution used in the NUREG/CR-4551 analysis j for pedestal failure caused by concrete erosion was considered.

Failure Location and Timina l The IPE team judged that the most probable failure location was in the vicinity of the

upper personnel airlock. Failure at this location would allow releases from the

! containment to enter the secondary containment in the vicinity of the fuel handling

area. Hence, for certain types of containment failures, credit was given for radionuclide j retention in the secondary containment.

i

! In the NUREG/CR-4551 study, the most probable failure location was judged to be near the containment springline. It was assumed that failures in that location would allow 47 i

1 i the releases from the containment to enter the enclosure building and then be released to the environment. No credit was given for radiological retention in the secondary containment building.

In both the IPE and the NUREGCR-4551 Level 2 analyses, three time regimes were i considered for containment failwe
before vessel failure, at vessel failure, and late (after vesselfailure).

J

Based on a comparison of the tuo studies, the licensee's treatment of containment failure location and timing appens reasonable. Given the large uncertainties involved

, with the estimation of the failurelocation, it is not unreasonable that NUREG/CR-455'.

PRA and the PE used slightly dNorent failure locations.

1 i 2.4.1.3 Containment isolation Failure The IPE team reviewed all of the penetrations in the containment and assessed the

! likelihood of both containment bypass and failure of containment isolation.- The IPE i submittal stated that the screening criteria used were based upon those prescribed in .

Appendix 2 of Generic Letter 88-20. In particular, bypass sequences and isolation l
sequences were not consideredif their frequency was less than 1E-07 per year. The IPE used a screening value of 1E-03 for the conditional probability of containment j bypass or failure of containment' solation. This value was based on an assumed core j damage frequency of 1E-04. The IPE submittal stated that any conditional probability  !
of containment bypass or isole' ion failure less than 1E-03, ensures that the maximum l

! frequency of core damage sequences that involve bypass is less than 1E-07 events per year. Based on this review, the IPE team concluded there were no sequences that involved unintentional containment bypass or failure of containment isolation that were

above the screening criteria. Hence, unintentional containment bypass and failure of containment isolation were not indbded in the accident progression analysis.
However, intentional venting of tie reactor vessel and intentional venting of the containment, as directed by the Emergency Operating Procedures, were included in the l

accident progression analysis.

l Similar to the FE, the probability of containment bypass sequences was considered negligible and was not includedin the NUREG/CR-4551 analysis. In the NUREGICR-2 4551 study, it was also concludedthattthere was a negligible probability for most isolation failures. It was judged, however, that there was some probability that either

, the personnel airlocks or the equipment hatch was not properly sealed. The quantification of this issue was driven by operator error. The conditional probability that containment isolation fails was 0.006. Owing to their low probabi.lity, isolation failures were a negligible contrtutor to risk.

! 48 i

L___- . . - - ,

1 . .

l

) Based on a comparison of the two studies, the licensee's treatment of containment isolation and containment bypass appears reasonable.

l 2.4.1.4 . System / Human Responses See Section 2.3.2.4.7 for a discussion of the operator actions treated in the Level 2 j analysis.

4 l l 2.4.1.5 Radionuclide Release Characterization l The radionuclide release characterization is discussed in Section 4.7 of the IPE j submittal. To estimate source terms, the IPE team utilized an approach that was

] similar to the parametric approach used in the NUREG/CR-4551 study. A parametric i

expression was developed that represented the release of radioactive material from the fuel and core debris and its subsequent transport through the containment to the

, environment. The key radionuclide release mechanisms were releases associated with 4 the in-vessel core degradation process, releases that accompany core-concrete interactions, and revolatilization of material deposited in the reactor vessel. Key

decontamination mechanisms included suppression pool scrubbing, primary system i natural deposition, containment natural deposition, containment sprays, scrubbing of j CCI releases by overlying water pools, and natural deposition in the secondary

! containment. While nine radionuclide groups were considered in the NUREG/CR-4551 model, the IPE adopted the approach used in the EPRI generic methodology and

! tracks the following five: noble gases, iodine, cesium, tellurium, and strontium. The l parameter values used to estimate the source terms were derived from MAAP j calculations. A source term was estimated for each accident progression. These l source terms were then grouped into 10 release categories based on the amount of '

! cesium and tellurium released and on the timing of the release relative to core damage;  ;

j The IPE submittal states that the CET end-states involving containment failure, either prior to vessel failure, or as a consequence of vessel failure, were classified as an early j

release. Even though reactor vessel venting is likely to occur after vessel failure, thema j scenarios were also classified as an early release.

4 9

, A parametric algorithm was also used in the NUREG/CR-4551 source term analysis to i

estimate source terms for each accident progression. The algorithm used in NUREG/CR-4551 considered many of the same release and decontamination

mechanisms. An additional late release mechanism considered in NUREG/CR-4551 that does not appear to be considered in the IPE is the late evolution of iodine from the suppression pool. In contrast to the IPE, NUREG/CR-4551 did not take any credit for j radionuclide retention in the secondary containment. Furthermore, the IPE source term
algorithm was quantified primarily with results from MAAP calculations whereas the i NUREG/CR-4551 source term algorithm was quantified primarily using distributions j developed from expert judgment techniques. A different process was also used to form i

) .

49 i

l 4

i source term groups in NUREG/CR 4551. In NUREG/CR 4551, the many source terms that were generated were combined into 57 source term groups using the PARTITION code. Offsite consequences were then calculated for each source term group.

The release categories developed in the IPE and the percent that each category contributes to the core damage frequency is presented in Table 2.4.1.5-1. While similar release categories were not developed in NUREG/CR-4551, approximate equivalent release categories can be formed by combining source term groups using the same criteria that were used to form the release categories. The percent that each of the equivalent NUREG/CR-4551 release categories contributes to the mean core ,

damage is also presented in Table 2.4.1.5-1. Also shown in this table are the numbers of early fatalities and total latent cancer fatalities for each equivalent NUREG/CR-4551 release category. In general, the results from the two studies are similar. For the IPE, early releases constitute more than 46 percent of the base case results. The majority of these early releases occur when the operators intentionally vent the reactor vessel.

The submittal states that "The occurrence of large releases stems from the transient-initiated accidents that were not identified as being significant contributors to the NUREG-1150 results." For NUREG-1150 PRA, early releases constitute approximately 36 percent of the core damage frequency. The majority of these releases result from containment failures associated with hydrogen combustion events and loads that accompany vessel failure. A reassuring observation that results from Table 2.4.1.5-1 is that the consequences, both early and latent, follow a general tend that is consistent with the release category definitions. That is, a low release is less than the medium and the medium is less than the high release. Also, the early releases are higher than the late releases for a similar category.

Based on a comparison of the two studies, the licensee's treatment of release categories appears reasonable. Differences between the two studies are not unexpected given that different sources were used to quantify the source term model in each study and a dominant release path identified in the IPE (i.e., venting of the RPV through the MSIVs) was not modeled in the NUREG/CR-4551 PRA.

2.4.2 Accident Progression and Containment Performance Analysis 2.4.2.1 Severe Accident Progression The IPE utilized containment event trees (CETs) to probabilistically model the progression of the accident following the onset of core damage. The CET is based on the model suggested in NSAC-159 [NSAC-159] with additional events added to the CET to facilitate the calculation of source terms, to represent venting of the reactor pressure vessel, and to decompose certain top events. The IPE CET is represented by a main CET supported by 13 subtrees. When all events were considered, the IPE CET consisted of 85 top events. The EVNTRE code that was developed and used in the 50 l

l l

Table 2.4.1.5-1 Comparison of IPE Release Categories with Equivalent NUREG/CR-4551 Release Categories Release Category IPE NUREG/CR-4551 Consequences Conditional on Release

% Core  % Core Early Total Latent Damage Damage Fatalities Cancer Frequency Frequency Fatalities Early Low 8% 7% 1.9E-05 30 Release Early Medium-Low 0% 3% 2.7E-06 91 Release Early Medium 0% 21 % 7.5E 04 320 Early Medium- 35% 0% - -

High Release Early High 3% 5% 6.0E-02 1130 Release Late Low Release 32 % 35% 0.00 18 Late Medium-Low 0% 1% 1.8E-07 81 Release Late Medium 7% 28% 3.0E-04 260 Release Late High Release 15% <1% 880 2.6E-02 __

NUREG/CR-4551 study was also used to evaluate IPE CET. The submittal states that most of the basic event probabilities used in the CET were evaluated based on either the MAAP analyses or on plant-specific human reliability analyses. Certain events not modelled in MAAP, such as fuel-coolant interactions, were also included in the CET and quantified using other sources such as NUREG/CR-4551. The IPE submittal states that the Grand Gulf "... Level 2 analysis may be characterized as a full-scope effort with somewhat less model detail than what was used in the Level 2 analysis of the NUREG-1150 and NUREG/CR-4551 of GGNS." As a point of comparison, the NUREG/CR-4551 accident progression event tree (APET) consisted of 125 top events.

51 i

The events included in the main IPE CET end the subtrees are discussed in Section 4.5 of the subnuttal. The CET considered three tirr,e regimes: early (prior to vessel failure), at vessel failure, and late (following vessel failure). While the exact definition of the last two time regimes is slightly different, NUREG/CR-45Si cons.idered essentially the same time regimes. Events considered in the main CET induded reactor vessel depressurization, injection recovery, containment failure, containment venting, suppression pool bypass, core damage arrest, debris coolability, reactor vessel venting, operation of containment sprays, fission product retention in the containment and fission product retention in the secondary containment. Additional top events were also included to facilitate the calculation of the source term. The same general types of events were considered in NUREG/CR-4551 with the exception that reactor vessel venting was not considered and no credit was given for the fission product retenbon capability of the secondary containment.

Key phenomena considered in the IPE CET included:

in-vesselmelt progression, melt empulsion from the reactor vessel, fuel-cociant interactions (both in-vessel and ex-vessel),

ex-vessel debris coolability, molten core-concrete interactions, flammable gas combustion, and drywellimiure and primary containment failure.

Based on a comparison of the two studies, the licensee's treatment of severe accident progression following the onset of core damage appears reasonable. Differences between the two studies are not unexpected, given the large uncertainties involved in severe accident progressions and different sources of information used to quantify the models.

2.4.2.2 Dominant Contributors: Consistency with IPE Insights Table 2.4.2.2-1 provides a comparison of the dominant contributors to containment failure that were obtained from the GGNS IPE, the other BWR/6 Mark lil IPEs, and the Grand Gulf NLREG-1150 PRA. The results from the IPEs were extracted from the NRC's IPE datatuse. Results in the database are provided for individual PDSs.

Average resubs across all PDSs were calculated by weighting the results from each PDS by its frequency (i.e., a frequency-weighted average). The results from the two Grand Gulf studies are similar. There is a slightly higher percentage of early failures in the GGNS IPE than in NUREG/CR-4551. The majority of the early f-ilures from the GGNS IPE are associated with venting the reactor vessel through the MSIVs. Most of the early failures in NUREG/CR-4551 are associated with hydrogen combustion events; venting the reactor vessel through the MSIVs was not considered as a mode of containment bypass. The other three IPEs show a higher percentage of an intact containment than the Grand Gulf studies.

52 i

Table 2.4.2.2-1 Containment Failure as a Percentage of Total CDF: Grand Gulf IPE Results Compared with the Grand Gulf NUREG-1150 PRA and Other IPE Results Study CDF Early Late Bypass intact w/o Intact w/

(per rx yr) Failure Failure Vessel Vessel Breach Breach Grand Gulf 1.58E-05 46 % 33 % - -

20%

IPE Grand Gulf 4.0E-06 36 % 47 % -

7% 11 %

NUREG-1150 Clinton IPE 2.66E-05 3% 2% - -

95 %

Perry IPE 1.25E-05 24 % 36 % -

27 % 13%

River Bend 1.55E-05 28% 14% - -

58 %

IPE 2.4.2.3 Characterization of Containment Performance The ultimate strength of the containment was characterized by a distribution of failure pressures and was discussed in Section 2.4.1.2. The phenomena considered as mechanisms for early containment failure7 (i.e., failures that occur prior to or as a consequence of vessel failure) in the IPE were:

rapid overpressurization due to hydrogen deflagrations, rapid overpressurization due to fuel-coolant interactions (FCis), and ,

intentional containment venting.

Containment failure from a hydrogen detonation was not explicitly included in the CET.

The IPE submittal stated that conditions that would lead to global detonations would result in containment failure from deflagrations and, hence, it was not necessary to explicitly consider detonations. Both in-vessel and ex-vessel steam explosions were considered as a mechanism for containment failure. Containment isolation failure and unintentional containment bypass were excluded from the analysis due to the low probability of these events. Containment failure accompanying high-pressure vessel 7

As used here, containment failure includes situations where the containment structurally fails as well as situations where it remains structurally intact, but is intentionally bypassed or vented.

53 m ~

failure was not considered in the IPE as a credible failure mechanism due to the large containment volume. Phenomena considered in NUREGICR-4551 included combustion of hydrogen (both deflagrations and detonations), fuel-coolant interactions, and the accumulation of steam and noncondensibles for long-term accidents where containment heat removal was not available.

In the IPE, the same phenomena considered for early containment failure were considered for late containment failure, with the following exceptions: a mechanism was added for overpressurization from steam and noncondensibles generated from CCl, and the FCI mechanism was deleted. Also included during the late time regime was intentional venting of the reactor vessel as a mechanism for bypassing the containment. (it should be noted that this failure mechanism was included in the early time regime in the source term assessment.)

The phenomena considered as mechanisms for early drywell failure in the IPE were hydrogen combustion and fuel-coolant interactions. Phenomena considered for late drywell failure included combustion of combustible gases and thermal failure of the drywell. Similar phenomena were considered in NUREG/CR-4551. In addition to these phenomena, loads accompanying vessel breach and failure of the reactor pedestal were also considered in NUREG/CR-4551 as mechanisms for failing the drywell.

Mechanism , for failing the pedestal included fuel-coolant interactions, loads

, accompanying vessel breach, and loss of support caused by the concrete erosion that accompanies core-concrete interactions.

The conditional containment failure assessments from the IPE and from NUREGICR-4551 are shown in Table 2.4.2.3-1. The results from the IPE are based on information provided in Section 4.6.4.1 of the submittal. The following five containment failure categories were defined in the IPE:

MSIV venting, early containment failure, late containment failure,

  • containment vent, and no containment failure.

The results from NUREG/CR-4551 were organized into similar groups. The percentages provided for NUREG/CR-4551 were calculated by dividing the mean frequency of a given containment failure bin by the total core damage frequency. The percentages for late containment failure, containment venting, and no containment failure are similar for the two studies. The most notable difference is the percentage associated with the intentional bypass of the containment from venting the reactor vessel through the MSIVs. This mechanism is a dominant release mode in the IPE whereas venting the reactor vessel through the MSIVs was not considered in 54

6 8 NUREG/CR-4551. Early containment failures in NUREG/CR 4551 were mostly attributable to hydrogen combustion events. The IPE shows a much kwer percentage for early failures caused by combustion events. This is potentially due to two factors:

(1) if there are two o more modes of failure and one of the modes is MSIV venting, the failure is assigned to the MSlV venting category, potentially masking other modes of failure and (2) different assumptions were used in the two studies ragsding the amount of hydrogen generated during the core damage and the combustion of this hydrogen.

With regard to the first factor, in the IPE a sensitivity calculation was performed in which MSIV venting was eliminated. When this mechanism was removed, the early failures did not increase significantly, indicating that a substantial fradon of the early failures from hydrogen combustion were not being masked by this failure mode. With regard to the second point, it appears that in NUREG/CR-4551 considerably more hydrogen was predicted to be produced and when it was ignited coneons were such that the loads would be more severe than in the IPE model. Based on a comparison of the two studies, the licensee's characterization of containment perfonnance appears reasonable.

Table 2.4.2.3-1 Comparison of Conditional Containment Failure Assessment Study MSIV Early Late Containment No Venting Containment Containment Venting Containment

. Failure Failure Failure IPE 38 % 7% 26 % 6% 20%

NUREG/CR- NA 36 % 38 % 9% 17 %

4551 2.4.2.4 Impact on Equipment Behavior The IPE considered the effects that containment failure and hydrogen combustion have on the secondary containment's ability to retain radionuclides. The secondary containment was not considered in NUREG/CR-4551. Both the IPE and NUREG/CR-4551 considered the possibility that containment failure near the spnngline could also fail the containment spray system. Failure of the drywell vacuum breakers caused by the severe environment that accompanies a hydrogen combustion event was also considered in NUREG/CR-4551. While failure of the drywell vacuurn brenwa was considered in the IPE, it does not appear that the failure was caused by fne severe environment.

55

4 .

i .

i 2.4.2.5 Uncertainty and Sensitivity Analyses

! To investigate the uncertainties in the progression of a severe accident, the IPE used

probabilistic models and performed a series of sensitivity studies with these models.

The sensitivity calculations that were performed are listed in Table 4.8-1 of the IPE

submittal. The submittal states that "The parameter of greatest interest is venting the RPV through the MSIVs. The sensitivity analyses indicate that this is an important i

parameter with regard to the predicted fission product releases at GGNS." An integrated uncertainty analysis was not performed.

NUREG/CR-4551 also used probabilistic models and included an integrated i uncertainty analysis that investigated the impact that uncertainties on the inputs to the IPE model have on the results. No sensitivity studies were reported in NUREG!CR-  !

l 4551.

2.5 DHR, Other GSl/USIs and CPI 2.5.1 Evaluation of Decay Heat Removal 2.5.1.1 Examination of DHR The IPE submittal stated that comparing Grand Gulf's total core damage frequency of

1.72E-5/yr with quantitative criteria that have been used by the NRC staff to categonze i DHR vulnerability results in a conclusion that no DHR generic issue vulnerability exists i for Grand Gulf [p. 3.4-17 of submittal).

4 2.5.1.2 Diverse Means of DHR The submittal does not contain a separate section describing the diverse means of DHR. A discussion of the methods incorporated into the IPE models is provided in Section 3.4.3 of the submittal. The methods described there can be grouped into two  !

. categories: (1) PCS available and (2) PCS unavailable. With PCS available, decay j heat is ultimately removed through the main condenser. If PCS is unavailable, then all other means of removing decay heat ultimately make use of the SSW system.

2.5.1.3 Unique Features of DHR The submittal does not contain a separate section describing the unique features of i DHR. As stated above, all methods of decay heat removal can be grouped into two  ;

4 categories.

Se j i

1 l

2.5.2 Other GSl/USis Addressed in the Submittal The submittal did not address any additional GSI/USIs. '

2.5.3 Responses to CPI Program Recommendations The IPE considered the following recommendations from the Containment Performance improvement Program (CPI):

. Hydroaan laniter Ooerability Durina Station Blackouts; The IPE included a sensitivity case simulating the presence of a backup power supply. The backup power supply had a minor impact on the failure of the containment.

. Containment Heat Removal: Both the Level 1 and the Level 2 analyses i considered the use of the existing containment vent as a containment heat l removal system. The submittal states that containment venting had a negligible

! impact on the calculated core damage frequency because the containment heat i removal failure sequences quantified were dominated by initiators that would i also fail containment venting.

t

. Alternative Water Suooly for Containment SoravNessel Iniection: The IPE i included the firewater system as an attemative injection source in both station

blackout accidents and loss of long-term decay heat removal sequences. No

! attemative means of providing water to the containment sprays were considered.

! The IPE submittal states that the firewater system had a significant impact on the  ;

j long-term decay heat removal sequences but a negligible impact on station j blackouts.

i I

= Enhanced Reactor Pressure Vessel Deoressurization System Reliabilitv
Vessel i . depressurization through the use of relief valves requires de power and a j pneumatic supply. Sensitivity studies on the battery depletion time during a

! station blackout were performed in the IPE. The IPE submittal states that the

! extension of the batter depletion time had very little impact on the frequency of

! core damage.

i t

1 - Emeroency Procedure and Trainina: The submittal states that Revision 4 to the i BWR Owners Group Emergency Procedures Guidelines have been used to  ;

! generate plant-specific emergency procedures and that these procedures were

! used in the construction of the IPE models and quantification of the human

errors.

I

it appears that the IPE has addressed the recommendations from the CPI Program.

1 4

j 57 4

s e

2.6 Vulnerabilities and Plant improvements 2.6.1 Vulnerabilities The IPE submittal states that the methodology used to identify whether vulnerabilities existed was that suggested by NUMARC 91-04 [NUMARC 91-04). Specifically, a vulnerability was defined as any sequence group with a core damage frequency greater than 1.0E-4 per reactor year or containment event tree end-state group with a containment failure / bypass greater than 1.0E-5 per reactor year [p. 3.4-14 of submittal).

The IPE submittal states that no vulnerabilities were found [p.1.1-1 of submittal).

2.6.2 Proposed improvements and Modifications Several plant enhancements were identified as a result of the IPE. Enhancements (1) and (3) will be implemented. Enhancements (2), (4), (5), and (6) will be considered.

While not specifically stated, it appears that no credit was taken in the IPE for l enhancements (1), (2), (4), and (5). Some credit was taken for (3). While no credit was taken for enhancement (6) in the IPE, sensitivity calculations were performed with this enhancement.

1. Division 3 Power Cross-Tie with Divisions 1 and 2 Offoormal event procedures (ONEPs) currently require that the Division 3 diesel generator be cross-tied to Divisions 1 or 2 if the HPCS pump is unavailable by aligning the appropriate circuit breakers. "However, this circuit breaker alignment is not possible if a HPCS initiation signal (RPV Level 2 or high drywell pressure) is present. The high drywell pressure initiation signal may be manually reset with a reset pushbutton in the control room. However, the ONEP does not allow the bypassing of the Level 2 initiation signal." For those accident sequences resulting in a Level 2 initiation signal, the cross-tying of the HPCS diesel generator is not possible with the current procedures. "The ONEP will be revised to allow for the Level 2 signal to be bypassed" (p. 6.2-1 of submittal).
2. Secondary Containment isolation of PSW and instrument Air "The secondary containment isolation valves close on the loss of a Division 1 or 2 AC or DC bus without the capability of bypassing the isolation signals and re-opening the valves." Closure of these valves will result in the ultimate loss of the main condenser, condensate, and feedwater systems. Loss would also degrade the CRD system. A comprehensive evaluation of the overall secondary containment isolation requirements will be performed to assess the appropriateness of making these design features. Depending on the results, Grand Gulf may request changes frem the NRC in these isolation requirements to obtain a lower overall risk and to improve plant operations [p. 6.2-1 of submittal).

58

3. Leak Detection System Trip of the RCIC System l

"The bypassing of the RCIC turbine trip due to main steam tunnel high j temperature was modeled for most sequences. Currently, the bypassing of this isolation signal is only proceduralized for SBO situations." in the current model, bypassing this signal for other than SBO situations ... was allowed with a conservative failure probability. " Procedural changes will be implemented to allow for this bypass ...." [pp. 6.2-1, 6.2-2 of submittal).

4. SSW Pump House Ventilation "A dependency between Division 1 and Division 3 SSW through the SSW pump house cooling system was noted. The SSW pump house that contains the j SSW-A (Division 1) and SSW-C (Division 3) pumps is cooled by two trains of
pump house ventilation. One train of pump house ventilation is powered by

! Division 1 power and the other train is powered from Division 2 power. A separate SSW pump house contains SSW-8 pump (Division 2) and has one l

train of ventilation powered by Division 2 power. Upon failure of ventilation in ,

either SSW pump house, the pump house will heat up, according to plant  !

specific calculations, such that SSW pump failures could occur in approximately l 2.5 to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />. Therefore, a complete failure of both SSW pump house

! ventilation systems could fail all of the SSW trains. In a LOSP event, this

! complete failure of both SSW pump house ventilation systems would also fail all l three onsite diesel generators leading to SBO conditions. However, a pump i room heat up analysis indicated that the manual opening of the pump house

dampers could provide adequate ventilation such that pump failures would not
occur. The existing control room indication for the SSW pump house ventilation i system would not adequately warn operators of the conditions that could lead to ,
SSW pump failures. Consideration will be pven to increasing f.he training l l emphasis on the operational status of the SSW pump house ventilation system.

Some control room indication changes may also be considered" [p. 6.2-2 of l submittal).

5. Low-Pressure ECCS Pump Dependence on SSW
Low-pressure ECCS pump (i.e., LPCI and LPCS) dependence on SSW is
included in the IPE model. "The LPCS dependency is through pump room

! cooling. On the basis of plant specific calculations, a failure of this cooler or the l SSW supply to the cooler would be expected to result in a LPCS pump failure

after approximately 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The RHR pumps are dependent on SSW for '

pump seal cooling. A loss of SSW to the seal coolers could be expected to result in an RHR pump seal failure shortly after the suppression pool reaches saturated conditions. The IPE analysis conservatively assumed that the pumps 59 1

d i

4 would fail soon after seal failure. Analysis has shown that with a loss of all containment heat removal capabilities, the suppression pool will become

saturated in about 6 to 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. LPCS pump seal failures may also occur at this time. Under these conditions, the operators may simply alternate operation ,

of the pumps to significantly extend the time available for recovery actions. I

Alternate operating of the pumps for loss of SSW scenarios is being considered for implementation in operator training" [p. 6.2-2 of submittal).

4 3 6. Reactor Vessel Venting dunng Containment Flooding Procedure i

A potentialimprovement that is being evaluated by the BWR Owners Group l j

Severe Accident Management Subcommitte is a modification of the portion of the l EOPs that directs the operators to vent the reactor vessel even if core damage has occurred.

2.6.3 IPEInsights l Section 6.2 of the IPE discusses the IPE insights and potential plant improvements. All
insights discussed here formed the basis for the potential plant improvements and are a

not repeated.

l

!. I t

I )

i 1

i i

i 60

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS Basically the IPE and the NUREG-1150 analyses used the same techniques to model j the equipment, plant features, and operator responses to events that can initiate core I damage sequences. The only difference observed appears to be the level of detailed plant-specific information available to the IPE vs. the NUREG-1150 analyses. This additional information led to analysis of several special initiators that were screened in the NUREG/CR-4550 analysis, and use of updated procedures that affected the l construction of event trees (e.g., change in HPCS diesel generator cross-tying criteria). i Thus, it is expected that differences will exist in the specific events that are identified as important by the two studies.

While the probabilities of containment failure8 are similar in the two studies, different mechanisms are responsible for early containment failure. In the NUREG/CR-4551 study, the dominant mechanism of early containment failure was combustion of

hydrogen. While hydrogen combustion events still contribute to early containment failures in the IPE, the dominant mechanism of early containment failure is venting of the RPV through the MSIVs. There are a number of factors that contribute to the lower importance of hydrogen combustion events in the IPE, among them the inclusion of an operator action to vent the RPV through the MSIVs, different assumptions regarding the production and combustion of hydrogen, and a different containment failure pressure distribution. Given that the IPE reflects current practices at the plant and there are large uncertainties associated with severe accident progressions and phenomena, these differences are not unreasonable. The overall conclusion is that the IPE results are reasonable for a plant of this type.

i sAs used here, containment failure includes situations where the containment structurally fails as well as situations where it remains structurally intact, but is intentionally bypassed or vented.

4 61

4. DATA

SUMMARY

SHEETS a Total core damage frequency (CDF): 1.72E-5 per reactor-year

e initiating events contributing to the total CDF are l Initiator Contribution a LOSP 55.2 %

o Loss of Division 2 AC bus 19.3%

a Loss of Division 1 AC bus 5.6%

o Transient with loss of PCS 3.9%
a Transient with PCS initially available 2.6%

a Loss of Division 2 DC bus 2.4%

a Loss of Division 1 DC bus 2.2%

j u Classes of accident sequences contributing to the total CDF are Seouence Contribution i a Station blackout 43.3 %

a Transient with loss of all injection 19.6%

o Transient with loss of all high-pressure injection 23.6%

and failure to depressurize o Transient with loss of containment heat removal, 10.1%

leading to loss of injection

a Transient-induced loss-of-coolant accident 1.0%

, a Loss-of-coolant accident 2.2%

a Anticipated transient without scram 0.3% '

s Major operator actions to prevent core damage or containment failure:

4 a inject with firewater

, a Bypass high steam tunnel temperature isolation

a Recover offsite power in 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />

. o Recover diesel hardware failures within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> a Depressurize reactor vessel -

a Recover offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> a Restore SSW train-A pump room ventilation a Recover DC hardware failure a Recover diesel from maintenance in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> a Properly restore HPCS a Vent reactor pressure vessel through the MSIVs (results in an intentional bypass of the containment) a Vent containment a Activate the hydrogen ignition system 62

i e Contribution to total containment failure probability given core damage:

Containment Failure Assessment O RPV venting 38 %

l (considered early in definition of release categories) l D Early containment failure 7%

a Late containment failure 26 %

a Containment venting 6%

i a intact 20%

a Significant PRA findings:

Design or opershonal features having the most significant impact in reducing the CDF are o Capability of cross-tying standby service water (SSW) B system to the low-pressure coolant injection (LPCI) B injection line.

O Capability of injecting water into to the reactor pressure vessel (RPV) using the firewater system.

O Division 3 HPCS diesel generator is of a different design and size, reducing common cause failure concerns.

O Capability of cross-tying the HPCS diesel generator to either Division 1 or 2 dunng station blackout events per the Off Normal Event Procedure. I l

a Highly compartmentalized nature of Grand Gulf's auxiliary building i improves the plant's ability to cope with internal floods. i Systems or actions whose failure would have the most significant impact in increasing the CDF are j c Common cause failure (CCF) of batteries A, B, and C D CCF failure of SSW motor-operated discharge valve F0058 o CCF of DG room ventilation components a CCF of SSW discharge check valves a Failure to depressurize in the short term o CCF of ADS and non ADS safety valves a CCF of SSW pump house dampers  !

O Load shedding and sequencing system inadvertent load shed (DIV 11)  !

l 63 i

. . j e

e Potential improvements made or under evaluation:

l ,

O Procedural bypass of Level 2 signal to allow Division 3 power cross-tie with Divisions 1 and 2 completed.

a Secondary containment isolation of plant service water and instrument air under evaluation.

l 0 Procedural bypass of the leak detection system trip of the RCIC system j completed.

o increased training on and control room indication changes to SSW pump house

', ventilation status under evaluation.

4

. a Operator training in attemative operation of low-pressure emergency core cooling system pumps to minimize impact of SSW dependence under evaluation.

j u Modification of the portion of the EOPs that directs the operators to vent the reactor vessel even if core damage has occurred under evaluation.

i >

l e important plant hardware and plant characteristics:

l 0 Standby service water B cross-tie

a Firewater system
O HPCS diesel generator cross-tie to either Division 1 or 2

! O Hydrogen ignition system 64

REFERENCES

[lPE Submittal] Grand Gulf Nuclear Station IPE Submittal, December,1992

[NUREG-1150] U.S. Nuclear Regulatory Commission, " Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, June 1989.

[NUREG/CR-4550] M. T. Drouin et al.," Analysis of Core Damage Frequency: Grand Gulf Unit 1 Internal Events," NUREG/CR-4550, SAND 86-2084, Vol.

6, Rev.1, Parts 1 and 2, Sandia National Laboratories, Albuquerque, NM, September 1989.

[NSAC-159] Mendoza, Z. T., et al., " Generic Framework for IPE Back-End (Level 2) Analysis," NSAC-159, Volume 1-Main Report and Volume 3-BWR Implementation Guidelines, Electric Power Research Institute, Palo Alto, CA, October 1991

[NUMARC 91-04] NUMARC, " Severe Accident Issue Closure Guidelines," NUMARC 91-04, January,1992.

65

l 1

1 l

1 1

l l

I l

Appendix A Event Tree Comparison A-1

- - . _ . _ _ _ . . _ __ ~ _ _ - - _ _ _ . . . _ ___ _ _ _ _ _ __._ _

Table A-1 presents the differences noted between the general assumptions stated in  ;

the IPE [pp. 3.1-12 through 3.1-14] and in NUREG/CR-4550 [pp. 4.4-2,4.4-3] with regard to event tree developrnent. Table A-2 presents the differences noted between i the top event descriptions for the event trees common to the iPE and NUREG/CR-l 4550.

I j A limited examination of the trees identified the following differences in the way the i trees were developed. All appear to be the result of either changes to the procedures j used by the plant during the IPE process vs. the NUREG/CR-4550 process, or reflect l access to more detailed data.

T1 Event Tree

! The first difference appears after the loss of both train A and B of onsite emergency ac

! power (B). In the NUREG/CR-4550 tree the cross-tie of the HPCS diesel generator top l event (DGX) was asked after failure of B. In the IPE tree, DGX is as'Ked after the failure j of the HPCS system, which is asked after B [ Fig. 3.1.2.3-1 of submittal and Fig. 4.4-5 j (p.1 of 4) NUREG/CR-4550]. The second differerence occurs after successfully cross-tying the HPCS diesel generator to the train A bus. In the NUREGICR-4550 analysis, l

the low-pressure core spray (LPCS) system was asked if the reactor core isolation

! cooling (RCIC) system failed and the operators successfully depressurized the vessel.

j in the IPE, LPCS is not asked because as the IPE states [p. 3.1-16), "LPCS will not be

available for injection ... since its 2000KVA motor exceeds the capacity of the Division i Ill diesel generator." In addition, several other minor differences exist in some of the i transfer trees for the IPE and the NUREG/CR-4550 analysis [ Fig. 3.1.2.3-2 and 3.1.2.3-l 4 of submittal and Fig. 4.4-5 (p. 2 of 4) and Fig. 4.4-5 (p. 4 of 4)] (e.g., T1/TR2 and T1-l ib, respectively and T1/TR12 and T1-3a, respectively).

!- Of the differences noted here, the most important one would appear to be the one j involving the LPCS system. Since the LPCS pump would not be available when the HPCS diesel generator is cross-tied, this would reduce the number of pumps available l

j to inject water into the vessel, thus tending to increase the core damage frequency j somewhat.

l T2 Event Tree l The first difference appears in the transfer that takes place after the failure of the event

! representing the opening and closing of the SRV--P1. In the IPE, the transfer is to the T3C tree while in the NUREG/CR-4550 tree, the transfer is to the S2 tree. However,

! the logic developed appears to be very similar. The second difference appears in the l transfer trees: T2/TR3 (IPE) and T2-1c (NUREGICR-4550) and T2/TR4 (IPE) and T2-

id (NUREG/CR-4550). In the IPE transfer trees after failure of the single pump CRD event, the development of the sequence logic continues with questions about f

< A-2 4

Table A-1 Differences identified in the general assumptions used in event tree construction

]

IPE NUREG/CR-4550 LPCS and RHR pumps fail at 300 *F LPCS and RHR pumps fail at 280 *F Small LOCA requires suppression pool No requirement stated

makeup (SPMU)

ATWS requires SPMU No requirement stated Automatic or manual emergency No statement made*

depressurization results in the loss of RCIC No credit taken for SDC given one or No statement made more stuck-open SRVs 3

Credit is given for firewater only in long- No statement made tenn sequences SPMU is not required for transient event No statement made j trees Recirculation pump trip is assumed No statement made required to prevent vessel l overpressurization and potential failure during an ATWS due to the control rod insertion delay associated with attemate rod insertion No statement made if core damage occurs in an intact containment, it is assumed that the containment goes to a vulnerable condition.

  • This means that no specific statement was made in the section describing the general
assumptions used to construct the event trees. It does not necessarly mean that the assumption was not made during the construction of any specific event tree.

A-3

~

-I

~

Table A-2 '

Differences in Even: Tree Top Events Top IPE NUREGICR-4550 Event Event Tree ,

i' T1 DGX This statement is not included in the " or if the HPCS system operated but power to description of the event. Division 1 or 2 was not recovered after an appropriate time interval."

V2 LPCS not available for injection when HPCS This statement is not included in the description diesel generator cross-tied to Division 1 bus of the event.

since its 2000-kVA motor exceeds the capacity of the HPCS diesel generator.

> U3 " or the maximum flow lineup cannot be This statement is not included in the description

.b. obtained." of the event.

Y called vent valves Called vent dampers V3'-C

... only the C loop of the RHR LPCI mode can " at least one train of LPCI either automatically (in the provide long term core cooling." actuated ... or ... was manually actuated..."

IPE)

V3' (in 4550)

T2 U3 " or the maximum flow lineup cannot be This statement is not included in the description obtained." of the event.

Y Called vent valves Called vent dampers

Table A-2 (Continued)

Differences in Event Tree Top Events Top IPE NUREGICR-4550 Event Event Tree V3'-C

... only the C loop of the RHR LPCI mode can " at least one train of LPCI either automatically (in the provide long term core cooling." actuated ... or ... was manually actuated...*

IPE)

V3' (in '

4550)

T3A COND Not included in the IPE list of top events " Availability or unavailability of the Condensate (in system. Success implies that x% of the Q

?

  • 4550) failures did not fail condensate. Failure implies that 1-x% of the Q failures did fail condensate."

U3 " or the maximum flow lineup cannot be This statement is not included in the description obtained." of the event.

i COND' Not included in the iPE list of top events Same as COND except asked in the long term.

V3'-C

... only the C loop of the RHR LPCI mode can " at least one train of LPCI either automatically (in the provide long term core cooling." actuated ... or ... was manually actuated..."

IPE)

V3' (in 4550)

T3B Q1 " Success implies that the MSIVs are open ..." These phrases are not in the description of the

" Failure implies that either the MSIVs are event.

closed...."

l l

l Table A-2 (Continued)

Differences in Event Tree Top Events Top IPE NUREGICR-4550 Event Event Tree COlv0 Not included in the IPE list of top events " Availability or unavailability of the Condensate (in system. Success implies that x% of the Q 4550) failures did not fail condensate. Failure implies that 1-x% of the Q failures did fail concensate."

U3 " or the maximum flowlineup cannot be

... This statement is not included in the description -

obtained." of the event.

Y Called vent valves Called vent dampers

$ T3C Y Called vent valves Called vent dampers X2 Event not included in event tree. ... operator failed to manually depressurize . .."

V3'-C "

... only the C loop of the RHR LPCI mode can " at least one train of LPCI either automatically (in the provide long term core cooling." actuated ... or ... was manually actuated..."

IPE)

., V3' (in 4550)

A Y Called vent valves Called vent dampers S1 Y Called vent valves Called vent dampers S2 Y Called vent vaives Called vent dampers X2 Event not included in event tree. ... operator failed to manua!!y depressurize ...."

Table A-2 (Continued)

Differences in Event Tree Top Events Top IPE NUREG/CR 4550 Event Event Tree V3'-C "

... only the C loop of the RHR LPCI mode can "...at least one train of LPCI either automatically (in the provide long term core cooling." actuated ... or ... was manually actuated..."

IPE)

V3' (in 4550)

S3 L Event not included in the event tree. Event " Success or failure of the leak ... to be detected tree logic is same as T3A. No LOCA transfer. and isolated.' if fail, then transfer to S2 LOCA.

{ if success, then transfer to T3A V See pp. 3.1-34 through 3.1-36 of submittal for No top event descriptions given. No event tree description of top events. logic presented.

TIA V1 This event does not appear in the event tree. " Success or failure of the condensate sytem."

U3 This event does not appear in the event tree. " Success or failure of the CRD system" Y This event does not appear in the event tree " Success or failure of the Containment Venting system."

U4 This event does not appear in the event tree " Success or failure of the CRD system." One pump required for success.

V1' This event does not appear in the event tree " Success or failur of the Condensate system in the long term ...."

l Table A-2 (Continued)

' Differences in Event Tree Top Events i

Top IPE NUREG/CR-4550 Event Event  ;

Tree ,

V3'-C

... only the C loop of the RHR LPCI mode can

...at least one train of LPCI either automatically (in the provide long term core cooling." actuated ... or ... was manually actuated..."  ;

IPE) .

I V3' (in 4550)

T1 DGX This statement is not included ~in the event " Cross-tieing is prescribed here regardless of (Blackout description. HPCS availability."

y Event

& Tree)

I X1 This top event is not included in the event tree. Depressurize either by ADS or by manual operator action.

X2 Manual depressurization of the reactor. This top event is not included in the event tree.

ATWS Q This top event is not included in the event tree. " Success or failure of the PCS. In this event (Event tree a certain parcantage of the transient Tree) initiating events occur with and without the PCS i available. Success includes that number where the PCS is still available."

i CE Does not contain the alternate rod insertion includes the ARI system.

(ARI) system. The ARI is a separate top event.

Table A-2 (Continued)

Differences in Event Tree Top Events Top IPE NUREG/CR-4550 Event Event Tree RPT " Success implies ... a power equilibrium of " Success implies ... a power equilibration of 45%." ~30%."

"However, RPT failure is assumed to result in a "If RPT fails ... the power and pressure surge power / pressure surge that results in core does not result in a rupture of the primary ,

damage." system, but is assumed to result in a possible small LOCA."

M " Success or failure of the SRVs to open." This event is not included in the event tree.

'b Q (2nd " Success or failure of the PCS to operate" " Success or failure of PCS later in the 8 amin accident."

Nt?IEGI CR-4550, 1st time In IPE)

LEVEL " Success or failure of the operator to control This event is not included in the event tree.

feedwater flow in an ATWS ... in order to reduce core power."

INHIBIT " Success or failure of the operator to inhibit This event is not included in the event tree.

ADS and prevent HPCS injection." However, the event NX is included and it represents success or failure of the reactor to remain at high pressure--operator inhibits ADS and inhibit works.

s Table A-2 (Continued)

Differences in Event Tree Top Events  !

Top IPE NUREG/CR-4550 Event Event Tree i SLC " Success or failure of SLC to inject sodium The event tree contains the following top pentaborate into the reactror." events: C', C", C3, ardi C4. C' is success or failure of the operator to actuate the SLC  :

system early in the accident-within 10 ,

minutes. C"is success or failure of the operator . j to actuate the SLC system later in the accident.

C3 is success or failure of SLC to inject 86 gpm -!

of sodium pentaborate into the reactor. C4 is

> success or failure of SLC to inject 43 gpm of ,

y sodium pentaborate into the reactor.

TERMIN " Success or failure of the operator to terminate This event is not in the event tree.

ATE feedwater flow ... once the suppression pool temperature exceeds 110 'F."

CONTR " Success or failure of the operator to reinitiate This event is not in the event tree.

OL feedwater flow ... once all SRVs close and before the vessel level decreases below -

150.3" resulting in MSIV closure."

ECCS " Success or failure of the operator to prevent ... This event is not in the tree.

ECCS injection while attempts are being made to depressurize the reactor vessel and subsequently controls the ECCS injection to maintain vessel level within required limits."

. - . . . . . - . - - - . - - _ - . - - . . .~- -. . - - .- . . - . - . .

i i

Table A-2 (Continued)

Differences in Event Tree Top Events Top IPE NUREG/CR-4550 Event Event Tree X1 This event does not appear in the tree; " Success or failure of the operator to manually however, the event X2 does appear and its depressurize the reactor."

definition is the same.

V3S " Success or failure of LPCI injection through This event is not in the tree.

shutdown cooling lines" V4 " Success or failure of the SSW-B Cross-tie to This event is not in the tree.

LPCI-B."

W1 " Success or failure of the SPC mode of the This eveniis not in tre tree.

RHR system."

W3 " Success or failure of the CS mode of the RHR This event is not in the tree.

system."

Y " Success or failure of the Containment Venting This event is not in the tree.

system."

P2 6 Y Called vent valves Called vent dampers (2 stuck open SRV Event Tree)

l depressurization of the vessel, injection by CDS, LPCS, LPCI-C, SSW cross-tie, or i firewster. Only when all have failed does core damage occur. In the NUREG/CR-4550 l trees, core damage is assumed after failure of the single pump CRD event--no other questions are asked. It appears that asking additional system questions after the failure of the single-pump CRD event would tend to decrease the core damage frequency; however, the absolute importance of this change would depend on a l number of factors (e.g., initiating event fiequency and recovery actions considered).

! T3A Event Tree

' l The first difference appears in the transfer that takes place after the failure of the event representing the opening and closing of the SRV-P1. In the IPE, the transfer is to the i T3C tree while in the NUREG/CR-4550 tree, the transfer is to the S2 tree. However, j the logic developed appears to be very similar. The second difference is that the l NUREGICR-4550 tree contains a question about the availability of the condensate system while the IPE tree does not; otherwise the tree structure before transferring to i the T3A transfer trees is the same. The third and fourth differences appear in transfer trees T3A/TR2 (IPE) and T3a-1b (NUREG/CR-4550). The third difference is that the

, NUREG/CR-4550 tree contains a question about the availability of the condensate j system while the IPE tree does not. The fourth difference is that in the IPE transfer i

trees after failure of the single-pump CRD event, the development of the sequence

, logic continues with questions about depressurization of the vessel, injection by CDS, I LPCS, LPCI-C, SSW cross-tie, or firewater. Only when all have failed does core damage occur. In the NUREG/CR-4550 trees, core damage is assumed after failure of the single-pump CRD event--no other questions are asked. It appears that asking l additional system questions after the failure of the single-pump CRD event would tend to decrease the core damage frequency. The lack of a question about the availability

. of the condensate system might tend to increase the core damage frequency.

! However, the absolute importance of these changes would depend on a number of factors (e.g., initiating event frequency and recovery actions considered).

T3B Event Tree The first difference appears in the transfer that takes place after the failure of the event representing the opening and closing of the SRV-P1. In the IPE, the transfer is to the i T3C tree while in the NUREG/CR-4550 tree the transfer is to the S2 tree. However, the logic developed appears to be very similar. The second difference is that the NUREG/CR-4550 tree contains a question about the availability of the condensate system while the IPE tree does not. The lack of a question about the availability of the

. condensate system might tend to increase the core damage frequency. However, the absolute importance of this change would depend on a number of factors (e.g.,

initiating event frequency and recovery actions considered).

A-12

T3C Evert Tree The first difference is that the iPE tree transfers to the T1 tree after a random loss of offsite power while the NUREG/CR 4550 tree does not develop the sequence further.

The second difference is in the outcome of sequences where PCS and HPCS have failed and RCIC has succeeded In the IPE, the outcomes transfer to four different transferirees while in the NUREG/CR-4500 tree, the first two sequences are classified as core and containment OK with the last two sequences transfering to different transfertees. The major differences between the IPE and NUREG/CR-4550 transfer trees arehat the NUREG/CR-4550 trees contain a question about the success or failure of manual reactor depressurization which is not asked in the IPE tree and the iPE treeasks about the success or failure of train C of LPCI while the NUREG/CR-4550 tree asks success or failure of all three trains of LPCI. While these changes are not expeded to significantly change the core damage frequency, their absolute importana would depend on a number of factors (e.g., initiating event frequency and recoveryactions considered).

A Event _ Tree No logicstructure differences noted.

S1 EvertTree No logic structure differences noted.

S2 EventTree The first eierence is that in the IPE tree a question is asked about the success or fanure afme suppression pool makeup system. This question is not asked in the NUREGCR tree. The second difference is in the outcome of sequences where PCS and HPCS have failed and RCIC has succeeded. In the IPE, the outcomes transfer to four diffesent transfer trees while in the NUREG/CR-4500 tree, the first two sequences are classEed as core and containment OK, with the last two sequences transferring to differenttansfer trees. The major differences between the IPE and NUREG/CR-4550 transfertems are that the NUREG/CR-4550 trees contain a question about the success or failure ef manual reactor depressurization while the IPE question is manual / auto reactordepressurization; the IPE tree contains a question about suppression pool makeup and this question is not in the NUREG/CR-4550 tree; and the IPE tree questionabout success or failure of LPCI only considers train C while all three trains are cs-Aed in the NUREG/CR-4550 tree. While these changes are not expected to have a significant impact on the core damage frequency, both the suppression pool makeup question and the !.PCI train C question would tend to increase core damage frequency.

A-13

S3 Event Tree The IPE event tree for the S3 initiating event is the same tree used for the T3A initiating

<- event. The NUREG/CR-4550 tree contains a question about the detection and S

isolation of the sealleak which is not contained in the IPE event tree. If the leak is detected and isolated, then the sequence transfers to the T3A tree; thus the differences between the T3A event trees are applicable here. If the leak was not detected or isolated, the NUREG/CR-4550 tree transferred to the S2 tree; no such transfer exists for the IPE tree. The lack of a transfer tree in the IPE tree means that fewer sequences are generated, all else being equal. However, the impact on core damage frequency would depend on several factors, all of which are difficult to judge without detailed examination of the sequence logic and the values used for the basic event comprising the sequence cut sets, both of which are beyond the scope of this review.

V Event Tree No event tree logic presented in NUREG/CR-4550.

TIA Event Tree The first difference is that the IPE event tree does not contain questions about the

, success or failure of the condensate system, the control rod dnve system, or the containment venting system, while they are asked in the NUREG/CR-4550 tree. The second difference is that in the IPE tree after RCIC failure and failure to manually or automatically depressurize the reactor vessel, core damage with a vulnerable containment is assumed. In the NUREG/CR 4550 tree, additional questions pertaining to removal of decay heat via different operating modes of the residual heat removal system are asked. The third difference is in the outcome of sequences where RCIC has succeeded and suppression pool cooling has failed. In the FE, the outcomes transfer to two different transfer trees while in the NUREG/CR-4500 tree, the outcomes transfer to four different transfer trees. The major differences between the IPE and NUREG/CR 4550 transfer trees are that the NUREG/CR-4550 trees contain questions about the success or failure of the CRD system using one pump and the condensate system while these questions are not asked in the IPE transfertrees. In addition, one of the IPE trees asks about the success or failure of manual or automatic reactor depressurization, which is not asked in the NUREG/CR-4550 tree, and the IPE tree asks about the success or failure of train C of LPCI while the NUREG/CR-4550 tree asks about success or failure of all three trains of I.PCI. Taken together, these differences suggest that the core damage frequency from loss of instmment air could be more important in the IPE than in NUREG/CR-4550.

A-14

a .

T1B Event Tree The major difference between the IPE and NUREG/CR-4550 event tree is that in the IPE tree the status of the HPCS system is asked before the HPCS diesel generator cross-tie question. The other difference is that the manual reactor depressurization question in the IPE tree is a manual / automatic depressurization question in the NUREG/CR-4550 tree. The impact of these differences, by themselves, is probably not important; however, the absolute importance of these changes would depend on a number of factors (e.g., sequence timing, system availability, and recovery actions considered).

ATWS Event Tree The first difference is that the IPE tree does not contain an initial question about the power conversion system as does the NUREG/CR-4550 tree. Depending on the outcome of this question, the NUREG/CR-4550 tree transfers to either the T3 trees or the T1 and T2 trees. Since the IPE tree returns to the initiator, this does not appear to be of any significance. The second difference occurs after failure to manually scram the reactor. In the IPE, the logic development of this sequence continues, while in the NUERG/CR-4550 tree, the logic development is terminated. The third difference occurs after failure of the recirculation pump trip. In the IPE, the sequence is assumed to proceed to core damage while the sequence is not developed any further in the NUREG/CR-4550 tree. The final difference occurs after the failure of the mechanical portion of the reactor protection system in combination with the success of the recirculation pump trip. Significant differences exist between the logic development for the two trees and the reader is refered to Figures 3.1.3.10-2 and 3.1.3.10-3 of the submittal and Figure 4.4-13 of NUREGICR-4550 to see the differences. Given the significant number of differences in the ATWS trees, no judgment as to the importance of these changes was made.

P2 Event Tree No differences in tree structure idenhfied.

A-15

, -