ML20098C496

From kanterella
Revision as of 00:32, 1 May 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Technical Evaluation Rept on IPE Front End Analysis, for Plant Units 1 & 2
ML20098C496
Person / Time
Site: Quad Cities Constellation icon.png
Issue date: 07/07/1995
From: Darby J
SCIENCE & ENGINEERING ASSOCIATES, INC.
To:
NRC
Shared Package
ML20094L068 List:
References
CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-553-021, SEA-92-553-021-A:5, SEA-92-553-21, SEA-92-553-21-A:5, NUDOCS 9510100173
Download: ML20098C496 (52)


Text

een n, s.s,a_s 4 _ L 4 -A: 4a-. 6- 's,- 4, m , , -- mA--, --, - w 9 S s

6 I

6 i

F 1

QUAD CITIES UNITS 1 & 2 INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (FRONT-END) l ENCLOSURE 2

_,_'N n[so!15

,\

l

. o i

i SEA 92-553-021-A:5 ,

July 7,1995 l l

i

l l

4 i,

Quad Cities 1 and 2 Technical Evaluation Report on the Individual Plant Examination Front End Analysis NRC-04-91-066, Task 21

)

John L. Darby, Analyst i Willard R. Thomas, Editor Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission

s .

TABLE OF CONTENTS

1. EX E C U TIVE S U M M A R Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 B a c ka ro u n d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 i 1.2 Lice nsee's I P E Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 >

l.3 Front-End Analvsis ..................................... 2 1.4 Plant i morove ments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

11. RESPONSE TO WORK REQUIREMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . 6 l1.1 Licensee's IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 l1.1.1 C o mplete ness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 11.1.2 Meth odology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 11.1.3 M ulti-Unit Effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 11.1.4 As-Built Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 l1.1.5 Licensee Participation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 II.1.6 in-House Peer Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 l1.2 Accident Secuence Delineation and Svstem Analysis ............ 8 II.2.1 Initiating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 l1.2.2 Intemal Flood Methodology . . . . . . . . . . . . . . . . . . . . . . . . . 11 11.2.3 Event Tree s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 II.2.4 Systems Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 l1.2.5 System Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 11.2.6 Common Cause Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 18 II.3 Quantitative P roces s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 l1.3.1 Quantification of Accident Sequence Frequencies . . . . . . . . . 19 11.3.2 Point Estimates and Uncertainty / Sensitivity Analyses . . . . . . 19 11.3.3 Use of Plant Specific Data . . . . . . . . . . . . . . . . . . . . . . . . . 21 l1.3.4 Use of Generic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 11.3.5 Common Cause Quantification . . . . . . . . . . . . . . . . . . . . . . 25 11.3.6 Internal Flooding Quantification . . . . . . . . . . . . . . . . . . . . . . 28 l1.4 Core Damaae Seouence Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 l1.4.1 Dominant Core Damage Sequences . . . . . . . . . . . . . . . . . . 28 11.4.2 Vulne rabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 11.4.3 Proposed improvements and Modifications . . . . . . . . . . . . . . 34 l1.5 Inte rface iss ue s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 l1.5.1 Front-End and Back-End Interfaces . . . . . . . . . . . . . . . . . . . 34 11.5.2 Human Factors interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 35 l ll.6 Evaluation of Decav Heat Removal and Other Safety issues . . . . . . . 36 11.6.1 Examination of DH R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 l1.6.2 Diverse Means of DH R . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 11.6.3 Unique Features of DHR . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 i ll.6.4 Other GSI/USl's Addressed in the Submittal . . . . . . . . . . . . . 38 I i

e O

. Ill. REVIEW

SUMMARY

AND DISCUSSION OF IPE INSIGHTS, IMPROVEMENTS, AND COMMITMENTS . . . . . . . . . . . . . . . . . . . . . . . . 39 REFERENCES................................................ 45 1

i i

I 1

1 i

i 9

li

LIST OF TABLES Table 11-1. Plant Specific Data in the Quad Cities IPE 23 Table ll-2. Generic Data in the Quad Cities IPE for 25 Safety / Relief Valves Table 113. Submittal Common Cause Beta Factors for 26 2-of-2 Components Table 11-4. Top 5 Systemic Core Damage Sequences 31 Table 11-5. Quad Cities Results Compared to Other PRAs/IPEs 33 Ili

LIST OF FIGURES Figure 111. CDF by idtiating Event for Quad Cities 30 a

e IV

1. EXECUTIVE

SUMMARY

This summary is based on the results of a Submittal only review of the Individual Plant Examination (IPE). Requests for Additional Information (RAI) were propo's'ed as a result of this review. Responses from the licensee to these requests were received, reviewed, and incorporated into this report. [lPE Responses] [lPE Responses 2][lPE Responses 3)

1.1 Background

The Quad Cities site contains two units, each a Boiling Water Reactor (BWR) 3 with a Mark I containment. The units are located on the Mississippi River in Rock Island County, Illinois . General Electric was the nuclear steam system supplier (NSSS), and Sargent and Lundy was the architect engineer (AE), for both units. Both Units achieved commercial operation in 1972. The licensed power is 2511 MWt, which provides 789 MWe (net), for each unit. Similar units in operation are: Dresden units 2 and 3, Millstone, Monticello, and Pilgrim 1.

Design features at Quad Cities that tend to lower the Core Damage Frequency (CDF) are as follows: .

Safe Shutdown Makeup Pump (SSMP) as a backup to Reactor Core Isolation Cooling (RCIC) system (installed for Appendix R compliance)

Ability to cross tie power between units in emergency buses 141 and 24-1 Ability to switch Low Pressure Coolant injection / Core Spray (LPCl/CS) from Suppression Pool to Contaminated Condensate Storage Tank (CCST) if Suppression Pool Cooling is lost Ability to use the Standby Coolant System (SBS) to flood the containment if suppression pool cooling is lost.

Design features that tend to increase the CDF are as follows: l Emergency Core Cooling System (ECCS) pumps have little Net Positive I Suction Head (NPSH) margin and cannot operate in recirculation from the suppression pool over the long term if containment cooling is lost or if the containment is vented to low pressure One diesel generator (DG) dedicated to each of two units and one swing diesel generator that can serve either unit, in contrast to 2 dedicated DGs per unit as installed at many dual unit sites.

1

, o 1

1.2 Ucensee's IPE Process The IPE is a level 2 Probabilistic Risk Assessment (PRA). The PRA was initiated in response to Generic Letter 88-20. The freeze data for the IPE model was July,1991. One modification to be installed after the freeze data was considered, that being the installation of a hardened containment vent.

Utility personnel were involved in the IPE effort. Contractor personnel  ;

performed the basic modeling and analysis; utility personnel performed success criteria  !

analysis with the Modular Accident Analysis Program (MAAP) code, and conducted reviews of models, assumptions, and results. Major contractors for the front-end PRA were the members of the Individual Plant Evaluation Partnership (IPEP):

Westinghouse, Fauske and Associates, and TENERA.

Plant walkdowns were performed to verify that the PRA model represented the as-built condition. Walkdowns were performed by members of the IPE team for the evaluation of specific plant systems, or other areas of special interest such as internal j

flooding. The walkdown teams were led by CECO personnel knowledgeable about the plant and its detailed arrangement.

Major documentation used in the IPE included: the Updated Final Safety Analysis Report (UFSAR), Technical Specifications, system descriptions, plant drawings, procedures, and calculations. ,

The Submittal lists the following PRA/IPEs as sources of information:  !

The Reactor Safety Study (WASH 1400) l l NUREG-1150 l Dresden IPE. I A review of each system model was performed by contractor personnel prior to i submittal to CECO. CECO IPE staff performed reviews of the models submitted by the cor, tractors. Products and results were reviewed by the Senior Management Support l

Team (SMST). A final review was conducted by CECO senior management.

The licensee does not define " Vulnerability", but concludes that no vulnerabilities exist due to the low CDF. No discussion of improvements to reduce the )

CDF is provided.  !

In the transmittal letter for the Submittal, the utility states that it intends to maintain a "living" PRA.

l.3 Front-End Analvsis The methodology chosen for the Quad Cities IPE front-end analysis was a Level I PRA; the large event tree technique with support state modeling was used and quantification was performed with IPEP software. The same event trees were used to model both units.

The IPE quantified the following initiating events: large Loss of Coolant Accident (LOCA), medium LOCA, small LOCA, general transients, inadvertent open relief valve, interfacing systems LOCA, and loss of offsite power at both units and at a single unit.

No plant specific initiating events, such as loss of DC power, were considered to be l

2

, . t initiating events in the IPE. Event trees were developed for each of the initiating events identified.

The event trees, denoted as Plant Response Trees (PRT), modeled both the front and back end phases of accident sequences together. In addition to specifying i accident sequences for core damage within the mission time, the event trees also l

specified accident sequences for which core damage would occur without I compensatory actions after the mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Such sequences were denoted as Success with Accident management (SAM) sequences. l l

The criteria for core cooling was based on fuel temperature. Core damage was i averted if fuel temperature was maintained below 4040 F.

Success criteria were developed based on MAAP analyses  ;

The IPE used plant specific data from 1985 through 1991. Generic data were '

used if plant specific data were not available.

The Multiple Greek Letter (MGL) method was used to model common cause failures. The data for common cause failures v.'ere taken from standard sources, but the data were screened by a review committee. The common cause factors for many important components were significantly lower than those typically used in PRAs/IPEs.

The intemal flooding analysis was performed in the following manner. Flooding l zones were identified and found to be generally consistent with the fire zones specified for Appendix R analysis. The use of safe shutdown equipment for the Appendix R fire {

analysis was used for the IPE internal flooding analysis. Walkdowns for the flooding analysis were performed. A flooding zone was Judged to be significant if the zone contained both equipment whose failure would result in a reactor trip and safe shutdown equipment. The Submittal states that the event trees developed for internal initiating events were used to quantify the CDF from internal flooding. Only one flood j zone survived screening, that being the condensate pump room, and floods in this  !

room cause a loss of feedwater transient. Since the frequency for the flood induced loss of feedwater event is much less than the frequency for loss of feedwater due to random failures, the licensee concluded that the impact of internal flooding on overall CDF is insignificant.

Effects of spray and leaks from plant heating system piping were not been included in the IPE analysis; however, the licensee summarized the results of an analysis of such events which found them to be insignificant in terms of CDF.

The total CDF from internal initiating events is 1.2E-6/ year. Internal flooding was determined to be an insignificant contributor to core damage.

Internal initiating events that contribute the most to CDF, and their percent contribution, are as follows:

i Dual Unit LOSP 56%

l Single Unit LOSP 16%

Medium LOCA 14% i i

I 3

7.__.-

l ATWS 6%

General Transient 4% l l

'Large LOCA 2%

Small LOCA 1%

inadvertent Open 0.1 % ,

Relief Valve interfacing 0.1% l Systems LOCA l

The IPE addressed loss of Decay Heat Removal (DHR). The IPE modeled the alternate means for core cooling, and determined that loss of DHR contributes 30% to the overall CDF; about 12% of this 30% is due to operator error. The IPE addresses l the diverse means available to provide for DHR, and discusses the plant specific design aspects that affect loss of DHR. The licensee concluded that there are no  !

vulnerabilities associated with DHR. I No GSI/USIs other than loss of DHR were addressed in the Submittal. '

Operator actions contributing significantly to the overall CDF are: failure to depressurize, failure to initiate RHR cooling (suppression pool and containment i cooling), and operator failure to switch LPCI or CS to the CCST if suppression pool cooling is lost.

Based on our review, the following modeling assumptions have an impact on j reducing the overall CDF: 1 (a) credit for actions to switch ECCS recirculation from the suppression pool to the CCST using LPCI or CS pumps'if suppression pool cooling is lost, before ECCS pumps are lost due to inadequate NPSHA from the

. suppression pool as it heats up (b) credit for actions to flood the containment with the SBCS if suppression pool cooling is lost, before ECCS pumps are lost due to inadequate NPSHA from the suppression pool as it heats up (c) the use of low common cause failure factors (d) the assumption that only one relief valve is required to depressurize to where LPCI or CS can cool the core if high pressure injection is lost.  !

In our opinion, the IPE process incorporated all the steps necessary for a PRA based model, and an appropriate PRA methodology was utilized. However, after 2

reviewing the Submittal and reviewing the licensee responses to RAI, we believe that the IPE has the following shortcomings: i (a) weak consideration of plant specific initiating events (b) use of low common cause failure values very low in comparison to other typical IPE/PRA studies 4

4 1

1 3

,1  !

l ATWS 6%  !

General Transient 4%

i  :

t j 'Large LOCA '

2%  ;

Small LOCA 1%

' inadvertent Open 0.1%

Relief Valve j i Interfacing 0.1 %

i Systems LOCA  !

i i t The IPE addressed loss of Decay Heat Removal (DHR). The IPE modeled the  ;

l altemate means for core cooling, and determined that loss of DHR contributes 30% to j the overall CDF; about 12% of this 30% is due to operator error. The IPE addresses  !

, the diverse means available to provide for DHR, and discusses the plant specific  ;

design aspects that affect loss of DHR. The licensee concluded that there are no ,

vulnerabilities associated with DHR. I No GSI/USIs other than loss of DHR were addressed in the Submittal. l Operator actions contributing significantly to the overall CDF are: failure to  !

depressurize, failure to initiate RHR cooling (suppression pool and containment )

cooling), and operator failure to switch LPCI or CS to the CCST if suppression pool l cooling is lost. 1 Based on our review, the following modeling assumptions have an impact on reducing the overall CDF:

(a) credit for actions to switch ECCS recirculation from the suppression pool to the CCST using LPCI or CS pumps'if suppression pool cooling is lost, before ECCS pumps are lost due to inadequate NPSHA from the

. suppression pool as it heats up (b) credit for actions to flood the containment with the SBCS if suppression pool cooling is lost, before ECCS pumps are lost due to inadequate NPSHA from the suppression pool as it heats up (c) the use of low common cause failure factors (d) the assumption that only one relief valve is required to depressurize to where LPCI or CS can cool the core if high pressure injection is lost.

In our opinion, the IPE process incorporated all the steps necessary for a PRA based model, and an appropriate PRA methodology was utilized. However, after reviewing the Submittal and reviewing the licensee responses to RAI, we believe that the IPE has the following shortcomings: ,

(a) weak consideration of plant specific initiating events (b) use of low common cause failure values very low in comparison to other typical IPE/PRA studies 4

Also, more information is needed to resolve confusion in the following areas, in our opinion:

(c) consideration of containment venting in front-end success criteria (d) credit for 1 relief valve to adequately depressurize to allow core cooling with low pressure systems (e) basis for not requiring HVAC for electrical switchgear or for control room. -

11 should be noted that the CDF calculated in the Quad Cities IPE of 1.2E-6/ year is the 3 lowest CDF reported for any of the 14 BWR IPEs that we have reviewed to date.  !

i 1.4 Plant imorovements No improvements were planned as a result of the IPE. The Submittal states that 81 insights were generated from the IPE. Station blackout is a dominant l contributor to core damage; in response to the DET, the utility stated that l improvements related to station blackout, specifically the installation of station blackout DGs and procedural enhancements, should reduce the CDF by about 40%. l The licensee provided example insights generated from the IPE in each of the following categories: procedures, hardware, training, information, and test and maintenance. i 1

5

]

l II. RESPONSE TO WORK REQUIREMENTS This section of the report addresses the requirements in the Statement of Work.

Strengths of the IPE are noted, and perceived weaknesses of the IPE are discussed and characterized with respect to their overall significance. Unique findings of the IPE are summarized.

11.1 Licengag's IPE Process We reviewed the process used by the licensee in the IPE with respect to the i guidance of Generic Letter 88-20. [GL 88-20)

II.1.1 Completeness I l

The Submittalis complete in terms of the overall requests of NUREG 1335. i l1.1.2 Methodology The PRA upon which the IPE is based was initiated in response to Generic l Letter 88-20. The front-end portion of the IPE is a level l PRA, which is a method that i is addressed in Generic Letter 88 20. The specific technique used for the level 1 PRA was a large event tree support state methodology, and it was described in the j Submittal. Plant Response Trees (PRT) were developed and analyzed; PRTs are event trees that model both the front and back end aspects of plant behavior. I The Submittal provides a brief description of the technique. Internalinitiating events and intemal flooding were considered. Event trees were developed for all classes of initiating events. The development of component level system fault trees was summarized, and system descriptions were provided. Support systems were modeled in support state event trees. Inter-system dependencies were discussed in the system descriptions and tables of system dependencies were provided. Data for quantificatio.n of the models were provided, including common cause data. The application of the technique for modeling internal flooding was described in the Submittal. The techniques used for performing sensitivity analyses were described in the Submittal.

The licensee described how dependencies were accounted for in the IPE. [lPE Responses) The licensee discussed three types of dependencies: (1) intra system dependencies involving support systems, (2) intra-system dependencies between front line systems, and (3) inter-system dependencies. The first type of dependency is accounted for using support state modeling. The second type of dependency is accounted for in the structure of the event trees. The third type of dependency is modeled by using more than one fault tree to reflect success of an event in which the system is only partially successful; this allows the state of failed components to be retained for quantification of later events involving systems using the same components.

6

l

The licensee stated that ' recovery' was considered to be actions taken beyond the EOPs to restore failed systems or equipment, and that such actions were not considered in the IPE. Operator actions as dictated by procedure were included in the i

)

event trees and in the fault trees as an integral response to the accident.

11.1.3 Multi-Unit Effects Quad Cities is a two-unit site, with numerous shared systems and components as described in the UFSAR. The IPE addressed shared systems in the event trees and fault trees and thereby considered the impact of shared systems on the unit witn the accident; however, dual unit core damage frequency was not calculated.

Design characteristics indicate that the potential for dual unit core damage from common failures may be more important at Quad Cities than at newer plants. For example, the site has three diesel generators, one of which is shared between the two units, and either of the two diesel generators for a unit can mitigate a loss of offsite power at that unit. Station blackout at one unit increases the likelihood of station blackout at the second unit, due to the unavailability of the shared diesel generator.

The licensee indicated that the dual unit loss of offsite power initiating event dominates the dual unit CDF. [lPE Responses) The dual unit CDF is 5.3E-7/ yr, or 44% of the individual unit CDF. (Note, that the contribution of dual unit loss of offsite power to the CDF for a single unit is 56%.)

11.1.4 As-Built Status Plant walkdowns were performed to verify that the PRA model represented the as-built condition. [lPE submittal, Section 2.3) Walkdowns were performed by members of the IPE team for the evaluation of specific plant systems, or other areas of special interest such as internal flooding. The walkdown teams were led by CECO personnel knowledgeable about the plant and its detailed arrangement.

Major documentation used in the.lPE included: the UFSAR, Technical Specifications, system descriptions, plant drawings, procedures, and calculations. [lPE submittal, Table 2-1)

The Submittal does not discuss other PRA/IPE studies that were reviewed, but does state that NSAC-151, a report on other plant PRAs, was reviewed for applicability. [lPE submittal, Section 2.3) Table 2-1 of the Submittal lists the following PRA/IPEs as sources of information:

The Reactor Safety Study (WASH 1400)

NUREG-1150 Dresden IPE.

The freeze date for the IPE model was July,1991. [lPE submittal, Section 2.3)

The IPE did include one modification to be installed after the freeze data, that being the hardened containment vent.

11.1.5 Licensee Participation 7

I l

Contractor personnel performed the basic modeling and analysis; utility

. personnel performed success criteria analysis with the MAAP code and conducted reviews of models, assumptions, and results. [lPE submittal, Section 1.2) Major contractors for the front-end PRA were members of the Individual Plant Evaluation Partnership (IPEP): Westinghouse, Fauske and Associates, and TENERA.

The involvement of Quad Cities operations and maintenance personnel in the development of and review of the PRTs and fault trees is summarized below:[lPE Responses]

Activity involvement Data Collection and Analysis Discussions with maintenance and

operations personnel on system l

demands, and coordination with plant  ;

coordinators involved in surveillance tracking databases System Fault Trees Consultation with system engineers

. Plant Response Trees Frequent discussions with operations 1 personnel and simulator instructors l

' 4 Human Reliability Analysis Numerous meetings with operations personnel and simulator instructors, and observations of operator training sessions on the simulator

Reviews Review by two formerly licensed Quad Cities SROs j The utility indicated in the transmittal letter for the Submittal that it intends to maintain a *living PRA".

fl.1.6 In-House Peer Review Several reviews of the level 1 PRA were performed. [lPE submittal, Section 3.2)

A review of each system model was performed by contractor personnel prior to submittal to CECO. CECO IPE staff performed reviews of the models submitted by the caneractors. Products and results were reviewed by the Senior Management Support Team (SMST). A final review was conducted by CECO senior management.

II.2 Accident Seauence Delineation and System Analysis This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies 8

provided in the Submittal.

11. 2 .1 Initiating Events ,

The sizes of LOCAs, for breaks in water and steam lines, are not specified in l the Submittal. No distinction between LOCAs in main steam and feedwater lines inside and outside of containment is provided. The frequency assigned to a small LOCA is 3E-3/yr; this is similar to the frequency assigned to small LOCAs in other PRAs, but does not include a recirc pump seal LOCA which typically has a higher frequency. For example, the Browns Ferry IPE assigned a frequency of 4E-3 to a small LOCA I exclusive of the seal LOCA, and a frequency of 2E-2 to the seal LOCA. [ Browns Ferry j IPE submittal, Table 3.1.1-1) The NUREG 1150 study of Peach Bottom assigned a -

frequency of 3E-3 to a small LOCA exclusive of the seal LOCA and a frequency of 3E-2 to the seal LOCA. [NUREG/CR 4550 Peach Bottom, Table 4.3-3)

Recirculation pump seal LOCAs were not modeled as LOCAs but instead lumped in under the general transient model. [lPE Responses) The licensee states that the low leakage expected from a seal LOCA supports this treatment. In our opinion, the IPE should address recirc pump seal LOCAs as a specific small LOCA ,

initiating event, but this has minor impact for Quad Cities since the core cooling l systems all inject into the vessel; for an isolation condenser BWR plant, such as Dresden, recire pump seal LOCAs are of more concern since cooling with the isolation condenser does not include makeup to the vessel.

There is little discussion in the Submittal on plant specific initiating events. All transients, except for loss of offsite power, are combined into one overall initiating i event, " General Transient", but there is no discussion of the constituent transient initiating events. Without a discussion of the initiating events that comprise the

" General Transient" category, it is not clear if all appropriate plant-specific transient  !

initiating events were considered. Also, it is not clear how the effects of different i transient initiating events on the status of mitigating systems were modeled. Different events have different impact on the status of mitigating systems. For example, closure of MSIVs re.nders the main condenser unavailable for use, while loss of a DC power source renders all equipment powered by that source unavailable. Most PRAs discuss how plant specific failures were analyzed as potentialinitiating events, and most PRAs include plant specific failures as initiating events.

The licensee states that no plant specific initiating events need to be evaluated for the Quad Cities IPE. [lPE Responses 3) Although it is conceivable that Quad Cities has no important plant specific initiating events, the information provided by the licensee is too incomplete to support that conclusion, in our opinion. The ilcensee provides no details beyond brief engineering evaluations of the subject systems. Our experience indicates that a careful evaluation of plant support systems typically identifies some important, unique plant specific initiating events; tools such as Failure Modes and Effect Analysis (FMEA) and master logic diagrams are available to perform a systematic evaluation of plant specific initiating events.

For example, the licensee states that loss of service water is not an important 9

y

, a l

plant specific initiating event because "A review of several hundred reactor years of BWR experience reveals that, to date, a loss of all Service Water has never occurred",

and "The plant response to a loss of Service Water resembles the response to a general transient with the main condenser unavailable". [lPE Responses 3, Pages IE-29 and IE-30] This statement is too brief to support the conclusion that loss of service ,

water is not an important initiating event. Safety significant failures in service water j systems have occurred in BWRs; NUREG /CR-2797 lists some of these failures.

[NUREG/CR 2797) Also, it is not clear that loss of service water, a safety related system, is equivalent to loss of circulating water, a non-safety grade system that cools the main condenser.

Our conclusions are as follows:

  • the licensee has not provided a supportable basis for excluding all plant specific initiating events from quantification for CDF

= every other IPE/PRA that we have reviewed has quantified plant specific initiating events and for some plants some of these initiating events have been important contributors to CDF

  • the brief engineering evaluations provided by the licensee in the additional responses to support excluding plant specific initiating events from consideration, are too subjective and terse to support screening all plant specific initiating events from quantification.

The point estimate frequencies assigned to the initiating events that are listed appear comparable in magnitude to values used in typical IPE/PRAs, except for the following two instances. [lPE submittal, Table 4.1.1-1] The frequency of an interfacing systems LOCA is 1.2E-7/yr. The Submittal states that the interfacing systems LOCA frequency is based on a Quad Cities specific calculation. [lPE submittal, Section 4.1.1)

The licensee provided more details on the modeling of intedacing systems LOCAs.

The licensee provided information from the initiating Events Notebook (retained at the site) related to quantification of intedacing systems LOCAs. [lPE Response) The licensee discusses the systems modeled and the failure models developed. The systems mo. deled for interfacing systems LOCAs were the core spray system and the RHR system. 'The models for these systems assumed that low pressure piping will fall given exposure to full RCS pressure.

The frequency assigned to spurious opening of a relief valve appears to be based on generic data; the value for spurious opening is 7E-2 and also included in the

, overall frequency is the value for sequences in which a relief valve opened but failed to close,4E-2. [lPE submittal Table 4.1.1-1) [lPE Responses) The total frequency, 1E-1/yr, is in the range of used in other IPE and PRA studies; for example, the Browns Ferry IPE used 4E-2/yr, the NUREG 1150 study for Peach Bottom used 0.19, the NUREG 1150 study for Grand Gulf used 0.14/yr, and the Cooper IPE used 0.09.

[ Browns Ferry IPE submittal, Table 3.1.1-1) [NUREG/CR 4550 Peach Bottom, Table 4.3-1) [NUREG/CR 4550 Grand Gulf, Table 4.3-1) [ Cooper IPE submittal, Table 3.1.1-14] During the diagnostic evaluation of Quad Cities in late 1993 by the NRC, problems with the relief valves were noted. [DET) Numerous failures of these valves 10

l' i ,

J.

have occurred at Quad Cities, involving spurious opening, failure to open, and failure to reclose; the root cause of the problems was attributed to the use of

electromagnetic relief valves on steam lines with high vibration. However, the licensee i states that [lPE Responses) However, the licensee provides a summary of plant j historical data supporting the value used, and states that plant specific data were used f

to quantify this event. [lPE Responses) -

II.2.2 Intemal Flood Methodology The internal flooding analysis was performed in the following manner. Flooding ,

zones were identified and found to be generally consistent with the fire zones specified i for Appendix R analysis. The use of safe shutdown equipment for the Appendix R fire analysis was used for the IPE intamal flooding analysis. Walkdowns for the flooding analysis were performed. A flooding zone was judged to be significant if the zone  !

contained both equipment whose failure would result in a reactor trip and safe i shutdown equipment. Section 2.4 of the Submittal states that the event trees  ;

developed for internal initiating events were used to quantify the CDF from internal '

flooding. [lPE submittal, Section 4.4.4] I Section 11.3.6 of this report summarizes our review of the results of the internal  !

flooding analysis as summarized in the Submittal. 1 1

11.2.3 Event Trees '

Each accident initiating event was included in an appropriate class of initiating events, and each class of initiating events was modeled with an event tree. PRTs were used to model both frontline system response for the front end and back-end system response. Support systems were modeled in support state event trees. The PRTs were quantified for the various support states as specified in the support state event trees. The following PRTs were developed: [lPE submittal, Table 4.5-1)

Small LOCA Mediu.m LOCA Large LOCA Interfacing Systems LOCA Transient ATWS Inadvertent Open Relief Valve Loss of Offsite Power i Station Blackout.  !

The mission time used was 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. [lPE submittal, Section 4.1.3.3) )

The documentation of the event trees in the Submittal is very limited. Volume 1 of the Submittal provides event tree success criteria and definitions of acronyms used in the event trees. All of the event trees are provided in Volume 2 of the Submittal, but no discussion of the event tree sequences for the trees is provided it is extremely 4 difficult and time-consuming to follow, much less review, the event trees since no 11

discussion of the event tree sequences is provided. Based on follow-up discussions -

with the NRC, the licensee provided a "high level' explanation of the accident progression for each of the nine general transient initiating event accident sequences listed in Table 4.5.3-1 of the Submittal. [lPE Responses] This additional information is helpful, but does not provide the type of structured description of event tree sequences found in most IPE Submittals.

The submittal states that the success criterion for prevention of core damage is fuel temperature below 4040 F. [lPE submittal, Sections 1.4.2 and 4.1.4.1] The success criteria for prevention of core damage does not consider peak clad

temperature (PCT). PCT is more limiting than fuel temperature except for rapid

! overpower transients. If the clad oxidizes and becomes brittle, it can fall and block l flow of coolant to the fuel rods resulting in core damage. The licensee states that

! PCT was considered in development of the success criteria but was not explicitly quantified since MAAP was used to evaluate success criteria, and MAAP does not calculate PCT. Also, the Submittal does not discuss the collapsed water levels in the core necessary to prevent core damage for LOCAs and transients.

The functional success criteria used in the IPE are provided in Table 4.1.4-1 of the Submittal. During our review of the Submittal, we made note of the following::

(a) The Submittal states that reactor trip is not necessary after a large break LOCA. Quad Cities is a BWR and the ECCS water is not borated. The following BWR PRA/IPE studies assume that trip is required: WASH 1400, NUREG/CR 4550 for Peach Bottom, NUREG/CR 4550 for Grand 1 Gulf, IPE for Browns Ferry, IPE for Fermi, and the IPE for Perry. The  !

licensee stated that the IPE screened out a large LOCA with subsequent  !

failure to trip due to low frequency. The licensee confirms that a reactor trip is required to successfully mitigate a large LOCA.

(b) The Submittal states that only one ADS valve is required to depressurize so that LPCI or CS can be used to cool the core. Other PRA/IPEs assume that more are required; for example, the NUREG/CR 4550 study  ;

for Peach Bottom assumed that 3 are required. The licensee i

, summarized MAAP calculations indicating that opening of 1 valve is'  !

sufficient. The analysis credited the relief with relieving 645,000 lbm/hr at 1117 psig; the relief valve was opened when collapsed level reached the top of the active fuel. The injection flow from core spray and LPCI as a function of vessel pressure was not specified by the licensee. We have the following comments related to this aspect of the analysis. The relief  ;

capability of the valve in this analysis is a factor of about 1.2 greater than the capacity given in the UFSAR and in the IPE for the electromatic relief valves, 558, 000 lbm/hr at 1130 psia. [UFSAR, Section 5.2.2.1] [lPE submittal, Section 4.2.1.7) The Submittal states that the safety valves relieve 645,000 lbm/hr, but the safety valves cannot be used to depressurize. Also, with only one valve open, significant uncovery of the fuel for an extended time is expected unless the core spray or LPCI system injects an appreciable amount of water above 300 psig vessel 12 '

pressure. Most BWR IPEs and PRAs require opening of 2 or 3 valves to depressurize and use low pressure injection. We believe that more information is required to support the assumption that'only 1 valve is required to allow for depressurization and core cooling with low pressure ECCS systems. More information is required in the following areas: the behavior if the correct valve relief capacity is used, the model used for valve relief as a function of pressure, the data used for core spray and i LPCI injection as a function of pressure, the collapsed level as a function of time during the transient, and the heatup of the uncovered portion of the core until the core is recovered. This assumption is  !

especially important as the failure rate for electromatic relief valves to l open on demand at Quad Cities is high, as discussed later in this report.

(c) The IPE models containment venting for the back-end analysis, but the ,

front-end success criteria do not address containment' venting. If the containment is vented with a hot suppression pool, adequate NPSHA for ECCS pumps pulling from the suppression pool can be lost; this was the i assumption in the NUREG/CR 4550 analysis of Peach Bottom. The licensee states core cooling with recirculation using low pressure ECCS pumps is typically lost prior to venting due to inadequate NPSHA, ,

unless the pumps are realigned from the suppression pool to the CCST.

(d) Credit is taken for switching long term cooling with ECCS from the {

suppression pool to the contaminated condensate storage tank (CCST),

if containment cooling is lost which causes lo'ss of adequate NPSHA from the suppression pool. This complicated action should be further described since it can involve: bypass of ECCS instrumentation, throttling  ;

of flow to not overfill containment, and makeup to the CST. The licensee  ;

states that no additional support systems are required to transfer running  !

RHR or core spray trains from the suppression pool to the CCST. The I operator actions required to effect this transfer are provided. The CCST inventory is insufficient to fill the suppression pool torus air space; also,

, the model of this option includes operator action to throttle flow to extend the use of this option past 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

(e) Credit is taken for filling containment with feedwater from the condenser hotwell with feedwater and makeup from the standby coolant system (SBCS) to preserve NPSHA for ECCS recirculation from the suppression  ;

pool if containment cooling is lost. The licensee states that the following systems are required to implement core cooling with the Standby Coolant i System: i TBCCW )

Instrument Air Essential Service Bus Various AC and DC Buses.

The model for core cooling with SBCS considered these systems and associated operator actions. Control of containment overfill was not 13

j I l

! l 3

specifically modeled due to the relatively little amount of injection l required to provide for long term adequate NPSHA; the model implicitly assumed that operator action to control overfill would be taken, i (f) The success criteria for a large LOCA do not address the need to close J the discharge valve in the intact recirculation loop to prevent loss of LPCI injected water out the break. The licensee states that closure of the i discharge valve in the intact recirculation loop is required to successfully mitigate a large LOCA, and will be included in the update of the Quad l Cities PRA. This change is expected to increase the CDF by about i 0.5%. l (g) The success criteria for LOCAs do not address LOCAs outside  ;

containment, for example in. steam and feedwater lines, and the need to isolate the breaks to prevent loss of suppression pool inventory from ECCS recirculation out the break. The licensee states that high energy line breaks outside containment were not analyzed as LOCAs. -In our opinion, the IPE should address LOCAs in steam and feedwater lines outside containment as they are licensing design basis accidents and also require isolation for successful mitigation.

(h) The success criteria for ATWS do not discuss operator action to inhibit  !

ADS to prevent reactivity increase due to the injection of large quantities-of cold water. The licensee states that the model assumed the operators would inhibit ADS. In our opinion, the IPE should model failure of the operator to inhibit ADS in response to an ATWS. .

(i) The success criteria assume that for cases in which the core is cooled I using water sources outside containment, such as SSMP, Control Rod Drive (CRD), or feedwater, containment failure has no impact on the ability to cool the core. [lPE submittal, Section 4.4.5.2) The licensee states that the subject systems are located in the turbine building, not in the reactor building, and as such are relatively unaffected by environmentalimpacts of containment failure.

(i) , The success criteria indicate that SSMP can be used to mitigate a stuck open relief valve, but no credit for use of RCIC is indicated. Also, no credit is taken for RCIC to mitigate a small LOCA. SSMP and RCIC have similar flow capabilities, about 400 gpm to the vessel. Why was RCIC not considered? Most BWRs do not have a SSMP system and take credit for RCIC to mitigate a small LOCA or a stuck open relief valve. [NUREG/CR 4550 Peach Bottom][NUREG/CR 4550 Grand Gulf) [ Browns Ferry IPE)

The licensee states that RCIC alone cannot mitigate a maximum size break in the small LOCA range.

(k) Following a large LOCA, to meet Appendix K requirements, the following injection with ECCS is required: 1 train of LPCI (two pumps) and 1 CS pump, OR 2 CS pumps. [DET) Best estimate analyses by GE indicate that core cooling can be accomplished with: 1 train of LPCI (both pumps), OR 1 CS pumps. [BWROG, NEDC-30936P-A) The success 14

l l criteria in the IPE is 1 LPCI pump , OR 1 CS pump. Also, the UFSAR l Indicates that the long term requirements for LPCI injection consider

! 3000 gpm leakage from the jet pumps bolted and slip joints. [UFSAR, Sections 6.3.2.2.3.1 and 6.3.3.1.2.2] How is 1 LPCI pump adequate to mitigate a large LOCA? The large LOCA success criteria was based on MAAP calculations. The MAAP code did not consider leakage out the jet pump joints. The licensee states that the UFSAR indicates that one LPCI pump is adequate to provide core cooling during a large LOCA; the UFSAR information referred to is Table 6.3-11 of the UFSAR. It is not  ;

clear how the information in this table supports the licensee's contention i that one LPCI pump can provide core cooling since this table is based on i the ECCS failures indicated in Tables 6.3-7 and 6.3-9 of the UFSAR, in which at least one train of core spray and at least 2 LPCI pumps are available, or both core spray trains are available. The submittal and the follow-up licensee information do not provide a supportable basis for the  ;

large LOCA success criteria. However, the success criteria used for a i large LOCA are consistent with those used in other IPEs for similar plants, and one IPE for a similar plant used GE's SAFER /GESTR methodology to support the use of success criteria consistent with those used in the Quad Cities IPE. [TER Hatch)

(i) The success criteria states that containment co'oling can be provided with one Residual Heat Removal (RHR) pump with one RHR heat exchanger cooled by one Residual Heat Removal Service Water (RHRSW) pump.

This agrees with the results presented in Section 6.2 of the UFSAR for case E of long term containment heat removal; however, during the DET lt was noted that in the past Quad Cities has experienced significant degradation in RHR heat exchanger thermal efficiency due to silt buildup.

[DET] This was discovered in response to testing for Gen'eric Letter 89-

13. How did the IPE take into account'the as-found conditions of the RHR heat exchangers in the success criteria? The analysis of

, containment heat removal was performed with MAAP. The fouling factor used for the RHR heat exchanger was based on vendor drawings and did not include fouling due to aquatic organisms. The IPE considered j growth of aquatic organisms in the RHRSW system fault tree as a failure  ;

mechanism for the RHRSW system. (It should be noted that the problem l of silt buildup in the RHR heat exchangers has been addressed by l monitoring and flushing programs now in place at Quad Cities. [DET)) I (m) The success criteria for a medium LOCA indicates that the use of HPCI I

followed by either LPCI or CS (after the pressure is too low to drive the HPCI turbine) can cool the core for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> without containment heat  ;

removal and without any actions to compensate for loss of adequate NPSHA for LPCI and CS as the suppression pool heats up. Adequate NPSHA could be lost as the suppression pool heats up. The licensee states that for the subject sequence, wetwell vent operation was credited 15

, s 1

l 1

at 22.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> which resulted in minimal depressurization. This lowered I

the NPSH margin but did not result in loss of NPSH margin until about 28 hours3.240741e-4 days <br />0.00778 hours <br />4.62963e-5 weeks <br />1.0654e-5 months <br />. Since the loss of NPSH margin occurred after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the -

sequence was identified as a SAM endstate. The modeling of containment venting in the front-end portion of the IPE is not clear. This

, licensee indicates that credit for venting was taken, but the success I criteria given in Table 4.1.4-1 for core cooling do not address containment venting.

The core damage frequency for Quad Cities is lowered significantly by credit for

, actions to respond to loss of containment cooling as discussed under the previous items (d) and (e) for the success criteria. In the Dresden IPE, the Submittal stated 1 that if credit was taken for switching LPCI or CS from the suppression pool to the l CCST, the overall CDF is decreased by a factor of 5. [Dresden IPE submittal, Section 4.6.4) Dresden and Quad Cities are similar plants, thus these assumptions should be of similar impact in the Quad Cities IPE as in the Dresden IPE. '

We estimated the time available to institute switchover of ECCS from the suppression pool to the CCST, or to initiate containment flooding with feedwater, if suppression pool cooling is lost. The results of our calculation indicate that there is a long time available for response to loss of suppression pool cooling before adequate

. NPSHA is lost, conservatively on the order of 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />. Therefore, a long time is available during which these compensatory actions can be.taken.

The event tree for A1WS Indicates that either of two operator actions can be used to initiate use of SLC to shutdown the reactor, these being OSL1 and OSL2. If OSL1 falls then OSL2 can provide successful initiation. OSL1 is early operator action and requires 1 of 2 SLC pumps for success. OSL2 is late operator action and requires 2 of 2 SLC pumps for success. No hardware failures are included in OSL1 and OSL2; these are purely operator action events. [lPE Responses) l The IPE modeled the fire protection system as a source of water for the SSMP. l

[lPE submittal, Table 4.1.3-4] Based on a review of the PRTs, the success criteria, l and the PRT event descriptions, it is concluded the fire protection system was modeled in the front-end analysis only as a source of water for the SSMP. [lPE submittal, Table 4.1.4-1 and Table 4.1.3-4]

11.2.4 Systems Analysis The Submittal states that fault trees were constructed for both frontline and support systems. System descriptions are included in Section 4.2.1 of the Submittal.

Ou~r comments on the system models are as follows.

The IPE did not model cooling to the recirculation pump seals. Without cooling, a transient can evolve into a small LOCA. The licensee stated that the recirc pumps are assumed to be tripped following all initiating events except ATWS, and that the loss of RBCCW flow to cool the recirc pump seals has no impact. In our opinion, the IPE should address recire pump seal LOCAs due to mitigating system failures, but this 16

l i

i

has minor impact for Quad Cities since the core cooling systems all inject into the vessel; for an isolation condenser BWR plant, such as Dresden, recire pump seal LOCAs are of more concern since cooling with the isolation condenser does not include makeup to the vessel.

The Submittal states that the following HVAC systems are not required: RCIC  !

pump room cooler, CS pumps room coolers, HPCI pump room coolers, TBCCW pumps room coolers, and RHR pumps room coolers for pumps 1 A,2A,18,2B,1C,

, and 1D. [lPE submittal, Section 4.4.5.1) The IPE states that room cooling is required l for: reactor feed pumps, RHRSW pumps, RHR pumps 20 and 2D, and the diesel l generators. The main basis for the assessment of the need for HVAC was a utility Nuclear Services Department report. The IPE does not address cooling for electrical components. The DET noted that much of the electrical switchgear is in the open turbine building subject to cooling by ambient air; however, some batteries are located i where cooling is not optimal. Also, during the DET, the issue of control room cooling was addressed because of the need to manually load onto the diesel generator the compressor that provides emergency cooling for the control room. At the time of the DET, which was over two years after the IPE freeze date, the Utility stated that the best calculation addressing loss of control room cooling indicated that overheating of components was a problem 15 minutes after loss of control room cooling. [DET)

The licensee stated that the review of plant systems indicated that HVAC is not required for electrical switchgear or for the control room; ventilation for the DG rooms was modeled as required. [lPE Responses) In our opinion, the licensee has not provided a supportable basis for excluding requirements for HVAC for electrical components and for the control room; other IPEs have found such HVAC systems to be important, and those IPEs that have excluded consideration of such systems have provided summaries of calculations supporting their exclusion.

During the DET it was noted that the high turbine backpressure trip setpoint for RClO was set at 25 psig, and had not been yet been raised to the 50 psig range as recommended be the GE SIL 371 of 1982. [DET) The purpose of the SIL was to enhance RCIC availability during sequences in which the containment pressurizes, such as sm{til break LOCAs. As noted previously, the IPE does not take credit for RCIC in the success criteria for small LOCAs or for an inadvertent open relief valve.

The IPE does take credit for RCIC to mitigate a transient, if suppression pool cooling is available. The licensee stated that for sequences without containment heat removal with only RCIC available, core damage will result from trip of RCiC at high backpressure. [lPE Responses)

The licensee stated that the battery lifetime is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. [lPE Responses)

The system description for electrical power indicates that if all electrical power to a unit is lost, both offsite power and emergency power from the diesel generators, then power from the opposite unit can be used. [lPE submittal, Section 4.2.1.3)

Specifically, it is stated that if emergency bus 14-1 (24-1) at unit 1 (2) is not being powered from the normal or DG sources, a cross-tie from bus 24-1 (14-1) from unit 2 (1) can be used as an alternate source. The support tree for loss of offsite power at a single unit, taken to be unit 1, indicates that if DG1 and DG1/2, the swing diesel 17 1

l generator, are lost, bus 14-1 can still be available. [lPE submittal, Volume 2 LS1 l

support tree page 1 and IPE submittal, Section 4.1.2.5] The licensee provided more details on how the unit crosstie between buses 14-1 and 24-1 is accomplished.,[lPE Responses] Also, the licensee provided information as to how one DG that is not the swing DG can be used to provide power to both units.

II.2.5 System Dependencies The Submittal provided tables that clearly indicate the dependencies of frontline systems on support systems and support systems on support systems. [lPE submittal, Tables 4.2.2-5 through 4.2.2-9]

Important asymmetries in train level system dependencies were indicated. The following types of dependencies were considered: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, area HVAC, operator actions, and environmental and phenomenological effects. The systems shared by the two units are also addressed in the dependency tables.

We identified no major items associated with the consideration of system dependencies other than those already discussed in Sections 11.2.4 and 11.1.2 of this report.

II.2.6 Common Cause Analysis The Multiple Greek Letter (MGL) method was used to model common cause failures. Generic data for common cause were used, but the Submittal indicates that an expert panel reviewed the applicability of the generic data to Quad Cities. [lPE submittal, Section 4.4.3) The Submittal identifies the components for which common cause failure was considered. Based on the Submittal, it appears that common cause failure was considered for like components within a system, but not for like components in different systems. This is the typical practice in PRAs; however, we believe that the IPE should have addressed common cause failure for the HPCI and RCIC turbin,e driven pumps, since it could have an impact on the unavailability of these two high pressure injection systems. The licensee position on common cause failure between HPCI and RCIC is discussed in Section 11.3.5 of this report. I 11.3 Quantitative Process 4

This section of the report summarizes our review of the process by which the l lPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed. ,

1 18

t II.3.1 Quantification of Accident Sequence Frequencies The specific technique used for the level l PRA was a large event tree support state methodology. Support state event trees were developed and solved to provide support state impacts and frequencies for quantification of PRTs. The PRTs were the frontline event trees used to quantify accident sequences. The PRTs consider both the front-end response of the plant for mitigation of core damage, and the back-end response of the plant for source term quantification. No plant damage states were developed to coalesce front-end sequences into bins for back-end analysis, since the PRTs modeled both front-end and back-end aspects of the analysis.

As discussed in Section 11.1.2 of this report, the manner in which event dependencies in the event trees were handled was resolved.

Fault trees were developed to quantify failures of events on the event trees.

The Submittal states that a truncation value of 1E-15 was used in quantification of the PRTs. [lPE submittal, Section 4.5) 11.3.2 Point Estimates and Uncertainty / Sensitivity Analyses Mean values were used for point estimate failure frequencies and probabilities, but we could find no definitive statement in the Submittal that the point estimates are means. No detailed uncertainty analyses were performed, but limited sensitivity analyses were performed. [lPE submittal, Section 4.5.4) The sensitivity analyses consisted of varying the point estimate failure values for the following events and calculating the overall CDF:

OAD1: operator action to depressurize the vessel OHX: operator action to align cooling to RHR OCST: operator action to align low pressure pumps to the CCST ROP-1: recovery of offsite power for sequences in which some ' source of AC power was available These events were chosen for sensitivity analysis, since they can have an important impact on tite CDF. The results indicate that the CDF is not highly sensitive to reasonable changes in the values for the operator action failure probabilities. An increase in the probability for any one of the three operator actions by a factor of 10, results in an increase in CDF of less than a factor of two, and the CDF is most affected by an increase in OAD1. Changes in ROP-1 had little effect indicating that the recovery of offsite power has little effect in sequences for which any source of onsite AC power is available.

Recovery of offsite power was considered in station blackout sequences; however, we could find no discussion of the times available for recovery of offsite power before core damage occurs, nor could we find a discussion of the data used to model recovery of offsite power. Recovery of offsite power is an important factor in that Station Blackout dominates the CDF. Based on the listing of events for the loss of offsite power support trees, it appears that the assumption used is that loss of offsite power must be recovered within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. [lPE submittal, Section 4.1.2.5) Table 19 l

4.5.2-1 of the Submittalindicates that the probability of failure to recover offsite power - ,
is 0.05. Assuming that this value correspond to a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> time, the value is  !

comparable to the value used in other PRAs.

The licensee provided a table of data used in the IPE for modeling recovery of

, offsite power. [lPE Responses] This data, and comparison values from a typical PRA, are as follows: ,

i l

i I

i i

20

i

)

Duration (hrs) Probability of Not Probability of Not Recovering Offsite Power Recovering Offsite Power j IPE Value [NUREG/CR 6144]

O 1.0 1.0 1

0.5 0.61 0.61 1 0.37 0.45 2 0.14 0.28 i 3 0.096 0.18 4 0.067 0.13 5 0.058 0.10 {

6 0.051 0.08 7 0.044 0.06 8 0.038 0.05 9 0.036 0.04 10 0.033 0.03 11 0.031 -----

12 0.028 -----

l 13 0.026 ----

l 14 0.024 - - - - -  ;

15 0.023 0.02 l 16 0.021 0.02 The model for recovery of offsite power is comparable to models used in other PRAs. l 11.3.3 Use of Plant Specific Data 4

The Submittal states that plant specific data was used based on the time period January 1,1985 through December 31,1991. [lPE submittal, Section 4.4.1] Plant specific data from both units were combined into one data base. Plant specific data were used to model maintenance unavailabilities of major components. Gendric data were used in cases where plant specific data were not available.

We performed a spot check of the plant specific data used in the IPE and 21

4M .de. 4 4 e . . - _ sue-, vde W 4 ret-_ea--A M-4.ka.,.4 e-4 .. -+A*em 4 4-e Em4 54 4 -1142-*J2h4a-. deM44aA hemm um 4.4e44mJ A4-e a .A smM4 -emMed --obha.J.e<4-aw wem.,s.aem_E.ziz.A-a my-s.m. ba4 e

I J

ed in other PRA/IPEs. The results of this comparison are

. Ind ca d in abe l-4 7

j l l

l

\ \

l l

l.

O g

h I

I l

1 22

,- ----- , c e ,. -- , ,, -. -,-,.a ,

I Table ll-1. Plant Specific Data in the Quad Cities IPE

)

4 Component and' Quad Cities NUREG/CR 4550 i Failure Mode Value "* Value m.m i Submittal Table 4.4.1-3 Peach Bottom l Table 4.9-1  !

Diesel Generator 1.6E-2/D OG1 3.0E-3/D Fall to Start 1.4E-2/D DG2 9.9E-3/D DG %

Diesel Generator 4.3E-3/H DG1 2.0E-3/H Fall to Run 1.8E-3/H DG2  ;

3.2E-3/H DG1/2 HPCI Turbine 1.4E-2/D 3E-2/D Fall to Start i HPCI Turbine 2.2E-4/H W SE-3/H Fail to Run LPCIPump 4.0E-4/D 3E-3/D Fall to Start LPCIPump 7.2E-4/H 3E-5/H i Fall to Run Core Spray Pump 3.4E-3/D 3E-3/D Fall to Start Core Spray Pump 1.8E-3/H 3E-5/H Fall to Run

~

MOV 1.4E-3/D 3E-3/D Fall to Change State (Open/Close)

AOV 2.0E-3/D 1 E-3/D Fall to Change State (Open/Close)

RCIC Pump 1.7E-2/D 3E-2/D Fall to Start RCICPump 2.2E-4/H W SE-3/H Fall to Run 23

4 (1) D is per demand; these values are probabilities.

(2) H is per hour; these values are frequencies.

(3) Generic Data from lEEE- Std. 500.

The results of Table 11-1 indicate that the plant specific data used in the Quad Cities data base are comparable with data used in other PRA/IPE studies. However, the failure probability for MOVs is lower than the value typically used in PRAs by about a factor of 2. The DET identified vibration / cavitation concerns in MOVs, especially for MOVs in the RHR system. [DET)

As a result of questions raised about recent component reliability by the DET,  ;

the licensee requantified the IPE model "to quantitatively estimate the impact of recent '

equipment performance and degradation on the CDF". [Pleniewicz) This evaluation

]

factored in a top level estimate of the 1992 and 1993 performance for the emergency i diesel generators, HPCI, RCIC, RHR, and RHRSW. This change in data increased the CDF to 1.9E-5/ year, an factor of 16 increase. [Pleniewicz) The licensee stated that aggressive actions to address long standing equipment issues are underway. The I licensee stated that the plant historical data support the MOV failure rate used in the IPE. [Pleniewicz)

The licensee provided more information about the plant specific data used for i the failure rates of the MOVs in general, and for the RHR MOVs in particular. The l licensee provided a summary of the plant specific failure data for MOVs in general; the l failure probability was stated to be 1.45E-3. [lPE Responses) The licensee also i provided a summary of the plant specific data for RHR MOVs in particular; the failure probability was stated to be 1.89E-3, only slightly higher than the value for all MOVs used in the IPE quantification.

11.3.4 Use of Generic Data Sources of generic data were: NUREG/CR-4550, IEEE Std. 500-1984, and NUREG/CR-2728.

Table 11-2 summarizes the generic data used in the IPE for safety / relief valves.

24

! Table ll-2. Generic Data in the Quad Cities IPE for Safety / Relief Valves W I

l Component and Quad Cities Browns Ferry i Failure Mode Value N IPE Value

! Submittal Table 4.4.1-6 Table 3.3.1-1 ,

! Safety Valve Prematurely 3E-6/H 6E-6/H for non PORV l l Opens Relief Valve l Relief Valve Falls to Open 3E-4/D 3E-4/D for safety valve i 2E-5/D for non-PORV I

relief valve 4E-3/D for Power Operated Relief valve i

l (4) Generic Data From NUREG/CR 4550.

(5) H is per hour; these values are frequencies.  :

l (6) D is per demand; these values are probabilities.

As discussed in Section 11.2.1 of this report, Quad Cities has a history of failures of safety / relief valves. The licensee provided information supporting the use of generic data for failure of the relief valves. The licensee stated that the use of generic data for the relief valves is not supported by plant specific data. [lPE Response) The licensee stated the plant specific data indicates that the probability that an electromagnetic )

~

relief valve fails to open on demand is 3.6E-2 instead of 3E-4 as quantified in the IPE using generic data. The licensee discussed the impact of this increase on the CDF and demonstrates that it is has a small effect. It should be noted that the requantification uses the success criteria of only 1 relief valve required for adequate

]

depressurization to allow use of low pressure ECCS if high pressure injection is a unavailable. The assumption that only 1 relief valve is required for successful depressurization was previously discussed in this report.

11.3.5 Common Cause Quantification We compared selected beta factors used in the IPE to those used in the other y PRA/IPE studies; Table ll-3 of this report summarizes the comparison.

1 25 l

- . - . = - . - . - - - . . . . . - . - . . . . - . . - . - . . . . . . - . - . - - . . . . . - . - - - - - - _

, t l'

Table ll-3. IPE Common Cause Factors for 2-of-2 Components t

Component Quad Cities Value Value from Source as Submittal Table 4.4.3-1 Indicated in Footnote Diesel Generator 0.002 0.04 (83 A) 0.03 (*) fail to run

{0.006 for fall to start}

MOV 0.01 0.05 ")

0.09 (2).9) 0.05 (*)

RHR Pump 0.009 0.1 ")-(')

0.2 cs) 0.1 (*) fall to start

{0.02 for fall to run}

Electromagnetic Relief -- ------ -

Valve Safety Relief Valve -----------

Safety /Rellef Valve 0.2 0.1 "3 0.2 (8) 0.3 (') fail to open on pressure

{0.1 fall to open on signal}

High Head-Pump 0.009 0.2 "I'(8)

Core Spray Pump 0.009 0.2 03 0.2 fall to start

{0.02 for fall to run}

Service Water Pump 0.009 0.03 "I D)

Circuit Breaker 0.04 0.2 (') for 480 V and higher 0.07 (d) for less than 480 V 26

j .

l I

L HPCl/RCIC Turbine Not Provided 0.02 fail to start W ,

! Pump {0.009 for i fall to run}  ;

i

(1) NUREG/CR 4550 Peach Bottom, Table 4.9-1.  !

! (2) NUREG/CR 4550 Grand Gulf, Table 4.9-29  ;

! (3) NRC lPE Review Guidance, Rev 1, November 1993 j (4) PLG Generic Data Base Browns Ferry IPE Submittal Table 3.3.4-10.

l l

The common cause factors appear low compared to other typical IPE/PRA studies.

l We had the same comment on the Drecoan IPE. The DET identified common cause failure of RHR MOVs due to high vibratbn n a concem. [DET) The beta factor for common cause failure of MOVs used in the Quad Chies IPE is a factor of 5 to 9 lower than the typical generic beta factor. The beta factor for common cause failure of DGs is more than a factor of 10 lower than the factor typically used. The Submittal does not provide a complete basis for the use of low beta factors.

The common cause failure value used for relief valves is typical of that used in l

other PRAs; however, as noted in the DET, Quad Cities has a history of failures of the electromagnetic relief valves. [DET] Based on the failure history of these components, we are note that the common cause failure factor could be significantly higher than l average. The bconsee stated that the common cause database was screened to

, make it specific to Quad Cities, using expert opinion. [lPE Responses)

The licensee addressed the low common cause failure value used for MOVs and for relief valves. The licensee stated that the values used were based on screening of the common cause database. [lPE Responses) The licensee further stated that a sensitivity study was performed in which all common cause failure.s were increased by a factor of 10, and this increased the total CDF by a factor of 3.4.

The licensee discussed how common cause failures between the HPCI and RCIC turbine were considered. The licensee stated that this common cause failure was not modeled in the IPE. [lPE Response) The licensee further stated that since the JPE cutoff data, separate turbine event failures have occurred at Comed stations, and this potentief common cause event will be evaluated in future updates of the PRA for Quad Cities. Many IPEs and PRAs consider common cause failure of HPCI and RCfC siince they aselho primary high pressure injection systems. In our opinion, the IPE should include common cause failure between HPCI and RCIC.

In our opinion, the Quad Cities IPE significantly underestimates the likelihood of common cause failures of important components. If common cause were treated as it is in most IPEs and PRAs, we believe that the CDF could increase by a factor of about 5 to 10.

27

11.3.6 Internal Flooding Quantification The treatment of intemal flooding is described in the Submittal. [lPE submittal, Section 4.4.4) The Submittalindicates that failures due to submergence and spray were considered, and that flood propagation was considered. No description of the flood zones, sources of flood water in the flood zones, and equipment in the flood zones is provided in the Submittal. The Submittal states that all flood zones were eliminated from consideration except for the unit 1 and 2 turbine building condensate pump rooms. The frequency for floods in these rooms was estimated at 1.3E-2/ year, and the Submittal states that the impact of the flood is equivalent to the impact of the higher frequency loss of feedwater intemal initiating event. Thus, intamal flooding was  !

determined to be a not important to CDF. Three flooding sources of concern were l 4

identified: SW, RHRSW, and fire protection. Floods from these snurces were l l evaluated considering the potential for plant trip, and equipment failure due to floods in l l all the flood zones in the plant. Both dimet equipment failure and failure due to flood  ;

propagation were considered. Based on this evaluation, only one flood zone in each j i unit was retained for further consideration, that being the condensate pump room. The  ;

! effect of a flood in the condensate pump room is a loss of feedwater transient. The l frequency of the flood was calculated to be 1.3E-2/ year, which is small compared to

( the frequency for loss of feedwater due to random failures of components. Therefore, the contribution of intamal flooding was insignificant to the CDF. [lPE Responses 2)

During the DET, it was noted that water bearing lines are routed over electrical switchgear in the turbine building, and one of the MCCs had a tarpaulin installed to prevent water from dripping into the switchgear. [DET) The licensee information for  !

! flooding also addressed such failures of electrical switchgear due to water spray. [lPE Responses 2) This failure was included in the general transient event model in the IPE. The licensee evaluated the impact of spray and leaks from the plant heating ,

system, which was not considered in the IPE, and found that the CDF from such events is insignificant. ,

- l l1.4 Core Damage Seouence Results l This section of the report reviews the dominant core damage sequences reported in the Submitral. The reporting of core damage sequences- whether systemic i or functional- is reviewed for consistency with the screening criteria of NUREG-1335.

The definition of vulnerabHity provided in the Submittalis reviewed. Vulnerabilities, enhancements, and plans to rnodify plant hardware and procedures, as reported in the i Submittal, were reviewed.

11.4.1 Dominant Core Damage Sequences The IPE utilized systemic event trees, and reported results using the screening criteria from NUREG 1335 for systemic sequences. [lPE submittal, Section 4.6.1) 28

. - - - + - . -, -_ .--- . - - - , , - - , , , , , - . , - -%ew ,g

i i

Figure ll-1 of this report summarizes the major contributors to core damage by -

internalinitiating event. These results apply to each of the two units. Definitions of the acronyms and abbreviations used in this figure are as follows:

j LOCA Loss of Coolant Accident

, 'LOSP Loss of Offsite Power l ATWS Anticipated Transient without Scram

, IORV inadvertent Open Redef Valve

ISLOCA Interfacing Systems LOCA

! The Submittal lists the highest frequency systemic core damage sequences, per l the screening criteria of NUREG 1335, in Tables 4.5.3-1 and 4.6.2-2.

The total CDF from internal initiating events is 1.2E-6/ year. Intemal flooding

, was determined to be a negligible contributor.

l The top five sequences are summarized in Table ll-4 of this report.

i I

~

29

  • b CDF by initiating Event for Quad Cities Dual Unit LOSP

-m

$1M%%]$$%85%f416 Single Unit LOSP @g$f$ .

Medium LOCA Sj@M

--Q  :

a -- ,

15 ATWS $$$

@ w~

uJ General Transient en --f i 5 Large LOCA {

lii -rI E! Small LOCA 5 -

S IORV ISLOCA

-d .

k TOTAL  ;$$@ll@QlG%@&$$yM))!$@il$$/(t@gg!l$M$$$}Eib e i i i i i 0 2E-007 4E-007 6E-007 8E-007 1E-006 1.2E-006 Frequency,1/yr a ATWS is not an initiating Event. ATWS frequency is for those sequences that involve failure to scram.

Figure 11-1. CDF by Initiating Event for Quad Cities 30

g a Table ll-4. Top 5 Systemic Core Damage Sequences initiating Event Subsequent Failures Sequence Frequency 1/ year Dual Unit LOSP Station Blackout, 5.3 E-7 Failure to Recover Offsite Power Medium LOCA HPCI Falls, Operator Falls 1.6E-7 to Depressurize Single Unit LOSP Operator Falls to Align 2.7E-8 Cooling to RHR (Suppression Pool Coo'ing), SSMP fails, Operator Falls to align ECCS to CCST resulting in loss of adequate NPSHA from Suppression Pool for ECCS pumps Dual Unit LOSP Station Blackout, HPCI 2.2E-8 fails, Failure to Recover Offsite Power ATWS' ATWS involved 2.0E-8 mechanical failure to scram, thus rod insertion not possible, Operator fails to initiate SLC Initiating event followed by failure to scram; initiating event not specified but evidently is a ' General Transient' The CDF contribution from sequences involving station blackout is significant.

The dominant sequence involves station blackout and contributes 44% to the overall CDF. The significance of station blackout emphasizes the importance of recovery of offsite power, the ability to power components at a unit experiencing single unit LOSP with power from the other unit, and the DC battery lifetime without recharging.

Five initiating events contribute 97% to the total CDF, as follows: [lPE submittal, Section 4.6.2)

Dual Unit LOSP 56%

Single Unit LOSP 16%

Medium LOCA 14%

31

ATWS 6% i General Transient 4%. l Significant failures contributing to CDF are as follows: [lPE submittal, Section 4.6.2)

DC and AC Power High Pressure Makeup Operator Failure to Depressurize Operator Failure to initiate RHR Cooling (Suppression Pool Cooling)

Operator Failure to Switch ECCS Recirculation with LPCI or CS from Suppression Pool to CCST given loss of Suppression Pool Cooling.

We compared the findings for CDF from the Quad Cities IPE to those from other PRA/IPEs. This comparison is provided in Table 11-5.

l 32

i ._ .-

o 4

1 Table 11-5. Quad Cities Results Compared to Other PRA/IPEs ,

l

Types of Event Quad Cities NUREG/CR 4550 Browns I l Contributing _

IPE:' Peach Bottom:' Ferry IPE: 8 to CDF  % of Total CDF  % of Total CDF  % of Total CDF

_ Loss of Offsite 72%, with Station 49%, with Station 69%, with Station
Power Blackout on the Blackout 47% Blackout 27%

order of 50%

i LOCAs 17% 6% 1%

ATWS 6% 42% 3%

General Transient 4% 3%, this is all 18%, with 17% .

events except from Generic LOSP, LOCAs, Transients and 1%

and ATWS from Support System Failures Internal Floods Screened From Not included 10% I Consideration I Stuck Open Relief 0.1% included in general 2%  !

Valve transient Interfacing 0.1 % included in general <0.1%

Systems LOCA transient Total CDF of 1.2E-6/ year 8

Total CDF of 4.8E-5/ year '

8 Total CDF of 4.5E-6/ year The IPE used a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time over which core damage was quantified.

The event trees did identify accident sequences, denoted as severe accident management (SAM) accident sequences, for which core damage would occur after 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> without compensatory action. The licensee stated that the sum of the SAM sequences is 5.7E-6/ year. [lPE Responses] The licensee also summarized the nature of the SAM sequences.

33

11.4.2 Vulnerabilities We could find no definition of vulnerability in the Submittal; however, Section 6.2 of the Submittal states that there are no vulnerabilities, based on the low overall

< CDF.

11.4.3 Proposed improvements and Modifications Section 4.7 of the Submittal summarizes evaluations performed based on the IPE. Based on the information in this section, we conclude that no improvements or modifications are planned based on the IPE. Section 4.7.1 of the Submittal indicates that 81 insights were generated from the IPE and grouped and given to the Senior Edison Management Review Team (SEMRT) for final evaluation and disposition. The Submittal does not provide these insights nor the results of the SEMRT evaluation.

The results of the IPE were also evaluated against the NUMARC Severe Accident Closure Guidelines. [lPE submittal, Section 4.7.2] It was concluded that no actions are required because the low frequencies of the accident sequences.

The Submittal indicated that Station Blackout is a significant contributor to CDF; however, the Submittal does not discuss the modification being installed to add Station Blackout diesel generators. As a result of concems raised during the DET about the IPE, the utility performed additional sensitivity analyses with the IPE model.

[Pleniewicz) This evaluation stated that the planned addition of Station Blackout diesel generators and an enhancement to the Station Blackout Procedure would reduce the CDF by about 40%.

The licensee provided example insights generated from the IPE in each of the following categories: procedures, hardware, training, information, and test and maintenance.

11.5 Interface issues This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

11.5.1 Front-End and Back-End Interfaces The IPE assumed that failure of containment has no effect on the ability to cool the core using injection with water sources from outside the containment, such as SSMP, feedwater/ condensate. or CRD. EQ related failures of equipment due to harsh environmental conditions were evidently not of concem. As previously discussed in this report, the licensee stated that EO related failures of these systems is not of concern due to their location outside of the reactor building.

If suppression pool cooling is lost, the IPE took credit for two ways to 34 1 _

, i compensate for suppression pool heatup and ultimate loss of adequate NPSHA for the' LPCI and CS pumps pulling from the suppression pool. One way is to provide for supply of cold water to the suppression pool using the Standby Coolant System (SBCS), which involves use of feedwater to flood containment from the condenser hotwell. The other way is to switchover LPCl/CS from the suppression pool to the Contaminated Condensate Storage Tank (CCST). As discussed previously in this report, credit for these methods can have a significant impact on the CDF; however, based on our independent calculation of loss of adequate NPSHA due to loss of suppression pool cooling, there is substantial time available, on the order of 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, for compensatory action.

We could find no discussion of the impact of either failure of containment isolation or of spurious initiation of containment isolation in the Submittal. For example, if the containment spuriously isolates during a transient, MSIVs would close and the main condenser would be lost as a heat sink.

The IPE used PRTs to model both front-end and back-end aspects of the accidents. Therefore, Plant Damage States (PDS) as usually defined were not used.

Typically, PDSs refer to the bins of core damage sequences that are analyzed in the back-end analysis. Each bin is defined by characteristics at the time of core damage that are important to the back-end analysis, such as_ status of containment, vessel pressure, timing of core melt, and amount of water in the containment. PDSs in this traditional sense were not used in the Quad Cities IPE, since the PRTs model both the front and back end portions of the sequences. The Submittal did identify bins denoted as Plant Damage States, but the term Plant Damage State as used in the IPE refers to the final state including the final state of containment. [lPE submittal, Table 4.1.3-2]

The containment vent is considered in the back-end analysis, but no discussion of the effects of venting on the front-end success criteria is provided. This observation was previously discussed in this report.

11.5.2 Human Factors interfaces Based on our review of the front-end model, the following operator actions are important and should be addressed in the human factors review of the IPE:

Operator action to depressurize the v(ssel Operator actions to initiate suppression pool / containment cooling Operator actions to align LPCl/CS to the CCST if suppression pool cooling is lost Operator actions to use the Standby Coolant System (SBCS) if suppression pool cooling is lost Operator action to inhibit ADS during an A1WS Operator action to initiate SLC during an ATWS Operator action to cross tie power to bus 14-1 (24-1) for unit 1(2) during loss of offsite power at one unit,1(2), from bus 24-1 (14-1) at the other unit 2(1)

Operator action to initiate containment venting Operator action to use the SSMP system.

35

9 The diesel generators do not have much margin during DBA conditions at Quad Cities, and the IPE should address how operator action to not overload diesel ,

generators was addressed in the IPE. During the DET, it was noted that the loading j of the diesel generators during a DBA large LOCA is such that if one diesel generator i fails and ECCS injection is supplied by the other diesel generator with both LPCI pumps available, when containment cooling is manually initiated, between about 10 and 30 minutes into the accident, one of the running LPCI pumps must be shed to allow starting / running of the RHRSW pump (s) to cool the RHR heat exchanger. [DET)

This is a special sort of operator action in that it requires operator action to stop safety grade equipment in order to use other safety grade equipment. Also, during the DET it was found that the loading calculations for the diesel generators did not account for manual loading of the compressor for emergency control room cooling. [DET) As a result of this finding, preliminary calculations were performed by the licensee that indicated that the additional loading due to the compressor could be tolerated, but the margin was sufficiently low such that detailed calculations were to be performed.

11.6 Evaluation of Decav Heat Removal and Other Safety Issues j This section of the report summarizes our review of the evaluation of Decay i Heat Removal (DHR) provided in the Submittal. Other GSI/USI's, if they were '

addressed in the Submittal, were also reviewed.

i l1.6.1 Examination of DHR DHR is addressed throughout the IPE model. Our detailed comments on the model associated with DHR are provided throughout the rest of this report.

The IPE specifically addresses DHR and its contribution to CDF as described in Section 4.6.4 of the Submittal. This section of the Submittal summarizes the systems that provide DHR, and the functional failures that contribute to loss of DHR.

The overall contribution of loss of DHR to CDF was calculated to be 30%.

About 12% of this 30% is due to operator failure to align for long term heat removal.

The licensee concludes that there are no vulnerabilities associated with loss of DHR.

The Submittal provides a discussion of the loss of DHR and the resulting impact on CDF.

II.6.2 Diverse Means of DHR The IPE evaluated the diverse means for DHR, including: use of the power conversion system (main condenser as a heat sink and condensate /feedwater as makeup), HPCI, RCIC, SSMP, LPCl, CS, suppression pool cooling (containment cooling), and use of the CCST for LPCl/CS long term supply if suppression pool cooling is lost.

11.6.3 Unique Features of DHR 36

The following design features related to DHR tend to decrease CDF: '

Safe Shutdown Makeup Pump (SSMP) as a backup to RCIC (installed for Appendix R compliance)

Ability to cross tie power between units in emergency buses 14-1 and 24-1 +

Ability to switch LPCl/CS from Suppression Pool to CCST if Suppression Pool Cooling is lost Ability to use the Standby Coolant System (SBS) to flood the containment if.

suppression pool cooling is lost.

The following design features related to DHR tend to increase CDF:

ECCS pumps have little NPSH margin and cannot operate in recirculation from the suppression pool over the long term if containment cooling is lost or if the containment is vented to low pressure One diesel generator dedicated to each of two units and one swing diesel generator that can serve either unit, in contrast to 2 dedicated DGs per unit as installed at many dual unit sites.

Other special features of note for the Quad Cities design that we noted during our review of the Submittal, UFSAR, and Technical Specifications, which do not have an obvious major impact on the overall CDF, are as follows:

Use of Electromatic Relief Valves l l

Safety Valves Discharge into Drywell, Not Suppression Pool One 'Bus to Power both Trains of LPCI injection Valves at each Plant (LPCI Swing Bus) l RCIC Turbine High Backpressure Trip Setpoint Set at 25 psig Diesel Generators have Little Loading Margin During DBAs Dedicated Diesel Generator Cooling Water Pumps Ability to Vent Containment Shared Condensate Storage tanks 37 r

4 Shared Service Water System.

11.6.4 Other GSI/USI's Addressed in the Submittal +

No other GSI/USls were addressed in the Submittal.  :

1 I

l I

i l

38

lli. REVIEW

SUMMARY

AND DISCUSSION OF IPE INSIGHTS, IMPROVEMENTS, -  !

AND COMMITMENTS i This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and weaknesses of the IPE are summarized. Also, the dominant contributors to CDF are summarized, with insights as to the effect of l plant design and modeling assumptions on the overall CDF and the types of scenarios that dominate CDF. Improvements planned as a result of the IPE are summarized.

Areas where licensee efforts could improve safety are summarized. Areas where the IPE process could be improved are summarized.

The Submittalis complete in terms of the information requested by Generic Letter 88-20 and NUREG 1335. The large fault tree methodology with support state event trees was used to perform a level i PRA; it is a typical methodology for performing the front-end portion of an IPE. Independent reviews of the IPE were completed. Plant walkdowns and the use of plant specific documentation were used to assure that the IPE modeled the as built plant. The licensee participated in the IPE.

Major strengths of the IPE are as follows. The Plant Response Trees (PRT) l model both front and back-end behavior, and thus integrate both core damage and j source term behavior. The impact of shared systems between the two units was  !

considered in the modeling of the response of one unit to an accident. The IPE considered loss of offsite power at a single unit and at both units.

Major shortcomings of the IPE are as follows. No plant specific initiating events  !

were quantified for core damage, and the basis for screening out all plant specific initiating events does not appear supportable. The common cause failure factors used are very low compared to other IPE/PRAs for many important c.omponents, and  !

common cause failure between HPCI and RCIC was not considered.

Other potential shortcomings of less impact are as follows: the consideration of l containment venting in the front-end success criteria is not clear; the credit for 1 SRV '

for successful depressurization requires further supporting information; and the basis is not clear to support the assumption that HVAC for electrical switchgear or for the  ;

control room is not needed.  !

The total CDF from internal initiating events is 1.2E-6/ year. Internal flooding was stated to be an insignificant contributor to core damage.

The contribution of initiating events to the CDF are as follows:

Dual Unit LOSP 56%

Single Unit LOSP 16%

Medium LOCA 14%

ATWS 6%

General Transient 4%

39

Large LOCA 2% -

Small LOCA 1%

inadvertent Open 0.1%

Relief Valve a Interfacing 0.1% l Systems LOCA l l

The IPE modeled the plant as of July,1991; one planned modification to be l Installed after the freeze data was considered in the model, that being the installation l of the hardened containment vent. '

The following design features impact the CDF:

Safe Shutdown Makeup Pump (SSMP) as a backup to RCIC (installed for Appendix R compliance)

One diesel generator dedicated to arch of two units and one swing diesel generator that can serve either unit Ability to cross tie power between units in emergency buses 14-1 and 24-1 Ability to switch LPCl/CS from Suppression Pool to CCST if Suppression Pool Cooling is lost Ability to use the Standby Coolant System (SBS) to ficod the containment if suppression pool cooling is lost Ability to Vent Containment Shared Condensate Storage tanks Shared Service Water System.

Operator actions contributing significantly to the overall CDF are: failure to depressurize, failure to initiate RHR cooling (suppression pool and containment cooling), and operator failure to switch LPCI or CS to the CCST if suppression pool cooling is lost.

Based on our review, the following modeling assumptions have an impact on j the overall CDF:

(a) credit for actions to switch ECCS recirculation from the suppression pool to the CCST using LPCI or CS pumps if suppression pool cooling is lost, before ECCS pumps are lost due to inadequate NPSHA from the 40

suppression pool as it heats up (b) credit for actions to flood the containment with the SBCS if suppression pool cooling is lost, before ECCS pumps are lost due to inadequate NPSHA from the suppression pool as it heats up (c) the use of low common cause failure factors (d) the assumption that only one relief valve is required to depressurize to where LPCI or CS can cool the core if high pressure injection is lost.

No improvements were planned as a result of the IPE. No USI/GSis were addressed in the Submittal other than loss of DHR.

l i

41 l l

O

  • a IV. DATA

SUMMARY

The following information from the Submittal is presented in this section of the report:

Total Core Damage Frequency Major Initiating Events Major Contributors by Function (if available)

Major Contributors to Dominant Core Damage Sequences System Hardware Modifications GSl\USI's Resolved, other then DHR Major Plant Design Characteristic that impact CDF Significant PRA Findings.

This section of the report is a compilation of the information in the Submittal.

No critique of the information as summarized is provided in this section of the report; Section 11 of this report provides a discussion of the information in the Submittal.

The total CDF from intemal initiating events is 1.2E-6/ year. Internal flooding was screened from quantification for CDF.

Internal initiating events that contribute the most to CDF, and their percent contribution, are as follows:

Dual Unit LOSP 56%

Singl'e Unit LOSP 16%

Medium LOCA 14%

ATWS 6%

General Transient 4%

Large LOCA 2%

Small LOCA 1%

42

inadvertent Open 0.1 %

Relief Valve Interfacing 0.1%

Systems LOCA The Submittal does not provide the CDF by accident class or by function.

The major contributors to dominant core damage sequences are as follows: 1 initiating Event Subsequent Failures Sequence Frequency 1/ year Dual Unit LOSP Station Blackout, 5.3E-7 1 Failure to Recover Offsite Power Medium LOCA HPCI Falls, Operator Fails 1.6E-7 to Depressurize Single Unit LOSP Operator Fails to Align 227E-8 Cooling to RHR (Suppression Pool Cooling), SSMP fails, Operator Falls to align i ECCS to CCST resulting in loss of adequate NPSHA from Suppression  ;

Pool for ECCS pumps j l

Dual Unit LOSP Station Blackout, HPCI 2.2E-8 l

- fails, Failure to Recover Offsite Power j ATWS' ATWS involved 2.0E-8 mechanical failure to {

scram, thus rod insertion not possible, Operator ]

falls to initiate SLC ,

l initiating event followed by failure to scram; initiating event not specified but evidently is a ' General Transient' The IPE modeled the plant with the planned addition of the hardened containment vent. No modifications are planned based on the results of the IPE, 43

. _ - _ _ . _ - = . _ _ . . _ . . . - -

t I

i although station blackout DGs are being added to the site to comply with the station '

blackout rule. I l No GSI/USIs are addressed in the Submittal other than loss of DHR.

l 1 The following design features tend to decrease CDF: I Safe Shutdown Makeup Pump (SSMP) as a backup to RCIC (installed for Appendix R compliance)

Ability to cross tie power between units in emergency buses 14-1 and 24-1 Ability to switch LPCl/CS from Suppression Pool to CCST if Suppression Pool i Cooling is lost l

Ability to use the Standby Coolant System (SBS) to flood the containment if suppression pool cooling is lost.

The following design features tend to increase CDF:

ECCS pumps have little NPSH margin and cannot operate in recirculation from the suppression pool over the long term if containment cooling is lost or if the I containment is vented to low pressure l One diesel generator dedicated to each of two units and one swing diesel generator that can serve either unit, in contrast to 2 dedicated DGs per unit as l installed at many dual unit sites. l The significant PRA findings are as follows:

The total CDF is low I Dual Unit Loss of Offsite Power Dominates the CDF )

l Intemal Floodmg is an Insignificant Contributor to CDF  !

l Loss of DHR contributes 30% the overall CDF There are No Vulnerabilities.

44

REFERENCES

[GL 88-20] " Individual Plant Examination For Severe Accident Vulnerabilities - 10 CFR 50.54 (f)",

Generic Letter 88.20, U.S. Nuclear Regulatory Commission, November 23,1988.

[NUREG-1335) " Individual Plant Examination Submittal Guidance", NUREG-1335, U. S. Nuclear Regulatory Commission, August,1989.

[lPE) Quad Cities IPE Submittal, December 13, 1993.

[UFSAR) Updated Final Safety Analysis Report for Quad Cities.

[ Tech Specs] Technical Specifications for Quad Cities.

[NUREG/CR 4550, Peach Bottom) NUREG/CR- 4550, Vol 4, Rev 1, Part 1,

" Analysis of Core Damage Frequency Peach Bottom, Unit 2: Internal Events".

i

[NUREG/CR 4550, Grand Gulf) NUREG/CR- 4550, Vol 6, Rev 1, Part 1,

" Analysis of Core Damage Frequency Grand Gulf, Unit 2: Intemal Events".

[ Browns Ferry IPE)) IPE Submittal for Browns Ferry.

1 [ Cooper IPEJ IPE Submittal for Cooper.

[Dresden IPE) IPE Submittal for Dresden.

[DET] ' Diagnostic Evaluation Team Report on Quad Cities Nuclear Power Station", Fall,1993.

[Pleniewicz) Letter from R. Pleniewicz, Quad Cities Station, to E.L. Jordan, NRC, November 1,1993,

" Quad Cities Station Units 1 and 2 IPE Sensitivity Analysis for Quad Cities Station".

[ Jordan) Letter from E. L. Jordan, NRC, to R.

Plenlewicz, Quad Cities Station, December 3, 45

1993, Response to Pleniewicz letter of l November 1,1993.

[BWROG NEDC-309*5P-A) "BWR Owner's Group Technical Specifications improvement Methodology", December,1988.

[ Steam Tables) Keenan and Keyes, Thermodynamic Pronerties of Steam

[ Reg Guide 1.1] U. S. NRC Regulation Guide 1.1, " Net Positive Suction Head for Emergency Core Cooling and Containment Heat Removal System Pumps",11-2-70.

[lPE Responses] Commonwealth Edison Responses to NRC Questions on Quad Cities IPE Submittal, letter from John Schrage to William Russell, August 8,1994.

[NUREG/CR 6144] ' Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry, Unit 1", NUREG/CR-6144, Vol. 2, Part 1 A, June,1994.

[lPE Responses 2] Commonwealth Edison Responses to NRC Ouestions on Quad Cities IPE Submittal, letter from John Schrage to William Russell, i October 3,1994.

{

[lPE Responses 3] Commonwealth Edison Responses to NRC

, Questions on Quad Cities and Dresden IPE Submittals, letter from John Schrage to NRC Document Control Desk, December 23,1994. j i

[NUREG/CR 2797) " Evaluation of Events involving Service Water Systems in Nuclear Power Plants",

NUREG/CR-2797, November 1982.

l l

[TER Hatch) SEA TER for Hatch IPE.

l 46 l