i sheir support systems. De subminal does not show them either. De EPRI's CAFTA fault tree manager was used for development and quantifiction of the top event fault trees. Dey were linked together using j, Imgic Analyst's HPSETS code to desermine the accident frequencies. De front

line systems fault trees j' were developed to allow the support system fault trees to be linked directly into the logic when quantification was performed. Human errors.were included in the fault trees, where an operator action

was necessary in order for a system to operate, such as the operator to switchover to recirculation.

!, Operator actions in response to equipment failures were not included in the fault trees, but were later l; included after sequence quantification as tscovery factors.

De cut set truncation limit used was 1.E-09. In the fault trees a. component was not modeled further

> down if no useful insights could be gained by more detailed modeling, i.e., if all the failures of the I subcomponents were encompassed by one failure mode of interest, such as, pump fails to start.

Similarly, negligible faults associated mainly with passive components such as pipes and manual valves were eliminated from further consideration.

• De fault trees developed for the Prairie Island IPE are listed in Table 3.

a . Table 2 Initiating Events .

F y g,,,,,sn f No. ','I laitiatlag Event Designator -

i k ,1 LOCA's Smat! LOCA SLOCA 3.00E 03 PWR IPEM Methodology Medium LOCA MthCA 8.00E o4

{ Large LOCA , L1hCA 3.00E o4 r

2 Anticipued - RX Trip (other than below) TRI 1.68 Plant Data Transients SG HI-H1 LVL TR2 9.00E42 Plant Data j landvertent SI-Signal - TR3 2.SoE-01 Plant Data taas of Peedwater TR4 9.00E-02 Plant Data A lessmal Auz. Bldg. Zone 7 (695* EI) AB7PLD 5.05E-03 EPRI1R.102266

, Rooks Aux. Bldg. Zens 3 (above e95*) AB8PLD 1.34E44 EPRI'IR 102266

i. TB Bldg. Zone 1 (APWP Rm)* T!PLD 1.o4E45 EPRI TR 102266 TB Bldg. Zone 13 (Relay Rm)* T13PLD 2.68E-05 EPRI TR-102266

! Sernhoe Zone 1 (50 Cl Ans) SHIPLD 6.09E-06 EPRI TR 102266 Sernhec Zoos 2 (Noe40 Area) SH2PLD 2.545 03 EPRI TR 102266 l

-3 Special Ames of Cooling Weisr* IDCL 1.82E 05 Feuk Tree Tsemannis imes of Comp. Cool Weaar LOCC . 3.46E43 Pauk Tree -

y Lees of Train A DC Power 1DDCA 8.69E43 Fauk Tree I Loss of Train B DC Power LDDCB 8.69E43 Pauk Tree

less oflastrument Air * . INSTAIR 1.17B42 Pauk Tree ,

} 4 Uematicipated Main Peedweser the Break MPLB 2.50E 05 WASH 1400 Transients Main sisam Line Break MSLB 3.90E44 WASH 1400 i

?

! 16 I

i i

i I

• ~ .  ;

l

' ~

j i h.

it Table 2 Initiating Events (Cont'd) l

'i l

)

?! e

% eeney m

! i.- ..Jdo. Qtegon - - _ , , ~ ,,w g.,g ,,,g _,;,,_, m, _ _ m _ _

=_ l Name -

-(per yr) --

q

]I

• 5 Loss of less of Offske Powes* - IJDOP 6.50E 02 NUREG-1032 1 44 Offske Power NUMARC-4700 i

\

i '

' ~

6 1)DCA , " LOCA ISLOCA 2.27E.07 Fauk Tree. NUREG-5102 l Owsids team Generator Tee Rupters BGTR 1.50E 02 Plant Data I

} Canaa nnened 7 Failure to RX Trip (other than Below) ATWS-TR1 2.52E M U Trip (NIWS) SG HI-H1 Level ATWS-TR2 1.35EW8

! laadvertent SI Signal ATWS-TR3 3.45 EMU taas of Feedwater ATWS TR4 1.35 EMU Less of Cooling Water ATWS-LOCL 2.73E-1F"

' 1ms: of Comp. Cooling Water ATWS.LOCC 5.19E-08w less of Train A DC Power A1WS-LODCA 1.30E M D Less of Train B DC Power A1WS-LODCB 1.30 EMS Less ofInstrument Air ATWS-INSTAIR 1.76EMD f Less of Offsite Power ATWS-LOOP 9.75EMD Main Feedwater Line Break A1WS-MFLB 3.75E-190 Main Steam Line Break ATWS-MSLB 5.89E M u int. Fid. AB Zone 7 (6951) EI) A1WS-AB7 7J8EW' int. Fid. AB Zone 8 (Above 695) ATWS-AB8 2.01EW" f Int. Fid. TB Zone I (AFWP Rm) ATWS-1151 2.55E-105 int. Fid. TB Zone 13 (Rly Rm) ATWS-T13 4.02E-10

Int. Fid. SH Zone 1 (SG Area) ATWS-SH1 9.14E-11(#

int. Fid. SH Zone 2 (Non-SG) ATWS-SH2 3.81 Ego Small LOCA ATWS-SLOCA 4.50 EMU i Medium LOCA ATWS-MLOCA 1.20E-08(#

( Steam Generator Tube Rupture A1WS-SGTR 4.50Equ t s ht #1mf Events Notes:

• Dual Unk Irdiastors:-

84 AE frequencies are mukiplied by the failure to trip desanad este (1.5E45/d) to determine ATWS frequency.

i # Sommes *Plart Data

• ada:etas plantepeelfic operating experianos data. "Fauk Tres* indacetes that a 7'-" , -* fauk true was construmed and quantified for this system to detennine the s .k eine ovset L-; -- y. Referenos to na NRC or 7 industry document indicates that a plant specific analysis was performed no deterndse the lasisting ovest frequency using the rosthodology provided in that document

, . . u- .

f -

w s

l t . 1 1 1

{

1 I

17 ,

i i

i

, 4 l -

l ,

7tble 3 Fcult 'hees Developed in the Prairie Island IPE i -

) Safety Functions /Frontline Systems Support Systems t

[ Reactivity Control Chemical Volume and Control System Station Power

~~

Emergency AC Power

! - DC Power Karandary Heat Removal Cooling Water Auxillary Feedwater Component Cooling Water l Main Feedwater/ Condensate Instrument Air Steam Generator PORVs SI Actuation Signal In:tmment Power 1 i

Short Term Injection CS Actuation Signal I

)' Safety Injection l Pressurizer PORVs Law Head injection (RHR)

, Long Term injection i

High Head Recirculation (SI/RHR)

Low Head Recirculation (RHR)

Caa'=iament Control Containment Spray Containment Spray Recirculation Fan Coil Units RCS Cooldown and Depressurization l l Charging i RHR Shutdown Cooling Auxiliary Spray

( -

2.2.2.2 Point satimatm d U.cataineytsemeway Anairms .

Mean values were used for the point anim* laitiator frequencies and all other basic events. Forma!

, mar 6=ht u-isidy analysis was not performed on the naults. However, the submittal reports point .

estimates of the core damage frequencies by tal+i*ia events separately for Unit I and Unit 2. In

, addition it provides point estimates for the 'y-rd aequence frequencies of Unit 1.

Importance analyses (by using Fussel-Vesely and Birnbaum '#-i.c4 Indicators) were performed for

the initiating events, the major operator actions and all the systems considered in the plant risk model.

The' Wor.ce analysis also included the corrective maintannare contributions as well as the preventive j ==lataamar+a and test contributions to the overall CDF.

t \

Sensitivity analyses were conducted on initiating event frequencies, operator action failure rates, common ,. l

~

cause, test and maintenance and for certain system components (e.g., EDG failure rates). i s

V

! 18 j l'

I t i l' \

l

I.

)

in response to an RAI, an NSP review of the modeling of malatananceiunavailabilities identified several cases in which maintenance on opposite unit equipment for shared and cross-tied systems was not v- correctly accounted for in the IPE. The combined impact of these omissions was then estimatad by t irwipcieting them into the IPE model and quantifying the change in CDF. De RAl response does not sh specify the affected sequences individually; h provides only the approximate value of the total CDF rise, which is 6% (i.e., she total CDF is approalmately 5.3 E-05/yr). It remarks, however, that nearly all of

1. this increase is due to the additional (preventive maintenance) unavailability of Bus 25, which supplies 1

power to the 21 AFW pump.

%e RAI response offers also some explanation about the modeling omission of pressurizer PORV block valves. In the IPE the PORVs are included in the model for feed & bleed and ATWS. However, in neither case are they modeled such that the block valves are required to open.

In the A'TWS modeling, the fraction of time that either block valve was assumed to be closed due to leaking PORVs was estimated as one month per year. That =timata results in an unavailability value of 3.3E 02 for each block valve. De impact of this omission to the ATWS CDF is not estimatad.

In the case of the feed & bleed, however, the omission increases only the feed & bleed unavailability by an amount on order of 1E 06, much smaller than the unavaliability due to human error, which is 4.5E 02,  :

l thus its effect on the CDF is negligible.

l

' \

2.2.2.3 Use of Plant Specific Data

• l

• The submittal emphasizes that many initiating events and all major and significant mechanical l component failure rates were generated using plant specific data. ar component failure data collection the sample period of 1/1/1978-12/31/1987 was selected, because this time period was i l

readily accessible using electronic data retrieval techniques.

During the component failure data collection process system boundaries were established which were used also for system fault tree modeling (e.g., the EDG boundaries included ~ the engine with h's support systems, the governor, the generator, the output breaker, and all control circuitry). Both demand and time related component failure rates were determined.

~

The licensee states that the plant specific failure rates were compared to generic sources to check for reasonableness. When a discrepancy occurred the plant specific value was thoroughly checked.

[

Whenever sufficient plant data were available to unake a statistically ===hle antimata of the failure

< rate, the plant value was used. However, for some components and failure modes which had no recorded data at the plant, generic values were applied.

Plant specific data were applied also to derive the fraction of time a given component or train of

! equipment could be expected to be out of service for malatanance Information to determine component unavailability during testing was ahtalaad from a review of plant surveillance procedures.

j. ,

• De subminal presents both the generic failure rates (used for certain components) along with the list

, of equipment for which plant specific data were used (Tables 3.5-1 and 3.3-2 of the submittal).

In this review Table 4 compares the IPE's plant specific failure data for selected components with values typically used in PRA and IPE studies, using the NUREG/CR-4550 data as a basis for 19 t

t

- e e - x ,

f I

comparison [NUREG/CR 4550, Methodology). One can see, that generally the Prairie Island data -

tend to be smaller than NUREG/CR 4550 data, except for the DG and AFW pump " fail to run"

, failure rates, and for the indicated MOV, AOV failure rates. In some cases, for example for IA g --compressors and check valves, the differences reach more than an order of magnitude.

f The cause of abese differences is apparendy " statistical fluctuation", or " fact of life". The RAI response i depicts for !==== the data analysis of check valves, as follows:

l

"To ca!culate failure rates for valves all valves or check valves were pooled together to create

! a large data pool of damaMs and failures. For check valves this created a pool with over 25,000 open damaMe and an equal number of close damaM<. There were no failures of check valves found in the plant records. However, since no equipment can be amen =M to

' have a zero failure probability, a value of 0.5 was used for the number of failures.1he resulting faUure rate is lower than generic industry values, however, the large pool of 4 damnMt coupled with the lack of failures justifies using the plant specific value."

t t 2 1 2.4 Use or Generic Data l The major components for which generic failure data were used in the IPE are the following: Pressurizer PORV, Circuit Breaker (4160 V/480 V), solid state logic modules, inverters, battery and battery chargers, MCCs, beat exchangers and chillers, relief valves, fans, relays, switches and transmitters.

Generic values were used also for some failure modes on some components due to low demands or i operating hours which did not produce reliable plant specific failure values ( e.g., for the " fail to run" failure mode of the SI/CS pumps).

t'~amaa cause failures of circuit breakers, swit& gear and relays were not explicitly modeled. According

, .to the RAI response they were considered implicitly. For instance, common cause failures of loads

. supplied through the breakers, such as pumps, valves and other components that can be attributable to

} common cause ==+=ntums, were modeled. Common switsgear failure was implicitly analyzed (in terms of function and the effects of failures) with other failures, such as diesel generator common cause failures.

! Relay common cause failures were considered to be covered under common cause failures of

instrumentation and control trains. .

11be following W-a* were used as " sources

• for the generic data :

!' I. NUREG/CR-2815, Probabilistic Safety Analysis Procedures Guide, j

~

2. NUREG/CR 4550, Analysis of Core Damage Frequency,

3. IEEE Standard 500 Data, f 4. EPRI TR 100320, Vol. 2, Reliability Centered Makaa== (RCM) Technical Manual, J 5. WASH 1400, Ranctor Safety Study (NUREG 75A)l4).

t f ,. .

, The Prairie Island IPE team systematically == mind the plant model for reduMant components to address

! potantini common <ause failures (within individual systems and across both units ).1he component J groups for which common cause events were defined are given below: .

, 20 g . - . _ _ _ _ _ . _ . . . _ _ . _

bo l !; - -

)i 1.

2.

Diesel generators (failure to start and run),

Pumps (failure to start anti run),

3. MOVs and AOVs (failure to open and close),

i; 4. PORVs (failure to open or reclose on demand),

j'!

5.

6.

Check Valves (failure to open on demand; falinre to reclose),

Batteries (fallure to operate on demand),

['

7.

8.

Instrumentation and Control ==i-: - = (falltre to send signal or actuate equipment),

Air compressors (failure to start and run),

j 9. Cooling fans (failure to start and run),

j 10. Chillers (failure to start and run).

I De common cause probability model used was the Multiple Greek Latter (MGL) method.

The primary data for the common cause factor mattmates were taken from the documents given below:

, NP-3967, " Classification and Analysis of Reactor Operating Experieoce Involving Dependent Events,"

EPRI, June 1985, NUREG/CR-3289, " Common Cause Fault Rates for Instrumentation and Control Assemblics," U. S. NRC, May,1983, NUREG/CR-2770, " Common Cause Fault Rates for Valves," U. l

, S. NRC, February,1983, " Nuclear Plant Reliability Data System," INPO. l These data were then sorted and classified according to the usual procedures for treating comrnon cause failures in safety and reliability studies. De obtained # and (if applicable) y and 6 factors are reported in the submittal, with discrimination based on the failure modes (e.g., in general, different values of MGL parameters are given to failure to start as opposed to failure to run).  !

For convenience, the # factors for various combinations of component failures are reproduced in Table  !

5 of this report to compare them with some reference # factors suggested in NUREG/CR 4550. De reference # factors are also presented in Table 5 ( NUREG/CR-4550 reports only failure to start #

factors).

Based on the table's data, the general observation is, that the common cause parameters applied in the Prairie Island IPE seem reasonable and consistent with those of recommended in NUREG/CR 4550 (in I addition, the common cause factors for the turbine drivers of the AFW pumps seem also reasonable: for FTS = .17 and for FTR = 0.04).

i 2.2.3 Interface Issues 2.1.3.1 Front-End and Back End Interfaces

. De submittal treats this issue rather concisely. It states that almilar core damage sequences were grouped 2

into classes according to the following criteria:

• Integrity of the containment l

• Initiator type i .

• Relative timing of the core melt with respect to the initiator

• Primary system pressure.

21

1 4

in 1 * '

j Table 4 Comparison of Component Failure Data I

Component Prairie Island + 4550*

EW Punips --

% Mesm- -% --

, inil to start 7.6E44 4.1E44 3.0E43 inil to run 1.4E44 1.3E 04 3.0E 05 TDAPW Punips ThrNee Assy fail to start 9.4E 03 6.1544 3.0E42 fail to run 6.1E 03 1.3E44 :5.0E 03 SI Pumps fail to start 1.15 43 3.0E43 dall to run 3.0545* 3.0E 05 i RHR Punips fail to start 4.6E44 3.0E43 ini! to run ' 2.6E 05 3.0E45 x ;I 11/21 CL (SWS) Pumps fail to start 4.8E 04 3.0E-03 fall to run 1.2E-05 3.0E 05 CCW Pumps init to start 2.7E 04 3.0E43 fail to run 2.7E 06 3.0E 05 i . IAI Compressors i fail to start 2.0E 04 < 4.0E42

• fail to run 4.9E 06 2.0E-04 i

j Geck Valves fall to open 1.8E 05 1.0E44 imil to close J.tE45 1.0E 03 1

-MOV -

p, .g - -

- _- . .- 4.7E43 - --

- - d.0E43

. fail to close 7.6E-03 I

j Air Operated Valve 61! to open 2.6E 03 imil to close 1.7E43 2.0E 03 Diesel Generator (D1 and D2) inils to start 3.4E43 3.0E42 I Mis to run 1.15 02 2.0E43 f

+ Values ladiossed ars semaded for companese.

80mmene pailure Rane from NUREG/CR 4550

Notes

(1) 4550 are sesan values tahan ten NUREG/CR 4550, l.a.', drom to NUREG-1150 asudy of Eve U.S.

[ evenaar power plants.

(2) Demand fatturm = protablutise per demand railurm ao run or operses ar , - empressed in

=* of failures per hour.

'22 E

e.,_...

y. - -

3 e-

! i. _-

l t .* .

Table 5 Comparison of Common-Cause Failure Factors l

ii~

Component Failure Mode Submittal A Factor Reference # Factor

<r i FW pump only, CCF of 2 pumps FTS/FTR 0.035/0.085 0.056

! 4 AFW motor driver, CCF of 2 drivers FI1/FTR 0.15/0.013 li RHR pump, CCF of 2 pumps FIS/FTR 0.16/0,18 0.15 j SI pump, CCF of 2 pumps FTS/ FIR 0.16/0.17 0.21 CL pump, CCF of 2 pumps FTS/ FIR 0.018/0.084 0.026 CL pump, CCF of 3 pumps FTS/PIR 0.018/0.099 0.014 h

[ CCW pump, CCF of 2 pumps FTS/ FIR O.14/0.058 0.026 3

CS (spsy) pump, CCF of 2 pumps FTS/FTR 0.38/0.081 0.11

• i MOV, CCF of 2 valves FTO/FTC 0.078 0.088 3

MOV, CCF of 3 valves PTO/FTC 0.082 0.057 l

AOV, CCF of 2 valves FTO/FTC 0.046 0.057 l l

Pressurizer Safety Valves FTO , 0.048 0.07 Diesel Generator, CQF of 4 DO FTS/FTR 0.027/0.075 Ref. is available only for 3 dos PTS = Fall to start FTR = Fail to run FTO = Fa'd to open PTC = Fall to close t

9 5

I 23 ,

2 I

) - ~

De distribution of sequences among these classes provides insights as to the functional failures which

! may dominate the risk leading to a core damage event. Table 3.1-4 of the submittal contains the j designators and the description of the accident classes. 'De classification of the accident classes .'

I "ly follows *e NUMARC Sevwe Accident luue Closure Guidelines and 6e table aho shows the

j. NUMARC accident class designators along with those used in the Prairie Island IPE.

f - 2.2.3.2 Hamman Facters Interfaces .

? . .

,. The Human Reliability Analysis Technical Review found in Section 2.3 addresses this issue.

2.2.4 Internal Mooding -

l 2.2.4.1 Internal Flooding Methodology f De methodology of the IPE to perform the Sooding analysis consisted of three makr steps: l l

l  !) Identification of potential floods and areas affected (flood zones),

2) Identification and initial screening of Sooding scenarios, and

3) Quantification of important flooding scenarios. .

In addition, extensive plant walkdowns supported the development of the flooding scenarios.

i la the analysis, propagation of Sooding to other areas (including back propagation through the rirains) and holation of the floods were considered. (Backflooding through floor drains was considered but was not credited.) Failure events which could cause flooding were the following: pipe and valve rupteres, l human errors (such as errors in maintenance works), and comb *mation of equipment failures and

! operations staff errors. Water spray on equipment was also taken into account, particularly when multiple systems or components were affected. Spray from a high capacity pipe was automatically included into j nhe analysis, because breaks large enough to flood a zone were conservatively assumed to fail all

' equipment in that zone.

I Flooding from the fire suppression systems was considered to a certain extent; i.e., if it was not bounded 1- by a flooding from a system of higher Sood capacity, such as the cooling water system.

I f Spurious actuation of' fire suppression was not considered. De reason for this, as given in an RAI I respcase, was the low probability of the following failure combination: failure of a fusible link in one cf fire suppression spray noezies, the nazie must be located near annanthi equipment, and the spray from l-the nazie must be able to fail the equipment. Potential plugging of the drains was also not considered i

• a problem.

l

,1he flood analysis included breaks in the cooling water piping, however breaks in the component cooling water system were not considered. De reason for the neglect, also given in the RAI response, was the i' linked amount of the water comment of the deced CC system, which is insufficient to Sood the large areas .

where CC piping exists.  ;

4 i After a thorough screening process, six flood annes were retained for snore detailed analysis. Dese -

were

24 i

?

s w

y es-r w .e--ee w ase ' cume e- > +-*-- e ,e,. .. - . , , .

l' '

ii..

!! Screen house safeguard areas,

{i -

Screen house non-safeguards areas, l Auxiliary building 695 level,

_ Auxiliary building 715 level (control room chiller rooms excluded), _

s Auxillary feedwater pump room in the turbine building,

,I Cable spreading room.

To quantify the flood initiating event frequencies the EPRI document TR-102266 was used and several

assumptions regarding systems and equipment that may be disabled as a result of the Sood or as a a consequence of operator actions have been made.

'Ibe Nag event frequencies daarmined for the various Sood zones are presented in Table 2, alongside i

j. with the initiating event frequencies of the internal events.  ;

De RAI response calls the attention to the fact that the pipe break frequencies used in the flood analysis

j. . and the pipe break frequency used in the initiating event I-LOCL are different. He pipe break frequency l for the initiating event represents a break anywhere in the system. De frequencies calculated for the

'r flooding analysis represent the pipe break frequency only for piping within a specific area of the plant i, which has been designated a flood area. I

!, 2.2.4.2 Internal Hooding Result i

l~ De six potentially significant flooding initiating events selected by the screening process were further analyzed in the transient event tree. Eramiriation of the reactor response established key timing for

. reactor conditions and operator actions and it was found that no new transient analysis was necessary to quantify flooding initiators. '

Each of the flood initiated accident sequences were assigned to the followlag accident classes:

Flood initiated core damage early.at high reactor pressure (designated as: FEH), or Flood initiated core damage early at low reactor pressure (designated as: PLH). .

De total contribution of internal flooding to the point estimate CDF was antimarad to be 1.04E-05/yr,

> which is about 21% of the total CDF (from internal events and internal flooding). His is dominatad by a single flood scenario, that accounts for almost .6 of the CDF due to flooding. The flood is in zone s TB1 which is the Auxiliary Feedwater Pump / Instrument Air Compressor Room. His room has the main cooling water supply headers to the Auxiliary Building running throagh the overhead.

De flood scenario consists of a single sequence in which a large break occurs in the Loop A or B cooling

water line above the auxiliary feedwater pump room in the turbine buuding. De resultant flood causes loss of auxiliary feedwater pumps, loss of all lastrument alt compressors and loss of main feedwater due to loss of instrument air and loss of tube ou cooling. Wary cooling falls due to failure of AFW and i MFW. Short term RCS inventory fails due to loss of pressurizer PORVs which fall closed on loss of Instrument air.

i -

No other flood sequence has a significant impact on the total CDP.

, 25

e. . . . - ~ . . . . _ _ . - - . . . . _ . - . - -m. ~ , , . . _. --. ~ . _ . _ . . . . . . . .

O 4 i ~

j 2.2.5 Core Damage Sequence Results

! 2.2.5.1 Core Damase Frequency By Initiatig Events .

5 L De IPE point estimate for the core damage frequency from laternal events and internal flooding is 5.0E-05/yr for Unit I and 5.lE 05/yr for Usik 2. Accident initiators and their percent contribution to the CDF .

i for both units, Unh I and Unk 2 are listed in Table 6. As k can be seen, the core damage contributions i f by inhiating event of Unit 2 closely resemble those of Unit 1. Dis is because there are only few and j minor asymmetries in the designs and corresponding risk models of the units and the Unit 2 level 1

- results were obtained essentially from requantifying the Unit I model and replacing appropriate Unit 1 I component failures by their counterpart for Unit 2.

Since new and significant safety insights were not obtained from the Unit 2 analysis, the submittal and consequently the present review discusses primarily the CDF results obtained for Unh 1.

l Table 7 reproduces the CDF results in term of grouped accident types and their percent contribution, i

! One can see, the largest contribution is due to the transient group (including the LOOP events). LOCA and internal flood events are the next contributors and they contribute almost equally. De SGTR's

( contribution is quite significant.

4 2.2.5.2 Dominant Accident Classes and Accidet en=

I De CDF results were obtained in the form of functional sequences.. Derefore the submittal used those screening crheria for reporting, which were required for such sequences in Generic letter 88-20. In fact,  !

Prairie Island "went one step further in reporting requirement by equating accident classes with functional

! sequences"; i.e., k grouped core damage sequences together according to their similarity in regard to

. initiators, timing of core melt and effect on contata-at pressure at the time of the core melt and treated such a group as a combined functior.al sequence. In Table 3.4-1 of the submittal all the accident classes j (including those that meet the reporting criteria and those that are beyond them ) constituting the total CDF are presented (altogether !.5 accident classes). De table contains also the description of the ilominant sequence from each accident class (escept accident class "1HE", from which two leading i* seguences were considered). Dese dominant sequences cover only 36.45, of total CDF. The sequences include: five LOCAs, two SGTRs, alx transients, two floods and one laterfaelag LOCA.

1 To illustrate the reporting process, Table 8 of this review presents the characterizations of the accident classes as functional sequences for those accident classes whose individral CDF is higher than IE- J 06/r. yr. For completeness, the table also shows the accident class "V" describing ILJ.cing rystems i LOCA sequences. In the table the descriptions of the dominant :,equences by accident class are reproduced, as well.

i j De SGTR contribution is relatively high due to dependence of pressurizar PORVs on instrument air, j zelative vulnerabilky ofinstrumer:t air (due to success crheria and room cooling dependencies) and some ,

' aimplifying conservative assumptions (not modeling g=.dem sprays, not modeling seconday steam .

t dump, not modeling cross connect of instrument air to station air, and ----taa isaam generror PORVs j aticking open with a probability of 1.0 in case of overfill).

26

,i

-- ~~--w. ..%w.w_.a.-- -..~ _ _ . _ _ _ . . . _ -

'i 2.2.5.3 Results of the Importance Analysis

!- De scope of the importance ar.alysis performed in the IPE extends to the following areas: initiating

i events, systems and components, corrective and preventive malnranances ('meluding test), and major

i operator actions. Two standard importance indicators were used

the Fussel-Vesely and the Birnbaum 4

j impucugge. In the subminal the resuhs are mmmarized in two tables (Table 3.4-5 and Table 3.4 6) and six figures (Figure 3.4-1 through 3.4-6).

li~

!

• De importance analyses performed on the nahtelag events asentially conf!rrns the inference previously obtained from Tables.6 and 7, that the most important initiators at Prairie Island are:

i' the 1.OOP(SBO) events, the Floods (T1FLD, SHIFLD), the LOCAs (MLOCA, SLOCA, LLOCA) i and the LOCL (loss of cooling / service water) event. I! l

• De impoiws analysis on the systems provided the ranking of the systems contributing the most

!i ' to the total CDF as follows: 1) the AFW,2) AC power,3) room-cooling, and 4. the cooling water systems. Number one is the AFW, because in many accident sequences due to a variety of initiators (e.g.1 LOOP, TIFLD, less of IA, less of DC) it is the only remaining means of i secondary cooling. AC power is in second place; its loss causes heavy reliance on the TDAFW pump during an SBO when the MFW and MDAFW pumps are lost. Room cooling is important, js' because when I.oss ofIA or less of CL occur, the chilled water that supplies the room cooling of , the Unit 1480 V safeguards bus rooms, fails. (This condition is algnificantly ameliorated, as j discussed earlier in the present TER based on the RAI response.) .

• With respect to corrective maintenance, the maintenance unavailabilities associated with the train -

i B AFW and the charging pumps are the most important: a.) he MDAFW pump train, because it is the most reliable pump to supply AFW to Unit 1 (the TDAFW pump has higher faildre rate and the MDAFW pump of Unit 2 requires operator action to be used), and b.) he charging pumps, because after an SGTR, charging is a requirement for successful RCS cooldown and depressurization. 1

• With respect to preventive maintanane* and test, k was found that among the unavailabilities of these types the most important is the one which is associated with the IA compressors. Als is due

to a combination of two negative factors: the 2/3 success criterion of the IA system (with one compressor in maintenance, a failure of the second compressor causes failure of the system) and the i steady use of the compressors which requires frequent preventive maintananean whose total time rapidly accumulates to a large value.

i e 1 27 t

    ?
   ?
   - - _ _ _ _ _ _ _ _ . . . . . , . _                                   _.                                    _ _ _ _ _ _ . _ . ~ . _ _ _ _ _ _ _ _ _ _

l Tcble 6 Core Damage Frequency by Initiatlag Event - ' CDF fresa Initiating , g .g. CDF fram Initiating 5 of Total CDF p GF h '# I'"" e Jaitiatia8 I Event Eventyear)

                                              - (per reactor     .. . . _ . WHaHar Event                                     W e p)                            WW Event y ,gg 3 b                                                      Unit 1                                                                  Unit 2                                     Unit 2 f         I-TRI                                       6.4E-07                                   1.3                            6.6E47                   .

1.3

   }        I-TR2                                       2.9E48                                  0.06                             3.1E 08                                       0.06

[ I-TR3 1.2E 06 2.4 3.2E46 2.4 1-TR4 5.2E47 -1.0 5.5E47 .1.1

  ?

I-LOCC 5.5E47 1.1 5.5E47 1.1 1-LOCL 6.4E47 1.3 6.4E47 3.3 i

  ~

I-LDCA 2.25 06 4.4 2.2E 06 4.3

  )         I-LOC 3                                     4.6E-07                                 e 0.9                            4.8E 07                                         0.9 I-INSTAIR                                   3.2E 06                                   6.3                            3.2E 06                                         6.2

{ I-LOOP 1.1E45 21.2 1.1E-05 22.4

  ;I        I-MSLB                                          *                                      *                                  *                                            *
  '          g-MFLB                                         *                                      *                                  *

• i I-SLOCA 4.1E 06 - 3.2 4.2E 06 8.2 I-MLOCA 4.6E-06 9.3 - 4.6E 06 9.1

              ~

I-LLOCA 3.7E-06 7.5 3.8E 06 7.3 I-SGTR 6.6E 06 13.2 6.6E 06 - 13.0 I TIFLD 1E-05 21 - 1.04E 05 20.4 I-T13FLD * -* * * { 1-AB7FLD 8.5E-10 2E-03 1.5E49 2.9E 03 i IAB8FLD * * *

• 1-SHIFLD 4.1E47 0.8 4.1E-07 0.8 j 1SH2FLD 4.35-10 11E44 > ~ 5.6E-10 .1.1E 03

  ;          V                                           2.3E-07                                  0.5                            2.27E47                                          0.5 f

i I i . t i I 28 f - t

l

                                                                                                                                 )

Table 7 Acddent Types and 'their Contribution to the CDF 4.

   ?                              Initiating Event Group                   Contribution to CDF (/r. yr)           %

i

LOCAs 1.22E 05 24.3 1; *

1 Janam Generosor 'Dube Rapture 4.6E 06 13.2 5"4=*== Systana LOCA 2.27E 07 0.5 1

4 Transients (w/o LOOP) 9.44E 06 18.8 e i ; Anticipated Trans. w/o Scram 3.2E 07 0.6 i ,

4 Internal Floo&ng 1.04E 05 .20.7 1

IDOP (with SBO) 3.1E4 (3.1E.06) 21.9 (6.2)  !

i l l i . TOTAL CDF 5.02E-05 100.0 i i + ', ? 4 ,

   }

t I l 4

   )

l f S I

   *                                                               - * -                                ~ ...

i t - 29

i [- Tcble 8 Imading Accident Classes and Core Damage y== by Accident Class - i k, l

Aen4Aant Class and

• t Accident Class na==laa=# Sequence IF ~

Designator and _ Aeridans Class Characterisation and . ji - wp -- CDF - % of na t ant Q = Description (per r. year) Total CDF ti

FEH TB1 -Flood whb 1545 21 nis armiaar class includes only .wmquence.

! early core damage at bigh Flood in the AFW pump room froan a beak of !,' RCS pressures a coohng loop bander. All AFW pures fail ]' i along with all IA compremers. MFW fails due so closure of main feed regulating mi bypass valves due to loss of IA and loss ofluke oil 1 coohng to the MFW pumps. Feed and bleed fails due to loss ofIA. See also Section 1 j 2.2.4.2 of abe subanitial.

    ;                                           THE - Transient with early                               1E45             20        The esquences in this class are characterized by core damage at bigh RCS                                                             a loss of MFW through loss of IA/ LOOP /SBO.                                l pressures                                                                           Subsequently, the AFW is lost partially or completely. RCS short term inventory fails due                              l to loss of feed and bleed coohng caused                                     !

through failure of the pressurizer PORV or the j operator, j Dominant Sequence 4.4E 07 8.9 Imes ofIA causes Rx trip due to loss of MFW. RCP seal cooling is successful but 11,12 and 22 AFW pumps fail to run so 21 AFW pump

                                                                          ,,                                                        cannot be used for Unit 1. Feed and bleed fails                             i due to loss of IA and level snetoration of MFW
    .                                                                                                                               is ===-ful.                                                                 l SLL - Lar3e/ Medium                                     8.3E-06           16.6      His class includes medium (break size range:                              .

LOCA with late core 5-12 inches) or large (break size at 12 inches) damage at low RCS LOCAs in which short term inventory using SI pressures or RHR 'is successful but the operators fail to r switeb to recirculatico before the RWST is depleted causing injection to fait lendag to core uncovery. Dommant (large LOCA) 2.5E 06 5 Successful abost-term RCS inventory. Iong Sequence earm RCS inventory fails des to operstar error in laning up for recirculation. Dominant (Medium LOCA) 2.2E 06 4.J Successful seactor trip and short-earm RCS Sequence inventory. Long term RCS inventory fails due to opentor error in lining up for recirculation. s f . S 30 'r

p. _ . _ , _ _ _ , . _ - _ . ..-- _ _ _ _ . , . _ , . . . . . _ . . . _ .

 ~ - - - ,                      . -               _,                   ,

                                                                                                      ~
                               . Table 8 Imading Accident Classes and Core Damage Sequences by Accideat Class

Aed.*mt Cia d

{ -Accident Class Deng tor and w% gg ,g " CDF %g rhaminant Sequence Description (per r. year) Total CDF - SEH - Small LOCA with 8.3E 06 16.4 h esquences within this class are ) early core damese at high abaractensed by either a small LOCA (break RCS prewures aime range: 0.375 - 5 inches) on RCP seal LOCAs caused by a LOOP loss of train A DC 1 power or loss of cooling water. Secondary j ooohng using either MFW or AFW is ' sucomesful but abort-term RCS investory fails

  !                                                          .                           due to failure of the SI system.

Denant Sequence d.3E47 J.3 Imes of cooling water causes seactor trip due to loss of CC to the RCP motors. Imss of CL i causes loss of chilled water and thus loss of ' scom ocohng to the 480 V safeguards bus t ,' scoms. This results in the 480 V AC bus failure causing loss of all charging pumps leading to an RCP seal LOCA that cannot be integrated by the SI pumps as they beve lost CC cooling to their lubs oil coolers. Local operator action to restore cooling water and 480 1 4 V bus room cooling also fail. ) GLH - SGTR with late 6E 06 12 ' lie accident class is charactenaed by SGTR in oore damage at high RCS which reactor trip, ==aaadag cooling, abort-  ; 3 pressure term RCS inventory and ruptured SG isolation  ; are sucomesful. 'Ibe operator then fails to l cooldown and depressurize the RCS before the i suptured SG overfills. Rehof sticks open and I l ee operator fails to cooldown and depressunse the RCS to RHP. ebutdown cooling (SDC) temperature and pressure before RWST j depletion occurs which causes loss of SI  ; inqjection and subsequent oore damage. J Dominant Sequence J.JE 06 2.1 SGTR with opersw failing to cooldown and  ! depressurias the RCS before reptwed SG overfill. The relief sticks open followed by the operator failing to cooldown and 4., nize the RCS to RHR SDC temperstwo and pressure before RWST depletion, [ r . 31 p**- -~--e=4 ,-,.. .. ++ - .+- *. - - ,w . . .

~I Tcble 8 Leading Accident Classes and Core Damage Sequences by Accident Ciass ** fr . Accident Class and i Accident Class nn-1 .d Sequence j -Accident Class Characterhation and l i_ o .l_.. CDF S of Dosninant Sequence Description j (per r. year) Total CDF ?I BEH-NOPWR SBO 2.8E-06 5.6 Sequences within this class are characterned by fl

• with early core damage at as SBO with successful TDAFW pump. He high RCS promouves operator is successful in cooling down and

                 )

4 depressurizing,tbe RCS with the SG PORVs to minimi= RCP esel leakage. Then he fails to seetore both offsite and onsite AC power before

                                                                                                                                     ********"1 i                                             Dominant Sequance                                 2.JE 07               0.5             LOOP and subsequent comunas canes failure of

!) four DGs. To AFW pump runs for 2 hours !I before baneries are depleted med SG level instr-*= tion is lost. The operator is successful to depressurize the SGs with SG i PORVs to reduce RCP seal leakage but he fails i!

• to restore offsite and onsite AC power at 5 hours.

SLH - Small LOCA with 2.4E 06 4.8 His class can be characterund by a small i late core damage at high LOCA (break reage: .375 - 5 inches) in which RCS sneeures 3 , secondary cooling and abort term RCS j , inventory using SI pumps is successM. The iT eparator then fails to cooldown and -

               ;                                                                                                                     depressurias the RCS to allow use of RHR obutdown cooling before RWST depletion 4

l eccurs. High head recirculation fails due to equipment failure or operator action. The core uncovers and is damaged due to loss of snakeup espability, iI Dominant Sequence 3.5E 07 0. 7 Small LOCA, sucomesful Rx trip, ==randary T ~ cooling and abort term RCS inventory. RCS

               ;                                                                                                                      econdown and depreneurhation to RHR SDC
               ;                                                                                                                      conditions is also nuncessful but the CC valves
               ;                                                                                                                      to the RHR heat enchangers fail to open failing

! -RHR recirculation. Local attempts at recovery fi areuneuocessful. ll .. . . .

1 if Il 32 ii 4

h I h; I i ! 5 e < -we.-- n _-w w . . .n. ~~~~w _m.-- ~- 9 ..p . 9 m, - 7 -- 4

            ~

!J t.. i; Table 8 Imading Accident Classes and Core Damage Sequeness by Accident Class i; ) i

;* Aacident Clam ad

Accident Class Dominant "gm p

                                                            *"                                               'Am m wh w

[ on CDF S of Desninant W W

'I                                                                       (per r. year)   Total CDF
       !                                  V -Interfacing Systems            2.3E-07           0.5      This class consists ofinterfacing systems j l                                        LOCA                                                         LOCAs with a bypassed containment. ISLOCA ll                                                                                    ,

pathways include: i: a) RHR to RCS loop B recurs lias; isolatson I configwation: 2 abeck valves and a sonnally closed MOV,

!,                                                                                                      b) RHR suction imm loops A and B, isolation

'g

• configuration: 2 monnally closed MOVs, c) Reactor vessel low band issection line; jl isolation
• configuration: 2 check valves.

j_ rw:-, Sequence . 5.5E.08 0.1 Chtsstrophic failure of both of RHR series loop l, A suctice isolation motor valves followed by ,' the failure of both of the RHR pump seals i enusing small LOCA outside contaiamant. The operator is na=w-=ful in coolmg down and lI depressurizing the RCS before RWST j, depletion. i i i 2>3 Human Reliability Analysis Technical Review i.e 2.3.1 P w-Initiator Human Actions Errors in the performance of pre Inittstar human actions (such as failure to restore or properly align l, equipment after testing or malatannae*, or miscalibration of system logic instrumantation), snay cause components, trains, or entire systems to be unavailable on demand during an initiating event. 'Ibe review of the human reliability analysis (HRA) portion of the IPE *a=1= the licensee's HRA process to

                                 . determine the extent to which pre-initiator human events were considered, how potential events were
       ;                            identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the t                            processes used to account for plant specific performance shaping factors (PSPs), recovery factors, and dependencies among multiple actions.

l 2.3.1.1 Types of Pre-Initiator Bisman Actions Considered I The Prairie Island IPE considered both of es traditional types of pre initiator homen accions: dailures to restore systems aAer test, ==iah=aare, or surveillanos activities and instnuneet miscalibrations. However, while a fairly { , brand range of failurs to restore events was modeled in the fault trees, miscalibration events were act expbcitly - l k modeled. Instead, miscah% ration of various sensors and instnanents was " treated through the inclusion of commnon i j , - cause failure modeling for the sensors or instruments themselves.* In other words, the common eense failure { probability for a group of related instnaments was soeumed to include the potential failure due to - cause t muscabbration. The a6mittal argues that because of =Asadaary in betrumaa*=tiaa for activation of safety systems,

       }                             - cause failures (and miscabbrations) of sensors were detennined to be insignificant contributors to plant 1                                                                                                                                                      i 33 i                                                                                                                                                      !

i 4 i

       "                                                                                                                                                      l

a . .

                                                                                           ~

sisk." While there are >====ht* aspects of such an argument, h abauld be aosed that miscalibraban events havs { been explicitly anodeled in other IPEs and in some instances have basa shown to be significant contributors nus, e the licesase's treatment of mindbestion evuoss anny have precluded identificauon of important pre-initiator events

  !             and is therefore a w==kaa== of the HRA.

t 2.3.1.2 Process for Identification and War *ia= ef Pre-Initiator Banan Actions I *

             - In the licensee's response to an NRC request for additional information (RAI), k was indicated that
            . errors committed during corrective and preventative maintenance and testing (including those during refueling outages) wem considered and their applicability was evaluated during development of the fault trees by reviewing operating procedures, malaten== procedures, administrative control dommante, and EOPs. Testing and maintenance procedures were reviewed to determine if any component is effectively                                              <

I disabled and cannot automatically be restored or realigned on an appropriate initiating signal. If so, then a basic event was added to the fault tree to reflect the potential for failure to restore. However, if an indication of the misalignment is given in the control room, the event was not modeled. If some other indication is given in areas toured by operators during rounds, the error was only considered for the interval between rounds. While no explicit statements regarding discussions with plant personnel on the interpretation and knplementation of procedures were provided, it appears that relevant information sources were examined and that factors which could influence the probability of pre-initiator restoration failures were considered. 2.3.1.3 Screening Process for Pre Initiator Emman Actions

                  *Ibe licensee stated that no screening valus were used when modeling pre-initiator human errors. As will be dkmuM in the next section, values were calculated for all the restoration events that were modeled.

For pre initiator ev.ents included in the fault trees that were later determined to result in indications occurring in the control room, their failure probabilities were set to zero and they were left in the models "for possible use in sensitivity studies." T' 2.3.1.4 Quantification of Pre Initiator Banan Actions l Restoration of components with maintannace procedures calling for post-maintannw verification of 1 component status were assigned HEPs of 0.003. A failure to restore probability of 0.01 was assigned to 9 =i-:-+ without such a verification. Plant-specific component unavailabilities were then calculated l using the HEPs in conjunction with factors such as maintenance frequency and duration, test frequency and interval, refueling outage frequency, and time from completion of the corrective maintan== to the votest of the component. The unavailability equation was indicated as being from ASME paper 91-JPGC- i NE-!! and eppeared reasonable. 'Ibe basis for the selected HEPs was not provided, but the values are tensonable and consistent with those that would be obtained using the method described in NUREGICR- ' 4772 (ASEP) for quantifying pre-initiators. Given plant practices regarding maintanaw of separate

 ;                 trains, all restoration failures were considered independent events. Dependencies associated with miscalibrations were at least indirectly covered by grouping instruments according to potential common
 !                 cause failure mechanisms. Similar instruments would probably have similar calibration procedures, but i              , other factors such as the plant schedule for calibrations could also have been relevant.

34

u ! 2.3.2 Post-Initiator Hurnan Actions Ii

• Post-initiator human actinat are those required in response to initiating events or related system failures.

l! j{ Although different labels are often applied, there are two important types of post-initiator human actions ' I that are usually addressed in PRAs: respoese actions and recovery actions. Response actions are generally l} distinguished frorn recovery actions in that response azions are usually explicitly directed by emergency cperating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover ll- a specific system in time to prevent undesired consequences. Recovery actions may entail going beyond l! EOP directives and usirgg systems in relatively unusual ways. Credit for recovery actions is normally not jj taken unless at least some procedural guidance is avaliable. l{ De review of the human reliability analysis (HRA) portion of the IPE determines the types of post-inhiator hurrr.n aabas considered by the licensee and evaluates the processes used to identify and select, ll [ acreen, anc quantify the post-initiator actions. De licensees treatment of operator action timing, j! dependerzies among human actions, considention of accident context, and consideration of plant specific j1 PSFs !s also examined. i i , 2.3.2.1 Types of Post-Initiator fiumt.c. Aetions Considered De Prairie Island IPE a6 dressed both risponse and recovery type post-initiator human actions. Response i; type actions were those mxleled only when clear procedural guidance (normal, abnormal, or emergency i; procedures) existed for the operator. Recovery actions included cases where procedural guidance may not have been available, but "the operators training or knowledge are assumed to lead him to perform the required action.." Repair activities (e.g., restoration of instrument air or component cooling water), -

   ;                   local operation of systems (e.g., manual opening of valves), and recovery of offsite power or a DG are examples of recovery events modeled in the IPE. Eleven recovery events are described in the submittal
  ;                    and none appeared to require extraordinary behavior on the part of the operators.

t 2.3.2.2 Process for Identification and LRarelaa of Phst-InitiatorBanan Areianc

  !                    A detailed discussion of the initial process for the identification and selection of post-initiator human actions was not provided by the licensee. However, k is noted in the submittal that "only those post-7 accidet operaeor actions required to initiate systems... wete included in the fault trees." Dese actions were described as being based on normal, abnormal, and emergency procedures. Operator actions in l                    response to equipment failures were not modeled until after the sequence cutsets were generated. If more than one operator action occurred in the same cutset, *elther independence of the human actions was confirmed, or a change was made to correctly snodel dependence between human errors." The

[ i subminal also indicated that in the % man factors review performed in support of the HRA," walkdowns

  ;                     of selected local and control room panel operator actions were performed to verify r plans and to
  ;                     "look for factors not previously considered." In addition, control room personnel were interviewed to i                     discuss roles and responsibilities during actions, timing of actions, and performance of specific actions.

t ' hus, k appears that activities were c=whuvad that would to help ensure appropriate modeling of operator l actions. I i , 2.3.2.3 Screening Process for Post-Initiator Rasponse Actions De submhtal indicates that acreening values were assigned "by following a flow chart and answering a

   ;                    series of questions." Neither the q==rinns nor the flow chart was provided, but " plant-specific mattmatn 35 I

p- .--.-s. . - - - - _ . , . _ _ _ . .

                                                                                                                                    - ~ . - -

l, * ' 4

J of the time available to initiate and perform the action" and "PSFs newimM with degree cf difficulty -

,y and stress" were considered. He screening HEPs were based on the Handbook (NUREGICR 1278), 1- Wash-1400 (NUREG-75/014), and "the daa sources used in the IDCOR BWR IPE methodology." Thus, at a minimum a systematic approach was taken in the assignment of post-initiator screening values. }lf i Examples of typical opersor actions and their ==aelad screening values were presented in Table 3.3-10 { of abe submittal. While some of these values (e.g.,1.0E-4 and 1.0E 3) might normally be considered l non-conservative for screening values, they may be justified given the apparent detailed screening analysis j, and the licensee's consideration of dependencies (as is discussed further below). As noted above, the i licensee indicsed that if more than one operator action occurred in the same cutset, "elther independence j of the human actions was confirmed, or a change was made to correctly model dependence between

, human errors." Furthermore, in response to an additional NRC RAI on the consideration of

! dependencies, the licensee stated that each operator action was =aralaM when k was calculsed, to l determine which operator amions were dependent due to the same cognitive process. Actiocs determined j to ame the same cognitive process were given large screening values to ensure that they wwe not truncated

- from the final core damage sequence equation. He final values of these operator actions were later set

!f to values that appear in the relevant tables in the submittal. The licensee also noted that all but six of lj the seventeen human actions left at screening values did appear in the final CDF or containment failure j' seguence equations. De r===talag six actions were said to be unlikely to ever appear in risk significant !, sequences, since they must fail in conjunction with highly reliable components. Dus, the licensees !' screening approach appears to have precluded inappropriate truncation. The licensee also noted that the !4 HEPs obtained for the human actions receiving detailed analysis were "at about the same value or lower ! than the screening analysis results." i i 2.3.2.4 Quantification of Post-Initiator Bisman Actions l~ j' - Pbst-Initiator response type actions found to be important received detailed HEP development. An action i was important if it contributed significantly to baseline core probability or "if a change in the failure rate l could cause significant increase in overall core damage probability." Most of the actions receiving i* daniled analysis were quantified with the ASEP method (NUREG/CR 4772). De response to the NRC

 !                . RAI states that a more refined estimate for the five most important human actions was obtained using the
                 ' 'DIERP Handbook (NURG/CR-1278). He five actions quantified with the Handbook included actions
 ;                   associated with transferring to recirculation following a 14CA and cooling down and depii                Ling t                   during a steam generator tube rupture. De values for the transfer to recirculation ranged from 0.0012
 ;                   to 0.008 and the values for cooldown were 0.011 and 0.0065. While none of these values are grossly anennaleme widi values ibr shnHar events in asher IPEs, k did appear that the switchover to recirculation i                   HEPs could be apet=1*1c given the available time frames for the small, medium, and large LOCA annarios. A description of how these values were obtained using the Handbook mahadology was not provided in the subminal or in the licensee's response to the initial RA1. He submittal does note that the analysis was similar to that used in ASEP, ascept that more detailed analysis is performed for types of procedures used (with or without sign offs), verification steps, crew size and crew response timing, errors of omission and commission, timing, expected stress and dependencies between operator actions.
 ,                   la response to an additional NRC RAI regarding the events quantified with the THERP Handbook, the                    .

j licensee provided detalled calenimian sheets 111ustrating how the HEPs were obtained for the switchover

 ;                   to rect tulation events. While the analyses were reasonable, the licensee apparently took some credit for I                    diagnosis of a 1.OCA and the eventual need for swiedever prior to the occurrence of the low RWST level              -

i alarm. His alarm is apparently the primary cue for the switebover action. De THERP annunciator naponse model was used to determine the post RWST level alarm HEP and the time based cue response i . 36 i i

 +

E p_ - __- - - -. .__ ~ - - , - - - . _ . - -

1 1 . . I . I 1I ,s.- . }} model was used to determine the HEP for diagnosis prior to the occurrence of the critical cue. De l !{_ analysts assumptions were not unreasonable and the approach was consistent with the application of THERP. Given other conservatisms noted by the licensee in the analysis of these events (e.g., l} conservative estimates of time available), the obtained HEPs appear reasonable. ,, j ! A description of the application of the ASEP methodology to the other events appeared aound. A review I* of the obtained values suggested a tendency toward conservatism, as was noted by the licensee and as is i generally the case with applications of ASEP (see Table 3.3-3 of the submittal). The licensee also noted j tha a relatively conservative diagnosis time was assumed for feed and bleed and that the same time was j applied in all instances of the events quantification. Dis approach has the potential to lead to pessimistic j3 HEPs for some cases of feed and bleed.

                    .33.2.4J        Endmates and Consideradon qf Operator Regense 1bne 1

4 . l} 'Ibe determination of the time available for operators to diagnose and perform event related actions is a l l critical aspect of HRA methods which rely on TRCs, such as the ASEP methodology. In the licensee's j* discussion of the application of the method, k is clear that appropriate timing parameters were considered.

MAAP runs were used to determine the latest time an operator action could be completed and guidance i from ASEP was used to assess the time needed to complete actions in control room. For action times j,' outside the control room, an engineer and former SRO was consulted and confirmatory walkdowns were r  : performed in some cases. The time at which a compelling signal is received was considered and

diagnosis times were computed. Examples indicated appropriate use of the timing parammers within the application of the method.

                    ,23.2.4.2       Other Perfonnance Shaping finctors Considered As noted above, the application of the Handbook to five important human actions involved detailed consideration of a set of important PSFs. De PSFs addressed in the application of ASEP included             ;

training, practice during simulator training, and whether the event was covered in the EOPs. In addition, she existence of written procedures for conducting the action, whether the procedural actions were step-by-step or dynamic, stress level, alze of crew and time available for recovery credit were considered.

                      'Ibese PSFs are those normally considered in apply *mg the ASEP methodology.

De submittal also stated that the " control room design review" was reviewed and that walkdowns of

                                                                                                                  ~

selected operator actions and control room panels were made to look for factors not previously considered. Whether and how these factors influenced resulting HEPs outside of the basic treatmant of

  !                    PSPs by the HRA methods was not discussed.

23.2.43 Considendon ofDependenties i ho basic types of dependencies are normally considered in quantifying post-taltiator' human actions:

1) time dependence and 2) dependencies between multiple actions in a sequence or cut net. One type of i time dependence is concemed with the fact that the time needed to perform an action influences the time

available to recognize that a problem has wi4 and to diagnose the need for an action. Dis type of

          .             time dependence was trested in using the ASEP quantification approach. De licensee's response to the l                    RAI also noted that the same timing parameters were used in applying the handbook method.

37 e y e = w we,wm+-,. , -.w.e eena.----,-- - * - --- --%.a ,, ,,- , , m# .._,

L -

• i

'I . i! Another aspect of time dependence is that when sequential actions we considered, the time to complete 'f one action will impact the time available to complete another. Similarly, the sooner one action is ii performed, the slower or quicker the condition of the plant changes. His type of time dependeace is !{ aormally addressed by making conservative assumptions whb respect to accident sequence definitions. l! One aspect of this approach is to let the timing of the Grst action in a sequence initially almmize the time

E window for subsequent actions. De occurrence of cues for later actions are then used as new time origins. Although not explicitly discussed, the lie === clear evaluation of timing factors and i ;[ consideration of dependencies appeared to cover this type of dependence.

1I De second type of dependence considers the extent to which the failure probabilities of multiple human 1j actions witnin a sequence or cutset are related. Dere are clearly cases where the context of the accident and the pattern of successa and failure can influence the pmbability of human error. Dus, in many cases k would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would ji be independent. Furthermore, uontext effects abould be examined evac for slagle actions in a cut set.

While the same basic action can be asked in a number of different sequences, different contexts can i? obviously lead to different likelihoods of success. Several discaissions in the submittal and in the 5

licensee's responses to the RAls indics's that potential dependencies among the operator actions were ji appropriately considered.

ii l' 23.2.4.4 Quangliandon of Recewy type Asdons lt

• De licensee's response to the RAI indicated that all recovery probabilities (with a coupi6 of exceptions)

{i were derived from NSAC-161, " Faulted Systems Recovery Experience" and that recovery actions were i l' culy added to cutsets when it was apparent that an operator would have sufficient time to perform the i aWhional action. Local recovery of valves which failed to open or close was credited only when there , was control room indication of valve position and the valve was easily accessible . A non recovery l l pmbability of 0.025.was assigned to these events. Recovery of equipment such as pcmps had the same

    ~
                                                                                                                                       )

criteria, but the non-recovery probability was "approximately 0.5." i lf %e validity of the derivation of HEPs for .~ y actions from NSAC - 161 was addressed in an l additional RAI to the licensee. De RAI suggested that the nature of the grouping of different recoveries

   ;               in NSAC-161 is fairly " coarse." And that in many cases the grouping appears to be " mixing apples and i!               -oranges." A discussion of the derivation process for recovery HEPs (with examples) was requested.

I r In response, the licensee demonstrated that a thoughtful analysis of the data in NSAC - 161 was i condnaed and that an attempt was made to use the most appropriate information. While k oocid still be e argued that the data in NSAC - 161 is insufficient in many cases for the derivation of recovery HEPs for j, PRA use, the examples provided by the licensee suggested that the data was used conservatively. , lr 3JJ.43 Ruman Asdons in ne Moodin Aan&ds Opensor amions were appaready not quantified in the Prairie Island IPE. However, the submittal states ji that "the minimum time allowed for a zone to Sood was based on the indications that the operators would

i receive to alert them to the Dood." Operators were assumed to find end isolate the source of flooding l! in 20 minutan if an alarm or other indication would tell them azactly where the Sooding was occurring.

ii If the indication occurs, but does not tall thesn azactly where the Sood is located, then 60 minutes is

                 ' assumed before they will isolate the leak. If no indication is given, k was amen =M that the operators ifj5                 would find and isolate the flood during their sounds wkbin three hour .                                         -

h No other discussion of operator actions in regard to the flooding analysis was found. n p 38 ( - 1: w - ._ _ - -

I i - 23.2.4.6 haan Asdons in the Lael 2 Analyds

i A review of the Prairie Island Lovel 2 analysis failed to find any discussion of the quantification of l{l operator actions. Apparently RCS depressurization was discussed, but the related operator action and

                                                                         ~

j. Its quantification was not addressed.

                                                                                                                ~                              '

!! 2.3.2.5 baportant Hassan Actions !) I. 1be Prairie Island IPE provided a list ofimportant human actions as determined on the basis of a Fussel-Veely analysis. Events identified as - *ia= ibr snore than 1% of the total CDF and their HEPs are presented below in Table 9. Each event's percent contribution to CDF is also listed. !{ i! A review of the HEPs associated with each event did not bientify any events with an HEP that would be considered inconsistent with failure probabilities obtained for almilar events in different plants or that ![' . appeared to be excessively low. i i; Table 9 Important Human Acilons i!.. - Event Description (percent contribution to CDF) ,y j Bleed and feed (no "S" signal)- for alngle operator action cutsets G.2%) 0.039 1 Cooldown and depressurize RCS to stop tube leak br/ ore SG overfill (6.7%). 0.011 } lI Transfer to recirculation during large LOCA (5.0%) 0.0084 Transfer to recirculation during medium LOCA (4.3%) 0.0027 Open doors on loss of room cooling (3.4%) 0.067 l Cross tie to unit 2 motor driven AFW pump (3.2%) 0.032 I Cooldown and depressurize RCS to stop tube leak qtter SG overfill (2.2%). 0.0065 l Transfer unit 2 AC to unit I during unit 1 SBO (1.3%). 0.0032 Bleed and feed (no "S" signal)- for multiple operator action cutsats (1.7%) 0.071 2.4 Back End Technical Review

                                                                                                              ~

i , 2.4.1 Containment Analysis /Characterhation t

2.4.!.1 Phug end Back end W f .

1he laterfaces between the tonand and back end analyses are provided in the IPE by the definitio'n of 14 sa:idna dasses (ACs). rwinirian ofIbe accident classed is discussed in Socsion 4.3 of the IPE mhrninal. 'Ibe parameters used in the IPE to define ibe ACh include: [ 39 1 t I

i '[  ! 1. 2. Accident initimor, Core melt timing,

                                                                                                         ~

l l

         ;                                 3. RCS pressure at the time of core melt.                                                            ,

_ ...___ ._. . . - .J

1he as:ident ininmors br the AO analymd in the Prairie Island FE include transient, station blackout (SBO),

           ,                LOCA, SUIR, ISLOCA, and ATWS.1he timing of core melt depends primarily on whether core melt is *

( samed by irsemion (earty) or recinadation failure (late), aw! RCS presure, which is denned in the PE as the primary system pressure being high enough so entrain the core debris out of the esvhy upon vessel failure, 4 d9 mds on the type of accident initiators. For example, sacept for the accident classes involving snedium and 4 inrge IDCA sequences, the RCS pressure for the accident classes imelving other accident sequences is high. The ar==teinn=1 probabuities of the AQ for the various accident initimors are: 23% for small LOCA Q ACs),

         ,                  22% br transient Q ACs),19% for haarnal Sooding Q ACs),16% for medium or large LOCA Q ACs),13%

tr SGIR Q ACs),6% for SBO (1 AC),0.6% hr A'!WS Q ACs), and 0.4% for ISLOCA (1 AC). The most pmbable AC h 'JHE Q0% CDF), an AC with aa:ident sequences inhiated by transient initiators with early core ask and high RCS pnssure. This is fauowed by FEH (19% CDF), an AC initiated by internal Gooding, with early core melt and high RCS pressure. Unlike the PDSs used in some other FEs, the availability of mnrninment systems are not explicitly included in the dennhion of the ACs in the Pmirie Island IPE. In the Prairie Island IPE, containment systen fauh trees (for comainment spray injection, containmars spray recirculation, and containment fan coil units) are quantified as frontline systems, along with the Level I frontline and support systan fault trees, using linked fault tree

models. The containmers symams fauk noe outsets are Iqut to the CET branches as necessary to support CET quann5 cation.

[ The ACs denned in the Prairie Island IPE to provide frontend back end dapanriancies for the 1mel 2 analysis i

                          , of theIPE seem @a Ahhough their dennition does not include the parameters indicating the availability
                          . of containment synems, the use of fault true linking to determine their availability in CET quantification seems           l

- adegume.

                         )14.1.2 Centainment Event Tree Devanag====r                                                  _

L Pmbabuity quantification of severe accident progression is performed using containment event trees (CETs). Ibe development of the CETs is discussed in Sections 4.5 of the FE pe=nkr=1. Five CETs are W in

     ;                       the Prairie IPE for the 14 pocident classes ahrainart in the FE. The CETs includes the following top events:
     ;                                      1. Accident class,

2. Bypass due to SGIR,

3. r~ala aaa' isolation,

4. Inwessel ,wsry, j 5. Reactor depnssurization,

    ;                                       6. Early mnentament challenges, 1

7. Ex vessel 1:section, ,

s. cane ta nent pnssum control,

9. Fission product scrubbing .eme 1,=naar Spray.

I Figms 4.5-1 through 455 of the enhenkr=1 show the struaures of the five CETs. Figure 4.5-2, the CET for j SBO accident class with early core meh, bciudes an additional top eveint to address the probability of ac power

     .                                                                              40 i
    ?

t n-.- - - - - - - . . . _ _ _ . _ _..

t i . 1 i {.- i vuxr.wy. the CETs in the Prairie Island PE have from 22 (fbr medium or large LOCA wkb lae core melt)

                                                                                                                                     \
                                                                                                                                     )

j so 49 and states (for SBO with early core melt). Since matairunent failure is assured for ISLOCA and SGTR 1 l accident sequences 0.e., by containment bypass), CETs are not developed for the ACs ==ceistad with these aequences and all of the them are === mad in the FE to lead to aantalamm bypass. In general, the CETs

 -!            developed in the Prairie Island PE are well structured and easy to understand. The top wants of the CET g             emer the importars issues that determine the RCS integrity, ent=In=m response, and wentual release from j              the containment.                                                                                                     l The quanofication of the CET in the Prahie Island PE is based cLn plant speelBc pherv=nanatogical waluations.

i 1he evaluadons include modeling and bounding calminciant Osased upon experimental data), consideration of phenomenological uncertairsies, and MAAP calcadations. In general,Ibe quantification process used in the FE

is symemade and traceable. Although the value assigned in 6e FE asem adequae, their M cannot be i verified in this te&nical evaluation report because of the limited scope of abis waluation. Some items that are of interest are discussed in the following.

i

 ,I
 ;              Castainment Fallwr Mades not induded in GTQuan@lcation

]* '? Containment failure modes are discussed in Section 4.4 of the FE submittal. Although all isvaiam severe accident containment failure modes that are discussed in NUREG-1335 are addressed in the FE mbmittal, some of them are ignored and not evaluated in CET quantification. These include those associded with the melt through of the containment steel shall 0 e., liner melt through), vessel thrust forces, and thermal arts 4 of maMament penetrations. 1 The potanial failure of the steel shell due to diras contact whb molten corium is discussed in the FE submittal

  ,              and also in the licensee's response to the RAI (Level 2 Question 5). 'Ibe potential of containment shell melt-      )

i through exists only during high pressure melt ejection (HPME) den a significars amount of core debris is  ! dispersed to the outside of the reactor cavity and come into contact with the steel shell structure of the 4

• conninment. Two debris dispusion paths are identified and evalumed in the FE. 'Ibe first one is through the I instrument tunnel to the upper comism.sm, stking the cavity a the seal table strucsure; the ascond one is through the access batches from the containment to the instrument tunnel. Of the two paths, the second one

 ;               presents a more significart challenge to coarmlament integrhy.1he access baches to the instrument tunnel are
 +               in an open area on the basement level of the aantninmant, and for both of the Prairie Island units, one of the

two batches faces toward the steel *-a-t about 30 feet away, whb a largely unnherructed path in between. According to the licensee's response to the RAI (Level 2 Question 5), a scoping study performed

• in the FE shows that the temperature generated by the debris adhering to the mael wall is insuf5cient to melt

( the steel and brea& the containment even whb conservative assumptions about the mass, diarD=*ina, and best i generation of the debris expelled from the instrumrat tunnel. However, details of the scoplag study are not provided in the submnel and the potential effect of corium attack on reducing anarmlamaar pressure capability is not diamecad. f 1he probability of comainment failure he to vasel ibnat forces and thermal stack of anarniamm penetraions are daa==ad in Section 4.4.3 of the FE muhmittal. For thrust forces, an antimmte of the thrust force genermed

                  & sing HPME is runiaad and compared wkb the weight of the reactor vessel and the capabilky of the primary

' i shield wall acting as a restraint to determine the probability of anatalamm failure due to this "W.

        .         For thermal attack, the penetrations and the seal materials used for the penetrations are identified and waluated agains represanative sevue accidst temperature pronia to determine the potential of anat=1amm failure due to excessive lena: age from thermally degraded seals. Resuhs obtained in the FE show the the probabilities of containment failure from both of the above phaanmaan are negligible.

41 P

      . - - --                       - - - - - - - - - ~ _ - . . - - - . -              - - -                   _ __ - - - _ - _ - - - _. -

jf

• Contalmnent Failure Modet CoruMennt er Unfaely but laduded in CET QMm"s fI 7be mentnment failure modes that are considered as unlikely in the FE but are assigned a small failure ,

!;, probabiliry in CET quantification include those manadard with direct containment beating (DCH,1E-3), in-

venet steam explosion (Alpha mode faBurt,1E 4), en wessel maam explosion (IE-3), and hydrogen .Midon i F (5Fe3). Corsainmers innimion failure is also considered a unlikely but is evaluated in the CET quantification ,

j' using the data ottained in the =*=in=*=* halmian analysis (see Secsion 2.4.1.4 of this *IER). in the PE, duerministic evaluation of the espected peak pressures was performed for the phenomena that

  ,                 would eve containment pressure challenges (e.g., DCH and bydrogen bum). 'Ibe es'irnmed pressure loads

)' were 'onen cortpared wkh the containment fragility cauve to determine the probability c f containment failure. ! For stase phenomena with other coreninmme challenga (e.g., steam explosion), a etc61 nation of deterministic i analysen rad expert opinion found in the open literature is used to animma containment failure probability. Became of tre uncertainties associated wkh these phenomena, the values used in the PE for these phenomena l- are described a' qualnmively evaluated values (in the licensee's response to RAI 1Avel 2 Question 3). jt According m the discussion provided in the IPE =#unieral the valuec used in Ibe FE for these phanamaan seem l to be adequate. l' Containment Bypass and induced Steam Generator 1kbe RHprunt GSG3.% !. Casainment bypass is considered in the IPE a one of the dominant containment failure modes (Secsion 4.4.2). J- According to the Prairie Island IPE, containment bypass occurs for the SGTR and ISLOCA events, k also 4 occurs with an induced creep rupture of the steam generator tubes. As mentioned above, CETs are not developed for SGIR and ISLOCA m%r* clanes and containment bypass is assured for these accident classes.

'Ibeir contdbutions to the total CDF are 135 and 0.4%, respectively. On the other band, ISGIR is evaluated l, ^ 1n the CET as one of the CET top events (Semion 4.5.3.1). According to the PE, ISGIR occurs only for i- '. cases with the RCS a high pressure, wkb dry steam generators, and wkb the restan of the rencsor analant

• pumps (RCPs). Although the pmbabuity value used in CET quannfication for ISGTR is not pmvided in the y: - adunieral, results presented in the submktal show a significant contr u melan froen ISGTR (about 31% of CDF).

                      'Ibe high ISGrR probability obtained in the FE is primarily due to the procedures that call for the restan of 4e ROs under severe accident condmons. According to the licensee's response to the RAI (Level 2 Question                                    .

l? Ii~ 7), these emergmcy pmcedures bsve been changed to pmbibit the restart of a reactor malam pump with a dry

l. suam smensor under sevent accident conditions (based on recommendations imm the Westingbouse Owners l' Group). This procedure change is ==,=*ad to reduce algnihely the probability ofISG'rR. Because of the l! change of the EOPs, the C-Matrix provided in the Ilmaw's response to the RAI (Level 2 Question 7) does ji mot include the contribution from ISGTR.

h VenelRectnery Tee means for in vessel recovery are considered in the IPE: restoration of injection and er +essel cooling of in vessel core debris. According to the IPE, the recovery of core indemion bas minor e5ect on preventing pl l vessel failure 0.e., in*essel recovery). ' Ibis is because of the short time available for injurion recxrvery for . j; 6e core melt sagtunces in which core damage is caused by the loss of iq}emion (i.e., the early melt sequences). i' On the other band, external cooling is sammed very e5 scrive in provueting vessel faDare for core melt O asquences in which the RWFT water has been iq}ected into the maniam=* (and thus the lower vessel bend q is submerged). In the PE, the probabilky oflower bend failure is assumed to be 0.1 if the RWST bas been h iqiased. since significant uncertausy k maocised wkb ibis probabuky value, k is mciudad in se senskivky I 42 [ L f-

i"* ,

mudy. Results of the smshivity sudy shows tbst mneninawn failure probabilities are not significantly affected  !

! ,by the probability value used for this vesad cooling mode. Ahbough the sensitivhy studies perfonned in the Prairie Island PE shows little effect of ex vessel cooling on 1 i containment failure, source terms obtained from containment failure may be affected by ex vessel cooling l l because fission product produaion and release path are modified (e.g., in-vessel release from a dry debris i versus ex vessel release from a debris bed covered by waer). Since ex-vessel cooling is not included in the , MAAP model which is used in the FE for source term caladation, the source terms obtained for the casm whb l low precure v=el breach are used for cases with no vessel failure. k is argued in the licensee's response to j the RAI 0.evel 2 Question 1) that this is a conservative approach because the former involve the release of i non volatile fission products from core concrete interamion. However, no quantitative information is provided l h ibe response to support this argument. $ According to the data provided in the C-Matrh (provided in the limname's response to Ibe RAI, Invol 2 Quesdon 7), the probabilio; of in vessel recovery 0.e., no vessel failure) is over 99% for late core melt sequences and zero for erly core melt sequences. De frequency of all ACs that involve in vessel recovery is about 23% of total CDF. De primary contnbutor to this probability is medium or large 1.OCA with late core melt (15% CDF). His is followed by small LOCA (6% CDF) and transient (25 CDF). RCSDrpressuriration RCS depressurization is one of the CET sop events. According to the submhtal, RCS depressurization from abe operation of both the pressurizer PORVs and the steam generator PORVs are credited in the FE. However, because of time constraint, RCS depressurization by the above awhanisms is assumed to be successful only for late melt casm when vessel lower head penetration is delayed by ex vessel cooling. De conditional probability of all late failure sequences in which RCS depressuriution may be effemive is about 8% (of CDF). De primary contributor is small LOCA (6% CDF). His is followed by transient Q%) and A*IWS (0.4%). In addition to the above two machanlams, RCS depresurization by creep rupture of the RCS synem is also . credited in the FE. In the CET r**' dan. Ibis RCS depressurization nwhanian is considered to be effemive only if the core can be retained in the vessel for an extended period of time such tha the RCS pressure boundary can bested to tempermures that can muse creep rupture. It is assumed in abs PE that this is effecsive i enly if abe lower vessel head is submerged, and RCS depressurization is minas assured under this condition > (a probability value of 0.99). Because of uncertainties associated whb this nwhaninrn, k is included in the sensitivhy studies of the IPE.

                  - As demissed above, in the Prairie Island FE model, both in-vessel recovery 0.e., no vessel failure) and RCS 3                   depressurization are effective only for cases wkb the vessel lower beed submerged, occurring in accident classes with las core melt. For thesa cxident classes, the probabilhy of leevessel sw,4ri 0.e., no vessel failure) is over 995. Since there is no vessel lower head failure for these cases, RCS pressure is not significant and                ,

thus not reported in the IPE submhtal. For the . =t=t=51% of these accident classes, the RCS pressure is i ! , low. Derefore, for late core melt seguances, the RCS either rammina intaa or fails at low pnssure. s - Enfy Containment Failure ~ Although containment failure timing is defined in the Prairie Island IPE a relative to the dedaration of a General Emergency (Table 4.3-3), enriy mneminment failure modes considered in the CET involve those 43

t . I occurring ber= or a ihe time a vasa bosom bead es= (p 4.5-iO). De um mechanisms mnsidered h the CET for early containment failure include bydrogen burn berore or at RPV failure, direct containmert 3 basing (DCH), in-vessel and ex vessel maam explosions, and vessel bkmdown forces. As discussed above, , l . all of these phenomena are considered in the IPE as unlikely to cause containment failure. However, a small

 ;       containment failure probability is assigned in the IPE for CET quantification.                                                    l f      De freguency of early containmera failure h about 0.8% of total CDF. De acciders class that has the highest                       )

l conditional probability of early erumminmare failure is that associated with internal flooding (1%). His is  :

        'followed by medhun/large LOCA (0.9%), small LOCA (0.7%), and transiere and SBO (both of 0.6%).                                    l l

I Debrir Coolability amt Late Contalmnent Falla l IJte containment failure occurs if the debris discharged from the reamor vessel is not coolable or if all decay has semoval systems fall. Because of the thin debris layer exposed on the containment floor following vessel

 ,        failure Gess than 25 cm for Prairie Island), the debris is assumed to be coolable if the RWST water is injected

m the anneminmert. Exwessel debris is thus assumed to be quenched if one train of any of the following three systems works : high bead safety injection, low head safety injection, or nar*=inmaar spray.

 !         Even wkh a coolable debris, decay bem removal is still required for containment pressure control. ila the IPE, containment pressure control is assumed to be successful if one fan cooler unit or one train of RHR in recirculation is available. De only excep: ion to the above requirement is tha associated with high pressure melt ejecxion. Since a significant amount of core debris is expected to be relocated to the upper wowunent of the mntainment, which cannot be cooled by the water in the reactor cavity, successful opersion of 4          corsainmet spray is required to prevent long-term reveninment overpressure failure for this case. According to the CET results, containment overtemperature/ overpressure failure due to lack of debris cooling for the debris relocated to the upper ww,.ruusst is the most significant late containment failure mode (about 17%

5

         'of CDF). His is followed by that caused by the loss of all decay best removal systems (6% of CDF), and A       .basemat melt 4hrough when most of the debris rummina in the reacsor cavity (0.1%) with no cooling water.

De condaional probability of tse coreninment failure is about 23% of total CDF. De accident class that has l

'          the highest conditional pmbabUity of late containment failure is small LOCA (58%). His is followed by                           l l          transient (39%) and SBO (7%). He conditional probabilities of has containment failure for the remaining
        . accident classes (i.e., mediumharge LOCA, IFL, and ATWS) are less than 1%. Since the availability or                             i secovery of the containment systems are obtained in the CET quantification by fault tree linking and detailed 4           hformation is not provided in the IPE me=nimal or the Ikansee's reponse to the RAI (Level 2 question 3), the                   l l           sennons for the differences in ime failure probabilities for the different accident classes are not known. Since the spantification process for systern availability is Idarvie=1 to that used in I.evel 1, it is espeasd to be

. enadwantly maintained throughout the CET analysis. i

;          MHPCf M ECF3OI4I 1

Oedit is take in the IPE for fisskm produa scrubbing by the operation of enneminmara spray. Umirad credit is taken for the opersion of fan cooler unit. '. j 2.4.1.3 Centaimnent FaDure blodes and nahg b De Prairie Island containment ultimate strength evaluation is described in Section 4.4.1 of the IPE submittal. ) nurminmere failure pressures were r**=inad in the Prairie Island IPE by a simplified plant specific structural 1 1 f

ig* 4 - 3 ., i! analysis using aaual nutorial failure erass. r'areninmare failure presures were calmised for four locations. ), Uncertainties of corsainmmt failure pressures due to variability in material properties and analytical modeling

               'were animmM e establish containment fauure distributions. The assumed coefficists of variations (i.e., the j[*

atandard deviation divided by the mean) for Ibc four animmad failure pressures varied thxn 11% to 15%. ii e an=b failure pressure distributions for Prairie Island were then determined frtun the results r**=iaM for '! abe four failure pressures.1be median car ==*mman failure pressure r**=ined in the Prairie Island PE is 150 pSl8-i ! 1be mrrainmers faDure pressure and their distr #=ninna chtained in the Prairie Island FE seem to be annaler=* i with those obtained in other FEs. For Prairie Island, a large catastrophic failure of the steel sheU is assumed in the FE if containment is failed by overpressure. This seems adequate for the free standing steel abeu anr*=inmara aructures used in Prairie Island. i i

 ;              2.4.L4 r ne.i-nard Isolation Fhilurt Containment nonleinri fsBure is one of the top event in the Prairie Island CETs. The evaluation of containment isolmion is dan =ed in Semion 4.4.3 of the FE mewnle=1. Additional discussion is provided in the licemee's response to RAI (level 2 Question 4). In the IPE, only pipes with diammars greater than 2 inches are evaluated, and resuhs show that the probabilky of matainment isola:5on failure for Prairie Island is about SE 4 (Table 4.43). Because ofits small probability, enreninment isolation failure is identified in the PE as t:likely containment failure modes. Nonesbeless, containment isolation failure is included in the CET quantatation and three of the seventeen CET end states that are selected in the FE for source term calm 1miant molve enraalament isolmion failure. Based on the C-Matrix provided in the licensee's response to the RAl (IJvel 2 f>eian 7), the conditional probabilitis of containment isolation failure for the various accident classes vary from 0 (e.g., for transient with late core melt) to 6E 4 (i.e., for internal Sooding with early core melt). The conditional probability of containment enimian l      failure for aU accident classes is about 2E-4.

According to the descriptions provided in the PE submhtal and the licemee's respoese to the RAI, all five areas idatified in the Generic Latter regarding the evaluation of anr*=inman isolation fauure are addressed in I

                 ,tbe FE.                                                                                                                   )
 ~

2.4.13 System /HunnaResponses j

                                                                                                                                            \

Both primary and aaaaad=ry depressurizations are enneidared in the CET.1bese involve the opening of the l primary and secondary PORVs by opersor actions.1be probabHity of anocessful RCS depresurization is evaluated as part of Ibe fault tree linking and the probabHity values used in the CET quantification are not provided in the FE =4=nirent. Siruz RCS depresurization is considered only for accident classes with late core melt and high RCS presure, which corartstes only abow E5 of meal CDF, the effect of RCS depressuritation on CET quantification is not expected to be ='g "== i i Recovery of ac power is included in the SBO CET as one of the top events. Addiriaanfly, avaBability and/or

    ;               secovery of anreninmare systems may also be considered in the PE analyses'. The probabuity values used in I

[ ' Akbough apairs of iniled equipment is ===*inad in the FE =4=aiet=1 (e.g., p 4.5-12), secovery of 4 containmant systems probably is not sradiend in CET ry=reibeian It h assied in the risponse to one of the RAI questmas (Invel 2 Question 11) abat "No audit for ripair and recovey of enreminmmt spray socirculation was given in the baealme IPE analysis". Since the recovery of this systan would have the most signi&=nr effect on 45 a

c . i -

                                   .e FE fo, .e          e nems -- provided in e FE . - bn:.se .ey - - udmmed m ,oi. vaium

! but are obtained from equadons 64ed for the CEF event tree bendings by linked fault tree models , ,g traponse to Izvel 2 Question 3). Because they are not normal output to CET quantification and a significant i j; T

                                   ==v of effort would be requiraf to scalculme and report these values, they are not provided in the response.                      l in general, abe treatment of systern availability and recovery in the CET analysis is similar and revaiene to

}, dat used in the Level 1 analysis. - I Another hsue that is related to systen recovery is the change of procedures at Prairie Island that may affea i the availabilley of containment spray in reciradation. In the Prairie Island FE, me*minm=* apray in socirculanon mode is required to provide long4enn cooling of the debris relocated to the upper compartment so provus tate consninmara failure. Results of e Lky mullat abow that the probability of late avvalammt a failure incnmes significantly (from 21% to 63 %) if the relocated debris is not coolable. A almilar dange in , avenlamme failure probability is exposed if mremla==v sprey is not available. At the time of FE the transfer l to mrvninment spray recitadation was pmceduralmed in the plant EOPs. However, changes of the EOPs made ij after the FE has this guidance removed. 'Ibe potendal impact of this procedure change on CET ;= :~-='- a is asked in one of the RAI questions (Level 2 Quation 11). De licensee's response to this quesdon is to f ~ the long time recpired for aveniamme failure by this ==Annimm (on the order of 3 to 4 days) such ,. est ample time would be available to align the system for operation despite the unavailability of procedures.

it also emphashes the low source terms ==wv4 mat with sveninmas failure =ww4 mat wkb the loss of l, aveniam-t spray in recirculation anode.

I i 2.4.1.6 mhu. Release Characterbation ! *Ibe and stas of the CET ylefined as damage stas in the Prairie Island FE submittal) are discussed in Section

4.3.2 of the IPE submittal.11uw parametess are used to define a damage state. hey are

1; J. L Reactor status, i , ii. Containment status, and iii. Cnarminmara failure timing. ll i . l Table 4}3 of the FE submittal shows the values acceptable for these parameters. A total of 17 CET and states ], se de6ned in the Prairie Island IPE for source term definition. Source terms of are determined by the analyses

i. of repreamrative sequences using MAAP computer codes. - . .

I t 1be CET and states defined in the Prairie Island FE using the above three parameters me not as detaUed as tone defined in some other IPEs in which more parameter are considered. Although the approach used in the Prairie kland FE makes the CET simuhs more traceable, it may occasionally lead to the grouping of sequences !'j wbkb do not bebsve in an androly similar way. His is realized in the Prairie Island FE and anantina is paid I 1 on the selection of the accident sequences. From the descripdon provided in the FE mhmirem1 it seems that - l ! the CET and stue smuping for soures tunn Mairlaa in the Prairie Island IPE is adequate. I(  ! j~ . D e T T -- S

• remhs provided ki*nble 4.61 of the FE powahral abow 17 CET and states that have I j: man sero fr=% Among these TT and states are three bypass and states that are ahrelami directly from j A

sanovery of other contmiammt systems are notsaedned ' CET--*% 46 4 i em . ,_ - 4 - -4_m- ~ ~ . ., ,. ~ - .

1* l

}.

j- . l

               - 6e accident classes (i.e., two SG7R and one ISLOCA) and two induced SGTR and states.7he 12 non bypass

CET atstes include 4 with late mat =1amare failure,3 with early cruentarnent failure,2 with containment i Innistian failure, and three with no containment failure. Including induced SGIR2, the percentage contributions of there CET and states to the total CDF are 32% for no failure,23% for late failure,1% for early failure, 4

~

455 for bypass failors. The probabuky ofISGIR is about 30%. The probability of bypass failure is skunased by 30% and the probability of no faBure is increased by 30% ifISGIR is not included. l Source terms for the CET end stats are determined by accident progression analyses using MAAP code

,                  (MAAP 3.0B Revision 19.0). Source terms ahrainad froen the ==p- code calculations are presented in Table 4.7.-2 of the IPE subminal. Source terms are presented in these tables in terms of release fractions of some of the repramantative radionuclida (e.g., CsI).

De use of the computer code calculations for source term definition is discussed in the following section of this report. 2.4.2 Accident Progression and Containment Performance Analysis 2.4.2.1 Severe Accident T.,. ___*= Sequence selection for fission product release characterization is discussed in Section 4.7 of the Prairie Island IPE. According to the Prairie Island IPE, the purpose of sequence selection is to choose specific accident progression sequences that best appmulmate the representadve source term results for end relevant CET and states based on the consideration of the dominant sequence in each end state and other factors that influence the source term results. De ==gnWs of fission product release are taken directly from MAAP calcadations. Typically, the MAAP calculations are mnrinued for 48 hours from sequence insistion or for 24 hours following containment failure, whichever is longer. Results of MAAP calculations are shown in Table 4.7-2. According a the results priserted in the table, MAAP calculations are performed for the selected sequences for 11 of the

-                    17 CET and states. De release fractions for the r==1ala 6 CET and states are assigned the values ahrninad l

for the CET and states with more severe risults. De seguence selection and the assignment of release fractions i for source term determination seem adequate. i Because of the uncertaindes in the MAAP modeling of fission product behavior and variarians in the specific sequence definition, the representative source term results are further grouped to provide snore general conclusions about the risults. De smuping is based on the magnitudes of the release fractions of noble gases, volatile releases (characterized by Cs! and CSOH releases), and no Helatile releases (characterized by the largest of the tellurium, strontium, or barium release) Six pummary source term types art obtained by the grouping. Results of source term grouping shows that 31% of all core damage sequences has releases limited a those w w er4ing c to normal leakage (Type 1), and 52% has high noble gas releases, but wkh low (Ins shan 1 %) or low 4ow (ims than 0.1%) volatile and omseladie fission products releases (IYPE D). One CET and state in Type B that is of particadar interest is that associated with Iriduced SGIR (about 30% of total CDF). De low release for this bypass sequence is due e the assumption used in the IPE regarding r ee mese genermor valve conditions. k is asumed in the IPE that the steun genermor valves, whid open to i 8 Acconing to the bcensee's response to the RAI (Level 2 Q==rian 7) ISGTR is effectively precluded by a procedure change. De C-Matrix provided in the response does not include ISGTR. 47 A aummeh whWim.- m. -%hmeahw att "t'" ".-^ prrea- M3 aum

i setieve the steam generator presmre, would reclose successfully. His limits the release to a relatively short { duration puff, followed by a series of shorter puffs. All releases are terminated upon vessel failure when the primary systern depressurizes to matalament pressure, ne effect of the harsh environmental conditions on l

• i the proper operation of valves are discussed in the licensee's response to the RAI (Level 2 Question 6).

However, the concern over ISGTR may be moot because, at this point, the EOP to restarts the RCPs, the

      ~

pr' unary reason for the high ISGTR probability, is danged. If the probability of ISGTR is removed, the ,  ; probability of Type I release would increase from 31% to 60%, and the probability of Type Il release would decrease from 52% to 22%. [ The release types that have high aabte ga and volatBe fission products releases are Type V (14.6%) and Type VI (0.5%), both of whid involve mnenlamant bypass. Type V includes SGTR as an initiating event and ISGTR with the steam generator valves not resenting property. Type VI includes ISLOCA sequences, ne seguences that involve enriy containmers failure are grouped to Types III (0.3%) and IV (0.6%), both of which have relese fractions for volatile fission products releases between 1% to 10%. i r , ne sequences selected for source term analyses and the source terms definition used in the IPE seem to be adequate. 2.4.2.2 Dominant Contributors: r- , with IPE Insights CET end states (or containment failure modes) and their frequencies ahtninM from the Prairie Island CET quantification are discussed in Section 4.6 of the submittal. Table 10, below, shows a comparison of the conditional probabilities for the various aantalament failure modes ahtalad from the Prairie Island IPE witt those ahtalad from the Surry and 2.lon NUREG-1150 analyses.

                                               .            Table 10 Containment Failure as a Percentage of Total CDF i                                               Prairie Island Nuclear                        Zion l                                            Containment Failure Mode          %h                          NUREG-1150 IPE                                  1150 Early Failure                        0.8                    0.7           1.4 i                                                    Late Failure                        22.6                    5.9         24.0 Bypass                           44.7                    12.2          0.7 f

isolation Failure 0.02 * " j Intact 31.8 81.2 73.0 CDF (!Iry) 4.9E-5 4.0E-5 3.4E.4

                                   **The data pnsented for Prairie Island are based on Table 4.7-1 of the IPE submittal, widch inclutte the
   ;                                 contribution imm induced So7m 00% of CDF). According to the recensee's resposes to the RAI, ISGIR is effectively precluded by a procedure change mawM by the Westinghouse Owners Group and i                                 implanented at Prairie Island, ne probabnity of bypass failure would decreme, and intaca en==iament
  ;                                  increase, by 30% if ISGIR is elimlantM.
  !

• Included in Eariy Failure, approrimstaly 0.02%

j - "' Included in Eariy Failure appr=l=*1y 0 5%

  +                                                                                                                                                      ,

4: s-y,a . - - . - . . , . . - .

                        .---.-m.

4 I

f. ,

'i                                                                                                                                            i i-                                                                                                                                           1

! As shown in the above table, the condidonal pmbabilky of containment bypass for Prairie Island is 44.7% of

meal CDF. Most of k is from induced steam genermor tube rupture (30% of total CDF). Excluding ISGTR, i* cxstainmers bypass is primarily from SGTR as an initiating event (13.2%). He contribution from IS14CA

is small (0.5%), but k results in the highest releases. -.

  !                        ne conditional probability of early enneminment faDure for Prairie Island is about 0.8% of total CDP'. k is about equally contributed by internal Boodmg G8% of early failure), small 1.DCA G6%), transient GO%), and medsum/large LOCA GO%) accident classes. De contribution from SBO aequences is only about 6%. De i                        smser cunnhtion from SBO sequences is partly due to the low CDF of SBO sequences (about 6% of total CDF). Early containmers failure is primarily due to hydrogen burn with vessel breadi at high pressure G4%

j , of early failure CDF). De r lala 26% of early failure is also due to hydrogen burn, but wkh no vessel

   ;                       failure, primarily from medium /large LOCA sequences.

[, ne conditional probabDky oflate corsninmera faDure for Prairie Island is 22.6% of total CDF. More than half of this is from small LOCA sequences (59%), with most of the reruaining coming from transient sequences 08%). On a conditional basis,58% of small LOCA sequences result in late containment failure and 39% of l l transient sequences results in late containment failure. De contribution from SBO sequences to late i containment failure G% to total late failure CDF and 75 conditional probability) is relatively now in !, ciomparison with that from small LOCA or transient sequences. De low failure probability for SBO is probably due to ac recovery. De time allows for ac recovery is long for late anarninmera faDure. l 3 For Prairie Island, lue containment failure is % wily due to ovartemperature/ overpressure failure caused by i lack of cooling to the debris dispersed to outside of the reactor cavity G8% oflate failure CDF). Because a j significant amount of core debris is dispersed to outside the reactor cavity only in high pressure vessel failure l

cases, the conditional probability oflate mntainment fauure is low h accident classes that involve low pressure  !

j! vessel failure or no vessel failure (e.g., medium /large LOCA and the late core melt accident classes). Besides i s the above late failure mecharusm, another low-i late failure machanism is the loss of decay beat removal

   ;                       ,G2% oflate failure). he contribution from basemat melt-through is smrl! because core debris is assumed to i                             be coolable if RWST water is injected to the aantninmer .                                                        i 2.4.2.3 charneseriansen er the=I===-# hrformance ji                            As shown in Table 10, & Prairie Island Nuclear Generating Station, the core damage frequency (CDF) is lower than that obtained in NUREG-1150 for Zion but comparable to that obtained in NUREG-1150 for Surry.

}! Although the conditional probability of enar= lament bypass obtained in the Prairie Island IPE is significantly j greater than those obtainad in NUREG 1150 for Suny and Zion, k is simBar to that for Surry if the probability ofISGTR is eliminated. For the other failure modes, the conditional probability ofIse aantninmant failure for Prairie Island is similar to that h Zion and the probability of early ~ '. ..ent failure is between those i obtained in NUREG-1150 h Surry and Zion. De cantninment faDure profHe obtained in the Prairie Island 4 IPE is in general conelerant with those obtained in NUREG-1150. I l' -

• He fractional contributions discussed below are obtained from the C-Matrix provkled in the licensee's seapome to RAI (Level 2 Question 7). Dare are minor differences between the some values preamnead in the IPE submittal and those obtained from the C-Matrix (probably due to trunestian or roundoff armes).

t 49

                                                                                                                                    .- . . -- - - . - .l r                                                                                                                  .

l *

    !                         De C Marix, which shows the =driaani probabilities of CET ed mates (or containment failure modes) for f                         the accident classes (orPDSs), is provided in the licensee's response so RAI (Lavel 2 Question 7). De C-l                         Matrix provided in the response does not include ISGIR failure. According to the response, the procedure to i                          vastart the RCPs, which has a significant effect on ISGTR, is changed based on the recommendations of the r                          W=iadm** Owners Group. His change would in ansc1 eliminate the ISGIR challenge.

1 2.4.1.4 kapact en St *, ' Behavior ( s The effects of barsh environmental condition on Ibe operation of meenlarnent sprays and ennemiammt fan i coolers are not discussed in the CET q=r-:A of the IPE submittal but are discussed in the ficaaaaa's

   ;                          respose to RAI (Laval 2 (Miaa 9). In the response, the potential adverse effect of =*=la==t pressure ad temperature, radiation, and aerosol and debris on the opersion of containment spray and fan coolers are discussed. Although the effect of aerosols and debris on the operation of the above containment syntans are 3.

i not considered in CET quantification, the sensidvity studies performed in the FE can be used to address the effect of the loss of these systems on nnnenlamme failure. 2.4.2.5 Uncertainties and Sensitivity Aanlysis

   )

i' Sensitivhy studies are discussed in Section 4.8 of the FE submhtal. Two types of sensitivky studies were performed in the Prairie FE to determine key assumptions on the final results. De first type of senshrvity studies are probabilistic in nature and address uncertainties in the quandfication of the various nameniammt failure modes modeled in the CET. He second type of sensitivity studies involve daerminictic analyses, performed in the IPE to establish the assitivity of the I.mei 2 analysis to uncertainties in abe physical modeling of containment response and the source term.

                             'De senshivhy studies of the first type performed in the FE include:

4

1. Reternion of the debris in the reusar venel by adraarging the lower vessel head (i.e., ex vessel cooling

                            .           for in-vessel recovery),

2. Depressurization of the reactor by bot leg creep rupture,

3. Debris coolability in the reacsor cavhy, and

4. Cooling of the debris relocated to the upper parts of the onntainman following HPME.

1 - Resuhs of the smshivhy audies abow linie effect on -w niam-v failure probabuities by ibe n.=miviaa used for kwassel recovery bl ex vessel cooling and the assumption used for bot leg creep rupture (Etems 1 and 2 l above). On the other band, the asumption on 6e coolabilky of the debris in the seamor cavky has a 4,.T.,.- l effett on late containmert failure. Asanning abat the debris is not coolabuity and long-term en=ralan=* failure

  ;                             occurs one the debris is dish v4 from the reassor vessel (i.e., the vessel falls), the conditional probability of late containment failure would increase thxn 21% for Ibe base case to 63%. Consspondingly, the l

wwdeinna! probabuity of so aveniamant thilure is dennesed from 65% to 235. Since in Ibis asesitivity case l matalamme fauvre is assured if the vessel falls,6e cases for no mnenlan=* fauurs (23%) are largely made 4

  ;                             up of sequences in which the event is terminsad by ex vessel cooling (i.e., with the lower vessel bead submerged).                                                                                                            ,

f* For the remaining senskivky case,9weala==* fauure by the relocated debris is amanned to occur men whb 6e operation of containtnent sprays. Results obtained for this sensitivity case are simHar to those obtained for . the senshivity case on debris cootabHity in the tenmor envky (pensitivky case 3 above) - De conditional probabusy for ime failure incneses from 215 for the base case to 63% for the senskivky case. De simHarity 50 I i e-me .- --..o ...ww.- - - 18""' ~'N'*w - , -

j - i ) l i

    )                of thase two sensitivhy cases reflects abe fact that the sukrky of cost damage everts occur at high pressure            i i: !,     -

with a significant amount of debris relocmad to the upper comparanent. I[ Deterministic analyses of the following categories are performed in the FE to evaluate the uncertainties in physical modeling of cornminmant response and the source tenn: j 4 I

1. Core melt progression and inessel hydmgen generation,

   .                 2.         Natural circulation, induced ruptures of the primary system, and RCS prissure at vessel failure,

3. Fission product release and rwipu.' . .k,s, ,

j 4. En-vessel debris coolability, . 1

5. Energetic events in =alam and

6. Containment failure modes. .

4 1 l ] MAAP code is med for the sanskivity studies of the above issues, which are identified in the Prairie Island IPE 4! by the recommerwbrinnt made in the EPRI Guidance Document for performing sensitivity studies with MAAP i' 3.0B, the augmernations to these r-maMations provided in the NRC sponsored MAAP 3.0B code evaluation, and specific areas deemed kr.pura for Prairie Island. t

                      %e sensitivity studies provided in the Prairie Island IPE maams to'have addressed the issues of significant ancertainties in the IPE analysis.

2.5 Evaluation of Decay Heat Removal and CPI i ! 2.5.1 Evaluation of Decay Heat Raunoval 2.5.1.1 Examination of DHR 1 l2 %e IPE addresses decay heat removal (DHR). Several nuehnh of DHR are discussed, including secoulary cooldown and depnssurization (using either AFW or main feedwater providing the steam generator makeup), i feed and bleed (i.e., utilizing the Si pumps and p.- /- PORV), safety %W and recirculalon cooling y '(as provided by the SI and RHR systems), and sinadown cooling (by the RHR opersion) . -In addition _ enarninment cooling is mentioned. -

   )                  'De CDF contributions from endi of the individual DHR nuehna were not anti == tad either in the manW

- or in the RAI response. { i 2.5.1.2 Diverse Means of DHR I

                       'Ibe submhta! provides a faidy detaBed descripdon of endi of the diverse DHR capabilities at the Prairie Island

{ plant. De description includes a reheration of several specific ( maybe " unique") features of the systems involved in DHR and major modeling assumptions, a discussion of the effects of initiating events on the I , symms' unavansbuides, and a pnaarsmion of the : yuc i hardware failures and opersor enors contributing to these unavailabuities. f . The specific features that directly impace ibe abnity of the systems to provide DHR are described in Section 1.2 (" Key Features"). Therefore, they will not be discussed here again.

   ,                                                                                      51 f

i p= -..,iwy.-.md- . . . . . . , , ,-w., . . ,. . . _ _ .

     ._...- -                  - - .             -    ----.-- - -..-....                               -.-. . - - . . - - ~ _ .

iI lf t k b noteworthy that the seats relief part of the samadary side bem removal was ex modeled for the Prairie Island IPE. De licens6e's reason for k is the large divershy of means of meam removal. ("Following a l g rumaar trip, steam is relieved to the condenser through a single air opersed rnief valve or to the amosphere !l through four air operated valves. If the MSIVs should fall closed, steam rdief is possible through ar. air' '[' opersed PORV for each steam generator or throust five safay relief valva on and steam generamr,il of which are upstream of the MSIVs. In the event ofloss of air, DC control power or instmment power, stamm i . relief is assured through the five safety valves for and steam generator as they are not dependent on any support systems.") %erefore, k was assumed, tha the unavailabuhy of secondary cooling is primarily determined through the probability for a loss of makeup capability to the SGs.

  \                                                 .

Table 11 aummarizes the unavailability values of the systems involved in the, DHR for selected initiating events or initiating event groups. De data markedly damaamste the strong dependency of the systems' unavailabilities on the type and nature of the lahia: events. His dependency is lilustrated by the following mamples: I De ansvallabuity of feed & bleed is relatively low for normal transients, since its operation is principally i akpenders on opersor maion to inhine the process. For initiatons, like loss of DC train A or B, the instrument air containment isolation valves fail closed cutting oNIA to the pressurizer PORVs, failing feed & bleed. The unavailability of the AFW system can vary for the spectrum ofinkistors. It has a ruher low value for

 +

transients (other than LOOPS) because the AFW support systems include only AC and DC power with cooling waar providing a redundant suction sourm in the event the condensate storage tanks are depleted. The increase of unavailability for LOOP events and for SBO reflects the additional dependence on the DGs. In the event of an SBO, the TDAFW pump is the only means for feedwater addition to the SGs. His pump is not dependent on AC or DC power, as the steam admission valve to the pump fails open on loss of DC power. He submittal expliEitly provides the h u6.iu i hardware and makr human error contrD=miant to the unavailability of the various DHR systems (expressed in %, but understood as "impurtance"). These offer j valuable insights about the relisbuity of the symems, therefore they are repmduced below. Aindlary Feedwater System: Random faDure of Unk 11DAFW pump to run 09%), similar fuhre for Unit 1 MDAFW pump G7%), misalignment of the MDAFW pump train aAer test & maintemnce G4%), and MDAFW pump motors fail to start due to ==maa cause G2%). The ww error "FaDure to crosstle the MDAPW pump tom Unk 2" contributes 515 to the symem's unavauabuity. I ne prest data on the unavailability of the APW symem reflect the recent improvements implemented on the symem (see the report, NSPNAD 8606P Rev.0). I t i . 0 4 e b l 52 f I 7-.-.----. - . . . .-

i- )i' i f !! Table 11 Effects of blartad Initianng Events en the Unsvallabluty of Systems Involved in DHR i .

                                                        " 'y Side

!l. ie Hast Raamval* St RHR 1r Intiaang Ewas/ Feed & i . Event *0roup - Stat. ' Bleed

APW new** Ini. macire. aqi. Racine. down

,;                                                                                                                                  Coolmg h                  1.arge IDCA                                                                             1.3E 04 1.2E@

1 Medium 14CA 1.9E 03 5.9E43 1.3E 04 1.2EG ! Small1DCA 1.9543 J.9E43 1.7E 02 SOTR ' 1.9543 5.95 03 1.75G I 1DOP 8.1E 04 1.0 1.6E42 - J.1542* (SBO) (3.6E 02) f less of CC 5.8E41' 5.2E Ol* i i j Imss of CL 1.0 5.8E 01* 5.2E 01* !I Ames ofIA 5.8E Ol* 5.8E 01 I? Imes of DC Tranment A 1.0 1.0 l .Imss of DC Transient B 1.0 !! Transisets 8.3E 05 6.5E43 Transienes with "s" signal '3.9E 02 4.7E 02* Transients w/o "s" signal 6.6E43 4.1E42'

• steam rshef was not modeled because of the seveal diverse means of steam removal.

**MFW is not a safeguards syssent 1 *laciudes recovery of initiating event.

l +value dnpends on the operator aceme to snart FAB and she ansvailability of Dos. j l .. j Main Feedwater System: Bus 110 unit cooler unavailable due to malreanance (15%), control room chillers 1

fail to'run due to common cause (4%), control room ch111ed water pumps fail to run due to enmnvws cause l (4%). All of these hardware failuns cause eventual loss Of DC power via loss of scom cooling to the l i amfuguards 480 V bus rooms. Namely, if room cooling is lost the transformers in the rooms will best up and l eventually fail causing loss of all loads supplied by the affected buses. In ibis way the bettery shargers will be lost causing DC power to fall aAer the batteries have depleted. (This condition has been changed, as l

i ===vbaai previously in this TER.) Mi.i operstos action is the restoration of MFW for events in which

   .                  It lost as a result of the initiating event but is otherwise available (60%).

I Feed & Bleed: Hardware failuns are insignificana contributors to the unavaBability of feed and bleed. Almost i ; 95% of the unavaBability is from l== nan enor to initiate the proces. (the process inMatha is different in the

   ,                  preurre or absece of an S signal: if there is na S signal, the operator must mamany start the SI pumps and

'[* epen the pressurizar PORV, while if an S signal has been generated, the operator has to verify only whether j , the SI pump is running and then open the pressurizar PORV.) i St Irdecdon: Boric Acid Supply'Ihnk (BAST) auction valves fab to open due to common cause (25%), RWST auction valves fail to open due to common cause (25%), control room chilled water pumps fail to start due to J. 53 4

f common cause (19%), both SI pumps fail to start due to common cause (9%). De SI pumps draw aucsion

.!        off the BASTS during the fint few minuts of the iq}ection phase of an wh. and then switch to the RWST when the 14-1A level alarm is reached on the BASTS. Onlled water failure would cause overheating of the l4         Unit I safeguards 480 V bus rooms and failing c(all loads supplied by the safeguards buses. His would mean

b

! for the SI system, that the suction valves imm the BAST and the RWST would fall as they are the only valves . _ __ 'f required to change state for successful system operation. De unavailability calmtarian included recovery actions, such as: local recovery of abe auction valves, recovery of 480 V room cooling. De submittal, bowever did not pmvide any quantitative infonnation about their total unavailability contribution. {l SI Recirculation: Both CC supply valves to the RHR best exchangers fail to open due to common cause jl G%), both RHR to Si crossover supply valves fail to open due to common cause G%), control room chilled

' water pumps fail to start due to common cause (45), and both control room chillers fail to start due to common cause (4%). De . tingle dominant operator failure for SI recirculation is to initiate the recirculation lI

)i (41%), since the lineup for the SI recirculation rannot be performed from the control room (the breakers for the RHR to SI crossover valves are locked in tha off posiuon and they have to be unlocked locally).

'j RHR In}ection: Both RHR pumps fail to start Q 7%) and fail to run Q95) due to common cause. RWST rupture (5%). i 'RHR Racirtunation: Both CC supply valves to the RHR best exchangers fail to open due to common cause (4%), both control room chilled water pumps fail to start Q%) and chillers fall to run G%) due to common cause. 'Ihe dominant operator failure U2 %) is to initiate the low head recirculation. (Switchover to low head recirculation can be performed from the control room; the limiting factor is the time available to perform the action before the RWST would deplete. During large LOCA the RWST level is eW to fall rapidly.) RHR Shutdown Cooling (RHR SDC): RHR Loop B return valve fails to open G8%), failure of Train A contml room chilled water pump to start (19%) and to run (13%), and failure of the chiller in the same train to run (13%). Failures n'sociated with the chilled water system cause the known bestup of the 480 V safeguards bus rooms, resulting in the loss of the motor control cater that powers the single Imop B return

  )         valve, failing RHR SDC.                                                        ,

Finally a remark has to be made on the role of the corsainment fan cooler units (FCUs) and spray (CS) systems

  ;          in the process of DHR: In the Prairie Island Event Trees success or failure of recirculation is asked before               .
  ;          asking the status of the top event " containment " (l.e., the FCU and CS). If recirculation fails, k is assumed
           . that core damage occurs. Credit is not given for the FCUs to remove decay best from enarninment and condense the ward to return k to the aantniammar sump. Ghus, according to this assumption, failure of the

RHR best exchanger nsults in failure of the recirculation even though the RHR pumps could recirculate the water through containment where the best could be removed by the FCUs.) l i 2.g.1.3 Conduelon On the Analysis of DER 5 %e NRC defines two requiremeras in NUREG-1289 tut have to be met by any systen which performs DHR. j g

Deseare: ,

                                                                                                                                  .       j i           1.       Maintain sumcient water inventory in the RCS to ensure adequate cooling of the fuel.

i 2. Provide the means for ET fmWg best from the RCS to an ultimate best sink. - I l' I

 .I                                                                                                                                       :
  '                                                                 54                                                                     !

i t i

  !                                                                                                                                        i t                                                                                                                                        ;
  . ~ _ ,                                                    -                 -     _ _.-._..__,_          _ _ _ . .

i . u .,

i. .

t.. In the FE there are no core damage sequence d at do not involve loss of ekher one or both of the two g+ requirements. His fqct lead the licensee to consider the loss of DHR to be synonymous with mre damage. Since the overall CDF was found to be acceptably low (5 E 05/yr) and k was abown, the there are several redundant and diverse means for DHR, (i.e., several of the DHR systans and operator actions would have to L fail in combination to have a serious neguive impaa on the DHR apabDity), the licensee considered that k

!             has fulfilled the " Shutdown Decay Heat Removal Requirements" of " Unresolved Safety issue A45," (USI A-l             45).

2.5.2 Other GSIs/USIs Addnesed in the Enhmkf at No GSIs or USIs, other than USl A45 are addressed in the submhtal. 2.5.3 Response to CPI Program Reen==aadatianc I The CPI mmendation for PWRs with a dry marninmant is the evaluation of meenlan=* and equipment i vulnerabDities to localized hydrogen combustion and the need for is rewiments. Although the effects of h)drogen combustion on containment integrity and equipment are dimited in Ibe submittal, the CPI issue is  !

not specificauy addrused in the submittal. More daalled information on this issue is provided in the licensee's

!              response to the RAI (i.evel 2 Question 10). Hydrogen sources, the condition for hydrogen dwanarian, and the         l load for hydrogen deflagration are dimmM in the response. According to the response, hydrogen detonation

, is highly unlikely to occur with the Prairie Island containment geometry and hydrogen concentration. De

!              loadug maman generated by hydrogen deflagration has been pessimlatie=Hy treated in the FE and found not likely to cause containment fanure.

2.6 Vulnerabilities and Plant Imprwements De criteria used in the Prairie Island FE to determine whether any vulnerability *11erM at abe plant were:

                !.                Are there any new or unusual means by dich core damage or containment failure occur as usini W to those identified in other PRAs?
                                                                                                             ~    ~

2. Is there adequate assurance of no undue risk to public health and safety?

i De licermee suses that nehher of the above criteria lead to the identifiestion of potential vulnerabilities for the plant. De FE process demonstrated that; the accident classes contributing to the CDF are .ee+.41e with I those calculsed in PRAs of similar nuclear plants (indeed the cosci,.deas made in Table 2.4-1 of the =M*=1 . with Surry, Kewaunee, Point Beach supports this viewpoint), and the overall CDF kself is at an acceptably low  ! hwel of SE 05/yr. Therefore the licensee believes that there is adequate assurance of no undue risk to public ! health and safay. I r The licensee staes that dile no vulnerabllhy stists, as a result of the IPE, mmmistiane have been l , genermed for plant improvernents. These mmendations are pardy implemented and partly only under 1 m=Wration but by no means represent any definitive "NRC mmmir==r=". De rewnmendations focus on

.            ' plant improvements in three areas: procedural /administruive, structural and training anhaa=nants.

t . T 55 i h k ow . . - _ - , _ , - . , _ - - , - - . - -- . . - - - .

   )                                                                                               .
                                                                                                                                                 ~

! Depending on further evalunion of poternial howets and practicality, the lheue expects a signWaae decrease i in the overall CDF (a decrease of IE 05/yr or granter). In particular, the risk contribution from internal i Sooding is anticipated to be reduced from 1E 05/yr to approximately 1E-08/yr.

l1p 1 ,

[ A aununary of the1.avel 1 related rwamm=wielaat is provided below

_

!i !1 Procedurnl/ Administrative Enhancements ) i .  ; 1. De plant strendy proceduralized the process esublishing crosstie from aestion air to istrument air in l

1 CM AOP1, Rev.0. i

. i' j a) If the crosstie could be established wkhin one bour aRer a CL Loop A break, feed & bleed ) j or main feedwater cooling could be restored and core melt could be pid.(Ibe station j i , air compnsaors are cooled from loop B cooling water and are not affected by a break in the l i ether loop.) s .  !

! b) "Ihe new procedure prucribes also abat the station air crosstie should be used when an IA )

1! compressor is in mahanara l l Present (November 28,1995) disposhion of the tscoenmendation: a.) CH AO? 1, Rev. 4 incorporates this action (Step 2.4.6); b) CM, Rev 12 incorporates this recommanwiniaa

2. De procedure C35 AOP1, Rev.2, " Lass of CL Water Header A or B" should be revised such that the crosstie between CL Loop A and B could be used. Two valves, one manual and an AOV.have to be opened during 20 minutes to supply cooling water to the MFW pumps' lube oil coolers. De  ;

MFW pumps can conservatively operate w/o cooling water for about 20 minutes before possible pump damage. ,

    ?                      Present disposhion of the rea==aad*iaa- See the next disposhion.

Structural Enhancements

    ;                      1.        Constrain the impact of AFW pump toom Sooding by some simple measures. -Evaluations are                       !

[ moderway to determine the best long term solution. In the interim the following measures are , i auggested; modify the side doors to pmmate water Sow out of the room, or close the Are door

    '                                between the two halves of the room and render the door to be " water. tight".

Pnsent dispa=hina of the recommendation: De CL bender piping was completely replaced wkh a piping of 33% tincker wall dring the Mwember,1992 dual unit outage. De internal surface of the new pipe is coated with an epoxy costing to inhibh microhiologically induced corrosion (MIC). Also piping failure would be 4 motiosd by any WW who periodically walk through these rooms.

    ;                      Rahane====8 of Training                                                                                        ,
                                               -                                                                                                   l
     }

5 1. Esplain the importance of the feeid & bleed process. Put an amph=le on the operator actions that are f - necessary for success. it is expected that the training wul result in ar.arked reduction of the - l contribution of accident class *nIE to the overall CDF. 1 i l 56 I l i l t l l

                                                                                                                                                   )

       . u    .

lI~

i e z i

,4 2. Explain the importance of a crosstle between the MDAFW pumps. Emphasize the opersor actions l l that are required for success. k is expected that due to the training a significant reducsion will occur ij also in the THE's contribution to the overall CDF. , 1 ,t e 3. Explain the importance of switchover to high and low head recirculsion. Emphasize the wen- , i activides tha are required to success. he training may reduce significantly the CDF cos=dtion of i the accident class SLL. ,i

4 Explain the importance of RCS cooldown and depressurization to terminate SI behbre ruptured SG , j j overfill. Emphasize the operator actions that are required for success. It is =W that the training l will result in reduction of the CDF contribution of accident class GLH.

i Disposhion of the above i- es==%iaae: ) i 4( i a) I.atier 2.21.94, M. Wadley to D. Reynolds, sking to take the necessary actions to ensure the 1 opersors receive periodic training on the FE recommended training actions. he letter identifies the  ! acsions and a suggested frequency for giving training on them. ) !. l i b) Request for Training 94-25 from J. Sorensen. RequaldNLO training on FE and bass. Training l completed during cycle 94-09. i ! c) Course Outline for Simulator %dag Training: P9160S, Rev.4. Records of the FE recommended ! training items at the frequency requested in the Wadley letter. ) I d) ' NLO training Program P8400, Rev.9: Outplant actions required to successfully establish low head recirculation and to cross connect the MDAFWP to the opposke unit are JPMs (SI-3 and AF-7), required biennially. . l' e) Lasson Plan P81611A03, Rev.1, Intmducxion to Accider Analysis for isc;:nse candidates: In addition to USAR accident analysis topics, students are trained in how PRA techniques are used to determine risk, and on the results and uses of the PI FE in the operation and maintaanwe of the plant. De following two recommendations are misted to the back end: .

1. Revise the EOP that requires the restart of the RCPs under ICC condition. k is mmended in the j FE subminal that the operator checks for adequate steam generator level before setempting to start the i RCP. His recommendation is intended to reduce the probability ofISGTR. l

2. Secure open the in-mre instrument tube batches for both units to aBow water to flow into the reactor 4 cavity to provide cooling to the lower vessel head 0.e., ex vessel coolleg) and improve debris I I

coolability in the reactor cavity. i 1

• l 57 n se^ + ~.w' a-w __pg., ...p, ,. ., ,,

hur46--m*=1

                                                                                           , a r- g h

9 4 I

        'f 1

P k 4 . e f i 4 t h. I i . s k t 0 W 4 D t

;f                                                      '

h+

1 N N

't 6

4

 . ,i
 .T 4

i f i 58 r a s

           ***-c- 9 w-mse c o-  . .iemme.www         __             ., _

u .. > e e g .s { 3 COMRACTOR OBSERVATIONS AND CONCLUSIONS 1 I !h Strengths of the level 1 analysis of the FE are a fouows: Thorough analysis of W*ia events and !I ibeir hapact for both units of the plant, descriptions of the plant responses, pr==aatmion of the results of j; yyvning MAAF cal =1=riaan (herian 7 of the anbmittal), seasonable failure data and cannaan cause f factors, usage of plant specific data whenever possible to support the ~~~**laa of Waia: events i4 and system ansvallabuities, and an ;-yvn s analysis on major variables ' ;=% core damage. 'Ibe 1 1, effort seems to have been evenly distributed across the various areas of the analysis. jl The FE Imvel I analysis has no thad===wat weakansses, les " leading" uninor weakness is the lack of (i detail in the individual accident sequence deswiyibas. The text of the submittal everywhere indicated

l that a detailed analysis was done but only highlights were reported.

!i )i *Ihe FE determined that an internal flooding sequence is the primary contributor to core damage. Its i initiator is a cooling water line break inside alther the Unh I or Unit 2 side of the Turbine Budding jf AFW/IA compressor room, which causes failure of these two systems fbr both units. There is a low ,. potential for this pipe rupture (only a small section of piping is involved); however, sbis initiating event !!i represents a potentially important location d--ad-aey for several systems at the plant, since abe AFW pumps (secondary best removal) and the IA compressors (in feed & bleed support for the pressurizer l, PORV) are located in the same room.

i

! As was noted previously, several recommendations for plant improvements have been made as a result 4 of insights obtained from the FE, particularly to reduce the CDF contribution of the above mentioned flood accident. The CDF knpact of these improvements is expected to be a CDF decrease on the order j of IE-05/yr or greater. I 1he HRA miew of the FE submittal did not idaatify any alp ~ = problems or errors. A viable I approach was used in performing the HRA and nothing in the licensee's submittal indicated that k faued

 .            to meet the intent of Generic Letter 88-20 in regards to the HRA. 46 moi elements pertinent to this
 ;            determination include the following:

F -1) - The submittal indicated that utility personnel were involved in the HRA and the procedure svviews, discussions with operations and training staff, and walkdowns of operator acsions

 !                       represent a viable process for confirming that the HRA portions of the FE represent the as buDt-
 ;                     .as operated plant.

2) The analysis of pre-laitistar human actions focused on restoration faults. The HEPs assigned to a the modeled restoration faults and the approach for -+;- Ag the component unavaDabilities

 !                       appeared reasonable. D5=adaneles between restoration errors were not addressed because h was I                     - argued that plant practices regarding nialatan=ae* of separate trains assured the independence of restoration faults. Miscalibration errors were " treated through the inclusion of common cause          .

failure modeling for the season or instruments dwanalves." 1he licensee's treatment of t sniscalibration events may have precluded identification of 46 moi pre-initiator events and is I therefore a weakness of the HRA. - i e I e _, _.m_ ....m.m._ _ ._ - . , , .- --

_ . ~ _ _ - . _ _ _ _ - - - - - - - . . -- - o a 3

3) Post-initiator hunan actions modeled included both --- .ir. and recovery 4ype actions.

       ;                                         Although the damnantalan for the screening analysis perrormed on post-initiators was minim =1, f'

k appeared that the screening analysis was relatively more " plant 4pecific" and detailed aban many of those performed for other pes. In addition, the licensee stated that if more than one r operator action occurred in the same cutset, *either independence of the human actions was

                                               - confirmed, or a change was made to correctly model darandane* between bensa errors." The l[
                                 ~

11amana*'s response to an additional RAI regarding trastment of dapandaarisa confirmed that they ( were appropriately addressed. Moreover, the detaDed quantifcation ofimportant post-initiator

     ,                                          operator actions and the -~* d- of recovery actions appeared sound.

1 . l 4) Plantepecific perinamence absping factors (PSFs) and event timlag, were appropriately n Considered. F l 5) A list of hnportant human actions based on their contribution to core damage frequency was provided in the subminal.

 -I                                                                                                    ..

De FE uses five small eaatainmaar phanamanalogical event tree (CET) with from 5 to 8 top events for Isvol 2 analysis. De quantificaGn of the CET in the Prairie Island PE is based on plant-specific y phenomenological evaluations, which include anodeling and haaadia= calculations (based upon emperimental data), cons 8derstbn of phenomenological uncertainties, and MAAP calculations. g I De interface between the Level I and level 2 analyses is accomplished by the development of a set of l 14 accident classes. The Level I core damage sequences are grouped in the accident classes based on ,  ! accident initiators, the time of core damage, and the RCS pressure at the time of cc:e damage. De availability of containment systems is not included in the definition of accidant classes. Conestament j system fault trees (for -. * . " - spray iqjection, containmaat spray recirculation, and - ' .... - fan 1 coU units) were quantified in the Prairie Island PE using linked fault tres models. De containment systems fault tree cutsets were input to the CET branches as necessary to support the CET quantification. t De definition of the ACs for Level I and Level 2 interface seems adequate. The CETs used in the FE

    !                                  provide a reasonable coverage of the kupertant backed 7 == De gnantinenttaa of the CETs i                                . also seems adequate.
                                                                                                                                                               ~

De following are the nudor findings of the back end analysis described in the submittal: .

• De back end portion of the IPE supplies a anh==atial amount of infonnation wkb regards % the subject areas identified in Generic Lauer 88-20. . ._.

l t

• De Prairie 1aland Nuclear Generating Station IPE provides an evaluation of all phenomena of

    !                                       importance to avere acendent progression in accordance whb Appendix I of the Generic IAuer.

t - l

• The IPE has identified a plant specific reactor cavity configuration feature that may affect accident

     ,                                      progression. Based on the PE, it is recommendad that the in core instrument tube hatches for both anits be secured open to allow water to flow into the reactor cavhy to provide cooling to the lower vessel head (l.s., sawassel cooling) and improve debris coolabHiry in the reactor cavtry.

• De aseel abell maatain===t of Prairie lated may be vulnerable to direct anack by dispersed core debris. De access hatches to the instrument tunnel are in an open area on the basement leivel of the

    !                                       eamainmant, and for both of the Prairie Island units one of the two hatches faces toward the steel dio-i L

r' ._ ..

g. _ . _ _

I l- containment, about 30 ft away, with a largely unobstructed path in between. Although a scoping

      ;               study performed in the FE shows that the temperature generated by the debris adhering to the steel wall is insufficient to melt the steel and breach the contalamant, details of the scoping study are not                      ,

I provided in the submittal and the potential effect of corium attack on reducing coa'atamam pressure

   )                  capability is not discussed.

i e De FE identified the potential of ISGTR due to the restart the RCPs upon an inadequate core cooling (ICC) condition. Based on the FE results, it is recommanded in the IPE submittal that the

,i EOP that requires the restart of the RCPs under 1CC condition be modified. It is recommended in i the IPE submittal that the operator checks for %=+ steam generator level before attempting to

   ,                  start the RCP. His recommendation is intended to reduce or eliminate the probability of ISGTR.

• De containment analyses indicate that there is a 68% conditional probability of comalan=nt failure ifISGTR due to restart of the RCP is included. De conditional probability of enntainmant bypass is about 45% of which 30% is from ISCTTR, the conditional probability of early containmant failure i is 0.8% , the conditional probability of isolation failure is about 0.02 % , and the conditional probability of late containment failure is 23%. He conditional probability of containment bypass decreases by 30% ifISGTR is assumed not to occur.

i ne licensee has addressed the recommendations of the CPI program.

6 l j I l 4 i 'i - t ]-

a =s x . f . i -

       +

3 4.. 1, i. w 3 This page blank. 6 e i t 0 l i 1 1 2 e i

                                                                                                                                                                               .a f

l t i e i i i y 1

s>= s i l i 1 l !l 4 REFERENCES l

                                                                                                                                                                \

i - l l (GL S8-20) Crutchfield, D.M., indMdual Plant Esanination Jbr Sewe Accident l Vulnerabilities, U.S. Nuclear Regulatory C== inion Generic Latter 88-20,

   .                                                                      November 23,1988.

[NUREG-1335) Individual Plant Framlnwinn* hhmhtml Guidance, U.S. Nuclear Regulatory

                                                                          a==1=taa Report NUREG-1335, August 1989.

l l' [IPE Submittal) Prairie Island, Individual Plang Framinminn GPE) NSPLM144001, Revision 0, the Northern States Power t'-amay, February,1994. l

(RAI Responses) Response so Requesjbr Additional hformationfor she IPE Progren, Prairie

i j

, Idand Mdear Genenming Plant, the Nonborn States Power Company, February lt 1996.

(NUREG-1150) Sewe Acddent Risk

An Assemnent ofFhe U. S. Nudear Ptmer Plants, U. S.

. Nuclear Regulatory Commission, December 1990. [NUREG/CR-1278) A.D. Swain and H.E. Guttman, Handbook ofHwnan Reliability Ana.) sis with l Enphasis on Nudear Power Applications : TedmiqueJbe Hanan Error Rate l Prediction, NUREG/CR-1278, U.S. Nuclear Regulatory Cn== inion,

Washington D.C.,1983.

2 i

, INUREG-751014) Wash-1400, Reaaor Sqfiny Sady - An Assennent of Accident Riskt in U.S. 1

Csisi,scial Nudear Pkmer Plants, USNRC, October,1975.

.i , [!DCOR) IDOOR BWR Individual Plant Evaluation Methodology, Rev 1, December 1986.

   ;                           (NUREGICR-4772)                             A.D. Swala, Acddent &~*=~ Emluation Progren Human Reliability Analysis
.[                                                                         Procedune, NUREG/CR-4772, U.S. Nuclear Regulatory Commission, l'i:                                                                        Washington, D.C., Febmary,1987.

ll [NSAC - 161] Nuclear Safety Analysis f' enter (NSAC), Faulted Systems Remmy Eiperience, 1 !t ih ji i t 4 b

\'

1! 63 i! i j# ~.-..---+-.....w. _ _ . - - . . . . . - - . - - . - - - . . . . _ . . - - , - . - -}}