ML20140B642

TER on IPE Front End Analysis
Person / Time
Site: Clinton
Issue date: 05/03/1996
From: Thomas W
SCIENCE & ENGINEERING ASSOCIATES, INC.
To:
NRC
Shared Package
ML20140B649 List:
References
CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-94-2342-010, SEA-94-2342-010-A4, SEA-94-2342-10, SEA-94-2342-10-A4, NUDOCS 9703200199


Text

SEA-94-2342-010-A:4
May 3, 1996

Clinton Power Station

Technical Evaluation Report on the Individual Plant Examination Front End Analysis

NRC-04-91-066, Task 42

Willard Thomas

Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
E.1 Plant Characterization
E.2 Licensee's IPE Process
E.3 Front End Analysis
E.4 Generic Issues
E.5 Vulnerabilities and Plant Improvements
E.6 Observations

1. INTRODUCTION
1.1 Review Process
1.2 Plant Characterization

2. TECHNICAL REVIEW
2.1 Licensee's IPE Process
2.1.1 Completeness and Methodology
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
2.1.3 Licensee Participation and Peer Review
2.2 Accident Sequence Delineation and System Analysis
2.2.1 Initiating Events
2.2.2 Event Trees
2.2.3 Systems Analysis
2.2.4 System Dependencies
2.3 Quantitative Process
2.3.1 Quantification of Accident Sequence Frequencies
2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses
2.3.3 Use of Plant-Specific Data
2.3.4 Use of Generic Data
2.3.5 Common-Cause Quantification
2.4 Interface Issues
2.4.1 Front-End and Back-End Interfaces
2.4.2 Human Factors Interfaces
2.5 Evaluation of Decay Heat Removal and Other Safety Issues
2.5.1 Examination of DHR
2.5.2 Diverse Means of DHR
2.5.3 Unique Features of DHR
2.5.4 Other GSI/USIs Addressed in the Submittal
2.6 Internal Flooding
2.6.1 Internal Flooding Methodology
2.6.2 Internal Flooding Results
2.7 Core Damage Sequence Results
2.7.1 Dominant Core Damage Sequences
2.7.2 Vulnerabilities
2.7.3 Proposed Improvements and Modifications

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. DATA SUMMARY SHEETS

REFERENCES

LIST OF TABLES

Table 2-1. Generic Component Failure Data
Table 2-2. Comparison of IPE and NUREG/CR-4550 Common Cause Data
Table 2-3. Dominant Sequences From Internal Flooding Analysis
Table 2-4. Accident Types and Their Contribution to Core Damage Frequency
Table 2-5. Initiating Events and Their Contribution to Core Damage Frequency
Table 2-6. Dominant Functional Core Damage Sequences
Table 2-7. Summary of Plant Improvements
Table 2-8. Summary of Plant Changes Directly Related to Station Blackout

E. EXECUTIVE SUMMARY

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Clinton Power Station. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI) [Footnote 1].

E.1 Plant Characterization

The Clinton Power Station (CPS) consists of a single unit boiling water reactor (BWR)-6 with a Mark III containment. Clinton began commercial operation in April 1987. Design features at Clinton that impact the core damage frequency (CDF) relative to other BWR 6 plants are as follows:

  • Four hour battery lifetime. With credit for load shedding, the battery lifetime can be extended to 4 hours. However, a 4 hour battery lifetime is less than battery lifetimes at some other BWRs. The 4 hour battery lifetime at Clinton tends to increase the CDF compared to those BWRs with longer battery lifetimes.

  • Ability of emergency core cooling system (ECCS) pumps to operate with a saturated suppression pool. The high pressure core spray (HPCS), low pressure core spray (LPCS), and residual heat removal (RHR) pumps can operate with a saturated suppression pool and thus provide core cooling in the event containment cooling is lost. This design feature tends to decrease the CDF.

  • Ability to cross-connect the fire protection system for core injection. The fire protection system can be aligned as a source of core injection. The fire protection pumps are diesel-driven. This design feature tends to decrease the CDF. The analysis took credit for this cooling method, though apparently not for station blackout sequences. This cooling method would be of minimal value in station blackout sequences because the automatic depressurization system (ADS) safety relief valves (SRVs) will likely reclose after battery depletion, with a consequential rise in reactor pressure that would make fire protection injection unavailable.

Footnote 1: In responding to the RAI, the licensee states that several updates have been made to the original IPE analysis described in the submittal. Because no details are available for the latest IPE revision other than a total CDF exclusive of flooding, our review is focused on the IPE presented in the submittal. [pp. 2, 5 of RAI Responses]

E.2 Licensee's IPE Process

The licensee developed a Level 2 probabilistic risk assessment (PRA) in response to the requests of Generic Letter 88-20. The freeze date of the analysis was December 31, 1991. It appears that the only exception to the freeze date was the implementation of several station blackout procedures that were credited in the analysis.

The licensee had the primary role in each phase of the IPE, including: overall project management, reviews of interim analysis products, and critical analysis and evaluation of all results. Consultants used in the analysis were from Tenera, L. P., Fauske and Associates, and Westinghouse.

Major documentation used in the IPE included: piping and electrical diagrams, operating and emergency procedures, vendor manuals, system descriptions, maintenance work requests, surveillance logs, Technical Specifications, and licensee event reports (LERs). Plant walkdowns were also conducted to support the IPE.

An independent review of the IPE analysis was performed. The IPE independent review team (IIRT) consisted of six members of the utility staff. The chairman of the IIRT is the director of nuclear safety. Four of the other members have Clinton SRO licenses, while the remaining individual has broad maintenance experience.

The licensee intends to maintain the PRA as a living document to support future plant operations.

E.3 Front-End Analysis

The methodology chosen for the Clinton IPE front-end analysis was a Level 1 PRA. The small event tree/large fault tree technique with fault tree linking was used. Accident sequence quantification was performed with the Cut Set and Fault Tree Analysis (CAFTA) and Set Equation Transformation System (SETS) codes.

Event trees were developed for all classes of initiating events. Support systems were modeled with fault trees and linked with the appropriate frontline system fault trees. An importance analysis was performed and described in the submittal. Several sensitivity analyses were performed on the front-end results.

The success criteria were based on Modular Accident Analysis Program (MAAP) calculations. Core damage is defined as a reactor level less than two thirds the length of the active fuel for more than 4 minutes or MAAP results with a fuel temperature of 2,200 deg. F or more.

The IPE quantified 12 initiating events exclusive of internal flooding: 5 loss of coolant accidents (LOCAs); 4 generic transients, including loss of offsite power (LOSP); and 3 special initiating events representing loss of support systems. The number of initiating events considered in the flooding analysis was not specified.

Plant-specific data were used for test and maintenance unavailabilities. However, component unavailabilities due to failures were entirely based on generic data, with the possible exception of diesel generator start failures. All the initiating events were based on generic data, though some plant-specific considerations were included in the development of the LOSP initiating event frequency.

The Multiple Greek Letter (MGL) method was used to model common cause failures. The source of MGL data was not specified.

The total point estimate CDF for Clinton is 2.6E-05/yr [Footnote 2], including internal flooding. The CDF contribution from flooding is 1.6E-06/yr [Footnote 3]. The initiating events that contribute most to the CDF and their percent contribution are listed below [Footnote 4]:

Loss of off-site power 46%

Transient w/o isolation from main cond. 18%

Transient with isolation from main cond. 16%

Loss of DC bus 5%

Inadvertent Open Relief Valve (IORV) 4%

Loss of Feedwater 4%

Core damage contributions by accident type are listed below:

Transients 52%

Station blackout 37%

Internal Flooding 6%

LOCA (includes IORV) 4%

Anticipated transient without scram (ATWS) 0.5%

Interfacing Systems LOCA (ISLOCA) negligible

The most important non-initiating events are (in order):

  • Failure to recover off-site power in 0.5 hours
  • Independent sub-tree containing HPCS failure basic events
  • Basic event representing recovery of HPCS failures
  • Basic event representing recovery of RCIC failures
  • Operator fails to manually initiate ADS

The Level 1 core damage end states were binned into accident classes to form the beginning states for containment event trees. This binning process appears to be comparable with similar methods used in other PRA/IPE studies.

Footnote 2: The most recent update of the IPE predicts a CDF exclusive of flooding of 5.55E-06/yr. [p. 5 of RAI Responses]

Footnote 3: As used here and in other portions of this report, the term "yr" refers to a reactor year.

Footnote 4: A more complete set of initiating event CDF contributors is provided in Table 2-5 of this report.

E.4 Generic Issues

The decay heat removal (DHR) contribution to CDF was derived by eliminating from accident sequence cutsets failures of systems that cannot remove decay heat. Systems not able to remove decay heat include HPCS, RCIC, LPCS, ADS, and fire protection. The CDF due to loss of DHR was estimated to be 5.2E-06/yr. The licensee states that this DHR-related CDF estimate is pessimistic, as additional methods of DHR were not credited, for example RHR lined up to the fuel pool cooling and cleanup system.

As pointed out by the licensee, the unresolved safety issue (USI) A-45 study recommends that DHR-related CDF contributions should not be greater than 1E-05/yr. The Clinton DHR-related CDF was determined to be 5.2E-06/yr. No DHR-related vulnerabilities were identified.

The licensee does not address any generic safety issues (GSIs)/USIs other than DHR. The licensee states that there are no open generic issues at Clinton.

E.5 Vulnerabilities and Plant Improvements

The licensee selected the following definition of a plant-specific vulnerability:

  • New or unusual means by which core damage or containment failure occur as compared to those identified in other PRAs, or
  • Results that suggest the plant CDF would not be able to meet the NRC's safety goal for core damage (1E-04/yr), or
  • Systems, components, or operator actions that control the core damage result (i.e., greater than 90%).

Based on the above criteria, the licensee determined that there are no vulnerabilities at Clinton.

The following front-end plant improvements were identified as a result of the IPE:

  • Operator training to emphasize importance of maintaining off-site power
  • Operator training to emphasize importance of manual ADS initiation
  • Modify HPCS surveillance procedure to test suppression pool suction path
  • Install bypass line to allow easier use of fire protection system for vessel makeup

None of these improvements was credited in the IPE version reported in the submittal. The last two improvements (HPCS surveillance and fire protection bypass line) would each reduce the IPE CDF by about 13%. Estimates of CDF reductions for the other two improvements were not available.

E.6 Observations

Because Clinton began commercial operation in April 1987, there is a relatively limited operational history from which to derive plant-specific failure rates. While plant-specific data were used in the IPE for test and maintenance unavailabilities, component hardware failures were entirely based on generic data (with the possible exception of diesel generator start failures). Initiating event frequencies were for the most part also based on generic data. To support this wide use of generic data, the licensee cited instances where plant-specific failure data are comparable to or better than corresponding generic data.

Some other plants with limited operational experience have used plant-specific data to update generic data via a Bayesian process. It is not clear why the Clinton IPE did not use a similar approach. In our judgment, the limited use of plant-specific data represents a weakness of the Clinton analysis. While it might be argued that the use of generic data provides an upper bound to the total CDF, the relative CDF contributions of various sequences and failure events may be distorted.
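The Bayesian process mentioned above, shown as an added illustration that is not part of the report or the licensee's analysis: a conjugate gamma-Poisson update of a generic initiating event frequency with plant-specific evidence. The 1.7/yr generic mean is the report's frequency for a transient without isolation; the error factor of 3, the event count and the 4.7 years of exposure are constructed values, not Clinton data.

```python
import math


def gamma_prior_from_generic(mean, error_factor):
    """Moment-match a gamma prior to a generic estimate given as a lognormal
    mean and error factor (95th percentile / median). Returns (alpha, beta)."""
    if mean <= 0 or error_factor <= 1:
        raise ValueError("mean must be > 0 and error_factor must be > 1")
    sigma = math.log(error_factor) / 1.645    # lognormal shape parameter
    cv_squared = math.exp(sigma ** 2) - 1.0   # (std dev / mean)^2 of the lognormal
    alpha = 1.0 / cv_squared                  # gamma shape with the same CV
    beta = alpha / mean                       # gamma rate, in reactor-years
    return alpha, beta


def poisson_update(alpha, beta, events, exposure_years):
    """Posterior gamma parameters after observing `events` occurrences
    in `exposure_years` of plant operation (Poisson likelihood)."""
    if events < 0 or exposure_years < 0:
        raise ValueError("events and exposure_years must be non-negative")
    return alpha + events, beta + exposure_years


def summarize(alpha, beta):
    """Mean and standard deviation of a gamma(alpha, beta) frequency."""
    return {"mean": alpha / beta, "sd": math.sqrt(alpha) / beta}


def bayes_update_report(generic_mean, error_factor, events, exposure_years):
    """Run the update and report how much weight the generic prior retains."""
    a0, b0 = gamma_prior_from_generic(generic_mean, error_factor)
    a1, b1 = poisson_update(a0, b0, events, exposure_years)
    # With no exposure there is no plant-specific estimate to compare against.
    mle = events / exposure_years if exposure_years > 0 else None
    return {
        "prior": summarize(a0, b0),
        "posterior": summarize(a1, b1),
        "mle": mle,
        # The posterior mean is a weighted average of the prior mean and the MLE;
        # this is the weight that stays on the generic prior.
        "prior_weight": b0 / (b0 + exposure_years),
    }


if __name__ == "__main__":
    # Constructed evidence: 4 events in 4.7 reactor-years (illustrative only).
    result = bayes_update_report(generic_mean=1.7, error_factor=3.0,
                                 events=4, exposure_years=4.7)
    for key, value in result.items():
        print(key, value)
```

With these constructed inputs the generic prior keeps less than a quarter of the weight, so even a few years of plant evidence moves the estimate and narrows its spread.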

It is also noteworthy that the Clinton IPE credited local repair of various equipment items and systems, including diesel generators, pumps, valves, and instrumentation. It is positive that the licensee has attempted to credit a variety of repair activities to reflect the operation of the as-built, as-operated plant. However, IPE/PRA studies typically limit credit for local equipment repair activities to diesel generators, as there is comparatively more experience for repair of diesel generators than for other components and systems. It is further noted that the Clinton IPE has taken credit for up to two component/system repair actions per accident sequence cut set. Credit for multiple repair activities within a given cut set is also not typically done in IPE/PRA studies. The licensee states that the credited repair activities included in the Clinton IPE are based on a demonstrated capability of the plant to field multiple repair teams during actual emergency exercises. However, the quantification of repair activities is based on a generic EPRI database, and it is not clear how accurately the generic EPRI data would reflect the Clinton plant during an actual accident condition given the uncertainties inherent in predicting human actions. It is also noted that the IPE data for non-recovery of common cause diesel generator failures are one to two orders of magnitude lower (more optimistic) than industry experience used in the Accident Sequence Evaluation Program (ASEP) as reported in NUREG/CR-4550 (Rev. 1, Methodology).

As part of a response to an NRC Staff request for clarification of equipment repair models, the licensee performed a sensitivity analysis that involved removal of all credited equipment repair recoveries, except those involving off-site power, DC power, and operator actions done from the control room. With this model change, the baseline CDF (exclusive of internal flooding [Footnote 5]) increased by a factor of 1.44 (from 2.49E-05/yr to 3.57E-05/yr). The relative contributions of individual accident sequences were not significantly altered as a result of this sensitivity study. In no instances were increases in individual accident sequence frequencies greater than 2.4. While two new sequences were introduced as a result of the sensitivity analysis, their frequencies were less than 1E-08/yr.

While the Clinton IPE equipment repair model is more optimistic than repair models typically used in other IPE/PRA studies, the licensee's sensitivity analysis demonstrates that this repair model has not significantly affected the CDF or accident sequence profile. Therefore, it is our judgment that the licensee's equipment repair model does not represent a weakness of the IPE.

Significant level-one IPE findings are as follows:

  • Operator failure to manually initiate ADS for use of low pressure injection contributes about 24% to the total CDF. The licensee does not consider failure of operators to depressurize as a vulnerability because this action has been emphasized in training and has been judged unlikely to induce operator error.

Footnote 5: No credit was given for flood-related operator mitigating actions.

1. INTRODUCTION

1.1 Review Process

This report summarizes the results of our review of the front-end portion of the IPE for Clinton. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI) [Footnote 6].

1.2 Plant Characterization

The Clinton Power Station (CPS) consists of a single unit BWR 6 with a Mark III containment. Clinton began commercial operation in April 1987, and has power ratings of 2,894 MWt and 933 net MWe. The Clinton site is located in east-central Illinois. Condenser cooling and the ultimate heat sink for ECCS is provided by Lake Clinton. Sargent & Lundy served as the Architect-Engineer and design consultant for this plant. The River Bend, Perry, and Grand Gulf plants are similar in design to Clinton. [pp. 1.1-1, 1.1-2, 1.3-1, 1.4-2 of UFSAR, 2-9 of submittal]

Design features at Clinton that impact the core damage frequency (CDF) relative to other PWRs are as follows: [pp. 3-84 of submittal, 6.3-5, 6.3-12, 6.3-17 of the UFSAR]

  • Four hour battery lifetime. With credit for load shedding, the battery lifetime can be extended to 4 hours. However, a 4 hour battery lifetime is less than battery lifetimes at some other BWRs. The 4 hour battery lifetime at Clinton tends to increase the CDF compared to those BWRs with longer battery lifetimes.

  • Ability of emergency core cooling system (ECCS) pumps to operate with a saturated suppression pool. The high pressure core spray (HPCS), low pressure core spray (LPCS), and residual heat removal (RHR) pumps can operate with a saturated suppression pool and thus provide core cooling in the event containment cooling is lost. This design feature tends to decrease the CDF.

  • Ability to cross-connect the fire protection system for core injection. The fire protection system can be aligned as a source of core injection. The fire protection pumps are diesel-driven. This design feature tends to decrease the CDF. The analysis took credit for this cooling method, though apparently not for station blackout sequences. The licensee notes that this cooling method would be of minimal value in station blackout sequences because the ADS SRVs will likely reclose after battery depletion, with a consequential rise in reactor pressure that would make fire protection injection unavailable. [pp. 10, 11 of RAI Responses, pp. 3-32, 3-89, 6-11, 6-12 of submittal]

Footnote 6: In responding to the RAI, the licensee states that several updates have been made to the original IPE analysis described in the submittal. Because no details are available for the latest IPE revision other than a total CDF exclusive of flooding, our review is focused on the IPE presented in the submittal. [pp. 2, 5 of RAI Responses]

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodology.

The submittal appears to be complete with respect to the type of information requested by Generic Letter 88-20 and NUREG 1335. No omissions were noted. [pp. 2-2 of submittal]

The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA was the small event tree/large fault tree technique with fault tree linking. [pp. 1-5 to 1-7 of submittal]

Intersystem dependencies were discussed and tables of system dependencies were provided. Data for quantification of the models were provided, including common cause events and human recovery actions. An importance analysis was performed and is described in the submittal. Several sensitivity analyses were performed on the front-end analysis results.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

The Clinton plant is a single unit site; therefore, multi-unit considerations do not apply to this plant.

The IPE was based on a variety of plant-specific information, including piping and electrical diagrams (P&IDs), operating and emergency procedures, vendor manuals, system descriptions, maintenance work requests, surveillance logs, and Technical Specifications. Plant walkdowns were also conducted to support the IPE analysis. A flooding walkdown was performed to determine flooding sources and potential effects of flooding, including ISLOCA effects. Other walkdowns were made, for example to address HRA considerations and to answer specific questions as they arose during the analysis. [pp. 1-4, 2-12, 2-14 of submittal]

The IPE made very limited use of plant-specific failure data. While plant-specific data were used for test and maintenance unavailabilities, component hardware failures were entirely based on generic data (with the possible exception of diesel generator start failures). The initiating events were generally based on generic data, though some plant-specific considerations were included in the development of the LOSP initiating event frequency. In our judgment, the limited use of plant-specific data represents a weakness of the IPE.

The freeze date of the analysis was December 31, 1991. It appears that the only exception to the freeze date was the implementation of several station blackout procedures that were credited in the analysis. These station blackout procedures are described more thoroughly in Subsection 2.7.3 of this report. [pp. 3, 9 of RAI Responses]

The licensee intends to maintain the PRA as a living document to support future plant operations. [cover letter, p. 1-5 of submittal]

2.1.3 Licensee Participation and Peer Review.

The licensee had the primary role in each phase of the IPE, including: overall project management, reviews of interim analysis products, and critical analysis and evaluation of all results. All of the major work tasks were performed by licensee personnel.

Consultants used in the analysis were from Tenera, L. P., Fauske and Associates, and Westinghouse. The consultants provided support in several areas, including expertise in specific aspects of PRA and technical review of program products. Technology transfer from the consultants to the licensee's employees was considered as a very important part of the IPE program. [pp. 5-1 to 5-3 of submittal]

Plant system engineers were involved in the IPE process to answer questions related to design, capability, and function of the modeled systems, as well as to review the system models. The system engineers were trained in PRA terminology and methods to support the IPE analysis. A senior management review team (SMRT) consisting of upper level utility management staff was used to provide program oversight and to review the IPE progress and results. [pp. 5-4, 5-6 of submittal]

An independent review of the IPE analysis was also performed. The IPE independent review team (IIRT) consisted of six members of the utility staff, specifically the director of nuclear safety, four individuals with senior reactor operator (SRO) licenses, and one individual with broad maintenance experience. The IIRT members were provided with training related to the PRA process. The licensee has provided a sampling of IIRT comments. [pp. 23 to 25 of RAI Responses, pp. 5-5, 5-6 of submittal]

2.2 Accident Sequence Delineation and System Analysis

This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.

2.2.1 Initiating Events.

The specific categories of initiating events utilized in the IPE are listed below: [pp. 3-2 to 3-4, 3-6, 3-37 to 3-39 of submittal]

Transients:

  • Loss of offsite power (LOSP)
  • Loss of feedwater
  • Transient with isolation from main condenser
  • Transient without isolation from main condenser
  • Inadvertent/stuck open safety relief valve (IORV)

Special Initiators:

  • Loss of instrument air
  • Loss of service water
  • Loss of non-safety DC bus

LOCAs:

  • Small (within capacity of RCIC system)
  • Medium (beyond capacity of RCIC system)
  • Large (sufficient depressurization to allow use of low pressure injection systems)
  • ISLOCA (7 separate categories)

Internal Flooding:

  • Number of initiating events not provided

Failures of individual AC buses were excluded as initiating events. The licensee acknowledges that loss of a single safety-related AC bus could cause a transient with isolation due to closure of the main steam line isolation valves (MSIVs). However, loss of a safety-related AC bus was omitted from the analysis because its expected frequency (8.7E-04/yr) is about 3 orders of magnitude lower than the frequency for a transient without isolation (1.7/yr). In our judgment, this rationale for omitting safety-bus AC bus failures is not necessarily supportable. While the expected frequency for the AC safety-bus loss is 3 orders of magnitude lower than the frequency for transient without isolation, the AC bus loss represents an automatic failure of the safety equipment powered by that bus that otherwise might have been available to mitigate the transient. In contrast, the logic model for "transient without isolation" does not include this automatic failure. [p. 3 of RAI Responses]

The failure of an individual non-safety AC bus would lead to essentially the same conditions as a loss of service water. The loss of a non-safety AC bus was omitted from the analysis because its expected frequency is about an order of magnitude lower than the frequency for loss of service water (1.75E-03/yr). [pp. 3, 4 of RAI Responses, p. 3-38 of submittal]

Loss of an individual non-safety DC bus was modeled as an initiating event, as it will cause a plant trip. In contrast, the loss of a safety-related DC bus would not cause a plant trip, and therefore was not modeled as an initiator. Total loss of DC was not modeled as an initiating event, because failure of all 6 independent battery-charger subsystems (4 safety-related, 2 balance-of-plant) was not judged to be credible. [p. 4 of RAI Responses, p. 3-84 of submittal]

HVAC failures are encompassed in the quantification of the transient initiating events, instead of being modeled separately. For example, control room HVAC failures are included in the quantification of "transient with isolation." Because of system redundancies, the contribution of control room HVAC failure to this transient initiating event frequency is stated to be very small. In our judgment, the licensee's rationale for grouping loss of HVAC events into the transient initiating events is not necessarily supportable. A loss of HVAC to a plant area may disable certain mitigating system equipment (beyond that required to cause a plant trip) that otherwise might have been available to mitigate the transient. It does not appear that the logic models for transient events include the possibility of these types of consequential failures. [p. 4 of RAI Responses]

The IPE does not have separate initiating events for loss of component cooling water (CCW) or turbine building closed cooling water (TBCCW). The CCW system provides cooling for the service air compressors and recirculation pump seal coolers (though the shutdown service water system can also provide backup cooling to the recirculation pump seals). Loss of cooling to the service air compressors will lead to loss of instrument air, while loss of recirculation pump seal cooling can result in a pump seal LOCA. The TBCCW system provides cooling for major non-safety components in the turbine building, including the condensate booster pumps. Presumably, loss of CCW and TBCCW have been included in the quantification of other initiating events. [pp. 3-38, 3-86, 3-88, 3-157 of submittal]

Seven separate categories of ISLOCA were addressed in the analysis. These seven categories are: (1) LPCI injection line, (2) LPCS injection line, (3) shutdown cooling suction line, (4) RPV head spray line (from RCIC and LPCI loop B), (5) HPCS line, (6) feedwater lines, and (7) shutdown cooling return lines. Lines eliminated from the ISLOCA analysis included lines with a diameter less than 1.5 inches, and CRD injection lines. [pp. 3-11, 3-12, 3-39 of submittal]

Initiating event frequencies for LOCAs were based on WASH-1400. The ISLOCA events were quantified by using the methods described in NUREG/CR-5124, supplemented by input from WASH-1400, the IDCOR BWR IPE Methodology, EPRI pipe failure data (no reference provided), and the GESSAR PRA. [pp. 3-11, 3-12, 3-40 of submittal]

The frequency for LOSP was derived from industry data and plant-specific site location data with methods described in NUREG-1032 and NUMARC 87-00. Frequencies for other generic types of transient initiating events were based on data from the NUREG/CR-4550 Grand Gulf study. Plant-specific data were not used for generic transients due to limited plant operating experience. However, the licensee made a comparison of limited plant data and NUREG/CR-4550 Grand Gulf data for several transient categories. This comparison shows good agreement between the limited plant-specific data and NUREG/CR-4550 Grand Gulf data. [pp. 3-12 to 3-14, 3-40 of submittal]


Initiating event frequencies for the loss of plant service water and instrument air were based on system logic models. The initiating event frequency for loss of a non-safety DC bus was based on data from NUREG-0666. [pp. 3-10, 3-12 to 3-15 of submittal]

Frequencies for equipment failures associated with flooding initiating events were extracted from WASH-1400, PRAs for Seabrook and Oconee, and NUREG/CR-1363. [pp. 3-188 to 3-190, 3-211 of submittal]

Except as discussed below, the initiating event frequencies are comparable to those typically used in other BWR IPE/PRA studies.

The Clinton IPE used a frequency of 1E-03/yr for small LOCAs. However, there appear to have been 2 instances of recirculation pump seal failures during the Clinton plant history. Given that the Clinton IPE does not have a separate initiating event for recirculation pump seal LOCAs, it appears that the small LOCA frequency has been underestimated. In other typical BWR PRA/IPE studies, the frequency of recirculation pump seal LOCAs is approximately 1E-02/yr. [p. 2 of RAI Responses, p. 3-37 of submittal]

2.2.2 Event Trees.

The following event trees were used in the analysis: [pp. 3-22 to 3-62 of submittal]

  • Transient with isolation from main condenser
  • Transient without isolation from main condenser
  • Loss of feedwater
  • Inadvertent/stuck open safety relief valve (IORV)
  • Loss of offsite power (LOSP)
  • Station blackout
  • Loss of instrument air
  • Loss of service water
  • Loss of non-safety DC bus
  • Small LOCA
  • Medium LOCA
  • Large LOCA
  • ISLOCA
  • ATWS

The front-end portion of the analysis was based on a 24 hour mission time, while the back-end analysis assumed a 48 hour mission time. [pp. 3-16, 3-164, 4-22 of submittal]

Success criteria used in the analysis were based on Modular Accident Analysis Program (MAAP) calculations. Core damage was defined as a reactor level less than two thirds the length of the active fuel for more than 4 minutes or MAAP results with a fuel temperature of 2,200 deg. F or more. Decay heat levels typical of conditions immediately following reactor trip were used in these calculations, with no credit for spray or steam cooling. [pp. 1-7, 3-30, 3-212 of submittal]

The IPE assumes that the LPCS, the HPCS, and the RHR pumps (in the LPCI mode) do not lose suction after loss of containment heat removal or containment depressurization following containment venting or containment failure unless the failure is in the suppression pool. Per design, sufficient NPSH is expected to remain available to operate these pumps with the suppression pool at saturation conditions. [p. 60 of RAI Responses, pp. 6.3-5, 6.3-12, 6.3-17 of UFSAR, 3-28 of the submittal]

Clinton has a suppression pool makeup system, which is designed to dump water from an upper pool down into the suppression pool during post-LOCA conditions. The purpose of this added water is to ensure that adequate water exists in the suppression pool given that inventory during recirculation is diverted out the break from the suppression pool into the drywell. However, the licensee states that upper pool dump is not required for maintaining adequate NPSH for the ECCS pumps in the event of a LOCA. [pp. 3-29, 3-76 of submittal]

As long as the reactor is shutdown and core damage is averted via ECCS cooling, loss of containment cooling will not cause containment failure during the 24 hour front-end mission time. The licensee states that containment cooling is not required due to the relatively large suppression pool volume and free air volume. Because ECCS systems would not be affected during the front-end mission time, containment venting was not required or modeled in the front-end analysis. [p. 31 of RAI Responses]

The fire protection system can be aligned as a source of core injection. The fire protection pumps are diesel-driven. The alignment of the fire protection system for core injection requires several hours to accomplish. The analysis took credit for this cooling method, though apparently not for station blackout sequences. The licensee notes that this cooling method would be of minimal value in station blackout sequences because the ADS SRVs will likely reclose after battery depletion, with a consequential rise in reactor pressure that would make fire protection injection unavailable. [pp. 10, 11 of RAI Responses, pp. 3-32, 3-89, 6-11, 6-12 of submittal]

The control rod drive (CRD) system was modeled as a source of flow to the reactor vessel. The CRD flow rate at a 1,000 psig reactor pressure is about 140 gpm with one pump, and 150 gpm with two pumps. A flow rate of 140 gpm was used in the analysis. MAAP simulations performed by the licensee indicate that CRD with one pump running (140 gpm at 1,000 psig) is adequate after one hour to avert core damage. [p. 11 of RAI Responses, pp. 3-30, 3-32, 3-80, 3-182 of submittal]

In the ISLOCA analysis, no credit was taken for mitigating systems in which the ISLOCA occurred. Each of the ECCS systems is located in its own flood-proof room which prevents flood waters from traveling from the area where the break occurred to other ECCS rooms. Because the ECCS pump rooms are not vapor tight, steam can be transported among these rooms. However, the ECCS equipment qualification envelope demonstrates the operability of ECCS equipment after exposure to high temperature and humidity conditions. The IPE assumes that an ISLOCA will not depressurize the reactor to the point where low pressure injection systems can provide makeup. However, credit was taken for use of the low pressure injection systems in conjunction with operator depressurization. [p. 8 of RAI Responses, p. 3-57 of submittal]

The ISLOCA analysis does not include the possibility of break isolation. It is assumed that ECCS systems can provide adequate makeup for the 24 hour accident mission time. The possibility of suppression pool depletion during the mitigation period was not addressed in the IPE. A 1993 (post IPE) study examined the likelihood of suppression pool depletion through the two predominant ISLOCA paths, the RHR shutdown cooling line and the feedwater lines. This study estimated the frequency of an inventory-depleting ISLOCA event through the RHR shutdown cooling line to be 3.3E-08/yr. For the feedwater lines, the frequency of an inventory-depleting ISLOCA was estimated to be 2.3E-08/yr. In other words, the total frequency of an inventory-depleting ISLOCA was estimated to be 5.6E-08/yr. All of the IPE ISLOCA sequences were below the truncation value of 1.1E-09/yr. Therefore, had the IPE considered suppression pool inventory depletion, the ISLOCA frequency would not exceed 5.6E-08/yr. [p. 8 of RAI Responses, pp. 3-57, 4-33, 4-79 of submittal]

Like the Grand Gulf NUREG/CR-4550 study, the Clinton IPE took credit for HPCS as an ATWS mitigating system. [pp. 3-27, 3-59 to 3-62 of submittal]

2.2.3 Systems Analysis.

Systems descriptions are included in Section 3.2.1 of the submittal. These system descriptions contain information on system function, system design and operation, modeling assumptions, operator actions, and system interfaces. The system descriptions also contain simplified schematics that show major equipment items and important flow and configuration information. [pp. 3-63 to 3-161 of submittal]

Clinton has two turbine-driven reactor feedwater pumps and one motor-driven feedwater pump. The motor-driven feedwater pump can supply water to the reactor regardless of the availability of motive steam and the main condenser, which are required for operation of the turbine-driven feedwater pumps. Thus, the feedwater system can provide core cooling for transients with and without main steam line isolation. [pp. 3-98, 6-3, 6-4 of submittal]

Clinton has a steam-driven RCIC system and motor-driven HPCS system, both of which are typical of BWR-6 plants. The HPCS injects over the core as opposed to the downcomer. Clinton also has a typical RHR and LPCS arrangement. The RHR system provides LPCI, as well as containment spray and suppression pool cooling. Two trains of the RHR system, "A" and "B", can operate in four different modes, specifically: LPCI, containment spray, suppression pool cooling, and shutdown. The third train of the RHR system can only operate in the LPCI mode. The LPCI injects into the core region. Spray over the top of the core can be provided by the LPCS. [p. 3-75 of submittal]

Clinton is equipped with a total of 16 safety relief valves (SRVs), 7 of which are automatically actuated by the ADS. Compressed air for the operation of these valves is required to be between 140 and 200 psig to ensure successful operation. This air is normally provided by the instrument air system. Air amplifiers are provided to boost the pressure in the instrument air system from 120 psig to a minimum of 150 psig. A backup supply of air is provided via compressed air bottles for the nine SRVs that do not have an ADS function (see footnote 7). The motor operated isolation valve to these bottles can be opened from the control room. [pp. 6.3-49, 9.3-3 of UFSAR, 3-18, 3-77 to 3-79 of submittal]

Three diesel generators are provided, one each for Class 1E electrical Divisions 1, 2, and 3, respectively. The Division 3 diesel is smaller than the other two diesels, as it provides power only to the HPCS and its required support loads. No cross-connections between Division 3 and Divisions 1 or 2 are displayed in Figure 3.2-34 of the submittal. It appears that the IPE did not take credit for using the Division 3 diesel generator to power any Division 1 or 2 equipment. The NUREG/CR-4550 PRA for Grand Gulf credited use of Division 3 power (HPCS diesel generator) to power electrical loads in Divisions 1 or 2 by means of a cross-tie. [pp. 8.3-4 of UFSAR, 3-83, 3-139 of submittal]

The shutdown service water (SX) system provides cooling water to safety-related equipment when the normal balance of plant (BOP) systems are not available. During normal plant operation, the SX system is in standby while the plant service water (WS) system provides flow to various safety and non-safety related loads. Upon receipt of a LOCA signal, the SX pumps will start and the WS/SX cross-tie valves close. The SX pumps will also start on receipt of a low header pressure signal, for example after a LOSP condition that would cause the WS pumps to become unavailable. [pp. 3-85, 3-86 of submittal]

The shutdown service water system can provide up to 1,000 gpm to the reactor via the RHR system when the reactor is depressurized below 50 psig. Achieving this flow rate would require isolation of all other heat loads except diesel generator cooling and the control room heating, ventilating, and air conditioning (HVAC) heat exchangers. A requirement for heat load isolation is not presently incorporated in the Clinton procedures. Consequently, this method of core cooling was not modeled in the IPE. [p. 3-31 of submittal]

Footnote 7: Each of the SRVs, including those without an ADS function, also has an air accumulator. However, no credit was taken for these air accumulators, as their capacity was assumed insufficient for the required mission time.

2.2.4 System Dependencies.

The submittal contains dependency matrices that identify asymmetries and include dependencies related to electrical power, instrument air, HVAC, and pump cooling. These dependency matrices contain footnotes that provide additional supporting information. [p. 3-95 of submittal]

Control room HVAC was not modeled as a required support system during the post-accident mitigating system period. The licensee states that control room HVAC is a continuously running, redundant system with a probability of failure significantly less than failure probabilities of front-line systems. Also, the large volume of the control room would lead to a relatively slow heat-up, thereby allowing additional response time for using remote shutdown capabilities. An analysis performed in response to the station blackout rule determined that the control room would not exceed 120 deg F within four hours. Procedures and equipment are also in place to provide alternate cooling measures. [p. 4 of RAI Responses]

The IPE assumed that ECCS and RCIC equipment would remain operable for 4 hours without HVAC. This assumption was based on a heatup analysis of the LPCS room and review of ECCS equipment qualification limits. HVAC unavailabilities beyond 4 hours were assumed to fail the associated ECCS/RCIC pumps. In circumstances where ECCS/RCIC pump failure occurred due to loss of HVAC (4 hours), credit was taken for backup core cooling from the CRD or fire protection system. There is no automatic trip of ECCS pumps on high temperature. [pp. 10, 11 of RAI Responses]

The RHR and LPCS pumps will continue to run for a period of time after the shutdown cooling water supply to the pump motor lube oil coolers is lost. However, the IPE did assume that the RHR and LPCS pumps will fail if lube oil cooling is lost. [p. 10 of RAI Responses, pp. 3-93, 3-104, 3-105 of submittal]

In summary, it appears that the IPE has accounted for all system dependencies.

2.3 Quantitative Process

This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed.


2.3.1 Quantification of Accident Sequence Frequencies.

The IPE used a small event tree/large fault tree technique with fault tree linking to quantify core damage sequences. The Cut Set and Fault Tree Analysis (CAFTA) code was used for the development and linking of system fault trees, and manipulations of cutsets developed from the fault trees. The Set Equation Transformation System (SETS) code was used to generate the sequence cut sets and numerical frequencies. The cut set truncation limit used for accident sequence cut sets was 1.1E-09/yr. [pp. 1-5 to 1-7, 3-46 to 3-62, 3-91 to 3-95, 3-187, 3-188 of submittal]

Credit was taken for recovery of offsite power in the IPE. Non-recovery data for LOSP were generated from information contained in NUREG-1032. The IPE non-recovery data are more optimistic than average industry experience reported in an Electric Power Research Institute (EPRI)-sponsored study [NSAC 147]. For example, at two hours, the IPE probability for non-recovery of LOSP is about a factor of 4 lower than the corresponding NSAC data. At four and eight hours, the IPE non-recovery data are approximately a factor of 5 lower than the NSAC data. [p. 12 of RAI Responses, pp. 3-180, 3-181, 3-204 of submittal]

While diesel generator failures can occur randomly during the 24 hour front-end mission time, the probability of non-recovery of offsite power significantly decreases as a function of time. Therefore, if diesel generator "run" failure rates are simply multiplied by the 24 hour front-end mission time with no further numerical adjustment, the resulting analysis is expected to be pessimistic. To more accurately account for this aspect of the analysis, the licensee applied a time-phased recovery analysis to station blackout cut sets. The approach used in the Clinton IPE effectively reduces the mission time used to quantify diesel generator "run" failures from 24 hours to 5 hours or less. A similar time-phased recovery analysis was also applied to diesel fuel oil pumps, and included consideration of both LOSP non-recovery probabilities and the 2 hour diesel day tank capacity. Also, a special "containment" time-phased recovery was used in the back-end analysis to account for available times to prevent vessel failure. The time-phased power recovery technique used in the Clinton IPE appears to be consistent with similar approaches used in some other IPE/PRA studies. [pp. 11 to 22 of RAI Responses, pp. 3-53, 3-180, 3-181, 3-204, 3-205, 3-201 of submittal]
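The effect of time-phasing can be seen in a short calculation. The following is an added illustration, not the licensee's or the reviewer's computation: it uses the 2E-03/hr diesel generator run failure rate from Table 2-1 and the 24 hour mission time, while the exponential offsite power non-recovery curve, its rate, and the 4 hour interval between blackout and core damage are constructed assumptions, so the resulting effective mission time is illustrative and is not meant to reproduce the IPE value.

```python
import math

# Values taken from the report
LAMBDA_RUN = 2e-3    # diesel generator failure-to-run rate, per hour (Table 2-1)
MISSION_H = 24.0     # front-end mission time, hours

# Constructed values for illustration only (not from the IPE or NUREG-1032)
MU_RECOVERY = 0.25   # assumed offsite power recovery rate, per hour
GRACE_H = 4.0        # assumed time from blackout onset to core damage, hours


def p_nonrecovery(t_hours, mu=MU_RECOVERY):
    """Constructed curve: probability offsite power is still lost t hours after the LOSP."""
    return math.exp(-mu * t_hours)


def naive_sbo(lam=LAMBDA_RUN, mission=MISSION_H, grace=GRACE_H, curve=p_nonrecovery):
    """Run failure rate times the full mission time, times one fixed non-recovery value."""
    return lam * mission * curve(grace)


def time_phased_sbo(lam=LAMBDA_RUN, mission=MISSION_H, grace=GRACE_H,
                    curve=p_nonrecovery, steps=2400):
    """Integrate over the diesel failure time t with composite Simpson's rule.

    A diesel that fails at time t contributes only if offsite power is still
    unavailable at t + grace, so each failure time is weighted by the
    non-recovery probability at that later time.
    """
    if steps % 2:
        steps += 1  # Simpson's rule needs an even number of intervals
    h = mission / steps

    def integrand(t):
        return lam * math.exp(-lam * t) * curve(t + grace)

    total = integrand(0.0) + integrand(mission)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * integrand(i * h)
    return total * h / 3.0


def effective_mission_time(lam=LAMBDA_RUN, mission=MISSION_H, grace=GRACE_H,
                           curve=p_nonrecovery):
    """Mission time that makes the naive product equal the time-phased result."""
    return time_phased_sbo(lam, mission, grace, curve) / (lam * curve(grace))


def closed_form_sbo(lam=LAMBDA_RUN, mission=MISSION_H, grace=GRACE_H, mu=MU_RECOVERY):
    """Analytic result for the exponential curve, used to check the integration."""
    k = lam + mu
    return lam * math.exp(-mu * grace) * (1.0 - math.exp(-k * mission)) / k


if __name__ == "__main__":
    print(f"naive 24 h product      : {naive_sbo():.3e}")
    print(f"time-phased integral    : {time_phased_sbo():.3e}")
    print(f"effective mission time  : {effective_mission_time():.2f} h")
```
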

The IPE credited local repair of various equipment items and systems, including diesel generators, pumps, valves, and instrumentation. It is positive that the licensee has attempted to credit a variety of repair activities to reflect the operation of the as-built, as-operated plant. However, IPE/PRA studies typically limit credit for local equipment repair activities to diesel generators, as there is comparatively more experience for repair of diesel generators than for other components and systems. It is further noted that the Clinton IPE has taken credit for up to two component/system repair actions per accident sequence cut set. Credit for multiple repair activities within a given cut set is also not typically done in IPE/PRA studies. The licensee states that the credited repair activities included in the Clinton IPE are based on a demonstrated capability of the plant to field multiple repair teams during actual emergency exercises. However, the quantification of repair activities is based on a generic EPRI database [EPRI 3000-34], and it is not clear how accurately the generic EPRI data would reflect the Clinton plant during an actual accident condition given the uncertainties inherent in predicting human actions. It is also noted that the IPE data for non-recovery of common cause diesel generator failures are one to two orders of magnitude lower (more optimistic) than industry experience used in the Accident Sequence Evaluation Program (ASEP) as reported in NUREG/CR-4550. [pp. 44 to 51 of RAI Responses, Table 8.210 of NUREG/CR Methodology, Vol. 1]

The selection of available time for component/system repair was based on the role of each particular system or component in preventing core damage. For injection system components failed due to loss of room cooling, a repair time of 4 hours was used. This repair time was based on a heatup analysis of the LPCS room and review of ECCS equipment qualification limits. Where injection components failed for reasons other than loss of room cooling, injection component repair appears to have been allowed only for transients. The repair time in this case was ½ hour, based on MAAP calculations that show vessel makeup can be delayed for at least ½ hour without significant core damage. For diesel generators, recovery probabilities were determined for 1 and 4 hour time periods. The 1 and 4 hour periods correspond to the times considered in the event tree for AC power recovery in time to prevent battery depletion. Recovery times for fans and shutdown service water system components were assumed to be four hours. It appears that in all cases the maximum time analyzed in the EPRI database was only two hours. Thus, where component/system recovery could be credited for 4 hours in the IPE, 2 hour EPRI data were used. Most of the non-recovery probabilities for credited component/system repair actions range from 0.3 to 0.8. [pp. 44 to 51 of RAI Responses, pp. 3-179, 3-180 of submittal]

As part of a response to an NRC Staff request for clarification of equipment repair models, the licensee performed a sensitivity analysis that involved removal of all credited equipment repair recoveries, except those involving off-site power, DC power, and operator actions done from the control room. With this model change, the baseline CDF (exclusive of internal flooding*) increased by a factor of 1.44 (from 2.49E-05/yr to 3.57E-05/yr). The relative contributions of individual accident sequences were not significantly altered as a result of this sensitivity study. In no instances were increases in individual accident sequence frequencies greater than 2.4. While two new sequences were introduced as a result of the sensitivity analysis, their frequencies were less than 1E-08/yr.

While the Clinton IPE equipment repair model is more optimistic than repair models typically used in other IPE/PRA studies, the licensee's sensitivity analysis demonstrates that this repair model has not significantly affected the CDF or accident sequence profile. Therefore, it is our judgment that the licensee's equipment repair model does not represent a weakness of the IPE.

* No credit was given for flood-related operator mitigating actions.

Finally, credit was taken for rapid recovery of a loss of feedwater initiating event. Quantification of this recovery action was also based on EPRI data [EPRI 3000-34]. It appears that the licensee has used a value of 0.21 as the non-recovery probability for this activity. [p. 3-180 of submittal]

2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses.

The submittal does not state the statistical significance of the initiating event and fault tree basic events. However, the IPE used pipe break frequencies from WASH-1400 that represent mean values. In addition, generic transient initiator frequencies are based on mean value data provided in the NUREG/CR-4550 Grand Gulf study. Also, most of the component failure data used in the IPE analysis were extracted from the mean values presented in the NUREG/CR-4550 methodology document. The overall CDF is presented in terms of a point value. No statistical uncertainty analysis of the results was performed. [pp. 3-11, 3-13, 3-192 to 3-194 of submittal]

The licensee performed several types of sensitivity analysis. In one analysis, all recovery actions assigned a value less than 0.1 were set to 0.1. The frequency of a loss of feedwater sequence increased by a factor of 5.8, while the frequencies of several other sequences increased by factors less than two. The overall CDF increased by only 4%. [pp. 3-182, 3-183 of submittal]

The licensee performed sensitivity analyses related to the CDF impact from two plant improvements. These sensitivity analyses are summarized in Subsection 2.7.3 of this report. As previously discussed in Subsection 2.3.1 of this report, the licensee also generated a sensitivity analysis related to the IPE component/system repair models.

A sensitivity analysis was performed on preliminary front-end results to identify human events requiring possible refinement of their quantification. Following this screening process, some of the human event data were re-quantified before the final results were generated. A set of back-end MAAP sensitivity analyses was also performed. [pp. 3-172, 3-173, 3-198 to 3-200, 4-50 to 4-65 of submittal]

2.3.3 Use of Plant Specific Data.

Plant-specific data were used to quantify maintenance unavailabilities. However, all of the component hardware failure rates, with the possible exception of diesel generator start failures,* were quantified with generic data. The licensee states that the short time history of the plant (approximately six years at the time the IPE was performed) is unlikely to provide sufficient failure data to support the analysis. The licensee further states that plant-specific data were not ignored, even though the decision was made to use generic data for component hardware failures. The licensee examined plant-specific data to determine if any unusual failure rates were occurring, as summarized below: [pp. 1, 2 of RAI Responses, pp. 3-164 to 3-167, 3-193, 3-207 of submittal]

  • Even at the time of the IPE, various safety system out-of-service times compared favorably with the other domestic BWR-6 plants.

  • To date, there have been no surveillance-related pump start failures on any of the safety-related injection systems. Based on quarterly testing, this result corresponds to no failures in at least 157 attempts, or a start failure probability less than 6E-03. The generic value used in the IPE for the probability of pump start failure was 5E-03.

  • Other than the HPCS water leg pump, there have been only 2 pump "run" failures in about 200,000 hours. One of the failures was a post-maintenance test failure and was not counted. By counting the remaining pump failure, the pump failure-to-run rate is 5E-06/hr, compared to a generic value of 5E-05/hr. The HPCS water leg pump failures were attributed to a design problem and no subsequent failures have occurred following corrective actions.

  • Of a population of 170 safety-related and risk significant motor-operated valves (MOVs), there have been 37 cases recorded as valve failures. Assuming that each valve is stroked only once per quarter (minimum surveillance requirements), this operating experience supports a failure-to-stroke rate of 7E-03 per demand. The failure probability of 7E-03 is pessimistic, because some of the recorded failures include non-risk significant failures such as seat leakage. The IPE used a generic value of 3E-03 for MOV demand failure probabilities.

  • The average forced outage rate over the commercial life of the plant has been about 3.5 outages per operating year, including the first years of plant life, as compared to a generic frequency of 7 events per year.

* The licensee states that the diesel generators have been started a sufficient number of times (306) during surveillance testing to determine a plant-specific failure rate estimate. The plant-specific diesel generator start failure probability, 2.0E-02, is close to the NUREG/CR-4550 generic estimate of 3E-02. It is unclear, however, if the IPE actually used the plant-specific estimate. For example, common cause data listed in Table 3.312 of the submittal suggests that the licensee used the generic estimate of 3E-02. [pp. 3-165, 3-166, 3-193, 3-207 of submittal]

Based on the above discussion, the licensee has demonstrated instances where plant-specific failure data are comparable to or better than corresponding generic data. However, in our judgment, the omission (or very limited use) of plant-specific hardware data represents a weakness of the analysis. While it might be argued that the use of generic data provides an upper bound to the total CDF, the relative CDF contributions of various sequences and failure events may be distorted.

As previously noted in Section 2.2.1 of this report, plant data were generally omitted from the development of initiating event frequencies.

2.3.4 Use of Generic Data.

The primary source of generic data was the NUREG/CR-4550 methodology document. The other sources of generic data were the NUREG/CR-4550 Grand Gulf study, NUREG/CR-2815, IEEE 500, and (unspecified) General Electric reliability data reports. [p. 22 of RAI Responses, pp. 3-146, 3-165, 3-192 to 3-194 of submittal]

We performed a comparison of IPE generic component failure data to generic values used in NUREG/CR-4550. This comparison is presented below in Table 2-1.

Table 2-1. Generic Component Failure Data

| Component | Failure Mode | IPE Mean Value Estimate | NUREG/CR-4550 Mean Value Estimate |
|---|---|---|---|
| Turbine-driven pump | Start | 3E-02 | 3E-02 |
| | Run | 5E-03 (first hour), 2E-05 (subsequent hours) | 5E-03 |
| Motor-driven pump (see note 2) | Start | 3E-03 | 3E-03 |
| | Run | 3E-05 | 3E-05 |
| MOV | Transfer | 3E-03 | 3E-03 |
| Check valve | Open (demand) | 1E-04 | 1E-04 |
| Battery charger | No output | 1E-06 | 1E-06 |
| Battery | No output | 1E-06 | 1E-06 |
| Inverter | No output | 1E-04 | 1E-04 |
| Circuit breaker | Transfer | 3E-03 | 3E-03 |
| Diesel generator | Start | 3E-02 | 3E-02 |
| | Run | 2E-03 | 2E-03 |
| Strainer/Filter | Plugs | 3E-05 | 3E-05 |
| Transformer | No output (short/open) | 2E-06 | 2E-06 |

Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other values represent frequencies expressed per hour. (2) IPE data used for various motor driven pumps, including diesel fuel oil pumps.

The licensee states that plant-specific component failure data will be included in future updates to the IPE as "statistically valid" data are gathered.


Table 2-1 shows that IPE generic data are consistent with NUREG/CR-4550 data, except for the turbine-driven pump run data. The IPE has used a value of 2E-05/hr for turbine-driven pump failure to run after the first hour, compared with the NUREG/CR-4550 value of 5E-03/yr applicable for all run periods. This element of the IPE failure data was extracted from the PRA Procedures Guide [NUREG/CR-2815].

As was previously noted in Section 2.2.1 of this report, generic industry data were used in the development of LOCA and transient initiating events.

2.3.5 Common Cause Quantification.

The estimation of common-cause failure probabilities was based on the Multiple Greek Letter (MGL) method. A number of component groups were included in the common cause analysis, including diesel generators, pumps, MOVs, AOVs, check valves, explosive valves, circuit breakers, battery chargers, inverters, relays, safety relief valves, batteries and instrumentation and control components. The submittal does not state the source of the MGL data used in the IPE. [pp. 2-4, 2-5, 3-185, 3-206 to 3-208 of submittal]

We performed a comparison of IPE common-cause data with generic beta factors used in the NUREG/CR-4550 studies [NUREG/CR-4550, Methodology]. In preparing this comparison, the MGL-based failure rates provided in Table 3.312 of the submittal were used to derive equivalent fractional failures to correspond to the beta factors presented in NUREG/CR-4550. The common cause data comparison is summarized below in Table 2-2. [pp. 3-207, 3-208 of submittal]

Table 2-2. Comparison of IPE and NUREG/CR-4550 Common-Cause Data

| Component | Failure Mode | Group Size | Equivalent IPE Beta Factor Derived from Table 3.312 of Submittal | NUREG/CR-4550 Mean Value Beta Factor |
|---|---|---|---|---|
| Shutdown Service Water Pump | Start | 2 | 0.17 | 0.026 |
| | Run | 2 | 0.067 | |
| RHR/LPCS Pump | Start | 4 | 0.037 | 0.10 |
| | Run | 4 | 0.04 | |
| MOV | Transfer | 2 | 0.33 | 0.088 |
| | | 4 | 0.0037 | 0.057 |
| AOV | Transfer | 2 | 0.15 | 0.10 (2 or more) |
| Diesel Generator | Start | 3 | 0.0097 | 0.018 |
| | Run | 3 | 0.042 | |

As indicated in Table 2-2, the IPE common cause data for start failure of 2 shutdown service water pumps is over a factor of 6 higher than the NUREG/CR-4550 generic data. Also, the IPE common cause data for failure of 2 MOVs is almost a factor of 4 higher than the generic data. On the other hand, the IPE data for common cause failure of 4 MOVs is about a factor of 15 lower than the generic data. In addition, the IPE data for RHR/LPCS pump and diesel generator start failures are lower than generic data by factors of about 3 and 2, respectively.

The licensee states that a beta factor of 0.02 was used to quantify common cause failures of diesel fuel oil pumps. This value is based on NUREG/CR-2098. [p. 22 of RAI Responses]

2.4 Interface Issues

This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front-End and Back-End Interfaces.

The IPE assumes that the LPCS, the HPCS, and the RHR pumps (in the LPCI mode) do not lose suction after loss of containment heat removal or containment depressurization following containment venting or containment failure unless the failure is in the suppression pool. Per design, sufficient NPSH is expected to remain available to operate these pumps with the suppression pool at saturation conditions. [p. 60 of RAI Responses, pp. 6.3-5, 6.3-12, 6.3-17 of UFSAR, 3-28 of the submittal]

As long as the reactor is shut down and core damage is averted via ECCS cooling, loss of containment cooling will not cause containment failure during the 24 hour front-end mission time. The licensee states that containment cooling is not required due to the relatively large suppression pool volume and free air volume. Because ECCS systems would not be affected during the front-end mission time, containment venting was not required or modeled in the front-end analysis. [p. 31 of RAI Responses]

While six containment vent paths are available, only the three with the largest capacity were modeled in the back-end analysis. The other three paths do not have sufficient capacity by themselves to vent containment. The modeled paths are: the RHR system through the fuel pool cooling and cleanup (FC) system; the FC system through the spent fuel pool; and through a hole cut in the piping of the containment continuous purge systems. One of the credited paths vents directly to the outside so that operator access to plant areas is minimally impacted. The other two paths are scrubbed through the spent fuel pool to minimize the impact on area accessibility. [p. 60 of RAI Responses, pp. 3-22, 3-80, 3-81 of submittal]

The possibility of suppression pool depletion during an ISLOCA was not addressed in the IPE. A 1993 (post-IPE submittal) study examined the likelihood of suppression pool depletion through the two predominant ISLOCA paths, the RHR shutdown cooling line and the feedwater lines. This study estimated that an inventory-depleting ISLOCA event through the RHR shutdown cooling line has a frequency of 3.3E-08/yr. For the feedwater lines, the frequency of an inventory-depleting ISLOCA was estimated to be 2.3E-08/yr. In other words, the total frequency of an inventory-depleting ISLOCA was 5.6E-08/yr. All of the IPE ISLOCA sequences were below the truncation value of 1.1E-09/yr. Therefore, had the IPE considered suppression pool inventory depletion, the ISLOCA frequency would not exceed 5.6E-08/yr. [p. 8 of RAI Responses, pp. 3-57, 4-33, 4-79 of submittal]

The Level 1 core damage end states were binned into accident classes to form the beginning states for containment event trees. The binning of Level 1 end states into accident classes was based on the following criteria: containment integrity, primary system integrity, relative timing of core damage, primary system pressure, and failure of critical functions leading to core damage. These five classes were further subdivided into subclasses based on the unavailability of key functions. The binning process used to couple core damage sequences into the back-end analysis appears to be comparable with the process used in other PRA/IPE studies. [pp. 2-6, 2-7, 3-34, 3-35, 4-22, 4-23 of submittal]

2.4.2 Human Factors Interfaces.

Dominant human errors and recovery factors contributing to CDF include: [p. 6-27 of submittal]

  • Failure to recover offsite power in 0.5 hours
  • Operator fails to manually initiate ADS

Operator failure to manually initiate ADS for use of low pressure injection contributes about 24% to the total CDF. In contrast, equipment failures related to ADS failure are relatively minor contributors to CDF. The licensee states that per procedure, there are no conditions where automatic depressurization would be allowed. At the same time, the Clinton procedures are stated to be consistent with Revision 4 of the BWR Emergency Procedure Guidelines (EPGs). The failure of operators to manually initiate ADS was quantified with a human error probability (HEP) of 5E-04. Alternate methods of vessel depressurization were not credited in the IPE (for example, via MSIVs and turbine bypass valves). As stated by the licensee, failure of operators to depressurize does not represent a vulnerability because this action has been emphasized in training and has been judged unlikely to induce operator error. [pp. 26 to 30 of RAI Responses]

As previously discussed in Subsection 2.3.1 of this report, the IPE took credit for component/system repair recoveries, including up to two such recoveries per accident sequence cut set. Credit was also taken for rapid recovery of a loss of feedwater initiating event. [p. 3-180 of submittal]

2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed.

2.5.1 Examination of DHR.

The DHR contribution to CDF was derived by eliminating from accident sequence cutsets failures of systems that cannot remove decay heat. Systems not able to remove decay heat include HPCS, RCIC, LPCS, ADS, and fire protection. The CDF due to loss of DHR was estimated to be 5.2E-06/yr. The licensee states that this DHR related CDF estimate is pessimistic, as additional methods of DHR were not credited, for example RHR lined up to the fuel pool cooling and cleanup system. [p. 3-231 of submittal]

As pointed out by the licensee, the USI A-45 study recommends that DHR-related CDF contributions should not be greater than 1E-05/yr. The Clinton DHR-related CDF was determined to be no greater than 5.2E-06/yr. No DHR-related vulnerabilities were identified. [p. 3-232 of submittal]

2.5.2 Diverse Means of DHR.

The IPE evaluated the diverse means for accomplishing DHR, including: use of the power conversion system, RCIC, HPCS, and use of low pressure injection by opening safety relief valves. [pp. 3-230, 3-231 of submittal]

2.5.3 Unique Features of DHR.

The unique features at Clinton that directly impact the ability to provide DHR are as follows: [pp. 4-1, 4-42, 4-43, 6-2 to 6-4, 6-11 to 6-14 of submittal]

  • Diversity of reactor feedwater pump motive power. Two of the reactor feedwater pumps are turbine-driven, while the third pump is motor-driven. The motor-driven pump provides the capability of providing feedwater for transients with and without main steam isolation. This design feature tends to decrease the CDF.

  • Ability of emergency core cooling system (ECCS) pumps to operate with a saturated suppression pool. The high pressure core spray (HPCS), low pressure core spray (LPCS), and residual heat removal (RHR) pumps can operate with a saturated suppression pool and thus provide core cooling in the event containment cooling is lost. This design feature tends to decrease the CDF.

  • Ability to cross-connect the fire protection system for core injection. The fire protection system can be aligned as a source of core injection. The fire protection pumps are diesel-driven. This design feature tends to decrease the CDF. The analysis took credit for this cooling method, though apparently not for station blackout sequences. The licensee notes that this cooling method would be of minimal value in station blackout sequences because the ADS SRVs will likely reclose after battery depletion, with a consequential rise in reactor pressure that would make fire protection injection unavailable.

2.5.4 Other GSI/USIs Addressed in the Submittal.

The submittal does not address GSIs/USIs other than DHR. The licensee states that there are no open generic issues at Clinton. [p. 3-232 of submittal]

2.6 Internal Flooding

This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.

2.6.1 Internal Flooding Methodology.

The flooding analysis considered effects from both submergence and spray. Based on a post-IPE submittal review, the licensee concluded that the analysis also accounts for steam impingement. [p. 26 of RAI Responses, p. 3-189 of submittal]

The flooding analysis evaluated events that could lead to a scram or shutdown requiring core cooling systems. Plant walkdowns, a Sargent & Lundy flooding report [S&L Flood], and input from the IPE Senior Reactor Operator were used to support the analysis. Propagation of a flood beyond the flood-initiation area through doorways, hatches, stairwells, etc. was addressed. [pp. 3-189, 3-190 of submittal]

The frequency of flooding initiating events was based on a review of the specific components that could rupture or leak and cause a flood. Random equipment failures were considered as initiating events, as well as personnel failures to perform system isolation prior to maintenance. Equipment considered in the development of initiating events included piping, expansion joints, valves and tanks. The initiating event frequencies were extracted from WASH-1400, PRAs for Seabrook and Oconee, and NUREG/CR-1363. Sequence quantification was based on the internal events logic models, with consideration given to flood-related component failures. No credit was taken for flood-related operator mitigating actions, such as flood isolation or tripping of pumps. [pp. 56, 57 of RAI Responses, pp. 3-188 to 3-191, 3-211 of submittal]

2.6.2 Internal Flooding Results.

The total point estimate CDF contribution from internal flooding was calculated to be 1.6E-06/yr, which represents about 6% of the total CDF. Five dominant sequences collectively represent 75% of the total flooding related CDF contribution. These sequences are summarized below in Table 2-3. [pp. 3-224 to 3-228, 3-235 of submittal]

Table 2-3. Dominant Sequences From Internal Flooding Analysis

| Initiating Event | CDF (per yr) |
|---|---|
| Feedwater line break in main steam tunnel | 4.17E-07 |
| Plant service water line break in CCW pump and tank area (control building elev 762') | 2.24E-07 |
| Plant service water break in HPCS pump room | 2.23E-07 |
| HPCS line rupture in HPCS pump room | 1.79E-07 |
| CCW line break in CCW pump and tank area (control building elev 762') | 1.55E-07 |

2.7 Core Damage Sequence Results

This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences, whether systemic or functional, is reviewed for consistency with the screening criteria of NUREG-1335. The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.

2.7.1 Dominant Core Damage Sequences.

The IPE utilized event trees that are generally functional in nature, and reported results using the screening criteria from Appendix 2 of Generic Letter 88-20 for functional sequences. The total point estimate CDF for Clinton is 2.6E-05/yr, including a 1.6E-06/yr contribution from internal flooding*. [pp. 3-212, 3-213 of submittal]

* The most recent update of the IPE predicts a CDF exclusive of flooding of 5.5E-06/yr. [p. 5 of RAI Responses]

Accident types and their percent contribution are listed in Table 2-4. [pp. 1-10, 1-11 of submittal]

Table 2-4. Accident Types and Their Contribution to Core Damage Frequency

| Accident Type | CDF Contribution per yr | Percent Contribution to CDF |
|---|---|---|
| Transients | 1.4E-05 | 52 |
| Station Blackout | 9.8E-06 | 37 |
| Internal Flooding | 1.6E-06 | 6 |
| LOCA (includes IORV) | 1.1E-06 | 4 |
| ATWS | 1.4E-07 | 0.5 |
| ISLOCA | negligible | negligible |

As previously noted, the licensee defines station blackout to be loss of offsite power combined with loss of power from the Division 1 and 2 diesel generators. The status of the Division 3 diesel generator (HPCS) is not considered in the definition of station blackout. [pp. 34, 353, 6-5 of submittal]

Initiating event contributions to the CDF, and their percent contribution, are listed below in Table 2-5*. [pp. 1-9, 3-235 of submittal]

Seven functional sequences were identified above the Generic Letter 88-20 screening criteria of 1.0E-06/yr. These dominant functional sequences are listed in Table 2-6 of this report. [pp. 1-8, 1-14, 3-224, 3-225, 3-235 of submittal]

Operator failure to manually initiate ADS for use of low pressure injection contributes about 24% to the total CDF. In contrast, equipment failures related to ADS failure are relatively minor contributors to CDF. The licensee states that per procedure, there are no conditions where automatic depressurization would be allowed. At the same time, the Clinton procedures are stated to be consistent with Revision 4 of the BWR Emergency Procedure Guidelines (EPGs). The failure of operators to manually initiate ADS was quantified with a human error probability (HEP) of 5E-04. Alternate methods of vessel depressurization were not credited in the IPE (for example, via MSIVs and turbine bypass valves). As stated by the licensee, failure of operators to depressurize does not represent a vulnerability because this action has been emphasized in training and has been judged unlikely to induce operator error. [pp. 26 to 30 of RAI Responses]

* With the exception of lower order flooding events, this table is complete. This table was assembled from information contained in Tables 1.41 and 3.4-3 of the submittal. Submittal Table 1.41 presents initiating events for non-flood events, while submittal Table 3.4-3 presents dominant flooding sequences. Together, the internal flood initiating events listed in submittal Table 3.4-3 represent about 75% of the total flood-related CDF. Because internal flooding contributes about 6% to the total CDF, the missing flood-related initiating events represent about 1.5% of the total CDF.

Table 2-5. Initiating Events and Their Contribution to Core Damage Frequency

| Initiating Event | CDF Contribution/yr | % Cont. to CDF |
|---|---|---|
| LOSP | 1.2E-05 | 46 |
| Transient without isolation | 4.8E-06 | 18 |
| Transient with isolation | 4.2E-06 | 16 |
| Loss of DC Bus | 1.2E-06 | 4.6 |
| Inadvertent open relief valve (IORV) | 1.1E-06 | 4.2 |
| Loss of feedwater | 9.6E-07 | 3.7 |
| Feedwater line break in main steam tunnel (internal flood) | 4.2E-07 | 1.6 |
| Plant service water line break in CCW pump/tank area (internal flood) | 1.2E-07 | 0.9 |
| Plant service water break in HPCS pump room (internal flood) | 2.2E-07 | 0.9 |
| Loss of service water | 1.9E-07 | 0.7 |
| HPCS line rupture in HPCS pump room (internal flood) | 1.8E-07 | 0.7 |
| CCW line break in CCW pump/tank area (internal flood) | 1.6E-07 | 0.6 |
| ATWS (see note 1) | 1.4E-07 | 0.5 |
| Medium LOCA | 1.3E-08 | 0.05 |
| Loss of instrument air | 1.0E-08 | 0.04 |
| Large LOCA | negligible | negligible |
| Small LOCA | negligible | negligible |
| ISLOCA | negligible | negligible |

Notes: (1) The submittal lists ATWS as an "initiating event"; other IPE/PRA studies generally categorize ATWS as an accident type.

Table 2-6. Dominant Functional Core Damage Sequences

| Initiating Event | Dominant Subsequent Failures in Sequence | % Contribution to Total CDF |
|---|---|---|
| LOSP | Division I and II diesel generators fail, HPCS and RCIC fail (short-term station blackout scenario) | 20 |
| LOSP | Division I and II diesel generators fail, HPCS fails, RCIC runs until battery fails (long-term station blackout scenario) | 18 |
| Transient Without Isolation | All high pressure injection fails, depressurization fails | 13 |
| Transient With Isolation | All high pressure injection fails, depressurization fails | 12 |
| Internal Flooding (combination of 5 separate initiating events) | Most significant scenario involves a feedwater line break in the steam tunnel that floods RCIC, LPCS, and RHR 'A' train equipment | 6 |
| Loss of Non-Safety DC Bus | Main condenser and all injection sources fail | 4 |
| Open relief valve | Loss of feedwater delivery and all high and low pressure injection systems; in many cases, failure of injection is related to lack of ac power | 4 |

Results from a Fussell-Vesely importance analysis were presented in the submittal. The most important events based on this measure are listed below: [pp. 6-4, 6-5, 6-27 to 6-32 of submittal]

  • Failure to recover off site power in 0.5 hours
  • Loss of off site power (initiating event)
  • Independent sub tree containing HPCS failure basic events
  • Basic event representing recovery of HPCS failures
  • Independent sub tree containing RCIC failure basic events
  • Basic event representing recovery of RCIC failures
  • Operator fails to manually initiate ADS

Finally, as previously discussed in Subsection 2.3.1 of this report, the licensee performed a sensitivity analysis that involved removal of all credited equipment repair recoveries, except those involving off-site power, DC power, and operator actions done from the control room. With this model change, the baseline CDF (exclusive of internal flooding*) increased by a factor of 1.44 (from 2.49E-05/yr to 3.57E-05/yr). The relative contributions of individual accident sequences were not significantly altered as a result of this sensitivity study. In no instances were increases in individual accident sequence frequencies greater than 2.4. While two new sequences were introduced as a result of the sensitivity analysis, their frequencies were less than 1E-08/yr.

* No credit was given for flood-related operator mitigating actions.

While the Clinton IPE equipment repair model is more optimistic than repair models typically used in other IPE/PRA studies, the licensee's sensitivity analysis demonstrates that this repair model has not significantly affected the CDF or accident sequence profile. Therefore, it is our judgment that the licensee's equipment repair model does not represent a weakness of the IPE.

2.7.2 Vulnerabilities.

The licensee used the following criteria to identify vulnerabilities: [p. 3-228 of submittal]

  • New or unusual means by which core damage or containment failure occur as compared to those identified in other PRAs, or
  • Results that suggest the plant CDF would not be able to meet the NRC's safety goal for core damage (1E-04/yr), or
  • Systems, components, or operator actions that control the core damage result (i.e., greater than 90%).

As stated by the licensee, accident classes that contribute to core damage at Clinton are similar to those identified in PRAs of comparable facilities, such as the NUREG/CR-4550 Grand Gulf study. It is also stated that the CDF internal events estimate of 2.6E-05/yr leaves ample margin for accommodating risks of external events and still meet the NRC's (former proposed) safety goal of 1E-04/yr. Based on the above criteria, the licensee determined that there are no vulnerabilities at Clinton. [pp. 3-228, 3-229 of submittal]

2.7.3 Proposed Improvements and Modifications.

Several potential improvements were identified as a result of the IPE. None of these improvements was credited in the IPE version reported in the submittal. The plant improvements are summarized in Table 2-7. [pp. 4 to 7 of RAI Responses, pp. 6-1, 6-4 to 6-26 of submittal]

The licensee provided information regarding plant changes made in response to the Station Blackout Rule, and other modifications separate from the Station Blackout Rule that reduce the station blackout CDF. These modifications are summarized in Table 2-8. [pp. 9, 10 of RAI Responses]

Table 2-7. Summary of Plant Improvements

| Plant Improvement | Status | Notes | Estimated CDF Impact |
|---|---|---|---|
| Improvements Affecting Core Damage Risk | | | |
| Operator training to emphasize importance of maintaining off site power | Complete | | Not available |
| Operator training to emphasize importance of manual ADS initiation | Complete | | Not available |
| Modify HPCS surveillance procedure to demonstrate unobstructed flow path from suppression pool | Complete | CDF reduction based on IPE reported in submittal (CDF reduced from 2.6E-05/yr to 2.3E-05/yr) | 12.8% reduction (see note at left) |
| Install bypass line to allow easier use of fire protection system for vessel makeup | Deferred (see note 1 at right) | (1) Licensee has not yet decided whether to make this modification; decision will be based on cost-benefit analysis (2) For IPE reported in submittal, 13% CDF reduction (from 2.6E-05/yr to 2.3E-05/yr); for latest IPE update, 9% CDF reduction (from 5.5E-06 to 5.0E-06/yr) | 13% reduction (see note 2 at left) |
| Evaluate possible changes to training program beneficial to recover AC power supplies during LOSP | Complete | It is not clear what (if any) changes were made as a result of this evaluation | Not available |
| Provide additional procedural confirmation that shutdown service water pumps have started when required for diesel generator operation | Dropped (see note at right) | Modification not made due to small perceived benefit | Not available |
| Improvements Affecting Back-End Risk | | | |
| Operator training to emphasize importance of maintaining off site power related to preventing offsite releases | Complete | | Not applicable |
| Operator training to emphasize importance of AC power recovery | Complete | | Not applicable |
| Operator training to emphasize importance of manually isolating containment bypass path into fuel pool cooling/cleanup line during station blackout | Complete | Required isolation accomplished by closing valve 1FC008 | Not applicable |
| Operator training to emphasize significance of scram system hardware failures as related to release frequencies | Complete | | Not applicable |

Table 2-8. Summary of Plant Changes Directly Related to Station Blackout

| Description of Plant Change | Status | Plant Change Accounted for in IPE? | Notes | Estimated CDF Impact |
|---|---|---|---|---|
| Modifications Specifically Related to Station Blackout Rule | | | | |
| Procedures for DC load shedding during station blackout | Complete | Yes | Apparently implemented after Dec 31, 1991 IPE freeze date | Not available |
| Procedures for RCIC and HPCS operation during station blackout | Complete | Yes | Apparently implemented after Dec 31, 1991 IPE freeze date | Not available |
| Portable fan to cool main control room during station blackout | Complete | No | | Not available |
| Modifications Separate From Station Blackout Rule | | | | |
| Installation of concrete barriers around all outside transformers | Complete | No | Barriers protect transformers from damage due to vehicle or failure of adjacent transformer | Not available |

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and weaknesses of the IPE are summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.

Because Clinton began commercial operation in April 1987, there is a relatively limited operational history from which to derive plant specific failure rates. While plant-specific data were used in the IPE for test and maintenance unavailabilities, component hardware failures were entirely based on generic data (with the possible exception of diesel generator start failures). Initiating event frequencies were for the most part also based on generic data. To support this wide use of generic data, the licensee cited instances where plant-specific failure data are comparable to or better than corresponding generic data.

Some other plants with limited operational experience have used plant-specific data to update generic data via a Bayesian process. It is not clear why the Clinton IPE did not use a similar approach. In our judgment, the limited use of plant specific data represents a weakness of the Clinton analysis. While it might be argued that the use of generic data provides an upper bound to the total CDF, the relative CDF contributions of various sequences and failure events may be distorted.
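The kind of Bayesian update of generic data mentioned above, sketched as an added example (not part of the report or of the licensee's analysis): conjugate beta-binomial and gamma-Poisson updates that start from the Table 2-1 generic means for diesel generator start (3E-02 per demand) and run (2E-03 per hour). The prior strengths and all plant evidence counts are constructed assumptions, not Clinton data.

```python
"""Bayesian update of generic failure data with plant-specific evidence.

Added illustration, not the licensee's or the reviewers' calculation.
Prior means are the generic values from Table 2-1 (diesel generator:
start 3E-02 per demand, run 2E-03 per hour). The prior strengths and
all plant evidence below are CONSTRUCTED for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posterior:
    mean: float          # posterior mean (per demand or per hour)
    plant_weight: float  # weight the posterior mean gives to the plant estimate


def update_demand_failure(generic_mean, prior_demands, failures, demands):
    """Beta-binomial update of a failure-on-demand probability.

    The generic value is encoded as Beta(a0, b0) with mean `generic_mean`
    and a0 + b0 = `prior_demands` (the equivalent number of prior demands).
    """
    if not 0.0 < generic_mean < 1.0 or prior_demands <= 0:
        raise ValueError("invalid prior")
    if failures < 0 or demands < failures:
        raise ValueError("invalid evidence")
    a0 = generic_mean * prior_demands
    b0 = prior_demands - a0
    a = a0 + failures
    b = b0 + (demands - failures)
    return Posterior(mean=a / (a + b),
                     plant_weight=demands / (prior_demands + demands))


def update_failure_rate(generic_mean, prior_shape, failures, exposure_hours):
    """Gamma-Poisson update of a failure rate expressed per hour.

    The generic value is encoded as Gamma(shape, rate) with mean
    `generic_mean`; shape / mean is the equivalent prior exposure in hours.
    """
    if generic_mean <= 0 or prior_shape <= 0:
        raise ValueError("invalid prior")
    if failures < 0 or exposure_hours < 0:
        raise ValueError("invalid evidence")
    prior_hours = prior_shape / generic_mean
    total_hours = prior_hours + exposure_hours
    return Posterior(mean=(prior_shape + failures) / total_hours,
                     plant_weight=exposure_hours / total_hours)


def sweep_demand_evidence(generic_mean, prior_demands, evidence):
    """Apply the demand update to successive cumulative (failures, demands) records."""
    return [update_demand_failure(generic_mean, prior_demands, f, n)
            for f, n in evidence]


# Constructed cumulative diesel generator start records: (failures, demands).
CONSTRUCTED_DG_START_EVIDENCE = [(0, 0), (0, 50), (1, 200), (4, 800)]

if __name__ == "__main__":
    # Assumption: the generic start value is worth 100 equivalent demands.
    for (f, n), post in zip(CONSTRUCTED_DG_START_EVIDENCE,
                            sweep_demand_evidence(3e-2, 100, CONSTRUCTED_DG_START_EVIDENCE)):
        print(f"start: {f} failures / {n} demands -> mean {post.mean:.2e}, "
              f"plant weight {post.plant_weight:.2f}")
    # Assumption: prior shape 0.5; constructed evidence of 0 failures in 500 run hours.
    run = update_failure_rate(2e-3, 0.5, 0, 500)
    print(f"run: mean {run.mean:.2e} per hour, plant weight {run.plant_weight:.2f}")
```

With no plant evidence the posterior equals the generic value; as demands or run hours accumulate, the estimate moves toward the plant's own failure fraction, which is how a component's relative contribution can shift even when the total stays bounded.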

It is also noteworthy that the Clinton IPE credited local repair of various equipment items and systems, including diesel generators, pumps, valves, and instrumentation. It is positive that the licensee has attempted to credit a variety of repair activities to reflect the operation of the as-built, as-operated plant. However, IPE/PRA studies typically limit credit for local equipment repair activities to diesel generators, as there is comparatively more experience for repair of diesel generators than for other components and systems. It is further noted that the Clinton IPE has taken credit for up to two component/system repair actions per accident sequence cut set. Credit for multiple repair activities within a given cut set is also not typically done in IPE/PRA studies. The licensee states that the credited repair activities included in the Clinton IPE are based on a demonstrated capability of the plant to field multiple repair teams during actual emergency exercises. However, the quantification of repair activities is based on a generic EPRI database, and it is not clear how accurately the generic EPRI data would reflect the Clinton plant during an actual accident condition given the uncertainties inherent in predicting human actions. It is also noted that the IPE data for non-recovery of common cause diesel generator failures are one to two orders of magnitude lower (more optimistic) than industry experience used in the Accident Sequence Evaluation Program (ASEP) as reported in NUREG/CR-4550 (Rev. 1, Methodology).

As part of a response to an NRC Staff request for clarification of equipment repair models, the licensee performed a sensitivity analysis that involved removal of all credited equipment repair recoveries, except those involving off site power, DC power, and operator actions done from the control room. With this model change, the baseline CDF (exclusive of internal flooding*) increased by a factor of 1.44 (from 2.49E-05/yr to 3.57E-05/yr). The relative contributions of individual accident sequences were not significantly altered as a result of this sensitivity study. In no instances were increases in individual accident sequence frequencies greater than 2.4. While two new sequences were introduced as a result of the sensitivity analysis, their frequencies were less than 1E-08/yr.

* No credit was given for flood-related operator mitigating actions.

While the Clinton IPE equipment repair model is more optimistic than repair models typically used in other IPE/PRA studies, the licensee's sensitivity analysis demonstrates that this repair model has not significantly affected the CDF or accident sequence profile. Therefore, it is our judgment that the licensee's equipment repair model does not represent a weakness of the IPE.

Significant level-one IPE findings are as follows:

  • Operator failure to manually initiate ADS for use of low pressure injection contributes about 24% to the total CDF. The licensee does not consider failure of operators to depressurize as a vulnerability because this action has been emphasized in training and has been judged unlikely to induce operator error.

Based on this review, the following aspect of the IPE modeling process has an impact on the overall CDF:

  • The HPCS, LPCS, and RHR pumps can operate with a saturated suppression pool and thus provide core cooling in the event containment cooling is lost. This design feature tends to decrease the CDF.

4. DATA SUMMARY SHEETS

This section of the report provides a summary of information from our review.

Initiating Event Frequencies

| Initiating Event | Frequency Per Year |
|---|---|
| Small Break LOCA | 1.00E-03 |
| Medium Break LOCA | 3.00E-04 |
| Large Break LOCA | 1.0E-04 |
| Interfacing LOCA (see breakdown below) | 5.00E-06 |
| Breakdown of ISLOCA IE: | |
| LPCI Injection Lines | 1.47E-07 |
| LPCS Injection Line | 2.86E-08 |
| Shutdown Cooling Suction Line | 2.54E-06 |
| RPV Head Spray Line | 4.94E-11 |
| HPCS Line | 1.98E-09 |
| Feedwater Lines | 2.28E-06 |
| Shutdown Cooling Return Lines | 3.31E-11 |
| Inadvertent/Stuck-Open Safety Relief Valve (IORV) | 1.00E-01 |
| Loss of Offsite Power | 8.4E-02 |
| Loss of Feedwater | .06 |
| Transient with isolation | 1.7 |
| Transient without isolation | 4.7 |
| Loss of Instrument Air | 4.32E-03 |
| Loss of Service Water | 1.75E-03 |
| Loss of Non-Safety DC Bus | 1.39E-02 |

Overall CDF

The total point estimate CDF for Clinton is 2.6E-05/yr, including internal flooding. The CDF contribution from flooding is 1.6E-06/yr.

Dominant Initiating Events Contributing to CDF

| Initiating Event | Contribution to CDF |
|---|---|
| Loss of off-site power | 46% |
| Transient w/o isolation from main cond. | 18% |
| Transient with isolation from main cond. | 16% |
| Loss of DC bus | 5% |
| Inadvertent Open Relief Valve (IORV) | 4% |
| Loss of Feedwater | 4% |

Dominant Hardware Failures and Operator Errors Contributing to CDF

Dominant hardware failures contributing to CDF include:

  • Failure to recover off-site power in 0.5 hours
  • Independent sub-tree containing HPCS failure basic events
  • Basic event representing recovery of HPCS failures
  • Independent sub-tree containing RCIC failure basic events
  • Basic event representing recovery of RCIC failures

Dominant human errors and recovery factors contributing to CDF include:

  • Failure to recover offsite power in 0.5 hours
  • Operator fails to manually initiate ADS

Dominant Accident Classes Contributing to CDF

Transients
Station blackout                                37%
Internal Flooding                               6%
LOCA (includes IORV)                            4%
Anticipated transient without scram (ATWS)      0.5%
Interfacing Systems LOCA (ISLOCA)               negligible

Design Characteristics Important for CDF

The following design features impact the CDF:

  • Four hour battery lifetime. With credit for load shedding, the battery lifetime can be extended to 4 hours. However, a 4 hour battery lifetime is less than battery lifetimes at some other BWRs. The 4 hour battery lifetime at Clinton tends to increase the CDF compared to those BWRs with longer battery lifetimes.

  • Ability of emergency core cooling system (ECCS) pumps to operate with a saturated suppression pool. The high pressure core spray (HPCS), low pressure core spray (LPCS), and residual heat removal (RHR) pumps can operate with a saturated suppression pool and thus provide core cooling in the event containment cooling is lost. This design feature tends to decrease the CDF.

  • Ability to cross-connect the fire protection system for core injection. The fire protection system can be aligned as a source of core injection. The fire protection pumps are diesel-driven. This design feature tends to decrease the CDF. The analysis took credit for this cooling method, though apparently not for station blackout sequences. This cooling method would be of minimal value in station blackout sequences because the ADS SRVs will likely reclose after battery depletion, with a consequential rise in reactor pressure that would make fire protection injection unavailable.

Modifications

The following plant improvements were identified as a result of the IPE:

Front-end

  • Operator training to emphasize importance of maintaining off-site power
  • Operator training to emphasize importance of manual ADS initiation
  • Modify HPCS surveillance procedure to test suppression pool suction path
  • Install bypass line to allow easier use of fire protection system for vessel makeup

Back-end

  • Operator training to emphasize importance of maintaining off-site power to prevent offsite releases
  • Operator training to emphasize importance of AC power recovery
  • Operator training to emphasize importance of manually isolating containment bypass path into fuel pool cooling/cleanup line during station blackout
  • Operator training to emphasize significance of scram system hardware failures as related to release frequencies

Other USI/GSIs Addressed

None.

Significant PRA Findings

  • Operator failure to manually initiate ADS for use of low pressure injection contributes about 24% to the total CDF. The licensee does not consider failure of operators to depressurize as a vulnerability because this action has been emphasized in training and has been judged unlikely to induce operator error.


REFERENCES

[EPRI 3000 34] Faulted Systems Recovery Experience, EPRI draft report RP-3000-34, no date provided.

[IEEE 500] Guide to the Collection and Presentation of Electrical, Electronic, Sensing, Component, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE Std. 500-1984, December 1983.

[IDCOR 86 3B1] Individual Plant Examination Methodology for Boiling Water Reactors, IDCOR Technical Report 86.3B1, no date provided.

[IPE Submittal] Clinton Power Station IPE Submittal, September 1992.

[NSAC 147] Losses of Offsite Power at U.S. Nuclear Power Plants Through 1989, EPRI (Nuclear Safety Analysis Center), NSAC-147, March 1990.

[NUMARC 87 00] Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout of Light Water Reactors, NUMARC 87-00, August 31, 1987.

[NUREG 0666] A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants, NUREG-0666, April 1981.

[NUREG 1032] Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG-1032, June 1988.

[NUREG/CR 1363] Data Summaries of Licensee Event Reports of Valves of U.S. Commercial Nuclear Power Plants, NUREG/CR-1363, 1982.

[NUREG/CR 2815] Probabilistic Safety Analysis Procedures Guide, NUREG/CR-2815, Vol. 1, Rev. 1, August 1985.

[NUREG/CR 4550 Grand Gulf] Analysis of Core Damage Frequency: Grand Gulf, Unit 1 Internal Events, NUREG-4550, Vol. 6, Rev. 1, August 1989.

[NUREG/CR 4550, Methodology] NUREG/CR-4550, Vol. 1, Rev. 1, Analysis of Core Damage Frequency: Internal Events Methodology, January 1990.

[NUREG/CR 5124] Interfacing Systems LOCA, Boiling Water Reactors, NUREG/CR-5124.

[RAI Responses] Letter from J. G. Cook, Illinois Power, to NRC, JGC-495 95, November 22, 1995.

[UFSAR] Updated Final Safety Analysis Report for Clinton.

[WASH 1400] Reactor Safety Study, October 1975.


APPENDIX B

HUMAN RELIABILITY ANALYSIS TECHNICAL EVALUATION REPORT
