ML20138J827

From kanterella
Revision as of 16:05, 29 June 2020 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Technical Evaluation Rept on IPE Front End Analysis
ML20138J827
Person / Time
Site: Columbia Energy Northwest icon.png
Issue date: 10/22/1996
From: Darby J, Sciacca F, Thomas W
SCIENCE & ENGINEERING ASSOCIATES, INC.
To:
NRC
Shared Package
ML17292A805 List:
References
CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-94-2345-010, SEA-94-2345-010-A3, SEA-94-2345-10, SEA-94-2345-10-A3, NUDOCS 9702130114
Download: ML20138J827 (40)
v  d  e


Text

.-. .

e; 9' '9; .,-.

.m I

s-1 .:

i.

APPENDIXA

~

WASHINGTON PUBLIC POWER SUPPLY SYSTEN - NUCLEAR PROJECT NO 2' ,

TECHNICAL EVALUATION REPORT '

4  !

(FRONT-END)

, a 4 - .

L d

5 n

h

  1. 4

)-

0 t

9 970Z/.30// E# ~

sy,-.,

'W >$ ,

SEA 94-2345 010-A:3 October 22,1996 4

i ";

1 WNP-2 Technical Evaluation Report on the individual Plant Examination '

Front End Analysis 3

i +

4 j.

l NRC-04-91-066, Task 45 i 4 i

i 1

i I

John L. Darby, Analyst Frank W. Sciacca, Analyst i- -

Willard R. Thomas, Editor l

r.

I

! Science and Engineering Associates, Inc.

I f

1 i .

, Prepared for the Nuclear Regulatofy Commission

.c

'e

~

f Tr r

Ia v

TABLE OF CONTENTS E. Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.2 Licensee's lPE Process ....................................... 2 4

E.3 Front-End Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

E.4 Generic issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 E.5 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 i E.6 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 j t

I 1. lNTRODUCTl0N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7  !

1.1 Review Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 l

2. TECHNICAL REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 l 2.1 Licensee's lPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1.1 Comolatanans and Methodoloav . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 l

!.- 2.1.2 Multi-Unit Effects and As-Built As-Onarated Statum .....,...... 9 1 2.1.3 l icensaa Partleination and Paar Ra' view . . . . . . . . . . . . . . . . . . . . . 9

- 2.2 Accident Sequence Delineation and System Analysis . . . . . . . . . . . . . . . . . 9 2.2.1 Initiating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 11 2.2.2 Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.2.3 Systems Analysis . . . . . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . . . . 15

' 16 2.2.4 System Dependencias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.3 Quantitative Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2.3.1 Omantification of Annidant Seouance Freauencias . . . . . . . . . . . . . 16 2.3.2 Eoint Estimmten and Uncertaintv/Sannitivity Analvses . . . . . . . . . . 16 2.3.3 USe of Plant-Specific _ Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 18

! 2.3.4 L auz!. Generic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.3.5 Common-Can== Omantification . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.4 Interf ace issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.4.1 Front.End and Ranir_.End interfaces . . . . . . . . . . . . . . . . . . . . . . . . 20 2.4.2 Human Factors interf aces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.5 Evaluation of Decay Heat Removal and Other Safety lasues . . . . . . . . . . 21 21
2.5.1 Examination of DHR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.5.2 Diversa Maans of DHR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.5.3 klDigua Featuras of DHR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.5.4 Other GSl/USIs Addrs===d in the Submittal . . . . . . . . . . . . . . . . . . 23 2.6 Intemal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 4

2.6.1 Intamal Floodina Methodoloav . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.6.2 Intamal Flooding Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.7 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.7.1 Dominant Core Dammaa Saauances . . . . . . . . . . . . . . . . . . . . . . . 25 2.7.2 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 2.7.3 Pranaamd imorovements and Modifications . . . . . . . . . . . . . . . . . . 27 il ,

1 i

L l

l I. _. . . - -. . - , ,

.g g- ,

l

3. ( ~ (ACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . . 29

, 4

4. DATA

SUMMARY

SHEETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 RE FE RENCE S : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 I

1 i

. E d

f 4

Y e

e i

4 I

l 1

1 l

d 1

i i

1

-i l

i 1

I lii ,

I I

1 O...

.: t .

, g- . . - . _ - - . - . . .. .. . -

i-LIST OF TABLES Table 2-1. Plant Specific Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 i- Table 2-2. Generic Diesel Generator Failure Data . . . . . . . . . . . . . . . . . . . . . . . . . 19

' Table 2 3. Data for Non-Recovery of Offsite Power . . . . . . . . . . . . . . . . . . . . . . . . 19

. Table 2-4. Beta Factors for 2-of-2 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Table 2-5. Accident Types and Their Contribution to Core Damage Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Tabis 2-6g' initiating Events and Their Contribution to Core Damage 1 Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Table 2-7. Top 5 Dominant Systemic Core Melt / Core Damage Sequences . . . . . . 26 4

4

, i 3

l l

l l

1 i

i I

^ l l

1 1

1 I

d

. l IV

.y

. j

y .-

1; 9 _

j E. Executive Summary ,

j This report summarizes the'results of our review of the front-end portion of the individue! Plant Examination (IPE) for Washington Nuclear Power Plant 2 (WNP-2).

This review is based on information contained in the IPE submittal [lPE Submittal) along with the licensea's responses (RAI Responses-A] to a request for additional information (RAl).

E.1 Plant Characterlantion

. The WNP-2 nuclear plant consists of a single unit Boiling Water Reactor (BWR) 5 with ,

. a Mark li containment located on the Har: ford Reservation in Washington state. The  !

plant power ratings are 3233 MWt and 1095 MWe (not).

Design features 'at WNP-2 that impact tiie Core Damage Frequency (CDF) relative to other BWRs are as follows:-

.- Inahiliev to rannect fire water for inlar*lan in a timalv f==hion. The plant has the capability to uso diesel driven firewster for injection to the vessel to ccJ the core; however, the submittal states that time constrainte are such thas this option was credited only for certain scenarios, such as short term station bMkout, where ,

operators would recognize the need for this system sufficiently enriy that it could ,

be aligned in time to prevent core damage. This feature tends to increase the  !

L CDF in comparison with BWRs for which injection with fire water can provide timely core cooling.  !

. Threm SRVs raai Ad to dar.r===>rize for i of low or== aura cara coolina

[ galems. The IPE assumes that 3 Safety Relief Valves (SRVs) are required for

[ timely depressurization to use low pressure core cooling systems in response to i transients in which aN high pressure injection is lost. Other IPEs for BWRs have

~

J i assumed that only 1 or 2 SRVs are required. Therefore, this tends to increase the

CDF for WNP-2 in comparison to these other plants.

l . Inahility to connant the HPCS DG to 1E divialana 1 or 2 in a timalv fashion. The

[ ,

licensee states that during station blackout crosstie of the High Pressure Core Spray (HPOS) Diesel Generator (DG) to power 1E loads in division 1 or 2 was not credited. This tends to increase the CDF during station blackout compared to plants where such cross tie can be accomplished in a timely manner.

.. Four he,ur battery lifetime. _The four battery lifetime, with credit for load shedding, is relatively short and this tends to increase the CDF from station blackout since it

restricts the time available to recover offsite power.

1~

r

_y. _

f. ); ,

.. 7 L E.2 Lioonose's IPE Process

~

The IPE represents a level 2 Probabilistic Risk Assessment (PRA), that includes p intomal initiating events and intomal flooding. The IPE reflects the plant design as of the end of 1993.

{

Utility personnel were involved in all aspects of the IPE. The Individual Plant  !

' Examination Partnership (IPEP) provided contractual support for the original IPE, and

. NUS provided contractual support for the revised IPE. Plant walkdowns were used to support the IPE analysis, along with numerous items of up-to-date plant documentation.

! The final PRA was reviewed by utility personnel not involved in the WNP-2 PRA. -

i The submittal does not state whether or not the licensee intends to maintain a "living" ,

1- PRA; however, the submittal states that the IPE will be used for plant-specific probabilistic safety assessment methodology, i r

]' L E.3 Front-End Analyele The methodology chosen for the WNP-2 IPE front-end analysis is a Level 1 PRA. The 4

small event tree /large fault tree technique with fault tree linking was used. The NUPRA >

computer code was used to quantify accident sequence frequencies. l The IPE quantified 22 classes of initiating events: 7 generic transients,5 Loss of Coolant Accidents (LOCAs), and 12 plant specific initiating events. Loss of instrument

air was considered as an init! sting event. Loss of Heating Ventilation and Air t Conditioning (HVAC) to the control room and switchgear rooms were also considered

' as initiating events, i The criterion for preventing core damage was taken to be peak cladding temperature below 2200 F.

I System success criteria were based on GE NEDC-:sGG36P and engineering analyses.

Plant-specific component failum data were used for selected components for both l.

hardware failures and unavailabilities due to test and maintenance. The beta factor method was used to quantify common cause failures. Common cause failures across selected systems were considered.

L A number of sensitivity analyses were completed.

[ ,

The CDF for WNP-2 from intomal initiating events and intamal flooding is 1.43E- l j

05/ year. Intemal flooding contributes 5.9% to the total CDF. Section 4 of this report ]

i contains a more complete listing of CDF by initiating event; those events that contribute

, greater than 1% to the total CDF are as follows:

!~

l- ,

2 p 9 i - - -

p 1~ M' g Loss of Offsite Power . 73.1 % l Loss of Feedwater 5.9% .

l Turbine Trip Transient 3.6%  :

Flood in Turbine Bldg /Cire Water House 2.6% 1 Loss of Main Condenser 2.1%

Flood in Reactor Building 1.8%

Loss of Plant Service Water 1.8% 2 Manual Shutdown 1.5% i Flood in Turbine Bldg 1.5% ,

Anticipated Transient without Scram (ATWS) after Turbine Trip 1.0%

Coro damage contributions by class of accident are as follows:

Station Blackout 71.9 %

Generic Transients 15.0 %

finiemal Flooding 5.9%

Plant Specific Transients 3.2%

ATWS 2.3%

LOCA 0.8%.

Component failures in the following systems contribute significantly to the overall CDF:  ;

. Reactor Core Isolation Cooling (RCIC)

. DGs' i . HPCS.

Operator errors that contribute significantly to the overall CDF are as follows:

! . failure to vent containment.

]

l The dominant recovery action whose failure contributes the most to the CDF is failure i n to recover offsite power during station blackout.

The IPE assigns a Plant Damage State (PDS) to the level 1 core damage sequences.

Every core damage sequence greater that 1E-9/ year was binned into an appropriate PDS and evaluated in the level 2 portion of the PRA.

E.4 Generb leeues The submitt al addresses Decay Heat Removal (DHR) and its contribution to CDF.

d The IPE modeled DHR systems for both core cooling and containmere. heat removal, )

including: Emergency Core Cooling Systems (ECCS) and RCIC, depressurization,  ;

injection with standby service water, suppression pool cooling, anJ containment l l: venting. i 1

i.

3 1

}

i

j 9L }

! The licensee discussed the contribution of DHR to the CDF both in terms of achieving
  • core cooling and in terms of containment heat removal. The licensee concludes that .

there are no vulnerabilities associated with loss of DHR.  :

The licensee proposes that the IPE resolves two other Generic Safety  ;

lasues/ Unresolved Safety issues (GSI/USI's): USl A-17, " System Interactions in j Nuclear Power Plants", and GSI 105, "intersystem LOCAs".

l E.8 Vulnerabilities and Plant improvements The IPE used the following criteria for vulnerabilities:

. Sequence groups with CDF > 1E-6/ year that require modifications based on NUMARC g104 guidelines ]

l ~.' Total CDF in excess of 1E-4/ year

. . Sequences that indicate a plant-specific feature that is an outlier compared to other BWR PRAs.

I The licensee concluded that WNP-2 has no vulnerabilities.

The IPE identified several potential improvements to be considered. These i improvements are as follows.

. 500 KV backfand. Offsite power can be supplied by backfeed of 500 XV power if  :

the main generator is disconnected. Currently, disconnecting the main generator ^

l

. requires 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to accomplish. A plant modification to allow backfeed within 4 j hours could reduce the total CDF by up to 58%. This modification has been shown to be cost beneficial from a risk perspective and is currently under

[ evaluation.

. Startup Transformar Capability if the 230 KV supply voltage drops below a preset

value, transfer to the 115 KV tino occurs and the startup transformers are not

' available. A modification to increase the capacity on the transfer was proposed but determined to not be cost effective as it could reduce the total CDF by only

[ 4%. l

! i

. 125 V DC Battery Swing Charper. Common cause failure of battery chargers 2

contdbutes to CDF. A modification was evaluated to provide a separate charger 4

that can be used to charge either DC division. The evaluation indicated marginal benefits and would result in only a negligible improvement in CDF. Therefore, this

improvement is no longer being considered. Improved maintenance practices on 4

the existing chargers was determined to be cost effective.  :

i .

l 4 l

)

t u

~s

l

.v: y' l

l L

! '. ADS inhibit Switch. During a non-ATWS transient, operators are not allowed to t-

. use the ADS inhibit switch, and operators must invoke the ATWS inhibit function

every 105 seconds. Failum to inhibit ADS contributes about 1.5% to the CDF. A l licensing action has been completed to allow use of the ADS inhibit switch during l non-ATWS transients, and this procedural change has been implemented.
  • Procedural Recommandations. (1) An evaluation of the procedures and training
for the recognition and isolation of floods was performed. This was determined to

. . not be cost beneficial and has been dropped from consideration. (2) Maintenance l practicos were evaluated for changes to decrease common cause failures. The recornmended actions have been implemented and are part of the current i

program. (3) RCS Depressurization during station blackout was evaluated to l l- increase the time until vessel breach once fuel melt starts. The emergency l procedures were determined to affect the desired depressurization, and this

! recommendation is considered to be implemented.

i Containment nitrogen (CN) Supply to MSlVs and Vent Valves. A modification was j evaluated for suppling backup nitrogen from the containment nitrogen system to the inboard MSIVs and to the containment vent valves. The evaluation showed i that the change is not cost effective; however, the change may be re evaluated if l

other changes lower the CDF to where loss of containment heat removal is more
of a contributor to the total CDF.

None of the recommendations cited above were credited in the IPE.

Additional potential improvements were stated to also be under consideration. These are as follows.

  • Evaluate means to improve the reliability of RHR for containment heat removal.

. Consider the IPE ranking of system importance in the reliability centered j maintenance efforts. ...

. Consider important operator actions as determined by the IPE in operator training.

. Initiate RCIC before HPCS following loss of feedwater type transients to prevent isolation of the main condenser if RCIC and HPCS simultaneously initiate.

The status of the evaluations for these additional changes was not indicated by the licensee.

The submittal also notes that the air supply pressure has recently been raised from 150 psig to 186 psig, which will delay closure of MSIVs and SRVs during sequences in 4 which the containment pressurizes.

4 i

i 5

m . _ _ _ _ _ __ _ . _ . _ . . _ _ _ _ . _ _ _ _ . . _ _ _ _ _ _ _ _

-V- y r t -

E.8 Observatione 4 1

' The licensee appears to have analyzed the design and operations of WNP-2 to ~

discover instances of particular vulnerability to core damage. lt also appears that the iconsse has: developed an overall appreciation of severe accident behavior; gained an j understanding of the most likely severe accidents at WNP-2; gained a quantitative  :

understanding of the overall frecuency of core damage; and implemented changes to

the plant to help prevent and mitigate severe accidents.

l Strengths of the IPE are as follows. The IPE had the benefit of an earlier PRA of WNP- l

! ~ 2, and the IPE models were improved to mors accurately reflect the plant. The j identification and evaluation of initiating events is thorough compared to some other '

IPE/PRA studies. Common cause failures were considered across selected diverse systems. Plant-specific data were used where possible to support the quantification of initiating events and component unavailabilities.

i No weaknesses were identified in the IPE. .

4 Significant findings on the front-end portion of the IPE are as follows:

! . Station blackout is a major contributor to the CDF since it renders all core cooling options eventually unavailable if power is not recovered.

. LOCAs are a small contributor to the total CDF, and LOCAs outside containment  !

i

, dominate,the contribution from this accident class. LOCAs contribute a small amount to the total CDF due to the numerous systems available to mitigate a LOCA. LOCAs outside containment result in core damage if they are not isolated.

j l

i f

6  ;

i

,s I

,r p-
1. INTRODUCTION ,

1.1 Review Procese r )

This report summarizes the results of our review of the front-end portion of the . .

l 3 Individual Plant Examination (IPE) for Washington Nuclear Power Plant 2 (WNP 2). '

i This review is based on information contained in the IPE submittal [lPE Submittal) along  !

i with the licensee's responses [RAI Responses-A, RAI Responses-B] to a request for l L additionalinformation (RAI). 1 i

F 1.2 Plant Characterization l The WNP-2 nuclear plant consists of a single unit General Electric BWR 5 with a Mark  :

[ Il containment located on the Hanford Reservation in Washington state. The plant i

power ratings are 3233 MWt and 1095 MWs (not). Bums and Roe was the Architect 1

[ ' Engineer (AE). The plant achieved commercial operation in 1984.  ;

l ' Design features at WNP-2 that impact the CDF relative to other BWRs are as follows:

l. . Inability to connect fire water for injection in a timely fashion. The plant has the a

capability to use diesel driven firewater for injection to the vessel to cool the core; )

however, the submittal states that time constraints are such that this option was l credited only for certain scenarios, such as short term station blackout, where

'~

operators would recognize the nood for this system sufficiently early that it could

be aligned in time to prevent core damage. This feature tends to increase the CDF in comparison with BWRs for which injection with fire water can provide timely core cooling. .

l

.. Three SRVs required to depressurize for una of low pressura cora cooling systems. The IPE assumes that 3 SRVs are required for timely depressurization to use low pressure core cooling systems in response to transients in which all

high pressure injection is lost. Other IPEs for BWRs have assumed that only 1 or 2 SRVs are required. Therefore, this tends to increase the CDF for WNP-2 in comparison to these other plants.

. Iriah!!itv to twinrM the HPCS DG to 1E divialona 1 or 2 in a timalv fanhlon. The

licensee states that during station blackout crosstie of the HPCS DG to poymr 1E loads in division 1 or 2 was not credited. This tends to increase the CDF during 2- station blackout compared to plants where such cross tie can be accomplished in a timely manner.

. Four hour battery lifetime. The four battery lifetime, with credit for load shedding, is relatively short and this tends to increase the CDF from station blackout since it j restricts the time available to recover offsite power.

1 i

7 I

N

'_____________ _ E'___________ - - " -- r '~w^'

l: i. W ,

)

y

2. TECHNICAL REVIEW ,

J l 2.1 Lioonose's IPE Procese l LThe process used by the licensee was reviewed with respect to: completeness and

methodology; multi-unit effects and as-built, as-operated status, and licensee

! participation and peer review.

L' 2.1.1 Completanass and Methodology A level 2 probabilistic risk analysis (PRA) was performed in response to Generic Letter

88-20. [GL 88-20] [ submittal Section 1.1]

An IPE submittal was originally provided to the Nuclear Regulatory Commission (NRC)

} in 1992. The IPE was subsequently revised and an updated submittal that reports this :

updated IPE was provided to the NRC in 1994. The revisions to the IPE focused on the i following areas: [ submittal Section 1.1]

. More realistic considerations of constraintse' r-:::d by technical specifications on

mamtenance s

I

  • Refined offsite power system model i

. More rationale treatment for common cause failure of the safety relief valves (SRVs), i F

L An additional, limited scope update of the IPE was performed in 1996. Only the

[ changes relative to the earlier IPE were provided to the NRC.

Our review focuses on the revised IPE analysis, including the partial update performed in 1996.

!' The submittal contains the information requested by Generic Letter 88-20 and NUREG 1335. [GL 88-20][NUREG 1335].

The front-end portion of the IPE is a level 1 PRA. The small event tree, large fault tree 4

technique with fault tree linking was used. Dependencies were included in the fault

, trees. The NUPRA computer code was used for quantification of accident sequences.

[ submittal Section 1.3]

! - Intersystem dependencies are discussed and tables of system dependencies are provided. Data for quantification of the models are provided, including common cause events and human recovery actions. Sensitivity and importance analyses were

performed and results of these analyses are described in the submittal.

1 8

?

--- -y- - - - - "w y w

1 o .j g -(

l 5

2.1.2 Multi-Unit Effects and As-Built. As-Operated Status ,

WNP-2 is a single unit site; therefore, multi-unit consideratioris do not apply to this 4 plant.

r - .

The freeze date for the original IPE was 1989; the updated IPE uses the end of 1993 as l - the freeze date. [ submittal Section 1.1]  ;

\ .

i For the 24 systems modeled with fault trees, system walkdowns were conducted. The

j. ~ fault tree analyst together with other staff, typically including the Walkdown Coordinator,  :

i a System Engineer from Engineering, and a Health Physics Technician, walked down .

1 each system. [ submittal Section 2.4] l t'

t The submittal states that the IPE will be used as a plant-Wie probabilistic safety

{ assessment methodology in such areas as: maintenance rule, revisions to technical +

c specifications, scenarios for drills and exercises, and 50.59 evaluations and i, justifications for continued operation (JCO). [ submittal Transmittal Letter] ,

2.1.3 Licensea Participation and Pear. Review I The licensee provided the overall management of the IPE offort. Licensee st6ff ,

l participated in all aspects of the IPE. For the original IPE, the Individual Plant Examination Partnership (IPEP) provided contractual support. NUS provided  ;

j contractual support for the revised IPE. [ submittal Section 5.1] >

l A multi-tiered review of the IPE was performed. Technical reviews of analysis products l were performed as individual aspects of the analyses were completed. The system  !

notebooks were reviewed. The fault tree models were reviewed by IPEP staff. All  !

quantification results were reviewed by IPEP staff, for the original IPE, and by NUS

~

staff, for the revised IPE. An independent in-house review team was established to review the IPE. The team was composed of individuals knct '-;d'= about the plant

. who were not involved in the preparation of the IPE. In addition to the in-house review,

! the original IPE was reviewed by IPEP and the revised IPE was reviewed by NUS.

[ submittal Section 5.2]

2.2 Accident Sequence Delineation and System Analysis I

This section reviews of both the accident sequence delineation and the evaluation of g system performance and system dependencies provided in the WNP-2 IPE submittal.

,2.2.1 initiating Events The licensee states that an initiating event disrupts normal plant operation and requires either automatic or manual reactor scram. [ submittal page 3.1-1] [RAI Responses-B, l:

_p.1]-

l l ,

9 i

i l* ,T l l

1 .p The ' submittal states that all of the ialtiating events considered in the Individual Plant L Evaluation Methodology (IPEM) for BWRs, IDCOR Technical Report 86.381, were considered in the IPE. Each generic initiating event was assessed against the WNP-2 plant response, and each support system was assessed against the WNP-2 plant

! response. In addition to the events from the IDCOR source, two additional support

: system failures,' loss of containment instrument air and loss of control and service air,'

. were considered.

The evaluation of initiating events. included a review of the WNP-2 reactor trip ,

experience and an evaluation of support systems for.their ability to cause a reactor trip.

[RAI Responses-A, p.1-1]

l Catastrophic vessel rupture was screened from consideration in the IPE. ,

The IPE considered 24 classes of initiating events: 7 generic transients,5 LOCAs, and 12 plant specific initiating events. The following plant-spec!fic initiating events were

considered: . [ submittal Table 3.1.1-3] [RAI Responses-B, p. 4, 5) loss of division 1 DC
loss of division 2 DC i loss of an AC bus loss of turbine building service water (TSW).

loss of containment instrument air (CIA) 4 loss of containment nitrogen (CN) c instrument line break intomal flooding (category 6) intomal flooding (category 7)

. intomal flooding (category 14) loss of control air system (CAS) loss of HVAC.

Loss of HVAC was considered for the control room, emergency switchgear room, and on ESF system failures. Both the control room and the switchgear rooma for emergency buses are provided with both normal and emerge 6cy HVAC. Loss of HVAC i

to the control room was considered both the frequency of loss of the cooling system p and the failure to offect repairs prior to reaching high temperatures in the control room.

Failure to repair frequencies were taken from NUREG/CR-6084. The resultant contribution to CDF was stated to be negligible. Totalloss of HVAC to switchgear

. rooms due to random faults in both HVAC systems, including the probability of non-

repair (per NUREG/CR-6084) was evaluated. The assessment included a non recovery i factor of 0.1 based on the fact that HVAC flow and room temperature annunciated in the controi room and procedures are in place for responding to thess occurrences. The contribution to CDF from loss of HVAC to svistchgear rooms was found to be negligible.

WNP-2 also performed a test in which the HVAC to one division of safety ralated batteries, battery chargers, inverters,4160 switchgear, and the 480 volt swit.:hgear was taken out of service. The associated room temperature was stated to increase by only 10 L.--__--____-_-_____.------__- ,. - l-,

V i

i  : 4F in five hours, indicating that operators have a reasonable amount of time to respond to such events. Loss of HVAC/ room coolers for ESF systems (except RCIC) were modeled as contributors to the ESF system failures rather than as separate initiating  :

. events. The largest contribution to system unavailability was stated to be 28%.

Calculations showed that RCIC operation is not dependent on HVAC. [RAI Responses-B, p.1-5] ,

The evaluations indicated that loss of Division 2 DC power had only a small contribution 3

to the cosa damage frequency. The evaluation of loss of Division 1 DC power showed that it contributed even less to CDF than loss of DMsion 2. Loss of all DC power, apart from a station blackout, was determined to have a frequency of about 4E-07/Rx-yr, and l

'- would contributo about the same to the CDF as would the loss of a single DC bus. [RAI

,' Responses A, p.1-2, RAI Responses-B, p. 3] ,

s . Loss of reactor building component cooling water (RCCW) would result in high reactor building pressure, which would trigger a SCRAM due to RPS actuation. RPS actuations .

! we's included in the turbine trip initiating event frequency. Thus, loss of RCCW was .

i  : inc,uded only as part of the turbine trip initiating event. [RAI Responses-B, p.1] )

l The initiating events were quantified with both generic data and plant-specific data.

The frequencies used for the initiating events are comparable to those used in other IPE/PRAs. [ submittal Table 3.1.1-3]

- The frequency for loss of offsite power is 0.025/ year, based on data from the Bonneville ,

Power Administration. [ submittal Page 3.144] l v

Loss of Standby Service Water was included as an initiator in revision 1 of the IPE, i based on Technical Specification shutdown requirements. While loss of this system

- would not cause a reactor trip, the licensee indicated that, of the initiating events, it was F the third largest contributor to CDF. Other IPE/PRA studies typically do not model this l type of event as an initiator, and thus the WNP-2 analysis is more pessimistic than other IPE/PRA studies in this regard. [RAI Responses-A, p.1-2] Loss of Standby -

! Service Water was deleted as an initiatorin the most recent WNP-2 IPE revision. [RAI Responses-B, p.1]

'2.2.2 Event Trees l

p The plant response to intomal initiating events is modeled with 23 event trees. To model the response to intomal flooding, an additional 3 event trees are used. Systemic event trees are used in the IPE.

t i System success criteria wem based on GE NEDC-30936P and engineering analyses.

The success criteria for preventing core damage in the IPE is preventing peak cladding  ;

l temperature from exceeding 2200 F. [ submittal Section 3.1.1.3] ,

11 ,

e <

l l.

s

., 1 o  ;

i .o Table 3.1.14 of the submittal provides the systems-level success criteria for the various classes of initiating events.

The submittal indicates that RCIC was credited for mitigation of a small LOCA but not 3

for mitigallon of a medium LOCA. The small LOCA size range is up to 1 inch (0.0054 sq ft) for a liquid line failure and up to 4 inches (0.087 sq ft) for steam line break. Small j LOCAs represent the range of primary system break sizes for which RCIC or HPCS can maintain the RCS inventory and pressure. Medium LOCAs were primary break sizes between 1 and 6 inches in diameter for liquid lines, and between 4 and 6 inches for J steam lines. These are the range of break sizes for which RCS 'nventory and pressure l can be adequately maintained by HPCS, LPCS or RHR/LPCI. [ submittal Table 3.1.1-4)

[RAI Responsen-A, p. 3-1]

j The event tree for a stuck open relief valve assumed that RCIC was not capable of 4

mitigating this event. More recent calculations have indicated that RCIC can provide

! edequate flow to the RCS to maintain the inventory and pressure for a stuck open relief valve event, and future revisions to the WNP-2 PSA will reflect this capability.

[ submittal Figure 3.1.2.1-6] [RAI Responses-A, p. 3-2) l The success criteria indicate that the fire protection system can be used to mitigate loss
of offsite power events and short term station blackout events. The IPE did not credit
the use of the the pictoction system as a means of core cooling for most accident types i due to the time required to implement this option for core cooling. For general transients and LOCAs, and for cases where injection with other low pressure systems i has not been successful, the reactor vessel water level would have decreased to the

! tow, low (L1) setpoint prior to the time when operators would tum to the fire protection system for injection. At that point, however, the time required to successfully align fire

! protection would be too long to prevent core damage. Hence, injection with fire

! protection water was not credited for such events. Credit was given for fire protection l system injection for the short-term station blackout sequence whereby high pressure

injection has failed and otherlow pressure injection systems are unavailable because of
lack of power. In this case the argument is made that operators would recognize the
need for injection Mh the fire protection system in a more timely manner (while the
reactor vessel wawr :svol is relatively high), and that injection could be initiated prior to the time when the t.4ter level in the reactor vessel had fallen to the point where core damage is imminent. During long term station blackout scenarios, the containment pressure may be too high to allow for reactor system depressurization, and thus the fire protection system coald not function in such cases. [ submittal Page 3.2-81) [RAI Responses-A, p. 8-1) [RAI Responses-B, p. 24-25]

l The fire protection system has both motor driven and diesel driven pumps. Two of the fire protection system main pumps are diesel driven, and do not require AC power for their operation. The tables of system dependencies indicate that use of the firewater j .

wystem for core cooling is partially dependent on AC power (SM 1,2,3). This dependency reflects the fact that emergency AC power assists in establishing the injection path to the primary system through the condensate and feedwater system via )

12 3 g

, , - - ~ - . . _ _ _ _ _. _. -. . . . - , -

g g ,

the operation of motor operated valves. However, injection with the fire protection i A system can be established in the absence of all AC by manual operation of the necessary valves, given that operators ini+Me the necessary actions in a timely manner so that injection with the fire protection system is started prior to core uncovery.

[ submittal Figure 3.1.2.1-7.2 Table 3.2.3-1] [RAI Responses A, p. 8-2] [RAI Responses B, p. 24 25]

Crosstie of standby service water loop B to RHR loop B for injection to the vessel is credited for transients, small LOCAs, and medium LOCAs. [ submittal Table 3.1.1-4]

The success crite'ria table states that one Low Pressure Coolant injection (LPCI) pump can mitigate a large LOCA; however, only 2 of the 3 RHR/LPCI loops contain heat exchangers which can provide for long term heat removal from the containment.

Therefore, for cases where LPCl is relied upon for long term core cooling, success requires that at least one of the RHR/LPCI loops equipped with a heat exchanger be employed. [RAI Responses-A, p. 9-1]

The IPE modeled only the suppression pool spray / cooling mode of RHR for containment heat removal. The other modes of operation of RHR, such as shutdown cooling, drywell spray, and vessel head spray, were not considered for containment heat removal as they use many of the same components required for suppression pool l I

cooling (e.g., RHR pumps and RHR heat exchangers). [ submittal Page 3.1-18]

During loss of containment heat removal sequences, RCIC can be used for core cooling

injection up to the point where the containment pressure reaches 20 psig. At that point RCIC will trip off due to high turbine exhaust back pressure. Core cooling can also be l l provided by the normal feedwater-condenser system if the containment pressure remains below 54 psig, at which point the MSIVs are assumed to reclose. The IPE assumed that HPCS would remain available up to the point of containment i overpressure failure. Given containment overpressure failure, the IPE assumed that

! HPCS (or other injection sources) could continue to provide core cooling with a likelihood of 0.965, i.e., these sources would fall only 3.5% of the time. This low i

likelihood core damage for containment failure sequences apparently stems from the

!. assumption that containment failure would likely occurin the drywell region 67% of the L time and in the wetwell region 33% of the time. Failures in the drywell were assumed to have no adverse impact on the operability of core coolant injection systems. This

. approach for the WNP-2 IPE was based on the further assumption that containment

. failures in the drywell would likely be characterized by non-catastrophic tears which j would maintain the containment sufficiently pressurized that the HPCS pumps would

have adequate NPSH to operate successfully while drawing from a saturated
sw
::'=i pool. The description states that failures in the wetwell lead to Equipment

, Qualification (EQ) related failures of high pressure core coolirtg systems due to the harsh environmental conditions on the pumps and electrical gear.- (Low pressure core cooling systems are rendered ineffective by the inability to maletain the SRVs open at high containment pressure.)- [ submittal, p. 3.1-19, RAI Responsos-A, pp. 2-1, 2-2, RAI Responses-B, pp.10 - 23] Given failure of containment and of HPCS and RCIC, core

i. 13

7_

-+ , i l

l cooling with low pressure injection systems or with the PCS may be possible after the containment pressure has fallen sufficiently that the reactor system can be depressurized and/or the MSIVs reopened. At WNP-2 operators can also switch the i suction of HPCS from the suppression pool back to the CST. However, the information l provided states that no credit was taken for this option because the EOPs instruct operators to terminate coolant injection from extemal sources once the Maximum Primary Containment Water Level Limit is reached. [RAI Responses-B, pp.10 - 11]

j The success criteria require operation of 3 SRVs to allow timely depressurization and use of low pressure core cooling systems, to mitigate a transient if high pressure core cooling systems fail. [ submittal Table 3.1.1-4)

The system description for 125 V DC power states that the batteries have a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> i lifetime without load shedding. Credit is taken for load shedding in the loss of off-site

- power event tree for sequences where both Divisions 1 and 2 of AC power have failed l l and RCIC is available for four hours. Certain loads must be shed from the 250 VDC battery within one hour for the RCIC to be available for four hours. [ submittal 3.1-45,

~ 23.2-23) [RAI Responses A, p.10-1)

Station blackout is defined as the loss of offsite power and the loss of both 1E divisions i of AC power. The IPE does not credit use of the third diesel generator, the HPCS DG,

for powering Division 1 or 2 components. [ submittal Pages 3.1-43, 3.4-2g]

i The model for station blackout assumes that the RCIC pump will not overheat, given no

! room cooling from the fan cooler, if the doors to the room are opened. However, the Scensee has stated that the requirement that the room doors be opened to allow .

E adequate cooling is a " conservatism", and that analyses have indicated that RCIC pump i room temperatures remain at safe levels even with the doors closed and normal HVAC unavailable. Also, the pump room temperatures are monitored in the control room to j

alert opostors of high temperature conditions. [ submittal Page 3.1-45) [RAI i Respons'es A, p. 4-1]

4 l Ventbg is not credited with loss of offsite power. The submittal states that venting depends on AC power, CAS, and TSW. Since TSW requires offsite power, we conclude that venting is not available without eMsite power. [ submittal Figure 3.1.2.1- l 7.2, Page 3.2-106)  :

l The model for loss of offsite power does not credit crosstie of standby service water l loop B to RHR loop B for core cooling, since diesel generator B may not be available. (

~

This is a pessimistic assumption. [ submittal 3.1-46) l The interfacing systems LOCA model possimistically assumed that all piping pressurized to greater than its design pressure would fall. The model for mitigation of an interfacing systems LOCA credits depressurization as a method to mitigate the .

LOCA. The submittal states that the break fio,w must be stopped, and that long term ,

makeup was possible with an ISLOCA. However, a revised evaluation indicates that i 14

, - , . m _ _- . . , . _ . . ..m. , . , - .- r ..- -

O L  :

. . i

long term makeup is expected to have a low probability of success. [ submittal Figure 3.1.2.2-5) [RAI Responses-A, p.12-1)

I The ATWS event trees require inhibition of ADS and success of Standby Liquid Control l

.(SLC) to successfully mitigate the ATWS if the initial power level is above 25 percent.

j - [ submittal Figures 3.1.2.3-1 A through 3.1.2.3-5)  ;

[ The IPE considers a LOCA outside containment. Isolation of the LOCA is required to

prevent core damage. [ submittal Section 3.1.2.2.4, Figure 3.1.2.2 4) -
2.2.3 Systems Analysis i

Systems descriptions are included in Section 3.2.1 of the submittal. There are 24 ,

l system descriptions in total, each consisting of a brief description of the system and a

simplified schematic of the system.

I The submittal indicates that a hardened containment vont is not installed, but that use I I of a " soft" vent was credited. Containment venting through this system can be l

accomplished from either the wetwell or the drywell. The submittal states that the vent  ;
- lineup uses the standby gas treatment (SGT) system which is expected to fall during ~ l venting, but that EQ related damage to core cooling equipment is not expected to  ;

~

occur. The submittal states that the containment venting system depends on AC power for control of the vent valves, and on CAS for motive power for tho' valves. [ submittal l Page 1.0-1, 3.1-18, 3.2-106, 3.4-22 ) [RAI Responses-A, p.11-1]

System descriptions of CN, CIA, and CAS are provided; these are the systems that i supply air / nitrogen to components such as the SHVs and the MSIVs.

i The SLC system is manually actuated at WNP 2.

The 1E 125 VDC batteries last 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> without recharging and without load shedding.

l The 1E 250 VDC batteries, which are needed for RCIC operation during loss of off site 4

power with loss of AC Divisions 1 and 2,' will last for four hours provided shedding of n non-essential loads is accomplished. [RAI Responses-A, p.10-1] ,

- )'

i '

The fire protection system has two diesel driven pumps. The system description for the i

fire protection system states that fire protection can be used for injection to the vessel ,

through connections to the suction of condensate pump 2A. This source of coolant j

, injection was credited only for events where operators would promptly recognize the o need to employ this system (when reactor vessel water level was at Level 2 or higher) and the fire protection system could be property aligned prior to excessive water loss from the reactor. Fire protection was credited in loss of off-site power events and short term station blackout events. For other types of events the IPE did not credit use of the fire protection system for core cooling due to the time required to implement this core ,

I cooling option. [ submittal Page 3.1-17,3.2-81) [RAI Responses-A, p. 8-1) [RAI j Responses-B, p. 24 -29)

.15 i

,p . ,, _ .m.. , - _ , -,-- - ' , . ~, -- - . - , . . . . , -

4

The submittal contains a system description for the reactor building emergency cooling system. This system provides room cooling for ECCS pump rooms and for electrical 4

- switchgear. .

l -2.a ? 'ystem Dependencies i

The submittal contains tables of inter-system dependencies. These tables indicate the

dependencies of frontline systems on support systems, and the dependencies among -

support systems. Partial dependencies are noted in the tables. [ submittal Tables 2

3.2.3-1 and 3.2.3-2]

i i Table 3.2.3-2 indicates that onsite AC power is partially dependent on DC power. DC power is needed for control of circuit breakers and for control of field flashing. The AC

breakers of interest are stated to fall as is. They require DC power to change state, but

. not for continued operation. Thus, loss of DC power will not disrupt the flow of power l through the AC breakers. DC power is needed for starting, loading, and controlling the

diesel generators.

Table 3.2.3-2 indicates that AC and DC power have a partial or delayed dependence on

! room cooling. However, the IPE models assumed that loss of emergency room cooling l would lead to failure of the affected equipment. No compensatory actions were i i

credited, with the exception of opening doors to the R,ClO room. [RAI Responses-A, p.

13-1]

Table 3.2.3-1 of the submittal indicates that the following pumps are dependent on 1

room coolers for operation: HPCS, Low Pressure Core Spray (LPCS), and RHR/LPCI.

The submittal indicates that RCIC has a partial dependence on a room cooler. ,

However, as previously discussed in this report, an updated analysis indicates that temperatures in the RCIC pump room would remain at safe levels with the loss of room t cooling and the doors remaining closed. [RAI Responses-A, p. 4-1]

2.3 Quantitative Process ,

! 2.3.1 Quantification of Accident Sequem:a Fmquencias i

l The WNP-2 IPE used the small event tree large fault tree technique with fault tree

! linking. The NUPRA computer code was used to quantify accident sequence frequencies. Support systems were modeled in the fault trees. Common cause fallures

. and human errors were considered in the model. A 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time was used for the front end model. The IPE used a truncation value of 1E-10 for cut sets. (submittal Pages 1.0-4, 3.3-35] Recovery was considered.

2.3.2 Point Estimatas and Uncertainty /SanaltMtv Analynas

- The accident sequence quantification process utilized mean values for initiating event

frequencies and fault tree event probabilities. Mean values are reported for the i 16 r ,

s ,s

. ~ , - a ,. .- - . - u . . , - . - -

n.

.., . , i e

sequence frequencies and the total CDF No uncertainty analysis is discussed '

in the submittal.

The submittal summarizes the results of sensitivity analyses that were perfo.rmed. The sensitivity analyses focused on sequences associated with loss of offsite and onsite

_ power, since .the licensee concluded that these events dominate the CDF.' The results of the sensitivity analyses indicate that the CDF is sensitive to values used for the following events: [ submittal Section 3.4.5]

operator failure to vent containment operator action to open RCIC pump room doors for emergency cooling operator failure to initiate ADS 1

operator failure to initiate containment cooling the frequency of loss of offsite power 1 the likelihood of recovery of offsite power during station blackout I the ability to power Division 1 or 2 equipment with the HPCS DG (not credited in  !

base model) common cause failure of the DGs. J 2.3.3 Una of Plant-Specific Data l Data from the !nstitute of Nuclear Power Operations (INPO) Nuclear Power Reliability Data System (NPRDS) data base specific to WNP 2 were used for selected components. This data covered the most recent 18 month time period while the IPE . ,

was being performed. The 18 month interval for data collection was used because the l INPO data base uses an 18 month interval for its standard component failure analysis l reports. [ submittal Section 3.3.2]  :

1 The components modeled with plant specific data are listed in Table 3.3.2-2 of the L submittal. Plant specific component failure data was used when such data were available, unless no failures had occurred. Generic data were used whenever plant specific data was alther unavailable or inadequate. [RAI Responses A, p. 5-2]

1 The plant specific data listed in Table 3.3.2-2 of the submittal are provided in terms of

)

) failure frequency,1/hr. Additional information provided by the licensee included the i failure probabilities for all components used in the WNP-2 IPE. [RAI Responses-A, j Attachment to Question #5 Response]

L Table 2-1 of this report provides a comparison'of selected WNP-2 plant specific data i i with similar data used in the Peach Bottom PRA. [NUREG/CR 4550, Peach Bottom]

. The data in Table 2-1 show that the values used in the WNP-2 IPE are generally in

- agreement with the data used in NUREG/CR-4550 Peach Bottom PRA.  ;

17

~

e ,,,AN .m , , - , ,- . - n , . - ~ - - , - - . - . -

Table 2-1. Plant Specific Data Component and Failure Mode IPE M

Motor Operated Valve 8.5E 3/D 3.0E-03/D i Fallto Open 1 Check Valve . 3.2E-4/D 1.0E 04/D

Fail to Open Battery 3.8E-5/H 1.0E 06/H HPCS Pump 1.3E 2/D 3.0E 3/D Fallto Start i

, HPC8 Pump 1.2E 5/H 3.0E 5/H i FM2Rm i RCIC Turtpine Pump 2.4E 2/D 3.0E 2/D Fall to Start

. RCIC Turbine Pump 4.6E-5H 5.0E 3/H Fall to Run RHR Pump 9.9E 4/D 3.0E 3/D -

Fall to Start RHR Pump 1.2E 5/H 3.0E 5/H i Fall to Run

(1) D is por demand; those values are probabaties.
(2) H is per hour; these values are frequencies.

I The submittal indicates that plant specific data were used to quantify unavailabilities due to test and maintenance. [ submittal Page 3.3-6]

, 2.3.4 Use of Generic Data

The primary source of generic data for component failures and maintenance

! unavailabilities was the INPO NPRDS data base. This data base was supplemented i

with data from the following sources: NUREG/CR-2815, NUREG-0460, and WASH-1400. [ submittal Section 3.1.1]

4 The failure data for most of the active cv .ponents and component actuation elements (sensors, transmitters, relays, etc.) used in the WNP-2 IPE were based on plant specific i experience. An exception is the failure data for the diesel generators, which was based

on generic data. Generic data was used because the limited plant specific data
available for the WNP 2 DGs was not considered to be statistically valid. The following table compares the WNP-2 data with that used in NUREG/CR-4550. [RAI Responses A, p. 51]

, 18

- - - , , - - -.,y - , - -.-,,m-.- - - ~ . - - - - . - - -

(

Table 2-2. Generic Diesel Generator Failure Data i >

! Component IPE"k # NUREGICR 4850 Methodology Valueonm i

DieselGenerator Fallto Start 2.1E 2/D 3.0E 02/D Desel Generator Fallto Run 3.0E 3M 2E-03M l .(1) . D is por demand; these values are probabdmes.

(2). H is por hour; these values are frequerces.

i- .

As shown by Table 2-2, the WNP-2 generic data for diesel generator failure to start and failure to run are in good agreement with the NUREG/CR-4550 PRA Methodology data.

The IPE used data from NSAC-194 to model recovery of offsite power following station blackout. Table 2 3 of this report compares the values used for recovery of offsite -

power in the WNP-2 IPE to values used in the Surry Shutdown PRA. [ submittal Page l 3.1 47]

I Table 2-3. Data for NonOn-xxy of Offelte Power i .

WNP-2 ProbotWity thatOffsite ProbotWity that Offsite Power l Time (hr) Poweris Not Recovered le Not Recovered

  • I 0.5 0.62 0.61 1 0.13

) 4 0.144 10- 0.03 0.03 l

' Source: Surry Shutdown PRA NUREG/CR-6144

. The data used in the IPE for recovery of offsite power are consistent with the data based on actual losses of offsite power.

j Overall, the generic data used in the WNP-2 IPE appear to be consistent with the data usage for other PRAs/IPEs.

l 2.3.5 Common-Causa Quantification I'

The IPE modeled common cause failures in the fault trees. Common cause failures were typically only considered within a system, but common cause failures across the following systems were considered: LPCS and LPCI, and SW and TSW. (submittal Page 1.0-4, Section 3.3.4)

The following common cause failures were modeled:

1 DGs (start and run) pumps (start and run)

MOVs

circuit breakers 1 1g
  • 6 batteries battery chargers Air Operated Valves (AOVs)

SRVs check valves.

The beta factor method was used to quantify common cause failures. Beta factors used )

in the quantification were taken from NUREG/CR-4780, except that the SRV beta factor l was calculated using the formula from NUREG/CR-4550. [ submittal Section 3.3.4)

Table 2-4 of this report compares the beta factors for 2-of 2 components used in the '

WNP-2 IPE to those used in other IPE/PRAs. [ submittal Page 3.3-32) i

~

The submittal states that a beta factor of 0.10 for 2-of-2 component failures was used for all components not specifically listed on page 3.3-22 of the submittal. [ submittal l Page 3.3-22) 1

, Table 2-4. Beta Factors for 2-of 2 Components j

1 Component WNP 2IPE Beta Factor l Beta Factor [NUREGICR 4550 Methodology) l DieselGenerator 0.05 0.04 i MOV 0.06 0.068 ,

SRV 0.088 about 0.10 RHR 0.11 0.15

, Service Water 0.03 0.03 Based on Table 2-4, the common cause failure data used in the WNP-2 IPE are consistent with data used in other IPE/PRAs. j I

2.4 Interface issues ..

This section of the report summarizes our review of the interfaces between the front- l end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ,

ability to prevent core damage. l l

2.4.1 Front-End and Back-End Interfaces l As discussed previously in this report, the IPE assumes that loss of containment cooling i and loss of containment venting causes loss of the ability to cool the core with low pressure cooling systems, because the SRVs cannot be maintained opened as the containment pressure increases.

l

)

20 l l

P

! For loss of containment cooling sequences, the IPE assumes that core cooling with

] RCIC can be maintained until containment pressure reaches about 20 psig. HPCS was j assumed to be operable for core cooling until containment failed by overpressurization,  ;

and even in this case HPCS was assumed to continue operation unless the containment pressure decreased to the point where adequate suction head was lost.

Most sequences involving loss of containment heat removal assumed core coo!!ng could be successfully achieved even after containment failed by overpressurization.

?

The IPE assumed that the containment will fall in the drywell with a 67% probability and that the containment will fall in the wetwell with a 33% probability. Failure in the drywell

is assumed to not cause EQ related loss of high pressure core cooling systems; failure  ;

l in the wetwell is assumed to cause EQ related loss of high pressure core cooling I

systems.

j The IPE assigned plant damage states (PDS) to those core damage sequences with a l

. frequency in excess of 1E-9/ year. Section 4.4 of the submittal discusses the binning  ;

criteria; these critoria are comparable to those used in typical IPE/PRAs. [ submittal  !

. . Section 3.1.5] l

2.4.2 Human Factors Interfaces

. I

Based on the front-end review, the following operator actions were noted for possible I consideration in the review of the human factors aspects of the IPE. i 1

j . action to vent containment' -

' . action to open RCIC pump room doors for emergency cooling

  • action to initiate ADS during a transient with loss of high pressure injection l

i

. action to block ADS during an ATWS

. action to initiate SLC during an ATWS i

e action to initiate containment cooling

. action to stop flooding

= action to shed electrical loads when RCIC is relied upon for core cooling during LOSP events.

~

2.5 Evaluation of Decay Heat Removal and Other Safety issues This section of the report summarizes our review of the evaluat!on of Decay Heat' Removal (DHR) provided in the submittal and RAI Responses-A. Other GSI/USIs, if they were addressed in these documents, were also reviewed.

2.5.1 Examination of DHR The WNP-2 submittal summarized their evaluation of DHR to identify vulnerabilities.

No vulnerabilities associated with DHR were found as a result of the IPE.

The WNP-2 IPE event tree models address decay heat removal (DHR), both in terms of direct cooling for the core and in terms of containment cooling as needed to support

. 21 e---v , , , ., ,. - - , - - -

= ,

core cooling. Section 3.4.3 of the submittal explicitly discusses DHR, primarily from the standpoint of heat removal from the centainment. Additional DHR information has also been provided by the licensee which elaborates on the means available for effecting i heat removal from the reactor core. [RAI Responses A]

! The total CDF attributable to loss of decay heat removal is 5.7E-6/yr, or 32.6% of the total CDF. Loss of DHR sequences attributable to loss of containment heat removal contribute about 12% of the 32.6%.

l i Section 3.4.3 of the submittal discusses the three means credited in the IPE models for i

! containment heat removal: (1) the main condenser, (2) the RHR system, and (3)

! containment venting. Coro damage sequences involving loss of containment heat

removal have a CDF of 1.9E-8/ year, which is less than the NUREG-1289 goal of 1 E-  ;

5/ year. [ submittal Page 3.4 25] [RAI Responses-A, p.16-1] [RAI Responses-B, p.12]

The dominant cause of failure of containment venting is operator error. Therefore, the
licensee concludes that replacement of the existing " soft" containment vent with a i hardened containment vent would have little effect on reducing the CDF,'since failure of the hardened containment vent would also be dominated by operator error. [ submittal l Page 3.4-25]

. The assessment of DHR at WNP 2 included an evaluation of both the assumptions used in the IPE modeling and procedural / hardware changes which might be made to i enhance the reliability of DHR. It also reviewed each of the altamatives identified in NUREG-1289," Regulatory and Backfit Analysis: Unresolved Safety issue A-45, Shutdown Decay Heat Removal Requirements" to assure that none of the 3 improvements suggested in this NUREG were o/erlocked. None of the attematives presented in NUREG 1289 were found to be wcrthwhile or needed for WNP-2.

i Changes to be implemented as a result of the o terall evaluations are discussed in Section 2.7.3 of this report. [RAI Responses-A, p.16-1 through 16-7]

The licensee states that the importance of loss of DHR to the overall CDF may have been overstated in the IPE due to the modeling assumptions used. These assumptions will be revisited in the next update of the IPE. [RAI Responses-A, p.16-3]

The licensee concludes that there are no vulnerabilities associated with DHR.

2.5.2 Diverse Means of DHR The IPE evaluated the diverse means for accomplishing DHR, both in terms of core cooling and containment cooling, including: use of PCS, ECCS and RCIC systems, depressurizaj % injec% to the vessel with standby service water, suppression pool cooling, and fantainmer.1 venting.

22

. , , . _ = _ , , . , , , . _ - ~ _ . - . ~ . - - -_ , ___ -- - _ .. ____ - - - _-__ - - - _ - .

= e.

2.5.3 Unique Featuras of DHR.

i

The unique features at WNP-2 that directly impact the ability to provide DHR are as follows
.

a lonhhv to connaM fire water for inlaction in a timalv f==hion. The plant has the >

capability to use diesel driven firewater for injection to the vessel to cool the core-however, the submittal states that' time constraints are such that this option was  ;

credited only for certain scenarios, such as short term station blackout, where operators would recognize the need for this system sufficiently early that it could be aligned in time to prevent core damage. This feature tends to increase the j CDF in comparison with BWRs for which injection with fire water can provide timely core cooling. ,

. Three SRVs requiraq to depressurize for use of low pressure core cooling

! systems. The IPE assumes that 3 SRVs are required for timely depressurization

to use low pressure core cooling systems in response to transients in which all high pressure injection is lost. Other IPEs for BWRs have assumed that only 1 or 2 SRVs are required. Therefore, this tends to increase the CDF for WNP-2 in
comparison to these other plants.

. lomhility to connad the HPCS DG to 1E divielma 1 or 2 in a timalv f==hion. The

, licensee states that during station blackout crosstie of the HPCS DG to power 1E loads in division 1 or 2 was not credited. This tends to increase the CDF during station blackout compared to plants where such cross tie can be accomplished in a timely manner.

2.5.4 6 in the Submittal

The licensee proposes that the IPE resolves two GSI/USI's: USl A-17," System interactions in Nuclear Power Plants", and GSI-105, "Intersystem LOCAs". [ submittal

! Section 3.4.4) , .

The submittal states that the IPE models system dependencies and common cause

failures, and that the results of the IPE indicate no vulnerabilities due to system interactions.

The submittal states that the IPE models interfacing system LOCAs, and that the

! results of the IPE indicate that interfacing system LOCAs are not of risk concem.

]

2.8 Intemal Flooding This section of the report summarizes our reviews of the process used to model intsmal flooding and of the results of the analysis of intamal fiooding.

23 1 t

, .-., , - --, e- 4

r ,

l-2.6.1 infamal Flooding Niethodology.

Intemal flooding was modeled using the following steps. (1) Areas containing equipment modeled in the system fault trees were identified. Areas without equipment ,

. modeled in the fault trees were screened from further consideration. (2) For those l

areas remaining, maximum flood levels were calculated, considering: rate of flooding, p total quantity of flood source, detection of flooding, and operator actions to isolate the

flood source.~ if maximum flood levels and spray effects did not damage equipment within an area, the area was screened from further consideration. (3) Areas containing ,

equipment whose failure does not cause plant shutdown were screened from further l

consideration in the initial IPE. (4) The frequency of floods were quantified in the -

i remaining areas. Events with a frequency less than 1E 6/ year in the initial IPE were L screened from further consideration. The remaining flood initiating events were binned

. into .14 categories. (5) The CDFs from the 14 categories of flood initiating events were calculated using flood-specific event trees. [ submittal Section 3.1.2.4.7]

t

).- 10.2 intamal Flooding Results. .

i

' Of the 14 flooding categories,3 result in a CDF greater than 1E-7/ year. These three are as follows [RAI Responses-B, p.13]

r Flood events in the turbine building that cause loss of feedwater, condensate, and j CAS.

. Flood events in various areas of the plant that cause loss of TSW .

l

. A break in the TSW piping in the reactor building that fails ECCS pumps without  ;

operator action to terminate the flood.

l
The submittal contains the event trees used to quantify the CDF from these 3 categories of floods. [ submittal Figures 3.1.2.4.7 6 through 3.1.2.4.74]

The CDF from intomal flooding is 5.9% of the total CDF from intomal initiating events and intomal flooding events. [RAI Responses B, p. 5-6]

p 2.7 Core Damage Sequence Results

)

. This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage eequences- whether systemic or functional- is -

reviewed for consistency with the screening criteria of NUREG-1335. The definition of vulnerability provided in the submittalis reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.

i-t 24 4

9

f:o d i.

. 2.7.1 Dominant Core Damage Sequences l The IPE utilized systemic event trees. The reporting of results in the submittal is '

l consistent with the Generic Letter 88-20 screening criteria for systemic sequences.

. [ submittal Section 3.4]

The CDF from intomal initiating events and intomal flooding is 1.75E-5/ year.  ;

. Table 2-5 of this report summarizes the CDF for the dominant accident classes. [RAI

. Responses-B, p.12 - 14]

Table 24. Accident Types and Their Contribution to Core Damage Frequency

Mean COF Contrtwthm Percent Contritwtlon to Aookient Type per year CDF ,

) Station Blackout - 1.0E 5 73.1 % .

Generic Transients - 2.0E-6 13.8% -

Intemal Flooding 8.4E 7 5.9%

Plant Specific Transients 4.6E 7 3.2% ,

l.

! LOCA- 1.2E 7 0.8%

r l Table 2-6 of this report summarizes the CDF for the dominant initiating events. Section 4 of this report provides a more complete tabular listing of the CDF for each initiating event ,odeled in the IPE. [ Table 3.4.1-2 of submittal) l

. i

. Table 24. Initiating Evente and Their Contribution to Core Damage Frequency )

L l initleting Event Mean CDF Contritwtlon Percent Contritwtlon to CDF I c hr

~

l Loss of Offsite Power 1.0E 5 73.1 %

Lossof Feedwater 8.4E 7 5.2%

I Turt>ine Trip Transient 5.2E 7 3.6%

Flood in Turtpine 86dgWec Water House 3.7E 7 2.6%

Loss of Main Condenser 3.0E 7 2.1%

[ Floodin Reactor Building 2.6E-6 1.8%

2.6E 7 1.8%

~

Loss of Plant Service Water -

4 Flood in Turbine Bldg 2.2E 7 1.5% -

Manual Shutdown 2.2E 7 1.5%

I Loss of DC DMalon 2 - 2.1E 7 1.2% .

ATWS afterTurbine Trip 1.4E 7 1.0%

i

-25 I

l

,m I a-~--

W w -,,we =w-* = - = . w rwr-- - r, .e

  • a
  • e i

The remaining initiating events each contributed less than 1% to the CDF.

The top 5 systemic core damage sequences are summarized in Table 2-7 of this report.

Table 2-7. Top 5 Dominant Systemic Core Molt / Core Damage Sequencee l Initioting Event Dominant Subsequent Failuresin Percent Contribution to Sequence Total CDF Loss of Offsite Power Station Blackout; Failure of HPCS; Failure 36.5 %

to Recover Offsite Powerin 4 Hours Loss of Offsite Power Station Blackout; HPCS Operstmg but 28.0%

CST Depiction Occurs; Failure to Recover Offsite Powerin 10 Hours Loss of Offsite Power Station Blackout: Failure of HPCS, RCIC, 4.5%

i and fire Protection: Failure to Recover Offsite Powerin 30 Minutes

! Turbine Trip Failure of Long-Term Decay Heat 3.4%

Removal

! Loss of Foodwater Loss of HPCS and RCIC; Failure to 3.1%  !

1 Depressurize I

These results indicate that the CDF is dominated by station blackout. Intemal flooding is also an important contributor to CDF. Plant specific events and ATWS also 4

contribute to the CDF. LOCAs contribute only a small amount to the CDF; based on Table 3.4.1-2 of the submittal, LOCAs outside containment dominate the contribution of all the LOCAs to the CDF.

The submittal summarizes the importance of basic events by both the Fussell Vesely _

measure and by the risk achievement worth. Based on these importance results, component failures in the following systems contribute significantly to the overall CDF:

[ submittal Section 3.4.2]

. RCIC l

. DGs

' + HPCS.

Based on these importance results, operator errors that contribute significantly to the  ;

overall CDF are as follows:

2

. failure to vent containment Based on these importance results, the dominant recovery action whose failure contributes the most to the CDF is:  ;

26 l

e 1

v e' .p

. failure to recover offsite power during station blackout. ,

2.7.2 Vulnerabilities .

l The IPE used the following criteria for vulnerabilities: [ submittal Section 3.4.2] l

.. Sequence groups with CDF > 1E-6/ year that require modifications based on NUMARC 91-04 guidelines  :

1

. Total CDF in excess of 1E-4/ year

]

. Sequences that indicate plant specific a feature that is an outlier compared to -'

other BWR PRAs.

The licensee concluded that WNP-2 has no vulnerabilities.

2.7.3 Proposed impmvements and Modifications I

The IPE identified several potential improvements to be considered. These - .

improvements, and the status of their implementation, are as follows. (submittal Section 6.2] [RAI Responses-A, p. 7-1,7-2] ]

. 500 KV backfand. Offsite power can be supplied by backfeed of 500 KV power if the main generator is disconnected. Currently, disconnecting the main generator

' requires 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to accomplish. A plant modification to allow backfeed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> could reduce the total CDF by up to 58%. This modifcation has been shown to be cost beneficial from a risk perspective and is currently under

. evaluation.

. Startup Transformer Capability if the 230 KV supply voltage drops below a preset t' '

value, transfer to the 115 KV line occurs and the startup transformers are not-available. A modification to increase the capacity on the transfer was proposed but determined to not be cost effective as it could reduce the total CDF by only

, 4%. .

. 125 V DC Battany Swing Charaar. Common cause failure of battery chargers L contributes to CDF. A modification was evaluated to provide a separate charger that can be used to charge either DC division.- The evaluation indicated marginal benefits and would result in only a negligible improvement in CDF. Therefore, this F improvement is no longer being considered. improved maintenance practices on 2 the existing chargers was determined to be cost effective.

.- ADS inhibit Switch. During a non-ATWS transient, operators are not allowed to

~use the ADS inhibit switch, and' operators must invoke the ATWS inhibit function

. every 105 seconds. Failure to inhibit ADS contributes about 1.5% to the CDF. A 27

. o l l

, I licensing action has been completed to allow use of the ADS inhibit switch during non-ATWS transients, and this procedural change has been implemented. -

i Procedural Recommendations. (1) An evaluation of the procedures and training  !

, for the recognition and isolation of floods was performed. This was determined tc

not be cost beneficial and has been dropped from consideration. (2) Maintenance
practices were evaluated for changes to decrease common cause failures. The recommended actions have boon implemented and are part of the current
program. (3) RCS Depressurization during station blackout was evaluated to increase the time until vessel breach once fuel melt starts. The emergency
procedures were determined to affect the desired depressurization, and this
recommendation is considered to be implemented. ,

i

. Containment nitrogen (CN) Supply to MSIVS and Vent Valves. A modification

~ was evaluated for suppling backup nitrogen from the containment nitrogen system -
to the inboard MSIVs and to the containment vent valves. The evaluation showed that the change is not cost effective; however, the change may be re-evaluated if ,

l' other changes lower the CDF to where loss of containment heat removal is more of a contributor to the total CDF.

i i None of the recommendations cited above was credited in the IPE.

Additional potential improvements were stated to also be under consideration. These  ;

are as follows. ,

  • Evaluate means to improve the reliability of RHR for containment heat removal.

Consider the IPE ranking of system importance in the reliability centered maintenance efforts.

! . Consider important operator actions as determined by the IPE in operator training.

{

. Initiate RCIC before HPCS following loss of feedwater type transients to prevent l isolation of the main condenser if RCIC and HPCS simultaneously initiate.

The status of the evaluations for these additional changes was not indicated by the licensee.

The submittal also notes that the air supply pressure has recently been raised from 150 psig to 186 psig, which will delay closure of MSIVs and SRVs during sequences in j which the containment pressurizes.

The status of the evaluations for these changes was not indicated in the submittal or

',  ; responses to NRC's Request for Additional Information. ,

d N

] 28 l

g.

.a- -

.n m . -- ..e _ . . - ., e ._ .. 4 ., . n, ,,,. ,-.,

my l L.: a l 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS i

l This section of the report provides an overall evaluation of the quality of the IPE based

. on this review. ' Strengths and shortcomings of the IPE are summarized. Important
assumptions of the model are summarized. Major insights from the IPE are presented.

Strengths of the IPE are as follo'ws. The IPE had the benefit of an eariier PRA of WNP-2, and the IPE models were improved to more accurately reflect the plant. The identification and evaluation of initiating events is thorough compared to some other

!PE/PRA studies. Common cause failures were considered across selected diverse systems. Plant-specific data were used where possible to support the quantification of initiating events and component unavsilabilities.

l No weaknesses wora identified in the IPE.

Based on our review, the following modeling assumptions used in the IPE have an

- impact on the overall CDF: ,

7

. Injection with the CRD system cannot be used for core cooling either earty or late

in any accident sequence. ,

i l L . ADS must be inhibited to mitigate an ATWS. .!

\

The first assumption tends to increase the CDF, since the CRD system is not credited l as ancther option for high pressure injection for core cooling. The second assumption

~ tends to increase the CDF since core damage is assumed following an ATWS if ADS is not inhibited.

! Significant findings on the front-end portion of the IPE are as follows:

  • Station blackout is a major contributor to the CDF since it renders all core cooling options eventually unavailable if power is not recovered.

- LOCAs are a small contributor to tlN total CDF, and LOCAs outside containment

)

dominate the contribution from LOCAs. LOCAs contribute a small amount to the 2' total CDF due to the numerous systems available to mitigate a LOCA. LOCAs
outside containment result in core damage if they are not isolated.

.S 4

]

i j

l 2g  ;

I I
(,

4 1 a

l

.. I

4. DATA

SUMMARY

SHEETS l 1 .i This section of the report provides a summary of information from our review.  !

1

! Overall CDF  !

The total CDF from intamal initiating events and intomal flooding is 1.43E-5/ year.

Intemal flooding contributes 5.9% of the total CDF.

Initiating Event Frequencias ,

. i 1 The initiating event frequencies used in the WNP-2 IPE are as follows: [RAI l Responses-8, p. 4,5) l i

initleting Event '

Frequency per Year j

Tuftsine Trip 2.90 ]

!' MSIV Closure 0.12 ,

Loss of Condenser 0.06 Loos of Feedwater 0.5 l Loss of Offsite Power 2.46E 02 lORV/SORV 0.2 l l Manual Shutdown 1.4 i Large LOCA (D > 6') 3E-04

, Medium LOCA (4' < D < 6") 3E-03 Small LOCA (1' < D < 4') 6E-03 Steem Line Break Outside Containment 2.17E 05 4 ISLOCA 2.26E-06 ATWS following Turbine Trip with Bypass (100% power) 2.4 ATWS following Turbine Trip with Bypass (25% power) .5

. ATWS following MSIV Closure 0.12 ATWS following Loss of Condenser 0.06 ATWS following Loss of Feedwater 0.5 ATWS following SORV '- 0.19 Loss of Division 2 DC 3.0E-03 Loss of Division 1 DC 3.0E 03 Loss of TSW 1.25E-03 Loss of CIA 1.25E-03 Loss of an AC Bus 2.4E-04 Loss of HVAC toControl Room 1.93E-04 Loss of HVAC to " M=r Roome 6.4E 06 instrument Line Break 1E-02 intemel Floodeng (Category 6) 2.92E-03 l Intomal Flooding (Category 7) 2.70E 07  !

. Intemal Flooding (Category 14) 4.69E-03 I b -

, Loss of CAS 1.25E 03  ;

f.

E j

. l

! i

, - - - - - . , + - . . . . . . - - - _. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

'a e;

initiating Events Contributing to CDF
The initiating events contributing at least 0.1% to CDF are as follows: [RAI Responses-B,' p. 6,7) .

Loss of Offsite Power 73.1% -

i

Loss of Feedwater 5.9%
Turbine Trip Transient 3.6%

Flood in Turbine Bldg /cire water house 2.6%

Loss of Main Condenser 2.1%

Flood in Reactor Building ' 1.8%

Loss of Plant Service Water 1.8%

2 Flood in Turbine Bldg 1.5%

Manual Shutdown 1.5%

i Loss of DC Division 2 1.2%

A1WS afterTurbine Trip 1.0%

! Break in instrument Line 0.8%

! Loss of Feedwater ATWS 0.8% .

IORV/SORV - 0.7%

IORV/SORV ATWS 0.7%

Loss of DC Division 2 0.5%

! Loss of Control and Service Air 0.5%

MSIV Closure ATWS 0.2%

. Loss of DC Division 1 0.1%

Medium LOCA 0.1%

Loss of Condenser ATWS 0.1%

Dominant Hardware Failures and Onaratar Errorn Contributina to CDF

. Component failures in the following systems contribute significantly to the overall CDF:

1 RCIC DGs HPCS.

t Operator errors that contribute significantly to the overall CDF are as follows:

failure to vent containment )

l The dominant recovery action whose failure contributes the most to the CDF is: failure to recover offsite power during station blackout.

i 1

31 1 4

i c

.a.  !

1

e- 6

'1 l l Dominant Anemnt Cle=~ Contributino to CDF i Station Blackout 73.1 %

i Generic Transients .13.8%

intamal Flooding 5.9%

l

, Plant Specific Transients 3.2%  :

i ATWS 2.3% l 4

LOCA 0.8% l 4

1 i Danign Characteristica important for CDF '

. Inability to connect firm water for inl action in a timely fashion. The plant has the

capability to use diesel driven firewater for injection to the vessel to cool the core; i

! however, the submittal states that time constraints are such that this option was  :

i credited only for certain scenarios, such as short term station blackout, where

, operators would recognize the need for this system sufficiently earty that it could j be aligned in time to prevent core damage. This feature tends to increase the .

CDF in comparison with BWRs for which injection with fire water can provide

timely core cooling. -

. Three SRVs required to depressuriza for use of low pressure cora cooling

systems. The IPE assumes that 3 SRVs are required for timely depressurization  !

to use low pressure core cooling systems in response to transients in which all

high pressure injection is lost. Other IPEs for BWRs have assumed that only 1 or

[ 2 SRVs are required. Therefore, this tends to increase the CDF for WNP-2 in comparison to these other plants.

. Iriahlmv to connect the HPCS DG to 1E divisions 1 or 2 in a timalv fanhlon. The ,

i licensee states that during station blackout crosstie of the HPCS DG to power 1E

loads in division 1 or 2 was not credited. This tends to increase the CDF during  ;

i station blackout compared to plants where such cross tie can be accomplished in I a timely manner. ,, l t

Modifications j

< t

The iPE identified several potential improvements to be considered. These  ;

} improvements, and the status of their implementation, are as follows:

4 l . 500 KV backfand. Offsite power can be supplied by backfeed of 500 KV power if  :

i the main generator is disconnected. Currently, disconnecting the main generator

! requires 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to accomplish. A plant modification to allow backfeed within 4 ,

j hours could reduce the total CDF by up to 58%. This modification has been i 1 shown to be cost beneficial from a risk perspective and is currently under t

' evaluation.

l  !

4 g f I

w i h

a e i

l l . Startup Transformer Capability if the 230 KV supply voltage drops below a preset l value, transfer to the 115 KV line occurs and the startup transformers are not available. A modification to increase the capacity on the transfer was proposed I but determined to not be cost effective as it could reduce the total CDF by only 4%.

j

  • 125 V DC Battarv Swing Charner. Common cause failure of battery chargers j contributes to CDF. A modification was evaluated to provide a separate charger l
that can be used to charge either DC dMalon. The evaluation indicated marginal l

benefits and would result in only a negligible improvement in CDF. Therefore, this i impicveT,w-4 is no longer being considered. Improved maintenance practices on l the existing chargers was determined to be cost effective.

j

!

  • ADS Inhibit Switch. During a non-ATWS transient, operators are not allowed to
use the ADS inhibit switch, and operators must invoke the ATWS inhibit function  :

I every 105 seconds. Failure to inhibit ADS contributes about 1.5% to the CDF. A licensing action has been completed to allow use of the ADS inhibit switch during

non-A1WS transients, and this procedural change has been implemented.

. P_mcaduraLBacom'nandations. (1) An evaluation of the procedures and training for the recognition and isolation of floods was performed. This was determined to not be cost beneficial and has been dropped from consideration. (2) Maintenance practices were evaluated for changes to decrease common cause failures. The recommended actions have been implemented and are part of the current i program. (3) RCS Depressurization during station blackout was evaluated to increase the time until vessel breach once fuel melt starts. The emergency ,

procedures were determined to affect the desired depressurization, and this j recommendation is considered to be implemented. .

l

l. . Containment nitrogen (CN) Surwh to MSIVS and Vant Valvaa. A modification  !

i was evaluated for suppling backup nitrogen from the containment nitrogen system to the inboard MSIVs and to the containment vont valves. The evaluation showed i that the change is not cost effective l however, the change 'may be re-evaluated if i other changes lower the CDF to where loss of containment heat removal is more  :

1 of a contributor to the total CDF.

1 None of the recommendations cited above was credited in the IPE. l Additional potential improvements were stated to also be under consideration. These ]

are as follows. j

! . Evaluate means to improve the reliability of RHR for containment heat removal.  !

i Consider the IPE ranking of system importance in the reliability centered

maintenance efforts.

4 1

k' I

- ,m < v ,- - ,-- - - - - - - , ---

W o 4 .

i

  • Consider important operator actions as determined by the IPE in operator training.

The status of the evaluations for these additional changes was not indicated by the licences.

The submittal also notes that the ' air supply pressure has recently been raised from 150 -

poig to 186 poig, which will delay closure of MSIVs and SRVs during sequences in which the containment pressurizes. l m  :

The licensee proposes that the IPE resolves two GSI/USI's: USl A-17, " System l

- Interactions in Nuclear Power Plants", and GSI-105, "Intersystem LOCAs". j i

Significant PRA Findings i Significant findings on the front-end portion of the IPE are as follows: l

I
. Station blackout is a major contributor to the CDF since it renders all core cooling options eventually unavailable if power is not recovered; the IPE uses lower

- probabilities for non-recovery of offsite power than are used in some other IPEs.

. LOCAs are a small contributor to the total CDF, and LOCAs outside containment i dominate the contribution from LOCAs. LOCAs contribute a small amount tc the

total CDF due to the numerous systems available to mitigate a LOCA. LOCAs outside containment result in core damage if they are not isolated.

5

) ,

L .

L i

34 i

i' .

,9 L

o gy REFERENCES

[lPE Submittal) Revised WNP-2 IPE Submittal July 27,1994 )

[GL-88-20] Generic Letter 88 20, " Individual Plant I Examination for Severe Accident Vulnerabilities",

U.S. NRC, November 23,1989. l l

[NUREG 1335] " Individual Plant Examination: Submittal Guidance", U.S. NRC, August,1989.

]

[NUMARC 91-04) Severs Accident issue Closure Guidelines, )

NUMARC Document 91-04, January 1992.

[NUREG/CR 4550 Methodology) NUREG/CR-4550, Vol.1, Rev.1, " Analysis of Core Damage Frequency: Intemal Events j Methodology", January 1990.

[NUREG/CR 4550, Grand Gulf) " Analysis of Core Damage Frequency: Grand Gulf, Unit 1 Intemal Events", Vol. 6, Rev.1, Part 1, September,1990.

[NUREG/CR-4550, Peach Bottom] " Analysis of Core Damage Frequency: Peach Bottom, Unit 2 Intemal events", Vol. 4, Rev.1,

~

Part 1, August,1989.

[NUREG/CR-4780) " Procedures for Treating Common Cause Failures in Safety and Reliability Studies, Procedural Framework and Examples," PL&G, Inc., January 1988.

[RAI Responses-A) G02-95 224, Letter from J. V. Parrish, Washington

! Public Power supply System, to US Nuclear Regulatory Commission, October 20,1995.

[RAI Responses-B) G02-96181, Letter from D. A. Swank, Washington

Public Power supply System, to US Nuclear Regulatary Commission, September 12,1996.

I 1 i

l l

. 35 l

I

.w- , - , - , - , . - , . , - . . , . . - - - . , , . , , . . , , - , . - n_,., ,.,

Retrieved from "https://kanterella.com/w/index.php?title=ML20138J827&oldid=2866142"