ML20140F384
| ML20140F384 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 01/13/1997 |
| From: | Forester J, Lin C, Musicki Z BROOKHAVEN NATIONAL LABORATORY |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| Shared Package | |
| ML20140F349 | List: |
| References | |
| CON-FIN-W-6449 NUDOCS 9705020278 | |
| Download: ML20140F384 (61) | |
Text
..____._..
)
TECHNICAL REPORT FIN W4449 11/19/96, Revised 01/13/97 i
I TECHNICAL EVALUATION REPORT i
OF THE IPE SUBMITTAL AND i
l RAI RESPONSES FOR THE k
CRYSTAL RIVER POWER STATION, UNIT 3 l
i t
Zoran Musicki C. C. Lin i
John Forester' i
' Department of Advanced Technology, Brookhaven National Laboratory Upton, New York 11973 I
1I I PreparedfortheU.S.NuclearRegulatoryComrnission Office of Nuclear Regulatory Research Contred No. DE-AC02-76CH00016 i
'Sandia Nat'onal Laboratories 9705020278 970428 PDR ADOCK 05000302 9
Pon Y/
i cowrENTS Page Executive Summary
..................................................v Nomenclature
.....................................................xix l
1.
Introduction
..................................................I 1.1 R evi e w Proc es s..........................................
1 1.2 Plant Characterization....................................... I 2.
Tech nical Review.............................................. 5 2.1 Licensee's IPE Process
.....................................5 2.1.1 Completeness and Methodology........................... 5 2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.............. 6 4
2.1.3 Licensee Participation and Peer Review...........
7 2.2 Front End Technical Review................
.................8 2.2.1 Accident Sequence Delineation and System Analysis..............
8 2.2.2 Quantitative Process.............
14 1
2.2.3 Interface lssues 21 1
2.2.4 Internal Flooding................
...............22 2.2.5 Core Damage Sequence Results..........................
23 2.3 Human Reliability Analysis Technical Review...
25 i
i 2.3.1 Pre-Initiator Human Actions...........................
25 2.3.2 Post-Initiator Human Actions...........................
26 2.4 Back End Technical Review.................................
31 i
2.4.1 Containment Analysis / Characterization.....................
31 I
a 2.4.2 Accident Progression and Containment Performance.............
41 2.5 Evaluation of Decay Heat Removal and Other Safety Issues and CPI........
45 2.5.1 Evaluation of Decay Heat Removal........................
45 2.5.2 Other GSIs/USIs Addressed in the Submittal..................
47 2.5.3 Response to CPI Program Recommendations..................
47 j
2.6 Vulnerabilities and Plant Improvements..........................
47 2.6.1 Vul nerability......................................
47 2.6.2 Proposed Improvements and Modifications...................
48 4
j 3.
Contractor Observations and Conclusions..............................
49
[
4.
References.................................................
5 3 6
i 5
iii I
TABLES Table Page E-1 Accident Types and Heir Contribution to the CDF......................... ix E-2 Dominant Initiating Events and Deir Contribut'on to the CDF
..................x
' E-3 Containment Failure as a Percentage of Total CDF......................... xii i
Plant and Containment Characteristics for Crystal River 3
....................3 2
Comparison of Failure Data
......................................18 3
Comparison of Common-Cause Failure Factors..........................
19 4
Initiating Event Frequencies......................................
21 5
Accident Types and Reir Contribution to the CDF,......................
24 6
Dominant Initiating Events and heir Contribution to the CDF................
24 7
Dominant Core Damage Sequences to the CDF..........................
25 8
Impo rtan t H u m an A ct io ns..................................
30 9
Containment Failure as a Percentage of Total CDF...
42 FIGURES Figure Page i
System importance..................
.......................16 i
i 1
i
EXECUTIVE
SUMMARY
nis Technical Evaluation Report (TER) documents the findings from a review of the Individual Plant Examination (IPE) for the Crystal River Power Station, Unit 3. The primary intent of the review is to ascertain whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic Letter (GL) 88-20 and achieves the four IPE sub-objectives. The review utilized both the information provided in the IPE submittal and additional information (RAI Responses) provided by the licensee, the Florida Power Corporation, in the response to a request for additional information (RAI) by the NRC.
E.1 Plant Characterization The Crystal River 3 Nuclear Power Plant is a 2544MWth (821 MWe) Babcock and Wilcox, two loop, pressurized water reactor (PWR). De reactor coolant system (RCS) consists of the reactor vessel, two vertical once-through steam generators, 4 shaft-scaled reactor coolant pumps, an electrically heated pressurizer and interconnected piping. He Gulf of Mexico serves as the ultimate heat sink. Crystal River 3 has a large, dry containment constructed of reinforced concrete with a steel liner. The plant is operated by Florior Power Corporatinn (FPC), and started commercial operation in March 1977. There are no other units on site.
Design features at Crystal River 3 that impact the core damage frequency (CDF,' reladve to other PWRs are as follows:
1)
De turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level. Usually, one pump will be tripped after a reactor trip, while the other will be coritrolled by the integrated control system (ICS).
2)
The emergency feedwater (EFW) system consists of one 750 gpm turbine driven and one 750 gpm motor driven pump (the design flow rate for the EFW system is 550 gpm). The system is automatically initiated and controlled by the emergency feedwater initiation and control (EFIC) system. The EFW pumps may also be started manually.
3)
The motor driven EFW pump has to be cooled by the nuclear services closed cycle cooling system.
4) ne normal EFW suction source is the 150,000 gal inventory in the dedicated EFW storage tank (12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> inventory). Backup supplies are the 150,000 gal condensate storage tank and the condenser hotwell.
5)
De battery depletion time is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, with load shedding.
6)
One pressurizer PORV or one of two safety valves can be utilized for feed and bleed (called HPl/PORV cooling in the submittal). Dere are three makeup pumps, which are also used for high pressure injection. His gives Crystal River 3 a diversity of options for feed and bleed.
De PORV block valve is usually open.
7)
The three makeup pumps require cooling from one of the two closed cooling systems (called component cooling water, i.e..CCW, systems at many plants): the Nuclear Services Closed Cycle v
l
i a
4 Cooling (NSCCC) system normally provides cooling for pumps MUP;1 A and IB, and backup cooling to pump MUP-lC. The Decay Heat Closed Cycle Cooling (DHCCC) system normally provides cooling for MUP-lC, and manual backup cooling to MUF-1 A.
i 8)
Apparently the reactor system only has. normal pressurizer spray, driven by reactor coolant pump l
RCP-18.
9)
De NSCCC (part of the component cooling' water) system cuotains three pumps in parallel, one normal and two emergency pumps. De emergency pumps are sized 50% greater than the normal pump due to additional loads created by the reactor building ventilation fans, in case of certain accidents. In addition to the makeup pumps mentioned above, this system cools the following i
important loads: reactor coolant pumps, seal. return coolers, control complex water chillers, the motor driven EFW pump, the NSCCC pump motors and the raw water (called service water, i.e. SW, at other plants) pump motors, as well as some loads not modeled. De RCP and seal reurn loads are shed on generation of an engineered safeguards actuation system (ES AS) signal.
l Operation of one NSCCC pump and three out of four NSCCC heat exchangers constitutes success.
10)
De DHCCC (part of the component cooling water) system consists of two separate trains, providing cooling to the decay heat removal (DHR) heat exchangers, the DHR pump motors, the reactor buildinE spray pump motors, the DHCCC air handling units, the makeuo pumps stated above and the decay heat portion of the raw water system pump motors. One operating train constitutes success.
11)
De Raw Water (RW) system is divided in two parts, one cooling the NSCCC circuit, the other cooling the DHCCC circuit. De configuration mirrors that of the closed cooling system being cooled (i.e., three pumps, one normal and two emergency and 4 heat exchangers for the NSCCC cooling, and two trains for the DHCCC cooling).
12)
De emergency power system at Crystal River 3 includes two emergency diesel generators. The safeguards buses are powered from a dedicated transformer (offsite power transformer) with a j
manual backup from the startup transformer. Dese transformers are powered from the 230kV switchyard which is separate from the 500kV switchyard supplied by the main generator. Thus, j
the important loads are isolated from effects of a unit trip. Dere is also redundancy in the DC power system: there are three chargers per battery bank, two normally operating and one spare.
nere are two safeguards DC trains and one normal DC train.
13)
Recirculation switchover is accomplished manually.
14)
De plant uses Byon4ackson RCP seals. According to the submittal these seals have shown no appreciable leaka,e in tests when all seal cooling was lost, provided that the RCPs are tripped.
Derefore, RCP seal failure occurs only if the operators fail to trip the RCPs following failure of all seal cooling. Since makeup pump MUP-1B is normally operating, and it is in turn cooled by the NSCCC system, which also cools the RCP seals, then loss of the NSCCC will, at least temporarily, cause loss of all seal cooling.
vi l
i 15)
Crystal River 3 has two types of reactor building cooling: the reactor building sprays and the reactor building ventilation cooling fans. However, Level I success criteria do not require reactor building cooling following a LOCA.
16)
A borated water storage tank (BWST) refill ability apparently exists, which is credited in the SGTR sequences.
De plant characteristics important to the back-end analysis are:
I)
De containment has a relatively small reactor cavity (12 ft. diametcr by 10 ft. high and a floor area of 260 ft') which is closed off from the containment interior by two steel doors on the access tunnel and by a steel plate through which the in-core instrument tubes pass. Water can drain into and out of the reactor cavity by three 1.5-inch diameter drain holes and by the annular 0.2-inch clearance between each instrument tube and the steel plate. He total water access cross section from the containment floor to the reactor cavity is about 28 sq. in. He floor of the reactor cavity is about one foot lower than the surrounding containment floors. This tends to prevent debris spreading and reduces the probability of debris cooling.
2)
De large containment volume, high containment pressure capability, and the open nature of compartments facilitate good atmospheric mixing.
E.2 Licensee's IPE Process De licensee initiated work on a probabilistic risk assessment (PRA) for Crystal River 3 in response to Generic Letter 88-20. The freeze data for the analysis was April 1992.
To support the IPE process, a. review was made of, and models were built upon, a previous PRA of Crystal River 3, completed in 1987. This study was reviewed by the NRC and found to be of generally good quality. Attention was also focused on other PRAs for other plants similar to Crystal River 3.
Licensee personnel were involved in all aspects of the analysis. In-plant expertise was already existent due to the previous Crystal River 3 PRA study, which was contracted to SAIC to " assist the FPC in the creation of a 12 vel 1 PRA for Crystal River 3 (CR-3) nuclear unit". Dat PRA model has been used by the utility in " licensing, engineering, operations, maintenance and training". De utility has also been involved in maintaining the PRA consistent with evolving plant configuration and procedures. De IPE Level I analysis (except for flooding) seems to have been performed mostly by reviewing the previous study's model for consistency with current plant configuration and practices, updating the data and roquantifying the model. De flooding analysis was performed either by SAIC or with the help from SAIC, but with the " full participation of the FPC PRA' staff". De front-end analysis was primarily performed by two full time engineers with assistance from other licensee personnel as needed.
De licensee states that "the independent review of the CR-3 PRA/IPE consisted of having each system model reviewed by the relevant FPC system engineer, and having the event sequence analysis, quantification and recovery analysis reviewed by the Nuclear Safety Supervisor at CR-3."
A nuclear safety supervisor who was a former senior reactor operator (SRO) was used as a " constant source i
of knowledge regarding operator actions and procedures." The same individual was used for internal review vii
of the event sequence analysis, quantification, and recovery analysis. Regarding the IPE HRA representing the as-built, as-operated plant, it was indicated that after initial quantification, potentially significant human actions were "modeled specifically," taking'into account procedures, training, and operator interviews. There was no mention of any observations of simulator exercises or "walkdowns' of important or time consuming operator actions. Apparently reviews of procedures and training and interviews with operators were used to help assure that the IPE HRA represented the as-built, as-operated plant. Argonne National Laboratory reviewed the original PRA, but no mention of any external review of any part of the IPE was found. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.)
and post initiator actions (performed as part of the response to an accident) were addressed in the IPE. A list of important human actions (as determined by those individuals perfo ming the recovery analysis) was provided and it was noted that several improvements to plant emergency procedures were recommended and included. A list of the improvements was not provided.
De back-end containment analysis was performed with the help of Risk Management Associates (RMA) and Risk and Safety Engineering (RSE), and, according to the IPE submittal, there was full participation by the FPC PRA staffin the task. However, it is not clear from the description provided in the submittal the extent of involvement of the FPC's personnel in the preparation and, particularly, in the independent in-house review of the IPE. Although a question was asked in the RAI regarding this issue (RAI Question 20), additional information beyond that provided in the IPE submittal was not provided. According to NUREG-1335, "He submittal should contain, as a minimum, a description of the internal review performed, the results of the review team's evaluation, and a list of the review team members." The description provided in the IPE submittal is not sufficient to meet the above request. It is not clear whether the intent of Generic Letter 88-20 in this regard is satisfied.
The RAI responses indicate that the licensee intends to maintain a "living PRA."
E.3 IPE Analysis E.3.1 Front-End Analysis he methodology chosen for the front-end analysis was a Level 1 PRA; the small event tree-large fault tree with fault tree linking approach was used. De computer code used for modeling and quantification was CAFTA.
The IPE quantified the following initiating event categories: 4 LOCAs,12 transients and 3 flooding initiators. The IPE developed 4 event trees to model the plant response to these initiating events. De flooding analysis utilized the existing transient event tree.
Success enteria were based on existing informaion (e.g. USAR) supplemented by calculations, as needed, some of which were performed for similar plants (Oconee and Davis Besse, for example).
Like some other PWR IPEs, the Crystal River 3 IPE assumes (calculates) that core flood tanks are not needed in large and medium LOCAs. Likewise containment heat removal (CHR) systems are not needed.
Dese assumptions reduce the CDF from LOCAs, but not significantly (about 10% impact from the CHR considerations, " negligible" from the core flood tank considerations, per RAI responses).
viii
d He RCP seal cooling model assumes that both thermal barrier cooling and seal injection must fail and the operators must fail to trip the RCPs in order for the seals to fail. His element of the success criteria is more optimistic than the Westinghouse model, however, according to the licensee, it is based on the design and tests with the Byron-Jackson N-9000 seals used at the plant. Since NSCCC is used for cooling of the operating makeup pumps, as well as for the RCP seal thermal barrier cooling, the loss of NSCCC will fail all RCP seal cooling and the operators have to act rather quickly to stop the RCPs.
The data collection process period was from 1978 through early 1988 ( i.e., about 10 years). Plant specific component failure data were used where possible, otherwise generic data were used. Here was no Bayesian updating. Plant specific data were used exclusively for unavailabilities due to test and maintenance activities. If such data were unavailable, a screening value of 0.01 for component unavailability was used.
Crystal River 3 data are generally consistent with the NUREG/CR-4550 data, but tend to be on the low side. For the air compressor failure and the EFW turbine driven pump failure to run, the plant specific failure rates are one to two orders of magnitude lower than the generic failure rates. No raw plant data were provided, ne baa factor method was used to characterize common cause failures. The $ factors tend to be lower than the ones used in the NUREG/CR-4550 analyses (by a factor of 2-4 generally). He licensee explained that independent failures are under reported in LERs, therefore the commonly used # factor values are conservative, and they were therefore adjusted.
l ne reported internal core damage frequency is 1.4E-5/yr. Flooding contributes an additional 1.3E-6/yr, or about 10%. He internal accident types and initiating events that contribute most to the CDF, and their percent contributions, are listed below in Tables E-1 and E-2:
Table E-1 Accident Types and Their Contribution to the CDF l
Initiating Event Group Contribution to CDF (/yr)
Small LOCA, failure in recirculation 7.2E-6 51.4 SBO 3.4E-6 24.3 Medium LOCA, recirculation failure 1.7E-6 12.1 Transient induced LOCA with loss of secondary cooling, 4.4E-7 3.1 secondary cooling recovery, failure in recirculation SGTR with failure to implement DHR cooling or control 3.1E-7 2.2 RCS inventory long-term J
SGTR with successful secondary cooling, failure in HPI 3.0E-7 2.1 Transient indue.M LOCA with recirculation failure 2.9E-7 2.1 TOTAL CDF 1.4E-5 97.3 i
ix
Table E-2 Dominant Initiating Events and Their Contribution to the CDF Initiating Event Contribution to CDF (/yr)
Medium and Small LOCA 9.0E-6 64 less of Offsite Power 3.4E-6 24 SGTR 7.0E-7 5
Other 4.2E-7 3
E.3.2 Human Reliability Analysis The HRA process for the Crystal River 3 IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post initiator actions (performed as part of the response to an accident). The analysis of pre initiator actions included both miscalibrations and restoration faults. A screening analysis was performed and pre-initiator human actions surviving screening were quantified in more detail using the guidance provided in the book Human Reliability Analysis vy Dougherty and Fragola.
Post initiator human actions modeled included both response-type (rule-based) and recovery-type actions.
For the post-initiator screening analysis, the modeled sequences were first quantified without considering any operator assisted recovery actions. Potential recovery actions were then identified and an initial screening value of 0.1 was used to identify the most important events. Events determined to be "of low consequence" were left at the screening value, with the remaining receiving a more detailed evaluation based on 'the Dougherty and Fragola method. The extent to which dependencies among multiple actions in a cutset were considered was not addressed. All post initiator response and recovery type human actions were quantided using the same basic method, with adjustments in HEPs made as a function of whether the actions were considered rule-based (procedural guidance) or knowledge-based (limited procedural guidance). As defined in the submittal, recovery actions could include actions that were not proceduralized. While a review of the modeled recovery actions did not indicate that extraordinary actions on the part of the operators were assumed, no justification for the modeling of the various non-proceduralized actions was provided. Without such justification, the modeling of any completely non-proceduralized actions would have to be considered optimistic. Furthermore, consideration of plant-specific performance shaping factors and dependencies was apparently limited (based on the documentation in the submittal and in the response to the NRCs RAI) and therefore the results of the HRA may have been optunistic (or pessimistic) for these reasons also. Finally, inadequste documentation was provided on the determination of the time available for operator diagnoses, which if done incorrectly, could also lead to optimistic estimates of HEPs. Without additional information about some of the modeled events, it was difficult to determine whether the HEPs would in general be considered outside the normal range of values obtained for similar events in other IPEs. However, a common human action found in PWRs is the action to switch over to recirculation. The HEP derived for this event by Crystal River 3 would not be considered outside the normal range. A list of important human actions (as determined by those individuals performing the recovery analysis) was provided and it was noted that several improvements to plant emergency procedures were recommended and included. A list of the improvements was not provided.
X
I E.3.3 Back-End Analysis i
lhe Approach usedfor Back-End Analysis l
De methodology employed in the Crystal River 3 IPE for the back-end evaluation is clearly described in the submittal. Plant Damage States (PDSs) are used as the initial conditions for the back-end analysis.
De PDSs are defined in the Crystal River 3 IPE by the use of containment system event trees (CSETs),
which consist of a set of characteristics describing the availability of containment systems, ar.d the core damage bins (CDBs), which group the core damage sequences obtained from the front-end analysis.
Dirteen PDSs are developed in the Crystal River 3 IPE. Brough combination and elimination, they are further grouped into five key PDSs (KPDSs) for back-end analysis. He five KPDSs include one with isolation failure, one with containment bypass, and one each with the RCS at low, medium, and high t
pressures.
Quantification of accident progression involves the development of a small containment phenomenological 1-event tree (CPET, or CET in some other IPEs) with 13 top events. Unlike most other IPEs, quantification l
of the Crystal River CPET does not involve the use of logic tree structures (i.e., decomposition event j
trees or fault trees) for the CPET top events, but relies on the use of a set of dependency rules to i
determine the conditions and Ge corresponding split fractions for the top events. The CPET and the l
dependency rules addressed most if the containm:nt failure modes discussed in NUREG-1335. He containment failure modes that are assumai negligible and thus not included in the CPET structure 1
include those from temperature induced SGTR, in-vessel steam explosion (the alpha mode failure), vessel
{
thrust force (the rocket mode failure), and penetration failure due to degradation of sealing materials j
ur ; harsh environmental condition.
1 Recovery actions are not credited in the back-end analyses of the Crystal River 3 IPE. AC power recovery is not credited in the IPE partly due to lack of strategies for optimal actions after power
]
recovery. Other recovery actions that are considered in some other IPEs, such as RCS depressurization by operator actions and recovery of containment heat removal capability, are also not credited in the Crystal River 3 IPE. According to the IPE submittal, recovery actions would be addressed in a potential accident management follow-on activity within the context of developing Crystal River 3 plant-specific accident management guidelines. Dese guidelines, which direct an optimized course of recovery actions in the form of accident management, could then be reflected in the CPET.
l
- The quantiilcation of the Crystal River 3 CPET is based on the results of plant-specific accident progression analyses using computer codes (MARCH 3, TRAPMELT3, and CONTAIN 1.1), review of the NUREG-ll50 analyses for Surry and Zion, review of the Seabrook back-end analysis, and results from special analyses of some containment issues. Point estimam are obtained in the Crystal River 3 IPE. Uncertainties associated with the parameter values and models used in the computer codes for accident progression analyses and their effects on CPET quantification are not discussed in the IPE submittal. Although uncertainties of containment phenomena are briefly discussed in Appendix 1 of the IPE submittal (submitted as part of the RAI response), the discussion is qualitative in nature.
De result of the CPET analysis leads to an extensive number of CPET end states which are binned into fifteen release categories (RCs). De 15 RCs are further grouped into five key release categories (KRCs).
The five KRCs include one with no containment failure, one with early containment failure, one with late containment failure, and two with containment bypass. Source terms for these KRCs are determined by
accident progression analyses of selected sequences using the MARCHfrRAPMELT/CONTAIN computer codes.
For the Crystal River 3 iPE, the PDS definition scheme is reasonable. De CPET is well structured and easy to understand. Although CPET quantification and source term grouping and quantification seem adequate, there are issues that are not discussed in sufficient detail (to show that they are treated adequately) in the IPE submittal, and questions are thus asked in the RAI on these issues. However, the licensee's responses to some of the RAI questions are not satisfactory, and the short responses to the follow on questions do not provide any additional information beyond that already provided in the IPE submittal and the original RAI respo'ises. Although the IPE process is in general logical and consistent with GL 88-20, the adequacy and completeness of the treatment of some of the issues is not clear.
Back-End Analysis Results The leading KPDS obtained in the back-end analysis is the KPDS with medium RCS pressure (57%
CDF), consisting primarily of small LOCA sequences. His is followed by the high pressure KPDS (24% CDF) from primarily SBO sequences, low pressure KPDS (13% of CDF) from primarily medium and large LOCA sequences, and the bypass KPDS (5% af CDF) from primarily SGTR sequences. The pressure limit used in the Crystal River 3 IPE to define the low pressure KPDS is 600 psia. This is greater than that used in some other IPEs (e.g.,200 psia). The probability of the low pressure KPDS would decrease and that of the medium pressure KPDS would increase had a lower pressure limit (e.g.,
200 psia) been used in the IPE.
Table E-3 shows the probabilities of containment failure modes for Crystal River 3 as percentages of the total CDF. Results from the NUREG-ll50 analyses for Surry and Zion are also presented for comparison.
Table E-3. Containment Failure as a Percentage of Total CDF Containment Failure Mode Crystal River Surry-ll50 Zion-ll50 Early Failure 3.0 0.7 1.4 Late Failure 62.6 5.9 24.0 Bypass 4.8 12.2 0.7 Isolation Failure 0.7 Intact 28.9 81.2 73.0 CDF (1/ry) 1.5E-5 4.0E-5 3.4E-4
- Included in Early Failure, approximately 0.02%
Included in Early Failure, approximately 0.5%
Containment bypass failure for Crystal River 3 (4.8% of total CDF) comes primarily from SGTR as an initiating event. Although temperature induced SGTR is ignored in the IPE, a small containment bypass isolation failure due to failure to isolate the RCP seal bleed lines and letdown line is considered in the xii
IPE. De contribution from isolation bypass failure and ISLOCA to the total bypass failure seems to be negligible.
Of the 0.03 conditional probability of early containment failure, About half comes from SBO sequences and another half from LOCA seqt.ences. On a conditional basis, it is more likely to have an early failure for SBO sequences than for LOCA sequences. Quantification results show that while about 6% of SBO sequences lead to early failure, less than 2% of LOCA sequences lead to early failure. He primary contributor to early failure is DCH. Besides DCH, only early hydrogen burns contribute to early failure.
Other early failure modes, including that from in-vessel steam explosion (alpha mode failure), are ignored in the Crystal River 3 IPE model.
Containment isolation failure, which is grouped in the IPE with the early failure release category, contributes 0.7 % to the total CDF Containment isolation failure is not discussed in detail in the IPE submittal, it is not clear from the description provided in the submittal, and the licensee's response to the RAI, whether the analyses performed in the IPE have addressed all five area., identified in the Generic Letter regarding containment isolation.
De conditional probability oflate failure obtained in the Crystal River 3 IPE is higher than that obtained in most other PWR IPEs. Of the 0.63 conditional probability, about half is from small LOCA sequences, 1/3 from SBO secuences, and 1/6 from medium and large LOCA sequences. On a conditional basis, about 94% of SBO sequences,52% of small LOCA sequences, and 77% of medium and large LOCA i
sequences result in late containment failure. The high late failure probability of Crystal River 3 is panly due to plant-specific configurations and panly due to pessimistic assumptions. In the Crystal River 3 IPE, recovery actions are not credited and containment failure is assured if containment heat removal is not available. As a result, containment will fail late for all of the SBO sequences that do not fail early.
Except for SBO sequences, CHR is most likely available for other sequences. Late containment failure for non-SBO sequences is primarily due to basemat melt-through. He high failure probability of basemat melt-through is attributable to the special cavity configuration of Crystal River 3.
Source terms are provided in the IPE for four of the five KRCs using computer code calculation results.
Results from MARCH /TRAPMELT/CONTAIN calculations for seven sequences are used for source term I
definition. Although the selection of these sequences to represent the source term categories is not discussed in the IPE submittal and some assumptions used in the calculations regarding equipment availability and containment failure timing may not be conservative for all the sequences in the release category, the selection is in general adequate. The only question is the extremely low source term reponed in the IPE submittal for the late failure release category. The reported release fractions of less than 2.0E-6 for lodine and Cesium releases are much lower than those reported in other IPEs for similar failure modes (late containment rupture with no containment systems available).
Accident phenomenology and parameter sensitivity are discussed briefly in Appendix 1 of the Level 2 Appendices (submitted to the NRC as pan of the RAI responses). He parameters identified in Table A.5 i
of NUREG-1335 are briefly discussed in this appendix and are qualitative in nature. A sensitive study as described in NUREG-1335 was not performed in the Crystal River 3 IPE. For example, the IPE does not provide any quantitative information on how containment failure probabilities would change if uncertamties on containment phenomena are considered. The lack of a sensitivity study and the insights that may be obtained from such a study is a significant deficiency of the Crystal River 3 IPE. Sensitivity studies performed in other IPEs include those associated with the computer codes used for accident progression analyses and those associated with containment phenomena and operator actions. The xiii i
I
c ymi River 3 IPE, although onservative, ignoring of recovery actions (e.g., by operator actions) in ths r
may not reflect best estimate conditions that can be obtained by a closer camination of cF.ator recovery actions during a severe accident.
E.4 Generic Issues and Containment Performance Improvements De IPE addresses decay heat removal (DHR). CDF contributions were estimated for the following DHR mahods; emergency feedwater, main feedwater, primary feed (makeup /HPI), and RCS pressure control (PORV/ safety valves). Failures of the AFW and makeup /HPI cooling did not result in a major contribution to the total CDF.
The licensee states that the sequences with total loss of DHR are overwhelmingly station blackout sequences, i.e., are caused by loss of support systems. Service water failuru do not cause total loss of DHR due to SW redundancies and independence of the turbine driven EFW pump from support systems.
E.5 Vulnerabilities and Plant Improvements The licensee denned a vulnerability as sequences with unusually high frequency, a heretofore unknown dependency or a risk signincant sequence which could easily be reduced to risk insignificance by simple measures (procedure change or minor hardware fix). No vulnerabilities were found.
No potential hardware improvements were identified as a result of the IPE, however previous analyses had identified improvements which resulted in a substantial CDF reduction. Rese were implemented and were credited in the IPE. EOP improvements mentioned are SGTR BWST re611, and verification of cooling water supply.
Vulnerabilities are not defined in the IPE submittal for the back end.
E.6 Observations Based on our review and the weaknesses enumerated below, there is insufficient information in the IPE and the RAI responses to conclude that the licensee has met the intent of Generic Letter 88-20. The
)
weaknesses stem primarily from sparse documentation provided by the licensee on the conduct of the IPE analysis. Both the original IPE submittal as well as the RAI responses were very brief to the point of being inadequate in some areas.
i Strengths of the IPE are as follows: The IPE relies on an earlier PRA which was reviewed by the NRC and found to be of quality. The model seems reasonable.
The weaknesses of the Level 1 analysis of the IPE are in insufficient documentation of the as-built as-operated plant, utility involvement, HVAC treatment, dependencies, improvements and insights. Some important failure data is much lower than expected (turbine driven pump and compressor), the common cause factors are considerably lower than expected and some initiating event frequencies (LOOP, LOCAs) are lower than expected and not documented. Many RAI responses provide no useful additional information.
xiv
6) ne licensee did not identify important human actions through the use of importance measures.
It was stated that operator actions were identified as being important "during the manual operation of accident sequence recovery analysis." While such an approach may in fact capture the most important human actions, a quantitative assessment provides a s;raightforward means of determining relative importance.
He following are the major findings of the back-end analysis described in the submittal:
De back end ponion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.
TI'e Crystal River 3 IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix ! of the Generic Letter. However, because of the lack of sufficient responses to the RAI questions, the adequacy and completeness of the treatment of some of the issues is not clear.
The containment analyses indicate that there is a 0.71 conditional probability of containment failure. De conditional probability of containment bypass is 0.05, the conditional probability of early containment failure is 0.03, the conditional probability of isolation failure is about 0.007, and the conditional probability of late containment failure is 0.63.
The licensee has addressed the recommendations of the CPI program. However, it seems that the issue has not been evaluated in the IPE in a detailed, complete fashion.
The strengths of the back-end analysis is the following:
De IPE has identified the plant-specific reactor cavity configuration for Crystal River 3 and taken into consideration the effect of this plant-specific feature on accident pranression. Because of the cavity configuration, the thickness of the core debris in the cavity is likely to be more than one foot, and, as a result, the probability of debris coolability is lower for Crystal River 3 than for other PWR plants.
The weaknesses of the back-end analysis are primarily related to the lack of sufficient responses to the RAI questions. As a re.; ult, the adequacy and completeness of the treatment of some of the issues is not clear. The weaknesses of the back-end analysis include the following:
1)
A sensitive study as that described in NUREG-1335 is not performed in the Crystal River 3 IPE.
De IPE does not provide any quantitative information on how containment failure probabilities l
would change if uncertainties on containment phenomena are considered. The lack of sensitivity study and the insights that may be obtained from the sensitivity study is a significant deficiency of the Crystal River 3 IPE.
2)
Accident sequences are selected in the IPE for computer calculations to provide data to assist CET quantification and for estimating the source terms. However, the selection criteria are not discussed in the IPE submittal. De relationship between the selected sequences and the accident sequences binned to the PDSs or the source term categories is not established or discussed in the submittal. Nonetheless, the sequences selected for computer calculation seem to provide a reasonable representation of the PDSs and the source term categories. The only concern is the
- extremely small source term reported in the IPE submittal for the late failure release category.
xvi i
I
The most important class of sequences are the small LOCAs with recirculation failure (due to operator error or common cause failure of valves) and the station blackout sequences (involving mostly a loss of offsite power initiator, but also the loss of an offsite transformer with operator error to switchover to the startup transformer), with consequent failures of the EDGs and failure to restore offsite power in time to prevent core uncovery, The HRA review of the Cr,, sun hver 3 IPE submittal and a review of the licensees responses to HRA related questions asked in the NR(. RAI, revealed several weaknesses in the HRA as documented. Although a viable approach (the Dougherty ar.d Fragola method) was used in performing the HRA, several weaknesses in how the analysis was conducted kr at least in the licensees documentation of the conduct of the analysis) were identified. Because of the apparent weaknesses and the lack of adequate documentation in the submittal or the licensees response to the NRC's RAI, it cannot be concluded that the licensee met the intent of Generic j
Letter 88-20 in regards to the HRA. Important elements pertment to this determination include the following:
i 1)
The submittal indicates that utility personnel were involved in the HRA. The participation of a nuclear safety supervisor who was a fonner senior reactor operator (SRO), reviews of procedures and training, and interviews with operators helpeo assure that the HRA portions of the IPE represent the as-built, as-operated plant. However, documer.tation of HRA related walkdowns and observations of simulator exercises would have stre.ngth.ned the notion that a viable process was used.
2)
The submittal mdicated that the amJpis of pre-initiator actions included both miscalibrations and restoration faults. An acceptable, but potentially optimistic screening analysis was used. Events found to be potentially risk significant v.ere analyzed in more detail using a method based on the book by Dougherty and Fragola.
3)
Post initiator human actions modeled included both response-type and recovery-type actions.
Recovery events were defined as situations which are "beyond the design basis of the plant and which are not covered by the procedures, bet for which actions are still available to prevent core damage." A review of these events indicated that none of them appeared to require extraordinary behavior on the part of the operators and that procedures for performing the actions might exist, even if the operators would be required to diagnose the need for the actions on the basis of experience.
However, no ;ustification was provided for any of the modeled non-proceduralized actions and without such;ustification, the HEPs assigned to the events could be optimistic.
4)
Consideration of plant-specific performance shaping factors and dependencies was apparently limited (based on the documentation in the submittal and in the response to the NRCs RAI).
Inadequate treatment of these factors can lead to selected HEPs being optimistic or in some cases pessimistic. In particular, the use of a screening value of 0.1 for post-initiator actions clearly demands a careful consideration of dependencies. Without additional information about some of the modeled events, it was difficult to determine whtsher the HEPs would in general be considered outside the normal range of values obtained for similar events in other IPEs.
5)
Dwmmtation was inadequate on the process used to determine the time available for operators to diagnose needed actions and on the time needed to conduct the actions (particularly outside the control room). If the neury calculations are not done correctly, optimistic estimates of HEPs can be obtained. In general, there was a lack of documentation on how time was considered in quantifying operator actions.
xy
= - _ -
i ne reported release fractions ofless than 2.0E-6 for lodine and Cesium releases are much lower than those reported in other IPEs for similar failure modes (late containment rupture with no containment systems available).
3)
Containment isolation failure is not discussed in detail in the IPE submittal. It is not clear from the description provided in the IPE submittal and the licensee's response to the RAI whether the analysis performed in the IPE have addressed all five areas identified in the Generic Letter regarding containment isolation.
4) ne recommendations of the CPI program are discussed in the licensee's response to one of the RAI questions. It seems that the CPI issue is not evaluated in the IPE in detail. Although the potential of hydrogen pocketing and detonation in the reactor cavity before vessel breach is discussed in the response, the potential of hydrogen pocking and detonation after vessel breach is not discussed.
5)
Recovery actions are not credited in the Level 2 IPE. Since sensitivity of containment failure is not investigated in the IPE, likely benefit of the recovery actions on accident progression is not available from the IPE.
6)
The lack of discussion of the sealing materials used in the Crystal River 3 containment penetrations and their properties under harsh environmental conditions is a weakness of the IPE submittal.
xvii i
4.
-a-5-a-e 12
-, + - s -.
2
--rar s
a I
h
+
D
?
I a
f i
t t
se4 4
NOMENCLATURE
AFW Auxiliary Feedwater BWST Borsted Water Storage Tank CCF Common Cause Failure CCW Component Conting Water CDB Core Damage Bins CDF Core Damage Frequency CHR Containment Heat Removal Cl Industrial Cooling System CPET Containment Phenomenological Event Tree CPI Containment Performance improvement l
CR-3 Crystal River 3 CSET Containment Systems Event Tree DCH Direct Containment Heating DHCCC Decay' Heat Closed Cycle Cooling DHR Decay Heat Removal EDG Emergency Diesel Generator EFIC Emergency Feedwater Integratica and Control EFW Emergency Feedwater EOP Emergency Operating Procedure ESAS Engineered Safeguards /. :mation System i
FPC Florida Power Corporatic..
GL.
Generic Letter HEP Human Error Probability HPl High Pressure Injection i
HPME High Pressure Melt Ejection HRA Human Reliability Analysis i
HVAC Heating, Ventilating and Air Conditioning ICS Integrated Control System IPE Individual Plant Examination 1 REP Integrated Reliability Evaluation Program ISLOCA Interfacing Systems LOCA 1
KPDS Key Plant Damage State KRC Key Release Class LER License Event Report LOCA Lass-of Coolant Accident LOOP 14ss of-Offsite Power NSCCC Nuclear Services Closed Cycle Cooling l
OTA Operations Technical Advisor PDS Plant Damage State PORV Power Operated Relief Valve i
Xix 9..
i NOMENCLATURE (Cont'd) i PRA Probabilistic Risk Analysis PWR Pressurized Water Reactor RAI Request for Additional Information j
RB Reactor Building RBCU Reactor Building Cooling Unit RC Release Class j
RCP Reactor Coolant Pump
)
RCS Reactor Cooling System RMA Risk Management Associates RSE Risk and Safety Engineering RW Raw Water SAIC Science Applications International Corporation
' SBO Station Blackout SGTR Steam Generator Tube Rupture SLI Success Likelihood Index SRO Senior Reactor Operator STET Source Term Event Tree SW Service Water TER Technical Evaluation Report I
TRC Time Resource Correlations UCHB Unconditional Hydrogen Burn I
USAR Updated Safety Analysis Report 1
M if
.1
- 1. INTRODUCTION 1.1 Review Process His technical evaluation report (TER) documents the results of the BNL review of the Crystal River 3 Individual Plant Examination (IPE) submittal (IPE, RAI Responses]. His technical evaluation report adopts the NRC review objectives, which include the following:
i To assess if the IPE submittal meets the intent of Generic Letter 88-20, and To determine if the IPE submittal provides the level of detail requested in the " Submittal Guidance Document," NUREG-1335.
A Request for Additional Information (RAI), which resulted from a preliminary review of the IPE submittal, was prepared by BNL and discussed with the NRC on June 6,1995. Based on this discussion, the NRC staff submitted an RAI to the Florida Power Corporation (FPC) on September 19, 1995.
Florida Power Corporation responded to the RAI in a document dated November 22,1995. This TER is based on the original submittal and the response to the RAI (RAI Responses).
1.2 Plant Characterization De Crystal River 3 Nuclear Power Plant is a 2544 MWth (821 MWe), Babcock and Wilcox two loop pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two vertical once-through steam generators, 4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping. Crystal River 3 has a large, dry containment constructed of reinforced concrete with a steel liner. De plant is operated by Florida Power Corporation (FPC), and started commercial operation in March 1977. There are no other units on site.
Design features at Crystal River 3 that impact the core damage frequency (CDF) relative to other PWRs are as follows:
1)
De turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level. Usually, one pump will be tripped after a reactor trip, while the other will be controlled by the integrated control system (ICS).
2)
The emergency feedwater (EFW) system consists of one 750 gpm turbine driven and one 750 gpm motor driven pump (the design flow rate for the EFW system is 550 gpm). He system is automatically initiated and controlled by the emergency feedwater initiation and control (EFIC) system. He EFW pumps may also be started manually.
)
3)
The motor driven EFW pump has to be cooled by the nuclear services closed cycle cooling system.
4)
De normal EFW suction source is the 150,000 gal inventory in the &dicated EFW storage tank (12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> inventory). Backup supplies are the 150,000 gal coadensate storage tank and the condenser hotwell.
I
i 5) ne battery depletion time is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, with load shedding.
6)
One pressurizer PORV or one of two :,afety valves can be utin wi for feed and bleed (called HPI/PORV cooling in the submittal). Here are three makeup pumps, which are also used for high pressure injection. His gives Crystal River 3 a diversity of options for feed and bleed.
He PORV block valve is usually open.
7)
De three makeup pumps require cooling from one of the two closed cooling systems (called component cooling water, i.e. CCW, systems at many plants): the Nuclear Services Closed Cycle' Cooling (NSCCC) system normally provides cooling for pumps MUP-1 A and IB, and backup cooling to pump MUP-IC. He Decay Heat Closed Cycle Cooling (DHCCC) system nonnally provides cooling for MUP-IC, and manual backup cooling to MUP-1 A.
8)
Apparently the reactor system only has normal pressurizer spray, driven by reactor coolant pump RCP-18.
9)
He NSCCC (part of the component cooling water) system contains three pumps in parallel, one normal and two emergency pumps. He emergency pumps are sized 50% greater than the normal pump due to additional loads created by the reactor building ventilation fans, in case of certain accidents. In addition to the makeup pumps mentioned above, this system cools the following important loads: reactor coolant pumps, seal return coolers, control complex water chillers, the motor driven EFW pump, the NSCCC pump motors and the raw water (called service water, i.e. SW, at other plants) pump motors, as well as some loads not modeled. He RCP and seal return loads are shed on generation of an engineered safeguards actuation system (ESAS) signal.
Operation of one NSCCC pump and three out of four NSCCC heat exchangers constitutes success.
10)
He DHCCC (part of the component cooling water) system consists of two separate trains, 1
providing cooling to the decay heat removal (DHR) heat exchangers, the DHR pump motors, the j
reactor building spray pump motors, the DHCCC air handling units, the makeup pumps stated above and the decay heat portion of the raw water system purap motors. One operating train constitutes success.
11)
He Raw Water (RW) system is divided in two parts, one cooling the NSCCC circuit, the other cooling the DHCCC circuit. De configuration mirrors that of the closed cooling system being cooled (i.e., three pumps, one normal and two emergency and 4 heat exchangers for the NSCCC cooling, and two trains for the DHCCC cooling).
12)
De emerges:y power system at Crystal River 3 includes two emergency diesel generators. He safeguards buses are powered from a dedicated transformer (offsite power transformer) with a manual backup from the startup transformer. Dese transformers are powered from the 230kV switdiyard which is separate fmm the 500kV switchyard supplied by the main generator. nus, the li +cnimig loads are isolated from effects of a unit trip. Dere is also redundancy in the DC i
power system: there are three chargers per battery bank, two normally operating and one spare.
Dere are two safeguards DC trains and one normal DC train.
13)
Recirculation switchover is accomplished manually.
2
- ~ -
i 14)
The plant uses Byron-Jackson RCP seals. According to the submittal these seals have shown no appreciable leakage in tests when all seal cooling was lost, provided that the RCPs are tripped.
'Iherefore, RCP seal failure occurs only if the operators fail to trip the RCPs following failure of all seal moling. Since makeup pump MUP-1B is normally operating, and it is in turn cooled by the NSCCC system, which also cools the RCP seals, then loss of the NSCCC will, at least temporarily, cause loss of all seal cooling.
15)
Crystal River 3 has two types of reactor building cooling: the reactor building sprays and the reactor building ventilation cooling fans. However, Level I success criteria do not require reactor building cooling following a LOCA.
i 16)
A borated water storage tank (BWST) refill ability apparently exists, which is credited in the SGTR sequences.
Some of the plant characteristics important to the back-end analysis are summarized in Table 1 below and compared to the Zion and Surry values.
Table 1 Plant and Containment Characteristics for Crystal River 3 j
Characteristic Crystal River 3 Zion Surry l
Thermal Power, MW(t) 2544 3236 2441 RCS Water Volume, ft' N/P*
12,700 9200 Containment Free volume, ft' 2,000,000 2,860,000 1,800,000 Mass of Fuel, Ibm N/P 216,000 175,000 Mass of Zircalloy, Ibm N/P 44,500 36,200 Containment Design Pressure, psig 55 60 45 Median Containment Failure Pressure, psig 122 135 126 RCS Water Volume / Power, ft'/MW(t)
N/P 3.9 3.8 Containment Volume / Power, ft'/MW(t) 786 884 737 Zr Mass / Containment Volume, Ibm / ft' N/P 0.016 0.020 Fuel Mass / Containment Volume, Ibm / ft)
N/P 0.076 0.097
- Not provided in the IPE submittal.
4 Both the power level and the containment free volume of Crystal River 3 are less than those of Zion but greater than those of Surry. The containment volume to thermal power ratio and the containment design pressure of Crystal River are also between those of Zion and Surry. In comparison with Zion, the combiamina oflower containment volume to thermal power ratio and lower design pressure for Crystal River 3 indicate that the containment structure for Crystal River is not as robust as that of Zion relative to a containment overpressure challenge in a severe accident (assuming that the overpressure challenge a
3 4
r
I is proportional to the voluneto power Tatoy Liase&un a similarmomparimn, the containment structure of Crystal river is more robust than that of Surry, it should be noted, however, that the lower design pressure for Surry is primarily due to its subatmospheric containment.~nie. reactor coolant system (RCS) water volume, fuel clad mass, and containment failure pressure, which also can be used as indicators for containment challenges during a severe accident are not provided.in the Crystal River 3 IPE submittal.
It should be noted that the parameters presented ir*the above table provide only rough indications of the containment *s capability to meet severe accident challenges and thartmth the containment strength and the challenges associated with the severe accident involve significant uncertainties, The plant characteristics imponant to the back-end analysis are:
1)
De containment has a relatively small reactor cavity (12 ft. diameter by 10 ft. high and a floor area of 260 A2) which is closed off from the containment interior by two steel doors on the access i
tunnel and by a steel plate through which the in-core instrument tubes pass. Water can drain into and out of the reactor cavity by three 1.5-inch diameter drain holes and by the annular 0.2-inch clearance between each instrument tube and the steel plate. The total water access cross section from the containment floor to the reactor cavity is about 28 sq. in, ne floor of the reactor cavity is about one foot lower than the surrounding containment floors. This tends to prevent debris spreading and reduces the probability of debris cooling.
2)
The large containment volume, high containment pressure capability, and the open nature of compartments facilitate good atmospheric mixing.
4 i
)
l j
- 2. TECHNICAL REVIEW
)
2.1 Licensee's IPE Process 2.1.1 Completeness and Methodology De licensee has provided most of information requested by Generic Letter 88-20 and NUREG 1335 but there are some serious shortcomings.
The front-end portion of the IPE is a Level 1 PRA. De specific technique used for the Level 1 PRA was a small event tree /large fault tree, and it was clearly described in the submittal.
Internal initiating event and internal flooding were considered. Event trees were developed for all classes of initiating events. An uncertainty analysis was performed that provided a probability distribution for the core damage frequency.
To support the IPE process, the licensee made a review of, and built the model upon, a previous probabilistic study on Crystal River 3, the 1987 Crystal River Unit 3 Probabuistic Risk Assessment, which was reviewed for the NRC by the Argonne National Laboratory and found to be generally sound.
Dere is no discussion about the disposition of the ANL comments, other than a statement that the comments which the licensee thought were substantial were incorporated (RAI responses). PRA studies for similar plants were also reviewed, for instance the ones for Oconee, Arkansas Nuclear One - Unit 1, and Davis Besse. A previous Crystal River 3 NRC sponsored study, part of the IREP program, was also referenced.
The submittal information on the HRA process was generally inadequate in scope. Some additional information/ clarification was obtained from the licensee through an NRC request for additional information, but sufficient information was not provided in the response to the RAI cither. The analysis of pre-initiator actions included both miscalibrations and restoration faults. A screening analysis was performed and pre-initiator human actions surviving screening were quantified in more detail using the guidance provided in the book human Reliability Analysis by Dougherty and Fragola. Post initiator human actions modeled included both response-type (rule-based) and recovery-type actions. For the post-initiator screening analysis, the modeled sequences were first quantified without considering any operator assisted recovery actions. Potential recovery actions were then identified and an initial screening value of 0.1 was used to identify the most important events. Events determmed to be "of low consequence" were left at the screening value, with the remaining receiving a more detailed evaluation based on the Dougherty and Fragola method. De extent to which WW among multiple actions in a cutset were considered was not addressed. All post-initiator response and recovery type human actions were quantified using the same basic method, with ad,ustments in HEPs made as a function of whether the actions were considered rule-based (pmcedural guidance) or knowledge-based (limited procedural guidance). As defined in the submittal, recovery actions could include actions that were not proceduralized Whde a review of the modeled recovery actions did not indicate that extraordmary actions on the part of the operators were assumed, no;ustification for the modeling of the various non-proceduralized actions was provided. Without such;ustification, the modeling of any completely non-proceduralized actions would have to be caa=4 ed optimistic. Furthermore, consideration of plant-specific performance shaping factors and Wies was apparently limited (based on the documentation in the submittal and in the response to the NRCs RAI) and therefore the results of the HRA may have been
]
5
1 optimistic for these reasons also Fmally,'madequate documentaboo was pmvidcJ on the determmation of the time needed for operator diagnoses and onethe time.nerded to conduct the actions, which if done incorrectly, could also lead to optimistic estimates of HEPs in general, there was a lack of documentation on how time was considered in quantifying operator actions. Without additional mformation about some of the modeled events, it was difficult to determine whether the HEPs would in general be considered outside the normal range of values obtained for similarsvents in other IPEs A list of important human actions (as i
determined by those individuals performing the recovery.nnalysis) was pro 6ded.ond it was noted that several improvements to plant emergency procedures were recommende.d and. included A list of the improvements was not provided.
De Crystal River 3 Individual Plant Examination (IPE) back-end submittal is essentially consistent with respect to the level of detail requested in NUREG 1335.
He methodology employed in the Crystal River 3 IPE submittal for the back-end evaluation is clearly described. Plant Damage States (PDSs) are used as the initiM conditions for the back-end analysis. The PDSs are denned in the Crystal River 3 iPE by the use of containment system event trees (CSETs),
q which consists of a set of characteristics describing the availability of containment systems and the core damage bins (CDBs), which group the core damage sequences obtained from the front-end analysis.
Quantification of the accident progression involves the development of a small containment phenomenological event tree (CPET, or CET in some other IPEs) with 13 top events. The quantification of the Crystal River CPET does not involve the use of logic tree structures (i.e., decomposition event trees or fault trees; for the CET top events, as are used in some other IPEs, but involves the use of a set j
of dependency rules for the top event to determine the conditions and the corresponding split fractions i
of the CPET top events, ne CPET and the dependency rules used in the Crystal River 3 IPE provide a structure for the evaluation of most of the containment failure modes discussed in NUREG-1335. The containment failure modes that are assumed negligible and thus not included in the CPET structure include those from temperature induced SGTR, in-vessel steam explosion (the alpha mode failure), vessel thrust force (the rocket mode failure), and penetration failure due to degradation of sealing materials under harsh environmental condition.
De result of the CPET analysis leads to an extensive number of CPET end states which are binned into fifteen release categories (RCs). Dese RCs are further grouped into five key release categories (KRCs) for source term definition. De quantification of the CPET is based on the results obtained from plant-specific analysis of accident progression using' computer codes (MARCH 3, TRAPMELT3, and i
CONTAIN 1.1), review of the NUREG-ll50 analyses for Surry and Zion, review of the Seabrook Level 2 analysis, and results from special analyses performed for some containment issues.
2.1.2 Multi Unit Effects and As-Built, As-Operated Status Dere are no other nuclear units on site. However, according to NSAC-194 (pp. A-12, A-13), there are at least three fossil units on site, which are not mentioned or discussed in the IPE. It appears that at least the switchyard may be shared besween the nuclear and the fossil units.
De as-built, as-operated status is not well documented. Dere is a statement in the submittal that there was a review by a relevant systems engineers. De freeze date of the analysis was April 4,1992 (RAI Responses). The plant models are mostly based on the updated models contained in the NRC-reviewed 1987 study, with the most significant modification being a change in battery depletion time from 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (RAI responses). De differences in the two studies stem mostly from the more accurate data, 6
1 panicularly pertaining to the number of demands on components, and also due to changed trip frequencies (RAI responses). He data were gathered by reviewing the shift supervisor logs, the operator logs and the procedure history (RAI responses). Comprehensive plant walkdowns were performed for internal flooding effects. Other internal flooding location and vulnerability information came from documents, drawings and the plant configuration management information system.
Plant speci6c data were used where possible.
The participation of a nuclear safety supervisor who was a former senior reactor operator (SRO), reviews of procedures and training, and interviews with operators helped assure that the HRA portions of the IPE represent the as-built, as operated plant. However, documentation of HRA related walkdowns and observations of simulator exercises would have strengthened the notion that a viable process was used.
Insofar as the back-cnd analyses are concerned, it appears that all the Crystal River 3 containment specific features are modeled.
He RAI responses indicate that the licensee intends to rnaintain a "living PRA" 2.1.3 Licensee Participation and Peer Review Licensee personnel were involved in all aspects of the analysis. In-plant expertise was already existent due to the previous Crystal River 3 PRA study, which was contracted to SAIC to " assist the FPC in the creation of a Level 1 PRA for Crystal River 3 nuclear unit". That PRA model has been used by the utility in " licensing, engineering, operations, maintenance and training". The utility has also been involved in maintaining the PRA consistent with evolving plant configuration and procedures. The current Level 1 analysis (except for flooding) seems to have involved reviewing the previous study's model for consistency with current plant configuration and practices, updating the data and requantifying the model. The flooding analysis was performed either by SAIC or with the help from SAIC, but with the " full participation of the FPC PRA staff'. He front-end analysis was primarily performed by two full time engineers with assistance from other licensee personnel as needed.
De containment analysis of Crystal River 3 was performed with the help of Risk Management Associates (RMA) and Risk and Safety Engineering (RSE).
According to the IPE submittal, the preparation of the IPE involves full participation of the FPC PRA staff and the independent review of the IPE " consisted of having each system model reviewed by the relevant FPC system engineer, and having the event sequence analysis, quantification, and recovery analysis reviewed by the Nuclear Safety Supervisor at Crystal River 3, a former Senior Reactor Operator." It is not clear from the above description the extent of involvement of the FPC's personnel in the preparanos and, particularly, in the independent in-house review of the IPE. Although a question was asked in the RAI regarding this issue (RAI Question 20), additional information beyond that provided in the IPE submittal was not provided. According to NUREG-1335, "De submittal should contain, as a minimum, a description of the internal review performed, the results of the review team's evaluation, and a list of the review team members." He description provided in the IPE submittal is not sufficient to meet the above request.
7
2.2 Front End Technical Review 2.2.1 Accident Sequence Delineation and System Analysis l
2.2.1.1 Inidating Ennis The identification of initiating events proceeded in a three-stage approach in the IPE analysis: 1) review of existing sources was conducted, including other PRAs of similar plants; 2) a thorough review was made of each system at Crystal River 3 to identify events that could be of a unique nature or that would not be well characterized by analyses or operating experience of other plants; 3) the operating experience for Crystal River 3 was examined to determine if it suggested any additional types of events that were not identified elsewhere.
i i
As a result, a total of 19 initiating events (including 3 flood initiators) were identified. Rese were:
Large LOCA Medium LOCA Small LOCA j
Steam Generator Tube Rupture Transients:
Reactor /turbme trip Loss of power conversion system (includes instrument air loss)
Loss of offsite power Excessive feedwater Steam /feedline break Spurious low pressurizer pressure Spurious engineered safety features actuation Loss of 4160 V ES bus 3A Loss of 4160 V ES bus 3B Loss of service water Loss of RWP flush water Loss of offsite power transformer Internal floods:
SW pipe break in zone AB-1194E (spray)
BWST contents into decay heat pit B BWST flood or RW expansion joint flood onto el. 95' aux bldg.
Note: The term " lost ofserdce unter (or SW)* In this IPE is used to denote what is referred to usually as the ' lost ofconponent cooling noter * (i.e. the NSCCC part of the system, since the DHCCC part is not used in normal opemtion). The ' raw noter" or RW denotes what is commonly called he serdce noter elsewhere, i.e. the ultimate heat sinkfor decay heat rejection. The RWPflush water refers to the domestic noter source usedfor lubrication of the bearings around the raw unter (RW)punp shqfts.
ISLOCAs and reac'or vessel rupture were considered separately and found not to be a significant contributor (on the order of a few times 104/yr in core damage frequency), so these initiators were not 8
included in the results. The treatment of ISLOCAs was detailed, that of the reactor vessel rupture was qualitative and relied on a generic B&W study.
DC power failures were " considered and eliminated" as an initiator, apparently due to system redundancies. In the RAI responses, the licensee stated that the loss of a DC bus as an initiator will be reconsidered. HVAC failures were not included as an initiator, apparently due to redundancies in equipment and slow heatup rates. He control room HVAC is not included due to availability of alarms and recovery actions credited. It should be noted that the HVAC system was not included in the PSA model of the IPE submittal, but has since been added (RAI responses). (The resultant increase in the CDF is "small", according to the RAI responses).
In the RAI responses, it is stated that the loss of non-nuclear instrumentation is included under loss of MFW.
2.2.1.2 Event Trees The IPE developed 4 event trees to model the plant responses to internal initiating events: large LOCA event tree, medium and small LOCA event tree (considered together), SGTR event tree, and transient event tree. ATWS was considered using a scoping study. No event trees were developed for ISLOCAs.
No separate event trees were developed for Gooding scenarios, the transient event tree was used with additional flood-caused failures flagged in the appropriate fault trees.
De event trees are functional. The mission time used in the core damage analysis was 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, unless a shorter time is indicated (e.g. LOCA injection phase),
ne event tree end states are divided into the two possible outcomes: success or core damage.
No definition of core damage is given in the IPE, but it seems the traditional mixture of core uncovery for most events and the peak cladding temperature for LOCAs was used. De RAI responses state that
- core damage for the Crystal River 3 IPE is conservatively defined as core uncovery". However, core uncovery does occur (temporarily) in some successful LOCA sequences.
Success criteria seem reasonable and are based mostly on the Oconee PRA calculations and similarities between the two plants.
The success criteria for the medium and the small LOCAs are the same, thus the two initiators were treated using the same event tree. De success crite-ia call for using one of three makeup pumps in the injection phase, followed by high pressure recirculation, or depressurization in conjunction with low pressure recirculation.
De feedwater flow must be supplied within 4 minutes of a transient in order to prevent the actuation of the PORV. De PORV has insufficient capacity to remove the decay heat immediately after a reactor trip. Derefore, in absence of feedwater, the pressurizer would fill in another 6 minutes, with demand for the safety relief valves (SRVs) reached soon thereafter. Recovery of steam generator cooling within 30 minutes can prevent a demand for high pressure injection (HPI) cooling. Feed and bleed cooling requires no opening of the PORV, i.e., the makeup pump has sufficient head to operate in conjunction with the safety valve opening..
9
_ ~ _ _ _ _
1 An omission in the IPE was lack <ol amsderafimcuf core flmed.tankEin large10CA sequences (one LPI pump in combination with one of two core flood tanks is needed)..However, this was corrected in the RAI responses and the CDF increase was negligible Containment heat removal systems are not needed (this was the result of Oconee and Davis-Besse calculations). Oconee calculations show the time to containment failure without any heat removal to be on the order of 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. A sensitivity study was performed which included these systems in large LOCA sequences. He increase in the CDP was 1.2E-6/yr, or less than 10% of the calculated core damage frequency.
De RCP seal cooling model assumes that both thermal barrier cooling and seal injection must fail and the operators must fail to trip the RCPs in order for the seals to fail, nis element of the success criteria is more optimistic than the Westinghouse model. It is based on design and test data for the Byron-Jackson N-9000 seals used at Crystal River 3. It should be noted that loss of the NSCCC system (e.g.,
initiating event T a) will cause loss of both methods of seal cooling, as the NSCCC system is used to cool i
the normally operating makeup pump 1B.
In the ISLOCA treatment, assumptions are made which are not fully discussed, e.g., regarding LOCA size, isolability, operator actions, availability of water in the containment sump to support recirculation (possibly from PORV opening).
2.2.1.3 Systems Analysis A total of 12 systems / functions are described in Section 3.2 of the Submittal. Included are descriptions of the following systems: AC electrical power, DC electrical power, core flood tanks, engineered safeguards actuation system, makeup and purification system, building spray system, decay heat removal system, power conversion system, emergency feedwater system, reactor coolant pressure control system, service water systems and the reactor building ventilation systems. Note that the service water systems description includes both the closed cooling systems (NSCCC and DHCCC) which are equivalent to a CCW system, and the ultimate heat sink systems (NSSW and DHSW), which are equivalent to a SW system elsewhere.
Each system description includes a discussion of the system design and operation. De descriptions are very short (% page to one page on the average) and sometimes wanting in important details (e.g.
dependencies, any cross connection possibilities between trains).
Also included for many systems are simplified schematics that show major equipment items and important flow and con'iguration information.
Sometimes the diagrams provided are not very helpful in understanding a system (e.g. AC, DC power).
Success criteria are described in the event tree descriptions portion of the report. System dependencies are not fully explained (e.g. which systems have DC power dependency). No dependency table is provided, however a pictorial presentation of ECCS support systems is included in the RAI responses.
His does not seem to be complete. Some support system descriptions include a list of systems which they support.
i 10
1
~
Some HVAC mnsiderations are supplied with the RAI responses since this system was not included in the original submittal model. He model was requantified with HVAC included and the CDF rise was found to be "small" (RAI responses),
i ne following paragraphs provide a brief description of each system analyzed:
The AC power system consists of 6 trains. De reactor coolant pumps are powered off the 6.9 kV buses 3A and 3B, which are supplied by the main generator when the plant is up and running. He main generator supplies the 500 kV switchyard. These loads are transferred to the startup transformer in the 230 kV switchyard upon loss of the main generator. Power to the Unit buses 3A and 3B, which power most of the other normal plant loads, is also supplied through the 230 kV switchyard, via the startup transformer. He two engineered safeguards buses (4160 V) are supplied from the offsite power transformer, also connected to the 230 kV switchyard. Rus, electrical power is isolated from the effects of a unit trip and loss of the main generator (i.e., except in case of loss of the 230 kV switchyard).
Electrical power will continue to be supplied to the normal plant loads (including the RCPs) as well as i
the engineered safeguards.
i ne engineered safeguards buses can also be supplied from the two emergency diesel generators. Note i
that on loss of the offsite power transformer, the diesel generators will start up automatically, however, j
the operators would first try transferring the ESF buses to the startup transformer by closing the appropriate breakers. This action is proceduralized and well known to the plant operators, according to the submittal.
De emergency diesel generators depend on DC power, such that a failure of the associated battery means a failure of the diesel.
The DC power system provides an uninterruptible source of power at 250,125 and 24 volts. It also serves as the primary source of power to the 120 V AC instrument buses. There are three separate trains of DC power: A, B and C. He A and B trains supply DC power to the ESF and IE equipment, whereas the C train provides power to the non-lE equipment. Each train has its own battery bank, consisting of j
two 125V cell groups in series. Charging power to the batteries is supplied by nine AC battery chargers (two normally operating chargers and an installed spare for each train). The capacity of the two operating chargers is sufficient to maintain battery charge while supplying all normal DC loads on a given train.
The battery depletion time in a station blackout has been increased from two hours to four in response to the station blackout rule. This assumes load shedding by the operators. "De extension of battery lifetime resulted in a significant decrease in CDF" (RAI Responses).
The makeup and purification system has three makeup pumps which are also employed as HPI pumps.
One makeup pump is normally running and providing makeup flow and seal injection. During an accident, suction is provided from either the BW5T or the containment sump, via the decay heat removal pumps. De recirculation switchover is manual. All operating makeup pumps require cooling from the Closed Cycle Cooling portion (NSCCC or DHCCC) of the Service Water System.
The HPI system is automatically started upon indication of either an RCS pressure of 1500 psig or a mntainment pressure of 10 psig. The latter initiation setpoint ensures timely startup of the HPI in case of a very small LOCA (< !.5 inch break size), i.e., within 30 minutes if steam generator cooling is available and within I hour otherwise.
11
De reactor building spray system has two spray pumps and two spray headers. De system is designed to furnish 100% of the design cooling capacity (i.e., reduce pressure to 55 psig and temperature to 281*F after a large LOCA) with both of the spray paths in oper4 tion. It is designed to operate effectively for as long as 60 days. The system is initiated on high reactor building pressure (30 psig) in conjunction with an HPI actuation signal. The suction is initially from the BWST and is manually transferred to the containment sump for recirculation.
He decay heat removal system has two trains oflow pressure injection pumps and heat exchangers. In normal operation, this system is used for shutdown cooling, when the RCS pressure is below 200 psig, with suction from the RCS hot legs and discharge into the cold legs. In accident conditions, the system is automatically actuated when the RCS pressure reaches 500 psig, such that the suction is from the BWST and the injection path a the RCS is open. He system will start injecting when the RCS pressure falls below the pump deadhead pressure of 200 psig. Upon recirculation, the suction is manually switched over to the containment sump, with the discharge either aligned to the RCS cold legs or the i
suction of the HPI pumps.
The power conversion system is the part of the plant used to cool the reactor in normal operation and convest the heat into electricity. he plant systems of interest, subsumed under this system, are the main feedwater system, the condensate system, the main steam system, the integrated control system, and the circulating water system.
De main feedwater and the condensate systems consist of two trains of pumps supplying water to the steam generators. The condensate pumps are motor driven while the main feedwater pumps are steam turbine driven. De MFW pumps are run back following a reactor trip and continue to operate for most j
plant upsets. It is not clear if MFW failure post-trip, due to control system failure or operator error is properly modeled, or failure of MFW due to MSIV closure. De feedwater flow in normal operation and 1
following a plant trip is controlled by the integrated control system (ICS). The ICS controls the feedwater system, the main steam system and the reactor control system. The steam relief function of the main steam system is accomplished by the turbine bypass valves and the atmospheric dump valves.
The emergency feedwater system is used as a post-shutdown backup of the main feedwater system. It consists of one turbine driven and one motor driven pump and associated piping, as well as the emergency feedwater initiation and control (EFIC) system. Each pump is rated at 750 gpm, with the design flow of 550 gpm to both OTSGs (once thmugh steam generators) at 1050 psig. He EFIC system serves several functions, including: automatic initiation of the EFW, control of the EFW flow rate, regulation of the secondary side pressure during EFW operation and isolation of the main steam and feedwater lines on low steam generator secondary side pressure. De three primary sources of water for EFW operation are the dedicated 150,000 gal EFW storage tank, the 150,000 gal condensate storage tank and the condenser hotwell. He EFW storage tank capacity is enough to cool the reactor for 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
Refilling of the EFW tank is an operator action which doesn't seem to have been credited.
The motor driven EFW pump is cooled by the NSCCC (part of the service water system), whereas the turbine driven pump is self cooled.
De EFW pumps are automatically started on the following conditions: low level in either steam generator, loss of both main feedwater pumps, loss of four reactor coolant pumps, low pressure in either steam generator, an engineered safeguards actuation system high pressure actuation signal or AMSAC initiation of MFW < 17% nominal flow and power > 25%. AMSAC is the ATWS mitigation system.
12
i 1
ne reactor coolant pressure control system consists of a PORV and the pressurizer spray. The PORV opening setpoint is at 2450 psig for automatic actuation, reciosing occurs automatically at 2380 psig (when opened manually from the control room, the PORV does not reciose automatically). This means that the turbine trip and the reactor trip occur almost simultaneously, as the RCS high pressure trip set point is at 2355 psig. When the plant initially started operation, the PORV setpoint was much lower, at 2250 psig, such that a turbine trip could be accommodated without tripping the reactor, i.e., the initial pressure rise would be relieved by the PORV, the reactor power would be reduced by the ICS via partial insertion of the control rods, while the MFW flow would be run back. De raising of the PORV setpoint was mandated by the post-TMI concerns about challenges to the PORV possibly resulting in a small LOCA due to failure to reclose.
He PORV can be used for feed and bleed (in conjunction with HPI pump operation), as can the primey safety relief valves.
De PORV is opened by operation of a solenoid valve which is actuated by a relay. Failure of either 24V DC NNI X buses inhibits operation of the PORV.
The pressure control can also be accomplished by the pressurizer spray, operation of which must be accomplished manually, from the control room, by opening one of the two motor operated valves in series (the other valve is usually open). De pressurizer spray is taken from the discharge of pump RCP.
j IB.
The service water systems consists of the closed cycle cooling pan and the raw water system (or the ultimate heat sink) part. De former is usually called the component cooling water system at other plants, while the latter corresponds to the service water system at other sites, ne closed cycle cooling part of the system is subdivided into the nuclear services closed cycle cooling (NSCCC) and the decay heat cl.osed cycle moling (DHCCC) systems. The NSCCC is used both in normal operation and in post-trip and accident situations, whereas the DHCCC is only used post-shutdown. De ultimate heat sink part of the system is subdivided into the nuclear services seawater (NSSW) and the decay heat seawater (DHSW) systems. NSSW cools the NSCCC loads, while the DHSW cools the DHCCC loads.
The NSCCC system contains three pumps in parallel, one normal and two emergency pamps. The emergency pumps are sized 50% greater than the normal pump due to additional loads created by the i
reactor building ventilation fans, in case of certain accidents in addition to the makeup pumps mentioned above, this system cools the following imponant loads: reactor coolant pumps, seal return coolers, con!rol complex water chillers, the motor driven EFW pump, the NSCCC pump motors and the raw water pump motors, as well as some loads not modeled in the PRA. It can also be used to cool the reactor building ventilation fan coils. De RCP and seal return loads are shed on ESAS (engineered safeguards actuation system) signal generation, while the reactor building fan coils are added. Operation of one NSCCC pump and three out of four NSCCC heat exchan'gers constitutes success.
De DHCCC system consists of two separate trains, providing cooling to the DHR heat exchangers, the DHR pump motors, the reactor building spray pump motors, the DHCCC air handling units; the makeup pumps stated above and the decay heat portion of the raw water system pump motors. One operating train mnstitutes success.
De Raw Water (RW) system is divided in two pans, the NSSW system cooling the NSCCC circuit, and the DHSW cooling the DHCCC circuit. De configuration mirrors that of the closed cooling system 13
_..-~ _ _ - _ _ _ _
l L
being cooled (i.e., three pumps, one norinal and two ernugency and 4 bes exchangers for the NSCCC cooling, and two traire for the DHCCC. cooling)
The reactor building ventilation systemis used~in both normal and accidem conditions. It consists of three fan assemblies with associated cooling coils and filters Each fan assembly supplies 50% of the cooling capacity requirements during normal operation and 33.33% of the cooling capacity requirements in accident conditions. De cooling coils are cooled by the industrial cooling system (Cl) during normal operation, or they can be connected to the NSCCC to further reduce or control the reactor building j
temperature, ne NSCCC is also used for eraergency cooling of the reactor building cooling coils.
i A 1500 psig ESAS signal will automatically start the main fan assemblies in slow speed, or revert any operating assembly to slow speed. De reactor building isolation and cooling signal (4 psig in the reactor building) will automatically swap the fan assembly cooling source from Cl to NSCCC and place the main fan assemblies in slow speed. He slow speed operation protects against motor overload while operating in a dense atmosphere (assumed LOCA conditions).
2.2.1.4 System Dependencies The IPE addressed and considered the following types of dependencies: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, areas requiring HViC (not considered in the original submittal), and operator actions. HVAC was determined to be important in the battery rooms, battery charger rooms, inverter rooms, EFIC (emergency feedwater initiation and control) rooms and the diesel generator rooms. In other rooms, temperature limits would'not be exceeded in the accident scenarios ofinterest, or, as in the case of the control room complex, alarms and operator i
action would preclude any damaging effects (RA! responses). Consideration of HVAC has resulted in a "small increase in the overall core damage frequency" (RAI responses).
Documentation for HVAC considerations was very brief and incomplete. No basis was provided for using 150'F across the board as the criterion for system / component failure. No details were provided on room heatup calculations, operator actions, alarms, etc. The increase in the CDF from HVAC considerations (which were not taken into account in the original IPE) was not further defined, other than as small. The dependency anagram was incomplete (e.g., did not show DC power, AC power, 9
instrument air, etc., dependencies).
2.2.2 Quantitative Process 2.2.2.1 Quant (jfcation of Accident Sequence Frequencies ne IPE used a small event tree /large fault tree technique with fault tree linking to quantify core damage sequences. Fault tree models were developed for top events depicted in the event trees. Rese high level fault trees are shown in the submittal. De systems in these fault trees were also modeled by fault trees, as were their support systems. Modular fault trees were used. De event trees were functional. The CAFTA software package was used for development and quantification of top event probabilities and accident frequencies.
De cut set truncation limit used was 1.E-8/yr, except for the SGTR sequences, where a truncation limit of 1.E-9/yr was used. Tests were performed to insure that non-negligible contribution to the sequence frequencies were not missed due to the application of the truncation limits. Quantifying the model at the 14 t
u--
1 1.E-9/yr level, without recovering cutsets below the 1.E 8/yr level, resulted in an increase in the CDF of 13%. Further reducing the truncation to 1.E-10/yr in a similar fashion, resulted in a further CDF increase of 4%.
The IPE took credit for various recovery activities, including the recovery of offsite power. He IPE power recovery curve is more optimistic than the average industry data cited in an Electric Power Research Institute (EPRI)-sponsored study (NSAC-147), although the RAI responses claim that the curve used is more conservative than reality due to inclusion of snow storm events. He power recovery curve was obtained by fitting a Weibull distribution function to data obtained from Figure 3.2 in NUREG-1032, i.e.,
Pr(offsite power not restored by time t) = exp(-at*),
where: a= 1.,1, b=0.583, t is in hours.
His yields a probability of nonrecovery at I hr of 0.33, vs. the NSAC value of 0.40, and the probability of nonrecovery at 8 hrs of 0.024 vs. 0.05 from NSAC data.
2.2.2.2 Point Estimates and Uncertainty / Sensitivity Analyses Mean values were used for the point estimate initiator frequencies and all other basic events. A formal mathematical uncertainty analysis was performed on the results, using Monm Cado simulations and employing the UNCERT computer code which is a module of the CAFTA workstation.
He mean of the core damage frequency is 1.39E-5/yr. De 5th, the 50th and the 95th percentiles are, respectively: 2.36E-6/yr, 8.30E-6/yr and 4.24E-5/yr.
System importance analysis results are shown in Figure 1.
2.2.2.3 Use of Plant Specific Data The data collection process period was from September 18,1978 through January 10, 1988.
The plant specific data for the following components were used: air operated valve, motor operated valve, relief valve, solenoid valve, manual valve, check valve, motor driven pump, turbine driven pump, air compressor, diesel generator, inverter, battery and battery charger. All the other components were given generic data.
Both demand and time related failures were addressed. The primary source of plant specific failure data was the computerized Maintenance Activity Control System (MACS), which was implemented in 1989, presumably including data preceding its implementation. In addition, LER reports were also consulted.
Plant specific data were used for unavailabilities due to test and maintenance activities. This data was derived from the operator action statements. For components where maintenance unavailability data was unavailable, a screening value of 0.01 was used.
He submittal shows both the generic data and plant specific data used for a component. The generic data were taken from the SAIC compiled data base used in the original Crystal River 3 PRA study. A SAIC computer (CARP) is used to aggregate as many as 20 data sources for each component type and failure mode combination.
15
0.5 -
l 0.45-
~
0.4 -
0.35-e 0.3 -
e u 2E
.}. g 025-a.
cc E 0.2 -
0 m
4e sw erw ac rw oc uu System System Key DH i Decay Heat Removal AC AC Power SW Nuclear Services Closed Cycle, Decay Heat Closed Cycle, Nuclear Services Sea Water, and Decay Heat Sea Water Coolina EFW Emergency Feedwater RC Reactor Coolant Pressure Control (PORV and SRVs)
FW Main Feedwater and integrated Control DC DC Power MU Makeup and Purification Figure 1 System importance 16
Table 2 mmpares the failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR-4550 data for comparison [NUREG/CR 4550, Methodology).
Most of the Crystal River 3 data in Table 2 is plant specific, but generic data are also included for some important components, for comparison.
Crystal River 3 data are generally in agreement with the NUREG/CR-4550 data. However, the turbine
' driven pump, and the air compressor have a substantially lower failure rates than the reference data, whereas the failure rates for the motor driven pump and the diesel generators are somewhat lower. The EFW turbine driven pump is an important feature for dealing with station blackout situations (which contribute almost 30% of the total CDF), thus the data used for it is important. However, according to the submittal, plant specific experience is used here to arrive at a failure rate (to run) that is two orders of magnitude lower than that in NUREG/CR-4550, or in the generic data base used.
2.2.2.4 Use of Generic Data As discussed in Section 2.2.2.3 above, several sources of generic data were consulted to arrive at a composite generic value for each component and failure mode.
2.2.2.5 Common-Cause Quant (fication Redundant components were systematically examined to address potential common-cause failures. The approach used was the beta factor method. The data base used was the EPRI data base. The events in this data base were reviewed for applicability to Crystal River 3, and the applicable common cause factors calculated.
De categories of components modeled in the common cause analysis were: all kinds of pumps, MOVs, safety / relief valves, check valves, diesel generators, chillers and fans.
A comparison of the # factors in the submittal vs. those suggested in NUREG/CR-4550 (" reference #
factor") is presented in Table 3. NUREG/CR-4550 reports only failure to stan # factors, in addition, common cause failures of check valves, chillers and fans were considered, as were those of batteries (however the # factors for batteries were not reported in the submittal). De # factors were derived from the values in the EPRI report NP-5613, by assuming that those values were the 95th percentiles of the true # factors (having a log-normal distribution with an error factor of 3). The ranonale is that the common cause failures are reported in the LERs very conscientiously, but that only a fraction of independent failures are thus reported. Derefore, dividing the common cause occurrences by the independent occurrences overestimates the contribution of the common cause. Dus the assumption that the number in NP-5613 represents the 95th percentile of the true # factor. Similar reasoning was used in a draft version of the NUREG/CR-4550 report.
'7
Table 2 Comparison of Failure Data Component CR3 4550 MD Pump fail to start 1.3E-3 3.0E-3 fail to run 1.4E 5 3.0E-5 TD Pump fail to start 1.4E-2 3.0E-2 fail to run 3.8E-5 5.0E-3 IAS Compressor fail to start
- 5. l E-3 8.0E-2 fail to run 1.5E-5 2.0E-4 Battery Charger Failure
- 3. l E-5 1.0E-6 Battery Failure
- 2. l E-6 1.0E-6 Circuit Breaker fail to remain closed 1.4 E-7 1.0E-6 AC Bus Fault (120V to 4.2kV) 2.2E-7 to 3.9E-7 1.0E-7 Check Valve fail to open
- 3. l E-4 1.0E-4 fail to close 3.2E-4 1.0E-3 MOV Fail on Demand 6.7E-3 3.0E-3 Air Operated Valve fail to open/close 2.6E-3 2.0E-3 Pressurizer PORV fails to open 5.9E-3 2.0E-3 fails to rec!nse, steam rif 5.0E-3 2.0E-3 Emergency Diesel Generator fail to start
- 6. l E-3 3.0E-2 fail to run 1.3E-3 2.0E-3 l
Notes: (1) 4550 are mean values taken from NUREG/CR-4550, i.e. from the NUREG-1150 study of five U.S. nuclear power plants.
(2) Demand failures are probabilities per demand. Failures to run or operate are frequencies expressed in number of failures per hour.
18 i
Table 3. Comparison of Common-Cause Failure Factors Component Submittal #
Reference #
factor factor Diesel generators 0.021 0.038 f
MOV 0.033 0.088 i
Safety / relief valve 0.029 0.07 failure to open 4
Makeup pumps, three 0.071 0.10 pumps Decay heat pumps 0.046 0.15 Bldg. spray pumps 0.021 0.11 EFW pumps 0.012 0.056 SW pumps, two 0.012 0.026 (three)
(0.014) ml De Table shows that the # factors used in the submittal are comparable, but consistently lower than those from NUREG/CR-4550. Also, in an update of the IPE PRA, the common cause failures between the turbine driven and the motor driven EFW pumps were deleted from the model, with no estimate on the impact on the results (RAI responses). De lower common cause factors, compared to the generally lower failure rates for some important components, and relatively low values used for some important initiator frequencies, may be pan of the reason for the relatively low total CDF reported in the IPE (1.4E-5/yr) compared to other IPEs, and also compared to the earlier, reviewed Crystal River 3 PRA, on which this IPE is based. The earlier PRA reported a CDF of 5.6E-5/yr, which the ANL review modified to 1.lE-4/yr. According to the RAI responses, the main reason for the difference between the CDF values reported in the earlier PRA and its review on the one hand, and the IPE CDF values on the other, is because the data were updated. The licensee states in the RAI responses that despite the lower CCFs, the common cause failures still dominate the CDF results. Derefore, the values used could have a significant impact.
2.2.2.6 lattiating Event Frequency Quantification De following transients used plant specific data: reactor / turbine trip, loss of power conversion system and loss of offsite power transformer. The frequency for loss of a 4160V bus was derived from generic failure data. The frequency for loss of offsite power was derived from industry data specialized to the Crystal River 3 site and the design of the electrical distribution system. Events involving snow or ice related failures were culled from the data base, while hurricane related events were given more weight.
De frequencies for excessive feedwater, steam /feedline break, spurious low pressurizer pressure and spurious ES actuation were taken from NUREG/CR-3862, which employed industry values. The frequency for loss of service water and loss of raw water pump flush water was derived from fault tree analysis, he frequencies of medium break LOCAs and SGTR events were based on data in NUREG/CR-4407, " Pipe Break Frequency for Nuclear Power Plants". He large LOCA frequency was calculated by dividing the medium LOCA frequency by 10 to account for " leak before break 19
l i
considerations". 'ne small'LOCwfregurcy'wasitAkemftw%e Oconed PRA (NSAC-60, June 1984),
which considered one flow diversion event resultiny.irnHPhacniationand dividing that event into the l
number of PWR reactor years.
Table 4 lists the initiating event frequencies used ir.the:!Pid Most initiating event frequencies seem reasonahle and are compamb!r to other PRA studies. He exceptions are the following:
5 The loss of offsite power frequency seems low for a site along the Gulf of Mexico. The hurricane 3
contribution is only once per hundred years, according to the submittal.. One could argue that precautionary shutdowns would usually be effected in advance of such an event.
The small break LOCA frequency is low compared to the NUREG/CR 4550 value of 1.3E-2 for a combination of small-small and small LOCAs. Spurious.RCP failures were apparently not considered.
De large LOCA frequency is about one order of magtntode below that recommended in NUREG/CR-4550, whereas the medium LOCA frequency is low by a factor of two.
l t
The licensee states that the LOCA frequency values are typical of other industry PSAs, and compares them to WASH-1400 values of 1.E-3/yr, 3.E-4/yr and 1.E-4/yr for small, medium and large break LOCAs, respectNely.
it should be noted that LOCAs and loss of offsite power are dominant contributors to the core damage frequency. In the RAI responses, the licensee disagrees that the LOCA and LOOP frequencies are low, citing other B&W plants for comparison.
t An event which occurred early in the operating history (within about a year of the start of commercial operation) was not included in the initiating event frequency. His event involved detachment of two burnable poi. con rods, causing damage to the RCS and the steam generators. De data window starts after the 7-month shutdown which followed.
i De ISLOCA frequency development arbitrarily assumes that only 10% of valve ruptures occur in the
.l 1
l critical parts of the valve, the rest occurring in the valve bonnet.
2 I
i 20
7 Table 4 Initiating Event Frequencies Event Description Mean (/y)
T reactor / turbine trip 1.4 i
T loss of power conversion system 0.4 2
1 T
- 3.5E-2 3
T.
excessive feedwater 0.13 T
steam /feedline break 2.lE-2 3
T.
spurious low pressurizer pressure 2.6E-2 T,
spurious ES actuation 5.2E-2 T.
loss of 4160V ES bus 3A 3.2E-3 T,
loss of 4160V ES bus 3B 3.2E-3 Tid loss of service water 2.2E-3 Tn loss of RWP flush water 5.2E-3 T
loss of offsite power transformer 0.4 i2 S
small break LOCA 2.0E-3 M
medium break LOCA 5.0E-4 A
large break LOCA 5.0E-5 R
steam generator tube rupture 1.7E-2 2.2.3 Interface Issues 2.2.3.1 front-End and Back End interfaces Crystal River 3 has both containment fan coolers and containment spray (CS) systems to provide containment cooling functions.
The IPE assumes that containment heat removal is not necessary to prevent core damage. This is based on Oconee and Davis Besse calculations. However, the effect of this assumption was quantified and found to lead to a decrease in the large LOCA CDF of 1.2E4/yr, or about 8% of the total CDF.
For certain small LOCA sequences (break size less than 1.5 inches), the RCS will not depressurize to the HPI setpoint in time to prevent core uncovery (3060 min depending on the availability of secondary cooling). However, the HPI will be initiated in a timely manner by the conuinment high pressure setpoint, according to Oconee calculations.
Another issue considered in the IPE is early depletion of the BWST for transient and small LOCA sequences. _ The concern is that the sprays may come on thus depleting the BWST before the operator is ready to effect the recirculation switchover. This is a concern at Oconee where the sprays initiate on 21
- _ ~ - _ -
containment pressure.of'10,psig. At I:rystal. River, tte.serpoint:is30 psig, which is unlikely to be reached if the containment fans are ope ating. 'Evernif Ae sprays come<nn, they would operate for a very short time, as the containnumt pressure would drop rather precipitnusly upon spray initiation.
Section 2.4 provides further discussion of level'2 issues.
2.2.3.2 Hwaan Factors interfaces Section 2.3.2.5 provides a discussion of imponant operatm actions.
2.2.4 Internal Flooding 2.2.4.1 laternal Flooding Methodology he methodology used to perform the flooding analysis consisted of three major steps:
1)
Identification of potential floods and areas affected (flood zones),
2)
Identification and initial screening of Gooding scenarios, and 3)
Quantification of important flooding scenarios ne development of flooding scenarios was supported by extensive plant walkdowns.
He existing transient event tree was used to quantify important flooding scenarios. System failures due to flooding scenarios were flagged in the fault trees. Propagation of flooding to other areas and isolation of the floods were considered. Component failures considered which could cause flooding were pipe and valve ruptures.
Spray effects were considered. Equipment was noted that had anti spray shields installed. Equipment height off the floor was noted and a time calculated for the flood to reach a certain critical height.
Intercortpartmant door failure was also considered.
HEPs were not considered to be influenced by the occurrence of a flood.
it should be noted that Crystal River 3 is it relatively open plant, such that there is little potential for flood water to accumulate in important areas.
Once the failure modes were identified, they were quantified using appropriate equipment failure data developed for the internal events, as well as the human reliability analysis.
It is not clear whether the following aspects were considered: maintenance induced floods, back
[
I pmpagation through the drains, plugging of the drains, and inadvertent actuation of the sprinkler system.
De open design of the plant would argue against some of these concerns.
2.2.4.2 internal Roodng Results Only two scenarios, when quantified without recovery actions, came in above 1.E-8/yr in frequency.
Dese were:
22 r
P 1)
SW pipe break in auxiliary bldg.,119 ft. elevation. His would be a spray, and since the effects are localized and any related failures would occur quickly, no further recovery or mitigation factors were pursued. However, considering that this estimate does not take credit for any isolation attempts and all spray vulnerable components in the entire zone are failed by this scenario, it is still considered pessimistic. The frequency is 1.25E 6/yr.
2)
BWST contents into Decay Heat Pit B. Since the BWST holds a maximum of 449,000 gallons, there will be about 185,000 gallons of overflow from the Decay Heat Pit B onto the 95' elevation of the auxiliary building. Bis would cover the auxiliary building floor to about a 1 ft depth.
The important equipment there is at least 7 inches off the floor. His part of the scenario was considered in another scenario and found to be a negligible contributor. For the part of the water i
that drains into Decay Heat pit B, a core damage frequency of 2.3E-8/yr results. His includes an HEP value of 0.3 to mitigate the flood given approximately 6 minutes to do so.
Herefore the total flood contribution to the CDF is about 1.3E-6/yr, or about 10% of that from the internal initiators, l
2.2.5 Core Damage Sequence Results 2.2.5.1 Dominant Core Damage Sequences ne results of the IPE analysis are in the form of functional sequences, therefore NUREG-1335 screening criteria for reporting of such sequences are used. De point estimate for the core damage frequency from internal events is 1.4E-5/yr Accident types and their percent contribution to the CDF, are listed in Table
- 5. He most important initiators are given in Table 6.
Dominant sequences for each of the four dominant initiators are described in detail: small and medium LOCA, loss of offsite power, SGTR and loss of 4160 V ESF bus. He 10 dominant sequences are shown -
in Table 7.
The submittal did not list the ISLOCA sequences, even though the reporting request for containment bypass sequences is 104/yr. In the RAI responses, dominant ISLOCA scenarios are discussed.
In this TER, the results of importance analysis are shown in Subsection 2.2.2.2.
The SBO sequences contribute about 29% to the total CDF. His includes the loss of offsite power initiator and the loss of offsite power transformer initiator, l.oss of RCP seals is apparently a negligible contributor to the CDF.
ISLOCA contributes 2.5E-7/yr (this assumes that only 10% of failures are in the body of the valve, the rest are in the bonnet section), or 1.8% of CDF. He flooding scenarios contribute a further 10% to the CDF.
b I
23 j
Tal,le 5 Accident Types and heir Contribution to the CDF Initiating Event Group Contnbution to CDF (/yr)
Small LOCA, failure in recirculation 7.2E-6 51.4 SBO 3.4E-6 24.3 Medium LOCA, recirculation failure 1.7E-6 12.1 Transient induced LOCA with loss of 4.4 E-7 3.1 secondary cooling, secondary cooling recovery, failure in recirculation SGTR with failure to implemait DHR
- 3. lE-7 2.2 cooling or control RCS inventory long-term SGTR with successful secondary 3.0E-7 2.1 cooling, failure in HPI Transient induced LOCA with 2.9E-7 2.1 recirculation failure TOTAL CDF 1.4E-5 97.3 i
Table 6. Dominant Initiating Events and Their Contribution to the CDF Initiating Et'at Contribution to CDF (/yr)
Medium and Small LOCA 9.0E-6 64 j
Loss of Offsite Power 3.4E 6 2s.
SGTR 7.0E-7 Loss of 4 kV ES bus 5.6E-7 4
Other 4.2E-7 3
)
24
P Table 7. Dominant Core Damage Sequences I
Initiating Event Dominant Subsequent Failures in
% of Sequence CDF j
Small LOCA Operator fails to go to HPR 14.3 Medium LOCA Operator fails to go to HPR 3.6 Small LOCA DHV-42,43 CCF to open (flow path from 3.L containment sump to LPR)
Small LOCA DHV-II,12 CCF to open (flow path from 3.5 LPR to HPR) i Loss of Offsite Power EDG CCF to start, offsite power not 2.0 restored in 4hr 50 min I
l Small LOCA failure of train A recirc valve DHV-42, 1.9 decay heat pump B train in maintenance Small LOCA failure of train B recire valve DHV-43, 1.9 i
decay heat pump A train in maintenance i
Loss of Offsite Power diesel generator A start failures, EDG-3B 1.9 in maintenance, offsite power not restored j
in 4hr 50 min j
Loss of Offsite Power EDG-3A in maintenance, EDG-3B start 1.9 failures, offsite power not restored in 4hr 50 min Small LOCA failure of train A recirc valve DHV-42, 1.7 DHCCC train B in maintenance Small LOCA failure of train B recirc valve DHV-43, 1.7 DHCCC train A in maintenance I
i 2.3 Human Reliability Analysis Technical Review 2.3.1 Pre Initiator Human Actions Errors in the performance of pre-initiator human actions (such as failure to restore or properly align
. equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause components, trains, or entire systems to be unavailable on demand during an initiating event. 'Ihe review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the eatent to which pre-initiator human events were considered, how potential events were identified the effectiveness of any quantitative and/or qualitative screening processes used and the processes used to account for plant-specific performance shaping factors (PSPs), recovery factors, and I
dependencies among multiple actions.
l 25
2.3.1.1 'lypes of Pre-Initiator Human Actions Considered he Crystal River 3 IPE considered both of the traditional types of pre-initiator human actions: failures to restore systems after test, maintenance, or surveillance activities and instrument miscalibrations.
2.3.1.2 Processfor Idenn)1 cation and Seleaion of Pre-Initiator Hwnan Aaions According to the Crystal River 3 IPE, the techniques usul for the HRA were based on the methods presented in the book Henan Reliability Analysis by Dougherty and Fragola. His book does provide general guidance relevant to the identification and selection of pre-initiator human actions, but does not provide explicit guidelines. In the plants response to an NRC request for additional information (RAI),
it was stated that maintenance errors involving standby components were selected if the error could cause a required function to be disabled when needed. Calibration errors were selected if the miscalibration could prevent a required function from initiating when needed. While no explicit statements regarding dismssions with plant personnel on the interpretation and implementation of procedures were provided, such discussions are suggested in the Dougherty and Fragola methodology. Moreover, the discussion of the quantification of pre-initiators provided in the IPE indicates that procedures and plant practices were considered. Rus, it would appear that relevant information sources were examined and that factors which could influence the probability of human error in pre-initiator actions were considered.
2.3.1.3 Screening Processfor Pre. Initiator Hwnan Aaions A screening value of 0.001 was apparently assigned to all modeled electrical system components. He value was based on the Dougherty and Fragola methodology, which cites THERP as its source. It was also stated that the 0.001 value was raised to 0.003 for mechanical components. While the reason for the increase for mechanical components was not discussed, it was stated that the Dougherty and Fragola screening values were supposed to be conservative. Exactly why the values were assumed to be conservative was not stated and it could be argued that in some cases the values used could be considered optimistic. In a response to an NRC RAI, the licensee indicated the " screening process limited detailed analysis of human errors to those which had potential to be risk significant." However, a discussion of how risk significance was determined was not provided.
2.3.1.4 Quannfication of Pre-Initiator Hwnan Aaions As noted above, the quantifiction of pre-initiator events was based on the Dougherty and Fragola method.
The screening values or
- base probabilities" for potentially risk significant events were adjusted as a function of several performance shaping factors (PSFs) such as surveillance procedures, functional testing, double sign <ffs, and " multiple components." He value used for each PSF was 0.1. Events with multiple components, such as a group of related level transmitters, were apparently conservatively treated by assuming complete dependence across the redundant channels. Restoration of different trains of the same system were apparently assumed to be independent.
2.3.2 Post-Initiator Human Actions Post-initiator human aaions are those required in response to initiating events or related system failures.
Although different labels are often applied, there are two important types of post-initiator human actions that are usually addressed in PRAs: response actions and recovery actions. Response actions are generally distinguished from recovery actions in that response actions are usually explicitly directed by emergency operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover a specific system in time to prevent undesired consequences. Recovery actions may entail going beyond 26
EOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not taken unless at least some procedural guidance is available.
The review of the human reliability analysis (HRA) portion of the IPE determines the types of post-initiator human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantify the post-initiator actions. The licensees treatment of operator action timing, dependencies among human actions, consideration 9 accident context, and consideration of plant-specific f
PSFs is also examined.
2.3.2.1 Types ofPost-Initiator Hwnan Aalons Considered De Crystal River 3 IPE addressed both response and recovery type post-initiator human actions. The submittal refers to all post-initiator human actions as dynamic human actions. Response type actions are considered " rule-based" actions. Recovery events are defined as situations which are "beyond the design basis of the plant and which are not covered by the procedures, but for which actions are still available to prevent core damage." In addition to recovery of offsite power events and operator actions to transfer to diesel generators when necessary, credit was taken for approximately 14 recovery related human i
actions. A review of these events indicated that none of them appeared to require extraordinary behavior on the part of the operators and that procedures for performing the actions might exist, even if the operators would be required to diagnose the need for the actions on the basis of experience.
2.3.2.2 Processfor identification and Seleaion of Post-Imtiator Hwnan Aaions in a respone to an NRC RAI, it was indicated the all dynamic human actions were selected "primarily by manually reviewing cutsets and determining if operator actions could mitigate the sequence." It was also stated that the dynamic human errors were associated with operator actions required for recovery scenarios and that others were based on EOP requirements for long-term events. No further discussion on the identification and selection of operator actions was provided.
2.3.2.3 Sawening Processfor Post-Initiator Response Aalons De modeled sequences were first quantified without considering any operator assisted recovery actions.
j Potential recovery actions were then identified and an initial screening value of 0.1 was used to identify the most important events. Events determined to be "of low consequence" were left at the screening value, with the remaining receiving a more detailed evaluation. A screening value of 0.1 would not normally be considered unreasonable as long as potential dependencies between multiple events in a sequence were ivr priately considered. With multiple events in a sequence, insufficient considerations o
of dependencies between the human actions could lead to an unrealli estimate of successful operator intervention, even with screening valves of 0.1. While the identification of potential operator actions on the basis of a review of the cutsets would have given the analysts the opportunity to consider dependencies, there was no evidence provided that potential dependencies were considered during screening.
2.3.2.4 Quantyfeation of Post Initiator Hwnan Aalons De quantification of post-initiator or'." dynamic" human actions was based on either " time response correlabons" (11tCs) derived from the Dougherty and Fragola methodology or on other TRC s developed earlier by SAIC. The TRC curves derived from Dougherty and Fragola were provided in the submittal, but the SAIC TRCs were not presented and it was stated that "they would not be used following the next quantification." De submittal indicted that the Dougherty and Fragola TRC curves considered whether 27
the operators had procedural guidance andswhethet.therrwouldLie Acme form of hesitancy or conflict on the part of the operacors to perform a particular functicaflt was Also indicated that a success likelihood index (SIJ) was fadored into the curves whictrallows for adjustments in.HEPs as a function of " operator experience'or attitudes."Jt was argued thata "goor plant typically has an SLI of 0.7, but that an SLI of 0.5 was assumed for Crystal River 1to*alloM6rt unknown factors." While the consideration of procedural guidance and response hesitancy noted:above would appear to indicate that at least minimal plant-specific PSFs were considered in performing theRRA, Crystal River's. response to the NRCs RAI stated that no plant-specific PSFs were considered.
In general, the way in which the Dougherty and Fragola HRA method was' applied in the Crystal River IPE did not appear to violate its basic tenets and the resulting HEPs would not in general be considered excessively low. However, the limited consideration of plant-specific PSFs creates the possibility that events assigned relatively low HEPs (e.g.,1.0E-3 to 1.0E-4) are optimistic about the likelihood of operator success. In other wortis, while the HEP values assigned may very well be realistic, it is possible that the plant has been overly optimistic (or in some cases overly pessimistic) in their estimates of operator success. Hus, by performing a " generic analysis," the licensee may have missed the opportunity to obtain important insights about the activities of operators in their plant.
2.3.2.4.1 Estimates and Consideration of Operator Response Time ne determination of the time availble for operators to diagnose and perform event related actions is a critical aspect of HRA methods which rely on TRCs to asses the probability of operator failure. In order to appropriately use the Dougherty and Fragola TRCs, the net available time for an operator to respond must be determined by considering the appearance cf cues, such as control room alarms or other indications, that signal the operators that a particular response is required, in many cases the time at which operators receive the relevant cues is significantly later than when the event to be responded to actually occurred. Dus, if the point at which the relevant cues occur is not considered in determining available time, the resulting estimates could be significantly greater than the actual time available.
Moreover, if significant, the time needed to perform a certain action must be subtracted from the total available time before the TRCs are used. For example, if the actions necessary to accomplish a particular task, such as the switchover to recirculation, require 15 minutes and only 30 minutes total time.is available, then the operators have only 15 minutes available to diagnose the need for the switchover.
Rus,15 minutes rather than 30 minutes should be used when selecting the appropriate HEP from the TRCs and the result is non-trivial (e.g., an order of magnicude in difference).
The submittal itself did not discuss the approach used to deterinine or estimate the time needed for operators to diagnose and perfrom relevant actions. In Crystal River's response to the NRC RAI, it was stated that "the timing for dynamic errors was obtained either from design basis analysis or from documented experience." It was also stated that no distinction was made between available and icquired times. Derefore, without additional information, it is impossible to determine which parameters were considered in determing the times assumed to be available and needed for operators to diagnose and perform the necessary actions. Times based on documented experience may very well take the occurrence of relevant cues into account and may include the use of walkdowns to anelmato the time to complete human actions, but no explanation of " documented experience" was presented. Moreover, design basis analysis, which usually is basrA on thermal-bydralic calculations, typically measures time available from the occurrence of the event. Taus, in some lantan= the time mammad to be available for various operator actions may have bean op9nistic.
28 o
__________._____m f
I 4
4 2.3.2.4.2 Other Performance Shaping Factors Considered Other than those discussed above, there was no evidence of any other PSFs being considered.
2.3.2.4.3 Consideration of Dependencies 1
Two basic types of dependencies are normally considerd in quantifying post-initiator human actions: 1) time dependence and 2) dependencies between multiple actions in a sequence or cut set. One type of time dependence is concerned with the fact that the time needed to perform an action influences the time
~
available to recognize that a problem has occurred and to diagnose the need for an action. His type of j
time dependence is handled by the Dougherty and Fragala method by creating TRCs which reflect the likelihood of operators diagnosing and perfroming the related actions in a particular time window. In essence, the method assumes that the probability of errors k pc: forming in-control room actions is i
negligible compared to the potential for diagnosis failure. He method derives different HEPs 'when 4
actions outside the control room are required. The Crystal River submittal made no mention of this distinction and it could not be determined whether any of the modeled events required actions outside the control. room.
i l
Another aspect of time dependence is that when sequential actions are considered, the time to complete 1
one action will impact the time available to complete another. Similarly, the sooner one action is j
performed, the slower or quicker the condition of the plant changes. This type of time dependence is normally addressed by making conservative assumptions with respect to accident sequence definitions.
One aspect of this approach is to let the timing of the first action in a sequence initially minimize the time 4
window for subsequent actions. The occurrence of cues for later actions are then used as new time l
originschere was no evidence that this type of time dependence was considered.
De second type of dependence considers the extent to which the failure probabilities of multiple human j
actions within a sequence or cutset are related. There are clearly cases where the context of the accident j
and the pattern of successes and failure can influence the probability of human error. Dus, in many cases it would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would j
be independent. Furthermore, context effects should be examined even for single actions in a cut set.
While the same basic action can be asked in a number of different sequences, different contexts can j
obviously lead to different likelihoods of success. Dependence among multiple human actions and context i
effects on single human actions was not explicitly addressed in the submittal. However, if all operator actions modeled in the Crystal River IPE were selected by reviewing cutsets (as was indicated in the respone to the NRC RAI), then at least some aspects of this type of dependence could have been
)
addressed. To the extent that this type of dependence was not addressed, the analysis would have to be
. considered optimistic.
2.3.2.4.4 Quantification of Recovery Type Actions l
' he submittal indicated that all post-initiator human actions were quantified with the approach described l
above in section 2.3.2.4. Different TRCs were used to quantify "non-tule-based " or recovery actions as opposed to rule-based actions.
2.3.2.4.5 Human Actions in the Flooding Analysis i
l In the Crystal River 3 IPE, human recovery of several flooding scenarios was considered and the
)
- recovery values were determined using the recovery related TRCs from the Dougherty and Fragola methodology. While an explicit discussion of the derivation of the non-recovery probabilities for operators 4
29
mitigating flooding scenario.pwas not proiided, allJmt one of theyresente&non-recovery probabilities appeared consistent with values:used'in the internal events malysis. In, response to a question asked in the NRCs RAI regarding the use of a non recovery value<of 6'8E 6'anttme flooding scenario, it was stated that the value was significantly lower than any of the other HEPs for recovery actions used in the IPE, only because an artificial floor of 1.0E-4 was not appli.d in the flooding. analysis, it was then noted that even if the 6.8E-6 value was increased to 1.0E-4, it would have a marginal effect on CDF.
Regardless, in this event 115 minutes were assumed available for operators to isolate a flood which initiates in the turbine building and propogates to the auxiliary building where the water flows over the top of the decay heat pit barriers and fails RHR. Assuming the estimate of the time available is accurate, the 1.0E-4 value would not be unreasonable.
1 2.3.2.4.6 Human Actions in the Level 2 Analysis j
A review of the Crystal River 3 Level 2 analysis failed to find evidence that any operator actions were i
credited.
2.3.2.5 Important Human Aaions The Crystal River 3 IPE apparently did not perform a quantitative assessment of importance. Section 3.4.2.4 of the submittal presents a list of sixteen operator actions that were identified as being important "during the manual operation of accident sequence recovery analysis." 'lhe list is said to reflect the operator actions most important to avoiding " core damage during a transient" and each action was deemed "reasonabic and achievable" by an operations technical advisor (OTA) who was a former senior reactor operator (SRO) at Crystal River 3. It was stated that the list was not in any particular order. The list of events and the associated HEPs (when they could be determined) are presented in Table 8 below.
Pairing of HEPs and events listed as important was difficult in some cases. This is apparently due to differences in the terminology used in the HEP tables and in the list of important events. Areas of confusion are indicated with a question mark or the HEP is listed as unknown.
Table 8 Important Human Actions Event Description Probability (HEP)
Failure to transfer to high pressure recirculation during a small break LOCA,
1.0E-3 i
or SGTR.
Failure to refill BWST during an SGTR 1.74E-2 Failure to shed non-essential loads during a station blackout.
Unknown Failure to transfer to startup transformer after a loss of offsite power 1.0E-3 transformer (50 Min.).
Failure to switch cooling sources to the makeup pumps 1.0E-3 7 Recovery of offsite power Non-HRA Failure to switch makeup pump suction alignment.
1.55E-2 7 Failure to cross-tie decay heat pump trains.
1.55E-2 to l.0E-3 30
Human Error Event Description Probability (MEP)
Failure to recover diesel generator during station blackout.
Unknown Failure to locally isolate makeup pump recirculation line.
1.55E-2 or 1.00E-3 7 Failure to switch in spare battery chargers.
1.0E-3 Failure to isolate BWST transfer to the containment sump.
5.82E-2 Failure to switch power source to MUP-1B.
1.0E-4 Restarting load-shed MUP-1B following LOOP 3.43E-3 Manually starting RWP-2A following failure of RWP-1 and RWP-2B 1.0E-3 Restoration of main feedwater 1.0E 3 to 1.87E-3 i
2.4 Back End Technical Review 2.4.1 Containment Analysis / Characterization 2.4.1.1 Front-end Back-end Dependencies De interface between the front-end and back-end analyses consists of a set of plant damage states (PDSs).
PDS definition is discussed in Section 4.3 of the IPE submittal. PDSs are defined by the core damage bins (CDBs), obtained from the front-end core dsmage cutsets, and containment systems event trees (CSETs), used to define the states of the containment systems, he parameters used in the IPE to define the PDSs include:
a)
The pressure inside the reac:or coolant system (RCS) at the time that the debris melts through the vessel, b)
The presence of water in the reactor cavity and on the containment floor at the time of vessel melt-through, c)
De state of the containment at the time when core damage starts (i.e., containment isolation and bypass status),
d)
De availability of containment heat remova! and fission product scrubbing.
%ree pressure ranges are used in the Crystal River 3 IPE to define the RCS pressure: high fo:' pressure
- greater than 1500 psia, medium for pressure between 600 to 1500 psia, and low for pressure less than 600 psia. Dese pressure ranges are different from those defined in NUREG-1150 and some other IPEs.
For example, the low pressure limit of 600 psia used in the Crystal River 3 IPE is significantly higher than the low pressure limit of 200 psia used in NUREG-II5O. De use of a higher low pressure limit may reduce the estimated containment failure probability due to the pressure load associated with high pressure melt ejection (HPME), such as that from direct containment heating (DCH). Although, according to NUREG-Il50, the technical basis for a cutoff pressure for DCH is weak, DCH is regarded in NUREG-IISO as possible if the RCS pressure at vessel breach is greater than approximately 200 psia.
31
- ~.. - - -. - -. - - _ -.,. - -
l De high pressure limit is usedin the IPE to deternime both:the sevetityoiPda DCH challenge and the potential ofloss of RCS integrity due to creep rupture (e.g.,:horleg or. surge line, or SGTR tubes), ne high pressure limits used in NUREG-l!50 include those at system setpoint pressure (about 2500 psia),
occurring when the SRVs are cycling, and those above 600 psia to about 2000 psia, occurring when there is a small leak of the RCS De two high pressure limits used in NUREG-il50 thus cover both the high and the median pressure ranges defined in the Crystal River 3 IPE. Although 1500 psia is used in the Crystal River 3 IPE for the classification of sequences to the high RCS pressure category, examination of the sequences classified to this category shows that the RCS pressures for these sequences are most likely to be at system setpoint pressure. De high pressure sequences defined in the Crystal River 3 IPE therefore correspond to the system pressure sequences defined in the NUREG-ll50, and the medium pressure sequences defined in the Crystal River 3 IPE correspond to the high pressure sequences defined l
in NUREG 1150.
In the Crystal River 3 IPE, the RCS pressure at vessel breach is determined from two components. De first component is the RCS pressure resulting from the events that are represented in the cutset and the
(
second component is that resulting from hog leg rupture during the times between the beginning of core j
l damage to vessel breach. The former is used for PDS definition and the latter is evaluated in the containment event tree Based on the first component, the front-end accident sequences are grouped into the PDSs according to their RCS pressure expected at the time of vessel breach, not the pressure at the beginning of core damage. Consequently, the front-end accident sequences are grouped into the PDSs j
based on their initiating events - transients with no RCS breach are grouped to high pressure PDSs; small break LOCAs or transients with stuck-open SRV are grouped to medium pressure PDSs; and medium break LOCAs or Large LOCAs are grouped to low pressure PDS. The classification of medium LOCAs to a low pressure PDS in the Crystal River 3 IPE is based on a series of (probably 6) March 3.0 calculations (results plotted in Figure 4.3-1 as RCS pressus versus RCS leak ar:a). According to these calculations, the RCS pressure drops to about 600 psia before vessel breach for a break size of approximately 2 inches in diameter, less than the 2 to 4 inch break size used !a the Crystal River 3 for medium LOCA definition. Uncertainties in MARCH code calculations on RCS pressure predictions are not discussed in the classification of the PDSs in the Crystal River 3 IPE. Furthermore, the results presented in Figure 4.3-1 show that the RCS pressure drops to below 200 psia before vessel breach only if the break size is greater than about 13 sq. in., or slightly greater than the 4-inch upper limit used in the Crystal River 3 IPE for medium LOCA definition; medium LOCAs would therefore be grouped to a medium pressure PDS if 200 psia was used in the IPE as the low pressure limit for low pressure PDSs.
Of the parameters considered in the IPE for PDS definition, the status of reactor cavity flooding is determined primarily by whether the Borated Water Storage Tank (BWST) has been injected into the RCS or the containment. In addition to the status of BWST injection, the effect of RB sump isolation failure is also considered in the IPE. According to the IPE submittal, the reactor cavity will not be flooded even with BWST injection if there is a RB sump isolation failure. In such an event, the pressure in the reactor building will force the water in the RB sump out of the containment through the four-inch diameter RB sump pump discharge line into the auxiliary building and thus change a wet sequence to a dry sequence.
Although a quantitative result of this isolation failure event is not provided in the IPE submittal, its effect l
on the Crystal River 3 containment failure profile seems to be negligible. It is noted that the communication area between the reactor cavity and the containment is quite limited in Crystal River 3.
According to the licensee's response to the RAI, the reactor cavity is closed off from the containment imerior by two steel doors on the access tunnel and by a steel plate through which the in-core instrument tubes pass. Water can drain into and out of the reactor cavity by three 1.5-inch diameter drain holes and by the annular 0.2-inch clearance between each instrument tube and the steel plate. De total water 2
amens cross section from the containment Soor to the reactor cavity is about 28 in. De effect on reactor l
32
i cavity flooding of the small communication area between the reactor cavity and the containment floor is not discussed in the IPE submittal.
In the Crystal River 3 IPE, containment isolation failure status is a PDS paramner, determined in the CSET. According to the IPE submittal, four different types of containment isoittion failure are tracked on the CSET: large RB atmospheric penetration failure, small RB atmospheric penetration failure, RB sump isolation failure, and small RB bypass isolation failure. Of the four isolation failure modes j
considered in the IPE one would result in a containment bypass release. The RB bypass isolation failure includes those from failure to isolate the RCP seal bleed lines (1.5-inch diameter) and the letdown lines 1
(2.5-inch diameter). These isolation failures involve lines which lead directly from the RCS to outside the reactor building. Hey create a containment bypass condition and are grouped in the IPE to the bypass PDSs. As discussed above, sump isolation failure, in addition to being a containment isolation failure mode, will also cause a loss of water from the containment.
De last parameter used in the IPE for PDS definition involves the availability of containment systems.
For the Crystal River 3 IPE, successful containment heat removal requires one of three reactor building cooling units (RBCUs) or one of two trains of sump recirculation cooling; and successful fission product scrubbing requires one of two trains of RB spray recirculation. Although fission product scrubbing due 4
to the operation of the RBCUs is not considered in the PDS definition, its effect on source term calculation is accounted for in the IPE quantification.
According to the IPE submittal, the quantification of the PDSs involves the development of fault trees for the CSET top events, including those related to containment isolation states and the availability of containment heat removal and containment spray. However, details of the fault tree development and quantification are not provided in the submittal. Thirteen PDSs are obtained from PDS quantification in the Crystal River 3 IPE. Among the 13 PDSs, two involve isolation failure (with 0.7% total CDF) and two involve containment bypass (with 4.8% total CDF). He PDSs with high, medium, and low RCS pressures account for 0.25,0.62, and 0.13, respectively, of the total CDF. Nearly all containment bypass PDSs come from sequences with SGTR as an initiating event.
In the Crystal River 3 IPE, not all PDSs are carried forward for further back-end analysis. Some are eliminated due to low frequencies and some are combined with others with higher frequency and higher consequence potential. According to the submittal, the cutoff frequencies used in the IPE for PDS elimination are one-tenth the values provided in Generic Letter 88-20 for selecting important severe accident sequences for IPE submittal reporting. He use of the Generic Letter criteria for PDS elimination may not be appropriate because the frequencies discussed in the Generic Letter are those for functional sequences, not for PDSs, and a PDS may include many functional sequences. However, examination of the eliminated PDSs indicates that they are of sufficiently low frequencies such that their elimination may not lead to the omission of significant insight.
After elimination and combination, five key PDSs (KPDSs) in the IPE are retained for further back-end analysis. He five KPDSs include one with isolation failure, one with containment bypass, and one each with the RCS at high, medium, and low pressures, ne most probable KPDS is K6BA (57% CDF), a KPDS with medium RCS pressure, with the BWST injected into the containment, and with CHR available. His is followed by K7D (24% CDF), a PDS with high RCS pressure, with BWST not injected into the containment, and with CHR not available. De primary contributors to K7D are the station blackout (SDO) sequences.
I The PDSs defined by the CDBs and the CSETs described in the Crystal River 3 IPE submittal seem reasonable. Although the use of t'ae Generic Letter criteria for PDS cutoff frequency selection may not 33 l
l
be appropriate,.the: result of:therelimhution, process does not seem:to cause the loss of significant information. De KPDSs defined;bythe quantificatiorepmcesstare also utsufficient detail to provide a proper, but probably conservative,, account:af thefront-end:andiback-endsdependencies and adequate information for back-endxcident progtession: analysis.
2.4.1.2 Containment Ennt 1>ee.tknlopment Probability quantification of severe accident propession 'is performed using containment
. phenomenological event trees (CPETs). De development of.the CPET is discussed in Sections 4.5 of the IPE submittal. He same CPET is used for all KPDSs. ~ne phenomenological behavior of the KPDS is defined by the accident sequences selected from the PDSs wh'ich contribute to the KPDS. The general CPET used in the Crystal River 3 IPE includes the following top events:
1.
Plant Damage State, 2.
Hot leg rupture before vessel breach (or RCS depressurization),
3.
Debris quenched and cooled in-vessel, 4.
No hydrogen burn before vessel breach, 5.
Containment intact before vessel breach, 6.
No direct containment heating, 7.
No hydrogen burn after vessel failure, 8.
Containment intact after vessel breach, 9.
Debris cooled external to reactor vessel, 10.
Core-concrete interaction (CCI) source term scrubbed, 11.
No large late hydrogen burn, 12.
Containment cooling available or recovery late, 13.
Containment intact late, 14.
No leak from basemat melt-through.
Figure 4.5-1 of the submittal presents the structure of the CPET. It shows that the 14 top events of the CPET may result in up to 404 CPET sequences. The CPET developed in the Crystal River 3 IPE is well structured and easy to understand. The top events of the CET cover the important issues that determine the RCS integrity, containment response, and eventual release from the containment. Table 4.5-1 of the submittal shows the questions used in the Surry accident progression event tree (APET) for NUREG-il50 analysis and where each of these questions is considered in the Crystal River 3 CPET.
Quantification of the Crystal River 3 CPET is discussed in Section 4.7 of the IPE submittal. The quantification of the Crystal River 3 CPET involves the definition of a set of dependency rules for the CPET top events. For each top event, the dependency rules are used to determine the condition of the top event during accident progression. He split fraction for the top event is then determined by the pmbability value obtained in the IPE for that condition. De dependency rules for the CPET top events and the CPET split fractions for the various conditions are presented in Tables 4.7-1 and 4.7-2 of the submittal, respectively.
He conditions of the CPET top events determined by the dependency rules include the severe accident phenomena and the containment events that are important to accident progression. Although all of the important severe accident containment failure modes that are discussed in NUREG-1335 are addressed in the IPE submittal, some of them are not included in the Crystal River 3 CPET model. De containment failure modes that are omitted in the CPET model include those associated with temperature induced SGTR, steam explosion, vessel thrust force, and failure of containment building penetrations.
34
Except for induced SGTR OSGTR), the bases for the omission of the other failure modes are brie 0y discussed in Appendix ! of the submittal (Response to RAI Question 40).
- ISGTR is ignored in the Crystal River 3 CPET quantification because of loop seals in the steam generator heat endiangers. According to the Crystal River 3 submittal, natural convection flow paths through the heat exchanger tubes cannot develop in a straight-tube heat exchanger, such as the B&W OTSG used in Crystal River 3, as long as the loop seals remain in place. Since only the potential of ISGTR due to natural convection is discussed in the IPE, Question 30 of the RAI asked the potential of induced SGTR due to forced circulation caused by the restart of the RCPs. According to the licensee's response, restart of the RCPs is possible in Crystal River 3 during degraded core conditions. It is directed by EOP 07 of the Crystal River 3 Emergency Operating Procedure under Inadequate Core Cooling GCC) conditions.
The restart and continued operation of the RCPs may clear the loop seals completely and allow the hot core exit gases to flow from the core to the steam generator region. De circulation may continue by natural circulation driving force even after ensuing RCP failure. It is noted in the response, however, that according to the EOPs, the restan of the RCPs is likely followed by RCS depressurization. The procedures that call for the restan of the RCPs also call for RCS depressurization (by opening the PORV and all High Point Vents). The low RCS pressure would significantly reduce the challenge of ISGTR.
Besides induced SGTR, the most important failure mode that is excluded from the Crystal River 3 IPE model is that associated with in vessel steam explosion (i.e., the alpha mode failure). In NUREG Il50, a conditional probability of 0.8% is assumed for alpha mode failure if the RCS is at low pressure. This would lead to a cor/ainment failure probability of a fraction of one percent. Since the total early containment failure probability for Crystal River 3 is about 3% of total CDF, the omission of the alpha mode failure does not seem to be signincant. However, the significance of alpha mode failure increases if the probability of early containment failure is reduced in a future IPE update. The other containment failure modes ignored in the Crystal River 3 CPET, containment failure due to vessel thrust force and penetration failure, usually do not contribute significantly to the probability of containment failure.
However, the lack of discussion of the sealing materials used in the Crystal River 3 penetrations and their propenies under harsh environmental conditions is a weakness. NUREG-1335 (p2-II) requests that "The licensee submittal should include an assessment of the penetration elastomer seal materials and their response to prolonged high temperatures." He Crystal River 3 IPE submittal does not seem to satisfy the above request.
In general, the CPET structure used in the Crystal River 3 IPE is logical and of sufficient detail.
Although suf6cient discussion is not provided in the submittal for the omission of some of the failure modes, their omission is not expected to result in the loss of significant information.
De quantification of the CPET in the Crystal River 3 IPE is based on plant-specific analysis of accident progression using the MARCH 3 and the CONTAIN computer codes, review of NUREG-II5O analysis results for Surry and Zion, review of the back-end analysis results for Seabrook, and special analyses performed in the IPE for some containment issues in general, the quantification process used in the IPE is systematic and traceable. Although the values assigned in the IPE seem adequate, their adequacy cannot be ver fled in this technical evaluation report because of the limited scope of this evaluation. Some items that are of interest are discussed in the following.
Hotist Failure prior to RPV Failure According to the submittal, this top event is used in the CPET to address the broader question of RCS depressurization before vessel breach for high and medium pressure scenatios. However, only hot leg creep rupture is considered in the CPET quantification, RCS depressurization due to a stuck-open SRV 35
l is considered in the PDSuleterminahon:and:RCS depreswrization by operator: actions is discussed, but i
not modeled, in the IPE The probability values used'm'the IPE for~ hot leg failure is 0.0 for low pressure PDSs,0.05 for high pressure PDSs, and 0.15 for medium pressure PDSs. He value of 0.05.for high pressure PDSs is l
significantly lower than that used in NUREG 'll50 (with a mean value of 0.72) and the value of 0.15 for medium pressure PDSs is higher than that used in NUREG-il50 (with a mean value of 0.03). In comparison with NUREG-IISO, the probabilities of hot leg failure for high pressure and medium pressure PDSs are also reversed - while it is more likely to have a hot leg failure for high pressure than medium pressure PDSs in NUREG-ll50, it is more likely to have a hot leg failure for medium pressure than high pressure PDSs in the Crystal River 3 IPE. The probability values used in the Crystal River 3 IPE for hot leg failure are based on analysis results of accident sequences selected in the IPE as representative for the PDSs, and the creep rupture characteristics of the material used in Crystal River 3. Although the approach used in the IPE to determine the hot leg probability values is adequate, the number of sequences i
analyzed in the Crystal River 3 IPE are somewhat limited (one or two sequences per KPDS).
Furthermore, the effects of code calculation uncertainties (e.g., due to uncertainties in computer code modeling and input parameter values) on the results are not discussed in the IPE submittal, j
RCS depressurization due to hot leg failure may have either a positive or a negative effect on early containment failure, depending on what contairunent failure mechanism is dominating in the CET. While the probability of containment failure due to in-vessel steam explosion (or Alpha mode failure) increases f
with RCS depressurization, the probability of containment failure due to the phenomena associated with i
high pressure melt ejection (HPME) decreases with RCS depressurization. Since alpha mode failure is
]
neglected in the Crystal River 3 CPET model, RCS depressurization due to hot leg failure is expected to reduce the probability of early containment failure. De use of a lower probability value for hot leg failure is thus more pessimistic. The values used in the Crystal River 3 IPE,5% and 15% for high pressure and low pressure sequences, respectively, are not expected to cause a significant reduction of HPME failure probability.
Early Containment Failure Early containment failure is defined in the Crystal River 3 IPE as either before or shortly after vessel melt-through. De failure mechanisms considered in the CPET for early containment failure include hydrogen burn prior *.o RPV failure, and direct containmeat heating (DCH) and hydrogen burn at vessel breach. Alpha mode failure is ignored in the Crystal River 3 IPE.
De evaluation of the pressure loads associated with hydrogen burn and DCH is discussed in detailed in the IPE submittal and the Level 2 Appendices submitted as part of the licensee's response to the RAl.
Hydrogen burn prior to vessel breach, which is ignored in some other IPEs because of its low containment failure potential, is considered in the CPET model. De inclusion of this containment fa"ure mode in the CPET model may not be conservative because hydrogen burns prior to vessel breach are not likely to result in significant containment pressure loads to challenge containment integrity but may consume sufficient hydrogen such that the probability and/or magnitude of a later hydrogen burn is diminished. Early hydrogen burns considered in the Crystal River 3 IPE model include those from local hydrogen burns (such as that from a standing flame) when the predicted containment atmospheric l
conditions cannot support global hydrogen burns. Such local hydrogen burns are not likely to challenge containment integrity but will consume enough hydrogen such that a later hydrogen burn is less likely to occur and even if it occurs is not likely to challenge containment integrity. De effect of early hydrogen burns on the overall containment failure probability is not expected to be significant because only a 55 probability is assigned in the Crystal River 3 IPE for local hydrogen burns.
36
]
i
i l
l i
i The most significant challenge to containment integrity at vessel breach is that associated with high j
^
pressure melt ejection (HPME). The containment failure mechanisms considered in the Crystal River 3 1
j IPE for HPME include those from direct containment heating (DCH) and hydrogen burns. De containment is most severely challenged when DCH is accompanied by an unconditional hydrogen burn (UCHB). In UCHB, there are no ignition limits and all the hydrogen is recombined (limited only by the
]
j availability of oxygen). UCHB may occur only at a high temperature, typical of that occurring at vessel breach when core debris is discharged from the vessel. De containment pressure loads used in the l
Crystal River 3 IPE for HPME are derived from the analyses of DCH (with associated hydrogen burn) 1 for Surry by Sandia [Sandia] and for Zion by BNL [BNL]. De containment failure probabilities from containment pressure loads are calculated in the Crystal River 3 IPE by the use of a stress-strength l-interference method. DCH load definition and the stress strength interference method are discussed in Appendices E and F, respectively, of the Level 2 Appendices of the Crystal River 3 IPE (submitted by the licensee as part of response to the RAI). De containment failure probabilities obtained in the Crystal River 3 IPE for the high pressure PDSs are 0.252 for DCH with UCHB and 0.018 for DCH with default l
hydrogen burn.
Early containment failure is also evaluated in the IPE for a hydrogen burn alone, without DCH. De j
pressure loads for hydrogen burns are estimated in the IPE based on sequence calculation results, which are summarized in Figure 4.7-1 of the IPE submittal. Figure 4.7-1 shows a hydrogen burn map (post burn pressure versus hydrogen concentration) obtained from a constant volume, adiabatic burn model
{
described in Appendix C of the Level 2 Appendices of the IPE. Similar to the cases with DCH, i
containment failure probability is calculated by the stress-strength interference inethod. De conditional 4
probabilities of containment failure (given hydrogen burn occurs) obtained in the Crystal River 3 IPE are
]
0.02 for low pressure sequences,0.015 for medium pressure sequences, and 0.008 for high pressure sequences.
4 l'
He treatment of early containment failure in the Crystal River 3 IPE is reasonable. De data used in the quantification, although arbitrary in some cases, seem adequate, within the uncertainty range of the j
underlying phenomena.
4 Debris Cooled Outside of RPV l
I he reactor cavity area for Crystal River 3 is relatively small (floor area of 260 ft ) when compared with 2
other PWR plants with a large dry containment, and the reactor cavity floor of Crystal River 3 is about i
one foot lower than the containment floor (he reactor floor is at Elevation 94' and the containment floor i
is at Elevation 95'). De reactor cavity region communicates v..h the surrounding containment regions 1
by two rectangular tunnels penetrating the reactor cavity wall: the access crawl space has a cross section of approximately 2 ft by 2 ft and the instrument line tunnel has a cross section of 3 ft (tall) by 12 ft i
(wide). He reactor cavity region is closed off from the containment interior by two steel doors (1.25 in.
thick) in the access crawl space and by a steel plate (3.5 in. thick) through the instrument line tunnel.
Although water can flow from the containment floor to the reactor cavity through three 1.5-inch diameter drain holes (at elevation 94') as well as the clearance between the penetration tubes and the holes on the steel plates (above Elevation 94'), the spread of core debris to the outside of the reactor cavity requires i
the failure of the steel plates. De trapping of the ex-vessel debris in the reactor cavity region and its i
effect on debris coolability are considered in the Crystal River 3 IPE.
i k is assumed in the Crystal River 3 IPE that the potential of debris trapping depends on the RCS pressure at vessel breach and the flooding of the reactor cavity. The effect of ex-vessel steam explosion (EVSE) j on debris trapping is not considered in the Crystal River 3 IPE because it is assumed in the IPE that vessel melt-through occurs at one or more instrument penetrations, the debris relocation from the vessel 37
,,,. - + - - - - - - -,
~
,,n
l to the cavity is gradual and sigiiificam EVSE withunt ocm Debtic trappmg isievaluated in the Crystal River 3 IPE only for sequences with'iow m medium:PCS pasum his.diyersal is assumed certain for high pressure sequences Because of the cavity configuration, debris trapping for Crysta! River 3 depends on the melt-through of the steel doors in the crawl space. He two steel doors for the crawl space are at different elevations.
The door on the reactor cavity side is at Elevation 94* and is assumed to-fail at contact with the core debris. De other door is at Elevation 95', one foot above the cavity floor. This door may remain in place if the core debris depth in the reactor cavity is less than one foot. The potential of melt-through of the steel plate, and thus the spread of the core debris to the containment floor (inside the secondary shield wall), is estimated in the IPE by evaluating the heat transfer capability through the steel plate.
Since it is less likely to melt-through the steel plate if the cavity is flooded, the potential of debris trapping is more likely for wet sequences than for dry sequences. De probabilities used in the IPE for debris trapping is 0.2 for dry cavity cases, primarily from SBO s.equences with hot leg failure, and 0.9 for wet cavity cases, primarily from LOCA sequences.
The probability values assigned in the IPE for debris cooling depend on the debris condit!on (trapped
. or dispersed) and the availability of cooling water. Since the reactor cavity floor is about one foot lower than the surrounding containment floors, the debris bed in the Crystal River 3 reactor cavity would be at least 12 inches deep. De debris is not likely to be coolable even if there is an overlying water pool.
As a result, the probability values assigned in the Crystal River 3 IPE for debris coolability are in general lower than those used in NUREG-il50 or other IPEs. It is assumed in the Crystal River 3 IPE that debris coolability is not possible for dry sequences in which the BWST is not injected. For sequences in which the BWST is injected, the probability values used in the IPE for debris coolability are 0.1 for sequences with trapped debris and 0.5 for sequences with dispersed debris, j
Late Containment Failure ne mechanisms considered in the IPE for late containment failure include containment over-pressurization and basemat melt-through. Containment over-pressure failure may be caused either by a late burn of combustible gases (i.e., hydrogen and carbon monoxide) or by the loss of containment heat removal (CHR). He loss of CHR due to harsh environmental conditions by hydrogen burn and DCH is considered in the Crystal River 3 IPE. Only the failure of the RBCU due to harsh environmental conditions is assumed possible in the IPE. The operation of containment sump recirculation and containment spray is assumed not to be affected by the harsh environmental conditions because only passive piping components are located in the containment. He failure of RBCUs as a result of hydrogen burn or DCH is assumed possible because the power cables, the control cables, the motors, and the fans i
of the RBCU system are inside the containment. De probability for RBCU failure is assigned a value of 0.1 with a hydrogen burn and 0.5 with DCH.
Containment over pressure failure is assumed certain in the Crystal River 3 IPE if CHR is not available.
Basemat melt-through may occur if CHR is available but the debris is not coolable. De probability of basemat melt-through given core debris not coolable is assigned a value of 0.9 if the debris is trapped in the reactor cavity and a value of 0.5 if the debris is spread out of the reactor cavity. Basemat melt-through is not assumed catain even with the debris not coolable (reflected by the use of a less than unity probability value) because of the long time required to melt-through the basemat. De Crystal River 3 basemat is 13.5 foot thick and is assumed to take days to melt-through. De probability values used in the Crystal River 3 IPE for basemat melt-through given debris not coolable are in general greater than those used in other IPEs.
38 m-.,e-
_ _ _ _ _. _ _ _ _ _. _. _ ~. _ _ _ _
i Source Term Scrubbing De scrubbing of the fission products released from core-concrete interaction (CCI) is considered in the
)
CPET model. For dry sequences, the effect of the operaticn of the reactor building cooling units (RBCUs) on source term scrubbing is considered for source term definition. For wet sequences, the
.)
[
effect of debris trapping on source term scrubbing is considered. A low probability of debris scrubbing 1
is used in the IPE for the trapped debris cases even for wet sequences. This is because water access'to the reactor cavity is limited by the plugging of the holes between the containment and the cavity region (by the debris).
2.4.1.3 Containment Failure Modes and 11 ming The Crystal River 3 containment ultimate strength evaluation is described in Section 4.4 of the IPE submittal. Containment failure pressures are obtained in the Crystal River 3 IPE for three temperatures:
300T,500T, and 80(PF. Hey are obtained from the analysis performed by ABB Impell. Seven failure locations are investigated. For each of the seven failure modes, the expected failure pressure is quantified for the above three temperatures. Uncertainties of containment failure pressures due to variability in material properties and analytical modeling are evaluted to establish containment failure distributions.
The containment failure distributions for all cases are cut-off below 78 psia, the pressure at which the containment was tested following construction. Composite failure pressure distributions for Crystal River 3 are then determined from the results obtained for the individual failure modes. De median containment failure pressure for 300T is 122 psig. De containment failure pressures and their distributions obtained in the Crystal River 3 IPE seem to be consistent with those obtained in other IPEs.
2.4.1.4 Containment Isolation Failure Containment isolation failure is one of the parameters used to define the PDSs in the Crystal River 3 IPE.
De evaluation of containment isolation is discussed very briefly in Section 4.1.2 of the IPE submittal.
It is stated in the IPE submittal (pl86) that "The RB isolation failure evaluation for Crystal kiver 3 was performed by modeling each penetration to determine probability of non-isolation, and by coupling them to the applicable Level I cutsets. It was concluded that the only accident sequence for which a postulated isolation failure was applicable was the station blackout sequence with a medium-size isolation failure."
According to PDS definition, the containment isolation failures considered in the IPE include both large and small isolation failures (greate. or less than 3 inch diameter, respectively). He probability of isolation failure is about 2.7% for the SBO sequences, or 0.7% of total CDF. Because detailed discussion of how this failure probability was obtained is not provided in the submittal, a question was asked in the RAI requesting more information (Question 29 of RAI). De question requested that more detailed discussion of containment isolation be provided and that any findings on containment isolation failure related to the five areas identified in Section 2.2.2.5 of NUREG-1335 be discussed. However, the response to this question is very minimal and does not provide much more information than that already provided in the submittal, it is not clear from the description provided in the IPE submittal and the licensee's response to the RAI whether the analyses have addressed all five areas identified in the Generic Letter regarding containment isolation.
2.4.1.5 Syalem/ Human Repponus Although recovery actions are discussed in the IPE submittal, they are not credited in CPET quantification. The recovery actions discussed in the IPE submittal include operator actions to 39
--w~
c-w.
_. _ ~. _ _ _ _ _ _ _
i f
depressurize the'RCS, the recovery of in vesstF mjectionc and the. recovery of. containment heat removal (CHR). Power recover! for CHR-recovery is not credited.in the CPET.quantif'uation partly because of t
3 the lack of an optimal strategy for actiorw.to lx takea aften powei. recovery., Aecording to the discussion j
presented in the IPE submittal for CHR: recovery,: recovery actions will not be addressed in the CPET quantification, but, based on the IPE'resultowould'beladdrersed'irra potential accident management follow-on activity within the context of. developing Crystal River 3. specific accident management guidelines. Once an optimized course of actionskthe form of accident. management guidelines has been i
determined, these guidelines could then be reth:md in the CPET.
2.U.6 Radionuclide Release Chameterization ne radionuclide release characterization is described in Section 4.5.4 of the IPE submittal, ne end states of the CPETs are the source term categories. Six parameters are used to define the source term categories. Hey are:
1.
Containment bypass, 2.
In-vessel quenching, 3.
Containment failure and failure time, 4.
Containment failure location, l
S.
Vaporization source term mitigation (for ex-vessel source term features),
6.
RCS pressure at vessel breach.
Figure 4.5-2 of the submittal shows the source term event tree (STET) used in the IPE for source term (or release category) definition. It seems that the top events of the STET cover the important issues that determine the source term, containment failure mode and timing, and in-vessel and ex-vessel releases and '
mitigation. A total of 26 source release categories (RCs) are defined in the STET. Release fractions for the RCs are determined by the analyses of representative sequences using MARCH /TRAPMELT/
CONTAIN computer codes.
The CPET quantification results provided in Table 4.7-7 of the IPE submittal show that out of the 26 RCs defined in the STET,15 have non-zero frequencies. De 15 RCs include 5 with late containment failure, 6 with early containment failure, 3 with containment bypass, and one with no containment failure.
Containment isolation failure is binned to the early containment failure category. In the Crystal River i
3 IPE, the 15 release categories are funher grouped into five key release categories (KRCs). This grouping is bued the percentage contribution of the RCs to the KRCs and the severity of the source terms of the RCs in the KRCs. He five KRCs obtained in the Crystal River 3 IPE include one with no containment failure, one with early containment failure, one with late containment, and two with containment bypass. De percentage contributions of these KRCs to the total CDF are 28.9% for no failure, 62.6% for late failure, 3.6% for er.rly failure, and 4.8% and 0.1% for the two bypass failure KRCs.
Source terms for the five KRCs are determined by accident progression analyses using MARCH 3/
TRAPMELT/CONTAIN computer codes. Source terms aheniaad from the computer code calculations are presented in Table 4.6.6-1 through 4.6.6 7 of the IPE submittal. Source terms are presented in these tables in terms of release fractions of some of the representative radionuclide classes (e.g., Iodine). He calculated release fractions are presented in these tables as the 50th percentile values. Uncertainties of l
release fractions are defined in these tables in terms of the 5th and 95th percentile values. De 5th and 95th percentile values presented in these tables are based on the analysts' judgment after considering the different major sources of uncertainties associated with source terms. ney are not supported by sufficient quantitative information.
40
_ _ ~ - -
l i
2.4.2 Accident Progression and Containment Performance Analysis 2.4.2.1 Senere Aeddent Progression Unlike most other IPEs, in which the MAAP code is used, the computer codes used for accident sequence analyses in the Crystal River 3 IPE include (1) MARCH 3 for in-vessel thermal hydraulic analyses, (2) 1 TRAPMELT3 for the examination of in-vessel behavior of fission products, and (3) CONTAIN 1.1 for i
the evaluation of thermal-hydraulic behavior of the containment along with the behavior of the fission products released from the primary system and the core-concrete interaction (CCI).
According to the discussion provided in Section 4.6 of the IPE submittal, computer code calculations were performed in the Crystal River 3 IPE for five accident sequences, one for each KPDSs. He accident sequences analyzed in the Crystal River 3 IPE include one small LOCA sequence (for KPDS K6BA), one SGTR sequence 54K), one SBO sequence (K7D), one SBO sequence with containment isolation failure (K7JH), and one large LOCA sequence (K3BA). He sequences selected to represent the KPDSs are in general consistent with the definition of the KPDSs. However, discussions of how these sequences were selected to represent the KPDSs are not provided in the submitta! and there are questions on the assumptions used in the analyses regarding system availability. For example, except for j
SBO sequences, secondary cooling is assumed to be available for all other sequences. For SBO Swa, secondary cooling is assumed to be available through the turbine <lriven EFW until the battery is deplesed (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> after accident initiation). Since secondary cooling is not a PDS parameter, its status is unknown for a PDS sequence. The assumption on secondary cooling will affwt the timing of accident
(
progression and source term definition for these sequences. According to the licensee's response to one of the RAl questions, the assumptions used in the IPE calculations for steam generator availability is justified because the contribution to the KPDSs from the sequences with secondary cooling not available l
is insignificant. Although quantitative information is not provided to support the above argument, the j
assumption seems reasonable. Another example is the assumption on the availability of the core injection system. Core injection is assumed to be available for both the small LOCA and the large LOCA sequences. This is based on the KPDS condition that for these KPDSs the content of the BWST is injected into the containment. However, according t'
- ie definition of the KPDS, the BWST can be injected into the containment either by the core injection systems or containment spray injection.
Although it is expected that the majority of the LOCA sequences would have core injection, no discussion i
is provided in the submittal to support this point.
j i
in the Crystal River 3 IPE, the accident sequence analyses are also used for source term definition. The source terms (in terms of fission products release fractions) calculated for seven accident sequences are provided in the submittal (Tables 4.6.6-1 through 4.6.6-7). Hey include the five sequences discussed i
above and two additional sequences that are variations to KPDS K7D (with failed containment) and K3BA i
(with all core in the cavity). The calculated sortce terms for these seven sequences are used in the IPE to define the source terms for the five key release categorica (KRCs). According to the licensee's response to Question 32 of the RAI, the calculated source term from sequence K4K is used for KRC KBXDAU (a bypass failure release category), K7D for KRC KXDAU (a late failure), K7JH and K7D (with failed containment) for KRC KXEUH (an early failure), and K6BA, K3BA, and K3BA (with all debris in the cavity) for KRC KXN (no containment failure). No source term defmition is provided in the submittal for KRC KBXEUH, a SGTR with early containment failure release category, because of its low frequency (about 0.1% of total CDF).
Although the selection of the sequences to represent the source term categories is not discussed in the IPE submittal, the selection is in general adequate. However, the containment remains intact throughout the calculation time in the calculation of sequence K7D, used in the IPE for source term definition for late j
i 41
- -. - - -. ~. - - -
.. ~.
failure (KXDAU)~RCs. Acmrdmg*to the IPLrsahmittalJhe.calculati<m o't this sequence was terminated at 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, well before the expectedmntainment failure: time of 3 days,:and the source term for the late failure category is thus estimated fium thersource ternauspended.in the containment atmosphere at 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. His estimate method seems.tn provide a pessimistic estimate..However, the release fractions rgorted in the IPE for this' late failure-release. category is t xtremely low (less than 2.0E-6 for I and Cs, Table 4.6.6-3), much lower than that predicted for a.similar failure mode (late containment rupture with no containment systems available) in other.JPEs. Since it is close to those obtained in Other IPEs for the no containment failure case, it is not clearwhether the reported source term for late containment failure was obtained from the estimated: method:as described in the IPE submittal.
Another question on the Crystal River 3 source term definition is that the assumptions used in the sequence calculations are optimistic in terms of source term definition. In addition to the above-mentioned assumpt ons on system availability that may be beneficial to source term prediction, the time i
of containment failure assumed in the calculations may be optimistic. For example, containment failure due to late hydrogen burn may occur prior to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after accident initiation for some late failure sequences. Although the contributions of the sequences with more severe source terms to the release categories are expected to be small, their source terms may be considerably greater.
Despite lack of discussion of sequence selection and some minor questions on the assumptions used in
' sequence calculations, the sequences selected for analyses and the assumptions used in the analyses seem to be appropriate. Although the source terms defined by these sequences may not be conservative j
estimates for the release categories, they seem to provide reasonable estimates for all release categories except for the latc failure release category. He estimated source term for late failure is extremely low when compared with those obtained in other IPEs.
i 2.4.2.2 Dominant Contributors: Consistency with IPE insights Source term categories (or containment failure modes) and their frequencies obtained from the Crystal River 3 CET quantification are discussed in Section 4.7 of the submittal. Table 9, below, shows a comparison of the conditional probabilities for the various containment failure modes obtained from the Crystal River 3 IPE with those obtained from the Surry and Zion NUREG 1150 analyses.
Table 9 Containment Failure as a Percentage of Total CDF Containment Failure Mode Crystal River 3 Surry-1150 Zion-1150 Early Failure 3.0 0.7 1.4 Late Failure 62.6 5.9 24.0 Bypass 4.8 12.2 0.7 Isolation Failure 0.7 Intact 25.9 81.2 73.0 CDF (1/ry) 1.4E-5 4.0E-5 3.4E-4
- Included in Early Failure, approximately 0.02%
" Included in Early Failure, approximately 0.5%
42
As shown in the above table, the conditional probability of containment bypass for Crystal River 3 is 4.8% of total CDF. Nearly all of it is from SGTR as an initiating event. Temperature induced SGTR is ignored in the Crystal River 3 IPE. The only other bypass failure mode considered in the back-end analysis of the Crystal River 3 IPE is a small RB bypass isolation failure due to failure to isolate the RCP l
seal bleed lines and the letdown line. Although the contribution from this failure mode is not provided in the submittal, itr, contribution seems to be small because the total contribution from containment bypass (4.8%) is close to that obtained in the front-end analysis.
Of the five key release categories defined in the Crystal River 3 IPE, two involve containment bypass.
One of the bypass release categories involves early containment failure from the energetic events 1
associated with HPME. The probability of this bypass failure is very small (about 0.1% of CDF) and the source term is not defined in the IPE for this failure mode.
He conditional probability of early containment failure for Crystal River 3 is about 3% of total CDF.
About half of this is from SBO sequences (K7D) and another half from LOCA sequences (K3BA and K6BA). On a conditional basis, about 6% of SBO sequences, less than 2% of small LOCA sequences, and 1% for medium and large LOCA sequences have early containment failure. According to the CPET model, early containment failure can be caused by either DCH or early hydrogen burn. The higher conditional probability of early containment failure for the SBO sequences, which are high pressure sequences, seems to be attributable to DCH. Early hydrogen burn also contributes to early containment failure, ne early failure for medium and large LOCA sequences, which are low pressure sequences, is likely due to early h,,drogen burn. The conditional probability of containment isolation failure, which is grouped in the IPE in the early failure category contributes 0.7 % to the total CDF.
De conditional probability oflate containment failure for Crystal River 3 is 62.6% of total CDF. About half of this probability is from small LOCA sequences (K6BA), about 1/3 from SBO sequences, and about 1/6 from medium and large LOCA sequences (K3BA). On a conditional basis,94% of SBO sequences result in late containment failure. Because recovery actions are not credited in the IPE and containment failure is assured if containment heat removal is not available, containment failure is assured for SBO sequences. Accordingly, the containment will fail late for those SBO sequences that do not fail early (6% early failure probability). Besides SBO sequences, about 52% of small LOCA sequences and about 77% of medium and large LOCA sequences have late containment failure. Since CHR is most likely available for these sequences, late containment failure for these sequences is princity due to basemat melt-through. De high failure probability of basemat melt-through even with the availability of CHR and BWST injection is due to the special cavity configuration of Crystal River 3 (which reduces the likeliness of debris coolability). Since debris dispersal is more likely for small LOCA sequences (medium RCS pressure) than for medium or large LOCA sequences (Iow RCS pressure), the probability of having a coolable ex-vessel debris is more likely for small LOCA sequences than for medium and large LOCA sequences. As a result, the basemat melt-through is less likely for small LOCA sequences than for medium and large LOCA sequences, in addition to basemat melt-through, late containment failure for the LOCA sequences may also be caused by late hydrogen burn and the loss of containment beat removal due to harsh environmental conditions.
2.4.2.3 Chameteritation of Containment Performance As shown in Table 9, for Crystal River 3, the core damage frequency (CDF) is lower than those obtained in the NUREG-IISO studies for Surry and Zion, and except for late containment failure, the containment failure profile is in general consistent with those obtained in NUREG-IISO studies for Surry and Zion.
De conditional probability of early containment failure obtained from the Crystal River 3 IPE (3% of 43
k notal CDF) is grcater:th.m thosunbriined from.Surry aric'ZirritiNLTRiimf_tX0, but comparable to the average value obtained from.aluthe;!PEMfodP.Wptano, The conditional probability of late containment' failure fursCrystal: River Tis significantly greater than those obtained in the NUREG-il50 analyses and, with very few exceptions. greater than those obtained l
In the other PWR IPEs. His may be partly attributable to Crystal. River.3 plant-specific configurations and partly due to the pessimistic assumptions mi in the IPE As discussed above, the reactor cavity configuration of Crystal River 3 doc.cnotTavor ex-vessel debris cootability, and as a result, containment failure by CCI (e.g., basemat melt-through and gar genetation) is more likely for Crystal River 3 than for other pirnts. De pessimistic assumptions used in the Crystal River 3 IPE include the omission of recovery actions (e.g., power recovery for SBO sequences) and the neglect of a mission time. As discussed in the. IPE submittal, most of the late failures occur days after accident initiation and containment failures at such time frame are ignored in some other IPEs because of the use of a mission time (of about two days for Level 2 analyses).
j i
I Containment bypass failure for Crystal River 3 comes primarily from SGTR initiated events.
Temperature induced SGTR is ignored in the Crystal River 3 IPE and the contributions from other containment bypass failure modes (e.g., ISLOCA) are negligible. The probability of containment isolation failure for Crystal River 3 is 0.7%, similar to that used in NUREG-il50 for Zion.
He C-Matrix, which shows the conditional probabilities of RCs for the PDSs, is provided in Table 4.7-7 of the submittal.
2.4.2.4 Impaa on Equipment Behavior The probability of containment spray and fan cooler failure due to adverse conditions is considered in the
'IPE. It is assumed in the Crystal River 3 IPE that the operation of containment sump recirculation and containment spray is not affected by the harsh environmental conditions because only passive piping components are located in the containment. However, failure of RBCUs as a result of hydrogen burn or DCH is assumed possible in the IPE because the power cables, the control cables, the motors, and the fans are inside the containment. De failure probability for RBCU failure is assigned a value of 0.1 for hydrogen burn and a value of 0.5 for DCH. Dese are based on the analyst's judgment because there is essentially no data to support the assignment of probability values for these events. To support the values used in the IPE, it is noted in the submittal that the TMI-2 fan coolers did not fail as a result of a hydrogen burn. De effect of the debris in the sump (from where the pumps take suction) on the operation of the spray pump is not discussed in the submittal.
2.4.2.5 Uncertainties and Sensitivity Analysis Although the uncertainties of containment pressure loads associated with some of the containment load phenomena are considered in the IPE by assigning load distributions, instead of point estimates, to these containment load phenomena (e.g., hydrogen burn), these distributions in turn are used in the IPE to prtmde a point estimate, not an uncertainty range, for con *=Im failure by these phenomena. Except for the above consideration, uncertainties and sensitivity analyses are not performed in the Crystal River 3 IPE.
Because the quantification of the CPET involves various forms of uncertainties, both the Generic IAtter and NUREG-1335 state that the CPET quantification should include consideration of uncertainties. De various ways of propagating uncertainties through the back-end portion of a PRA are discussed in NUREG-1335. Although load distributions are used in the Crystal River 3 IPE, the uncertainties 44
associated with these distributions are not propagated through the CPET. As a result, point estimates, not distributions (as that obtained in the NUREG-il50 analyses), are obtained in the Crystal River 3 IPE.
Another approach to address uncertainties is a well-structured sensitivity study. This involves the i
identification of the parameters that are likely to have the largest effect on CPET quantification and the determination of the feasible ranges for these parameters. Although the parameters presented in Table A.S.of NUREG-1335 represent a reasonably comprehensive list of parameters for use in a sensitivity study, parameter identification should not be limited to those in this table.
1 i
Accident phenomenology and parameter sensitivity are discussed briefly in the Level 2 Appendix 1 (as part of the response to RAI). In this appendix, the parameters identified in Table A.5 of NUREG-1335 l
are briefly discussed. The discussion is brief and qualitative in nature. A sensitive study as that described in NUREG-1335 is not performed in the Crystal River 3 IPE. For example, the IPE does not provide any quantitative information on how the containment failure probabilities would change if i
j uncertamties on the pressure loads associated with the containment load phenomena (e.g., DCH, hydrogen j
burn) are considered. It also does not provide any quantitative information on how late containment failure probability would change if the probability of debris coolability is changed.
4 The lack of sensitivity study and the insights that may be obtained from the sensitivity study is a significant weakness of the Crystal River 3 IPE. Sensitivity studies performed in other IPEs include those associated with the computer codes used for accident pragression analyses and those associated with containment phenomena and operator actions. The ignoring of recovery actions (e.g., by operator actions)in the Crystal River 3 IPE, although conservative, may not reflect best estimate conditions that l
can be obtained by a closer examination of operator recovery actions during a severe accident.
i 2.5 Evaluation of Decay Heat Removal and Other Safety Issues and CPI i
i 2.5.1 Evaluation of Decay Heat Removal 1
2.5.1.1 Examination of DHR The IPE. addresses decay heat removal (DHR). He methods of DHR cooling discussed in the corresponding section of the report are the main feedwater, the emergency feedwater and the feed and bleed operation. The sequence type representing a total loss of DHR is TBLIU, and is dominated by station blackout scenarios, contributing 29% to the total CDF. He licensee states this shows the l
reliability of the DHR function in that failure of this function is caused by failure in the AC power l
system. The service water does not play a role due to its redundancy and independence of the turbine driven EFW pump from it.
According to the system importance measures, the EFW system contribute about 5% to the total CDF, the MFW contributes about half that, the PORVs and the SRVs contribute about 5% and the HPl or 1
makeup system contributes about 1%. One can note the redundancy in the HPI system (3 pumps), the independence of the EFW TD pump of support systems, the relatively low failure and CCF data used, especially for the TD pump, and the redundancy in the bleed pan of the feed and bleed operation.
De suppon systens, AC power and SW, contribute about 25% each to the total CDF. De decay heat system (i.e., the LPl/LPR system) contributes about 47%.
Major contributors to failure of emergency feedwater and feed and bleed are not explicitly calculated in i
the submittal.
45
2.5.l.2 Dhnerse Means of DHR.
De IPE evaluated the diverse.means for DHUincludirrgameo)f> the power.rerversion system, feed and bleed, and emergency feedwater, Deptessurizationssingtthesecondarpystem was considered. Cooling for RCP seals was considered.
2.5.1.3 Unique Features of DHR De unique features of Crystal Rivur 3 that penain tothe DHR function are as follows:
1)
De tuttine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically mr.tched to the decay heat level. Usually, one pump will be tripped after a reactor trip, while the other will be controlled by the integrated control system (ICS).
De main feedwater system depends on offsite power, thus it is lost in a LOOP event. It also depends on other suppon systems (instrument air, de power, secondary service water or circulating water, etc.).
2)
De emergency feedwater (EFW) system consists of one 750 gpm turbine driven (TD) and one 750 gpm motor driven pump (the design flow rate for the EFW system is 550 gpm). The system is automatically initiated and controlled by the EFIC (emergency feedwater initiation and control) system. De EFW pumps may also be started manually.
3)
The motor driven EFW pump has to be cooled by the nuclear services closed cycle cooling system.
4)
De normal EFW suction source is the 150,000 gal inventory in the dedicated EFW storage tank (good for 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />). Backup supplies are the 150,000 gal condensate storage tank and the condenser hotwell.
5)
He battery depletion time is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, with load shedding.
6)
One pressurizer PORV or one of two safety valves can be utilized for feed and bleed (called HPI/PORV cooling in the submittal). There are three makeup pumps, which are also used for high pressure injection (HPI). His gives Crystal River 3 a diversity of options for feed and bleed. The PORV block valve is usually open.
7)
The three makeup pumps require cooling from one of the two closed cooling systems (corresponding to CCW systems at other plants): the Nuclear Services Closed Cycle Cooling (NSCCC) system normally provides cooling for pumps MUP-1 A and IB, and backup cooling to pump MUP-lC. De Decay Heat Closed Cycle Cooling (DHCCC) system normally provides cooling for MUP-lC, and manual backup cooling to MUP-1 A. De makeup pumps also provide RCP seal injection.
8)
De NSCCC system contains three pumps in parallel, one normal and two emergency pumps.
De emergency pumps are sized 50% greater than the normal pump'due to additional loads created by the reactor building ventilation fans, in case of certain accidents. In addition to the makeup pumps mentioned above, this system cools the following important loads: reactor coolant pumps, seal return coolers, control complex water chillers, the motor driven EFW pump, the NSCCC pump motors and the raw water pump motors (equivalent to SW at other plants), as well l
t-ry
' as some non-PRA loads. De RCP and seal return loads are shed on ESAS (engineered i
l safeguards actuation system) signal generation. Operation of one NSCCC pump and three out
.=
of four NSCCC heat exchangers constitutes success.
i 9)
The DHCCC system consists of two separate trains, providing cooling to the DHR heat
}
exchangers, the DHR pump motors, the reactor building spray pump motors, the DHCCC air handling units, the makeup pumps stated above and the decay heat portion of the raw water system pump motors. One operating train constitutes success.
10)
De Raw Water (RW) system is divided in two parts, one cooling the NSCCC circuit, the other 5
coolmg the DHCCC circuit. The configuration mirrors that of the closed cooling system being cooled (i.e., three pumps, one normal and two emergency and 4 heat exchangers for the NSCCC cooling, and two trains for the DHCCC cooling).
1 g
II)
Crystal River 3 has two emergency diesel generators. The safeguards buses are powered from l
a dedicated transformer (offsite power transformer) with a manual backup off of the startup transformer. Dese transformers are powered from the 230kV switchyard which is separate from the 500kV switchyard supplied by the main generator. Thus, the important loads are Isolated j
from effects of a unit trip. There is also redundancy in the DC power system, such that there j
are three chargers per battery bank, two normally operating and one spare. There are two safeguards DC trains and one normal DC train.
j-2.5.2 Other GSIs/USIs Addressed in the Submittal L
i I
l in addition to USI A-45 (DHR Evaluation) no other USis and GIs are addressed in the submittal.
t 2.a.3 Response to CPI Program Recommendations j
The CPI recommendation for PWRs with a dry containment is the evaluation of containment and
{
equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although the effects of hydrogen combustion on containment integrity and equipment are discussed in the submittal, the CPI issue is not specifically addressed in the submittal. More detailed information on this issue is l
provided in the licensee's response to the RAI.
. According to the response, the only confined space where hydrogen could accumulate is in the reactor i
j cavity, and, up to vessel breach, it is not possible for hydrogen to be released into the reactor cavity and j
there are no ignition sources in the reactor cavity. It is therefore concluded in the response that hydrogen j
pocketing and detonation is not an issue of concern in the Crystal River 3 configuration. However, the potential of hydrogen detonation after vessel breach is not discussed in the response, j
[
2.6 Vulnerabilities and Plant Improvements 2.6.1 -Vulnerability
. De following is a discussion of vulnerabilities from the RAI responses:
l.
- nere is no precise definition of vulnerability for the Crystal River 3 IPE. Review of the core damage l
cutsets looking for sequences with unusually high frequencies, sequences hinting of some heretofore
{
unknown dependency, and risk significant sequences which can easily be reduced to rick insignificance j
47
via a procedure change or a rninor. hardware change consistedsoGPC's review of the IPE results for vulnerabilities. 'The review indicated ;no acciden* : sequences whi:1h :might potentially be deemed -
vulnerabilities."
Vulnerabilities are not defined in the IPE. submittal for the Level'2 analyses l
2.6.2 Proposed knprovements and~ Modifications No improvements have been identified or undertaken as a result of the~1PE. ' Previous improvements were credited: increasing battery life from 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (as a result of the blackout rule), building a backup flush water supply to the RW water pump bearing cooling (previous PRA and App. R concerns) and sleeving of expansion joints (a previous deterministic flooding analysis) were the three principal improvements credited, which resulted in a substantial CDF decrease (not otherwise quantified).
In the plant improvement section of the IPE, it was noted that several improvements to plant emergency pmcodures were recommended and included. A list of the improvements was not provided. However, in response to additional RAls, the impovemerts are mentioned as "BWST refill, verification of cooling water supply."
l No back end plant improvements are mentioned in the IPE submittal.
l l
l
\\
[
48
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS Based on aur review and the weaknesses enumerated below, there is insufficient information in the IPE and the RAI responses to conclude that the licensee has met the intent of Generic Letter 88-20. The weaknesses stem primarily from sparse documentation provided by the licensee on the conduct of the IPE analysis. Both the original IPE submittal as well as the RAI responses were very brief to the point of being inadequate in some areas.
Strengths of the Level 1 IPE are as follows: The IPE relies on an earlier PRA which was reviewed by the NRC and found to be of quality. De model seems reasonable.
De following weaknesses are noted about the IPE:
In the area of the "as built as operated plant" modeling, there is insufficient documentation about how the comments in the ANL review of the original Crystal River 3 PRA were incorporated into the model, and how the model was changed from the original PRA to model the plant as it is today. Information is also insufficient as to why different data gathering periods were used for different data (plant specific vs. Generic and initiating events vs. The failure data), and what the extent of the walkdowns was.
In the discussion of the review of the IPE submittal, insufficient information i., provided on the extent of the review and about the areas of concern uncovered in the review and the resolution of major issues.
In the area of initiating events, there is insufficient documentation about treatment of losses of DC power and non-nuclear instmmentation. De ISLOCA treatment uses assumptions which are not fully discussed or justified.
In the area of systems, aspects of modeling of certain systems are not clear or seem to be incomplete (HVAC, MFW). The dependency diagram is not inclusive of all dependencies.
The data section shows significantly lower than expected failure data for certain components (turbine driven pump, compressor) and somewhat low data for some other important components. The common cause factors are somewhat low, as are initiating event frequencies for LOCAs, and perhaps loss of offsite power.
Certain aspects of the flooding analysis were not documented (e.g., treatment of drains and maintenance induced floods).
De sections on improvements and insights were very brief or nonexistent, both in the submittal and the RAI responses. Dere is no discussion of insights in the submittal. For example, why is loss of RW flush water not an important contributor to the CDF7 Why are the result so different from the original ANL-reviewed PRA? In response to additional RAls, the licensee has a one phrase (not sentence) summary about the insights derived from the IPE: " absolute level of risk and risk important systems, components, human actions and initiating events" (without specifying what these might be). De RAI on improvements (no discussion in the submittal itself) elicited a one phrase response "BWST refill, verification of cooling water supply."
49
Dis suggests there may not have been full utility involvement-in the IPE, or good two way communication between the analysts and the utility / plant, including the management. Such two way communication was, in our view, the intent of the Generic Letter 88-20.
Agairi, it must be emphasized that the level 1 domimentation vas very brief, and the RAI responses very j
uneven, ranging from totally unresponsive, to a very detailed discussion of the convolution method used in modeling loss of offsite power sequences.
1 De most important class of sequences are the small LOCAs with recirculation failure (due to operator error or CCF of valves) and the station blackout sequences (involving mostly a LOOP initiator, but also the loss of offsite transformer with operator error to switchover to the startup transformer, with
)
consequent failures of the EDGs and failure to restore offsite power in time to prevent core uncovery).
1 De HRA review of the Crystal River 3 IPE submittal and a review of the licensees responses to HRA related questions asked in the NRC RAI, revealed several weaknesses in the HRA as documented.
Although a viable approach (the Doughesty and Fragola method) was used in performing the HRA, 1
several weaknesses in how the analysis was conducted (or at least in the licensees documentation of the conduct of the analysis) were identified. Because of the apparent weaknesses and the lack of adequate documentation in the submittal or the licensees response to the NRC RAI, it cannot be concluded that the licensee met the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:
1) he submi..a! indicates that utility personnel were involved in the HRA. De paiticipation of a j
nuclear safety supervisor who was a former senior reactor operator (SRO), reviews of procedures and training, and interviews with operators helped assure that the HRA portions of the IPE represent the as-built, as operated plant. However, documentation of HRA related walkdowns and observations of simulator exercises would have strengthened the notion that a viable process i
was used.
2) ne submittal indicted that the analysis of pre-initiator actions included both miscalibrations and restoration faults. An acceptable, but potentially optimistic screening analysis was used. Events found to be potentially risk signif; cant were analyzed in more detail using a method based on the q
book by Dougherty and Fragola.
1 3)
Post initiator human actions modeled included both response-type and recovery-type actions.
Recovery events were defined as situations which are 'beyond the design basis of the plant and which are not covered by the procedures, but for which actions are still available to prevent core damage." A review of these events indicated that none of them appeared to require extraordinary behavior on the part of the operators and that procedures for performing the actions might exist, J
even if the operators would be required to diagnose the need for the actions on the basis of experience. However, no justification was provided for any of the modeled non-proceduralized j
actions and without such justification, the HEPs assigned to the events could be optimistic.
4)
Consideration of plant-specific performance shr. ping factors and dependencies was apparently limited (based on the docunention in the submittal and in the response to the NRCs RAI).
r==tmp.* tramnw of these faaors can lead to selecsed HEPs being optimistic or in some cases pessimistic. In particular, the use of a screening value of 0.1 for post-initiator actions clearly demands a careful consideration of dependencies. Without additional information about some of the modeled events, it was difficult to determine whether the HEPs would in general be considered outside the normal range of values obtained for shnilar events in other IPEs.
50
]
5)
Documentation was inadequate on the process used to determine the time available for operators to diagnose needed actions and on the time needed to conduct the actions (particularly outside the control room). If the necessary calculations are not done correctly, optimistic estimates of HEPs can be obtained. In general, there was a lack of documentation on how time was considered in quantifying operator actions.
6) ne licensee did not identify important human actions through the use of importance measures.
It was stated that operator actions were identified as being important "during the manual operation of accident sequence recovery analysis." While such an approach may in fact capture the most imponant human actions, a quantitative assessment provides a straightforward means of determining relative importance.
a The IPE uses a small containment phenomenological event tree (CPET) with 13 top events for back-end analysis. Dependency rules are used to determine the conditions and the corresponding split fractions for the CPET top events. he quantification of the Crystal River 3 CPET is based on results from plant-specific analysis of accident progression using computer codes (MARCH 3, TRAPMELT3, and CONTAIN 1.1), review of NUREG-il50 analyses for Surry and Zion, review of Seabrook Level 2 analysis, and results from special analyses of some cont inment issues. The interface between the front-end and back-end analyses is accomplished by the development of a set of PDSs, defined by the front-end core damage sequences and the status of containment systems. The PDS definition is adequate. The CPET and the associated dependency rules provide a reasonable coverage of the important back-end i
phenomena. Although CPET quantification and source term grouping and quantification seem adequate, there are issues that are not discussed in sufficient detail (to show that they are treated adequately) in the IPE submittal, and questions are thus asked in the RAI on these issues. However, the licensee's responses to some of the RAI questions are not satisfactory, and the shon responses to the follow on questions do not provide any additional information beyond that already provided in the IPE submittal and the original RAI responses. Although the IPE process is, in general, logical and consistent with GL 88-20, the adequacy and completeness of the treatment of some of the issues is not clear.
The important points of the technical evaluation of the Crystal River 3 IPE back-end analysis are summarized below:
1)
The back-end ponion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.
2)
The Crystal River 3 IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix I of the Generic Letter. However, because of the lack of sufficient responses to the RAI questions, the adequacy and completeness of the treatment of some of the issues is not clear.
3)
The IPE has identified the plant-specific reactor cavity configuration for Crystal River 3 and taken into consideration the effect of this plant-specific feature on accident progression. Because of the cavity configuration, the thickness of the core debris in the cavity is likely to be more than one foot, and, as a result, the probability of debris coolability is lower in Crystal River 3 than in many other PWR plants.
4)
Acc! dent sequences are selected in the IPE for MARCHfrRAPMELT/CONTAIN calculations to provide data to assist CET quantification and for estimating the source terms. However, the selection criteria are not discussed in the IPE submittal. The relationship between the selected sequences and the accident sequences binned to the PDSs or the source term categories is not j
51
established or discussed;in the. submittal.Nunethelessc theaequences selected for computer calculation seem to provide a reasonale representation enPthe PDSs and the source term categories. The only question is the extremely small source term calculated for the late failure release category. He release fractions repotted in the IPE submittal (less than 2.0E-6 for lodine and Cesium) are much lower than those reported in other IPEs for a similar failure mode (late containment rupture with no containment systems available).
5)
A sensitive study like that described in NUREG-1335 is not performed in the Crystal River 3 IPE. The IPE does not provide any quantitative information on how containment failure pmbabilities would change if uncertainties on containment phenomena are considered. The lack of a sensitivity study and the insights that may be obtained from the sensitivity study is a significant weakness of the Crystal River 3 IPE. Sensitivity studies performed in other IPEs include those associated with the computer codes used for the accident progression analyses and those associated with containment phenomena and operator actions.
6)
Recovery actions are not credited in the IPE. According to the submittal, recovery actions would be addressed in a potential accident management follow-on activity within the context of developing Crystal River 3 specific accident management guidelines. Once an optimized course of actions in the form of accident management guidelines has been determined, these guidelines could then be reflected in the CPET. The omission of recovery actions provides a more pessimisti estimate of accident progression results. It also avoids a closer examination of operator recovery actions and their effects on severe accident progression in a severe accident.
7)
Containment isolation failure is not discussed in detail in'the IPE submittal. Although a question is asked in the RAI regarding this issue, the response to this question is very minimal and does not provide any additional information beyond that already provided in the IPE submittal, it is not clear from the description provided in the IPE submittal and the licensee's response to the RAI whether the analyses performed in the IPE have addressed all five areas identified in the Generic Letter regarding containment isolation.
8)
He recommendations of the CPI program are discussed in the licensee's responso to one of the RAI questions. It seems that the CPI issue is not evaluated in the IPE in detail. Although the potential of hydrogen pocketing and detonation in the reactor cavity before vessel breach is discussed in the response, their potential after vessel breach is not discussed.
9)
The lack of discussion of the sealing materials used in the Crystal River 3 containment penetrations and their properties under harsh environmental conditions is a weakness of the IPE submittal.
l l
I 1
52
- 4. REFERENCES 1
. \\lPE)
Crystal River 3 Individual Plant Examination, Florida Power Corporation, j
March,1993.
)
[RAI Responses)
Response to NRC Request for Additional /qformation, Crystal River 3 IPE,"
j Florida Power Corporation, November,1995.
4 lSANDIAl Containment in2ds due to Direa Containment Heating and Associated Hydrogen l
Behavior: Analysis and Calculations with the CONTAIN Code, Sandia National t
Laboratory, NUREG/CR-48%,1987.
(BNL}
Enunation of Containment Pressure loading due to Direct Containment Heating forthe Zion Plant, Brookhaven National Laboratory, NUREG/CR-5282, March i
1991.
IBook)
E.M. Dougherty and 1.R. Fragola, Human Reliability Analysis: A Systems Engineering Approach with Nuclear Pour Plant Applications, NY: John Wiley
& Sons,1988.
(NUREGICR-1278)
A.D. Swain and H.E. Guttman, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Applications : Technique for Human Error Rate Prediction, NUREG/CR-1278, U.S.
Nuclear Regulatory Commission, i
Washington D.C.,1983.
9 e
0 53
.