Response to U.S. EPR Design Certification Application RAI ...

Response to

Request for Additional Information No. 7, Revision 0 5/16/2008

U. S. EPR Standard Design Certification

AREVA NP Inc. Docket No. 52-020

SRP Section: 19 - Probabilistic Risk Assessment and Severe Accident Evaluation Application Section: 19

SPLA Branch

AREVA NP Inc. Response to Request for Additional Information No. 7 U.S. EPR Design Certification Application of 32

Question 19-56:

Please provide an overview of the reactor coolant pump (RCP) seal failure model, including: (a) given loss of seal cooling, the assumed RCP seal leakage rate and its basis; (b) the basis for the standstill seal failure probability; and (c) the sensitivity of core damage frequency (CDF) for internal events to a ten-fold increase in the standstill seal failure probability.

Response to Question 19-56:

(a) Given loss of seal cooling, the assumed RCP seal leakage rate if a RCP pump fails to trip or Standstill Seal System (SSSS) fails to close was estimated to be larger than 400 gpm. This flow rate was not specifically considered, because all RCP Seal LOCAs (on one or multiple pumps, due to failures to isolate leakoff lines, or to close SSSS, or to trip the pumps) were analyzed in the U.S. EPR PRA model as small LOCAs.

(b) The standstill seal failure probability of 1.0E-3 was based on an engineering judgment, because this is a newly developed system for which historical failure data is not available. However, a failure probability of 1.0E-03 per demand is judged to be applicable for a simple and passive SSSS design.

(c) A sensitivity case is defined with a ten-fold increase in the standstill seal failure probability. This results in a 10% increase in total CDF and 12% increase in internal events CDF, as shown in Table 19-56-1.

Table 19-56-1—Sensitivity Case Results for a Ten-Fold Increase in the SSSS Failure Probability

Base Case Sensitivity Delta CDF CDF Internal Events 2.9E-07 3.2E-07 12% Total CDF (Internal Events, Fire and Flood) 5.3E-07 5.8E-07 10%

FSAR Impact:

The FSAR will not be changed as a result of this question.


Question 19-57:

Please describe why main steamline break inside containment with blowdown of multiple steam generators is a significant contributor to large release frequency (LRF). Identify any major conservatism in the modeling, including potential operator actions and mitigating features not modeled in the probabilistic risk assessment (PRA) that could preclude containment overpressure.


Steamline break inside containment (SLBI) with blowdown of multiple steam generators is a significant contributor to large release frequency (LRF) because the associated core damage end state is assumed to directly result in early containment failure on overpressure. If 3 MSIVs fail to isolate following a SLBI initiating event, a simultaneous blowdown of 4 SGs occurs. If main feedwater does not automatically isolate, the subsequent overcooling is assumed to result in an uncontrolled reactivity event and is led directly to core damage. This is a conservative assumption and due to the sequence low frequency (1.0E-08/yr), no additional reactivity analysis was judged necessary. After core damage, the sequence described above was assumed to result in an early containment failure. Core damage was assumed to be caused by a return to criticality; therefore the sequence may result in the full 100% power secondary steam inventory being released inside the containment. The subsequent overpressure is assumed to fail the containment. Potential operator actions susceptible to mitigate containment overpressure were not considered. These include the actuation of the SAHRS containment sprays and the manual termination of feedwater. To credit these actions, a combined reactivity analysis and containment pressurization analysis would be required. Due to the low frequency of this sequence (1.0E-08/yr), such a complex analysis was not considered necessary.

FSAR Impact:



Question 19-58:

For each loss of component cooling water (LOCCW) initiating event, please provide additional information on: (a) the situation it represents, (b) the rationale for treating it as a separate initiator, and (c) a comparison of the initiating event frequency to comparable industry PRA models or other generic data sources. For example, please clarify why the LOCCW1 and LOCCW1L initiators, which appear to result in similar unavailability, are treated separately. Also, please clarify the statement on page 19.1-91 that LOCCW12 PM2 includes “maintenance unavailability for standby train.” What is the sensitivity of CDF and LRF for internal events to a ten-fold increase in the total LOCCW initiating event frequency?


(a) Loss of component cooling water (LOCCW) initiating events are initiators that occur due to losses of the CCW common headers 1 or 2 (CCW CH1 or 2), leading to the losses of the cooling to the RCP pumps 1 & 2 (CCW CH1) or RCP pumps 3 & 4 (CCW CH2). Loss of component cooling water initiating events in the U.S. EPR PRA and the situations they represent are described below:

1) LOCCW-CH1L - Leak in Common Header 1 2) LOCCW1L - Leak in CCW/ESW Train 1 and Failure to Isolate (leading to a loss

of CCW CH1), CCW/ESW Train 1 not available 3) LOCCW1 - Loss CCW/ESW Train 1 and Failure of Switchover (leading to a loss

of CCW CH1), CCW/ESW Train 1 not available 4) LOCCW12 - Loss of CCW/ESW Train 1 and Train 2 (leading to a loss of CCW

CH1), CCW/ESW Trains 1 and 2 not available 5) LOCCW12 PM2- Loss of CCW/ESW Train 1 and Train 2 (leading to a loss of

CCW CH1), CCW/ESW Trains 1 and 2 assumed to be in PM 6) LOCC14-CH1 - Loss of running CCW/ESW Trains 1 and 4 (common cause

failures considered) and Failure of one Switchover (leading to a loss of CCW CH1), CCW/ESW Trains 1 & 4 not available

7) LOCCW14-CH12 – Loss of CCW/ESW Trains 1 and 4 and Failure of two Switchovers to CH 1 & 2 (leading to losses of CCW CH1 and CH2), CCW/ESW Trains 1 & 4 not available

8) LOCCW-ALL - Total loss of CCW/ESW four divisions (leading to a loss of CCW CH1 and CH2), all CCW/ESW trains not available.

Note: Preceding IEs 1 through 6 are symmetrical: applicable to both CCW common headers.

(b) LOCCW IEs are treated separately because of: (i) the differences in the IE frequency and (ii) difference in impacts on the mitigating systems. For example, the LOCCW1 and LOCCW1L initiators are treated separately, because, even though they have the same impact on the mitigating systems, they have different IE model and frequencies. One of these initiators (LOCCW1) is a result of the CCW Pump Train 1 yearly failure frequency and it would results in a loss of the CCW CH1 if a switchover to the CCW Train 2 is not successful (IEF=2.7E-03/yr). The other initiator (LOCCW1L) is a result of a yearly leakage frequency in the CCW Pump Train 1 and it would result in a loss of the CCW CH1 if an isolation of the CCW Train 1 and a switchover to the CCW Train 2 is not successful (IEF=5.3E-04/yr). The need to isolate CH1 for LOCCW1L was the reason to model these events separately.


(c) Given four separated safety divisions in the U.S. EPR design, it is difficult to find comparable data in the industry. Two comparison cases are shown below::

• LOCCW-ALL IEF of 2.4E-06/yr could be compared to “Total Loss of SW” IEF of 9.7E-04/yr (NUREG/CR 5750, Table 3-1) or “Total Loss of SW/CCW” IEF of 4E-04/yr (NUREG/CR 6928, Table 8-1); the difference can be explained by the four independent CCW/ESW trains and the four separated UHS in the U.S. EPR design.

• The six other LOCCW IEFs (all but of LOCCW-CH1L and LOCCW-ALL) with total frequency of 2.6E-02/yr, could be compared to “Partial Loss of SW” IEF of 8.9E-03/yr (NUREG/CR 5750, Table 3-1) or “Partial Loss of SW/CCW” IEF of 2E-03/1.2E-03/yr (NUREG/CR 6928, Table 8-1); ); the difference can be explained by the U.S. EPR PRA results enveloping more combinations of the events.

(d) As stated in the FSAR Table 19.1-4, LOCCW12 PM2 includes “maintenance unavailability for standby train”: this IE is modeled as the CCW Pump Train 1 yearly failure frequency and a loss of the CCW CH1 because the standby CCW Train 2 is in maintenance. This specific event is separated to avoid simultaneous maintenance unavailabilities with the other standby CCW Train 3 in the event tree sequences.

(e) A ten-fold increase in the total LOCCW initiating event frequency would result in:

• Corresponding Internal events CDF increase of 3.4E-08/yr (≈12%)

• Corresponding Internal events LRF increase of 5.2E-10/yr (≈2%)

FSAR Impact:



Question 19-59:

Please provide the basis for the pressurizer safety valve (PSV) spurious opening frequency, stated as 2E-4 per year (/yr) in Final Safety Analysis Report (FSAR) Table 19.1-4.


An estimate of the PSV LOCA initiating event frequency was based on a review of the industry operating experience as documented in NUREG/CR-5750. NUREG/CR-5750 identifies two PSV failures to fully reseat following actuation in the period 1987 through 1995 (covering approximately 500 PWR reactor critical years). These two events were caused by transients (loss of one AC bus and turbine trip) that are not expected to result in a demand on the U.S. EPR PSRVs. Therefore it was judged that neither of these events would be likely to result in a PSV LOCA initiating event in the U.S. EPR design. Based on this industry experience, and the specific PSV design, the U.S. EPR PSV LOCA initiating event frequency was estimated to be 2E-04/yr (0.1 events in the 500 critical reactor years included in the NUREG/CR-5750 database).

FSAR Impact:



Question 19-60:

Please provide additional information on the fast cooldown operation, including success criteria for both small and medium loss-of-coolant accidents (LOCA) and a discussion of the assumptions included in the human reliability analysis.


The fast cooldown (FCD) operation is used when there is a small or medium LOCA coincident with failure of all medium head safety injection (MHSI). FCD involves opening the main steam relief train (MSRT) pathways on all four steam generators (full open) and cooling down rapidly with the secondary side until the RCS pressure reaches the delivery pressure of the accumulators and low head safety injection (LHSI).

The FCD success criteria used in the PRA for small and medium LOCA are summarized in Table 19-60-1.

Table 19-60-1: Summary of Fast Cooldown Success Criteria for Small and Medium LOCA

MSRT FW Accumulators LHSI Total

Available Time

SLOCA 2 of 4

2 of 4 SSS injection

lines or 2 of 4 EFW

1 of 4 1 of 4 40 minutes

MLOCA 1 0f 4 Not required 1 of 4 1 of 4 30 minutes

These success criteria have been verified by MAAP runs. The combinations of MSRT and EFW trains discussed previously were chosen as conservative modeling assumptions to limit the complexity of the model and reduce the number of analysis cases. There are other combinations of MSRT and EFW that may be success paths that were omitted from the model. For example, MAAP runs of some small LOCAs indicate success with one MSRT and one EFW train.

The human reliability analysis (HRA) assumes that the operator will actuate FCD upon indications of loss of subcooled margin (LSCM) coincident with indications of MHSI failure. In addition to opening the MSRT pathways, the operator will also verify initiation of EFW and LHSI.

The HRA used the SPAR-H methodology for assignment of the human error probability (HEP). Assumptions were made in order to select the Performance Shaping Factors (PSFs). The PSFs for timing are based on timing of the cues from representative MAAP runs for small and medium


LOCAs. The PSF for stress is assigned to extreme given the nature of the event (LOCA with loss of MHSI).

The complexity PSF for diagnosis is assumed to be moderate for medium LOCA and high for small LOCA, and nominal for action in both events. The PSF for experience and training is assumed to be high because FCD, like feed & bleed, is expected receive extra attention in training.

The detail of the PSFs and the HEP calculation can be found in Table 19-60-2.

Table 19-60-2—Performance Shaping Factors and HEPs for Fast Cooldown Operator Actions1

ID Description Basic HEP

PSF1 (Timing)

PSF2 (Stress)

PSF3 (Complexity)

PSF4 (Training)

HEP Mean Value

Diagnosis 0.01 1 5 2 0.5 5.00E-02

Action 0.001 1 5 1 0.5 2.50E-03

OPE-FCD-30M

Operator Fails to Perform FCD for a Medium LOCA Total 5.3E-02

Diagnosis 0.01 1 5 5 0.5 1.25E-01

Action 0.001 1 5 1 0.5 2.50E-03OPE-FCD-40M

Operator Fails to Perform FCD for a Small LOCA

Total 1.3E-01

FSAR Impact:


1 All other PSFs are nominal.


Question 19-61:

Please discuss why the evaluation of an interfacing systems LOCA (ISLOCA) due to a RCP thermal barrier tube leak does not consider dependence between operator failure to isolate the ISLOCA and operator failure to initiate secondary cooling and align residual heat removal (RHR) in four hours. This dependence appears to be evaluated for other ISLOCA events that do not lead directly to core damage.


Similarly with the other ISLOCA initiators, the dependency between the isolation action and the RHR action should have been considered for this specific initiator. However, since this omission does not have a significant numerical impact on CDF, LRF or any risk insight, no changes are required to the FSAR. A sensitivity case supporting this conclusion and a discussion of the conservatism of this dependency model is presented below.

A sensitivity case is defined by using the dependent value for the RHR action following the Initiating Event ISLOCA due to a thermal barrier tube leak (IE ISL-CCW RCPTB). The dependent HEP (moderate dependency, 0.14) is the same value used for the other ISLOCA IEs (IE ISL-CVCS HPTR and IE ISL-CVCS REDS). The CDF for the IE ISL-CCW RCPTB increases 65 times, from 8.8E-13/yr to 5.8E-11/yr. Although the relative increase is significant for that initiator; it remains a negligible contributor to the overall CDF or LRF results, as shown in Table 19-61-1.

It should be noted that this dependency model yields conservative results. The information on whether the ISLOCA is caused by an operator failure to isolate (or by a hardware failure) is not carried over from the initiating event fault tree to the ISLOCA event tree. Therefore, the dependent RHR action HEP is conservatively applied for each sequence initiated by this ISLOCA event.

Table 19-61-1: Sensitivity Case Results for including dependency in ISL-CCW RCPTB

Base Case Sensitivity Case Delta CDF (Relative) CDF Internal Events (1/yr) 2.9E-07 2.9E-07 6E-11 (0.0%) LRF Internal Events (1/yr) 2.2E-08 2.2E-08 6E-11 (0.3%)

FSAR Impact:



Question 19-62:

Please describe how ventilation dependencies of equipment outside the safeguard buildings (e.g., emergency diesel generators (EDGs), essential service water pumps, and station blackout diesel generators) are modeled. If any dependencies are not modeled, please justify their exclusion and include sensitivity studies as appropriate.


Ventilation systems outside the Safeguard Buildings are not modeled in the PRA. Outside of the Safeguard Building, no ventilation dependencies were identified, in the sense that:

1) No single ventilation failure would result in the loss of more than one building.

2) Loss of ventilation due to a support system (electrical power, cooling) failure could only result in the loss of those systems that directly depend on the same support systems and would also be lost.

To support those two points, a short evaluation of ventilation systems and their support systems is performed for the following buildings: ESW pump buildings, Emergency Power Generation Buildings (EPGB), station blackout diesel generator (SBODG) rooms, Switchgear Building, and Turbine Building. The conclusions are summarized below:

ESW Pumps

Each division of the ESW pump ventilation system is powered by its own Class 1E, EDG backed, power division. The ESW pump ventilation system is cooled by the ESWS. Therefore the failure of support systems for an ESW ventilation division would directly result in the loss of the ESW pump – no additional ventilation dependency is identified.

Emergency Power Generation Buildings

Each division of the EPGB ventilation system is powered by its own Class 1E, EDG backed, power division. The building ventilation is provided by fans only – no additional cooling is necessary. The EDG engines are cooled by the ESWS – this dependency is explicitly modeled in the PRA. The design of the control and electrical areas ventilation is not finalized, and in this phase cooling dependencies, if any, are assumed to be divisional (Division 1 systems providing cooling to EDG 1) and enveloped by the ESWS cooling dependency modeled in the PRA.

SBO DG Rooms

The SBO diesel ventilation system design requirements stipulate that it shall be powered from the same SBO diesel-backed electrical division it serves. The SBO diesel ventilation system is assumed not to depend on the other fluid-carrying system. Therefore, no additional ventilation dependency is identified.

Turbine Building

The TB ventilation system is powered by redundant non-safety power divisions. In case of loss of offsite power, or general failure of the non-safety power supply, the TB ventilation system


would fail. This has no impact on the PRA since systems in the TB modeled in the PRA would also fail on loss of non-safety power.

The TB ventilation system cooling coils are cooled by the Operational Chilled Water System – Turbine Island (OCWS TI, not modeled in the PRA). This system is cooled by the Closed Cooling Water System (CLCWS, modeled in the PRA). Failure of the CLCWS could result in ventilation failure, but this is also not a dependency issue since MFWS and SSS would also be lost on a loss of the CLCWS.

Switchgear Building

The switchgear building ventilation system is not modeled in the PRA. It is assumed that switchgear building ventilation dependencies, if any, would not have a significant impact on risk. Future detailed system information will be reflected in the PRA within the applicants PRA maintenance and upgrade program, as described in FSAR Section 19.1.2.4. COL item 19.1-9 listed in FSAR Table 1.8-2 is provided to confirm that significant PRA assumptions on system modeling remain valid.

In conclusion, no ventilation dependency was identified outside of the Safeguard Buildings. Failure of a ventilation system or sub-system could result in the loss of one building or one division of a system.

FSAR Impact:



Question 19-63:

According to section 8.3.1.1.1 of the FSAR, an alternate feed connection is provided between emergency power supply system (EPSS) divisional pairs to provide a normal and standby source of power when certain electrical components, including an EDG, are out of service. The discussion of station blackout power on page 19.1-9 of the FSAR indicates that this connection may be modeled in the PRA to some extent. Please discuss whether the alternate feed connection is credited in the PRA to provide power to certain equipment when the EDG in that division is out of service for maintenance.


The alternate feed connection during emergency diesel generator maintenance as described in Section 8.3.1.1.1 of the FSAR is not modeled in the PRA. The PRA models the electrical system in its standard configuration regardless of the status of the EDG. However, in case of loss of power to division 2 (or 3), an operator action to feed important division 2 (or 3) loads from division 1 (or 4) using the alternate feed is modeled.

In other words, the alternate feed is credited in some cases as a response to a loss of power. The alternate feed configuration as an initial alignment prior to the initiating event is not modeled.

FSAR Impact:



Question 19-64:

Please discuss how accident sequences initiated by spurious opening of a main steam safety valve (MSSV) are modeled differently from other steam line breaks. The contribution of MSSV initiators appears not to be high enough to be included in Table 19.1-6 of the FSAR, but it is not clear how the mitigation strategy is different from the other steam line breaks with comparable initiating event frequencies.


A MSSV IE presents an unisolable steam line break outside containment (SLBO). The other SLBO are assumed to be isolable (downstream from MSIVs). The conditional core damage probability (CCDP) is slightly higher for the MSSV IE (2.2 E-06) than for the SLBO IE (1.9E-06). However, due to the lower frequency of the MSSV IE (1.0E-03/yr vs. 2.1E-03/yr), the resulting CDF is lower than for the SLBO IE. The MSSV contribution to the CDF is just under 1% (0.8%) so it was not presented in FSAR Table 19.1-6 that included only initiators contributing more than 1% to the Level 1 internal events CDF.

FSAR Impact:



Question 19-65:

Please describe how the steam line break outside containment (SLBO) frequency of 2.1E-3/yr was derived. Specifically, FSAR Table 19.1-4 indicates that leaks were excluded from the NUREG/CR-5750 value (1.0E-2/yr); please justify this exclusion.


Leaks are not likely to result in a significant disturbance in the plant conditions–a trip would be unlikely. Even if a trip occurred, the plant response would be similar to a general transient. The following explains how the SLBO frequency (with leaks eliminated) was derived:

The information from NUREG/CR-5750 was used. The NUREG uses the description that includes the word “leak”: “Steam line break/leak outside containment”.

The mean of the distribution of 1.0E-02/yr from Table 3-1 of the NUREG is based on the seven SLB events. In this analysis, only the breaks that are sufficient in size to cause a low steam line pressure signal and initiate a safety injection were considered. Only one of these seven events resulted in a safety actuation. The values in Table 3-1 are obtained by updating a prior gamma distribution (parameters 7.5 and 728) with the seven events. Updating the same distribution with just one event results in a 1.5, 728 gamma distribution that has a mean of 2.1E-03/yr.

FSAR Impact:



Question 19-66:

Please provide a more detailed discussion of how feedwater line breaks are modeled in the PRA. Page 19.1-22 of the FSAR states that feedwater line breaks inside containment (FLBI) and steam line breaks inside containment (SLBI) are considered as a single initiator, but the SLBI initiating event frequency is taken directly from NUREG/CR-5750, which has a separate frequency for feedwater line breaks. The FSAR also states that feedwater line breaks outside containment are treated as total loss of feedwater (LOMFW) initiating events, but the LOMFW initiating event frequency is taken directly from NUREG/CR-6928, which does not appear to include feedwater line breaks.


The following discussion addresses 1) feedwater line breaks inside containment (FLBI) and 2) feedwater line breaks outside containment (FLBO).

1) FLBI

The two feedwater line break initiating events reported in NUREG/CR-5750 (Millstone Unit 2, 1991 and Unit 3, 1990) both occurred on the turbine side of the plant, outside of the reactor or auxiliary buildings. There is no value in NUREG/CR-5750 for feedwater line break inside containment. The frequency of 1.0E-03/yr for SLBI, based on 0 events for 499 reactor years, is judged to envelop both SLBI and FLBI for the U.S. EPR. This is based on the following considerations:

• 1.0E-03/yr frequency is judged to be a conservative number for SLBI. There are only four main steam line segments (one per SG) inside containment. Using the EPRI TR-102266 Pipe Failure Study Update, this corresponds to a break frequency of 4 segments x (8.9E-10/ MS segment-hr) x (8760 hr/yr) = 3.1E-05/yr.

• The main feedwater system design includes a check valve upstream of the steam generator inlet. Therefore, only a break in the portion of the MFWS piping downstream of this check valve (one segment per SG) would result in a steam generator blowdown inside the containment. Using the EPRI TR-102266 method yields a break frequency of 4 segments x (6.4E-10/FW segment-hr) x (8760 hr/yr) = 2.2E-05/yr.

Therefore, it is judged that the frequency of 1.0E-03/yr for SLBI conservatively envelops both SLBI and FLBI.

2) FLBO

NUREG/CR-5750 number for feedwater line breaks 3.4E-03/yr, based on two events and 729 reactor-years, is applicable to FLBO. Such events are most likely to occur in the Turbine Building and would result in a loss of feedwater event. The frequency used for LOMFW, based on NUREG/CR-6928, which does not include feedwater line breaks, is more than one order of magnitude higher, at 9.6E-02/yr. It is judged that a value of ~0.1 for total loss of feedwater is


conservative for an advanced plant, and therefore it was assumed that this value subsumes pipe breaks.

FSAR Impact:



Question 19-67:

Please provide the basis for the statement on page 19.1-56 of the FSAR that “[s]ome limited credit is given to the operators to recover from these software CCFs [common cause failures] (0.5).” How does this recovery action account for loss of instrumentation and the time available to the operators?


The 0.5 recovery probability for software CCF is considered a conservative substitute for operator recovery that also bounds the reliability of an automated backup if the diversity and defense-in-depth (D3) analysis determines that is necessary.

D3 features intended for mitigation of software CCF have not yet been credited in the PRA, except for the diverse reactor trip that is part of the anticipated transient without scram (ATWS) system. The methodology for the D3 design is described in Topical Report ANP-10284 and FSAR Section 7.8. The D3 design activity will include an event-specific analysis to determine if there is sufficient time and instrumentation for operator action given that the event occurs coincident with software CCF. This analysis will determine whether the recovery action is manual or automated, and what indications and controls are needed to support the action. Future detailed system information will be reflected in the PRA within the applicants PRA maintenance and upgrade program, as described in FSAR Section 19.1.2.4. COL item 19.1-9 listed in FSAR Table 1.8-2 is provided to confirm that significant PRA assumptions on system modeling remain valid.

The recovery probability (0.5) used for software CCF is not initiating event-specific and therefore does not explicitly account for the time and instrumentation available to the operator.

Instrumentation will be available to support any operator actions that may be credited for response to software CCF. The main control room (MCR) of the U.S. EPR has two independent human machine interface (HMI) systems for indication and controls. These are the process information and control system (PICS) and the safety information and control system (SICS), which are described in FSAR Section 7.0. PICS is the non-safety- related HMI system that contains all of the controls necessary to operate the plant. PICS is implemented on a diverse instrumentation and control (I&C) platform from the Protection System. SICS is a safety-related HMI system that is a backup for use if the PICS becomes unavailable. SICS is implemented on the TELEPERM XS (TXS) platform, and uses similar hardware and operating system as the Protection System. Either PICS or SICS provides sufficient means for the operator to perform the control and information functions needed to monitor the plant safety status and bring the unit to and maintain it in a safe shutdown state. Because of the redundancy and diversity provided by the PICS and SICS, complete failure of all control room indication is not a credible event.

See also the response to Question 19-68 for sensitivity to software CCF without credit for recovery.

FSAR Impact:



Question 19-68:

Please describe the results of additional sensitivity studies that illustrate the effect of digital instrumentation and control (DI&C) modeling uncertainties on CDF and risk insights. Sensitivity studies that may be appropriate are listed on pages 9 of the draft Interim Staff Guidance (ISG) on review of new reactor DI&C PRAs (DI&C-ISG-03, January 2008, Agencywide Document Access and Management System (ADAMS) Accession No. ML080350109).


Sensitivity cases have been run to illustrate the effect of DI&C modeling uncertainty. These sensitivity cases are described below. These cases are comparable to those in the January 2008 draft of the referenced ISG.

Some of the cases suggested by the draft ISG are not applicable because the features described are not credited in the U.S. EPR PRA. Specifically, the diversity and defense-in-depth (D3) systems are not credited in the PRA, except for the diverse reactor trip that is part of the anticipated transient without scram (ATWS) system. Only limited credit is given in the PRA for recovery from DI&C common cause failure (CCF) (refer also to response to Question 19-67) until the D3 evaluation, which is described in Topical Report ANP-10284 and in FSAR Section 7.8, is completed, including determination of whether backup actions will be manual or automated. Therefore, the sensitivity studies for “non-safety-related defense-in-depth systems” and “diverse backup systems,” which are suggested in the January 2008 draft of the ISG are not applicable to the U.S. EPR PRA. The sensitivities reported below may be higher than they would otherwise be if the D3 systems were credited.

The results of the following sensitivity cases are reported in Table 19-68-1. These cases were run for CDF at power (base CDF 5.3E-07/year including internal floods and fires).

1. All software CCF probabilities are increased by one order of magnitude (10X). In addition, the software CCF recovery probability (see response to Question 19-67) is eliminated. (Net increase is 20X for application software, 10X for operating system.)

2. In addition to #1, the diverse actuation system (DAS) is set to guaranteed failure. The only DAS function modeled in the PRA is the diverse reactor trip function for ATWS.

3. In addition to #1, all of the beta-factors for CCF of digital components are increased by a factor of two (2X).

4. In addition to #3, human error probabilities (HEP) associated with cut sets involving CCF of DI&C (including software) are increased by one order of magnitude (10X). Since the D3 evaluation is not explicitly credited in the PRA, the only operator actions that are credited in these cut sets are general actions such as feed and bleed that may apply to many events. These HEPs are increased by 10X when they are in cut sets associated with CCF of digital I&C. If increasing the HEP by 10X would cause the HEP to be greater than one (1.0), then the SPAR-H adjustment formula from NUREG/CR-68832 is

2 NUREG/CR-6883, “The SPAR-H Human Reliability Analysis Method,” Idaho National Laboratory, August 2005.


used, with a 10X increase in a performance shaping factor (PSF). (For example, a 10X PSF increase causes an HEP for feed and bleed to increase from 0.13 to 0.58). It is noted that these HEP increases are conservative. Since there are diverse information and control systems in the main control room, there are no postulated CCFs that result in complete loss of control room indication (refer to response to Question 19-67).

Table 19-68-1—Results of Sensitivity Cases for Digital I&C

Sensitivity Case

Description CDF (1/year) Delta CDF

1 Software 10X increase No software recovery

7.0E-07 33%

2 Software 10X increase No software recovery DAS guaranteed failure

7.3E-07 39%

3 Software 10X increase No software recovery Digital 2X beta increase

7.0E-07 33%

4 Software 10X increase No software recovery Digital 2X beta increase HEP 10X increase

1.1E-06 102%

FSAR Impact:



Question 19-69:

Please provide the basic screening human error probability (HEP) used for pre-initiator human actions in the human reliability analysis (HRA). If the screening HEP of 0.03 from Accident Sequence Evaluation Program HRA Procedure (ASEP) is used, please perform a sensitivity study starting with the screening value of 0.05 recommended for cases where no plant visit or interaction is possible, as is the case at the design certification stage. (See page 3-32 of NUREG-1842 and page 4-2 of NUREG/CR-4772 for further details.)


The screening HEP median value of 0.03 is used as the basic HEP for the pre-initiator human errors. Pre-accident HEPs category 1 and 3 are derived from the basic HEP by applying the recovery factors applicable to each category. This gives the median HEPs, which are then converted to mean values to be used in the model.

A sensitivity case is run by increasing the median basic HEP from 0.03 to 0.05. This corresponds to increasing the mean HEP values by the same factor, as shown in Table 19-69-1.

The results of the sensitivity case are shown in Table 19-69-2. The increase in pre-accident HEPs resulted in a small increase in internal events and total CDF.

Table 19-69-1—Pre-Accident HEP Parameters

BHEP=0.03 (Median) BHEP=0.05 (Median) Parameters

Median Mean Median Mean

Pre-accident HEP Cat. 1 7.E-05 2.E-04 1.E-04 3.E-04

Pre-accident HEP Cat. 3 3.E-03 8.E-03 5.E-03 1.E-02

Table 19-69-2—Sensitivity Case Results for a BHEP increase from 0.03 to 0.05

Base Case Sensitivity Delta CDF (Relative) CDF Internal Events (1/yr) 2.9E-07 2.9E-07 6E-09 (2%) Total CDF (Internal Events, Fire and Flood, 1/yr) 5.3E-07 5.5E-07 2E-08 (4%)

FSAR Impact:



Question 19-70:

In its discussion of post-initiator human actions, NUREG-1792 states that “[t]he total combined probability of all the HFEs in the same accident sequence/cut set should not be less than a justified value. It is suggested that the value not be below ~0.00001 since it is typically hard to defend that other dependent failure modes that are not usually treated (e.g., random events such as even a heart attack) cannot occur.” Please discuss how this recommendation has been applied to the U.S. EPR PRA.


This recommendation has been applied by following the SPAR-H method for HEP determination and dependency evaluation. No absolute lower bound was set for combination of HEPs; however, the SPAR-H method for dependency evaluation was used to assign high failure probabilities to actions that are judged to be dependent on a previous failure.

The following is a discussion about low HEP (or combination of HEPs) in the U.S. EPR HRA.

• No single HFE has a probability of less than 1.0E-5.

• A study of the cutsets with multiple operator failures shows that there are a small number of HEP combinations that result in a combined human failure probability of less than 1.0E-05. This applies to a limited number of HEP combinations, for which it was judged that no dependency exists based on the different type of task, the involvement of a different crew, different time windows.

• A sensitivity case is provided to assess the effect of assigning a lower bound to any combination of HEPs. All the combinations of human errors identified as having a lower than 1E-05 combined probability are changed to a 1.0E-05 value. The results are shown in Table 19-70. The increase in CDF is not significant.

• The recommendation of NUREG-1792 of setting a lower bound to any combination of HEPs is recognized as a good practice. However, the PRA results are not affected by the absence of a threshold value.

Table 19-70: Sensitivity Case Results for setting an absolute lower bound to HEP combinations

Base Case Sensitivity Delta CDF (Relative) Total CDF (Internal Events, Fire and Flood, 1/yr)) 5.3E-07 5.3E-07 6.E-09 (1%)

FSAR Impact:



Question 19-71:

Please discuss how the use of a modern, digital control room has been considered in the HRA. Specifically, how is the use of touch screens and computerized procedures expected to affect operation? How is the failure of control room indication accounted for in the PRA?


The use of a modern digital control room has not been considered explicitly in the human reliability analysis (HRA) at this time.

The SPAR-H methodology, used for the HRA, does not explicitly account for the difference between a modern digital control room and the old style analog control rooms, nor does it distinguish between paper and computerized procedures. SPAR-H is an all-purpose methodology that assigns performance shaping factors (PSF) to account for influences such as complexity, stress, and ergonomics.

In addition, the human factors engineering (HFE) design of the human machine interface (HMI) is in its early stages, and some details that may affect the HRA are not yet available, including decisions regarding screen design and the extent of procedure automation.

However, the screen-based HMI and computerized procedures are expected to provide significantly more information to the operator in a more efficient way, than conventional displays. This is expected to increase situational awareness, without creating information overload. With a well-designed system overview, the decision making process is made easier because the "data collection" mode required when using conventional panels is minimized. Also, computerized procedures may have ties to the indications that the operator requires to make procedure step decisions.

To perform the HRA, the process described in response to Question 19-72 was used to gain a general understanding of the factors that were important to the development of the SPAR-H HRA models, and PSF were assigned in a conservative manner, using the best information available at the time.

The HFE/HRA integration plan, discussed in response to Question 19-72 and in Section 18.6 of the FSAR, will allow for refinement of the HRA as the HMI design and the related emergency procedure guidelines (EPG) mature. Risk-significant human actions and their associated tasks and scenarios will be specifically addressed during HFE activities such as function allocation analyses, task analyses, HMI design, procedure development, and training.

With respect to failure of control room indication, this was not considered to be a significant contributor to the HRA or the PRA because of the redundancy and diversity provided by the two HMI systems. The U.S. EPR has two independent HMI systems for main control room (MCR) indication and controls: the process information and control system (PICS) and the safety information and control system (SICS), which are described in FSAR Section 7.0. The PICS and SICS are implemented on diverse I&C platforms, and so are not vulnerable to the same common cause failure (CCF). In addition, a diverse actuation system (DAS) will be implemented using PICS and the process automation system (PAS), in case of CCF of the safety-related computers. As the designs of the PICS, SICS and PAS are developed in more detail, the HFE verification and validation (V&V) process, described in section 18.10 of the FSAR, will be performed for risk important human actions on both HMI systems, to verify the important HRA assumptions. Incorporation of feedback from the V&V activity and updates to


the HRA are performed in accordance with the HFE/HRA integration plan and the PRA maintenance and upgrade process described in Section 19.1.2.4 of the FSAR.

FSAR Impact:



Question 19-72:

Page 19.1-3 of the FSAR states that qualified analysts have performed each of the technical elements of the PRA. Please discuss the involvement of HRA practitioners and human factors specialists in the development of the U.S. EPR PRA, identified as a good practice in NUREG-1792.


The HRA was performed by experienced PRA and HRA practitioners, with access to and frequent interactions with a multidisciplinary team of human factors, operations, instrumentation and control (I&C), and thermal hydraulic analysis specialists.

In addition to informal interactions, regularly scheduled meetings are held between the team members in PRA/HRA, human factor engineering (HFE), I&C, and operations. The HFE and I&C team members are responsible for design of the main control room (MCR) and human machine interface (HMI), and the operations team members are responsible for design of the emergency procedure guidelines (EPG). The purpose of these meetings is to discuss interface issues and coordinate integration of the various disciplines on the U.S. EPR design team that are associated with HMI, EPG, and PRA development.

The SPAR-H HRA methodology was chosen for the U.S. EPR because it is a conservative methodology and because it is an appropriate methodology for a design that lacks detail with respect to EPG and HMI designs. The HRA will continue to be refined in parallel with the EPG and HMI designs as they mature.

One product of the cooperation discussed above is an implementation plan for the integration of HRA into the HFE program. This plan is discussed in the HFE Program Topical Report (ANP-10279) and in Section 18.6 of the FSAR. The plan describes the iterative process by which the HRA, HMI, and EPG designs will be refined through detailed design. Via this process, the HRA and HFE will support each other and the EPG by providing the design team with feedback that assists in minimizing personnel errors, and improving operator recovery from human errors and plant system failures.

Risk-significant human actions identified by the PRA team, and the associated tasks and accident scenarios, will be addressed during HFE activities such as function allocation analyses, task analyses, procedure development, and training. Consequently, the HFE and EPG teams provide insight to aid the HRA team in assessing the performance shaping factors (PSF) that are important in the HRA. The PSF influence the human error probabilities (HEP) by accounting for conditions such as complexity, operator stress, timing, ergonomics, and other considerations that can be improved by good HFE and EPG design.

As described in Section 18.10 of the FSAR, the HFE verification and validation (V&V) process includes validation of HRA assumptions for dominant sequences by walkthrough analyses with operationally experienced personnel using a plant-specific control room mockup or simulator. Incorporation of feedback from these activities and updates to the HRA are performed in accordance with the HFE/HRA integration plan described in FSAR Section 18.6 and the PRA maintenance and upgrade process described in Section 19.1.2.4 of the FSAR.

FSAR Impact:



Question 19-73:

(Follow-up to Question 19-04) Please provide additional information on the failure rates used for TELEPERM XS (TXS) components. How do the failure rates compare to both observed field experience and theoretical (e.g., part stress) estimates? How do the failure rates account for possible adverse environmental conditions (e.g., high temperature) in accident scenarios?


The response to Question 19-73 includes information determined by AREVA to be proprietary and both proprietary and non-proprietary versions are submitted via AREVA NP Inc. letter to NRC, “Response to U.S. EPR Design Certification Application RAI No. 7, Question 19-73,“ dated June 16, 2008. An affidavit to support withholding of information from public disclosure, per 10CFR2.390(b), is provided as an enclosure to that letter.


Question 19-74:

(Follow-up to Question 19-22) Please describe the expected shutdown sequence of events from entry into MODE 5 until the reactor cavity is flooded for refueling and during startup from the time when reactor cavity draining begins until entry into MODE 4.


Shutdown and startup sequences discussed below are based on PRA related modeling assumptions for design certification. Future detailed information will be reflected in the PRA within the applicants PRA maintenance and upgrade program, as described in FSAR Section 19.1.2.4. COL item 19.1-9 listed in FSAR Table 1.8-2 is provided to confirm that important PRA assumptions on shutdown operations remain valid.

Mode 5 to Reactor Cavity Flooding

The initial entry into Mode 5 occurs when the RCS temperature drops below 200°F. At this point all four RHR trains and two RCPs are in operation, and the SGs are functioning to support RCS cooling in parallel with RHR. When the RCS pressure and temperature are sufficiently reduced, the high pressure letdown path of CVCS is isolated and the low pressure reducing station is aligned and fed by an RHR train. At a high level the following basic set of steps are performed to reach flooded reactor cavity conditions:

1. Continue cooling and depressurizing the RCS

2. Secure the last operating RCP when the RCS is cooled to 131°F.

3. Depressurize and drain RCS to just below the RPV head

4. De-tension RPV head studs and prepare RPV head for removal

5. Flood refueling cavity as the RPV head is removed

Reactor Cavity Draining to Mode 4

Prior to draining the reactor cavity the RHR is in-service removing core decay heat and the plant is in Mode 6. At a high level the following basic steps are consistent with the PRA modeling:

1. Drain refueling cavity

2. Set RPV head and tension head studs (Mode 5)

3. Vacuum fill RCS

4. Pressurize RCS (with PZR heaters) to support RCP operation

5. Realign CVCS to the high pressure letdown path when sufficient pressure is established

6. Start RCPs and commence RCS heat-up to Mode 4 (>200°F)


FSAR Impact:



Question 19-75:

(Follow-up to Question 19-24) Table 19.1-87 states that the reactor coolant system (RCS) is vented in Plant Operating State (POS) CAd2, CAd3, and CAu. Please clarify how the venting affects the availability of the steam generators for heat removal in these POS.


The use of the word “vent” to describe the RCS integrity in Plant Operating States CAd2, CAd3, and CAu was not intended to imply that the RCS was vented to atmosphere. Rather, it was intended to convey that a limited venting evolution (off-gassing) was in progress with an otherwise closed RCS pressure boundary. During CAd2 and CAd3, the pressurizer vent is opened to degas the pressurizer whereas during CAu, the pressurizer vent and RPV vent are opened to off-gas entrained air within the primary system. Hence, this limited venting does not affect the availability of the steam generators during these POS. With respect to the purpose of Table 19.1-87, the integrity column entry for these POS will be changed to “closed” to more accurately reflect the state of the RCS pressure boundary.

FSAR Impact:

FSAR, Tier 2, Table 19.1-87 will be revised as described in the response and indicated on the enclosed markup.


Question 19-76:

(Follow-up to Question 19-39) Please provide system information (including a description and system drawing or fault tree) as assumed in the PRA for the demineralized water system. This system appears to be modeled in the PRA, but no information on the system could be found in the rest of the FSAR.


The demineralized water distribution system (DWDS) is modeled in the PRA based on a representative system design. Potential future changes to the design will be reflected in the PRA within the applicants PRA maintenance and upgrade program, as described in FSAR Section 19.1.2.4. COL item 19.1-9 listed in FSAR Table 1.8-2 is provided to confirm that significant PRA assumptions on system modeling remain valid.

The main function of the demineralized water distribution system (DWDS) is to store water in the demineralized water storage tanks and deliver it to the users in the plant. The function of the system explicitly credited in the PRA is to provide make-up water to the Feedwater Storage Tank (FST) in support of Startup and Shutdown System operation. Only the components of the DWDS that support this specific function are modeled in the PRA:

• The demineralized water storage tanks (30GHC01/02 BB001).

• The emergency demineralized water pump (30GHC60 AP001).

• MOVs and check valves on the emergency demineralized water pump line.

The emergency demineralized water pump is modeled to be manually started when make-up to the feedwater storage tank is needed to support SSS operation. A simplified system drawing of the emergency portion of the DWDS is shown in Figure 19-76-1.

Note: The PRA implicitly credits the DWDS for another function, which is to provide make-up to the EFW storage tanks in case of a break in the EFWS, after successful isolation of the break. This function is performed by the normal (non-emergency) part of the DWDS. Operator failure to isolate is assumed to dominate this function; therefore this part of the DWDS is not modeled in detail. In case of a LOOP, this action is set to failure due to the unavailability of the DWDS.

FSAR Impact:



Figure 19-76-1—Demineralized Water Distribution System (Emergency part) Simplified Drawing (Representative design)


Question 19-77:

(Follow-up to Question 19-46) Please discuss the success criteria and operator action timing for primary feed and bleed in various accident scenarios. The response to question 19-46 provided the probabilities for a modeling uncertainty case in which 1, 2, or 3 PSVs were needed; please discuss how these probabilities were selected. In addition, please clarify the statement on page 5-21 of the Applicant’s Environmental Report that “[o]nly one valve is required for a successful feed and bleed,” so larger valves are not necessary.


Successful feed and bleed can be performed through the use of either the Severe Accident Depressurization Valves (SADVs) or the Pressurizer Safety Relief Valves (PSRVs). The SAMDA discussion presented on page 5-21 of the Design Certification Environmental Report referred to the SADVs. The PRA success criterion for feed and bleed via SADV is 1 out of 2 valves opening, which is consistent with the statement in the ER.

Successful Feed and Bleed through PSRVs is modeled to require 3 out of 3 valves opening. A few MAAP cases used in the U.S. EPR PRA success criteria evaluation have shown that two PSRVs may lead to a success if different timings for a feed and bleed actuation are selected. Given that success criteria for (feed and) bleed depend on a complex combination of a time to initiate the action and the number of the SI pumps/accumulators credited, the most conservative case was selected for the analysis.

The Feed and Bleed success criteria used in the PRA model are summarized in Table 19-77-1.

Table 19-77-1: Summary of Feed and Bleed Success Criteria

Event Bleed Feed Operator Action

Timing for Feed and Bleed

Transient 3 of 3 PSRVs, or

1 of 2 SADVs

1 of 4 MHSI and 1 of 4 Accumulators 90 minutes

Small LOCA 3 of 3 PSRVs, or

1 of 2 SADVs

1 of 4 MHSI and 1 of 4 Accumulators, or

1 of 4 LHSI and 2 of 4 Accumulators

40 minutes

Medium LOCA 3 of 3 PSRVs, or

1 of 2 SADVs

1 of 3 MHSI and 1 of 3 Accumulators, or

1 of 3 LHSI and 3 of 3 Accumulators

30 minutes


As stated in the response to Question 19-46, probabilities selected for a “bleed” need of one, two, or three PSRVs were based on engineering judgment. The highest probability (0.5) was assigned to the base case (3 out of 3).

FSAR Impact:


U.S. EPR Final Safety Analysis Report Markups

U.S. EPR FINAL SAFETY ANALYSIS REPORT

Tier 2 Revision 1—Interim Page 19.1-389

)

Table 19.1-87—Plant Operating States (POS) Sheet 1 of 2

POS DescriptionRCS Conditions

Transition BoundariesT (F) P(psia) Integrity LevelA Power Operation Nominal Nominal Closed Normal Reactor is Critical (all

rods are not in)

B Hot Standby Nominal to 248

Nominal to 460

Closed Normal From 0% power (all rods in) until RHR operation (<248°F and 460 psia)

CAd1 RHR: RCS Normal Level with 2 RHR and SG (shutting down)

248 to 212 460 to 380 Closed Normal From start of RHR operation until 4 RHR in operation

CAd2 RHR: RCS Solid with 4 RHR and SG (shutting down)

212 to 131 380 VentClosed

PZR 90% to Solid

From 4 RHR operation till all RCPs stopped at 131°F (Secondary cooling with SG stopped earlier)

CAd3 RHR: RCS Solid 4 RHR (shutting down)

131 380 to Atm

VentClosed

PZR Solid From 131°F (no RCPs running) until start of drain down

CBd RHR: Mid-loop w/ RPV head on (shutting down)

131 Atm Vent Mid-loop From start of drain down until RPV head off

Dd RHR: Mid-loop w/ RPV head off (shutting down)

131 Atm RPV head off

Mid-loop From RPV head off until cavity is flooded

E Cavity Flooded (fuel off load)


Cavity From cavity is flooded until fuel in SFP with gates/transfer tube closed

F Core Off-load Fuel is in SFP with gates/transfer tube closed

E Cavity Flooded (fuel load)


Cavity From opening of transfer tube/gates until start of draining the cavity

Du RHR: Mid-loop w/ RPV head off (starting up after refueling)


Mid-loop From start of cavity draining until RPV head on

CBu RHR: Mid-loop w/ RPV head on (starting up after refueling)

131 Atm Vent Mid-loop From RPV head on till level in the pressurizer

U.S. EPR FINAL SAFETY ANALYSIS REPORT

Tier 2 Revision 1—Interim Page 19.1-390

CAu RHR: RCS Normal Level ( starting up after refueling)

131 to 248 Atm to 460

VentClosed

Normal From level in the pressurizer until RHR is secured

B Startup 248 to Nominal

460 to Nominal

Closed Normal From RHR secured until criticality

A Power Operation Nominal Nominal Closed Normal Reactor is Critical

Table 19.1-87—Plant Operating States (POS) Sheet 2 of 2

POS DescriptionRCS Conditions

Transition BoundariesT (F) P(psia) Integrity Level

Response to U.S. EPR Design Certification Application RAI ...

Documents

Transcript of Response to U.S. EPR Design Certification Application RAI ...