NOT PROTECTIVELY MARKED. REDACTED PUBLIC VERSION HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion NNB GENERATION COMPANY (HPC) LTD


HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Page No.: i / iii

NNB GENERATION COMPANY (HPC) LTD
HPC PCSR3: CHAPTER 16 PROBABILISTIC SAFETY ASSESSMENT
SUB-CHAPTER 16.2 PSA RESULTS AND DISCUSSION

{ PI Removed }

Published in the United Kingdom by NNB Generation Company (HPC) Limited, 40 Grosvenor Place, Victoria, London SW1X 7EN. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, without the written permission of the copyright holder NNB Generation Company (HPC) Limited, application for which should be addressed to the publisher. Such written permission must also be obtained before any part of this publication is stored in a retrieval system of any nature. Requests for copies of this document should be referred to NNB Generation Company (HPC) Limited, 40 Grosvenor Place, Victoria, London SW1X 7EN. The electronic copy is the current issue and printing renders this document uncontrolled.

APPROVAL SIGN-OFF: { PI Removed }

DOCUMENT CONTROL REVISION HISTORY: { PI Removed } { PI Removed }

Text within this document that is enclosed within brackets { } is Sensitive Nuclear Information, Sensitive Commercial Information or Personal Information and has been removed.

TABLE OF CONTENTS

1. LEVEL 1 PSA RESULTS AND DISCUSSION
   RESULTS
   SENSITIVITY STUDIES
   CONCLUSION
LEVEL 2 PSA RESULTS AND DISCUSSION
   LEVEL 2 PSA MODEL RESULTS
   SOURCE TERM ANALYSIS RESULTS
   SENSITIVITY AND UNCERTAINTY ANALYSIS
   CONCLUSIONS AND INSIGHTS
PSA LEVEL 3 RESULTS AND DISCUSSION
   INDIVIDUAL RISK
   SOCIETAL RISK
   OPERATOR RISK
RISK INFORMED DESIGN (RID)
   RID STUDIES INTERNAL EVENTS
   RID STUDIES HAZARDS
   REPETITION OF ALARP STUDIES CARRIED OUT FOR GDA
   ALARP CONCLUSIONS
REFERENCES ... 89

SUB-CHAPTER 16.2 PSA RESULTS AND DISCUSSION

1. LEVEL 1 PSA RESULTS AND DISCUSSION

This sub-chapter presents the results and insights of the Hinkley Point C (HPC) Probabilistic Safety Assessment (PSA), summarising the following analyses:

- The Level 1 PSA for internal events, presented in HPC Pre-Construction Safety Report (PCSR) 3 Sub-chapter 16.1 section 1.
- The Internal and External Hazards probabilistic analysis, presented in HPC PCSR 3 Sub-chapter 16.1 section 1.
- The accident in the fuel pool probabilistic analysis, presented in HPC PCSR 3 Sub-chapter 16.1 section 1.

Results are compared with the probabilistic target set out in the Nuclear Safety Design Assessment Principles (NSDAPs) [Ref. 1]. Results are also compared with those of HPC PCSR 2012 [Ref. 2] to show the cumulative effect of design and modelling developments. These updates were carried out in batches, with the developments at each step reported in [Ref. 3] to [Ref. 6]; see Sub-chapter 16.1 section 1.

Unavailability due to repairs and preventive maintenance activities is included in the system fault trees of the HPC PCSR3 Reference PSA model (HPC_DPSA_V3_0.RPP); further detail is provided in Sub-chapter 16.1 section 1. The Core Damage Frequency (CDF) with and without preventive maintenance has been compared to demonstrate the effect of adding this modelling; this review is presented in section . Some sensitivity studies carried out for the updated HPC site-specific model for PCSR3 are reported in sections to of this sub-chapter.

The PSA model has some limitations, simplifications and conservatism which could have an impact on overall results; it also does not include additional facilities that are not part of the EPR Nuclear Island design, such as the Interim Spent Fuel Store (ISFS). These features are identified in the relevant HPC PCSR3 sub-chapters, and a specific assessment of the limitations and gaps of the current PSA model has been completed [Ref. 7] to assess the potential impact on risk from features not included in the model.

The probabilistic studies performed for HPC, which are presented in this sub-chapter, are considered to provide a suitable baseline for risk analysis. This, coupled with the assessment of the impact of limitations in the current analysis [Ref. 7] and ongoing PSA Risk Informed Design (RID) activities, provides assurance that the risk from accidents leading to release of radioactivity into the environment will be reduced to as low as reasonably practicable (ALARP).

RESULTS

Summary of Results

Core Damage Frequency in the Reactor Building (HR)

The overall core damage frequency (CDF) is assessed at 5.62E-07 per reactor year (/r.y). This includes the contributions from:

- Internal events (including Loss of Offsite Power (LOOP), which includes contributions from equipment failures and hazards).
- Key internal hazards (internal fire and flood).
- Key external hazards (combined snow and wind, and Loss of Ultimate Heat Sink (LUHS)). It should be noted that LUHS is considered to occur as a result of several external hazards in addition to internal events.
- All reactor states (excluding internal hazards).
- Preventive maintenance in at-power and shutdown states.

This frequency has decreased by 34% compared with the results presented for HPC PCSR 2012 (8.57E-07/r.y). Although some new initiating events have been added compared with the HPC PCSR 2012 PSA model, the core damage frequency has decreased because some conservatism has been removed: for example, the modelling of the house load, the update of reliability data, etc.

Although there remain limitations in the model (see below), the predicted CDF is significantly below the safety objective of 1E-05/r.y for the core damage cumulative frequency, as defined in the NSDAPs [Ref. 1]. It should be noted that there are some limitations in the modelling (e.g. simplifications, or initiating events, hazards and systems that are not yet included) that make the current CDF an underestimate. Sub-chapter 16.1 section 1 Table 9 presents details of a number of initiating events that are not currently included in the Reference PSA model and provides justification as to why their omission is judged to be of low risk significance. In addition, the potential impact that other limitations could have on the HPC risk has also been assessed [Ref. 7].

The potential increase or decrease in risk that each limitation could cause has been considered, taking into account insights from deterministic analysis, the risk gap analysis performed for the UK EPR Generic Design Assessment (GDA) and other relevant PSAs (e.g. US EPR, the Flamanville (FA3) EPR and Sizewell B (SXB)). The main gaps are considered to be:

- Some missing hazards. These have been addressed as Risk-Informed Design (RID) studies while the design and PSA model were still being developed; hazard RID studies are reported in Sub-chapter 16.1 section 4.
- Heating, Ventilation and Air Conditioning (HVAC) systems. The design is being completed with PSA RID studies as a key and integral part of the work. This will ensure that the solution is one that has acceptable consequences for the core damage risk.

Although the assessment of limitations [Ref. 7] is based on engineering judgement, the assessment and RID studies give confidence that future removal of model limitations shall not lead to an unacceptable increase in overall risk.

Risk distribution between Internal Events and Hazards

The following table presents the main results for the CDF from internal events, internal hazards and external hazards. It should be noted that all of these cases take account of preventive maintenance (PM). Most numeric values in this table were lost in extraction; only those recoverable from the text are shown.

                    Core damage frequency [/r.y]   Contribution to overall risk
Internal Events     4.30E (exponent missing)       76.6%
Internal Hazards    (missing)                      16.8%
External Hazards    (missing)                      6.7%
Overall CDF         5.62E-07                       100%

Internal events contribute 76.6% to the overall core damage frequency, internal hazards contribute 16.8% and external hazards contribute 6.7%. However, it should be noted that LOOP has been defined as an internal event whereas in reality the main cause of long LOOP is extreme weather. If this were taken into account, the balance between hazards and internal events would be more even. Furthermore, the relative risk from hazards is probably underestimated due to the limited hazard modelling at this stage. For internal hazards, only fire and flood initiating events are modelled for the at-power reactor states. For external hazards, the current model only includes: extreme snow and wind (causing LOOP combined with diesel generator unavailability), massive ingress of marine organisms or debris (causing LUHS), and some consideration of extreme wind (implicit in the derivation of LOOP frequencies). The potential impact on risk of missing hazards is further discussed in the assessment of the current PSA limitations and gaps [Ref. 7].

Risk distribution between states

The following table shows that State A is the main contributor in terms of core damage frequency. It contributes 76.5% to the core damage risk, as presented in Sub-chapter 16.2 Section 1 - Figure 1. This is mainly explained by the fact that the time spent in State A is much higher than the time spent in other states. Numeric values in this table were lost in extraction; only those stated in the text are shown.

State   Hours spent in the state   Core damage frequency [/r.y]   Hourly core damage frequency [/h]   Contribution to the overall CDF [%]
A       (missing)                  (missing)                      (missing)                           76.5%
B       (missing)                  (missing)                      (missing)                           (missing)
CA      (missing)                  (missing)                      (missing)                           (missing)
C       (missing)                  (missing)                      (missing)                           (missing)
CB      (missing)                  (missing)                      (missing)                           (missing)
D       (missing)                  (missing)                      8.8E-10                             (missing)
E       (missing)                  (missing)                      (missing)                           (missing)

Note: The sum of the contributions to the overall core damage frequency by state is lower than 100%. This is explained by the calculation simplifications performed by the PSA software, which are more conservative for the overall calculation.

Regarding the hourly CDF, the highest CDF is in State D (8.8E-10/h). A single sequence contributes 63.6% to the overall core damage frequency in State D. This sequence is initiated by the loss of the three operating Low Head Safety Injection (LHSI) trains in Residual Heat Removal (RHR) mode, combined with the operator failure to start the stand-by LHSI train in RHR mode and the failure of the In-Containment Refuelling Water Storage Tank (IRWST) cooling with the Containment Heat Removal System (EVU [CHRS]) trains. This scenario is specific to State D: in State C the scenario is mitigated with the steam generators (SGs), and in State E the primary water inventory is sufficient to exclude this initiating event owing to its associated residual consequences.

Risk distribution between the Initiating Event Groups

Sub-chapter 16.2 Section 1 Table 1 and Figure 2 present the different initiating events and their contribution to the overall CDF. The largest contributor (19.3%) is the group Loss of power supply < 10kV, composed of the short and long Loss Of Off-site Power (LOOP) and loss of the 10kV Emergency Secured Power Supply Production and Distribution LH busbars (LOLH). The situation in which the four Emergency Diesel Generators (EDGs) and the two Ultimate Diesel Generators (UDGs) have failed represents the major part of the risk associated with this group. (Note that the group LOOP induced by a reactor trip is considered separately; it contributes 8.5% to the overall CDF.)

The second largest contribution to core damage frequency is from the primary transients, accounting for 18.4% of the total core damage frequency. The main initiating event of this group in terms of risk is the total loss of the Residual Heat Removal (RHR) system initiating event in shutdown states. It should be noted that the loss of LH busbars and the Loss of Cooling Chain (LOCC) scenarios in shutdown states have been integrated into the total loss of the RHR system initiating event for modelling reasons.

The third highest contributor to the overall core damage frequency is the internal hazards (fire and flood in at-power states), which contribute 17.3%. The dominant internal hazard is fire, where the initiating event of fire in a safeguard building contributes 12.4% to the overall core damage frequency. However, it should be noted that there is some conservatism in the modelling of these initiating events [Ref. 7] and they are reviewed in RID studies, see Sub-chapter 16.1 section 4.

The next contributor is the Loss Of Primary Coolant Accident (LOCA) initiating event group, which contributes 12.4%. This relative contribution is considered to be typical for pressurised water reactors. No other initiating event group contributes more than 10% to the overall core damage frequency.

Fuel Damage Frequency and Steaming Frequency in the Fuel Pool Building (HK)

The overall fuel damage frequency is assessed at 6.09E-09/r.y and the global steaming frequency is calculated to be 3.49E-05/r.y. It should be noted that hazards are not included in this part of the analysis, the exceptions being massive ingress of marine organisms, which is modelled as a cause of LUHS, and extreme weather induced LOOP.

Risk distribution between states

Fuel damage frequency

The following table shows that States A and B contribute 58.8% of the overall fuel damage frequency. This important contribution is explained by the high proportion of time spent in those states. Numeric values in this table were lost in extraction; only those stated in the text are shown.

State   Hours spent in the state   Fuel damage frequency [/r.y]   Hourly fuel damage frequency [/h]   Contribution to the overall risk [%]
AB      (missing)                  (missing)                      (missing)                           58.8%
C       (missing)                  (missing)                      (missing)                           (missing)
D       (missing)                  (missing)                      (missing)                           (missing)
E       (missing)                  (missing)                      1.3E-11                             (missing)
F       (missing)                  (missing)                      (missing)                           (missing)

The hourly fuel damage frequency in State E is the highest (1.3E-11/h). This is due to the fact that some draining scenarios are only possible in State E. For instance, the initiating event Break on the Safety Injection System (RIS [SIS]) line outside containment is only considered in State E and it contributes 38.6% to the overall risk of this State. In fact, State E is the only State in which the transfer tube between the reactor building and the fuel pool building is open. The hourly risks in states A, B, C and D are very similar, as the studies performed in these states are the same.

Steaming frequency

The following table shows that States A and B are also the main contributors to the overall boiling frequency (90.7%), which is again explained by the high proportion of time spent in these states. Numeric values in this table were lost in extraction; only those stated in the text are shown.

State   Hours spent in the state   Steaming frequency [/r.y]   Hourly steaming frequency [/h]   Contribution to the overall risk [%]
AB      (missing)                  (missing)                   (missing)                        90.7%
C       (missing)                  (missing)                   (missing)                        (missing)
D       (missing)                  (missing)                   (missing)                        (missing)
E       (missing)                  (missing)                   (missing)                        (missing)
F       (missing)                  (missing)                   7.9E-09                          (missing)

The highest hourly steaming frequency is in State F (7.9E-09/h). This is mainly explained by the fact that two Fuel Pool Cooling System (PTR [FPCS]) trains are required in the refuelling state compared with one in the non-refuelling state. Also, the preventive maintenance on the Circulating Water Filtration System (CFI [CWFS]) trains 2 and 3 is performed during State F. State F is the State during which the power in the spent fuel pool is at its highest.

Risk distribution between the Initiating Event Groups

Fuel damage frequency

Sub-chapter 16.2 Section 1 Table 2 and Sub-chapter 16.2 Section 1 Figure 3 present the different initiating events and their contribution to the overall fuel damage frequency in the Fuel Building (HK [FB]). Draining events contribute 96.6% to the overall fuel damage frequency, whereas loss of cooling events only contribute 3.4%. Overall, accidents from the spent fuel pool only lead to a small proportion (about 1%) of the CDF.

It should also be noted that the spent fuel pool fuel damage analyses, particularly those carried out for draining events, are impacted by a number of conservative inputs. Notably, the support studies are heavily penalised and the human reliability analysis method used to estimate the human error probabilities associated with fault mitigation is not well suited to multi-step actions over a very long timescale (often >10 hours). Additionally, the operating configuration of certain isolating components, such as the fixed gates in the spent fuel pool, has not been finalised and penalising configurations are studied in these analyses. The results presented in this report should therefore be considered bounding rather than best estimate.

The break on a main PTR train sub-group dominates the fuel damage frequency with a contribution of 41.2%. It is noted that a single sequence contributes 21.7% to the overall fuel damage frequency. This sequence is initiated by a break on a main PTR train in states A to D. Then, the operator fails to isolate the associated PTR train, to start the make-up and to restore cooling via the third PTR train before the fuel is uncovered (i.e. in 13h20).

The second highest contributor to the overall fuel damage frequency is the break on the PTR purification line sub-group, which contributes 27.2%. The main sequence of this sub-group contributes 19.2% to the overall fuel damage frequency. This sequence is initiated by a break on the PTR purification line in states A to D, with subsequent failure of the isolation of the cask loading pit purification line. This leads to draining to 60cm above the level of the top of fuel in the storage racks, a loss of spent fuel pool cooling and uncovering of the fuel in the storage racks due to boiling.

The third largest contributor is the break on the third PTR train sub-group, with a contribution of 10.3% to the total fuel damage frequency. A single sequence of this sub-group contributes 9.5% of the overall fuel damage frequency. This sequence is initiated by a break on the third PTR train in states A to D. Then, the operator actions to isolate the third train, to start the make-up and to restore cooling via a main PTR train fail before the fuel is uncovered (i.e. in 10h).

It is noted that the contribution of no other sub-group exceeds 10%. The next most significant contributors are also linked to draining events: break on the RIS line outside the containment (9.6%) and break on the reactor building purification line (7.4%). The highest contributor among the loss of cooling scenarios is the LOOP sub-group, which contributes 2.5% of the overall fuel damage frequency.

Steaming frequency

Sub-chapter 16.2 Section 1 Table 3 and Figure 4 present the different initiating events and their contribution to the overall steaming frequency in the Fuel Building (HK [FB]). Loss of cooling events contribute 99.7% to the overall boiling frequency, whereas draining events only contribute 0.3%.

The largest contribution to boiling frequency is initiated by the Loss of Cooling Chain (LOCC) initiating events, accounting for 53.8% of the total risk. It is noted that a single sequence contributes 27.6% to the overall boiling frequency. This sequence is initiated by the LOCC in states A and B that leads to the loss of train 1 of PTR, followed by failure of the operator actions to start up PTR trains 2 and 3 before the spent fuel pool temperature reaches 97 C.

The second highest contributor to the overall steaming frequency is the loss of a main PTR pump sub-group, which contributes 36.6%. It is also noted that the main part of the risk associated with this sub-group comes from a single sequence (32.7% of the overall boiling frequency). This sequence is initiated by the failure of the PTR train 1 sub-train 1 in operation in states A and B, followed by failure of the operator actions to start up all of the other PTR trains before the spent fuel pool temperature reaches 97 C.

There is no other sub-group whose contribution to the total boiling frequency is higher than 10%. The LOOP event is the next most significant contributor; it contributes 5.1%.

Results

The full set of results is presented in a dedicated report [Ref. 3]. Nevertheless, a discussion of the dominant sequences, the importance factors and associated uncertainties is presented in the following sub-sections.

Dominant Sequences of Core Damage Frequency

The 50 most frequent Minimal Cutsets (MCS) are listed in section 1.5 in Sub-chapter 16.2 Section 1 - Table 4. This table lists the frequency of the MCS, the percentage contribution, the cumulative frequency and the cumulative percentage contribution to the overall Core Damage Frequency (CDF). An MCS description is also provided.

In addition, a dominant sequence review has been performed. This review involved the identification and grouping of the highest frequency event tree (accident) sequences in the Level 1 PSA that are assigned the consequence F, corresponding to core damage. The results, as summarised in the table at the end of this section, indicate that eight sequences contribute over 46% to the total CDF. These eight sequences are explained in further detail below, along with their associated CDF, which has been calculated by summing the relevant Event Tree (ET) sequence frequencies:

Sequence 1 (9.24E-08/r.y): Long LOOP (direct with failure of the house load, or induced following a Reactor Trip (RT), Turbine Trip (TT), Loss of Main Feedwater (LOMFW), Loss of Cooling (LOC), or LOCC pre-initiating event caused by a leak on the common header in States A and B) in state A or B. Loss of the 4 EDGs. No SGs available. The unacceptable consequence is reached because, if the Reactor Coolant System (RCP [RCS]) pump seals (without considering the Standstill Seal System (DEA [SSSS])) are unable to withstand the extreme temperature and pressure, RCP cooling is required with the four Steam Generators (SGs) in order that the pressure and temperature remain within the design envelope for DEA protection and thus guarantee primary circuit integrity. This cooling down to C should be symmetrical for the four loops. It requires at least one Emergency Feed Water System (ASG [EFWS]) pump supplied by the Ultimate Diesel Generators (UDGs), and the manual opening of the ASG header to cool the four SGs with only one ASG train. The failure of this cooling leads to LOCA and core damage. The MCS 5, 14, 29, 30, 46 and 47 of Sub-chapter 16.2 Section 1 Table 4 are part of this sequence.

Sequence 2 (3.85E-08/r.y): Fire in Safeguard Building (HL) 1 during power States A and B. Failure of the automatic switchover of seal water injection by the Chemical and Volume Control System (RCV [CVCS]) train 2. Degradation of RCP pump seals. Loss of the four Medium Head Safety Injection (MHSI) trains. Operator fails to initiate the Fast Secondary Cooldown (FSCD). The unacceptable consequences arise because it is not possible to remove the residual heat sufficiently and to make up the primary inventory lost at the seal breach using the LHSI pumps, owing to the failure of the FSCD to reach the LHSI injection conditions. Note that the estimated CDF of this sequence and the estimated CDF arising from fires in general are overestimated because of conservatisms, including the assumption that the initiating event occurs in division 1. The MCS 10, 11, 12 and 13 of Sub-chapter 16.2 Section 1 Table 4 are part of this sequence.

Sequence 3 (2.88E-08/r.y): LUHS in states A or B. No ASG trains available. The secondary side fails to remove the residual heat and it is assumed that core damage cannot be avoided (feed and bleed operation requires the availability of the MHSI, which are not operable due to the LUHS). The MCS 1 and 2 of Sub-chapter 16.2 Section 1 Table 4 are part of this sequence.

Sequence 4 (2.46E-08/r.y): Failure of the three running Residual Heat Removal (RHR) pumps in state D (Loss Of Residual Heat Removal (LORHR)). Operator fails to start the fourth RHR pump. Failure to initiate the IRWST cooling for MHSI. The MCS 8, 27 and 28 of Sub-chapter 16.2 Section 1 Table 4 are part of this sequence.

Sequence 5 (2.36E-08/r.y): Fire in Safeguard Building (HL) 1 during power States A and B. Failure of the automatic switchover of seal water injection by RCV train 2. Degradation of RCP pump seals. Failure of the partial cooldown or of the four ASG trains. Operator fails to initiate the primary bleed before 30 mins. Core damage is assumed to occur because it is not possible to remove the residual heat by feed and bleed. The MCS 37, 38 and 39 of Sub-chapter 16.2 Section 1 Table 4 are part of this sequence.

Sequence 6 (2.31E-08/r.y): Small primary break between 20 and 45 cm2 in power states A and B. Failure of the three remaining MHSI pumps (one MHSI injection line is considered lost at the primary break). Operator fails to initiate the FSCD. As the LHSI conditions are not reached and the MHSI injection is unavailable, core damage occurs because of the uncovering of the core. The MCS 6 and 7 of Sub-chapter 16.2 Section 1 Table 4 are part of this sequence.

Sequence 7 (1.66E-08/r.y): Loss of cooling chain (LOCC) or loss of a LH busbar (LOLH) and failure of the cooling of the common Component Cooling Water System (RRI [CCWS]) circuits. Degradation of RCP pump seals. Failure of the partial cooldown or of the four ASG trains. Operator fails to initiate the primary bleed before 30 mins. Core damage is assumed to occur because it is not possible to remove the residual heat by feed and bleed. The MCS 19, 20, 24 and 26 of Sub-chapter 16.2 Section 1 Table 4 are part of this sequence.

Sequence 8 (1.39E-08/r.y): Break on the pressuriser in power states A and B. Failure of the partial cooldown or of the four ASG trains. Operator fails to initiate the primary bleed before 30 mins.

Core damage is assumed to occur because it is not possible to remove the residual heat by feed and bleed. The MCS 34 and 35 of Sub-chapter 16.2 Section 1 Table 4 are part of this sequence.

The frequency, percentage and cumulative percentage of the eight most dominant sequences are presented in the following table. The frequencies are those given in the sequence descriptions above; the "% of total CDF" column was lost in extraction.

Sequence   Frequency [/r.y]   % of total CDF   Cumulative % of total CDF
1          9.24E-08           (missing)        16.44%
2          3.85E-08           (missing)        23.29%
3          2.88E-08           (missing)        28.41%
4          2.46E-08           (missing)        32.79%
5          2.36E-08           (missing)        36.99%
6          2.31E-08           (missing)        41.10%
7          1.66E-08           (missing)        44.05%
8          1.39E-08           (missing)        46.52%

Importance Factors and Discussions

The importance analyses allow the estimation of the relative weights of the different elements (basic events, parameters, components, etc.) of a PSA model within the overall risk. The main elements in terms of contribution to the overall risk can thus be identified.

The main importance factor used is the Fussell-Vesely (FV) factor. The FV factor is the ratio of the frequency of the MCS involving the element A to the overall risk frequency. It is roughly equivalent to the Fractional Contribution (FC), which corresponds to the fraction by which the overall risk decreases if the element A never fails (failure probability of 0).

The Risk Decrease Factor (RDF) evaluates the factor by which the overall risk frequency is decreased if the element A never fails (failure probability of 0).

The Risk Increase Factor (RIF) evaluates the factor by which the overall risk frequency is increased if the element A fails with a probability of 1.

The Sensitivity High (Sens. High) factor evaluates the factor by which the overall risk frequency is increased if the failure probability of the element A is multiplied by k (k=10 in this report).

The Sensitivity Low (Sens. Low) factor evaluates the factor by which the overall risk frequency is decreased if the failure probability of the element A is divided by k (k=10 in this report).

The Sensitivity (Sens) factor is the ratio between the Sensitivity High factor and the Sensitivity Low factor.

The formulae for these importance factors are given below.

FV = R(MCS involving A) / R
FC = (R - R(0)) / R
RDF = R / R(0)
RIF = R(1) / R

Sens.high = R(p(A)*k)
Sens.low = R(p(A)/k)
Sens = Sens.high / Sens.low

where R is the overall risk frequency, R(0) is the overall risk frequency if the failure probability of the element A is set to 0, R(1) is the overall risk frequency if the failure probability of the element A is set to 1, R(p(A)*k) is the overall risk frequency if the failure probability of the element A is multiplied by k, and R(p(A)/k) is the overall risk frequency if the failure probability of the element A is divided by k.

At the end of this sub-chapter there are two tables for each of the components, Common Cause Failure (CCF), Operator Post-Accident Actions, and Instrumentation and Control (I&C) basic events:

- The first table contains the Nominal Probability per demand (probability of the event occurring), and the FV, RDF, Sens, Sens Low and Sens High factors of each basic event that has an FV greater than 1%. Where applicable, the list is limited to 50 basic events.
- The second table contains the Nominal Probability per demand and the RIF of each basic event that has a RIF greater than two. Where applicable, the list is limited to 50 basic events. This list will enable some additional features to be captured (compared with the previous list) that have a very low failure probability but for which failure would have a great effect.

Where it is judged to be informative, basic events within 10% of the FV or RIF threshold have been included. For the I&C basic events table ranked according to FV, additional CCF events with FVs significantly below 1% have been included for information purposes. A ranking of the significant systems based on their FC has also been included; it also contains the FC, RIF, RDF, Sens, Sens Low and Sens High factors for each system within the HPC PCSR 3 Reference PSA model.

Significant Components

FV Ranking

Table 5 presents the 20 most risk significant component events (i.e. not including post-accident operator actions, CCFs and I&C, which are studied separately in subsequent sections) ranked by the FV importance measure. The highest ranked components are the main coolant pump shaft seals exposed to RCP [RCS] pressure and temperature. These components provide the leak tightness of the main coolant pumps following the loss of both seal injection via the Chemical and Volume Control System (RCV [CVCS]) and thermal barrier cooling by the Component Cooling Water System (RRI [CCWS]). The failure of the reactor coolant pump sealing system causes a small LOCA during loss of cooling chain transients (i.e. Loss Of Cooling Chain (LOCC), Loss of Ultimate Heat Sink (LUHS)) or during Loss Of Off-site Power (LOOP). Their importance is a result of the relatively high failure probability assumed in the PSA, which is the same as for the HPC PCSR 2012 report [Ref. 2]. The FV values for these seals have dropped from 25.2% in HPC PCSR 2012 [Ref. 2] to 15.6% in the HPC PCSR 3 Reference PSA model.
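As an added worked example (not code from the PCSR3 or from the PSA tool it was produced with), the importance factors defined above are computed for a small constructed cutset model so that the FV, FC, RDF, RIF and sensitivity definitions can be checked against each other; the initiating event, basic events, probabilities and cutsets are invented, and the rare-event approximation for R (sum of minimal-cutset frequencies) is an assumption.

```python
"""Importance factors (FV, FC, RDF, RIF, Sens.high, Sens.low, Sens) for the
basic events of a small minimal-cutset model, using the formulae given in
the preceding section. Constructed example, not HPC PCSR3 data."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed toy model (assumption): one initiating event with a frequency
# per reactor-year and five basic events with failure probabilities per
# demand. The names are illustrative and are not PCSR3 basic events.
IE_FREQ = 1.0e-3  # /r.y
PROBS: Dict[str, float] = {
    "EDG_CCF": 2.0e-3,  # common cause failure of the diesel generators
    "SEAL": 1.0e-1,     # pump shaft seal failure on loss of cooling
    "OP_FSCD": 5.0e-2,  # operator fails to initiate fast cooldown
    "PUMP_A": 2.0e-2,   # injection pump, train A
    "PUMP_B": 2.0e-2,   # injection pump, train B
}
CUTSETS: List[FrozenSet[str]] = [
    frozenset({"EDG_CCF", "SEAL"}),
    frozenset({"PUMP_A", "PUMP_B"}),
    frozenset({"EDG_CCF", "OP_FSCD"}),
]


def risk(probs: Dict[str, float], cutsets: List[FrozenSet[str]],
         ie_freq: float = IE_FREQ) -> float:
    """Overall risk frequency R (/r.y) by the rare-event approximation:
    the sum of the cutset frequencies (assumption; a PSA tool may apply a
    different bound, which the report notes is more conservative)."""
    total = 0.0
    for cs in cutsets:
        f = ie_freq
        for ev in cs:
            f *= probs[ev]
        total += f
    return total


def risk_with(probs: Dict[str, float], cutsets: List[FrozenSet[str]],
              event: str, p: float) -> float:
    """R with the failure probability of one basic event overridden to p."""
    modified = dict(probs)
    modified[event] = p
    return risk(modified, cutsets)


def importance(event: str, probs: Dict[str, float] = PROBS,
               cutsets: List[FrozenSet[str]] = CUTSETS,
               k: float = 10.0) -> Dict[str, float]:
    """Importance factors of `event`, with k=10 as in the report."""
    R = risk(probs, cutsets)
    R0 = risk_with(probs, cutsets, event, 0.0)   # element never fails
    R1 = risk_with(probs, cutsets, event, 1.0)   # element always fails
    R_high = risk_with(probs, cutsets, event, probs[event] * k)
    R_low = risk_with(probs, cutsets, event, probs[event] / k)
    involved = [cs for cs in cutsets if event in cs]
    return {
        "FV": risk(probs, involved) / R,            # R(MCS involving A) / R
        "FC": (R - R0) / R,                         # (R - R(0)) / R
        "RDF": R / R0 if R0 > 0 else float("inf"),  # R / R(0)
        "RIF": R1 / R,                              # R(1) / R
        "Sens.high": R_high,                        # R(p(A)*k)
        "Sens.low": R_low,                          # R(p(A)/k)
        # Sens.high / Sens.low; normalising both by R, as the prose
        # describes them, leaves this ratio unchanged.
        "Sens": R_high / R_low,
    }


def ranking(measure: str, threshold: float, limit: int = 50,
            probs: Dict[str, float] = PROBS,
            cutsets: List[FrozenSet[str]] = CUTSETS) -> List[Tuple[str, float]]:
    """Basic events whose `measure` exceeds `threshold`, highest first
    (ties broken by name), capped at `limit` like the report's tables
    (FV > 1% and RIF > 2, at most 50 events each)."""
    rows = [(ev, importance(ev, probs, cutsets)[measure]) for ev in probs]
    rows = [r for r in rows if r[1] > threshold]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:limit]


if __name__ == "__main__":
    print(f"R = {risk(PROBS, CUTSETS):.3e} /r.y")
    for ev, fv in ranking("FV", 0.01):
        print(f"{ev:8s} FV = {fv:.3f}")
    for ev, rif in ranking("RIF", 2.0):
        print(f"{ev:8s} RIF = {rif:.1f}")
```

Under the rare-event approximation R is linear in each failure probability, so FV and FC coincide for every basic event; the two measures only separate when a non-linear bound is used for R.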

The O-rings of the Standstill Seal System (DEA [SSSS]) exposed to RCP [RCS] pressure and temperature were the third, fourth and 10th most important components in the HPC PCSR 2012 model [Ref. 2]. In the updated model they are now 14th, 15th and 17th respectively. The FV values for these O-rings have decreased from 8.00E-02 to 2.01E-02 and from 6.28E-02 to 1.58E-02 respectively. The modelling of the RCP system has been updated [Ref. 5]. Changes to the design of the thermal barrier [Ref. 6] have led to the FV of all of the RCP pump seals falling. The design change includes the addition of a common header on the RRI thermal barrier cooling lines, which improves the cooling of the four thermal barriers by one RRI common header.

The next most important components are the diesel generators, which comprise the four main Emergency Diesel Generators LHP/Q/R/S (EDGs) and the two Ultimate Diesel Generators LJP/S (UDGs). These diesel generators contribute to the mitigation of loss of offsite power events. Following the LOOP in at-power and shutdown states, the EDGs and UDGs ensure the power supply of the safety systems. The high importance of the diesels is partly due to the relatively low reliability of this type of component.

The next most important components are the Medium Head Safety Injection (MHSI) pumps in trains 3, 4 and 1, which contribute to the mitigation of numerous transients and accidents by performing control of the primary circuit inventory as well as the primary feed function. It should be noted that the MHSI pumps in train 2 do not feature, as these are assumed unavailable as a result of preventive maintenance. There has been a decrease in the FV values of these pumps: they were the 14th to 16th most important components based on FV in HPC PCSR 2012 [Ref. 2] and they are now 16th, 19th and 20th respectively. The failure probability of these pumps has decreased from 2.05E-02 per demand to 1.98E-02 per demand, which in turn has led to a decrease in the associated FV values. The FV for the MHSI pump on train 3 has dropped from 1.92% to 1.59%. The FV for the MHSI pump on train 2 is a little lower than for the other trains (it is ranked 22nd) because the maintenance on MHSI trains is only modelled in train 2.

The following components are modelled as macro-components utilising a single basic event. The new basic events representing the house load failure probability per demand and failure rate for either short or long LOOP are now the third and eighth most important components based on the FV factor. In the HPC PCSR 2012 PSA model the LOOP initiating event was defined as a complete loss of the offsite grid (main and auxiliary grid connections), such that the switch-over to the main generator (house load operation) was assumed to implicitly fail. The house load has been modelled in the HPC PCSR3 Reference PSA model as a supplementary line of defence against the failure of external power sources [Ref. 4]. The FV value for these basic events is high due to the high failure probability of the house load and the quite high original weight of the external LOOP family.

The Main Steam Bypass (GCT [MSB]) failure is the next most important macro-component modelled in this way. Its FV value increased from 1.14E-02 to 1.91E-02 and it is now the 13th most important component, whereas it was ranked in 17th place in HPC PCSR 2012 [Ref. 2]. This is mainly due to the integration of the small Steam Generator Tube Rupture (SGTR) initiating event. In fact, in the case of a small SGTR, a failure of GCT combined with the failure of three out of four Main Steam Relief Trains (VDA [MSRT]) leads to core damage.

Risk Increase Factor Ranking

Sub-chapter 16.2 Section 1 Table 6 presents the 50 most risk significant component events ranked by the Risk Increase Factor (RIF) importance measure.
The top three components are all part of the Nuclear Island uninterrupted 400 V supply (LVD).

The most important component is the LVD inverter. The three-phase inverter has a static contactor to supply power to the 230/400 V AC main distribution system from the 220 V DC provided by the charger / battery combination. Its RIF value has increased from 5.7 in HPC PCSR 2012 [Ref. 2] to in the HPC PCSR3 Reference PSA model, and it has risen from the 14th to the most important component based on the RIF. The second most important component is the LVD busbar. Its RIF value has increased from 9.6 to 11 and it has gone from the eighth most important to the second most important component. The third most important component is the LVD circuit breaker. This is a new basic event which was added to the modelling of the LVD 400 V supply in the HPC D-PSA updates [Ref. 4]. The increase in the RIF values for each of these components is due partly to the Uncontrolled Level Increase (ULI) events at power which have been added to the PSA model [Ref. 3], and partly to the fact that some of the electrical supplies of components were missing or incomplete in the HPC PCSR 2012 model. In the case of a ULI, the LVD is involved in the isolation of the RCV charging line. These additional faults have led to an increase in the RIF value.

The fourth most important component (fifth in HPC PCSR 2012 [Ref. 2]) is the LHD busbar. This busbar is part of the 10 kV Nuclear Island emergency power supply system. The loss of the 10 kV busbar (LHD) induces the loss of the normal and auxiliary grid supply for train 4 of the following systems: ASG, MHSI, RRI, LHSI for injection and RHR. The fifth most important component (third in HPC PCSR 2012 [Ref. 2]) is the two hour 220 V batteries that provide, among other things, the power supply to the diesel I&C in the case of LOOP, thus contributing to the power supply function in the case of loss of external power sources.

The most important components in HPC PCSR 2012 [Ref. 2] using this measure were the reactor coolant pump circuit breakers. These circuit breakers trip the reactor coolant pumps following a loss of RCV seal injection and loss of thermal barrier cooling. If they do not operate correctly, a seal LOCA is assumed to occur. Due to a design change implemented in the HPC PCSR3 Reference PSA model [Ref. 3], an additional Class 1 breaker is modelled for the RCP pumps, providing component redundancy for the pump tripping function and thus leading to a significant decrease in the RIF for the RCP pump circuit breakers.

Significant Systems

Sub-chapter 16.2 Section 1 Table 7 presents the 30 most risk significant systems ranked by the Fractional Contribution (FC) importance measure. When reviewing the system ranking analysis the following point should be noted: when added together, the FCs sum to more than 1 (or 100%). This is because several MCS have multiple systems assigned to them; e.g. an MCS contributing 25% to the overall CDF may contain the failure of an I&C component and an RCP component. This 25% contribution is then assigned in full to each system, rather than being split between them.

Unlike the HPC PCSR 2012 results [Ref. 2], where it was the second most important system after the contribution from operator actions, the I&C is the most significant system with an FC of 59%. This is due to the addition of the Diesel Building Ventilation System (DVD) on both Class 1 and Class 2 I&C platforms and to the changes in safety classification of existing systems, leading to the addition of new I&C signals and the upgrading of Class 2 signals to Class 1 signals (where this leads to duplication of the initial SPPA-T2000 signal on the TXS platform). The operator actions are now the second most important system with an FC of 49%. This has reduced due to the increase in the importance of the I&C. Sections and below consider operator actions and I&C events separately.
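As an added, constructed illustration (not the HPC PSA model, its cut-set lists or RiskSpectrum output), the script below derives the three importance measures used throughout this section from a small hypothetical minimal-cut-set list: Fussell-Vesely (FV, the share of the CDF carried by cut sets containing an event), the Risk Increase Factor (RIF, the CDF with the event assumed failed divided by the base CDF) and the system Fractional Contribution (FC). It reproduces the point made above: because a cut set containing events from two systems is credited in full to both, the FCs add up to more than 100%. It goes one step beyond the text by applying the combined screen (FV > 1% and RIF > 2) used for operator actions later in this section to every basic event. All event names, probabilities, system assignments and cut sets are assumed values.

```python
"""Importance measures derived from a minimal-cut-set (MCS) list.

Added, constructed example: the event names, probabilities, system
assignments and cut sets below are hypothetical and are not taken from
the HPC PSA model or from RiskSpectrum output.
"""
from typing import Dict, FrozenSet, List, Tuple

# Basic events: name -> (probability per demand or frequency per r.y, system).
EVENTS: Dict[str, Tuple[float, str]] = {
    "IE_LOOP":       (1.0e-2, "IE"),        # initiating event frequency (/r.y)
    "IE_SLOCA":      (2.0e-3, "IE"),        # initiating event frequency (/r.y)
    "EDG_CCF_4OF4":  (5.0e-4, "EDG"),       # CCF of the four emergency diesels
    "UDG_CCF_2OF2":  (2.0e-3, "UDG"),       # CCF of the two ultimate diesels
    "RCP_SEAL_FAIL": (3.0e-2, "RCP"),       # pump shaft seal fails after loss of cooling
    "RCP_BREAKER":   (1.0e-3, "RCP"),       # breaker fails to trip the pump
    "MHSI_PUMP_3":   (2.0e-2, "RIS"),       # MHSI pump train 3 fails on demand
    "SPPA_CLF":      (1.0e-4, "I&C"),       # common logic failure of a platform
    "OP_EFWS_NCSS":  (1.0e-1, "OPERATOR"),  # operator fails to start EFWS via NCSS
}

# Minimal cut sets: each set of events, occurring together, leads to core damage.
CUTSETS: List[FrozenSet[str]] = [
    frozenset({"IE_LOOP", "EDG_CCF_4OF4", "UDG_CCF_2OF2"}),
    frozenset({"IE_LOOP", "RCP_SEAL_FAIL", "RCP_BREAKER"}),
    frozenset({"IE_LOOP", "SPPA_CLF", "OP_EFWS_NCSS"}),
    frozenset({"IE_SLOCA", "MHSI_PUMP_3", "SPPA_CLF"}),
    frozenset({"IE_SLOCA", "SPPA_CLF", "OP_EFWS_NCSS"}),
]


def _probs() -> Dict[str, float]:
    return {name: value for name, (value, _system) in EVENTS.items()}


def cutset_frequency(cutset: FrozenSet[str], probs: Dict[str, float]) -> float:
    freq = 1.0
    for event in cutset:
        freq *= probs[event]
    return freq


def core_damage_frequency(probs: Dict[str, float]) -> float:
    """Rare-event approximation: CDF is the sum of the MCS frequencies."""
    return sum(cutset_frequency(cs, probs) for cs in CUTSETS)


def fussell_vesely(event: str) -> float:
    """FV: fraction of the CDF carried by cut sets that contain the event."""
    probs = _probs()
    with_event = sum(cutset_frequency(cs, probs) for cs in CUTSETS if event in cs)
    return with_event / core_damage_frequency(probs)


def risk_increase_factor(event: str) -> float:
    """RIF: CDF with the event assumed failed (probability 1) over the base CDF."""
    probs = _probs()
    base = core_damage_frequency(probs)
    probs[event] = 1.0
    return core_damage_frequency(probs) / base


def fractional_contribution_by_system() -> Dict[str, float]:
    """FC per system: share of the CDF in cut sets containing any event of that
    system. A cut set whose events belong to two systems is credited in full to
    both, so the FCs add up to more than 1. Initiating events are not a system."""
    probs = _probs()
    total = core_damage_frequency(probs)
    fc: Dict[str, float] = {}
    for cs in CUTSETS:
        share = cutset_frequency(cs, probs) / total
        for system in {EVENTS[e][1] for e in cs if EVENTS[e][1] != "IE"}:
            fc[system] = fc.get(system, 0.0) + share
    return fc


def screen_events(fv_min: float = 0.01, rif_min: float = 2.0) -> List[str]:
    """Events that are both risk-significant (FV above fv_min) and sensitive to
    degradation (RIF above rif_min). Initiating events are excluded, because
    setting an initiator frequency to 1 is not a meaningful RIF."""
    return sorted(
        name for name, (_value, system) in EVENTS.items()
        if system != "IE"
        and fussell_vesely(name) > fv_min
        and risk_increase_factor(name) > rif_min
    )


if __name__ == "__main__":
    print(f"CDF (rare-event) = {core_damage_frequency(_probs()):.3e} /r.y")
    for name, (_value, system) in EVENTS.items():
        if system != "IE":
            print(f"{name:14s} FV = {100 * fussell_vesely(name):5.1f}%  "
                  f"RIF = {risk_increase_factor(name):8.1f}")
    fc = fractional_contribution_by_system()
    print("FC by system:", {k: round(v, 3) for k, v in fc.items()},
          "sum =", round(sum(fc.values()), 3))
    print("FV > 1% and RIF > 2:", screen_events())
```

With these assumed inputs the RCP seal failure carries about 69% of the CDF (a high FV) but only a moderate RIF, while the platform common logic failure has a modest FV and a very large RIF: a low-probability event that appears in many cut sets, which is the pattern the RIF rankings in this section repeatedly highlight. The FC of "RCP" equals the FV of each RCP event here only because both RCP events sit in the same single cut set.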

The third most safety significant system is the EDG with an FC of 22%. It should be noted that, adding the FC from the failure of the UDG (9.6%), the combined diesel systems have an FC of 3.17E-01 (~32%). This was the fourth most important system in HPC PCSR 2012 [Ref. 2], but due to the drop in the importance of the RCP it has risen a place in the list.

The RCP is the fourth most safety significant system with an FC of 22%. This arises from its role in preventing LOCA events following the loss of reactor coolant pump seal cooling in the event of LOOP, LOCC and LUHS. The modelling of the RCP has been updated in the HPC PCSR3 Reference PSA model [Ref. 3]. Changes have been made to the design of the thermal barrier, where the addition of a common header on the RRI thermal barrier cooling lines means that the four thermal barriers are permanently cooled by one RRI common header. This in turn leads to a decrease in the frequency of the loss of the RCP, and as such the system's FC has fallen from the third [Ref. 2] to the fourth most important system in the HPC PCSR3 Reference PSA model.

The fifth most safety significant system, as it was in HPC PCSR 2012 [Ref. 2], is the Safety Injection System (RIS [SIS]) with an FC of 19%, which is needed to perform Safety Injection or Residual Heat Removal (RHR) for numerous transients and accident situations.

Significant Operator Post-accident Actions

FV Ranking

Sub-chapter 16.2 Section 1 Table 8 presents the 17 most risk significant operator post-accident actions ranked by the FV importance measure.

The most important operator post-accident action based on FV is the manual start-up and control of ASG via the Non-Computerised Safety System (NCSS) with a time window of 60 minutes. This manual action is required in the case of a total loss of digital I&C in order to perform the secondary residual heat removal. This was the second most important action in HPC PCSR 2012 [Ref. 2]. All NCSS operator action failure probabilities have been recalculated and updated in order to take into account an increased time of 15 minutes for the transfer to the NCSS, instead of the 10 minutes considered in HPC PCSR 2012 [Ref. 3].

The second most important operator post-accident action is the manual initiation of a feed and bleed operation via the NCSS with a time window of 30 minutes. This operator action has increased in importance from HPC PCSR 2012 [Ref. 2], where it was the fifth most important operator action, due to the re-evaluation of all NCSS operator actions, in particular the transfer time to NCSS [Ref. 3].

The third most important operator post-accident action is the manual initiation of a feed and bleed operation via the NCSS with a time window of 120 minutes. This operator action is dependent on the manual start of the ASG (the most important operator action based on FV) and it ensures that feed and bleed is activated within two hours in the event of failure of the secondary cooling and / or depressurisation, to remove the residual heat and perform primary circuit makeup. In HPC PCSR 2012 [Ref. 2] this was the sixth most important operator action.

The fourth most important operator post-accident action based on FV is the manual initiation of Low Head Safety Injection (LHSI) train 4 for Residual Heat Removal (RHR) with a time window of 15 minutes. This was the 22nd most important in HPC PCSR 2012 [Ref. 2]; the increase in the FV is due to the HPC PCSR3 Reference PSA model updates [Ref. 3], in which the modelling of the Loss Of Residual Heat Removal (LORHR) event trees in shutdown states is updated. These modelling changes also incorporate the Loss of Ultimate Heat Sink (LUHS), Loss of Cooling Chain (LOCC) and loss of power supply in shutdown states. The operator action is claimed as

protection in shutdown states Cb and D, and as such is now claimed as protection against more initiating events.

The fifth most important operator post-accident action based on FV is the manual initiation of fast secondary cooldown (FSCD) due to a small break Loss Of Primary Coolant Accident (LOCA) (20-45 cm²). This is a new operator action and it replaces the previous event OP_FSCD_30MN. The failure probability of this operator action is set to 1.0, as the operator does not have enough time to complete the action in order to prevent core melt.

Many NCSS operator actions are prominent in the list of the most important operator actions. It should be noted that the Human Error Probabilities (HEPs) assigned to NCSS operator actions are estimated using Accident Sequence Evaluation Program (ASEP) stress factors higher than those used for operator actions on all other I&C platforms. As such, the resulting HEPs are significantly higher, leading to their dominance in the importance results.

The FV values of the following operator actions have significantly changed when comparing the results from HPC PCSR 2012 [Ref. 2] and the current HPC PCSR3 Reference PSA model.

The operator action (OPE_52) which ensures that the IRWST cooling is provided by the Containment Heat Removal System (EVU [CHRS]) within four hours is the 10th most important operator action in the HPC PCSR3 Reference PSA model, whereas it was the 48th most important event in the HPC PCSR 2012 PSA model [Ref. 2]. This is explained by the update of the modelling of Loss Of Residual Heat Removal (LORHR) in shutdown states. The previous modelling was optimistic, as the IRWST cooling by EVU or by the LHSI pump (ISBP) was not required in some sequences to avoid core damage. In fact, 89% of the contribution of this event to the overall core damage frequency comes from a single sequence of LORHR in state D. This sequence is initiated by the loss of the three operating trains of the Safety Injection System in Residual Heat Removal mode (RIS/RRA [SIS/RHR]) in state D; the operator then fails to start the stand-by RIS/RRA train and the IRWST cooling by EVU fails.

The eighth most important operator post-accident action in the HPC PCSR 2012 PSA model [Ref. 2] was the actuation of the Low Head Safety Injection (LHSI) Safety Injection System (RIS [SIS]) pumps 1 and 4, cooled by the Safety Chilled Water System (DEL [SCWS]), within a time window of 120 minutes. The manual start of the LHSI with the dedicated cooling chain independent of the RRI / Emergency Service Water System (SEC [ESWS]) is required following a total loss of cooling chain (TLOCC) or LUHS in State D. This is because the TLOCC leads to a decrease in the primary coolant inventory due to boiling. It should be noted that the automatic makeup using the MHSI is unavailable as a direct consequence of the initiating event. Due to a design change performed in the HPC PCSR3 Reference PSA model update [Ref. 6], the operator action would be replaced by an automatic I&C response. The FV was 2.83% in the HPC PCSR 2012 model [Ref. 2] and it has dropped to 0.01%, making it now the 51st most important operator action according to the FV in the HPC PCSR3 Reference PSA model.

Risk Increase Factor Ranking

Sub-chapter 16.2 Section 1 Table 9 presents the 12 most risk significant operator post-accident actions ranked by the Risk Increase Factor (RIF) importance measure. The operator action (OPE_52) which ensures that the IRWST cooling is provided by the EVU within four hours is the most important operator action with a RIF value of 179. In the HPC PCSR 2012 PSA model [Ref. 2] it was the 14th most important action with a RIF of 1.6. Design modifications made for HPC [Ref. 6] to the EVU and Ultimate Cooling Water System (SRU [UCWS]) systems to manage the Total Loss Of Cooling Chain (TLOCC) as a Design Basis

Accident (DBA) (including modifications to the systems' architecture, sizing and I&C) ensure higher reliability for the mitigation means claimed against a TLOCC accident. The modifications include classification upgrades on the EVU and the implementation of manual actuations for the EVU containment spray and IRWST pool cooling configurations. As a result of this modification, additional claims are made on the operator action OPE_52, and this leads to the large increase in the RIF.

The second most important operator action involves the operator either: 1) failing to perform the cross connection of the Steam Generator (SG) tank; or 2) failing to re-feed the Start-up and Shutdown System (AAD [SSS]), Main Feed Water System (ARE [MFWS]) or Emergency Feed Water System (ASG [EFWS]) tank. This operator action was the most important action identified in HPC PCSR 2012 [Ref. 2] with a RIF of 36. The RIF has dropped to 27.5 due to modelling changes, where the mechanical failure of the related feed system(s) is now also incorporated along with the electrical dependency of the I&C system and the failure of the operator action.

The RIF values of the following operator actions have significantly changed when comparing the results from PCSR 2 [Ref. 2] and the current HPC PCSR 3 Reference PSA model.

The third most important operator post-accident action based on RIF in HPC PCSR 2012 [Ref. 2] was the actuation of the Low Head Safety Injection (LHSI) RIS pumps 1 and 4, cooled by the Safety Chilled Water System (DEL [SCWS]), within a time window of 120 minutes. Manual start of the LHSI with the dedicated cooling chain independent of the RRI / SEC is required following a TLOCC or LUHS event in State D. This is because the TLOCC leads to a decrease in the primary coolant inventory due to boiling. It should be noted that the automatic makeup using the MHSI is unavailable as a direct consequence of the initiating event. Due to a modelling change performed in the batch 3 update [Ref. 6], the operator action has been replaced by an automatic I&C response. The RIF was 14.3 in HPC PCSR 2012 [Ref. 2]; it has dropped to 1.05 and it is now the 36th most important operator action according to the RIF in the batch 4 model.

A local actuation of the low speed rotation and low pressure washing of the Circulating Water Filtration System (CFI [CFWS]) filters is performed in the case of a total loss of I&C [Ref. 5]. It is a diverse operator action to actuate the CFI band screens in the case of a Total Loss of I&C, and this operator action is now the ninth most important according to the RIF values.

When reviewing both rankings in combination (i.e. actions with FV > 1% and RIF > 2), the following operator post-accident actions are identified as the most important (cells not legible in the source extraction are shown as …):

ID | Description | Nominal probability per demand | FV | RIF
OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS | 7.86E… | …% | …
OP_BLEED_120MN | Operator fails to initiate Bleed t<120mn | … | …% | …
OPE_52 | Operator fails to initiate IRWST cooling with CHRS (Grace period >4h) | … | …% | …
OP_SIS_INJ_80MN_NCSS | Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS | 8.49E… | …% | …
OP_SBODG2H | Operator fails to start UDGs or to close breakers within 2 hours | … | …% | …
OP_EFWS | Operator failure to start and control EFWS | … | …% | 5.99

Two out of the six operator post-accident actions have already been discussed due to their high FV or high RIF. The four additional actions identified are:

- Actuation of Bleed within a time window of 120 minutes. This action is required in the case of the failure of the secondary residual heat removal function, especially during primary and secondary transients.
- Ensuring the start-up of MHSI or LHSI via the NCSS. This action is required in the case of an uncontrolled level drop in State Cb.
- Ensuring the start-up of the UDGs from the MCR within two hours. This action is required following the failure of the four emergency diesel generators in the event of a LOOP.
- Ensuring the start-up of the ASG and the control of the steam generator water level following the loss of the automatic start-up and control by the protection system.

These actions were also identified as important in HPC PCSR 2012 [Ref. 2].

Significant common cause failure events

This section does not include the CCF of sensors. These are included in the section on I&C below.

FV Ranking

Sub-chapter 16.2 Section 1 Table 10 presents the 15 most risk significant CCF events ranked by the FV importance measure. The most important Common Cause Failure (CCF), based on FV, is the total loss of the four emergency diesel generators (LHP/Q/R/S (EDGs)). These diesel generators contribute to the mitigation of loss of offsite power events. Following the LOOP in at-power and shutdown states, the EDGs ensure the power supply of the safety systems.

The second and third most important CCFs, based on FV, are the failure of the MHSI pumps and of the LHSI pumps in operation in the RIS injection line. Failure of the pumps in operation leads to the loss of an entire RIS injection line (MHSI / LHSI). The next most important events are the CCFs of the ASG pumps in operation. The consequence of the failure of the ASG is the loss of residual heat removal and depressurisation with the secondary side in most of the transients and LOCAs.

The next most important CCF, based on FV, is the total loss of the two UDGs (LJP/S). This equipment is required following the failure of the four emergency diesel generators in the event of a LOOP. The next two most important CCFs are the total loss of the RRI pumps in operation and the total loss of the SEC pumps in operation. The consequence of either of these failures is the total loss of the cooling chain supporting, in particular, the MHSI pumps, LHSI pumps 2 and 3, the Chemical and Volume Control System (RCV [CVCS]) pumps, the thermal barrier etc.

Risk Increase Factor Ranking

Sub-chapter 16.2 Section 1 Table 11 presents the 50 most risk significant CCF events ranked by the RIF importance measure. The top four most important CCFs based on RIF are the total loss of the RRI pumps in operation and the total loss of the SEC pumps in operation, either by the pump itself or by the pump motor failing to run. The particularly high RIF is mainly due to the low CCF frequency, and to the fact that the consequence of either of these system failures is the total loss of the cooling chain supporting the MHSI pumps, LHSI pumps 2 and 3, RCV pumps, thermal barrier etc. Within the batch 4 update to the PSA model [Ref. 3], the modelling of the LORHR event trees in shutdown states has been updated. The loss of RIS trains and of RRI and SEC trains is modelled in these updated initiating event fault trees, and the loss of cooling chain is integrated into the new modelling of the LORHR. These modelling changes also incorporate the Loss of Ultimate Heat Sink (LUHS), Loss of Cooling Chain (LOCC) and loss of power supply in shutdown states. This has led to the increase in RIF from 1817 to and from 1816 to respectively.

The fifth most important CCF event based on RIF is the failure to open the first isolation check valve in the RIS injection line. Failure to open this check valve causes the loss of an entire RIS injection line (MHSI / LHSI). This was the most important CCF event based on RIF in HPC PCSR 2012 [Ref. 2], but due to the increase in the RIF values for the RRI and SEC pumps it has dropped to the fifth most important CCF event based on RIF values.

The sixth most important CCF event is nine stuck control rods. The activation of the control rods is required during a reactor trip to prevent core damage. The Anticipated Transient Without Scram (ATWS) faults are events where the required reactor trip fails because of failure of I&C signals, reactor trip actuators or mechanical blockage of control rods. Due to a data update of the probability of nine stuck rods out of 89, there has been a significant decrease in the ATWS Common Mode Failure (CMF) contribution. These control rods are an important safety feature and their failure would have a significant effect on the CMF, as demonstrated by the RIF.

The next most important events are the CCFs of the Emergency Feed Water System (ASG [EFWS]) pumps in operation. The consequence of the failure of the ASG is the loss of residual heat removal and depressurisation with the secondary side in most of the transients and LOCAs.

Significant I&C events

It should be noted that this section includes the CCF of sensors.

FV Ranking

Sub-chapter 16.2 Section 1 Table 12 presents the 20 most risk significant I&C events ranked by the FV importance measure. The most important I&C event is the common logic failure leading to the total failure of the SPPA-T2000 platform. The second most important I&C event is the common logic failure leading to the total failure of the Teleperm XS (TXS) platform. The third most important I&C event is the specific logic failure leading to the total failure of sub-system A of the Protection System (RPR [PS]). The fourth most important I&C event is the specific logic failure leading to the total failure of sub-system B of the Protection System (RPR [PS]). The fifth most important I&C event is the common logic failure of the Non-Computerised Safety System (NCSS) platform.

It is interesting to note that the most significant types of cutset involving the SPPA platform involve a reactor coolant pump seal LOCA or an operator error following an NCSS signal. It should also be noted that the benefit of the NCSS is limited by the reliability of the operator actions in response to NCSS signals.

These five elements were also within the top 10 most important I&C events in the HPC PCSR 2012 model [Ref. 2], with the top four being the same and the NCSS platform in position seven. The FV value for the NCSS platform is roughly the same (1.84% compared to 1.77%), whereas the other FV values have increased. For the SPPA-T2000 and TXS platforms, the FV has increased by over a third. For the two TXS platform specific logic parts, the RPR sub-system A FV has increased by roughly a third, whereas the FV for the RPR sub-system B has increased by a factor of 2.5. This increase in the FV values of the Class 1 and Class 2 I&C systems is due to the addition of the DVD system on both Class 1 and Class 2 I&C platforms and to the change in safety classification of existing systems, leading to the addition of new I&C platforms and the upgrading of Class 2 platforms to Class 1 platforms.

The CCF events on the head loss detection sensors and the CCF on the level sensors were the fifth and sixth most important I&C events in the HPC PCSR 2012 model. These events are no longer relevant to the PSA results due to the new modelling of the common cause failure of the Circulating Water Filtration System (CFI [CFWS]) sensors [Ref. 5]. A new CCF event for the failure of all of the CFI sensor trains replaces the basic events for the CCF on the head loss sensors and the CCF on the level sensors. This basic event is the 11th most important I&C event in the HPC PCSR3 Reference PSA model. As the basic events for the CCF on the head loss sensors and the CCF on the level sensors each have a probability of 1.00E-02, while the CCF event for the failure of all the CFI sensor trains has a probability of 1.00E-05, the frequency of the corresponding complete minimal cut sets is divided by a factor of 10. The probability for this basic event comes from a Risk Informed Design (RID) study [Ref. 8].

The CCF of the Reactor Coolant System (RCP [RCS]) hot leg loop sensors is the next most important I&C event. The CCF of the RCP pressuriser pressure sensors is the next most important I&C event. The Uncontrolled Level Increase (ULI) events have been added in the

HPC PCSR3 Reference PSA model [Ref. 3] and these additional faults have led to an increase in the FV value. The failure of these sensors can lead to a core melt due to a ULI initiating event.

Risk Increase Factor Ranking

Sub-chapter 16.2 Section 1 Table 13 presents the 50 most risk significant I&C events ranked by the RIF importance measure. The most important I&C event is the CCF leading to the total failure of the Teleperm XS (TXS) platform. The second most important I&C event is the CCF leading to the total failure of sub-system A of the Protection System (RPR [PS]). The third most important I&C event is the CCF leading to the loss of the four sensor trains of the Circulating Water Filtration System (CFI [CFWS]). The fourth most important I&C event is the CCF leading to the total failure of sub-system B of the Protection System (RPR [PS]).

Significant Parameters

Sub-chapter 16.2 Section 1 Table 14 presents the 41 most risk significant parameters ranked by the FC importance measure. The most important parameter is the probability of common logic failure leading to the total failure of the SPPA-T2000 platform. The second most important parameter is the failure to run of the emergency diesel generators. The third most important parameter is the probability of common logic failure leading to the total failure of the TXS platform. The fourth most important parameter is the failure to run of the MHSI pumps. The fifth and sixth most important parameters are the probability of failure of the Reactor Coolant System (RCP [RCS]) pump shaft seals 2 and 1 during the rundown phase respectively.

Conclusion

Sub-chapter 16.2 Section 1 Table 15 shows the 50 most significant events for components, I&C events, CCF events and operator post-accident actions according to the FV ranking; it also presents the RIF values for each event. The most important event is the CCF leading to the total failure of the SPPA-T2000 platform. The second most important event is the CCF leading to the total failure of the Teleperm XS (TXS) platform. The third and fourth most important events are the loss of the main coolant pump shaft seals exposed to RCP pressure and temperature.

The fifth most important event, based on FV, is the total loss of the four main emergency diesel generators (LHP/Q/R/S (EDG)). The sixth most important event based on FV is the manual start-up and control of ASG via the Non-Computerised Safety System (NCSS) with a time window of 60 minutes.

Uncertainties

In this section the uncertainty in the overall CDF due to reliability data uncertainty and to truncation of the MCS included in the CDF calculation is addressed.

Reliability Data Uncertainty

Most of the PSA results presented in UK PSA documentation are based on point estimate values (i.e. they consider only the mean and not the parameter uncertainty). The purpose of this section is to assess the impact of these reliability data uncertainties on the overall CDF and hence to assess the robustness of the point estimate results. It should be noted that other types of uncertainty exist [Ref. 7]; this assessment considers only uncertainty in the failure data assigned to the majority of components modelled in the PSA.

Uncertainty in the Level 1 HPC PCSR3 Reference PSA results is quantified using the built-in uncertainty analysis capabilities of the RiskSpectrum™ code, which evaluate parametric uncertainty. Uncertainty analyses are performed with 30,000 Monte Carlo simulations (30,000 is the maximum number of simulations that can be performed in RiskSpectrum™). Each of the parameters (probabilities, failure rates, initiating event frequencies, etc.) used in the Level 1 HPC PCSR3 Reference PSA modelling is associated with a distribution (usually lognormal or beta). These distribution types and the associated parameter values (error factor) are produced from the database used to define the value of the parameters. In a few cases the distributions are not known; in these cases a lognormal distribution with an error factor of 10 is assumed.

The uncertainty analysis results are:

Mean value: 4.47E-07 /r.y
5th percentile: 2.68E-07 /r.y
Median: 4.01E-07 /r.y
95th percentile: 7.57E-07 /r.y

There is less than one order of magnitude between the 5th percentile and the 95th percentile. As discussed above, all parameters are subjected to uncertainty assessment. In addition, the distributions chosen, for example for unknown distributions, are considered to be conservative. Consequently the point estimate value is considered suitable to describe the level of risk. It should be noted that, with the current model, even the 95th percentile value satisfies the safety objective defined for CDF of <1E-05/r.y in the Nuclear Safety Design Assessment Principles (NSDAPs) [Ref. 1].
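The following is an added, constructed example (not the HPC model, its reliability data or the RiskSpectrum run reported above) of the parametric uncertainty propagation just described, using only the Python standard library. Each parameter of a small hypothetical cut-set model carries either a lognormal distribution specified by its error factor (EF, the ratio of the 95th percentile to the median, with EF = 10 where the distribution is treated as unknown) or a beta distribution for a probability per demand; the CDF is sampled by Monte Carlo and its mean, median, 5th and 95th percentiles are compared with the point estimate obtained from the parameter means. The parameter names, values, distributions, cut sets and sample size are assumptions.

```python
"""Monte Carlo propagation of reliability-data uncertainty through a cut-set model.

Added, constructed example: the parameters, their distributions and the cut
sets are hypothetical and are not the HPC data or a RiskSpectrum run. Only the
Python standard library is used.
"""
import math
import random
from typing import Dict, FrozenSet, List, Tuple

Z95 = 1.6449  # standard normal 95th percentile; EF = 95th percentile / median

# name -> (mean value, distribution, shape). For "lognormal" the shape is the
# error factor; for "beta" it is the pseudo-count a + b that fixes the spread
# around the mean. Where no distribution is known, lognormal with EF 10 is used.
PARAMS: Dict[str, Tuple[float, str, float]] = {
    "IE_LOOP":       (1.0e-2, "lognormal", 3.0),    # frequency /r.y
    "IE_SLOCA":      (2.0e-3, "lognormal", 10.0),   # distribution unknown: EF 10 assumed
    "EDG_CCF_4OF4":  (5.0e-4, "beta", 500.0),       # probability per demand
    "UDG_CCF_2OF2":  (2.0e-3, "beta", 500.0),
    "RCP_SEAL_FAIL": (3.0e-2, "beta", 100.0),
    "SPPA_CLF":      (1.0e-4, "lognormal", 5.0),
    "OP_EFWS_NCSS":  (1.0e-1, "beta", 20.0),        # human error probability
}

# Constructed minimal cut sets (each set of events together leads to core damage).
CUTSETS: List[FrozenSet[str]] = [
    frozenset({"IE_LOOP", "EDG_CCF_4OF4", "UDG_CCF_2OF2"}),
    frozenset({"IE_LOOP", "RCP_SEAL_FAIL", "SPPA_CLF"}),
    frozenset({"IE_LOOP", "SPPA_CLF", "OP_EFWS_NCSS"}),
    frozenset({"IE_SLOCA", "SPPA_CLF", "OP_EFWS_NCSS"}),
]


def sample_param(rng: random.Random, mean: float, dist: str, shape: float) -> float:
    """Draw one value of a parameter from its distribution, preserving the mean."""
    if dist == "lognormal":
        sigma = math.log(shape) / Z95                    # EF = exp(Z95 * sigma)
        median = mean * math.exp(-0.5 * sigma * sigma)   # so that E[sample] == mean
        return median * math.exp(sigma * rng.gauss(0.0, 1.0))
    if dist == "beta":
        # a / (a + b) == mean, a + b == shape
        return rng.betavariate(mean * shape, (1.0 - mean) * shape)
    raise ValueError(f"unknown distribution {dist}")


def cdf_from(values: Dict[str, float]) -> float:
    """Rare-event approximation: CDF = sum of the MCS frequencies."""
    total = 0.0
    for cs in CUTSETS:
        freq = 1.0
        for event in cs:
            freq *= values[event]
        total += freq
    return total


def point_estimate() -> float:
    """CDF evaluated at the parameter means (the usual point estimate)."""
    return cdf_from({name: mean for name, (mean, _d, _s) in PARAMS.items()})


def percentile(sorted_values: List[float], q: float) -> float:
    return sorted_values[int(round(q * (len(sorted_values) - 1)))]


def monte_carlo(n: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Sample every parameter n times, quantify the CDF for each draw and
    summarise the resulting distribution."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        values = {name: sample_param(rng, *spec) for name, spec in PARAMS.items()}
        samples.append(cdf_from(values))
    samples.sort()
    return {
        "mean": sum(samples) / n,
        "p05": percentile(samples, 0.05),
        "median": percentile(samples, 0.50),
        "p95": percentile(samples, 0.95),
    }


if __name__ == "__main__":
    print(f"point estimate : {point_estimate():.3e} /r.y")
    for key, value in monte_carlo().items():
        print(f"{key:14s} : {value:.3e} /r.y")
```

Because every distribution is parameterised to keep the mean of the parameter equal to its point value, and the cut sets are products of independent parameters, the sampled mean of the CDF converges on the point estimate; the median lies below it and the 5th to 95th percentile band shows the spread that the point estimate alone hides. The same check (point estimate within the percentile band, mean close to it, band width well under a decade) is what the figures quoted above support for the real model.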

Impact of the MCS Set Truncation

Due to the size of a PSA model, it is not practical to generate all the MCS. Consequently, a truncation process for the MCS has to be used to reduce the amount of computation involved in the MCS generation. This truncation process is based on a probabilistic threshold: all MCS with an occurrence probability (or frequency) lower than the threshold are not included in the final results of the calculation.

Table columns: Input absolute cut-off | Input relative cut-off | Used cut-off for module MCS | Used cut-off for demodularisation | Result [/r.y] | Run time [s] (with activation of the calculation of the importance factors)
Table rows (values only partly legible in the source extraction): 1E E-13 1E E E E-15 1E E E E E E

The threshold value of 1E-15 avoids any significant under-estimation of the global CDF due to the MCS set truncation whilst still enabling an acceptable run time for the computer code calculations.

Findings

Insights regarding Core Damage Frequency in the Reactor Building HR

The overall core damage frequency decreased by 34% between the HPC PCSR 2012 PSA model and the HPC PCSR3 Reference PSA model (from 8.57E-07/r.y to 5.62E-07/r.y). The balance between the different initiating event groups shows that there is no group which exceeds 20% of the overall risk, but there is a particular sensitivity to LOOP situations. The most noticeable evolutions between these two stages of the HPC PSA model are listed below.

- The risk associated with primary transients has increased as a result of the two following major reasons:
  o Introduction of new initiating events regarding the Uncontrolled Level Drop (ULD) in States A to CA and Uncontrolled Level Increase (ULI) in States A to CB.
  o The loss of the 10 kV emergency power LH busbars and the loss of cooling chain scenarios in shutdown states are grouped with the loss of the Safety Injection System operating in Residual Heat Removal mode (RIS/RRA [SIS/RHRS]) due to the update of the structure of the event trees. Therefore the risks associated with these scenarios are integrated in the primary transient group.
- The risk associated with the Loss of power supply <10 kV group decreased by 68% in terms of the absolute frequency. This decrease is mainly due to the integration of the house load in the model (removal of conservatism). An important decrease is explained by the addition of a manual action implemented in the SPPA-T2000 platform to perform the switchover from the Component Cooling Water System (RRI [CCWS]) to the Safety Chilled Water System (DEL [SCWS]) for the cooling of the LHSI pumps of trains 1 and 4. This

26 HPC PCSR3 Public Version Sub-chapter 16.2 PSA Results and Discussion Page No.: 23 / 183 decrease compensates for the additional risk linked to the integration of the initiating event loss of LH busbars. The risk associated with LOCA group has decreased. This can be explained by the update of the small LOCA situations and particularly the re-assessment of specific operator actions probabilities of failure. By using new support studies and splitting the initiating events of small LOCA (the break from 2 to 45 cm² is divided into two breaks 2 to 20 cm² and 20 to 45 cm²), the model currently assesses the risk in a more best-estimate way (but which is still conservative). The update of the reliability data (MHSI pumps, RRI pumps, mechanical blockage of control rods, EDG breaker, etc.) globally leads to a decrease of the core damage frequency. This is mainly explained by the important decrease of the probability of mechanical blockage of control rods. However the update of the reliability of RIS pumps increased the core damage frequency. The importance of analysis by elementary system shows the I&C and operator actions are particularly risk-significant. These two fields are those in which the modelling changes performed have the greatest impact as detailed below. The work performed to justify claims on operator actions that were previously assumed to be unachievable by human factor experts during GDA. The integration of a manual action to perform the switchover from RRI to DEL for LHSI pumps 1 and 4 cooling implemented in the SPPA-T2000 platform. The integration of an operator action to start the band screens in case of loss of I&C (both TXS and SPPA-T2000 platforms). The impact of the increase of the penalty time for operator actions performed with NCSS means (assessed time to switch from the digital I&C to the NCSS has been updated from 10 minutes to 15 minutes by human factor experts). 
However, the apparently high contribution of I&C to the risk and the significant impact of the I&C modelling on the results must be viewed with caution given the following elements. The current I&C modelling does not allow sensitivity analysis on the I&C architecture given the use of a single black box per platform and deterministic figures. Possible improvements should be made on the modelling of sensors in order to describe more accurately their behaviour with respect to actuation (in particular for Reactor Trip (RT)). The current high level I&C modelling is therefore a limitation on deeper analyses of PSA transients. The Safeguard Building Controlled Area Ventilation System (DVL [SBVSE]) and associated DEL cooling is not currently included in the HPC PCSR3 Reference PSA model. Its introduction may have a significant impact on the overall risk.
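As an added illustration (not code from the PCSR or from RiskSpectrum, which produced the figures above), the following Python script quantifies a small constructed cutset list, shows what an absolute cut-off removes from the CDF, and computes the importance measures referred to in this section: Fussell-Vesely (FV), Risk Decrease Factor (RDF), Risk Increase Factor (RIF) and the Sens. high / Sens. low values. The cutsets and basic-event values are constructed, and reading Sens. high / Sens. low as the CDF with the event value multiplied or divided by 10 is an assumption about those columns.

```python
"""Minimal-cutset truncation and basic-event importance measures.

Added example: not code from the PCSR or from the RiskSpectrum software used
for the HPC model. Cutsets and values are constructed. FV, RDF and RIF follow
their standard definitions; reading 'Sens. high/low' as the CDF with the event
value multiplied/divided by a factor of 10 is an assumption.
"""
import math
from typing import Dict, List, Tuple

Cutset = Tuple[str, ...]

# Constructed basic-event values: initiating events are frequencies [/r.y],
# everything else is a probability.
BASIC_EVENTS: Dict[str, float] = {
    "IE_LOOP_LONG": 5e-3,
    "IE_TRANSIENT": 1.0,
    "EDG_CCF": 2e-4,
    "IC_PLATFORM_CC": 1e-4,
    "OP_START_EFWS": 1e-2,
    "OP_FEED_AND_BLEED": 3e-2,
    "PUMP_A_FAIL": 1e-3,
    "PUMP_B_FAIL": 1e-3,
}

# Constructed minimal cutsets, listed from dominant to negligible.
CUTSETS: List[Cutset] = [
    ("IE_TRANSIENT", "IC_PLATFORM_CC", "OP_FEED_AND_BLEED"),              # 3.0E-06
    ("IE_LOOP_LONG", "OP_START_EFWS", "OP_FEED_AND_BLEED"),               # 1.5E-06
    ("IE_LOOP_LONG", "EDG_CCF"),                                          # 1.0E-06
    ("IE_TRANSIENT", "PUMP_A_FAIL", "PUMP_B_FAIL", "OP_FEED_AND_BLEED"),  # 3.0E-08
    ("IE_TRANSIENT", "PUMP_A_FAIL", "PUMP_B_FAIL", "OP_START_EFWS"),      # 1.0E-08
]


def cutset_frequency(cutset: Cutset, values: Dict[str, float]) -> float:
    """Frequency of one cutset: product of its basic-event values."""
    return math.prod(values[e] for e in cutset)


def cdf(cutsets: List[Cutset], values: Dict[str, float]) -> float:
    """Rare-event approximation: sum of the cutset frequencies."""
    return sum(cutset_frequency(c, values) for c in cutsets)


def min_cut_upper_bound(cutsets: List[Cutset], values: Dict[str, float]) -> float:
    """1 - prod(1 - f_i): never above the rare-event sum, tighter when cutsets are not tiny."""
    return 1.0 - math.prod(1.0 - cutset_frequency(c, values) for c in cutsets)


def truncate(cutsets: List[Cutset], values: Dict[str, float], cutoff: float) -> List[Cutset]:
    """Keep only the cutsets whose frequency reaches the absolute cut-off."""
    return [c for c in cutsets if cutset_frequency(c, values) >= cutoff]


def truncation_study(cutsets, values, cutoffs) -> Dict[float, Tuple[int, float, float]]:
    """Per cut-off: (cutsets kept, truncated CDF, fraction of the full CDF lost)."""
    full = cdf(cutsets, values)
    study = {}
    for cutoff in cutoffs:
        kept = truncate(cutsets, values, cutoff)
        truncated = cdf(kept, values)
        study[cutoff] = (len(kept), truncated, (full - truncated) / full)
    return study


def importance(cutsets, values, event: str, factor: float = 10.0) -> Dict[str, float]:
    """FV, RDF, RIF and the CDF with the event value scaled up/down by `factor`."""
    base = cdf(cutsets, values)

    def cdf_with(value: float) -> float:
        changed = dict(values)
        changed[event] = value
        return cdf(cutsets, changed)

    without = cdf_with(0.0)
    return {
        # Fussell-Vesely: share of the CDF carried by cutsets containing the event.
        "FV": sum(cutset_frequency(c, values) for c in cutsets if event in c) / base,
        # Risk Decrease Factor: base CDF over the CDF with the event made perfect.
        "RDF": math.inf if without == 0.0 else base / without,
        # Risk Increase Factor: CDF with the event certain over the base CDF.
        "RIF": cdf_with(1.0) / base,
        "Sens_high": cdf_with(values[event] * factor),
        "Sens_low": cdf_with(values[event] / factor),
    }


if __name__ == "__main__":
    print(f"full CDF (rare event): {cdf(CUTSETS, BASIC_EVENTS):.3E} /r.y")
    print(f"full CDF (MCUB):       {min_cut_upper_bound(CUTSETS, BASIC_EVENTS):.3E} /r.y")
    for cutoff, (n, value, lost) in truncation_study(CUTSETS, BASIC_EVENTS, [1e-5, 1e-7, 1e-9]).items():
        print(f"cut-off {cutoff:.0E}: {n} MCS kept, CDF {value:.3E}, {lost:.2%} lost")
    for event in ("IE_LOOP_LONG", "OP_FEED_AND_BLEED", "EDG_CCF"):
        print(event, {k: f"{v:.3E}" for k, v in importance(CUTSETS, BASIC_EVENTS, event).items()})
```

Running the truncation study at several cut-offs is the check behind the 1E-15 threshold chosen above: the cut-off is lowered until the fraction of CDF lost stops changing materially, which is cheap on five cutsets and is the whole cost problem on a full plant model. The importance dictionary reproduces the kind of ranking that singles out I&C and operator actions in the text, with RDF answering "how much would the CDF fall if this event never happened" and RIF "how much would it rise if it were certain".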

Insights regarding Fuel Damage Frequency in the Fuel Building (HK [FB])

The fuel damage frequency has increased significantly between the HPC PCSR 2012 PSA model and the HPC PCSR3 Reference PSA model. It has increased by a factor of more than 10 (from 5.31E-10/r.y to 6.09E-09/r.y).

In fact the risk associated with non-draining events decreased by 63.4% (from 5.28E-10/r.y to 1.93E-10/r.y). This corresponds to the contribution from initiating events that were already modelled and developed in the HPC PCSR 2012 PSA. This decrease is mainly explained by the following two modifications:
- The start of the PTR main trains is now made using the TXS I&C platform (Class 1) instead of the SPPA-T2000 I&C platform.
- Diversification of the electrical supply of the PTR pumps (PTR train 1 pumps are now supplied by electrical division 2 instead of division 1).

There is a significant increase in the proportion of the risk associated with LUHS situations, but this increase is still minor in terms of absolute frequency. This increase of risk needs to be investigated further because the Circulating Water System (CRF [CWS]) and the Auxiliary Raw Water Cooling System (SEN [ACWS]) pumps are now considered to be running in shutdown states. This is a possible conservatism that could be removed.

The risk associated with the draining events was previously modelled by point values based on Flamanville 3 (FA3) risks from the 2006 PSA, which is now completely out of date. By correctly modelling the draining events, the risk associated with these initiating events has been assessed to be 5.88E-09/r.y, representing an increase in the overall risk of %. What can be said on these initiating events is that the risk is mainly due to the rupture of a main Fuel Pool Cooling System (PTR [FPCS]) line (42.7% of the risk).

However, the quantification of some long term operator actions (a few hours available to perform the actions) included some limitations. In fact, a human error limiting value of 1E-5 has been introduced for long-term actions which were previously assumed to be successful, or actions which were previously modelled as being completely independent. These limitations induce a high increase of the risk which is considered to be conservative. Therefore, the assessment of the overall risk is unbalanced.

The importance factors highlight the importance of the PTR system, operator actions and I&C in mitigating fuel damage in the spent fuel pool.

Insights regarding Steaming Frequency in the Fuel Building (HK [FB])

The steaming frequency decreased significantly between the HPC PCSR 2012 PSA model and the HPC PCSR3 Reference PSA model. The frequency has been reduced by 88.0% (from 2.90E-04/r.y to 3.49E-05/r.y). An important decrease is observed for all non-draining initiating event groups. As for the assessment of fuel damage risk, it is mainly linked to the modification of the I&C platform for the start of the PTR main trains (now Class 1). The decrease for the LUHS family is due to a change in the modelling of sensors in the pumping station. For draining events, the risk associated with steaming (9.39E-08/r.y) remains negligible in comparison with the non-draining events.

SENSITIVITY STUDIES

In addition to the calculation of the importance factors (and particularly Sens. High and Sens. Low), in order to gain the maximum insight from the HPC PCSR3 Reference PSA model, some sensitivity studies have been performed with respect to the modelling of maintenance, common cause failures, and operator actions. It should be observed that the long-term sensitivity analyses have not yet been reviewed to take into account the design and modelling changes for the HPC site-specific PSA. Nevertheless the relevance of the GDA sensitivity analysis is assessed below with respect to the evolutions of the reference PSA model.

Maintenance

A preliminary assessment of the effect of preventive maintenance (PM) is integrated in the model. However, this assessment remains preliminary as:
- The EPR is still in a design phase, thus PM has not been defined in detail (scope, scheduling, duration).
- In the modelling with RiskSpectrum, adding PM at an early stage of the design could bias the importance analysis.
- The modelling of PM with RiskSpectrum gives an average risk over one year and can hide instantaneous hazardous plant configurations.
- Unavailability due to corrective maintenance, which requires operating experience to quantify, should also be considered.

Preventive maintenance as well as corrective maintenance is scheduled during both at-power and shutdown states. In this first analysis, it has been assumed that the provisions (duration) taken into account for the preventive maintenance also cover the impact of the unavailability due to corrective maintenance. The modelling of preventive maintenance in the HPC PCSR3 Reference PSA is described in section of HPC PCSR3 Sub-chapter.

Impact of Maintenance on the Core Damage Frequency in the Reactor Building (HR [RB])

In the HPC PCSR 2012 PSA model, maintenance was responsible for a 15% increase of the CDF. This represented an increase compared to the GDA PSA model due to the introduction of the Circulation Water Filtration System (CFI [CWFS]) and its maintenance. The following table presents the results of the new HPC PCSR3 Reference PSA model:

Base Case CDF [/r.y] (taking into account maintenance) | New CDF [/r.y] (without taking into account maintenance) | ΔCDF [/r.y] | ΔCDF [%]
5.6E E E-8-14

The contribution of maintenance to the CDF prediction in the HPC PCSR3 Reference PSA model is similar to what it was in the HPC PCSR 2012 PSA model.

Impact of Maintenance on Fuel Pool (Fuel Damage)

Preventive maintenance on the Fuel Pool Cooling System (PTR [FPCS]) and its support systems during power operation has also been considered. Preventive maintenance on the PTR trains during refuelling operations is not considered. The result of the sensitivity analysis case indicates that the impact of the preventive maintenance is about 6E-11/r.y (about 1%). The main contributor is the preventive maintenance on the pumping station and the cooling chain (CFI (drum-screen trains 2 and 3), because maintenance is performed in refuelling states, Safety Injection System (RIS [SIS]), Component Cooling Water System (RRI [CCWS]) and Emergency Service Water System (SEC [ESWS])) which cool the main PTR trains. The relative importance of the different maintenance activities has evolved since HPC PCSR 2012 because of the new modelling of the draining events.

Extended Analysis

Analysis of extended Loss of Offsite Power (LOOP) (up to 192 hours) and Loss of Ultimate Heat Sink (LUHS) (up to 100 hours) was carried out using an adapted model based on the Generic Design Assessment (GDA) and reported in HPC PCSR. The total risk associated with these extended LOOP and LUHS initiating events was calculated to be 9.34E-08/r.y and 1.36E-08/r.y respectively (March 2011 GDA Step 4 PCSR results). This was judged to be acceptable [Ref. 2]. Subsequent evolutions related to reliability data and modelling of the HPC D-PSA up to Batch 4 have been screened with respect to any potential significant impact on the extended LUHS and LOOP events. These notably include all the system design modifications recorded in the associated Batch summary reports [Ref. 3] to [Ref. 6]. It was demonstrated that when these evolutions of the HPC PSA model are taken into account, the impact on the CDF calculated using the GDA model for extended events is very limited and would probably lead to a reduction. Therefore, for the HPC PCSR3 Reference PSA model, it is judged that no further development of the extended LUHS and LOOP events is needed for the PCSR.

Sensitivity to Initiating Event Frequency

Sub-chapter 16.2 Section 1 Table 16 presents the forty Initiating Events ranked by FV in terms of Core Damage Frequency (CDF). The first four Initiating Events are:

ID | Description | Normal value | FV | RDF | Sens. high | Sens. low
-LOOPL_AB | Long Loss Of Offsite Power (2<recovery<24hr) - States A+B | { SCI removed } |
-IH F SB1_AB | Fire in Safeguard Building 1 | { SCI removed } |
-RT_A- | Spurious Reactor Trip in power state A | { SCI removed } |
-LUHS_MI_FILTERS | Massive ingress frequency leading to the filters' clogging | { SCI removed } |
1.30E E E E E E E E E E-02 1.09E E E E E E-07

It is observed that the Core Damage frequency is sensitive to LOOP events. To assess more precisely the impact on the CDF of the LOOP Initiating Events, the following sensitivity studies were performed:
- Long LOOP (2h < t < 24h) - Initiating Event Frequency (IEF) multiplied by 10
- Short LOOP (t < 2h) - IEF multiplied by 10
- A combination of the above (both long and short LOOP IEF multiplied by 10)
- No house load modelled.

The frequency of consequential LOOP is already considered to be conservative, so sensitivity studies are unlikely to provide useful insight. The results are as follows:

Sensitivity Study | New CDF [/r.y] | CDF Increase (%)
Long LOOP Initiating Frequency - increase by factor 10 | |
Short LOOP Initiating Frequency - increase by factor 10 | |
LOOP (Long and Short) Initiating Frequencies - increase by factor 10 | |
No House Load | 6.21E |

Although the results are clearly sensitive to the LOOP frequency and to the claim on house load, especially for the long LOOP, there is some comfort from the fact that even with such an unrealistic assumption regarding the IEF, the CDF only rises to just over 1E-06/r.y. It is clear that this is not based on realistic assumptions because:
- The best estimate figure for Long LOOP is considered to be between the value of 1E-03/r.y which was used in the GDA and the HPC site-specific value of 5E-03/r.y which is used in PCSR3.
- In the sensitivity study the Long LOOP frequency is 5E-02/r.y. If applied across all EDF reactor sites in the UK, we would expect a long LOOP for a whole site approximately every three years, which is not reflected by operating experience.

Common Cause Failures

The sensitivity analysis is performed to assess the importance of Common Cause Failure modelling:

Base Case CDF [/r.y] (taking into account CCF) | New CDF [/r.y] (without taking into account CCF) | ΔCDF [/r.y] | ΔCDF [%]
5.6E E E

As expected for the EPR, which has a four-train redundant design for its safety-related systems, the CDF result is sensitive to the Common Cause Failure (CCF) modelling.

Operator actions

Where the PSA modelling effectively claims that several operator actions would have to fail before reaching an undesired outcome, consideration has to be given to potential dependencies between the various actions. The model takes account of such dependencies using the Swain approach, described in the human reliability analysis report which was performed for the GDA. However, UK practice is to assume that there will be a limit to the overall human reliability, known as a Human Performance Limiting Value (HPLV). A HPLV of 1E-05 is recognised as generally appropriate to be applied to combinations of post trip operator actions claimed in Level 1 PSA models in the UK. As this method has not been applied to most of the HPC reference model, a study has been performed to check that the total failure probability from combinations of operator actions within any Minimal Cutset (MCS) does not reach a value below 1E-05 or, if it does, checks are performed to confirm that the impact on the global results is negligible.

The result of this sensitivity study shows that the order of magnitude of the potential optimism linked to the over-claims of the combined operator actions is 5E-10/r.y compared to a global core damage frequency of 5.62E-07/r.y (less than 0.1%). Consequently, it is considered that the current modelling is acceptable and that there are no real situations where the over-claiming of operator actions within a single accident sequence could be problematic. The main MCS that involve multiple combinations of operator actions are presented in Sub-chapter 16.2 Section 1 - Table 17. It should be noted that the following combination appears frequently in these MCS:
- OP_EFWS: Operator failure to start and control the Emergency Feed Water System (ASG [EFWS]) (the control part is involved here)
- OP_FB_120M_MDEP: Operator fails to initiate F&B (Tm = 2 h) with medium dependency
- OP_FEED_TK: Operator fails the cross-connection of the Steam Generator (SG) tank / Operator fails to re-feed the feedwater systems Start-up and Shutdown System (AAD [SSS]), Main Feed Water System (ARE [MFWS]) or ASG tank
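The HPLV check described above, written out as an added Python example (not the study's own code): it finds every cutset whose combined operator-action failure probability is below 1E-05, floors that combination at the HPLV and reports the effect on the CDF, which is the quantity the text compares with the global core damage frequency. The cutsets, basic-event values and the OP_ prefix used to recognise operator-action events are constructed assumptions; OP_EFWS, OP_FB_120M_MDEP and OP_FEED_TK are reused as labels only, with constructed values.

```python
"""HPLV check on combinations of operator actions in minimal cutsets.

Added example: not code from the PCSR or from the HPC PSA model. It applies
the check described in the text: find every MCS whose combined operator-action
failure probability is below the HPLV of 1E-05, floor that combination at the
HPLV, and measure the resulting change in CDF. Cutsets, event values and the
'OP_' naming convention for operator-action basic events are constructed.
"""
import math
from typing import Dict, List, Tuple

HPLV = 1e-5              # Human Performance Limiting Value quoted in the text
OPERATOR_PREFIX = "OP_"  # assumption: operator-action basic events share this prefix

Cutset = Tuple[str, ...]

# Constructed basic-event values (initiating events in /r.y, others probabilities).
# The operator-action values are taken as already including any dependency
# treatment between actions, so the HPLV is applied on top of them.
BASIC_EVENTS: Dict[str, float] = {
    "IE_LOOP_LONG": 5e-3,
    "IE_LOSS_OF_FEEDWATER": 1e-2,
    "EDG_CCF": 2e-4,
    "IC_SPPA_CC": 1e-4,
    "PUMP_TRAIN_CCF": 5e-5,
    "OP_EFWS": 1e-3,
    "OP_FB_120M_MDEP": 1e-2,
    "OP_FEED_TK": 2e-3,
    "OP_LATE_RECOVERY": 1e-4,
}

# Constructed minimal cutsets; the last two combine enough operator actions
# for their product to fall below the HPLV.
CUTSETS: List[Cutset] = [
    ("IE_LOOP_LONG", "EDG_CCF"),
    ("IE_LOSS_OF_FEEDWATER", "EDG_CCF", "OP_FB_120M_MDEP"),
    ("IE_LOSS_OF_FEEDWATER", "PUMP_TRAIN_CCF", "OP_FEED_TK"),
    ("IE_LOSS_OF_FEEDWATER", "OP_EFWS", "OP_FB_120M_MDEP", "OP_FEED_TK"),
    ("IE_LOSS_OF_FEEDWATER", "IC_SPPA_CC", "OP_EFWS", "OP_LATE_RECOVERY"),
]


def split_cutset(cutset: Cutset) -> Tuple[List[str], List[str]]:
    """Separate the operator-action events from the hardware/initiator events."""
    ops = [e for e in cutset if e.startswith(OPERATOR_PREFIX)]
    others = [e for e in cutset if not e.startswith(OPERATOR_PREFIX)]
    return ops, others


def operator_product(cutset: Cutset, values: Dict[str, float]) -> float:
    """Combined failure probability of the operator actions in the cutset (1.0 if none)."""
    ops, _ = split_cutset(cutset)
    return math.prod(values[e] for e in ops) if ops else 1.0


def cutset_frequency(cutset: Cutset, values: Dict[str, float], hplv: float = None) -> float:
    """Cutset frequency; when hplv is given, the operator-action part is floored at it."""
    ops, others = split_cutset(cutset)
    op_part = operator_product(cutset, values)
    if hplv is not None and ops:
        op_part = max(op_part, hplv)
    return math.prod(values[e] for e in others) * op_part


def hplv_violations(cutsets: List[Cutset], values: Dict[str, float], hplv: float = HPLV):
    """MCS whose combined operator-action probability is below the HPLV, with that product."""
    return [(c, operator_product(c, values)) for c in cutsets
            if split_cutset(c)[0] and operator_product(c, values) < hplv]


def hplv_impact(cutsets: List[Cutset], values: Dict[str, float], hplv: float = HPLV) -> Dict[str, float]:
    """CDF before and after flooring operator-action combinations at the HPLV."""
    base = sum(cutset_frequency(c, values) for c in cutsets)
    floored = sum(cutset_frequency(c, values, hplv) for c in cutsets)
    return {
        "base_cdf": base,
        "floored_cdf": floored,
        "delta": floored - base,
        "delta_fraction": (floored - base) / base,
    }


if __name__ == "__main__":
    for cutset, product in hplv_violations(CUTSETS, BASIC_EVENTS):
        print(f"below HPLV ({product:.1E}): {' * '.join(cutset)}")
    impact = hplv_impact(CUTSETS, BASIC_EVENTS)
    print(f"CDF {impact['base_cdf']:.3E} -> {impact['floored_cdf']:.3E} /r.y "
          f"(+{impact['delta']:.2E}, {impact['delta_fraction']:.1%})")
```

The delta is the potential optimism the text quantifies: if it stays a small fraction of the CDF, the unfloored model is acceptable; if not, the cutsets listed by hplv_violations are the ones to revisit. Only cutsets containing at least one operator action are floored, so hardware-only cutsets are untouched.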

As a conclusion, with respect to the low impact of the modelling limitation for combinations of operator actions, the model is considered to be acceptable regarding this aspect.

CONCLUSION

This section of Sub-chapter 16.2 presents the results of the updated site-specific PSA for HPC. Although there are limitations in the model [Ref. 7], the calculated level of risk is significantly below the safety objective of 1E-05/r.y for the core damage cumulative frequency, as defined in the Nuclear Safety Design Assessment Principles (NSDAPs) [Ref. 1]. Moreover, although the calculated level of risk is significantly below the safety objective, an ALARP discussion of the PSA results is given in order to provide a quantitative ALARP assessment of the design.

The balance of risk associated with core damage shows sensitivity to the LOOP initiating events. In spite of the introduction of some new initiating events, the assessed risk has decreased compared to the risk presented in Chapter 15 of HPC PCSR. This decrease in assessed risk is partly due to the modifications to the HPC design which have been implemented and partly due to the reduction of some conservatisms within the PSA model. The introduction of the new initiating events and the reduction of some of the modelling conservatisms have contributed to the development of an improved PSA model for HPC which enables further, more relevant, ongoing insights into the design.

It is observed that I&C importance has been reinforced due to some of the design modifications to HPC, which require additional signals or the upgrade of some I&C signals from class 2 to class 1. Therefore, the sensitivity to the reliability of these I&C platforms is quite high. It should also be noted that the benefit of the Non-Computerised Safety System (NCSS) as back-up is limited, in some faults, by the assumed human reliability for subsequent operator actions, which has been reduced following a human factors analysis of those actions (see Sub-chapter 18.1).

Accidents in the spent fuel pool lead to a fuel damage frequency that is only a small proportion (about 1%) of the CDF. The balance of the risk between the accident families shows that the risk associated with draining events dominates the results. However, it is noted that this is likely to be due to conservative support studies and the fact that the human reliability analysis method used to estimate the human error probabilities associated with fault mitigation is not well suited to multi-step actions over a very long timescale (often >10 hours).

It should be noted that there are some limitations in the modelling (e.g. simplifications, or initiating events, hazards and systems that are not yet included) that make the current CDF an underestimation or an overestimation, depending upon the combined impacts of those limitations. The potential impact that these limitations could have on the HPC risk has been assessed [Ref. 7]. The potential increase or decrease in risk that each limitation could cause has been considered taking into account insights from deterministic analysis, the risk gap analysis performed for GDA and other relevant PSAs (e.g. US EPR, Flamanville 3 (FA3) and Sizewell B (SXB)). Although this assessment of the current PSA limitations and gaps is based on engineering judgement, it provides confidence that future removal of the model limitations will not lead to an unacceptable increase in the overall risk for HPC.

An iterative process to identify design improvements using PSA was implemented throughout the development of the EPR design. The March 2011 GDA Step 4 PCSR presented the results of this process at the time. For the HPC EPR, it is intended that probabilistic assessments will continue to be used to risk-inform the detailed design as the HPC design develops. A Risk-Informed Design (RID) process has been implemented. This process and examples of realised studies are presented in section 4 of Sub-chapter 16.1 (process) and section 4 of Sub-chapter 16.2 (studies).

The PSA results, sensitivity analysis and discussion presented in this section are considered to provide sufficient confidence that the EPRs proposed for HPC meet the targets and requirements laid out in the NSDAPs as far as Level 1 of the PSA is concerned.

2. LEVEL 2 PSA RESULTS AND DISCUSSION

This section presents the results of the Hinkley Point C (HPC) PCSR3 Reference Level 2 Probabilistic Safety Assessment (PSA), including: the Level 2 PSA model results, the source term analysis results, and the sensitivity and uncertainty analysis performed on the Level 2 PSA.

LEVEL 2 PSA MODEL RESULTS

The scope and methodology of the Level 2 PSA model are presented in Sub-chapter 16.1 section 2. The following results from the Level 2 PSA model are presented in this section: Core Damage End State (CDES) frequencies, Release Category (RC) frequencies, Large Early Release Frequency (LERF), and Large Release Frequency (LRF). The CDES are the Level 2 PSA initiating events, and the CDES results are obtained from analysing the Level 1 PSA model. The results for the RCs, LERF and LRF are obtained from analysing the Level 2 PSA model. All Level 2 PSA results have been post processed using post processing specification FMD LVL2 UK.

Minimal CutSet (MCS) post processing edits the results obtained from the PSA model to take additional factors into account, primarily consideration of operator action dependency. The MCS post processing of Level 2 PSA results is presented in more detail in Sub-chapter 16.1 section 2, with details of MCS post processing specification FMD LVL2 UK. There is a requirement in the Nuclear Safety Design Assessment Principles (NSDAPs) [Ref. 1] to demonstrate that the frequency of early containment failure or very large releases is well below 1 x 10^-6 per reactor year (ry). The assumptions identified within this sub-chapter are identified by the label AS-PSA-154-yyy. All assumptions are then collated within the Assumptions Report [Ref. 9].

Core Damage End States Results

The CDES are described in Sub-chapter 16.1 section 2; they are Level 1 PSA consequences and Level 2 PSA initiating events. The frequency results for CDES in Plant States A and B are presented in Sub-Chapter 16.2 Section 2 Table 5, which shows that the following CDES are most significant for Plant States A and B:
- SS, representing core damage from seal Loss Of Coolant Accident (LOCA) sequences where off site power is available but Fast CoolDown (FCD) is not initiated, is the most significant CDES. Sub-CDES SS-SB1, representing the same sequence but specifically following a fire in the safeguard building, is particularly important. However, it should be noted that the modelling following a fire in the safeguard building is currently conservative; this is explored in detail in Sub-chapter 16.2 section 4, which covers Risk Informed Design (RID).
- TP, representing core damage following Long Loss Of Offsite Power (LOOP) (including consequential Long LOOP).
- TR, representing core damage following a transient or from non-isolated homogeneous boron dilution sequences.

The MCS for all CDES in Plant States A and B are presented in Appendix C of the Sub-chapter 16.2 section 2 supporting information report [Ref. 10]. The Level 1 PSA results are discussed in Sub-chapter 16.2 section 1.

Release Category Results

The RCs are described in Sub-chapter 16.1 section 2 and summarised in Sub-Chapter 16.2 Section 2 Table 6. Sub-Chapter 16.2 Section 2 - Table 7 presents the frequency of each RC in each plant state, including release from the Spent Fuel Pool (SFP). There is no Level 2 PSA model for SFP accident sequences: fuel damage in the Level 1 PSA SFP model is assumed to lead directly to the SFP RC. The Level 1 PSA SFP model is presented in Sub-chapter 16.2 section 1. The dominant RCs (as a percentage of the frequency of all RCs) are: RC101 (20%), RC102 (58%), and RC504 (12%).

A summary of each RC and the dominant contributors to each are presented in Sub-Chapter 16.2 Section 2 - Table 9, with MCS for each RC presented in Appendix D of the Sub-chapter 16.2 section 2 supporting information report [Ref. 10]. Sub-Chapter 16.2 Section 2 - Table 9 was created based upon a review of the dominant MCS for each RC and the basic event importance listing for each RC. The review was limited to Plant States A and B due to their significant contribution to risk as compared to shutdown states.

35 HPC PCSR3 Public Version Sub-chapter 16.2 PSA Results and Discussion Page No.: 32 / 183 RC101 and RC102 represent sequences where the containment remains intact and is not bypassed. They are considered success sequences. RC504 represents sequences where containment fails in the long-term due to containment heat removal being unavailable to control containment pressure and the containment sprays being unavailable to reduce the source term of the release. RC504 is dominated by Long LOOP and failure of on-site Alternating Current (AC) power due to Common Cause Failure (CCF) and Instrumentation and Control (I&C) failures. The contribution of RC504 would be reduced if the planned resilience enhancements for HPC were taken into account, a sensitivity study was performed [Ref. 11] and showed a 17% reduction in RC504 following core damage caused by Long LOOP when the resilience enhancements are taken into account. It should be noted that not all RCs defined in Sub-chapter 16.1 section 2 are included in the Level 2 PSA model; therefore they do not appear in the RC results. RC601, RC801, RC802a and RC802b are not included in the Level 2 PSA model for the following reasons: containment building sprays do not impact the source term following basemat failure (RC601), the break location of an Interfacing Systems Loss of Coolant Accident (IS LOCA) is modelled as not being underwater; therefore no fission product scrubbing is provided (RC801), and RC802a and RC802b are sensitivity studies for the source term following an IS LOCA, taking into account deposition and ventilation. Sub-Chapter 16.2 Section 2 Table 10 presents the breakdown of the RCs into the different containment failure modes. This shows that the conditional probability of the containment remaining intact, isolated and not bypassed following core damage is 78.3%. The conditional probability of the containment being bypassed or not isolated following core damage is 6.4%. 
The conditional probability of the containment failing in the short or medium term, before or at the time of vessel failure, is 2.8% and in the long-term, after vessel failure, is 12.5%. These results can be derived from examination of Sub-Chapter 16.2 Section 2 - Table 7, taking the RC definitions into account. The decoupling criterion for core damage is defined for the Level 1 PSA, presented in Sub-chapter 16.1 section 1. Sub-Chapter 16.2 Section 2 Table 8 presents the hourly frequency of each release category in each state. It shows that the per hour risk is higher in shutdown states, particularly Plant States C and D. However, the time spent in the shutdown states is much lower than the time spent at power, which reduces the contribution of shutdown states to the per reactor year results presented in Sub-Chapter 16.2 Section 2 - Table Large Early Release Results The LERF is defined 1 as the frequency of a release of more than 100 TBq of Cs-137 that occurs before vessel failure. This definition results in the following RCs being included in LERF: Release Category Included in LERF Release Category Included in LERF RC101 No RC401 Yes RC102 No RC402 Yes 1 A review of international definitions for LRF and LERF is presented in HPC PCSR2012 Sub-chapter The international review was used to develop the definitions adopted for HPC.

36 HPC PCSR3 Public Version Sub-chapter 16.2 PSA Results and Discussion Page No.: 33 / 183 MCS No. Release Category Included in LERF Release Category Included in LERF RC200 Yes RC403 Yes RC201 Yes RC404 Yes RC202 Yes RC501 No RC203 Yes RC502 No RC204 Yes RC503 No RC205 Yes RC504 No RC206 Yes RC602 No RC301 Yes RC701 Yes RC302 Yes RC702 Yes RC303 Yes RC802 Yes RC304 Yes SFP No The MCS, importance and sensitivity listings for the LERF assessment are presented in Appendix E of Sub-chapter 16.2 section 2 supporting information report [Ref. 10]. The total predicted result for LERF is 4.91E-8 /ry. The MCS which contribute greater than 1% to LERF are listed below. In total, these 13 MCS contribute 41.7% to LERF. Frequency /ry Contribution % E E E E E DIL HE_CA PROB=1 -PBV_AB Basic Event ID L2CP ISL BL NO WATER PROB=1 -SGTR1_AB RIS1420POEFR_D-ALL SYS_OTHER_B_CC -SGTRS_AB Description Heterogeneous Dilution during state Ca Probability used for events in certain failure V-LOCA during power states AB Level 2 conditional probability: break location not under water (ISL) Probability used for events in certain failure SG tube rupture 1 tube - States AB CCF fail to run MHSI pump Failure of SPPA-T2000 platform common logic GCT VDA1110VVPFO_D-234 -SGTRS_AB GCT VDA1110VVPFO_D-ALL Small SG tube rupture - States A+B By-pass Condenser Fails CCF fail to open MSR fluid valves Small SG tube rupture - States A+B By-pass Condenser Fails CCF fail to open MSR fluid valves E SGTR1_AB SG tube rupture 1 tube - States AB

37 HPC PCSR3 Public Version Sub-chapter 16.2 PSA Results and Discussion Page No.: 34 / 183 MCS No. Frequency /ry Contribution % E E E E E E E Basic Event ID SYS_OTHER_B_CC SYS_PROTC_A_CC -SGTR1_AB RPR_PS_DIV_B_A24SC SYS_OTHER_B_CC -ULD_NCP_A12 L2CP ISL BL NO WATER RPR_PS_DIV_B_A24SC SYS_NCSSUNICORN_FAIL -ULD_NCP_A12 L2CP ISL BL NO WATER SYS_NCSSUNICORN_FAIL SYS_PROTC_A_CC -ULD---_B1C2 L2CP ISL BL NO WATER OP_RCV_ISO_150 SYS_PROTC_A_CC -ULD---_B1C2 L2CP ISL BL NO WATER OP_RCV_ISO_150 RPR_PS_DIV_B_A24SC Description Failure of SPPA-T2000 platform common logic Failure of TXS platform common logic SG tube rupture 1 tube - States AB E1A, 2/4- Failure of specific logic part - PS diversity B Failure of SPPA-T2000 platform common logic Initiating Event ULD 1 year Level 2 conditional probability: break location not under water (ISL) E1A, 2/4- Failure of specific logic part - PS diversity B Failure of NCSS/UNICORN platform common logic Initiating Event ULD 1 year Level 2 conditional probability: break location not under water (ISL) Failure of NCSS/UNICORN platform common logic Failure of TXS platform common logic ULD pre-initiating event states B1C2 Level 2 conditional probability: break location not under water (ISL) Operator fails to manually isolate RCV HP letdown before 150 min in state B1- C2 Failure of TXS platform common logic ULD pre-initiating event states B1C2 Level 2 conditional probability: break location not under water (ISL) -DIL HE_A- PROB=1 -RT_A- OPD-L2-CIH NCSS Operator fails to manually isolate RCV HP letdown before 150 min in state B1- C2 E1A, 2/4- Failure of specific logic part - PS diversity B Heterogeneous Dilution during power operation Probability used for events in certain failure Spurious Reactor Trip in power state A Dependent operator failure to close containment isolation valves - NCSS

38 HPC PCSR3 Public Version Sub-chapter 16.2 PSA Results and Discussion Page No.: 35 / 183 MCS No. Frequency /ry Contribution % Basic Event ID OP_EFWS_60MN_NCSS OP_FB_120M_MDEP_NCSS SYS_OTHER_B_CC SYS_PROTC_A_CC TEG HPFL Description Operator fails to start and control EFWS - NCSS Operator fails to initiate F&B (Tm=2 h) with medium dependency - NCSS Failure of SPPA-T2000 platform common logic Failure of TXS platform common logic Probability that GWPS fails on containment high pressure MCS 1 represents a heterogeneous boron dilution during State CA, which is conservatively assumed to lead directly to early containment failure with no mitigation modelled [AS-PSA ]. This conservative assumption should be considered for further investigation as part of the future development of the Level 2 PSA. This MCS is captured within RC304. MCS 2 represents an IS LOCA during Plant States A and B, which is conservatively assumed within the Level 1 PSA [AS-PSA ] to lead directly to core damage. It is assumed in the Level 2 PSA [AS-PSA ] that the break location is not underwater; therefore no fission product scrubbing is provided. IS LOCAs bypass containment, so no other mitigation is considered available. 29 bounding fault frequencies contribute to the IS LOCA initiating event [Ref. 12]. This MCS is captured within RC802. MCS 3 represents rupture of a single Steam Generator (SG) tube in Plant States A and B followed by a CCF of all four Medium Head Safety Injection (MHSI) pumps to run and failure of the SPPA-T2000 I&C platform resulting in failure of the Chemical Volume and Control System (RCV [CVCS]) and Fast Secondary CoolDown (FSCD). This combination of failures, after a single Steam Generator Tube Rupture (SGTR), results in core damage and containment bypass. The Emergency Feedwater System (ASG [EFWS]) is available to the ruptured SG which provides fission product scrubbing, reducing the source term of the release. 
SGTRs bypass containment, so no other mitigation is considered available. This MCS is captured within RC701.

MCS 4 and 5 represent a small SGTR in Plant States A and B. Following the small SGTR, secondary cooldown fails because steam cannot be removed from the intact SGs via the bypass condenser or the Main Steam Relief Train (VDA [MSRT]); this is caused by failure of the bypass condenser together with CCF of the main steam relief fluid valves. ASG is not claimed to provide fission product scrubbing. SGTRs bypass containment, so no other mitigation is considered available. Both of these MCS are captured within RC701. Two MCS are generated because two different CCFs are calculated: CCF of all four main steam relief fluid valves, and CCF of the three main steam relief fluid valves on the remaining three intact SGs.

MCS 6 and 7 represent a single tube SGTR in Plant States A and B followed by I&C failures, which then result in core damage. The I&C failures cause failure of RCV, FSCD and MHSI. This combination of failures, after a single tube SGTR, results in core damage and containment bypass. ASG is available to the ruptured SG, which provides fission product scrubbing and so reduces the source term of the release. SGTRs bypass containment, so no other mitigation is considered available. Both MCS are captured within RC701. These two MCS are similar to MCS 3, with the MHSI failure being caused by I&C failures rather than by CCF.

MCS 8 and 9 represent an Uncontrolled Level Drop (ULD) in State A combined with failure either to isolate RCV letdown or to provide safety injection, both due to a combination of Teleperm XS (TXS) and Non Computerised Safety System (NCSS) I&C platform failures. This results in an IS LOCA and core damage. It is assumed in the Level 2 PSA [AS-PSA ] that the break location is not underwater; therefore no fission product scrubbing is provided. IS LOCAs bypass containment, so no other mitigation is available. Both MCS are captured within RC802.

MCS 10 and 11 represent a ULD in Plant States B1 or C2 combined with automatic safety injection failure, caused by failure of the TXS I&C platform, and failure of the operator to manually isolate RCV letdown within 150 minutes. This results in an IS LOCA and core damage. It is assumed in the Level 2 PSA [AS-PSA ] that the break location is not underwater; therefore no fission product scrubbing is provided. IS LOCAs bypass containment, so no other mitigation is considered available. Both MCS are captured within RC802.

MCS 12 represents a heterogeneous boron dilution during State A leading directly to early containment failure with no mitigation modelled. It is conservatively assumed [AS-PSA ] that a heterogeneous boron dilution in State A results in early containment failure. This MCS is captured within RC304.

MCS 13 represents a spurious Reactor Trip (RT) followed by I&C and operator action failures, resulting in core damage. Secondary Residual Heat Removal (RHR), using Main Steam Bypass (GCT [MSB]) with the Main Feedwater System (ARE [MFWS]) or the Start-up and Shutdown Feedwater System (AAD [SSS]), and reactor coolant pump trip fail due to the failure of both the TXS and SPPA-T2000 I&C platforms. Secondary cooldown then fails due to the failure of the TXS and SPPA-T2000 I&C platforms in conjunction with the failure of the operator to manually start the ASG from the NCSS platform within 60 minutes. Finally, the operator fails to initiate Feed and Bleed (F&B) from the NCSS platform within two hours, resulting in core damage.
Following core damage the operator successfully depressurises the primary circuit before induced SGTR or Hot Leg (HL) rupture. The containment is not fully isolated following failure of the Gaseous Waste Processing System (TEG [GWPS]), and the operator also fails to manually isolate containment, taking previous failures into account (see Sub-chapter 16.1 section 2 for details on MCS post-processing). This MCS is captured within RC206.

The importance listing for basic events presents the basic events which are the most significant contributors to LERF. The following table presents the basic events with a fractional contribution of greater than 0.1 to LERF:

No. | Basic Event ID | Description | Fractional Contribution
1 | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic | 3.67E-01
2 | SYS_PROTC_A_CC | Failure of TXS platform common logic | 2.56E-01
3 | L2CP ISL BL NO WATER | Level 2 conditional probability: break location not under water (ISL) | 2.29E-01
4 | PROB=1 | Probability used for events in certain failure |
5 | L2PH VECF-FA(H) | Very early containment failure due to H2 Flame Acceleration (Hi pressure sequences) |
6 | RPR_PS_DIV_B_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity B |
7 | -SGTR1_AB | SG tube rupture 1 tube - States AB | 1.25E-01

The basic event importance listing confirms the importance of I&C to preventing a large early release. Basic event L2CP ISL BL NO WATER has a probability of failure of unity, and represents the assumption that the break location of an IS LOCA is not underwater, so no fission product scrubbing is provided. This indicates that IS LOCAs contribute a significant proportion of LERF. Basic event PROB=1 is used for a number of situations where failure is assumed certain, such as heterogeneous boron dilution leading to core damage and containment failure. Basic event L2PH VECF-FA(H) does not appear in the MCS discussed above; however, after the top 13 MCS the risk profile becomes very flat and this basic event appears in many MCS (additional MCS are presented in Appendix E of the HPC PCSR3 Sub-chapter 16.2 section 2 supporting information report [Ref. 10]). Early containment failure due to hydrogen flame acceleration in high pressure sequences has a significant contribution to LERF. The significance of hydrogen flame acceleration sequences should be considered for investigation as part of the future development of the Level 2 PSA. The basic event representing SGTR in a single tube in Plant States A and B confirms the significant contribution of containment bypass sequences to LERF.

The following table presents the most significant initiating events to LERF:

No. | Basic Event ID | Description | Fractional Contribution
1 | -SGTR1_AB | SG tube rupture 1 tube - States AB | 1.25E-01
2 | -DIL HE_CA | Heterogeneous Dilution during state Ca | 9.16E-02
3 | -PBV_AB | V-LOCA during power states AB | 7.53E-02
4 | -SGTRS_AB | Small SG tube rupture - States A+B | 7.26E-02
5 | -ULD---_B1C2 | ULD pre-initiating event states B1C2 | 5.75E-02

This confirms the significant contribution of SGTRs and IS LOCAs to LERF. It also confirms the significance of the assumption that heterogeneous boron dilution in State CA leads directly to containment failure [AS-PSA ].
The dominant initiating contributors to LERF are Level 1 PSA failure sequences which lead directly to a large and early release, with no mitigation claimed in the Level 2 PSA.

The following table presents the most significant phenomenological events to LERF:

No. | Basic Event ID | Description | Fractional Contribution
1 | L2PH VECF-FA(H) | Very early containment failure due to H2 Flame Acceleration (Hi pressure sequences) | 1.51E-01
2 | L2PH INVREC(S-DEP)=Y | In-vessel recovery success - hot leg rupture or operator depressurization during seal/small LOCA DES |
3 | L2PH INVREC(T-DEP)=Y | In-vessel recovery success - hot leg rupture or operator depressurization during transient CDES |
4 | L2PH CBV HP | Complete circumferential rupture of vessel (gives vessel rocket in HP sequences) | 2.09E-02
5 | L2PH INVREC(T-DEP)=N | In-vessel recovery fails - hot leg rupture or operator depressurization during transient CDES |

This confirms that phenomenology is not a dominant contributor to LERF, and that the most significant phenomenological event is hydrogen flame acceleration in high pressure sequences. The phenomenology modelled in the Level 2 PSA is discussed in detail in Sub-chapter 16.1 section 2. It should be noted that in-vessel recovery is only claimed following primary circuit depressurisation, either by the operator or by HL rupture. HL rupture is only possible following failure of the operator to depressurise the primary circuit; in these sequences HL rupture is seen as providing a benefit by avoiding high pressure core melt.

The following table presents the most significant operator actions to LERF, from both the Level 1 and Level 2 PSA:

No. | Basic Event ID | Description | Fractional Contribution
1 | OPD-L2-CIH NCSS | Dependent operator failure to close containment isolation valves - NCSS | 9.68E-02
2 | OP_BLEED_30MN_NCSS | Op. fails to initiate bleed in 30 min - NCSS | 7.09E-02
3 | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS | 7.08E-02
4 | OPD-L2-CIH | Dependent operator failure to close containment isolation valves |
5 | OP_RCV_ISO_150 | Operator fails to manually isolate RCV HP letdown before 150 min in state B1-C2 |

This confirms the relatively low importance of operator actions in preventing a large early release; this is because SGTR and IS LOCA lead directly to a large early release following core damage, without any opportunity claimed for the operator to intervene.
The operator actions modelled in the Level 1 PSA are discussed in detail in Sub-chapter 16.1 section 1, and the operator actions modelled in the Level 2 PSA are discussed in detail in Sub-chapter 16.1 section 2.

The following table presents the most significant CCF groups contributing to LERF:

No. | CCF Group ID | Description | Fractional Contribution
1 | RIS1420POEFR_D | CCF fail to run MHSI pump | 1.44E-01
2 | VDA1110VVPFO_D | CCF fail to open MSR fluid valves | 7.31E-02
3 | RCP681YMP_AC_D | CCF between 4 pressurizer pressure sensors | 6.47E-02
4 | LHP DFR_D | CCF to run emergency diesel generators | 3.98E-02
5 | RIS1220POEFR_C | CCF fail to run LHSI pumps | 3.73E-02

This confirms the low significance of Level 2 specific CCFs to LERF. CCFs of the Emergency Diesel Generators (EDGs), Low Head Safety Injection (LHSI) and MHSI are significant contributors to core damage (see Sub-chapter 16.2 section 1), and therefore have a significant presence in the Level 2 PSA. Main steam relief is required to prevent core damage following small SGTR and failure of the bypass condenser; SGTRs bypass containment, so no other mitigation is considered available.

Large Release Results

The Large Release Frequency (LRF) is defined (see footnote 2) as the frequency, in /ry, of a release of more than 100 TBq of Cs-137. This definition results in the following RCs being included in LRF:

Release Category | Included in LRF
RC101 | No
RC102 | No
RC200 | Yes
RC201 | Yes
RC202 | Yes
RC203 | Yes
RC204 | Yes
RC205 | Yes
RC206 | Yes
RC301 | Yes
RC302 | Yes
RC303 | Yes
RC304 | Yes
RC401 | Yes
RC402 | Yes
RC403 | Yes
RC404 | Yes
RC501 | No
RC502 | Yes
RC503 | No
RC504 | Yes
RC602 | Yes
RC701 | Yes
RC702 | Yes
RC802 | Yes
SFP | Yes

Footnote 2: A review of international definitions for LRF and LERF is presented in HPC PCSR2012 Sub-chapter. The international review was used to develop the definitions adopted for HPC.

The MCS, importance and sensitivity listings for the LRF assessment are presented in Appendix F of the Sub-chapter 16.2 section 2 supporting information report [Ref. 10]. The total predicted frequency for LRF is 1.20E-07 /ry. The MCS which contribute greater than 1% to LRF are listed below. In total, these nine MCS contribute 18.0% to LRF.

MCS No. | Frequency /ry | Contribution % | Basic Event ID | Description
1 | | | -DIL HE_CA | Heterogeneous Dilution during state Ca
 | | | PROB=1 | Probability used for events in certain failure
2 | | | -PBV_AB | V-LOCA during power states AB
 | | | L2CP ISL BL NO WATER | Level 2 conditional probability: break location not under water (ISL)
 | | | PROB=1 | Probability used for events in certain failure
3 | | | -LOOPL_AB | Long Loss Of Offsite Power (2 < recovery < 24 h) - States A+B
 | | | %COEF_A1/AB | Time spent in states A1 (8076 h) during states AB (8225 h)
 | | | HOUSELOAD_FS | House load failure to start on demand
 | | | L2 REC OSP 2-7H | Offsite power not recovered between 2 and 7 hours
 | | | L2 REC OSP 7-31H | Offsite power not recovered between 7 and 31 hours
 | | | LHP DFR_D-ALL | CCF to run emergency diesel generators
 | | | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic
4 | | | -SGTR1_AB | SG tube rupture 1 tube - States AB
 | | | RIS1420POEFR_D-ALL | CCF fail to run MHSI pump
 | | | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic
5 | | | -RT_A- | Spurious Reactor Trip in power state A
 | | | L2 REC OSP 2-7H | Offsite power not recovered between 2 and 7 hours
 | | | L2 REC OSP 7-31H | Offsite power not recovered between 7 and 31 hours
 | | | LHP DFR_D-ALL | CCF to run emergency diesel generators
 | | | LOOPL_ON_RT | Induced LOOP (> 2 h) after Reactor Trip
 | | | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic
6 | | | -SGTRS_AB | Small SG tube rupture - States A+B
 | | | GCT | By-pass Condenser Fails
 | | | VDA1110VVPFO_D-234 | CCF fail to open MSR fluid valves
7 | | | -SGTRS_AB | Small SG tube rupture - States A+B
 | | | GCT | By-pass Condenser Fails
 | | | VDA1110VVPFO_D-ALL | CCF fail to open MSR fluid valves
8 | | | -LOOPL_AB | Long Loss Of Offsite Power (2 < recovery < 24 h) - States A+B
 | | | %COEF_A1/AB | Time spent in states A1 (8076 h) during states AB (8225 h)
 | | | HOUSELOAD_L_FR | Plant operation failure rate during house load for LOOP long
 | | | L2 REC OSP 2-7H | Offsite power not recovered between 2 and 7 hours
 | | | L2 REC OSP 7-31H | Offsite power not recovered between 7 and 31 hours
 | | | LHP DFR_D-ALL | CCF to run emergency diesel generators
 | | | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic
9 | | | PTR_MAIN LINE_RU | Break on a main PTR train
 | | | %COEF_AD/YEAR | Time spent in states A to D 8406 h per year ( )/8760
 | | | FB OP DR LONG TERM REC | Long term recovery of operator errors after SFP boiling during draining transients
 | | | OPE_95 | Operator diagnosis, isolation, make up and start 3rd PTR train < 13 h 20 from MCR

MCS 1 and 2 appear as MCS 1 and 2 for LERF and are discussed in the LERF results section above.

MCS 3 and 8 represent a Long LOOP initiating event in Plant States A and B, followed by failure of house load, leaving the site reliant upon AC power from the EDGs and Ultimate Diesel Generators (UDGs). The EDGs fail to start due to CCF and the UDGs fail due to failure of the SPPA-T2000 I&C platform; these failures result in no on-site AC power being available and, therefore, core damage. Following core damage, attempts to restore the grid connection fail and AC power is not restored to site; no claim is made on repairing the EDGs or UDGs. Containment fails due to failure to provide containment heat removal, caused by no on-site AC power being available, leading to containment overpressurisation. Both of these MCS are captured within RC504.

MCS 4 appears as MCS 3 for LERF and is discussed in the LERF results section above.

MCS 5 is similar to MCS 3 and 8; however, the Long LOOP occurs due to a spurious RT followed by a consequential loss of grid. No claim is made on house load, and the probability of grid restoration is assumed to be the same as if the initiating event were a loss of grid rather than a spurious RT, which could be conservative. This MCS is captured within RC504.

MCS 6 and 7 appear as MCS 4 and 5 for LERF and are discussed in the LERF results section above.

MCS 9 represents draining of the Spent Fuel Pool (SFP) via a main Fuel Pool Cooling System (PTR [FPCS]) train break in Plant States A-D. Following the break, the operator fails to isolate the train associated with the break and fails to start SFP make-up using the 3rd PTR train before the fuel is uncovered. The operator then fails to recover from the previous failures, leading to fuel damage. This MCS is captured within the SFP RC. SFP results are presented as part of the Level 1 PSA in Sub-chapter 16.2 section 1.

The importance listing for basic events presents the basic events which are the most significant contributors to LRF. The following table presents the basic events with a fractional contribution of greater than 0.1 to LRF:

No. | Basic Event ID | Description | Fractional Contribution
1 | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic | 3.49E-01
2 | L2 REC OSP 2-7H | Offsite power not recovered between 2 and 7 hours |
3 | L2 REC OSP 7-31H | Offsite power not recovered between 7 and 31 hours |
4 | SYS_PROTC_A_CC | Failure of TXS platform common logic | 2.55E-01
5 | %COEF_A1/AB | Time spent in states A1 (8076 h) during states AB (8225 h) | 2.38E-01
6 | -LOOPL_AB | Long Loss Of Offsite Power (2<recovery<24h) - States A+B |
7 | LHP DFR_D-ALL | CCF to run emergency diesel generators | 1.85E-01
8 | HOUSELOAD_FS | House load failure to start on demand | 1.79E-01
9 | LOOPL_ON_RT | Induced LOOP (>2 h) after Reactor Trip | 1.35E-01
10 | RCP_SEAL#2_RD | Conditional failure of RCP shaft seals #2 during rundown phase | 1.15E-01
11 | RCP_SEAL#1_RD | Failure of RCP shaft seals #1 during rundown phase |
12 | -RT_A- | Spurious Reactor Trip in power state A | 1.10E-01

The basic event importance listing confirms the importance of I&C and of the availability of on-site AC power in preventing a large release. Basic event SYS_PROTC_A_CC represents failure of the TXS I&C platform. Although this basic event does not appear in the top nine MCS discussed above, it appears in several of the remaining MCS. Basic events RCP_SEAL#2_RD and RCP_SEAL#1_RD represent failure of the reactor coolant pump seals and also do not appear in the top MCS listed above. Failure of the reactor coolant pump seals leads to a LOCA, which then requires claims on additional systems, beyond those demanded by the initiating event alone, to prevent core damage.

The following table presents the most significant initiating events to LERF:

No. | Basic Event ID | Description | Fractional Contribution
1 | -LOOPL_AB | Long Loss Of Offsite Power (2<recovery<24h) - States A+B | 2.04E-01
2 | -RT_A- | Spurious Reactor Trip in power state A | 1.10E-01
3 | IH F SB1_AB | Fire in Safeguard Building |
4 | -SGTR1_AB | SG tube rupture 1 tube - States AB | 5.10E-02
5 | -LOOPS_AB | Short Loss Of Offsite Power (<2h) - States A+B | 4.98E-02

This confirms the significant contribution of LOOP to LRF. The high contribution of SGTR originates from its importance to LERF (which is included within LRF).

The following table presents the most significant phenomenological events to LERF:

No. | Basic Event ID | Description | Fractional Contribution
1 | L2PH VECF-FA(H) | Very early containment failure due to H2 Flame Acceleration (Hi pressure sequences) | 5.69E-02
2 | L2PH INVREC(S-DEP)=Y | In-vessel recovery success - hot leg rupture or operator depressurization during seal/small LOCA DES |
3 | L2PH CPIHLR-TR,TP=Y | Induced hot leg rupture. Conditional probability given no ISGTR. TR, TRD, TP, TPD cases. |
4 | L2PH INVREC(T-DEP)=Y | In-vessel recovery success - hot leg rupture or operator depressurization during transient CDES |
5 | L2PH CBV HP | Complete circumferential rupture of vessel (gives vessel rocket in HP sequences) |

This list is very similar to that for LERF, but at reduced significance. The phenomenology modelled in the Level 2 PSA is discussed in detail in Sub-chapter 16.1 section 2. It should be noted that in-vessel recovery is only claimed following primary circuit depressurisation, either by the operator or by HL rupture. HL rupture is only possible following failure of the operator to depressurise the primary circuit; in these sequences HL rupture is seen as providing a benefit by avoiding high pressure core melt.

The following table presents the most significant operator actions to LERF, from both the Level 1 and Level 2 PSA:

No. | Basic Event ID | Description | Fractional Contribution
1 | OP_BLEED_30MN_NCSS | Op. fails to initiate bleed in 30 min - NCSS | 3.95E-02
2 | OPD-L2-CIH NCSS | Dependent operator failure to close containment isolation valves - NCSS | 3.92E-02
3 | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS |
4 | OPE_X_CONNECT | Failure probability of operator to perform local action for switchgear crossconnection |
5 | OP_SBODG2H | Operator fails to start SBO diesels or to close breakers within 2 hours |

This shows that operator actions are less significant in LRF than in LERF, and have a relatively low significance to LRF; this is likely due to the high contribution of I&C failure and on-site AC power unavailability sequences to LRF. The operator actions modelled in the Level 2 PSA are discussed in detail in Sub-chapter 16.1 section 2.

The following table presents the most significant CCF groups contributing to LRF:

No. | CCF Group ID | Description | Fractional Contribution
1 | LHP DFR_D | CCF to run emergency diesel generators | 3.14E-01
2 | LJP DFR_B | CCF to run SBO diesel generators | 1.36E-01
3 | RIS1420POEFR_D | CCF fail to run MHSI pump | 6.16E-02
4 | VDA1110VVPFO_D | CCF fail to open MSR fluid valves | 3.01E-02
5 | RCP681YMP_AC_D | CCF between 4 pressurizer pressure sensors | 2.85E-02

This confirms the low significance of Level 2 specific CCFs to LRF. CCFs of EDGs, UDGs and MHSI are significant contributors to core damage (see Sub-chapter 16.2 section 1), and therefore have a significant presence in the Level 2 PSA.

Comparison against Nuclear Safety Design Assessment Principles Target

The Nuclear Safety Design Assessment Principles (NSDAPs) [Ref. 1] contain an objective for sequences potentially involving either the early failure of the primary containment or very large releases to have a cumulative frequency well below 1E-6 /ry. The LRF results presented above contain consideration of both large releases (including very large releases) and early containment failure. LRF for the Level 2 PCSR3 Reference PSA is 1.20E-07 /ry, which is an order of magnitude below the 1E-06 /ry target in the NSDAPs.
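How the LRF definition above (a release of more than 100 TBq of Cs-137), the release fractions that the source term analysis later combines with the fission product inventory, and the NSDAP target fit together, as an added Python example that is not part of the PCSR and not output of the PSA tool. The Cs-137 inventory, the release fractions and the frequencies are constructed values; the RC identifiers follow the table above, but the numbers attached to them here do not come from the PSA.

```python
# Added example, not part of the PCSR: applying the LRF definition used above
# (a release of more than 100 TBq of Cs-137) to a set of release categories.
# The inventory, release fractions and frequencies are constructed values.

LRF_THRESHOLD_TBQ = 100.0        # LRF criterion from the text: > 100 TBq of Cs-137
NSDAP_TARGET_PER_RY = 1.0e-6     # NSDAP objective referred to in the text: well below 1E-6 /ry

# Constructed Cs-137 core inventory at shutdown, in TBq (illustrative, not the EPR value).
CORE_CS137_TBQ = 3.0e5

# Constructed release categories: (frequency /ry, Cs-137 release fraction).
# The RC identifiers follow the table above; the numbers attached to them do not.
RELEASE_CATEGORIES = {
    "RC101": (5.0e-7, 1.0e-5),   # containment intact and isolated: design leakage only
    "RC206": (2.0e-8, 2.0e-3),   # containment not isolated
    "RC304": (1.0e-8, 5.0e-2),   # early containment failure
    "RC504": (3.0e-8, 1.0e-2),   # late overpressure failure
    "RC701": (1.5e-8, 1.0e-1),   # SGTR: containment bypassed
}


def cs137_release_tbq(inventory_tbq, release_fraction):
    """Activity released: inventory multiplied by the release fraction for the RC."""
    return inventory_tbq * release_fraction


def is_large_release(inventory_tbq, release_fraction, threshold=LRF_THRESHOLD_TBQ):
    """True when the RC meets the LRF definition (strictly more than the threshold)."""
    return cs137_release_tbq(inventory_tbq, release_fraction) > threshold


def classify(rcs, inventory_tbq):
    """Map each RC to its 'Included in LRF' decision, like the table above."""
    return {rc: is_large_release(inventory_tbq, frac) for rc, (_, frac) in rcs.items()}


def lrf(rcs, inventory_tbq):
    """Large Release Frequency: sum of the frequencies of the included RCs
    (rare-event approximation, consistent with summing MCS frequencies)."""
    return sum(freq for freq, frac in rcs.values()
               if is_large_release(inventory_tbq, frac))


def margin_to_target(frequency, target=NSDAP_TARGET_PER_RY):
    """How many times below the target the frequency is; 10 means one order of magnitude."""
    return target / frequency


def summary(rcs, inventory_tbq):
    """Per-RC rows: (rc, frequency, Cs-137 released in TBq, included in LRF)."""
    return [(rc, freq, cs137_release_tbq(inventory_tbq, frac),
             is_large_release(inventory_tbq, frac))
            for rc, (freq, frac) in rcs.items()]


if __name__ == "__main__":
    for rc, freq, tbq, included in summary(RELEASE_CATEGORIES, CORE_CS137_TBQ):
        print(f"{rc}: {freq:.2e} /ry, {tbq:.3g} TBq Cs-137, LRF: {'Yes' if included else 'No'}")
    total = lrf(RELEASE_CATEGORIES, CORE_CS137_TBQ)
    print(f"LRF = {total:.2e} /ry, {margin_to_target(total):.1f}x below the 1E-6 /ry target")
```

With these constructed values RC101 releases about 3 TBq and stays out of LRF, the other four categories exceed 100 TBq, and the LRF of 7.5E-08 /ry sits a factor of about 13 below the 1E-6 /ry objective. Note that the decision depends on the inventory as much as on the release fraction, which is why the source term section carries the core and SFP inventories separately.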

SOURCE TERM ANALYSIS RESULTS

Part of the Level 2 PSA is the analysis of the source term for each RC. This analysis was performed in the Modular Accident Analysis Program (MAAP), as described in Sub-chapter 16.1 section 2, and is presented in the sections below.

Release Fractions

The results of the source term analysis for each RC are presented in Sub-chapter 16.2 section 2 Table 11. The release fractions can be combined with the fission product inventories of the core and SFP, so that the total activity of the fission products released from the containment can be calculated and fed into the Level 3 PSA, presented in Sub-chapters 16.1 section 3 and 16.2 section 3.

Core Inventory

The core inventory is presented in Appendix A of the Sub-chapter 16.2 section 2 supporting information report [Ref. 10]. This table presents a summary of the isotopic content for both the bounding and equilibrium cases. The bounding case was chosen as the highest of the isotopic activities over all combinations of enrichment and fuel burnup expected for the EPR. The equilibrium core inventory represents more of a best estimate value for each isotope presented. The fission product inventory for the Level 2 PSA is derived from the spreadsheet entitled Core Inventory for EPR Level 3 PSA.xls that was supplied as part of the documentation package for the US EPR Level 3 PSA for Direct Current (DC) and the UK EPR Generic Design Assessment (GDA) [Ref. 13] (AS-PSA ). The remainder of the table in Appendix A of reference 3 provides values for the nominal core inventory for Nuclear Power Plant (NPP) TMI-1 [Ref. 14], and the inventory for the same plant were it to be operated at 4612 MW. The final column in the table provides values for the ratio of the bounding to equilibrium core inventory. These ratios are provided to allow benchmarking of the EPR core inventory.

Spent Fuel Pool Inventory

The fission product inventory for the SFP accident is presented in Appendix B of the Sub-chapter 16.2 section 2 supporting information report [Ref. 10]. The basic inventory data in this table comes from Table A4-1 of NUREG 1738 [Ref. 15]. Since the reference inventories in the referenced table are for Millstone 1, they are scaled up in accordance with the ratio of the nominal power levels of the reactors. The scale-up factor of 1.7 x 4,500/3,441 is composed of two parts. The factor of 1.7 is used to scale the original Millstone power level to that of the large Boiling Water Reactor (BWR) with a power level of 3441 MW discussed in Appendix 4 of NUREG 1738 [Ref. 15] (AS-PSA ). The factor of 4500/3441 provides the ratio of the power level of the UK EPR to that of the BWR. There is no adjustment for complete fuel unload, as the SFP accident is assumed to occur while fuel is in the core. The values for the 30 day and one year SFP inventories correspond to an SFP load after the 11th refuelling outage, with 1/3 of the core offloaded each outage. The "30 day" values assume that 30 days have elapsed since the last discharge, and this value is adjusted for core power in the corresponding column.

The column called "Fresh Discharge" calculates values for the fission product inventory to be used as the source term for the SFP accident. The value in this column uses the one year reference inventory, adjusts it for the EPR power level, and adds 1/3 of the MAAP core inventory to account for the portion of the core discharged to the SFP immediately prior to the SFP accident. Only the active nuclides are considered in this analysis. Thus, when the associated MAAP fission product groups are indicated in this table, only the specified isotopes are compared. The last two columns of the table calculate the ratio of the 30 day adjusted and fresh discharge fission product inventories, respectively, to the MAAP core inventory. This has been done to facilitate direct conversion of the MAAP core inventory to the SFP inventories.

Source Term Release Energies and Locations

The release energies, locations and timings associated with the source term in each release category are presented in Sub-chapter 16.2 section 2 Table 12. This information is provided as an input to the Level 3 PSA (Sub-chapters 16.1 section 3 and 16.2 section 3). The release start and end times are derived from analysis of the source term MAAP run results, as well as from the phenomenological evaluation governing that failure mode. The energy release rate is conservatively assumed to be the highest energy release rate observed during the release duration [AS-PSA ].

SENSITIVITY AND UNCERTAINTY ANALYSIS

Uncertainty Analysis for all Plant States

Uncertainty analysis was performed for the LRF and LERF MCS analysis cases; the results can be seen in Appendices E and F of the Sub-chapter 16.2 section 2 supporting information report [Ref. 10]. A sample size of 30,000 was used for this analysis. The following results were obtained:

For the LERF, the fifth percentile is 2.20E-08 /ry and the 95th percentile is 8.20E-08 /ry.
For the LRF, the fifth percentile is 5.13E-08 /ry and the 95th percentile is 1.79E-07 /ry.

It should be noted that for LRF, the MCS analysis case mean frequency result is 2.4% lower than the frequency obtained by summing the mean frequencies of the individual RC MCS analysis cases that contribute to LRF. The 2.4% discrepancy for the LRF is due to the removal of non-minimal cutsets when the individual cutset lists are combined: if an additional failure in an accident sequence causes a slightly different large release, two cutsets exist in two separate RC analysis cases, but these two cutsets are merged into a single MCS in the LRF MCS analysis case. It should be noted that there was no similar noticeable discrepancy in the LERF results.

Sensitivity Studies

The following sensitivity studies have been run using the Level 2 PSA:

1) Failure of operator action to manually isolate containment,
2) Success of all operator actions (Level 1 and Level 2 PSA),
3) Duration of containment hatch open states,
4) Addition of resilience enhancements.

Failure of operator actions to manually isolate containment

This sensitivity study was implemented by setting the following basic events to TRUE:

Basic Event | Description
OP_MSIV_ISOL | Operator Fails to Manually isolate MSIV/MSRIV after SLBI. Includes mechanical failures.
OPF-L2-CI-30M | Operators fail to initiate manual Containment Isolation Signal
OPF-L2-CI-30M_NCSS | Operators fail to initiate manual Containment Isolation Signal - NCSS

The study showed that LERF is sensitive (an increase of approximately 60% to 7.87E-08 /ry) to the operators successfully manually isolating containment if automatic containment isolation fails. This is because failure to isolate containment leads directly to early containment failure following core damage. LRF is less sensitive, with an increase of approximately 20% to 1.44E-07 /ry.

Success of all operator actions (Level 1 and Level 2 PSA)

This sensitivity study was implemented by examining the Risk Decrease Factor (RDF) of the OPERATOR system attribute. The RDF shows the decrease in frequency if all basic events associated with the attribute are 100% reliable (i.e. no possibility of failure). The OPERATOR system attribute is associated with all operator actions in the Level 1 and Level 2 PSAs. The study shows approximately a 36% reduction in LERF and approximately a 30% reduction in LRF. Whilst operator action reliability is important to reducing the frequency of a large release, this study shows that even if the operators were 100% reliable it would not lead to a significant reduction in the frequency of a large release.
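The cutset merging behind the 2.4% discrepancy described in the uncertainty analysis above, and the measures used by the sensitivity studies here (fractional contribution of a basic event, the RDF of an attribute such as OPERATOR, and setting basic events to TRUE), as an added Python example that is not part of the PCSR and not the PSA tool used for it. The event names, values and cutsets are constructed for illustration; the lognormal error-factor sampling in monte_carlo_percentiles is an assumed propagation method, not the one reported above.

```python
import math
import random
from itertools import chain

# Added example, not the HPC PSA model or its analysis tool: a minimal-cut-set
# toolkit on a constructed model. All event names, values and cutsets are
# constructed for illustration.

# Basic-event probabilities (per demand) and initiating-event frequencies (/ry).
BASE_PROBS = {
    "IE_LOOP": 1.0e-2,    # long loss of offsite power, /ry
    "IE_SGTR": 4.0e-3,    # single SG tube rupture, /ry
    "CCF_EDG": 2.0e-3,    # CCF to run emergency diesel generators
    "CCF_MHSI": 5.0e-4,   # CCF to run MHSI pumps
    "IC_SPPA": 1.0e-3,    # SPPA-T2000 platform common logic failure
    "OP_BLEED": 1.0e-2,   # operator fails to initiate bleed
    "OP_CI": 2.0e-2,      # operator fails to close containment isolation valves
}
# Attribute grouping, as used by the RDF study of the OPERATOR attribute.
ATTRIBUTES = {"OPERATOR": {"OP_BLEED", "OP_CI"}}

# Per-RC cutset lists. The RC502 cutset is the RC504 cutset plus one more failure
# (a slightly different large release), the case the 2.4% discrepancy text describes.
RC_CUTSETS = {
    "RC504": [frozenset({"IE_LOOP", "CCF_EDG", "IC_SPPA"})],
    "RC502": [frozenset({"IE_LOOP", "CCF_EDG", "IC_SPPA", "OP_CI"})],
    "RC701": [frozenset({"IE_SGTR", "CCF_MHSI", "IC_SPPA"}),
              frozenset({"IE_SGTR", "CCF_MHSI", "OP_BLEED"})],
    "RC206": [frozenset({"IE_LOOP", "IC_SPPA", "OP_BLEED", "OP_CI"})],
}


def cutset_frequency(cutset, probs):
    """Frequency of one cutset: product of its event values."""
    freq = 1.0
    for event in cutset:
        freq *= probs[event]
    return freq


def total_frequency(cutsets, probs):
    """Rare-event approximation: sum of the cutset frequencies."""
    return sum(cutset_frequency(c, probs) for c in cutsets)


def minimize(cutsets):
    """Keep only minimal cutsets: drop any that is a strict superset of another."""
    unique = set(cutsets)
    return [c for c in unique if not any(other < c for other in unique)]


def merge_release_categories(rc_cutsets):
    """One combined list, as for the LRF analysis case, with non-minimal cutsets absorbed."""
    return minimize(list(chain.from_iterable(rc_cutsets.values())))


def summed_vs_merged(rc_cutsets, probs):
    """(sum of per-RC totals, merged total, relative shortfall of the merged total)."""
    summed = sum(total_frequency(cs, probs) for cs in rc_cutsets.values())
    merged = total_frequency(merge_release_categories(rc_cutsets), probs)
    return summed, merged, (summed - merged) / summed


def with_overrides(probs, overrides):
    """Copy of probs with some events set to new values."""
    new = dict(probs)
    new.update(overrides)
    return new


def fractional_contribution(event, cutsets, probs):
    """Share of the total carried by cutsets containing the event (Fussell-Vesely)."""
    containing = [c for c in cutsets if event in c]
    return total_frequency(containing, probs) / total_frequency(cutsets, probs)


def risk_decrease_factor(events, cutsets, probs):
    """Base total / total with the events made perfectly reliable (value 0)."""
    perfect = with_overrides(probs, {e: 0.0 for e in events})
    return total_frequency(cutsets, probs) / total_frequency(cutsets, perfect)


def set_true_factor(events, cutsets, probs):
    """Multiplier on the total when the events are set to TRUE (value 1)."""
    failed = with_overrides(probs, {e: 1.0 for e in events})
    return total_frequency(cutsets, failed) / total_frequency(cutsets, probs)


def monte_carlo_percentiles(cutsets, probs, error_factor=3.0, samples=5000, seed=1):
    """5th and 95th percentiles of the total when every event value is lognormal
    with median equal to its point value and the given 95% error factor (assumed)."""
    rng = random.Random(seed)
    sigma = math.log(error_factor) / 1.645
    totals = sorted(
        total_frequency(cutsets, {e: p * math.exp(rng.gauss(0.0, sigma))
                                  for e, p in probs.items()})
        for _ in range(samples))
    return totals[int(0.05 * samples)], totals[int(0.95 * samples)]
```

With these constructed values the merged list absorbs the RC502 cutset, so the merged total is about 0.9% lower than the sum of the per-RC totals, the same mechanism as the 2.4% figure above. Setting both OPERATOR events to zero gives an RDF of 2.0 (a 50% reduction), and setting OP_CI to TRUE multiplies the total by about 3.2, which is how the "set to TRUE" containment isolation study is read.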
Duration of containment hatch open states

This sensitivity study was implemented by doubling the conditional probability that the hatch is open during the State C sub-states. The following basic events represent the conditional probability that the hatch is open in each State C sub-state:

Basic Event | Description | Basecase Hatch Open Conditional Probability | Sensitivity Study Hatch Open Conditional Probability
L2_HATCH_OPEN_CA1 | Time ratio where cont. hatch open during state Ca1 | |
L2_HATCH_OPEN_CA2 | Time ratio where cont. hatch open during state Ca2 | |
L2_HATCH_OPEN_CA3 | Time ratio where cont. hatch open during state Ca3 | |
L2_HATCH_OPEN_CA4 | Time ratio where cont. hatch open during state Ca4 | |
L2_HATCH_OPEN_CB | Time ratio where cont. hatch open during state Cb | |

The study shows approximately a 1% increase in LERF to 4.96E-08 /ry, demonstrating that LERF is not sensitive to the proportion of time in State C that the hatch is open. This is due to the Level 2 PSA claiming operator action to close the hatch within two hours with a reliability of 1 x 10^-2 per demand, and to the low significance to LERF of those State C sequences in which the status of the containment hatch affects the accident sequence (i.e. sequences other than IS LOCAs).

Addition of Resilience Enhancements

This sensitivity study was implemented using the Batch 3 D-PSA model [Ref. 11]. The Level 2 PSA was decoupled from the Level 1 PSA and the containment event trees for core damage following Long LOOP were amended to include the following resilience enhancements:

- Small scale Diesel Generators (DGs) to power the Severe Accident I&C (SA I&C),
- Containment water injection to reduce containment pressure until on-site AC power can be restored,
- Off-site large AC DGs to restore on-site AC power.

The study examined the relative decrease in late containment failure frequency following core damage with Long LOOP initiating events. The study shows:

- 15% decrease in relative containment failure frequency in Long LOOP scenarios where EDGs, UDGs and grid restoration are available (at their usual reliabilities),
- 37% decrease in relative containment failure frequency in Long LOOP scenarios where only the UDGs are available (at their usual reliability),
- 52% decrease in relative containment failure frequency in Long LOOP scenarios where no on-site AC power is available.

This shows the potential significance of a diesel backed system in preventing late containment failure following core damage in Long LOOP sequences, especially in scenarios where no on-site AC power is available. The resilience enhancements are presented and discussed in more detail in Sub-chapter [number not shown].

CONCLUSIONS AND INSIGHTS

This sub-chapter has presented the results of the HPC PCSR3 Reference Level 2 PSA, including the Level 2 PSA model results, the source term analysis results and the sensitivity and uncertainty analysis performed on the Level 2 PSA.

Level 2 PSA Initiating Events

The following Plant States A and B CDES/sub-CDES are shown to be the most likely causes for entry into the Level 2 PSA:
1) SS-SB1 - Core damage from seal LOCA sequences (following fire in safeguard building) with offsite power available and where fast cooldown is not demanded or the operator fails to initiate it.
2) TP - Core damage from sequences initiated by a long loss of offsite power (consequential LOOP included).
3) TR - Core damage from transient sequences or from non-isolated homogeneous boron dilution sequences.

The total frequency of entry from Plant States A and B into the Level 2 PSA is 4.44E-7 /ry. Level 1 PSA results are presented and discussed in Sub-chapter 16.2 section 1.

Total Release Frequency

The Level 2 PSA results show that the strong containment and dedicated severe accident mitigation measures of the HPC EPR plant are effective in reducing the frequency and magnitude of releases to the environment in the case of a core damage event. The Level 2 PSA shows a conditional probability of around 80% of the containment remaining intact, isolated and not bypassed following core damage. As a result, the frequency of a large release to the environment is predicted to be extremely low, at 1.20E-7 /ry.

Release Categories

The frequency results for each RC in each plant state are presented, and the dominant RCs discussed. Each RC is summarised and the major contributors to each RC discussed at a high level. The RCs with the highest frequencies are RC101, RC102 and RC504. RC101 and RC102 represent containment intact RCs and are seen as success sequences. However, it should be noted that although the containment is considered to be intact for RC101 and RC102, a small release still takes place caused by containment leakage. RC504 represents late containment failure following failure to provide containment heat removal. Further mitigation of RC504 is being explored and risk informed using the Level 2 PSA.

Large Early Release

A release of 100 TBq of Cs-137 is used as a guide to define a large release, and an early release is a release which occurs before or at the point of vessel failure. The frequency with which a release of this magnitude could be exceeded is calculated as 4.91E-8 /ry for all plant states, and represents 8.7% of the Core Damage Frequency (CDF). The dominant contributors to a large early release are explored and any major assumptions or areas for further work identified.

Large Release

A release of 100 TBq of Cs-137 is used as a guide to define a large release. The frequency with which a release of this magnitude could be exceeded is calculated as 1.20E-7 /ry for all plant states, including the SFP, and represents 21.3% of the CDF. The dominant contributors to a large release are explored and any major assumptions or areas for further work identified. The frequency of large release predicted by the Level 2 PSA meets the NSDAP target of 1E-06 /ry.

Source Term Analysis

The results of the source term analysis are presented. Each RC represented in the Level 2 PSA, and a release from the SFP, has been analysed to give a representative source term and release profile (release energy, height, duration etc.). The source term analysis will be used as part of the Level 3 PSA, presented in Sub-chapter 16.1 section 3 and Sub-chapter 16.2 section 3 of HPC PCSR3.

Uncertainty Analysis Results

Uncertainty analyses indicate that the 95th percentile for LERF is 8.20E-8 /ry and that the 95th percentile for LRF is 1.79E-7 /ry. These results increase confidence that both the LERF and LRF for the HPC EPR are very low.

Model Sensitivity

The following sensitivity studies were run using the Level 2 PSA:
1) Failure of operator actions to manually isolate containment.
2) Success of all operator actions (Level 1 and Level 2 PSA).
3) Duration of containment hatch open states.
4) Addition of resilience enhancements.

The following conclusions can be reached from the sensitivity studies:

1) LERF is sensitive to the operators successfully manually isolating containment if automatic containment isolation fails.
2) Operator action reliability is important to preventing a large release; however, 100% reliable operator actions result in an LRF comparable to that seen with the currently modelled operator reliability.
3) The time the containment hatch is open during State C is seen to have very little impact on LERF and LRF, because operator action to manually close the hatch is claimed.
4) Late containment failure in loss of on-site AC power sequences is significantly impacted by the addition of the resilience enhancements designed to prevent late containment failure where no on-site AC power is available.

3. PSA LEVEL 3 RESULTS AND DISCUSSION

A Level 3 Probabilistic Safety Assessment (PSA) of the UK EPR design has been performed to determine the risk to the general public and to workers on site due to postulated accidents, and to ensure that it is As Low As Reasonably Practicable (ALARP). The methodology associated with the Level 3 PSA is described in Sub-chapter 16.1 section 3. The individual and societal risk calculations have been performed using updated Level 1 and Level 2 PSA (batch 4) data. The operator risk calculation is the same as that presented in HPC PCSR [revision not shown]. The following sections present the results for the individual, societal and operator risk associated with a twin reactor located at Hinkley Point C (HPC) and compare these against their respective Safety Design Objectives (SDO) from the NNB GenCo (HPC) Nuclear Safety Design Assessment Principles (NSDAPs) [Ref. 1].

INDIVIDUAL RISK

This section presents the individual risk of fatality per year for comparison with SDO-7. For each dose band it also presents the predicted frequency of any single accident which could result in a dose in that band to an individual off-site, for comparison with SDO-8. The key features of the results are discussed and the conclusions presented.

Frequencies and Dose Band Allocation

The frequency and dose band data used to calculate the individual risk are associated with sequences identified in the Level 1 PSA, the additional Non-Core Damage (NCD) analysis and the Level 2 PSA. Further details of the three assessments are presented in Sub-chapter 16.1 section [number not shown]. The dose band data is obtained by identifying a set of representative radiological releases that can be used to define Release Categories, which are then associated with the end states. The allocation of Release Categories to dose bands is described in a dedicated supporting report [Ref. 16]. The frequency and dose band results for the Level 1 PSA success states are presented both in terms of end states (Section Table 18) and Release Categories (Section Table 19). The full results from the Level 1 PSA Low Consequence High Frequency (LCHF) analysis are presented in a dedicated supporting report [Ref. 17].

The frequency and dose band data for additional NCD sequences are presented in Section Table 20. This includes the frequency contribution to potential radioactive release from accidental aircraft crash [Ref. 18]. The consequences of an accidental aircraft crash have been assigned conservatively to Dose Band (DB) 2. In addition, as part of the site specific assessment for HPC, the strike frequency due to turbine disintegration from both HPC and Hinkley Point B (HPB) has been assessed for each safety-related building [Ref. 19]. For all targets other than the contaminated tool storage building, there are no radiological consequence assessments available at this stage and therefore these have been screened out. The dose due to impact on the contaminated tool storage building has been assumed to be DB1. The frequency and dose band data for core damage sequences from the Level 2 PSA are presented in Section Table [number not shown].

Assessment against SDO-8

The frequency and dose band data used to calculate individual risk are summarised in Section Table 22. The frequency contribution to each dose band from each assessment is presented together with the total frequency for the dose band. The totals are then displayed on the dose band staircase diagram in Section Figure 13. The Basic Safety Level (BSL) and Basic Safety Objective (BSO) values of the NSDAPs SDO-8 are also shown, and this demonstrates that the safety criteria have been met, with the total frequencies well below the BSOs for each dose band. It can be seen from Section Table 22 that the summated frequency of faults predicted to result in an off-site effective dose in excess of 0.1 mSv is 2.00E-03 /ry (DB1 to DB5). Over 99% of this frequency is associated with very low off-site consequences in DB1 (<1 mSv) and, for this dose band, the frequency is almost an order of magnitude below the BSO; the target is therefore met with a considerable margin. Only 2.39E-07 /ry (0.01%) of this frequency is associated with off-site consequences above 100 mSv (DB4 and DB5). It should be noted that the summated frequency of faults within DB5 is slightly higher than that of DB4. Whilst this risk profile is not fully uniform, since frequency does not always reduce with dose, the effect is very small. Furthermore, both results are well below the BSO and, as stated, these results contribute only 0.01% of the total frequency.

The frequency associated with the lowest consequence dose band (DB1) is significantly higher than that associated with the higher consequence dose bands (DB2 to DB5). This is an artefact of using the conservative results produced in the consequence assessment performed for the Design Basis Assessment (DBA). If a less conservative, best estimate consequence assessment were applied, it is likely that the consequences of some of the dominant sequences would be shown to be below DB1. Screening out these sequences as low consequence would significantly reduce the frequency allocated to the lowest dose band.

In dose band DB1 (0.1 to 1 mSv), the dominant events are NCD sequences (90%), mainly due to Steam Generator Tube Rupture (SGTR) (affected Steam Generator (SG) isolated), a fuel handling accident in the Fuel Building (HK [FB]) with one fuel assembly partially damaged (all fuel rods along one edge) and filtration available, and fuel assembly drop in the Reactor Building (HR [RB]) (10%).

In dose band DB2 (1 to 10 mSv), the dominant events include a fuel handling accident in the Spent Fuel Building (HHK [ISFS]) with 100% clad failure and filtration available (78%) and NCD sequences, mainly due to SGTR (affected SG not isolated) (18%).

In dose band DB3 (10 to 100 mSv), the dominant events are a fuel handling accident in the HK [FB] building with 100% clad failure and filtration not available (60%) and core damage accidents with containment intact (annulus and building ventilation operational) (39%).

In dose band DB4 (100 to 1000 mSv), the dominant events are core damage accidents with containment intact (failure of annulus and building ventilation) (over 99%). The contribution from NCD Loss Of Coolant Accident (LOCA) inside containment with 1% clad failure and containment bypass events is negligible.

In dose band DB5 (>1000 mSv), the dominant events are core damage accidents with containment failure (75%), SGTR (11%), Interfacing System LOCA (IS LOCA) (9%) and fuel damage after loss of cooling or rapid drainage of the Spent Fuel Pool (SFP) (5%). The contribution from feed and bleed with containment bypass is negligible (0.9%).

It is emphasised that the identification of the dominant events, as well as any analysis of risk balance, must be considered with care, as modelling assumptions, especially where varying degrees of conservatism are introduced, lead to distortions in the risk breakdown and profile.

Annual Risk of Death to an Individual and Assessment against SDO-7

As described in Sub-chapter 16.1 section 3, the risk of death to the most exposed member of the public can be estimated using the frequencies and dose band information presented in the preceding section, together with the assumption that an effective dose of 1 mSv results in an increase in the risk of individual death due to the effects of radiation of 5 x 10^-5 [Ref. 20]. It is assumed that for doses greater than 1000 mSv (DB5) the probability of individual death is unity. Applying the data in Section Table 22 to the equation given in Sub-chapter 16.1 section 3 for the annualised probability of death results in a risk of individual death of 2.4 x 10^-7 per reactor year. If the frequencies of the contributing initiating events, and hence the risk from a single unit, are doubled to take into account that HPC is intended to be a twin unit site, this risk becomes 4.9 x 10^-7 per year.
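The following worked example is added here and is not part of the PCSR3 text or its supporting reports. It shows the arithmetic described above in runnable form: each dose band's summated frequency is weighted by a probability of death (5 x 10^-5 per mSv, and unity for DB5), the single-unit result is doubled for the twin-unit site, and the site value is compared with the SDO-7 target of 1.0 x 10^-6 /y. Two things are assumptions of this example rather than statements of the document: the equation of Sub-chapter 16.1 section 3 is taken to be a frequency-weighted sum of this form, and each band below DB5 is represented by its upper-bound dose. The band frequencies are constructed inputs, since Section Table 22 is not reproduced here.

```python
"""Added worked example (not part of the PCSR3 text): annualised individual
risk of death built from dose-band frequencies.

From the text: 5e-5 risk of death per mSv, probability of death of unity for
DB5 (>1000 mSv), doubling for the twin-unit site, SDO-7 target of 1.0e-6 /y.
Assumptions of this example: the risk is a frequency-weighted sum over bands,
and a band below DB5 is represented by its upper-bound dose.  All frequency
values below are CONSTRUCTED; Section Table 22 is not reproduced here.
"""

RISK_PER_MSV = 5e-5      # increase in risk of death per mSv effective dose [Ref. 20]
SDO7_TARGET = 1.0e-6     # individual risk of death, per year, for the whole site
UNITS_ON_SITE = 2        # HPC is a twin-unit site: single-unit risk is doubled

# ASSUMPTION: a band is represented by its upper bound in mSv.
BAND_UPPER_MSV = {"DB1": 1.0, "DB2": 10.0, "DB3": 100.0, "DB4": 1000.0}


def prob_death(band):
    """Conditional probability of death given an off-site dose in `band`."""
    if band == "DB5":            # >1000 mSv: probability of death taken as unity
        return 1.0
    return BAND_UPPER_MSV[band] * RISK_PER_MSV


def individual_risk(band_freq, units=UNITS_ON_SITE):
    """Annual risk of death to the most exposed individual for the site.

    band_freq maps a dose band to the summated frequency (per reactor year)
    of sequences whose off-site dose falls in that band.  Returns the site
    risk and each band's share of the single-unit risk.
    """
    per_band = {b: f * prob_death(b) for b, f in band_freq.items()}
    per_unit = sum(per_band.values())
    shares = {b: r / per_unit for b, r in per_band.items()} if per_unit else {}
    return per_unit * units, shares


def meets_sdo7(site_risk, target=SDO7_TARGET):
    """True when the site risk is within the SDO-7 numerical target."""
    return site_risk <= target


# CONSTRUCTED band totals, per reactor year, in the shape of Section Table 22.
SAMPLE_BAND_FREQ = {
    "DB1": 2.0e-3,
    "DB2": 1.0e-5,
    "DB3": 4.0e-6,
    "DB4": 1.0e-7,
    "DB5": 1.2e-7,
}

if __name__ == "__main__":
    risk, shares = individual_risk(SAMPLE_BAND_FREQ)
    print(f"site risk of death: {risk:.2e} /y, meets SDO-7: {meets_sdo7(risk)}")
    for band in sorted(shares):
        print(f"  {band}: {shares[band]:5.1%} of single-unit risk")
```

With these constructed inputs the single-unit risk is 2.5 x 10^-7 /ry and the site risk 5.0 x 10^-7 /y; the breakdown by band shows the same pattern the text reports for the real data, with DB5 and DB1 dominating because DB5 carries a probability of death of unity and DB1 carries most of the frequency.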
The site risk meets the target of 1.0 x 10^-6 /y set by SDO-7. In order to gain insight into which events contribute significantly to the risk of death, the contribution from individual dose bands is presented in Section Table 23. It can be seen from the data that the majority of the risk is associated with DB5 (53%) and DB1 (41%), with very little risk from DB2, DB3 and DB4, each of which contributes less than 3%. The risk associated with DB1 is likely to be overestimated due to conservatisms in the methodology when assigning consequences. If best estimate methods were applied, it is therefore expected that many of the contributing sequences would be found to be below DB1 and could be screened out. It is also likely that conservatisms are leading to sequences that are DB4 being assigned to DB [number not shown].

SOCIETAL RISK

The results from the PC COSYMA consequence assessment calculations are presented and combined with the Level 2 PSA frequencies in order to calculate the societal risk and compare it with SDO-9, the target frequency for 100 fatalities resulting from an off-site release. The key features of the results, the sources of uncertainty in the calculations and the sensitivity study results are discussed.

PC COSYMA Results

PC COSYMA has been used to calculate the probability of 100 fatalities for the release categories in DB4 and DB5. Details of the calculation, results and uncertainties are presented in a dedicated supporting report [Ref. 21]. A number of different end points have been examined, including early and late health effects and the impact of countermeasures. The probability of 100 deaths for DB4 release categories was found to be zero.

The frequency and associated probability of 100 fatal cancers for the core damage and NCD sequences that result in DB5 consequences are presented in Section Table 24. There is no contribution from the additional NCD sequences, as these are below DB5 and therefore have zero probability of 100 fatal cancers.

Societal Risk and Assessment against SDO-9

Frequency of 100 Fatalities

Using the data presented in Section Table 24, it can be seen that for a single unit the total frequency of accidental releases that could lead to more than 100 late fatalities is 6.76 x 10^-8 per reactor year. For the whole site at HPC, with two units, this frequency is 1.35 x 10^-7 per year. The result for the twin reactor is above the numerical target set in SDO-9 of 1.0 x 10^-7 per year and as such is in the ALARP range. To satisfy SDO-9 it must therefore be demonstrated that the value is ALARP. This is considered in Sub-chapter 16.2 section 4. The conservative nature of the frequency doubling approach to account for the twin units is demonstrated in a dedicated supporting report [Ref. 22].

The data presented in Section Table 24 show the breakdown by frequency of at least 100 fatalities per release category. Just eight of the release categories contribute just under 90% of the risk. Within this subset, Release Categories 504 (late containment failure) and 802a (IS LOCA) present the greatest risk, contributing 16% and 17% respectively. Release Category (RC) 504 has a low probability of 100 fatalities, but its frequency is high. In the case of RC 802a, the frequency and consequence are both relatively high. RCs 303 and 304 (early containment failure with and without sprays respectively) have a combined contribution of approximately 20%, and RCs 701 and 702 (SGTR with and without fission product scrubbing respectively) also have a combined contribution of approximately 20%.
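The following worked example is added here and is not part of the PCSR3 text or the Societal Risk Assessment [Ref. 21]. It shows how the SDO-9 metric is assembled from the quantities discussed above: each release category's frequency is multiplied by its PC COSYMA conditional probability of at least 100 late fatalities, the single-unit sum is doubled for the twin-unit site, the result is compared with the SDO-9 target of 1.0 x 10^-7 /y (a value above the target falls in the ALARP range and must be shown to be ALARP), and the categories that together make up a given share of the risk are picked out. The release category names are taken from the text, but every frequency and conditional probability below is a constructed input, since Section Table 24 is not reproduced here.

```python
"""Added worked example (not part of the PCSR3 text): the SDO-9 societal risk
metric, frequency of >= 100 fatalities for the site.

From the text: frequency x conditional probability per release category,
doubling for the twin-unit site, SDO-9 target of 1.0e-7 /y, values above the
target are in the ALARP range.  The RC names are from the text; the numbers
below are CONSTRUCTED placeholders (Section Table 24 is not reproduced here).
"""

SDO9_TARGET = 1.0e-7     # frequency of >= 100 fatalities, per year, for the site
UNITS_ON_SITE = 2        # twin-unit site: single-unit frequency is doubled

# CONSTRUCTED: RC -> (frequency per reactor year,
#                     conditional probability of >= 100 late fatalities)
SAMPLE_RC = {
    "RC504":  (6.0e-8, 0.30),    # late containment failure: frequent, low P(100)
    "RC802a": (1.2e-8, 0.993),   # IS LOCA: frequency and consequence both high
    "RC303":  (8.0e-9, 1.0),     # early containment failure, sprays available
    "RC702":  (1.0e-8, 1.0),     # SGTR without fission product scrubbing
    "SFP":    (5.0e-9, 1.0),     # loss of SFP cooling / rapid drainage
}


def societal_risk(rc_data, units=UNITS_ON_SITE):
    """Site frequency of >= 100 fatalities and each RC's share of it."""
    per_rc = {rc: f * p for rc, (f, p) in rc_data.items()}
    per_unit = sum(per_rc.values())
    shares = {rc: r / per_unit for rc, r in per_rc.items()} if per_unit else {}
    return per_unit * units, shares


def sdo9_status(site_freq, target=SDO9_TARGET):
    """Below the numerical target the metric is met; above it the value sits in
    the ALARP range and an ALARP demonstration is required."""
    return "meets target" if site_freq <= target else "ALARP demonstration required"


def dominant(shares, cumulative=0.9):
    """Smallest set of RCs, largest share first, covering `cumulative` of the risk."""
    picked, acc = [], 0.0
    for rc, share in sorted(shares.items(), key=lambda kv: kv[1], reverse=True):
        picked.append(rc)
        acc += share
        if acc >= cumulative:
            break
    return picked


if __name__ == "__main__":
    site, shares = societal_risk(SAMPLE_RC)
    print(f"site frequency of >= 100 fatalities: {site:.3e} /y ({sdo9_status(site)})")
    print("RCs covering 90% of the risk:", ", ".join(dominant(shares)))
    for rc, share in sorted(shares.items(), key=lambda kv: kv[1], reverse=True):
        print(f"  {rc:7s} {share:5.1%}")
```

The constructed inputs are chosen so that the site value lands just above the target, which is the situation the text describes for the real figures: the check then reports that an ALARP demonstration is required rather than a pass, and the share breakdown shows why a category with a low conditional probability but a high frequency (RC504 in the example) can still head the list.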
The SFP release (loss of SFP cooling and SFP rapid drainage) contributes 9% and RC 206 (small containment failure) contributes just over 7%. The conditional probability of 100 fatalities calculated by PC COSYMA uses the long term effects only. Very few of the RCs result in any early fatalities. Those that could result in significant numbers of early fatalities are RC SFP, 702 and 802a [Ref. 21]. It should be noted that these releases have a conditional probability of 100 long term fatalities of unity (except for RC 802a, which has a probability of 0.993). Therefore, the impact of not including the early fatalities directly in this calculation is negligible.

Consequence Assessment Results

The complete set of potential societal consequences for all 27 release categories is presented in the Societal Risk Assessment [Ref. 21]. The key features are summarised here. Major releases include the 200, 300, 400 and 700 series and the 802a and SFP releases. In all cases, the short-term dose is dominated by the contribution from inhalation and the longer-term dose is dominated by groundshine. As expected, late health effects greatly outnumber early health effects. The dominant late health effect is lung cancer, accounting for nearly a third of all fatal cancers, due in particular to Cs-134 and Cs-137. In terms of countermeasures other than food bans, the responses vary across the categories, although the effect is less sensitive for releases beyond a certain severity: RC 101 requires no sheltering, evacuation or intake of iodine tablets beyond the Detailed Emergency Planning Zone (DEPZ). Similarly, the 500 series and NCD RCs both involve late and prolonged release
durations with relatively low release fractions compared to other release categories, and therefore do not require extensive countermeasures beyond the DEPZ. In contrast, the 200 series, which occurs quickly and with relatively large release fractions at ground level that result in limited dispersion before affecting those close to the release point, leads to high numbers being evacuated. It is notable that even though the health effects impact more people for the SFP release, this does not involve significantly more people with respect to countermeasures compared to the other releases, since countermeasure zones are limited by distance and the maximum number of people within these zones are already affected by less severe releases. Compared to the UK population of just under 59 million people, the maximum number of people evacuated (1,350, for RC 702 for example) represents just 0.002%, and the maximum number of people taking iodine tablets or sheltering, 66,200 (for RC 404), represents about 0.1%. Whilst this is a large number of people, sheltering only occurs whilst the plume is passing overhead and so is not as disruptive to society as evacuation would be. Areas affected by food bans are generally much larger than those affected by sheltering and evacuation, as food bans are not limited by distance. Significant amounts of food are assumed to be banned for the severe releases, in some cases reducing the dose due to ingestion to a minimal amount.

Uncertainty Analysis and Sensitivity Studies

In order to ensure that the conclusions drawn from the results are valid and robust, it is important to consider the uncertainties associated with the model and its input data and assumptions [Ref. 21]. There are two types of uncertainty associated with the results for the societal risk: uncertainty originating in the input parameters (parametric uncertainty) and inaccuracies in the modelling (modelling uncertainty). Regarding the choice of model, PC COSYMA has been widely accepted in the UK as the best available tool, using recognised models for atmospheric dispersion and consequence assessment. An EC/US Nuclear Regulatory Commission (NRC) study [Ref. 23] was conducted to assess mainly parametric uncertainty in COSYMA calculations by analysing uncertainty in different sections of the system. Expert judgement was used to specify probability distributions for the values of each of the parameters involved, and samples from these were then propagated through the model to derive information on the uncertainty in the model's predictions. Clearly, there is no single correct value, but a range of accepted inputs for many of the parameters. The studies found that the uncertainty factor (the ratio of the 95th to 5th percentiles of the uncertainty distribution) on the numbers of fatal cancers in the population is likely to be of the order of 100, which is equivalent to an error factor of 10. In general, the results suggest that the uncertainty increases as the consequence decreases. The main uncertainties associated with late health effects were found to originate from the risk coefficients for cancers. Parameters from the dispersion, dose and food chain models were also found to be important in some situations. It was reported that uncertainty from meteorological sampling is much smaller than that resulting from the uncertainty in the parameter values. The study concluded that if COSYMA was run with only default settings, it would give reasonable predictions of the long-term doses and predictions towards the lower end of the calculated range of values for late health effects.

As well as identifying the uncertainty in the input parameters, it is also important to establish the sensitivity of the model to the range of potential values. The methodology report [Ref. 24] considers the input data and assumptions to be used in PC COSYMA calculations and investigates the sensitivity to various parameters where a high level of uncertainty exists. Further studies have been performed for HPC PCSR3; detailed results are presented in supporting reports [Ref. 25] and [Ref. 21] and summarised below.

The studies presented in the supporting report [Ref. 25] investigated a subset of release categories selected to represent a range of release magnitudes and timing profiles. Five release categories were examined to assess their sensitivity to the source term (twin reactor issue), countermeasures (variation and type), release profile and location factors. The sensitivity tests on the results of the PC COSYMA calculations lead to the following conclusions:

Twin Reactor Studies (modelling uncertainty) [Ref. 25]: Doubling the source term to represent a twin unit site results in an increase in the long-term fatalities of around 1.9 for the larger releases and around 1.5 for RC 504. This factor is limited by the population in each location affected by the release. Due to the non-linear dose risk relationship for early fatalities, much larger increases are seen. For example, RC 702 increases by a factor of [value not shown]. Again, the extent of the increase will depend on the population in the location impacted by the release, and early fatalities were still only present in the most severe cases.

Countermeasures (modelling and parametric uncertainty) [Ref. 25]: There is limited sensitivity to countermeasures other than food bans, as the majority of the fatal cancers occur in areas beyond those in which these other countermeasures are implemented. Therefore there is insignificant sensitivity to the assumptions relating to the timings associated with implementing the countermeasures or to the implementation dose levels. Food bans, however, are not limited by distance and can reduce the ingestion dose from contributing up to 60% of the total dose to contributing a minimal amount. This has a significant impact on the number of stochastic fatalities, which can increase by up to a factor of two without food bans in place.

Phases (parametric uncertainty) [Ref. 25]: It is currently assumed that the release is constant over the duration of the release. In order to investigate the impact of this assumption, the number of phases was reduced. This generally resulted in an increase in mean early fatalities (up to an increase of 38% for RC 702) but a decrease in mean long-term fatalities (up to a decrease of 14% for RC 702), with the trend reversed at the maximum ends of the distributions. The results reflect the balance of higher individual doses but fewer people impacted.

Cloudshine factor (parametric uncertainty) [Ref. 25]: For the late containment failure releases such as RC 504, cloudshine is a more important pathway than for other release categories. For RC 504, using a cloudshine location factor of 0.6 rather than 1 reduces the mean number of long term fatalities by 6%.

Groundshine factor (parametric uncertainty) [Ref. 24]: For all releases the groundshine pathway contributes significantly to dose. If an indoor occupancy rate of 50% is assumed for the groundshine location factor rather than 90%, significant reductions in long-term fatalities are seen (over 60% reduction for RC 201).

Release energy (parametric uncertainty) [Ref. 24]: The energy of release can be significant, as a fundamental parameter defining the shape of the dispersion plume. This is particularly important with regard to early fatalities, because they are influenced by the point at which radioactive material returns to ground level.

Deposition parameters (parametric uncertainty) [Ref. 24]: Deposition factors are a large source of inherent uncertainty and can have a significant influence, but no consistent trend is seen and the recommended values are being used.

Zone demarcation (parametric uncertainty) [Ref. 24]: Whilst a reduction in the countermeasure zone distances leads to a significant reduction in the number of people evacuating and a small increase in the number sheltering, there is little change in the numbers of fatalities.

Meteorological data (parametric uncertainty) [Ref. 24]: Little variation was seen in the use of weather data from different years (2004 to 2005, compared to 2007 to 2008) or in a different choice of sampling scheme cycle.

With the exception of RC 504, the risk metric of 100 fatalities shows very little sensitivity to these parameters, because the mean number of fatalities is significantly higher than 100. For cases where the mean is much higher than the metric of interest, the Complementary Core Damage Frequency (CCDF) is very flat and therefore much less sensitive to changes in inputs. Conversely, in the case of RC 504, the mean number of fatalities is 61 and therefore the metric of 100 fatalities occurs at a point on the CCDF that is highly sensitive to parameter changes that lead to even a small change in the number of fatalities. Therefore, despite the relatively high levels of uncertainty which are inherent in the nature of these calculations, the results are considered to be sufficiently robust and the conclusions valid. The studies discussed here show areas where conservatisms, such as location factors, could be removed. However, this would have minimal impact on the frequency of 100 deaths, as only the contribution from RC 504 would be significantly changed. For discussion of the limitations of the Level 1 and Level 2 PSA, see Sub-chapter 16.2 section [number not shown].

OPERATOR RISK

The risk to workers on site has been assessed separately from the risk to members of the public off-site [Ref. 26] to [Ref. 28].
The frequency and dose band data for each accident or Local Operator Safety Action (LOSA) are presented in Section Table 25 for comparison with SDO-6. The total individual risk of death from on-site accidents is presented and compared with SDO-5. The key features of the results are discussed and the conclusions presented. As discussed in Sub-chapter 16.1 section 3.3, the results have not been updated for PCSR3; however, a review that includes a partial update has been carried out in order to provide confidence that the conclusions presented here remain valid [Ref. 29].

Assessment against SDO-6

The results of the comparison against SDO-6 are shown in Section Table 25 and Section Figure 14. None of the accidents are above the BSL in the unacceptable region, and the annual frequency of most accidents is at least two orders of magnitude below the BSL, which marks the boundary between the tolerable if ALARP region and the unacceptable region. There are three accidents which are between the BSO and the BSL and therefore fall within the tolerable if ALARP region. All of these accidents are from the Level 1 PSA and relate to LOCA accidents with the most exposed worker in the HR [RB] building containment (WRB3, WRB4 and WRB5). No account has been taken of the probability that a worker is present when the accident occurs when comparing against SDO-6; while this is not strictly a requirement of the assessment against SDO-6, it should be taken into account when determining whether the frequency of the accident should be considered ALARP. The low occupancy factor for the HR [RB] building of 2% [Ref. 30] would put these accidents within the broadly acceptable region if it were factored into the accident frequency. So, while the frequency of the accident that has the possibility of causing a dose to workers is higher than the BSO, the probability of a worker being present at the time of the accident is very low.
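The following worked example is added here and is not part of the PCSR3 text or the Worker Risk Assessment [Ref. 28]. It places accident frequencies on the SDO-6 frequency-dose staircase (unacceptable above the BSL, tolerable if ALARP between the BSO and the BSL, broadly acceptable at or below the BSO), shows what factoring in the 2% HR [RB] occupancy does to an accident that sits between the BSO and the BSL, and then rolls a set of accidents up into an SDO-5 style annual risk of fatality for a generic worker with and without LOSAs. The BSO/BSL value per Worker Dose Band, the probability of death per band, the rule that the risk is frequency times occupancy times probability of death, and every accident record are constructed placeholders for this example; only the region names, the 2% occupancy factor and the SDO-5 target of 1.0E-6 /y come from the text.

```python
"""Added example (not from PCSR3): SDO-6 staircase regions with and without
the occupancy factor, and an SDO-5 style worker risk roll-up.

From the text: the three staircase regions, the 2% HR [RB] occupancy factor,
the SDO-5 target of 1.0e-6 /y.  CONSTRUCTED placeholders: the BSO/BSL per
Worker Dose Band, the probability of death per band, the risk rule
(frequency x occupancy x P(death)) and every accident record below.
"""
from collections import defaultdict

SDO5_TARGET = 1.0e-6          # annual risk of fatality to a worker, per year
HR_RB_OCCUPANCY = 0.02        # occupancy factor for the HR [RB] building (text)

# CONSTRUCTED placeholder staircase, per year: WDB -> (BSO, BSL).
STAIRCASE = {
    "WDB1": (1e-2, 1e0),
    "WDB2": (1e-3, 1e-1),
    "WDB3": (1e-4, 1e-2),
    "WDB4": (1e-5, 1e-3),
    "WDB5": (1e-6, 1e-4),
}
# CONSTRUCTED placeholder probability of death given a dose in each band.
P_DEATH = {"WDB1": 5e-5, "WDB2": 5e-4, "WDB3": 5e-3, "WDB4": 5e-2, "WDB5": 1.0}


def region(frequency, wdb):
    """SDO-6 region for an accident of the given frequency and dose band.
    A frequency exactly at the BSO sits on the boundary and is reported as
    broadly acceptable."""
    bso, bsl = STAIRCASE[wdb]
    if frequency > bsl:
        return "unacceptable"
    if frequency > bso:
        return "tolerable if ALARP"
    return "broadly acceptable"


def region_with_occupancy(frequency, wdb, occupancy):
    """Region once the probability that a worker is present is factored in."""
    return region(frequency * occupancy, wdb)


# CONSTRUCTED accident records: (id, group, WDB, frequency per year, occupancy).
SAMPLE_ACCIDENTS = [
    ("WRB3",     "Level 1 PSA", "WDB3", 5e-4, HR_RB_OCCUPANCY),
    ("PCC4-03a", "PCC",         "WDB3", 1e-4, 0.10),   # exactly at the BSO
    ("EXRV-1",   "EXRV",        "WDB2", 1e-3, 0.05),
    ("LOSA-1",   "LOSA",        "WDB2", 1e-3, 0.10),
    ("SA-rep",   "Level 2 PSA", "WDB5", 1e-8, 1.0),
]


def worker_risk(accidents, include_losa=True):
    """Annual risk of fatality summed over accidents as frequency x occupancy
    x P(death | dose band).  Returns (total, share of total by group)."""
    by_group = defaultdict(float)
    for _aid, group, wdb, freq, occupancy in accidents:
        if group == "LOSA" and not include_losa:
            continue
        by_group[group] += freq * occupancy * P_DEATH[wdb]
    total = sum(by_group.values())
    shares = {g: r / total for g, r in by_group.items()} if total else {}
    return total, shares


def meets_sdo5(total, target=SDO5_TARGET):
    """SDO-5 is expressed as '< target'."""
    return total < target


if __name__ == "__main__":
    for aid, _g, wdb, f, occ in SAMPLE_ACCIDENTS:
        print(f"{aid:9s} {wdb} {f:.1e} /y: {region(f, wdb):19s} "
              f"-> with occupancy {occ:.0%}: {region_with_occupancy(f, wdb, occ)}")
    for flag in (True, False):
        total, shares = worker_risk(SAMPLE_ACCIDENTS, include_losa=flag)
        print(f"LOSAs {'included' if flag else 'excluded'}: {total:.2e} /y "
              f"({total / SDO5_TARGET:.0%} of SDO-5), meets target: {meets_sdo5(total)}")
```

The first constructed record reproduces the situation the text describes: at its raw frequency the accident falls in the tolerable if ALARP region, and the same frequency multiplied by the 2% occupancy factor falls below the BSO. Keeping the occupancy factor as a separate field rather than folding it into the frequency is what lets the same record serve both the SDO-6 comparison (which the text notes does not strictly require it) and the SDO-5 roll-up (which does).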

61 HPC PCSR3 Public Version Sub-chapter 16.2 PSA Results and Discussion Page No.: 58 / 183 There are three further accidents which are at the BSO on the boundary between the broadly acceptable and the tolerable if ALARP regions. The fuel handling accidents, PCC4-03a and PCC4-03b, result in Worker Dose Band (WDB) 3 and WDB4 consequences respectively and a leak from the Gaseous Waste Processing System (TEG [GWPS]), PCC3-01, results in a WDB2 consequence. For these accidents a brief ALARP discussion presented within The Worker Risk Assessment [Ref. 28] concludes that it is not necessary to include further safety measures within the design since existing safety features ensure that the probability of mishandling fuel is at a level which is considered to be ALARP. All other PSA Level 1, Plant Condition Category (PCC), Expert Review accidents (EXRV) and LOSAs are below the BSO and therefore fall within the broadly acceptable region. For these accidents no further discussion is considered to be necessary, assuming that the risk is already minimised through the safety measures that are currently in place. The higher consequence (WDB4 and WDB5) portion of the frequency-dose staircase is dominated by accidents related to LOCAs assessed in the Level 1 PSA. The severe (core damage) accidents shown as three representative accidents in the WDB3, WDB4 and WDB5 regions, have sufficiently low accident frequencies to remain below the BSO and within the broadly acceptable region. The frequency of any severe core damage accident will therefore be acceptable against the SDO-6 criteria with respect to consequence to workers Assessment against SDO Risk of Fatality to a Generic Worker from all Accidents Using the methodology described in Sub-chapter 16.1 section 3, the overall annual risk of fatality for a generic worker due to exposure to radiation from on-site accidents is 3.6E-7 /y. 
The annual risk target set by SDO-5 is < 1.0E-6 /y and therefore, at 36% of this value, the criterion is satisfied with some margin. It should be noted that this value includes the risk arising from LOSAs; the total risk without LOSAs is 3.1E-7 /y.

Risk contribution by Dose Band

The overall risk results can be summarised in terms of the relative contribution to the overall risk from accidents leading to consequences in a particular DB. The results are presented in Section Table 26. From this table it can be seen that the risk is relatively well balanced between the WDB categories.

Risk contribution by Accident Group

The overall risk results can also be summarised over the main accident identification groups. These results are presented in Section Table 27. They indicate that around 40% of the risk to workers arises from the NCD accident sequences that were identified in the Level 1 PSA, with about 30% arising from the PCC accidents that were excluded from the PSA. The risk to workers from the high consequence core damage accidents considered in the Level 2 PSA makes a relatively small contribution, due to the low frequency of such events. The risk to workers from LOSAs is about 13%. The additional accidents identified from the EXRV of the Generic Design Assessment (GDA) PSA (EXRV group) do not make a significant contribution to the risk, indicating that the accident sequences identified for the PSA and PCC analysis were reasonably comprehensive in relation to risk to workers as well as off-site risk.

Risk Assessment for Other Worker Cohort Groups

Two other worker cohorts have been defined in addition to the generic worker. Considering the hierarchy of dominant accidents and their relative Occupancy Factor for a generic worker, these two other cohorts are the most relevant in order to ensure that the most at risk individual on site has been assessed. The overall risk for these groups has been assessed separately, both with and without LOSAs, for comparison against SDO-5.

Main Control Room (MCR) Worker Cohort

This worker cohort represents workers in the MCR, and it is assumed that they spend all of their time whilst on-site in the MCR. As this group of workers is assumed to have to remain in the MCR in the event of an accident, they are assumed to have a maximum likelihood of being exposed to the on-site consequences of accidents anywhere on site, including severe accidents. Therefore, the risk to this group of workers comprises the risk from the Level 2 PSA core damage accidents and the off-site consequences of the Level 1 PSA, PCC and EXRV accidents. In all cases the occupancy factor for exposure of MCR workers to these accidents is assumed to be unity.

Excluding LOSAs, the annual risk of death for the MCR worker cohort is 6.3E-8 /y. This is 6% of the SDO-5 target and a factor of 5 smaller than the result for the generic worker cohort. Including LOSAs, this becomes 1.1E-7 /y, which is 11% of SDO-5. This lower risk is due to the fact that, although MCR workers will have a high occupancy factor due to the requirement for them to remain on site during an accident, the dose that they receive from most accidents will be very low compared to workers local to the accident.

Fuel Building Worker Cohort

This worker cohort represents a specific group of workers who work exclusively in the HK [FB] building whilst on-site and who do not spend any of their time in any other areas.
As such, this group will have the maximum likelihood of exposure to accidents involving fuel handling and accidents involving the SFP. This cohort will therefore have an occupancy factor of unity for all HK [FB] building accidents and an occupancy factor of zero for all other accidents. A list of the accidents for which the HK [FB] building worker cohort is assumed to be affected is given in Section Table 28. Unlike the other worker cohorts, this group is assumed not to be affected by the on-site consequences of accidents in other areas, except for the Level 2 PSA core damage accidents, for which a worker anywhere on site is assumed to be affected due to the severity of these accidents.

Excluding LOSAs, the annual risk of death for the HK [FB] building worker cohort is 2.8E-7 /y. This is 28% of the SDO-5 target and is close to the result for the generic worker. Including LOSAs, this becomes 3.3E-7 /y, which is 33% of SDO-5.

Worker Cohorts Risk Summary

According to the current assumptions, the most at risk individual worker on site is found to be the generic worker, with an annual risk that is 36% of the target of 1 x 10^-6 /y set by SDO-5. The HK [FB] building worker cohort is assessed as having a risk which is close to the generic worker, at around 33% of the SDO-5 BSO. The MCR worker cohort risk is only a third of the generic worker cohort risk when including LOSAs.

Effect of having two EPR Units on Site

A summary of the risk contributions associated with a two unit site is presented in Section Table 29. The assumptions relating to this assessment are outlined in Sub-chapter 16.1 section 3. The results indicate that, in terms of risk to an individual worker, the effect of having two EPR units on the same site is minimal and would lead to a relatively small increase in risk, of the order of 13%. This is because the risk to workers is dominated by the risk arising from exposure to the radiological release from accidents in the building where the worker is present. The only significant effect of having two EPR units on site in terms of worker risk is the effective doubling of the frequency, and hence the risk contribution, from severe core damage accidents. This conclusion assumes that workers on one EPR unit would not be required to carry out LOSAs at the other EPR unit. If they were, the LOSA risk contribution for the case with two EPR units would be doubled, taking the percentage increase in total risk from 13% to 26%, which is not insignificant but still represents a relatively small increase in total risk. Further work is required to analyse the impact upon the worker from a twin unit site when better knowledge of the maintenance and operating regimes intended for HPC exists.

4. RISK INFORMED DESIGN (RID)

An iterative process to identify design improvements using Probabilistic Safety Assessment (PSA) was implemented throughout the development of the EPR design. The 2012 Generic Design Assessment (GDA) and Hinkley Point C (HPC) Pre-construction Safety Report (PCSR) Sub-chapter 15.7 recorded the main examples of design improvements made as a result of insights from the PSAs. Subsequently, for HPC the Risk Informed Design (RID) process [Ref. 31] was implemented, and a work programme [Ref. 32] and database were developed to manage and formally record RID activities.

The results and impact of significant RID activities carried out since the GDA are reported below; these activities were selected for reporting here in accordance with the process described in Sub-chapter 16.1, section 1.4. It should be noted that some of the studies were of broader scope than is reported in this section; e.g. where investigations showed that an assumed or potential issue was not relevant, this was reported in the study but is not relevant to the PCSR. As noted in Sub-chapter 16.1, section 1.4, ongoing studies that are incomplete at the time of writing are not recorded here. Thus the Heating, Ventilation and Air Conditioning (HVAC) RID activities (Safeguard Building (uncontrolled area) Ventilation Systems Electrical (division) (DVL [SBVSE]), Control Room Air Conditioning System (DCL [CRACS]), and Safety Chilled Water System (DEL [SCWS])) are out of scope.

RID studies related to internal events are reported in section 4.1. The As Low As Reasonably Practicable (ALARP) studies carried out at GDA have been repeated to confirm that the ALARP position of the modifications has not changed. This is reported in section 4.3.

4.1 RID STUDIES INTERNAL EVENTS

The following items are RID activities that provided insights or direct inputs to modifications under consideration, some of which have been implemented while others were not taken forward.

Circulating Water Filtration System CFI [CFWS] Sensors Reliability and Architecture, RID No. 31

The Circulating Water Filtration System (CFI [CFWS]) sensors provide a pump trip signal to the Circulating Water System (CRF [CWS]) and Auxiliary (Raw Water) Cooling System (SEN [ACW]) pumps in the event of the CFI [CFWS] raw water filters (drum and band-screens) clogging; this is detected by either reaching a maximum permitted head loss or a minimum permitted water level downstream of the CFI [CFWS] system.

In order to risk inform the design of the CFI [CFWS] sensor configuration, a probabilistic evaluation has been performed over several configurations of sensors and associated voting logic for both the head loss and the water level sensors. The configurations considered took into account the redundancy and diversity requirements between analogue sensors and smart sensors and different voting logics: one out of two, two out of three, etc. As the reliability of the sensors depends on their classification, analogue sensors are assumed to be class 1, whereas sensitivity studies were performed for smart sensors assuming they have a reliability commensurate with that of a class 3 or class 2 component.

The reliability of the trip signal of the CRF [CWS]/SEN [ACW] pumps was evaluated for one filtration train. The results depend on the selected configuration in terms of the combination of analogue and smart sensors and the voting logic, and have to be considered against the CRF [CWS]/SEN [ACW] pump breaker reliability. The failure to open of the CRF [CWS]/SEN [ACW] pump breaker being evaluated at 5.2 x 10^-5 per demand, a target of 1 x 10^-4 per demand for the failure probability of the instrumentation part was considered a good indication of a well-balanced design between the potential failure of equipment and of instrumentation in one train.
Moreover, the robustness of the various sensor voting logics against spurious actuation was analysed. The configurations that are the most reliable are not the most robust against spurious actuation signals. Indeed, if for high reliability purposes the logic accepts signals from the smallest number of working sensors, the consequence is that this limited number of sensors is sufficient to generate a spurious actuation signal. Thus, the sensitivity of the sensors to the type of spurious operation also has to be considered when defining the design. These results and insights were issued [Ref. 33] to the designers.

The preliminary design choice of the designers for the CFI [CFWS] instrumentation is a one out of two voting logic with one analogue sensor (class 1) and one smart sensor (class 3) (a pair of sensors is required for the water level measurement). This leads to the following figures for the instrumentation probability of failure per demand:

- 2.20 x 10^-4 per demand for head loss measurements with one analogue and one smart sensor with a one out of two voting logic;
- 4.30 x 10^-4 per demand for water level measurements with one pair of analogue and one pair of smart sensors (pairs of sensors on opposing sides of the CFI [CFWS] filtration).

This preliminary design choice has a probability of failure above the proposed target and is not robust against spurious actuation. However, the probabilistic impact of this configuration on the overall core damage frequency and on the Loss of Ultimate Heat Sink (LUHS) faults has been assessed [Ref. 34], and it leads to an acceptable increase of the two values with respect to the reference case, which considers the target value of 1.00 x 10^-4 per demand:

- An increase of 1.6% for core damage frequency.

- An increase of 24% for the LUHS faults.

These results are still acceptable with respect to the overall probabilistic targets of the HPC EPR and do not destabilise a well-balanced design, as the contribution of the LUHS faults to the overall risk only increases from 6% to 7.2%.

Fish-Friendly Operation of CFI [CFWS] Band Screens, RID No. 75

An analysis of the impact on risk of a potential modification to the CFI [CFWS] band screen operating conditions has been performed [Ref. 35]. The change considered, for environmental purposes, is the addition of a permanent Very Low Pressure fish-friendly washing and permanent functioning of the Low Speed rotation, except in case of maintenance.

The operating regime of the band screens depends on the state of clogging, defined by the head loss thresholds. The reference regime is:

- no clogging (head loss < MAX1): stand-by state for rotation and washing. Low Speed rotation and Low Pressure washing are started intermittently (for approximately one hour every six hours);
- limited clogging (head loss > MAX1): Low Speed rotation and Low Pressure washing;
- clogged (head loss > MAX2): High Speed rotation and High Pressure washing.

The different rotation speed / washing pressure can be started manually by the operators (from the Process Information and Control System (MCP [PICS]) or directly in the Pumping Station). Additionally, in the event of a loss of the instrumentation and control (I&C) SPPA T2000 cabinets, the Teleperm-XS (TXS)/Protection System (RPR [PS]) cabinets can start the Low Speed rotation and the High Speed rotation if the CFI [CFWS] band screen is significantly clogged.

For most of the operation, when there is no clogging, the following modified operating regime is under analysis at the Environment Agency's request in order to protect fauna:

- no clogging (head loss < MAX1): Low Speed rotation and Very Low Pressure washing.
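Returning to the CFI [CFWS] sensor study (RID No. 31) above: the trade-off it describes, that a logic which trips on the fewest sensors is the most reliable on demand and the least robust against spurious signals, can be made concrete with a small calculation. The following is an added example, not code from the PCSR or from the RID study; the per-sensor dangerous-failure and spurious-signal probabilities in it are constructed values, not the class 1 / class 3 figures used in the study. It enumerates sensor states for any k-out-of-n logic with sensors of differing reliability (an analogue and a smart sensor, say), so it covers the two out of three and two out of two cases as well as the one out of two case reported in the text.

```python
"""k-out-of-n trip logic: failure on demand versus spurious actuation.
Added illustration (not the PCSR/RID study calculation); all sensor
probabilities used below are constructed for the example."""
from itertools import product


def prob_at_least(probs, k):
    """Probability that at least k of n independent sensors are in the
    state of interest, where probs[i] is sensor i's probability of being
    in that state. Sensors may differ in reliability (e.g. an analogue
    and a smart sensor), so all 2^n state combinations are enumerated
    instead of using a single binomial formula."""
    total = 0.0
    for states in product((0, 1), repeat=len(probs)):
        if sum(states) >= k:
            p = 1.0
            for s, pr in zip(states, probs):
                p *= pr if s else 1.0 - pr
            total += p
    return total


def voting_tradeoff(fail_probs, spurious_probs, k):
    """Return (P[failure to trip on demand], P[spurious trip]) for a
    k-out-of-n voting logic over n sensors.
    - The trip is missed when fewer than k sensors can vote, i.e. when
      at least n-k+1 sensors have failed dangerous (fail_probs).
    - A spurious trip occurs when at least k sensors emit a signal with
      no real demand (spurious_probs)."""
    n = len(fail_probs)
    if not 1 <= k <= n or len(spurious_probs) != n:
        raise ValueError("k must be in 1..n and both lists need n entries")
    return prob_at_least(fail_probs, n - k + 1), prob_at_least(spurious_probs, k)


def compare_configurations(p_analogue, p_smart, q_analogue, q_smart):
    """Tabulate the trade-off for the logics the study mentions (1oo2,
    2oo2, 2oo3) using one analogue-type sensor and one or two smart-type
    sensors. Returns {name: (p_fail_on_demand, p_spurious)}."""
    two = ([p_analogue, p_smart], [q_analogue, q_smart])
    three = ([p_analogue, p_smart, p_smart], [q_analogue, q_smart, q_smart])
    return {
        "1oo2": voting_tradeoff(two[0], two[1], 1),
        "2oo2": voting_tradeoff(two[0], two[1], 2),
        "2oo3": voting_tradeoff(three[0], three[1], 2),
    }


if __name__ == "__main__":
    # Constructed per-demand probabilities: dangerous failure (p) and
    # spurious signal (q) for an analogue sensor and a smart sensor.
    table = compare_configurations(p_analogue=1e-3, p_smart=5e-3,
                                   q_analogue=2e-3, q_smart=4e-3)
    for name, (fail, spurious) in table.items():
        print(f"{name}: P(fail to trip)={fail:.2e}  P(spurious trip)={spurious:.2e}")
```

With any input values, 1oo2 gives the lowest failure-on-demand probability and the highest spurious-trip probability, 2oo2 the reverse, and 2oo3 sits between them on both counts, which is the design tension the study reports to the designers.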
The other states would remain the same; thus the Low Speed rotation is permanent (except when significantly clogged) and, if the head loss exceeds MAX1, the washing pressure would increase.

The probabilistic impact of the evolution of these operating conditions has been evaluated at different levels. At the local level of one band screen, the probability of failure of one band screen has been evaluated over a seven hour cycle with respect to the current operating profile (stand-by state during six hours, followed by one hour of operation) and the prospective continuous operation over seven hours. The probability of failure of one band screen is evaluated at 4.46 x 10^-4 per demand with the current operating conditions, whereas it almost doubles to 7.92 x 10^-4 per demand with the prospective operating conditions. The dominant contributor to the risk is the band screen unreliability, which is based on data from the French Operational Experience (OPEX), representative of the current stand-by operating conditions.

At a more macroscopic level, such as the reliability of the CFI [CFWS] system as a support system or the LUHS initiating event frequency, a change in the operating conditions is without probabilistic impact. Even though the prospective operating conditions would indeed eliminate the failures to start of the system, as it would be running continuously, the failures in operation during the mission time of 24 hours are preponderant in comparison with the failures to start. As such, although changing the operating conditions of the band screens has no effect on the overall safety of the plant, it affects the reliability of the single band screen function and thus potentially raises equipment unavailability concerns. All these insights have to be taken into account by the designers in the final decision on the implementation of the prospective operating conditions of the band screens.

Non-Computerised Safety System (NCSS) Signal: Manual Start-up of Low Head Safety Injection (LHSI) Train 1 or 4 in Injection Mode cooled by DEL [SCWS], RID No. 11

During consideration of design provisions to mitigate the loss of the SPPA-T2000 platform, the impact on the PSA model of adding functions to the Non-Computerised Safety System (NCSS) was investigated. Complementary to the provisions for Total Loss of computerised Instrumentation and Control (I&C) (TLIC), addressed in the GDA, potential NCSS signals to mitigate the loss of the SPPA-T2000 platform were considered. The RID study [Ref. 36] screened proposals and identified one potential signal for analysis: manual start-up of Low Head Safety Injection (LHSI) train 1 or 4 in injection mode cooled by the DEL [SCWS] system. This action provides diverse cooling of the LHSI motors in case of a Loss Of Cooling Chain (LOCC) in state D.
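As an added illustration of the two levels of the band-screen assessment (RID No. 75) above, the following example, which is not from the PCSR or the RID study, uses the usual standby/running model for a component: a failure-to-start probability on demand plus a constant failure rate while running, with the simplifying assumption that no failures accrue in standby. The failure-to-start probability and running failure rate are constructed values, not the French OPEX data, so the absolute numbers are not the study's; what the example shows is the shape of the result the text describes, that continuous running costs more over one seven-hour cycle, while over a 24-hour mission the running failures dominate and removing the start demand makes only a small difference.

```python
"""Intermittent versus continuous operation of a standby component.
Added illustration for the band-screen discussion (not the RID study's
calculation); q_start and lam_run below are constructed values."""
import math


def p_fail_intermittent(q_start, lam_run, run_hours):
    """Probability of failing a cycle that begins in standby: the
    component must start on demand (failure probability q_start) and
    then run for run_hours at constant failure rate lam_run (per hour).
    Assumption: no failures accrue while in standby."""
    return 1.0 - (1.0 - q_start) * math.exp(-lam_run * run_hours)


def p_fail_continuous(lam_run, hours):
    """Probability of failing while running continuously for 'hours';
    there is no start demand, so only the running failure rate counts."""
    return 1.0 - math.exp(-lam_run * hours)


def cycle_ratio(q_start, lam_run, standby_hours=6.0, run_hours=1.0):
    """Per-cycle failure probability, prospective regime (running for the
    whole standby+run cycle) divided by current regime (standby, then one
    start and run)."""
    current = p_fail_intermittent(q_start, lam_run, run_hours)
    prospective = p_fail_continuous(lam_run, standby_hours + run_hours)
    return prospective / current


def mission_ratio(q_start, lam_run, mission_hours=24.0):
    """Failure probability over a mission of mission_hours, prospective
    regime (already running, no start demand) divided by current regime
    (must start on demand, then run for the whole mission)."""
    current = p_fail_intermittent(q_start, lam_run, mission_hours)
    prospective = p_fail_continuous(lam_run, mission_hours)
    return prospective / current


if __name__ == "__main__":
    Q_START, LAM_RUN = 1.0e-4, 5.0e-5   # constructed values, per demand / per hour
    print(f"7 h cycle, prospective/current  = {cycle_ratio(Q_START, LAM_RUN):.2f}")
    print(f"24 h mission, prospective/current = {mission_ratio(Q_START, LAM_RUN):.2f}")
```

The first ratio exceeds 1 because seven hours of running failures outweigh one start demand plus one hour of running; the second is slightly below 1 because, over 24 hours, the start demand is a minor part of the total and the running term is shared by both regimes.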
The following comparison was performed:

Calculation 1: The manual function is considered available on SPPA-T2000 and NCSS. The NCSS operator action is different to the one on SPPA-T2000. The NCSS operator action is penalised.

Calculation 2: The manual function is considered available on SPPA-T2000 and the RPR [PS] system (and not in the NCSS system). The RPR [PS] operator action is different to the one on SPPA-T2000 (because of the Protection System Operating Terminal (PSOT)). The RPR [PS] operator action is penalised (same penalisation as for the NCSS system in calculation 1).

The resulting Core Damage Frequency (CDF) for a LOCC and LUHS in state D were:

             | Calculation 1 | Calculation 2
LOCC state D | 2.97E-08/ry   | 2.96E-08/ry
LUHS state D | 2.30E-14/ry   | 3.50E-15/ry

It was concluded that such a modification would have no impact on the risk assessed by the PSA. To avoid unnecessary oversizing of the NCSS system, the modification was not progressed.

Emergency Feed Water System ASG [EFWS] Reliability (Diverse Turbine Driven Pumps), RID No. 27

As a post-Fukushima study, to provide diversity in the event of loss of electrical power, the PSA impact of using two Turbine Driven Pumps (TDPs) instead of motor driven pumps (on trains 1 and 4) was assessed. An initial study was performed [Ref. 37] assuming the TDPs would be available in states A to C, and then refined to take account of the fact that in state C there will not be sufficient steam pressure to provide motive force to the TDPs [Ref. 38].

In the initial study [Ref. 37], the addition of TDPs gave a small decrease in CDF (all states) of approximately 2.5%, mainly due to the reduction in the CDF for Loss Of Off-site Power (LOOP) events. A larger CDF decrease of over 9% was calculated with the French OPEX data (in which both the turbine Failure to Start and Failure to Run are significantly lower than in the NUREG data). The NUREG data are considered more appropriate because at HPC the Emergency Feedwater System (ASG [EFWS]) is purely a standby system, similar to the US plants, whereas these pumps are also used during hot shutdown on the French fleet.

The updated study [Ref. 38] presented two further cases: one where the TDPs are assumed not to function for all of state C, and one where the TDPs are assumed not to function only in state Cb. The calculation performed with preventive maintenance (two Steam Generators (SGs) in state C) was considered to be over-conservative, so the calculations were repeated without maintenance.
The results, compared with the reference Batch 1 overall (all states) CDF of 5.60 x 10^-7 per reactor year, are:

TDPs not functional in: | Overall CDF increase with SG maintenance | Overall CDF increase without SG maintenance
All State C             | 24%                                      | 20%
State Cb                | 16%                                      | 12%

This suggests that the introduction of TDPs for the ASG [EFWS] is not beneficial when considering that the TDPs would be unavailable in all, or part, of state C. Therefore it was concluded that the introduction of TDPs for the ASG [EFWS] would not be beneficial from a PSA point of view. Taking into account the PSA results, among other considerations, the ALARP assessment [Ref. 39] concluded that the introduction of TDPs would not be ALARP for the HPC design.

Bayesian update of Long LOOP frequency, RID No. 71

The long LOOP Initiating Event Frequency (IEF) of 5.00 x 10^-3 per year is based on OPEX across English and Welsh reactor sites. This OPEX was reviewed, and events considered to be unsuitable for inclusion in the HPC site-specific assessment were screened out [Ref. 40]. This frequency was reviewed in 2014 following a long LOOP event at Dungeness B (DNB). On 28 October 2013 a severe storm caused a LOOP event at DNB affecting both reactors, which lasted nine hours. As there were no special circumstances that would exclude consideration of this event from the HPC IEF, it was decided to include it in the derivation of the long LOOP frequency at HPC.

It was noted during the review that Bayesian analysis was not applied to derive the IEF [Ref. 40]. The use of Bayesian analysis to derive IEFs is now standard UK practice and is also considered to be international best practice, as recommended by the International Atomic Energy Agency (IAEA) and the Office for Nuclear Regulation (ONR) Technical Assessment Guides (TAG). Therefore this review derived the revised HPC LOOP IEF using Bayesian analysis. This Bayesian analysis was performed using the RDAT software with the following parameters:

- an error factor of 30, chosen to reflect the variance between the national grid characteristics and those local to HPC;
- a prior distribution based on screened data from the initial IEF calculations with the recent DNB event added, giving 7.24 x 10^-3 per year; and
- Hinkley Point station data of 0 relevant events in 124 reactor years of operation (A and B sites).

The result was an HPC site-specific long LOOP frequency of 1.33 x 10^-3 per year. Note that this is considered specific to the HPC reactor at Hinkley because the filtering of OPEX takes account of the improved grid connections at HPC.
The reason for deriving a reduced long LOOP IEF following an event is that the reference value is based on all events at many sites, but screened for relevance to HPC, so there were fewer events to consider. In the Bayesian analysis, the lack of screened events at Hinkley leads to a lower figure. It should be noted that the initial analysis [Ref. 40] reviewed a number of potential IEFs, concluding that a best estimate frequency would lie somewhere between 1.00 x 10^-3 per year and 5.00 x 10^-3 per year. One of the factors that led to the selection of the 5.00 x 10^-3 per year frequency was that this was consistent with the UK severe storm frequency. The values reviewed are presented below with the new Bayesian frequency for comparison:

Long LOOP IEF calculation     | Frequency per year
OPEX per turbine disconnected | 5.00E-03
OPEX per site                 | E
Generic severe storm*         | E
New Bayesian analysis         | 1.33E-03

* Of the size that caused long LOOP events at some (but not all) affected sites.
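The mechanism behind the Bayesian figure above, as an added worked example that is not the RDAT calculation from the RID study: the page does not state the distributional form the study used, so this example assumes a lognormal prior on the frequency, with the error factor interpreted as the ratio of the 95th percentile to the median and the stated 7.24 x 10^-3 per year taken as the prior mean, and a Poisson likelihood for the observed event count. The page's inputs (error factor 30, 0 relevant events in 124 reactor years) are used as they stand. Because the distributional choices are this example's assumptions, its output is not expected to reproduce the study's 1.33 x 10^-3 per year exactly; what it demonstrates is the effect the text describes, that zero screened events over the site-specific exposure pull the posterior mean below the prior mean, and further below as the exposure grows.

```python
"""Bayesian update of an initiating-event frequency: lognormal prior,
Poisson likelihood, pure-Python numerical integration.
Added illustration (not the RDAT calculation from the RID study); the
distributional assumptions are stated in the docstrings."""
import math

Z95 = 1.6449  # standard-normal 95th percentile


def lognormal_params(mean, error_factor):
    """(mu, sigma) of ln(lambda) for a lognormal prior with the given
    arithmetic mean and error factor EF = 95th percentile / median
    (assumed interpretation of the error factor)."""
    sigma = math.log(error_factor) / Z95
    mu = math.log(mean) - 0.5 * sigma ** 2      # mean = exp(mu + sigma^2 / 2)
    return mu, sigma


def posterior_mean(prior_mean, error_factor, events, exposure_years,
                   u_lo=-24.0, u_hi=8.0, n=32000):
    """Posterior mean of lambda (events per year) after observing
    'events' in 'exposure_years', integrating over u = ln(lambda) with
    the trapezoid rule on a uniform grid. Log-weights are shifted by
    their maximum before exponentiation so large counts cannot overflow.
    With exposure_years == 0 there is no data and the prior mean is
    returned, which serves as a check of the integration accuracy."""
    mu, sigma = lognormal_params(prior_mean, error_factor)
    h = (u_hi - u_lo) / n
    log_w = []
    for i in range(n + 1):
        u = u_lo + i * h
        lam = math.exp(u)
        log_prior = -0.5 * ((u - mu) / sigma) ** 2   # normal in u, up to a constant
        if exposure_years > 0:
            t_lam = exposure_years * lam
            log_lik = events * math.log(t_lam) - t_lam  # Poisson, up to a constant
        else:
            log_lik = 0.0                               # no data: posterior = prior
        log_w.append(log_prior + log_lik)
    shift = max(log_w)
    num = den = 0.0
    for i, lw in enumerate(log_w):
        w = math.exp(lw - shift) * (0.5 if i in (0, n) else 1.0)
        den += w
        num += w * math.exp(u_lo + i * h)
    return num / den


if __name__ == "__main__":
    # Inputs quoted in the RID No. 71 text; the distributional form is this
    # example's assumption, so the result differs from the study's figure.
    prior = 7.24e-3
    print(f"prior mean (no data)      : {posterior_mean(prior, 30, 0, 0):.3e} /y")
    print(f"posterior, 0 in 124 ry    : {posterior_mean(prior, 30, 0, 124):.3e} /y")
    print(f"posterior, 0 in 1240 ry   : {posterior_mean(prior, 30, 0, 1240):.3e} /y")
```

The integration is done in log-frequency because a lognormal with error factor 30 spans several decades; a uniform grid in the frequency itself would either miss the low end or need far more points. When the data are plentiful the prior becomes irrelevant and the posterior mean tends to the observed rate (events divided by exposure), which is the regime the text contrasts with the sparse site-specific data at Hinkley.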

It was concluded that the reference IEF of 5.00 x 10^-3 per year would be retained on the following basis:

- although it can be considered conservative, it does cover any perceived uncertainties in the screening of the OPEX;
- a reduction in the IEF would have to be supported by an HPC-specific confirmatory study from the Met Office and National Grid Company, to confirm that this is consistent with the site-specific severe storm frequency or any other external hazard that can induce a LOOP for the HPC site.

Unsubstantiated Human Reliability Claims, RID No. 30

During GDA activities, post-accident operator actions, Type C Human Based Safety Claims (HBSC), were identified from the GDA PSA according to their contribution to CDF. The high and medium risk significant Type C claims were selected to be substantiated using task analysis performed by Human Factors (HF) specialists (with the exception of one action, which was selected for deterministic reasons). This task analysis was based on the Flamanville 3 (FA3) operating procedures and simulator observations/talk-throughs. The objective of the task analysis was to demonstrate the achievability of the HBSC in the available time before core damage would occur, as identified by the thermohydraulic studies that support the PSA, and in order to substantiate the Human Error Probabilities (HEPs) assigned in the UK EPR GDA PSA. A summary of the status of each claim in terms of achievability and assessed reliability was produced (see Sub-chapter 18.1).

Of the operator actions analysed, six were assessed by the task analysis to be unachievable, based on the assessed task duration compared to the available time claimed in the PSA for the operator to perform the task [Ref. 41]. These actions were:

Operator Action | Description
OP_EFWS         | Operator starts and controls ASG [EFWS] within one hour in case of RPR [PS] failure.
OP_FSCD_30MN    | Operator initiates Fast Secondary CoolDown (FSCD) following a small break Loss of Coolant Accident (LOCA).
SGTR 1 Tube     | Operator manually trips the reactor and isolates the radioactive SG within 50 minutes following a Steam Generator Tube Rupture (SGTR) event in one tube.
OP_FSCD_30MN_IH | Operator initiates FSCD (within 30 minutes from Safety Injection (SI) signal) during internal hazard (fire).
OP_SCD_30MN     | Operator initiates fast secondary cooldown within 30 min (from SI signal) following SGTR.
OP_SBODG_LOCAL  | Operator starts the Station Black-Out (SBO) Diesel Generators (DGs) by Local To Plant (LTP) action within 2 hours.

The operator action SGTR 1 Tube was analysed upon deterministic request; this operator action is not claimed in the Level 1, 2 or 3 PSA models and is therefore reviewed in relation to the PSA modelling considerations discussed below. Issues relating to this claim will be addressed through the HPC HFs programme (see Sub-chapter 18.1).

A review of the conservatisms identified both in the PSA modelling and in the HF task analysis was carried out to update the probabilistic assessment of these operator actions for the HPC D-PSA Batch 3 update. A probabilistic assessment of the impact on CDF using updated HEPs was performed to ensure the acceptability of the changes. Following the review of the scenarios where the five unsubstantiated operator actions are claimed and of FA3 studies on similar scenarios, the allowable timescales for operator actions and the probabilities were updated accordingly with less conservative assumptions [Ref. 43]:

Initial Operator Action ID        | Initial Allowable Time (Tm) | Initial HEP   | Updated Operator Action ID | Updated Allowable Time (Tm) | Updated HEP
OP_EFWS                           | 60 min                      | 2.84E-03      | OP_EFWS                    | 75 min                      | 2.44E-03
OP_FSCD_30MN and OP_FSCD_30MN_IH  | 30 min / 30 min             | 4.28E / E-01  | OP_FSCD_120MN              | 140 min                     | 2.13E-03
(same group)                      |                             |               | OP_FSCD_55MN               | 66 min                      | 2.84E-03
(same group)                      |                             |               | OP_FSCD_PZR                | 60 min                      | 3.30E-03
(same group)                      |                             |               | OP_FSCD_29MN               | 29 min                      | 1.00
OP_SCD_30MN                       | 30 min                      | 4.28E-02      | OP_SCD_65MN                | 85 min                      | 2.44E-03
OP_SBODG_LOCAL                    | 120 min                     | 5.00E-02      | OP_SBODG_LOCAL             | N/A                         | 1.00

These updated timescales allow the operator more time to respond before core damage occurs, thereby reducing the predicted HEPs. With respect to this RID study the following points should be noted:

- Due to changes in the HPC D-PSA Batch 3 model, the OP_SBODG_LOCAL operator action is no longer claimed within the PSA.
- New operator actions related to the initiation of Fast Cooldown have been created based on the analysis of the existing operator actions, following the separation of the 2-45 cm^2 small break LOCA into new 2-20 cm^2 and cm^2 small break LOCA events.
- The failure probability of the initiation of the Fast Cooldown in 29 minutes, OP_FSCD_29MN, is set to 1.00, as in this case the task analysis considered that the operator cannot perform the required task within the available time before core damage occurs.
The impact of these changes on the CDF was predicted as follows:

Model                                                                | CDF (per year) | Change compared to base case
Batch 3 master model - HPC_DPSA_V2_3                                 | 5.94E-07       | -
Reference case - HPC_DPSA_V2_3 with separation of small LOCA events  | 5.78E-07       | negligible
All unsubstantiated HBSC set to 1.00                                 | 4.08E-06       | increase by over a factor of 7
Updated HEP for the unsubstantiated HBSC                             | 5.52E-07       | -4%

For the HPC D-PSA Batch 3 model with the new small break LOCA modelling, the CDF was calculated to be 5.78 x 10^-7 per reactor year. When considering all five operator actions as unachievable (based on a previous working model [Ref. 42]), the CDF increases by over a factor of 7 to 4.08 x 10^-6 per reactor year, which confirms that these operator actions are still important and risk significant. In the updated Batch 3 D-PSA model, which uses the updated HEPs and the updated small break LOCA event tree modelling, the CDF is calculated to be 5.52 x 10^-7 per year. By reducing the conservatism in the HEPs and in the PSA modelling of the small break LOCA initiating events, there is a 4% reduction in the CDF. The operators have more time to respond and as such are more likely to perform the required task in the allowable time, which has been evaluated more precisely and in relation to the context.

The operator actions related to the start and control of the ASG [EFWS] system and to the initiation of the Fast Cooldown (OP_EFWS and OP_FSCD_PZR) appear to have the greatest effect on the CDF. Particular attention should be given to substantiating these operator actions, as they represent a preponderant proportion of the CDF increase over the 1.00 x 10^-6 per reactor year threshold.

It is important to note that all of the operator actions in the HPC PCSR Reference D-PSA model are based on either FA3 operator actions or assumptions, and that the HF task analyses have been performed with FA3 procedures and team organisation. Further work will be carried out to substantiate risk significant operator actions in the PSA (see Sub-chapter 18.1 for more details) using HPC specific procedures and arrangements.
Where necessary, the time available for operator actions and HEP values will be updated for the HPC PSA to ensure a high level of representativeness of the model.

Application of Methodology for Twin Reactor Site, RID No. 61

For numerical targets in the NSDAPs which relate to the site and not to a single reactor, a method developed by EDF Research and Development (R&D) has been applied for comparison with the simple doubling of the frequency of contributing initiating events, and hence doubling of the risk from a single reactor. In the NSDAPs there are numerical targets for accident conditions, some of which relate to the entire site rather than being per reactor. The PSA is used to assess the HPC twin-reactor site against Safety Design Objectives (SDOs) SDO-5, SDO-7 and SDO-9, with an assumption that a factor of 2 on the single reactor risk is conservative. The aim of the study [Ref. 22] was to justify this assumption, using a method developed by EDF R&D, by:

- defining an appropriate level of detail for a demonstration, and creating a simplified twin reactor model or developing a simplified assessment; and
- identifying whether there are aspects or parts of the modelling for which the factor of 2 appears not to be appropriate and, if necessary, proposing solutions to address it.

The method involves:

a) Using the Unified Partial Method (UPM) to determine a Common Cause Failure (CCF) β factor for the computerised I&C systems of the two units; a value of 5% is derived. Note that the model used was an intermediate Batch 4 update model.

b) Identifying the main Initiating Events (IE) contributing to Dose Band (DB) 5 release and identifying which of these affect one unit or the whole site. These are:

Unit IE:
- Reactor Trip state A
- Uncontrolled Level Drop
- Turbine Trip
- Internal Hazard Fire
- Loss of Cooling Chain 1 train / 3 trains
- Loss of Cooling Chain
- Primary Break Small
- Heterogeneous dilution (States A, Ca)
- Small SGTR state AB
- Steam Line Break (small and large)

Site IE:
- Loss Of Off-site Power long term
- Loss of Ultimate Heat Sink
- Loss Of Off-site Power short term

For site IEs, a distinction can be made between type I and type II IEs:
- Type I: events that induce a transient on only one plant.
- Type II: events that may induce a transient on both plants at the same time.

According to the UK OPEX used to determine the LOOP IEF [Ref. 10], most LOOP events are the result of climatic events and thus are type II. However, LUHS events are the result of a system failure in one unit and thus are all type I. The following table sums up the contributions:

Initiator  | Type I contribution | Type II contribution
LOOP Short | 10%                 | 90%
LOOP Long  | 0%                  | 100%
LUHS       | 100%                | 0%

c) The parameters of the CCF groups were modified to include the identical systems of the other unit. The most relevant CCF groups were selected based on the Risk Increase Factor (RIF) and their FV.

                          | 1 Unit      | Twin unit     | Factor Increase
CDF                       | 5.38E-07 /y | 9.87E-07 /y   | 1.83
Risk of individual death  | 2.09E-07 /y | 4.05E-07 /y   | 1.94
Probability of 100 deaths | 7.7E-08 /y  | 1.08E-07 /y * | 1.40

* Twin reactor methodology applied to the 6 most significant Release Categories; the remaining release categories were multiplied by 2.

In conclusion, it appears that it is conservative to simply double the risk calculated for a single unit when evaluating a twin-unit site. In consequence, the Basic Safety Objective (BSO) numerical targets are likely to be satisfied. While the probability of 100 deaths from the site falls marginally above the objective, it should be remembered that there are conservatisms within the methodology.

Electrical CCFs, RID No. 39

As part of the response to GDA queries concerning electrical supplies, it was requested that the consequences of CCFs of the electrical power supply systems be examined more closely to determine whether any modifications to improve the diversity of the EPR design would be ALARP. These electrical CCFs were considered both as new IEs and as failures during mitigation of frequent Design Basis Events (DBEs).

The response to this assessment finding involved several work packages, some of which were performed in parallel. Those with direct involvement from the PSA RID team included a series of workshops held to review the susceptibility of the HPC electrical system design to CCF. These workshops involved experts from multiple disciplines including electrical design, safety case, PSA, maintenance and UK and French OPEX. The outputs of these workshops were then used to predict CCF frequencies and probabilities. The results and conclusions of these workshops are presented in a summary report [Ref. 44], which proposes improvements in design and operation in order to minimise the occurrence of CCF. These recommendations were fed into an ALARP study [Ref. 45], which collated the recommendations from all the work packages in a single place. Following this ALARP study, the PSA team was asked to review the impact of all the proposed modifications on the predicted CDF for HPC using the PSA model [Ref. 46].
These studies predicted the following increases in CDF associated with the total loss of electrical switchboards:
- Total loss of the 690 V Emergency Power Supply Production and Distribution (LJ) with the plant at power: frequency (CDF) = 1.60 x 10^-9 per reactor year.
- Total loss of the 400 V AC Uninterrupted Power Supply (UPS) Distribution (LV) with the plant at power: frequency (CDF) = 5.90 x 10^-9 per reactor year.

Based on the predicted increases in risk presented above, it was considered that the modifications to the electrical system would satisfactorily reduce the risk arising from electrical CCF initiating event faults.

Safety Injection System (RIS [SIS]) Pumps Power Distribution, RID No. 26

To assess a proposed power supply diversity improvement, the consequences and risks of changing (swapping) the electrical power supplies of the Medium Head Safety Injection (MHSI) and LHSI trains 2 and 3 were reviewed. A wider study of electrical CCFs and of potential modifications to increase diversity and to protect against loss of a given voltage level (e.g. all LJ busbars) was conducted. The study assessed the effect of swapping over the power supplies between the medium head and low head Safety Injection System (RIS [SIS]) pumps on trains 2 and 3, which are not supplied by the Ultimate Diesel Generators (UDGs).

Pump ID | Pump description  | Reference supply | Change to
RIS2220 | LHSI pump Train 2 | LJB              | LHB
RIS2420 | MHSI pump Train 3 | LHB              | LJB
RIS3220 | LHSI pump Train 2 | LJC              | LHC
RIS3420 | MHSI pump Train 3 | LHC              | LJC

Additionally, the CCF modelling for the 10 kV MHSI breakers and the 690 V LHSI breakers was adjusted (there is no CCF modelling on the switchboards).

The results [Ref. 47] show that the change in electrical supply from 690 V LJ to 10 kV Emergency Secured Power Supply Production and Distribution (LH) had a negligible (0.36%) effect on the overall CDF (internal events and hazards). Furthermore, the balance of risk was hardly changed, with the results for the accident families showing minimal reductions. The families most affected were LOCA Overall, with a 1.15% reduction, and Steam Line Break (States AB) (SLB_AB), with a 1.01% reduction. The slight reduction in the CDF is due to the modelling change for the CCF of the breakers connected to the injection pumps. The conclusion was that the potential modification adds diversity, while from a PSA perspective there is neither an apparent safety benefit nor a drawback.

PSA Review of Classification

Over the development of the Reference Configuration (RC) for PCSR3, PSA was used in an integrated manner to inform the safety classification of certain Safety Feature Groups (SFGs) and to provide feedback on the appropriateness of the deterministically derived safety classification of other SFGs.

RID STUDIES HAZARDS

Introduction

As part of the overall response to GDA Assessment Finding AF-UKEPR-PSA-032, RID studies were performed for the following hazards:
- internal fire,
- internal flood, and
- seismic events.

A summary of the results generated by these studies is presented in this section; a more detailed description of these analyses is presented in their respective results reports. It should be noted that these analyses have considered the safeguard buildings as a whole, rather than their respective sub-divisions as described in Sub-chapter 1.1, i.e. they are referred to as HL1, HL2, HL3 and HL4. The following table indicates how these buildings map to their respective sub-divisions:

Safeguard Building | Sub-Divisions
HL1                | HLA, HLF, HLK
HL2                | HLB, HLG, HLL
HL3                | HLC, HLH, HLM
HL4                | HLD, HLI, HLN

Internal Fire RID Analysis

The internal fire analysis is presented in the Internal Fire RID PSA results summary report [Ref. 56]. This analysis performed internal fire analysis for the HPC site. In order to ascertain which buildings should be analysed and at what level of detail, each building on the HPC site was reviewed with respect to:
- the level of information available regarding the building design and its contents, and
- how important the Structures, Systems and Components (SSCs) within each building were considered to be with respect to CDF.

From this pre-screening the following categories were assigned to each building:
- Screened out: the building will not be subjected to internal fire analysis at this time;
- Screened in for building level analysis: internal fire analysis will be performed for the building as a whole with no credit taken for any compartmentalisation; or
- Screened in for compartment level analysis: internal fire analysis will be performed for the building with compartmentalisation taken into account. This includes consideration of:
  - intra compartment analysis, in which fires occurring within each compartment are analysed, and
  - inter compartmental analysis, in which fires occurring in one compartment and spreading to another are analysed.
This analysis produced the following results:

Analysis                              | Initiating Event Frequency (IEF) (/ry.) | Conditional Core Damage Probability (CCDP) (/demand) | CDF (/ry.)
Safeguard Building 1 (HL1) (Intra)    | 1.47E E E-09
Safeguard Building 1 (HL1) (Inter)    | 7.54E E E-11
Safeguard Building 1 (HL1) Total      | 1.54E E E-09
Safeguard Building 2 (HL2)            | 1.51E E E-08
Main Control Room (MCR)               | 5.29E E E-10
Safeguard Building 2 (HL2) Total      | 2.04E E E-08
Safeguard Building 3 (inc. RSS) (HL3) | 1.65E E E-09
Safeguard Building 4 (HL4)            | 1.61E E E-07
Pump House Div.A (HPA)                | 1.69E E E-11
Pump House Div.B (HPB)                | 1.69E E E-09
Pump House Div.C (HPC)                | 1.69E E E-10
Pump House Div.D (HPD)                | 1.69E E E-11
Pump House (HP) Total                 | 6.74E E E-09
Electrical building (Unit 1) (HF1)    | 5.63E E E-07
Turbine Hall (HM)                     | 5.90E E E-09
Gas Insulated Switchgear (HTE)        | 1.94E E E-10
Reactor Building Containment (HRA)    | 1.20E E E-09
Total                                 | 1.51E E E-07

The table above presents a summary of the Internal Fire RID PSA results, grouped by building, giving the IEF, CDF and CCDP (calculated as the CDF divided by the IEF). The CCDP essentially indicates the level of plant protection provided against each fire event; using this measure it is clear that the plant is most sensitive to internal fire events in HF1 and HL4.

It should be noted that the analysis results for internal fire in the:
- Turbine Hall (HM),
- Gas Insulated Switchgear (HTE), and
- Reactor Building Containment (HRA)
have not been discussed in detail in this report. This is because these buildings only had a new initiating event calculated for them, with no new modelling; hence the Minimal CutSets (MCS) produced are identical to those presented in Section

Although this modelling has attempted to be as best estimate as possible, certain conservative simplifications have had to be made to enable the analysis. One obvious modelling simplification is the adoption of building-level analysis; this was employed because full fire compartment layout information was only available for HL1 at the time of analysis.
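The intra/inter compartment scheme and the frequency-weighted CCDP used in the table above can be illustrated with a small model. The following Python is an added example written for this edit; it is not code from the PCSR, the RID analysis or NNB. The fire barrier failure probability of 1.00 x 10^-1 per demand is the value quoted in the recommendations for this analysis; the compartment names, fire frequencies and CCDPs are constructed sample inputs, and the rows it produces follow the same Intra / Inter / Total layout as the results table.

```python
"""Compartment-level internal fire CDF aggregation (added illustrative example).

A fire starting in a compartment damages that compartment's equipment (intra
term) and, if the fire barrier fails, also a neighbouring compartment (inter
term). Building CCDP is total CDF / total IEF, as in the table on the page.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Fire barrier failure probability per demand, as assumed in the RID fire analysis.
# All other numbers in this file are constructed sample values.
BARRIER_FAILURE_PROB = 1.0e-1


@dataclass
class Compartment:
    name: str
    fire_ief: float                  # fire initiating event frequency (/ry)
    ccdp_intra: float                # CCDP when the fire stays in this compartment
    # (neighbour name, CCDP when the fire spreads and both compartments are damaged)
    neighbours: list[tuple[str, float]] = field(default_factory=list)


def intra_terms(c: Compartment) -> tuple[float, float]:
    """(IEF, CDF) for fires confined to compartment c."""
    return c.fire_ief, c.fire_ief * c.ccdp_intra


def inter_terms(c: Compartment, barrier_pfd: float = BARRIER_FAILURE_PROB) -> tuple[float, float]:
    """(IEF, CDF) for fires starting in c and spreading through a failed barrier.

    The spread frequency is the fire frequency times the barrier failure
    probability for each neighbour. The intra term is deliberately not reduced
    by (1 - barrier_pfd), so the sum is slightly conservative, in line with the
    conservative simplifications noted on the page.
    """
    ief = c.fire_ief * barrier_pfd * len(c.neighbours)
    cdf = 0.0
    for _, ccdp_both in c.neighbours:
        cdf += c.fire_ief * barrier_pfd * ccdp_both
    return ief, cdf


def building_summary(compartments: list[Compartment],
                     barrier_pfd: float = BARRIER_FAILURE_PROB) -> dict[str, tuple[float, float, float]]:
    """Intra, inter and total rows as (IEF, CDF, CCDP) for one building.

    CCDP is CDF / IEF, i.e. frequency weighted; it is not the mean of the
    per-compartment CCDPs, so a rarely-fired but poorly protected compartment
    can be masked in the building figure.
    """
    rows: dict[str, tuple[float, float, float]] = {}
    for label, fn in (("intra", intra_terms), ("inter", lambda c: inter_terms(c, barrier_pfd))):
        ief = 0.0
        cdf = 0.0
        for c in compartments:
            i, d = fn(c)
            ief += i
            cdf += d
        rows[label] = (ief, cdf, cdf / ief if ief else 0.0)
    ief = rows["intra"][0] + rows["inter"][0]
    cdf = rows["intra"][1] + rows["inter"][1]
    rows["total"] = (ief, cdf, cdf / ief if ief else 0.0)
    return rows


def rank_buildings_by_ccdp(site: dict[str, list[Compartment]],
                           barrier_pfd: float = BARRIER_FAILURE_PROB) -> list[str]:
    """Building names ordered from least to best protected (highest CCDP first)."""
    totals = {name: building_summary(cs, barrier_pfd)["total"][2] for name, cs in site.items()}
    return sorted(totals, key=totals.get, reverse=True)


# Constructed sample site: two compartments that share a barrier, one isolated
# compartment, and a single-compartment electrical building.
SAMPLE_SITE = {
    "HL-sample": [
        Compartment("CMP-1", 1.0e-2, 1.0e-6, [("CMP-2", 1.0e-4)]),
        Compartment("CMP-2", 2.0e-2, 5.0e-7, [("CMP-1", 1.0e-4)]),
        Compartment("CMP-3", 1.0e-2, 2.0e-6),
    ],
    "HF-sample": [Compartment("ELEC-1", 5.0e-2, 1.0e-5)],
}

if __name__ == "__main__":
    for name, comps in SAMPLE_SITE.items():
        for row, (ief, cdf, ccdp) in building_summary(comps).items():
            print(f"{name:10s} {row:6s} IEF={ief:.2e} CDF={cdf:.2e} CCDP={ccdp:.2e}")
    print("Least protected first:", rank_buildings_by_ccdp(SAMPLE_SITE))
    # Sensitivity in the spirit of the barrier recommendation: a better barrier claim
    better = building_summary(SAMPLE_SITE["HL-sample"], 1.0e-2)["total"][1]
    print(f"HL-sample total CDF with barrier PFD 1e-2: {better:.2e}")
```

Two points the results table alone does not make explicit: ranking by CCDP rather than by CDF picks out where protection is weakest independently of how often fires start, which is how the page reads HF1 and HL4; and lowering the barrier failure probability only affects the inter rows, so the sensitivity of a building total to the barrier claim depends on how much of its CDF comes from spread rather than from confined fires.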
From this analysis the following recommendations and insights were noted: 1) If further information could be obtained to support any of the following claims, a notable reduction in the predicted CDF would result:

a) Claiming fire protection, e.g. detection and suppression systems, etc., that could be demonstrated to have a failure probability of 1.00 x 10^-1 per demand or lower.
b) Performing more detailed fire analysis to establish the zone of influence of the fire and obtain a more accurate estimation of plant damage.
c) Claiming Fire Fighting Water Supply System (JAC) makeup of the ASG [EFWS] system with a failure probability of 1.00 x 10^-1 per demand or lower.
d) Claiming segregation or protection in 1HF to prevent a single fire event from being able to fail all four divisions of the 10 kV Normal Power Supply Distribution (LG).

2) Specifically for Safeguard Building division 1:
a) The predicted CDF increase is particularly sensitive to a fire in compartment HLK2611ZFS. This is because the equipment located in this compartment has the potential to render both the Main FeedWater System (ARE [MFWS]) and the Start-up and Shutdown feedwater System (AAD [SSS]) unavailable.
b) The analysis indicates that a mandatory trip of the reactor following an internal fire event in the constituent areas of HLF0111SFS which are not enclosed by a 60 minute fire barrier would not necessarily be the safest course of action. This should be considered in the future development of the HPC operating rules or technical specifications.
c) The failure probability of a fire barrier is taken to be 1.00 x 10^-1 per demand. The sensitivity results indicate that the model is sensitive to the failure probability of the barriers preventing fire spread to compartment HLK2611ZFS and to the constituent areas of HLF0111SFS not enclosed by a 60 minute fire barrier. Therefore these barriers should be further investigated to ensure that they comply with this prediction with respect to their rating and penetrations.
3) This analysis has highlighted a number of specific components that would have a beneficial impact on risk if they were protected against an internal fire event, e.g. the LV Division F circuit breaker LVF1101. These specific aspects should be reviewed in conjunction with the points presented above to see if it is ALARP to introduce this protection into the HPC design.
4) One of the key assumptions made by this analysis is that the divisional segregation of connected buildings, e.g. HP and the Safeguard Buildings (HL [SB]), ensures that an internal fire event cannot spread between them. This underlying assumption is a key part of this analysis; its removal would result in a significant increase in the predicted CDF. Therefore the provisions made for maintaining this divisional separation should be kept under review during design, construction and operation.
5) This analysis clearly indicates that the majority of the risk from the pump house originates from division B. This is due to the location within HPB of electrical equipment relating to the other divisions, such that it can render all four trains of the Auxiliary (Raw Water) Cooling System (SEN [ACWS]) unavailable following an internal fire event. A review of the confirmed layout of the latest HP design should be undertaken to see if these components are still located in HPB and, if so, a separate RID study should be undertaken to see if their relocation is consistent with the ALARP principle.
6) Specifically for the MCR:

a) The predicted CDF presented in this analysis case is sensitive to the assertion that only 1 in 100 fires in the MCR would render it untenable; further refined analysis should be performed once the information is available to underwrite this assertion.
b) Similarly, the ability of the MCR operators to switch control over to the RSS before abandoning the MCR is important to the predicted CDF. Further refined analysis should be performed once the information is available to underwrite this assertion.
7) The following compartments were found to have a fire load greater than 227 MJ/m², therefore it may be appropriate for the fire barriers and any structural supports in these compartments to be reviewed to ensure they are not impacted by the postulated fire events:
a) HLA2211SFI,
b) HLA2612SFI,
c) HLF0112SFI, and
d) HLF0511SFI.
8) It is noted that the compartmental information for the HPC design is currently quite limited; therefore it should be appreciated that the results presented in this report for compartment level analysis are only indicative and should be re-performed once further information is available.

Internal Flood RID Analysis

The internal flood analysis is detailed in the Internal Flood RID PSA results summary report [Ref. 57]. This analysis performed internal flood analysis for the HPC site. In order to ascertain which buildings should be analysed and at what level of detail, each building on the HPC site was reviewed with respect to:
- the level of information available regarding the building design and its contents, and
- how important the SSCs within each building were considered to be with respect to CDF.
From this pre-screening the following categories were assigned to each building:
- Screened out: the building will not be subjected to internal flood analysis at this time;
- Screened in for building level analysis: internal flood analysis will be performed for the building as a whole with no credit taken for any compartmentalisation; or
- Screened in for compartment level analysis: internal flood analysis will be performed for the building with compartmentalisation taken into account.

Following the performance of the analysis, the results below were produced:

Building                           | IEF (/ry.) | CCDP (per demand) | CDF (/ry.)
Electrical Building (Unit 1) (1HF) | 6.34E E E-07
Safeguard Building 1 (HL1)         | 5.12E E E-07
Safeguard Building 2 (HL2)         | 5.12E E E-09
Safeguard Building 3 (HL3)         | 5.11E E E-09
Safeguard Building 4 (HL4)         | 5.36E E E-08
Pump House (HP)                    | 1.85E E E-09
Fuel Building (HK)                 | 6.84E E E-12
Total                              | 4.62E E E-07

The table above presents a summary of the Internal Flood RID PSA results, grouped by building, with the IEF, CDF and CCDP (calculated as the CDF divided by the IEF). The CCDP essentially indicates the level of plant protection against each flood event; using this measure it is clear that the plant is most susceptible to internal flood events in 1HF and HL1.

Although this modelling has attempted to be as realistic as possible, certain conservative simplifications have had to be made to enable the analysis. One obvious modelling simplification is the adoption of building-level analysis; this was adopted because full flood propagation modelling was only available for the Fuel Building (HK [FB]). It is therefore considered that the CDF estimations of the building analysis group are conservative and that a more realistic approach would in all likelihood reduce their contribution to risk by at least an order of magnitude. Therefore updating of this analysis should be considered when full propagation analysis has been completed for the remaining buildings. It is considered that compartment level analysis, coupled with accurate estimation of flood heights, will represent the next suitable step towards a realistic internal flood PSA.

From this analysis the following recommendations and insights were noted:
9) If further information could be obtained such that any of the following aspects could be claimed, there would be a notable reduction in the CDF prediction:
a) Claiming flood protection, e.g. drains, bunds around flood sources, etc., that could be demonstrated to have a failure probability of 1.00 x 10^-1 per demand or lower.
b) Refining the pipework failure data to better take account of the quality of pipework planned for the EPR design.
c) Reviewing the flood sources and proposed procedures to underwrite a claim that local operators could isolate the flood before the loss of any safety significant SSCs, with a failure probability of 1.00 x 10^-1 per demand or lower.
d) Claiming JAC makeup of the ASG [EFWS] system with a failure probability of 1.00 x 10^-1 per demand or lower.
e) Claiming segregation or protection in 1HF to prevent a single flood event from being able to fail all four divisions of the LG.

10) This analysis has highlighted a number of specific components that would have a beneficial impact on risk if they were protected against an internal flood event, e.g. the two hour 220 V DC Power Production and Distribution (LAA) system rectifier LAA1101R. These specific aspects should be reviewed in conjunction with the points presented above to see if it is ALARP to introduce this protection into the HPC design.
11) One of the assumptions made by this analysis is that the divisional segregation of connected buildings, e.g. HP, HL [SB] and HK [FB], ensures that an internal flood event cannot spread between divisions. It is considered that if this underlying assumption were removed a significant increase in the CDF prediction would occur; therefore this divisional segregation is considered very important to maintain.
12) This analysis clearly indicates that the majority of the risk from HP originates from division B (HPB). This is due to the location within HPB of electrical equipment relating to the other divisions, such that it can render all four trains of the SEN [ACWS] system unavailable following an internal flood event. A review of the confirmed layout of the latest HP design should be undertaken to see if these components are still located in HPB and, if so, a separate RID study should be undertaken to see whether they could be relocated to other areas of the plant.
13) The analysis indicates that a mandatory trip of the reactor following an internal flood event in HK [FB] would not necessarily be the safest course of action, especially if the flood were to originate in HK0156ZL or HK2495ZL. This should be considered in the future development of the HPC operating rules or technical specifications.
14) The location of LJ switchgear in the HK [FB] building introduces a dependency between ASG [EFWS] Train 1 and the HK [FB] building, which may not be immediately obvious.
However, given that these dependencies arise in fault sequences with a frequency of the order of 1.00 x per reactor year, it is considered that relocating the LJ switchgear elsewhere will not lead to a significant reduction in the contribution to the CDF.

Seismic RID Analysis

The Seismic RID analysis is detailed in the Seismic RID PSA results summary report [Ref. 58] and was applied to the PCSR3 PSA model discussed in Sub-chapter. Several levels of seismic event were evaluated for the Seismic RID PSA, with the data used to define the Peak Ground Acceleration (PGA) taken from the latest Probabilistic Seismic Hazards Assessment (PSHA) [Ref. 59] and interpolated to produce the following input data:

Mean Annual Frequency of Exceedance | Mean Peak Ground Acceleration (g) | 5th Percentile Annual Frequency of Exceedance | 95th Percentile Annual Frequency of Exceedance | Error Factor
1.00E E E E E E E E E E E E E E E E E E E E E E E E E E E E
1.00E E E E E E E E

The following table presents a summary of the predicted CDF increase for each hazard level, represented as an increase over the HPC PCSR3 PSA model CDF prediction of 5.62 x 10^-7 per reactor year. It also presents an estimate of the CCDP, which essentially provides a quantitative estimate of the protection the plant has against each event:

Return Frequency (/yr) | CCDP (/demand) | Δ CDF (/ry.) | Δ % | Comments
1.00E E E % | 1.00E-15 cutoff used
1.00E E E % | 1.00E-15 cutoff used
1.00E E E % | 1.00E-15 cutoff used
1.00E E E % | 1.00E-13 cutoff used
1.00E E E % | Estimated

From the results presented above it is clear that the risk contribution from the hazards within the design basis (i.e. x 10^-4 per year) is less than 0.75%, and when the 1.00 x 10^-5 per year event is included their summed risk contribution is less than 2.25%. This provides confidence that the design basis of the EPR is sufficient for the HPC site.

From the analysis presented in this report the following insights have been revealed:
1) There is a cliff-edge effect on CDF between the 1.00 x 10^-5 per year and 1.00 x 10^-6 per year seismic events; this corresponds to a level between 0.33 g and 0.75 g, with a 1.58% rise at the 0.33 g level. Therefore it is considered that the conclusions of the previous GDA Seismic Margin Assessment (SMA), where a 5% increase is predicted following a 0.4 g event, are largely supported by this RID study. However, it is recommended that a future analysis is performed to estimate:
a) the increase in CDF prediction following a 0.4 g event, and
b) the value of g at which the cliff-edge effect lies.
2) The aforementioned cliff-edge effect at the 1.00 x 10^-6 per year event is considered to be primarily due to the generic nature of the fragility data used for the EPR SSCs. It is considered good practice to have different fragility parameters derived for each seismic event level, as a single set of parameters is unlikely to be able to adequately span the required PGA levels for the complete spectrum of seismic events to be analysed. Given that the original purpose of these generic fragility values was to perform an SMA suitable for GDA, it is considered that they were configured to be most representative of seismic events closer to the design basis level, i.e. g;
3) In general, failure of the grid leading to a seismically-induced LOOP (LOOP -S) is prevalent in most cases. The sensitivity results for the 1.00 x 10^-6 per year event indicate that if this PFD were lowered by an order of magnitude, from 9.54 x 10^-1 per demand to 9.54 x 10^-2 per demand, for this seismic event, then the CDF prediction would decrease to 7.00 x 10^-7 per reactor year, a reduction of approximately 4.58 x 10^-7 per reactor year (~40%). It should be noted that this reduction is optimistic, as the SIET structure means that avoiding a LOOP also avoids any other consequential impacts of a seismic event, which is a conservative simplification of this analysis. However, the avoidance of a LOOP is still considered to have a notable impact on risk. It is considered that this reduction could be achieved by:
a) strengthening the grid supply system to HPC such that the area affected by the seismic event is more robust to seismic events;
b) qualifying the house load system to be claimable following seismic events with a probability of ~1.00E-01 or better.
4) For the 1.00 x 10^-6 per year event, LOCAs have a rising contribution to risk, especially M1 LOCAs (MED_1_LOCA_-S, Event 5), which contribute ~15% to the overall CDF prediction in this case. The sensitivity results indicate that if this PFD were lowered by an order of magnitude to 2.14 x 10^-3 per demand then the CDF prediction would decrease to 9.52 x 10^-7 per reactor year, a reduction of approximately 20%. This reduction may well be achieved by improved fragility data for the primary circuit, whereas currently all pipework is assigned the same fragility parameters;
5) With respect to certain systems, most notably the diesel generators, it is observed that, even for a 1.00 x 10^-6 per year event, the plant-based (i.e. non-seismic) failures are still more probable than a seismically-induced failure. This insight indicates that design effort could be more worthwhile in reducing the plant-based failure probability, rather than in addressing seismic events.

REPETITION OF ALARP STUDIES CARRIED OUT FOR GDA

Introduction

Sub-chapter 17.5 of PCSR 2012 presented a number of potential design alternatives and assessed whether they were ALARP to implement. This analysis has been repeated for PCSR3 to confirm that the ALARP position of these design alternatives has not changed.
From this point on, this section represents a repeat of the analyses carried out in Sub-chapter 17.5 of PCSR. As noted in Sub-chapter 17.1, ONR guidance on the application of ALARP for new civil reactors [Ref. 48] recommends that there should be a clear conclusion that no further reasonably practicable improvements could be implemented in the reactor design, and that therefore the risk has been reduced to ALARP. In this guidance, the proposed approach is to compare the benefit of the risk averted by an additional design option with the cost and difficulty of the modification. If the cost and difficulty are grossly disproportionate to the benefit achieved, the modification may not be reasonably practicable to implement.

The USNRC process for design certification of new reactors requires designers to consider the costs and benefits of Severe Accident Mitigation Design Alternatives (SAMDA) and to provide reasons for not incorporating them in their designs [Ref. 49]. The SAMDA process is similar to the quantitative ALARP process applied in the UK. The AREVA Standard Design Certification report [Ref. 50] contains a SAMDA assessment for the EPR design submitted for design certification in the US, which concludes that no further modifications can be justified on cost/benefit grounds.

The current sub-chapter provides an ALARP assessment methodology and an ALARP assessment of several UK EPR design alternatives.

Selection of Initial Design Alternatives

In order to confirm that no further reasonably practicable improvements could be implemented, design alternatives were selected for analysis. This selection is based on modifications required by international regulators in their assessment of the EPR, or on design variants belonging to the Sizewell B (SZB) PWR design. The following design alternatives were selected and are assessed in section 4.3.3:
1) Addition of a third train to the Extra Boration System (RBS [EBS]),
2) Increase in the capacity of the accumulators in the low pressure RIS [SIS] system,
3) Modification of the Reactor Pressure Vessel (RPV) design to remove the circumferential weld at the core mid-height,
4) Modification of the pre-stressed inner containment to adopt ungrouted greased tendons,
5) Installation of pipewhip restraints on main loop pipework,
6) Increase in the injection pressure of the Medium Head Safety Injection (MHSI) pump.

Selection of Other Design Alternatives

The application of the ALARP methodology to the EPR design, consistent with UK practices, was new and was not formally applied as an integral part of the EPR design process. Nevertheless, as stated above, initial design alternatives were selected for analysis to confirm that no further reasonably practicable improvements could be implemented. As part of the detailed design and site licensing phase, other design alternatives may be selected and their reasonable practicability fully evaluated.

Description of ALARP Methodology

The UK EPR ALARP methodology report [Ref. 51] provides complete operational guidance on ALARP assessment. The ALARP demonstration corresponds to a decision making process which makes it possible to justify that the risks have been reduced as far as is reasonably practicable, and to identify the ALARP design option that could resolve a safety issue.
It should be fit for purpose and requires a formal and documented process, based on sound technical information. Fundamentally, the ALARP process is based on five steps:
1) Presentation of the safety issue;
2) Identification of the various possible options which could resolve the safety issue;
3) Qualitative assessment of each design option;
4) Quantitative assessment of each design option; and
5) Conclusion and justification of the ALARP option.

These five steps are detailed in the UK EPR ALARP methodology report [Ref. 22]. Steps 3 and 4 are briefly introduced below.

Qualitative ALARP Assessment

The aim is to assess each of the possible options which could address the safety issue, using qualitative factors. This assessment aims at defining the benefits and disbenefits of each option, based on engineering judgement backed up by consolidated evidence and information. The benefits to be considered are fundamentally safety benefits. The disbenefits to be considered are fundamentally safety and commercial disbenefits, where commercial refers to money, time and trouble. Implementation and operational costs can be identified. However, it may also be useful to supplement this assessment with other factors, in particular environmental factors.

Quantitative ALARP Assessment

The basis for the quantitative ALARP assessment is the comparison of the cost of a modification option with the value of the risk reduction achieved. The risk reduction value is an estimate, in economic terms, of the value of the risk averted by the plant modification. It is defined by the equation:

RRV = C × A × ΔF × T    (1)

Where:
RRV = Risk reduction value (GBP)
A = Accident cost at present values (GBP)
C = Present value factor, allowing for discounting (see below)
ΔF = Reduction in accident frequency achieved by the plant modification (/y)
T = Time over which the risk reduction is achieved = operating life of the facility (y)

If the cost of the plant modification is grossly disproportionate to the Risk Reduction Value obtained from (1), the implementation of the modification may not be reasonably practicable under ALARP principles. The UK EPR ALARP Methodology [Ref. 51] provides further discussion of the process for the identification of the reasonably practicable ALARP design options.
According to the ONR guidelines, the accident costs should include all costs to society of the accident, including the health consequences to workers and members of the public, the cost of evacuation, relocation and land interdiction, and the cost of land decontamination and food bans, etc. The calculation of accident costs for a UK EPR for the purpose of the current ALARP assessment is described in section below.

{ This paragraph contains SCI and has been removed }

The number of years at risk in equation (1) is taken as the design life of the reactor (60 years).
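As an added illustration (not code from the PCSR or from the UK EPR ALARP methodology report), the following Python applies equation (1) and the gross disproportion comparison to constructed sample values. Because the page's own definition of the present value factor C was redacted, C is assumed here to be the average of the yearly discount factors over the operating life; the disproportion factor is likewise an assumed input, since the factor applied for HPC is not stated on this page. T is the 60 year design life given above, and the accident cost, frequencies and modification cost are constructed.

```python
"""Quantitative ALARP check: risk reduction value against modification cost.

Added illustrative example. Equation (1) on the page is RRV = C * A * dF * T;
the form of C below and the disproportion factor are assumptions for this
example, not values from the PCSR.
"""
from dataclasses import dataclass

# Operating life over which the risk reduction is accrued; the page gives 60 years.
OPERATING_LIFE_YEARS = 60


def present_value_factor(discount_rate: float, years: int = OPERATING_LIFE_YEARS) -> float:
    """Assumed form of C: the average of the yearly discount factors 1/(1+r)^t
    for t = 1..years. A zero rate gives exactly 1.0 (no discounting)."""
    if discount_rate == 0:
        return 1.0
    annuity = (1.0 - (1.0 + discount_rate) ** -years) / discount_rate  # sum of discount factors
    return annuity / years


def risk_reduction_value(accident_cost: float, delta_freq: float,
                         discount_rate: float, years: int = OPERATING_LIFE_YEARS) -> float:
    """Equation (1): RRV = C * A * dF * T, in the currency of accident_cost (GBP on the page).

    A modification that does not lower the accident frequency has no risk benefit,
    so dF <= 0 yields 0 rather than a negative value.
    """
    if delta_freq <= 0:
        return 0.0
    return present_value_factor(discount_rate, years) * accident_cost * delta_freq * years


@dataclass(frozen=True)
class AlarpResult:
    rrv: float
    modification_cost: float
    cost_to_benefit: float          # modification cost divided by RRV
    reasonably_practicable: bool


def alarp_test(accident_cost: float, base_freq: float, modified_freq: float,
               modification_cost: float, discount_rate: float,
               disproportion_factor: float, years: int = OPERATING_LIFE_YEARS) -> AlarpResult:
    """Compare modification cost with RRV. The cost is treated as grossly
    disproportionate, and the option therefore not reasonably practicable, when
    cost / RRV exceeds the disproportion factor (an assumed input here)."""
    rrv = risk_reduction_value(accident_cost, base_freq - modified_freq, discount_rate, years)
    ratio = modification_cost / rrv if rrv > 0 else float("inf")
    return AlarpResult(rrv, modification_cost, ratio, ratio <= disproportion_factor)


if __name__ == "__main__":
    # Constructed sample: accident cost 1 GBP bn, frequency reduced from
    # 5.0E-07 /y to 4.0E-07 /y, modification cost 0.5 GBP m, 3.5% discount rate,
    # disproportion factor 3.
    r = alarp_test(1.0e9, 5.0e-7, 4.0e-7, 5.0e5, 0.035, 3.0)
    print(f"RRV = {r.rrv:,.0f} GBP, cost/RRV = {r.cost_to_benefit:.1f}, "
          f"reasonably practicable: {r.reasonably_practicable}")
```

The sample run shows the shape of the argument the page makes: at accident frequencies of the order of 10^-7 per year, even a very large accident cost yields an RRV of only thousands of pounds over the plant life, so a modification costing hundreds of thousands fails the test by a wide margin; the outcome is driven far more by ΔF than by the discounting assumption in C.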

Accident Cost Evaluation

As noted above, the ONR Technical Assessment Guide [Ref. 48] states that accident costs should include the economic costs of radiation exposures to the public and workers and the cost of other detriments, such as the need to decontaminate areas, evacuation, relocation and food bans. Commercial costs to the plant operator due to loss of the facility or loss of revenue from generation are excluded.

{ This section contains SCI and has been removed }

{ SCI Section Title Removed }

{ This section contains SCI-only text and has been removed }

ALARP Assessment of Initial Design Alternatives

The initial design alternatives selected in section were mainly assessed using the UK cost benefit methodology presented in section and, where possible, the PSA model for the UK EPR has been used to quantify the risk benefit.

Addition of a Third Train to Extra Boration System RBS [EBS]

The UK EPR RBS [EBS] system is a Class 1 safety classified system which provides boron injection to compensate for the reactivity insertion due to cooldown, in order to achieve a safe shutdown state in Plant Condition Category (PCC) events. It also provides a means of reactivity control in Anticipated Transient Without Scram (ATWS) events at power and in boron dilution events when the reactor is shut down. The RBS [EBS] system is described in Sub-chapter 6.5. The RBS [EBS] system comprises 2 x 100% trains. As the RBS [EBS] system comprises two trains, it is only planned to carry out preventative maintenance on its mechanical components during a unit shutdown. In the SZB PWR, a 4 x 100% train RBS [EBS] system was provided for reactivity control in ATWS events, to meet the request of the UK regulatory authorities.
Furthermore, the Finnish safety authorities have requested the addition of a back-up pump to the RBS [EBS] system for the Olkiluoto 3 EPR, installed in parallel with the two existing pumps and intended to be available during preventative maintenance of one of the other two. In view of these regulatory concerns, it was decided to carry out an ALARP assessment of the costs and benefits of a modification to increase the redundancy of the RBS [EBS] system by adding a third fully functional 100% train.

{ This paragraph contains SCI and has been removed }

Increase in RIS [SIS] Accumulator Capacity

The EPR is equipped with four accumulator tanks which provide passive injection of coolant into the Reactor Cooling System (RCP [RCS]) in the case of large LOCAs involving rapid depressurisation of the primary system. The accumulators are an integral part of the low pressure RIS [SIS] system of the reactor, as described in Sub-chapter 6.2.

In the PCC analysis of large break LOCA (see Chapter 14), the inventory of the accumulator in the broken loop is assumed to be lost at the break. However, the inventory of the three intact loop accumulators is considered to be available for injection. This differs from the assumptions applied to large LOCA analyses in the SZB PWR design, where the injection capacity of one further accumulator is assumed lost due to postulated failure of one of the accumulator check valves, by application of the single failure principle. In the EPR accident analysis the single failure principle is not applied to the accumulator check valves, based on appropriate justifications including reliability aspects. Due to the application of the single failure principle in the SZB design, a plant modification was implemented to increase the capacity of the accumulators compared with the reference PWR design on which it was based. An assessment was carried out of the reasonable practicability of enlarging the EPR accumulators as done in the SZB PWR, to enable check valve failure in large LOCA to be accommodated within the design basis. In the EPR design, guillotine failure of the main loop pipework (2A-LOCA) is excluded from the list of design basis accidents due to application of the Break Preclusion principle, the largest breach considered in the design basis accident (PCC) analysis being a guillotine failure of the pressuriser surge line. However, to achieve defence in depth, the containment building and the RIS [SIS] system are designed with sufficient margins to withstand the effects of a 2A-LOCA, assessed with realistic assumptions, without exceeding the design and safety limits applicable to the containment and core (see Sub-chapters 6.1 and 6.2).
Despite the exclusion of 2A-LOCA from the list of design basis accidents, the 2A-LOCA has been assessed in the PSA with conservative assumptions, in terms of core damage and containment failure. The Level 1 PSA has assessed the frequency of 2A-LOCA { SCI removed }, such a low value being applicable due to the high design, construction and in-service inspection standards applied to Break Preclusion pipework. For this event, the PSA assumes that two MHSI pumps, three accumulators and two LHSI pumps are required to ensure the Safety Injection (SI) mission. Based on the thermal-hydraulic success criteria for a large break LOCA up to a guillotine failure of the pressuriser surge line (see Sub-chapter 16.2), this is assumed to be sufficient to ensure RCP [RCS] inventory control. This requirement is expected to be highly conservative.

{ This paragraph contains SCI and has been removed }

Modification of RPV Design to remove Mid-Height Weld

The EPR RPV has a circumferential weld close to the mid-height of the core, similar to that used in currently operating Nuclear Power Plants (NPPs) in France. The peak neutron flux levels in the core occur at the core mid-plane. Positioning a weld in the high flux region potentially increases the vulnerability of the weld metal to radiation embrittlement; therefore a potential reduction in the risk due to RPV failure could in principle be achieved by redesigning the RPV with the mid-height circumferential weld relocated outside the region of highest flux. Such a modification was implemented in the SZB PWR. A study was carried out to establish whether it would be reasonably practicable to modify the RPV of the UK EPR to relocate the mid-height weld. Although the mid-height weld is at the axial peak flux region, the neutron fluence at the weld is reduced to a low level by the heavy reflector surrounding the reactor core.
Compared with previous French NPP designs, the fluence over life is considerably reduced, as indicated below:
900 MWe NPP Design: 6.5 x n/cm² (40 years),
MWe NPP Design: 4.6 x n/cm² (40 years),
N4 NPP Design: 3.7 x n/cm² (40 years), and
EPR (FA3): 1.2 x n/cm² (60 years).

As no significant degradation of weld material has been experienced in the previous designs, there is confidence that the EPR design will also not experience significant degradation over the plant life. As noted above, the SZB PWR RPV design was modified to have a single core shell containing no mid-height welds. However, due to the absence of the shielding effect of a heavy reflector, the 40 year (lifetime) fluence experienced by the two welds closest to the core is expected to be similar to the 60 year (lifetime) fluence experienced by the EPR RPV mid-height weld. Therefore there is no reason to expect that the weld failure risk in the EPR will be higher than in the SZB unit. A major design improvement of the EPR RPV compared to previous designs is the use of a single forging for the flange and nozzle shell (upper part of the RPV body). This avoids the need to locate a weld in the thick part of the RPV, giving a significant benefit with regard to in-service inspection and weld controllability. This advantage would be lost if the RPV design were modified to relocate the central weld. It is further noted that current worldwide forging capabilities would not allow the forging of a single core shell large enough to remove the weld from the core zone: a shell of the required diameter could not be forged to the required height, due to ingot size and forging limitations. Therefore there is limited potential for re-designing the RPV to further reduce the fluence on the affected welds. In conclusion, the current EPR RPV design, based on two core shells, results in a fluence on the most central weld that is less than or comparable to that on similar vulnerable welds in previous RPVs.
Additionally, the EPR design enables a single flange and nozzle shell to be used, which avoids the need to locate a weld in the thick part of the RPV, giving a significant benefit with regard to in-service inspection and weld controllability. On balance it is considered that the net effect is a reduction in the risk of RPV failure. The UK EPR PSA has quantified the risk due to catastrophic failure of the RPV, which is assigned a frequency of 1.00 x 10⁻⁸ per reactor year. { SCI removed }. It is concluded that removing the mid-height weld in the RPV design would not be justified under UK ALARP principles, based on both qualitative and quantitative considerations.

Modification of the Pre-stressed Inner Containment to adopt Ungrouted Greased Tendons

Within the UK, all the previous pre-stressed concrete pressure vessels performing a nuclear role have used ungrouted greased tendons. The UK EPR inner containment pre-stressing is provided by an arrangement of fully cement-grouted bonded steel tendons. A study, summarised in Sub-chapter 12.3, section 2, was carried out to justify this new design and its consistency with the ALARP principle, by assessing some design alternatives and improvements.

The study has concluded that:
the grouted tendon design will provide adequate reliability of pre-stressing through the life of the EPR containment structure;
the adoption of an alternative pre-stressing system utilising ungrouted tendons would not be consistent with ALARP;
a modified layout of strain gauges in the containment wall of the UK EPR is proposed to improve the ability to detect hypothetical tendon failures; and
no further reasonably practicable improvements have been identified.

Installation of Pipewhip Restraints on Main Loop Pipework

In the EPR design, guillotine failure of the main RCP [RCS] coolant pipework (2A-LOCA) is excluded from the list of design basis accidents due to these pipes being High Integrity Components (HICs) (see Sub-chapter 5.2). The largest primary pipework break considered in the design basis accident (PCC) analysis is a guillotine failure of the largest pipe connected to the RCP [RCS] system, which is the pressuriser surge line. However, to achieve defence in depth, the containment building and the RIS [SIS] systems are designed with sufficient safety margins to withstand the effects of a 2A-LOCA (mass flow equivalent to a 2A-opening of a main coolant line) without exceeding the design and safety limits applicable to the containment and core (see Sub-chapters 6.1 and 6.2). The 2A-opening is also assumed for the qualification of equipment. Despite the exclusion of 2A-LOCA from the list of design basis accidents, the 2A-LOCA has been assessed in the PSA with conservative assumptions, in terms of core damage and containment failure. Despite the designation of this pipework as HIC, the Finnish regulator (STUK) required the mechanical consequences of a postulated guillotine break of the main RCP [RCS] coolant pipework to be taken into account in the design of Olkiluoto 3 (OL3).
Due to the inclusion of 2A-LOCA in the list of design basis accidents for OL3, installation of anti-whipping devices will be required on the main RCP [RCS] pipework. A study was carried out to establish whether it would be reasonably practicable to provide similar pipewhip restraints in the UK EPR. The Level 1 PSA has assessed the frequency of 2A-LOCA as { SCI removed }, based on an assumed failure rate of { SCI removed }. The low failure rate of the welds is justified by the quality assurance process applied to the manufacturing and control of the welds.

{ This paragraph contains SCI and has been removed }

Adding pipewhip restraints to the main loop pipework has a number of qualitative disadvantages. In-service inspection of the pipework would require removal of the restraints, incurring significant operator radiation doses and increasing the likelihood of undetected defects, potentially increasing the pipework failure probability. It is concluded that installation of pipewhip restraints on the RCP [RCS] pipework would not be justified under UK ALARP principles, on either a quantitative or a qualitative basis.

Increase in the Injection Pressure of the MHSI Pumps

As described in Sub-chapter 17.2, the UK EPR retained a requirement for the maximum head developed by the MHSI pumps to be below the set pressure of the safety relief valves on the secondary system. Together with the automatic shutdown of the Chemical and Volume Control System (RCV [CVCS]) charging pumps, this design reduces the risk of primary coolant bypassing the containment through the secondary system in Steam Generator Tube Rupture (SGTR) events by preventing liquid discharge from SG relief valves. A study was carried out to establish whether it would be reasonably practicable to increase the injection pressure of the MHSI pumps, i.e. whether it would be reasonably practicable to implement new MHSI pumps like the SZB High Head Safety Injection (HHSI) pumps, which are similar to the MHSI pumps of the French PWR NPPs (N4 and 1300 MWe plant series). This alternative design increases the risk of primary coolant bypassing the containment through the secondary system in SGTR. However, it could reduce the risk in the case of LOCA, since it does not require any automatic initiation of Partial Cool Down (PCD) in order to reduce the RCP [RCS] pressure to enable the injection of borated water by the MHSI pumps. The costs of the HHSI pump and the EPR MHSI pump are similar. However, the implementation of an HHSI pump replacing an MHSI pump would incur additional costs: some arrangements of pipes and valves of the RIS [SIS] circuit might be changed and some additional studies would be required to check that the RIS [SIS] circuit was able to sustain the higher pressure. Nevertheless, there is no cliff-edge effect. A qualitative analysis is not sufficient to weigh the advantages and disadvantages of HHSI pumps against MHSI pumps. Therefore a quantitative ALARP assessment using the Level 1 and Level 2 PSA models was performed.
{ SCI removed }

This quantitative assessment concluded that it would not be reasonably practicable to replace the EPR MHSI pumps with HHSI pumps.

ALARP Assessments of Other Design Alternatives

As detailed in section 4.2, in order to confirm that no further reasonably practicable improvements could be implemented, design alternatives were selected and assessed as described in section above. As part of the detailed design and site licensing phase, other design alternatives may be selected and their reasonable practicability fully evaluated. From that perspective, the formulation of emergency procedures and of procedures for severe accident management will be fully evaluated as part of the detailed design and site licensing phase.

Conclusion of ALARP Assessment of Design Alternatives

ONR guidance on the application of ALARP for new civil reactors in the UK recommends that arguments are presented that no further reasonably practicable improvements could be implemented in the reactor design, and therefore that the risk has been reduced to ALARP. The current sub-chapter has provided an ALARP assessment of several UK EPR design alternatives.

Initial design alternatives were selected for analysis since they are based on modifications required by international regulators in their assessment of the EPR, or on design variants belonging to the SZB PWR design:
1) Addition of a third train to the RBS [EBS] system,
2) Increase in the capacity of the accumulators in the RIS [SIS] system,
3) Modification of the RPV design to remove the circumferential weld at the core mid-height,
4) Modification of the pre-stressed inner containment to adopt ungrouted greased tendons,
5) Installation of pipewhip restraints on main loop pipework, and
6) Increase in the injection pressure of the MHSI pumps.

None of the modifications considered above is indicated as reasonably practicable according to the quantitative ALARP assessment methodology. Other design alternatives to the EPR design may be provided as part of the detailed design and site licensing phase. In that case, the ALARP methodology consistent with UK practices will be applied. Therefore, within PCSR3, it is judged that the design alternatives considered at GDA are still not reasonably practicable to implement.

ALARP CONCLUSIONS

As well as updating the ALARP assessment of some specific design modifications using PSA, it is important to consider the overall PSA results from an ALARP perspective. To this end, a dominant sequence review was performed on the Level 1 and Level 2 sequences contributing to the CDF and Large Release Frequency (LRF) respectively. The review identified PSA conservatisms as well as known design or operational improvements for the sequences contributing 90% of the CDF and LRF risk. The method and detailed results are presented in the ALARP assessment results document [Ref. 55] and a summary of the results is shown below.
    | Base case 90% (/r.yr) | Without conservatisms (/r.yr) | With improvements (/r.yr)
CDF | 5.1E | E-07 (-14.2%) | 2.8E-07 (-47.3%)
LRF | 1.1E | E-08 (-55.5%) | 2.7E-08 (-75%)

The assessment shows that conservatisms have a significant impact on both Level 1 and Level 2 PSA results. Furthermore, it shows that improvements currently not modelled in the PSA are expected to have a large, positive impact on the PSA results and the safety of the plant. Considering the results of this ALARP assessment along with the ALARP studies reported in section 4.2, it is concluded that the PSA shows an ALARP position for the HPC EPR for the following reasons:
The largest contributors to risk have been identified, and the conservative PSA inputs which have led to some of them being overestimates of risk are understood.
The largest contributors to risk have been identified, and for many of them modifications have already been identified to further reduce their significance in the PSA.
The current reported CDF and LRF results fall below the Basic Safety Objectives (BSOs) and in the broadly ALARP region of risk laid out in the NSDAPs.
The revised results represent a design in which reasonable measures have been undertaken to reduce risk and are themselves lower than the current results.

The body of work reported in this chapter shows that additional safety measures have been investigated to further reduce risk throughout the design phase of the HPC EPR, and implemented where judged to be beneficial or ruled out from implementation where judged to be marginally or not at all beneficial. There are at this time no further modifications which have been identified.
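The dominant sequence review above ranks minimal cutsets by frequency, as in Table 4 of this sub-chapter, works on the leading set that accounts for 90% of the CDF, and then re-quantifies with conservatisms removed or improvements credited. The Python below is an added illustration of that bookkeeping, not code from the PCSR or from the HPC PSA model; every basic event, probability and cutset in it is a constructed value.

```python
"""Ranking minimal cutsets and picking the dominant contributors.

Added example in the style of Sub-chapter 16.2 Table 4 and of the 90%
dominant sequence review. Not part of the PCSR3 or of the HPC PSA model:
every basic event, probability and cutset below is a constructed value.
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Sequence, Tuple

# Constructed basic-event data: name -> probability on demand, or, for
# initiating events (prefix IE_), a frequency per reactor-year.
BASIC_EVENTS: Dict[str, float] = {
    "IE_LOOP": 3.0e-3,       # long loss of off-site power, /r.y
    "IE_SBLOCA": 8.0e-4,     # small break LOCA, /r.y
    "IE_RT": 1.0,            # spurious reactor trip, /r.y
    "IE_RPV": 1.0e-8,        # RPV failure, /r.y (leads directly to core damage)
    "EDG_CCF_RUN": 5.0e-4,   # CCF of emergency diesel generators to run
    "PLATFORM_CC": 1.0e-2,   # I&C platform common-logic failure
    "TXS_CC": 1.0e-2,        # second I&C platform common-logic failure
    "OP_COOLDOWN": 5.0e-3,   # operator fails to initiate fast cooldown
    "MHSI_CCF_RUN": 2.0e-3,  # CCF of MHSI pumps to run
    "OP_EFWS": 1.0e-2,       # operator fails to start EFWS
    "OP_FB": 1.0e-3,         # operator fails to initiate feed and bleed
    "OP_BLEED": 4.0e-3,      # operator fails to initiate bleed
}

# Constructed minimal cutsets: one initiating event plus the failures
# that together lead to core damage.
CUTSETS: List[List[str]] = [
    ["IE_LOOP", "EDG_CCF_RUN", "PLATFORM_CC"],
    ["IE_SBLOCA", "OP_COOLDOWN", "MHSI_CCF_RUN"],
    ["IE_RT", "OP_EFWS", "OP_FB", "PLATFORM_CC", "TXS_CC"],
    ["IE_RPV"],
    ["IE_LOOP", "EDG_CCF_RUN", "OP_BLEED"],
]


@dataclass
class CutsetRow:
    rank: int
    events: List[str]
    frequency: float       # /r.y
    percent: float         # share of the total CDF, in %
    cum_frequency: float   # running sum, /r.y
    cum_percent: float     # running share, in %


def cutset_frequency(cutset: Sequence[str], probs: Dict[str, float]) -> float:
    """Frequency of one minimal cutset: the product of its basic events."""
    return prod(probs[e] for e in cutset)


def total_cdf(cutsets: Sequence[Sequence[str]], probs: Dict[str, float]) -> float:
    """Rare-event approximation: CDF is the sum of the cutset frequencies."""
    return sum(cutset_frequency(c, probs) for c in cutsets)


def cutset_table(cutsets: Sequence[Sequence[str]], probs: Dict[str, float]) -> List[CutsetRow]:
    """Table 4 layout: rank by frequency with % and cumulative columns."""
    total = total_cdf(cutsets, probs)
    ranked = sorted(cutsets, key=lambda c: cutset_frequency(c, probs), reverse=True)
    rows: List[CutsetRow] = []
    running = 0.0
    for i, c in enumerate(ranked, start=1):
        f = cutset_frequency(c, probs)
        running += f
        rows.append(CutsetRow(i, list(c), f, 100 * f / total, running, 100 * running / total))
    return rows


def dominant_cutsets(rows: Sequence[CutsetRow], threshold_percent: float = 90.0) -> List[CutsetRow]:
    """Smallest leading set of rows whose cumulative share reaches the threshold."""
    out: List[CutsetRow] = []
    for r in rows:
        out.append(r)
        if r.cum_percent >= threshold_percent:
            break
    return out


def sensitivity(cutsets, probs, overrides: Dict[str, float]) -> Tuple[float, float, float]:
    """Re-quantify with modified basic-event values (a removed conservatism or a
    credited improvement); returns (base CDF, new CDF, relative change)."""
    base = total_cdf(cutsets, probs)
    new = total_cdf(cutsets, {**probs, **overrides})
    return base, new, (new - base) / base


if __name__ == "__main__":
    for r in cutset_table(CUTSETS, BASIC_EVENTS):
        print(f"{r.rank:>2} {r.frequency:.2E} {r.percent:5.2f} {r.cum_frequency:.2E} "
              f"{r.cum_percent:6.2f}%  {' '.join(r.events)}")
    base, new, change = sensitivity(CUTSETS, BASIC_EVENTS, {"EDG_CCF_RUN": 1.0e-4})
    print(f"CDF {base:.2E} -> {new:.2E} ({100 * change:+.1f}%) with diverse EDG backup credited")
```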

REFERENCES

[1] NNB GenCo Ltd Nuclear Safety Design Assessment Principles, NSDAPS-NNB-OSL-STA, version 2.0, August 2015, NNB.
[2] Hinkley Point C Pre Construction Safety Report, Sub Chapter 15.7 PSA Discussion and Conclusions, , version 1.0, August 2015, NNB and EDF/SEPTEN.
[3] D-PSA Batch 4 D-PSA update for PCSR3 Master Model summary update, HPC-ECESNX-XX-000-NOT, rev. A, April 2015, EDF/CNEN.
[4] HPC D-PSA Batch 1 PSA update for PCSR3 Master Model Summary Report, ECESN131020, rev. A, March 2014, EDF/CNEN.
[5] HPC PSA - Batch 2 D-PSA update for PCSR3 - Master Model Summary Report, ECESN131336, rev. A, May 2014, EDF/CNEN.
[6] HPC PSA - Batch 3 D-PSA update for PCSR3 - Master Model Summary Report, ECESN140389, rev. B, August 2014, EDF/CNEN.
[7] Assessment of limitations and gaps of the HPC PCSR3 PSA model, HPC-NNBOSL-XX-000-REP, Version 1.0, October 2016, NNB GenCo (HPC).
[8] EPR project CFI Sensors Reliability and Architecture, ECESN130465, rev. A, June 2013, EDF/CNEN.
[9] D-PSA Assumptions Log Update to Version 3.0, HPC-CNENXX-AU-NOT, Revision A, October 2015, EDF.
[10] HPC PCSR3 Sub-chapter 16.2 Section 2 - Level 2 PSA Results and Discussion Supporting Information, CRA-NNB-POW-J297 Report 4, Issue 2, July 2015, CRA.
[11] Hinkley Point C Filtered Containment Vent Level 2 Probabilistic Safety Analysis Sensitivity Study, CRA-NNB-POW-J280 Report 1, Issue 2, January 2015, CRA.
[12] EPR Probabilistic Analysis of Accident Sequences Caused by Interfacing Loss of Coolant Accidents, EPSE DC 833, Revision F, March 2006, AREVA.
[13] US EPR PRA - Level 3 PRA for DC, , AREVA.
[14] Level 3 PRA for Three Mile Island Unit 1, BAW-2413, February 2002, Framatome ANP, Inc. and Duke Energy Corporation (for the B&W Owners Group).
[15] Technical Study of Spent Fuel Pool Accident Risk at Decommissioning Nuclear Power Plants, NUREG-1738, February 2001, US NRC.
[16] Release Categories for the LCHF/Level 3 PSA (supporting study for Chapter 15), ENTEAG080122, June 2008, EDF.
[17] Review of LCHF End States Assigned to New and Updated Event Trees in the HPC PCSR3 Reference PSA Model, UKX-GEN340-XX-000-REP, Issue 2, August 2015, CRA.
[18] EPR UK/HPC: Aircraft impact risk frequencies considered for LOOP, LUHS and PSA Level 3 releases, ENFCFF110004, July 2011, EDF.
[19] { This reference contains SCI and has been removed }.
[20] The Tolerability of Risk from Nuclear Power Stations, ISBN , 1992, UK Health and Safety Executive.
[21] Societal Risk Calculation for HPC; , Version 2.1, February 2016, NNB.
[22] Application of the twin reactor site methodology, HPC-ECESNX-XX-000-NOT, Revision C, February 2017, EDF CNEN.
[23] Jones, J.A., Ehrhardt, J., Goossens, L.H.J., Fischer, F., Brown, J., Cooke, R.M., Fischer, F., Hasemann, I., Kraan, B.C.P., Probabilistic Accident Consequence Uncertainty Assessment Using COSYMA: Overall Uncertainty Analysis, EUR-18826, 2001, European Communities.
[24] Methodology for the UK societal risk level 3 PSA, ENFCFF090213, Revision C, October 2010, EDF.
[25] Sensitivity Studies for Hinkley Point C Level 3 PSA, JA2-EDF-NNB-1501, Revision 0, June 2015, Jacobsen Analytics.
[26] Methodology for Assessing Worker Risk for the UK EPR Head Document, ENFCFF100382, Issue B, September 2011, EDF SEPTEN.
[27] Methodology for Assessing Worker Risk for the UK EPR Worker Release Categories, ENTEAG100429, Issue B, November 2011, EDF SEPTEN.
[28] Preliminary Worker Risk Assessment for the UK EPR, ENFCFI110114, Issue B, March 2012, EDF SEPTEN.
[29] Hinkley Point C Nuclear Power Station 2016 Update to the Operator Risk Assessment, UKX-GEN340-XX-000-REP, Revision 2, August 2016, CRA.
[30] Initial Assessment of Worker Occupancy for the UK EPR, HPC-NNBOSL-U0-000-REP, Issue 1.0, December 2011, NNB GenCo.
[31] Risk Informed Design (RID) Using Probabilistic Considerations, HPC-ECESNX-XX-ALL-NOT, Revision C, December 2014, CNEN.
[32] Risk Informed Design Using Probabilistic Considerations Work Program, HPC-ECESNX-XX-ALL-NOT, Revision G, December 2016, CNEN.
[33] CFI [CFWS] sensors reliability and architecture, ECESN130465, June 2013, CNEN.
[34] EPR UK PSA - CFI Sensors Reliability and Architecture (RID 31), HPC-CNENXX-AU-CFI-NOT, Revision A, BPE, December 2015.
[35] CFI [CFWS] Band Screens fish friendly operation, HPC-ECESNX-U1-CFI-NOT, D Revision A, February 2015, CNEN.
[36] EPR HPC Analysis of the need for RC1 configuration to add safety features to NCSS for scenarios different to TLIC, HPC-ECESNX-XX-ALL-RET, ECESN140154, March 2014, CNEN.
[37] Comparative PSA Study on ASG design 2 Motor Driven Pumps and 2 Turbine Driven Pumps, HPC-ECESNX-XX-ALL-NOT, ECESN140390, May 2014, CNEN.
[38] Comparative PSA Study on ASG design 2 MDPs and 2 TDPs TDPs unavailable in state C, HPC-ECESNX-XX-ALL-NOT, ECESN140554, June 2014, CNEN.
[39] Consideration of Steam Driven Turbine Driven Emergency Feed to the SG, UKX-ECUKXX-XX-ALL-NOT, ECUK Revision A, September 2014, CNEN.
[40] Frequency of loss of off-site power (LOOP) for use in HPC PCSR PSA, ENFCFI Revision A, December 2011, SEPTEN.
[41] Substantiation of Identified Type C Human Failure Events Modelled in the PSA, RPT-0004-H-BPE issue H-BPE, August 2012, AMEC.
[42] EPR UK PSA Probabilistic assessment on the effect of unsubstantiated operator actions on the Core Melt Frequency, HPC-ECESNX-XX-ALL-NOT-00252, ECESN140522, May 2014, CNEN.
[43] EPR UK PSA Probabilistic evaluation of GDA unsubstantiated Human Based Safety Claims, HPC-ECESNX-XX-000-NOT, D, May 2015, CNEN.
[44] UK EPR Electrical Common Cause Failure (CCF) Resilience Workshop Summary Report, CRA-NNB-POW-J252-R1, Issue 3, CRA.
[45] UK EPR Electrical Common Cause Failure Global ALARP Study, HPC-ECEELX-XX-ALL-NOT, ECEEL140814, July 2014, CNEN.
[46] Evaluation of the CDF associated to CCF electrical initiating events (Action 7 of CSNE5064UK), HPC-ECESNX-AU-ALL-NOT /D, CNEN.
[47] Sensitivity Study on RISMP and RISBP pumps electrical supply, HPC-ECESNX-XX-ALL-NOT, ECESN140128, February 2014, CNEN.
[48] Nuclear Safety Technical Assessment Guide Guidance on the Demonstration of ALARP (As Low As Reasonably Practicable), NS-TAST-GD-005, Revision 7, December, ONR.
[49] US NRC, Regulations (10 CFR), 51.55(a), Environmental Report Standard Design Certification.
[50] AREVA NP Environmental Report: Standard Design Certification, ANP-10290, Revision 0, November.
[51] UK EPR ALARP methodology to support the design modification process, ENSNDR / UKX-SEPTEN-XX-ALL-STU, Revision C, July, EDF/SEPTEN.
[52] { This reference contains SCI and has been removed }.
[53] { This reference contains SCI and has been removed }.
[54] Regulatory Analysis Technical Handbook, NUREG/BR, January, USNRC.
[55] ALARP Assessment of the Level 1 and Level 2 PSA Results for the HPC PCSR3, HPC-NNBOSL-XX-000-ANA, October, EDF NNB GenCo (HPC).
[56] HPC Internal Fire Risk Informed Design PSA Results, UKXX-GEN340-XX-000-REP, CRA-NNB-POW-J277, Report No. 3, Issue 2, October 2016, CRA.
[57] HPC Internal Flood Risk Informed Design PSA Results, UKXX-GEN340-XX-000-REP, CRA-NNB-POW-J277, Report No. 4, Issue 2, October 2016, CRA.
[58] HPC Seismic Risk Informed Design PSA Results, HPC-NNBOSL-XX-000-REP, Version 1.0, October 2016, NNB GenCo (HPC).
[59] Hinkley PSHA Site Response Analysis, HPC-GEN426-XX-000-RET, Issue 2, Revision 0, December 2015, CH2M HILL.

SUB-CHAPTER 16.2 SECTION 1 - TABLE 1 : CORE DAMAGE FREQUENCY PER INITIATING EVENT GROUPS

Groups | Sub-groups | States A & B frequency | States C, D, E frequency | Group CDF [/r.y.]
LOCA | Loss Of primary Cooling Accident | 6.55E E E-08
VLOCA | LOCA leading to containment bypasses | 3.70E E E-09
RPV | Reactor Pressure Vessel Failure | 1.00E-08 | See A&B | 1.00E-08
SSB | Breaks on secondary side (steam or water) | 9.13E E-09
 | Steam Line Rupture with Steam Generator Tube(s) Rupture | 2.98E E-09
SGTR | Steam Generator Tube(s) Rupture | 1.07E E-08
Secondary Transients; Loss of power supply 10kV; Induced LOOP; Primary Transients (group labels for the rows below)
 | Total Loss of Main FeedWater | 8.86E E-09
 | Loss of Start-up and Shutdown System | 1.89E E-09
 | Loss of Condenser | 2.53E E-09
 | Turbine Trip | 3.37E E-09
 | Total Loss Of Off-site Power (2h) | 9.26E E E-08
 | Total Loss Of Off-site Power (24h) | 6.88E E E-08
 | Loss of LH busbars | 3.72E E-09
 | Induced LOOP | 4.64E E-08
 | Homogeneous boron dilution | 8.22E E E-09
 | Heterogeneous boron dilution | 7.05E E E-09
 | Total loss of RHR System | E E-08
 | Uncontrolled Drop of primary Level | 1.10E E E-08
 | Uncontrolled Increase of primary Level | 5.52E E E-10
 | Spurious Reactor Trip | 1.35E E-08
LOCC | Partial or total Loss Of Cooling Chain | 2.41E E-08
ATWS | Anticipated Transients Without Scram | 6.06E E-09
Internal Hazards; External Hazards (group labels for the rows below)
 | Internal Hazards (Fire and Flooding) | 9.41E E-08
 | Loss Of Ultimate Heat Sink (LUHS) | 3.43E E E-08
 | Combination of snow and wind | 1.92E E E-09
Totals (CMF OVERALL) | | E-07

SUB-CHAPTER 16.2 SECTION 1 - TABLE 2 : FUEL DAMAGE FREQUENCY IN FUEL BUILDING (HK) PER INITIATING EVENT GROUPS

Fuel Damage frequency (/r.y)
Group | Sub-groups | Description | States A to D frequency | States E and F frequency | Group frequency
Loss of PTR; Draining (group labels for the rows below)
 | LESUPPLY | Loss of one (2 in REF state) electrical supply
 | LFPCP | Loss of a (2 in REF state) PTR pump
 | LHEADER | Loss of a (2 in REF state) PTR header
 | (frequencies for the three rows above) | 2.97E E E E E E E E E-14
LOCC | | Loss of cooling chain | 4.34E E E-11
LOOP | | Loss of Offsite Power | 3.04E E E-10
LUHS | | Loss of ultimate heat sink | 3.10E E E-13
 | FP_DR_PTR_3 | 3rd PTR train break | 6.31E E-10
 | FP_DR_PTR_MAIN | Main PTR train break | 1.39E E E-09
 | FP_DR_PTR_PURF | PTR purification line break | 1.59E E E-09
 | FP_DR_PURF_RB | RB purification line break | E E-10
 | FP_DR_RIS_IC | RIS break inside containment
 | FP_DR_RIS_OC | RIS break outside containment
 | (frequencies for the two rows above) | E E E E-10

SUB-CHAPTER 16.2 SECTION 1 - TABLE 3 : STEAMING FREQUENCY IN FUEL BUILDING (HK) PER INITIATING EVENT GROUPS

Steaming frequency (/r.y)
Group | Sub-groups | Description | States A to D frequency | States E and F frequency | Group frequency
Loss of PTR; Draining (group labels for the rows below)
 | LESUPPLY | Loss of one (2 in REF state) electrical supply
 | LFPCP | Loss of a (2 in REF state) PTR pump
 | LHEADER | Loss of a (2 in REF state) PTR header
 | (frequencies for the three rows above) | 1.19E E E E E E E E E-08
LOCC | | Loss of cooling chain | 1.72E E E-05
LOOP | | Loss of Offsite Power | 1.61E E E-06
LUHS | | Loss of ultimate heat sink | 1.24E E E-07
 | FP_DR_PTR_3 | 3rd PTR train break | 6.71E E-11
 | FP_DR_PTR_MAIN | Main PTR train break | 7.94E E E-08
 | FP_DR_PTR_PURF | PTR purification line break
 | FP_DR_PURF_RB | RB purification line break
 | FP_DR_RIS_IC | RIS break inside containment
 | FP_DR_RIS_OC | RIS break outside containment
 | (frequencies for the four rows above) | E E-09

SUB-CHAPTER 16.2 SECTION 1 - TABLE 4 : FIFTY MOST FREQUENT MINIMAL CUTSETS CONTRIBUTING TO THE OVERALL CDF WITH PREVENTIVE MAINTENANCE

No | Frequency /r.y | % | cumulative Frequency /r.y | cumulative %
(each cutset is followed by its basic events, as Event : Description)

1 | 1,41E-08 | 2,52 | 1,41E-08 | 2,52%
-LUHS_MI_FILTERS : Massive ingress frequency leading to the filters' clogging
%COEF_AB/YEAR : Time spent in states A (8182h) and B (43h) during the year (8760h)
FLAG_LUHS : Flag used for LUHS detection
OP_EFWS_60MN_NCSS : Operator fails to start and control EFWS - NCSS
RPR_PS_DIV_A_A24SC : E1A, 2/4- Failure of specific logic part - PS diversity A
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic

2 | 1,41E-08 | 2,52 | 2,82E-08 | 5,02%
-LUHS_MI_FILTERS : Massive ingress frequency leading to the filters' clogging
%COEF_AB/YEAR : Time spent in states A (8182h) and B (43h) during the year (8760h)
FLAG_LUHS : Flag used for LUHS detection
OP_EFWS_60MN_NCSS : Operator fails to start and control EFWS - NCSS
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic
SYS_PROTC_A_CC : Failure of TXS platform common logic

3 | 1,18E-08 | 2,1 | 4,00E-08 | 7,12%
-RT_A- : Spurious Reactor Trip in power state A
OP_EFWS_60MN_NCSS : Operator fails to start and control EFWS - NCSS
OP_FB_120M_MDEP_NCSS : Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic
SYS_PROTC_A_CC : Failure of TXS platform common logic

4 | 1,00E-08 | 1,78 | 5,00E-08 | 8,90%
-RPV_F : RPV failure
PROB=1 : Probability used for events in certain failure

5 | 8,33E-09 | 1,48 | 5,83E-08 | 10,38%
-LOOPL_AB : Long Loss Of Offsite Power (2<recovery<24hr) - States A+B
%COEF_A1/AB : Time spent in states A1 (8076 h) during states AB (8225 h)
HOUSELOAD_FS : House load failure to start on demand
LHP DFR_D-ALL : CCF to run emergency diesel generators
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic

6 | 7,61E-09 | 1,35 | 6,59E-08 | 11,73%
-PBS2-_AB : Small Break LOCA (20-45cm2) - State A+B
OP_FSCD_29MN : Operator fails to initiate FSCD (Tm=29mn)
RIS1420POEFR_D-ALL : CCF fail to run MHSI pump

7 | 7,61E-09 | 1,35 | 7,36E-08 | 13,09%
-PBS2-_AB : Small Break LOCA (20-45cm2) - State A+B
OP_FSCD_29MN : Operator fails to initiate FSCD (Tm=29mn)
RIS1420POEFR_D-123 : CCF fail to run MHSI pump

8 | 7,61E-09 | 1,35 | 8,12E-08 | 14,44%
-LO1RHR_%_D : Number of days spent in state D per year
OPE_52 : Operator fails to initiate IRWST cooling with CHRS (Grace period >4h)
OP_LH/RHR_15MN : Operator fails to start LHSI train 4 for RHR (t<15min)
RIS1220POEFR_C-ALL : CCF fail to run LHSI pumps

9 | 6,87E-09 | 1,22 | 8,80E-08 | 15,66%
-IH F SWGB_AB : Internal Hazard Fire in the Switchgear Building
ASG1210POEFR_D-ALL : CCF to run EFWS pumps
OP_BLEED_120MN : Operator fails to initiate Bleed t<120mn

10 | 6,86E-09 | 1,22 | 9,49E-08 | 16,88%
-IH F SB1_AB : Fire in Safeguard Building 1
RCP_SEAL#1_RD : Failure of RCP shaft seals #1 during rundown phase
RCP_SEAL#2_RD : Conditional failure of RCP shaft seals #2 during rundown phase
RIS1420POEFR_D-234 : CCF fail to run MHSI pump
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic
SYS_TR1_UNAVAIL : Safety Train 1 Unavailable

11 | 6,86E-09 | 1,22 | 1,02E-07 | 18,10%
-IH F SB1_AB : Fire in Safeguard Building 1
RCP_SEAL#1_RD : Failure of RCP shaft seals #1 during rundown phase
RCP_SEAL#2_RD : Conditional failure of RCP shaft seals #2 during rundown phase
RIS1420POEFR_D-ALL : CCF fail to run MHSI pump
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic
SYS_TR1_UNAVAIL : Safety Train 1 Unavailable

12 | 5,68E-09 | 1,01 | 1,07E-07 | 19,12%
-IH F SB1_AB : Fire in Safeguard Building 1
RCP_SEAL#1_SD : Failure of RCP shaft seals #1 during shutdown phase
RCP_SEAL#2_SD : Conditional failure of RCP shaft seals #2 during shutdown phase
RIS1420POEFR_D-ALL : CCF fail to run MHSI pump
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic
SYS_TR1_UNAVAIL : Safety Train 1 Unavailable

13 | 5,68E-09 | 1,01 | 1,13E-07 | 20,13%
-IH F SB1_AB : Fire in Safeguard Building 1
RCP_SEAL#1_SD : Failure of RCP shaft seals #1 during shutdown phase
RCP_SEAL#2_SD : Conditional failure of RCP shaft seals #2 during shutdown phase
RIS1420POEFR_D-234 : CCF fail to run MHSI pump
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic
SYS_TR1_UNAVAIL : Safety Train 1 Unavailable

14 | 5,39E-09 | 0,96 | 1,19E-07 | 21,09%
-RT_A- : Spurious Reactor Trip in power state A
LHP DFR_D-ALL : CCF to run emergency diesel generators
LOOPL_ON_RT : Induced LOOP (>2h) after Reactor Trip
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic

15 | 4,50E-09 | 0,8 | 1,23E-07 | 21,89%
-DIL HE_CA : Heterogeneous Dilution during state Ca
PROB=1 : Probability used for events in certain failure

16 | 3,70E-09 | 0,66 | 1,27E-07 | 22,54%
-PBSPZR-_AB : Small break LOCA PZR leak - State A+B
RIS1420POEFR_D-ALL : CCF fail to run MHSI pump
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic

17 | 3,70E-09 | 0,66 | 1,30E-07 | 23,20%
-PBV_AB : V-LOCA during power states AB
PROB=1 : Probability used for events in certain failure

18 | 3,63E-09 | 0,65 | 1,34E-07 | 23,85%
-LOOPL_AB : Long Loss Of Offsite Power (2<recovery<24hr) - States A+B
%COEF_A1/AB : Time spent in states A1 (8076 h) during states AB (8225 h)
HOUSELOAD_L_FR : Plant operation failure rate during house load for LOOP long
LHP DFR_D-ALL : CCF to run emergency diesel generators
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic

19 | 3,61E-09 | 0,64 | 1,38E-07 | 24,49%
-LOCC_CCWS_AB : LOCC Pre-Initiating Event caused by a mechanical failure on RRI running train - States A&B
OP_BLEED_30MN_NCSS : Op. fails to initiate bleed in 30 min - NCSS
RCP_SEAL#1_RD : Failure of RCP shaft seals #1 during rundown phase
RCP_SEAL#2_RD : Conditional failure of RCP shaft seals #2 during rundown phase
RPR_PS_DIV_B_A24SC : E1A, 2/4- Failure of specific logic part - PS diversity B
RRI_C1B_TB : Probability that CCWS Common 1B is initially aligned to RCP TB
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic

20 | 3,61E-09 | 0,64 | 1,41E-07 | 25,13%
-LOCC_CCWS_AB : LOCC Pre-Initiating Event caused by a mechanical failure on RRI running train - States A&B
OP_BLEED_30MN_NCSS : Op. fails to initiate bleed in 30 min - NCSS
RCP_SEAL#1_RD : Failure of RCP shaft seals #1 during rundown phase
RCP_SEAL#2_RD : Conditional failure of RCP shaft seals #2 during rundown phase
RRI_C1B_TB : Probability that CCWS Common 1B is initially aligned to RCP TB
SYS_OTHER_B_CC : Failure of SPPA-T2000 platform common logic
SYS_PROTC_A_CC : Failure of TXS platform common logic

21 | 3,09E-09 | 0,55 | 1,44E-07 | 25,68%
-SLB SO_AB : Small Second. steam break upstream MSIV

105 No cutsets Frequency /r.y % cumulative Frequency /r.y 22 2,95E-09 0,52 1,47E-07 26,21% 23 2,78E-09 0,49 1,50E-07 26,70% 24 2,78E-09 0,49 1,53E-07 27,20% % HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Event RIS1420POEFR_D-ALL SYS_OTHER_B_CC -TT_A- OP_EFWS_60MN_NCSS OP_FB_120M_MDEP_NCSS SYS_OTHER_B_CC SYS_PROTC_A_CC -LOCC_ESWS_AB OP_BLEED_30MN_NCSS RCP_SEAL#1_RD RCP_SEAL#2_RD RPR_PS_DIV_B_A24SC RRI_C1B_TB Description CCF fail to run MHSI pump Failure of SPPA-T2000 platform common logic turbine trip in state A Operator fails to start and control EFWS - NCSS Page No.: 102 / 183 Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS Failure of SPPA-T2000 platform common logic Failure of TXS platform common logic LOCC Pre-Initiating Event caused by a mechanical failure on SEC running train- States A&B Op. fails to initiate bleed in 30 min - NCSS Failure of RCP shaft seals #1 during rundown phase Conditional failure of RCP shaft seals #2 during rundown phase E1A, 2/4- Failure of specific logic part - PS diversity B SYS_OTHER_B_CC -LOCC_ESWS_AB OP_BLEED_30MN_NCSS RCP_SEAL#1_RD Probability that CCWS Common 1B is initially aligned to RCP TB Failure of SPPA-T2000 platform common logic LOCC Pre-Initiating Event caused by a mechanical failure on SEC running train- States A&B Op. fails to initiate bleed in 30 min - NCSS Failure of RCP shaft seals #1 during rundown phase

106 No cutsets Frequency /r.y % cumulative Frequency /r.y 25 2,53E-09 0,45 1,55E-07 27,65% 26 2,41E-09 0,43 1,58E-07 28,08% 27 2,37E-09 0,42 1,60E-07 28,50% % HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Event RCP_SEAL#2_RD RRI_C1B_TB SYS_OTHER_B_CC SYS_PROTC_A_CC -LOMFW_A- AAD_DEP ASG1210POEFR_D-ALL OP_BLEED_120MN -LOCC_CCWS_AB OP_EFWS_60MN_NCSS OP_FB_120M_MDEP_NCSS SYS_OTHER_B_CC SYS_PROTC_A_CC Description Page No.: 103 / 183 Conditional failure of RCP shaft seals #2 during rundown phase Probability that CCWS Common 1B is initially aligned to RCP TB Failure of SPPA-T2000 platform common logic Failure of TXS platform common logic Total Loss Of Main FeedWater - State A Conditional probability of MFWS & SSS CCF CCF to run EFWS pumps Operator fails to initiate Bleed t<120mn LOCC Pre-Initiating Event caused by a mechanical failure on RRI running train - States A&B Operator fails to start and control EFWS - NCSS Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS Failure of SPPA-T2000 platform common logic -LO1RHR_%_D EVU1110POEFR_B-ALL OP_LH/RHR_15MN RIS1220POEFR_C-ALL Failure of TXS platform common logic Number of days spent in state D per year CCF to run CHRS pumps Operator fails to start LHSI train 4 for RHR (t<15min) CCF fail to run LHSI pumps 28 2,37E-09 0,42 1,63E-07 28,92% -LO1RHR_%_D Number of days spent in state D per year

107 No cutsets Frequency /r.y % cumulative Frequency /r.y 29 2,34E-09 0,42 1,65E-07 29,34% 30 2,32E-09 0,41 1,67E-07 29,75% 31 2,19E-09 0,39 1,69E-07 30,14% 32 2,08E-09 0,37 1,71E-07 30,51% % HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Event EVU1430POEFR_B-ALL OP_LH/RHR_15MN RIS1220POEFR_C-ALL -LOOPL_AB Description Page No.: 104 / 183 CCF to run motor pumps (dedicated interm. cool. CHRS) Operator fails to start LHSI train 4 for RHR (t<15min) CCF fail to run LHSI pumps Long Loss Of Offsite Power (2<recovery<24hr) - States A+B %COEF_A1/AB Time spent in states A1 (8076 h) during states AB (8225 h) HOUSELOAD_FS LHP DFR_D-ALL LJP DFR LJS DFR -LOOPL_AB House load failure to start on demand CCF to run emergency diesel generators Ultimate Diesel Generator fails to run Ultimate Diesel Generator fails to run Long Loss Of Offsite Power (2<recovery<24hr) - States A+B %COEF_A1/AB Time spent in states A1 (8076 h) during states AB (8225 h) HOUSELOAD_FS LHP DFR_D-ALL LJP DFR_B-ALL House load failure to start on demand CCF to run emergency diesel generators -SGTR1_AB RIS1420POEFR_D-ALL SYS_OTHER_B_CC -ULD_CP_A12 OP_EFWS_60MN_NCSS CCF to run SBO diesel generators SG tube rupture 1 tube - States AB CCF fail to run MHSI pump Failure of SPPA-T2000 platform common logic Failure of RCV charging pump over 1 year Operator fails to start and control EFWS - NCSS

108 No cutsets Frequency /r.y % cumulative Frequency /r.y 33 2,08E-09 0,37 1,74E-07 30,88% 34 2,03E-09 0,36 1,76E-07 31,24% 35 2,03E-09 0,36 1,78E-07 31,60% % HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Event OP_FB_120M_MDEP_NCSS RPR_PS_DIV_A_A24SC SYS_OTHER_B_CC -ULD_CP_A12 OP_EFWS_60MN_NCSS OP_FB_120M_MDEP_NCSS SYS_OTHER_B_CC SYS_PROTC_A_CC -PBSPZR-_AB GCT OPE_PCD OP_BLEED_30MN MDEP SYS_PROTC_A_CC Description Page No.: 105 / 183 Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS E1A, 2/4- Failure of specific logic part - PS diversity A Failure of SPPA-T2000 platform common logic Failure of RCV charging pump over 1 year Operator fails to start and control EFWS - NCSS Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS Failure of SPPA-T2000 platform common logic Failure of TXS platform common logic Small break LOCA PZR leak - State A+B By-pass Condenser Fails Operator fails to start PCD before 15 mn Operator Fails to Initiate Bleed in 30 min after failure of the PCD -PBSPZR-_AB GCT OPE_PCD OP_BLEED_30MN MDEP RPR_PS_DIV_B_A24SC Failure of TXS platform common logic Small break LOCA PZR leak - State A+B By-pass Condenser Fails Operator fails to start PCD before 15 mn Operator Fails to Initiate Bleed in 30 min after failure of the PCD E1A, 2/4- Failure of specific logic part - PS diversity B

109 No cutsets Frequency /r.y % cumulative Frequency /r.y 36 1,96E-09 0,35 1,80E-07 31,95% 37 1,94E-09 0,35 1,82E-07 32,30% 38 1,94E-09 0,35 1,83E-07 32,64% % HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Event -LOOPL_CB LHP DFR_D-ALL LJS DFR PM_GROUP_I_ST_C Description Page No.: 106 / 183 Long Loss Of Offsite Power (24hr) - State Cb (RCS part. open) CCF to run emergency diesel generators Ultimate Diesel Generator fails to run Preventive Maintenance on the steam generator (inspection) during state C -IH F SB1_AB Fire in Safeguard Building 1 OP_BLEED_30MN_NCSS RCP_SEAL#1_RD RCP_SEAL#2_RD RPR_PS_DIV_A_A24SC SYS_OTHER_B_CC SYS_TR1_UNAVAIL Op. fails to initiate bleed in 30 min - NCSS Failure of RCP shaft seals #1 during rundown phase Conditional failure of RCP shaft seals #2 during rundown phase E1A, 2/4- Failure of specific logic part - PS diversity A Failure of SPPA-T2000 platform common logic Safety Train 1 Unavailable -IH F SB1_AB Fire in Safeguard Building 1 OP_BLEED_30MN_NCSS RCP_SEAL#1_RD RCP_SEAL#2_RD SYS_OTHER_B_CC SYS_PROTC_A_CC SYS_TR1_UNAVAIL Op. fails to initiate bleed in 30 min - NCSS Failure of RCP shaft seals #1 during rundown phase Conditional failure of RCP shaft seals #2 during rundown phase Failure of SPPA-T2000 platform common logic Failure of TXS platform common logic Safety Train 1 Unavailable 39 1,94E-09 0,35 1,85E-07 32,99% -IH F SB1_AB Fire in Safeguard Building 1

110 No cutsets Frequency /r.y % cumulative Frequency /r.y 40 1,87E-09 0,33 1,87E-07 33,32% 41 1,87E-09 0,33 1,89E-07 33,65% 42 1,87E-09 0,33 1,91E-07 33,98% % HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Event OP_BLEED_30MN_NCSS RCP_SEAL#1_RD RCP_SEAL#2_RD RPR_PS_DIV_B_A24SC SYS_OTHER_B_CC SYS_TR1_UNAVAIL -ULD---_CB OP_SIS_INJ_80MN_NCSS RCPX861MN_AC_D-123 SYS_OTHER_B_CC -ULD---_CB OP_SIS_INJ_80MN_NCSS RCPX861MN_AC_D-124 SYS_OTHER_B_CC Description Op. fails to initiate bleed in 30 min - NCSS Page No.: 107 / 183 Failure of RCP shaft seals #1 during rundown phase Conditional failure of RCP shaft seals #2 during rundown phase E1A, 2/4- Failure of specific logic part - PS diversity B Failure of SPPA-T2000 platform common logic Safety Train 1 Unavailable Uncontrolled Level Drop State CB Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS CCF between 4 hot leg loop sensors Failure of SPPA-T2000 platform common logic Uncontrolled Level Drop State CB Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS CCF between 4 hot leg loop sensors -ULD---_CB OP_SIS_INJ_80MN_NCSS RCPX861MN_AC_D-ALL SYS_OTHER_B_CC Failure of SPPA-T2000 platform common logic Uncontrolled Level Drop State CB Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS CCF between 4 hot leg loop sensors Failure of SPPA-T2000 platform common logic 43 1,87E-09 0,33 1,93E-07 34,32% -ULD---_CB Uncontrolled Level Drop State CB

111 No cutsets Frequency /r.y % cumulative Frequency /r.y 44 1,87E-09 0,33 1,95E-07 34,65% 45 1,85E-09 0,33 1,97E-07 34,98% 46 1,81E-09 0,32 1,98E-07 35,30% % HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Event OP_SIS_INJ_80MN_NCSS RCPX861MN_AC_D-134 SYS_OTHER_B_CC -ULD---_CB OP_SIS_INJ_80MN_NCSS RCPX861MN_AC_D-234 SYS_OTHER_B_CC -LOCC_ESWS_AB OP_EFWS_60MN_NCSS OP_FB_120M_MDEP_NCSS SYS_OTHER_B_CC SYS_PROTC_A_CC Description Page No.: 108 / 183 Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS CCF between 4 hot leg loop sensors Failure of SPPA-T2000 platform common logic Uncontrolled Level Drop State CB Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS CCF between 4 hot leg loop sensors Failure of SPPA-T2000 platform common logic LOCC Pre-Initiating Event caused by a mechanical failure on SEC running train- States A&B Operator fails to start and control EFWS - NCSS Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS Failure of SPPA-T2000 platform common logic Failure of TXS platform common logic -LOOPL_AB Long Loss Of Offsite Power (2<recovery<24hr) - States A+B %COEF_A1/AB Time spent in states A1 (8076 h) during states AB (8225 h) HOUSELOAD_FS LHP DFR_D-ALL LJP DFR PM_GROUP_G_ST_A House load failure to start on demand CCF to run emergency diesel generators Ultimate Diesel Generator fails to run Preventive Maintenance on the SBO-DG (LJ-) during state A

112 No cutsets Frequency /r.y % cumulative Frequency /r.y 47 1,77E-09 0,32 2,00E-07 35,62% 48 1,77E-09 0,32 2,02E-07 35,93% 49 1,76E-09 0,31 2,04E-07 36,24% 50 1,76E-09 0,31 2,05E-07 36,56% % HPC PCSR3 Sub-chapter 16.2 PSA Results and Discussion Event -LOOPL_AB Description Page No.: 109 / 183 Long Loss Of Offsite Power (2<recovery<24hr) - States A+B %COEF_A1/AB Time spent in states A1 (8076 h) during states AB (8225 h) HOUSELOAD_FS LHP DFR_D-ALL OP_SBODG2H -LOC_AB OP_EFWS_60MN_NCSS OP_FB_120M_MDEP_NCSS SYS_OTHER_B_CC SYS_PROTC_A_CC -PBM1-_AB RIS1420POEFR_D-123 House load failure to start on demand CCF to run emergency diesel generators Operator fails to start SBO diesels or to close breakers within 2 hours Loss of condenser in power states AB Operator fails to start and control EFWS - NCSS Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS Failure of SPPA-T2000 platform common logic Failure of TXS platform common logic Medium Break LOCA1 ( cm2) - States A+B CCF fail to run MHSI pump -PBM1-_AB RIS1420POEFR_D-ALL Medium Break LOCA1 ( cm2) - States A+B CCF fail to run MHSI pump

SUB-CHAPTER 16.2 SECTION 1 - TABLE 5 : COMPONENT RANKING ACCORDING TO FUSSELL-VESELY (FV)

| No | ID | Description | Nominal probability per demand | FV | RDF | Sens. | Sens. High | Sens. Low |
|---|---|---|---|---|---|---|---|---|
| 1 | RCP_SEAL#1_RD | Failure of RCP shaft seals #1 during rundown phase | { SCI removed } | 15.60% | 1.18E | E | E | E-07 |
| 2 | RCP_SEAL#2_RD | Conditional failure of RCP shaft seals #2 during rundown phase | { SCI removed } | 15.60% | 1.18E | E | E | E-07 |
| 3 | HOUSELOAD_FS | House load failure to start on demand | { SCI removed } | 10.10% | 1.11E | E | E | E-07 |
| 4 | RCP_SEAL#2_SD | Conditional failure of RCP shaft seals #2 during shutdown phase | { SCI removed } | 6.39% | 1.07E | E | E | E-07 |
| 5 | RCP_SEAL#1_SD | Failure of RCP shaft seals #1 during shutdown phase | { SCI removed } | 6.39% | 1.07E | E | E | E-07 |
| 6 | LJP DFR | Ultimate Diesel Generator fails to run | { SCI removed } | 4.65% | 1.05E | E | E | E-07 |
| 7 | LJS DFR | Ultimate Diesel Generator fails to run | { SCI removed } | 4.09% | 1.04E | E | E | E-07 |
| 8 | HOUSELOAD_L_FR | Plant operation failure rate during house load for LOOP long | { SCI removed } | 3.72% | 1.04E | E | E | E-07 |
| 9 | LHP DFR | Emergency Diesel Generator fails to run | { SCI removed } | 3.00% | 1.03E | E | E | E-07 |
| 10 | LHS DFR | Emergency Diesel Generator fails to run | { SCI removed } | 2.85% | 1.03E | E | E | E-07 |
| 11 | LHR DFR | Emergency Diesel Generator fails to run | { SCI removed } | 2.81% | 1.03E | E | E | E-07 |
| 12 | LHQ DFR | Emergency Diesel Generator fails to run | { SCI removed } | 2.37% | 1.02E | E | E | E |
| 13 | GCT | By-pass Condenser Fails | { SCI removed } | 1.97% | 1.02E | E | E | E-07 |
| 14 | RCP-SSSS_ORING_52 | Failure of the O-rings exposed to RCS (P,T) | { SCI removed } | 2.01% | 1.02E | E | E | E-07 |
| 15 | RCP-SSSS_ORING_53 | Failure of the O-rings exposed to RCS (P,T) | { SCI removed } | 2.01% | 1.02E | E | E | E |
| 16 | RIS3420POEFR | MHSI pump failure to run | { SCI removed } | 1.59% | 1.02E | E | E | E |
| 17 | RCP-SSSS_ORING_51 | Failure of the O-rings exposed to RCS (P,T) | { SCI removed } | 1.58% | 1.01E | E | E | E |
| 18 | RIS4220POEFR_SD | LHSI pump failure to run | { SCI removed } | 1.00% | 1.01E | E | E | E |
| 19 | RIS4420POEFR | MHSI pump failure to run | { SCI removed } | 0.97% | 1.01E | E | E | E |
| 20 | RIS1420POEFR | MHSI pump failure to run | { SCI removed } | 0.92% | 1.01E | E | E | E-07 |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 6 : COMPONENT RANKING ACCORDING TO RISK INCREASE FACTOR (RIF)

| No | ID | Description | Nominal probability per demand | RIF |
|---|---|---|---|---|
| 1 | LVD1101DLIFR | Failure to run - inverter | { SCI removed } | |
| 2 | LVD1101JBOFL | Failure - busbar (400V) | { SCI removed } | |
| 3 | LVD1103JAISO | Failure spurious operation 400 V circuit breaker LOA/D or LAA/D to LVA/D | { SCI removed } | |
| 4 | LHD1101JBOFL_S | Failure (short) - busbar 10kV | { SCI removed } | |
| 5 | LAA1101BT_FS | Failure to start discharging from the 220 V LAA 2 hour battery | { SCI removed } | |
| 6 | LAD1101BT_FS | Failure to start discharging from the 220 V LAD 2 hour battery | { SCI removed } | |
| 7 | LHC1101JBOFL_S | Failure (short) - busbar 10kV | { SCI removed } | |
| 8 | LVA1101DLIFR | Failure to run - inverter | { SCI removed } | |
| 9 | LAC1101BT_FS | Failure to start discharging from the 220 V LAC 2 hour battery | { SCI removed } | |
| 10 | LAB1101BT_FS | Failure to start discharging from the 220 V LAB 2 hour battery | { SCI removed } | |
| 11 | LLC1101JAFSO | Failure spurious operation 10 kV outgoing fuse contactor to the HV/LV transformer | { SCI removed } | |
| 12 | EVU4111VPEFO | Failure to open - Motor Operated Valve | { SCI removed } | |
| 13 | EVU4111VPBFC | Failure to close - breaker | { SCI removed } | |
| 14 | RIS4520VPCFO | Failure to open - 2nd isolation check valve on LHSI Tr4 | { SCI removed } | |
| 15 | RIS4248VNEFO | Switchover valve - failure to open | { SCI removed } | |
| 16 | RIS4249VNEFO | Switchover valve - failure to open | { SCI removed } | 3.50 |
| 17 | RIS4220POEFR_SD | LHSI pump failure to run | { SCI removed } | |
| 18 | RIS4220POMFR_SD | LHSI pump motor failure to run | { SCI removed } | |
| 19 | RIS4248VNBFC | Breaker (switchover valve) failure to close | { SCI removed } | |
| 20 | RIS4249VNBFC | Breaker (switchover valve) failure to close | { SCI removed } | |
| 21 | RIS4210VPBFC | Failure to close - breaker | { SCI removed } | |
| 22 | RIS4259VPBFC | Failure to close - breaker | { SCI removed } | |
| 23 | RIS4292VPBFC | Failure to close - breaker | { SCI removed } | |
| 24 | RIS4220POEFS | LHSI pump failure to start | { SCI removed } | |
| 25 | RIS4220POBSO | Pump motor breaker - spurious operation | { SCI removed } | |
| 26 | RIS4292VPEFO | Failure to open - Motor Operated Valve | { SCI removed } | |
| 27 | RIS4270VPEFC | Failure to close - Motor Operated Valve | { SCI removed } | |
| 28 | RIS4259VPEFC | Failure to close motor operated valve (Mechanical stop) | { SCI removed } | |
| 29 | RIS4210VPEFO | Failure to open - Motor Operated Valve | { SCI removed } | |
| 30 | RIS4270VPBFC | Failure to close - breaker | { SCI removed } | |
| 31 | RIS4220POBFC | Pump motor breaker - failure to close | { SCI removed } | |
| 32 | RIS4220POMFS | LHSI pump motor failure to start | { SCI removed } | |
| 33 | RIS3261VPEFC | Failure to close - Motor Operated Valve | { SCI removed } | |
| 34 | RIS3271VPEFC | Failure to close - Motor Operated Valve | { SCI removed } | |
| 35 | RIS3261VPBFC | Failure to close - breaker | { SCI removed } | |
| 36 | RIS3271VPBFC | Failure to close - breaker | { SCI removed } | 3.06 |
| 37 | LJN1101JAFSO | Failure spurious operation 10 kV fuse contactor LHA/D to LJK/N outgoing from LHA/D | { SCI removed } | 3.01 |
| 38 | LLD1101JAFSO | Failure spurious operation 10 kV outgoing fuse contactor to the HV/LV transformer | { SCI removed } | |
| 39 | CFI4110FCEAU_FR | Drum screen - Failure to run | { SCI removed } | |
| 40 | CFI4410POMPE_FR | TF and FAC LP washing pumps - Failure to run the pump, its motor and its contactor | { SCI removed } | |
| 41 | LVC1101DLIFR | Failure to run - inverter | { SCI removed } | |
| 42 | ASG1210POEFR | EFWS pump failure to run | { SCI removed } | |
| 43 | ASG1210POMFR | EFWS pump motor (690V) - failure to run | { SCI removed } | |
| 44 | ASG1210POBSO | Pump motor breaker - spurious operation | { SCI removed } | |
| 45 | ASG4210POEFR | Failure to run - EFWS pump | { SCI removed } | |
| 46 | ASG4210POMFR | Failure to run - EFWS pump motor (690V) | { SCI removed } | |
| 47 | ASG4210POBSO | Spurious operation - Pump motor breaker | { SCI removed } | |
| 48 | CFI1110FCEAU_FR | Band screen - Failure to run | { SCI removed } | |
| 49 | CFI1410POMPE_FR | TF and FAC LP washing pumps - Failure to run the pump, its motor and its contactor | { SCI removed } | 2.47 |
| 50 | CFI3510POMPE_FR | TF and FAC LP washing pumps - Failure to run the pump, its motor and its contactor | { SCI removed } | 2.37 |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 7 : SYSTEMS RANKING ACCORDING TO FRACTIONAL CONTRIBUTION (FC)

| No | ID | Description | FC | RDF | RIF | Sens. | Sens. High | Sens. Low |
|---|---|---|---|---|---|---|---|---|
| 1 | I&C | Instrumentation and Control System | 59.30% | 2.45E | E | E | E | E-07 |
| 2 | OPERATOR | Operator actions (pre- and post-accidental human errors) | 49.00% | 1.96E | E | E | E | E-07 |
| 3 | LH | Emergency Diesel Generators | 22.10% | 1.28E | E | E | E | E-07 |
| 4 | RCP | Reactor Coolant System (without pressuriser) | 21.90% | 1.28E | E | E | E | E-07 |
| 5 | RIS | Safety Injection System | 19.00% | 1.23E | E | E | E | E-07 |
| 6 | RRI | Component Cooling Water System | 14.70% | 1.17E | E | E | E | E-07 |
| 7 | PM | Preventive Maintenance | 14.20% | 1.17E | E | E | E | E-07 |
| 8 | ASG | Emergency Feedwater System | 10.40% | 1.12E | E | E | E | E-07 |
| 9 | E-SUPPLY | Electrical Supply (without diesels) | 10.10% | 1.11E | E | E | E | E |
| 10 | SBO | Ultimate Diesel Generators | 9.62% | 1.11E | E | E | E | E |
| 11 | SEC | Essential Service Water System | 2.70% | 1.03E | E | E | E | E |
| 12 | EVU | Containment Heat Removal System | 2.31% | 1.02E | E | E | E | E |
| 13 | VDA | Main Steam Relief Trains | 2.10% | 1.02E | E | E | E | E |
| 14 | GCT | Main Steam Bypass | 1.97% | 1.02E | E | E | E | E |
| 15 | RBS | Extra Borating System | 1.60% | 1.02E | E | E | E | E |
| 16 | AAD | Start-up and Shutdown System | 1.23% | 1.01E | E | E | E | E |
| 17 | CFI | Circulation Water Filtration System | 0.90% | 1.01E | E | E | E | E |
| 18 | RT | Control Rod Drive Mechanism | 0.79% | 1.01E | E | E | E | E-07 |
| 19 | JAC | Fire Fighting Water Supply System | 0.64% | 1.01E | E | E | E | E |
| 20 | SRU | Ultimate cooling water system | 0.43% | 1.00E | E | E | E | E |
| 21 | PZR | Pressuriser | 0.22% | 1.00E | E | E | E | E |
| 22 | RCV | Chemical and Volume Control System | 0.14% | 1.00E | E | E | E | E |
| 23 | VVP | Main Steam Safety Valves | 0.12% | 1.00E | E | E | E | E |
| 24 | DEL | Safety Chilled Water System | 0.10% | 1.00E | E | E | E | E |
| 25 | ARE | Main Feedwater System | 0.09% | 1.00E | E | E | E | E |
| 26 | SEN | Auxiliary (raw water) cooling system | 0.01% | 1.00E | E | E | E | E |
| 27 | SRI | Conventional island closed cooling water system | 0.00% | 1.00E | E | E | E | E |
| 28 | SDR | Demineralization water system | 0.00% | 1.00E | E | E | E | E |
| 29 | REA | Reactor Boron (and water makeup) System | 0.00% | 1.00E | E | E | E | E |
| 30 | RGL | Control rod operation | 0.00% | 1.00E | E | E | E | E-07 |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 8 : OPERATOR ACTION RANKING ACCORDING TO FUSSELL-VESELY (FV)

| No | ID | Description | Nominal probability per demand | FV | RDF | Sens. | Sens. High | Sens. Low |
|---|---|---|---|---|---|---|---|---|
| 1 | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS | 7.86E | % | 1.12E | E | E E | 5.03E |
| 2 | OP_BLEED_30MN_NCSS | Op. fails to initiate bleed in 30 min - NCSS | 6.25E | % | 1.09E | E | E E | E |
| 3 | OP_FB_120M_MDEP_NCSS | Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS | 1.50E | % | 1.06E | E | E | E |
| 4 | OP_LH/RHR_15MN | Operator fails to start LHSI train 4 for RHR (t<15min) | E | % | 1.05E | E | E | E |
| 5 | OP_FSCD_29MN | Operator fails to initiate FSCD (Tm=29mn) | 1.00E | % | 1.04E | E | E | E |
| 6 | OP_BLEED_120MN | Operator fails to initiate Bleed t<120mn | 8.12E | % | 1.04E | E | E | E |
| 7 | OP_BLEED_30MN MDEP | Operator Fails to Initiate Bleed in 30 min after failure of the PCD | 2.30E | % | 1.02E | E | E | E |
| 8 | OPE_PCD | Operator fails to start PCD before 15 mn | 5.25E | % | 1.02E | E | E | E |
| 9 | OP_EFW/MSRT_2H LOCAL | Op. fails SCD by the cross-connection of SGs and opening of MSRT before 2h in SBO condition - LOCAL | 5.00E | % | 1.02E | E | E | E |
| 10 | OPE_52 | Operator fails to initiate IRWST cooling with CHRS (Grace period >4h) | E | % | 1.02E | E | E-07 | E-07 |
| 11 | OP_SIS_INJ_80MN_NCSS | Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS | 8.49E | % | 1.02E | E | E | 5.47E |
| 12 | OP_SBODG2H | Operator fails to start SBO diesels or to close breakers within 2 hours | E | % | 1.02E | E | E | E |
| 13 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm= 2 h) with medium dependency | E | % | 1.01E | E | E | E |
| 14 | OP_EFWS | Operator failure to start and control EFWS | 2.44E | % | 1.01E | E | E | E |
| 15 | OP_DIL_25MN | Manual dilution isolation failure <25 min | 1.45E | % | 1.01E | E | E | E |
| 16 | OPE_X_CONNECT | Failure probability of operator to perform local action for switchgear cross-connection | 5.00E | % | 1.01E | E | E | E |
| 17 | OP_COMBI_240MN_LDEP | Operator fails to initiate primary bleed (Tm<4h) and LHSI for inj. with IRWST cooling + low dep | E | % | 1.01E | E | E-07 | E-07 |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 9 : OPERATOR ACTION RANKING ACCORDING TO RISK INCREASE FACTOR (RIF)

| No | ID | Description | Nominal probability per demand | RIF |
|---|---|---|---|---|
| 1 | OPE_52 | Operator fails to initiate IRWST cooling with CHRS (Grace period >4h) | 1.00E | |
| 2 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank | 1.00E | |
| 3 | OP_SBODG2H | Operator fails to start SBO diesels or to close breakers within 2 hours | 2.13E | |
| 4 | OP_EFWS | Operator failure to start and control EFWS | 2.44E | |
| 5 | OP_BLEED_120MN | Operator fails to initiate Bleed t<120mn | 8.12E | |
| 6 | OPE_SGTR | Operator fails to initiate the partial cooldown before IRWST drainage | 1.00E | |
| 7 | OP_DIL_240MN | Manual dilution isolation failure t> 240 min | 1.00E | |
| 8 | OP_RCV_ISO_150 | Operator fails to manually isolate RCV HP letdown before 150 min in state B1-C2 | 2.03E | |
| 9 | OP_CFI_LOCAL_360MN | Local actuation failure of CFI LS rotation and CFI LP washing in TLIC situations t<360min | 1.00E | |
| 10 | OP_SIS_INJ_80MN_NCSS | Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS | 8.49E | |
| 11 | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS | 7.86E | |
| 12 | OP_FSCD_50MN | Operator fails to initiate FSCD (Tm=50mn) | 3.33E | |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 10 : COMMON CAUSE FAILURE RANKING ACCORDING TO FUSSELL-VESELY (FV)

| No | ID | Description | Nominal probability per demand | FV | RDF | Sens. | Sens. High | Sens. Low |
|---|---|---|---|---|---|---|---|---|
| 1 | LHP DFR_D-ALL | CCF to run emergency diesel generators | { SCI removed } | 12.10% | 1.14E | E | E | E-07 |
| 2 | RIS1420POEFR_D-ALL | CCF fail to run MHSI pump | { SCI removed } | 6.95% | 1.07E | E | E | E-07 |
| 3 | RIS1220POEFR_C-ALL | CCF fail to run LHSI pumps | { SCI removed } | 4.71% | 1.05E | E | E | E-07 |
| 4 | ASG1210POEFR_D-ALL | CCF to run EFWS pumps | { SCI removed } | 4.50% | 1.05E | E | E | E-07 |
| 5 | RIS1420POEFR_D-234 | CCF fail to run MHSI pump | { SCI removed } | 2.59% | 1.03E | E | E | E-07 |
| 6 | RIS1420POEFR_D-123 | CCF fail to run MHSI pump | { SCI removed } | 2.37% | 1.02E | E | E | E-07 |
| 7 | LJP DFR_B-ALL | CCF to run SBO diesel generators | { SCI removed } | 2.13% | 1.02E | E | E | E-07 |
| 8 | RRI1210POEFR_D-ALL | CCF to run CCWS pumps | { SCI removed } | 2.13% | 1.02E | E | E | E-07 |
| 9 | LHP DFR_D-134 | CCF to run emergency diesel generators | { SCI removed } | 1.97% | 1.02E | E | E | E |
| 10 | SEC1110POEFR_D-ALL | CCF to run ESWS pumps | { SCI removed } | 1.27% | 1.01E | E | E | E |
| 11 | LHP DFR_D | CCF to run emergency diesel generators | { SCI removed } | 1.15% | 1.01E | E | E | E-07 |
| 12 | LHP DFR_D | CCF to run emergency diesel generators | { SCI removed } | 1.15% | 1.01E | E | E | E-07 |
| 13 | LHP DFR_D-123 | CCF to run emergency diesel generators | { SCI removed } | 1.14% | 1.01E | E | E | E |
| 14 | ASG1210POEFR_D-134 | CCF to run EFWS pumps | { SCI removed } | 1.05% | 1.01E | E | E | E-07 |
| 15 | SEC1110POMFR_D-ALL | CCF SEC pump motors | { SCI removed } | 0.94% | 1.01E | E | E | E-07 |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 11 : COMMON CAUSE FAILURE RANKING ACCORDING TO RISK INCREASE FACTOR (RIF)

| No | ID | Description | Nominal probability per demand | RIF |
|---|---|---|---|---|
| 1 | RRI1210POEFR_D-ALL | CCF to run CCWS pumps | { SCI removed } | |
| 2 | SEC1110POEFR_D-ALL | CCF to run ESWS pumps | { SCI removed } | |
| 3 | SEC1110POMFR_D-ALL | CCF SEC pump motors | { SCI removed } | |
| 4 | RRI1210POMFR_D-ALL | CCF to run RRI pump motors | { SCI removed } | |
| 5 | RIS1560VPCFO_D-ALL | CCF to open check valves (SIS first isolation valve) | { SCI removed } | |
| 6 | STUCK RODS | At least 9 out of 89 stuck rods | { SCI removed } | |
| 7 | ASG1212VDEFO_D-ALL | CCF to open EFWS pressure control valves | { SCI removed } | |
| 8 | ASG1310VDEFO_D-ALL | CCF to open EFWS SG-Level control valves | { SCI removed } | |
| 9 | ASG1212VDBFC_D-ALL | CCF breaker | { SCI removed } | |
| 10 | ASG1310VDBFC_D-ALL | CCF breaker | { SCI removed } | |
| 11 | ASG1210POEFS_D-ALL | CCF to start EFWS pumps | { SCI removed } | |
| 12 | RRI1210POEFR_D-234 | CCF to run CCWS pumps | { SCI removed } | |
| 13 | ASG1210POEFR_D-ALL | CCF to run EFWS pumps | { SCI removed } | |
| 14 | SEC1110POEFR_D-234 | CCF to run ESWS pumps | { SCI removed } | |
| 15 | SEC1110POMFR_D-234 | CCF SEC pump motors | { SCI removed } | |
| 16 | RRI1210POMFR_D-234 | CCF to run RRI pump motors | { SCI removed } | |
| 17 | RRI1210POEFR_D-123 | CCF to run CCWS pumps | { SCI removed } | |
| 18 | SEC1110POEFR_D-123 | CCF to run ESWS pumps | { SCI removed } | |
| 19 | SEC1110POMFR_D-123 | CCF SEC pump motors | { SCI removed } | |
| 20 | RRI1210POMFR_D-123 | CCF to run RRI pump motors | { SCI removed } | |
| 21 | RIS1220POEFR_C-ALL | CCF fail to run LHSI pumps | { SCI removed } | |
| 22 | RIS1220POMFR_C-ALL | CCF RIS BP pumps | { SCI removed } | |
| 23 | DVD1410GFEFR_E-ALL | CCF to run the cooling coils | { SCI removed } | |
| 24 | DVD1407ZVHFR_E-ALL | CCF to run the electrical rooms' conditioning fans | { SCI removed } | |
| 25 | C2CFIFAC_FR-ALL | CCF to run band screen | { SCI removed } | |
| 26 | C2CFIPOBPFAC_FR-ALL | CCF to run BS LP pump, its motor and its contactor | { SCI removed } | |
| 27 | C2CFIFAC_FS-ALL | CCF to start band screen | { SCI removed } | |
| 28 | STUCK RODS | At least 5 out of 89 stuck rods | { SCI removed } | |
| 29 | RIS1420POEFR_D-ALL | CCF fail to run MHSI pump | { SCI removed } | |
| 30 | RIS1420POMFR_D-ALL | CCF RIS MP pump motors | { SCI removed } | |
| 31 | RIS1540VPCFO_D-ALL | CCF fail to open - check valves | { SCI removed } | |
| 32 | RIS1420POEFS_D-ALL | CCF fail to start MHSI pumps | { SCI removed } | |
| 33 | RIS1420POBFC_D-ALL | CCF breaker | { SCI removed } | |
| 34 | C2CFIPOBPFAC_FS-ALL | CCF to start BS LP pump, its motor and its contactor | { SCI removed } | |
| 35 | RIS1420POMFS_D-ALL | CCF RIS MP pump motors | { SCI removed } | |
| 36 | VDA1110VVPFO_D-ALL | CCF fail to open MSR fluid valves | { SCI removed } | |
| 37 | VDA1210VVECF_D-ALL | CCF to control the flow by MSRV | { SCI removed } | |
| 38 | VDA1124VVBFC-ALL | CCF breaker | { SCI removed } | |
| 39 | VDA--VVOFO_P-ALL | CCF to open MSRIV pilot valves | { SCI removed } | |
| 40 | ASG1212VDEFO_D-134 | CCF to open EFWS pressure control valves | { SCI removed } | |
| 41 | ASG1310VDEFO_D-134 | CCF to open EFWS SG-Level control valves | { SCI removed } | |
| 42 | ASG1212VDBFC_D-134 | CCF breaker | { SCI removed } | |
| 43 | ASG1310VDBFC_D-134 | CCF breaker | { SCI removed } | |
| 44 | ASG1210POEFR_D-134 | CCF to run EFWS pumps | { SCI removed } | |
| 45 | VDA1110VVPFO_D-234 | CCF fail to open MSR fluid valves | { SCI removed } | |
| 46 | VDA1210VVECF_D-234 | CCF to control the flow by MSRV | { SCI removed } | |
| 47 | ASG1210POEFS_D-134 | CCF to start EFWS pumps | { SCI removed } | |
| 48 | STUCK RODS | At least 3 out of 89 stuck rods | { SCI removed } | |
| 49 | LHA1102JABFC_D-ALL | CCF to close 10kV circuit breakers | { SCI removed } | |
| 50 | LHP DFS_D-ALL | CCF to start emergency diesel generators | { SCI removed } | |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 12 : I&C EVENT RANKING ACCORDING TO FUSSELL-VESELY (FV)

| No | ID | Description | Nominal probability per demand | FV | RDF | Sens. | Sens. High | Sens. Low |
|---|---|---|---|---|---|---|---|---|
| 1 | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic | { SCI removed } | 45.50% | 1.83E | E | E | E |
| 2 | SYS_PROTC_A_CC | Failure of TXS platform common logic | { SCI removed } | % | 1.23E | E | E | E |
| 3 | RPR_PS_DIV_A_A24SC | E1A, 2/4- Failure of specific logic part - PS diversity A | { SCI removed } | % | 1.06E | E | E | E |
| 4 | RPR_PS_DIV_B_A24SC | E1A, 2/4- Failure of specific logic part - PS diversity B | { SCI removed } | % | 1.05E | E | E | E |
| 5 | SYS_NCSSUNICORN_FAIL | Failure of NCSS/UNICORN platform common logic | { SCI removed } | % | 1.02E | E | E | E |
| 6 | RCPX861MN_AC_D-123 | CCF between 4 hot leg loop sensors | { SCI removed } | % | 1.01E | E | E | E-07 |
| 7 | RCPX861MN_AC_D-234 | CCF between 4 hot leg loop sensors | { SCI removed } | 0.76% | 1.01E | E | E | E |
| 8 | RCPX861MN_AC_D-124 | CCF between 4 hot leg loop sensors | { SCI removed } | % | 1.01E | E | E | E |
| 9 | RCPX861MN_AC_D-134 | CCF between 4 hot leg loop sensors | { SCI removed } | % | 1.01E | E | E | E |
| 10 | RCPX861MN_AC_D-ALL | CCF between 4 hot leg loop sensors | { SCI removed } | % | 1.01E | E | E | E-07 |
| 11 | C4CFISENSORS-ALL | CCF on the 4 sensors' trains of CFI | { SCI removed } | 0.51% | 1.01E | E | E | E |
| 12 | RCP681YMP_AC_D-123 | CCF between 4 pressurizer pressure sensors | { SCI removed } | % | 1.00E | E | E | E |
| 13 | RCP681YMP_AC_D-234 | CCF between 4 pressurizer pressure sensors | { SCI removed } | % | 1.00E | E | E | E |
| 14 | RCP681YMP_AC_D-ALL | CCF between 4 pressurizer pressure sensors | { SCI removed } | % | 1.00E | E | E | E |
| 15 | RCP681YMP_AC_D-124 | CCF between 4 pressurizer pressure sensors | { SCI removed } | % | 1.00E | E | E | E |
| 16 | RCP681YMP_AC_D-134 | CCF between 4 pressurizer pressure sensors | { SCI removed } | % | 1.00E | E | E | E |
| 17 | AREX83YMN_CCF_16 | CCF on the 16 SG level wide range sensors | { SCI removed } | % | 1.00E | E | E | E-07 |
| 18 | LHX111YTU_AC_H-ALL | CCF between 8 voltage sensors | { SCI removed } | 0.21% | 1.00E | E | E | E |
| 19 | AAD AC | F1B, F2, NC sensor - On-Off pump sensor | { SCI removed } | % | 1.00E | E | E | E |
| 20 | RCV7322MD_AC | F1A sensor - RCP2 seal injection line flow | { SCI removed } | % | 1.00E | E | E | E-07 |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 13 : I&C EVENT RANKING ACCORDING TO RISK INCREASE FACTOR (RIF)

Nominal probabilities per demand are { SCI removed } and the RIF column is not legible in this copy. Only the first rank number survived extraction; the remaining numbers follow the ranking order of the 50 listed events.

| No | ID | Description | Nominal probability per demand |
|---|---|---|---|
| 1 | SYS_PROTC_A_CC | Failure of TXS platform common logic | { SCI removed } |
| 2 | RPR_PS_DIV_A_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity A | { SCI removed } |
| 3 | C4CFISENSORS-ALL | CCF on the 4 sensors' trains of CFI | { SCI removed } |
| 4 | RPR_PS_DIV_B_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity B | { SCI removed } |
| 5 | RCPX861MN_AC_D-123 | CCF between 4 hot leg loop sensors | { SCI removed } |
| 6 | RCPX861MN_AC_D-234 | CCF between 4 hot leg loop sensors | { SCI removed } |
| 7 | RCPX861MN_AC_D-124 | CCF between 4 hot leg loop sensors | { SCI removed } |
| 8 | RCPX861MN_AC_D-134 | CCF between 4 hot leg loop sensors | { SCI removed } |
| 9 | RCPX861MN_AC_D-ALL | CCF between 4 hot leg loop sensors | { SCI removed } |
| 10 | AREX83YMN_CCF_16 | CCF on the 16 SG level wide range sensors | { SCI removed } |
| 11 | LHX111YTU_AC_H-ALL | CCF between 8 voltage sensors | { SCI removed } |
| 12 | RCP681YMP_AC_D-123 | CCF between 4 pressurizer pressure sensors | { SCI removed } |
| 13 | RCP681YMP_AC_D-234 | CCF between 4 pressurizer pressure sensors | { SCI removed } |
| 14 | RCP681YMP_AC_D-ALL | CCF between 4 pressurizer pressure sensors | { SCI removed } |
| 15 | RCP681YMP_AC_D-124 | CCF between 4 pressurizer pressure sensors | { SCI removed } |
| 16 | RCP681YMP_AC_D-134 | CCF between 4 pressurizer pressure sensors | { SCI removed } |
| 17 | VVPX81XMP_CCF_8_TYPB | CCF on the 8 Type B Main steam line pressure sensors | { SCI removed } |
| 18 | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic | { SCI removed } |
| 19 | RCPX881MT_AC_D-234 | CCF between 4 hot leg temperature sensors | { SCI removed } |
| 20 | RISX852MP_AC_D-134 | CCF between 4 hot leg pressure sensors | { SCI removed } |
| 21 | RCPX881MT_AC_D-ALL | CCF between 4 hot leg temperature sensors | { SCI removed } |
| 22 | RISX852MP_AC_D-124 | CCF between 4 hot leg pressure sensors | { SCI removed } |
| 23 | RISX852MP_AC_D-ALL | CCF between 4 hot leg pressure sensors | { SCI removed } |
| 24 | RISX852MP_AC_D-123 | CCF between 4 hot leg pressure sensors | { SCI removed } |
| 25 | RISX852MP_AC_D-234 | CCF between 4 hot leg pressure sensors | { SCI removed } |
| 26 | RCPX881MT_AC_D-134 | CCF between 4 hot leg temperature sensors | { SCI removed } |
| 27 | RCPX881MT_AC_D-124 | CCF between 4 hot leg temperature sensors | { SCI removed } |
| 28 | RCPX881MT_AC_D-123 | CCF between 4 hot leg temperature sensors | { SCI removed } |
| 29 | RCV681XMT_AC_D-123 | CCF between 4 charging line temperature sensors | { SCI removed } |
| 30 | RCV681XMT_AC_D-124 | CCF between 4 charging line temperature sensors | { SCI removed } |
| 31 | RCV681XMT_AC_D-134 | CCF between 4 charging line temperature sensors | { SCI removed } |
| 32 | RCV681XMG_AC_D-ALL | CCF between 4 boron concentration in charging line sensors | { SCI removed } |
| 33 | RCV681XMG_AC_D-124 | CCF between 4 boron concentration in charging line sensors | { SCI removed } |
| 34 | RCV681XMG_AC_D-123 | CCF between 4 boron concentration in charging line sensors | { SCI removed } |
| 35 | RCV681XMG_AC_D-234 | CCF between 4 boron concentration in charging line sensors | { SCI removed } |
| 36 | RCV681XMG_AC_D-134 | CCF between 4 boron concentration in charging line sensors | { SCI removed } |
| 37 | RCV681XMT_AC_D-234 | CCF between 4 charging line temperature sensors | { SCI removed } |
| 38 | RCV681XMT_AC_D-ALL | CCF between 4 charging line temperature sensors | { SCI removed } |
| 39 | SYS_NCSSUNICORN_FAIL | Failure of NCSS/UNICORN platform common logic | { SCI removed } |
| 40 | RCV681YMD_AC_D-123 | CCF between 4 charging flow sensors | { SCI removed } |
| 41 | RCV681YMD_AC_D-124 | CCF between 4 charging flow sensors | { SCI removed } |
| 42 | RCV681YMD_AC_D-ALL | CCF between 4 charging flow sensors | { SCI removed } |
| 43 | RCV681YMD_AC_D-134 | CCF between 4 charging flow sensors | { SCI removed } |
| 44 | RCV681YMD_AC_D-234 | CCF between 4 charging flow sensors | { SCI removed } |
| 45 | RCPX813MT_AC_D-234 | CCF between 4 cold leg temperature sensors | { SCI removed } |
| 46 | RCPX813MT_AC_D-ALL | CCF between 4 cold leg temperature sensors | { SCI removed } |
| 47 | RCPX813MT_AC_D-134 | CCF between 4 cold leg temperature sensors | { SCI removed } |
| 48 | RCPX813MT_AC_D-123 | CCF between 4 cold leg temperature sensors | { SCI removed } |
| 49 | RCPX813MT_AC_D-124 | CCF between 4 cold leg temperature sensors | { SCI removed } |
| 50 | RCPX181MN_AC_D-ALL | CCF between 4 hot leg loop level sensors | { SCI removed } |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 14 : PARAMETER RANKING ACCORDING TO FUSSELL-VESELY (FV), RISK INCREASE FACTOR (RIF) GIVEN

Type: q = probability, r = failure rate. Nominal probabilities per demand are { SCI removed }. The RIF and sensitivity columns (Sens., Sens. High, Sens. Low) are not legible in this copy; FV is given where it is legible.

| No | ID | Description | Type | Nominal probability per demand | FV |
|---|---|---|---|---|---|
| 1 | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic | q | { SCI removed } | 45.50% |
| 2 | LH# DFR | Emergency diesel generator - failure to run - FA3/EDF data | r | { SCI removed } | 21.70% |
| 3 | SYS_PROTC_A_CC | Failure of TXS platform common logic | q | { SCI removed } | (not legible) |
| 4 | RIS#420POEFR | RIS MP pump - failure to run - FA3/EDF data | r | { SCI removed } | (not legible) |
| 5 | RCP_SEAL#2_RD | Conditional failure of RCP shaft seals #2 during rundown phase | q | { SCI removed } | (not legible) |
| 6 | RCP_SEAL#1_RD | Failure of RCP shaft seals #1 during rundown phase | q | { SCI removed } | 15.60% |
| 7 | #########A24SC | Failure of PS system specific logic 2/4 voting logic | q | { SCI removed } | (not legible) |
| 8 | OPF_045MN_BL | Operator failure to F&B in Tm=45mn | q | { SCI removed } | (not legible) |
| 9 | HOUSELOAD_FS | Failure to start house load during LOOP short and long | q | { SCI removed } | (not legible) |
| 10 | ASG#210POEFR | Failure to run - ASG pump - FA3/EDF data | r | { SCI removed } | 9.27% |
| 11 | LJ# DFR | SBO diesel generator - failure to run - FA3/EDF data | r | { SCI removed } | (not legible) |
| 12 | #########A AC | Failure of acquisition part F1A | q | { SCI removed } | (not legible) |
| 13 | OPF_15MN_BL | Operator failure to F&B in Tm=15min | q | { SCI removed } | (not legible) |
| 14 | OPF_015MN | Operator failure for Tm=15mn | q | { SCI removed } | (not legible) |
| 15 | OPF_DEP_0,15 | dep medium - bleed 120m (8.12E-3) | q | { SCI removed } | (not legible) |
| 16 | RCP_SEAL#2_SD | Conditional failure of RCP shaft seals #2 during shutdown phase | q | { SCI removed } | (not legible) |
| 17 | RCP_SEAL#1_SD | Failure of RCP shaft seals #1 during shutdown phase | q | { SCI removed } | (not legible) |
| 18 | RIS#220POEFR | Failure to run - RIS BP pump - FA3/EDF data | r | { SCI removed } | 6.39% |
| 19 | UNSUBSTANTIATEDHEP | Operator failure for Tm=24mn | q | { SCI removed } | (not legible) |
| 20 | OPF_120MN_BL | Operator failure for Tm=120mn (Bleed) | q | { SCI removed } | (not legible) |
| 21 | HOUSELOAD_FR | Failure of plant to run during house load for LOOP short and long | r | { SCI removed } | 3.77% |
| 22 | OP_LOCAL | Local action with a grace period greater than 2h | q | { SCI removed } | (not legible) |
| 23 | RRI#210POEFR | Failure to run - RRI pump - FA3/EDF data | r | { SCI removed } | (not legible) |
| 24 | OPF_DEP_0,23 | dep medium - bleed 30m (1.01E-1) | q | { SCI removed } | (not legible) |
| 25 | VDA#110VVPFO | Main Steam Relief Isolation Valve - failure to open | r | { SCI removed } | (not legible) |
| 26 | BP_COND | By-pass Condenser fails | q | { SCI removed } | (not legible) |
| 27 | DEA_ORING_53 | Failure of the O-rings exposed to RCS | q | { SCI removed } | (not legible) |
| 28 | DEA_ORING_52 | Failure of the O-rings exposed to RCS | q | { SCI removed } | (not legible) |
| 29 | OPF_240MN | Operator failure >4h | q | { SCI removed } | 1.85% |
| 30 | SYS_NCSS_FAIL | Failure of NCSS/UNICORN platform common logic | q | { SCI removed } | (not legible) |
| 31 | OPF_120MN | Operator failure for Tm=120mn | q | { SCI removed } | (not legible) |
| 32 | OPF_065MN_BL | Operator failure to F&B in Tm=65mn | q | { SCI removed } | (not legible) |
| 33 | SEC####POEFR | Failure to run - SEC or SRU pumps - FA3/EDF data | q | { SCI removed } | 1.65% |
| 34 | LJ# DFS | SBO diesel generator - failure to start - FA3/EDF data | r | { SCI removed } | (not legible) |
| 35 | DEA_ORING_51 | Failure of the O-rings exposed to RCS | q | { SCI removed } | (not legible) |
| 36 | EVU####POEFR | EVU pump (int & ppal) - failure to run - FA3/EDF data | q | { SCI removed } | (not legible) |
| 37 | OPF_070MN | Operator failure for Tm=70mn | q | { SCI removed } | (not legible) |
| 38 | #######VAMEC2 | Valve left in a wrong closed position | r | { SCI removed } | (not legible) |
| 39 | SEC#110POMFR | Failure to run - SEC pump motor - FA3/EDF data | q | { SCI removed } | (not legible) |
| 40 | OPF_025MN | Operator failure for Tm=25mn | q | { SCI removed } | (not legible) |
| 41 | #######ZVEFS | Fan - failure to start | r | { SCI removed } | (not legible) |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 15 : OVERALL RANKING ACCORDING TO FUSSELL-VESELY (FV), RISK INCREASE FACTOR (RIF) GIVEN - TOP 50 BASIC EVENTS

Event Types: Comp = Component, IC = I&C, Op = Operator Action, CCF = Common Cause Failure. Nominal probabilities per demand are { SCI removed }. Blank RIF cells are not legible in this copy.

| No | ID | Description | Nominal probability per demand | FV | RIF | Event Type |
|---|---|---|---|---|---|---|
| 1 | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic | { SCI removed } | 45.50% | | IC |
| 2 | SYS_PROTC_A_CC | Failure of TXS platform common logic | { SCI removed } | 18.70% | | IC |
| 3 | RCP_SEAL#1_RD | Failure of RCP shaft seals #1 during rundown phase | { SCI removed } | 15.60% | 1.85 | Comp |
| 4 | RCP_SEAL#2_RD | Conditional failure of RCP shaft seals #2 during rundown phase | { SCI removed } | 15.60% | 1.27 | Comp |
| 5 | LHP DFR_D-ALL | CCF to run emergency diesel generators | { SCI removed } | 12.10% | | CCF |
| 6 | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS | { SCI removed } | 10.50% | 2.24 | Op |
| 7 | HOUSELOAD_FS | House load failure to start on demand | { SCI removed } | 10.10% | 1.38 | Comp |
| 8 | OP_BLEED_30MN_NCSS | Op. fails to initiate bleed in 30 min - NCSS | { SCI removed } | 7.86% | 1.05 | Op |
| 9 | RIS1420POEFR_D-ALL | CCF fail to run MHSI pump | { SCI removed } | 6.95% | | CCF |
| 10 | RCP_SEAL#2_SD | Conditional failure of RCP shaft seals #2 during shutdown phase | { SCI removed } | 6.39% | 1.11 | Comp |
| 11 | RCP_SEAL#1_SD | Failure of RCP shaft seals #1 during shutdown phase | { SCI removed } | 6.39% | 1.45 | Comp |
| 12 | RPR_PS_DIV_A_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity A | { SCI removed } | 5.70% | | IC |
| 13 | OP_FB_120M_MDEP_NCSS | Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS | { SCI removed } | 5.41% | 1.31 | Op |
| 14 | OP_LH/RHR_15MN | Operator fails to start LHSI train 4 for RHR (t<15min) | { SCI removed } | 5.11% | 1.05 | Op |
| 15 | RPR_PS_DIV_B_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity B | { SCI removed } | 5.10% | | IC |
| 16 | RIS1220POEFR_C-ALL | CCF fail to run LHSI pumps | { SCI removed } | 4.71% | | CCF |
| 17 | LJP DFR | Ultimate Diesel Generator fails to run | { SCI removed } | 4.65% | 1.83 | Comp |
| 18 | ASG1210POEFR_D-ALL | CCF to run EFWS pumps | { SCI removed } | 4.50% | | CCF |
| 19 | OP_FSCD_29MN | Operator fails to initiate FSCD (Tm=29mn) | { SCI removed } | 4.24% | 1.00 | Op |
| 20 | LJS DFR | Ultimate Diesel Generator fails to run | { SCI removed } | 4.09% | 1.73 | Comp |
| 21 | OP_BLEED_120MN | Operator fails to initiate Bleed t<120mn | { SCI removed } | 3.77% | 5.60 | Op |
| 22 | HOUSELOAD_L_FR | Plant operation failure rate during house load for LOOP long | { SCI removed } | 3.72% | 1.37 | Comp |
| 23 | LHP DFR | Emergency Diesel Generator fails to run | { SCI removed } | 3.00% | 1.38 | Comp |
| 24 | LHS DFR | Emergency Diesel Generator fails to run | { SCI removed } | 2.85% | 1.36 | Comp |
| 25 | LHR DFR | Emergency Diesel Generator fails to run | { SCI removed } | 2.81% | 1.36 | Comp |
| 26 | RIS1420POEFR_D-234 | CCF fail to run MHSI pump | { SCI removed } | 2.59% | | CCF |
| 27 | RIS1420POEFR_D-123 | CCF fail to run MHSI pump | { SCI removed } | 2.37% | | CCF |
| 28 | LHQ DFR | Emergency Diesel Generator fails to run | { SCI removed } | 2.37% | 1.30 | Comp |
| 29 | OP_BLEED_30MN MDEP | Operator fails to initiate Bleed in 30 min after failure of the PCD | { SCI removed } | 2.30% | 1.08 | Op |
| 30 | OPE_PCD | Operator fails to start PCD before 15 mn | { SCI removed } | 2.25% | 1.02 | Op |
| 31 | LJP DFR_B-ALL | CCF to run SBO diesel generators | { SCI removed } | 2.13% | 8.63 | CCF |
| 32 | RRI1210POEFR_D-ALL | CCF to run CCWS pumps | { SCI removed } | 2.13% | | CCF |
| 33 | OP_EFW/MSRT_2H LOCAL | Op. fails SCD by the cross-connection of SGs and opening of MSRT before 2h in SBO condition - LOCAL | { SCI removed } | 2.07% | 1.39 | Op |
| 34 | GCT | By-pass Condenser fails | { SCI removed } | 1.97% | 1.18 | Comp |
| 35 | LHP DFR_D-134 | CCF to run emergency diesel generators | { SCI removed } | 1.97% | | CCF |
| 36 | RCP-SSSS_ORING_52 | Failure of the O-rings exposed to RCS (P,T) | { SCI removed } | 2.01% | 1.08 | Comp |
| 37 | RCP-SSSS_ORING_53 | Failure of the O-rings exposed to RCS (P,T) | { SCI removed } | 2.01% | 1.08 | Comp |
| 38 | SYS_NCSSUNICORN_FAIL | Failure of NCSS/UNICORN platform common logic | { SCI removed } | 1.83% | | IC |
| 39 | OPE_52 | Operator fails to initiate IRWST cooling with CHRS (grace period >4h) | { SCI removed } | 1.78% | | Op |
| 40 | OP_SIS_INJ_80MN_NCSS | Op. fails to start SIS by MHSI/LHSI (Tm=80min) - NCSS | { SCI removed } | 1.73% | 3.02 | Op |
| 41 | OP_SBODG2H | Operator fails to start SBO diesels or to close breakers within 2 hours | { SCI removed } | 1.65% | 8.71 | Op |
| 42 | RIS3420POEFR | MHSI pump failure to run | { SCI removed } | 1.59% | 1.78 | Comp |
| 43 | RCP-SSSS_ORING_51 | Failure of the O-rings exposed to RCS (P,T) | { SCI removed } | 1.58% | 1.10 | Comp |
| 44 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency | { SCI removed } | 1.35% | 1.08 | Op |
| 45 | SEC1110POEFR_D-ALL | CCF to run ESWS pumps | { SCI removed } | 1.27% | | CCF |
| 46 | OP_EFWS | Operator failure to start and control EFWS | { SCI removed } | 1.22% | 5.99 | Op |
| 47 | LHP DFR_D-124 | CCF to run emergency diesel generators | { SCI removed } | 1.15% | | CCF |
| 48 | LHP DFR_D-234 | CCF to run emergency diesel generators | { SCI removed } | 1.15% | | CCF |
| 49 | LHP DFR_D-123 | CCF to run emergency diesel generators | { SCI removed } | 1.14% | | CCF |
| 50 | OP_DIL_25MN | Manual dilution isolation failure <25 min | { SCI removed } | 1.08% | 1.06 | Op |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 16 : INITIATING EVENTS RANKING ACCORDING TO FUSSELL-VESELY (FV)

Normal values (initiating event frequencies) are { SCI removed }. The FV, RDF and sensitivity columns (Sens., sens. High, sens. Low) are not legible in this copy; the events are listed in their ranking order.

| ID | Description | Normal value |
|---|---|---|
| -LOOPL_AB | Long Loss Of Offsite Power (2<recovery<24hr) - States A+B | { SCI removed } |
| -IH F SB1_AB | Fire in Safeguard Building 1 | { SCI removed } |
| -RT_A- | Spurious Reactor Trip in power state A | { SCI removed } |
| -LUHS_MI_FILTERS | Massive ingress frequency leading to the filters' clogging | { SCI removed } |
| -LO1RHR_%_D | Number of days spent in state D per year | { SCI removed } |
| -PBS2-_AB | Small Break LOCA (20-45cm2) - State A+B | { SCI removed } |
| -ULD---_CB | Uncontrolled Level Drop State CB | { SCI removed } |
| -PBSPZR-_AB | Small break LOCA PZR leak - State A+B | { SCI removed } |
| -LO1RHR_%_CB | Number of days spent in state CB per year | { SCI removed } |
| -IH F SWGB_AB | Internal Hazard Fire in the Switchgear Building | { SCI removed } |
| -PBS1-_AB | Small Break LOCA (2-20cm2) - State A+B | { SCI removed } |
| -LOCC_CCWS_AB | LOCC Pre-Initiating Event caused by a mechanical failure on RRI running train - States A&B | { SCI removed } |
| -TT_A- | Turbine trip in state A | { SCI removed } |
| -LOMFW_A- | Total Loss Of Main FeedWater - State A | { SCI removed } |
| -RPV_F | RPV failure | { SCI removed } |
| -SLB SO_AB | Small Second. steam break upstream MSIV | { SCI removed } |
| -LO1RHR_%_C1 | Number of days spent in state C1 per year | { SCI removed } |
| -LOOPS_AB | Short Loss Of Offsite Power (<2hr) - States A+B | { SCI removed } |
| -LOCC_ESWS_AB | LOCC Pre-Initiating Event caused by a mechanical failure on SEC running train - States A&B | { SCI removed } |
| -DIL HO100_B- | Homogeneous Boron Dilution. RBWMS dil 100t/h state B | { SCI removed } |
| -LOC_AB | Loss of condenser in power states AB | { SCI removed } |
| -SGTR1_AB | SG tube rupture 1 tube - States AB | { SCI removed } |
| -LOOPL_CB | Long Loss Of Offsite Power (24hr) - State Cb (RCS part. open) | { SCI removed } |
| -ULD_CP_A12 | Failure of RCV charging pump over 1 year | { SCI removed } |
| -LO1RHR_%_C2-C3 | Number of days spent in state C2-C3 per year | { SCI removed } |
| -PBM1-_AB | Medium Break LOCA1 ( cm2) - States A+B | { SCI removed } |
| -DIL HE_CA | Heterogeneous Dilution during state Ca | { SCI removed } |
| -LOOPL_CA | Long Loss Of Offsite Power (24hr) - State Ca | { SCI removed } |
| -PBV_AB | V-LOCA during power states AB | { SCI removed } |
| -SGTRS_AB | Small SG tube rupture - States A+B | { SCI removed } |
| -LOLH_AB | LOLH pre-Initiating Event caused by a failure on LH busbars - States A&B | { SCI removed } |
| -IH F CTM_AB | Internal Hazard Fire in the Containment | { SCI removed } |
| -LOOPS_D- | Short Loss Of Offsite Power (<2hr) - State D - RCS open | { SCI removed } |
| -ULD_NCP_A12 | Initiating Event ULD 1 year | { SCI removed } |
| -PBM2-_AB | Medium Break LOCA2 (45-100cm2) - States A+B | { SCI removed } |
| -ULD---_B1C2 | ULD pre-initiating event states B1C2 | { SCI removed } |
| -IH F TH_AB | Internal hazard Fire Turbine Hall | { SCI removed } |
| -PBSPZR-_CA | Small break LOCA PZR leak - state Ca | { SCI removed } |
| -LOOPL_D- | Long Loss Of Offsite Power (24hr) - State D | { SCI removed } |
| -IH FL FB_AB | Flooding in Fuel Building 1 | { SCI removed } |

SUB-CHAPTER 16.2 SECTION 1 - TABLE 17 : SIGNIFICANT CUTSETS FOR THE SENSITIVITY STUDY OF SECTION (CUTSETS FOR WHICH THE QUANTIFICATIONS WITH LIMITATIONS TO 1E-05 OF THE OPERATOR ACTIONS HAVE THE MOST SIGNIFICANT IMPACT ON THE GLOBAL CDF)

Each cutset is an initiating event followed by the basic events that complete it, with the frequency (initiating event) or probability (basic event) of each. The two cutset-level columns, "Frequency with a 1E-05 limit on operator actions" and "Frequency in PCSR3 PSA model", are not legible in this copy. Operator action probabilities for the NCSS cutsets (OP_CFI_LOCAL_360MN, OP_EFWS_60MN_NCSS, OP_FB_120M_MDEP_NCSS) and for OP_BLEED_120MN are likewise not legible.

| Cutset | Frequency / probability | Event | Description |
|---|---|---|---|
| 1 | { SCI removed } | -LOC_AB | Loss of condenser in power states AB |
| 1 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 1 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 1 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 1 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 2 | { SCI removed } | -RT_A- | Spurious Reactor Trip in power state A |
| 2 | { SCI removed } | GCT | By-pass Condenser fails |
| 2 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 2 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 2 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 2 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 3 | { SCI removed } | -LOMFW_A- | Total Loss Of Main FeedWater - State A |
| 3 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 3 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 3 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 3 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 4 | { SCI removed } | -TT_A- | Turbine trip in state A |
| 4 | { SCI removed } | GCT | By-pass Condenser fails |
| 4 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 4 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 4 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 4 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 5 | { SCI removed } | -LOLH_AB | LOLH pre-Initiating Event caused by a failure on LH busbars - States A&B |
| 5 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 5 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 5 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 5 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 6 | { SCI removed } | -LO1RHR_%_C1 | Number of days spent in state C1 per year |
| 6 | (not legible) | OP_CFI_LOCAL_360MN | Local actuation failure of CFI LS rotation and CFI LP washing in TLIC situations t<360min |
| 6 | (not legible) | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS |
| 6 | { SCI removed } | RPR_PS_DIV_A_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity A |
| 6 | { SCI removed } | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic |
| 7 | { SCI removed } | -RT_A- | Spurious Reactor Trip in power state A |
| 7 | (not legible) | OP_CFI_LOCAL_360MN | Local actuation failure of CFI LS rotation and CFI LP washing in TLIC situations t<360min |
| 7 | (not legible) | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS |
| 7 | (not legible) | OP_FB_120M_MDEP_NCSS | Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS |
| 7 | { SCI removed } | RPR_PS_DIV_A_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity A |
| 7 | { SCI removed } | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic |
| 8 | { SCI removed } | -ULD_NCP_A12 | Initiating Event ULD 1 year |
| 8 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 8 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 8 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 8 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 9 | { SCI removed } | -ULI---_AB | Initiating event ULI states AB |
| 9 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 9 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 9 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 9 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 10 | { SCI removed } | -IH F SB1_AB | Fire in Safeguard Building 1 |
| 10 | { SCI removed } | GCT | By-pass Condenser fails |
| 10 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 10 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 10 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 10 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 11 | { SCI removed } | -ULD---_A3 | ULD pre-initiating event in state A3 |
| 11 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 11 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 11 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 11 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 12 | { SCI removed } | -LOCC_CCWSLEAK_CC_AB | LOCC Pre-Initiating Event caused by a leak on common header - States A&B |
| 12 | { SCI removed } | GCT | By-pass Condenser fails |
| 12 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 12 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 12 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 12 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 13 | { SCI removed } | -TT_A- | Turbine trip in state A |
| 13 | (not legible) | OP_CFI_LOCAL_360MN | Local actuation failure of CFI LS rotation and CFI LP washing in TLIC situations t<360min |
| 13 | (not legible) | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS |
| 13 | (not legible) | OP_FB_120M_MDEP_NCSS | Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS |
| 13 | { SCI removed } | RPR_PS_DIV_A_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity A |
| 13 | { SCI removed } | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic |
| 14 | { SCI removed } | -LOCC_CCWS_AB | LOCC Pre-Initiating Event caused by a mechanical failure on RRI running train - States A&B |
| 14 | { SCI removed } | GCT | By-pass Condenser fails |
| 14 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 14 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 14 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 14 | { SCI removed } | PM_GROUP_A_ST_A | Preventive Maintenance on the cooling chain (RIS/RRI/SEC) during power operation |
| 14 | { SCI removed } | RRI_C2B_TB | Probability that CCWS Common 2B is initially aligned to RCP TB |
| 14 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 15 | { SCI removed } | -LOC_AB | Loss of condenser in power states AB |
| 15 | (not legible) | OP_CFI_LOCAL_360MN | Local actuation failure of CFI LS rotation and CFI LP washing in TLIC situations t<360min |
| 15 | (not legible) | OP_EFWS_60MN_NCSS | Operator fails to start and control EFWS - NCSS |
| 15 | (not legible) | OP_FB_120M_MDEP_NCSS | Operator fails to initiate F&B (Tm=2h) with medium dependency - NCSS |
| 15 | { SCI removed } | RPR_PS_DIV_A_A24SC | E1A, 2/4 - Failure of specific logic part - PS diversity A |
| 15 | { SCI removed } | SYS_OTHER_B_CC | Failure of SPPA-T2000 platform common logic |
| 16 | { SCI removed } | -LOCC_ESWS_AB | LOCC Pre-Initiating Event caused by a mechanical failure on SEC running train - States A&B |
| 16 | { SCI removed } | GCT | By-pass Condenser fails |
| 16 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 16 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 16 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 16 | { SCI removed } | PM_GROUP_A_ST_A | Preventive Maintenance on the cooling chain (RIS/RRI/SEC) during power operation |
| 16 | { SCI removed } | RRI_C2B_TB | Probability that CCWS Common 2B is initially aligned to RCP TB |
| 16 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 17 | { SCI removed } | -ULD_RCV_A12 | Failure of RCV1314 and RCV1324 during state A |
| 17 | 2.44E-03 | OP_EFWS | Operator failure to start and control EFWS |
| 17 | 1.50E-01 | OP_FB_120M_MDEP | Operator fails to initiate F&B (Tm=2 h) with medium dependency |
| 17 | 1.00E-04 | OP_FEED_TK | Operator fails the cross-connection of SG tank / Operator fails to re-feed SSS, MFWS or EFWS tank |
| 17 | { SCI removed } | SYS_PROTC_A_CC | Failure of TXS platform common logic |
| 18 | { SCI removed } | -LOLH_AB | LOLH pre-Initiating Event caused by a failure on LH busbars - States A&B |
| 18 | { SCI removed } | AAD_DEP | Conditional probability of MFWS & SSS CCF |
| 18 | { SCI removed } | ASG1210POEFR_D-234 | CCF to run EFWS pumps |
| 18 | (not legible) | OP_BLEED_120MN | Operator fails to initiate Bleed t<120mn |
| 18 | 2.28E-03 | OP_MFWS_90MIN | Operator fails to start ARE (Tm<90min) |
| 18 | 2.13E-03 | OP_SBODG2H | Operator fails to start SBO diesels or to close breakers within 2 hours |

SUB-CHAPTER 16.2 SECTION 1 - FIGURE 1 : CONTRIBUTION OF THE PLANT OPERATING STATES TO THE OVERALL CDF

SUB-CHAPTER 16.2 SECTION 1 - FIGURE 2 : CONTRIBUTION OF THE INITIATING EVENTS TO THE OVERALL CDF

Note: The contributions of internal and external hazards to the risk differ slightly between this pie chart and the results presented in Sub-Chapter 16.2 Section 1 Table 1. This is because the sum of the risk results of the individual groups is smaller than the overall risk calculation: the calculation simplifications performed by the PSA software are more conservative for the overall risk calculation than for the per-group calculations.

SUB-CHAPTER 16.2 SECTION 1 - FIGURE 3 : CONTRIBUTION OF THE INITIATING EVENTS TO THE OVERALL FUEL DAMAGE FREQUENCY IN THE SPENT FUEL POOL


More information

SAFETY APPROACHES. The practical elimination approach of accident situations for water-cooled nuclear power reactors

SAFETY APPROACHES. The practical elimination approach of accident situations for water-cooled nuclear power reactors SAFETY APPROACHES The practical elimination approach of accident situations for water-cooled nuclear power reactors 2017 SUMMARY The implementation of the defence in depth principle and current regulations

More information

IAEA SAFETY STANDARDS for protecting people and the environment

IAEA SAFETY STANDARDS for protecting people and the environment IAEA SAFETY STANDARDS for protecting people and the environment DESIGN OF REACTOR CONTAINMENT STRUCTURE AND SYSTEMS FOR NUCLEAR POWER PLANTS DRAFT SAFETY GUIDE DS 482 STATUS: STEP 11 Submission to Review

More information

Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant Design

Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant Design Considerations for the Practical Application of the Safety Requirements for Nuclear Power Plant Design Joint ICTP-IAEA Essential Knowledge Workshop on Deterministic Safety Analysis and Engineering Aspects

More information

A comparative study of FLEX strategies to cope with Extended Station Blackout (SBO)

A comparative study of FLEX strategies to cope with Extended Station Blackout (SBO) A comparative study of FLEX strategies to cope with Extended Station Blackout (SBO) Presented by M. G Shahinoor Islam Master s Student of KINGS October 26 th 2017 KNS Meeting FLEX Objectives 2 page of

More information

IAEA SAFETY STANDARDS for protecting people and the environment

IAEA SAFETY STANDARDS for protecting people and the environment Date: 2016-08-31 IAEA SAFETY STANDARDS for protecting people and the environment STATUS: STEP 8a For Submission to Member States DESIGN OF REACTOR CONTAINMENT STRUCTURE AND SYSTEMS FOR NUCLEAR POWER PLANTS

More information

The Nitrogen Threat. The simple answer to a serious problem. 1. Why nitrogen is a risky threat to our reactors? 2. Current strategies to deal with it.

The Nitrogen Threat. The simple answer to a serious problem. 1. Why nitrogen is a risky threat to our reactors? 2. Current strategies to deal with it. International Conference on Topical Issues in Nuclear Installation Safety: Safety Demonstration of Advanced Water Cooled Nuclear Power Plants. The simple answer to a serious problem Vienna. 6 9 June 2017

More information

Loss of Normal Feedwater Analysis by RELAP5/MOD3.3 in Support to Human Reliability Analysis

Loss of Normal Feedwater Analysis by RELAP5/MOD3.3 in Support to Human Reliability Analysis Loss of Normal Feedwater Analysis by RELAP5/MOD3.3 in Support to Human Reliability Analysis ABSTRACT Andrej Prošek, Borut Mavko Jožef Stefan Institute Jamova cesta 39, SI-1 Ljubljana, Slovenia Andrej.Prosek@ijs.si,

More information

Containment Isolation system analysis and its contribution to level 2 PSA results in Doel 3 unit

Containment Isolation system analysis and its contribution to level 2 PSA results in Doel 3 unit Containment Isolation system analysis and its contribution to level 2 PSA results in Doel 3 unit Marius LONTOS a*, Stanislas MITAILLÉ a, and Shizhen YU a, Jérémy BULLE a TRACTEBEL ENGIE, Brussels, Belgium

More information

ASVAD THE SIMPLE ANSWER TO A SERIOUS PROBLEM. Automatic Safety Valve for Accumulator Depressurization. (p.p.)

ASVAD THE SIMPLE ANSWER TO A SERIOUS PROBLEM. Automatic Safety Valve for Accumulator Depressurization. (p.p.) ASVAD Automatic Safety Valve for Accumulator Depressurization (p.p.) THE SIMPLE ANSWER TO A SERIOUS PROBLEM International Experts Meeting on Strengthening Research and Development Effectiveness in the

More information

NUBIKI Nuclear Safety Research Institute, Budapest, Hungary

NUBIKI Nuclear Safety Research Institute, Budapest, Hungary System Reliability Analysis and Probabilistic Safety Assessment to Support the Design of a New Containment Cooling System for Severe Accident Management at NPP Paks Tamas Siklossy* a, Attila Bareith a,

More information

Preliminary Failure Mode and Effect Analysis for CH HCSB TBM

Preliminary Failure Mode and Effect Analysis for CH HCSB TBM Preliminary Failure Mode and Effect Analysis for CH HCSB TBM Presented by: Chen Zhi Contributors by HCSB TBM Safety Group, in China June 21, 2007 E-mail: chenz@swip.ac.cn Outline Introduction FMEA Main

More information

PRA Methodology Overview

PRA Methodology Overview PRA Methodology Overview 22.39 Elements of Reactor Design, Operations, and Safety Lecture 9 Fall 2006 George E. Apostolakis Massachusetts Institute of Technology Department of Nuclear Science and Engineering

More information

HEALTH AND SAFETY EXECUTIVE HM NUCLEAR INSTALLATIONS INSPECTORATE

HEALTH AND SAFETY EXECUTIVE HM NUCLEAR INSTALLATIONS INSPECTORATE HEALTH AND SAFETY EXECUTIVE HM NUCLEAR INSTALLATIONS INSPECTORATE New Reactor Generic Design Assessment (GDA) - Step 2 Preliminary Review Assessment of: Structural Integrity Aspects of AREVA/EdF EPR HM

More information

-. 30ýv. Entergy ARKANSAS NUCLEAR ONE - UNIT I IMPROVED TECHNICAL SPECIFICATIONS SUBMITTAL. 05/01101 Supplement Volume 2 of 2. (Sections 3.7 and 3.

-. 30ýv. Entergy ARKANSAS NUCLEAR ONE - UNIT I IMPROVED TECHNICAL SPECIFICATIONS SUBMITTAL. 05/01101 Supplement Volume 2 of 2. (Sections 3.7 and 3. ARKANSAS NUCLEAR ONE - UNIT I IMPROVED TECHNICAL SPECIFICATIONS SUBMITTAL -. 30ýv May 1, 2001 05/01101 Supplement Volume 2 of 2 (Sections 3.7 and 3.8) Entergy MSSVs 3.7.1 3.7 PLANT SYSTEMS 3.7.1 Main Steam

More information

Safety and efficiency go hand in hand at MVM Paks NPP

Safety and efficiency go hand in hand at MVM Paks NPP International Forum Atomexpo 2018 Safety and efficiency go hand in hand at MVM Paks NPP József Elter MVM Paks Nuclear Power Plant Ltd. Hungary Start up Four of the VVER-440/V213 unit Power units up-rate

More information

Regulatory requirements with respect to Spent Fuel Pool Cooling

Regulatory requirements with respect to Spent Fuel Pool Cooling Regulatory requirements with respect to Spent Fuel Pool Cooling Dr. Christoph Pistner Annual Meeting on Nuclear Technology Hamburg, 12.05.2016 Important Documents Safety Requirements for Nuclear Power

More information

The «practical elimination» approach for pressurized water reactors

The «practical elimination» approach for pressurized water reactors The «practical elimination» approach for pressurized water reactors V. TIBERI K.HERVIOU International Conference on Topical Issues in Nuclear Installation Safety: Safety Demonstration of Advanced Water

More information

Recent Research on Hazards PSA

Recent Research on Hazards PSA Recent Research on Hazards PSA Marina Röwekamp, Hartmut Holtschmidt, Michael Türschmann Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) ggmbh IEM8 - International Experts Meeting on Strengthening

More information

DESIGN OF REACTOR CONTAINMENT STRUCTURE AND SYSTEMS FOR NUCLEAR POWER PLANTS

DESIGN OF REACTOR CONTAINMENT STRUCTURE AND SYSTEMS FOR NUCLEAR POWER PLANTS SAFETY STANDARDS SERIES No. NS-G-1.10 DESIGN OF REACTOR CONTAINMENT STRUCTURE AND SYSTEMS FOR NUCLEAR POWER PLANTS SAFETY GUIDE DS 482 2016-04-20 INTERNATIONAL ATOMIC ENERGY AGENCY VIENNA, C-41 (May 13)

More information

Nuclear safety Lecture 4. The accident of the TMI-2 (1979)

Nuclear safety Lecture 4. The accident of the TMI-2 (1979) Nuclear safety Lecture 4. The accident of the TMI-2 (1979) Ildikó Boros BME NTI 27 February 2017 The China Syndrome Opening: 16 March 1979 Story: the operator of the Ventana NPP tries to hide the safety

More information

Every things under control High-Integrity Pressure Protection System (HIPPS)

Every things under control High-Integrity Pressure Protection System (HIPPS) Every things under control www.adico.co info@adico.co Table Of Contents 1. Introduction... 2 2. Standards... 3 3. HIPPS vs Emergency Shut Down... 4 4. Safety Requirement Specification... 4 5. Device Integrity

More information

Custom-Engineered Solutions for the Nuclear Power Industry from SOR

Custom-Engineered Solutions for the Nuclear Power Industry from SOR Custom-Engineered Solutions for the Nuclear Power Industry from SOR As the world s aging nuclear power plants continue to be challenged with maintenance and Instrumentation Solutions for the Nuclear Power

More information

UKEPR Issue 05

UKEPR Issue 05 Title: PCSR Sub-chapter 10.5 Integrity of the main steam lines inside and outside the containment Total number of pages: 13 Page No.: I / III Chapter Pilot: M. LACHAISE Name/Initials Date 31-10-2012 Approved

More information

IEM on Severe Accident Management in the light of the accident at the Fukushima Daïchi NPP

IEM on Severe Accident Management in the light of the accident at the Fukushima Daïchi NPP IEM on Severe Accident Management in the light of the accident at the Fukushima Daïchi NPP Progress, challenges and perspectives in the field of design features, as regards SAMG IAEA, March 2014 Introduction

More information

Safety Classification of Structures, Systems and Components in Nuclear Power Plants

Safety Classification of Structures, Systems and Components in Nuclear Power Plants DS367 Draft 5.1 IAEA SAFETY STANDARDS for protecting people and the environment Date: 04/11/2008 Status: for Member States comments Reviewed in NS-SSCS Please submit your comments by 20 March 2009 Safety

More information

STEP 3 INTERNAL HAZARDS ASSESSMENT OF THE EDF and AREVA UK EPR DIVISION 6 ASSESSMENT REPORT NO. AR 09/026-P

STEP 3 INTERNAL HAZARDS ASSESSMENT OF THE EDF and AREVA UK EPR DIVISION 6 ASSESSMENT REPORT NO. AR 09/026-P Health and Safety Executive NUCLEAR DIRECTORATE GENERIC DESIGN ASSESSMENT NEW CIVIL REACTOR BUILD STEP 3 INTERNAL HAZARDS ASSESSMENT OF THE EDF and AREVA UK EPR DIVISION 6 ASSESSMENT REPORT NO. AR 09/026-P

More information

AP1000 European 19. Probabilistic Risk Assessment Design Control Document

AP1000 European 19. Probabilistic Risk Assessment Design Control Document APPENDIX 19E SHUTDOWN EVALUATION 19E.1 Introduction Westinghouse has considered shutdown operations in the design of the A1000 nuclear power plant. The AP1000 defense-in-depth design philosophy to provide

More information

Workshop Information IAEA Workshop

Workshop Information IAEA Workshop IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making Risk Monitoring tools: Requirements of Risk Monitors, relation with the Living PSA, applications of Risk Monitors Lecturer Lesson

More information

Verification and validation of computer codes Exercise

Verification and validation of computer codes Exercise IAEA Safety Assessment Education and Training (SAET) Programme Joint ICTP- IAEA Essential Knowledge Workshop on Deterministic Safety Assessment and Engineering Aspects Important to Safety Verification

More information

DESIGN OF REACTOR CONTAINMENT STRUCTURE AND SYSTEMS FOR NUCLEAR POWER PLANTS

DESIGN OF REACTOR CONTAINMENT STRUCTURE AND SYSTEMS FOR NUCLEAR POWER PLANTS SAFETY STANDARDS SERIES No. NS-G-1.10 DESIGN OF REACTOR CONTAINMENT STRUCTURE AND SYSTEMS FOR NUCLEAR POWER PLANTS SAFETY GUIDE DS 482 2016-04-20 INTERNATIONAL ATOMIC ENERGY AGENCY VIENNA, C-41 (May 13)

More information

DISTRIBUTION LIST. Preliminary Safety Report Chapter 19 Internal Hazards UK HPR1000 GDA. GNS Executive. GNS all staff. GNS and BRB all staff CGN EDF

DISTRIBUTION LIST. Preliminary Safety Report Chapter 19 Internal Hazards UK HPR1000 GDA. GNS Executive. GNS all staff. GNS and BRB all staff CGN EDF Rev: 000 Page: 2 / 20 DISTRIBUTION LIST Recipients GNS Executive GNS all staff Cross Box GNS and BRB all staff CGN EDF Regulators Public Rev: 000 Page: 3 / 20 SENSITIVE INFORMATION RECORD Section Number

More information

RISK-INFORMED OPTIMIZATION OF SURVEILLANCE TEST INTERVALS. Sami Sirén 1, Kalle Jänkälä 2

RISK-INFORMED OPTIMIZATION OF SURVEILLANCE TEST INTERVALS. Sami Sirén 1, Kalle Jänkälä 2 RISK-INFORMED OPIMIZION OF SURVEILLNCE ES INERVLS Sami Sirén 1, Kalle Jänkälä 2 1 Fortum Power and Heat Oy, P.O. Box 100, 00048 FORUM, Finland, sami.siren@fortum.com 2 Fortum Power and Heat Oy, P.O. Box

More information

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions SIL SM.018 Rev 1 FP15 Interface Valve Compiled By : G. Elliott, Date: 30/10/2017 FP15/L1 FP15/H1 Contents Terminology Definitions......3 Acronyms & Abbreviations...4 1. Introduction...5 1.1 Scope.. 5 1.2

More information

Level 2 PSA for the VVER 440/213 Dukovany Nuclear Power Plant

Level 2 PSA for the VVER 440/213 Dukovany Nuclear Power Plant Nuclear Nuclear Research Research Institute Řež plc Institute Řež plc Level 2 PSA for the VVER 440/213 Dukovany Nuclear Power Plant Jiří Dienstbier, Stanislav Husťák OECD International Workshop on Level-2

More information

Solenoid Valves used in Safety Instrumented Systems

Solenoid Valves used in Safety Instrumented Systems I&M V9629R1 Solenoid Valves used in Safety Instrumented Systems Operating Manual in accordance with IEC 61508 ASCO Valves Page 1 of 7 Table of Contents 1 Introduction...3 1.1 Terms and Abbreviations...3

More information

Review and Assessment of Engineering Factors

Review and Assessment of Engineering Factors Review and Assessment of Engineering Factors 2013 Learning Objectives After going through this presentation the participants are expected to be familiar with: Engineering factors as follows; Defense in

More information

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT SYDNEY TRAINS SAFETY MANAGEMENT SYSTEM OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT Purpose Scope Process flow This operating procedure supports SMS-07-SP-3067 Manage Safety Change and establishes the

More information

NE 405/505 Exam 2 Spring 2015

NE 405/505 Exam 2 Spring 2015 NE 405/505 Exam 2 Spring 2015 (80%) 1) A PWR with UTSGs is operating at 100% power, BOC, with control rods all out in automatic control when a failure in the speed pump controller results in all feed pumps

More information

TEPCO s Safety Assurance Philosophy on Nuclear Power Generation Plants

TEPCO s Safety Assurance Philosophy on Nuclear Power Generation Plants TEPCO s Safety Assurance Philosophy on Nuclear Power Generation Plants January 25, 2013 Tokyo Electric Power Company, Inc. This English translation has been prepared with the intention of creating an accurate

More information

Severe Accident Management Programmes for Nuclear Power Plants

Severe Accident Management Programmes for Nuclear Power Plants DS 483: Mode 2 27 March 2017 IAEA SAFETY STANDARDS for protecting people and the environment STEP 11: Approval by the relevant review Committees Reviewed in NSOC (Asfaw) Severe Accident Management Programmes

More information

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions SIL SM.015 Rev 0 Eutectic Plug Valve Compiled By : G. Elliott, Date: 19/10/2016 Contents Terminology Definitions......3 Acronyms & Abbreviations...4 1. Introduction..5 1.1 Scope 5 1.2 Relevant Standards

More information

DeZURIK. KSV Knife Gate Valve. Safety Manual

DeZURIK. KSV Knife Gate Valve. Safety Manual KSV Knife Gate Valve Safety Manual Manual D11035 August 29, 2014 Table of Contents 1 Introduction... 3 1.1 Terms... 3 1.2 Abbreviations... 4 1.3 Product Support... 4 1.4 Related Literature... 4 1.5 Reference

More information

SHUTDOWN SYSTEMS: SDS1 AND SDS2

SHUTDOWN SYSTEMS: SDS1 AND SDS2 Chapter 12 SHUTDOWN SYSTEMS: SDS1 AND SDS2 12.1 INTRODUCTION Up to this point we have looked with great details at the reactor regulating system. In order to better understand the overall design of a CANDU

More information

Extensive Damage Mitigation Guidelines (EDMG)

Extensive Damage Mitigation Guidelines (EDMG) Extensive Damage Mitigation Guidelines (EDMG) Roy Harter RLH Global Services Regional Workshop on Sharing Best Practices in Development and Implementation of Severe Accident Management Guidelines October

More information

Complementarity between Safety and Physical Protection in the Protection against Acts of Sabotage of Nuclear Facilities

Complementarity between Safety and Physical Protection in the Protection against Acts of Sabotage of Nuclear Facilities Complementarity between Safety and Physical Protection in the Protection against Acts of Sabotage of Nuclear Facilities Robert Venot Institut de Radioprotection et de Sûreté Nucléaire 77-83, avenue du

More information

ACCIDENT MANAGEMENT AND EPR AT DUKOVANY NPP

ACCIDENT MANAGEMENT AND EPR AT DUKOVANY NPP ACCIDENT MANAGEMENT AND EPR AT DUKOVANY NPP 27-29 September 2017 Vienna IAEA Miroslav Trnka OVERVIEW General EOPs and SAMGs (changes) DAM (FLEX) EDMG Equipment (new + ongoing projects) Staff (drills and

More information

(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis A2. Hazard Analysis In the following: Presentation of analytical techniques for identifyin hazards. Non-formal, but systematic methods. Tool support for all those techniques exist. Techniques developed

More information

SENSITIVITY ANALYSIS OF THE FIRST CIRCUIT OF COLD CHANNEL PIPELINE RUPTURE SIZE FOR WWER 440/270 REACTOR

SENSITIVITY ANALYSIS OF THE FIRST CIRCUIT OF COLD CHANNEL PIPELINE RUPTURE SIZE FOR WWER 440/270 REACTOR PROCEEDINGS OF THE YEREVAN STATE UNIVERSITY Physical and Mathematical Sciences 216, 2, p. 57 62 P h y s i c s SENSITIVITY ANALYSIS OF THE FIRST CIRCUIT OF COLD CHANNEL PIPELINE RUPTURE SIZE FOR WWER 44/27

More information

SPR - Pneumatic Spool Valve

SPR - Pneumatic Spool Valve SIL SM.008 Rev 7 SPR - Pneumatic Spool Valve Compiled By : G. Elliott, Date: 31/08/17 Contents Terminology Definitions:... 3 Acronyms & Abbreviations:... 4 1.0 Introduction... 5 1.1 Purpose & Scope...

More information

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions SIL SM.0010 1 Pneumatic QEV Compiled By : G. Elliott, Date: 8/19/2015 Contents Terminology Definitions......3 Acronyms & Abbreviations..4 1. Introduction 5 1.1 Scope 5 1.2 Relevant Standards 5 1.3 Other

More information

REDUNDANT PROPULSION SHIPS RULES FOR CLASSIFICATION OF NEWBUILDINGS DET NORSKE VERITAS SPECIAL EQUIPMENT AND SYSTEMS ADDITIONAL CLASS PART 6 CHAPTER 2

REDUNDANT PROPULSION SHIPS RULES FOR CLASSIFICATION OF NEWBUILDINGS DET NORSKE VERITAS SPECIAL EQUIPMENT AND SYSTEMS ADDITIONAL CLASS PART 6 CHAPTER 2 RULES FOR CLASSIFICATION OF SHIPS NEWBUILDINGS SPECIAL EQUIPMENT AND SYSTEMS ADDITIONAL CLASS PART 6 CHAPTER 2 REDUNDANT PROPULSION JANUARY 1996 CONTENTS PAGE Sec. 1 General Requirements... 5 Sec. 2 System

More information

TIGHTNESS. Glass sealing Thanks to our glass-sealing technology, ODU products can meet the most demanding tightness requirements.

TIGHTNESS. Glass sealing Thanks to our glass-sealing technology, ODU products can meet the most demanding tightness requirements. TIGHTNESS Glass sealing Thanks to our glass-sealing technology, ODU products can meet the most demanding tightness requirements. ODU has the necessary expertise for developing and manufacturing connectors

More information

EMERGENCY CORE COOLING SYSTEM SIMPLIFICATION

EMERGENCY CORE COOLING SYSTEM SIMPLIFICATION EMERGENCY CORE COOLING SYSTEM SIMPLIFICATION XA9846601 R.S. HART Sheridan Park Research Community, Atomic Energy of Canada Ltd, Mississauga, Ontario D.B. RHODES Chalk River Laboratories, Atomic Energy

More information

A c o n c e p t u a l c o m p a r a t i v e s t u d y o f F L E X s t r a t e g i e s t o c o p e w i t h e x t e n d e d S B O.

A c o n c e p t u a l c o m p a r a t i v e s t u d y o f F L E X s t r a t e g i e s t o c o p e w i t h e x t e n d e d S B O. A c o n c e p t u a l c o m p a r a t i v e s t u d y o f F L E X s t r a t e g i e s t o c o p e w i t h e x t e n d e d S B O Hak Kyu Lim KEPCO International Nuclear Graduate School (KINGS) Probabilistic

More information

Master Control Systems, Inc. Variable Speed Fire Pump Controllers

Master Control Systems, Inc. Variable Speed Fire Pump Controllers Master Control Systems, Inc. Variable Speed Fire Pump Controllers Meets NFPA 20-2019 UL/FM Listed and Approved for fire protections * Pressure Limiting Control * Suction Limiting Control Why Variable Speed?

More information

Workshop Information IAEA Workshop

Workshop Information IAEA Workshop IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making Safety Assessment of General Design Aspects of NPPs (Part 2) Lecturer Lesson Lesson III III 1_2 1_2 Workshop Information IAEA

More information

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance Mary Ann Lundteigen and Marvin Rausand mary.a.lundteigen@ntnu.no RAMS Group Department of Production and Quality Engineering NTNU

More information

Bespoke Hydraulic Manifold Assembly

Bespoke Hydraulic Manifold Assembly SIL SM.0003 1 Bespoke Hydraulic Manifold Assembly Compiled By : G. Elliott, Date: 12/17/2015 Contents Terminology Definitions......3 Acronyms & Abbreviations..4 1. Introduction 5 1.1 Scope 5 1.2 Relevant

More information

QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS

QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS Steve Sherwen Senior Consultant, ABB Engineering Services, Daresbury Park,

More information

Hydraulic (Subsea) Shuttle Valves

Hydraulic (Subsea) Shuttle Valves SIL SM.009 0 Hydraulic (Subsea) Shuttle Valves Compiled By : G. Elliott, Date: 11/3/2014 Contents Terminology Definitions......3 Acronyms & Abbreviations..4 1. Introduction 5 1.1 Scope 5 1.2 Relevant Standards

More information

Master Control Systems, Inc. Variable Speed Fire Pump Controllers

Master Control Systems, Inc. Variable Speed Fire Pump Controllers Master Control Systems, Inc. Variable Speed Fire Pump Controllers Meets NFPA 20-2013 UL/FM Listed and Approved for fire protections 1 Why Variable Speed? Huge Sprinkler System and Standpipe Cost Savings

More information

Assessing Combinations of Hazards in a Probabilistic Safety Analysis

Assessing Combinations of Hazards in a Probabilistic Safety Analysis Assessing Combinations of Hazards in a Probabilistic Safety Analysis Halbert Taekema a, and Hans Brinkman a a NRG, Arnhem, The Netherlands Abstract: Guidance on how to systematically address combination

More information

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company TRI LOK TRI LOK TRIPLE OFFSET BUTTERFLY VALVE SAFETY MANUAL The High Performance Company Table of Contents 1.0 Introduction...1 1.1 Terms and Abbreviations... 1 1.2 Acronyms... 1 1.3 Product Support...

More information

Solenoid Valves For Gas Service FP02G & FP05G

Solenoid Valves For Gas Service FP02G & FP05G SIL Safety Manual SM.0002 Rev 02 Solenoid Valves For Gas Service FP02G & FP05G Compiled By : G. Elliott, Date: 31/10/2017 Reviewed By : Peter Kyrycz Date: 31/10/2017 Contents Terminology Definitions......3

More information

IAEA Training in Level 2 PSA MODULE 8: Coupling Source Terms to Probabilistic Event Analysis (CET end-state binning)

IAEA Training in Level 2 PSA MODULE 8: Coupling Source Terms to Probabilistic Event Analysis (CET end-state binning) IAEA Training in Level 2 PSA MODULE 8: Coupling Source Terms to Probabilistic Event Analysis (CET end-state binning) The Problem A probabilistic treatment of severe accident progression leads to numerous

More information

ASCE D Wind Loading

ASCE D Wind Loading ASCE 7-10 3D Wind Loading 1 All information in this document is subject to modification without prior notice. No part or this manual may be reproduced, stored in a database or retrieval system or published,

More information

USE OF THE EXCEEDANCE CURVE APPROACH IN OCCUPIED BUILDING RISK ASSESSMENT

USE OF THE EXCEEDANCE CURVE APPROACH IN OCCUPIED BUILDING RISK ASSESSMENT USE OF THE EXCEEDANCE CURVE APPROACH IN OCCUPIED BUILDING RISK ASSESSMENT Kieran J Glynn, Advisor Major Accident Risk, BP, UK The exceedance curve approach was developed following the issue of the 2003

More information

Nordel GRID DISTURBANCE AND FAULT STATISTICS

Nordel GRID DISTURBANCE AND FAULT STATISTICS Nordel GRID DISTURBANCE AND FAULT STATISTICS Table contents Table contents Page 1 Introduction... 3 1.1 Contact persons... 4 1.2 Guidelines the statistics... 4 1.3 Voltage levels in the Nordel network...

More information

REGULATORY OBSERVATION

REGULATORY OBSERVATION RO unique no.: REGULATORY OBSERVATION REGULATOR TO COMPLETE RO-ABWR-0046 Date sent: 20 th April 2015 Acknowledgement required by: 08 th May 2015 Agreement of Resolution Plan required by: 14 th May 2015

More information

Effects of Delayed RCP Trip during SBLOCA in PWR

Effects of Delayed RCP Trip during SBLOCA in PWR Effects of Delayed RCP Trip during SBLOCA in PWR Javier Montero Technical University of Madrid, Alenza 4, 28003, Madrid, Spain fj.montero@alumnos.upm.es Cesar Queral, Juan Gonzalez-Cadelo cesar.queral@upm.es,

More information

Assessment of Internal Hazards

Assessment of Internal Hazards Joint ICTP- Essential Knowledge Workshop on Deterministic Safety Analysis and Engineering Aspects Important to Safety Trieste, 12-23 October 2015 Assessment of Internal Hazards Javier Yllera Department

More information

Ranking of safety issues for

Ranking of safety issues for IAEA-TECDOC-640 Ranking of safety issues for WWER-440 model RANKING OF SAFETY ISSUES FOR WWER-440 MODEL PLEASE BE AWARE THAT ALL OF THE MISSING PAGES IN THIS DOCUMENT WERE ORIGINALLY BLANK RANKING OF SAFETY

More information

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual Double Block & Bleed (DBB) Knife Gate Valve Safety Manual Manual D11044 September, 2015 Table of Contents 1 Introduction... 3 1.1 Terms... 3 1.2 Abbreviations... 4 1.3 Product Support... 4 1.4 Related

More information

Classical Event Tree Analysis and Dynamic Event Tree Analysis for High Pressure Core Melt Accidents in a German PWR

Classical Event Tree Analysis and Dynamic Event Tree Analysis for High Pressure Core Melt Accidents in a German PWR OECD International Workshop on Level 2 PSA and Severe Accident Management Koeln, Germany, March 29-31, 2004 Classical Event Tree Analysis and Dynamic Event Tree Analysis for High Pressure Core Melt Accidents

More information

PI MODERN RELIABILITY TECHNIQUES OBJECTIVES. 5.1 Describe each of the following reliability assessment techniques by:
