LD-88-015, Nonproprietary Base Line Level 1 PRA for Sys 80R NSSS Design

Nonproprietary Base Line Level 1 PRA for Sys 80R NSSS Design
ML20149M706
Person / Time
Site: 05000470
Issue date: 01/31/1988
From:
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To:
Shared Package
ML19341D978 List:
References
LD-88-015, LD-88-15, NUDOCS 8802260246
Download: ML20149M706 (536)


Text

Enclosure (2) to LD-88-015

BASE LINE LEVEL 1 PROBABILISTIC RISK ASSESSMENT FOR THE SYSTEM 80® NSSS DESIGN

PREPARED FOR THE U.S. DEPARTMENT OF ENERGY DESIGN VERIFICATION PROGRAM

JANUARY 1988

BASE LINE LEVEL 1 PROBABILISTIC RISK ASSESSMENT FOR THE SYSTEM 80® NSSS DESIGN

PREPARED BY Nuclear Power Systems Division, Combustion Engineering, Inc., 1000 Prospect Hill Road, Windsor, Connecticut 06095

PRINCIPAL INVESTIGATORS: D. J. Finnicum, R. A. Weston, S. C. Vickrey

PREPARED FOR The U.S. Department of Energy Design Verification Program

January 1988

1339/(83G5)/ mas-2 e

TABLE OF CONTENTS

Section Title

TABLE OF CONTENTS
LIST OF ACRONYMS
LIST OF FIGURES
LIST OF TABLES

1.0 INTRODUCTION
    1.1 Background
    1.2 Purpose
    1.3 Scope

2.0 METHODOLOGY
    2.1 Plant Familiarization
    2.2 Accident Sequence Definition
    2.3 System Modeling
    2.4 Data Assessment
    2.5 Accident Sequence Quantification
    2.6 Specific Analysis Ground Rules
    2.7 Description of Computer Codes

3.0 INITIATING EVENT EVALUATION
    3.1 Master Logic Diagram Development
    3.2 Selection of Initiating Events

4.0 ACCIDENT SEQUENCE DETERMINATION
    4.1 Large LOCA
    4.2 Medium LOCA
    4.3 Small LOCA
    4.4 Steam Generator Tube Rupture
    4.5 Large Secondary Side Breaks
    4.6 Transients
    4.7 Loss of Offsite Power and Station Blackout
    4.8 Anticipated Transients without Scram
    4.9 Interfacing Systems LOCA
    4.10 Vessel Rupture
    4.11 Boron Dilution

5.0 SYSTEMS ANALYSIS
    5.1 General Plant Description
    5.2 System Dependencies and Commonalities
    5.3 System Descriptions
        5.3.1 Emergency Feedwater System
        5.3.2 High Pressure Safety Injection System
        5.3.3 Low Pressure Safety Injection System
        5.3.4 Main Steam Line Isolation System
        5.3.5 SG Blowdown System
        5.3.6 Shutdown Cooling System
        5.3.7 Turbine Bypass System
        5.3.8 ADVs
        5.3.9 MSSVs
        5.3.10 Containment Heat Removal System
        5.3.11 Containment Isolation System
        5.3.12 Containment Spray System
        5.3.13 Essential Spray Pond System
        5.3.14 Iodine Removal System
        5.3.15 Ultimate Heat Sink
        5.3.16 Engineered Safety Feature Actuation System
        5.3.17 Reactor Protection System
        5.3.18 Chemical Volume and Control System
        5.3.19 Essential Cooling Water System
        5.3.20 Heating, Ventilation and Cooling Systems
        5.3.21 Instrument Air System
        5.3.22 Nuclear Cooling Water System
        5.3.23 Electrical Distribution System
        5.3.24 Diesel Generators
        5.3.25 Alternate Secondary Heat Capability

6.0 DATA ANALYSIS
    6.1 Initiating Event Frequencies
    6.2 Special Event Tree Element Quantification
    6.3 Human Reliability Quantification
    6.4 Component Failure Rates

7.0 ACCIDENT SEQUENCE ANALYSIS
    7.1 System Unavailability Analysis
    7.2 Accident Sequence Quantification

8.0 RESULTS
    8.1 Summary of Results
    8.2 Insights

9.0 REFERENCES

LIST OF ACRONYMS

ADV  Atmospheric Dump Valve
ADS  Atmospheric Dump System
AFW  Auxiliary Feedwater
AFWS  Auxiliary Feedwater System
ALWR  Advanced Light Water Reactor
AO  Auxiliary Operator
AOO  Anticipated Operational Occurrence
ARO  All Rods Out
ATWS  Anticipated Transient Without SCRAM
BOP  Balance-of-Plant
BPS  Blowdown Processing System
CCAS  Containment Cooling Actuation System
CCW  Component Cooling Water
CCWS  Component Cooling Water System
CEA  Control Element Assembly
CEDM  Control Element Drive Mechanism
CEOG  Combustion Engineering Owners Group
CIAS  Containment Isolation Actuation Signal
CPC  Core Protection Calculator
CSAS  Containment Spray Actuation Signal
CS  Containment Spray
CSS  Containment Spray System
CST  Condensate Storage Tank
CVCS  Chemical and Volume Control System
DG  Diesel Generator
DOE  Department of Energy
ECCS  Emergency Core Cooling System
EDS  Electrical Distribution System
EFAS  Emergency Feedwater Actuation System
EFW  Emergency Feedwater
EFWS  Emergency Feedwater System
EPRI  Electric Power Research Institute
ESF  Engineering Safety Features
ESFAS  Engineering Safety Features Actuation Signal
FSAR  Final Safety Analysis Report
FWCS  Feedwater Control System
gpm  Gallons Per Minute
HEP  Human Error Probability
HP  High Pressure
HPSI  High Pressure Safety Injection
HX  Heat Exchanger
IDCOR  Industry Degraded Core Rulemaking Program
IPE  Individual Plant Evaluation
IREP  Interim Reliability Evaluation Program
LOCA  Loss of Coolant Accident
LOHS  Loss of Secondary Heat Sink
LOOP  Loss of Offsite Power
MCC  Motor Control Center
MFIV  Main Feedwater Isolation Valve
MFW  Main Feedwater System
MLD  Master Logic Diagram
MSIS  Main Steam Isolation Signal
MSIV  Main Steam Isolation Valve
MSSV  Main Steam Safety Valve
NRC  Nuclear Regulatory Commission
NREP  National Reliability Evaluation Program
NSSS  Nuclear Steam Supply System
PLCS  Pressurizer Level Control System
PORV  Power Operated Relief Valve
PPCS  Pressurizer Pressure Control System
PPS  Plant Protection System
PRA  Probabilistic Risk Assessment
PSA  Probabilistic Safety Analysis
PSV  Primary Safety Valve
PTS  Pressurized Thermal Shock
PNGS  Palo Verde Nuclear Generating Station
RAS  Recirculation Actuation Signal
RCP  Reactor Coolant Pump
RCS  Reactor Coolant System
RO  Reactor Operator
RPS  Reactor Protection System
RWST  Refueling Water Storage Tank
RWT  Refueling Water Tank
SBCS  Steam Bypass Control System
SBLOCA  Small Break Loss of Coolant Accident
SCS  Shutdown Cooling System
SG  Steam Generator
SGTR  Steam Generator Tube Rupture
SIAS  Safety Injection Actuation Signal
SPS  Supplementary Protection System
SRO  Senior Reactor Operator
STA  Shift Technical Advisor
TBV  Turbine Bypass Valve
TBS  Turbine Bypass System
TCV  Turbine Control Valve
TT  Turbine Trip
T_HOT  Reactor Coolant System Hot Leg Temperature
VCT  Volume Control Tank
WNP-3  Washington Nuclear Project Unit 3
WSES  Waterford Steam Electric Station
A_CD  Core Damage Frequency

LIST OF FIGURES

Figure  Title

2.0-1  Major PRA Tasks
2.3-1  Fault Tree Symbology
2.3-2  Sample Safety System Fault Tree with Simplified Common Cause/Common Element Support System Model
3.1-1  Master Logic Diagram
4.1-1  Event Tree 1 - Large LOCA
4.2-1  Event Tree 2 - Medium LOCA
4.3-1  Event Tree 3 - Small LOCA
4.4-1  Event Tree 4 - Steam Generator Tube Rupture
4.5-1  Event Tree 5 - Large Secondary Side Breaks
4.6-1  Event Tree 6 - Transients
4.7-1  Event Tree 7 - Loss of Offsite Power
4.7-2  Event Tree 8 - Station Blackout
4.8-1  Event Tree 9 - Anticipated Transients Without Scram
4.9-1  Simplified Diagram of Safety Injection and Shutdown Cooling Piping
5.2-1  System 80 System Dependency and Commonality Matrix Guide
5.2-2  System 80 System Dependency and Commonality Matrix
5.3.1-1  Emergency Feedwater System
5.3.2-1  High Pressure Safety Injection System (Injection Mode)
5.3.2-2  High Pressure Safety Injection System (Recirculation Mode)
5.3.3-1  Low Pressure Safety Injection System (Injection Mode)
5.3.4-1  Main Steam Isolation System
5.3.5-1  Steam Generator Blowdown System
5.3.6-1  Shutdown Cooling System
5.3.7-1  Turbine Bypass System
5.3.7-2  Schematic of a Typical Turbine Bypass Valve
5.3.8-1  Atmospheric Dump System on Steam Generator 1
5.3.8-2  Atmospheric Dump System on Steam Generator 2
5.3.9-1  Main Steam Safety Valve
5.3.10-1  Containment Cooling System
5.3.12-1  Containment Spray System
5.3.13-1  Essential Spray Pond System
5.3.18-1  Chemical and Volume Control System
5.3.19-1  Essential Cooling Water System
5.3.20-1  Essential Heating, Ventilation, and Air Conditioning System for ESF Pump Room
5.3.20-2  A Typical Train of Essential Heating, Ventilation, and Air Conditioning System for Battery Room
5.3.21-1  Instrument Air System
5.3.22-1  Nuclear Cooling Water System
5.3.23-1  One-Line Schematic of AC Power System
5.3.23-2  One-Line Schematic of DC Power System
5.3.25-1  Alternate Secondary Capability Condensate Pump Alignment

LIST OF TABLES

Table  Title

3.2-1  General PWR Transient Categories
3.2-2  Zion Unit 2 and 2 Initiating Event Categories
3.2-3  Potential Initiating Events from Oconee PRA
3.2-4  Grouped EPRI NP-2230 Transient Events Causing Reactor Shutdown at Calvert Cliffs Units 1
3.2-5  Events Analyzed in CESSAR-F
3.2-6  Initial List of Initiating Events for Analysis
3.2-7  Final List of Initiating Events
6.1-1  Generic Frequencies for PWR Transient Initiators
6.1-2  Initiating Event Occurrence Frequencies
6.2-1  PWR Rod Demands, 1/61 through 11/86
6.2-2  Special Event Tree Element Probabilities
6.3-1  Human Error Probabilities
6.3-2  Operator Recovery Actions
6.4.1-1  Maintenance Unavailabilities
6.4.2.2-1  Common Cause Failure Rates for Valves
6.4.2.5-1  Common Cause Failure Rates for Components with Assumed Beta-Factors
6.4.2.6-1  Common Cause Failure Component Codes
6.4.3-1  Generic Component Failure Rates
6.4.3-2  Independent Component Failure Rates
6.4.4.2-1  Cooling Water Developed Event Unavailabilities
6.4.4.3-1  Instrument Air Developed Event Unavailabilities
7.1.2-1  LPSI System Unavailability Parameters
7.1.2-2  Dominant Cutset Groups for Failure of LPSI Injection
7.1.2-3  Dominant Cutset Groups for Failure of LPSI Recirculation
7.1.3-1  HPSI System Unavailability Parameters
7.1.3-2  Dominant Cutset Groups for Failure of HPSI Injection - 2 of 3 Lines
7.1.3-3  Dominant Cutset Groups for Failure of HPSI Injection - 3 of 4 Lines
7.1.3-4  Dominant Cutset Groups for Failure of HPSI Injection - 4 of 4 Lines
7.1.3-5  Dominant Cutset Groups for Failure of HPSI Recirculation
7.1.3-6  Dominant Cutset Groups for Hot and Cold Leg Injection
7.1.3-7  Dominant Cutset Groups for High Pressure Injection for ATWS
7.1.4-1  Containment Spray System Unavailability Parameters
7.1.4-2  Dominant Cutset Groups for Containment Spray Recirculation Cooling
7.1.4-3  Dominant Cutset Groups for Containment Spray Recirculation Cooling Given HPSI Recirculation Successful
7.1.5-1  Shutdown Cooling System Unavailability Parameters
7.1.5-2  Dominant Cutset Groups for Failure to Establish Shutdown Cooling
7.1.6-1  Unavailability Parameters for Auxiliary Feedwater System
7.1.6-2  Dominant Cutset Groups for Failure to Deliver AFW to 1 of 2 Generators
7.1.6-3  Dominant Cutset Groups for Failure to Deliver AFW to Intact Generator
7.1.6-4  Dominant Cutset Groups for Failure to Deliver AFW to 1 of 2 Generators Given SBO
7.1.7-1  Unavailability Parameters for Turbine Bypass Valves
7.1.7-2  Dominant Cutset Groups for Failure of Turbine Bypass Valves: Transients
7.1.7-3  Dominant Cutset Groups for Failure of Turbine Bypass Valves: Non-Transients
7.1.8-1  Unavailability Parameters for the Atmospheric Dump Valves
7.1.8-2  Dominant Cutset Groups for Failure of Atmospheric Dump Valves - 4 of 4
7.1.8-3  Dominant Cutset Groups for Failure for Atmospheric Dump Valves - 2 of 2
7.1.9-1  Unavailability Parameters for Alternate Secondary Heat Removal
7.1.9-2  Dominant Cutset Groups for Alternate Secondary Heat Removal
7.1.10-1  Dominant Cutset Groups for Failure of RCS Pressure Control
7.1.11-1  Dominant Cutset Groups for Unisolable Leak in Bad Generator
7.1.13-1  Unavailability Parameters for Maintain Secondary Heat Removal
7.2-1  Core Damage Frequency Contributions for Large LOCA Core Damage Sequences
7.2-2  Core Damage Frequency Contributions for Medium LOCA Core Damage Sequences
7.2-3  Core Damage Frequency Contributions for Small LOCA Core Damage Sequences
7.2-4  Core Damage Frequency Contributions for Steam Generator Tube Rupture Core Damage Sequences
7.2-5  Core Damage Frequency Contributions for Large Secondary Side Break Core Damage Sequences
7.2-6  Core Damage Frequency Contributions for Transient Core Damage Sequences
7.2-7  Core Damage Frequency Contributions for Loss of Offsite Power Core Damage Sequences
7.2-8  Core Damage Frequency Contributions for Station Blackout Core Damage Sequences
7.2-9  Core Damage Frequency Contributions for ATWS Core Damage Sequences
8.1-1  Core Damage Frequency Contributions by Initiating Event
8.1-2  Core Damage Frequency Contributions for Dominant Accident Sequences

1.0 INTRODUCTION

1.1 BACKGROUND

The U.S. Department of Energy (DOE), the U.S. Nuclear Regulatory Commission (NRC), the Electric Power Research Institute (EPRI), and the electric utility industry are all working toward the development of advanced light water reactors (ALWRs) for the 1990's and the stabilization of the regulatory process. The major areas of activity are the implementation of the NRC Severe Accident Policy Statement (August 1985) (1), development of the Standardization Policy, and the development and certification of standardized ALWR designs.

The DOE ALWR Design Verification Program is addressing the Severe Accident Policy Statement for an actual standardized design (System 80®). System 80 design documentation will be submitted for review and certification by the NRC, thus setting a precedent for policies and procedures on future nuclear plant design certifications.

1.2 PURPOSE

One of the requirements of the NRC's Severe Accident Policy (1,2) is that a Probabilistic Risk Assessment (PRA) must be performed for all future plants. To address these requirements a System 80 PRA is being performed as part of the DOE ALWR Design Verification Program.

The System 80+ PRA, being performed as part of the DOE ALWR Design Verification Program, has three purposes. The first purpose is simply to comply with the NRC Severe Accident Policy (1,2). The second purpose is to provide a tool for evaluating the impact of design modifications, associated with EPRI ALWR Design Requirements, on core damage probability and public risk. The final purpose is to estimate the core damage frequency and large release frequency and compare them to goals that have been established by the NRC and by the industry.

This PRA is being performed in two phases. In the first phase, Event Trees and Fault Tree Models were developed for the current System 80 design. These models were used to establish a baseline core damage frequency for the current System 80 design and to determine the dominant core damage contributors for System 80. The second phase will be an interactive process in which these models will be modified to reflect proposed system design changes. The models will then be reevaluated to determine the impact of the design changes on core damage frequency and dominant core damage contributors. These impacts will be reviewed and additional design changes will be considered as appropriate to achieve the risk reduction requirements.

The purpose of this report is to document the results of the baseline core damage frequency evaluation of the current System 80 design and to describe the methodology and data used to derive these results.

1.3 SCOPE

The baseline System 80 core damage frequency calculation performed for the DOE ALWR Design Verification Program is a Level 1 PRA for the System 80 Nuclear Steam Supply System (NSSS) scope as described in CESSAR-F (4). This PRA includes the identification and quantification of accident sequences attributable to internal initiators which lead to core damage. Evaluation of containment failure processes is not included because the containment design is not within current System 80 scope. External event analysis is not included because this evaluation requires detailed information on plant siting and plant layout, both of which are outside of the NSSS scope and are unavailable. While the Balance of Plant (BOP) systems are outside of the System 80 NSSS scope, information on certain BOP systems was required in order to evaluate the performance of the NSSS systems. Where such information was required, functional system designs which met CESSAR-F (4) interface requirements and were consistent with support system configurations used in recent vintage C-E plants (7,8,9,10) were used in the analyses.

2.0 METHODOLOGY

As stated in Sections 1.2 and 1.3, the objectives of this analysis are to calculate a baseline core damage frequency for a generic System 80 plant, to determine the dominant core damage contributors and to assess potential areas for design improvement in the System 80+. This analysis is equivalent to the baseline Probabilistic Safety Analysis (PSA) described in the PSA Procedures Guide (5), and the methodologies employed in this analysis are consistent, within the scope and intent of this analysis, with methodologies outlined in the PSA Procedures Guide (5) and methodologies described in the PRA Procedures Guide (6). This analysis basically used the small event tree/large fault tree approach. Figure 2.0-1 shows the major tasks in this analysis. The following sections describe each of these tasks and associated methodology in greater detail.

2.1 PLANT FAMILIARIZATION

The first major task in this analysis was plant familiarization. The objective of this task is to collect the information necessary for identification of appropriate initiating events, determination of the success criteria for the systems required to prevent or mitigate the transients and accidents (the front line systems) and to identify the dependence between the front line systems and the support systems which are required for proper functioning of the front line systems. This task was primarily an information gathering task.

[Figure 2.0-1: Major PRA Tasks]

The information collected in this task included design information, operational information and information on plant responses to transients. CESSAR-F (4) was used to provide information on the design of systems within the basic NSSS scope and interface requirements for the support systems. Where additional design detail was needed for support systems, typical system designs were generated based on support system designs described in the FSARs of recent vintage C-E plants with similar NSSS designs (7,8,9,10). Chapter 5 of this document contains the appropriate system descriptions as well as an evaluation of the system commonalities and dependencies.

Chapter 15 of CESSAR-F (4) provided the basic information on plant responses to accidents and transients. This information was supplemented with discussions with safety analysts and licensed operators in C-E's Training Department and with information contained in the report, "Depressurization and Decay Heat Removal - Response to NRC Questions" (11) and its associated supplements pertinent to System 80 plants (12,13). Several transients were also run using CEPAC (14), a C-E personal computer based PWR simulator, to get a better understanding of the plant's physical response to transients.

Operator actions during plant transients were evaluated and established based on C-E's Emergency Procedure Guideline (15) and discussions with licensed operators in C-E's Training Department and at Arizona Nuclear Power Project.

Surveillance requirements and operability definitions were derived from C-E's Standard Technical Specifications (16) and, where more specific detail was needed, from the Palo Verde Technical Specifications (17). Maintenance information, where needed, was based on common industry practices.

The Reactor Safety Study (18), several other published PRA studies (19,20,21,22,23), and the IDCOR IPE Procedures Guide (24) were also reviewed as part of the plant familiarization task. The objective of these reviews was to provide a broad overview of areas to be addressed in this analysis and to identify potential problem areas.

2.2 ACCIDENT SEQUENCE DEFINITION

The second major task in this analysis was the accident sequence definition. The objective of this task was to qualitatively identify those accident sequences which lead to core melt/core damage. This was accomplished using event tree analysis. Event tree analysis involves defining a set of initiating events and constructing a set of system event trees which relate plant system responses to each defined initiating event. Each system event tree represents a distinct set of system accident sequences, each of which consists of an initiating event and a combination of various system successes and failures that lead to an identifiable plant state. Procedures for developing system event trees are described in detail in the PRA Procedures Guide (6).

For this analysis, the small event tree/large fault tree approach was used. In this approach, only the front line systems, which respond to mitigate an accident or transient, are addressed on the event tree. The impact of the support systems is addressed within the fault tree models for the front line systems.

The first step in defining the accident sequences was to select the initial set of initiating events to be addressed in the analysis. (Note: initial selection of initiating events is considered to be part of the plant familiarization task in the PSA Procedures Guide (5).) A Master Logic Diagram (MLD) was constructed to guide the selection and grouping of the initiating events. An MLD is essentially a top level fault tree in which the general conditions which could lead to the top level event are deductively determined.

For this analysis, the top event on the MLD was defined to be "offsite release" even though the scope of the analysis is limited to identifying core damage frequency and dominant contributors. This was done to ensure completeness and to facilitate any later extension of this analysis. The bottom level elements on the MLD established the initial groupings of initiating event types to be considered.

The next step was to develop an initial list of event initiators. First, the lists of suggested event initiators were extracted from the PRA Procedures Guide (6), the PSA Procedures Guide (5) and the IPE Methodology Manual (24), and the lists of event initiators and final initiating event groups were extracted from the Calvert Cliffs IREP Study (21), the Zion PRA (19), the Oconee PRA (20) and the Arkansas IREP Study (22). These lists of event initiators were then condensed into a single list. This list was then reviewed to eliminate event initiators which were not applicable because of plant design features (e.g., PORV LOCAs were eliminated because System 80 doesn't have PORVs). The event initiators were then grouped into initial initiating event classes based on the bottom events on the MLD, the transient grouping in Chapter 15 of CESSAR-F (4) and the initiating events analyzed in the other PRAs (19,20,21,22,23).

An iterative process was then used to select the final set of initiating events and to define the event sequences. First, an initial draft of an event tree was developed for each of the initial initiating event classes based on plant system responses to the specific type of initiator. These event trees were then compared and, where the system responses with respect to preventing core damage were the same or equivalent, the classes were combined. The event trees were then briefly evaluated for the individual initiators within the class. If the system responses to the specific initiator were not covered by the class event tree, the initiator was either transferred to an event class for which the system responses were appropriate, or a new event class was created and a new draft event tree was developed. This process was repeated until a set of initiating event classes was defined that included all the initiators in the original list and the event tree for each event class covered the system responses for each initiator. The final event trees were then prepared and the description and success criteria were defined for each element on the event trees. In general, the success criteria for the event tree elements were based on the system performance assumed in the Chapter 15 and Chapter 6 analyses in CESSAR-F (4). For a few elements, however, transients were run using the System 80 CEPAC (14) to determine success criteria and to evaluate transient timing.

2.3 SYSTEM MODELING

Each system event tree, as described in Section 2.2, represents a distinct set of system accident sequences, each of which consists of an initiating event and a combination of various system successes and failures that lead to an identifiable plant state.

Quantification of the system accident sequences requires knowledge of the failure probability or probability of occurrence for each element of the system accident sequence. The initiating event frequency and the probability of failure for a system accident sequence element involving the failure of a single component can be quantified directly from the appropriate raw data using methods described in Reference 6. However, if the system accident sequence element represents a specific failure mode for a system or subsystem, a fault tree model of the system or subsystem must be constructed and quantified to obtain the desired failure probability. Construction of the fault tree requires a complete definition of the functional requirements for the system, given the initiating event to which it is responding, and the physical layout of the system. The system fault tree is a graphic model of the various parallel and serial combinations of component failures that would result in the postulated system failure mode (25). The symbols used in constructing the fault tree models are presented and defined in Figure 2.3-1.

The evaluation of each fault tree yields both qualitative and quantitative information. The qualitative information consists of the "cutsets" of the model. The cutsets are the various combinations of component failures that result in the top event, i.e., the failure of the system. The cutsets form the basis of the quantitative evaluation which yields the failure probability for the system accident sequence element of concern.

The quantitative evaluation of the fault trees yields several numerical measures of a system's failure probability, two of which are typically employed in the event tree quantification, i.e., the unavailability and unreliability.

O 2-7

- _ _ ___ - - _ - __-_____-_____ ___________ ____________________ _ _ _ _ __ D

FIGURE 2.3-1 FAULT TREE SYMBOLOGY  !

O1 OR GATE OUTPUT EVENT OCCURS IF ONE OR MORE OF THE INPUT EVENTS OCCURS AND GATE OUTPUT EVENT OCCURS IF ALL OF THE INPUT EVENTS OCCUR.

r, BASIC EVENT BASIC FAULT EVENT REQUIRING NO FURTHER DEVELOPMENT.

U O

AN E. VENT WHICH IS DESCRIBED BY A FAULT EXTERNAL INPUT TREE MODEL DEVELOPED INDEPENDENTLY.

TYPICALLY A SUPPORT SYSTEM FAILURE.

TRANSFER IN USED AS A METHOD OF CONVENIENTLY

[\ SEGMENTING THE TREE FOR DRAFTING PURPOSES AND TO AVOID DUPLICATION OF PORTIONS UF THE TREE. INDICATES V l CONTINUATION TO OTHER PORTIONS OF THE TREE.

TRANSFER OUT 2-8

The unavailability is the probability that a system will not respond when demanded. This value is used when the system accident sequence element represents a system function or action which is performed quickly, such as the reseating of a previously opened safety valve, or if the element represents a particular condition, such as offsite power unavailable at turbine trip. The unreliability is the probability that a system will fail (at least once) during a given required operating period. This value is typically used when the system accident sequence element specifies a required operating period for a system, such as auxiliary feedwater system fails to deliver feedwater for four hours. The unreliability is usually added to the unavailability when the system accident sequence element represents the failure of a standby system to actuate and then run for a specified period of time.
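As an added illustration (not part of the original report or of the computer codes it describes), the following Python example derives the cutsets of a small two-train fault tree and quantifies each standby component as unavailability plus unreliability over a four-hour operating period. The tree, the component names, the failure data and the use of the rare-event sum over cutsets are all assumptions made for the example.

```python
import math
from itertools import product

# Constructed two-train standby system (hypothetical names, not from the report).
# Each gate maps to ("AND" | "OR", [inputs]); any name that is not a key of TREE
# is a basic event. COOLING_WATER is a support-system element shared by both trains.
TREE = {
    "SYSTEM_FAILS": ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR", ["PUMP_A", "VALVE_A", "COOLING_WATER"]),
    "TRAIN_B_FAILS": ("OR", ["PUMP_B", "VALVE_B", "COOLING_WATER"]),
}

# Constructed data: (probability of failure on demand, failure rate per hour
# while running). A rate of 0.0 means the event has no run-time failure mode.
DATA = {
    "PUMP_A": (2.0e-3, 1.0e-4),
    "PUMP_B": (2.0e-3, 1.0e-4),
    "VALVE_A": (1.0e-3, 0.0),
    "VALVE_B": (1.0e-3, 0.0),
    "COOLING_WATER": (1.0e-4, 0.0),
}
MISSION_HOURS = 4.0  # required operating period


def _minimize(candidates):
    """Drop duplicates and any cutset that contains a smaller cutset."""
    minimal = []
    for cs in sorted(set(candidates), key=len):
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def minimal_cut_sets(tree, node):
    """Top-down expansion of the tree into minimal cutsets (frozensets)."""
    if node not in tree:
        return [frozenset([node])]  # basic event
    gate, inputs = tree[node]
    child_sets = [minimal_cut_sets(tree, child) for child in inputs]
    if gate == "OR":
        # Any cutset of any input fails the gate.
        candidates = [cs for sets in child_sets for cs in sets]
    elif gate == "AND":
        # One cutset from every input must occur together.
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate type: {gate}")
    return _minimize(candidates)


def event_probability(q_demand, rate_per_hour, mission_hours):
    """Fail to start (unavailability) plus fail to run (unreliability)."""
    unreliability = 1.0 - math.exp(-rate_per_hour * mission_hours)
    return min(1.0, q_demand + unreliability)


def quantify(tree, top, data, mission_hours):
    """Return (top event probability, cutsets ranked by contribution).

    The top event probability is the rare-event approximation: the sum of
    the cutset probabilities, each the product of its basic events.
    """
    probs = {name: event_probability(q, lam, mission_hours)
             for name, (q, lam) in data.items()}
    ranked = [(math.prod(probs[e] for e in cs), sorted(cs))
              for cs in minimal_cut_sets(tree, top)]
    ranked.sort(reverse=True)
    return min(1.0, sum(p for p, _ in ranked)), ranked


if __name__ == "__main__":
    total, ranked = quantify(TREE, "SYSTEM_FAILS", DATA, MISSION_HOURS)
    print(f"System failure probability: {total:.3e}")
    for p, cs in ranked:
        print(f"  {p:.3e}  {100 * p / total:5.1f}%  {' * '.join(cs)}")
```

With these constructed numbers the single shared element dominates the result even though each train has two independent components, which is why dominant cutsets are reported alongside the total.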

Two types of human failures are typically included in fault tree analyses. They are "pre-existing maintenance errors" and failures of the operator to respond to various demands. Pre-existing maintenance errors are undetected errors committed since the last periodic test of a standby system. An example of this type of error is the failure to reopen a mini-flow valve which was closed for maintenance. A failure of the operator to respond includes the failure of the operator to perform a required function at all or to perform it correctly. An example of this type of error is the failure of the operator to back-up the automatic actuation of a safety system.

For this PRA, failure of the operator to respond to various demands where there was a time constraint was quantified using the Human Cognitive Reliability Model (20). The human cognitive reliability model is a set of time dependent functions which describe the probability of a crew response in performing a task. The human cognitive reliability model permits the analyst to predict the cognitive reliability associated with a non-response for a given task or series of related tasks, once the dominant type of cognitive processing (skill-based, rule-based or knowledge-based), the medium response time for the task or tasks under nominal conditions and performance shaping factors such as stress levels or environment are identified. The inherent time dependence in this model made it ideal for evaluating operator responses during a transient. The failure probability for "pre-existing maintenance errors" was quantified using the Handbook of Human Reliability Analysis (27).

The Handbook of Human Reliability Analysis is an extension of the human reliability analysis methodology developed for WASH 1400, the Reactor Safety Study (18), and is intended to provide methods, models and estimated human error probabilities to enable analysts to make quantitative or qualitative assessments of the occurrence of human errors that affect the availability or operational reliability of engineered safety systems and components. The emphasis is on tasks addressed in the Reactor Safety Study, calibration, maintenance and selected control room tasks related to engineered safety features availability. It is the best available source for evaluating human performance with respect to maintenance, calibration, testing and other tasks performed during normal plant operation. However, its time dependent model is not as thorough and explicit as that provided by the human cognitive reliability model.

For this PRA, the small event tree - large fault tree approach was selected. The event trees developed for this PRA addressed the response of the front line systems, that is, those systems directly involved in mitigating the various initiating events. The impact of the support systems was modeled within the front line system models. The electrical supplies were fully modeled within each front line system model, and simplified common cause/common element models were included for the other support systems. The simplified common cause/common element models were developed by constructing full models for each support system. These models were then compared to each other and to the front line system models to identify the common elements and common cause failures. The elements thus identified were driven to the top of their respective fault trees and removed. Then, within the appropriate front line system models, the support system was represented by a simplified model consisting of the identified common elements, the common cause failures and an undeveloped event representing the remainder of the fault tree model for that system. These undeveloped events were quantified by quantifying the appropriate fault tree models. Figure 2.3-2 illustrates the simplified common cause/common element model.

CESSAR-F (4) contains interface requirements for the support systems but does not contain any support system configurations or P&IDs. Therefore, in order to develop the support system models described above, representative support system configurations were developed using the CESSAR-F (4) interface requirements, support system configurations for recent vintage C-E plants (7,8,9,10) and the typical system configurations in the NPRDS Reportable Scope Manual for C-E Plants (28). The support system configurations used in this analysis are described in Section 5 of this report.

FIGURE 2.3-2 SAMPLE SAFETY SYSTEM FAULT TREE WITH SIMPLIFIED COMMON CAUSE/COMMON ELEMENT SUPPORT SYSTEM MODEL

[Fault tree diagram not reproduced. Node labels: HPSI system fails; HPSI pump A fails to run; mechanical failure of pump; common cause failure of pump; no CCW to pump; failure of service water; common cause failure; failure of CCW-A components. Legend: common cause, residual, common elements.]

2.4 DATA ASSESSMENT

Reliability data is needed for the quantification of the system fault trees and the system accident sequences which result in severe core damage. The data needed for this quantification includes:

1. initiating event frequencies
2. component failure rates (demand and time-dependent)
3. component repair times and maintenance frequencies
4. common cause failure rates
5. human failure probabilities
6. special event probabilities (e.g., restoration of offsite power)
7. error factors for the items above

Generic reliability data was used in this analysis per the guidance in the PSA Procedures Guide (5). The basic initiating event frequencies were extracted from the PSA Procedures Guide (5), EPRI NP-2230 (29) and the NREP Generic Data Base (30). The initiating event frequencies presented in the Zion PRA (19), the Oconee PRA (20) and the Calvert Cliffs IREP Report (21) were also used as guidelines. The appropriate basic initiating event frequencies were used to calculate the needed initiating event class frequencies as described in Section 6 of this report.

The basic component failure rate data and associated error factors were extracted from Appendix A of the EPRI ALWR Requirements Document ( ), which contains a compilation of generic failure rate data from other nuclear sources. This data was supplemented with data from WASH 1400 (18), the NREP Data Base (30) and IEEE Std. 500 (31) as needed. Component maintenance frequencies and repair times were calculated using the procedures outlined in the PSA Procedures Guide (5). The specific component failure data used in this analysis is documented in Section 6 of this report.

Common cause failures of components were explicitly represented in the system fault trees. The common cause failures were calculated using equivalent Beta factors. The quantification process was equivalent to that outlined in Appendix A of the EPRI ALWR Requirements Document (3), with data extracted from several data sources (32,33,34,35,36,37) as appropriate. The common cause failure rates used in this report are documented in Section 6 of this report.

As discussed in Section 2.3, two types of human failure, "pre-existing maintenance errors" and failure of the operator to perform various actions during a transient, were modeled in this analysis. "Pre-existing maintenance errors" were evaluated using the methods described in the Handbook of Human Reliability Analysis (27) and the operator responses during an event were modeled using the Human Cognitive Reliability Model (26). Quantification data was primarily extracted from the Handbook of Human Reliability Analysis (27). Task breakdowns and quantification of the operator actions are described and documented in Section 6 of this report.

The methods and data used for quantifying the probability of special events (e.g., the restoration of offsite power within a given time period) were dependent on the specific event. Section 6 of this report documents the methodology and data sources used for quantifying each special event.

2.5 ACCIDENT SEQUENCE QUANTIFICATION

The basic objective of this analysis was to model a baseline core damage frequency for a generic System 80® plant. The total core damage frequency, due to internal events, is the sum of the frequencies of those system level accident sequences which result in core damage. As described in Section 2.2, the system level accident sequences leading to core damage were identified using event tree analysis. Each system level accident sequence consists of an initiating event and one or more additional elements, each representing either a front line system failure or a special event such as failure to restore offsite power within a given time or the most reactive rod sticking out of the core. The frequency for the system level accident sequence is determined by quantifying the individual elements in the sequence and then combining the results in the appropriate manner. The frequencies for the initiating events and the special events are directly calculable. The specific calculations are presented in Section 6.

The front line system failure probabilities were calculated using conditioned fault tree analysis. The first step in this process was to construct a fault tree model for each front line system that appeared as an element in a system accident sequence (see Section 2.3). The models include submodels for the appropriate support systems.

The next step was to perform a base line quantification of each fault tree using generic failure rates. For those front line systems appearing in the LOCA or steam line break sequences, base line quantifications were made with and without offsite power. This quantification provided a list of cutsets, the system unreliability and the system unavailability for each front line system. This quantification was performed using the CEREC computer code (see Section 2.6) and IRRAS (60).

The third step in this process was to identify common elements in fault tree models appearing in any given event sequence and to calculate conditional failure probabilities for these elements. Take, for example, an accident sequence, S = I x A x B, where I is the initiating event, A is the failure of System A and B is the failure of System B. The components appearing in the fault tree model for System B are compared to the components appearing in the fault tree model for System A, and a list of common components is generated.

Then, for each component on the common component list, the probability that the component is failed given that System A is failed is calculated. For any given common component, Z, all System A cutsets containing Z are identified and their probabilities are summed. This sum is then divided by the total failure probability for System A to determine the probability of System A being failed due to a cutset containing Z. The conditional failure probability for Z given that System A failed (P(Z | A)) is calculated as:

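$$
\begin{aligned}
P(Z \mid A) ={} & P(A \text{ due to a cutset containing } Z) \times P(Z \mid \text{a cutset containing } Z) \\
& + P(A \text{ due to a cutset not containing } Z) \times P(Z \mid \text{a cutset not containing } Z)
\end{aligned}
\qquad \text{(eqn. 2.5-1)}
$$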

But P(Z | a cutset containing Z) is 1 by definition, and P(Z | a cutset not containing Z) is P(Z) or, for small λ, λt, where t is the mission time for System A. Thus, equation 2.5-1 becomes:

$$
P(Z \mid A) = P(A \text{ due to a cutset containing } Z) + P(A \text{ due to a cutset not containing } Z) \cdot P(Z) \qquad \text{(eqn. 2.5-2)}
$$

After all the conditioned component failure rates were calculated, the system fault trees were requantified using the appropriate conditioned component failure rates, thus yielding a set of system failure probabilities specific to the initiating event classes.

The final step in the quantification of the core damage frequency was to solve each system accident sequence equation using the appropriate initiating event, special event and system failure probabilities. This was done using CESAM, a Monte Carlo sampling code for equation solving.

2.6 SPECIFIC ANALYSIS GROUND RULES

In performance of this analysis, the following ground rules were used:

a) only internal events were addressed;
b) only events with potential for core damage were addressed;
c) event sequences were evaluated only with respect to core damage;
d) initiating events were only evaluated for 100% power conditions;
e) where needed, realistic, best-estimate assumptions were used when evaluating plant responses to an initiating event;
f) core damage is assumed if the core was uncovered for an extended time period;
g) the full event mission time was 24 hours, and the success criteria were:

   1) the plant was in cold shutdown with the shutdown cooling system in operation, or
   2) the plant was in stable hot shutdown with decay heat removal via the secondary side, or
   3) the plant was stable with hot and cold leg recirculation and recirculation cooling established (LOCAs);

h) generic failure rates and initiating event frequencies were used for quantification.

2.7 DESCRIPTION OF COMPUTER CODES

2.7.1 CEREC

The evaluation of the fault trees constructed for this study was aided by the use of the computer code CEREC (C-E Reliability Evaluation Code). CEREC is an extensively modified version of the PREP and KITT codes (38). The PREP portion of the code, which generates the cutsets, has several modifications to its output format. The KITT portion of the code, which performs the quantitative evaluations, has several major additions to the original KITT capabilities. They are as follows:

1. The capability of calculating the unavailability for a periodically tested standby system using either the demand failure rate (inhibit condition) or the standby failure rate, test interval and allowable downtime.
2. The capability of filtering out cutsets based on cutoff values for any of five calculated reliability parameters.
3. The capability of automatically performing sensitivity analyses on any parameter.
4. The capability of determining the uncertainty of any of the output reliability parameters based on the uncertainty of the component failure data.

CEREC is written in FORTRAN IV for use on the CDC 7600 computer, and FORTRAN 77 for use on a PRIME 550 minicomputer.

2.7.2 CEDAR

The CEDAR code (C-E Dependency Analysis Routine) is a utility code designed to automate the identification of shared components and the calculation of their conditional failure probabilities. The PREP portion of the CEREC code produces and stores a file containing the cutsets of a system fault tree model. CEDAR identifies common components within these files and calculates their conditional failure probability as the ratio of the sum of the probabilities of the cutsets containing the shared components to the total system failure probability plus the random failure probability multiplied by one minus the ratio of the sum of the probabilities of the cutsets containing the shared component to the total system failure probability (see Equation 2.5-2).

CEDAR is written in FORTRAN IV for use on a CDC 7600 computer and FORTRAN 77 for use on a PRIME 550 minicomputer.
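The calculation in eqn. 2.5-2, which is also what the CEDAR description above automates, worked through as an added example (Python written for this page, not the CEDAR FORTRAN code). The cutsets, component names and probabilities are constructed sample values, and the exhaustive enumeration is an added cross-check of the cutset approximation, not a step the report describes.

```python
"""Conditional failure probability of a shared component (eqn. 2.5-2)."""
from itertools import product
from math import prod

# Constructed sample data (not from the report): minimal cutsets of a
# hypothetical "System A" and basic event failure probabilities.
SYSTEM_A_CUTSETS = [
    ("BUS_1", "PUMP_B"),
    ("PUMP_A", "PUMP_B"),
    ("SW_CCF",),
    ("BUS_1", "BUS_2"),
]
BASIC_EVENT_P = {
    "PUMP_A": 3e-2, "PUMP_B": 3e-2,
    "BUS_1": 1e-3, "BUS_2": 1e-3,
    "SW_CCF": 1e-4,
    "VALVE_X": 5e-3,  # appears in no System A cutset
}


def cutset_probability(cutset, p):
    """Probability that every basic event in one cutset has occurred."""
    return prod(p[event] for event in cutset)


def system_failure_probability(cutsets, p):
    """Total system failure probability as the sum of cutset probabilities."""
    return sum(cutset_probability(c, p) for c in cutsets)


def conditional_failure_probability(cutsets, p, z):
    """P(Z | A) per eqn. 2.5-2.

    ratio     = (sum of cutsets containing Z) / (total failure probability)
    P(Z | A)  = ratio + (1 - ratio) * P(Z)
    """
    total = system_failure_probability(cutsets, p)
    with_z = sum(cutset_probability(c, p) for c in cutsets if z in c)
    ratio = with_z / total
    return ratio + (1.0 - ratio) * p[z]


def exact_conditional_failure_probability(cutsets, p, z):
    """Cross-check: enumerate every component state and apply Bayes' rule."""
    events = sorted({e for c in cutsets for e in c} | {z})
    p_a = 0.0
    p_a_and_z = 0.0
    for states in product((False, True), repeat=len(events)):
        failed = {e for e, s in zip(events, states) if s}
        weight = prod(p[e] if s else 1.0 - p[e] for e, s in zip(events, states))
        if any(failed.issuperset(c) for c in cutsets):  # System A is failed
            p_a += weight
            if z in failed:
                p_a_and_z += weight
    return p_a_and_z / p_a


if __name__ == "__main__":
    for z in ("BUS_1", "SW_CCF", "VALVE_X"):
        approx = conditional_failure_probability(SYSTEM_A_CUTSETS, BASIC_EVENT_P, z)
        exact = exact_conditional_failure_probability(SYSTEM_A_CUTSETS, BASIC_EVENT_P, z)
        print(f"{z:8s} P(Z)={BASIC_EVENT_P[z]:.1e}  "
              f"P(Z|A) eqn 2.5-2={approx:.5f}  enumerated={exact:.5f}")
```

A component that appears in no System A cutset keeps its unconditioned probability, while one that dominates System A's cutsets is far more likely to be failed once System A is known to have failed, which is why the System B tree is requantified with the conditioned value.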

2.7.3 CESAM

CESAM, C-E's version of the SAMPLE code used in the Reactor Safety Study, is designed to perform uncertainty analysis on any generalized equation. The required input consists of a FORTRAN function subroutine to describe the function of interest, specification of the type of distributions to be used in modeling the variables of the function and the parameters used to define the distributions for each variable.

Monte Carlo simulation is performed by sampling the variable distributions and evaluating the function numerous times. These trials then define the distribution of the total function values and CESAM provides various descriptions of this distribution.

In the analyses performed for this task, the generalized equations consisted of individual sequence and total core damage frequency equations. The probabilities of the sequence elements were represented by log-normal distributions. The parameters of the distributions were obtained from the CEREC runs for each element.

SAMPLE is written in FORTRAN IV for the CDC 7600, and FORTRAN 77 for a PRIME 550 minicomputer.
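The sampling procedure described for CESAM, shown as an added example (Python written for this page, not the CESAM or SAMPLE code). The sequence equations, medians and error factors are constructed sample values, and the convention that an error factor is the ratio of the 95th percentile to the median is an assumption, since the page does not define it.

```python
"""Monte Carlo propagation of log-normal uncertainties through a sequence equation."""
import math
import random

Z95 = 1.645  # standard normal 95th percentile (assumed error factor convention)

# Constructed sample inputs: name -> (median, error factor). Not report data.
INPUTS = {
    "IE_SLOCA": (1e-3, 3.0),   # initiating event frequency per year
    "HPSI": (1e-3, 5.0),       # front line system failure probability
    "IE_TRANS": (1e-1, 3.0),   # initiating event frequency per year
    "EFW": (1e-4, 10.0),       # front line system failure probability
}


def lognormal_params(median, error_factor):
    """Convert (median, error factor) to the (mu, sigma) of ln X."""
    return math.log(median), math.log(error_factor) / Z95


def sequence_1(x):
    """User-supplied equation, the role CESAM's FORTRAN function plays."""
    return x["IE_SLOCA"] * x["HPSI"]


def total_cdf(x):
    """Total core damage frequency as the sum of two sequence frequencies."""
    return x["IE_SLOCA"] * x["HPSI"] + x["IE_TRANS"] * x["EFW"]


def propagate(func, inputs, trials=20000, seed=1988):
    """Sample every input, evaluate func per trial, summarise the results."""
    rng = random.Random(seed)
    params = {name: lognormal_params(m, ef) for name, (m, ef) in inputs.items()}
    values = []
    for _ in range(trials):
        sample = {name: rng.lognormvariate(mu, sigma)
                  for name, (mu, sigma) in params.items()}
        values.append(func(sample))
    values.sort()

    def percentile(q):
        return values[min(trials - 1, int(q * trials))]

    return {
        "mean": sum(values) / trials,
        "p05": percentile(0.05),
        "median": percentile(0.50),
        "p95": percentile(0.95),
    }


def analytic_error_factor(error_factors):
    """Error factor of a product of independent log-normal variables."""
    variance = sum((math.log(ef) / Z95) ** 2 for ef in error_factors)
    return math.exp(Z95 * math.sqrt(variance))


if __name__ == "__main__":
    for name, func in (("sequence 1", sequence_1), ("total CDF", total_cdf)):
        r = propagate(func, INPUTS)
        print(f"{name:10s} mean={r['mean']:.2e} 5%={r['p05']:.2e} "
              f"median={r['median']:.2e} 95%={r['p95']:.2e}")
    print("analytic error factor, sequence 1:",
          round(analytic_error_factor([3.0, 5.0]), 2))
```

For a pure product the sampled median and 95th percentile can be checked against the closed-form log-normal result; the sum in the total equation has no closed form, which is the case the sampling is needed for.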

3.0 INITIATING EVENT EVALUATION

3.1 MASTER LOGIC DIAGRAM DEVELOPMENT

Following plant familiarization, the first major step in determining the plant core damage frequency is to identify the initiating events for which event trees will be constructed and quantified. To systematize the identification of the initiating events, a master logic diagram was constructed. The master logic diagram (Figure 3.1-1) is a high level fault tree model of the potential causes of a postulated undesirable event and the logical relationships between these potential causes. Although this analysis is a level 1 PRA and thus addresses only core damage, the top event for the master logic diagram was chosen to be "offsite release of radioactive material" to ensure completeness in the evaluation.

As shown in Figure 3.1-1, the two ways to get an excessive offsite release are:

a) a release of core material; or
b) a release of non-core material such as radioactive wastes or spent fuel material.

Releases of non-core material are not included in this analysis.

A release of core material will occur if there is an event resulting in severe core damage, and the containment fails. The containment failure includes containment bypass and consequential containment failures. Containment failure was not addressed in this analysis.

Severe core damage can occur due to excess core power or loss of core cooling. In an excess power event, core damage results from energy generation within the fuel at a rate greater than the energy can be transferred to the coolant. Conceptually, excess power events can be initiated by CEA ejections, uncontrolled CEA withdrawals from zero power or a boron dilution event at hot zero power early in core life.

FIGURE 3.1-1 (SHEET 1 OF 3) MASTER LOGIC DIAGRAM

[Diagram not reproduced. Node labels: offsite release of radioactive materials; release of core material; release of non-core material (out of scope); severe core damage; containment failure (out of scope); excess core power (ECP); loss of core cooling (to Sheet 2).]

FIGURE 3.1-1 (SHEET 2 OF 3) MASTER LOGIC DIAGRAM

[Diagram not reproduced. Node labels: loss of core cooling; loss of heat transfer to secondary side; breach of primary pressure boundary (to Sheet 3); indirect initiators, loss of heat transfer to secondary side; direct initiators, loss of heat transfer to secondary side; loss of primary coolant flow; loss of feedwater flow (LOFW); loss of steam flow (LOSF).]

FIGURE 3.1-1 (SHEET 3 OF 3) MASTER LOGIC DIAGRAM

[Diagram not reproduced.]

For loss of core cooling events, core damage results from core uncovery due to loss of the primary coolant inventory. Primary coolant inventory can be lost as a result of an unisolable breach of the primary pressure boundary (a LOCA-type event) or as a result of a loss of heat transfer to the secondary side which leads to the primary pressure and temperature increasing to the point where the primary safety valves will lift and discharge primary coolant into containment. Loss of heat transfer to the secondary side can be directly initiated by a loss of feedwater flow, a loss of steam flow or an interruption of the primary coolant flow through the core. Loss of heat transfer to the secondary side can be indirectly initiated by events which result in a reactor trip and turbine trip. (Note: The initiators discussed above, and shown on Figure 3.1-1, represent unmitigated initiators. Mitigation of these initiators is evaluated in the event tree analysis. Severe core damage actually occurs only if the initiator occurs and the mitigating systems do not function.)

3.2 SELECTION OF INITIATING EVENTS

The master logic diagram (Figure 3.1-1) was used to identify a set of general conceptual core damage initiators. The next step in selecting the initiating events for event tree analysis was to identify specific detailed initiating events for each of these general initiator classes.

First, sets of detailed initiating events were extracted from several reference documents. Table 3.2-1 presents the forty-one (41) PWR initiating events formulated in EPRI NP-2230 (27) and contained in the PSA Procedures Guide (5). Table 3.2-2 presents the initial list of initiating events presented in the Zion PRA (19), Table 3.2-3 presents the initial list of initiating events from the Oconee PRA (20), and Table 3.2-4 presents the list of initiating events from the Calvert Cliffs IREP Study (21). Finally, Table 3.2-5 presents a list of initiating events analyzed in Chapters 6 and 15 of CESSAR-F (4). The lists of initiating events presented in Tables 3.2-1 through 3.2-5 were compared and combined into a single comprehensive list, grouped by the eight general initiator categories on the master logic diagram (Figure 3.1-1). This list, as presented in Table 3.2-6, represents the initial set of initiating events for this analysis.

The initial list of initiating events on Table 3.2-6 then went through an iterative process of review and evaluation to reduce this list to the final set of initiating events for event tree analysis. First, the events were reviewed to identify those events which were outside of the scope of analysis or were precluded because of system design features. Based on this review, "Fire Within Plant" (Item 14.1) was eliminated because it is normally grouped with external events which are outside of the scope of this study. "Startup of Inactive RCP" (Item 13.3) was eliminated because C-E plants operate with all four RCPs running except at very low power levels, and this analysis is limited to events occurring from at or near 100% power. Likewise, "Cold Water Addition" (Item 15.5) was eliminated because there is no credible way to get significant amounts of cold water into the RCS at operating temperatures and pressures.

The next step in the condensation process was to evaluate the remaining events with respect to the physical process perturbations involved and the anticipated response of the front line systems. The objective was to group the events according to similarities in the process perturbations and the responses of the front line systems. This iterative process, described in Section 2.2, involved evaluation of the accident and transient analysis in CESSAR-F (4) and the development of preliminary event trees. The results of this process are discussed below. The final set of initiating event groups and their constituent initiating events are presented in Table 3.2-7.

The primary system LOCA class break sizes were established based on the response of the HPSI and LPSI systems, the need for reactor trip for reactivity control, the need for secondary side heat removal, and the long term cooling method (hot and cold leg injection with recirculation cooling or "normal" shutdown cooling). Vessel failure was removed from the large LOCA class and established as a separate initiator defined to be "any loss of coolant accident in excess of the ECCS capacity". CEA ejections were included in the small LOCA class. C-E plants typically operate with all rods out (ARO) or with a few CEAs slightly inserted when at power; thus, power perturbations, if any, would be minimal, and the major impact would be the breach of the primary pressure boundary. Failure of a primary safety valve (PSV) to reseat following a PSV opening as a consequence of a transient was also included in the small LOCA class.

Loss of offsite power/station blackout was removed from the turbine trip category and established as a separate initiator category because of the impact of these events on the front line systems. Event trees were constructed for both "Loss of Offsite Power" and "Station Blackout". "Total loss of RCS flow" was also included in this category because loss of offsite power is the most likely means of losing all RCS flow and the response to a loss of offsite power is bounding with respect to systems available for mitigation. Loss of RCS flow in one loop was included in the transient category.

Large steam line breaks, inside or outside of containment, and large feedwater line breaks downstream of the main feedwater isolation valves (MFIVs), result in a rapid blowdown of the secondary system with the attendant rapid cooldown of the primary system. The response of the front line systems is equivalent for all of the breaks. Therefore, a single event initiator category, large secondary side breaks, was established. This category includes large steam line breaks inside or outside of containment, main feedwater line breaks downstream of the MFIVs, and spurious openings of multiple turbine bypass valves, atmospheric dump valves or main steam safety valves. Small steam losses which do not result in a significant blowdown of the secondary system were included in the transient category.

An evaluation of the process perturbations and the front line system responses to the full or partial loss of feedwater events (event category 7 on Table 3.2-6), the loss of steam flow events (event categories 8 and 9), with the exception of loss of offsite power, and the indirect initiators (MLD category G on Table 3.2-6), with the exception of the large steam and feedwater line breaks, indicated that all these events had equivalent responses. These events produce process perturbations which result in a reactor trip and turbine trip. Main feedwater flow cuts back to 5%. If main feedwater flow is lost on the ramp back or the transient was loss of main feedwater, the auxiliary feedwater system actuates. Steam removal following the trip is via the turbine bypass valves or atmospheric dump valves. Loss of condenser vacuum and loss of circulating water events do affect the turbine bypass system, but this is addressable in the turbine bypass system model.

Therefore, all of these events were combined into the single initiator class, "transients". In other PRAs (19,20,21,22), "loss of component cooling water" and "loss of service water" are included as special initiators because they could initiate a plant transient and affect the ability of the front line systems to respond to the transients. System 80 plants have a separate essential cooling water system for the essential systems and the ECCS pumps are air-cooled. Therefore, these two events can be treated as transient initiators in this analysis.

As previously discussed, C-E plants operate at power with all rods out or with a few rods slightly inserted. A CEA withdrawal at power, if possible, would produce only a minor power perturbation followed by a reactor trip and subsequent secondary system responses. Therefore, CEA withdrawal was included in the transient category.

Strictly speaking, "Anticipated Transient Without Scram (ATWS)" is not an initiating event, but rather is a faulted response to an event requiring CEA insertion for reactivity control. However, because of the significant impact that an ATWS has on plant responses, it is included as a separate initiating event class.


TABLE 3.2-1
GENERAL PWR TRANSIENT CATEGORIES (1)

Category  Title
1   Loss of RCS Flow (1 Loop)
2   Uncontrolled Rod Withdrawal
3   CRDM Problems and/or Rod Drop
4   Leakage from Control Rods
5   Leakage in Primary System
6   Low Pressurizer Pressure
7   Pressurizer Leakage
8   High Pressurizer Pressure
9   Inadvertent Safety Injection Signal
10  Containment Pressure Problems
11  CVCS Malfunction - Boron Dilution
12  Pressure/Temperature/Power Imbalance - Rod Position Error
13  Startup of Inactive Coolant Pump
14  Total Loss of RCS Flow
15  Loss or Reduction in Feedwater Flow (1 Loop)
16  Total Loss of Feedwater Flow (All Loops)
17  Full or Partial Closure of MSIV (1 Loop)
18  Closure of All MSIV
19  Increase in Feedwater Flow (1 Loop)
20  Increase in Feedwater Flow (All Loops)
21  Feedwater Flow Instability - Operator Error
22  Feedwater Flow Instability - Misc. Mechanical Causes
23  Loss of Condensate Pump (1 Loop)
24  Loss of Condensate Pumps (All Loops)
25  Loss of Condenser Vacuum
26  Steam Generator Leakage
27  Condenser Leakage
28  Miscellaneous Leakage in Secondary System
29  Sudden Opening of Steam Relief Valves
30  Loss of Circulating Water
31  Loss of Component Cooling
32  Loss of Service Water Systems
33  Turbine Trip, Throttle Valve Closure, EHC Problems
34  Generator Trip or Generator Caused Faults
35  Total Loss of Offsite Power
36  Pressurizer Spray Failure
37  Loss of Power to Necessary Plant Systems
38  Spurious Trips - Cause Unknown
39  Auto Trip - No Transient Condition
40  Manual Trip - No Transient Condition
41  Fire Within Plant

Note 1: Extracted from PSA Procedures Guide, NUREG/CR-2815.

TABLE 3.2-2
ZION UNIT 1 AND 2 INITIATING EVENT CATEGORIES (1)

1. LARGE LOSS OF COOLANT ACCIDENT (Blowdown greater than 6-inch pipe rupture)
   1.1 Pipe Failures
   1.2 Valve Failures
   1.3 Vessel Failures
   1.4 Other Large LOCAs

2. MEDIUM LOSS OF COOLANT ACCIDENT (Blowdown in range of 2 to 6-inch pipe rupture)
   2.1 Pipe Failures
   2.2 Pressurizer Safety and Relief Valve Failures (Multiple)
   2.3 Other Valve Failures
   2.4 Other Medium LOCAs

3. SMALL LOSS OF COOLANT ACCIDENT (Blowdown less than 2-inch pipe rupture)
   3.1 Pipe Failure
   3.2 Pressurizer Relief Valve or Safety Valve Failures
   3.3 Other Valve Failures
   3.4 Control Rod Drive Mechanism Failures
   3.5 Reactor Coolant Pump Seal Failure (4 or less)
   3.6 Other Small LOCAs

4. LEAKAGE TO SECONDARY COOLANT
   4.1 Single Steam Generator Tube Rupture
   4.2 Other Steam Generator Leaks

5. LOSS OF REACTOR COOLANT FLOW
   5.1 Loss of Reactor Coolant Flow in One Loop
   5.2 Loss of Reactor Coolant Flow in All Loops
   5.3 Other Losses of Reactor Coolant Flow

6. LOSS OF FEEDWATER FLOW
   6.1 Feedwater Pipe Rupture Outside Containment
   6.2 Loss/Reduction of Feedwater Flow in One Steam Generator
   6.3 Loss of Feedwater Flow in All Steam Generators
   6.4 Feedwater Flow Instability - Operator Error
   6.5 Feedwater Flow Instability - Mechanical Causes
   6.6 Loss of One Condensate Pump
   6.7 Loss of All Condensate Pumps
   6.8 Condenser Leakage
   6.9 Other Secondary Leakage

7. PARTIAL LOSS OF STEAM FLOW
   7.1 Full Closure of Main Steam Isolation Valve (MSIV)
   7.2 Partial Closure of Main Steam Isolation Valve
   7.3 Other Losses of Steam Flow

8. TURBINE TRIP
   8.1 Turbine Trip (General)
       8.1.1 Closure of all main steam isolation valves
       8.1.2 Increase in feedwater flow in one or more steam generators
       8.1.3 Loss of condenser vacuum
       8.1.4 Loss of circulating water
       8.1.5 Throttle-valve closure/electrohydraulic control problems
       8.1.6 Generator trip or generator-caused faults
       8.1.7 Turbine trip due to overspeed
       8.1.8 Other turbine trips
   8.2 Turbine Trip Due to Loss of Offsite Power
   8.3 Turbine Trip Due to Loss of Service Water

9. SPURIOUS SAFETY INJECTION
   9.1 Spurious Safety Injection: Charging Pumps Operate

10. REACTOR TRIP
    10.1 Reactor Trip
         10.1.1 Control rod drive mechanism problems and/or rod drop
         10.1.2 High or low pressurizer pressure
         10.1.3 High pressurizer level
         10.1.4 Spurious automatic trip -- no transient condition
         10.1.5 Automatic/manual trip -- operator error
         10.1.6 Manual trip due to false signal
         10.1.7 Spurious trip - cause unknown
         10.1.8 Primary system pressure, temperature, power imbalance
         10.1.9 Other reactor trips
    10.2 Reactor Trip Due to Loss of Component Cooling Water
    10.3 Reactor Trip Due to Loss of DC or AC Power

11. LOSS OF STEAM INSIDE CONTAINMENT
    11.1 Steam Pipe Rupture Inside Containment
    11.2 Feedwater Pipe Rupture Inside Containment
    11.3 Steam Relief Valve or Safety Valves Open Inadvertently (included with inside containment group for functional reasons -- leak upstream of MSIVs)
    11.4 Other Steam Losses Inside Containment

12. LOSS OF STEAM OUTSIDE CONTAINMENT
    12.1 Steam Pipe Rupture Outside Containment
    12.2 Throttle-Valve Opening/Electrohydraulic Control Problems
    12.3 Steam Dump Valves Failing Open
    12.4 Other Steam Losses Outside Containment

13. CORE POWER INCREASE
    13.1 Uncontrolled Rod Withdrawal
    13.2 Boron Dilution -- Chemical Volume Control System Malfunction
    13.3 Core Inlet Temperature Drop
    13.4 Other Positive Reactivity Addition

Note 1: From Zion PRA.

TABLE 3.2-3
POTENTIAL INITIATING EVENTS FROM OCONEE PRA (1)

Reactivity Control:

1. Rod drop
2. Inadvertent rod withdrawal
3. Rod ejection
4. Inadvertent boration or deboration
5. Reactor trip
6. Cold-water addition

Core-Heat Removal:

7. Reactor coolant pump trip
8. Reactor coolant pump seizure
9. Flow channel blockage

RCS Heat Removal:

10. Loss of main feedwater
11. Excess of feedwater (main or emergency)
12. Loss of condenser vacuum
13. Inadequate main feedwater
14. Feedwater or condensate line breaks
15. Steam line breaks (inside and outside containment)
16. Turbine control valve malfunction
17. Turbine bypass valve inadvertent opening
18. Turbine trip or malfunction
19. Loss of circulating water

Control of RCS Inventory and Pressure:

20. Small RCS pipe breaks
21. Large RCS pipe breaks
22. Inadvertent PORV or safety-valve opening
23. Failure of reactor-coolant pump seals
24. Leakage of control-rod drive seals
25. Interfacing-system loss of coolant
26. Reactor-vessel rupture
27. Steam-generator tube leak/rupture
28. Charging exceeds letdown
29. Letdown exceeds charging
30. Inadvertent high-pressure injection
31. Failure on or off of pressurizer heaters
32. Failure on or off of pressurizer spray

Maintenance of Vital Support Systems:

33. Loss of offsite power
34. Loss of power to necessary systems
35. Partial losses of power to control systems
36. Loss of service water
37. Loss of component cooling
38. Loss of instrument air
39. Integrated control system failures
40. Fire affecting necessary systems
41. Internal flooding affecting necessary systems

Maintenance of Normal Power Operation:

42. Generator faults
43. Grid disturbances
44. Administratively caused shutdown

Note 1: From Oconee PRA NSAC/60

TABLE 3.2-4

GROUPED EPRI NP-2230 TRANSIENT EVENTS CAUSING REACTOR SHUTDOWN AT CALVERT CLIFFS UNIT 1

| Transient Designator | Transient Description | Applicable EPRI NP-2230 Transients | EPRI NP-2230 Frequency Per Reactor Year | Total Frequency Per Reactor Year |
|---|---|---|---|---|
| T1 | Total Loss of Offsite Power | #35) Total Loss of Offsite Power | 0.14 | 0.14 |
| T2 | Total Interruption of the Power Conversion System (Main Feedwater) | #16) Total Loss of Main Feedwater Flow | 0.15 | 0.80 |
| | | #18) Closure of All MSIVs | 0.03 | |
| | | #21 & 22) Feedwater Flow Instability | 0.36 | |
| | | #24) Loss of All Condensate Pumps | 0.00 | |
| | | #25) Loss of Condenser Vacuum | 0.20 | |
| | | #30) Loss of Circulating Water | 0.06 | |
| T3 | Transients Requiring RCS Pressure Relief | #33) Turbine Trip or Throttle Valve Closure | 1.38 | 1.85 |
| | | #34) Generator Trip or Generator Caused Faults | 0.38 | |
| | | #37) Loss of Power to Necessary Plant Systems | 0.09 | |
| T4 | Other Transients Requiring Reactor Shutdown Which Do Not Significantly Affect Front Line Systems | #1) Loss of RCS Flow in One Loop | 0.39 | 6.8 |
| | | #3) CRDM Problems, Rod Drop | 0.65 | |
| | | #6) Low Pressurizer Pressure | 0.03 | |
| | | #8) High Pressurizer Pressure | 0.03 | |
| | | #9) Inadvertent Safety Injection Signal | 0.06 | |
| | | #11) CVCS Malfunction - Boron Dilution | 0.04 | |
| | | #12) Pressure / Temperature / Power Imbalance | 0.16 | |
| | | #14) Total Loss of RCS Flow | 0.03 | |
| | | #15) Loss or Reduction in Main Feedwater (1 Loop) | 1.00 | |
| | | #17) Full or Partial Closure of One MSIV | 0.23 | |
| | | #19) Increase in Main Feedwater Flow in One Loop | 0.69 | |
| | | #20) Increase in Main Feedwater Flow in All Loops | 0.01 | |
| | | #23) Loss of Condensate Pump (1 Loop) | 0.08 | |
| | | #27) Condenser Leakage | 0.05 | |
| | | #28) Leakage in Secondary System | | |
| | | #29) Sudden Opening of Steam Relief Valves | 0.04 | |
| | | #36) Pressurizer Spray Failure | 0.04 | |
| | | #38) Spurious Trips - Cause Unknown | | |
| | | #39) Auto Trip - No Transient Condition | 1.55 | |
| | | #40) Manual Trip - No Transient Condition | 0.62 | |

Note 1: From Calvert Cliffs IREP Study, 5Al-001-87-BE

TABLE 3.2-5

EVENTS ANALYZED IN CESSAR-F

| Number | Event | Section |
|---|---|---|
| 1 | Large Break LOCAs (>.5 ft²) | 6.3.3.2 |
| 2 | Small Break LOCAs (<.5 ft²) | 6.3.3.2 |
| 3 | Decrease in Feedwater Temperature | 15.1.1 |
| 4 | Increase in Feedwater Flow | 15.1.2 |
| 5 | Increased Main Steam Flow | 15.1.3 |
| 6 | Inadvertent Opening of a Steam Generator Relief or Safety Valve | 15.1.4 |
| 7 | Steam System Piping Failures Inside and Outside Containment | 15.1.5 |
| 8 | Loss of External Load | 15.2.1 |
| 9 | Turbine Trip | 15.2.2 |
| 10 | Loss of Condenser Vacuum | 15.2.3 |
| 11 | Main Steam Isolation Valve Closure | 15.2.4 |
| 12 | Steam Pressure Regulator Failure | 15.2.5 |
| 13 | Loss of Non-Emergency A-C Power to Station Auxiliaries | 15.2.6 |
| 14 | Loss of Normal Feedwater Flow | 15.2.7 |
| 15 | Total Loss of Reactor Coolant Flow | 15.3.1 |
| 16 | Flow Controller Malfunction Causing Flow Coastdown | 15.3.2 |
| 17 | Single Reactor Coolant Pump Rotor Seizure with Loss of Offsite Power | 15.3.3 |
| 18 | Reactor Coolant Pump Shaft Break with Loss of Offsite Power | 15.3.4 |
| 19 | Uncontrolled CEA Withdrawal from a Subcritical or Low Power Condition | 15.4.1 |
| 20 | Uncontrolled CEA Withdrawal at Power | 15.4.2 |
| 21 | Single CEA Drop | 15.4.3 |
| 22 | Startup of an Inactive RCP | 15.4.4 |
| 23 | Inadvertent Deboration | 15.4.6 |
| 24 | Inadvertent Loading of a Fuel Assembly into the Improper Position | 15.4.7 |
| 25 | CEA Ejection | 15.4.8 |
| 26 | Inadvertent Operation of ECCS | 15.5.1 |
| 27 | CVCS Malfunction - Pressurizer Level Control System Malfunction with Loss of Offsite Power | 15.5.2 |
| 28 | Inadvertent Opening of a Pressurizer Safety / Relief Valve | 15.6.1 |
| 29 | Double Ended Break of a Letdown Line Outside Containment | 15.6.2 |
| 30 | Steam Generator Tube Rupture | 15.6.3 |


TABLE 3.2-6 (Sheet 1 of 9)

INITIAL LIST OF INITIATING EVENTS FOR ANALYSIS

| MLD CATEGORY | EVENT CATEGORY / EVENT | EPRI NP-2230 CATEGORY |
|---|---|---|
| A | PRIMARY SYSTEM LOCAS | --- |
| | 1.0 LARGE LOCAS | --- |
| | 1.1 PIPE RUPTURE | |
| | 1.2 VESSEL FAILURE | |
| | 1.3 PRESSURIZER RUPTURE | |
| | 2.0 MEDIUM LOCAS | --- |
| | 2.1 PIPE FAILURE | |
| | 2.2 MULTIPLE SAFETY VALVE FAILURES | |
| | 2.3 OTHER MEDIUM LOCAS | |
| | 3.0 SMALL LOCAS | --- |
| | 3.1 SMALL PIPE BREAK (INSTRUMENT LINES, ETC.) | |
| | 3.2 PRIMARY SAFETY VALVE FAILURE | |
| | 3.3 RCP SEAL FAILURES (MAY BE MEDIUM) | |
| | 3.4 CEDM HOUSING SEAL LEAKS | 4 |

TABLE 3.2-6 (Cont.), Sheet 2 of 9: not legible in the source scan.

TABLE 3.2-6 (Cont.) (Sheet 3 of 9)

| MLD CATEGORY | EVENT CATEGORY / EVENT | EPRI NP-2230 CATEGORY |
|---|---|---|
| E | LOSS OF FEEDWATER FLOW | |
| | 7.0 LOSS OF FEED FLOW | |
| | 7.1 REDUCED FEEDWATER FLOW TO ONE GENERATOR | 15 |
| | A. PARTIAL CLOSURE OF ONE MFIV | |
| | 7.2 LOSS OF FEEDWATER FLOW TO ONE GENERATOR | 15 |
| | A. CLOSURE OF ONE MFIV | |
| | 7.3 REDUCED FEEDWATER FLOW TO ALL GENERATORS | |
| | A. PARTIAL CLOSURE OF ALL MFIVS | |
| | B. FULL CLOSURE OF ONE MAIN FEEDWATER CONTROL VALVE | |
| | C. LOSS OF ONE MAIN FEEDWATER PUMP | |
| | D. REDUCED SPEED ON ONE MAIN FEEDWATER PUMP | |
| | E. REDUCED SPEED ON ALL MAIN FEEDWATER PUMPS | |
| | F. LOSS OF ONE CONDENSATE PUMP | 23 |
| | G. MAJOR FEEDWATER HEATER TUBE RUPTURE | |
| | H. EXCESS MAIN FEED RECIRCULATION | |
| | 7.4 LOSS OF FLOW TO ALL GENERATORS | 16 |
| | A. CLOSURE OF ALL MFIVS | |
| | B. CLOSURE OF ALL MAIN FEEDWATER CONTROL VALVES | |
| | C. LOSS OF ALL FEEDWATER PUMPS (INTRINSIC / SUPPORT SYSTEMS) | |
| | D. LOSS OF HEATER DRAIN PUMPS | |
| | E. LOSS OF ALL CONDENSATE PUMPS | 24 |

TABLE 3.2-6 (Cont.), Sheet 4 of 9: not legible in the source scan.

TABLE 3.2-6 (Cont.) (Sheet 5 of 9)

| MLD CATEGORY | EVENT CATEGORY / EVENT | EPRI NP-2230 CATEGORY |
|---|---|---|
| F | LOSS OF STEAM FLOW (Continued) | |
| | 8.9 GENERATOR TRIPS | 34 |
| | 8.10 LOSS OF SERVICE WATER | 32 |
| | 8.11 CONDENSER LEAKAGE | 27 |
| | 9.0 PARTIAL LOSS OF STEAM FLOW | |
| | 9.1 CLOSURE OF ONE MSIV | 17 |
| | 9.2 PARTIAL CLOSURE OF MSIV(S) | |
| | 9.3 SPURIOUS TURBINE RUNBACK (FAILURE OF ONE TGGV) | |
| | 9.4 OTHER | |
| G | INDIRECT INITIATORS OF LOSS OF HEAT TRANSFER TO SECONDARY SIDE | |
| | 10.0 REACTOR TRIP (NOT CAUSED BY INSUFFICIENT CORE HEAT REMOVAL EVENTS) | |
| | 10.1 RAPID NEGATIVE REACTIVITY INSERTION | 3 |
| | A. SINGLE CEA DROP | |
| | B. BROKEN CEA FINGER | |
| | C. MULTIPLE CEA DROP (RANDOM) | |
| | D. CEA SUBGROUP DROP | |
| | E. CEA GROUP DROP | |

TABLE 3.2-6 (Cont.) (Sheet 6 of 9)

| MLD CATEGORY | EVENT CATEGORY / EVENT | EPRI NP-2230 CATEGORY |
|---|---|---|
| G | INDIRECT INITIATORS OF LOSS OF HEAT TRANSFER TO SECONDARY SIDE (Continued) | |
| | F. PART LENGTH CEA DROP | |
| | G. PART LENGTH CEA SUBGROUP DROP | |
| | H. PART LENGTH CEA GROUP DROP | |
| | I. LOSS OF ONE CEDM BUS (DROP HALF OF ALL CEAS) | |
| | J. LOSS OF BOTH CEDM BUSSES (DROP ALL CEAS) | |
| | K. UNCONTROLLED SEQUENTIAL INSERTION OF A CEA | |
| | 10.2 SLOW NEGATIVE REACTIVITY INSERTION | |
| | A. CVCS MALFUNCTION LEADING TO BORON INJECTION | |
| | 10.3 SPURIOUS REACTOR TRIPS | 38, 39, 40 |
| | A. SPURIOUS AUTOMATIC TRIP DUE TO INSTRUMENT MALFUNCTIONS | |
| | B. SPURIOUS AUTOMATIC TRIP DURING PPS TEST | |
| | C. SPURIOUS AUTOMATIC TRIP - CAUSE UNKNOWN | |
| | D. MANUAL TRIP DUE TO FALSE SIGNAL | |
| | E. MANUAL TRIP - OPERATOR ERROR | |
| | F. MULTI-CHANNEL PPS MALFUNCTION (SEE 10.3.A) | |
| | 10.4 RCS PRESSURE / TEMPERATURE IMBALANCES | 6, 8, 36, 12 |
| | A. SPRAY VALVES FAIL OPEN | |
| | B. AUXILIARY SPRAY VALVES FAIL OPEN | |
| | C. PROPORTIONAL AND BACKUP HEATERS FAIL OFF | |
| | D. PRESSURIZER PRESSURE & LEVEL CONTROL SYSTEM FAILS HIGH | |

TABLE 3.2-6 (Cont.) (Sheet 7 of 9)

| MLD CATEGORY | EVENT CATEGORY / EVENT | EPRI NP-2230 CATEGORY |
|---|---|---|
| G | INDIRECT INITIATORS OF LOSS OF HEAT TRANSFER TO SECONDARY SIDE (Continued) | |
| | E. SPRAY VALVES FAIL CLOSED | |
| | F. PROPORTIONAL HEATERS FAIL FULL ON | |
| | G. BACKUP HEATERS FAIL ON | |
| | H. PPLC FAILS LOW | |
| | 10.5 PRIMARY SYSTEM POWER IMBALANCE | |
| | A. AXIAL OFFSET EXCESSIVE | |
| | B. FLUX / FLOW IMBALANCE | |
| | C. XENON OSCILLATIONS | |
| | 10.6 MULTIPLE EFFECTIVE TRANSIENT DUE TO LOSS OF SUPPORT SYSTEMS | |
| | A. LOSS OF COMPONENT COOLING WATER | 31 |
| | B. LOSS OF AC OR DC BUS | 37 |
| | C. LOSS OF INSTRUMENT AIR (SEE ALSO 8.1 AND 8.10) | |
| | 10.7 DECREASE IN RCS INVENTORY (NON-LOCA) | |
| | A. EXCESS LETDOWN / LETDOWN DIVERSION | |
| | B. DECREASED / LOST CHARGING | |
| | C. PRESSURIZER LEAKAGE WITHIN CHARGING CAPACITY | 7 |
| | D. OTHER PRIMARY LEAKAGE WITHIN CHARGING CAPACITY | 5 |
| | E. STEAM GENERATOR TUBE LEAKAGE WITHIN CHARGING CAPACITY | 5, 26 |

TABLE 3.2-6 (Cont.), Sheet 8 of 9: not legible in the source scan.

TABLE 3.2-6 (Cont.) (Sheet 9 of 9)

| MLD CATEGORY | EVENT CATEGORY / EVENT | EPRI NP-2230 CATEGORY |
|---|---|---|
| G | INDIRECT INITIATORS OF LOSS OF HEAT TRANSFER TO SECONDARY SIDE (Continued) | |
| | 14.0 OTHER | |
| | 14.1 FIRE WITHIN PLANT | 41 |
| H | EXCESS CORE POWER | |
| | 15.0 EXCESS CORE POWER | |
| | 15.1 CEA EJECTION | 2 |
| | 15.2 UNCONTROLLED CEA WITHDRAWAL | 2 |
| | 15.3 UNCONTROLLED GROUP WITHDRAWAL | 2 |
| | 15.4 BORON DILUTION | 11 |
| | 15.5 COLD WATER ADDITION (SEE 13.3 ALSO) | |
| I | ANTICIPATED TRANSIENT WITHOUT SCRAM (NOT ON MLD) | |

TABLE 3.2-7 (Sheet 1 of 4)

FINAL LIST OF INITIATING EVENTS

| EVENT NUMBER | EVENT / ELEMENTS | EPRI NP-2230 CATEGORY |
|---|---|---|
| 1 | VESSEL RUPTURE | -- |
| 2 | LARGE LOCA | --- |
| | PIPE BREAKS >0.2 ft² | |
| 3 | MEDIUM LOCA | -- |
| | PIPE BREAKS <0.2 ft², >0.05 ft² | |
| | MULTIPLE SAFETY VALVE OPENINGS | |
| 4 | SMALL LOCA | 4, 5, 7 |
| | PIPE BREAKS <0.05 ft², >0.0008 ft² | |
| | SINGLE SAFETY VALVE FAILURE | |
| | CONSEQUENTIAL SAFETY VALVE FAILURE | |
| | RCP HOUSING SEAL LEAK | 4 |
| 5 | INTERFACING SYSTEM LOCA | |
| | LETDOWN LINE BREAK OUTSIDE CONTAINMENT | |
| | SHUTDOWN COOLING LINE BREAK OUTSIDE CONTAINMENT | |
| | SAFETY INJECTION LINE BREAK OUTSIDE CONTAINMENT | |

TABLE 3.2-7 (Cont.), Sheet 2 of 4: not legible in the source scan.

TABLE 3.2-7 (Cont.) (Sheet 3 of 4)

| EVENT NUMBER | EVENT / ELEMENTS | EPRI NP-2230 CATEGORY |
|---|---|---|
| | FEEDWATER INSTABILITY - OPERATOR ERROR | 21 |
| | FEEDWATER INSTABILITY - MECHANICAL CAUSES | 22 |
| | INCREASE IN FEEDWATER FLOW (1 LOOP) | 19 |
| | INCREASE IN FEEDWATER FLOW (ALL LOOPS) | 20 |
| | LOSS OF CONDENSER VACUUM | 25 |
| | LOSS OF CIRCULATING WATER | 30 |
| | FEED LINE BREAK OUTSIDE CONTAINMENT | |
| | TURBINE TRIP THROTTLE VALVE CLOSURE, EHC PROBLEMS | 33 |
| | TURBINE TRIP, EQUIPMENT PROTECTION | |
| | GENERATOR TRIPS OR GENERATOR CAUSED FAULTS | 34 |
| | FULL OR PARTIAL CLOSURE OF MSIV (1 LOOP) | 17 |
| | CLOSURE OF ALL MSIV | 18 |
| | CONDENSER LEAKAGE | 27 |
| | MISCELLANEOUS SECONDARY SIDE LEAKAGE | 28 |
| | SPURIOUS OPENING OF 1 MSSV | |
| | SPURIOUS OPENING OF 1 TBV | |
| | SPURIOUS OPENING OF 1 ADV | |
| | CEA / GROUP DROP | 3 |
| | CEA WITHDRAWAL (AT POWER) | 2 |
| | SPURIOUS AUTOMATIC TRIP | 38 |

TABLE 3.2-7 (Cont.) (Sheet 4 of 4)

| EVENT NUMBER | EVENT / ELEMENTS | EPRI NP-2230 CATEGORY |
|---|---|---|
| 9 | TRANSIENTS (Continued) | |
| | AUTOMATIC TRIP - NO TRANSIENT CONDITION | 39 |
| | SPURIOUS MANUAL TRIP | 40 |
| | PRESSURIZER SPRAY FAILURE | 36 |
| | LOW PRESSURIZER PRESSURE | 6 |
| | HIGH PRESSURIZER PRESSURE | 8 |
| | PRESSURE / TEMPERATURE / POWER IMBALANCE | 12 |
| | LOSS OF RCS FLOW (1 LOOP) | 1 |
| | LOSS OF COMPONENT COOLING WATER | 31 |
| | LOSS OF SERVICE WATER | 32 |
| | LOSS OF NON-VITAL BUS | 37 |
| 10 | BORON DILUTION | 11 |
| 11 | ANTICIPATED TRANSIENTS WITHOUT SCRAM | |

4.0 ACCIDENT SEQUENCE DETERMINATION

4.1 LARGE LOCA - EVENT TREE 1

The Large LOCA event tree, Event Tree 1, applies to all reactor coolant system ruptures inside containment which have an effective break area greater than 0.2 ft². This includes the double ended guillotine break in a reactor coolant loop cold leg - the design basis accident.

The Large LOCA is a severe event in which blowdown of the reactor coolant system occurs within a very short period of time, from seconds to a few minutes. The accumulators refill the reactor vessel downcomer and the low pressure safety injection (LPSI) pumps restore and maintain water in the reactor vessel. Because of rapid depressurization, the nuclear reaction is quickly shut down due to voiding in the core region. Reactor trip is not required for this sequence.

After the reflood, subcriticality is assured by the boron concentration in the injected water. After the injection phase, switch-over to recirculation is required to continue decay heat removal. Additionally, some means of containment heat removal is required to maintain containment integrity, and to cool the RCS inventory in the sump to maintain suction head for the recirculation pumps.

After the core is quenched, long term cooling is initiated. For Large LOCA's, RCS pressure remains below 300 psi and shutdown cooling conditions cannot be established. Instead, simultaneous hot and cold leg injection is used for long term heat removal from the core and for flushing boric acid from the system to prevent concentration. Long term containment cooling and sump inventory cooling is accomplished by containment spray recirculation.

The following paragraphs describe the individual elements of the Large LOCA event tree.

4.1.1 Event Tree 1 Elements

4.1.1.1 Large LOCA Initiators

The Large LOCA event tree is initiated by random reactor coolant system pipe breaks with an effective break area greater than 0.2 ft². Reactor vessel breaks of a size and location as to be within the capabilities of the ECCS are included in this class of initiators. Large LOCA's which create a direct path outside containment are treated as a separate type of event (Interfacing System LOCA). LOCA's arising as a consequence of another type of event are evaluated within the context of that event. Large LOCA's caused by external events such as seismic events are outside of the scope of this study.

4.1.1.2 Safety Injection Tank (SIT) Injection

The Safety Injection Tanks provide the initial injection of borated water needed to cool the core following a LOCA. There are four SITs, one per Reactor Coolant System (RCS) cold leg. It is assumed that one SIT feeds the RCS break. The success criterion for SIT injection is that the remaining three SITs inject coolant into the three intact RCS cold legs. (Expert opinion is that two of the remaining three SITs should deliver sufficient coolant to provide the initial core cooling.)

4.1.1.3 Low Pressure Safety Injection (LPSI)

Low Pressure Safety Injection provides core cooling following a LOCA until decay heat has dropped to the point where boiloff can be matched by the High Pressure Safety Injection recirculation cooling. The success criterion for Low Pressure Safety Injection is that one of two LPSI pumps must deliver flow to the RCS.

The refueling water storage tank (RWST) provides the source of borated water (4000 PPM < C < 4400 PPM) required for low pressure injection and recirculation cooling of the core as well as containment spray following a large LOCA event. The RWST is a large stainless steel tank containing approximately 600,000 gallons of borated water. (NOTE: RWST minimum volume is determined based on cold shutdown requirements. The volume required for ECCS operation is approximately 500,000 gallons.) The RWST has three suction lines: one which supplies the charging pumps; one which supplies the A train High Pressure Safety Injection (HPSI), Low Pressure Safety Injection (LPSI) and Containment Spray (CS) pumps; and one which supplies the B train HPSI, LPSI and CS pumps.

The RWST level is alarmed in the control room and, per technical specifications, RWST level and boron concentration must be verified once every seven days.

4.1.1.4 HPSI Recirculation

Following injection of the RWST water into the Reactor Coolant System, a Recirculation Actuation Signal (RAS) is generated to switch the suction of the High Pressure Safety Injection (HPSI) pumps from the RWST to the containment sump. Using the HPSI pumps provides long-term core cooling and core covery.

RAS occurs approximately 30 minutes after a large LOCA. The RAS secures the LPSI pumps and opens the sump isolation valves so that the HPSI and CS pumps can take suction from the sump. Operator action is required to close the RWST isolation valves after verifying flow from the sump. (NOTE: Recirculation will probably be successful even if RWST valves are not closed.) The success criterion for cold leg recirculation is that one HPSI pump provides flow from the sump to the RCS.

4.1.1.5 Hot Leg Recirculation

Following a period of cold leg recirculation after a large LOCA, hot and cold leg injection is needed to assure circulation through the core and to prevent boric acid crystallization. Approximately 2 to 3 hours post-LOCA, the hot leg injection valves are manually opened. The success criteria for hot and cold leg injection are: successful cold leg recirculation, and opening of the hot leg injection valve for an operating HPSI loop.

4.1.1.6 Recirculation Cooling

Initial core and RCS heat removal following a large LOCA is achieved via injection of the SIT and RWST inventory. Following the initial injection phase, core heat removal is maintained via hot and cold leg recirculation. However, heat must be removed from the reactor coolant to prevent high sump temperature and resulting HPSI pump cavitation. This is achieved by circulating the sump inventory through the shutdown cooling heat exchangers and back into the containment via the spray headers. The success criteria for recirculation cooling are:

a) One containment spray pump provides flow from the sump through one shutdown cooling heat exchanger and back to the containment via the spray headers.

b) Essential chilled water flow must be maintained to the operating shutdown cooling heat exchanger.

4.1.2 Major Dependencies

The following functional dependencies are important for Event Tree 1:

a) If the RWST is unavailable, LPSI Injection, HPSI Recirculation and Hot Leg Recirculation fail because there is no source of water.

b) If SIAS fails, there is no actuation signal for ECCS equipment. Hence, LPSI Injection, HPSI Recirculation and Hot Leg Recirculation fail.

c) If LPSI fails, extensive core damage is likely. The LPSI system and the Containment Spray System share a common suction line to the RWST, so containment spray failure may also occur.

d) Failure of HPSI recirculation results in failure of hot leg recirculation because both rely on the HPSI system.

e) Failure of either HPSI recirculation or hot leg recirculation is presumed to result in failure of recirculation cooling because all three use a common suction header. This is slightly conservative because CS uses different pumps. This assumption does not affect core melt frequency.
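The success criteria of Section 4.1.1 and the functional dependencies a), b), d) and e) of Section 4.1.2 can be checked mechanically against a given equipment state. The following Python example is added here and is not part of the original report; the field names, the train "A"/"B" pairing of HPSI pumps with hot leg valves, and the `sits_required` parameter are assumptions made for illustration.

```python
"""Heading-by-heading success check for Event Tree 1 (Large LOCA).

Added illustration: all identifiers are hypothetical. Only the status of
each event tree heading is evaluated; no probabilities or end states are
assigned.
"""
from dataclasses import dataclass, field

HEADINGS = ("SIT Injection", "LPSI Injection", "HPSI Recirc",
            "Hot Leg Recirc", "Recirc Cooling")


@dataclass
class PlantState:
    rwst_available: bool = True       # source of borated water
    sias_actuated: bool = True        # actuation signal for ECCS equipment
    sits_injecting: int = 3           # SITs injecting into intact cold legs (0..3)
    lpsi_pumps_delivering: int = 2    # LPSI pumps delivering flow to the RCS (0..2)
    # Per-train HPSI status; the train names are an assumption.
    hpsi_pump_on_sump: dict = field(
        default_factory=lambda: {"A": True, "B": True})
    hot_leg_valve_open: dict = field(
        default_factory=lambda: {"A": True, "B": True})
    cs_pumps_via_sdc_hx: int = 2      # CS pumps circulating sump water through
                                      # a shutdown cooling heat exchanger
    chilled_water_to_hx: bool = True  # essential chilled water to that exchanger


def evaluate_large_loca(s: PlantState, sits_required: int = 3) -> dict:
    """Return {heading: success} per Sections 4.1.1 and 4.1.2.

    sits_required defaults to the stated criterion (three SITs); the text
    notes expert opinion that two should be sufficient.
    """
    # Dependencies a) and b): without the RWST or SIAS, LPSI injection,
    # HPSI recirculation and hot leg recirculation all fail.
    support_ok = s.rwst_available and s.sias_actuated

    # 4.1.1.2: one SIT is assumed to feed the break.
    sit = s.sits_injecting >= sits_required
    # 4.1.1.3: one of two LPSI pumps must deliver flow.
    lpsi = support_ok and s.lpsi_pumps_delivering >= 1
    # 4.1.1.4: one HPSI pump provides flow from the sump to the RCS.
    running = [t for t, on in s.hpsi_pump_on_sump.items() if on]
    hpsi_recirc = support_ok and len(running) >= 1
    # 4.1.1.5 and dependency d): needs successful cold leg recirculation
    # and an open hot leg valve on an operating HPSI loop.
    hot_leg = hpsi_recirc and any(
        s.hot_leg_valve_open.get(t, False) for t in running)
    # 4.1.1.6 criteria a) and b), then dependency e): presumed failed if
    # either recirculation heading failed.
    cooling = (s.cs_pumps_via_sdc_hx >= 1 and s.chilled_water_to_hx
               and hpsi_recirc and hot_leg)

    return dict(zip(HEADINGS, (sit, lpsi, hpsi_recirc, hot_leg, cooling)))


def failed_headings(s: PlantState, sits_required: int = 3) -> list:
    """List the failed headings in event tree order."""
    status = evaluate_large_loca(s, sits_required)
    return [h for h in HEADINGS if not status[h]]
```

Dependency c) is not modelled as a heading failure because the text states it only as a possible consequence ("may also occur").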

4.1.3 Major Recovery Actions

The following major recovery actions will be addressed in the recovery analysis for the Large LOCA Event Sequences:

a) If HPSI Recirculation fails due to failure of the injection valves, cold leg injection flow can be established by restarting the LPSI pumps. However, HPSI pump flow is still required for hot leg injection.

b) LPSI pumps can be used for recirculation cooling if the containment spray pumps are unavailable. This requires starting the pumps and aligning valves such that the LPSI pump discharge is aligned to the shutdown cooling heat exchanger.

[Event Tree 1 - Large LOCA: event tree figure not legible in the source scan.]

4.2 MEDIUM LOCA - EVENT TREE 2

The Medium LOCA event tree, Event Tree 2, applies to all reactor coolant system ruptures inside containment which have an effective break area from 0.05 ft² to 0.2 ft². The Medium LOCA category encompasses a spectrum of break sizes sufficient for decay heat removal via the break, but for which RCS pressure does not decrease to the shutoff head pressure for the low pressure injection pumps until several hundred seconds into the accident, and the LPSI pumps do not deliver significant flow. The temperature transient is mitigated primarily by the safety injection tanks and the high pressure injection pumps. Reactor trip is required for reactivity control.

The systems required for response to a Medium LOCA include the safety injection tanks, the high pressure safety injection system, the Reactor Protection System, and the ESFAS. The high pressure safety injection pumps are also required for HPSI recirculation and hot leg recirculation during the long term cooling phase. After the core is re-covered, long term cooling is initiated. For Medium LOCA's, shutdown cooling conditions cannot be established. Therefore, Large break LOCA procedures are used and simultaneous hot and cold leg injection is used to cool the core and control boric acid concentration in the system. Long term recirculation cooling is provided by the containment spray pumps and the shutdown cooling heat exchanger.

The following paragraphs describe the individual elements of this event tree.

4.2.1 Event Tree 2 Elements

4.2.1.1 Medium LOCA Initiators

The Medium LOCA event tree is initiated by random reactor coolant system pipe breaks with an effective break area greater than 0.05 ft², but less than 0.2 ft². Medium LOCA's which create a direct path outside containment are treated as a separate type of event (Interfacing System LOCA). Medium LOCA's caused by external events such as seismic events are outside of the scope of this study.

4.2.1.2 Reactor Trip

The Reactor Protection System (RPS) trips the reactor to reduce thermal energy production following a transient by removing power from the control element drive mechanism (CEDM) busses, which allows the control element assemblies (CEA's) to drop into the reactor core under the influence of gravity. De-energization of the CEDM busses on reactor trip also generates a turbine trip.

For a Medium LOCA, the RPS will generate a reactor trip signal on low pressurizer pressure.

The success criteria for this element are:

a) a trip signal is generated,

b) both CEDM busses are de-energized,

c) all CEAs are inserted into the core.

(NOTE: expert opinion is that de-energization of one CEDM bus and insertion of half of the CEAs should be sufficient to shut down the reactor.)

4.2.1.3 Safety Injection Tank (SIT) Injection

The Safety Injection Tanks may provide the initial injection of borated water needed to cool the core following a LOCA, depending on break size and HPSI start-up time. There are four SITs, one per Reactor Coolant System (RCS) cold leg. It is assumed that one SIT feeds the RCS break. The success criterion for SIT injection is that the remaining three SITs inject coolant into the three intact RCS cold legs. (Expert opinion is that two of the remaining three SITs should deliver sufficient coolant to provide the initial core cooling.)

4.2.1.4 High Pressure Safety Injection (HPSI)

The primary function of High Pressure Safety Injection (HPSI) is to inject borated water into the RCS. There are two HPSI pumps and success is defined as one HPSI pump injecting water into three of four RCS cold legs. The HPSI system gets its actuation signal from the SIAS and its water supply from the RWST.

Recirculation of water from the containment sump with the HPSI pumps is treated as a separate element in the event tree. HPSI starts to inject water into the RCS as soon as the RCS pressure falls below the HPSI pump head, but the important contribution is after the SITs have exhausted their water supply. At this stage, the HPSI system must inject coolant into the core to prevent core damage.

4.2.1.5 HPSI Recirculation

Following injection of the RWST water into the Reactor Coolant System, a Recirculation Actuation Signal (RAS) is generated to switch the suction of the High Pressure Safety Injection (HPSI) pumps from the RWST to the containment sump. Recirculation of the RWST water in the containment sump using the HPSI pumps provides long-term core cooling and core covery. RAS occurs approximately 30 minutes after a Medium LOCA. The RAS secures the LPSI pumps and opens the sump isolation valves so that the HPSI and CS pumps can take suction from the sump. Operator action is required to close the RWST isolation valves after verifying flow from the sump. (NOTE: Recirculation will probably be successful even if RWST valves are not closed.) The success criterion for cold leg recirculation is that one HPSI pump provides flow from the sump to the RCS via two of four cold legs.

4.2.1.6 Hot and Cold Leg Recirculation

Following a period of cold leg recirculation after a Medium LOCA, hot and cold leg injection is needed to provide circulation through the core and to prevent boric acid concentration. Approximately 3 to 8 hours post-LOCA, the hot leg injection valves are manually opened. The success criteria for hot and cold leg injection are: successful cold leg recirculation, and opening of the hot leg injection valve for an operating HPSI loop.

4.2.1.7 Recirculation Cooling

Initial core and RCS heat removal following a Medium LOCA is achieved via injection of the SIT and RWST inventory. Following the initial injection phase, core heat removal is maintained via hot and cold leg recirculation. However, heat must be removed from the reactor coolant in the sump to prevent HPSI pump cavitation. This is achieved by circulating the sump inventory through the shutdown cooling heat exchangers and back into the containment via the spray headers. The success criteria for recirculation cooling are:

a) One containment spray pump provides flow from the sump through one shutdown cooling heat exchanger and back to the containment via the spray headers.

b) Essential chilled water flow must be maintained to the operating shutdown cooling heat exchanger.

4.2.2 Major Dependencies

The following functional dependencies are important for Event Tree 2:

a) If the RWST is unavailable, then HPSI Injection, HPSI Recirculation, Hot Leg Recirculation and Recirculation Cooling fail because there is no source of water.

b) If SIAS fails, there is no actuation signal for ECCS equipment. Hence, HPSI Injection, HPSI Recirculation and Hot Leg Recirculation fail.

c) Failure of HPSI recirculation results in failure of hot leg recirculation.

d) Failure of either HPSI recirculation or hot leg recirculation is presumed to result in failure of recirculation cooling because HPSI and CS use a common suction. This is somewhat conservative because CS uses different pumps. This assumption does not affect core melt frequency.

e) Failure of the HPSI system results in failure of HPSI injection, HPSI recirculation and hot leg recirculation.

4.2.3 Major Recovery Actions

The following major recovery actions will be addressed in the recovery analysis for the Medium LOCA Event Sequences:

a) LPSI pumps can be used for recirculation cooling if the containment spray pumps are unavailable. This requires starting the pumps and aligning valves such that the LPSI pump discharge is aligned to the shutdown cooling heat exchanger.

FIGURE 4.2-1 EVENT TREE 2 - MEDIUM LOCA

[Event tree figure; branch structure not legible in the source scan. Headings: MEDIUM LOCA, REACTOR TRIP, SIT INJECTION, HPSI INJECTION, HPSI RECIRC, HOT LEG RECIRC, RECIRC COOLING. Sequence labels as shown: 1; 2 CM; 3 CM; ATWS; 4 CM; 5 CM; 6 CM.]

4.3 SMALL LOCA - EVENT TREE 3

The Small LOCA event tree, Event Tree 3, applies to all reactor coolant system ruptures inside containment which have an effective break area between 0.0008 ft² and 0.05 ft². The Small LOCA category encompasses a spectrum of break sizes for which primary pressure remains above the point at which the safety injection tanks will inject and for which core uncovery is not expected. High pressure safety injection is required for primary system inventory control, CEA insertion is required for reactivity control and secondary side heat removal is needed for decay heat removal. Hot and cold leg injection is not required for boric acid flushing during the long term cooling phase.

The systems required for response to a Small LOCA are the RPS/CEA's, high pressure safety injection, auxiliary (or normal) feedwater, some means of secondary steam removal (turbine bypass valves or atmospheric steam dump valves) and the shutdown cooling system. The high pressure injection system is required for recirculation, but hot and cold leg injection during long term cooling is not required.

The following paragraphs describe the individual elements of this event tree.


4.3.1 Event Tree 3 Elements

4.3.1.1 Small LOCA Initiators

The Small LOCA event tree is initiated by random reactor coolant system pipe breaks with an effective break area greater less than 0.05 ft². Small LOCA's which create a direct path outside containment are treated as a separate type of event (Interfacing System LOCA). LOCA's arising as a consequence of another type of event are evaluated within the context of that event. LOCA's caused by external events such as seismic events are outside of the scope of this study.

4.3.1.2 Reactor Trip

The Reactor Protection System (RPS) trips the reactor to reduce thermal energy production following a transient by removing power from the control element drive mechanism (CEDM) busses which allows the control element assemblies (CEA's) to drop into the reactor core under the influence of gravity. De-energization of the CEDM busses on reactor trip also generates a turbine trip.

On a Small LOCA, the RPS will generate a reactor trip signal on low pressurizer pressure.

The success criteria for this element are:

a) a trip signal is generated,

b) both CEDM busses are de-energized,

c) all CEAs are inserted into the core.

(NOTE: expert opinion is that de-energization of one CEDM bus and insertion of half of the CEAs should be sufficient to shutdown the reactor.)

4.3.1.3 High Pressure Safety Injection (HPSI)

The High Pressure Safety Injection (HPSI) system injects borated water into the RCS if a break occurs in the RCS boundary. There are two HPSI pumps and success is defined as one HPSI pump injects water into two of four RCS cold legs. The HPSI system gets its actuation signal from the SIAS and water supply from the RWST. Recirculation of water from the containment sump with the HPSI pumps is treated as a separate element in the event tree. The HPSI starts to inject water into the RCS as soon as the RCS pressure falls below the HPSI pump head.

4.3.1.4 Deliver Auxiliary Feedwater

Following a Small LOCA event, feedwater must be supplied to the steam generators in order to remove decay heat from the RCS. Auxiliary feedwater is automatically actuated by the engineered safety features actuation system (ESFAS). It can also be manually actuated from the control room. The success criterion for this element is that auxiliary feedwater flow must be delivered from one of two category 1 auxiliary feedwater pumps to one steam generator.

4.3.1.5 Remove Secondary Steam

Secondary steam must be removed from the steam generators to control secondary pressure, and to remove secondary heat (transferred from RCS). The following sections describe the three credited methods of secondary steam removal.

4.3.1.5.1 Turbine Bypass Valves

The preferred means of removing secondary steam is via the turbine bypass valves. These valves are automatically opened by the steam bypass control system to prevent lifting of the secondary safety valves following a turbine trip. These valves can also be remotely opened from the control room. Six of the eight valves dump to the condenser and the other two dump to atmosphere.

The turbine bypass valves will not open if the condenser is unavailable.

The success criterion for this element is that one of eight bypass valves open to remove secondary steam.

4.3.1.5.2 Atmospheric Dump Valves (ADV)

If the turbine bypass valves are unavailable, secondary steam can be removed using the atmospheric dump valves, two per steam generator. These valves are remotely controlled from the control room.

The success criterion for this element is that one of the four atmospheric dump valves open to remove secondary steam.

4.3.1.5.3 Main Steam Safety Valves (MSSV)

If the turbine bypass valves and the atmospheric dump valves are unavailable, the steam generator pressure will increase until the main steam safety valve setpoint is reached. The main steam safety valves will then begin to cycle to maintain the steam generator pressure in a narrow band around the main steam safety valve setpoint pressure. The RCS temperature and pressure will then increase until an equilibrium point is reached where the heat transfer from the RCS to the steam generators is balanced by the heat removed through the main steam safety valves. As long as auxiliary feedwater is available, the plant will remain stable. However, it is not possible to bring the plant to shutdown cooling entry conditions unless an atmospheric dump valve or a turbine bypass valve is restored.

The success criterion for this element is that one of twenty main steam safety valves open. (NOTE: Failure of an MSSV to reseat is not considered problematic in this case because it would be approximately equivalent to having a dump or bypass valve open for steam removal.)

4.3.1.6 Deliver Alternate Feedwater

If auxiliary feedwater is not available, it may be possible to deliver water to the steam generators from the low head condensate pumps. The operator would have to reduce the secondary pressure to approximately 600 psia using the turbine bypass or atmospheric dump valves. (NOTE: Main steam safety valves cannot be used for this.) The operator then must align the feedwater system so that the main feedwater pumps are bypassed and then start the condensate pumps. The operator will also have to trip the RCPs (if they have not been tripped already) to eliminate their heat input to the RCS and initiate auxiliary spray to control RCS pressure. Success of this operation requires that power be available for the condensate pumps, that condensate pumps have not failed, and that the downcomer feedwater control valves and the main feedwater isolation valves are open or can be opened.

With loss of all feedwater, the RCS temperature is controlled at a value slightly above that corresponding to steam generator saturation conditions until a substantial portion of the tube bundle in each steam generator is uncovered. At this point, RCS temperature will begin to increase. When the steam generators boil dry, RCS temperature and pressure will rise rapidly. If conditions in the RCS reach the setpoints for the primary safety valves, RCS inventory will begin to discharge out the safety valves. If a secondary heat sink is not re-established and loss of RCS inventory continues at high pressure, core uncovery will occur. Core damage conditions, defined for this study as peak cladding temperatures of 2200°F, will be reached in approximately 70 minutes following a reactor trip signal based on low steam generator level.

The success criterion for this element (deliver alternate feedwater) is that flow be delivered from one of three condensate pumps to one steam generator within 60 minutes following the plant trip.

The emergency operating procedure guidelines specify that if main and auxiliary feedwater are lost, flow to the steam generators must be re-established, but they do not specify how to do this. Thus, the operator actions required to achieve this goal are considered to be knowledge-based and performed under high stress conditions within a limited time frame. If emergency procedures specifying how to align the feedwater system to deliver flow from the condensate pumps to the steam generators were developed, these actions could be classified as rule-based.

4.3.1.7 Depressurize for LPSI Injection

If, following a Small LOCA, the high pressure safety injection system does not function, the LPSI system can be used to provide injection. The primary system must be aggressively depressurized using the secondary system for rapid heat removal. To achieve this, both steam generators must be used.

The success criteria for this element are:

a) Aggressive cooldown is initiated within 15 minutes.

b) Auxiliary feedwater is supplied to both steam generators.

c) Steam is removed from both steam generators using either two of eight turbine bypass valves (with a path from both generators) or one of two atmospheric dump valves on each generator.

d) LPSI flow is delivered from the RWST using one of two LPSI pumps.

SIT injection will occur during the blowdown, but this alone would, in general, not be sufficient to satisfy the inventory requirements.

4.3.1.8 HPSI Recirculation

Following injection of the RWST water into the Reactor Cooling System, a Recirculation Actuation Signal (RAS) is generated to switch the suction of the High Pressure Safety Injection (HPSI) pumps from the RWST to the containment sump. Recirculation of the RWST water in the containment sump using the HPSI pumps provides long-term core cooling and core covery. The RAS secures the LPSI pumps and opens the sump isolation valves so that the HPSI and CS pumps can take suction from the sump. Operator action is required to close the RWST isolation valves after verifying flow from the sump. (NOTE: Recirculation will probably be successful even if RWST valves are not closed.) The success criterion for cold leg recirculation is that one HPSI pump provides flow from the sump to the RCS.

4.3.1.9 LPSI Recirculation

If HPSI recirculation cannot be established, the LPSI system can be used as a backup if the primary system can be rapidly depressurized, or has already been depressurized, using the secondary system. As for LPSI injection (See 4.3.1.7), heat removal from both steam generators is required. The success criteria for this element are:

a) If the RCS is at pressure:

1) deliver auxiliary feedwater to both generators,

2) remove steam from both generators using 2 of eight turbine bypass valves and a path from each steam generator or using one of two atmospheric dump valves on each generator,

3) deliver flow from the containment sump to the RCS using one LPSI pump.

b) If LPSI injection had been used:

1) deliver flow from the sump to the RCS using one LPSI pump (system already depressurized).

RAS secures the LPSI pumps, so in both cases above, the pumps have to be restarted.

4.3.1.10 Establish Shutdown Cooling

Once the plant has been cooled down to shutdown cooling entry conditions (350°F and 400 psia) the plant can be brought to cold shutdown using the shutdown cooling system. The success criterion for this element is that shutdown cooling flow be established through one shutdown cooling system train.

4.3.1.11 Maintain Secondary Heat Removal (MSHR)

If shutdown cooling entry conditions cannot be achieved, or the shutdown cooling system is unavailable, the plant must be maintained in a stable condition via continued secondary heat removal. The success criteria for this element vary depending on the status of auxiliary feedwater. The criteria are:

a) For sequences with auxiliary feedwater available:

1) deliver flow from 1 of 2 AFW pumps and remove steam via 1 of 8 TBVs, or 1 of 4 ADVs or 1 of 20 MSSVs;

b) For sequences with auxiliary feedwater unavailable:

1) deliver flow from 1 of 3 condensate pumps and remove steam via 1 of 8 TBVs or 1 of 4 ADVs; (MSSVs cannot be used as secondary pressure must be maintained at or below 600 psia.)

In both cases, additional water inventory must be provided to the condensate storage tank before it empties at between 16 and 20 hours following the event.

4.3.2 Major Dependencies

The following major dependencies are important for Event Tree 3:

a) If HPSI injection fails, HPSI recirculation also fails.

b) If auxiliary feedwater is unavailable, the main steam safety valves do not provide a success path for steam removal because the secondary system must be depressurized to 600 psia to use the condensate pumps.

c) If the HPSI system fails, both steam generators must be used for secondary heat removal in order to depressurize the primary system below the LPSI cutoff head before core uncovery occurs.

d) If the RWST is unavailable, there is no inventory available for injection. The core will uncover and melt.
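The success criteria of Sections 4.3.1.5, 4.3.1.7 and 4.3.1.11 and the dependencies of Section 4.3.2 can be written out as k-of-n checks. The following Python sketch is an added illustration and not part of the original report; the class, field and function names are assumptions, and the component counts passed in are constructed inputs.

```python
from dataclasses import dataclass


@dataclass
class PlantState:
    """Components that operate on demand. Field names are assumptions."""
    hpsi_pumps: int = 2            # of 2
    lpsi_pumps: int = 2            # of 2
    rwst_available: bool = True
    afw_pumps: int = 2             # of 2 auxiliary feedwater pumps
    sgs_fed_by_afw: int = 2        # steam generators that AFW flow can reach
    condensate_pumps: int = 3      # of 3
    condenser_available: bool = True
    tbvs: int = 8                  # of 8 turbine bypass valves
    tbv_path_both_sgs: bool = True
    advs_sg1: int = 2              # two atmospheric dump valves per generator
    advs_sg2: int = 2
    mssvs: int = 20                # of 20 main steam safety valves


def usable_tbvs(s):
    # 4.3.1.5.1: the turbine bypass valves will not open without the condenser.
    return s.tbvs if s.condenser_available else 0


def steam_removal_path(s, mssv_credited):
    """4.3.1.5.1 to 4.3.1.5.3, tried in the order the report prefers them."""
    if usable_tbvs(s) >= 1:
        return "TBV"
    if s.advs_sg1 + s.advs_sg2 >= 1:
        return "ADV"
    if mssv_credited and s.mssvs >= 1:
        return "MSSV"
    return None


def maintain_secondary_heat_removal(s):
    """4.3.1.11, including dependency 4.3.2 b). Returns (feed source, steam path)."""
    if s.afw_pumps >= 1 and s.sgs_fed_by_afw >= 1:
        path = steam_removal_path(s, mssv_credited=True)
        return ("AFW", path) if path else None
    if s.condensate_pumps >= 1:
        # Condensate pumps need the secondary at or below 600 psia,
        # which the MSSVs cannot provide, so they are not credited here.
        path = steam_removal_path(s, mssv_credited=False)
        return ("condensate", path) if path else None
    return None


def depressurize_for_lpsi(s, cooldown_start_min):
    """4.3.1.7 criteria a) to d); both steam generators are required (4.3.2 c)."""
    steam_from_both = (
        (usable_tbvs(s) >= 2 and s.tbv_path_both_sgs)
        or (s.advs_sg1 >= 1 and s.advs_sg2 >= 1)
    )
    return (
        cooldown_start_min <= 15
        and s.afw_pumps >= 1 and s.sgs_fed_by_afw == 2
        and steam_from_both
        and s.lpsi_pumps >= 1 and s.rwst_available
    )


def injection_source(s, cooldown_start_min):
    """Which system supplies RCS inventory, or None if no success path remains."""
    if not s.rwst_available:
        return None                # 4.3.2 d): no inventory available
    if s.hpsi_pumps >= 1:
        return "HPSI"              # 4.3.1.3: one of two HPSI pumps
    if depressurize_for_lpsi(s, cooldown_start_min):
        return "LPSI"
    return None


if __name__ == "__main__":
    # Constructed scenario: AFW lost, condenser lost, ADVs failed, MSSVs healthy.
    s = PlantState(afw_pumps=0, condenser_available=False, advs_sg1=0, advs_sg2=0)
    print(maintain_secondary_heat_removal(s))   # None: MSSVs alone are not credited
```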


EVENT TREE 3 - SMALL LOCA (event tree headings: Small LOCA, Reactor Trip, HPSI Injection, Deliver AFW, TBV's or ADV's, Main Steam Safeties, Deliver Alternate Feedwater, Depress to LPSI Inject, HPSI Recirc, LPSI Recirc (Depress), Establish Shutdown Cooling, Maintain Sec. Heat Removal)

4.4 STEAM GENERATOR TUBE RUPTURE - EVENT TREE 4

The steam generator tube rupture (SGTR) event tree, event tree 4 (Figure 4.4-1) applies to the rupture of one or more tubes in one steam generator causing primary coolant to leak to the secondary system. Credible tube failures range in severity from leak rates of a few to several hundred gallons per minute for the guillotine rupture of several tubes. The event chosen as representative of this range is the complete severance of a single tube, resulting in a leakage rate of about 400 gpm at normal RCS and secondary-system conditions. This choice was made on the basis that less than complete failure will result in much smaller leak rates, generally within the capacity of the normal makeup system, and a fairly normal shutdown can take place. Multiple-tube failures, on the other hand, were not explicitly addressed because they are much less likely and because the success criteria for systems called upon to respond are substantially the same as those for the failure of a single tube. In fact, multiple-tube failures may aid in depressurizing the RCS, a necessary action in recovering from a tube failure.

4.4.1 Normal Transient Progression

A steam generator tube rupture event begins as a breach of the primary coolant barrier between the RCS and the secondary side of the steam generator. Primary system pressure (nominally 2250 psia) is initially much greater than the steam generator pressures (nominally 1000 psia), so reactor coolant flows from the primary into the secondary side of the affected steam generator. In response to this loss of reactor coolant, pressurizer level decreases at a rate which is dependent upon the size of the rupture and the number of failed tubes. RCS pressure also decreases as the steam bubble in the pressurizer expands. For normal response, charging flow will automatically increase and pressurizer heaters will energize in an effort to stabilize pressure and level. However, if leakage exceeds the capacity of the Chemical and Volume Control System, reactor coolant inventory will continue to decrease and eventually lead to an automatic reactor trip signal on CPC hot leg saturation. Prior to this, normal letdown flow would isolate, and pressurizer heaters would turn off on low pressurizer water level.

Following reactor trip, core power rapidly decreases to decay heat levels, steam flow to the turbine is terminated, and the turbine bypass system actuates to dump steam to the condenser to establish no-load coolant temperatures in the primary system. Following turbine trip but prior to the opening of the bypass valves, secondary pressure may momentarily spike high enough to lift the first MSSV on each steam generator. If the turbine bypass system is unavailable, all MSSVs would lift to relieve steam flow. The normal feedwater control system throttles feedwater flow in response to the reduced steam flow. If normal feedwater flow is interrupted, the auxiliary feedwater system would be automatically actuated on low steam generator level, or it could be manually actuated. Eventually, manual action is required to control auxiliary (or normal) feedwater flow to maintain proper level in the intact steam generator. If, at this point, the turbine bypass system were unavailable, the operators would open one ADV on each steam generator to initiate plant cooldown.

Following the reactor trip, RCS pressure decreases more rapidly as the energy transfer to the secondary system shrinks the reactor coolant and the tube rupture flow depletes the primary inventory. This results in an SIAS on low pressurizer pressure shortly after the reactor trip. On SIAS, two of the four RCPs (in opposite loops) would be manually tripped. If RCP operating limits were not met, the remaining two RCPs would also be tripped. (Two of the four RCPs would be restarted if and when restart criteria were met.)

Following reactor trip, initiation of plant cooldown, and safety injection, the operators would identify and isolate the steam generator with the tube rupture. The actions involved include closing the appropriate MSIV, ADV and MFIV. Steam generator blowdown, vents, drains, exhausts and bleedoffs would also be isolated.

Operators must also act to stabilize the reactor coolant system and cooldown and depressurize it to a pressure at or slightly above the pressure in the affected steam generator to terminate (or minimize) the leak flow to the affected generator. (Note: RCS kept slightly above affected generator to prevent reverse flow and potential dilution of the RCS.) The RCS is cooled down by secondary heat removal via the unaffected steam generator. Feedwater flow is provided by the main feedwater system or the auxiliary feedwater system and steam is removed by the turbine bypass system (preferred) or the atmospheric dump valves. The Pressurizer spray, if the RCPs are running, or auxiliary spray is used for RCS pressure control and depressurization. When pressurizer level and hot leg subcooling are recovered, the operator would throttle the HPSI flow to prevent repressurizing the RCS and increasing the leak rate to the secondary system.

Following isolation of the affected steam generator, its level will continue to increase as long as there is a non-zero leak rate. To prevent overfilling the affected steam generator, it may be necessary to occasionally drain the steam generator via the blowdown system, or, if the blowdown system is unavailable, by dumping steam to the condenser if the turbine bypass system is available or to the atmosphere using the ADV's if the turbine bypass system is unavailable.

With the RCS stabilized and the affected generator isolated, the RCS will be cooled down and depressurized to shutdown cooling entry conditions (350°F and 400 psia). The shutdown cooling system would be aligned and started and the plant would be taken to cold shutdown for repair. During the cooldown to shutdown cooling entry conditions, the RWT and condensate storage tank (CST) levels must be monitored to ensure adequate inventory for the cooldown.

4.4.2 Accident Progression with Coincident LOOP

If a loss of offsite power (LOOP) occurs coincident with the tube rupture, system behavior will be slightly different, but the recovery actions will be similar, albeit using different equipment. With offsite power unavailable, the turbine bypass system and the main feedwater system will be unavailable due to loss of condenser vacuum on loss of the circulation water pumps. Thus, secondary side cooldown is achieved using the auxiliary feedwater system and the ADVs. Also, with the TBS unavailable, the MSSV's will lift to handle initial steam flow following turbine trip. The steam generator blowdown system will be unavailable, so level in the affected generator will be controlled using the ADV's. All RCPs will trip on loss of offsite power, so the normal pressurizer sprays will be unavailable. Thus, auxiliary sprays must be used for depressurization. In addition, with the RCPs not running, the RCS will be in natural circulation so hot leg temperatures will lag cold leg and steam generator temperatures and the upper head region will be inactive. These effects result in a slower cooldown and an increased chance of voiding in the upper head region. However, cooldown, RCS inventory control and RCS pressure control can be maintained with available equipment.

4.4.3 Event Tree 4 Elements

4.4.3.1 Steam Generator Tube Rupture Initiators

Steam generator tube ruptures include the failure of one or more steam generator tubes in one or both steam generators such that the total leak flow rate exceeds the capacity of the charging system (144 gpm).

4.4.3.2 Reactor Trip

The Reactor Protection System (RPS) trips the reactor to reduce thermal energy production following a transient by removing power from the control element drive mechanism (CEDM) busses which allows the control element assemblies (CEA's) to drop into the reactor core under the influence of gravity. De-energization of the CEDM busses on reactor trip also generates a turbine trip.

For a steam generator tube rupture, the RPS will generate a trip signal on CPC hot leg saturation, CPC out-of-range, low DNBR, or low pressurizer pressure.

The success criteria for this element are:

a) a trip signal is generated,

b) both CEDM busses are de-energized,

c) all CEAs are inserted into the core.

(NOTE: expert opinion is that de-energization of one CEDM bus and insertion of half of the CEAs should be sufficient to shutdown the reactor.)

4.4.3.3 High Pressure Safety Injection

The High Pressure Safety Injection (HPSI) pumps inject borated water into the RCS to make up lost inventory if a break occurs in the RCS boundary. There are two HPSI pumps and success is defined as one HPSI pump injects water into two of four RCS cold legs. The HPSI system gets its actuation signal from the SIAS and water supply from the RWST. The HPSI starts to inject water into the system as soon as the primary pressure falls below the HPSI pump head.

4.4.3.4 Deliver Auxiliary Feedwater

Following an SGTR event, auxiliary feedwater must be supplied to the intact steam generator in order to remove decay heat from the RCS. Auxiliary feedwater is automatically actuated by the engineered safety features actuation system (ESFAS) or it can be manually actuated from the control room.

The success criterion for this element is that auxiliary feedwater flow must be delivered from one of two category 1 auxiliary feedwater pumps to the intact steam generator.

4.4.3.5 Remove Secondary Steam

Secondary steam must be removed from the intact steam generator to control secondary pressure, to remove secondary heat (transferred from RCS) and to prevent steam generator overfill. The following sections describe the primary methods of secondary steam removal following an SGTR event.

4.4.3.5.1 Turbine Bypass Valves

The preferred means of removing secondary steam is via the turbine bypass valves. These valves are automatically opened by the steam bypass control system to prevent lifting of the secondary safety valves following a turbine trip. These valves can also be remotely opened from the control room. Six of the eight valves dump to the condenser and the other two dump to atmosphere.

The turbine bypass valves will not open if the condenser is unavailable.

The success criterion for this element is that one of eight bypass valves open to remove secondary steam.

4.4.3.5.2 Atmospheric Dump Valves (ADV)

If the turbine bypass valves are unavailable, secondary steam can be removed using the atmospheric dump valves, two per steam generator. These valves are remotely controlled from the control room.

Initially, if the turbine bypass system is unavailable, operators would try to dump steam from both steam generators. However, once the steam generator with the tube rupture is identified, it would be isolated and the operators would steam from the intact steam generator. Therefore, the success criterion for this element is that one of two ADV's on the intact steam generator open to remove steam.

4.4.3.5.3 Main Steam Safety Valves (MSSV)

If the turbine bypass valves and the atmospheric dump valves are unavailable, the steam generator pressure will increase until the main steam safety valve setpoint is reached. The main steam safety valves will then begin to cycle to maintain the steam generator pressure in a narrow band around the main steam safety valve setpoint pressure. The RCS temperature and pressure will then increase until an equilibrium point is reached where the heat transfer from the RCS to the steam generators is balanced by the heat removed through the main steam safety valves. As long as auxiliary feedwater is available, the plant will remain stable. However, the leakage from the RCS to the secondary side via the ruptured tube will remain high. Also, it would require a very long time (in excess of 24 hours) to steam the plant to shutdown cooling entry conditions using only the secondary safety valves. Therefore, if extended steaming on the MSSV's occurs, both RWT and CST inventory will be depleted unless action is taken to replenish the inventory in the RWT and CST.

The success criterion for this element is that one of ten MSSV's on the intact steam generator open to remove steam. (Note: The MSSVs and ADV's on the ruptured generator are not credited although the MSSV's on the ruptured generator would probably also lift.)

4.4.3.6 Depressurize for LPSI Injection

If, following an SGTR event, the high pressure safety injection system does not function, the LPSI system can be used to provide injection if the primary system is aggressively depressurized using the secondary system for rapid heat removal. To achieve this, both steam generators must be used. This might result in higher initial releases but will prevent core uncovery.

The success criteria for this element are:

a) Aggressive cooldown is initiated within 15 minutes.

b) Auxiliary feedwater is supplied to both steam generators.

c) Steam is removed from both steam generators using either two of eight turbine bypass valves (with a path from both generators) or one of two atmospheric dump valves on each generator.

d) LPSI flow is delivered from the RWT using one of two LPSI pumps.

SIT injection will occur during the blowdown, but this alone would, in general, not be sufficient to satisfy the inventory requirements.

4.4.3.7 Deliver Alternate Feedwater

If auxiliary feedwater is not available, it may be possible to deliver water to the steam generators from the low head condensate pumps. The operator would have to reduce the secondary pressure to approximately 600 psia using the turbine bypass or atmospheric dump valves. (NOTE: Main steam safety valves cannot be used for this.) The operator then must align the feedwater system so that the main feedwater pumps are bypassed and then start the condensate pumps. Success of this operation requires that power be available for the condensate pumps, that condensate pumps have not failed, and that the downcomer feedwater control valves and the main feedwater isolation valves are open or can be opened.

With loss of both main and auxiliary feedwater, the RCS temperature is controlled at a value slightly above that corresponding to steam generator saturation conditions until a substantial portion of the tube bundle in each steam generator is uncovered. At this point, RCS temperature will begin to increase. When the steam generators boil dry, RCS temperature and pressure will rise rapidly. If conditions in the RCS reach the setpoints for the primary safety valves, RCS inventory will begin to discharge out the safety valves. If a secondary heat sink is not re-established and loss of RCS inventory continues at high pressure, core uncovery will occur. Core damage conditions, defined for this study as peak cladding temperatures of 2200°F, will be reached in approximately 70 minutes following a reactor trip signal based on low steam generator level.

The success criterion for this element is that flow be delivered from one of three condensate pumps to the intact steam generator within 60 minutes following the plant trip.

The emergency operating procedures guidelines specify that if main and auxiliary feedwater are lost, flow to the steam generators must be re-established, but they do not specify how to do this. Thus, the operator actions required to achieve this goal are considered to be knowledge-based and performed under high stress conditions within a limited time frame. If emergency procedures which specified how to align the feedwater system to deliver flow from the condensate pumps to the steam generators were developed, these actions could be classified as rule-based.

4.4.3.8 RCS Pressure Control

To minimize the leakage from primary to secondary during the plant cooldown, RCS pressure must be maintained at or near the pressure in the steam generator with the ruptured tube. Pressure control must have sufficient time to permit bringing the plant to cold shutdown conditions and stopping the leak before the inventory in the RWT is depleted. The two actions involved in establishing RCS pressure control are throttling the HPSI pumps once pressurizer level and RCS subcooling have been re-established, and starting pressurizer spray flow. If two RCPs are running, the normal pressurizer spray system may be used. If the RCP's are not running, auxiliary spray flow from the charging pumps must be established. (CEN-239(12) describes the depressurization process and rationale in detail.)

On natural circulation, with auxiliary sprays available and auxiliary feedwater available to the good generator, the plant can be brought to shutdown cooling entry conditions (350°F and 400 psia) in about 8 hours (see Appendix 0 of CESSAR-F(4)). The shutdown cooling system can then cool the plant to less than 212°F in between 6 and 8 hours. Therefore, the total cooldown time required is approximately 16 hours. At a constant 400 gpm leak rate from primary to secondary, the 630,000 gallon RWT would be depleted in 26 hours. (Note: leak rate will actually decrease during cooldown and depressurization.) Thus, if pressure control is established within 10 hours, the plant can be cooled down and depressurized with the available RWT inventory.

The success criteria for this element are:

a) HPSI flow must be throttled within 10 hours, and

b) Pressurizer spray flow using either the normal spray flow or auxiliary spray flow from 1 of 3 charging pumps must be established within 10 hours.

4.4.3.9 Unisolable Leak in Bad Generator

If an unisolable path exists from the steam generator with the tube rupture to the atmosphere, the bad generator could be at or near atmospheric pressure. Thus, the differential pressure between RCS and the bad generator will remain high with the attendant high leak rate between the RCS and the bad generator (approximately 178 gpm after 500 sec. per CESSAR-F(4)). The RCS pressure would have to be decreased to atmospheric pressure to terminate the leak. This would have to be accomplished before the available RWT inventory was depleted. This would be accomplished by cooling and depressurizing the RCS to shutdown cooling entry conditions (350°F and 400 psia) using the good generator and the pressurizer sprays. The shutdown cooling system would then be used to cool and depressurize the plant to atmospheric pressure and less than 212°F. On natural circulation, with auxiliary sprays available, the plant can be brought to shutdown cooling entry conditions in about 8 hours (see Appendix 50 of CESSAR-F(4)). The shutdown cooling system can then bring the plant down to under 212°F in between 6 and 8 hours.

The success criterion for this element is that there is no unisolable path from the ruptured generator to the atmosphere.

The potential failure paths for this element are:

a) one or more MSSVs are stuck open, or

b) one or both ADVs are stuck open.

The mechanisms for achieving one of the above two conditions are:

a) TBVs fail to open on reactor trip, MSSVs open on both generators, one or more MSSVs on bad generator fail to reseat;

b) Isolated bad generator begins to fill, blowdown system unavailable, ADVs on bad generator unavailable, bad generator fills, MSSVs on bad generator lift, MSSV fails to reseat;

c) ADVs on both generators opened for initial cooldown, ADV on bad generator fails to close;

d) Isolated bad generator begins to fill, blowdown system unavailable, operator opens ADV on bad generator, ADV fails to close.

4.4.3.10 Refill RWT

If RCS pressure control is not maintained, or if there is an unisolable path to atmosphere from the bad steam generator, there will be continuous leakage from primary to secondary. This leakage would eventually deplete the RWT inventory if RCS pressure control was not re-established or, in the case of an unisolable leak to atmosphere from the bad generator, if the plant was not brought to cold shutdown conditions within the time periods discussed in Sections 4.4.3.8 and 4.4.3.9. Depletion of the RWT inventory would lead to core uncovery and core melt. To prevent this, the RWT inventory must be replenished.

Additional inventory can be supplied to the RWT from the spent fuel pool via the boric acid makeup pumps, from the holdup tank via the holdup pumps, from the reactor and equipment drain tanks using the reactor drain pumps, or it can be batched using the boric acid batching tank with the reactor makeup water pumps supplying water to the reactor makeup water tank. The spent fuel pool has 33,500 gallons of borated water which can be delivered to the RWT at between 165 and 330 gpm (1 or 2 pumps). The holdup tank has 435,000 gallons of borated water which can be delivered to the RWT at a rate of between 50 and 100 gpm (1 or 2 pumps). The reactor and equipment drain tanks have approximately 10,000 gallons of borated water which can be delivered to the RWT using the reactor drain pumps at between 50 and 100 gpm (1 or 2 pumps).

The boric acid batching tank and the reactor makeup water pumps can also be used to provide 2100 gallon batches of borated water. However, this is the least viable operation because it takes 4-5 hours to prepare a batch.
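The inventory arithmetic behind Sections 4.4.3.8 through 4.4.3.10, as an added example that is not part of the original report: a minute-step Python model of RWT drawdown at a constant leak rate, with the three pumped transfer sources listed above. The function names, the assumption that RWT drawdown equals the leak rate, and the treatment of 630,000 gallons as the tank's fill limit are assumptions of this sketch.

```python
"""RWT drawdown model for the SGTR inventory argument (added example).

Volumes and flow rates are the figures quoted in Sections 4.4.3.8-4.4.3.10.
Modelling choices (constant leak, drawdown equal to leak, 630,000 gal used
as the fill limit, batching tank omitted) are assumptions of this sketch.
"""
from dataclasses import dataclass

RWT_GAL = 630_000   # RWT inventory quoted in the report
COOLDOWN_H = 16     # about 8 h to SDC entry plus up to 8 h on shutdown cooling


@dataclass
class Source:
    name: str
    volume_gal: float
    gpm_per_pump: float
    pumps: int = 1   # the report gives rates for 1 or 2 pumps

    @property
    def rate_gpm(self) -> float:
        return self.gpm_per_pump * self.pumps


def report_sources(pumps: int = 1) -> list:
    """Pumped transfer sources from Section 4.4.3.10.

    The 2100 gallon boric acid batches (4-5 h each) are left out because
    the report calls them the least viable option.
    """
    return [
        Source("spent fuel pool", 33_500, 165, pumps),
        Source("holdup tank", 435_000, 50, pumps),
        Source("reactor and equipment drain tanks", 10_000, 50, pumps),
    ]


def hours_to_depletion(leak_gpm, sources=(), refill_start_h=0.0,
                       rwt_gal=RWT_GAL):
    """Hours until the RWT is empty at a constant leak rate.

    Each simulated minute removes the leak volume, then (once refill has
    started) transfers from each source at its rated flow, limited by what
    the source still holds and by the headroom left in the RWT.
    """
    if leak_gpm <= 0:
        raise ValueError("leak rate must be positive")
    level = rwt_gal
    remaining = [s.volume_gal for s in sources]
    minute = 0
    while True:
        level -= leak_gpm
        minute += 1
        if level <= 0:
            return minute / 60
        if minute > refill_start_h * 60:
            for i, src in enumerate(sources):
                add = min(src.rate_gpm, remaining[i], rwt_gal - level)
                level += add
                remaining[i] -= add


def pressure_control_deadline_h(leak_gpm, cooldown_h=COOLDOWN_H, **kwargs):
    """Latest time pressure control can be established and still leave
    `cooldown_h` hours of RWT inventory for the cooldown."""
    return hours_to_depletion(leak_gpm, **kwargs) - cooldown_h


if __name__ == "__main__":
    print("400 gpm, no refill      :", hours_to_depletion(400), "h")
    print("deadline at 400 gpm     :", pressure_control_deadline_h(400), "h")
    print("178 gpm, no refill      :", hours_to_depletion(178), "h")
    for n in (1, 2):
        t = hours_to_depletion(400, report_sources(n))
        print(f"400 gpm, {n} pump/source :", round(t, 2), "h")
```

With no refill the model reproduces the report's 26 hour depletion time and 10 hour margin. With refill, the added time is limited by the holdup tank's 50 to 100 gpm transfer rate rather than by its 435,000 gallon volume.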

4.4.3.11 Establish Shutdown Cooling

Once the plant has been cooled down to shutdown cooling entry conditions (350°F and 400 psia) the plant can be brought to cold shutdown conditions using the shutdown cooling system. The success criterion for this element is that shutdown cooling flow be established through one shutdown cooling system train.

4.4.3.12 Maintain Secondary Heat Removal (MSHR)

If shutdown cooling entry conditions cannot be achieved, or the shutdown cooling system is unavailable, the plant must be maintained in a stable condition via continued secondary heat removal. The success criteria for this element vary depending on the status of auxiliary feedwater. The criteria are:

a) For sequences with auxiliary feedwater available;

1) deliver flow from 1 of 2 AFW pumps to the intact steam generator and remove steam from the intact steam generator via 1 of 8 TBVs, or 1 of 2 ADVs or 1 of 10 MSSVs;

b) For sequences with auxiliary feedwater unavailable;

1) deliver flow from 1 of 3 condensate pumps to the intact steam generator and remove steam from the intact steam generator via 1 of 8 TBVs or 1 of 2 ADVs; (MSSVs cannot be used as secondary pressure must be maintained at or below 600 psia.)

In both cases, additional water inventory must be provided to the condensate storage tank before it empties at between 16 and 20 hours following the event.

4.4.4 Displayed Dependencies

The following functional dependencies are displayed on Event Tree 4:

a) If reactor trip does not occur, the event sequence branches to the ATWS event tree (Section 4.8).

b) If the TBVs and ADVs on the intact generator are not available, shutdown cooling entry conditions cannot be established and long-term cooling must be maintained via secondary heat removal.

c) If HPSI and auxiliary feedwater are not available, there is insufficient time to establish LPSI or condensate flow before core uncovery.

d) If the HPSI system fails, both steam generators must be used for secondary heat removal in order to depressurize the primary system below the LPSI shutoff head before core uncovery occurs.

e) If auxiliary feedwater is unavailable, the main steam safety valves do not provide a success path for steam removal because the secondary system must be depressurized to 600 psia to use the condensate pumps.

f) If there is an unisolable leak to atmosphere from the bad steam generator, and the shutdown cooling system is unavailable, secondary heat removal must be maintained and the RWT must be refilled.

g) If RCS pressure control is not established, it is assumed that shutdown cooling entry conditions cannot be established.

h) If the RCS is depressurized for LPSI injection due to the unavailability of the HPSI system, pressurizer spray is not needed for RCS pressure control because RCS pressure and temperature will be within shutdown cooling entry conditions limits. (Note: during the cooldown a head bubble will occur and some voiding is likely to occur but core will remain covered.)

4.4.5 Major Recovery Actions

The following major recovery actions will be addressed in the recovery analysis for the steam generator tube rupture sequences.

a) For failure to deliver auxiliary feedwater, the normal startup (non-category 1) auxiliary feedwater pump can be manually started and aligned to deliver feedwater.

b) If shutdown cooling cannot be established due to the unavailability of the LPSI pumps, the containment spray pumps may be used.

c) If the intact generator cannot be used for RCS heat removal, the bad generator could be used, albeit with an increase in releases.

[Figure 4.4-1: Event Tree 4 - Steam Generator Tube Rupture]

4.5 LARGE SECONDARY SIDE BREAKS - EVENT TREE 5

The large secondary side breaks event tree, Event Tree 5, describes the sequence of events for large secondary side line breaks, both inside and outside of containment. Large secondary side steam line breaks are characterized as cooldown events due to increased steam flow rate, which causes excessive energy removal from the steam generators and the reactor coolant system (RCS). This results in a decrease in temperature and pressure in both the RCS and steam generators. The cooldown causes an increase in core reactivity due to the negative moderator and Doppler reactivity coefficients.

Licensing analyses for large secondary side breaks assume that the most reactive rod is stuck out of the core in order to evaluate the potential for a return to power. A best estimate transient analysis of a large steam line break for a System 80 NSSS at end of cycle with blowdown of both generators, most reactive rod stuck out of the core and no boron injection showed no return to power. Therefore, the conclusion for this analysis is that a large secondary side break will not result in a return to power, even with the most reactive rod stuck out of the core.

Detection of the cooldown is accomplished by the pressurizer and steam generator low pressure alarms, by the high reactor power alarm and by the low steam generator water level alarm. Reactor trip as a consequence of a secondary line break is provided by one of several available reactor trip signals.

The depressurization of the affected steam generator results in the actuation of a main steam isolation signal (MSIS). This closes the MSIVs, isolating the unaffected steam generator from blowdown and closes the main feedwater isolation valves (MFIVs), terminating main feedwater flow to both steam generators. After the reduction of steam and feed flow, the level in the intact steam generator falls below the emergency feedwater actuation signal (EFAS) setpoint. The resulting EFAS causes emergency feedwater (EFW) flow to be initiated to the intact steam generator. The EFAS logic prevents feeding the affected steam generator. The pressurizer pressure decreases to the point where a safety injection actuation signal (SIAS) is initiated. The isolation of the unaffected steam generator and subsequent emptying of the affected steam generator terminate the cooldown. The introduction of safety injection boron upon SIAS causes core reactivity to decrease. The operator, via the appropriate emergency procedures, may initiate plant cooldown by manual control of the atmospheric steam dump valves, or, in the event that offsite power is available and the break location is not between the MSIVs and the turbine stop valves, by using the MSIV bypass valves associated with the unaffected steam generator and the turbine bypass valves, any time after the affected steam generator empties.

For a large feedwater line break downstream of the main feedwater isolation valves (MFIVs), the transient progression is similar to that described above after the initial heatup due to reduced feedwater flow. The transient progression for a feedwater line break upstream of the MFIVs would be equivalent to a loss of main feedwater. This type of event is covered by the transient event tree (see Section 4.6).

For the purposes of this analysis, the location of the break, inside containment or outside containment, is not considered to be important because plant and operator responses with respect to core melt prevention will be similar. The primary differences relate to containment effects, availability of containment safeguards systems and potential release paths.

4.5.1 Event Tree 5 Elements

4.5.1.1 Large Secondary Side Break Initiators

Large secondary side breaks include large main steam line piping breaks up to and including double-ended guillotine breaks, spurious openings of multiple MSSVs, ADVs or TBVs and main feedwater line piping breaks. Piping breaks inside or outside of containment are covered by this category. The spurious opening of an MSSV, ADV or TBV and small steam line, feedwater line or blowdown line breaks are not covered in this category. They are covered in the transient category (see Section 4.6).

4.5.1.2 Reactor Trip

The Reactor Protection System (RPS) trips the reactor to reduce thermal energy production following a transient by removing power from the control element drive mechanism (CEDM) busses which allows the control element assemblies (CEAs) to drop into the reactor core under the influence of gravity. De-energization of the CEDM busses on reactor trip also generates a turbine trip.

The steam line break is an overcooling event that introduces positive reactivity feedback. Reactor trip should occur in about seven seconds on low DNBR. Other trip parameters available to trip the reactor are low steam generator pressure, low RCS pressure, low steam generator water level, high reactor power, and high containment pressure.

The success criteria for this element are:

a) a trip signal is generated,

b) both CEDM buses are deenergized,

c) all CEAs are inserted into the core.

4.5.1.3 Deliver Auxiliary Feedwater

Following a secondary side break event, auxiliary feedwater must be supplied to the intact steam generator in order to remove decay heat from the RCS. Auxiliary feedwater is automatically actuated by the engineered safety features actuation system (ESFAS). It can also be manually actuated from the control room. The success criterion for this element is that auxiliary feedwater flow must be delivered from one of two category 1 auxiliary feedwater pumps to the intact steam generator.

4.5.1.4 Remove Secondary Steam

Following a secondary line break, secondary steam must be removed from the intact steam generator to control secondary pressure, to remove heat (transferred from RCS) and to prevent steam generator overfill. The following sections describe the two available methods of secondary steam removal.

4.5.1.4.1 Atmospheric Dump Valves

Following a secondary side break, the preferred means of removing steam from the intact steam generator is via the atmospheric dump valves. There are two ADVs per steam generator. Therefore, the success criterion for this element is that one of two ADVs be opened for steam removal.

4.5.1.4.2 Main Steam Safety Valves

If the ADVs on the intact generator are not available, the steam generator temperature and pressure will gradually increase as decay heat is transferred from the RCS. RCS temperature and pressure will also be increasing. When the MSSV setpoint is reached, the MSSVs will begin to cycle to maintain the secondary pressure in a narrow band around the MSSV setpoint. RCS temperature and pressure will stabilize at a point where decay heat energy generated in the RCS is balanced by the energy removed through the MSSVs. As long as auxiliary feedwater is available, the plant will remain stable. However, it is not possible to bring the plant to shutdown cooling entry conditions unless an atmospheric dump valve is restored.

There are ten MSSV's per steam generator. Therefore, the success criterion for this element is that one of ten MSSV's on the intact steam generator opens.

4.5.1.5 High Pressure Injection

In the event of the failure of the auxiliary feedwater system, the HPSI system will provide sufficient inventory to the RCS during the initial cooldown so that one hour is available to align the condensate pumps to deliver feedwater to the intact generator.

The success criterion for this element is that an SIAS signal is generated and 1 of 2 HPSI pumps deliver flow to the RCS.

4.5.1.6 Deliver Alternate Feedwater

If auxiliary feedwater is not available, it may be possible to deliver water to the steam generators from the low head condensate pumps. The operator would have to reduce the secondary pressure to approximately 600 psia using the turbine bypass or atmospheric dump valves. (NOTE: Main steam safety valves cannot be used for this.) The operator then must align the feedwater system so that the main feedwater pumps are bypassed and then start the condensate pumps. The operator will also have to trip the RCPs (if they have not been tripped already) to eliminate their heat input to the RCS and initiate auxiliary spray to control RCS pressure. Success of this operation requires that power is available for the condensate pumps, that condensate pumps have not failed, and that the downcomer feedwater control valves and main feedwater isolation valves are open or can be opened.

During a secondary line break, the RCS coolant will rapidly cool and contract (resulting in a pressure decrease). The HPSI system will be automatically actuated on low pressurizer pressure and will inject borated water to provide additional negative reactivity and to compensate for the inventory contraction. If, following the blowdown phase, auxiliary feedwater is not supplied to the intact generator to maintain RCS heat removal (and thus temperature and pressure), decay heat will begin to heat up the RCS. With no RCS heat removal, RCS temperature and pressure will increase until the primary safety valve setpoint is reached. The primary safety valves will lift and discharge RCS inventory into containment. The primary safety valves will cycle to maintain RCS pressure in a narrow band around the safety valve setpoint, and RCS inventory will be discharged to containment each time the valves lift. HPSI injection will have provided sufficient additional RCS inventory so that if alternate feedwater is supplied to the intact generator within one hour of the time at which auxiliary feedwater would normally have been delivered (about 30 seconds following the time at which the AFAS actuation level was reached in the intact generator), core uncovery, and hence core damage, will be prevented.

The success criterion for this element is that flow be delivered from one of three condensate pumps to one steam generator within 60 minutes following the plant trip.

The emergency operating procedure guidelines specify that if main and auxiliary feedwater are not available following a transient, flow to the steam generators must be re-established, but they do not specify how to do this. Thus, the operator actions required to achieve this goal are considered to be knowledge-based and performed under high stress conditions within a limited time frame. If emergency procedures which specified how to align the feedwater system to deliver flow from the condensate pumps to the steam generators were developed, these actions could be classified as rule-based.

4.5.1.7 Establish Shutdown Cooling

Once the plant has been cooled down to shutdown cooling entry conditions (350°F and 400 psia) and stabilized, the plant can be brought to cold shutdown conditions using the shutdown cooling system. The success criterion for this element is that shutdown cooling flow be established through one shutdown cooling system train. (NOTE: For a medium to large steam line break, the primary system will be at or near shutdown cooling entry conditions very early in the transient.)

4.5.1.8 Maintain Secondary Cooling

If shutdown cooling entry conditions cannot be achieved, or the shutdown cooling system is unavailable, the plant must be maintained in a stable condition via continued secondary heat removal.

The success criteria for this element are:

a) deliver flow to intact generator via 1 of 2 AFW pumps;

b) remove steam from intact generator via 1 of 2 ADVs or via 1 of 10 MSSVs.

4.5.2 Displayed Dependencies

The following functional dependencies are displayed on Event Tree 5:

a) If reactor trip does not occur, the event sequence branches to the ATWS event tree (Section 4.8).

b) If the ADVs on the intact generator are not available, shutdown cooling entry conditions cannot be established and long-term cooling must be maintained via secondary heat removal.

c) If auxiliary feedwater is not available, HPSI must have been successful to provide sufficient time to establish condensate flow before core uncovery.

A non-displayed dependency is that if main steam isolation does not occur, there will not be sufficient steam pressure to drive the turbine driven auxiliary feedwater pump. This is treated within the model for "Deliver Auxiliary Feedwater".

4.5.3 Major Recovery Actions

The following major recovery actions will be addressed in the recovery analysis for the large secondary break sequences:

a) For failure to deliver auxiliary feedwater, the normal startup (non-category 1) auxiliary feedwater pump can be manually started and aligned to deliver auxiliary feedwater.

b) If shutdown cooling cannot be established due to the unavailability of the LPSI pumps, the containment spray pumps may be used.

[Figure 4.5-1: Event Tree 5 - Large Secondary Side Break]

4.6 TRANSIENTS - EVENT TREE 6

Transients are non-LOCA/non ACCIDENT events in which a process parameter perturbation leads to a reactor trip. The normal progression for a transient and the associated responses are as follows:

a) transient occurs

b) reactor trips (Reactivity Control)

c) feedwater ramps back to 5% or auxiliary feedwater is actuated

d) turbine bypass valves or atmospheric dump valves open to remove steam

e) plant is stabilized in hot standby conditions

As previously discussed, the transient event category includes all events which do not involve a LOCA (primary side break) or a large secondary side break and for which the basic plant response is as described above. Because of significant differences in plant responses, loss of offsite power transients (and transients with a similar response) and anticipated transients without SCRAM are not included in this category.

4.6.1 Event Tree 6 Elements

4.6.1.1 Transient Initiators

Transient Initiators include all non LOCA, non secondary side break initiators for which the basic plant response is a reactor trip with RCS heat removal satisfied by delivery of auxiliary or main feedwater and steam removal via the turbine bypass valves or atmospheric dump valves. These initiators include full or partial losses of main feedwater, turbine or generator protective trips, spurious single MSIV closures, CEA drops, spurious manual or automatic SCRAMS, RCS flow reductions other than 4 pump loss of flow events, RCS parameter perturbations leading to a trip, and small secondary side breaks. This event category does not include loss of offsite power events, ATWS events, consequential LOCA events or large secondary side breaks. (See Section 3. for a detailed evaluation of the transient initiators)

4.6.1.2 Reactor Trip

The Reactor Protection System (RPS) trips the reactor to reduce thermal energy production following a transient by removing power from the control element drive mechanism (CEDM) busses which allows the control element assemblies (CEAs) to drop into the reactor core under the influence of gravity. De-energization of the CEDM busses on reactor trip also generates a turbine trip.

Following a transient, the RPS will generate a reactor trip signal on one of several parameters, depending upon the specific transient. If the RPS does not generate a trip, the supplementary protection system will generate a trip signal on high pressurizer pressure.

The success criteria for this element are:

a) a trip signal is generated,

b) both CEDM busses are de-energized,

c) all CEAs are inserted into the core.

(NOTE: expert opinion is that de-energization of one CEDM bus and insertion of half of the CEAs should be sufficient to shutdown the reactor.)

4.6.1.3 Deliver Feedwater Flow

Following the transient and reactor trip, feedwater must be provided to the steam generators in order to remove decay heat. For transients which are not caused by a loss of main feedwater, the main feedwater supply will ramp back to 5% flow to maintain decay heat removal. If the ramp back is not successful, that is, main feedwater is lost following the trip, feedwater must be provided by the auxiliary feedwater system. For transients which are caused by a loss of main feedwater, post-trip feedwater flow must be provided by the auxiliary feedwater system. The success criterion for this element is that feedwater must be delivered to one of the two generators via the 5% main feedwater flow or from one of two category 1 auxiliary feedwater pumps.

4.6.1.4 Remove Secondary Steam

Secondary steam must be removed from the steam generators to control secondary pressure, to remove secondary heat (transferred from RCS) and to prevent steam generator overfill. The following sections describe the three primary methods of secondary steam removal.

4.6.1.4.1 Turbine Bypass Valves

The preferred means of removing secondary steam is via the turbine bypass valves. These valves are automatically opened by the steam bypass control system to prevent lifting of the secondary safety valves following a turbine trip. These valves can also be remotely opened from the control room. Six of the eight valves dump to the condenser and the other two dump to atmosphere.

The turbine bypass valves will not open if the condenser is unavailable.

The success criterion for this element is that one of eight bypass valves open to remove secondary steam.

4.6.1.4.2 Atmospheric Dump Valves (ADV)

If the turbine bypass valves are unavailable, secondary steam can be removed using the atmospheric dump valves. There are four atmospheric dump valves, two per steam generator. These valves are remotely controlled from the control room.

The success criterion for this element is that one of the four atmospheric dump valves open to remove secondary steam.

4.6.1.4.3 Main Steam Safety Valves (MSSV)

If the turbine bypass valves and the atmospheric dump valves are unavailable, the steam generator pressure will increase until the main steam safety valve setpoint is reached. The main steam safety valves will then begin to cycle to maintain the steam generator pressure in a narrow band around the main steam safety valve setpoint pressure. The RCS temperature and pressure will then increase until an equilibrium point is reached where the heat transfer from the RCS to the steam generators is balanced by the heat removed through the main steam safety valves. As long as auxiliary feedwater is available, the plant will remain stable. However, it is not possible to bring the plant to shutdown cooling entry conditions unless an atmospheric dump valve or a turbine bypass valve is restored.

The success criterion for this element is that one of twenty main steam safety valves open. (NOTE: Failure of an MSSV to reseat is not considered problematic in this case because it would be approximately equivalent to having a dump or bypass valve open for steam removal.)

4.6.1.5 Deliver Alternate Feedwater

If auxiliary feedwater is not available, it may be possible to deliver water to the steam generators from the low head condensate pumps. The operator would have to reduce the secondary pressure to approximately 600 psia using the turbine bypass or atmospheric dump valves. (NOTE: Main steam safety valves cannot be used for this.) The operator then must align the feedwater system so that the main feedwater pumps are bypassed and then start the condensate pumps. The operator will also have to trip the RCPs (if they have not been tripped already) to eliminate their heat input to the RCS and initiate auxiliary spray to control RCS pressure. Success of this operation requires that power is available for the condensate pumps, that condensate pumps have not failed, and that the downcomer feedwater control valves and the main feedwater isolation valves are open or can be opened.

With loss of both main and auxiliary feedwater, the RCS temperature is controlled at a value slightly above that corresponding to steam generator saturation conditions until a substantial portion of the tube bundle in each steam generator is uncovered. At this point, RCS temperature will begin to increase. When the steam generators boil dry, RCS temperature and pressure will rise rapidly. If conditions in the RCS reach the setpoints for the primary safety valves, RCS inventory will begin to discharge out the safety valves. If a secondary heat sink is not re-established and loss of RCS inventory continues at high pressure, core uncovery will occur. Core damage conditions, defined for this study as peak cladding temperatures of 2200°F, will be reached in approximately 70 minutes following a reactor trip signal based on low steam generator level.

The success criterion for this element is that flow be delivered from one of three condensate pumps to one steam generator within 60 minutes following the plant trip.

The emergency operating procedure guidelines specify that if main and auxiliary feedwater are not available following a transient, flow to the steam generators must be re-established, but they do not specify how to do this.

Thus, the operator actions required to achieve this goal are considered to be knowledge-based and performed under high stress conditions within a limited time frame. If emergency procedures which specified how to align the feedwater system to deliver flow from the condensate pumps to the steam generators were developed, these actions could be classified as rule-based.

4.6.1.6 Establish Shutdown Cooling (SDC)

Once the plant has been cooled down to shutdown cooling entry conditions (350°F and 400 psia) the plant can be brought to cold shutdown conditions using the shutdown cooling system. The success criterion for this element is that shutdown cooling flow be established through one shutdown cooling system train.

4.6.1.7 Maintain Secondary Heat Removal (MSHR)

If shutdown cooling entry conditions cannot be achieved, or the shutdown cooling system is unavailable, the plant must be maintained in a stable condition via continued secondary heat removal. The success criteria for this element vary depending on the status of auxiliary feedwater and the condenser. The criteria are:

a) For sequences with AFW and the condenser available;

1) deliver flow from 1 of 2 AFW pumps and remove steam via 1 of 8 TBVs, or 1 of 4 ADVs or 1 of 20 MSSVs;

b) For sequences with AFW available but the condenser unavailable;

1) deliver flow from 1 of 2 AFW pumps and remove steam via 1 of 4 ADVs or 1 of 20 MSSVs;

c) For sequences with AFW unavailable but the condenser available;

1) deliver flow from 1 of 3 condensate pumps and remove steam via 1 of 8 TBVs or 1 of 4 ADVs;

d) For sequences with AFW and condenser unavailable;

1) deliver flow from 1 of 3 condensate pumps and remove steam via 1 of 4 ADVs.

For the sequences in which steam is exhausted to the atmosphere and the auxiliary feedwater is taken from the condensate storage tank, additional water inventory must be provided to the condensate storage tank before it empties.

4.6.2 Displayed Dependencies

The following functional dependencies are important for Event Tree 6:

a) If the turbine bypass valves and the atmospheric dump valves fail, shutdown cooling entry conditions cannot be achieved because the secondary and hence primary pressure will stay high.

b) If auxiliary feedwater fails and the turbine bypass and atmospheric dump valves fail, alternate flow from the condensate pumps cannot be established because the secondary pressure cannot be reduced to or below the pump cutoff head by the main steam safety valves.


4.7 LOSS OF OFFSITE POWER AND STATION BLACKOUT - EVENT TREES 7 AND 8

The loss of offsite power event covers all events initiated by a loss of grid power of any duration from the high voltage distribution lines serving the station. If the loss of offsite power is accompanied by failure of the station's diesel generators (DGs), a station blackout has occurred. Because of the unique effect of these two events on the plant, separate event trees are presented for them. Event Tree 7 applies to loss of offsite power events for which one or more diesel generators start and load. Event Tree 8 applies to station blackout events, that is, events involving a loss of offsite power and failure of all station diesel generators.

4.7.1 Normal Event Progression

A loss of offsite power will result in a loss of forced reactor coolant flow due to simultaneous loss of electrical power to all four reactor coolant pumps (RCPs), a loss of condenser vacuum and loss of main feedwater due to the loss of power to the circulating water pumps, a turbine trip with fast closure of the turbine stop valves due to loss of load, and a start signal to the emergency diesel generators due to low voltage on the 4.16 KV vital buses.

Due to the loss of condenser vacuum, the steam bypass control system (SBCS) and the turbine bypass valves are also unavailable.

The loss of forced coolant flow following loss of power to the RCPs leads to a reactor trip on low DNBR and reactor power begins to decrease accompanied by a decrease in pressurizer level due to cooling and contraction of reactor coolant. The loss of secondary heat sink due to the loss of main feedwater in conjunction with the unavailability of the SBCS soon results in a reduction in RCS heat removal. Both primary and secondary pressure will increase. The primary and secondary safety valves will lift to control primary and secondary pressure respectively. (A High Pressurizer Pressure Trip signal will also be generated.) Concurrently, steam generator level will be decreasing due to void collapse, and emergency feedwater will be actuated (a low steam generator level reactor trip signal will also be generated). Secondary heat removal (and RCS heat removal) via the emergency feedwater and the secondary safety valves is thus re-established and primary pressure and temperature will begin to decrease. At this time the atmospheric dump valves can be opened to continue cooling and depressurizing the reactor to shutdown cooling entry conditions.

When offsite power is lost, the diesel generators will receive a start signal. The diesel generators will start and load the Engineered Safety Features (ESF) buses. The ESF buses provide power to the HPSI and LPSI pumps and motor operated valves, the containment spray pumps and motor operated valves, the motor-driven emergency feedwater pump and the motor operated emergency feedwater valves, the essential cooling water pumps and associated motor operated valves and the essential spray pond pumps. The charging pumps and the nuclear cooling water pumps can be manually loaded if needed.

With the diesel generators available, the HPSI pumps can be started and used to provide RCS inventory makeup and for boron addition to provide additional shutdown margin. The charging pumps may also be loaded on the diesel generators and started to provide auxiliary spray capability and additional boron addition capability. Once the plant has been steamed down to shutdown cooling entry conditions (primary temperature and pressure 350°F and 400 psia respectively) using the emergency feedwater system and the atmospheric dump valves, the shutdown cooling system can be aligned to the RCS and the plant can be brought to cold shutdown conditions.

Failure of a primary safety valve to reseat following the initial pressure spike would result in a small LOCA and the required system responses are equivalent to those discussed in Section 4.3 (with offsite power unavailable).

Failure of the auxiliary feedwater system would result in a loss of secondary heat sink with the alternate secondary heat sink unavailable (condensate pumps are not powered from the vital buses). AC power would have to be restored and the condensate pumps aligned to the steam generators and started within one hour to prevent core damage. Failure of the HPSI system would affect the ability to compensate for reactor coolant shrinkage and a bubble would form in the reactor vessel upper head. Without some RCS makeup, the hot legs would be uncovered before reaching shutdown cooling entry conditions and the natural circulation mode of cooling would be lost. If natural circulation is lost, shutdown entry conditions could not be established. The charging pumps are able to provide sufficient makeup to preclude losing natural circulation and if need be, the operators could provide sufficient makeup from a safety injection tank to maintain natural circulation long enough to achieve shutdown cooling entry conditions.

4.7.2 Station Blackout Event Progression

If the diesel generators fail to start following the loss of offsite power, the resulting transient must be mitigated, at least initially, by AC independent equipment. With the diesel generators failed, the HPSI, LPSI and containment spray systems are unavailable, and the essential cooling water system and essential spray pond systems are not available for cooling the RCP seals or for decay heat removal via the shutdown cooling heat exchangers.

The turbine-driven emergency feedwater pump is required to supply emergency feedwater to the steam generators, and secondary steam must be removed via the main steam safety valves or the atmospheric dump valves.

The initial progression of the transient would be similar to the standard loss of offsite power, with lifting of the primary and secondary safety valves, emergency feedwater being delivered to the steam generators to restore RCS heat removal and the atmospheric dump valves being opened for secondary steam removal. The ADVs receive control power from the vital DC buses and batteries and use nitrogen for opening (instrument air is unavailable). The batteries can supply rated load for approximately two (2) hours, and the nitrogen supply reservoirs are good for a limited number of cycles. Thus, lacking any other problems, initial plant cooldown can proceed for about two hours without restoration of AC power. At this time, without AC power, the ADVs would become inoperable, secondary pressure would increase to the secondary safety valve setpoint and the primary side temperature and pressure would increase until the heat transfer from the RCS to the steam generators was in equilibrium with the heat removed from the steam generators via the safety valves. The plant would remain stable in this configuration until AC power is restored or the condensate is exhausted at about 8 hours. Core damage would follow within one hour unless water flow to the steam generators is re-established.

With loss of all station AC power (Station Blackout), RCP seal cooling water will be lost. The NRC has postulated in their evaluation of Station Blackout (39) that under these conditions, the seals will begin to degrade and gross seal leakage on the order of several hundred gpm may occur. (The CEOG contends that this is not credible for Byron-Jackson Pumps (40).) If gross seal leakage does occur, a source of AC power must be restored and the HPSI System started to provide RCS inventory makeup before the core uncovers. The time available to accomplish this is dependent on the seal leak rate.

If the turbine driven emergency feedwater pump fails to start and deliver feedwater to the steam generators, secondary steam removal through the secondary safety valves (or atmospheric dump valves) will continue until the steam generators boil dry at approximately 25 minutes. Primary pressure will rapidly rise and the primary safety valves will open. Core uncovery will occur within 35 minutes of generator dry out. Thus, with initial loss of emergency feedwater, AC power must be restored, and emergency feedwater flow established, within one hour to prevent core damage.

4.7.3 Loss of Offsite Power Event Tree

4.7.3.1 Event Tree 7 Elements

4.7.3.1.1 Loss of Offsite Power Initiators

Loss of offsite power events include all events initiated by a loss of grid power of any duration from the high voltage distribution lines serving the station and all events involving the loss of the onsite AC distribution systems. The loss of the grid power may be caused by external events such as storms, fires, floods or earthquakes, equipment failures within the grid system or site switch yard or by human error. Loss of the internal AC distribution system may be caused by equipment failures or human error. The loss of offsite power event class specifically includes success of at least one diesel generator.

4.7.3.1.2 Reactor Trip

The Reactor Protection System (RPS) trips the reactor to reduce thermal energy production following a transient by removing power from the control element drive mechanism (CEDM) busses which allows the control element assemblies (CEA's) to drop into the reactor core under the influence of gravity. De-energization of the CEDM busses on reactor trip also generates a turbine trip.

On a loss of offsite power, the RPS will generate trip signals on low DNBR, low steam generator level and high pressurizer pressure. If the RPS does not generate a trip signal, the Supplementary Protection System (SPS) will generate a trip signal on High Pressurizer Pressure. In addition, on loss of offsite power, power will be lost to the motor generator sets, which provide holding power to the CEDM buses. Thus, even if a trip signal is not generated, the CEDM buses will be de-energized within approximately 5 seconds.

The success criteria for this element are:

a) a trip signal is generated, b) both CEDM busses are de-energized, c) all CEAs are inserted into the core.

(NOTE: expert opinion is that de-energization of one CEDM bus and insertion of half of the CEAs should be sufficient to shutdown the reactor.)

4.7.3.1.3 PSV Reseat

The initial loss of secondary heat sink following the loss of offsite power will result in the primary system pressure increasing and the primary safety valves opening. Failure of a primary safety valve to reseat after the primary side pressure decreases will result in a small LOCA with offsite power unavailable. This is considered to be a small LOCA initiator for quantification of Small LOCA frequencies.

The success criterion for this element is that four of four primary safety valves must reseat.

4.7.3.1.4 Deliver Auxiliary Feedwater

Following a loss of offsite power, auxiliary feedwater must be supplied to the steam generators in order to remove decay heat from the RCS. The auxiliary feedwater system will be automatically actuated on a low steam generator level by the ESFAS. It can also be manually actuated from the control room. The success criterion for this element is that auxiliary feedwater must be delivered from one of two category 1 auxiliary feedwater pumps to one steam generator. With the presumed success of at least one diesel generator for this event, the use of the electric driven auxiliary feedwater pump is not automatically precluded.

4.7.3.1.5 Remove Secondary Steam

Secondary steam must be removed from the steam generators to control secondary pressure, to remove secondary heat (transferred from RCS) and to prevent steam generator overfill. The following sections define the success criteria for these elements.

4.7.3.1.5.1 Atmospheric Dump Valves

Following a loss of offsite power, the preferred means of removing secondary steam is via the atmospheric dump valves. There are two atmospheric dump valves per steam generator and they are remotely controlled from the control room and must be manually opened following a transient. They are air operated valves which fail closed on loss of air. Each valve has a backup Nitrogen supply bottle which will maintain valve operation for a limited number of cycles. Each valve has a DC powered solenoid control valve for opening and closing. These solenoid valves receive control power from the 125 VDC vital buses.

The success criteria for this element are:

a) one of four ADV's must be opened to remove steam

b) valve must be on a steam generator to which auxiliary feedwater is being delivered

c) air compressor must be restored to service before nitrogen supply is exhausted. (Offsite power restored or compressor manually loaded on DG)

These criteria conservatively do not credit the fact that if more than one valve is available, they can be used in rotation so as to extend the time for which the ADVs can be used for steam removal without restoring instrument air.

4.7.3.1.5.2 Main Steam Safety Valves

If, following a loss of offsite power, the atmospheric dump valves cannot be opened, the main steam safety valves can be used for steam removal. (NOTE: The MSSVs provide initial steam removal on loss of offsite power, but the ADVs are the preferred means.) The main steam safety valves will cycle to maintain the steam generator pressure in a narrow band around the main steam safety valve setpoint pressure. The RCS temperature and pressure will then increase until an equilibrium point is reached where the heat transfer from the RCS to the steam generators is balanced by the heat removed through the main steam safety valves. As long as auxiliary feedwater is available, the plant will remain stable. However, it is not possible to bring the plant to shutdown cooling entry conditions unless an atmospheric dump valve or a turbine bypass valve is restored.

The success criterion for this element is that one of twenty main steam safety valves open (and that this valve be associated with a SG to which AFW is being delivered). Failure of an MSSV to reseat would result in a faster than desired RCS cooldown which could not be controlled. However, as long as AFW and AFW control power are available, this is not considered to be problematic with respect to causing core damage.

4.7.3.1.6 Deliver Alternate Feedwater Flow

If auxiliary feedwater is not available following a loss of offsite power event, it may be possible to deliver water to the steam generators from the low head condensate pumps. The operator would have to reduce the secondary pressure to approximately 600 psia using the atmospheric dump valves. (NOTE: Main steam safety valves cannot be used for this.) The operator then must align the feedwater system so that the main feedwater pumps are bypassed and then start the condensate pumps. Success of this operation requires that offsite power be re-established for the condensate pumps and the feedwater and condensate system valves.

With loss of both main and auxiliary feedwater, the RCS temperature is controlled at a value slightly above that corresponding to steam generator saturation conditions until a substantial portion of the tube bundle in each steam generator is uncovered. At this point, RCS temperature will begin to increase. When the steam generators boil dry, RCS temperature and pressure will rise rapidly. If conditions in the RCS reach the setpoints for the primary safety valves, RCS inventory will begin to discharge out the safety valves. If a secondary heat sink is not re-established and loss of RCS inventory continues at high pressure, core uncovery will occur. Core damage conditions, defined for this study as peak cladding temperatures of 2200°F, will be reached in approximately 70 minutes following a reactor trip signal based on low steam generator level.

The success criterion for this element is that offsite power be re-established and flow be delivered from one of three condensate pumps to one steam generator within 60 minutes following the loss of auxiliary feedwater.

The emergency operating procedure guidelines specify that, if main and auxiliary feedwater are lost, flow to the steam generators must be re-established, but they do not specify how to do this. These actions are further complicated by the need to restore offsite power. Thus, the operator actions required to achieve this goal are considered to be knowledge-based and performed under high stress conditions within a limited time frame.

4.7.3.1.7 Establish Shutdown Cooling

Once the plant has been cooled down to shutdown cooling entry conditions (350°F and 400 psia) the plant can be brought to cold shutdown conditions using the shutdown cooling system. The success criterion for this element is that shutdown cooling flow be established through one shutdown cooling system train. Restoration of offsite power is not needed to achieve shutdown cooling if at least one DG is operating.

4.7.3.1.8 Maintain Secondary Heat Removal

If shutdown cooling entry conditions cannot be achieved, or the shutdown cooling system is unavailable, the plant must be maintained in a stable condition via continued secondary heat removal. The success criteria for this element vary depending on the status of prior elements. If auxiliary feedwater is available the success criteria are:

a) deliver flow from one of two AFW pumps to 1 of 2 SGs.

b) remove steam via 1 of 4 ADVs or 1 of 20 MSSVs;

For this condition, restoration of offsite power is not required, but instrument air must be provided to the ADVs to use them for steam removal.

If auxiliary feedwater is not available, the success criteria for this element are:

a) deliver condensate flow from 1 of 3 condensate pumps to 1 of 2 SGs

b) remove steam using 1 of 4 ADVs.

For this condition, offsite power must have been restored.

In both of the above cases, additional water inventory must be made available before the condensate storage tank (or hot well) empties. This will occur at between 16 and 30 hours following the initiating event.

4.7.3.2 Displayed Dependencies

The following functional dependencies are displayed on Event Tree 7:

a) If the atmospheric dump valves fail, shutdown cooling entry conditions cannot be achieved because the secondary and hence primary pressure will stay high.

b) If auxiliary feedwater fails and the atmospheric dump valves fail, alternate flow from the condensate pumps cannot be established because the secondary pressure cannot be reduced to or below the pump shutoff head by the main steam safety valves.

c) If the PSV fails to reseat, the event is treated as a small LOCA with offsite power unavailable.

In addition to the above dependencies, the following dependencies are important:

a) For long term steam removal, the ADVs need instrument air.

b) Offsite power must be re-established in order to use the condensate pumps to supply feedwater.

c) The motor driven auxiliary feedwater pump is powered from DG-B.

The following major recovery actions will be addressed in the recovery analysis for the loss of offsite power sequences:

a) restoration of offsite power

b) for the "Deliver auxiliary feedwater" elements, manually loading startup auxiliary feedwater pump on to an available DG and using it to deliver auxiliary feedwater

c) for the "establish shutdown cooling" element, if the LPSI pumps are unavailable, the containment spray pumps can be used to provide shutdown cooling flow.


4.7.4 Station Blackout Event Tree

4.7.4.1 Event Tree 8 Elements

4.7.4.1.1 Station Blackout Initiators

A station blackout is initiated by a loss of offsite power coupled with the concurrent failure of both diesel generators. (See Section 4.7.3.1.1 for definition of loss of offsite power initiators.)

4.7.4.1.2 Reactor Trip

The Reactor Protection System (RPS) trips the reactor to reduce thermal energy production following a transient by removing power from the control element drive mechanism (CEDM) busses which allows the control element assemblies (CEA's) to drop into the reactor core under the influence of gravity. De-energization of the CEDM busses on reactor trip also generates a turbine trip.

On station blackout, as on loss of offsite power, the RPS will generate trip signals on low DNBR, low steam generator level and high pressurizer pressure. If the RPS does not generate a trip signal, the Supplementary Protection System (SPS) will generate a trip signal on High Pressurizer Pressure. In addition, on loss of offsite power, power will be lost to the motor generator sets, which provide holding power to the CEDM buses. Thus, even if a trip signal is not generated, the CEDM buses will be de-energized within approximately 5 seconds.

4.7.4.1.3 PSV Reseat

The initial loss of secondary heat sink following the station blackout will result in the primary system pressure increasing and the primary safety valves opening. Failure of a primary safety valve to reseat after the primary side pressure decreases will result in a small LOCA with AC power unavailable. This is considered to be a small LOCA initiator for quantification of Small LOCA frequencies.

The success criterion for this element is that three of three primary safety valves must reseat.

4.7.4.1.4 Deliver Auxiliary Feedwater (Turbine)

Following a station blackout, auxiliary feedwater must be supplied to the steam generators in order to remove decay heat from the RCS. The auxiliary feedwater system will be automatically actuated by low steam generator level by the ESFAS, and it can also be manually actuated from the control room. However, with the failure of both DGs, only the turbine driven pump would be available. It can be supplied with steam from either steam generator. Control power for the throttle valve and for other valves in the auxiliary feedwater system comes from the 125 VDC vital buses which are powered from the station batteries.

The success criterion for this element is that the turbine driven auxiliary feedwater pump must start and deliver flow to one of two steam generators.

4.7.4.1.5 Remove Secondary Steam

Secondary steam must be removed from the steam generators to control secondary pressure, to remove secondary heat (transferred from RCS) and to prevent steam generator overfill.

4.7.4.1.5.1 Atmospheric Dump Valves

Following a loss of offsite power, the preferred means of removing secondary steam is via the atmospheric dump valves. There are two atmospheric dump valves per steam generator and they are remotely controlled from the control room and must be manually opened following a transient. They are air operated valves which fail closed on loss of air. Each valve has a backup Nitrogen supply bottle which will maintain valve operation for a limited number of cycles. Each valve has a DC powered solenoid control valve for opening and closing. These solenoid valves receive control power from the 125 VDC vital buses which are powered from the station batteries.

The success criteria for this element are:

a) one of four ADV's must be opened to remove steam

b) valve must be on a steam generator to which auxiliary feedwater is being delivered

These criteria conservatively do not credit the fact that if more than one valve is available, they can be used in rotation so as to extend the time for which the ADVs can be used for steam removal without restoring instrument air.

4.7.4.1.5.2 Main Steam Safety Valves

If, following a loss of offsite power, the atmospheric dump valves cannot be opened, the main steam safety valves can be used for steam removal. (NOTE: The MSSVs provide initial steam removal, but the ADVs are the preferred means.) The main steam safety valves will cycle to maintain the steam generator pressure in a narrow band around the main steam safety valve setpoint pressure. The RCS temperature and pressure will then increase until an equilibrium point is reached where the heat transfer from the RCS to the steam generators is balanced by the heat removed through the main steam safety valves. As long as auxiliary feedwater is available, the plant will remain stable. However, it is not possible to bring the plant to shutdown cooling entry conditions unless an atmospheric dump valve or a turbine bypass valve is restored.

The success criterion for this element is that one of twenty main steam safety valves open (and that this valve be associated with a SG to which AFW is being delivered). Failure of an MSSV to reseat would result in a faster than desired RCS cooldown rate which could not be controlled. However, as long as AFW and AFW control power are available, this is not considered to be problematic with respect to causing core damage.

4.7.4.1.6 Restore Power Within 1 Hour

This element is associated with sequences for which the turbine driven auxiliary feedwater pump fails to deliver feedwater to the steam generators. Without auxiliary feedwater flow to replace the steam generator inventory being lost through the ADVs or the MSSVs, the steam generators will boil dry. RCS pressure and temperature will rapidly rise, and the primary safety valves will lift, discharging primary inventory into the containment. Core uncovery and core damage will occur approximately 70 minutes following the loss of auxiliary feedwater. If auxiliary feedwater flow is restored within 60 minutes, core uncovery and therefore, core damage, can be prevented. To re-establish auxiliary feedwater flow, a source of 4.16 KV power must be available for the motor-driven auxiliary feedwater pump or the normal startup (non category 1) auxiliary feedwater pump. Therefore, the success criterion for this element is that a source of 4.16 KV power must be made available for the motor-driven auxiliary feedwater pump or the normal startup (non-category 1) auxiliary feedwater pump within 60 minutes. This can be accomplished by re-establishing at least one source of offsite power or by starting and loading one of two diesel generators.

4.7.4.1.7 Restore Power Within 3 Hours

Following a station blackout, the station batteries are the only source of electrical power. These batteries provide 124 VDC control power to the turbine throttle valve for the turbine-driven auxiliary feedwater pump, to the ADV control solenoid valves and to the safety related instrumentation. The batteries are sized to provide rated power for two hours. With depletion of the batteries' charge, control power to the turbine-driven auxiliary feedwater pump's turbine throttle valve will be lost, resulting in a loss of auxiliary feedwater. With the loss of auxiliary feedwater, the steam generators will soon boil dry. At this point, RCS pressure and temperature will rapidly increase and the primary safety valves will lift, discharging primary inventory into containment. Core uncovery and core damage will occur within approximately 70 minutes following the loss of auxiliary feedwater. Core damage can be prevented if auxiliary feedwater is recovered within 60 minutes of its loss. Because the steam generators will be dry and the batteries depleted at this point, 4.16 KV must be available and the motor-driven auxiliary feedwater pump must be started to supply auxiliary feedwater flow.

Therefore, the success criteria for this element are:

a) 4.16 KV power must be restored within 3 hours of the station blackout. This can be accomplished by restoring one source of offsite power or by starting and loading one diesel generator.

b) The motor-driven auxiliary feedwater pump must be started and used to supply auxiliary feedwater flow.

4.7.4.1.8 Establish Alternate FW Flow

This element is applicable only for those sequences in which auxiliary feedwater is not delivered by the turbine-driven auxiliary feedwater pump and in which power is restored within 1 hour of the station blackout.

Given that auxiliary feedwater is not being delivered due to the unavailability of the turbine driven pump, but that AC power is available, either from a diesel generator or from an offsite source, the operators must take action to restore auxiliary feedwater flow. The preferred method is to start the motor-driven auxiliary feedwater pump and align the valves to deliver auxiliary feedwater to at least one of the two steam generators. This pump may be powered from the "B" diesel generator or offsite power.

If the motor-driven auxiliary feedwater pump is unavailable, the normal startup (non-category 1) auxiliary feedwater pump may be used. This pump can be powered from either diesel generator or from any offsite power source.

If neither motor-driven auxiliary feedwater pump is available, it may be possible to deliver water to the steam generators from the low head condensate pumps. The operator would have to reduce the secondary pressure to approximately 500 psia using the atmospheric dump valves. (NOTE: Main steam safety valves cannot be used for this.) The operator then must align the feedwater system so that the main feedwater pumps are bypassed and then start the condensate pumps.

An offsite power source is required to provide power to the condensate pumps.

The success criterion for this element is that auxiliary feedwater/ condensate flow be delivered to at least one of the steam generators using one of the methods described above.

4.7.4.1.9 RCP Seal Integrity

With loss of all station AC power (station blackout), RCP seal cooling will be lost. The NRC has postulated that the seals will begin to degrade and gross seal leakage, on the order of several hundred gpm, may occur (39). The CEOG contends that this is not credible for Byron-Jackson pumps or pumps with an equivalent seal design (40). Operating experience on Byron-Jackson Pumps as documented in Reference 40 has shown that the seals can sustain loss of cooling for at least 6 hours without developing excessive leakage. Seal cartridge tests, also documented in Reference 40, have shown that the seals can withstand station blackout conditions for at least 50 hours without developing significant seal leakage. Thus, the occurrence of excessive RCP seal leakage following a station blackout is unlikely, and even should it occur, it will be several hours into the transient. If power is restored before excessive leakage starts, seal cooling will be restored and leakage will not occur.

The success criterion for this element is that the RCP seal cartridges on all four RCPs maintain their integrity.

4.7.4.1.10 RCS Makeup Given that the RCP seals develop excessive leakage, the operator must take action to makeup RCS inventory. It is assumed that, given that RCP seal leakage occurs, it occurs between 2 and three hours following the transient (see Section 4.7.4.1.10). Thus, power is available shortly after the onset of excessive seal leakage (power restoration covered per Section 4.7.4.1.8).

The success criterion for the element is that the operator will start at least one HPSI pump and deliver flow to the RCS. If the HPSI pumps were unavailable, operators could initiate an aggressive cooldown to reach the LPSI injection point. This would require that both steam generators be available and involves a sequence of actions not covered explicitly in the emergency procedures. LPSI injection is conservatively not credited in this analysis.

4.7.4.1.11 Recirculation Injection

Given excessive RCP seal leakage, RCS makeup using the HPSI system will eventually deplete the RWST inventory. A Recirculation Actuation Signal (RAS) will be generated on low RWST level and the HPSI pump suction will be switched from the RWST to the containment sump. The HPSI system will continue to make up RCS inventory, taking suction from the sump. The success criteria for this element are:

a) the RAS is generated,

b) a flow path from the sump to the RCS via one of two HPSI pumps is established.

4.7.4.1.12 Establish Shutdown Cooling

Once the plant has been cooled down to shutdown cooling entry conditions (350°F and 400 psia) the plant can be brought to cold shutdown conditions using the shutdown cooling system. The success criterion for this element is that shutdown cooling flow be established through one shutdown cooling system train. This can be accomplished if one source of offsite power is available or one DG has been restored.

4.7.4.1.13 Maintain Secondary Heat Removal

If shutdown cooling entry conditions cannot be achieved, or the shutdown cooling system is unavailable, the plant must be maintained in a stable condition via continued secondary heat removal. The success criteria for this element vary depending on the status of prior elements. If auxiliary feedwater is available the success criteria are:

a) deliver flow from one of two AFW pumps to 1 of 2 SGs.

b) remove steam via 1 of 4 ADVs or 1 of 20 MSSVs.

This condition requires that offsite power or one DG be restored and that instrument air be re-established to the ADVs to use them for steam removal.

If auxiliary feedwater is not available, the success criteria for this element are:

a) deliver condensate flow from 1 of 3 condensate pumps to 1 of 2 SGs

b) remove steam using 1 of 4 ADVs.

For this condition, offsite power must have been restored to provide power to the condensate pumps.

In both of the above cases, additional water inventory must be made available before the condensate storage tank (or hotwell) empties. This will occur at between 16 and 30 hours following the initiating event.

4.7.4.2 Displayed Dependencies

The following functional dependencies are displayed on Event Tree 8:

a) If the turbine driven pump is unavailable, power must be restored within one hour to prevent core melt.

b) If power is not restored within 3 hours, core melt will occur due to loss of auxiliary feedwater following battery depletion.

c) If the atmospheric dump valves fail, shutdown cooling entry conditions cannot be achieved because the secondary and hence primary pressure will stay high.

d) If auxiliary feedwater fails and the atmospheric dump valves fail, alternate flow from the condensate pumps cannot be established even with power available because the secondary pressure cannot be reduced to or below the pump shutoff head by the main steam safety valves.

e) If the PSV fails to reseat, the event is treated as a small LOCA with offsite power unavailable.

In addition to the above dependencies, the following dependencies are important:

a) For long term steam removal, the ADVs need instrument air.

b) Offsite power must be re-established in order to use the condensate pumps to supply feedwater.

c) The motor driven auxiliary feedwater pump is powered from DG-B.

4.7.4.3 Major Recovery Actions

The following major recovery actions will be addressed in the recovery analysis for station blackout:

a) Restoration of AC power (directly addressed in elements 7 and 8, Sections 4.7.4.1.7 and 4.7.4.1.8)

b) Use of the startup (non-category 1) auxiliary feedwater pump is addressed in element 8 (Section 4.7.4.1.8).

c) For element 13, "Establish Shutdown Cooling", if the LPSI pumps are unavailable, the containment spray pumps may be used to provide shutdown cooling flow.

[Figure: event tree. Column headings: Station Blackout; Reactor Trip; PSV Reseat; Deliver AFW (Turb); ADVs; Main Steam Safeties; Restore Power Within 1 Hr; Restore Power Within 3 Hrs; Establish Alternate Feedwater Flow; RCP Seal Integrity; RCS Makeup; Recirc Cooling; Establish Shutdown Cooling; Maintain Sec. Heat Removal.]

4.8 ANTICIPATED TRANSIENTS WITHOUT SCRAM - EVENT TREE 9

4.8.1 ATWS Description

The Anticipated Transient without Scram (ATWS) is an anticipated operational occurrence coupled with the failure of the Reactor Protection System (RPS) to insert negative reactivity via the control element assemblies (CEAs). The failure to insert the CEAs is postulated to occur by two mechanisms: failure of the electrical portion of the RPS to de-energize the control element drive mechanism (CEDM) busses to allow the CEAs to drop into the reactor core under the influence of gravity, or, if the RPS functions as designed and de-energizes the CEDM busses, a postulated mechanical failure that prevents the CEAs from dropping into the reactor core.

The ATWS is potentially a severe event in which the reactor coolant system goes through a pressure excursion due to a mismatch between the core heat generation rate and the reactor coolant system energy removal capability.

Although 10CFR50.62(50) defines a prescriptive solution for the ATWS scenario in terms of prevention and mitigation, the success criteria for the event are given in NUREG-0460(50), Volume 3 and can be summarized as follows:

- For the reactor coolant system pressures calculated, the integrity of the reactor coolant pressure boundary and the functionability of valves needed for long term cooling shall be demonstrated.

- The calculated radiological consequences shall be within the guidelines set forth in 10 CFR 100(52).

- The reactor fuel rods shall be shown to withstand the internal and external transient pressure so as to maintain a long term coolable geometry.

- The peak fuel enthalpy of the hottest fuel pellet shall not result in significant fuel melting.

- The probability of departure from nucleate boiling for the hot rod shall be shown to be low.

- The maximum cladding temperature and the extent of the Zr-H2O reaction shall be determined and shown not to result in significant cladding degradation.

For the limiting ATWS scenario, the criteria relating to the pressure boundary integrity and functionability of the valves required for long term cooling are of primary interest. The concern is that if the peak pressure in the RCS exceeds Level C stress limits (approximately 3000 PSIA), a breach of the primary coolant pressure boundary will occur and that the Safety Injection System check valves will be jammed closed. This would result in a LOCA with no RCS makeup available.

The course of an ATWS event is primarily dictated by a macroscopic energy balance on the reactor coolant system. Energy generated in the core and deposited in the coolant can be removed by various means. They are: the steam generators, the primary safety relief valves, and reactor coolant system leakage. Changes in the reactor coolant system pressure and temperature are produced as a result of an imbalance between the rates of energy deposition into and removal from the reactor coolant. All ATWS consequences are determined directly by the core power transient and the power imbalance transient. The relative consequences of ATWS events are thus determined by the relative magnitude of those plant parameters which govern these transients.

The energy generation within the core during the period of peak RCS pressure and maximum potential for clad damage is determined by the relative magnitude of Doppler and moderator temperature reactivity feedback. A power imbalance which produces an increase in moderator temperature and pressure coupled with a negative moderator temperature coefficient also produces a negative reactivity feedback which tends to reduce the core power and hence reduces the core power imbalance. During an ATWS event, primary coolant temperature increases. Since the assumed moderator temperature coefficient in the core is negative, the temperature increase results in an insertion of negative reactivity which reduces the core power. The moderator temperature coefficient will become more negative over the core cycle. Therefore, as the cycle progresses, the consequences of an ATWS event would become less severe, in that the core power reduction via moderator feedback will be greater, thus reducing the imbalance between the core heat generation rate and the RCS heat removal capability.

Since RCS peak pressure and associated system stresses are the primary concerns during an ATWS, it has been determined by analysis that the complete loss of feedwater event with failure of turbine trip is the limiting at-power peak pressure event.

The loss of normal feedwater flow could result from a malfunction in the feedwater/condensate system or its control system. This malfunction can be caused by a closure of all feedwater control valves, trip of all condensate pumps, or trip of all main feedwater pumps.

The loss of normal feedwater causes a reduction in feedwater flow to the steam generators when operating at power. This produces a reduction in the water inventory in the steam generators. Consequently, the secondary system can no longer remove the heat that is generated in the reactor core. Due to the assumed failure of the CEAs to insert on reactor trip, the core power remains at or near 100% of the initial level during the early part of the transient.

The heat buildup in the primary system is indicated by rising RCS temperature and pressure, and by increasing pressurizer water level due to the insurge of expanding reactor coolant. The initiation of the ATWS event may be identified by means of the failure of CEA insertion on the reactor trip signal, sharp increases in RCS pressure and temperature, and a rise in steam generator pressure. The heat capacity of the primary and secondary coolant inventories, the discharge capability of the RCS and steam generator safety and atmospheric dump valves, and the action of the auxiliary feedwater control system, steam bypass system, and the chemical and volume control system all combine to provide the heat removal capability to limit the consequences of the reactor power generated during this incident.

Realistic best estimate analyses of a total loss of Feedwater without Turbine Trip or Scram were run using CENTS (53), C-E's Nuclear Transient Simulator Code, for MTCs of 1.0, -0.2 and -0.68. The peak vessel pressures generated in these analyses were 3644 PSIA for an MTC of 1.0, 3084 PSIA for an MTC of -0.2, and 2794 PSIA for an MTC of -0.68. Therefore, since total loss of Main Feedwater Flow without Turbine Trip is the limiting ATWS, an ATWS event will not exceed Level C stress limits for MTCs of -0.68 or less.

Figure 4.8-1 presents the core damage event tree for ATWS. The following subsections describe the individual elements on this event tree.

4.8.2 ATWS Event Tree Elements

4.8.2.1 ATWS Initiators

ATWS is defined to be an anticipated operational occurrence coupled with failure to insert negative reactivity via the control element assemblies.

Since the primary ATWS concern is the peak RCS pressure, ATWS initiators, for this study, are defined to be those transients which tend to produce RCS pressure transients. These include loss of feedwater events, turbine trips, MSIV closures and loss of RCS flow events.

4.8.2.2 RPS Electrical

This element is defined as a failure to de-energize the CEDM busses due to a failure within the electrical portion of the RPS. A complete evaluation of the RPS is presented in C-E's "Reactor Protection System Test Interval Evaluation"(54) which was prepared in response to Generic Letter 83-28(55).

4.8.2.3 Supplementary Protection System Failure

The System 80 protection system includes a 4 channel safety grade supplementary protection system which will trip the reactor on a 2 of 4 coincidence signal on high pressurizer pressure if the RPS fails to generate a trip signal. The SPS trip signal opens the Motor-Generator Set output contactors which are upstream of the Reactor Trip Switchgear. This element is therefore defined as a failure to de-energize the CEDM busses due to an electrical failure within the SPS.

4.8.2.4 RPS Mechanical

This element is defined to be the failure of more than 50% of the CEAs to insert due to mechanical binding of the CEAs.

4.8.2.5 MTC Overpressure

This element is defined to be that the MTC is such that a severe ATWS will produce peak RCS pressures in excess of the level C stress limits (approximately 3000 PSIA). C-E best estimate analyses have shown that for an MTC of -0.68, an ATWS initiated by a total loss of main feedwater without turbine trip results in peak pressures of less than 3000 PSIA.

4.8.2.6 Deliver Auxiliary Feedwater

Following the ATWS transient (with a presumed consequential loss of main feedwater), auxiliary feedwater must be supplied to the steam generators in order to remove decay heat from the RCS. Auxiliary feedwater is automatically actuated by the engineered safety features actuation system (ESFAS). It can also be manually actuated from the control room. The success criterion for this element is that auxiliary feedwater flow must be delivered from one of two category 1 auxiliary feedwater pumps to one steam generator. C-E best estimate analyses have shown that for MTCs of -0.68 or less, one auxiliary feedwater pump can deliver sufficient flow to maintain RCS pressure peaks below 3000 PSIA, even with a total loss of main feedwater.

4.8.2.7 Remove Secondary Steam

Secondary steam must be removed from the steam generators to control secondary pressure, to remove secondary heat (transferred from RCS) and to prevent steam generator overfill. The following sections describe the three primary methods of secondary steam removal.

4.8.2.7.1 Turbine Bypass Valves

The preferred means of removing secondary steam is via the turbine bypass valves. These valves are automatically opened by the steam bypass control system to prevent lifting of the secondary safety valves following a turbine trip. These valves can also be remotely opened from the control room. Six of the eight valves dump to the condenser and the other two dump to atmosphere.

The turbine bypass valves will not open if the condenser is unavailable.

The success criterion for this element is that one of eight bypass valves open to remove secondary steam.

4.8.2.7.2 Atmospheric Dump Valves (ADV)

If the turbine bypass valves are unavailable, secondary steam can be removed using the atmospheric dump valves. There are four atmospheric dump valves, two per steam generator. These valves are remotely controlled from the control room.

The success criterion for this element is that one of the four atmospheric dump valves open to remove secondary steam.

4.8.2.7.3 Main Steam Safety Valves (MSSV)

If the turbine bypass valves and the atmospheric dump valves are unavailable, the steam generator pressure will increase until the main steam safety valve setpoint is reached. The main steam safety valves will then begin to cycle to maintain the steam generator pressure in a narrow band around the main steam safety valve setpoint pressure. The RCS temperature and pressure will then increase until an equilibrium point is reached where the heat transfer from the RCS to the steam generators is balanced by the heat removed through the main steam safety valves. As long as auxiliary feedwater is available, the plant will remain stable. However, it is not possible to bring the plant to shutdown cooling entry conditions unless an atmospheric dump valve or a turbine bypass valve is restored.

The success criterion for this element is that one of twenty main steam safety valves open.

4.8.2.8 High Pressure Injection

Following an ATWS event, high pressure injection is required to provide boron for long term shutdown margin maintenance and to provide RCS makeup for inventory lost during the early phases of the transient.

The success criterion for this element is that water with refueling boron concentration be delivered from the RWT to the RCS via 1 of 2 HPSI pumps or three of three charging pumps.

4.8.2.9 Long Term Cooling

Once the reactor is shut down and the plant is stabilized following an ATWS, the plant must be brought down to cold shutdown via the shutdown cooling system or maintained in a stable hot shutdown condition. The subelements for this element are described below.

4.8.2.9.1 Establish Shutdown Cooling

Once the plant has been cooled down to shutdown cooling entry conditions (350°F and 400 psia) the plant can be brought to cold shutdown conditions using the shutdown cooling system. The success criterion for this element is that shutdown cooling flow be established through one shutdown cooling system train.

4.8.2.9.2 Maintain Secondary Heat Removal

If shutdown cooling entry conditions cannot be achieved, or the shutdown cooling system is unavailable, the plant must be maintained in a stable condition via continued secondary heat removal. The success criteria for this element vary depending on the status of auxiliary feedwater and the condenser.

The criteria are:

a) For sequences with AFW and the condenser available;

1) deliver flow from 1 of 2 AFW pumps and remove steam via 1 of 8 TBVs, or 1 of 4 ADVs or 1 of 20 MSSVs;

b) For sequences with AFW available but the condenser unavailable;

1) deliver flow from 1 of 2 AFW pumps and remove steam via 1 of 4 ADVs or 1 of 20 MSSVs;

c) For sequences with AFW unavailable but the condenser unavailable;

1) deliver flow from 1 of 3 condensate pumps and remove steam via 1 of 8 TBVs or 1 of 4 ADVs;

d) For sequences with AFW and condenser unavailable;

1) deliver flow from 1 of 3 condensate pumps and remove steam via 1 of 4 ADVs.

For the sequences in which steam is exhausted to the atmosphere and the auxiliary feedwater is taken from the condensate storage tank, additional water inventory must be provided to the condensate storage tank before it empties.
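The success criteria of Sections 4.8.2.6 through 4.8.2.9 can be checked mechanically against a given equipment state. The following Python sketch is an added example, not part of the original report; the `PlantState` fields, the function names and the shutdown cooling train count are hypothetical, and it assumes that reaching shutdown cooling entry conditions needs a feed source as well as a TBV or ADV.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PlantState:
    """Available equipment counts (field names are hypothetical)."""
    afw_pumps: int = 2          # category 1 auxiliary feedwater pumps (of 2)
    condensate_pumps: int = 3   # condensate pumps (of 3)
    condenser: bool = True      # TBVs will not open without the condenser
    tbvs: int = 8               # turbine bypass valves (of 8)
    advs: int = 4               # atmospheric dump valves (of 4)
    mssvs: int = 20             # main steam safety valves (of 20)
    hpsi_pumps: int = 2         # HPSI pumps (of 2)
    charging_pumps: int = 3     # charging pumps (of 3)
    sdc_trains: int = 2         # shutdown cooling trains (count assumed)


def deliver_afw(s: PlantState) -> bool:
    """4.8.2.6: flow from one of two category 1 AFW pumps."""
    return s.afw_pumps >= 1


def steam_removal_path(s: PlantState):
    """4.8.2.7: preferred path first; None if no path is available."""
    if s.condenser and s.tbvs >= 1:      # 1 of 8 TBVs, condenser required
        return "TBV"
    if s.advs >= 1:                      # 1 of 4 ADVs
        return "ADV"
    if s.mssvs >= 1:                     # 1 of 20 MSSVs
        return "MSSV"
    return None


def high_pressure_injection(s: PlantState) -> bool:
    """4.8.2.8: 1 of 2 HPSI pumps or three of three charging pumps."""
    return s.hpsi_pumps >= 1 or s.charging_pumps >= 3


def long_term_cooling(s: PlantState):
    """4.8.2.9: return the long term cooling mode achieved, or None."""
    path = steam_removal_path(s)
    if s.afw_pumps >= 1:
        feed = "AFW"
    elif s.condensate_pumps >= 1:
        feed = "condensate"
    else:
        feed = None
    if feed is None or path is None:
        return None
    # The criteria list no MSSV option when condensate pumps supply the
    # feed flow, so that combination is not credited.
    if feed == "condensate" and path == "MSSV":
        return None
    # 4.8.2.7.3: entry conditions cannot be reached on MSSVs alone.
    # Assumption: a feed source is also needed during the cooldown.
    if path in ("TBV", "ADV") and s.sdc_trains >= 1:
        return "shutdown cooling"
    return f"secondary heat removal ({feed}, {path})"


def evaluate(s: PlantState) -> dict:
    """Outcome of each post-trip event tree element for one state."""
    return {
        "deliver_afw": deliver_afw(s),
        "steam_removal": steam_removal_path(s),
        "high_pressure_injection": high_pressure_injection(s),
        "long_term_cooling": long_term_cooling(s),
    }


if __name__ == "__main__":
    # Constructed state: condenser and ADVs lost, everything else available.
    print(evaluate(PlantState(condenser=False, advs=0)))
```
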

4.8.3 Dependencies

The following functional dependencies are important for Event Tree 9:

a) All sequences not involving failure to scram are not addressed in this event tree.

b) Failure to scram coupled with an adverse MTC is assumed to result in peak pressures exceeding level C stress limits. This is assumed to cause a LOCA with safety injection disabled and leads directly to core damage.

c) The Auxiliary Feedwater Actuation System (AFAS) shares bistables with the RPS. Thus, in sequences involving RPS failure, the probability of AFAS failure will be higher than in other sequences.

d) Failure of high pressure injection is presumed to result in a return to power on cooldown due to insufficient negative reactivity. The AFW system would not be able to remove sufficient energy. The steam generators would dry out. The primary pressure would rapidly increase and the primary safety valves would lift again. The primary safety valves would discharge inventory to containment and the core would become uncovered within approximately 35 minutes of the lifting of the safety valves.

[Figure: event tree. Column headings: Event Initiator; RPS Electrical; SPS Electrical; RPS Mechanical; MTC Overpressure; Deliver AFW; Steam Removal; High Pressure Injection; Long Term Cooling.]

4.9 INTERFACING SYSTEMS LOCA

An Interfacing System LOCA is a loss of primary coolant outside containment via a system which interfaces with the RCS and for which the pressure boundary is outside containment. The interfacing system LOCA is presumed to result from exposing low pressure piping of the interfacing system to full primary system pressure due to failure of multiple pressure barrier valves. Initial plant response to an interfacing system LOCA is the same as the response to an equivalent sized LOCA inside containment. However, RCS inventory and ECCS inventory are being discharged outside containment and are not returned to the containment sump. Thus, when the RWST inventory is depleted and RAS is generated, the ECCS pumps will have no inventory to deliver to the reactor. The core will be uncovered and core melt will occur. Therefore, an interfacing system LOCA will, by definition, lead to core melt, and the ECCS response need not be evaluated. In addition, an interfacing system LOCA will provide a direct path through containment for the release of radioactive material.

Systems which interface with the RCS include the HPSI and LPSI systems, the shutdown cooling system, the CVCS and the sampling system. The CVCS is not considered to be a source for an interfacing system LOCA because the piping in this system is qualified to relatively high pressures, and is also of relatively small diameter (2 to 4 inches). Likewise, the HPSI system is not considered to be a source for an interfacing system LOCA because the piping is qualified for high pressure and is of small diameter. The sampling system is not considered to be a source for an interfacing system LOCA because the piping is small enough that the coolant loss resulting from a break in this piping could be replaced by the charging system. Thus, the interfacing systems LOCA sources considered in this analysis are the four (4) LPSI lines and the two (2) shutdown cooling suction lines. Figure 4.9-1 presents a simplified pipe and valve arrangement for these lines showing the containment wall and the postulated break points.

[Figure 4.9-1: Simplified Diagram of Safety Injection and Shutdown Cooling Piping. Legend: • assumed break point.]

4.10 VESSEL RUPTURE

Vessel rupture is defined as any breach of primary pressure boundary where the rate of loss of primary coolant exceeds the capacity of ECCS. Vessel ruptures include catastrophic failure of the vessel shell, the vessel nozzles, the vessel head, or a simultaneous rupture of two or more large primary coolant pipes. Vessel rupture accidents lead directly to core melt because, by definition, the ECCS cannot deliver sufficient inventory to maintain core cover.

4.11 BORON DILUTION

A boron dilution event occurs as a result of improper operator actions or failures in the boric acid/demineralized water makeup flow path to the suction of the charging pump which results in a boron concentration in the charging flow less than that in the RCS. The worst case condition occurs if the demineralized water tank is aligned directly to the charging pump suction and charging and letdown is proceeding at the maximum rate of 132 gpm. Boron dilution reduces the RCS boron concentration and adds positive reactivity to the core. If the boron dilution is allowed to proceed, particularly during approximately the first half of core life, it is possible to insert enough positive reactivity such that it is not possible to shut down or to maintain the core subcritical with the control rods.

While a boron dilution event can occur in any mode, the basic response is the same in all cases: stop the deboration by turning off the charging pumps and isolating letdown. Once the deboration event is terminated, shutdown margin can be restored via the emergency boration procedure.

4.11.1 Boron Dilution Event Progression

If the boron dilution event is initiated when the plant is in hot standby or hot shutdown, all control rods are fully inserted and the secondary side is providing decay heat removal. With a 2% Δρ shutdown margin, a charging and letdown rate of 132 gpm and the charging pump suction aligned to the demineralized water tank, it takes approximately 95 minutes to deborate the RCS to zero shutdown margin, at which point the core would achieve criticality. The initial early indications of a boron dilution would be demineralized water/boric acid flow rates, system lineup indications on the control panel and possibly sampling results. The operators are not likely to observe these indications unless they are closely observing the CVCS operation. The first positive indication would be a low boron concentration alarm from the boronmeter. If the deboration is not terminated, the next indication is a boron dilution/high neutron flux alarm on the startup flux channel. At this point, the deboration event can still be terminated by stopping the charging pumps and isolating letdown. If this is not accomplished, the next indication will be a high logarithmic power trip alarm as the reactor goes critical. To terminate the deboration event at this point will require emergency boration to shut the reactor down and restore shutdown margin. Assuming that the deboration is not terminated, reactor power will slowly increase following criticality, and heat transfer to the secondary side will increase. Assuming secondary steam removal via the ADVs and with the ADVs and the auxiliary feedwater system in manual control, the steam generator pressure will start to increase due to the difference between the energy input from the RCS and that removed via the ADVs. The MSSVs will lift to balance energy removal and steam generator levels would begin to decrease due to the mismatch between steam flow and auxiliary feedwater flow. In approximately forty-five minutes, the steam generators will essentially dry out. At this point, the RCS temperature and pressure will rapidly increase and the primary safety valves will lift and discharge RCS inventory into containment. Within approximately 35 minutes following the initial lift of the primary safety valves, core uncovery will begin.

Emergency boration can bring the RCS boron concentration from zero margin criticality to a 2% Δρ shutdown margin with the reactor subcritical in approximately 23 minutes. An additional one minute of emergency boration is required for every four (4) minutes the deboration continues past criticality. Thus, the operator must start emergency boration within 15 minutes after criticality occurs to terminate the transient and prevent core damage.

If the deboration event is initiated while the plant is at power, reactor power will start to increase and a reactor trip on high power will occur. The reactor trip does not terminate the deboration, and, following the trip, the event follows the progression of the hot standby case discussed above. The response of the secondary side systems is equivalent to their response to any transient-induced trip (see Section 4.6). Thus, if the secondary side systems do not respond properly, core damage will occur even if the deboration is terminated. If the secondary side systems respond properly, but the deboration is not terminated and/or emergency boration started, core damage will occur. To account for this duality, the deboration occurrence frequency will be included in the transient occurrence frequency and the deboration event sequence will address only the actions needed to terminate the deboration or to implement emergency boration.

4.11.2 Deboration Event Sequence

Based on the event description in Section 4.11.1, core damage due to deboration can be represented by a single event sequence. This event sequence is:

1) Deboration is initiated,

and

2) Operator fails to respond to the boronmeter "low boron concentration" alarm within 15 minutes,

and

3) Operator fails to respond to the boron dilution alarm within 15 minutes, given that he did not respond to the low boron concentration alarm,

and

4) Operator does not start emergency boration within 15 minutes of receiving the high logarithmic power trip alarm (and other indications of power increase with rods inserted) given that operator did not respond to the boron dilution alarm.

5.0 SYSTEM ANALYSIS

5.1 GENERAL PLANT DESCRIPTION

A typical System 80 nuclear power plant unit includes a nuclear steam supply system (NSSS), the steam and power conversion system and associated auxiliary and safety systems. Among the major systems and components are:

1) Reactor and its components,
2) Reactor Coolant System and Auxiliary Systems,
3) Engineered Safety Features and Protection Systems,
4) Steam and Power Conversion Systems,
5) Heating, Ventilation and Air-Conditioning Systems,
6) Cooling Water Systems, and
7) Electric Power Systems.

Summary descriptions of the systems and components relevant to this study are presented below and detailed in Section 5.3 of this report.

5.1.1 Reactor Coolant System

The Reactor Coolant System (RCS) contains two independent primary coolant loops, each of which has two reactor coolant pumps, a steam generator, an outlet (hot) pipe and two inlet (cold) pipes. An electrically heated pressurizer is connected to one of the loops, and safety injection lines are connected to each of the four cold legs and the two hot legs. Pressurized water is circulated by the reactor coolant pumps through the inlet pipe, downward between the reactor vessel shell and the core support barrel, upward through the reactor core, through the outlet pipe, through the tube side of the vertical U-tube (with an integral economizer) steam generators, and back to the reactor coolant pumps. The saturated steam produced in the steam generators is passed to the turbine.

5.1.2 Engineered Safety Features

The Engineered Safety Features (ESF) systems are provided to control, mitigate or terminate such postulated accidents as a loss-of-coolant accident (LOCA) in order that the release of radioactive material be limited to acceptable levels. The ESF systems include:

1) Safety Injection System (SIS),
2) ContainmentCoolingSystem(CCS),
3) Containment Spray System (CSS),

O 5-2

1339c/(82010)/ca-3

4) ContainmentIsolationSystem(CIS),

ci

5) Iodine Removal System (IRS),.and
6) Emergency Fecdwater System.

5.1.3 Protection System

Automatic protection systems are provided to assure safe operation of the plant. Among these is the Reactor Protection System (RPS). The RPS consists of sensors, logic and other equipment necessary to monitor selected NSSS conditions and to effect reliable and rapid reactor shutdown (trip) if any or a combination of the monitored conditions approach specified safety system settings.

In addition, an Engineered Safety Features Actuation System (ESFAS) is provided to generate ESF equipment actuation signals when the selected monitored variables reach the levels that indicate conditions which require protective action.

5.1.4 Steam and Power Conversion System

The steam and power conversion system removes heat energy from the reactor coolant in two U-tube steam generators, and converts the steam into electrical energy by means of a turbine-generator. The unusable heat in the steam cycle is transferred to the main condenser for rejection by the circulating water system. The resulting condensate is then deaerated, heated through feedwater heaters and returned to the steam generators as feedwater.

Two major components of the steam and power conversion system are the turbine (or turbine-generator) and condenser. Other subsystems or components of the steam and power conversion systems are the Turbine Bypass System, Steam Generator Blowdown System, Main Steam Isolation System, Main Steam Safety Valves, Atmospheric Dump Valves, and the Main Feedwater and Emergency Feedwater Systems.

5.1.5 Heating, Ventilation and Air-Conditioning Systems

The Heating, Ventilation, and Air-Conditioning (HVAC) systems provide a controlled environment to ensure the comfort and safety of personnel and to maintain the integrity of equipment. The HVAC systems are provided throughout the nuclear power plant unit. One HVAC system relevant to this study is the HVAC system for the auxiliary building, which includes the ESF pump room and the battery room.

5.1.6 Cooling Water Systems

The cooling water systems function to remove heat generated in the NSSS systems and components. Cooling systems necessary for safe plant operation and safe plant shutdown are listed below.

5.1.6.1 Cooling Systems for Reactor Auxiliaries

Cooling for reactor auxiliaries is provided by two systems, the safety-related essential cooling water system (ECWS) and the non-safety-related nuclear cooling water system (NCWS).

A. Essential Cooling Water System

The ECWS is comprised of two redundant Seismic Category I trains. These trains supply corrosion inhibited cooling water to components that are required for normal and emergency shutdown.

B. Nuclear Cooling Water System

The non-safety-related NCWS supplies corrosion inhibited cooling water to reactor auxiliary systems and equipment required during normal plant operation.

5.1.6.2 Essential Spray Pond System

The Essential Spray Pond System (ESPS) is a safety-related, Seismic Category I system comprised of two redundant trains. The ESPS trains supply cooling water to the ECWS trains that are required to function for normal and emergency shutdown.

5.1.6.3 Ultimate Heat Sink

The ultimate heat sink consists of two Seismic Category I essential spray ponds. The ultimate heat sink is utilized for normal and emergency shutdown in conjunction with the ESPS and the ECWS.

5.1.7 Electric Power Systems

The electric power systems that are of interest in this study include the essential AC power system, DC power system and the standby AC power system.

Engineered safety feature AC loads are divided into two independent and redundant load groups. Each group consists of one 4.16-kV bus, and associated 480V load centers and motor control centers. The normal plant AC loads are supplied by two 13.8-kV buses, two 4.16-kV buses and associated 480V load centers and motor control centers.

Standby AC power is supplied by two diesel generators. Each ESF load group is supplied by a separate diesel generator. Each diesel generator is sized to meet the maximum demand of its ESF load group.

The DC power is supplied by four independent Class 1E 120V DC systems, 1 per ESF channel. The systems supply power to vital instruments and controls.

5.1.8 Auxiliary Systems

Auxiliary systems that provide support for safe plant cooldown or safety-related functions are summarized below:

5.1.8.1 Shutdown Cooling System

The Shutdown Cooling System (SCS) is used to reduce the temperature of the reactor coolant at a controlled rate from a hot shutdown temperature of 350°F to a refueling temperature of approximately 135°F and to maintain the proper reactor coolant temperature during refueling.

5.1.8.2 Chemical and Volume Control System

One of the functions of the Chemical and Volume Control System (CVCS) is to control the boric acid content of the reactor coolant.

The CVCS controls the boric acid concentration in the coolant by a "feed and bleed" method. The letdown stream is purified and may be diverted to a boron recovery section. The diverted coolant stream is processed by ion exchange and degasification and flows to a concentrator. The concentrator bottoms are sent to the refueling water tank for reuse as boric acid solution and the distillate is first passed through an ion exchanger and then stored for reuse as demineralized water in the reactor makeup water tank.

5.1.8.3 Emergency Feedwater System

The Emergency Feedwater System (EFWS) supplies condensate to the steam generators following the loss of normal feedwater. The EFWS also provides water to the unaffected steam generator following a postulated main steam or feedwater line break.

5.1.8.4 Instrument Air System

The instrument air system supplies properly conditioned compressed air to operate air-operated valves, pneumatic instruments and controls.

5.2 SYSTEM DEPENDENCIES AND COMMONALITIES

Section 4 identified core melt sequences in terms of initiating events combined with failure of front line systems. A failure of a front line system may originate not only within the system itself but may also be caused by another system or component with which it interacts. This interaction can be in the form of an interdependency or a commonality.

Interdependency can be in the form of exclusive dependency, support, actuation, or isolation. Commonality results when the system shares the whole or a part of another system, or when two systems (or components, or a system and other components) participate in performing a certain function. For example, the high pressure safety injection (HPSI) system shares piping and other components with the low pressure safety injection (LPSI) system.

Another example of commonality is the shutdown cooling system (SCS) and LPSI system, wherein the SCS and LPSI pumps participate in performing the plant cooldown.

Interdependency exists when two systems have a dependency of a sort on each other. This interdependency will exist when:

a) One system is dependent upon another system for electrical power or for controlled air for valve operation.

b) One system actuates another system, for example safety injection actuation signal (SIAS) actuates the HPSI pumps.

c) One system supports another system for the latter's functionality, for example essential cooling water system supports shutdown cooling system enabling it to perform its functions.

d) One system isolates another system, for example SIAS will isolate the steam generator blowdown system.

Figure 5.2-2 shows the dependency and commonality relationships between the various systems. Figure 5.2-1 shows how this matrix of dependency and commonality relationships is subdivided.

The purpose of this matrix is to demonstrate the way each system interfaces with other systems in the plant. Both the vertical axis and the horizontal axis contain the same list of systems. In order to properly read the matrix, select a system from the vertical list of systems. This is considered to be the reference system. The reference system may then be compared to other (interfacing) systems by reading across the top of the matrix and looking at the point of intersection of the two systems. The reference system either:

o shares common element(s) with the interfacing system (C.E.);

o supports the interfacing system (S);

o actuates the interfacing system (A);

o isolates the interfacing system (I);

o depends on the interfacing system (D); or

o has no relationship to the system (blank).

For example, if the Emergency Feedwater System is chosen as the reference system, the matrix shows that the Emergency Feedwater System is:

o dependent on EFAS-1, EFAS-2, 125 VDC, 480 VAC, and 4160 VAC; and

o shares common elements with the Chemical and Volume Control System.
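The matrix reading described above, carried one step further by following "D" entries transitively to find support systems shared by several front line systems. This is an added example, not part of the original report: the entries are transcribed only from relationships the report states in prose (Section 5.2, Sections 5.3.1.3 to 5.3.4.3 and the Figure 5.2-2 notes), the short system labels and function names are chosen here, and treating note 5's "vital dc power" as the 125 VDC entry is an assumption.

```python
from collections import deque

# (reference system, interfacing system) -> code from the Figure 5.2-1 legend
# (C.E., S, A, I, D). Transcribed from the report's prose and figure notes,
# not from the matrix cells themselves.
MATRIX = {
    # Section 5.2 worked example and Section 5.3.1.3
    ("EFWS", "EFAS-1"): "D", ("EFWS", "EFAS-2"): "D", ("EFWS", "125 VDC"): "D",
    ("EFWS", "480 VAC"): "D", ("EFWS", "4160 VAC"): "D", ("EFWS", "CVCS"): "C.E.",
    # Section 5.3.2.3
    ("HPSI", "4160 VAC"): "D", ("HPSI", "480 VAC"): "D", ("HPSI", "SIAS"): "D",
    ("HPSI", "HVAC"): "D", ("HPSI", "LPSI"): "C.E.", ("HPSI", "CSS"): "C.E.",
    # Section 5.3.3.3
    ("LPSI", "4160 VAC"): "D", ("LPSI", "480 VAC"): "D", ("LPSI", "SIAS"): "D",
    ("LPSI", "HVAC"): "D", ("LPSI", "HPSI"): "C.E.", ("LPSI", "CSS"): "C.E.",
    # Section 5.3.4.3
    ("Main Steam Isolation", "MSIS"): "D",
    # Section 5.2 items b, c and d
    ("SIAS", "HPSI"): "A", ("ECWS", "SCS"): "S", ("SIAS", "SG Blowdown"): "I",
    # Figure 5.2-2 notes 9, 5 and 11.
    # Assumption: note 5's "vital dc power" is the 125 VDC entry.
    ("4160 VAC", "Diesel Generator"): "D", ("Diesel Generator", "125 VDC"): "D",
    ("ADVs", "Instrument Air"): "D",
}

# Assumption of this example: an S or A entry implies a D entry in the other
# direction, and a C.E. entry is symmetric.
CONVERSE = {"S": "D", "A": "D", "C.E.": "C.E."}


def read_cell(reference, interfacing):
    """Read one intersection: row = reference system, column = interfacing."""
    return MATRIX.get((reference, interfacing), "")


def related(reference, code):
    """Interfacing systems that carry `code` in the reference system's row."""
    return sorted(o for (r, o), c in MATRIX.items() if r == reference and c == code)


def all_dependencies(reference):
    """Follow D entries breadth-first; map each support system to the
    shortest dependency chain that reaches it from the reference system."""
    chains = {}
    queue = deque([[reference]])
    while queue:
        path = queue.popleft()
        for support in related(path[-1], "D"):
            if support != reference and support not in chains:
                chains[support] = path + [support]
                queue.append(chains[support])
    return chains


def shared_supports(front_line):
    """Support systems that two or more of the given systems depend on,
    directly or through another support system."""
    users = {}
    for system in front_line:
        for support in all_dependencies(system):
            users.setdefault(support, []).append(system)
    return {s: sorted(u) for s, u in users.items() if len(u) > 1}


def missing_converses():
    """Entries the transcription still lacks if every S/A/C.E. entry is to
    have its counterpart in the other system's row."""
    gaps = []
    for (ref, other), code in MATRIX.items():
        expected = CONVERSE.get(code)
        if expected and MATRIX.get((other, ref)) != expected:
            gaps.append((other, ref, expected))
    return sorted(gaps)


if __name__ == "__main__":
    print("SIAS row, HPSI column:", read_cell("SIAS", "HPSI"))
    for support, chain in all_dependencies("HPSI").items():
        print("HPSI ->", support, "via", " -> ".join(chain))
    for support, systems in sorted(shared_supports(["EFWS", "HPSI", "LPSI"]).items()):
        print(support, "is shared by", ", ".join(systems))
    for row, column, code in missing_converses():
        print("not yet transcribed:", row, "/", column, "expected", code)
```

The transitive step is what the single-row reading misses: HPSI and LPSI have no 125 VDC entry in their own prose descriptions, yet reach it through 4160 VAC and the diesel generators.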

[Figure 5.2-1: System 80 System Dependency and Commonality Matrix. The matrix has been divided as follows: Figure 5.2-2, Sheets 1 through 5 of 12 (upper row) and Sheets 6 through 10 of 12 (lower row). Legend: C.E. = Common Elements; S = Supports; A = Actuators; I = Isolators; D = Dependency; a further marker (symbol not recoverable from the scanned text) = Note.]

[Figure 5.2-2, Sheets 1 through 10 of 12: System 80 System Dependency and Commonality Matrix. The cell entries are not recoverable from the scanned text; only the axis labels survive.

Reference systems (rows), Sheets 1 to 5: Emergency Feedwater System, High Pressure Safety Injection, Low Pressure Safety Injection, Main Steam Isolation System, SG Blowdown System, Shutdown Cooling System, Turbine Bypass System, Containment Heat Removal System, Containment Isolation System, Containment Spray System, Essential Spray Pond System, Iodine Removal System, Ultimate Heat Sink, RAS, MSIS, CSAS, CIAS, EFAS-1.

Reference systems (rows), Sheets 6 to 10: EFAS-2, SIAS, RPS, Chemical & Volume Control, Essential Cooling Water System, HVAC, Instrument Air System, Nuclear Cooling Water System, 125 VDC, 480 VAC Vital, 4160 VAC Vital, 120 VAC, 13.8 kV, Diesel Generator, Fire Protection, ADVs.

Interfacing systems (columns): the same list of systems, divided among the sheets.]

FIGURE 5.2-2 Sheet 11 of 12 NOTES

1. LPSI, HPSI and Containment Spray System share a common suction header off the Refueling Water Tank in the CVCS.
2. The Shutdown Cooling System uses both LPSI and CSS pumps.
3. The Containment Spray Pumps provide the suction for the Iodine Removal System.
4. The Chemical and Volume Control System shares the Refueling Water Tank, discharge valves and associated piping with HPSI, LPSI, and CSS (Train B, only).
5. Diesel Generators' start-up depends upon vital dc power, and dc power keeps breaker closed during operation.
6. Reactor Makeup Tank (in CVCS) provides alternate supply of water to EFW System (Condensate Storage Tank is primary source).
7. System is dependent upon the condenser system, which is not shown on the matrix. Also, electric supplies are non-vital and not shown on matrix.

FIGURE 5.2-2 Sheet 12 of 12 NOTES (continued)

8. The SG Blowdown System operates continuously, but is isolated by either MSIS, EFAS, or SIAS.
9. 4.16 kV depends upon diesel generators upon loss of offsite power.
10. ESFAS/RPS trips upon loss of 120VAC power. 120VAC does not actuate the trip.
11. ADVs are dependent on instrument air to open. Nitrogen is used as a back-up for instrument air.
12. There are containment isolation valves in every system, and they are actuated by CIAS.
13. There are three redundant compressors/receivers in the Instrument Air System. These compressors are cooled by the turbine cooling water system.
14. Upon loss of offsite power, power to the motor driven pump is supplied by a standby diesel generator.

5.3 SYSTEM DESCRIPTIONS

5.3.1 Emergency Feedwater System

5.3.1.1 System Description

A schematic of the Emergency Feedwater System (EFWS) is presented in Figure 5.3.1-1. The EFWS is designed to supply an assured source of water to the steam generators during normal plant startup and shutdown in the event of loss of main feedwater supply. The EFWS will start automatically on actuation of an emergency feedwater actuation signal (EFAS). The EFWS maintains flow control during system operation.

The EFWS consists of one Seismic Category I motor-driven pump, one Seismic Category I steam turbine-driven pump, one non-Seismic Category I motor-driven pump, associated valves, piping, controls, and instrumentation. The primary source of emergency feedwater is the condensate storage tank. The Seismic Category I motor-driven pump and all motor-operated valves receive power from both onsite and offsite power sources. In the event of a loss of offsite power, power to the motor driven pump is supplied by a standby diesel generator. The turbine-driven pump is supplied with steam from the main steam lines of either steam generator upstream of the MSIVs. Signals from the EFAS start the Seismic Category I motor-driven and turbine-driven pumps, shut all isolation valves, and open the associated isolation valves to the downcomer nozzles of the steam generators. The non-Seismic Category I motor-driven pump is started manually. Its associated valves are powered from Class 1E sources and are opened manually from the control room. Operation of the non-Seismic Category I, non-essential pump is considered in the EFW Restoration Analysis. The EFWS unavailability analysis includes only the Seismic Category I essential pumps and associated valves.

[Figure 5.3.1-1: Emergency Feedwater System schematic; not recoverable from the scanned text.]

5.3.1.2 System Functions

The primary function of the EFWS is to supply water to the steam generator(s) in the event the main feedwater supply is not available. The supply of emergency feedwater is adequate to provide for the removal of decay heat from the reactor core and reduce the reactor coolant system temperature to the entry temperature for actuating the shutdown cooling system.

5.3.1.3 System Dependencies and Common Components

The EFWS is dependent upon the ESFAS Emergency Feedwater Actuation Signal (EFAS-1 and EFAS-2) for actuation of the system.

The EFW Seismic Category I motor-driven pump depends on 4.16-kV vital power supply, and motor-operated valves depend on 480V motor control center power supply.

Valves downstream of the EFW turbine pump, as well as all valves that supply steam to the EFW pump, are dependent upon 125V DC for power supply.

In the event that the condensate storage tank is unavailable, the EFWS obtains its water supply from the Reactor Makeup Water Tank (RMWT). The RMWT is part of the chemical and volume control system.

Upon loss of offsite power, the Seismic Category I motor-driven pump is dependent upon a standby diesel generator for power supply.

5.3.2 High Pressure Safety Injection (HPSI) System

5.3.2.1 System Description

Schematics of the HPSI System (Injection Mode and Recirculation Mode) are presented in Figures 5.3.2-1 and 5.3.2-2. The injection mode of operation is initiated upon receipt of a safety injection actuation signal (SIAS). A SIAS is produced upon any two coincident low pressurizer pressure (<1700 psia) or high containment pressure signals. The SIAS may also be initiated manually in the control room. Upon a SIAS, the HPSI pumps automatically start and the HPSI header isolation valves open. During injection mode, the minimum flow lines downstream of each pump are kept open to prevent possible dead head operation. The pumps take suction from the Refueling Water Tank (RWT) and discharge through the eight HPSI header isolation valves via two redundant HPSI headers. The safety injection water then flows to the reactor vessel through a safety injection nozzle on each of the four RCS cold leg pipes. If offsite power (normal AC) is unavailable, the ESF buses are connected to the diesel generators and safeguard loads (the HPSI System) are then started in a preprogrammed time sequence.

[Figures 5.3.2-1 and 5.3.2-2: HPSI System schematics (Injection Mode and Recirculation Mode); not recoverable from the scanned text.]

The recirculation mode is automatically initiated by the Recirculation Actuation Signal (RAS) upon low RWT level. The RAS opens the containment sump outlet valves and closes the HPSI pump mini-flow line circulation valves.

5.3.2.2 System Functions

The primary function of a High-Pressure Safety Injection (HPSI) pump is to inject borated water into the RCS if a break occurs in the RCS pressure boundary. For small breaks, the RCS pressure remains high for a long period of time following the accident, and the high-pressure safety injection pumps ensure that the injected flow is sufficient to meet design criteria. The high-pressure safety injection pumps are also used during the recirculation mode to maintain a borated water cover over the core for extended periods of time following a Loss of Coolant Accident. For long term core cooling, the HPSI pumps are manually realigned for simultaneous hot and cold leg injection. This ensures flushing and ultimate subcooling of the core independent of break location. For small breaks, the HPSI pumps continue injecting into the RCS to provide makeup for spillage out the break while a normal cooldown is implemented.

During normal operation, the high pressure safety injection pumps are isolated from the RCS by motor operated valves. During safety injection the HPSI pumps deliver water from the refueling water storage tank to the RCS via the cold leg safety injection nozzles whenever RCS pressure falls below pump shutoff head. During the recirculation mode of operation, the pumps take suction from the containment sump.

5.3.2.3 System Dependencies and Common Components

The HPSI system is dependent upon the 4.16-kV vital bus to supply power to the HPSI pumps. The motor-operated HPSI header valves receive power from the 480V motor control center power supply.

The HPSI system depends on the ESFAS for the Safety Injection Actuation Signal (SIAS) to begin operation.

The HPSI system is also dependent on the Heating, Ventilation and Air-Conditioning (HVAC) system for cooling of the room that houses the HPSI pumps.

The HPSI system shares common components with both the LPSI system and the containment spray system. Those components are the suction header from the refueling water tank in the chemical volume and control system, the suction line from the sump and all associated valves, and the injection line into the RCS.

5.3.3 Low-Pressure Safety Injection System

5.3.3.1 System Description

Low-Pressure Safety Injection (LPSI) system is used for two modes of operation; one for emergency core cooling and the other for shutdown cooling.

The schematic of the LPSI system in injection mode, i.e., in the Emergency Core Cooling System (ECCS) configuration, is presented in Figure 5.3.3-1. Two trains of LPSI system are provided for redundancy. Each LPSI train consists of one LPSI pump and two motor-operated injection valves. LPSI system shares piping and check valves with other safety injection systems for discharging core cooling flow into the Reactor Coolant System (RCS). The shutdown cooling configuration of the LPSI system is shown elsewhere in the report in the shutdown cooling system description (see Section 5.3.6).

[Figure 5.3.3-1: Low Pressure Safety Injection System (Injection Mode); schematic not recoverable from the scanned text.]

The injection mode of LPSI system is initiated upon a receipt of a Safety Injection Actuation Signal (SIAS). Upon a SIAS, the LPSI pumps automatically start and the LPSI header valves open. The pumps take suction from the Refueling Water Tank (RWT) and discharge through the four LPSI header isolation valves via two LPSI headers. The safety injection water then flows to the reactor vessel through a safety injection nozzle on each of the four RCS cold leg pipes.

The LPSI pumps are provided with minimum flow protection to prevent damage when starting against a closed system.

5.3.3.2 System Functions

The Low-Pressure Safety Injection (LPSI) pumps serve two functions. One of these is to inject large quantities of borated water into the reactor coolant system in the event of a large pipe rupture. The other function of the low-pressure safety injection pumps is to provide shutdown cooling flow through the reactor core and shutdown cooling heat exchangers for normal plant shutdown cooling operation or as required for long term core cooling.

During normal operation the low-pressure safety injection pumps are isolated from the RCS by motor-operated valves. During safety injection the LPSI pumps deliver water from the refueling water tank to the RCS via the RCS safety injection nozzles whenever system pressure is below pump shutoff head.

5.3.3.3 System Dependencies and Common Components

The LPSI system is dependent upon the 4.16-kV vital bus to supply power to the LPSI pumps. Motor-operated LPSI header valves receive power from the 480V motor control center power supply.

The LPSI system depends on the ESFAS for the Safety Injection Actuation Signal (SIAS) to begin operation.

The LPSI system is also dependent on the Heating, Ventilation and Air-Conditioning (HVAC) system for cooling the LPSI pump room.

The LPSI system shares common components with both the HPSI system and the containment spray system. The shared components are the suction header from the refueling water tank in the chemical volume and control system, the suction header from the containment sump and the injection lines.

5.3.4 Main Steam Isolation System

5.3.4.1 System Description

Each of the main steam lines is equipped with one quick acting Main Steam Isolation Valve (MSIV). Figure 5.3.4-1 provides a schematic of these valves.

Each valve has an actuation time of 5 seconds or less and operates automatically in the event of rupture in the main steam piping or associated components either upstream or downstream of the MSIV. They prevent blowdown of more than one steam generator (assuming a single active failure). The valves are designed to close upon loss of electric power. Once isolation is initiated, in response to a main steam isolation signal, the valves continue to close and cannot be opened until manually reset.

Each valve has two physically separate and electrically independent solenoid actuators in order to provide redundant means of valve operation.

5.3.4.2 System Functions

The main steam isolation valves are designed to isolate the main steam lines and the steam generators if required during operation.

Reverse flow protection is also achieved through the main steam isolation valves.


5.3.4.3 System Dependencies and Common Components

The main steam line isolation system is dependent upon the ESFAS Main Steam Isolation Signal (MSIS) for actuation of the isolation valves.

5.3.5 Steam Generator Blowdown System

5.3.5.1 System Description

A schematic of the Steam Generator Blowdown System (SGBS) is presented in Figure 5.3.5-1. The SGBS processes water from the tube bundle area of the steam generators. The blowdown water is filtered and purified to remove any impurities. Then, if meeting appropriate specifications, it is returned to the condensate system for reuse. The SGBS is an integral part of the Secondary Chemistry Control System (SCCS).

Each SG is equipped with its own blowdown processing line with the capability of blowing down either the primary inlet or primary outlet regions of the SG shell side. Each blowdown line leaves the containment through its own penetration and discharges into the steam generator blowdown flash tank. The liquid portion flows through the blowdown heat exchanger to the blowdown filter where the major portion of suspended particles is removed. After filtration, the blowdown fluid is processed by the blowdown demineralizer.


The containment isolation valves are normally open and can be remotely operated from the main control room. These valves automatically close upon receipt of a Main Steam Isolation Signal (MSIS), an Auxiliary Feedwater Actuation Signal (AFAS) or a Safety Injection Actuation Signal (SIAS). Any of these signals will close the valves. The valves fail closed on loss of air.

The blowdown is measured for radioactivity in order to detect primary to secondary leakage. If significant steam generator tube leaks exist, blowdown flow from the demineralizer is routed to the Blowdown High Total Dissolved Solids (TDS) sump and to the chemical waste neutralizer tank. From there, the liquid is processed by the Liquid Radwaste System (LRS) via the high TDS holdup tank.

5.3.5.2 System Functions

The Steam Generator Blowdown System (SGBS), in conjunction with the chemical feed and secondary sampling systems, functions to control the chemistry for the steam generator secondary side water. In addition, the SGBS performs the following functions:

a) Monitor secondary side radioactivity for any primary to secondary leakage.

b) Reduce the steam generator blowdown contaminants to an acceptable level prior to discharge to the environment.

c) Provide the necessary blowdown during normal operating conditions and abnormal condenser in-leakage.

d) Provide blowdown system containment isolation capability.

5.3.5.3 System Dependencies and Common Components

The steam generator blowdown system operates continuously, but is isolated by either the Main Steam Isolation Signal (MSIS), the Emergency Feedwater Actuation Signal (EFAS) or the Safety Injection Actuation Signal (SIAS).

Therefore, the SG blowdown system is dependent upon ESFAS for isolation, but not for actuation.

The SG blowdown system is also dependent upon the instrument air system to supply air to the containment isolation valves.

5.3.6 Shutdown Cooling System

5.3.6.1 System Description

The schematic of the shutdown cooling system is presented in Figure 5.3.6-1.

The Shutdown Cooling System (SCS) contains two shutdown cooling heat exchangers (SDCHX) and uses the two low pressure safety injection (LPSI) pumps throughout shutdown cooling. Flow from the Containment Spray (CS) pumps through the shutdown cooling heat exchangers may be used to achieve an increased cooldown rate during the latter stages of shutdown cooling or if the LPSI pumps are unavailable. During initial shutdown cooling, some of the reactor coolant flows out the shutdown cooling nozzles on the hot leg pipes and is circulated through the shutdown cooling heat exchangers by the LPSI pumps. The return to the Reactor Coolant System (RCS) is through the four LPSI lines.

[Figure 5.3.6-1: Shutdown Cooling System. Schematic showing low pressure safety injection pumps 1 and 2, containment spray pumps 1 and 2, component cooling water, the containment wall, low pressure safety injection headers 1 and 2, and the RCS loops.]

The SCS suction line isolation valves are interlocked to prevent overpressurization of the SCS by the RCS. An overpressure relief valve is also provided on each suction line just inside containment.

Shutdown cooling and LPSI flow are measured by orifice meters in each LPSI header. The operator uses this information for flow control during shutdown cooling operation. The cooldown rate is controlled by adjusting flow through the heat exchangers with throttle valves on the discharge of each heat exchanger. The operator maintains a constant total shutdown cooling flow to the core by adjusting the heat exchanger bypass flow to compensate for changes in flow through the heat exchangers.

5.3.6.2 System Functions

The shutdown cooling system is used in conjunction with the main steam and main or emergency feedwater systems to reduce the RCS temperature in post shutdown periods from normal operating temperature to the refueling temperature. Following the initial phase of cooldown when shutdown cooling entry temperature and pressure have been reached, the SCS is put into operation to reduce the RCS temperature to the refueling temperature and to maintain this temperature during refueling.

The shutdown cooling heat exchangers are also used during the recirculation mode following a Loss-of-Coolant Accident (LOCA) or Main Steam Line Break (MSLB) to provide a flow path for containment spray.

Furthermore, the SCS is used in addition to the steam generator atmospheric steam release capability and the emergency feedwater system to cool down the RCS following a small break LOCA. The SCS may also be used subsequent to steam line and feedwater line breaks, steam generator tube rupture, and would be used to maintain flow through the reactor core during plant startup.

5.3.6.3 System Dependencies and Common Components

The shutdown cooling system is dependent upon the essential cooling water system for the shutdown cooling heat exchangers.

The shutdown cooling system is dependent on the 480V vital power supply and 125V DC power supply.

The shutdown cooling system uses both the Low Pressure Safety Injection (LPSI) pumps and the Containment Spray System (CSS) pumps for operation.

5.3.7 Turbine Bypass System

5.3.7.1 System Description

Figure 5.3.7-1 provides a schematic of the turbine bypass system. The Turbine Bypass System (TBS) consists of eight air-operated globe valves and associated instruments and controls. These valves branch from each main steam line downstream of the main steam isolation valves. Six of these valves direct steam to the condenser and the remaining two vent directly to the atmosphere.

The TBS provides a maximum steam dump capacity of 55% rated main steam flow.

The valves are designed to fully open or close within 1 second or to modulate full open or closed in a minimum of 15 seconds and a maximum of 20 seconds.

The valves are equipped with remote-operated handwheels to permit manual operation at the valve location.

The two valves which exhaust to the atmosphere are the last to open and the first to close during load rejections, thus minimizing the quantity of steam discharged to the environment. The valves and piping for the system are located in the turbine building.

During normal operation, the TBVs are under the control of the steam bypass control system. The main function of the TBVs is to limit the pressure rise in the steam generator, following a reactor trip, to a level which prevents opening of the main steam line safety valves. The bypass valves also open to the condenser to remove decay heat following a reactor shutdown or during hot standby conditions.

During plant shutdown, one turbine bypass valve is remotely or manually positioned to remove reactor coolant system sensible heat to reduce the reactor coolant temperature. Since steam pressure decreases as the system temperature is reduced, bypass valve flow capacity becomes limited at low pressures and other bypass valves are opened to complete the cooldown at the design rate until shutdown cooling is initiated. All turbine bypass valves can be remotely operated from the main control room. These valves are pneumatically operated.

The valves in the turbine bypass system are designed to fail closed to prevent uncontrolled bypass of steam.

5.3.7.2 System Functions

The primary function of the turbine bypass system is to accommodate load rejections up to 45 percent of the full load main steam flow without tripping the turbine or lifting the pressurizer or main steam safety valves. In addition, the turbine bypass system performs the following functions:

a) Maintain the Reactor Coolant System (RCS) at hot zero power conditions.

b) Provide a control element assembly automatic withdrawal prohibit signal subsequent to a demanded steam bypass system operation.

c) Provide a means for manual control of the RCS temperature during heatup or cooldown.

e) Provide a condenser interlock which will block steam bypass flow when unit condenser pressure exceeds a preset limit.

5.3.7.3 System Dependencies and Common Components

The turbine bypass system is dependent upon the instrument air system to pressurize the solenoid turbine bypass valves.

Operation of the turbine bypass system depends on the availability of the condenser.

All power supplies to the turbine bypass system are non-vital.

5.3.8 Atmospheric Dump Valves

5.3.8.1 System Description

The atmospheric dump system (ADS) consists of four Atmospheric Dump Valves (ADVs) and eight solenoid valves. Two redundant ADVs are provided for each steam generator, one per main steam line. The ADVs are pneumatically operated and can be controlled from the main control room. A handwheel is also provided with the atmospheric dump valve for local hand operation. Schematics of the ADS are presented in Figures 5.3.8-1 and 5.3.8-2.

In the "open" mode, two solenoid valves (per ADV) open and align to supply air to the underside of the actuator piston. The air pressure under the actuator piston opposes the spring tension above the piston. An increased air pressure under the piston allows the actuator piston to move upward, raising the plug, and increasing flow through the dump valve.


In the "close" mode, the solenoid valves close and align to vent the air from the ADV to the atmosphere. The spring tension above the piston provides the driving force to close the valve.

The Class 1E 125 VDC power system provides power to the solenoid valves that control the ADVs. The solenoid valves are designed to fail "open" in the exhaust position; therefore, the ADVs fail closed on loss of electrical power.

Air supply to the ADVs is provided by the turbine building instrument air header. Should instrument air be lost, a nitrogen accumulator supplies backup pressure automatically. The ADVs are designed to fail closed on a loss of air pressure. Cooldown can also be accomplished through manual operation of the atmospheric dump valves. Each valve has a handwheel that can be operated locally to override the actuator spring.

5.3.8.2 System Functions

The primary function of the Atmospheric Dump Valves (ADVs) is to facilitate bringing the plant from hot standby conditions to shutdown cooling system entry temperature.

5.3.8.3 System Dependencies and Common Components

The Atmospheric Dump Valves (ADVs) receive electrical power from 125V DC power supply.

The ADVs are also dependent upon the instrument air system as air is required for the ADVs to open. In the event of loss of instrument air, nitrogen is used as a back-up for pressurization of the ADVs.

5.3.9 Main Steam Safety Valves

5.3.9.1 System Description

A schematic of the Main Steam Safety Valves (MSSVs) is presented in Figure 5.3.9-1. The spring-loaded MSSVs provide overpressure protection for the secondary side of the steam generator and the main steam piping. Each main steam line is provided with five safety valves (ten valves per steam generator). The total relieving capacity of the safety valves is 11.13 x 10 0 lb/hr per steam generator. The valve setpoints are as follows:

Lift Setting
1250 psig
1290 psig
13 a psig
1315 psig
1315 psig

Note: Two valves per SG at each setpoint.

Successful operation of an MSSV requires the valve to open at the proper pressure setpoint and to reclose upon decreased pressure.

5.3.9.2 System Functions

The primary function of the Main Steam Safety Valves (MSSVs) is to relieve the steam generator secondary side pressure when the condenser is not available.

Thus, MSSVs facilitate removal of decay heat generated in the reactor coolant system during transient and accident conditions.

5.3.9.3 System Dependencies and Common Components

The Main Steam Safety Valves (MSSVs) are not dependent upon any other system.

5.3.10 Containment Heat Removal Systems

5.3.10.1 System Description

The containment heat removal system consists of the Containment Cooling System (CCS) and Containment Spray System (CSS). The containment heat removal system is arranged into two independent 100 percent capacity subsystems, each of which is comprised of one containment spray train and two fan coolers. Heat removal is achieved by the simultaneous operation of the two subsystems.

The containment spray system is described in Section 5.3.12 of this report.

The Containment Cooling System (CCS) fan coolers operate during normal plant operation and following a Loss of Coolant Accident (LOCA) or a Main Steam Line Break (MSLB) inside containment.

A schematic of the CCS is shown in Figure 5.3.10-1. The CCS consists of four fan coolers, a ducted air distribution system and the associated instrumentation and controls. Each fan cooler consists of two banks of cooling coils, casing, vane axial two speed fan and motor. Each cooling coil bank is connected to supply and return manifolds of the Essential Cooling Water System (ECWS). Each CCS train consists of two fan coolers both of which discharge into a common duct. The duct from each train then is interconnected into a common ring header and the distribution system.

During normal operation three of the four fan coolers are manually started from the control room and operate at the higher of two speeds.

Upon receipt of a Safety Injection Actuation Signal (SIAS) following a LOCA or MSLB, the four fans are automatically placed into low speed operation. The fan coolers will remain operational in the emergency mode until operator intervention.

5.3.10.2 System Functions

The primary function of the Containment Cooling System (CCS), which is a subsystem of the containment heat removal system, is to reduce the containment temperature during normal operation and following a LOCA or a MSLB accident.

5.3.10.3 System Dependencies and Common Components

The Containment Cooling System (CCS) requires an operator action to actuate during normal plant operation. However, the CCS is automatically actuated on an SIAS following a postulated accident.

The CCS depends upon 480V vital electric supply for power.

5.3.11 Containment Isolation System

5.3.11.1 System Description

The Containment Isolation System (CIS) consists of piping, valves, and actuators required to provide a means of isolating fluid systems that pass through the containment. The CIS confines any radioactivity that may be released into the containment atmosphere following a postulated design basis accident, such as Loss of Coolant Accident (LOCA) or Main Steam Line Break (MSLB).

Some of the important design features of the CIS are highlighted below:

a) Two isolation valves are provided at each containment penetration; one inside the containment and one outside the containment.

b) Systems which are not required to operate, or which only operate intermittently during normal plant operation, are isolated at the containment penetration.

c) Lines penetrating containment that are not required for operation of the Engineered Safety Features (ESF) systems are isolated in the event of a LOCA.

d) The containment and steam generators are isolated in the event of a MSLB.

5.3.11.2 System Function

The function of the Containment Isolation System (CIS) is to isolate the containment following a LOCA or MSLB.

5.3.11.3 System Dependencies and Common Components

The containment isolation system is dependent upon the ESFAS Containment Isolation Actuation Signal (CIAS) to actuate the system.

The CIS also depends upon 480V vital electric supply for power.

5.3.12 Containment Spray System

5.3.12.1 System Description

The Containment Spray System (CSS) consists of two 100% capacity trains.

The containment spray system utilizes the refueling water tank, the containment sump, two containment spray pumps, two shutdown cooling heat exchangers, two independent spray headers, and associated valves, piping and instrumentation as shown in Figure 5.3.12-1. The spray system is actuated by the Containment Spray Actuation Signal (CSAS) on high containment pressure.

The CSAS starts the containment spray pumps and opens the spray control valves to the containment. The Essential Cooling Water System (ECWS) and the Essential Spray Pond System (ESPS) are required to provide coolant to the shutdown heat exchangers and are actuated by the Safety Injection Actuation Signal (SIAS) on high containment pressure. The SIAS starts the ECW pumps and the ESP pumps.

During the injection mode the actuated spray pumps take suction from the refueling water tank and discharge through the shutdown heat exchangers to the containment headers. These headers contain spray nozzles that break the flow into small droplets which are then dispersed into the containment atmosphere to absorb heat. When the water droplets reach the containment floor, they drain to the containment sump where they remain until the recirculation mode begins.

When the refueling water tank inventory decreases to 10% of its minimum allowed volume, a recirculation actuation signal (RAS) is generated.

Generation of RAS opens the containment sump isolation valves to allow automatic transfer of the containment spray pumps suction from the refueling water tank to the containment sump. Transfer of pump suction ensures that containment cooling is maintained.

5.3.12.2 System Function

The objectives of the containment spray system are to reduce the containment temperature and pressure following a loss of coolant accident or main steam line break by removing thermal energy from the containment. This cooling system also serves to limit offsite radiation levels by reducing the pressure differential between the containment atmosphere and the external environment.

5.3.12.3 System Dependencies and Common Components

The Containment Spray System (CSS) is dependent on either the RAS or CSAS for actuation of the system. It is also dependent on the HVAC system for cooling.

The CSS receives power from 125V DC and 480V vital and 4160V vital sources.

In the case of loss of power, the CSS receives power from the diesel generators.


The CSS shares common components with the HPSI system, LPSI system, shutdown cooling system, iodine removal system and the chemical and volume control system. Specifically, the CSS shares a common suction header off the refueling water tank in the CVCS, and the shutdown cooling system uses both CSS and LPSI pumps. The CSS pumps provide suction for the iodine removal system. (CVCS shares the refueling water tank, discharge valves and associated piping with HPSI, LPSI and CSS, train B only.)

5.3.13 Essential Spray Pond System

5.3.13.1 System Description

The Essential Spray Pond System (ESPS), as depicted in Figure 5.3.13-1, consists of two redundant safety-related ESPS trains. Each ESPS train in conjunction with the associated ECWS train is capable of supporting 100 percent of the cooling functions required for a safe shutdown or required following an accident. Each train includes a 100 percent capacity ESPS pump and a 100 percent heat dissipation capacity spray pond (ultimate heat sink).

The water is pumped through the components being cooled, to the spray nozzles and back to the pump.

Both trains of the ESPS are actuated by any single or any combination of the following signals or operations:

- Safety Injection Actuation Signal (SIAS)

- Control Room Ventilation and Isolation Actuation Signal (CRVIAS)

- Control Room Essential Filtration Actuation Signal (CREFAS)

- Diesel Generator Start Signal (DGSS)

- Loss of Offsite Power Signal (LOOP)

- Manual start by control room

5.3.13.2 System Function

All heat absorbed by the system through the nuclear components of the plant is dissipated to the atmosphere via the essential spray ponds.

The ESPS provides cooling water needed for those components that must operate following a Loss-of-Coolant Accident (LOCA) and that are essential to a safe reactor shutdown:

- Standby diesel generator cooling systems

- Essential Cooling Water System (ECWS) Heat Exchangers.

5.3.13.3 System Dependencies and Common Components

The essential spray pond system is actuated by the SIAS ESFAS actuation signal. The ESPS supports the essential cooling water system, and is dependent upon the ultimate heat sink.

The essential spray pond system also supports the diesel generators.

5.3.14 Iodine Removal System

5.3.14.1 System Description

The iodine removal system (IRS) consists of two redundant trains, each containing a spray chemical addition pump, isolation valves, and addition lines.

A hydrazine and water solution is used to enhance the removal of iodine from the containment atmosphere by the containment spray system. The aqueous hydrazine solution is stored in a tank and metered in proper amounts to the suction of the containment spray pumps using the spray chemical addition pumps and isolation valves. The spray fluid is then introduced to the containment atmosphere by the containment spray system. Upon receipt of a Containment Spray Actuation Signal (CSAS), the isolation valves open and the spray chemical addition pumps start in each of the two redundant spray chemical addition trains. After the required hydrazine has been injected, the isolation valves are shut and the spray chemical addition pumps are stopped by a low-low level signal from the spray chemical storage tank (SCST).

The spray chemical addition pumps and the SCST are located outside containment to permit personnel access for inspection, testing, and maintenance during normal plant operation. Access is also provided post-LOCA for refilling the SCST in the event additional hydrazine is required for long-term iodine control. The pumps and addition lines are physically separate such that a single failure in one train will not cause the loss of the redundant train.

Redundant isolation valves (IR-680, -681, -682, -683) are provided in both IRS trains to assure system isolation on low-low SCST level. Additionally, during normal reactor plant operation, they minimize spillage in the event of component or piping failure, provide for component isolation for maintenance, and limit the extent of the reactor coolant pressure boundary during SDC operations.

A test line which recirculates back to the SCST is provided to facilitate periodic inservice testing of flow path integrity and the spray chemical addition pumps (SCAP). The fill connection may be used to fill the SCST even during IRS operation. Drain lines are provided to facilitate testing and component maintenance.

5.3.14.2 System Function

The function of the iodine removal system is to remove iodine from the containment atmosphere following a loss of coolant accident, so that in the event of containment leakage, activity at the site boundary due to radioactive iodine will be reduced.

A hydrazine and water solution is used to enhance the removal of iodine from the containment atmosphere.

Hydrazine addition is at a constant flow rate which will produce a 50 ± 5 ppm hydrazine concentration at the containment spray pump (CSP) suction at CSP runout flow. This hydrazine concentration is sufficiently high to rapidly reduce iodine concentrations in the containment atmosphere, yet it is sufficiently low to avoid toxic levels of hydrazine in the containment atmosphere. Hydrazine concentration in the spray fluid will increase as CSP flow decreases to its design flow. This is considered beneficial to the removal of iodine.

Hydrazine addition continues through recirculation and is terminated approximately four hours post-accident.

Upon reaching the low-low level in the SCST, the system will be automatically isolated from the CSP suction. The isolation system is fully automated and is capable of manual control.

5.3.14.3 System Dependencies and Common Components

The iodine removal system is dependent upon the ESFAS for a CSAS actuation signal for initiation. The IRS is also dependent upon 125V DC power and 4160V vital power.

The IRS injects the required amount of hydrazine into the containment spray pump suction. The containment spray pumps take suction from either the refueling water tank or the containment sump, and deliver the solution to the containment spray headers.

5.3.15 Ultimate Heat Sink

5.3.15.1 System Description

For this analysis the ultimate heat sink consists of two adjacent Essential Spray Ponds (ESP). The two ESP are interconnected with redundant valves installed in their common wall in order to permit equalization of the water levels between ESP of the same unit. The essential spray pond system discharges to the ESPs through the spray nozzles and takes suction from the ESPs. During operation of the essential spray pond system, the thermal load is dissipated to the air by the sprays and the surface heat exchange of the unsprayed area of the ponds. When the sprays are not operating, part of the thermal load is dissipated to the atmosphere by the surface heat exchange of the total pond area, and the remainder goes into raising the spray pond temperature. During normal operation, the essential spray pond system is not operating.

5.3.16 Engineered Safety Features Actuation System (ESFAS)

5.3.16.1 System Description

The Engineered Safety Features Actuation System (ESFAS) consists of the electrical and electro-mechanical devices and circuitry, from sensors to actuation device input terminals, involved in generating those signals that actuate the required Engineered Safety Feature (ESF) systems.

ESF system equipment receives (1) actuation signals from the ESFAS or the operator, and (2) permissive signals from sensors which monitor conditions that affect ESF system performance. The signals from the ESFAS actuate the ESF system equipment. The permissive signals provide additional interlocks, blocks and sequencing necessary to provide proper ESF system operation.

The actuation circuits for the ESFAS are all similar except for specific inputs, operating bypasses, and actuation devices.

The actuation systems consist of the sensors, logic, and actuation circuits.

They monitor selected plant parameters and provide an actuation signal to each individual actuated component in the ESF systems when these parameters reach preselected setpoints. Each actuation system is identical except that specific inputs (and blocks where provided) vary from system to system and the actuated devices are different.

Two-out-of-four coincidence of like trip signals from four independent measurement channels is required to actuate any ESF system. Each actuation system logic, including testing features, is similar to the logic for the reactor protective system, and is contained in the same physical enclosure.

The combination of the ESFAS and Reactor Protective System (RPS) is designated Plant Protection System (PPS).

The ESFAS can operate, if need be, with up to two channels out of service (one bypassed and another tripped) and still meet single failure criteria. The only operating restriction while in this condition (effectively one-out-of-two logic) is that no provision is made to bypass another channel for periodic maintenance. The system logic must be restored to at least a two-out-of-three condition prior to removing another channel for maintenance.
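The channel arithmetic described above can be checked with a short model. This is an added example, not part of the original report; it assumes a bypassed channel is removed from the vote, a tripped channel counts as a standing trip vote, and the per-channel probabilities q and s are constructed values chosen only for illustration.

```python
"""Added illustration: 2-out-of-4 coincidence logic with channels out of service."""
from enum import Enum
from math import comb


class Channel(Enum):
    NORMAL = "normal"      # in service; votes when its bistable trips
    BYPASSED = "bypassed"  # assumption: removed from the vote entirely
    TRIPPED = "tripped"    # assumption: held tripped, i.e. a standing vote


REQUIRED_VOTES = 2  # two-out-of-four coincidence of like trip signals


def effective_logic(channels):
    """Return (k, n): k further trips are needed from the n channels still voting."""
    n = sum(1 for c in channels if c is Channel.NORMAL)
    standing = sum(1 for c in channels if c is Channel.TRIPPED)
    return max(REQUIRED_VOTES - standing, 0), n


def meets_single_failure(channels):
    """True if actuation is still possible with one voting channel failed."""
    k, n = effective_logic(channels)
    return n - 1 >= k


def p_fail_on_demand(channels, q):
    """P(fewer than k of the n voting channels trip on a real demand).

    q is the per-channel probability of failing to trip (constructed value).
    """
    k, n = effective_logic(channels)
    return sum(comb(n, j) * (1 - q) ** j * q ** (n - j) for j in range(k))


def p_spurious(channels, s):
    """P(at least k of the n voting channels trip spuriously).

    s is the per-channel spurious trip probability (constructed value).
    """
    k, n = effective_logic(channels)
    return sum(comb(n, j) * s ** j * (1 - s) ** (n - j) for j in range(k, n + 1))


N, B, T = Channel.NORMAL, Channel.BYPASSED, Channel.TRIPPED

CONFIGURATIONS = {
    "all four in service": [N, N, N, N],
    "one bypassed": [B, N, N, N],
    "one bypassed, one tripped": [B, T, N, N],
    "second bypass attempted": [B, T, B, N],
}


def survey(q=1e-2, s=1e-3):
    """Tabulate effective logic and probabilities for each configuration."""
    rows = []
    for name, channels in CONFIGURATIONS.items():
        k, n = effective_logic(channels)
        rows.append({
            "configuration": name,
            "logic": f"{k}-out-of-{n}",
            "single_failure_ok": meets_single_failure(channels),
            "p_fail_on_demand": p_fail_on_demand(channels, q),
            "p_spurious": p_spurious(channels, s),
        })
    return rows


if __name__ == "__main__":
    for row in survey():
        print(row)
```

With one channel bypassed and one tripped the model reduces to one-out-of-two, which still tolerates a single failure but is far more exposed to spurious actuation; a further bypass leaves one-out-of-one, which does not meet the single failure criterion.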

5.3.16.2 System Function

The function of the Engineered Safety Features Actuation System (ESFAS) is to generate the following actuation signals when the monitored variable reaches the levels that are indicative of conditions which require protective action:

a) Safety Injection Actuation Signal (SIAS)
b) Containment Isolation Actuation Signal (CIAS)
c) Containment Spray Actuation Signal (CSAS)
d) Main Steam Isolation Signal (MSIS)
e) Emergency Feedwater Actuation Signal (EFAS)
f) Recirculation Actuation Signal (RAS)

5.3.16.3 System Dependencies and Common Components

The ESFAS is dependent on the 120V AC vital power supply for its electric power requirement, but actuates on loss of power (fails safe).

The ESFAS shares the same physical enclosure with the RPS.

5.3.17 Reactor Protective System (RPS)

5.3.17.1 System Description

The Reactor Protective System (RPS) consists of sensors, calculators, logic, and other equipment necessary to monitor selected Nuclear Steam Supply System (NSSS) and containment conditions and to effect reliable and rapid CEA insertion (reactor trip) if any or a combination of the monitored conditions approach specified safety system settings.

Four measurement channels with electrical and physical separation are provided for each parameter used in the direct generation of trip signals, with the exception of Control Element Assembly (CEA) position. A two-out-of-four coincidence of like trip signals is required to generate a reactor trip signal. The fourth channel is provided as an installed spare and allows bypassing of one channel while maintaining a two-out-of-three system. Manual reactor trip is also provided.

The reactor trip signal deenergizes the Control Element Drive Mechanism (CEDM) coils, allowing all CEAs to drop into the core. Once initiated, the protective action goes to completion.

5.3.17.2 System Function

The functions of the Reactor Protective System (RPS) are to protect the core and Reactor Coolant System (RCS) pressure boundary for defined anticipated operational occurrences (AOOs) and also to provide assistance in limiting the consequences for certain postulated accidents.

5.3.17.3 System Dependencies and Common Components

The RPS depends on the 120V AC vital power supply for its electrical power requirement, but actuates on loss of power (fails safe).

The RPS shares the same physical enclosure with the Engineered Safety Features Actuation System (ESFAS).

5.3.18 Chemical Volume and Control System

5.3.18.1 System Description

A schematic of the relevant portion of the Chemical and Volume Control System (CVCS) is presented in Figure 5.3.18-1.

Reactor coolant is processed and degassed in various CVCS components. The degassed liquid is eventually pumped into the Boric Acid Concentrator (BAC) where the bottoms are concentrated to within the range of 4000 to 4400 ppm boron.

The boric acid concentrator bottoms are continuously monitored for proper boron concentration. Normally, the concentrator bottoms are pumped directly to the Refueling Water Tank (RWT). In the event that abnormal quantities of radionuclides are present, the bottoms are concentrated to 12 wt. percent boric acid and are discharged to the Solid Waste Management System (SWMS).

[Figure 5.3.18-1: Chemical Volume and Control System]

The concentrator distillate passes through a boric acid condensate ion exchanger, where boric acid carryover is removed. The distillate is collected in the Reactor Makeup Water Tank (RMWT) for reuse in the plant. If recycle is not desired, the condensate is diverted to the Liquid Waste Management System (LWMS).

The charging pumps normally take suction from the Volume Control Tank (VCT) and pump into the Reactor Coolant System (RCS). Two charging pumps are normally in operation and one letdown control valve is modulated to maintain the pressurizer level. Seal injection water is supplied to the Reactor Coolant Pumps (RCPs) by diverting a portion of the charging flow at a point in the system downstream of the charging pumps.

A makeup subsystem of the CVCS provides for changes in reactor coolant boron concentration. For this purpose, boric acid and reactor makeup water are mixed in a predetermined ratio. The boric acid solution is then stored in the RWT. Boric acid solution stored in the RWT is supplied via the Boric Acid Makeup Pumps (BAMPs), while the reactor makeup water stored in the RMWT is supplied via the Reactor Makeup Water Pumps (RMWPs). The boric acid solution is pumped either to the VCT or directly into the charging pump suction header via the VCT bypass valve. The charging pumps discharge into the RCS, or in the event the auxiliary spray is required, the flow is diverted to the auxiliary spray header.

5.3.18.2 System Function

The Chemical and Volume Control System (CVCS) performs many diverse functions. Functions that are relevant to this study are listed below:

a. Maintain the chemistry and purity of the reactor coolant during normal operation and during shutdowns;
b. Control the boron concentration in the RCS to obtain optimum Control Element Assembly (CEA) positioning, to compensate for reactivity changes associated with major changes in reactor coolant temperature, core burnup, and xenon variations, and to provide shutdown margin for maintenance and refueling operations;
c. Provide auxiliary pressurizer spray for operator control of pressure during the final stages of shutdown and to allow pressurizer cooling;
d. Provide a source of borated water for safety injection.
e. Provide makeup for losses from small leaks in RCS piping.

5.3.18.3 System Dependencies and Common Components

The chemical and volume control system is dependent on the nuclear cooling water system for cooling of system components. The CVCS is also dependent on the 480V vital power source.

The reactor makeup tank in the CVCS provides an alternate supply of water to the emergency feedwater system in the event that the condensate storage tank is unavailable. The CVCS shares the refueling water tank, discharge valves and associated piping with the HPSI, LPSI and CSS systems.

5.3.19 Essential Cooling Water System

5.3.19.1 System Description

The Essential Cooling Water System (ECWS), as depicted in Figure 5.3.19-1, consists of two independent, closed loop, safety-related trains. Either train of the ECWS is capable of supporting 100% of the cooling functions required for a safe reactor shutdown or required following an accident. Each train of the ECWS includes a 100 percent capacity heat exchanger (shell side), a 100 percent capacity pump, a surge tank and a chemical addition tank. The cooling water is pumped by the ECWS pumps through the shell side of the ECWS heat exchangers, to the components being cooled and back to the pumps. The tube side of the heat exchangers is furnished with cooling water from the essential spray pond system (ESPS) at a higher operating pressure than the shell side in order to prevent leakage into the ESPS from the ECWS.


Both trains of the ECWS are actuated by any one or any combination of the following signals or operations:

- Safety Injection Actuation Signal (SIAS)
- Control Room Ventilation and Isolation Actuation Signal (CRVIAS)
- Loss of Offsite Power Signal (LOOP)
- Manual start by control room

5.3.19.2 System Function

Each train of the ECWS provides cooling for the following safety related components:

- Shutdown Cooling Heat Exchangers
- Essential Chillers

However, the ECWS can provide cooling water to the safety related Fuel Pool Heat Exchangers and to the following non-safety related components:

- Reactor Coolant Pumps
- CEDM Coolers
- Normal Chillers
- Nuclear Sample Coolers

in the event the Nuclear Cooling Water System (NCWS), which normally cools these components, becomes inoperable. In this case the operator can align ECWS train A from the control room or locally align ECWS train B if ECWS train A fails.

During normal plant operation the ECWS is not operating.

5.3.19.3 System Dependencies and Common Components

The essential cooling water system is dependent upon the SIAS ESFAS signal for actuation. The ECWS is also dependent upon the essential spray pond system for water supply.

The ECWS supports the shutdown cooling system and the HVAC system.

5.3.20 Heating, Ventilation and Air-Conditioning (HVAC)

5.3.20.1 System Description

The Heating, Ventilation, and Air-Conditioning (HVAC) systems are provided throughout the plant as required. The HVAC systems provided for each building or room are designed for the specific functional requirements of that individual building or room. Two rooms, which are relevant to this study and for which HVAC systems are essential, are the Engineered Safety Feature (ESF) pump room and the battery room. For the ESF pump room and battery room, which are required for functional use during all plant modes, two separate HVAC systems are provided: (i) individual system for normal operation and (ii) individual system for essential (emergency) operation. For the essential system, redundant trains are provided. The HVAC system of interest for each of these two rooms is that for the essential operation only.

A schematic of the essential HVAC system for the ESF pump room is shown in Figure 5.3.20-1. The ESF pump room essential air coolers consist of a recirculating air handling unit, including a cooling coil, in each pump room. There are no outside air connections.

Electric service and chilled water service for the unit is provided by the same trains which provide these services to the pump in the room. Water is distributed to the ESF equipment room cooling coils from the essential chilled water system.

The essential air coolers are automatically started on a Safety Injection Actuation Signal (SIAS) to maintain the room temperature within the specified limit.

A schematic of the essential HVAC system for the battery room is shown in Figure 5.3.20-2.

Two redundant, physically separated air conditioning systems are provided, one for each ESF equipment train.

Each train includes two air handling units composed of a high efficiency filter, a chilled water cooling coil, fans, supply and return air ductwork, and one air handling unit composed of a chilled water cooling coil, fans, and supply air ductwork.

Separate 100% capacity exhaust fans are provided for each battery room. The fans exhaust to the atmosphere in order to prevent any hydrogen buildup in the battery room.

There are four battery rooms, and one essential exhaust fan for each room.

There is a backdraft damper in each exhaust duct.

The battery room air is supplied through a transfer grille with a fire damper. The exhaust fans exhaust the air directly to the atmosphere.

Upon receipt of an ESF system actuation signal, such as a Safety Injection Actuation Signal (SIAS), the essential battery room HVAC system is automatically put into operation. Moreover, transfer to the essential system may also be initiated manually from the control room.

The recirculation fans draw air through prefilters, high efficiency filters, and the chilled water coils and discharge the air into the battery rooms. The essential exhaust fans exhaust the battery room air to the atmosphere.

Outside air is brought in to make up for the battery room air exhausted to the atmosphere.

[Figure 5.3.20-2: Typical Train of Essential HVAC System for Battery Room]

5.3.20.2 System Function

The function of the Heating, Ventilation, and Air-Conditioning (HVAC) system is to provide personnel comfort, personnel safety protection, and equipment functional protection as required throughout the plant. Specifically, the ESF pump room system functions to maintain the room temperatures to ensure the operability of the ESF pumps and motor during accident conditions, while the battery room essential HVAC system functions to maintain the inside temperature requirements for operability of the battery and to provide for the required ventilation and exhaust for the ESF battery room during accident conditions.

5.3.20.3 System Dependencies and Common Components

The HVAC system is dependent on both the essential cooling water system and the nuclear cooling water system for cooling.

The HVAC system supports the HPSI system, LPSI system, main steam line isolation system, containment spray system, ESFAS controls, and the diesel generators.

5.3.21 Instrument Air System

5.3.21.1 System Description

A schematic of the instrument air system is shown in Figure 5.3.21-1. The instrument air system has three parallel trains, each consisting of an intake air filter, a compressor, an after-cooler with moisture separator, an air receiver and interconnecting piping and valving. The three air receivers are connected in parallel by a common header. The instrument air then passes through two parallel drying/filter lines. Each line has a prefilter, an instrument air dryer and an afterfilter. Downstream of the afterfilter, the two lines join into a header from which all instrument air requirements are supplied.

The compressors are reciprocating type with water cooled cylinders. Each compressor is capable of delivering 50% of the total instrument and service air requirements. The two drying/filter trains are each of 100% capacity.

Each dryer has dual towers loaded with activated alumina, a desiccant. An automatic control system reverses the chambers operation every five minutes to provide continuous drying of the air.

5.3.21.2 System Function

The instrument air system is required for normal operation and startup of the plant. One air compressing train is in service during normal operation with the other two in standby. A pressure switch installed in the instrument air supply main header provides an actuation signal for the standby air compressors and the backup nitrogen system. The instrument air system is not essential for safe shutdown of the plant.

5.3.21.3 System Dependencies and Common Components

The instrument air system supplies air to the SG blowdown system, the turbine bypass system, and the ADVs.

Components in the instrument air system draw power from the non vital power distribution system.

5.3.22 Nuclear Cooling Water System

5.3.22.1 System Description

The Nuclear Cooling Water System (NCWS) is depicted in Figure 5.3.22-1.

The NCWS consists of one closed loop. This loop includes two redundant 100% capacity pumps and two redundant 100% capacity heat exchangers. The tube sides of the heat exchangers are furnished with cooling water from the plant cooling towers via the Plant Cooling Water System (PCWS). The shell side of the heat exchangers is part of the closed NCWS cooling loop that includes the pumps, surge tank, and equipment coolers for non-safety-related reactor auxiliaries. Makeup water for the closed loop is supplied to the surge tank from the demineralized water system.

[Figure 5.3.22-1: Nuclear Cooling Water System (NCWS)]

5.3.22.2 System Function

The NCWS, in conjunction with the plant cooling water system (PCWS), is designed to provide an adequate supply of cooling water to the non-safety-related components, such as the letdown heat exchanger and reactor coolant pump seal cooler.

5.3.22.3 System Dependencies and Common Components

The nuclear cooling water system supports the chemical and volume control system and the HVAC system.

The components in the NCWS draw power from the non-vital power distribution system.

5.3.23 Electrical Systems (Vital)

5.3.23.1 System Description

Schematics of the Electrical Distribution System (EDS) are provided in Figures 5.3.23-1 and 5.3.23-2. The EDS is divided into two categories, the non-class 1E power system and the class 1E power system. Both the non-class 1E and class 1E power systems are further divided into AC and DC systems.

A one-line schematic of the AC system is shown in Figure 5.3.23-1. The non-class 1E AC system distributes power at the 13.8kV, 4.16kV, 480V, and 208/120V levels for all non-safety related loads. The non-class 1E AC buses normally are supplied through the unit auxiliary transformers from the main generator. However, during plant startup or shutdown, power is supplied from the switchyard through the secondary windings of the start up transformers.

In the event of failure of the unit auxiliary transformer, a generator trip, or backup protective trip, fast transfer to offsite power (switchyard) maintains continuity of power to the 13.8kV and 4.16kV non-class 1E buses.

The class 1E AC system distributes power at the 4.16kV, 480V, and 120V levels to safety-related loads. The class 1E AC buses normally are powered from non-class 1E AC buses 13.8kV E-NAN-503 and E-NAN-504. In the event of loss of the preferred power source, the class 1E AC system is powered from the standby diesel generators.

A one-line schematic of the DC system is shown in Figure 5.3.23-2. The DC subsystems A and B provide control power for AC load groups 1 and 2, respectively. These subsystems also provide vital instrumentation and control power for channels A and B, respectively, of the reactor protection and ESF systems and diesel generators A and B, respectively. The DC subsystems C and D provide vital instrumentation and control power for channels C and D, respectively, for the reactor protection and ESF systems and other safety-related loads. Each class 1E DC power subsystem consists of one 125V battery, one battery charger, one distribution panel, and is supplied with 480V AC power from a different MCC. Each load group additionally contains a backup battery charger normally connected to DC subsystems A and B, and manually transferable to DC subsystems C and D. The transfer mechanism is mechanically interlocked to prevent both subsystems of a load group from being simultaneously connected to the backup battery charger.

[Figure 5.3.23-1: One-Line Schematic of AC Power System]

[Figure 5.3.23-2: One-Line Schematic of DC Power System]

Four inverters, supplied from DC subsystems, provide four independent 120V AC vital instrumentation and control power supplies for the channels of reactor protection and ESF systems.

5.3.23.2 System Function

The function of the Electrical Distribution System (EDS) is to provide power to the systems and components vital to mitigation of Design Basis Events (DBEs) or equipment used to safely shut down the reactor following a DBE.

5.3.23.3 System Dependencies and Common Components

The EDS is dependent on power supply from an offsite source or the standby diesel generators.

5.3.24 Diesel Generator

5.3.24.1 System Description

The standby diesel power supply consists of two diesel generators complete with their accessories and fuel storage and transfer systems. Each diesel generator with its accessories provides standby power exclusively to a single 4.16kV safety features bus of a safety-related load group.

The diesel generators are physically and electrically isolated from each other. In other words, there are no provisions for automatically paralleling the two diesel generators and interlocks are provided to prevent manual paralleling of the diesel generators.

The diesel generators are controlled from the electric mimic bus panel in the main control room or from a local panel within each diesel generator control room. Controls and instrumentation are provided in both locations for starting, stopping, and for governor and excitation system adjustments. A key-locked "OFF-LOCAL-REMOTE" switch is provided at each local panel with the key removable in the OFF and REMOTE positions only. Manual control from the local panel is possible only in the LOCAL position. Additionally, a push button has been installed at the train B local diesel engine control panel to provide manual emergency start capabilities. Manual control from the main control room is possible in the REMOTE position only. Automatic starting of the diesel generator is possible in the LOCAL and REMOTE positions of the key-locked switch. In the OFF position no automatic or manual start is possible and a DIESEL GENERATOR INOPERABLE alarm is initiated at the safety equipment status system annunciator.

Each diesel generator is automatically started on any of the following conditions:

a) Undervoltage on the 4.16kV safety-features bus to which the generator is connected or loss of offsite power, or
b) Safety Injection Actuation Signal (SIAS)
c) Emergency Feedwater Actuation Signal (EFAS)

5.3.24.2 System Function

The diesel generators function to provide AC power for safe plant shutdown following a design basis event when a loss of preferred power occurs and for post-accident operation of Engineered Safety Feature (ESF) loads.

5.3.24.3 System Dependencies and Common Components

The diesel generators are dependent upon the essential spray pond system and the HVAC system for cooling.

Startup for the diesel generators depends upon 125 VDC power, and this power also keeps the breaker closed during operation.

The diesel generators supply the vital 4.16kV power upon loss of offsite power.

5.3.25 Alternate Secondary Heat Removal Capability

5.3.25.1 System Description

Alternate Secondary Heat Removal (ASHR) refers to the capability to provide low pressure feedwater in the event of a total loss of all normal and emergency feedwater. This involves the use of the Condensate System to provide feed flow following a loss of main and auxiliary feedwater.

A simplified flow diagram of the Alternate Secondary Heat Removal Capability - Condensate System pump alignment is shown in Figure 5.3.25-1. The system consists of a condenser, three 50% capacity pumps, low pressure feedwater heaters and the required piping and valves. The condensate pumps take suction from the condenser hotwell and through the use of the feed bypass line supply water directly to each steam generator following depressurization of the secondary system to below the pump shutoff head. The condensate flow bypasses the main feedwater pumps and the high pressure feedwater heaters, and goes directly to the downcomer main feedwater lines.

5.3.25.2 System Function

The primary function of the Alternate Secondary Heat Removal - Condensate System is to provide low pressure feedwater in the event of a loss of main and auxiliary feedwater.

5.3.25.3 System Dependencies

The Alternate Secondary Heat Removal - Condensate System depends on the Non-Vital AC power distribution system and the Instrument Air System.

In order for the ASHR capability to be effective, the secondary pressure must be reduced to allow the low head condensate pumps to feed the steam generators.

[Figure 5.3.25-1: Alternate Secondary Capability - Condensate Pump Alignment]

6.0 DATA ANALYSIS

6.1 INITIATING EVENT FREQUENCIES

This section describes the quantification of the frequencies for the initiating events presented in Table 3.2-7. Table 6.1-1 presents the generic PWR transient frequencies from EPRI NP-2230 (29). These values are used extensively for quantifying the initiating event frequencies used in this analysis. The results of these quantifications are summarized in Table 6.1-2.

6.1.1 Vessel Rupture Frequency

Catastrophic reactor vessel ruptures beyond the capability of ECCS capacity were analyzed in WASH-1400 (18). The WASH-1400 estimate of the vessel rupture probability was 1 x 10^-7/year with an error factor of 10. This value was used in this analysis.

6.1.2 Large LOCA Frequency

The Large LOCA frequency presented in the NREP Data Base (30) is 1 x 10^-4/plant year with an error factor of 10. This is for pipe breaks greater than 6 inches in diameter, which corresponds to a break area greater than 0.2 ft^2. The PSA Procedures Guide, EPRI NP-2230 (29) and Appendix A of the EPRI Requirements Document do not provide estimates for Large LOCA frequencies. The NREP Data Base Large LOCA frequency is used in this analysis.

6.1.3 Medium LOCA Frequency

The medium LOCA frequency presented in the NREP Data Base (30) is 1 x 10^-3/plant year with an error factor of 10. This is for breaks between 2 inches and 6 inches in diameter. The PSA Procedures Guide (6), EPRI NP-2230 (29) and Appendix A of the EPRI Requirements Document (3) do not provide estimates for Medium LOCA frequencies. The Calvert Cliffs IREP study (11) used a medium LOCA frequency of 2.4 E-4; in the Zion PRA (19), a median frequency of 3.44 E-4 with an error factor of 10.3 was used; and in the Seabrook PRA (59), a median value of 2.00 E-4 with an error factor of 8.2 was used. Statistically averaging the NREP, Calvert Cliffs, Zion and Seabrook Medium LOCA frequencies yields a base median value of 4.87 E-4 with an error factor of 1.97.

The Medium LOCA class also includes the spurious opening of multiple primary safety valves. System 80™ has four primary safety valves. Therefore, spurious opening of two or more valves constitutes a Medium LOCA. The NREP Data Base (30) specifies a premature open rate of 1 x 10^-2/yr per valve with an error factor of 3 for PWR pressure relief valves. This value appears to be somewhat high. A review of Nuclear Power Experience (43) and the Graybook shows that in 408 reactor years of experience, there have been no spurious openings of primary safety valves. This corresponds to a spurious opening rate of 2.4 x 10^-3/plant year for any primary safety valve or 6 x 10^-4/yr per valve. NUREG/CR-2770 (34) does not provide a beta factor for spurious opening of safety valves, so a beta factor of 0.1 was assumed for two valves and 0.05 for three or more valves, both with an error factor of 3.

CESAM (42) was used to quantify the total Medium LOCA frequency based on the following equation:

$P_T = P_B + 6 P_V^2 + \beta_2 P_V + \beta_3 P_V$    (eqn 6.1.3-1)

where
$P_B$ is the base Medium LOCA frequency,
$P_V$ is the valve failure probability,
$\beta_2$ is the Beta factor for 2 valves,
$\beta_3$ is the Beta factor for 3 or more valves.
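The uncertainty propagation through eqn 6.1.3-1 can be reproduced approximately by sampling. This is an added example, not the CESAM code and not part of the original report; it assumes every input is an independent lognormal, that an error factor is the ratio of the 95th percentile to the median, that the quoted beta factors and valve rate are medians, and that the per-valve rate carries an error factor of 3 (the report does not state one for the 6 x 10^-4 value).

```python
"""Added illustration: Monte Carlo propagation of eqn 6.1.3-1 (not CESAM)."""
import math
import random
import statistics

Z95 = 1.645  # 95th percentile of the standard normal distribution


def sigma_from_ef(error_factor):
    """Lognormal sigma for an error factor defined as 95th percentile / median."""
    return math.log(error_factor) / Z95


# (median, error factor) pairs taken from Section 6.1.3 of the report
P_BASE = (4.87e-4, 1.97)  # statistically averaged base Medium LOCA frequency
P_VALVE = (6.0e-4, 3.0)   # per-valve spurious opening rate; EF of 3 is an assumption
BETA_2 = (0.1, 3.0)       # beta factor, two valves
BETA_3 = (0.05, 3.0)      # beta factor, three or more valves
N_PAIRS = 6               # coefficient in eqn 6.1.3-1 = C(4, 2) valve pairs


def sample(rng, median, error_factor):
    """Draw one value from the lognormal described by (median, error factor)."""
    return rng.lognormvariate(math.log(median), sigma_from_ef(error_factor))


def medium_loca_samples(n=200_000, seed=1988):
    """Sample P_T = P_B + 6*P_V**2 + beta_2*P_V + beta_3*P_V."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        p_b = sample(rng, *P_BASE)
        p_v = sample(rng, *P_VALVE)  # same valve rate used in all three terms
        b2 = sample(rng, *BETA_2)
        b3 = sample(rng, *BETA_3)
        out.append(p_b + N_PAIRS * p_v ** 2 + b2 * p_v + b3 * p_v)
    return out


def summarize(samples):
    """Median, mean, error factor (95th / median) and standard deviation."""
    ordered = sorted(samples)
    median = statistics.median(ordered)
    p95 = ordered[int(0.95 * len(ordered))]
    return {
        "median": median,
        "mean": statistics.fmean(ordered),
        "error_factor": p95 / median,
        "std_dev": statistics.pstdev(ordered),
    }


def analytic_mean():
    """Exact mean of P_T under the same assumptions (no sampling error)."""
    def mean(median, ef, power=1):
        # E[X**power] for a lognormal with the given median and error factor
        s = sigma_from_ef(ef)
        return median ** power * math.exp((power * s) ** 2 / 2.0)

    common_cause = (mean(*BETA_2) + mean(*BETA_3)) * mean(*P_VALVE)
    return mean(*P_BASE) + N_PAIRS * mean(*P_VALVE, power=2) + common_cause


if __name__ == "__main__":
    print("analytic mean:", analytic_mean())
    print(summarize(medium_loca_samples()))
```

Under these assumptions the sampled statistics land close to the values the report gives for this calculation, with the common-cause terms rather than the independent two-valve term dominating the valve contribution.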

The results of this calculation are:

Median = 6.28 E-4
Error Factor = 1.87
Mean = 6.74 E-4
Standard Deviation = 2.66 E-4

6.1.4 Small LOCA Frequency

The small LOCA frequency presented in the NREP Data Base (30) is 1 x 10^-2/year with an error factor of 10. This frequency is for breaks less than 2 inches in diameter. The PSA Procedures Guide (5), EPRI NP-2230 (29) and Appendix A of the EPRI Requirements Document do not provide frequency estimates for small LOCAs. The Calvert Cliffs IREP study (11) used a small LOCA frequency of 2.1 E-2. The Zion PRA (19) used a median small LOCA frequency of 3.07 E-2 with an error factor of 2.41. The Oconee PRA (20) used a median small LOCA frequency of 5.0 E-4 with an error factor of 37. The Westinghouse APWR PRA (23) used a median small LOCA frequency of 5.6 E-3 with a variance of 1.8 E-5. The Seabrook PRA (59) used a median frequency of 1.8 E-3 with an error factor of 12.5 for non-isolable small LOCAs, and a median frequency of 8.73 E-3 with an error factor of 13.4 for isolable small LOCAs. These small LOCA frequencies cover all small LOCA contributors. The base small LOCA frequency used in this analysis was derived by statistically averaging the above frequencies using CESAM (42). The results of this calculation are:

Median = 1.95 E-2 Mean = 2.86 E-2 Error Factor = 2.83 -

Standard Deviation = 2.67 E-2 6.1.5 Interfacing System LOCA Frequency As discussed in Section 4.9, System 80 has six (6) potential locations for an interfacing system LOCA; the four LPSI injection lines, and the two (2) shutdcwn cooling suction lines.

As shown on Figure 4.9-1, the LPSI lines each have two check valves inside containment, and a normally closed motor-operated valve just outside containment. The LPSI line piping is rated for full RCS operating pressure up to and including the motor-operated valves. Catastrophic internal failure of both check valves and the motor-operated valve in a LPSI line would expose the low-pressure piping upstream of the motor-operated valve, resulting in the rupture of this piping and an interfacing system LOCA. The back-seating of the valves in the LPSI lines is verified during each refueling and just prior to return-to-power following a cold shutdown. (For this analysis, only the refueling interval test is considered.) During normal operation, only the check valve closest to the RCS is exposed to RCS pressure and temperature. The other valves are exposed to significantly lower temperatures and pressures. The second check valve would be exposed to RCS pressure and temperature if the first check valve failed, and the motor-operated valve would be exposed to RCS pressure and temperature only after both check valves fail. (Common cause failure is not included because of the differences in the normal operating environment.)

If the first check valve failed, the pressure in the line between the two check valves would increase to the RCS operating pressure, and the pressure indicator in the line between the two check valves would sound an alarm in the control room. The normal operator response to this alarm and high pressure indication would be to attempt to bleed the pressure off the line using other available lines. If this could not be accomplished after several attempts, the plant would then be taken to cold shutdown for fault isolation and repair. It is estimated that no more than thirty (30) hours would elapse between the initial indication of the failure and the plant reaching cold shutdown conditions. Thus, if the operators take the appropriate actions, the maximum time that the second check valve would be exposed to RCS pressure is thirty hours. If the operators did not take the appropriate action, it is conservatively assumed that the second check valve would be exposed to RCS pressure until the next refueling outage. Thus, the probability of an interfacing system LOCA in a LPSI line can be expressed as:

$$P(\text{ISL-L}) = 4\,P(\text{check valve 1}) \cdot P(\text{check valve 2} \mid \text{check valve 1}) \cdot P(\text{motor-operated valve} \mid \text{check valve 2}) \qquad \text{(eqn 6.1.5-1)}$$

or

$$P(\text{ISL-L}) = 4\lambda_{CV}^2\lambda_{MOV}\,\frac{\int_{t_1=0}^{T} t_1\,dt_1 \int_{t_2=0}^{X} t_2\,dt_2 \int_{t_3=t_2}^{X} t_3\,dt_3}{\int_{t_1=0}^{T} dt_1 \int_{t_2=0}^{X} dt_2 \int_{t_3=t_2}^{X} dt_3} + 4\lambda_{CV}^2\lambda_{MOV}P_o\,\frac{\int_{t_1=0}^{T} t_1\,dt_1 \int_{t_2=t_1}^{T} t_2\,dt_2 \int_{t_3=t_2}^{T} t_3\,dt_3}{\int_{t_1=0}^{T} dt_1 \int_{t_2=t_1}^{T} dt_2 \int_{t_3=t_2}^{T} dt_3} \qquad \text{(eqn 6.1.5-2)}$$

which reduces to:

$$P(\text{ISL-L}) = \frac{\lambda_{CV}^2\lambda_{MOV}X^2T}{2} + \frac{\lambda_{CV}^2\lambda_{MOV}P_oT^3}{2} \qquad \text{(eqn 6.1.5-3)}$$

The following definitions apply to the above equations:

λ_CV = Failure rate for catastrophic internal failure of a check valve
λ_MOV = Failure rate for catastrophic internal failure of a motor-operated valve
P_o = Probability that operators fail to bring plant to cold shutdown given an indication that the first check valve failed
t_1 = Exposure time for the first check valve
t_2 = Exposure time for the second check valve
t_3 = Exposure time for the motor-operated valve
T = The test interval = 18 months
X = The time to reach cold shutdown following failure of the first check valve = 30 hours

The shutdown cooling suction lines, as shown on Figure 4.9-1, each have two (2) motor-operated valves in series inside containment, and a pair of motor-operated valves in parallel outside containment. There is a small thermal relief valve which discharges to the Reactor Drain Tank (RDT) between the two motor-operated valves inside containment in each line. There is also a 6 inch relief valve which discharges to the sump just upstream of the second motor-operated valve in each line. The shutdown cooling suction line piping up to and including the second motor-operated valve is rated for full RCS pressure. The piping upstream of the second motor-operated valve in each line has a design pressure of only 435 PSIA. Thus, catastrophic internal failure of the first two motor-operated valves would expose the low-pressure piping to RCS pressure. (Note: The large relief valve just upstream of the second motor-operated valve in each line cannot relieve pressure fast enough to prevent the low pressure piping from being exposed to full RCS pressure at least momentarily.) Given failure of the two motor-operated valves, the break is postulated to occur just outside the containment wall.

The shutdown cooling suction valves are tested during each refueling and after each cold shutdown. For this analysis, however, only the refueling interval test is considered. During normal operation, only the first motor-operated valve in each line is exposed to RCS pressure and temperature. The second valve is normally exposed to much lower temperatures and pressure and would be exposed to full RCS pressure and temperature only if the first valve failed.

If the first valve failed, the thermal relief valve between the first and second valves would lift and discharge to the RDT at greater than 10 gpm (not enough to relieve pressure). The resulting pressure and temperature increase in the RDT would be alarmed in the control room. In addition, charging would be increased to make up for the losses and to maintain pressurizer level. Thus, the operators would have sufficient information to determine that they have an RCS leak rate greater than 10 gpm and to identify the potential sources. For an RCS leak rate of 10 gpm, Technical Specifications require that they be in cold shutdown within 30 hours. Thus, if the operators take appropriate actions, given an RCS leak rate of greater than 10 gpm, the maximum time the second motor-operated valve would be exposed to full RCS pressure and temperature is 30 hours. If the operators do not take appropriate action, it is conservatively assumed that the second motor-operated valve would be exposed to RCS pressure and temperature until the next refueling outage.

Therefore, the probability of an interfacing system LOCA in the shutdown cooling lines can be expressed as:

$$P(\text{ISL-SDC}) = 2\,P(\text{MOV 1 fails}) \times P(\text{MOV 2 fails given MOV 1 failed}) \qquad \text{(eqn 6.5.1-4)}$$

or

$$P(\text{ISL-SDC}) = 2\lambda_{MOV}^2\,\frac{\int_{t_1=0}^{T} t_1\,dt_1 \int_{t_2=0}^{X} t_2\,dt_2}{\int_{t_1=0}^{T} dt_1 \int_{t_2=0}^{X} dt_2} + 2\lambda_{MOV}^2P_o\,\frac{\int_{t_1=0}^{T} t_1\,dt_1 \int_{t_2=0}^{T} t_2\,dt_2}{\int_{t_1=0}^{T} dt_1 \int_{t_2=0}^{T} dt_2} \qquad \text{(eqn 6.5.1-5)}$$

Equation 6.5.1-5 reduces to:

$$P(\text{ISL-SDC}) = \frac{\lambda_{MOV}^2\,TX}{2} + \frac{\lambda_{MOV}^2\,P_oT^2}{2} \qquad \text{(eqn 6.5.1-6)}$$

The following definitions apply to equations 6.5.1-5 and 6.5.1-6:

λ_MOV = Failure rate for catastrophic internal leakage of a motor-operated valve,
P_o = Probability that operators fail to bring plant to cold shutdown within 30 hours,
t_1 = Exposure time for first motor-operated valve,
t_2 = Exposure time for second motor-operated valve,
T = The test interval = 18 months, and
X = Time to reach cold shutdown following failure of the first valve = 30 hours

The total probability for an interfacing system LOCA can be obtained by combining equations 6.5.1-3 and 6.5.1-6 which yields:

$$P(\text{ISL}) = \frac{\lambda_{CV}^2\lambda_{MOV}X^2T}{2} + \frac{\lambda_{CV}^2\lambda_{MOV}P_oT^3}{2} + \frac{\lambda_{MOV}^2\,TX}{2} + \frac{\lambda_{MOV}^2\,P_oT^2}{2} \qquad \text{(equation 6.1.5-7)}$$

where the variables are as previously defined.

From Appendix A of the EPRI ALWR requirements document (3), the mean failure rate for catastrophic internal leakage for an MOV is 3.1 E-8 per hour with a variance of 1.5 E-14, and the mean failure rate for catastrophic internal leakage for check valves is 2.3 E-7 per hour with a variance of 3.0 E-13.

Using tables 20-22 and 20-16 in the Handbook of Human Reliability (27), the operator error rate is estimated to be 1.0 E-3 with an error factor of 5.0.

Equation 6.1.5-1 was evaluated using CESAM (42) and the values presented above. The results of this equation for P(ISL) are:

Median = 1.87 E-11
Mean = 4.48 E-9
Error Factor = 274
Standard Deviation = 6.51 E-8
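The following is an added example, not part of the report and not CESAM: it propagates the failure rates quoted above through the closed form that the integrals of Section 6.1.5 reduce to (equation 6.1.5-7), using a standard-library Monte Carlo. Assumptions: 730 hours per month, independent lognormal inputs fitted to the quoted mean/variance or median/error factor, and hypothetical function names.

```python
"""Uncertainty propagation for the interfacing system LOCA estimate (eqn 6.1.5-7)."""
import math
import random

HOURS_PER_MONTH = 730.0        # assumption: the report does not state its conversion
T = 18 * HOURS_PER_MONTH       # test interval (18 months), in hours
X = 30.0                       # time to reach cold shutdown, in hours


def from_mean_var(mean, var):
    """Return (mu, sigma) of ln(x) for a lognormal with this mean and variance."""
    sigma2 = math.log(1.0 + var / mean ** 2)
    return math.log(mean) - sigma2 / 2.0, math.sqrt(sigma2)


def from_median_ef(median, error_factor):
    """Return (mu, sigma) of ln(x); error factor = 95th percentile / median."""
    return math.log(median), math.log(error_factor) / 1.645


# Values quoted in Section 6.1.5; the lognormal shape is an assumption.
CV = from_mean_var(2.3e-7, 3.0e-13)    # check valve internal failure, per hour
MOV = from_mean_var(3.1e-8, 1.5e-14)   # motor-operated valve internal failure, per hour
PO = from_median_ef(1.0e-3, 5.0)       # operators fail to reach cold shutdown


def p_isl(lam_cv, lam_mov, p_o, t=T, x=X):
    """Equation 6.1.5-7: LPSI line terms plus shutdown cooling line terms."""
    lpsi = lam_cv ** 2 * lam_mov * (x ** 2 * t + p_o * t ** 3) / 2.0
    sdc = lam_mov ** 2 * (t * x + p_o * t ** 2) / 2.0
    return lpsi + sdc


def moment(params, k):
    """E[x**k] of a lognormal given (mu, sigma)."""
    mu, sigma = params
    return math.exp(k * mu + (k * sigma) ** 2 / 2.0)


def analytic_mean(t=T, x=X):
    """Exact mean of equation 6.1.5-7 for independent lognormal inputs."""
    e_po = moment(PO, 1)
    lpsi = moment(CV, 2) * moment(MOV, 1) * (x ** 2 * t + e_po * t ** 3) / 2.0
    sdc = moment(MOV, 2) * (t * x + e_po * t ** 2) / 2.0
    return lpsi + sdc


def monte_carlo(n=100_000, seed=1988):
    """Sample the inputs and return the median, 95th percentile and error factor."""
    rng = random.Random(seed)
    draws = sorted(
        p_isl(rng.lognormvariate(*CV),
              rng.lognormvariate(*MOV),
              min(1.0, rng.lognormvariate(*PO)))   # a probability cannot exceed 1
        for _ in range(n)
    )
    median = draws[n // 2]
    p95 = draws[int(0.95 * n)]
    return {"median": median, "p95": p95, "error_factor": p95 / median}


if __name__ == "__main__":
    print("point estimate at quoted values:", p_isl(2.3e-7, 3.1e-8, 1.0e-3))
    print("analytic mean:", analytic_mean())
    print("Monte Carlo:", monte_carlo())
```

Under these assumptions the sampled median and error factor fall in the same range as the 1.87 E-11 and 274 quoted above, because the shutdown cooling terms in the square of the MOV failure rate dominate the total.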

6.1.6 Steam Generator Tube Rupture Frequency

The PSA Procedures Guide (5), EPRI NP-2230 (29), the NREP Data Base (30) and Appendix A of the EPRI Requirements Document do not provide any occurrence frequency estimates for steam generator tube rupture. In the Zion PRA (19), a median value of 1.48 x 10^-2/year was used. In the Westinghouse APWR PRA (23), a median value of 3.1 x 10^-2 was used. NUREG-0651b7) indicates that there have been four (4) tube rupture events at U.S. PWRs. Per NUREG-0020 (44), PWRs have accumulated 408 reactor years of operating experience through November, 1986. This corresponds to a tube rupture frequency of 9.8 x 10^-3/reactor year.

For this analysis, a median steam generator tube rupture frequency of 1 x 10^-2/year with an error factor of 5 will be used.

6.1.7 Large Secondary Side Break Frequency

Large secondary side pipe breaks are considered to be rare events in the same class as large primary system pipe breaks. The generic sources for initiating event frequencies (3,29,30) do not provide an estimate for large secondary side piping breaks. A median value twice that for large primary system pipe failures was selected to account for steam and feedwater line breaks. Therefore, the base secondary side break occurrence frequency is 2 x 10^-4 with an error factor of 10.

The large secondary side break class also includes spurious openings of multiple MSSVs, ADVs or TBVs during steady state power operation. These are defined to be the opening of 5 or more MSSVs (>2 MSSVs/generator), the opening of three or more turbine bypass valves or the opening of three or more ADVs during steady state power operation. A review of Nuclear Power Experience (43) revealed three cases of a spurious opening of an MSSV, one case of the spurious opening of a valve equivalent to an ADV and no spurious openings of TBVs during steady state power operation in 408 reactor years. This corresponds to a baseline frequency for any single valve opening of 7.3 x 10^-3/year for MSSVs, and 2.4 x 10^-3/year for ADVs and MSSVs. Assuming a Beta factor of 0.05 for the common cause opening of any combination of three or more valves yields a spurious multiple valve opening frequency of 3.6 x 10^-4/yr for MSSVs, 1.2 x 10^-4 for ADVs and 1.2 x 10^-4 for TBVs. When combined with the basic pipe break frequency of 2 x 10^-4, these values provide an overall large secondary break frequency of 8.1 x 10^-4. This value is consistent with the value used in the Westinghouse APWR PRA (23), and the combined steam line break inside and outside containment values used in the Zion PRA.

For the purposes of this analysis, a large secondary side break occurrence frequency of 1 x 10^-3 with an error factor of 10 will be used.

6.1.8 Loss of Offsite Power / Station Blackout Frequencies

Based on NSAC/80 (45) and NSAC/85 (46) data, C-E has calculated a loss of offsite power frequency of 0.045/year. This is a median value with an error factor of 3.

Station blackout involves a loss of offsite power and the failure of both diesel generators to start. This can be quantified using the following equation:

$$P_{SBO} = P_{LOOP}\,(P_R^2 + 2P_RP_M + P_{ccf}) \qquad \text{(eqn 6.1.8-1)}$$

where

P_SBO = Probability of station blackout
P_LOOP = Probability of loss of offsite power
P_R = The random diesel generator failure probability
P_M = The probability that a diesel generator is unavailable due to maintenance
P_ccf = Common cause failure probability for the diesels.

Appendix A of the EPRI ALWR Requirements Document (3) provides an estimate of the mean and variance for P_R of 7 x 10^-3/d and 1 x 10^-5, and an estimate of the mean and variance for P_ccf of 2.6 x 10^-4/d and 9 x 10^-8.

P_M can be calculated as:

$$P_M = (P_R \times 12 \times 72)/8760 = 0.099\,P_R \qquad \text{(eqn 6.1.8-2)}$$

Medians and error factors were back-calculated for P_R and P_ccf, and the total frequency for station blackout was evaluated using CESAM (42). The results of this evaluation are:

Median = 6.72 x 10^-5
Error Factor = 3.1
Mean = 8.46 x 10^-5
Standard Deviation = 6.78 x 10^-5

6.1.9 Transients Frequency

As shown on Table 3.2-7, the transients category consists of EPRI NP-2230 (29) PWR transients 1, 2, 3, 6, 8, 11, 12, 15 through 25, 27, 28, 30, 31, 32, 33, 34, 36, 37, 38, 39 and 40. Occurrence frequencies for transients are presented on Table 6.1-1. These values were combined using CESAM (42). The results are:

Median = 8.87
Error Factor = 1.50
Mean = 9.21
Standard Deviation = 2.28

6.1.10 Boron Dilution Frequency

EPRI NP-2230 data, as presented in Table 6.1-1, was used for the boron dilution frequency. The values used are:

Median = 2.7 x 10^-2/year
Error Factor = 3.5
Mean = 3.6 x 10^-2/year
Variance = 8.3 x 10^-4

6.1.11 ATWS Initiators Frequency

ATWS is defined to be an anticipated operational occurrence coupled with failure to insert negative reactivity via the control element assemblies. Since the primary ATWS concern is the peak RCS pressure, ATWS initiators, for this study, are defined to be those transients which tend to produce RCS pressure transients. These include loss of feedwater events, turbine trips, MSIV closures and loss of RCS flow events. In SECY-83-293 (48), the NRC used 4.0 as the number of ATWS initiators of concern. This value is used in this analysis with an error factor of 3.

TABLE 6.1-1
GENERIC FREQUENCIES FOR PWR TRANSIENT INITIATORS

Int.  PWR Transient Categories                                      Mean      Variance  Median
 1    Loss of RCS Flow (1 Loop)                                     4.4 E-1   1.3 E-1   3.2 E-1
 2    Uncontrolled Rod Withdrawal                                   2.0 E-2   3.2 E-4   1.3 E-2
 3    CRDM Problems and/or Rod Drop                                 6.1 E-1   3.1 E-1   4.2 E-1
 4    Leakage from Control Rods                                     2.3 E-2   5.0 E-4   1.6 E-2
 5    Leakage in Primary System                                     1.1 E-1   1.1 E-2   7.3 E-2
 6    Low Pressurizer Pressure                                      3.1 E-2   6.5 E-4   2.3 E-2
 7    Pressurizer Leakage                                           9.6 E-3   1.5 E-4   6.0 E-3
 8    High Pressurizer Pressure                                     2.8 E-2   5.5 E-4   2.0 E-3
 9    Inadvertent Safety Injection Signal                           5.4 E-2   2.3 E-3   4.0 E-2
10    Containment Pressure Problems                                 1.0 E-2   1.8 E-4   5.9 E-3
11    CVCS Malfunction-Boron Dilution                               3.6 E-2   8.3 E-4   2.7 E-2
12    Pressure / Temperature / Power Imbalance-Rod Position Error   1.5 E-1   2.2 E-2   1.0 E-1
13    Startup of Inactive Coolant Pump                              4.3 E-3   5.7 E-4   2.3 E-3
14    Total Loss of RCS Flow                                        2.8 E-2   5.4 E-4   2.0 E-2
15    Loss or Reduction in Feedwater Flow (1 Loop)                  1.8 E+0   9.2 E-1   1.5 E+0
16    Total Loss of Feedwater (All Loops)                           1.8 E-1   3.0 E-2   1.1 E-1
17    Full or Partial Closure of MSIV (1 Loop)                      2.3 E-1   4.8 E-2   1.5 E-1
18    Closure of All MSIV                                           3.0 E-2   6.6 E-4   2.1 E-2
19    Increase in Feedwater Flow (1 Loop)                           6.4 E-1   3.3 E-1   4.4 E-1
20    Increase in Feedwater Flow (All Loops)                        1.6 E-2   3.0 E-4   1.0 E-2
21    Feedwater Flow Instability - Operator Error                   1.8 E-1   3.2 E-2   1.1 E-1
22    Feedwater Flow Instability - Mechanical Cause                 2.0 E-1   4.0 E-2   1.3 E-1
23    Loss of Condensate Pumps (1 Loop)                             1.0 E-1   9.8 E-3   6.8 E-2
24    Loss of Condensate Pumps (All Loops)                          4.8 E-3   5.7 E-4   2.3 E-3
25    Loss of Condenser Vacuum                                      2.3 E-1   4.2 E-2   1.7 E-1
26    Steam Generator Leakage                                       3.7 E-2   8.0 E-4   2.7 E-2
27    Condenser Leakage                                             5.3 E-2   2.6 E-3   3.8 E-2
28    Miscellaneous Leakage in Secondary System                     8.8 E-2   5.9 E-3   6.4 E-2
29    Sudden Opening of Steam Relief Valves                         3.9 E-2   8.9 E-4   3.0 E-2
30    Loss of Circulating Water                                     6.3 E-2   2.7 E-3   4.7 E-2
31    Loss of Component Cooling                                     1.5 E-2   8.8 E-2   5.1 E-5
32    Loss of Service Water System                                  1.0 E-2   1.8 E-4   5.9 E-3
33    Turbine Trip, Throttle Valve Closure, EHC Problems            1.6 E+0   6.6 E-1   1.3 E+0
34    Generator Trip or Generator Caused Fault                      4.1 E-1   8.3 E-2   3.2 E-1
35    Total Loss of Offsite Power                                   1.3 E-0   6.4 E-3   1.1 E-1
36    Pressurizer Spray Failure                                     3.8 E-2   7.8 E-4   2.9 E-2
37    Loss of Power Necessary to Plant Systems                      1.1 E-1   1.1 E-2   7.5 E-2
38    Spurious Trips - Cause Unknown                                1.3 E-1   1.4 E-2   9.5 E
39    Auto Trip - No Transient Condition                            1.2 E+0   6.4 E-1   9.8 E-1
40    Manual Trip - No Transient Condition                          5.8 E-1   3.0 E-1   3.9 E-1
41    Fire Within Plant                                             2.3 E-2   4.3 E-4   1.6 E-2

From EPRI NP-2230

TABLE 6.1-2
INITIATING EVENT OCCURRENCE FREQUENCIES

No.  Initiating Event               Median        Error Factor  Mean         Standard Deviation  Variance
 1   Vessel Rupture                 1.0E-7/yr     10.0
 2   Large LOCA                     1.00E-4/yr    10.0          2.71E-4/yr   7.37E-4
 3   Medium LOCA                    6.28E-4/yr    1.9           6.74E-4/yr   2.66E-4
 4   Small LOCA                     1.95E-2/yr    2.8           2.68E-2/yr   2.67E-2
 5   Interfacing System LOCA        1.87E-11/yr   274.          4.48E-9/yr   6.51E-8
 6   Steam Generator Tube Rupture   1.0E-2/yr     5.0
 7   Large Secondary Side Breaks    1.0E-3/yr     10.0
 8   Loss of Offsite Power          4.5E-2/yr     3.0
     Station Blackout               6.72E-5/yr    3.1           8.46E-5/yr   6.78E-5
 9   Transients                     8.87/yr       1.5           9.21/yr      2.28
10   Boron Dilution                 2.7E-2/yr     3.5           3.6E-2/yr                        8.3E-4
11   ATWS (initiators only)         4.0           3.0

6.2 SPECIAL EVENT TREE ELEMENT QUANTIFICATION

On the event trees presented in Section 4, there are eight elements which can be quantified without recourse to fault tree analysis. The following subsections describe the quantification of these special elements and the results are summarized in Table 6.2-2.

6.2.1 Failure of Primary Safety Valve to Reseat

"Failure of Primary Safety Valve to Reseat" (given that it opened) appears as an element on the Loss of Offsite Power event tree (Section 4.7.3.1.3) and the Station Blackout event tree (Section 4.7.4.1.3). From the NREP Data Base (30), the probability of a primary safety valve failing to reseat is 1 x 10^-2/d with an error factor of 3. All of the PSVs have the same setpoint and thus are assumed to all lift on a challenge. Therefore, the probability of a single PSV failing to reseat is estimated as 4(P_1) or 4 x 10^-2 with an error factor of 3.

6.2.2 Fail to Restore Offsite Power

Two elements, "Fail to Restore Offsite Power in 1 hour" and "Fail to Restore Offsite Power in 3 hours", appear in the Station Blackout event tree (see Sections 4.7.4.1.6 and 4.7.4.1.7). Based on NSAC/85 (46) data for loss of offsite power event durations for 1982 through 1984, a mean event duration of 0.71 hours was calculated. Assuming an exponential distribution, in accordance with NSAC/85, λ was estimated to be 1.408 per hour. For an exponential distribution:

$$P(t > a) = e^{-\lambda a} \qquad \text{(eqn 6.2.2-1)}$$

Substituting 1 hour and 3 hours for "a" in equation 6.2.2-1 yields:

$$P(t > 1) = e^{-1.408} = 0.244 \qquad \text{(eqn 6.2.2-2)}$$

and

$$P(t > 3) = e^{-(1.408)(3)} = 0.014 \qquad \text{(eqn 6.2.2-3)}$$

The variance for both is:

a = = 0.50 (eqn 6.2.2-4)

6.2.3 RCP Seal Integrity

"RCP Seal Integrity" appears as an element on the Station Blackout event tree (Section 4.7.4.1.9) and is defined as loss of RCP seal integrity due to loss of seal cooling. As documented in CE NPSD-340 (40), C-E and the CEOG contend that a Station Blackout will not lead to loss of RCP seal integrity. However, for this analysis, a median probability of 0.05 with an error factor of 5 is used. This is based on 15 events, including actual operating occurrences and tests, in which RCP seals were exposed to loss of seal cooling equivalent to Station Blackout conditions without loss of integrity.

6.2.4 MTC Overpressure

"MTC Overpressure" appears as an element on the ATWS event tree. In their analysis of ATWS risk presented in SECY-83-293 (48), the NRC used a value of 0.5 for "MTC Overpressure". Best estimate analyses have shown that for a typical System 80 plant, level C stress limit pressures (approximately 3000 PSIA) will not be exceeded for MTCs of -0.68 or less, even for a total loss of main feedwater without turbine trip. For a typical System 80 fuel cycle, the 100% power MTC decreases to -0.68 within the first 12% of the fuel cycle. Therefore, for this analysis, a value of 0.12 was used as the probability of an adverse MTC.

6.2.5 RPS Mechanical

"RPS Mechanical" appears as an element on the ATWS event tree (see Section 4.8.2.4). This element is defined to be that a scram does not occur due to mechanical failure of the rods to drop into the core. For C-E plants, expert opinion is that insertion of 50% or more of the rods will shut the reactor down. Therefore, this element is interpreted to be failure of 50% or more of the rods to drop into the core due to mechanical causes.

In WASH-1400 (18), the probability of a single stuck rod is given as 1.0 E-4/demand with a range of 3.0 E-5/demand to 3.0 E-4/demand. In SECY-83-293 (48), the NRC used a value of 1.0 E-5 as the probability for failure to scram due to mechanical failure of the control rods. This implies a general Beta factor of 0.1 for the probability of failure to scram due to mechanical failure of the control rods, given that one control rod has stuck.

A review of PWR operating experience from C-E's Reliability Data System (CERDS) (49) (CERDS is a compilation of NRC Graybook (44) data) indicates that between January, 1961 and November, 1986, U.S. PWRs had a total of 3832 scrams, which is equivalent to 197253 rod demands. Table 6.2-1 presents the number of scrams and rod demands by plant. A review of Nuclear Power Experience (43) indicates that over the same time period, there were five (5) events, involving a total of 6 rods, in which rods did not insert on a scram. This corresponds to a probability of a rod sticking out of the core on a scram demand of 3.04 x 10^-5/demand. Applying the general Beta factor of 0.1 implied in SECY-83-293 to this value yields a probability for failure to scram due to mechanical failure of the control rods of 3.04 x 10^-6/demand. For this analysis, 5.0 x 10^-6/demand, with an error factor of 5, is used as the probability for failure to scram due to mechanical failure of the control rods.

6.2.6 RPS Electrical

"RPS Electrical" appears as an element on the ATWS event tree (Section 4.8.2.2). This element is defined as failure to de-energize the CEDM busses due to failure within the electrical portion of the RPS. In response to Generic Letter 83-28 (55) on the Salem ATWS, a complete analysis of the RPS was performed. The results of this analysis, as documented in CE NPSD-277 (54), show that the probability of failure for the System 80 RPS is 4.08E-6/demand with an error factor of approximately 5.0. The mean was calculated to be 6.62 x 10^-6/d and the variance was calculated to be 2.80 x 10^-11.

6.2.7 SPS Electrical

"SPS Electrical" appears as an element on the ATWS event tree (Section 4.8.2.3). This element is defined as failure to de-energize the CEDM busses due to a failure within the electrical portion of the Supplementary Protection System (SPS).

The SPS is a four channel safety grade system which will trip the reactor on a 2 of 4 coincidence signal for high pressurizer pressure if the RPS does not trip the reactor. The SPS is diverse and redundant with respect to the RPS. It has its own cabinets and logic, its own pressure sensors, and it sends its signal to the motor-generator set output contactors instead of the Reactor Trip Switchgear. A previous analysis of an earlier version of the system with less redundancy showed that the system had a median unavailability of 2 x 10^-2 per demand with an error factor of 5.0. For this analysis, an unavailability of 1 x 10^-2 per demand with an error factor of 5.0 will be used.

6.2.8 Main Steam Safety Valves Fail to Open

"Main Steam Safety Valves fail to open" appears as an element on all event trees except for the Large LOCA and the Medium LOCA event trees. Each steam generator has 10 code safety valves, and there are no dependencies between steam generators. Depending upon the event tree, the success criterion for this element is:

a) 1 of 20 MSSVs opens; or
b) 1 of 10 MSSVs on a specific generator opens.

Therefore, failure of this element requires failure of 20 of 20 or 10 of 10 MSSVs.

The failure rate for a code safety valve failing to open from the PSA Procedures Guide (5) is 6 x 10^-7/hour. Assuming a test interval of 18 months, this leads to a basic failure probability of 3.9E-2/demand. NUREG/CR-2770 does not provide any Beta factors for code safety valves. The random failure probability for failure of ten or more safety valves is less than 10^-20. For this study, the probability that 10 of 10 valves would fail to open was assumed to be 10^-7 with an error factor of 10. The probability that 20 of 20 valves would fail to open was assumed to be 10^-9 with an error factor of 10. This value is consistent with that used in the decay heat removal studies for System 80 plants (12,13).

TABLE 6.2-1
PWR ROD DEMANDS
1/61 THROUGH 11/86

Plant Name            Number of Rods  Scrams  Rod Demands
Arkansas 1            61              55      3355
Arkansas 2            73              84      6132
Beaver Valley 1       48              135     6480
Byron 1               53              5       265
Callaway 1            53              20      1060
Calvert Cliffs 1      77              78      6006
Calvert Cliffs 2      77              49      3773
Catawba 1             53              9       477
Catawba 2             53              0       --
Connecticut Yankee    45              91      4095
Cook 1                53              59      3127
Cook 2                53              47      2491
Crystal River 3       61              79      4819
Davis Besse 1         49              66      3234
Diablo Canyon 1       53              6       318
Diablo Canyon 2       53              2       106
Farley 1              48              91      4368
Farley 2              48              36      1728
Fort Calhoun 1        45              33      1485
Ginna                 29              65      1885
Indian Point 2        53              210     11130
Indian Point 3        53              87      4611
Kewaunee              29              90      2610
Maine Yankee          77              72      5544
McGuire 1             53              50      2650
McGuire 2             53              31      1643
Millstone 2           73              81      5913
Millstone 3           61              1       61
North Anna 1          48              58      2784
North Anna 2          48              37      1776
Oconee 1              61              92      5612
Oconee 2              61              48      2928
Oconee 3              61              47      2867
Palisades             41              98      4018
Palo Verde 1          76              1       76
Palo Verde 2          76              0       --
Point Beach 1         37              45      1665
Point Beach 2         37              32      1184
Prairie Island 1      37              66      2442
Prairie Island 2      37              67      2479
Rancho Seco           61              50      3050
H. B. Robinson 2      41              178     7298
St. Lucie 1           73              59      4307
St. Lucie 2           73              25      1825
Salem 1               53              98      5194
Salem 2               53              44      2332
San Onofre 1          45              53      2385
San Onofre 2          83              21      1743
San Onofre 3          83              20      1660
Sequoyah 1            53              33      1749
Sequoyah 2            53              23      1219
Surry 1               48              138     6624
Surry 2               48              104     4992
Summer 1              48              21      1008
Three Mile Island 1   61              15      900
Trojan                53              79      4187
Turkey Point 3        45              142     6390
Turkey Point 4        45              128     5760
Waterford 3           83              9       747
Wolf Creek            53              6       318
Yankee Rowe           24              99      2376
Zion 1                53              123     6519
Zion 2                53              141     7473
TOTAL                                 3832    197253

TABLE 6.2-2
SPECIAL EVENT TREE ELEMENT PROBABILITIES

Special Event Tree Element                        Median     Error Factor  Mean       Variance
Failure of Primary Safety Valve to Reseat         4.0E-2/d   3
Failure to Restore Offsite Power within 1 hour    2.44E-1                             0.5
Failure to Restore Offsite Power within 3 hours   1.4E-2                              0.5
RCP Seal Integrity                                5.0E-2/d   5
MTC Overpressure                                  0.12/d     1             0.12/d
RPS Mechanical                                    5.0E-6/d   5             8.1E-6/d   1.1E-10
RPS Electrical                                    4.08E-6/d  5             6.62E-6/d  2.8E-11
SPS Electrical                                    1.0E-2/d   5
MSSVs (10 of 10)                                  1.0E-7     10
MSSVs (20 of 20)                                  1.0E-9     10

6.3 HUMAN RELIABILITY QUANTIFICATION

Four types of operator actions were addressed in the fault tree models for the front line systems. These types of operator actions are:

1. Pre-existing maintenance errors;
2. Failure of the operator to perform a relatively simple task during a transient (e.g. manually actuate SIAS);
3. Failure of the operator to perform a complex / multi-step task during a transient (e.g. use condensate pumps to deliver feed flow to the steam generators given failure of the auxiliary feedwater system);
4. Operator Recovery Actions (e.g. operator starts a standby pump late in the sequence).

Type 1 operator actions were quantified using HEP data from The Handbook of Human Reliability Analysis (27). Type 2 and Type 3 operator actions were quantified using the above handbook or the HCR Model (26). Type 4 operator actions were quantified using the HCR model only. The following subsections describe the quantification for all of the operator actions identified in the fault trees grouped by operator action type. The subsection headings include the summary description of the operator action and the code used to label the action in the fault trees. Table 6.3-1 summarizes the results of the operator action quantification. The error factors presented in Table 6.3-1 are based on the values suggested on Table 20-26 in The Handbook of Human Reliability Analysis (27).

6.3.1 Pre-existing Maintenance Errors (Type 1)

6.3.1.1 Condensate Pump P01B Suction Valve HV-1 closed due to maintenance error. (MVM05151)

Assumptions:

1. Error mode is from the Handbook of Human Reliability Analysis, Table 20-14, item 7. Operator restores wrong circuit breaker when returning HV-1 to service. HEP value = .003 (.001 to .01)
2. The operator in the control room has light indication of the breaker status. To allow the error to go undetected he would have to fail to recognize the lights are not energized. Error mode is from Table 20-10, item 4. HEP value = .98 (.96 to .996)
3. It is now possible that the pump would be assumed available for service. The total HEP value at this point is (.98)(.003) = 2.9 x 10^-3
4. Since all procedures require an operational test of equipment being returned to service following maintenance, the operator starting the pump would be monitoring pump amps, pressure, etc. to verify proper operation. To verify operability without proper indication he would have to erroneously read at least one instrument. Error code from Table 20-5, item 1. HEP = .003

Therefore total HEP = (2.9 x 10^-3)(3 x 10^-3) = 8.7 x 10^-6 = 9 x 10^-6

6-32 l

13399/(84C2)/ mis-33 6.3.1.2 Condensate Pump P01B Suction Valve HV-2 closed due to maintenance

( )

error. (MVM05152)

Refer to Section 6.3.1.1. Analysis is the same. HEP value is 9 x 10-6 ,

6.3.1.3 Heat Exchanger Bypass Valve SI-688 not closed due to maintenance error. (GVM05083)

Assumptions:

1. Error is made when the operator misses the procedure step on a checkoff list to close SI-688. Error code is from Table 20-20, item 5. HEP = .01 (.005 to .05)

2. Prior to changing modes into which the CSS is required and then every 31 days a valve check is required by technical specifications. This is done by two independent operators. From Table 20-16, item i HEP is 0.1 for first operator. A coupling of .5 is assumed for the two operators.

3. Total HEP = (.5)(.1)(.01) = 5 x 10^-4

6.3.1.4 Heat Exchanger Bypass Valve SI-693 not closed due to maintenance error. (GVM05093)

Refer to Section 6.3.1.3 for SI-688.

HEP = 5 x 10^-4

6.3.1.5 LPSI Pump Discharge Valve MOV SI-306 not open due to maintenance error. (LVM05056)

Assumptions:

1. Operator fails to open the valve after maintenance on the associated LPSI pump. Error code is from Table 20-15, item 3 with Level 1 tagging. HEP = .001 (.0005 to .005)

2. Technical specifications require 2 independent operators to check the system valve lineup. Assuming a .5 coupling, HEP becomes (.001)(.5) = 5 x 10^-4.
3. Technical specifications require pump operability check following maintenance. Operator in the control room would have to fail to notice the valve is open during the operability check. This check is done with a written procedure under normal conditions. From Table 20-22, item 3 HEP is .01.

Total HEP = (5 x 10^-4)(.01) = 5 x 10^-6

6.3.1.6 LPSI Pump Manual Discharge Valve SI-435 not open due to maintenance error. (LVM05057)

Assumptions:

1. Operator fails to open the valve following maintenance. Error code is from Table 20-15, item 3 with Level 1 tagging, HEP = .001 (.0005 to .005).

2. Technical specifications require 2 independent operators check system prior to returning it to service. With an assumed coupling of .5, HEP becomes 5 x 10^-4.
3. Technical specifications require operability check of pump following maintenance. Operator in the control room performs test with procedure. Done under normal conditions. From Table 20-22, item 3 HEP is .01.

Total HEP = (5 x 10^-4)(1 x 10^-2) = 5 x 10^-6

6.3.1.7 Divergence of flow to CSS due to mispositioned valve SI-685. (LVM05060)

Assumptions:

1. Operator fails to close SI-685 after it has been open for use. Operator has a procedure for this operation. Error code from Table 20-22, item 3. HEP = .01 (.005 to .05) = 1 x 10^-2

2. Two independent valve lineups must be performed prior to entering a mode in which the system is required to be operable. Error code from Table 20-16, item 3 is .01 for first lineup. With an assumed coupling of .5, HEP is 5 x 10^-3.
3. Total HEP = (1 x 10^-2)(5 x 10^-3) = 5 x 10^-5

6.3.1.8 LPSI Suction Valve SI-683 not open due to maintenance error. (LVM05071)

Refer to Section 6.3.1.5 for MOV SI-306.

Total HEP = 5 x 10^-6

6.3.1.9 Divergence of flow to CSS due to mispositioned valve SI-694. (LVM05075)

Refer to Section 6.3.1.7 for SI-685.

Total HEP = 5 x 10^-5

6.3.1.10 Motor Valve SI-698 not open due to maintenance error. (HVM02080)

Refer to analysis for SI-306 in Section 6.3.1.5.

Total HEP = 5 x 10^-6

6.3.1.11 Manual Valve SI-476 not open due to maintenance error. (HVN02081)

Refer to analysis for SI-435 in Section 6.3.1.6.

Total HEP = 5 x 10^-6

6.3.1.12 Manual Valve SI-470 not open due to maintenance error. (HVN02083)

Refer to analysis for SI-435 in Section 6.3.1.6.

Total HEP = 5 x 10^-6

6.3.1.13 Operator fails to load Condensate Pump P01B to Bus. (MPM05466)

Assumptions:

1. A loss of Auxiliary (Emergency) Feedwater has occurred.
2. Condensate pump P01B is not aligned to a bus and needs to be aligned to be made available.
3. This will be a high stress function.
4. An auxiliary operator is sent to close the breaker for P01B. He goes to wrong breaker and attempts to close it. From Table 20-25, item 7, different location. HEP = 1 x 10^-3. Add .25 HEP for stress = .251. Total HEP for operator = 2.51 x 10^-1
5. Control room operator is waiting for the breaker indicating lights to energize to indicate the pump is operable. He would have to make an error of omission of not noticing that the light is not energized when RO notifies him that breaker is closed. Table 20-10, item 4. HEP = .98
6. For the control room operator to attempt to start the pump he would have to fail to notice pump is not running to continue failure to energize. Table 20-9, item 4. HEP = .01

Total HEP = (2.5 x 10^-1)(.98)(1 x 10^-2) = 2.45 x 10^-3

6.3.1.14 Manual Valve V025 not open due to maintenance error. (AVN02422)

Assumptions:

1. Operator fails to open V025 following maintenance. He would be using a tagging list for this. Error code from Table 20-14, item 3. HEP = .005 (.002 to .02)

2. Since this is an emergency system a second operator must verify valve lineup. Assume he does not notice first error. HEP = .5

3. Item must be test run for operability per Technical Specifications. Operator in the control room would run pump. Operator at the pump would verify operation. Both have procedures and instrumentation to verify operation. Error code from Table 20-22, item 3a, HEP = .01

Total HEP = (.005)(.5)(0.01) = 2.5 x 10^-5

6.3.1.15 Motor Driven Pump Suction Valve V021 not open due to maintenance error. (AVN02427)

Refer to analysis for V025 in Section 6.3.1.14.

HEP = 2.5 x 10^-5

6.3.2 Operator Fails to Perform Simple Task During Transient (Type 2)

6.3.2.1 Operator Fails to generate SIAS. (FSS05T6)

Assumptions:

1. An event is in progress in which RCS pressure is decreasing.
2. There are two licensed operators in the control room, an RO and an SRO.
3. The operators are aware of the pressure decrease due to alarm and automatic system response.
4. EOP's are being used with the operators attempting to respond to the transient.
5. At t = 5 minutes the SIAS automatic initiation setpoint is reached but no automatic SIAS occurs. The operators are under a moderately high stress level at this time.
6. The RO, who has average experience, must evaluate the condition, initiate SIAS and monitor its proper actuation.
7. Using the HCR model the HEP for evaluation is:
a. Evaluation task for the RO assumes average experience, good displays, rule based operator behavior and a moderately high stress level. The time required to evaluate that a SIAS has not occurred at the required setpoint is 30 seconds. The time available would be 2 minutes. HEP = 2.63 x 10^-2
b. Evaluation task for the SRO assumes expert experience, good displays, rule based behavior and a moderately high stress level. SRO behavior is assumed to be closely coupled to RO so HEP = .5.
c. Total HEP for evaluation is a combination of RO's and SRO's abilities.

Evaluation HEP = (2.63 x 10^-2)(.5) = 1.3 x 10^-2

8. Performance requires action by the RO. He must initiate SIAS by pushing the manual pushbutton. HEP = 3.64 x 10^-3. The SRO will monitor his actions but is highly dependent on the RO. SRO contribution to the action HEP will be .5 or 5 x 10^-1.

RO's actions should take 30 seconds. There are 3 minutes available.

HEP = (3.64 x 10^-3)(5 x 10^-1) = 1.8 x 10^-3

9. Monitor. Both the RO and SRO will monitor for proper actuation but since this is a closely coupled event the total monitoring HEP is assumed to be .5.

Total HEP = ((1.3 x 10^-2) + (1.8 x 10^-3))(5 x 10^-1)

HEP = 7.4 x 10^-3
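As an added illustration (not part of the report), the HCR time-reliability correlation used in Sections 6.3.2 and 6.3.3 can be coded and checked against HEP values the report prints. The correlation constants and shaping-factor coefficients are taken from the published HCR model and are assumptions here, as is the behavior type wherever the report does not name it; the function names are hypothetical.

```python
import math

# Assumed HCR correlation constants per behavior type: (beta, c_gamma, c_eta).
# They come from the published HCR model, not from this report.
HCR_COEFFS = {
    "skill": (1.2, 0.7, 0.407),
    "rule": (0.9, 0.6, 0.601),
    "knowledge": (0.8, 0.5, 0.791),
}
# Assumed performance shaping factor coefficients K1 (experience),
# K2 (stress) and K3 (displays / man-machine interface).
EXPERIENCE = {"expert": -0.22, "average": 0.0, "novice": 0.44}
STRESS = {"extreme": 0.44, "moderately_high": 0.28, "optimal": 0.0}
DISPLAYS = {"excellent": -0.22, "good": 0.0, "fair": 0.44, "poor": 0.78}


def hcr_hep(t_required, t_available, behavior,
            experience="average", stress="optimal", displays="good"):
    """Crew non-response probability for a task within the time window.

    t_required is treated as the nominal median response time and
    t_available as the time window; both must use the same unit.
    """
    if t_required <= 0 or t_available < 0:
        raise ValueError("times must be positive")
    beta, c_gamma, c_eta = HCR_COEFFS[behavior]
    # Adjust the median time for experience, stress and display quality.
    t_half = (t_required * (1 + EXPERIENCE[experience])
              * (1 + STRESS[stress]) * (1 + DISPLAYS[displays]))
    x = (t_available / t_half - c_gamma) / c_eta
    if x <= 0:
        # Window is shorter than the correlation's delay term:
        # the crew cannot respond in time.
        return 1.0
    return math.exp(-(x ** beta))


# (label, (t_required s, t_available s, behavior, experience, stress,
#  displays), HEP printed in the report). Behavior type is stated in
# 6.3.2.1 only; for the other cases it is inferred and is an assumption.
PAGE_CASES = [
    ("6.3.2.1 item 7a: RO evaluates missing SIAS",
     (30, 120, "rule", "average", "moderately_high", "good"), 2.63e-2),
    ("6.3.2.1 item 8: RO pushes SIAS pushbutton",
     (30, 180, "rule", "average", "moderately_high", "good"), 3.64e-3),
    ("6.3.2.2 item 6: RO pushes RAS pushbutton",
     (30, 120, "rule", "average", "extreme", "good"), 4.13e-2),
    ("6.3.2.5 item 7a: RO works out heat sink path",
     (15 * 60, 45 * 60, "knowledge", "average", "extreme", "good"), 1.75e-1),
    ("6.3.2.5 item 8: RO opens ADV",
     (60, 300, "rule", "average", "extreme", "good"), 1.68e-2),
    ("6.3.3.3 item 5a: RO diagnoses SBLOCA without HPSI",
     (180, 240, "knowledge", "average", "extreme", "good"), 5.44e-1),
]


def compare_with_page():
    """Return (label, computed HEP, report HEP) for every case above."""
    return [(label, hcr_hep(*args), page) for label, args, page in PAGE_CASES]


def sias_failure_hep(coupling=0.5):
    """Chain of 6.3.2.1: (evaluate + act), each halved for the SRO check,
    then halved again for the closely coupled monitoring step."""
    evaluate = hcr_hep(30, 120, "rule", stress="moderately_high") * coupling
    act = hcr_hep(30, 180, "rule", stress="moderately_high") * coupling
    return (evaluate + act) * coupling


if __name__ == "__main__":
    for label, computed, page in compare_with_page():
        print(f"{label}: computed {computed:.3e}, report {page:.3e}")
    print(f"6.3.2.1 total: {sias_failure_hep():.2e}")
```

The 6.3.2.1 total computed without intermediate rounding is about 7.5 x 10^-3; the report rounds the evaluation and action terms first and prints 7.4 x 10^-3.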

6.3.2.2 Operator Fails to generate RAS. (FSR02017)

Assumptions:

1. A LBLOCA has occurred, the ECCS systems have actuated and are transferring water from the RWT to the containment sump.
2. The RAS setpoint will be reached at approximately 20 minutes into the transient. The operators will be under an extreme stress level at that time.
3. The operators are using performance based EOP's which warn them when the RAS should occur and tell them how to verify it has occurred.
4. At t = 20 minutes the RAS setpoint is reached but an automatic RAS does not occur.
5. At this time both the RO and SRO are expecting the RAS to occur. They will both be evaluating plant conditions to ensure it does occur.

The HEP for the RO will be: 4.13 x 10^-2
The HEP for the SRO will be: 2.52 x 10^-2
Total HEP to identify manual RAS required is (4.13 x 10^-2)(2.52 x 10^-2) = 1.04 x 10^-3

6. The RO must now generate the RAS by pushing the appropriate button. This should take 30 seconds. Time available is 2 minutes. Pushing either of two pushbuttons will accomplish the task. HEP = 4.13 x 10^-2
7. Adding evaluation and action HEPs to find a total HEP for the task.

1.04 x 10^-3 + 4.13 x 10^-2 = 4.23 x 10^-2

8. Both the RO and SRO will monitor system response to ensure the RAS occurs. Since the monitoring function is closely coupled with the actuation function we can assign a HEP of .5 to it.

(4.23 x 10^-2)(5 x 10^-1) = 2.1 x 10^-2

Total HEP = 2.1 x 10^-2

6.3.2.3 Operator Fails to generate CSAS. (FSA02011)

Assumptions:

1. An event is in progress in which containment pressure is increasing.
2. The RO and SRO in the Control Room are aware of the pressure increase due to alarm conditions and procedure guidance.
3. The performance based EOP's warn the operators that a CSAS should occur at a set containment pressure, and tell them how to verify it does and what to do if it doesn't. The operators would be under a moderately high stress level at this time.
4. At t = 5 minutes the CSAS setpoint is reached but an automatic CSAS does not occur.
5. Both the RO and the SRO will monitor plant conditions and RAS actuation.
a. HEP for RO is 3.64 x 10^-3
b. HEP for SRO is .5
c. Total HEP for evaluation = (3.63E-3)(.5) = 1.8 x 10^-3
6. The RO must now initiate the CSAS. He does this by pushing either of two CSAS pushbuttons.

Action HEP = 6.97 x 10^-3

7. Total HEP for actuation is sum of evaluate and action = 1.8 x 10^-3 + 6.97 x 10^-3 = 8.77 x 10^-3

6.3.2.4 Operator fails to Generate AFAS. (PSE05115)

Assumptions:

1. An event is in progress which results in a loss of feedwater. This results in decreasing steam generator water levels.
2. The RO and SRO in the control room are using performance based EOP's and are under a moderately high stress level. The EOP's identify when the AFAS should occur and what to do if it doesn't occur.
3. At t = 5 minutes the AFAS setpoint is reached but an automatic AFAS does not occur.
4. Both the RO and SRO will monitor plant conditions and identify that an AFAS should occur.
a. HEP for RO is = 3.64 x 10^-3 (Based on HCR Model)
b. HEP for SRO is = 5 x 10^-1 (assuming close coupling)
c. Total HEP to identify = 3.64E-3 x 5 x 10^-1 = 1.82 x 10^-3
5. The RO must now manually actuate AFAS by pushing either of two AFAS pushbuttons. HEP = 2.63 x 10^-2
6. Total HEP for evaluate plus actuate is 1.82 x 10^-3 + 2.63 x 10^-2 = 2.81 x 10^-2
7. Both the RO and SRO will monitor plant status to ensure that manual AFAS was effective. Since the monitor task is closely coupled to the performance task the HEP = .5.
8. Total HEP for manual EFAS is (2.81 x 10^-2)(5 x 10^-1) = 1.4 x 10^-2

Total HEP = 1.4 x 10^-2

6.3.2.5 Operator fails to open solenoid valves. (DVS02173)

Assumptions:

1. A reactor trip has occurred as a result of a transient. The operators are using the performance based EOP's to respond to the trip.
2. During the plant response feedwater to the S/G's is lost.
3. Following the trip, the AFAS should be generated as the S/G levels decrease. Auto AFAS is not successful, manual AFAS is attempted but is also not successful. A total loss of feedwater condition exists. With no feedwater the S/G will boil dry 30 minutes after the AFAS setpoint was reached.
4. In order to prevent core damage, a heat sink must be established within one hour of the time the AFAS setpoint was reached. The operators are under extreme stress at this time. The EOPs state that a heat sink must be established but do not provide specific procedural steps for accomplishing this.
5. The success path for this event is to reduce S/G pressure using the ADV's to the point where the condensate pumps can be used to feed the S/G's.
6. Three operators, the RO, an SRO and an extra SRO/STA will all work on solving this problem. The SRO and the STA will work together and therefore be highly dependent upon each other.
7. Evaluate conditions and reach solution
a. Since ample time must be available to perform any required actions, the RO has only 45 minutes to determine required actions. He should be able to do this in 15 minutes.

RO Evaluation HEP = 1.75 x 10^-1

b. The SRO and STA will also work to solve this problem. SRO HEP = 8.39 x 10^-2. Since the SRO and STA work together, multiply by 5 x 10^-1 for second person: (8.39 x 10^-2)(5 x 10^-1) = 4.2 x 10^-2
c. Total HEP for evaluation = (1.75 x 10^-1)(4.2 x 10^-2) = 7.35 x 10^-3
8. The RO must now open the ADV to decrease steam generator pressure. This is a manual operation. The average time to do this is one minute. The total time allowable is 5 minutes assuming it took the entire 45 minutes allowable to determine this. HEP = 1.68 x 10^-2
9. Add evaluative and performance HEP's to get Total HEP = .735 x 10^-2 + 1.68 x 10^-2 = 2.42 x 10^-2
10. Following the RO's action all three operators will evaluate the plant response to ensure his actions were correct and feedwater is reaching the S/G's. Since the evaluative process is closely tied to the performance process an HEP of .5 is assumed.
11. Total HEP for the event is (2.42 x 10^-2)(5 x 10^-1) = 1.21 x 10^-2

6.3.2.6 Operator fails to open solenoid valves. (DVS02196)

Refer to analysis for DVS02173 in Section 6.3.2.5.

HEP = 1.2 x 10^-2

6.3.2.7 Operator fails to throttle SDC throttle valve / Hx1, Hx2 Bypass valves. (LVM05173)

Assumptions:

1. A transient has occurred, a controlled depressurization and cooldown has been conducted and the operators are entering shutdown cooling using the SDC heat exchangers as a heat sink.
2. There are three operators present: an RO with average training and two experts, an SRO and an SRO/STA.
3. The operators are using performance based EOP's with check off steps for this evolution.
4. Since we are several hours into the transient and operations have proceeded as planned the operators are in an optimal/normal stress condition.
5. The RO will perform the evolution of establishing SDC flow through the Hx and throttling the Hx bypass flow. He will monitor the cooldown rate. The cooldown rate is a calculation he must perform with temperatures recorded on a moving chart.
a. Throttle bypass. For this particular event the operator will have excellent instrumentation available (flow/valve position) and he will be keyed to watching it. The time required to accomplish this event is about 1 minute on average. After throttling the valve he would wait approximately 5 minutes to gauge his cooldown rate. During this time he would assume he had acted correctly.

HEP = 1.08 x 10^-3 (for failing to throttle bypass valve).

6. If the cooldown rate was not correct the RO would open the Hx outlet valve further to acquire more cooling. If he didn't throttle the Bypass (assuming he doesn't find his error) he would wait another 5 minutes to monitor the cooldown rate. Since his finding his original error is closely coupled to his original actions assume .5 for an HEP on second throttle event.

(1.08 x 10^-3)(5 x 10^-1) = 5.4 x 10^-4

7. If the RO was not getting an acceptable cooldown after 15 to 20 minutes he would notify the SRO that something was wrong. The SRO would then perform a detailed review of the RO's actions to find out why the cooldown was not working. SRO HEP = 1.08 x 10^-3
8. Total HEP for event = (5.4 x 10^-4)(1.08 x 10^-3) = 5.8 x 10^-7

Total = 5.8 x 10^-7

6.3.2.8 Operator Fails to Load and Start Charging Pump. (UPM05411)

Assumptions:

1. The operator is in the process of cooling the plant down after a steam generator tube rupture. This action is part of controlling the primary pressure.
2. The RCPs are not running so the operator must use the auxiliary spray system. Loss of A.C. power is the cause of RCP loss.
3. The operator has 2 hours to start one charging pump.
4. Operator is performing this task with written instructions. Procedure assumed to have no check off. Omission error is 0.01 (Swain, Table 20-20, #5) and EF = 5.
5. Operator could turn on incorrect pump. Commission error is 0.003, EF = 3 (Swain, Table 20-13, #1).
6. A second operator is present and may make a recovery action. He is very dependent on first operator. (HEP = HEP x 0.5, Swain, Table 20-24). Third operator is occupied with the LOOP.
7. Operator may recover by noticing deviant primary pressure in following two scans of meter without limit marks. HEP = (0.15 x 0.47) HEP, Swain Table 20-12, #2.
8. Operator is under moderately high stress because this sequence is during a loss of offsite power (LOOP is reason RCP's are lost). This is a dynamic task (HEP = HEP x 5, Swain Table 20-23, #4).

Total HEP = (0.15)(0.47)(0.5)(5.0)(0.01 + 0.003) = 2.3E-3

6.3.2.9 Operator Fails to Initiate Auxiliary Spray (PVS02470)

Assumptions:

1. This activity is very similar to the operator action to load and start the Charging Pump (element UPM05411, 6.1.2.8) and the same HEP will apply.

Total HEP = 2.3E-3

6.3.2.10 Operator Fails to Close Volume Control Tank Discharge Valve (Valve CH501). (UZZO5429)

Assumptions:

1. The operator is in the process of cooling the plant down after a steam generator tube rupture. This action is part of controlling the primary pressure.
2. The RCPs are not running so the operator must use the auxiliary spray system. Loss of A.C. power is the cause of RCP loss.
3. The operator has 40 minutes to close valve CH501 after starting the pump.
4. Operator is performing this task with written instructions. Procedure assumed to have no check off. Omission error is 0.01 (Swain, Table 20-20, #5) and EF = 5.
5. Operator could close the wrong valve. Commission error is 0.003, EF = 3 (Swain, Table 20-13, #1).
6. Second and third operators are either occupied or do not have time to correct first operator.
7. Operator may recover by noticing deviant primary level in subsequent scan of meter without limit marks. HEP = (0.15 x 0.47) from Swain Table 20-12, #2.
8. Operator is under moderately high stress because this sequence is during a loss of offsite power (LOOP is reason RCP's are lost). This is a dynamic task (HEP = HEP x 5, Swain, Table 20-23, #4).

Total HEP = (0.15)(5.0)(0.01 + 0.003) = 9.8E-3

6.3.2.11 Operator Fails to Re-Close ADVs (DVS02155)

Assumptions:

1. The operator has identified the transient as a Steam Generator Tube Rupture and identified the SG which has the failure.
2. The reactor has tripped, and the operator has opened the ADV's on both SG's to cool down the plant.
3. One operator is actively using the ADV on the good SG to control the cooldown.
4. Controlling cooldown with ADV's is a common and a well understood procedure.
5. Procedure calls for the operator to cool both SG's to below NSSV setting and isolate the bad S.G.
6. Operators are at medium stress level because of SG tube rupture event (HEP = HEP x 5.0, Swain, Table 20-23, #4).
7. Operator has 1 hour to close the ADV's.
8. 3 Operators present (Swain, Table 20-24): 1st is Lead, 2nd Mildly dependent = 0.15, 3rd Highly dependent = 0.5.
9. Operator is actively reading SG level and primary pressure to maintain desired cooldown rate. Primary HEP is quantitative reading of primary temperature analog meter (0.003, Swain 20-25, #1).
10. Operator can recover by reading SG level. This task has a moderate dependency (HEP Factor = 0.15, Swain Page 20-5).
11. Analysis neglects errors of commission, above is for omission only.
12. Analysis neglects effects of multiple scanning of primary temperature and SG level.

Total HEP = (5)(3E-3)(0.15)(0.5)(0.15) = 1.7E-4

6.3.2.12 Operator Fails to Throttle HPSI Flow. (HZZO2338)

Assumptions:

1. Operator is trying to control primary pressure and temperature during a steam generator tube rupture.
2. Pressurizer spray flow from both main and auxiliary sprays is unavailable.
3. The operator has several hours to throttle the HPSI.
4. This failure is similar to the failure to Start and Load the Charging Pump (6.3.2.8).

Total HEP = 2.3E-3

6.3.2.13 Operator Fails to Start the Third Charging Pump. (UFM05582)

Assumptions:

1. The transient is an ATWS and the operator must satisfy RCS makeup. Two charging pumps are normally running and the operator must start the third pump manually.
2. The operator knows that the primary safeties have lifted and the HPSIs are not working.
3. The operator is working from a functional oriented guideline and is well aware of the necessity to maintain primary inventory.
4. The operator should first turn on the third charging pump in order to borate at the beginning of the ATWS transient.
5. As the pressurizer level drops, the operator should try to restore the primary inventory by starting all the possible pumps (3rd Charging plus HPSIs). The high pressure of the primary side should lead the operators to start the charging pump.
6. The omission error rate, commission error rate, stress level effects and recovery by other operators is the same as 5.3.2.8, Operator fails to load and start charging pump in a S.G. tube rupture.

Total HEP = 2.3E-3

6.3.2.14 Operator Fails to Start Holdup Pump A. (UPN05575)
Operator Fails to Start Holdup Pump B. (UPM05580)

Assumptions:

1. The operator has aligned the RWT to the fuel pool (TVN05530, Section 6.3.3.10).
2. The performance of this task is conditionally dependent on the performance of the previous task. A moderate dependency is assumed. The previous task (TVN05530) has a HEP equal to 0.25.
3. From the Handbook of Human Reliability, Page 20-5, equation 2, the dependency model is:

HEP = (1 + 6 (BHEP))/7

Where BHEP = Basic human error probability

Total HEP = 0.35

6.3.2.15 Operator Fails to Start FPC Pump A. (TPM05544)
Operator Fails to Start FPC Pump B. (TPM05554)

Assumptions:

1. The transient is a steam generator tube rupture and the operator is under extreme pressure to control the primary pressure.
2. In a previous action, the operator was to align the refueling water tank to the Fuel Pool (TVN05530, 6.3.3.9).
3. Starting the FPC pumps is assumed to be mildly dependent on the omission error of the previous task (HEP = 0.25).
4. Swain's dependency model (Swain, Page 20-5, equation 2) was used. This is the same as 6.3.2.14.

Total HEP = 0.35
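The dependency model cited in 6.3.2.14 and 6.3.2.15, generalized to all five dependence levels of the handbook, as an added example that is not part of the report. Only the moderate-dependence equation appears in the report; the other four equations are the handbook's standard forms, and the function names are hypothetical.

```python
# Conditional HEP of a task given failure of the preceding task, using the
# handbook's five dependence levels. Only "moderate" is printed in the report.
DEPENDENCE_LEVELS = ("zero", "low", "moderate", "high", "complete")


def conditional_hep(bhep, level):
    """Return the conditional HEP for a basic HEP and a dependence level."""
    if not 0.0 <= bhep <= 1.0:
        raise ValueError("bhep must be a probability")
    if level == "zero":
        return bhep
    if level == "low":
        return (1 + 19 * bhep) / 20
    if level == "moderate":
        return (1 + 6 * bhep) / 7   # equation quoted in 6.3.2.14
    if level == "high":
        return (1 + bhep) / 2
    if level == "complete":
        return 1.0
    raise ValueError(f"unknown dependence level: {level}")


def joint_failure(first_hep, followers):
    """Probability that the first person fails and every later checker
    or task also fails.

    followers is a list of (bhep, level) pairs, one per later checker.
    """
    p = first_hep
    for bhep, level in followers:
        p *= conditional_hep(bhep, level)
    return p


def dependence_floor(level):
    """Smallest conditional HEP a level can give (basic HEP of zero)."""
    return conditional_hep(0.0, level)


if __name__ == "__main__":
    # 6.3.2.14: previous task HEP 0.25 with moderate dependence.
    print(round(conditional_hep(0.25, "moderate"), 3))
    # 6.3.1.5 item 2: .001 with a second operator at ".5 coupling", which
    # is what high dependence gives when the basic HEP is small.
    print(joint_failure(0.001, [(0.001, "high")]))
    for level in DEPENDENCE_LEVELS:
        print(level, round(dependence_floor(level), 3))
```

For small basic HEPs the low, moderate and high equations tend to 0.05, about 0.14 and 0.5, which is where the 0.15 and 0.5 multipliers used throughout Section 6.3 come from; the unrounded result for 6.3.2.14 is 0.357.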

6.3.3 Operator Fails to Perform Complex Task During Transient (Type 3)

6.3.3.1 Operator fails to initiate Hot and Cold Leg Injection. (HZZO5101)

Assumptions:

1. A LOCA has occurred in which the RCS depressurizes to 20 PSIA.
2. At t = 2 hours the operators must establish hot and cold leg injection via at least 1 HPSI pump.
3. There are three operators in the control room. They are the RO (performer), SRO (reader/checker), and SRO/STA (checker). All are at optimal awareness. Assume a total value of 0.5 for the SRO and SRO/STA for checking RO's actions.
4. The operators are using performance based EOP's to direct their actions.
5. The hot leg injection must be initiated within 3.0 hours of the LOCA to prevent core damage.
6. The RO must:
a. Open two hot leg injection valves. Since they are located together and operated as a pair they are completely coupled and considered a single action. This action should take approximately four minutes (2 per valve).

HEP = 8.7 x 10^-4

b. Close HPSI outlet. One valve - Time = 2 min. Available time = 26 min.

HEP = 5.88 x 10^-6. Run HEP = 8.75 x 10^-4

c. The RO must verify his actions by checking valve positions and monitoring proper flow rates. This takes him approximately two minutes. He has 24 minutes available. This is a skill based action.

HEP = 1.41 x 10^-5. Total HEP for the RO is 8.92 x 10^-4

7. Considering the dependency between the performer and the reader/checkers we have a multiplicative HEP of 0.5 or 5 x 10^-1.

Total Cum HEP = (8.92 x 10^-4)(.5) = 4.46 x 10^-4

6.3.3.2 Operator fails to align system for alternate secondary heat removal. (MVZ02951)

Assumptions:

1. A reactor trip has occurred as a result of a transient. During the plant response normal feedwater is lost.
2. There are at least two operators in the control room, an RO and an SRO. Ten minutes after the trip a third operator/STA is available.
3. Following the reactor trip an AFAS is generated as a result of low steam generator water levels. An automatic AFAS is generated but does not occur. Manual AFAS is initiated per procedure. Manual initiation is not successful. Thirty minutes from the time the AFAS was required the S/G will boil dry. Core damage will occur after 1 hour.
4. The operators (RO, SRO, and other) must recognize that a secondary heat sink must be established. This is stated in the procedures. They must then determine that the only source of water available on the secondary side is condensate delivered to the S/G by the condensate pumps.
5. Since the procedures don't cover this action the operators must rely on their systems knowledge and operating experience to solve this problem. They will now be operating under a high stress level.
6. The operators must analyze the conditions to determine that a feed path to the SG's must be made available from the hotwell.
a. RO. Assume extreme stress, good training, knowledge based action required and average experience. Time to recognize feed path needed is 10 minutes. Time available is 20 minutes. Recognition time includes attempts to establish AFW.

HEP = 3.43 x 10^-1

b. The SRO and STA will be acting together to analyze and solve this problem. They are also coupled to the RO's actions and suggestions. HEP for both is assumed to be 1 x 10^-1.
c. Total HEP to analyze is 3.43 x 10^-2.
7. Once the condition has been analyzed the proper line up must be made. An RO and two non-licensed operators will do this.

8. To establish a successful lineup the RO must open a minimum of five remotely operated valves. Assume same conditions and stress level for the RO as before. Since 20 minutes may have been spent to analyze the action required he now has 30 minutes to accomplish the lineup.
a. open demin bypass - T1 = 2 min, T2 = 30 min, HEP = 5.21 x 10^-4
b. open FWRV bypass - T1 = 2 min, T2 = 28 min, HEP = 7.98 x 10^-4, Run HEP = 1.32 x 10^-3
c. open FW-1113 - T1 = 2 min, T2 = 26 min, HEP = 1.23 x 10^-3, Run HEP = 2.55 x 10^-3
d. open HV-172 - T1 = 2 min, T2 = 24 min, HEP = 1.91 x 10^-3, Run HEP = 4.46 x 10^-3
e. open HV-130 - T1 = 2 min, T2 = 22 min, HEP = 2.99 x 10^-3, Total AO HEP = 7.45 x 10^-3
9. The AO's must each open 1 valve; either valve is sufficient to establish the flow path so only one must actually be opened. These valves bypass the feed pumps. Assume average training for the AO's and good communications. Since they aren't involved in solving the problem or manipulating controls they are under a moderately high stress level, not an extreme stress level. T1 = 15 minutes, T2 = 30 minutes. This is a knowledge based action since they have to identify and fully open the valves.

HEP for 1 AO is 2.82 x 10^-1, for 2 it is (2.82 x 10^-1)^2 = 7.95 x 10^-2

10. Total HEP to analyze and establish flow path is (3.43 x 10^-2) + (.745 x 10^-2) + (7.95 x 10^-2) = 1.21 x 10^-1
11. The RO must now start the condensate pump and monitor his flows to ensure he has accomplished his desired action.
a. Start pump. T1 = 1 min, T2 = 10 min, HEP = 4.72 x 10^-3
b. Monitor flow rates, etc. T1 = 2 min, T2 = 9 min, HEP = 7.35 x 10^-2. Total HEP = 7.82 x 10^-2
12. The SRO and STA will also monitor proper flow rates and line up. Since they are coupled to the RO's actions and reports they have a total HEP of 1 x 10^-1.

Total HEP for monitor is now (7.82 x 10^-2)(1 x 10^-1) = 7.82 x 10^-3

13. Total HEP for the event becomes 1.21 x 10^-1 + .07 x 10^-1 = 1.28 x 10^-1

Total 1.28 x 10^-1

6.3.3.3 Operator fails to depressurize for LPSI injection. (LZZ05165)

Assumptions:

1. A SBLOCA or SGTR has occurred and SIAS has actuated. The RCS is blowing down through the break but RCS pressure is still high. No HPSI pumps are available.
2. Two licensed operators are in control, an R0 and an SRO.
3. With no operator action to replenish the RCS core damage will occur in 30 minutes. The operators are under extreme stress.
4. The only means available to replenish the RCS is with the LPSI pumps, but to use them the RCS must be depressurized by steaming both S/G's through the ADV's at the max steaming rate. This must be started within 10 minutes to allow sufficient depressurization for LPSI injection to start within 30 minutes.
5. The R0 is well trained with average experience. Instrumentation is good.

Since the procedures do not address this event he has to solve it using systems knowledge and experience.

O 6-72 1

I

i 1339g/(84C2)/ mis-73 p

a. Evaluate. The RO must recognize a SBLOCA has occurred and that HPSI is not available. He must then identify the success path of depressurizing the RCS via S/G cooldown. The R0 has four minutes to solve this problem. Average time would be three minutes. From the HCR model the HEP = 5.44 x 10-1 .
b. The SR0 will also attempt to solve the problem but is dependent upon the RO for information. Assume an HEP of 5 x 10-1 for the SRO.

Total HEP for solving tbt event is (5.44 x 10-1)(5 y 10~I) = 2.72 x 10-1

6. After recognizing that the RCS must be depressurized with the S/G's, the RO must establish the max feed/steam rate for each S/G.
a. Max feed #1 S/G, HEP = 1.75 x 10^-1, T1 = 30 seconds
b. Max feed #2 S/G, HEP = 1.75 x 10^-1, T2 = 1.5 minutes
c. Max steam #1 S/G, HEP = 1.75 x 10^-1
d. Max steam #2 S/G, HEP = 1.75 x 10^-1
Total RO HEP to establish steam/feed = 7.0 x 10^-1
7. Total HEP to establish feed/steam = 2.72 x 10^-1 + 7 x 10^-1 = 9.72 x 10^-1
8. The RO will monitor his instruments and equipment to ensure he has the proper steam and feed rates and that RCS pressure and temperature are decreasing. T1 = 3 min., T2 = 4 min., HEP = 5.44 x 10^-1
9. The SRO will also evaluate but his information is based on RO input as well as plant information. His HEP is 5 x 10^-1. Total for both is 2.72 x 10^-1.
10. Total HEP for the event is then (9.72 x 10^-1)(2.72 x 10^-1) = 2.64 x 10^-1

6.3.3.4 Operator fails to depressurize for LPSI recirculation. (LZZ05166)

Assumptions:

1. An SBLOCA has occurred. The plant and operators have responded per approved EOP's. When the RWT level drops to the RAS setpoint the automatic RAS is initiated. The RAS actuations occur but the HPSI pumps are lost. RCS pressure is above LPSI shut off.
2. The problem now arises that there is no make up for the RCS. The operators must recognize this problem and depressurize to the point where LPSI recirculation is possible. They must then initiate LPSI flow.
3. There are three operators in control, 1 RO and 2 SRO's. They are at maximum alertness, the instrumentation to recognize this event is excellent (valve position, flow, pressure, temperature, etc.). Stress levels will be moderately high.
4. Following the loss of HPSI, at least 1 hour is available for actions before core damage will occur.
5. All secondary systems are available.
6. The RO is well trained with average experience. He must analyze the plant conditions and recognize the fact that depressurization is necessary. From the HCR model, T1 = 5 min, T2 = 40 minutes. Allowing 40 minutes for analysis leaves 20 minutes for action. HEP = 2.98 x 10^-2.

7. The SRO and STA will also analyze the plant conditions. Since their information input is partially coupled to the RO's actions and input, their combined HEP is assumed to be 5 x 10^-1.
8. Total HEP to identify that LPSI recirculation is required is (2.98 x 10^-2)(.5) = 1.49 x 10^-2
9. Once the operators know what they must do, the RO must accomplish it.
10. He now has 20 minutes to feed and steam the S/G's to reduce RCS pressure to below the LPSI shut off.
a. Feed S/G HEP = 2.67 x 10^-3
b. Steam S/G HEP = 4.46 x 10^-3, Run HEP = 7.13 x 10^-3
c. Total to accomplish feed/steam = 7.13 x 10^-3
11. After accomplishing the feed/steam operation the RO will monitor plant conditions to ensure he has accomplished the task. T1 = 3 min, T2 = 16 min., HEP = 3.83 x 10^-2.
12. The SRO and STA will also monitor. Assume combined HEP of 5 x 10^-1 since they are dependent upon RO for some of their information. Total HEP for monitoring now becomes (3.83 x 10^-2)(5 x 10^-1) = 1.92 x 10^-2.
13. Total HEP for event is

Analyze + Action x Monitor =

(1.49 x 10^-2) + (7.13 x 10^-3)(1.92 x 10^-2) = 1.49 x 10^-2 + 1.37 x 10^-4

Total HEP = 1.50 x 10^-2

6.3.3.5 Operator fails to initiate shutdown cooling (LZZ05167)

Assumptions:

1. An SBLOCA has occurred. The operators have progressed to the point where SDC is required. The plant is stable at the SDC entry point.
2. If the operator fails to initiate SDC there is at least 1 hour available before core damage will occur.
3. There are three operators in the control room (RO, SRO, STA), and they are using performance based procedures to direct their actions. They are at optimum levels of stress/operation.
4. The SRO must read the procedure and direct the RO to place the system in SDC. Ave. Time = 2 min, Time Available = 40 min. HEP = 2.85 x 10^-13
5. The RO will then place the SDC system in service using a written step by step procedure.
a. Open 1st SDC Suction Valve, T1 = 2 min, T2 = 38 min, HEP = 3.60 x 10^-10
b. Open 2nd Suction, T1 = 2, T2 = 36, HEP = 1.05 x 10^-9
c. Open 3rd Suction, T1 = 2, T2 = 34, HEP = 3.06 x 10^-9
d. Close normal LPSI Suct., T1 = 2.0, T2 = 32, HEP = 9.08 x 10^-9
e. Open SDC X Conn #1, T1 = 2.0, T2 = 30.0, HEP = 2.67 x 10^-8
f. Open SDC X Conn #2, T1 = 2.0, T2 = 28.0, HEP = 7.06 x 10^-8
g. Shut SDC to CTMT Spray, T1 = 2.0, T2 = 26.0, HEP = 2.04 x 10^-7
h. Open SDC X Conn #3, T1 = 2.0, T2 = 24.0, HEP = 7.28 x 10^-7
i. Open SDC to Loop, T1 = 2.0, T2 = 22.0, HEP = 2.23 x 10^-6
j. Start LPSI, T1 = 2.0, T2 = 20.0, HEP = 6.93 x 10^-6
k. Start Cooling Water, T1 = 2 min, T2 = 18 min, HEP = 2.17 x 10^-5
l. Open the Outlet, T1 = 2.0, T2 = 16 min, HEP = 6.92 x 10^-5
m. Throttle Bypass, T1 = 2.0, T2 = 14 min

Total HEP for establishing SDC is 3.25 x 10^-4

6. The RO will now monitor his actions to ensure he has a proper cooldown. This will take 5 minutes out of 20 available. This is skill based. HEP = 3.74 x 10^-2
7. The SRO and STA will also monitor cooldown but their actions are closely linked to the RO. Their combined HEP = 1 x 10^-1.
8. Total monitor HEP = 3.74 x 10^-3.
9. Total HEP to establish SDC =

Start x Monitor

(3.25 x 10^-4)(3.74 x 10^-3) = 1.22 x 10^-6

Total = 1.22 x 10^-6

6.3.3.6 Boron Dilution Event

Assumptions:

1. Plant is in Hot Shutdown, with all rods in. The secondary side is providing decay heat removal. There is a 2% Δρ SDM.
2. The plant has a maximum charging rate of 132 gpm with suction from the demineralized water tank. Letdown flows to the boron recovery system. This establishes maximum dilution.
3. It takes 95 minutes to borate to 0 SDM where core would go critical.
4. The operators do not recognize that the dilution is in progress.
5. Dilution must be terminated and boration started within 15 minutes after criticality (T = 110 min) to prevent core damage.
6. There are two operators in the control room at all times, an RO and an SRO.
7. The only action required to emergency borate is to open the boric acid admission valve to the charging pump suction and to start the B.A. pump or to go to "borate" on the CVCS mode selection switch.

8. A low boron concentration alarm will occur at t = 10 minutes. The operator has 15 minutes to respond to this alarm. Average time should be two minutes. Since this is a shutdown condition assume low vigilance by the operators. Assume knowledge based action since if he used the alarm response procedure it would direct him to check lineups and borate. The operator should respond to the alarm and analyze the situation in two minutes. He has 15 minutes. From HCR model the HEP = 9.84 x 10^-3. At this time only the RO is involved.
9. If dilution is not terminated a Boron dilution (High CPS) alarm will occur. Assume same conditions and time limits. Once again the RO does not involve the SRO in his actions. T1 = 2 min, T2 = 15 min, HEP = 9.84 x 10^-3, Running HEP = 9.6 x 10^-4.
10. If the dilution is not terminated a Hi-log power trip will occur and the reactor will go critical. The RO will now be under extreme stress and will request aid from the SRO who is also under extreme stress.
11. The SRO will evaluate the plant condition and enter the EOP's. He will now be acting under rule based actions but is heavily stressed. Assume it takes him 3 minutes to analyze and enter the procedures. He has 15 minutes. HEP = 9.2 x 10^-3
12. Total HEP is RO x SRO (9.6 x 10^-4)(9.2 x 10^-3) = 8.84 x 10^-6

6.3.3.7 Operator Fails to Reopen Containment Isolation Valves. (BVD02902)

Assumptions:

1. Operator has 1 hour to open containment isolation valves.
2. Operator's attention is directed at controlling primary cooldown and SG level.
3. Operator knows that the bad SG is isolated and he is pleased with that status.
4. Opening both isolation valves is considered to be a single action.
5. Omission errors: Operator fails to identify item in long checkoff list (Swain, Table 20-20, #5). HEP = (0.01)
6. Moderate Stress, HEP = HEP x 5 = .05
7. Other operators would not pick it up.
8. Operator must also open another valve, HV2C, in series. Failure to open HV2C is omission error (Swain, Table 20-20, #5). HEP = 0.01. Moderate stress, HEP = HEP x 5 = .05

Total HEP = (0.05 + 0.05) = 0.10

6.3.3.8 Operator Fails to Re-Open Containment Isolation Valves. (BVD05518)

Assumptions:

1. These valves are in the blowdown line.
2. The transient is a tube rupture and the valves close on a SIAS, MSIS or AFW actuation.
3. Valves are on failed steam generator. Operator must open the valves to prevent over-filling.
4. This operation is similar to the operator failing to Reopen the Containment Isolation Valves (see 6.3.3.7) and the same HEP will be used.

Total HEP = 0.1

6.3.3.9 Operator Fails to Align the RWT to Fuel Pool. (TVN05530)

Assumptions:

1. The transient is a steam generator tube rupture. The operator has lost control of the primary pressure or has failed to isolate the failed steam generator or has not established secondary heat removal.
2. The operator must either open or close 5 specific manual valves located throughout the refueling building.
3. The operator is under extreme stress to gain control of the primary pressure. The valve alignment task could be easily overlooked. The omission error is 0.25, EF = 3 (Swain, Table 20-23, #5).
4. The commission error (opening wrong valve, or failing to open one of the valves) is estimated to be the same as the omission error because of the extreme stress and diverted attention.
5. No credit is given for recovery by other operators.

Total HEP = 0.25 + 0.25 = 0.5, EF = 2

6.3.3.10 Operator Fails to Align Holdup Tank to RWT. (UVN05563)

Assumptions:

1. In a steam generator tube rupture transient, the operator has lost control of the primary pressure, failed to isolate the failed SG or failed to establish secondary heat removal.
2. The operator must open two manual valves (CH-752 and CH-734). This is not covered by Procedures, so it is a knowledge-based task.
3. Because of the loss of primary pressure, it is assumed that the operator is under extremely high stress. The HEP for this activity is 0.25 (Swain, Table 20-23, #5).

Total HEP = 0.25, EF = 3

TABLE 6.3-1 HUMAN ERROR PROBABILITIES

| Component Code | Description | Human Error Probability | Error Factor |
|---|---|---|---|
| MVM05151 | Condensate Pump P01B Suction Valve HV-1 Closed Due to Maintenance Error | 9 x 10^-6 | 10 |
| MVM05152 | Condensate Pump P01B Suction Valve HV-1 Closed Due to Maintenance Error | 9 x 10^-6 | 10 |
| GVM05083 | Heat Exchanger Bypass Valve SI-688 Not Closed Due to Maintenance Error | 5 x 10^-4 | 10 |
| GVM05093 | Heat Exchanger Bypass Valve SI-693 Not Closed Due to Maintenance Error | 5 x 10^-4 | 10 |
| LVM05056 | LPSI Pump Discharge Valve MOV-SI-306 Not Open Due to Maintenance Error | 5 x 10^-6 | 10 |
| LVM05057 | LPSI Pump Discharge Valve SI-435 Not Open Due to Maintenance Error | 5 x 10 | 10 |
| LVM05060 | Divergence of Flow to Containment Spray System Due to Mispositioned Valve SI-685 | 5 x 10^-5 | 10 |
| LVM05071 | LPSI Suction Valve SI-683 Not Open Due to Maintenance Error | 5 x 10^-6 | 10 |
| LVM05075 | Divergence of Flow to Containment Spray System Due to Mispositioned Valve SI-694 | 5 x 10^-6 | 10 |
| HVM02080 | MOV SI-698 Not Open Due to Maintenance Error | 5 x 10^-5 | 10 |
| HVN02081 | Manual Valve SI-476 Not Open Due to Maintenance Error | 5 x 10^-6 | 10 |
| HVN02083 | Manual Valve SI-470 Not Open Due to Maintenance Error | 5 x 10^-6 | 10 |
| MPM05466 | Operator Fails to Load Condensate Pump P01B to Bus | 2.45 x 10^-3 | 3 |
| AVN02422 | Manual Valve V025 Not Open Due to Maintenance Error | 2.5 x 10^-5 | 10 |
| AVN02427 | Motor Driven Pump Suction Valve V021 Not Open Due to Maintenance Error | 2.5 x 10 | 10 |
| FSS05066 | Operator Fails to Generate SIAS | 7.4 x 10^-3 | 3 |
| FSR02017 | Operator Fails to Generate RAS | 2.1 x 10^-2 | 3 |
| FSA02011 | Operator Fails to Generate CSAS | 8.77 x 10^-3 | 3 |
| FSE05115 | Operator Fails to Generate AFAS | 1.4 x 10^-2 | 3 |
| DVS02173 | Operator Fails to Open Solenoid Valves (ADVs) | 1.21 x 10^-2 | 3 |
| DVS02196 | Operator Fails to Open Solenoid Valves (ADVs) | 1.21 x 10^-2 | 3 |
| LVM05173 | Operator Fails to Throttle SDC Throttle Valve/HX1, HX2 Bypass Valve | <10-0 | 10 |
| UPM05411 | Operator Fails to Load and Start Charging Pump | 2.3E-3 | 5 |
| PVS02470 | Operator Fails to Initiate Auxiliary Spray | 2.3E-3 | 5 |
| UZZ05429 | Operator Fails to Close Volume Control Tank Discharge Valve | 9.8E-3 | 5 |
| DVS02155 | Operator Fails to Re-Close ADV's | 1.7E-4 | 5 |
| HZZ02338 | Operator Fails to Throttle HPSI Flow | 2.3E-3 | 5 |
| UPM05582 | Operator Fails to Start the Third Charging Pump | 2.3E-3 | 5 |
| UPM05575 | Operator Fails to Start Holdup Pump A | 0.35 | 2.5 |
| UPM05580 | Operator Fails to Start Holdup Pump B | 0.35 | 2.5 |
| TPM05544 | Operator Fails to Start FPC Pump A | 0.35 | 2.5 |
| TPM05554 | Operator Fails to Start FPC Pump B | 0.35 | 2.5 |
| HZZ05101 | Operator Fails to Initiate Hot and Cold Leg Injection | 4.5 x 10^-4 | 10 |
| MVZ02951 | Operator Fails to Align System for Alternate Secondary Heat Removal | 1.3 x 10^-1 | 3 |
| LZZ05165 | Operator Fails to Depressurize for LPSI Injection | 2.6 x 10^-1 | 3 |
| LZZ05166 | Operator Fails to Depressurize for LPSI Recirculation | 1.5 x 10^-2 | 3 |
| LZZ05167 | Operator Fails to Initiate Shutdown Cooling | 1.7 x 10^-6 | 10 |
| | Operator Fails to Respond to Boron Dilution | 8.8 x 10^-6 | 10 |
| BVD02902 | Operator Fails to Reopen Containment Isolation Valves | 0.10 | 5 |
| BVD05518 | Operator Fails to Re-Open Containment Isolation Valves | 0.10 | 5 |
| TVN05530 | Operator Fails to Align the RWT to Fuel Pool | 0.5 | 2 |
| UVN05563 | Operator Fails to Align Holdup Tank to RWT | 0.25 | |

6.3.4 Operator Recovery Actions

6.3.4.1 Operator Fails to Open ESF Room Doors. (ORA001)

Assumptions:

1. The operators have 2 hours to open the doors.
2. It takes the operator 10 minutes to recognize the room is overheating.
3. It takes the assistant 20 minutes to get to and open the doors.
4. Both operator and assistant have average experience and are using fair displays but under extreme stress.
5. The operator must have knowledge based skills to diagnose the problem. The assistant needs only rule based skill.
6. Operator HEP = 0.01 and assistant HEP = 0.036. Total HEP is the sum of the two.

Total HEP = 0.01 + 0.036 = 0.046, EF = 3

6.3.4.2 Operator Fails to Start ESF Equipment under Severe Time Constraint. (ORA002)

Assumptions:

1. The operator has 30 minutes to diagnose and take action and these actions take 30 minutes to do.
2. The operator has average experience, excellent displays, a rule based task but extreme stress level.

Total HEP = 0.71, EF = 1.35

6.3.4.3 Operator Fails to Start the Standby AFW Pump. (ORA003)

Assumptions:

1. The operator knows that the other AFW pumps have failed.
2. The operator has 0.5 hours to start the standby AFW pump.
3. It takes the operator 10 minutes to start the pump.
4. The operator has average experience, excellent displays for AFW flow, is doing a rule-based activity under extreme stress.
5. EPRI's HCR model is used.

Total HEP = 0.071, EF = 3

6.3.4.4 Operator Fails to Restart the LPSI Pump. (ORA004)

Assumptions:

1. A small LOCA occurred and the HPSI system failed. Depressurization and LPSI injection was successful.
2. Upon changeover from injection to recirculation, the LPSIs automatically turn off.
3. The operator must restart the LPSI pumps.
4. On the average, it takes the operator 5 minutes to restart the pumps and he has 30 minutes to do the task.
5. The operator has average skill, good displays. He is doing a rule based task under extreme stress.

Total HEP = 7.0E-3, EF = 5

6.3.4.5 Operator Fails to Open ESF Valve Outside Containment

Assumptions:

1. The operator has 1 hour to do job.
2. It takes the operator 10 minutes to diagnose conditions.
3. It takes an assistant operator 20 minutes to find and open the valves.
4. The operator has average skill, and is using fair displays. The task requires knowledge based skill and is performed under extreme stress. Operator HEP = 0.089.
5. The assistant has average experience with fair displays (labels). He is doing a skill based activity under moderately high stress. His HEP = 0.068.
6. The total HEP is the sum of the two individual HEPs.

Total HEP = 0.068 + 0.089 = 0.157, EF = 3

TABLE 6.3-2 OPERATOR RECOVERY ACTIONS

| Component Code | Description | Human Error Probability | Error Factor |
|---|---|---|---|
| ORA001 | Operator Fails to Open ESF Room Doors | 0.046 | 3 |
| ORA002 | Operator Fails to Start ESF Equipment Under Severe Time Constraint | 0.71 | 1.35 |
| ORA003 | Operator Fails to Start the Standby AFW Pump | 0.071 | 3 |
| ORA004 | Operator Fails to Restart the LPSI Pump | 7E-3 | 5 |
| ORA005 | Operator Fails to Open ESF Valve Outside Containment | 0.157 | 3 |

6.4 COMPONENT FAILURE RATES

Component faults identified in the front-line system fault tree models must be quantified in order to calculate the unavailability for each of the front-line systems. This section describes how component unavailabilities were calculated. For this study, component hardware failure rates or component hardware unavailabilities resulting from the following were calculated:

(a) Maintenance
(b) Common Cause Faults
(c) Independent Faults
(d) Special Conditions

The following subsections provide a brief description of each of the above types of component hardware failure rates or component hardware unavailabilities.

6.4.1 Maintenance Unavailability

Maintenance activities which remove components from service and alter the normal system configuration can contribute to system unavailability. This section deals with quantification of component unavailability due to maintenance.

Component unavailability due to maintenance was calculated for components that are usually in a standby state. These components are primarily engineered safety feature system components which are required to respond to transients or loss of coolant accidents. The operability of these components is governed by the plant's technical specifications. The technical specification does not allow components in redundant trains to be in maintenance at the same time. As a modelling convenience, only components in train A are modelled to be in maintenance.

For this study, maintenance performed on engineered safety feature system components is considered to be performed when the component has failed.

Component unavailability contribution is estimated using the following expression:

$Q_{maint} = f \cdot AOT$

where $Q_{maint}$ is the unavailability due to maintenance, $f$ is the maintenance frequency and $AOT$ is the allowed outage time for maintenance. For estimation purposes, the parameters $f$ and $AOT$ were obtained as follows. The unscheduled maintenance frequency, $f$, is estimated as the failure probability per test times the number of tests per period. For example, each of the high pressure safety injection pumps is tested once per month and its failure to start probability is 1.00E-3. Based on this information, the expected frequency for maintenance of the high pressure safety injection pumps is 1.00E-3 per month with an error factor of 10.

The allowed outage time is obtained from plant technical specifications. It varies from system to system. For high pressure safety injection, low pressure safety injection, containment spray, shutdown cooling, and essential cooling water systems, the allowed outage time varies from six (6) to seventy two (72) hours (11). For the chilled water system, the allowed outage time varies from six (6) to thirty (30) hours.

Once the expected frequency per unscheduled maintenance and allowed outage time are determined, component unavailability due to maintenance is estimated using the CESAM(42) computer code. This code combines the data uncertainties associated with the expected unscheduled maintenance frequency and the allowed outage time. The estimated unavailabilities for motor-driven pumps due to maintenance are as follows:

(a) ESF motor-driven pumps, except chilled water
$Q_{maint}$ = 2.62E-5
Error Factor = 14.3

(b) Chilled water motor-driven pump
$Q_{maint}$ = 1.73E-5
Error Factor = 11.8

Note that maintenance is performed if the pump is observed as being failed during its monthly test.

The component codes which are used in the fault tree models to represent component unavailable due to maintenance are presented in Table 6.4.1-1. Also presented in this table are the component code descriptions and failure rates.

6.4.2 Common Cause Failure Rates

Component failures due to common cause faults are modelled directly in the fault trees. These failures are considered for similar generic component types which are in redundant trains. No specific consideration is given for common cause failures that may occur due to locational dependence. This type of common cause failure could impact non-similar components that are in the same general location. Common cause failures considered include those of the same generic component type and components which are governed by the same test procedures.

TABLE 6.4.1-1 MAINTENANCE UNAVAILABILITIES

| Component Code | Description | Unavailability (Median Value) | Error Factor |
|---|---|---|---|
| APNV5108 | AFW motor-driven pump isolated for maintenance | 2.62E-5 | 14 |
| APMV5477 | Non-essential AFW pump unavailable due to maintenance | 2.62E-5 | 14 |
| CPNV5398 | Essential chilled water pump A in maintenance | 1.73E-5 | 11.8 |
| GPMV?523 | CSS pump 1 isolated for maintenance | 2.62E-5 | 14 |
| GHXV5085 | SDC heat exchanger unavailable due to maintenance | 2.62E-5 | 14 |
| HPMV2096 | HPSI pump 1 isolated for maintenance | 2.62E-5 | 14 |
| LPMV5065 | LPSI pump 1 isolated for maintenance | 2.62E-5 | 14 |
| UPMV5428 | Charging pump 3 isolated for maintenance | 2.62E-5 | 14 |
| UPMV5446 | Boric acid pump 1 isolated for maintenance | 2.62E-5 | 14 |
| IARV5254 | Instrument air dryer assembly isolated for maintenance | 1.33E-3 | 10 |
| IWCV5454 | Compressed air train B unavailable due to maintenance | 1.33E-3 | 10 |
| IWCV5455 | Compressed air train C unavailable due to maintenance | 1.33E-3 | 10 |
| MPMV5153 | Condensate pump P01B unavailable due to maintenance | 1.33E-3 | 10 |

The Beta-factor methodIO) was used to estimate common cause failure rates. These rates are estimated based on the following expression:

$\lambda_c = \beta \lambda$

where $\lambda_c$ is the common cause failure rate, $\beta$ is the beta-factor and $\lambda$ is the overall component failure rate. Note that the values for the beta-factor lie between 0 and 1.

Two steps were followed in estimating component failure rates using the beta-factor method. They are:

(1) Estimate beta-factor and independent component failure rate distribution
(2) Combine the distributions in step 1.

The first step involves estimating the median value and associated error factor for the beta-factor, which is assumed to be lognormally distributed, and estimating the median value and error factor for the independent component failure rate.

The second step involves combining the distributions for beta-factor and independent failure rate to determine the common cause failure rate distribution. These distributions are combined based on the expression for common cause failure rate using the CESAM code. The results of the CESAM code provide the median and error factor for the common cause failure rate distribution. These values, in addition to values for other types of component unavailability, are then used to quantify system unavailabilities.

The primary sources for beta-factors are References 34 and 36. For those components for which beta-factors could not be obtained, a median value of 0.05 and an error factor of 3 were assumed. Note that the references list upper and lower values to represent the range of beta-factors which are assumed to be lognormally distributed. This assumption allows for the estimation of a median value and associated error factor which are used to propagate the data uncertainties. Independent component failure rates were obtained from generic sources. These include IEEE 500(31), NREP(30) and Appendix A of Reference 3.

Common cause failure rates were estimated for each of the generic component types included in the fault tree models. These components include:

(a) Diesel Generators
(b) Valves
(c) Pumps
(d) Heat Exchangers
(e) Chillers
(f) Compressors
(g) Electrical Buses
(h) Batteries
(i) Voltage Regulators
(j) Transformers

The following subsections provide the estimation of common cause failure rates for each of the above generic types of component.

6.4.2.1 Common Cause Failure Rate for Diesel Generator

The diesel generator common cause failure rate presented in Appendix A of the Advanced Light Water Reactor Requirements Document(3) was used in this study. This reference represents the current up-to-date failure rates for diesel generators. The failure rate is presented in terms of mean value and variance. The failure rate distribution is assumed to be lognormal. The mean value and variance extracted from Reference 7 are 2.60E-4 and 9.0E-8, respectively. These values were then used to estimate the corresponding median and associated error factors which are 1.70E-4 and 4.54, respectively.

6.4.2.2 Common Cause Failure Rates for Valves

The beta-factor method was used to estimate common cause failure for the various types of valves included in the fault tree models. These valves include:

(a) Motor-operated
(b) Manual-operated
(c) Solenoid-operated
(d) Check

Beta-factors for motor-operated, check, and air-operated valves are presented in Reference 34. Beta-factors for other valve types are not presented. A median value beta-factor of 0.05 and error factor of 10 were assumed for valve types for which beta-factors were not presented.

The following example illustrates the estimation of common cause failure rates for motor-operated valves. Common cause failure rates for other valve types were estimated in a similar manner.

Common cause failure rate was estimated for motor-operated valves in a two train redundant configuration. The first step in estimating the common cause failure rate for these valves involves determining the beta-factor distribution. Beta-factors were extracted from Reference 34 and are listed as:

$\beta_l = 0.0$
$\beta_u = 0.043$
$\beta_m = 0.019$

where $\beta_l$ is the lower value, $\beta_u$ is the upper value, and $\beta_m$ is the mean value.

Because $\beta_l$ is zero it cannot be used to estimate the median value for the beta-factor, which is assumed to be lognormally distributed. Therefore, the median value for the beta-factor, $\beta_{med}$, is conservatively assumed to be $\beta_m$. Once $\beta_{med}$ and $\beta_u$ are specified, they are then used to estimate the error factor for the distribution. The error factor is defined as:

$EF = \frac{\beta_u}{\beta_{med}}$

Substituting the values for $\beta_u$ and $\beta_{med}$ in the above expression yields:

$EF = \frac{0.043}{0.019} = 2.26$

Estimating the common cause failure rate for motor-operated valves also involves identifying the independent failure rate distribution. This distribution is represented in terms of median value and error factor which are extracted from generic sources.

Once the beta-factor and independent failure rate distributions are determined, they are combined. This is the second step in estimating the common cause failure rate. The combination is based on the expression given in Section 6.4.2. The CESAM Code is used to combine the distributions. The results obtained from the CESAM code represent the common cause failure rate distribution for motor-operated valves. These results are presented in terms of median value and error factor which are

$\lambda_c$ = 6.64E-5/D
EF = 2.86

respectively.

The common cause failure rate for motor-operated valves in a three train redundant configuration is presented in Table 6.4.2.2-1. Common cause failure rates for other types of valves are also presented in Table 6.4.2.2-1. These failure rates are the results obtained from the CESAM Code.

TABLE 6.4.2.2-1 COMMON CAUSE FAILURE RATES FOR VALVES

| Valve Type | Common Cause Failure Rate (1) | Error Factor (2) |
|---|---|---|
| Motor-Operated Valves (two valve redundancy) | 6.64E-5/D | 2.86 |
| Motor-Operated Valves (three valve redundancy) | 1.71E-6/D | 4.63 |
| Manual-Operated Valve | 4.97E-6/D | 4.59 |
| Solenoid Valve | 1.69E-5/D | 4.18 |
| Check Valve (two valve redundancy) | 1.70E-5/D | 4.66 |
| Check Valve (three valve redundancy) | 2.78E-6/D | 6.30 |
| Air-Operated Valve | 3.71E-5/D | 29.00 |

1. Median Value
2. Ratio of the 95th to the 50th percentile

6.4.2.3 Common Cause Failure Rates for Pumps

The beta-factor method was used to estimate common cause failure rates for motor-driven pumps. These groups include the HPSI, LPSI, and CSS which perform different functions. As a result, different beta-factors are presented in Reference 36 for these pumps. The two step approach described in Section 6.4.2 was followed in estimating common cause failure rates. For HPSI pumps, the beta-factor values extracted from Reference 4 are:

$\beta_u = 0.041$
$\beta_l = 0.358$
$\beta_m = 0.187$

These values are used to estimate the median beta-factor and associated error factor which are 0.121 and 3.0 respectively. These values along with representative values for independent component failure are then used to estimate the common cause failure rate for HPSI motor-driven pumps. Representative median and error factor values for independent component failure were obtained from generic sources. The estimation was performed using the expression in Section 6.4.2 and the CESAM Code to combine the data uncertainties. The estimated median and error factor for common cause failure rate distribution obtained from the CESAM results are 1.15E-4/D and 12.6 respectively.

13399/(84C2)/ mis-114  ; ',') ,

p. - 4 For the LPS! and CSS motor-driven pumps, the beta-factor values extracted from .[  ;.

i Reference 4 are: '7.'.D I 7

p j. .{

8u = 0.001 S c 1 0


sg = 0.422 ).

? 8, = 0.043 I+,ld Y .

The median beta-factor and associated error factor, and common cause failure rate values for LPSI and CSS motor-driven pumps were estimated in a manner similar to the HPSI pumps. The estimated median and error factor for the common cause failure rate distribution are 1.93E-5/D and 45.7 respectively.

6.4.2.4 Common Cause Failure Rates for Batteries

The beta-factor method was used to estimate the common cause failure rate for batteries. The data used to estimate the median and error factor values for the common cause failure rate distribution were obtained from Reference 57.

Failure rates in failures per year are presented in Reference 57 for independent battery faults as well as common cause battery faults. The equivalent hourly rates are presented below for reference purposes:

$\lambda_I$ = 9.93E-7/HR

EF = 3

where $\lambda_I$ and EF are the independent failure rate and error factor respectively.

$\lambda_C$ = 3.88E-7/HR

EF = 3

where $\lambda_C$ and EF are the common cause failure rate and error factor respectively. The common cause failure is assumed to represent two batteries failing simultaneously. Using this assumption, a beta-factor for two batteries was estimated. The estimate is the ratio of common cause failure rate to independent failure rate. The estimated values are 0.391 and 2.5 for the median value and error factor respectively.

It was also assumed that the beta-factor for two batteries failing is equal to the beta-factor for three batteries failing as a result of a common cause. Once the beta-factors for two and three batteries were specified, the following expression was used to determine the common cause failure rate for three batteries.

$$\lambda_C = \beta_2 \, \beta_3 \, \lambda_I$$

where $\lambda_C$ is the common cause failure rate, $\beta_2$ is the beta-factor for two batteries, $\beta_3$ is the beta-factor for three batteries given two batteries, and $\lambda_I$ is the independent failure rate. The CESAM Code was used to combine the data uncertainties. The results of the CESAM Code provided the common cause failure rate distribution for three batteries. This distribution is presented in terms of a median value of 1.46E-7/HR and an error factor of 7.17.

6.4.2.5 Common Cause Failure Rates for Components with Assumed Beta-Factors

Sections 6.4.2.1 through 6.4.2.4 presented brief descriptions on the estimation of common cause failure rates for those generic component types for which beta-factors could be obtained. The common cause failure rates estimated in this section are applicable to components for which beta-factors could not be obtained. These components include:

(a) Heat Exchangers
(b) Chillers
(c) Compressors
(d) Electrical Buses
(e) Voltage Regulators
(f) Transformers

In this section, a median value of 0.05 and an error factor of 3 were assumed for the beta-factors, which are assumed to be lognormally distributed.

The first step in estimating the common cause failure rate involves identifying the beta-factor and independent failure rate distribution. The beta-factor distribution is represented by an assumed median value of 0.05 and an error factor of 3. The independent failure rate distributions were obtained from generic sources which include References 30 and 31.

Once the beta-factor and independent failure rate distributions are specified, the CESAM Code is used to combine these distributions. The combination is based on the expression given in Section 6.4.2. The results obtained from the CESAM Code represent the common cause failure rate distributions. Table 6.4.2.5-1 contains the failure rates for those generic components with assumed beta-factors. Note that the failure rates are presented in terms of a median value and associated error factor. The error factor is defined as the ratio of the 95th to 50th percentile.

6.4.2.6 Common Cause Failure Component Codes

Common cause faults were modeled directly in the fault trees. A unique component code was assigned to each type of common cause failure. For this study, Table 6.4.2.6-1 contains these codes along with their associated descriptions and failure rates. Reference sources for the failure rates are provided. These references represent sources from which failure rates were extracted or sources from which data was obtained to estimate the failure rates. Reference sources are described on the last page of the table.

6.4.3 Independent Failure Rates

Component faults which are included in the fault tree models are quantified and then used to determine system unavailabilities.

TABLE 6.4.2.5-1

COMMON CAUSE FAILURE RATES FOR COMPONENTS WITH ASSUMED BETA-FACTORS

Component Type          Common Cause        Error
                        Failure Rate (1)    Factor (2)

Heat Exchangers         4.78E-8/HR          12.54
Chillers                4.16E-7/HR          13.29
Compressors             3.01E-6/HR          4.59
Electrical Buses        4.97E-10/HR         4.59
Voltage Regulators      2.61E-7/HR          4.59
Transformers
  (a) Startup           6.90E-8/HR          3.77
  (b) All others        4.97E-8/HR          4.59
Air Filters             8.21E-8/HR          2.68
Air Coolers             4.97E-7/HR          4.59

1. Median Value per hour
2. Ratio of 95th to 50th percentile

TABLE 6.4.2.6-1

COMMON CAUSE FAILURE RATES

SHEET 1 OF 3

COMPONENT CODE    DESCRIPTION    FAIL. RATE (MEDIAN)    ERROR FACT.    REF.

AVC15102 COM ON CAUSE FAILURE OF Wu IN ECTION CHECK M VES l.7M45/8 5 7 AVC15th COMON CM FAILURE OF WN PUW CHECK MVES 1.7M-0$ll 5 7 AVC15111 Com 0N C20E FA! LURE OF W W liEAN CHECK VALVEl 1.7M-05/8 5 7 AVC15112 Com0N CM FAILURE OF WW STEM !$0LATION VALVES 1.7M45/0 5 7 AVC15449 Com0N CM FAILURE OF NOW4tlGT. WNP CHECE VLV 1.7M-05/0 5 7 AVRI5103 Com0N CAUSE FAILURE OF WN OttfRIBUT!DN DC VALVES 1.71E44/0 5 7 AVMI5tM Com0N CAutt FAILURE OF WW O!ITRIBUTION AC M VES 1.71F4/D 5 7 CHA15357 Com04 CAUW FAILURE OF EllGT. CHILLERS 4.16E47/M 13 3 CHA15365 Com0N CM FAILURE OF elf PUW ROON ACUS 4.97E47/H 5 3 CPMI5354 C020N C M FAILURE OF Ell 0 T. CHILLED NTR PU NS 1.15E44/D 13 10 DCVI5119 Com0N CM FA! LURE OF R!TRola C)(CK VALVER 1.7M-05/0 5 7 DVC15tti COMON CM FAILUM 0F INSTR. AIR CHECK VALVE 1.7M45/0 5 7 GV015124 Com0N C M FA! LURE OF RITR000 RES. VALVES 3.7tE-05/0 29 7 OVPI5116 Com0N CM FAILURE OF ABYs 7.71E45/D 29 7 DVII5120 Com0N CAUSE FAILURE OF MITR000 SOLD 0!D MVES 1.89E45/0 4 7 ECII5221 Com 0N C M FAILURE OF 1E HiiERIES 3.lN-47/M 3 I ECl!5314 C020NCAU$EFA!LUREOFN051EBATTDIES 3.lM-07/H 3 1 ECC15244 C09 0N CAUSE FA! LURE OF 1E DATTD Y CHAR $ DS 4.97E44/H 5 3 ECC15307 Com0N C M FAILURE OF NON-lE HTTD Y CHARG D S 4.97E44/H 5 3 ECll5323 Com0N CAUSE FAILURE OF INVERT./TRANSF. SNITCHEl 4.97E-M/H 5 3 ECR15320 C0'N01 CAUSE FAILURE OF V0LIF4E REILLATORS 2.A1(-07/M 5 3 O


E0015218 EllI5207 Com0N CM FAILURE OF Des COMMON C W FAILURE OF 13.8 KV IUSEE 1.7M44/0 4.97E10/H 5

5 6

3 Ell 152M Com0N C M FAILURE OF 13.8 KV INT. BU NI 4.97E-10/M 5 3 Ell!5212 C0 m0N C W FAILURE OF 4.16 KV BUSES 4.97E-10lH 5 3 Ell!5219 COM ON C M FAILURE OF 125 VOC IUstl 4.97E-10lH 5 3 ElI5222 Com0N CM FAILURE OF 4H V 1E LOAD CDTDS 4.97E 10lH 5 3 EllI5272 Com0N C M FAILURE OF 4 H V N0k tt LOAD C U TERS 4.97E10/M 5 3 El!$295 CCm0N CAUIE FAILURE OF 4H V NOF1E MCCs 4.97E 10/H 5 3 EllI5312 Com0N CAutt FAILURE OF 125 VOC NOF1E 898E8 4.97E10/H 5 3 RBI5325 Com 0N CAU E FAILURE OF N0 6 1E 120 VAC BUSES 4.97E 10lH 5 3 Ell 15328 COMON CM FAILURE OF 4.16 KV NON-1E BUSES 4.97E10/H 5 3 i EM15234 COM ON CAUSE FAILURE OF 4 H V 1E MCCs 4.97E-10/H 3 3 RP15220 Com0N CAUIE FAILURE OF 125 VOC Olli. PANELS 4.97E-10/H 5 3 EIL15213 C0m 0N CAUE FAILURE OF elf TRANSFORMERS 4.97E-00lH 5 3

! [ILI5223 C20N CM FAILURE OF 4H V lt LOAD CGTER IFMRs 4.97E44/H 5 3 EILI5274 Co m0N CAUSE FAILURE OF 4 H V NON lE !C IFMRJ 4.97E-01/H 5 3 EIL15334 COMMON C A M FAILURE OF NORMAL $VCE ITMRS 4.97E44/H 5 3 E1815211 Com0N C M FAILURE OF STARTUP IF mt 6.9X-08/H 4 3 FlA15G99 CCHNICESEFAILUREOFCSAS 2.93E-03/0 5 9 FlE12032 CCm 0N C M FAILURE OF W AS 2.93E-03/0 5 9 FltI2990 C020N C ESE FAILURE OF RAS 2.93E43/0 5 9 Fil15h4 Com0N CAUM FAILtRE OF l!At 2.93E-03/0 5 9 SHIIS0H COMON CAUSE FA! LURE OF SHUTDCNN HEAT EICHANGERS 4.7M-01/H 13 3 SNC15082 C*A 01 C W FAILURE OF $PRAf N0!!LES 4.7 K 10/M 13 3 SPRIS0t2 COMON CM FA!LUPE OF Cll PUWS 1.15E44/0 13 10 SVC15009 COMON CM FA! LUNE OF Cll CHECK MVES t.7M-05/0 5 7 IVRIS0H C;m0N CAUSE FAILUNE OF Cll HEAMR VALVES 6.64E45/0 3 7 O


TABLE 6.4.2.6-1 (Cont.)

COMMON CAUSE FAILURE RATES

SHEET 2 OF 3

COMPONENT CODE    DESCRIPTION    FAIL. RATE (MEDIAN)    ERROR FACT.    REF.

HPR12993 CCm0N CM FAILURE OF HP11 PURPS 1.tM-04/0 13 10 HVCI2007 Com0N CM FAILURE OF W11 PUW O!SCH. CK VMS 1.7M45/0 5 7 WVC12785 Com 0N C M FAILURE OF CTMT CHEtt V M S 1.7 M 05/0 5 7 HVCl2966 Com0N CAUSE FA! LURE OF CTNT SUMP CECK VMS 1.7M45/0 5 7 WCI2917 CO M ON C M FA! LURE OF HPSI PUMP O!$CH. CK VALVES 1.7M-05/0 5 7 HYCI2900 CCMON CAUSE FAILURE OF W$1 HEAMR CHECK VALVil 1.70E-05/0 5 7 HVCl2996 CCm0N CM FAILURE OF 14C INECTION CHECK VALVES 1.7M-05/0 5 7 WCI5099 Co m0N CAUSE FAILURE OF RWT CHECK V M S 1.7M-05/0 5 7 WCI5100 Com0N CM FAILURE OF RINI FLON OECE VALVES 1.7M-05/0 5 7 HVM2294 CCMMONCAUSEFAILUREOFHPl!HEAMRVALVES 6.64E-05/0 3 7 WRI2989 Com0N C M FAILURE OF CTRT SUMP 150 V M S 6.6 4 -05/0 3 7 MI29tt CC MON CAUM FAILURE OF MIN! FLON LIE MOVs 6.64t45/0 3 7 WRI2tt$ CO MON CAUSE FAILURE OF HP11 PURP O!SCH. V M S 6.6 4-05/0 3 7 m12999 CO MON C M FAILURE OF leC I N ECTION V M S 6.64E-05/0 3 7 WW12995 CC M ON C M FAILURE OF HP11 PU W O!SCH. V M S 4.97E46/0 3 7 HVII2992 C020N CAUSE FA! LURE OF MIN! FLON LIE SOL VALVER t.Itt-05/0 4 7 IAMI5397 C0 m0N C M FAILURE OF M0!ITURE SEPARATORS 4.97E47/W 5 3

!FA15260 CCMONCAUSEFAILUREOFAIRFILTDI 1.2tt44/H 3 3 IVCI!265 Co m 0N CAUSE FAILURE 0* IA CHECK Y EVES 1.7M-05/0 3 7 IVN15267 C0m0N CM FA! LURE OF MANUAL VMS 4.97t46/9 5 7 INCI5261 COMON CM FAIL'JRE OF IA COMPRES90Rt 3.0E 06/0 5 3 LPMIS064 CCMONCAUSEFAILUREOFLP11 PUMPS 1.15E-04/0 13 10 L1515022 (CMMON C M FAILURE OF l!TI 1.0M 10lH 10 3 LVCI5059 CCm0N CM FAILURE OF LPl! PUMP DISCH CR VLVI  !.7M-05/0 5 7 LYCI!070 CCm04 CM FAILURE OF (ft! PURP CHECK VALVES 1.702-05/0 5 7 LYMI5044 C0 m0N CAUSE FAILURE OF L7l! HOR V M S 6.4 4 -05/0 3 7 LVRI5164 CCm0N C M FAILURE OF SOC CROS40VER VALVE $ 6.6 4 -05/0 3 7 LVM5171 C020N CM FAILURE OF SBC THROTTLE VMS 6.64E45/0 3 7 LVRI5175 CCm0N CM FAILURE OF SDC H lYPAll VALVES 6.6 4 -05/0 3 7 LVM5184 CCm0NCAUSEFAILUREOFSDCSbCT!DNVEVES 6.64( 4 5/0 3 7 MPM5460 C0 90N C M FAILURE OF CCNDU SATE PURPS 1.15E44/0 13 10 RYCI5137 CC m0N C M FAILURE OF $4 0(CK V M S 1.70E-05/0 5 7 RvC15149 CCm0N CM FAILURE OF CCW. PUW CHECK VMS 1.7M-05/G 5 7 RVII5142 CC m0N C M FAILURE OF DC mCOMER CONTROL VALVES 3.7tE45/0 01 7 RVRI5144 CC m0N C M FAILURE OF RFWP DISCH. V M S 6.6445/0 3 7 RVU5145 C0m0N CAutt FAILURE OF WWP BYPASS VMS 4.97E-06/0 5 7 TVII2258 CCm0N CM FA! LURE OF TURl!M 11 PASS VMS 3.7tE-05/0 21 7 UPM5413 CC m0N CAUSE FAILURE OF CHARGING PUMPS 1.tM-04/0 13 10 UPM5440 CCMMON C M FAILURE OF LAW s 2.62E-05/0 14 3 UVCI5417 CC m05 C M FAILURE OF CNS PU W CHECK V M S 1.7H-05/0 5 7 UVC15433 CCm0N CAUSE FAILURE CF Rui 10 CHG PtMP CHECK VLVs 1.70E-05/0 5 7 UVII5407 CC MON CAUSE FAILURE OF AUI SPRAY V M S 1. lit-05/0 4 7 VVOI5402 CCMMON CAUSE FAILURE OF PIR SPRAY CCNTROL VRVES 3.7tt-0$ll 29 7 O


TABLE 6.4.2.6-1 (Cont.)

COMMON CAUSE FAILURE RATES

SHEET 3 OF 3

REFERENCES FOR TABLES 6.4.2.6-1 & 6.4.3-2

1. 'GENERIC DATA BASE FOR DATA AND MODELS CHAPTER OF THE NATIONAL RELIABILITY EVALUATION PROGRAM GUIDE', EGG-EA-5887, JUNE 1982.
2. 'REACTOR SAFETY STUDY, AN ASSESSMENT OF ACCIDENT RISK IN U.S. COMMERCIAL NUCLEAR POWER PLANTS', WASH-1400/NUREG-75/014, OCTOBER 1975.
3. FAILURE RATE ESTIMATED BASED ON AN ASSUMED BETA-FACTOR.
5. 'IEEE GUIDE TO THE COLLECTION AND PRESENTATION OF ELECTRICAL, ELECTRONIC, SENSING COMPONENT, AND MECHANICAL EQUIPMENT RELIABILITY DATA FOR NUCLEAR POWER GENERATING STATIONS', IEEE Std 500-1984.
6. 'ADVANCED LIGHT WATER REACTOR REQUIREMENTS DOCUMENT: APPENDIX A - PRA KEY ASSUMPTIONS AND GROUNDRULES', (DRAFT), JULY 1987.
7. 'COMMON CAUSE FAULT RATES FOR VALVES', NUREG/CR-2770, FEBRUARY 1983.
8. 'A PROBABILISTIC SAFETY ANALYSIS OF DC POWER SUPPLY REQUIREMENTS FOR NUCLEAR POWER PLANTS', NUREG-0666, APRIL 1981.
9. 'RPS/ESFAS EXTENDED TEST INTERVAL EVALUATION', CEN-327, MAY 1986.
10. 'COMMON CAUSE FAILURE RATES FOR PUMPS', NUREG/CR-2098, FEBRUARY 1983.

Independent component failure rates used in this study were extracted from various generic sources. These sources included References 3, 30 and 31. References 3 and 30 are the major sources of information for mechanical component independent failure rates. Reference 31 is the major source of information for electrical and electronic component independent failure rates.

In order to propagate data uncertainties, component failure rates used in this study are represented by distributions. These distributions are presented in terms of median values and error factors. The error factor is defined as the ratio of the 95th to 50th percentile.

The distributions presented in Reference 30 are in terms of median values and error factors. Distributions presented in Reference 31 are in terms of low values, recommended values, and high values. For this study, the failure rates presented in Reference 31 are assumed to be lognormally distributed. It was also assumed that the low and high values represent the 5th and 95th percentile of the distribution. Using these assumptions, failure rate data presented in Reference 31 were used to estimate median values and error factors for independent component failure rate distributions. Note that the failure rate distributions presented in Reference 3 are in terms of mean value and variance. These values were used to estimate median value and error factor based on expressions given in Section 5.5.2.2.8 of Reference 6.
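The lognormal conversions and the beta-factor combination described above can be worked through in a few lines. This is an added Python example, not code from the report and not the CESAM Code; it assumes the Section 6.4.2 expression is the product of beta-factor and independent failure rate, treats the inputs as independent lognormals, and uses the standard lognormal relations (not necessarily the Reference 6 expressions). The independent failure rates fed in are constructed sample inputs.

```python
"""Lognormal bookkeeping for a beta-factor common cause estimate (added example)."""
import math
import random

Z95 = 1.645  # standard normal 95th percentile; error factor EF = 95th / 50th


def sigma_from_ef(error_factor):
    """Log-space standard deviation of a lognormal with the given error factor."""
    return math.log(error_factor) / Z95


def from_percentiles(p05, p95):
    """(median, EF) when the low and high values are the 5th and 95th percentiles."""
    return math.sqrt(p05 * p95), math.sqrt(p95 / p05)


def to_mean_variance(median, error_factor):
    """(mean, variance) of the lognormal described by a median and error factor."""
    s2 = sigma_from_ef(error_factor) ** 2
    mean = median * math.exp(s2 / 2.0)
    return mean, mean ** 2 * (math.exp(s2) - 1.0)


def from_mean_variance(mean, variance):
    """(median, EF) of the lognormal that has the given mean and variance."""
    s2 = math.log(1.0 + variance / mean ** 2)
    return mean * math.exp(-s2 / 2.0), math.exp(Z95 * math.sqrt(s2))


def product(*dists):
    """Closed-form (median, EF) of a product of independent lognormals.

    Medians multiply and log-space variances add, so the combined error
    factor is exp(sqrt(sum(ln(EF_i)^2))).
    """
    median = math.prod(m for m, _ in dists)
    sigma = math.sqrt(sum(sigma_from_ef(ef) ** 2 for _, ef in dists))
    return median, math.exp(Z95 * sigma)


def common_cause_rate(beta, independent):
    """Assumed form: common cause rate = beta-factor x independent failure rate."""
    return product(beta, independent)


def monte_carlo_product(dists, n=20000, seed=1):
    """Sampling cross-check of product(); returns the sample (median, EF)."""
    rng = random.Random(seed)
    params = [(math.log(m), sigma_from_ef(ef)) for m, ef in dists]
    samples = sorted(
        math.exp(sum(rng.gauss(mu, s) for mu, s in params)) for _ in range(n)
    )
    median = samples[n // 2]
    return median, samples[int(0.95 * n)] / median


# Median 0.05 and error factor 3: the beta-factor assumed in Section 6.4.2.5.
ASSUMED_BETA = (0.05, 3.0)

if __name__ == "__main__":
    # Constructed independent-rate inputs (median per hour, error factor).
    # The results can be set beside the 4.97E-10/HR, 4.59 and 4.78E-8/HR,
    # 12.54 entries of Table 6.4.2.5-1.
    for indep in ((1.0e-8, 3.0), (1.0e-6, 10.0)):
        med, ef = common_cause_rate(ASSUMED_BETA, indep)
        mc_med, mc_ef = monte_carlo_product([ASSUMED_BETA, indep])
        print(f"independent {indep}: analytic {med:.2e}, EF {ef:.2f}; "
              f"sampled {mc_med:.2e}, EF {mc_ef:.2f}")
```

A sampling code will not reproduce the closed-form error factor exactly, which is one reason tabulated values from an uncertainty-propagation run can differ slightly from the analytic product.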

Generic component failure data obtained or extracted from References 3, 30 and 31 are presented in Table 6.4.3-1.


TABLE 6.4.3-1

GENERIC COMPONENT FAILURE RATES

SHEET 1 OF 3

DESCRIPTION    FAIL. RATE (MEDIAN)    ERROR FACT.    REF.

AIR ORYER FAILS to OPDATE 1.0M-05/H 3 1 M0!stuRE MPARAT M FAILS TO OP D ATE 1.0M45/H 3 1 CIRCUITGROKERFAILSTOTRANSFER(400VLCl 2.7 M 03/9 10 2 CIRCU!TIROKERTRIPSSPUR10USLY 1.0M45/H 10 1 CIRCU!TBREAKERFA!LSTOTRANIFER(400VMCC) 2.0M-03/4 10 2 i!E M OKER FAILS TO TRANSFER 2.7M-03/D 10 2 FUSE OPDS PREMTURELY 1.00E-06/W 10 1 MITERY FAILS TO PROV! M PROPER OUTPUT 1.0M46/H 3 1 BATTERYCHARtERFAILS10CPERATE 1.0M4/H 3 1 luYERTERFAILSTOOPERATE 1.0M44/H 3 1 DCMOTOR-MNERATORFAILETOOPERAtt 1.0M4/H 10 t VOLTA 6E REGULATOR FA!LS TO OPREAtt 5.2M46/H 3 5 EMR8ENCY O!ESEL GDEMTOR FAILS TO STMT 6.4M43/D 2 6 EMD6DCT O!ESEL GODATOR FAILS TO RUE 1.2M43/H 3 6 TURI!NE M utRATOR FALLT 1.64E44/H 3 1 AIRFILTERFAILETOOPDATE 1.7M44/H 2 3 AIR FILitR AllDILT IN M!If, l.33E 03/D 10 2 lira!nER/FILTERPLUG40 1.0M45/H 10 t LIMITSWITCHFAILSTOOPDATE 1.00E4410 3 1 MNUAL SuliCH FAILS TO TRAulFit 1.0M44/D 10 t t PRElluRElu!TCHFAILSTOOPERATE 1.0M45/D 3 1 l O t0ROUElu!TCHFA!LSTOOPERAtt 1.0M44/0 3 1 V AIRCOOLERFA!LSTOOPDATE CHILLERFAILStoOPERAtt

.1.0M45/W B.7H46/W to 3 i 5

MAT E! CHANGER LEAtt (TU M !! DEI 1.0M 03/8 10 t HEAT EXCHANGD LEAtt ($ HELL $1 M) 1.0M46/W 10 t H!lH P0eER SOLIO STATI MV!CE FA!LS TO CPERAft 1.0M46/H 10 1 L0s P0utR $;P.!D STATE M VICE FA!LS to OPDATE 1.00E4/W to 1 IlliA8LESFA!LSTOQPERATI t.0M47/8 10 1 TEMIML BOARS OPD CIRCU!T 1.0M47/M to 1 TERMIML 80MB $HORT TO A0JACHT circuli 1.0M-07/W to 1 RELAY CONTACT FA!LS TO OP D OR CLC M t.0M44/B 10 t RELAYCQ!LFA!LlOPtMORSHORT 1.00E46/H 10 t

!!ME DELAf RELAf TRANSFERI PREMTURELY 1.0M44/D 10 t f!ME MLAY RELAT FA!LS TO TRANSFC3 5.0M46/W 3 1 thliRUMENTATION (SO D AL) FAILE TO CPD Aft 1.0M46tM 10 1 OAWER FAILS TO OPERAff 1.0M43/4 10 1 ELECTRICAL tut FAILS TO OPDATE 1.0M48/M 3 1 lulfCH40AFAULT 1.00E40/W 3 i SPURIOUS GRID COLLAPM 4.6M 4 /H 2 1

, IRIO COLLAPlt Du TURIlut TRIP 1.0M43/8 to 2 CR!FICE FA!LS TO REMIN OPD 3.00E-04tl 3 1 CRIFICERUPTURES 1.0M-Cl!4 to 1 O!ESEL4RIVD PUMP FAILS TO START 1.0M 03/D 3 1 O!ESEL DRIVEN PUW FAILS TO RUN l.0M 04/W 30 t M0f0R MlV D PUW FAILS TO START 1.0M-03/D 10 1 MOTOR M!VEN-PUMP FA!LS TO RUX (Not. [WV!R0s.) 1.0M-05/H 10 1 MOTOR MlVD PUMP FA!LS to RUN (ADY. ENVIR0s.) 1.0M-03/W 10 1 6-123 i f

TABLE 6.4.3-1 (Cont.)

GENERIC COMPONENT FAILURE RATES

SHEET 2 OF 3

DESCRIPTION    FAIL. RATE (MEDIAN)    ERROR FACT.    REF.

TUtt!E4RIVD PUW FA!LS TO ITMT 2.tM4210 2 6 TURl!E4RIVD PLEP FAILS to PUN. 8!VEN ITART IA3t46/H II 6 LOAS SEIVENCD iMIN NIT ACTUATO t.0M-04/D 5 2 CONTROLlitTENFA!LSTOOPDATE 4.9M-05/W 10 2 TAE UMVAILABLE t 0M-10/H 10 2 CHECKVALVEFAILITOOPD t.0M-04/D 3 i CHECK VRVE FAILS TO CLOSE t.0M-03/D 3 1 CHECK VALVE FAILS TO CLOSE (ICCRLY RAlt) 1.0M46/W 10 1 INTDML LERASE OF CHECK VALVE (MINOR) 1.0M46/H 10 t INIDAAL LEAK 48E OF CHECK VKVE (CATAliROPHIC) 1.0M48/M 100 t CHECK VALVE FAILS TO OPEN (HOURLY R4ft) 1.0M47/M 10 1

! AIRlFLU!D-OPERATO VALVE FAILI TO OPDATE 1.0M-01/3 10 1 A!R/ FLUID-0PDATED VfLVE FAILS TO RCMIN OPEN 3.0M-07/W 3 2 C0XI SAftTY VKVE FAILS TO OPD t.0M-05/D 3 i CO N D SAFETY VALVE FA!LS TO CL0lt. IIVD OP D t.0M-0210 3 1 MOTOR-OPD ATO VALVE FAILI TO OPEN 3.55E43/D 2 6

, MOTOR-0PDAfD VALVE FAILS TO REMIN OPD 1.0M-07/M 3 6 l MOTOR-OPDAttl VALVE FAILS TO CL0lt 4.65E-03/D 2 6 INTERNE LEMAK 0F M0f0R-0PDAfD VfLVE t.00E48/D 100 1 MOTOR-0PERATO VEVE MT OPD  !.0M44/3 3 2 Muual VALVE FAILS TO OPDATE 1.0M44/D 3 1 MMUAL VALVE NOT OPD 1.0M44/l 3 2 MANUAL VALVI FAILI TO REMIN CPEN 3.0M-07/H 3 2 PRillUAt Rti. Y%VE FAILS TO OPO4tt 1.00E-03/0 10 t FRESSURE Ril. V K YE NOT OPEX 1.0M44/D 3 2 RELIEF VP.Vt FAILI TO CPD 1.0M-04/D 10 t RELIEF VALVE FAILI TO CLO6E E!VD CPEN 2.0M-02/D 3 I

' 50LEW0104PDAfD YALyt FAILS TO OPDAft 1.0M43/D 3 1 l ICLD010-OPDATED VKYE NOT OPEN 1.0M44/D 3 1 St0P CHECK VALVE FAILS tl CPD 1.00t44/3 3 1 VACUUR BREMER FA1LS TO OPtX 1.0M-05/D 3 1 VACUUR litEER FA!LS TO CLDIt 1.0M45/8 3 1 CCFRESSORFA!LtTOOPERAft 6.12t-05/H 10 5 CC9ttil0R FAILS TO ITMT 3.0M-04/ D 3 2 FAN FAILI TO STMT 3.0M44/D 3 2 TRANSFORER FAILS TO RDAIN OPDATICML 1.00E-M/W 3 1 LCADCUTER f*ANSFORMD FAULT 1.0M46/M 3 1 MAIN TRANSFORMER FAULT 4.2!E46/W 2 5 STMTUP TRANSF00ER FAULT t.4M46/M 2 5 UNIT A'JI!LIMT TRANSFCRMER FAULT 3.l!!-07/M 3 5 O


TABLE 6.4.3-1 (Cont.)

GENERIC COMPONENT FAILURE RATES

SHEET 3 OF 3

REFERENCES FOR TABLE 6.4.3-1

1. 'GENERIC DATA BASE FOR DATA AND MODELS CHAPTER OF THE NATIONAL RELIABILITY EVALUATION PROGRAM GUIDE', EGG-EA-5887, JUNE 1982.
2. 'REACTOR SAFETY STUDY, AN ASSESSMENT OF ACCIDENT RISK IN U.S. COMMERCIAL NUCLEAR POWER PLANTS', WASH-1400/NUREG-75/014, OCTOBER 1975.
3. (NOT USED)
4. (NOT USED)
5. 'IEEE GUIDE TO THE COLLECTION AND PRESENTATION OF ELECTRICAL, ELECTRONIC, SENSING COMPONENT, AND MECHANICAL EQUIPMENT RELIABILITY DATA FOR NUCLEAR POWER GENERATING STATIONS', IEEE Std 500-1984.
6. 'ADVANCED LIGHT WATER REACTOR REQUIREMENTS DOCUMENT: APPENDIX A - PRA KEY ASSUMPTIONS AND GROUNDRULES', (DRAFT), JULY 1987.

Component failure modes considered in this study fall into two broad types. They are failure to change state and failure to continue operating.

The failure mode, failure to change state, is applicable to components which are required to change state in order to respond to an initiating event. Typical examples of such failure modes are failure of a pump to start, failure of a valve to open and failure of an open relay to close. Failure data for this type of failure mode is described in terms of demand failure probabilities (failure per demand).

The failure mode, failure to continue operating, is applicable to components which are required to operate in response to an initiating event, given that the demand response has been successful. This failure mode is also applicable to components which are operating prior to the initiating event and are required to continue operating after the initiating event occurs. A typical example of such a failure mode is failure of a pump to operate (run). Failure data for this type of failure mode is described in terms of a failure rate (failure per hour).

A unique component code was assigned to each independent fault modeled in the fault trees. Table 6.4.3-2 contains these codes along with their descriptions and failure rates. Reference sources for the failure rates are provided. These references represent sources from which failure rates were extracted or sources from which data was obtained to estimate the failure rate. Reference sources are described on the last page of the table. Note that in Table 6.4.3-2 the failure rates are presented as demand failure rates (/D) or operating failure rates (/H).


TABLE 6.4.3-2

INDEPENDENT COMPONENT FAILURE RATES

SHEET 1 OF 15

COMPONENT CODE    DESCRIPTION    FAIL. RATE (MEDIAN)    ERROR FACT.    REF.

AK32011 WW lilit!Wi!0N MYE W34 MKR FAILE TO CLC$t 2.0M 03/0 10 2 AK32022 WW OllitlW 110E VALVE WV30 M K.". FAltl TO CL0lt 2.0M43/0 10 2 AKI2023 WW lilitituf!ON EVE W35 NG FAILS TO CL0lt 2.0M43/0 10 2 AKB2024 WW Ollit!Wi!0N VALVE W31 IRKR FA!LS TO CL0$t 2.0M43/0 10 2 AK32025 WW lilit!IUil0E MVE W16 MG FAILS TO CL0$t 2.0M43/0 10 2 AK32026 A6W 0151t19UT10N MVE HV32 NG FA!LS TO CL0lt 2.05E43/D 10 2 AK32027 WW lilittluTION VALVE W37 MKR FAILS TO CLOSE 2.05E-03/0 10 2 AKl2028 MW Ollit!IUTION VALVE W33 IRKR FAILS TO CL0lt 2.05t-03/0 10 2 AKl244 VW MOT 0t4AIVD PWP MKR FAILS TO CLC$t 2.7M-03/0 to 2 AKl5113 ITEM !$0LATION MVE BRG FAILS 10 CL0$t 2.05t43/0 10 2 AKl5114 litM !$0LAi!ON MVt BRG FAILS TO CLOM 2.0M43/8 10 2 AKl5476 #0 &tlSO T. W W P7 : $RKA FAIL $ TO CLOSE 2.70( 4 3/0 10 2 AKl5441 40&ttlGT. WW $UCT. YLV W1 ItKR FAILS TO CLOM 2.0M43/0 to 2 AKl5443 NC&ttlHT. AFWP $UCT. YLV W4 BRER FAILS TO CL0lt 2.05E-03/0 10 2 AIFP2415 TUNilut- MIV D PUMP CONTROL CitCuliti FAULT 1.Mt46/W 10 1 APMJ2423 MW MOTDA-MIVO PUW FA!LS TO ITAtt 1.ME-03/0 to 1 APN5474 NO&ESENT. AFW PUW FAILS TO ITMT 1.0M-03ID 10 1 APMK2424 EW MOT 04-MlVS PUMP FAILS TO OPitATE 1.00E-05/M 10 1 APMK5475 NG& tllD T. W W PUMP FAILS TO OPD Att 1.0M45/H 10 t APTJ2414 AFW Tuul!NE MlVD PUMP FA!Ll TQ ITMT 2.15E-02/O 2 6 APTK2413 WW TUAl!Nt4RIVtX PUMP FA!LI TO QPLAAft 1.63E46/N ll 6 ATHE240 CON 0(NSAitITDAAttTAmtUNAVAILA8LE 1.0M-10/H 10 2

./ AVCA2396 CHECKVALVCV000FAILSTOOPS 1.0M44/0 3 1 AVCA2397 CHECKVRVEV079FAILSTOOPS 1.0M44ID 3 1 AVCA2M5 CHECKVALVEV015FAILSTOOPG 1.00( 4 4/0 3 1 AVCA2M7 M W TO PUMP $UCT. CHECK VALVE V007 FAILS TO OPEN 1.HE44/0 3 1 AVCA24tl WW STEM CHECK MVE V043 FAILS TO QPD 1.0M44/D 3 1 AVCA2420 MW lTEM CHECK VEYE V044 FAILS 10 OPG 1.NE Hl0 3 1 AVCA2421 MW CHECK VALVE V024 FAILS TO OPD 1.0M44/0 3 1 AVCA2428 MS PUMP $UCTION CHECK M YE V022 FA!LS TO OP D 1.ME44/0 3 1 AVCA5105 M W CHECK M YE Vl37 FAILS TO OPS 1.ME-04/0 3 1 AVCA5107 WW CHECK VRVE V138 FA!Ll TO OPG 1.00E44/0 3 1 AVCA3464 MW CHECK M Vt V002 FAlli TO OPD 1.ME-04/5 3 1 AVCA5471 ho&ttlO T. W WP CHECK YALVE V012 FA!LS TO OPEN 1.ME44/0 3 1 AVCA5472 MWCHECKVEVEV000FAILSTOQPU l.0M44IO 3 1 AVMA2416 ITEM 150LAf!ON VALVE W134 FA!Ll TO CPS 3.55E43/D 2 AYMA24tt $1EM ll0LATION YLVE W138 FAILS TO OPD 3.55E43/0 2 6 AYMA2431 M W OllfilIUTION E VE HV30 FAILS TO CP G 3.55E-03/0 2 6 AVMA2432 WW lilit1IUTION E VE UV34 FAILS TO CPU 3.55E-03/0 2 6 AVMA2433 UWOllit!IUTIONVALVIUV35FAILSTOCPtN 3.!!E-03/0 2 6 AVMA2434 MW Ollit!IUf!0N VALVE Wil FAILS TO QPD 3.55E43/0 2 6 AYMA2435 MW0!$1t!Wi!0NVALVEWV12FAILSTOCPEN 3.!!E43/0 2 6 AVMA2436 EW Cllit!IUil0N VALVE W36 FA!LS TO CPD 3.55E43/0 2 6 AVMA2437 MWOllit!IU110NVEYEHV33FAILSTOCPD 3.5!E43/D 2 6 AVMA2438 MW Dilit!IUf!ON MYE W37 FAILS TO QPD 3.!!!43/0 2 6 A065400 WON illOT. WWP $UCTION EVE WI FAILS TO OPD 3.55E-03ID 2 6 AVMAS442 NO& tlM NT. W WP $UCil0E E VE UV4 FAILS TO OP D 3.55E03/0 2 6 AW12412 TURlthE MVE W54 20T QPtu 1.0CE04/0 3 2 O


TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 2 OF 15

COMPONENT CODE    DESCRIPTION    FAIL. RATE (MEDIAN)    ERROR FACT.    REF.

AVul2444 MW MA WAL V M V016 WOT OP D 1.0M44/D 3 2 AW124!0 MW TURI. PUMP $UCTI M VALVE V004 NOT OP S 1.00t44/9 3 2 AYN12411 W 1 TURI. P W litAR LINE MAN. V M V002 NOT OP D 1.0M44/B 3 2 AW15109 M W TURR. PUMP IUCTION V M V015 NOT OPD 1.M44/0 3 2 AYullt10 WW MOTOR 4RIVB PW SUCT10N VM V014 NOT OPS 1.00t44/D 3 2 SKl5513 K0tN LINE VM W14 BRER FAILI TO CLDIE 2.0M-43/D 10 2 IKl5515 KDtN LINE VM W1C BRER FA!LI 10 CL0lt 2.05t-93/D 10 2 IKl5516 CTNT !$0LAi!0N Y M UV500P IRER FAILS TO CLOBE 2.05(43/D 10 2 IKl5517 CTMT ISOLAi!0N V M UV5000 HER FAILS TO CLDIE 2.05t-43/D 10 2 BKl5520 ADWN LINE VM W2A BRER FAILS TO CLOBE 2.05t-03/D 10 2 IKl5522 E!ANI LINE VM W2C BRER FAILS TO Cl,0tt 2.0M43/D 10 2 8K15524 CTRT ll0LAi!05 V M UV5002 BRER FAILS TO CLDIE 2.05t43/8 10 2 IKl5326 CTRT ISOLATION V M UV500$ BRER FAILS TO CLOBE 1.05t43/D 10 2 IFLT5504 KCutom Filitt !N0PDAILE 1.Mt45/H 10 1 IVBA2901 CTNT IICLAi!ON V M UY500P FAILE TO Rt-0PS 1.0M-43/O 10 1 DVD42904 CTMT ISOLAi!ON Y M UV?000 FAILS TO Rt-OP S 1.M43/4 10 1 IVDA5514 KDWE LINE VM W1C FAILS TO OPfu  !.0M43/D 10 i BYOA5521 KDWN LINE VM W2C FAILS TO OPD 1.Mt43/D 10 1 IVIA5523 CTMT ISOLAi!ON V M UY500R FAILS TO RE-0PD 1.0M-03/D 10 t BYOA!525 CTRT ISOLAfl0E V M UY5006 FAILI TO RE-OPD 1. M -03/9 10 1 IV905312 KDuu LINE VM W14 FAILS TO REMIN OPS 3.0M47/H 3 2 BVD05319 KDel LINE VM W24 FAILS TO RDAIN OPD 3.00E47/H 3 2 CKl5355 ECW P W A Mtt FAILE TO CLCSE 2.7K-43/D 10 2 CKl5342 (CW P W I DRER FA!LS TO CLO$t 2.70t43/D 10 2 CHAPS 354 (SSDT. CHILLER A FAILS TO OPERAft I.70t44/H 10 5 CHAPS 343 (ISO T. CHILLER I FAILS TO OPERATE I.70t46/H 10 5

, CHAP 5344 LPSI P W R00R ACU I FAlti TO RD 0VE HD T 1.0M45/H 3 1 t CHAPS 344 LPS! PW R00R ACU A FAILS TO RD0VE HDT 1.0M-05/H 3 1 CHAP 5370 HPSI PUMP R00R O A FAILS TO R D0VE HEAT 1.0M-05/H 3 1 CHAPS 372 HPl! PUMP R00R ACU I FAILS TO RDOVE HEAT 1.ME-05/H 3 1 CHAPS 374 Cl PUMP ROOM ACU 4 FAlli TO RDOVE HEAT 1.0M-05/H 3 I l

CHAP 5376 Cl PUMP R0GR ACU l FAILS TO RDOVE HEAT 1.Mt45/H 3 1 i

CHAP 5378 ECWS P W R00R ACU A FAILS TO RD0VE HEAT 1.0M45/H 3 1 CHAP 53H Ecul PUMP R00R ACU I FAILS TO RDOVE HEAT 1.00t45/H 3 1 CHAP 5502 WW PUMP ROOM ACV FAILI TO RDOVE l(Af 1.00E-05/H 3 i CPMJ5352 ($$DT. CHILLED NTR MP A FAILS 10 STMT 1.00(43/D 10 1 CPMJ5340 (5SD T. CHILL D WTR P W I FAILS 10 51 RAT 1.0M43/D 10 1 CPK5353 (ISt1T. CHILLD NTR PUMP A FAILS TO OPERAft 1.0M 05/M 10 t CPK5341 ES$DT. CHILLtl WIR PW l FAILS TO OPERATE 1.0M-45/M 10 1 CYut3289 H A CLE NATER H !$0LAT10N VM NOT QPU l.00E-04/O 3 2 CVW15351 t$$D T. CHILLER A INLETIQUTLIT V M NOT OP D 1.0M44/D 3 2 CVut5354 (ISOT. CHILLER A 150 VALVE NOT OPD 1.0M44/D 3 2 CV415359 ($$D T. CHILLER R INLET /0UTLET V M NOT CPU l.0M-04/D 3 2 CW15344 E550T. CHILLER I 150 VALVE hof CPEN 1.Ht44/I 3 2 CVu!5347 LPSI PUMP I R00R C INLti/0UTLET VALVE NOT OP D 1.ME-44/D 3 2 CVul5349 LPSI P W 4 ROOM ACU INLET /0UTLET V M WOT OPD 1.NE-44/D 3 2 CVul5371 kPS! PURP A ROOM ACU tit.ET/0UTLET VALyt NOT OPD !.00t44/D 3 2 CW15373 HP$t PUMP I RCOR ACU INLti/0UTLET VALVE NOT OPD 1.0M44/D 3 2 6-128

TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 3 OF 15

COMPONENT CODE    DESCRIPTION    FAIL. RATE (MEDIAN)    ERROR FACT.    REF.

CW15375 CS P W A R00R ACU lit ET/CVTLET M W WOT Q MR 1.0M44/5 3 2 CW15377 Cl PUMP I R00R ACU lil,til0VTLIT R VE NOT OPS 1.0M44/0 3 2 CW15379 ECE3 PlIIP 4 R00R ACU llLET/0UTLIT VALVE NOT OEMI 1.0M44/O 3 2 CWI5341 (CWS PUMP l ROOM ACU INLETIOUTLif MVE NOT OPG 1.ME-04/0 3 2 CVul5349 M A CLI WTR HI !$0LA!!0N M VE NOT OP D 1.0M44/0 3 2 CW15394 W I CLE MTER W ISOLAi!ON E VE NOT OPD 1.0M44/O 3 2 CVul5501 AFW P W R00R ACU INLET /0UTLET VALVE n0T OPDL 1.M44/0 3 2 CWK5390 M A VDf!LATION FM UMYA!LABLE 3.0M44ID 3 2 CWK1311 M A CONTROL A00R AHU AUAVAILAILE 3.0M44/0 3 2 CWK5395 N I VDi!LAi!ON FM UMVAILAILE 3.0M44/6 3 2 CWK5316 M l CONTROL R00A ANU UMVAILAILE 3.0M44/0 3 2 DK32175 A6V VALVE HYll44 COMP IRG FAILS TO CL0tt 2.05t-03/0 10 2 OKl2177 A0V R Yt WY1848 COMP IRKR FAILS TO CLO$t 2.05t-03/0 10 2 DK121H AW VAVl! HY17tA CW IRKR FAILS TO CLOSE 2.05(43/D 10 2 CK12112 ADV M VE WY1718 CORP IRKR FAILS TO CL0tt 2.05E-03/0 10 2 OK321tl AW VALVE WYll5A C W IRER FAILS TO CLO$t 2.0$E43/0 10 2 CKl22M AW E VE WY1858 CORP IRKR FAILS TO CLO$t 2.05t43/O 10 2 DKI2203 AW MVE HYl?tA COMP IRKR FAILS TO CLOSE 2.05t43/0 10 2 CKl2205 AW R VE /f17tl CORP IRKR FAILS TO CLOSE 2.05t-03/0 10 2 DCVA5121 ADY NITR0tu CMCK MYE V339 FAILS TO OPu 1.0M44/D 3 1 DCVAll!6 AW IITR0iG CM CK VALVE V350 FAILS TO QM R l.Mt44/5 3 i DCV45130 A W HlTR06tN CHECK M Yt V340 FAILS TO OPER 1.0M44/O 3 1 DWA5134 ADY u!TR08D CECK VALVI V334 FAILS TO ONE 1.ME-04/0 3 1 0!PP2117 AW IntTR. AIR L!let FREl8uRE IMTR FAILS TO OPERAft 1.0M44/H 10 1 DIPP2113 AW INSTR. AIR 1!NE PRt35URE INTR FAILS TO OM RATE 1.0M44/H 10 1 DINE 2166 AW IITR000 ACCUMll.Af0R 5418 UhAVAILABLE 1.ME10lH 10 2 Dikt2112 A H NITR000t M UMLR.ATOR 56-1A UM VAILAIL1 1.ME10lH 10 2 Otht2209 ADV IITR06DI ACCUMULATOR $648 UhAVAILG.! 1.00t10lH 10 2 DTut2215 ADV N!TR0001 ACCUMULATOR 564A LMVAILABLE 1. 
W 10/H 10 2 DVCA51:7 AIV INSTRUENT A!R CHECK MVE V346 FAILS TO CPEN 1.ME44/O 3 1 DVCA5125 AW InSTRUENT AIR CHECK RVE V3;7 FAILS TO QPEN 1.0M44/0 3 1 DVCA5121 ADV INSTRUE NT AIR CM CK R VE V358 FAILS TO CPEN 1.0M44/0 3 1 DVCA5133 ADV tulTRUMD i AIR CM CK R VE V344 FAILS TO CPU 1.ME44/O 3 1 DVCl2154 ADV HVII4 ($41) FAILS TO RECLOSE 1.ME-03/0 10 1 DVII2165 ADVHY195(542) FAILSTORECLOSE 1.ME-03/0 10 1 DVDC5123 ADV RITR060 Rti. VALVE PCV11f FAILS TO OPERAft 1.00E-03/O 10 1 DVDC5123 AW N!TR0601 Rti. VALVE PCV303 FAILS TO OPERAft 1.00E43/0 10 1 CVDC5132 AW utiR04 G REI. VALVE PCV323 FAILS TO O MRATE 1. W 43/D 10 1 DVDC5136 AW NITR0001 Ril. VALVE PCV310 FA!LS TO OPERATE 1.00E03/0 10 1 DVD15122 ADV NITR06tN Rti. MVE PCV317 WQT OMN 1.00t44/O 3 2 DVll5127 AW n!TR0601 RES. VALyt PCV303 N0f CMM 1.00t44/0 3 2 DVD15131 ADV WitR060 Atl. VALVE PCV323 WOT OPEN 1.0M 04/0 3 2 DVil5135 AW u!TR0001 Ril. VALVE KV310 h0i CMR 1.00E44/0 3 2 CWI2184 AW lblituMENT AIR MYE V349 N0f CPD 1.NE44/0 3 2 CVul2185 AW u!TR000 RVE V342 NOT OPD 1.Ht44/D 3 2 DW12190 AW IklTRUEuf AIR VAI.VE V353 hof OPu 1.0M-04/O 3 2 Wul!!!! AW uliR000 RVE V354 NOT CPD 1.0M44/O 3 O

2 DW12200 AW u!TR060 M Vt V343 WOT OP D 1.Ht44/0 3 2 6-129 i

TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 4 OF 15

COMPONENT CODE    DESCRIPTION    FAIL. RATE (MEDIAN)    ERROR FACT.    REF.

DVal2214 M V N!TROSD VLAvt V*,37 NOT OP D 1.0M44/0 3 2 DVPA2174 ATM0$ PEA!C 9td VM WIM FA!LS TO OPD 1.ME-03/0 10 1 DVP42179 ATROSPWi!C DW VG W178 FAILI TO OPD 1.0M-03/8 10 1 DVPA2197 ATM0$PHtt!C DUMP VM W185 FAILS TO OPD 1.0M-03/0 10 1 DVPA2202 ATMOSPHERIC DW VM W179 FAILS TO OPD 1.0M43/0 10 1 OVII5527 MSSVsFAILTORESEAT 1.ME-42/9 3 1 DVSA2176 MV $0LtW10 VM HYll44 FAILS TO OPEN 1.0M43/0 3 1 DVSA2170 ADV SOLD 0!D VM HYll48 FA!LS TO OPD 1.ME43!O 3 1 DYSA2111 ADV $0LD010 VM HY17M FA!LB TO OPtu 1.0M43/9 3 1 DYSA2183 ADV $0LD010 VM HYtfil FAILS TO QPEN 1.0M-03/0 3 1 DVSA2 tit ADV u!Tt00 0 SOL DCII VALVE Pv3138 FAILI TO OP D 1.0M43/0 3 1 DYSA2tt$ ADV u!Ttola 50LD010 VM Pv344 FAILS TO OPD 1.ME-03/9 3 1 Ov5A2199 ADV $0LD010 VM HYt85A FAILS TO OPtX 1.ME-03/0 3 1 DVSA2201 ADV $0LD010 VM HYtI58 FA!LI TO OPD 1.0M-43/9 3 1 DYSA2204 GV $0LD010 VM HY17tA FAILS TO OPD 1.0M43/0 3 1 DVSA22% ADV $0LD010 VM HY1798 FA!LS TO OPtX 1.0M43/0 3 1 DVSA2212 HV I!TROED SOLD 0!D VM PV343 FA!LS TO OPEN 1.ME-03/0 3 1 DYSA22tl M V IITI0E D $0L D010 V M PV313A FAILI TO OPD 1.ME-03/0 3 1 EKA2122 ESF IFE A SUP K Y IR G FA!U TO OP D 2.7M-03/0 10 2 EKA2823 ESF IFE I SUPKY MKA FAILS TO 08D 2.70E43/0 10 2 EK32820 M A SUPPLY IR G FA!LS TO CLOSE 2.7M-03/9 to 2 EKl2921 M I SLPPLY MKA FA!LS TO CLOSE 2.7M-43/9 10 2 EKG5209 13.8 KV INT. IUI A FEtt MG OPDS SPut!OURY 1.0M45/H 10 1 EKG5210 13.8 KV INT. 
BUS 3 FID 18G CPDS SPURIOURY 1.00E45/H 10 t EKQ5214 (SF IFE A SUPPLY IRG OPDI SPUR 10 CRY 1.0M-05/H 10 1 EK;3215 (SF IFM A FEtt MG Oral SPut!OURY 1.00(45/H 10 1 (BCG5216 ESF IFM I SUPPLY 18G QPDS SPut!OUILY 1.0M45/H 10 1 EKG!217 ISF IFM l Ftti MG CPDI SPut!DURY 2.ME45/H 10 t l EKG5224 LCAO CDTD At FID MKE OPOl SPut!OURY 1.00E-05/W 10 t l EKG5225 LCAO CDitt Al SUPKY MKR OPDI SPut!OURY 1.00E-05/H 10 t EKG5226 LCAO CDTIA A2 FEtt ItG OPOl SPyt!OURY 1.0M45/H 10 1 EK95227 LCAO CDitt A2 SUPKY MKR OPDI SPut!DUSLY 1.00E-05/W 10 1 EK95228 LCAO C ai a A3 FED M G QP D S SPVIIOU R Y 1.00t45/R 10 1 EK45221 LCAOCDittA3SUPKYIRKROPOS$Put!OUILY 1.ME45/W 10 1 EKQ5230 LCAO CDTER 81 FED ItKR QPDI SPut!0URY 1.0M-05/H 10 1 EKtS231 LCAO CDTER 11 SUPKY 18G OPD$ SK1t!00RY 1.ME05/W 10 t (K05232 LOAD Ca ttA 12 FEU ltG QP DS SPyt!DU R Y 1.0M-05/H 10 1 EK95233 LCE CDitt 12 SUPKY MKA OPDS SPut!0URY 1.00E-05/H 10 1 EK95234 LtG CDTER 83 FEU MS OPDS SPUR 10URY 1.00E-05/H 10 1 EKG5235 LCAO CDitt 13 SUPPLY pu OPDS SPUt!0URY 1.00E-05/H 10 1 EKG5237 480 V KC 532 Fita Itti CP DS SPut!OUSLY  !.00E-05/H 10 t EKG5238 400 V MCC 322 FED MKR OPDS SPut!OUSLY 1.00E45/H 10 t EKd239 450 V MCC 521 FEU MKP. CPDS SPut!OUILY 1.0M-05/H 10 1 EKG5240 480 V EC B12 FEU mkt OP DS SPut!OUSLY 1.00t45/H 10 1 (Kt5241 4M V MCC 311 FID lttt OPDS SPut!OUSLY 1.ME45/H 10 1 EK45242 4H V MCC A32 FIES MER OPDI SPut!DUSLY 1.00E-05/H 10 1 EK95243 4 H V MCC A31 FEU ltKR OP DS SPut!OUSLY 1.0M-05/W 10 1 EKG5244 4 H V EC A22 FI D MKR OP DS SPUt!OUSLY 1.ME45/M 10 1 6-130


TABLE 6.4.3-2(Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 5 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

EK95245 4M V MCC A21 RD MKR OPD6 N!0URY 1.Mt45/H 10 1 EK05244 4M V MCC 412 Flu IRG OPD8 SPURIQUBLY 1.0M45/H 10 1 EK05247 4M V MCC All Fl u BRKR opt M IPUR!OUR Y 1.0M45/M 10 1 EK95273 4M V LC IM Lt SUPKY MG OPDE SPURIOURY I.Mt45/H 10 1 EKQ3275 LC IFMR L1 LOAS luTER. $#1TCH OPDS M10VILY 1.0M45/H 10 1 EK95276 4M V LC IFM L2 $UPKY BRKR QPDB SPURIOURY 1.Mt45IN 10 1 EK95277 LC IM L2 LOM luTER. SulTCH OPEM $PURIQUGLY 1.0M45/H 10 1 EKQ5278 4M V LC IM L7 luPKY IRQ OPDI $PURIOURY 1.0M45/H 10 1 EK95279 LC IM L7 L048 tuTit. SuliCH OPDS SPURIOuSLT 1.0M45/W 10 1 EK95286 4M V MCC 331 RD 3RER OPDS SPUR 10U6LY 1.Mt45/H 10 1 EK95200 4M V LC IFM Lt SUPKT MG OPDS SPUR 10URY 1.ME-05/H 10 1 EK95290 LC IFR LI LOA 4 INTER. Su!TCH OPilu $P310UILY 1.00E45/H 10 1 EK952f2 4M V LC IFMR L5 $UPKY BRER OPUI SPURIOURY 1.0M-05/H 10 1 EK95214 LC IFM L5 LOA 8 luftR. SulTCH OPDS SPUR 10URY 1.Ht45/H 10 1 EK95296 4M V MCC M2 Ftti IRG OPD8 SPURIOURY 1.0M-05/W 10 1 EK952tl 4M V MCC M0I MD IRKR OPDB SPURIOURY 1.Mt45/H 10 1 EK953M 4M V MCC Ml FID IIER OPDI IPURIOURY 1. % 95/M 10 1 EK95302 4M V EC M7 MD MKR OPDI SPURIOUBLY 1.Mt45/H 10 t l EK95305 4M V MCC M3 RD MG OPD8 SPUR 10URY 1.ME45/W 10 1 EK95321 VOLT. Rfl. M FTD MKR OPDI SPURICURY 1.0M45/H 10 1 O EK95327 EK95330 EK95331 INVERT /TRANSF lutiCH M Ftt! MKR OPO S SPUR 10USLT NORML $VCE IFE A SUPKY 3RKR OPUI SPURIOUSLT 1.Mt45/W l.Mt45/W to 10 1

1 NORML SYCE IF M A FEU M G OP DB SPURIOU R T 1.0M45/H 10 1 EK95336 NORML SVCE IFR B SUPPLY MkA QPtut $PUR!DU?LT 1.00E-05/H 10 1 EK95337 MRML SVCE IFM 3 FEED MG 0P08 SPett0URY 1.0M45/H 10 1 EK05339 4M V Et M4 FED MKR OPD6 SPURIOURY 1.00(45/M 10 1 EK95340 LC ITM L4 LOA 8 ! ITER. SWITCH OPDG SPUR 10VSt.T 1.00E45/W 10 1 EK95341 4M V EC M04 FID IRKR OPD8 SPUR 10U6LY 1.Mt45/H 10 1 EK95344 4M V LC IFM L3 SUPKY MKR OPDS SPUR!OUSLT 1.0M45/H 10 1 (K95346 LC IFR L3 LOA 8 luTER. SuliCH OPOS SPURIOURY 1.00t45/W 10 1 EK95348 4M V LC IFM L4 $UPKY MG OPD5 SPURIOURY 1.0M45/H 10 1 EK95350 LC IFM (4 LOA 8 INT. SuliCH OPD8 $PUR1008LT 1.Mt45/H 10 1 EMP26M IR!l CR LAP 5E ON T3 1!M TRIP 1. % 03/D 10 2 D8P2642 $PURIOUSBRIDCOLLPSE 4.6M-ulH 2 0 tiil2699 T!E MG A FA!LS TO CLO$t 2.7M-03/D 10 2 EIT127M f!E MG I FAILS TO CLC$t 2.70(43/D 10 2 1

ECIP2tSS MTTERY A FAILS TO PROV!M AMOUATE OUTPUT 1.ME-M/H 3 1 ECW2tS7 BATTERY C FAILS TO PROV! M 40GUAft OUTPUT  !.00E-HIH 3 1 ECW2850 MTTDT I FAILS TO PROV!M AM904ft DUTPUT 1.00E-M/H 3 1 ECIP2959 lATT U Y l FAILS TO PROV!M AM OUAft DUTPUT 1.00(-HIH 3 1

EClPS316 MT1ERY N8 FAILS TO PROVI N AM904TE QUTPUT 1.00E-M/H 3 1 l ECIPS3tf MTTERY M FAILS TO PROY!M ADEGUATE CUTPUT 1.0CE-MIN 3 1 Ettv2152 laiTERY A UNAVAILARE 1.0M43/D 6 I ECIV2tS3 MfTERY C UHVAILARE 1.HE-03/8 6 9 ECIV2tS4 MTTERYIUMVAILARE 1.ME-03/0 6 i ECIV2055 MITEkY I Ub4VAILARE 1.Ht-03/D 6 B ECIY5315 MfTERThtVMVAILARE 1.0M-03/D O

6 1 ECiv5310 MTTERY M UMYAILARE 1.0M43/D 6 8 6-131

TABLE 6.4.3-2(Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 6 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

EC2P28% MTTERY CHARER Att FAILS TO OPDAft 1.0M-M/H 3 1 EttP2941 MtTERT CHARER A12 FAILS TO OPDATE 1.0M46/H 3 1 ECCP2h3 IAffDT CMR00111 FA!LS TO QMRATE 1.0M-M/M 3 1 ECCF2964 MTTERY CHM 0ER 312 FAILS TO OPDATE 1.0M44/H 3 1 EttP2h5 MTTERYCHARMA111FAlltTOOPDAft 1.0M44/H 3 1 ECCPS283 BATTERf CMAMR Ctl FA!LS TO OPERAtt 1.NE-MIN 3 1 ECCPS284 lATTUYCHARGERC12FAILSTOCPGATE 1.00E-M/M 3 1 ECCP5285 kiTERY CHAPTER 312 FAILS TO OMRATE 1.00244/H 3 1 ECCF5304 MTTERY CHARTER M1 FAILS TO OPERAft 1.ME-M/M 3 1 ECCP5309 14fiU Y CHARSER M 2 FAILS TO OPD ATE 1.NE44/H 3 1 ECCP5310 BATTERY CHARMA bit FAILS to OMRATE 1.0M-06/H 3 1 ECCP5311 MITERY CHARTER N02 FAILS TO OMRAft 1.ME44/H 3 1 ECIP5314 INVtRTITRANSF. $NITCH M FAILS TO OPD Att 1.0M44/H 3 1 ECRP5322 V0LT. REl. M FAILS TO OMRATE 5.25E-M/H 3 5 0812116 M A FAILS 10 ST MT 6.4M43/8 2 6 EH12917 N I FAILS TO START 6.ME-03/8 2 6 DN2918 M A FA!LS TO OPERATE  !.2M43/H 3 6 00t2919 M i FAILS TO OPD ATI 1.20E43/H 3 6 EllP2643 MIN GDDATOR FAULT  !.64E44/W 3 1 EON 2686 WS F E T ON 13.8 KV (NTD MU! ATE BUS 4 1.00E-04/N 3 1 E u C 647 M F E T ON 13.8 KV INT D MLIIATE BUS I 1.ME44/H 3 1 EUN2693 BUS F E T DN 13.8 KV M A l.00E44/K 3 1 ELIC614 IUS FAULT ON 13.1 KV M I 1.0M44/H 3 1 ELIN2704 108 FAAT ON 4M V LOAD CDTD Lt 1.00!48/H 3 1 ELIN2707 M F E T ON 4 M V LOAD C D TER L2 1.ME41/H 3 1 EllN2712 W S F E T ON 4 M V LDAB CD TER L7 1.ME-ct!H 3 1 Eu c it! 
W S F E T ON 4.16 KV ESF IUS A 1.00E-M/H 3 1 ELIN2013 WS F E T ON 4.16 KV ESF DVI i 1.00E-04/H 3 1 EUN2826 M F E T ON 4M VAC LOA 8 C DT D At 1.00E-Ol/W 3 1 EUN2127 IUS F E T ON 4 H VAC LOAO CDTER 31 1.00E43/H 3 1 ELIN2828 M FAULT ON IM VAC LOA 8 CD TR 42 1.ME48/W 3 1 EUN2821 M FAAT ON 4H VAC LOAD CDTER 12- 1.NE46/M 3 1 ELM 2830 M F E T ON 4M VAC LOA 8 CD T D A3 1.ME48/H 3 1 EUN2831 W$ FET ON 4M VAC LOAD CDTD B3 1.00E4 TIN 3 1 EUN2648 IUS FAULT ON 125 V K SUI A 1.00E44/H 3 1 EUN2M9 M F E T ON 125 V K M C 1.NE-CIIH 3 1 CLIN 2850 WS F E T ON 125 VK M I 1.ME44/H 3 1 EUN2951 M FAAT ON 125 VK M 0 1.00E-CllH 3 1 ELIN!217 W S FAULT ON 4 M V LC LI 1.0GE-04/H 3 1 Elih5291 WS FA1T ON 4M V LCAB CENTER L5 1.00E-Cl/M 3 1 ELIN53t3 IUS FAULT ON 123 VK NON tE lut hl 1.00E-cl/H 3 1 I Ellk3',17 lul FAULT ON 125 VK NCN !E R$ M 1.HE-01/H 3 1 Eun'326 W3 FAULT 04 n04-tt 120 VAC luS M l.00E44/H 3 1 ELINLM WS FAAT ON 4.16 tv NON-tE M A t.HE48/M 3 1 EUN5333 WI FAR T ON 4.16 KV NON LE M l 1.0M48/H 3 1 EUN5343 M FET ON 4M V LOAD CDTER L3 1.00E44/H 3 1 EUN534T ' WS FAULT ON 400 V LCAO CENTER L4 1.HE41/H 3 1 ELMN2834 WS FAAT Chi 4M V MCC All 1.HE46IH 3 1 6-132

TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 7 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

EUut2839 W S F E T lil 4M V MCC I!! 1.ME40/H 3 1 EUut2944 IUS F E T ON 4M V MCC 412 1.ME40/W 3 1 ELM 2441 But F E T OR 4M V RCC 312 1.0M-M/vl 3 1 ELM 2942 IUS F E T ON 4 M V EC A21 1.ME-M/H 3 1 ELM 2443 IUS FALA.T Ou 4M V RCC 321 1.0M H/W 3 1 I ELM 2H4 WS FALA.T On 400 V MCC A22 1.ME M/H 3 1 ELM 2145 M FAULT OR 400 V RCC 322 1.ME-M/W 3 1 ELM 2444 M FALA.T Ou 4M V MCC A31 1.00E-MIH 3 1 ELM 2947 M FALA.T ON 4M V KC 331 1.0M40/H 3 1 ELMS 2M M F E T DN 4 M V MCC A32 1.ME4tlH 3 1 ELM 52tl kl F E T OK 4M V EC 132 1.0M46/W 3 1 ELM 5297 IUS FALA.T On 480 V MCC M2 1.ME46IN 3 1 ELM 5219 WS FALA.T OR 4M V EC Mt 1.0M-M/M 3 1 ELM 53Cl W8 FAULT ON 400 V KC Mt 1.0M-M/H 3 1 ELM 5304 M FALA.T ON 4M V RCC M7 1.0M44/H 3 1 ELM 53M IUS FALA.T DE 4M V MCC M3 1.ME M/M 3 1 ELM 5344 IUS FAULT ON 4M V RCC M4 1.0M-M/W 3 1 ELM 5342 BUS FALLT ON 4M V RCC M5 1.ME-M/M 3 1 ELPN284 FAULT OR 125 VDC O!ST. P # . A 1.00E M/H 3 1 ELPN2867 FAULT ON 125 VDC O!!T. PANEL I 1.0M-HIM 3 1 EllR2824 LCA8 lHED SEluDCER A CIRCuliRT FALA.t I.ME44/O 5 2 i ESIR2825 LOAO SM) SEGUDCER I CIRCulTRf FAULT l.0M44/0 5 2 EILP2734 4M V LCAO CENTER IF M Lt FAILS TO OPER4ft 1.0M-4/H 3 1 EILP2735 4M V LOA 8 CENTER IFM L2 FAILS TO OPERAft 1.0tE46/H 3 1 EILP2740 4M V LCha C uiER IF M L7 FAILO TO OP D ATE 1.ME-MlH 3 1 EILP2tl4 11 M FAULT 08 ESF SU V!CE IF E A 1.00E44/H 3 1 EILP2015 IF M FAULT On Elf $(RVICE 1FMR I 1.ME-M/M 3 1 EILP2632 IFM FAULT Cu 4M VAC LOAO CatFR Al IFM 1.00E44/H 3 1 EILP2633 IFM FAULT 08 440 VAC LOAI CENTER 11 ITM 1.0M46/W 3 1 (ILP2834 IFM FET ON 4M VAC LOAD CDTER A2 IFMR 1.00E44/W 3 1 EILP2835 IF M F E T CN 400 VAC LOAS CD TER 82 IF M 1.0M HIH 3 1 EtLP2134 IFM FET ON 4M VAC LOAI cater A3 IFM l.00E46/M 3 1 Ell.P2837 IFM FAULT 05 4M VAC LCA8 CDTER 83 IFM 1.0M46/H 3 1 EILPS219 400VLOADCDTERITMRLIFA!LtTOOPDATE 1.00E-MIN 3 1 (ILPS293 4M V LCAO CENTER 1FM L5 FAILS TO CPDATE 1.ME-M/W 3 1 EILP5332 N04ML SYCE IF M A FAILS TO OPERATE 1.00E-H/W 3 1 EILPS338 W ARAL SYCE IFM I FAILS TO OP BAtt 1.00E-H/M 3 1 EILP5345 
400VLCAOCEniERL3FAILSTOOPDATE 1.00E-M/H 3 1 EILP5349 400VLOA8CDTERIFRAL4FAILSTOOPERAtt 1.00E H/W 3 1 (IRP2644 PAIR TRANSFCPRER FAULT 4.23E-06/M 2 5

[ISP2649 $1MTUP IFM I FAILS TO CPERAtt 1.43E46/W 2 5 EISP2690 liAATUP IF M A FAILS 10 CFERATE 1.43E-M/W 2 5 EIUP2645 UNIT AullLIMY TRA4SFORPER FET 3.l!E-07/H 3 5 FSAR2009 C$Al IRAll A #0i GDUATED 1.00E 10/D 3 9 FSAR2010 Cl45 TPAll I n0T SO U AT O 1.0M 10/D 3 t FSO202t MA4-2 NOT SDGATED 1.0M 10/0 3 9 FSER2417 M481 nOf GDDATED 1.0M 10/0 3 9 FSM2351 '$PURIOUSR$tt 1.00E46/W 10 1 6-133

TABLE 6.4.3-2(Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 8 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

FSAR2015 RASTRAIRANOTSOERATE) 1.0M-10/0 3 9 FSRR2016 RAlIRA!RSNOTSEMRATH 1.ME-10/D 3 9 FllRSM7 I!Al A NOT SDDAfD 1.NE 10/0 3 9 FllR5079  !!A8 i NOT 6tMR.ifD  !.ME-10/D 3 1 6K32505 Cl $0LD0!D VALVE $1460 ConP IRKR FAILS TO CL0lt 2.0M-03/D 10 2 SK32507 CS MOTOR YLAVE ll M5 COMP BAKR FAILS TO CLDE 2.0M43/D 10 2 6K12513 Cl MOTOR VALW $1472 ConP IRKR FAILS TO CLOlt 2.0M-03/D 10 2 GKl2511 CS MOTOR VALVE 11471 CCnP BAKR FAILS TO CLOSE 2.0M43/D 10 2 GK32520 C$l P W t CCnP MKR FAILS TO CLCit 2.7M-03/D 10 2 6K12526 Cll P W 2 C W MKR FAILS TO CL0lt 2.7K43/D 10 2 6 HIC 2493 KFECTIVESHUTOCNNHEAT!!CHANGERA 1.0M44/W 10 t SHIC2494 KFICilVE SHU100Nu M AT !!CHAN MR I 1.ME-M/H 10 t SNCf24tl $PRATN0!!Lil'1' CLOG 3.0M44/D 3 1 SNCT2492 $PRATN0!!Lil'2'CLOI 3.Mt44/D 3 1 6PN2521 Cll PW t IIA-P03 FAILS TO ITMi 1.Mt43/D 10 1 SPN2527 Cll PW 2 til-P03 FAILS TO tiMT t.Mt43/D 10 1 IPK2522 Cll P W l 114-P03 FAILS TO QPERAft 1.0M-0$/H 10 i SPM2521 Cll P W 2 Ill-P03 FAILS TO OP DAtt 1.Mt45/H 10 1 GVCA24t$ ClCHECKVALVE11205FAILSTOOPH 1.0M44/D 3 1 BVCA2500 Cl CM CK VLAVE 11 2% FAILS TO OPER 1.Mt44/5 3 i SVCA2509 CS CHECK VALVE 11 164 FAILS TO Orts 1.0M44/D 3 1 EvCA2518 ClCMCKVALvt$1165FAILSTOOPH 1.Mt44/5 3 i GVCA5047 Cl CHECK VALVE $1 157 FA!Ll TO OP Q  !.ME-04/D 3 i BVCA5064 Cl CHECK VEVE $1485 FAILS TO OPtX 1.Mt44/D 3 1 6VCA5094 ClCHECKVLAVE$1484FAILETOOPG 1.00t44/D 3 i BVCA5095 CICHECKVLAvt$1154FAILSTOOPH 1.00E-04/D 3 i GVMA2514 CS MOTOR VEVE $!472 FA!Ll TO QPtu 3.5![-03/D 2 6 6mA2519 CS MOTOR VALVE $1471 F A!Ll TO OPit 3.55(43/D 2 6 6VM425% Cl MOTOR VALVE $1444 FAILS TO CLQSt 4.65t-03/D 2 6 6Wl2508 CS MOTOR VLAVE Il-M5 FAILE TO CLClt 4.65t-03/D 2 6 6VM05093 SDC HEAT E! 
CHANGER ITPAll VALVE $1493 NOT CLQlO 1.00t44/D 3 2 EVM12511 Cl MOTOR VEVE $1447 NOT OPD 1.Ht44/D 3 2 GVH12517 CSMOTORVEVE11296NOTOPD 1.0M-04/D 3 2 SYM15090 CS MOTOR VEVE 11471 NOT OPS 1.00t44/D 3 2 EvMIS0tl CS MOTOR VALVE $1444 NOT OPG 1.ME-04/O 3 2 6W15096 CS MOTOR V4Vt 51449 NOT OPU l.00E-04/D 3 2 GVM15017 Cl MOTOR VALVE $1479 NOT OPH 1.0M44/D 3 2 Svu!2510 ClMANUALYEVE$1-105NOTOPU l.00E44/D 3 2 GVII2516 ClRANUALVLAYE!!-104NOTCPH 1.0Ct44/D 3 2 BWI!499 IOC WI A tiltui. CLI UTR ll0LA110E VALVE NOT CPEN l.00E-04ID 3 2 GVul5500 SDCHII($$tXT.CLEITR!$0LAi!05VALVENOTCPD 1.0CE-04/D 3 2 HK32013 HPl! PUMP 1litAFAILStoCLC$t 2.70E43/D 10 2 NE32100 HPil PW 2 ltLR FAILS TO CLCit 2.7[-03/D 10 2 kKl2106 HPl! HM VALVI $1437 MKR FA!LI 10 CLOlt 2.05t43/D 10 2 hK32101 EPit HM VALVE $1447 IRER FAILS TO CLClt 2.05t-03/0 10 2 HKB2110 HPl! HM VALYt $1417 MKR FAILI TO CL0lt 2.05E-03/D 10 2 l HK32112 HPll HM VALVI 11427 BAtt FAILS 10 CLClt 2.05t03/D 10 2 l HKl2114 HPl! HM VALVE $1434 MKR FAILS 10 CLCR 2.C!E-03/D 10 2 l


TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 9 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

HKl2tl6 HPli NOR VALVE 11444 BRtt FA!LS TO CLOSE 2.M-03/9 10 2 HKli!!I HPl! HOR MYE $!416 IRER FAILS TO CLO$t 2.W43/8 10 2 HKt2120 W11 WDR VALVE 51426 IRtt FAILS TO CL0lt 2.0M-43/0 10 2 HK32323 CTRT SUW 150 WV 51473 C0W IAEA FAILE TO CL0lt 2.W43/8 10 2 HK32325 CTNT SLPF 1C0 VLV $1474 COW IRfA FAILS TO CL0$t 2.W43/8 10 2 HK12327 CTNT SUMP 150 VLV V-676 CORP DAtt FAILS TO CLOM 2.m43/0 10 2 HEI2329 CTRT $ UMP ll0 VLV $1-475 COMP IRER FAILS TO CL0lt 2.05( 4 3/9 10 2 HK32333 RINI FLOW LINE MOV $1464 IRER FAILS TO CLOM 2.0SE-03/D 10 2 HKl2334 Rful FLN LINE MOV $1447 BRER FA!LS TO CLOSE 2.05t-43/0 10 2 HKl5N1 M6C IWttil0N VEYE $1404 IRKR FAILS TO CLO$t 2.05( 4 310 10 2 HK$5003 N6CINICil0EVKVE$1-321BRERFAILSTOCt0$t 2.0M43/0 10 2 HKB5005 HPl! PUIP O!SCH. MVt 11491 IRER FAILI TO CLOSE 2.0M-03/9 10 2 HKB5Mt H6C INECT!OE VEVE $1409 BRtt FA!LI TO CL0$t 2.0M-43/8 to 2 HKl50ll H6C INECTION VEVE $1331 BRtt FAILS TO CLOtt 2.0M43/8 to 2 HK85013 HPl! PUMP 0!$CH. MVE 51491 BRtt FAILS TO CLOSE 2.0M43/8 10 2 HPMJ2094 HPl! PUMP 1FAILStoSTART 1.0M43/B 10 l HP932101 HPli PUMP 2 FAILS TO START 1.0M-43/8 10 1 HPME2Ctl HPtlPUMP1FAILSTOOPDAft 1.Mt45/M 10 t HPK2142 HPl! PUMP 2FAILSTOOPDATE 1.0M-05/M 10 i Hill 2006 Rt. tun 4VAILAKE 1.00E10/M M 2 HVCA2076 K11 INECTION CMCX VALVE l! 133 FAILS TO OPH 1.0M44/5 3 I Os HVCA2077 Wil (WCCTION CHECK MVE $1113 FAILS TO QPEN 1.0M44/D 3 i HVCA2070 #11 INECT!OE CHECK MVt 51143 FA!LS TO OPD 1.00E44/0 3 1 HYCA2079 HPl! IWCCTIOR CHECK VALVE 11123 FA!LS TO OPD 1.0M44ID 3 i HVCA2012 HPl! CMCK VALVE 11404 FAILS TO CPG 1.0M-44/9 3 i HYtA2014 Rui CHECK VALVE $1 3M FAILS TO OP D 1.Hf44/9 3 1 HvCA2019 HPl! 
CHEtt V E VE ll H S FAILS to OP O 1.ME-04/0 3 i HVCA2M1 tutCHECKVEVE$130$FAILSTOOPS 1.00(44/D 3 i HVCA2097 RINI FLOW CHECK VALVE 51424 FAILS TO OPO l.0M44/0 3 1 HVCA2103 RINI FLCW CHECE MVE 11-426 FAILS TO OPS 1.Mt44/0 3 1 HVCA2321 CHECE MVE $1-205 FAILI to CPD 1.00E-04/9 3 1 WYCA2322 CHECE VALVE 51 2 % FAILS TO OP D 1.00t-04It 3 i HvCA2t17 H4C IWittlDR CHttt VEVt $1523 FAILS TO OPD 1.0M44/b 3 1 WVCA2ttl H6C INECT!Du CHECE VEYt 11522 FAILS TO CPD 1.NE4410 3 1 WVCASM4 W6C INECTICE CHttt MVt $1533 FAILS TO OPD 1.0M44/D 3 1 HvCASM7 N6C INECTION CHttt YLAVE $1532 FAILS TO CPD 1.40E-04ID 3 1 HvCA5416 Chitt MVE 11237 FAILI TO CPD 1.0M44/5 3 1 HvCA5015 CHECE MVt $1542 FAIL $ TO OPD 1.00t-04/0 3 i HVCA!016 CHECK M Vt $1 217 FAILS TO OP G 1.0M-04/D 3 i HYC450tf CHECE MVE I!440 JAILS TO OPEN 1.00( 4 4/0 3 i HVCA50tl CHttt MVt $1-247 F AILS 10 CPD 1.0M-04/0 3 1 Hvr450lt CHECK VALVE $1543 FolLS TO OPEN 1.00E44/0 3 1 HVCA5020 CHttt MVt $1227 FA!LS TO OPD 1.ME-04/0 3 i HYCA5021 CHitt VEVt $1441 FAlli TO OPG l.00E-04ID 3 i NVRA2107 HPl! KDMR MVt $1437 FAILS TO OPD 3.55t-43/D 2 6 WVMA2109 HPl! HDMR VEVE $1447 FA!LS TO OPS 3.55E-43/0 2 6 WVMA2tti HPl! HEA MR M Vt li d t? FAILS TO OP G 3.!!E-43/8 2 6 O


TABLE 6.4.3-2(Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 10 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

M A2113 HPl! HEAKR MVE $1427 FAILS TO DPU 3.55E-03/0 2 6 MA2115 HPl!HDKtVALVE$1634FAILSTOOPG 3.!!I-03/0 2 6 HYhA2117 HPl! HEAKA VEVE $144 FAILS to OPG 3.55E-03/D 2 6 M 42119 HPll HEAKR MYE $1416 FA!Lt TO OPG 3.55(-03/8 2 6 m A2121 HPl! HDKR MVt $1424 FAILS TO OPQ 3.55E43/O 2 6 HVRA2324 CTMT StMP !$0 VALVE $1473 FAILS TO OPD 3.55(-03/D 2 6 M A2326 CTRT SUMP 150 M YE !!4 74 FAILS TO OP D 3.55E43/0 2 6 M A2321 CTRT SunP !$0 VALVE I!476 FAILS 10 OPD 3.55E43/D 2 6 M A2334 CTRT SUMP !$0 VALVE 11-473 FAILI TO CPD 3.5M-03/D 2 6 M A50M H6C INECTION MVE 51404 FAILS TO OPEN 3.55E43/0 2 6 MASH 2 H6C I N ECTION M VE l! 321 FAILS TO CP D 3.55E43/D 2 6 HVM45004 H6C INECTION MVt $1409 FAILS TO OPER 3.5!E-03/0 2 6 M A5010 H6C INECTION VME $1331 FAILS TO OPQ 3.55(-03/D 2 6 m l2334 MINI FLOW LINE ROV 1146 FAILS TO CLCit 4.65E43/9 2 6 m t2337 RIN! FLON L!bt M0V 81447 FAILS TO CLOSE 4.65t-03/O 2 6 ml5M4 :f51 PW IISCH. MYi $1498 FAILS TO CLC$t 4.65E-03/9 2 6 M B50!! HPl! PUMP D!lCH. M YE I!491 FA!Ll TO CLCSE 4.65t-03/D 2 6 m12W3 MANUAL V M 51-470 NOT QPG 1.M(44/D 3 2 HYRt2005 tNTMOTORVALVE$1-531NOTCPD 1.ME44/l 3 2 m12M7 MOTOR M Vt 11 4 91 NOT OP G 1.Mt44/0 3 2 HV512092 RNTMOTORVALVE$1-530hofCPER 1.ME44/O 3 2 M 12098 RINI FLON llo MVt !!444 hof OPER 1.00E44/0 3 2 m 12144 RINI FLON !$0 VALVE l!447 NOT QPEN 1.00(-04/D 3 2 m12Mt RANUAL M YE Il 478 N0i CP D 1.00t44/0 3 2 m120% RANUAL V M 51402 4T CPD 1.ME-04/O 3 2 WVll2332 RINI FLON $0LEWII MYE $!440 FAILS TO CLC$t 1.00( 4 4/O 3 1 HVll2335 R!NI FLON SOLD 0!I VM 11459 FA!LS TO CLOSE 1.ME44/D 3 1 HYl!20t1 RINI FLON 150 MVt I!460 NOT QPEN 1.00E44iG 3 i FV112105 RINI FLON 150 V M I!4 59 h0i CPEN 1.ME44/D 3 1 IARK20$$ R0!ITL1tt SEPAAATOR A FAILS TT) OPDATE 1.00E-05/H 3 1

!AM2054 M0!ITURE SEPARATOR I FA!LI TO CPERATE 1.0Ci-05/M 3 1 IAK2057 R0!ITUNESUARATORCFAILSTOCPERAtt 1.HE-0$lH 3 1

[AAt2042 411 DtTER A FAILS TO CPDAtt 1.00E05/H 3 1 IAAK5253 8129tittiFAILSTOCPEAATE 1.00E45/M 3 1 IKl5263 14 CCMPRES$3R I COW IRKA FAILS TO CLCSE 2.7CE-03/D 10 2 IKl5269 IACCettil04CCCMPltKRFAILSTOCLCit 2.70E-03/D 10 2 ICVAll60 NITR04 0 CHEtt V U t V441 FA!LI TO CPER 1.M(44/0 3 1 IFAt2Mt 14 PRE /AFittFILi(RAFAILSTOQPERATE 1.70E04/M 2 5

! FAT 5254 lAPRE/AFTERFILTERIFAILSTOCFERAft 1.70E46/W 2 5

!!PP5163 IhSTR. AIR List Pttl!URE 1RTR FA!LI TO CFERAit 1.00E44/H 10 1 Ilkt2045 thlitWii AIR Dllit!Wi!CN htt:Et FAULT 1.00E-Cl/W 10 1 ITAE5258 thlitWhi A!R REC (IVER A l2AVAILADLE 1.00(10/H 10 2 ITAE1262 thlit W NT Alt RECE!Vtt I UhAVA!L a t 1.00E10/H 10 2 ITA(3260 thlitWut AIR Ritt!Vtt C L'hAVi! LADLE 1.00(10lH 10 2

. !Th(3154 N!)R06 0 ACCU R ATOR lMA 4!LABLE 1.001 it/W 10 2 IVCA5157 thlTR W VT Alt CHECK V M v440 FAILS TO CPER 1.00(44/D 3 1 IYCA5264 !A Rett!Vit I CHECK M YE V024 FAILS TO CP D 1.ME04/3 3 1 M A5270 14 Ritt!Vit C CHEtt Vet V032 FAILS TO OPEN 1.00( 4 4/0 3 1 6-136

TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 11 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

IVK3162 51T2000 MI. Volt PC11130 FAILS 10 OPIAAft 1.0M43/9 to t IVil5161 IITROIG Mt. VALVE PCV1130 NOT OPtX 1.0M44/5 3 2 tVtA$250 14 DRYtA itAIN I 190 M Vt Voll FAILS TO Ottu 1.Mt44I0 3 1 IVRA3251 !A ORYG iMIN I 110 MYE V013 FA!LS TO OPG  !.Mt44/I 3 I IVtA5244 14 MuutL VALVE V023 FAILS TO OP G 1.00( 4 4/5 3 2 IVue5271 14 MuutL MVt V033 FA!LI TO OPD 1.0M44/B 3 1 IVn02M4 14 Illt. HOR RVil FAILS TO REMlu QPD 3.0M47/H 3 2 IVRM249 1 RAIN A tul!T/0UTLET VEVil FAIL TO MMIN OPtX 1.Mt44/9 3 2 IVa0S217 Att etCE!VER WM MVt VMt FAILS to t[ MIN QPO 3.Mt47/H 3 2 IWM259 COWatllu AIR TRAIN A MVtl Fall TO REMlu OPEN 3.ME47/W 3 2 IVul5159 NITR00tX M YE V439 BOT QPD 1.0M44/0 3 2 l'llA5164 u!Ttola 50LD0!I MVE PVil28 FA!LS TO OPG l.Mt43/8 3 1 luc 12H3 14 C0Wttslot I FAILS TO STMi 3.00t44/0 3 2 luCJ2054 !A COMPttll0R C FAILS TO STMT 3.Mt44/I 3 2 luck 2M4 14 COMPM ll04 4 FA!LS TO QPitAtt 6.12(41/W 10 5 luck 20$1 14COMPRttiORIFAILITOOPGAit 6.12t4 SIN 30 5 luck 20S2 14COMPttll0BCFA!LSTOOPtteit 6.12E4$/M 30 5 LKl5045 LPl! HM VALM 51435 IRGltt FAILS TO CL0lt 2.0$t43/8 10 2 LKIS048 LPll HOR MYE $1445 MEAKER FAILS TO CL0tt 2.0M43/8 10 2 LKIS051 LPll HM VEVE $1615 MEAMA FAILS TO Clost 2.0M43/8 10 2 LKB5054 Ul! HM VEVE I!425 BREAKEt FAILS TO CL0lt 2.0M43/8 10 2 Os LKISMt LPlt PURP 1 M O KER FAILS TO CL0lt 2.7M43/8 10 2 LKIS076 LPl! 
PUMP 2 NEAKER FAILI TO CL0lt 2.7M43/8 10 2 LKM170 SK CR0ll0VER MW st4N mkt FA!Ll TO CL0lt 2.0$t-03/0 10 2 L K M174 $K THA0TTLE RYt $1457 IRKR FAILS TO CLO$t 2.0 M 03/O 10 2 LKM177 IfPAll MVE Il 3M MKR FAILS TO CLOSE 2.0!*43/3 10 2 LK Mll5 16C SUCT10N EVE 51455 BRKR FAILS TO CLOM 2.0M43/0 to 2 LKBlil7 $K SUCT!DN EVE $1453 84KA FA!LS TO CLQlt 2.05t-03/O 10 2 LKMitt 50C SUCTION RM $1451 BAKA FAill TO CLOM 2.0M-03/0 10 2 LKBSitt S K CR0ll0VEA R VE $1496 BAKA FAILS TO CLO M 2.05t-03/0 10 2 LKIS194 $K TNROTTLE VEVE 11458 BAKA FAILS to CL0lt 2.0M43/O to 2 LKMit6 $K IfPAll VEVE $1307 MKR FAILE TO CL0it 2.0$t-03/9 to 2 LKB5201 IK SVCTION VEVE $1456 BAKA FAILS TO CLClt 2.05t-03/D 10 2

! LKM203 $K SUCTION VEVE l!454 MKR FAILS TO CL0lt 2.05t03/9 10 2 LK M205 $K luCTION VALVE 11452 mkt FAILS TO CLQlt 2.0M-03/0 10 2 1PNSM2 LPl! PtAP 1 FAILS TO ITMT 1.0M 03/0 10 i LPN5077 Ull PUMP 2 FA!LI TO ITMT 1.0M43I0 10 t LPMSM3 Ul! PUMP 1 Fall,8 TO OPER4Tt 1.Mt45/W 10 1 LPM 5078 LPl! PUMP 2 FA!LS TO OPERATE 1.Mt45/M 10 i Lill!029 LOCALFAULil0F$1TI 1.ME10lH 10 2 Lil!5032 LOCAL FAULil 0F IIT 2 1.0M 10/H 10 2 I

LTS15035 LOCALFAULil0Flif3 1.0M 10lH 10 2 I Lill5038 LOCAL FAULil 0F lli 4 1.0M 10/M 10 2

! t,VCA5028 lli ! CHtCK YALVE $1215 FAILS TO QPEN 1.0M-04/O 3 1

, LVCA50!! Sif 2 CHECK VEYE $1223 FAILS TO OPG 1.0M44/0 3 1 l l

LVCA5034 Ili 3 CHECK MYE $1233 FAILI TO OPS 1.0M44/O 3 1 i i

LYCA5037 $1T 4 CHECK VEVE $1145 FAILS TO OPG 1.0M44I0 3 1 l

LVCA5043 Ull IN. CHECK RVE lt 134 FAILS TO OPD 1.00t-0410 3 1 l 6-137

TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 12 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

LvCA5047 LPl! IW. CHECK VALVE 11444 FAILS TO OPG 1.0M-44/O 3 1 LVCA5M4 LPl! !W. CHECK YALW $1414 FAILS TO QPU l.Mt-94/9 3 i LYCASM3 LPl! IW. CHECK VALVE 51124 FAILS TO OPD 1.M(44/l 3 1 LVCA5058 LPll CECK VALW $1434 FAILS TO OPG l.M(44/O 3 1 LYCA5Mt LPllPUMPCHEttVALVE$1-201FAILSTOOPG 1.0X44/D 3 i LVCA5074 LPl! CECK VALVE $1-444 FA!Ll TO QPQ l.M(44/D 3 i LVCA50H LPllPURPCHECKVALVE$1200FAILSTOQPD 1.M(44/O 3 i LWA5044 LPl! HEAKR VALVE $1435 FAILS TO OPS 3.5M43/O 2 6 LVMA5049 LPl! HDKt VLAW 51445 FAILS TO QPU 3.55E-43/8 2 6 LWA5052 LPll HDKt VALVE $1415 FAILS to OPD 3.55E-43/O 2 6 LVMA5055 LPl! HEAKt VALVI $1425 FAILS TO OPU 3.!K-03/8 2 6 LVMA5169 $0C CR0650Vit VALVI $1444 FAILS TO OPD 3.55E-03/O 2 6 LYMA5143 $0CSUCTIONVALVEI!455FA!LSTOOPD 3.55E-03/D 2 6 LWA5184 SK SUCTION VALVE I!453 FAILE TO OPG 3.55(-43/8 2 6 LVMA5194 IX IUCT10N VEVE $1451 FAILS TO OPS 3.5M43/0 2 6 LYMA51tl $K CRolS0VER VEVE 11496 FA!LS 10 QPD 3.55(-43/4 2 6 LVMA52M SK SUCTION VEVE $1456 FAILS TO OPG 3.5M-03/D 2 6 LWA5202 SK SUCTICN VALVE $1654 FAILS TO QPG 3.5M-43/3 2 6 LWA5204 IK SUCTION VALVE $1452 FAILS TO OPD 3.5M-03/0 2 6 LWC5172 50C THROTTLE VALW $1457 FAILS TO QPtRAft 1.0M47/M 3 6 LWC5176 $DC Hs 1 IfPAll VEVt Il 3M FAILS TO OPDAtt 1.0M-47/H 3 6 LYMC$lt3 10C Tht0TTLE VALW I!444 FA!LS TO OPitAtt 1.05(-07/H 3 6 LWC3195 $K H 2BYPAllVEVESI307FA!LlTOOPRATE 1.05(47/M 3 6 LWT5027 $1TIMOVI!414PLU660 1.0![47/M 3 6 LVRT5030 l!T 2 MCY $1424 PLU660 1.05t47/M 3 6 LVRT5033 IIT 3 MOV $1434 PLU660 1.05E47/M 3 6 LVRT5036 IIT 4 MWV $1444 Pt.U660 1.05E47/H 3 6 LVMI5072 LPl! PUMP IIKH. MOV $1307 NOT OPEN 1.00(-44/O 3 2 LVMISC01 LPlt SUCTION VfLVE !!492 NOT OPD 1.0M44/D 3 2 LWIS073 LPl! PUMP MANCE lllCH. VALW $1447 HT C'EN 1.00E44/O 3 2 MICH457 SYPAll VALVE W-103 MG FAILS TO CLCSE 2.05E-03/9 10 2 RKl5450 MRP O!$CH. VALVE W11 StKR FAILS TO CLCSE 2.Ht41/D 10 2 PKH459 MRP lllCH. VALVE W32 Itti FA!LS TO CLCSE 2.05E-03/D to 2 MKH441 CCNO. PUMP P01A MG FA!LS TO CLCSE 2.70[-43/D 10 2 MKH442 CCNO. 
NMP Pelt MKR FAILS TO CLCSE 2.70E-43/D 10 2 PKH443 CCW. NMP P019 M[I FAILS TO CLO$t 2.70t4310 10 2

! PK H464 CCal. NMP P0tt SUCT. VLV W4 litt FAILS TO CLC$t 2.05E43/D to 2 i MKH465 CCW. PUMP P0ll SUCT. Vtv W-2 BRKt FAILS TO CLCSE 2.0!E43/D 10 2 MILT 2362 int!OUS H!lM $4 LEVit tu $4-1 1.M(-06/M 10 t MILG2343 $PURIOUSH!ld$4LEVELIN14-2 1.00t06/H 10 t i

RPRJ2160 CCH. NW P014 FAILI TO tiliAtt 1.0M-03/D 10 I

, MPN2162 CC4. NW Pell FA!Ll TO REITART 1.00E43/O 10 t i

MPMJ5155 CC4. NW P01C FAILS TO RtliART 1.0M41/D 10 t l MPM2375 (C@,PUMPP014FAILSTOCPGATE 1.00(-45/M 10 t MPM2377 Cont. NW Pell FAILS TO CPilAtt 1.00(-05/M to 1 MPM5136 CC4. NMP P0lt FAILS TO CPERATE 1. W 45/M 10 i MTHt2364 LCll 0F tv4 hTORT (C0tM ulait HOTHLL) 1. W 10lH 10 2 MWA5131 (41 C4CK VRW V742 FAILS TO CPfl 1.00(44/D 3 1 6-138

TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 13 OF 15

CCMP0uGT FAIL. TATE EAROR I COM Mltt!Pi!0u (MillAN) FACT. REF. 1 RvCA5139 50-1 CE CE V E W V652 FAILS TO OPEN 1.0M44/9 3 1 MVChilA4 144 CMCE VRVE V693 FA!Ll TD QPtX l.0M44/0 3 1 MVCAll41 $44 CECE VALVE V653 FA!LS TO Opts 1.0M-04/I 3 1 MVCA5154 CONI. PW Peta CHECE VALVE V072 FA!LS to Orm 1.MC44/9 3 1 MVCA5154 Coul. P W PitC CHttt VALVE VtT7 FA!Ll TO OP G 1.0M44/0 3 1 MVCA5165 C0ml. P W P418 CHECE VALVE V074 FAILS TO QP G 1.0M44/0 3 1 MVK3143 MuuCMtCONTROLVALytFVill3FA!LSTOQPDATE I.0M43/0 10 1 MVDC5144 DCuuC M R CONTROL V M E FVll23 FA!LS TO OP O P- 1.Mt4310 10 1 M 12358 DCuuCOER 150. VEYE UV 172 FAILS TO REMIN QPG l.0M43/8 10 1 M l2359 MWNC0ER 150. VALVE UV 135 FA!LS TO REM!u OPD 1.00( 4 3/8 10 1 M32360 00tuC M R 150. VALYt UV-130 FA!LS to R DAlu OPEN 1.00t03/0 10 1 Ml2341 DCWuCMR 150. VALVE UV-175 FA!Ll TO REMIR OPG 1.0M43/0 10 1 MYM2t$$ kP HFAftt BYPAtt VALVE W4103 FAILS TO QPER 3.55t43/0 2 6 MvMH147 MFWP OlEN. VALW WV11 FAILS TO CL0et 4.65E-43/8 2 6 m t5148 MFWP O!KW. VALVE HV12 FAILS TO CLOM 4.65E-03/0 2 6 MA2tS6 MFWP ITPAll VALVE V000 FAILS TO OPD 1.0M44/9 3 1 MYt42tS7 MFWPBYtAllVALVEVillFAILSTOOPS 1.0M44/0 3 1 MVel2tS4 ILOWul0Nu ik VALVE V096 FAILS 10 CLC$t 1.0M44/9 3 i f!EP2257 LCl30FTIVCCuit0LIflTER 1.0M44/W 10 1 T![P2261 CCNDD$tt PKtillAt tuliCH FAILS TO OPitAtt 1.Mt44/M 10 1 TVD 42241 TIVsFAILTOQPH 1.Mt43/8 to O- UK12472 AutSPMTVRVECH205BRERFAILSTOCLCit 2.0$t-43/0 10 1

2 UK12473 401 $PM T VALVE CM 203 Brit FAILS TO CLC$t 2.05t-43/0 10 2 UKl5415 CHMithI PUMP 1 BRtt FA!LS TO CLClt 2.70t43ID 10 2 UKM424 chm 414 PW 3 NKR FA!LS TO CLCit 2.7M43/0 10 2 UK H431 VCT 150 VALVI CH-501 MER FA!LS TO CLCit 2.05[-03/0 10 2 UKM439 MOT 0t OPDAtti VKW CH-514 MER FAILS TO CL0$t 2.0$l-43/8 10 2 UKl!443 IW l MLA FA!LS TO CLO$t 2.7X-43/8 10 2 i

UKH449 I W 2 BAtt FA!LS TO CLC$t 2.70t43/0 10 2 laKH453 ChMl!N8 PURP 2 MIR FA!Ll TO CL0lt 2.70t-03/8 10 2 USCG1583 CMM6!W PURP 1 MKR OPtus $Put!DUSLT 1.0M-0!/M 10 1 UK35544 CMMI!M PUMP 2 NER OPENS $Put!OUSLT 1.0X-05/W 10 1 UFLP5434 KRou luJECTION LIE F!Litt FA!LS TO CPDATE 1.ME-05/H 10 1 UPMJ!412 CHAA6!NI PUMP 1 FA!LS TO STMT l.Mt43/8 10 1 GPMJ5419 CHM 61NS PUMP 2 FA!LS TO ITMT 1.0M43/9 10 1 UPMJ5422 CNMilh6 PURP 3 FA!Ll TO ITMT l.00E-03/3 10 1 GPRJ5441 MMP 1 FAILI 10 STMT 1.ME-03/8 10 1 UPMJ5447 IW 2 FAILS TO STMT 1.00E-03/8 10 l LPME24tl CMM61NI P W ! FAILS TO CPD ATE 1.00(45/H 10 1 UPMt2412 CNM6tW8 PURP 2 FAILS TO CPDAff 1.ME-05/M 10 l LPMt5423 CMMl!NG P W 3 FAILS TO CPD Aft 1.00E-05/W 10 1 GPM!442 S W l FAILS TO GP DATE 1.00E-05/H 10 1 UPM1448 I W 2 FAILS TO CP Daft 1.ME 05/M 10 1 UvCA2474 Aut $ PRAT 1,1NE CHECE VALVE CH-431 FA!Ll TO CPts 1.Mt44/9 3 1 UVCA5410 CHECKVALVECW-639FAILSTOCPts 1.Mt44/0 3 1 UVCA!416 ChME!W PUMP 1 Chttt v4LVE CH428 FAILS TO OPlu 1.ME-04/0 3 i UvCA1420 CMMl!NE PUMP 2 CHECE VALVE CH431 FA!LS TO QPts 1.0M44/0 3 1 O UVCA!426 CHMil d PURP 3 CW3CI YALVI CH-334 FA!LS TO QPts 1.Mt44/0 3 1 6-139

TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 14 OF 15

COMPONENT CODE   DESCRIPTION   FAIL. RATE (MEDIAN)   ERROR FACT.   REF.

WCAS432 CMtt VEW CM-Ito FAILS TO OPD 1.0M-44/0 3 1 WCAS435 CHECEVEVECH177FAILETOOPD 1.Mt44/0 3 i WCA5444 LAMP 1 IISCH CM CK V E W CH 154 FAILE TO QPD 1.0M44/0 3 1 WCAS450 lW 2 0!$0N CEtt VEM CH-155 FAILS TO OPD 1.0M-04/0 3 1 Wil2477 CHAR $!NI L! M 153 Velvt CH-240 FAILS TO CLO$t 1.0M-03/0 10 1 WM5452 Ruf O!SCH VEVE CH-532 FAILS TO REMIN OPD 3.NE47/W 3 2 WM5438 M01CR OPERAftl VALW CH-514 FAILS TD QPD 3.55( 4 3/0 2 6 M M430 VCT I!SCHARlt ilo VALVE CH-501 FAILS TO CLOSE 4.65t-03/8 2 6 Wpeus CH6 LIE ISO VALVE CH424 FA!LI TO RDA!N OPD 1.05t-07/W 3 6 M A!434 MMUAL VALVE CH 141 FA!Ll TO DPEN 1.00( 4 4/O 3 1 MM4M MANUAL VRV1 CH429 FAILS TO REMIN QPD 1.Mt44/0 3 2 M 15418 CHAR 6!NS Pimp 1 ISO VALVE FA!LS TO REMIN OPG 1.0M44/0 3 2 Wil5421 CAH6RINI PUMP 2 ISO VEYE FAILS TO RDA!N OPG 1.0M-44/0 3 2 M 1:427 CHAR 6tNI PUMP 3 !$0 VRVE FAILS TO RDA!N OPD 1.Mt44/0 3 2 Wil5437 MRON IulECT!DN FILitR !$0 VALVE NOT OPD 1.0M44/O 3 2 M I5445 LAMP 1!$0VALVEB0fOrtM l.Mt4410 3 2 WsI5451 I W 2 !$0 VALVE NOT OPtX 1.ME-04/0 3 2 WlA1475 AUt LPMT YEVE CW 205 FAILS TO DPD 1.Mt43/8 3 i WIA2476 AUI SPM1 VALVI CH-103 FAILS TO QPD 1.0X43/0 3 i VIC05454 (CNTROL lilTER CAI! NET BRKR OPDS $PUR! dully 1.0M45/W 10 i VIIP543 P!R PRtiluRE CONTROL litter FAILS TO CPEMit 4.tSt45/W 10 2 WCA5319 MIR SPRAT LIE CEtt VALVE RC 244 FAILS TO OPEN 1.0M44/0 3 1 WDA5401 PIR $PMT CCIT. VALVE RC 10M FA!LS TO CPEN 1.Mt43/O to 1 WEA546 PIR $PM Y CCNT. VALVE RC 1 MF FA!SL TO QPEN 1.M(-03/0 10 t L"?!!4M PIR $PMI CCni. VRVE RC 10M 150 VALVE NOT OPD 1.00E-04/O 3 2 fo'%$ Fit LPuf CCuf. VALVI RC 10W !$0 VALVI NOT OrtM 1.00l44/O 3 2 1

1 i

l O

6-140

TABLE 6.4.3-2 (Cont.)

INDEPENDENT COMPONENT FAILURE RATES

SHEET 15 OF 15

REFERENCES FOR TABLES 6.4.2.6-1 & 6.4.3-2

1. 'GENERIC DATA BASE FOR DATA AND MODELS CHAPTER OF THE NATIONAL RELIABILITY EVALUATION PROGRAM GUIDE', EGG-EA-5887, JUNE 1982.
2. 'REACTOR SAFETY STUDY, AN ASSESSMENT OF ACCIDENT RISK IN U.S. COMMERCIAL NUCLEAR POWER PLANTS', WASH-1400/NUREG-75/014, OCTOBER 1975.
3. FA!Lutt RAtt lif! Mitt M$tt on M M8Unt) MTA FACfot.
5. 'IEEE GUIDE TO THE COLLECTION AND PRESENTATION OF ELECTRICAL, ELECTRONIC, SENSING COMPONENT, AND MECHANICAL EQUIPMENT RELIABILITY DATA FOR NUCLEAR POWER GENERATING STATIONS', IEEE Std 500-1984.
6. 'AHANCtl LIINT Mitt MACiot tt0UIRDDil DOCUMDT APPDBll 4 PGA Kti MSUWi!0ml l Aug 640Uh44LLil', (DRW il, hat 1987.
7. 'COMMON CAUSE FAULT RATES FOR VALVES', NUREG/CR-2770, FEBRUARY 1983.

8. 'A PROBABILISTIC SAFETY ANALYSIS OF DC POWER SUPPLY REQUIREMENTS FOR NUCLEAR POWER PLANTS', NUREG-0666, APRIL 1981.

9. 'RPS/ESFAS EXTENDED TEST INTERVAL EVALUATION', CEN-327, MAY 1986.
10. 'COMMON CAUSE FAULT RATES FOR PUMPS', NUREG/CR-2098, FEBRUARY 1983.


6.4.4 Special Failure Rates

Special failure rates were estimated for components which are treated as developed events in the fault trees. These components include engineered safety feature actuation signals, cooling water trains, instrument air, and pump and valve control circuits. The following subsections illustrate how failure rates were estimated for the above developed events.

6.4.4.1 ESFAS Failure Rates

Engineered safety features actuation signals (ESFAS) were modeled in the fault trees as developed events. These events included independent and common cause faults. Failure rates for these faults were obtained from CEN-327(58).

A review of CEN-327 showed that ESFAS unavailability is dominated by common cause faults. The developed event failure rate for ESFAS independent faults is negligible. The review shows that the dominant contributions to ESFAS unavailability, excluding recovery action, are as follows:

OPERSPT - Operator sets bistables incorrectly (2.50E-3)

CLPS - Common cause failure of transmitters (3.90E-4)

CBST - Common cause failure of bistables (4.40E-5)

CIR - Common cause failure of initiation relays (3.30E-7)

The total ESFAS unavailability obtained from Reference 9 is 2.91E-3. This value was used as the median value in this study along with an assumed error factor of 5.

One of the ESFAS addressed in Reference 9 is the auxiliary feedwater actuation signal (AFAS). Certain faults can impact the availability of both the RPS and the AFAS. These faults are primarily common cause faults, which include "operator sets bistable setpoints incorrectly" and "common cause failure of bistables". For sequences that include failure of the RPS and AFAS, the unavailability of AFAS is conditioned on RPS failure. To determine the conditional unavailability of AFAS, the dominant cutsets for RPS and AFAS are compared to identify components which are common to both systems. Once the common characteristics are identified, their percentage contribution to the total RPS unavailability is calculated. The calculated value is used as the conditional failure probability which is used to calculate AFAS unavailability.

The dominant cutsets for AFAS were presented above. The dominant cutsets for RPS were extracted from CEN-327. They are included below for reference purposes.

CTCB - Common cause mechanical failure of trip breakers (2.50E-6)

CCFTCH*OPF*OERMT - Common cause failure of trip channels, Failure of diverse trip parameter, Operator fails to initiate manual trip (1.06E-7)

CKR*OERMT - Common cause failure of K-relays, Operator fails to initiate manual trip (1.65E-8)

The RPS unavailability is 2.64E-6. Note that component CCFTCH includes faults that impact the RPS and AFAS. Its percentage contribution to RPS failure is calculated using the following expression:

Q(CCFTCH/RPS) = Q(OERMT*OPF*CCFTCH) / Q_RPS

where Q(CCFTCH/RPS) is the percentage contribution of CCFTCH to RPS unavailability and Q_RPS is the unavailability of the RPS. Substituting the values from above yields:

Q(CCFTCH/RPS) = 1.06E-7 / 2.64E-6 = 0.04

This value represents the probability that the "operator sets bistable setpoints incorrectly" or "common cause failure of the bistables", given that the RPS has failed. The dominant contributors to AFAS unavailability become

OPERSPT or CBST - 4.00E-2

CLPS - 3.90E-4

CIR - 3.30E-7

The median unavailability for AFAS, given RPS failure, becomes 4.00E-2 with an error factor of 5.

6.4.4.2 Cooling Water Train Failure Rates

Cooling water, as a support system, was modeled in the fault trees. It includes essential cooling water, essential chilled water and ESF pump room cooling. Each of these water systems was included in the front-line system models as developed events which were divided into independent fault events for each train and common cause faults. A detailed fault tree was developed for each of these cooling water systems. These models were then restructured into separate subtrees containing independent faults, common cause faults and support systems. The subtrees for the independent faults and the common cause faults were quantified to obtain the unavailabilities for their respective developed events in the front-line system models. The subtrees for the cooling water system support systems were incorporated directly in the front-line system models. The unavailabilities for these developed events are presented in Table 6.4.4.2-1. The component codes and their associated descriptions are also presented in Table 6.4.4.2-1.

6.4.4.3 Instrument Air Failure Rates

A detailed fault tree was constructed for loss of instrument air. This fault tree was then simplified by combining appropriate independent faults as developed events. Appropriate common cause faults were also combined as developed events. As a result, the simplified fault tree for loss of instrument air consists of developed events only. It was then integrated in the appropriate front-line system fault tree models. This approach reduces the number of instrument air fault tree events and makes evaluation of front-line fault tree models more efficient. In order to quantify system unavailabilities for those front-line systems which include instrument air, the developed events for instrument air were quantified as described below.

The Boolean expression for each instrument air developed event was derived and then used as input for the CESAM Code. A demand failure probability or operating failure rate for each element of the Boolean expression was also used as input. With these inputs, the CESAM Code then calculates the unavailability for the developed events. These unavailabilities are presented in Table 6.4.4.3-1. Note that the unavailabilities are presented as distributions with median values and error factors.

TABLE 6.4.4.2-1
COOLING WATER DEVELOPED EVENT UNAVAILABILITIES

Component Code | Description | Unavailability (Median Value) | Error Factor
CZZX5484 | ESF pump room cooling common cause faults | 1.19E-5 | 5
CZZX5485 | LPSI pump A room cooling independent faults | 4.75E-4 | 2
CZZX5486 | LPSI pump B room cooling independent faults | 4.75E-4 | 2
CZZX5487 | HPSI pump A room cooling independent faults | 4.75E-4 | 2
CZZX5488 | HPSI pump B room cooling independent faults | 4.75E-4 | 2
CZZX5489 | CS pump A room cooling independent faults | 4.75E-4 | 2
CZZX5490 | CS pump B room cooling independent faults | 4.75E-4 | 2
CZZX5493 | Essential chilled water loop common cause faults | 3.14E-5 | 8
CZZX5494 | Essential chilled water loop A independent faults | 1.42E-2 | 4
CZZX5495 | Essential chilled water loop B independent faults | 6.55E-3 | 5
CZZX5496 | Essential cooling water loop common cause faults | 1.24E-4 | 18
CZZX5497 | Essential cooling water loop A independent faults | 2.97E-2 | 3
CZZX5498 | Essential cooling water loop B independent faults | 1.52E-2 | 4
CZZX5503 | AFW pump room cooling independent faults | 4.75E-4 | 2

TABLE 6.4.4.3-1 (Continued)
INSTRUMENT AIR DEVELOPED EVENT UNAVAILABILITIES

Component Code | Description | Unavailability (Median Value) | Error Factor
IAINDF | Instrument air single independent faults | 1.49E-6 | 3
IACCF | Instrument air common cause faults | 1.50E-5 | 3
IAFILTRA | Instrument air dryer/filter assembly train A faults | 2.99E-4 | 3
IAFILTRB | Instrument air dryer/filter assembly train B faults | 3.61E-3 | 6
IACOMPA | Compressed air train A faults | 1.66E-3 | 21
IACOMPB | Compressed air train B faults | 9.96E-3 | 7
IACOMPC | Compressed air train C faults | 9.96E-3 | 7

6.4.4.4 Pump and Valve Control Circuit Failure Rates

Pump and valve control circuits are included as part of breaker or contactor (circuit interrupter) faults which are modeled directly in the fault trees for front-line systems. In order to estimate breaker or contactor unavailability, failure rates for their control circuits must first be determined. This is accomplished by constructing typical fault tree models for breaker and contactor control circuits. These models were then quantified to determine their unavailabilities.

A typical valve contactor control circuit consists of wires, transformer, fuses, switch contacts, and relay contacts. A typical pump breaker control circuit consists of relay contacts, switch contacts, wires, and fuses.

Failures of these components were included in the fault tree models. Failure rates for these components were obtained from WASH 1400(18). These values were used to estimate unavailabilities for pump breaker and valve contactor control circuits. The estimated median unavailability for a pump breaker control circuit is 1.07E-3 with an error factor of 10. The estimated median unavailability for a valve contactor control circuit is 2.05E-3 with an error factor of 10. The unavailabilities for pump breaker and valve contactor control circuits are assumed to be lognormally distributed.
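As an added illustration (not part of the original report and not the CESAM Code), the following Python sketch reproduces the conditional AFAS calculation given earlier in this section and converts the median and error factor pairs quoted for AFAS and for the control circuits into the other lognormal parameters. It assumes the error factor is the ratio of the 95th percentile to the median and that the AFAS contributors are independent; all function names are hypothetical.

```python
import math

# Assumption: error factor = 95th percentile / median, so sigma = ln(EF) / 1.645.
Z95 = 1.645

# Dominant RPS cutsets (basic events, probability) as quoted in this section.
RPS_CUTSETS = [
    (("CTCB",), 2.50e-6),
    (("CCFTCH", "DPF", "OERMT"), 1.06e-7),
    (("CKR", "OERMT"), 1.65e-8),
]
Q_RPS = 2.64e-6  # total RPS unavailability quoted in the text

# AFAS contributors that are not shared with the RPS (values quoted in the text).
AFAS_INDEPENDENT = {"CLPS": 3.90e-4, "CIR": 3.30e-7}


def shared_contribution(cutsets, total, shared_events):
    """Fraction of `total` carried by cutsets that contain any shared basic event."""
    if total <= 0:
        raise ValueError("total unavailability must be positive")
    shared_events = set(shared_events)
    shared = sum(p for events, p in cutsets if shared_events & set(events))
    return shared / total


def combine(probabilities):
    """Probability that at least one independent contributor occurs."""
    survive = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def conditional_afas_unavailability():
    """AFAS unavailability given RPS failure, following the steps in the text."""
    # Step 1: share of RPS unavailability due to the component common to both
    # systems (CCFTCH), rounded to two decimals as the report does (0.04).
    conditional = round(shared_contribution(RPS_CUTSETS, Q_RPS, {"CCFTCH"}), 2)
    # Step 2: combine it with the AFAS contributors that are not shared.
    return combine([conditional, *AFAS_INDEPENDENT.values()])


def lognormal_parameters(median, error_factor):
    """Mean, standard deviation and 5th/95th percentiles of a lognormal
    distribution specified by its median and error factor."""
    if median <= 0 or error_factor < 1:
        raise ValueError("median must be > 0 and error factor >= 1")
    sigma = math.log(error_factor) / Z95
    mean = median * math.exp(sigma ** 2 / 2)
    std_dev = mean * math.sqrt(math.exp(sigma ** 2) - 1)
    return {
        "median": median,
        "mean": mean,
        "std_dev": std_dev,
        "p05": median / error_factor,
        "p95": median * error_factor,
    }


if __name__ == "__main__":
    print("Q(CCFTCH/RPS) =", shared_contribution(RPS_CUTSETS, Q_RPS, {"CCFTCH"}))
    print("AFAS given RPS failure =", conditional_afas_unavailability())
    for label, median, ef in [
        ("AFAS given RPS failure", 4.00e-2, 5),
        ("Pump breaker control circuit", 1.07e-3, 10),
        ("Valve contactor control circuit", 2.05e-3, 10),
    ]:
        print(label, lognormal_parameters(median, ef))
```

The mean of a lognormal distribution with a large error factor sits well above its median, which is why the report's tables list both.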


7.0 ACCIDENT SEQUENCE ANALYSIS

7.1 SYSTEM UNAVAILABILITY ANALYSIS

This section presents the results of the fault tree analyses for the front line systems which respond to mitigate the transients and accidents described in Section 4 of this report.

7.1.1 Safety Injection Tanks

"Safety Injection Tank Injection" appears as an element in the Large LOCA Event Tree (Figure 4.1-1) and the Medium LOCA Event Tree (Figure 4.2-1). The basic success criterion for this system is that three of the four Safety Injection Tanks must deliver their contents to the RCS. For cold leg breaks, one SIT is assumed to feed the break so failure of one of the other three SITs results in system failure. For non-cold leg breaks, failure of two of the four SITs is required for system failure. Based on the fault tree analysis, the unavailability parameters for the Safety Injection Tank System are:

Mean =
Median =
Error Factor =
Standard Deviation =

The dominant cutsets for the SIT system all involve the single failure of one of the three series valves between an SIT and its associated cold leg injection point. These cutsets contribute 97% of the system unavailability.

7.1.2 Low Pressure Safety Injection System

"Low Pressure Safety Injection System Injection" appears as an element on the Large LOCA Event Tree (Figure 4.1-1). "Depressurize RCS and Establish Low Pressure Safety Injection" appears as an element backing up HPSI injection on the Small LOCA Event Tree (Figure 4.3-1), and the Steam Generator Tube Rupture (SGTR) Event Tree (Figure 4.4-1). "Depressurize RCS for Low Pressure Safety Injection System Recirculation" appears as an element backing up HPSI Recirculation on the Small LOCA and SGTR Event Trees.

The basic success criterion for the LPSI system is that 50% of the flow from one LPSI pump must be delivered to the RCS. Where LPSI injection or LPSI recirculation is required due to failure of HPSI injection or HPSI recirculation respectively, the RCS first has to be depressurized to the LPSI pump shutoff head via an aggressive secondary side cooldown using both steam generators. If, following HPSI injection failure, RCS depressurization and LPSI injection is successful, further depressurization is not required for LPSI recirculation, but at least one LPSI pump must be restarted following RAS.

Table 7.1.2-1 presents the LPSI system unavailability parameters. Table 7.1.2-2 presents the dominant cutsets for LPSI injection, and Table 7.1.2-3 presents the dominant cutsets for LPSI Recirculation given successful Depressurization and LPSI injection. Both Depressurization for LPSI injection given HPSI failure and Depressurization for LPSI recirculation given HPSI recirculation failure were dominated by "failure of operator to initiate aggressive secondary cooldown".

TABLE 7.1.2-1
LPSI SYSTEM UNAVAILABILITY PARAMETERS

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation
Failure of LPSI injection (Base Case) | | | |
Failure of LPSI injection (with recovery) | | | |
Failure to Depressurize for LPSI injection given failure of HPSI injection | | | |
Failure to Depressurize for LPSI Recirculation given failure of HPSI injection | | | |
Failure of LPSI Recirculation given Depressurization for LPSI injection successful | | | |
Failure of LPSI Recirculation given Depressurization for LPSI injection successful (with recovery) | | | |

TABLE 7.1.2-2
DOMINANT CUTSET GROUPS FOR FAILURE OF LPSI INJECTION

Group | Description | Percent Contribution
1 | (Loss of Cooling to one LPSI Pump) (Demand Failure of other LPSI Pump) | 24.6 %
2 | (Loss of Cooling to LPSI Pump A) (Loss of Cooling to LPSI Pump B) | 22.7 %
3 | (Loss of Cooling to one LPSI Pump) (Failure of header valves for other LPSI Train) | 21.1 %
4 | (Demand failure of one LPSI Pump) (Failure of header valves for other LPSI Train) | 10.7 %
5 | (Demand failure of both LPSI Pumps) | 6.7 %
6 | (Common cause failure of cooling to both LPSI Pumps) | 3.8 %
7 | (Common cause failure of both LPSI Pumps) | 2.7 %
8 | (Common cause failure of LPSI header valves) | 1.5 %
9 | (Common cause failure of SIAS) (Operator fails to manually initiate SIAS) | 1.0 %
Total | | 94.8 %

TABLE 7.1.2-3
DOMINANT CUTSET GROUPS FOR FAILURE OF LPSI RECIRCULATION

Group | Description | Percent Contribution
1 | (Operator fails to restart LPSI pumps following RAS) | 59.6 %
2 | (Loss of cooling to one LPSI train) (Failure of sump isolation valve for other train) | 7.5 %
3 | (Demand failure of one LPSI pump) (Loss of cooling to other LPSI pump) | 6.0 %
4 | (Demand failure of one LPSI pump) (Failure of sump isolation valve for other LPSI train) | 5.8 %
5 | (Loss of cooling to LPSI Pump A) (Loss of cooling to LPSI Pump B) | 4.1 %
6 | (Failure of Train A sump isolation valve) (Failure of Train B sump isolation valve) | 3.1 %
7 | (Demand failure of both LPSI pumps) | 2.1 %
8 | (Failure of LPSI header valve on one train) (Failure of sump isolation valve on other train) | 1.6 %
9 | (Failure of LPSI header valve on one train) (Loss of cooling to LPSI pump in other train) | 1.3 %
10 | (Loss of cooling to one LPSI pump) (Loss of 480 VAC load center for other train) | 1.0 %
Total | | 92.1 %

7.1.3 High Pressure Safety Injection System

"High Pressure Safety Injection" appears as an element in the Medium LOCA Event Tree (Figure 4.2-1), the Small LOCA Event Tree (Figure 4.3-1), the SGTR Event Tree (Figure 4.4-1), the Large Secondary Side Break (LSSB) Event Tree (Figure 4.5-1), the Station Blackout (SBO) Event Tree (Figure 4.7-2) and the ATWS Event Tree (Figure 4.8-1). "HPSI Recirculation" appears as an element in the Large LOCA Event Tree (Figure 4.1-1), the Medium LOCA Event Tree, the Small LOCA Event Tree and the SBO Event Tree. "Hot and Cold Leg Recirculation" appears as an element on the Large and Medium LOCA Event Trees.

The success criterion for "Hot and Cold Leg Recirculation" is that recirculation flow must be delivered to the RCS through at least one HPSI cold leg injection line and at least one HPSI hot leg injection line. For "HPSI Recirculation", the success criterion is that at least one HPSI pump must deliver flow from the sump to the RCS via at least two of the four injection lines. The success criterion for HPSI injection for all events except ATWS is that at least one HPSI pump must deliver flow to the RCS via at least two of the injection lines. For ATWS, the "High Pressure Injection" success criterion is that at least one HPSI pump must deliver flow to the RCS via at least one injection line or that all three charging pumps must deliver flow to the RCS. For Medium LOCAs, it was assumed that one injection line was feeding the break.

Table 7.1.3-1 presents the HPSI system unavailability parameters for the scenarios discussed above. Tables 7.1.3-2 through 7.1.3-7 present the dominant cutsets for each applicable model.

TABLE 7.1.3-1
HPSI SYSTEM UNAVAILABILITY PARAMETERS

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation
Failure of HPSI injection - 2 of 3 lines (Base Case) | | | |
Failure of HPSI injection - 3 of 4 lines (Base Case) | | | |
Failure of HPSI injection - 3 of 4 lines (with recovery) | | | |
Failure of HPSI injection - 3 of 4 lines, given AFW Failure | | | |
Failure of HPSI injection - 4 of 4 lines | | | |
Failure of HPSI Recirculation (Base Case) | | | |
Failure of HPSI Recirculation given AFW Failure | | | |
Failure of HPSI Recirculation given HPSI injection successful | | | |
Failure of HPSI Recirculation given HPSI injection successful (with recovery) | | | |
Failure of hot and cold leg injection (Base Case) | | | |
Failure of hot and cold leg injection given HPSI injection successful | | | |
Failure of hot and cold leg injection given HPSI injection successful (with recovery) | | | |
Failure of high pressure injection following ATWS (Failure of 4 of 4 HPSI lines and 1 of 3 charging pumps) | | | |

TABLE 7.1.3-2
DOMINANT CUTSET GROUPS FOR FAILURE OF HPSI INJECTION - 2 OF 3 LINES

Group | Description | Percent Contribution
1 | (Failure of one HPSI pump) (Loss of cooling to other HPSI pump) | 30.1 %
2 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) | 24.4 %
3 | (Loss of cooling to one HPSI pump) (Failure of injection header valves for other HPSI pump) | 9.6 %
4 | (Failure of HPSI Pump A) (Failure of HPSI Pump B) | 8.3 %
5 | (Failure of one HPSI pump) (Failure of injection header valves for other HPSI pump) | 5.3 %
6 | (Common cause failure of HPSI pump cooling) | 4.0 %
7 | (Common cause failure of HPSI system valves) | 3.7 %
8 | (Common cause failure of HPSI pumps) | 2.8 %
9 | (Loss of cooling to one HPSI pump) (Failure of a 480 VAC load center for other HPSI train) | 2.2 %
10 | (Loss of cooling to one HPSI pump) (Failure of pump isolation valves for other pump) | 1.5 %
11 | (Failure of one HPSI pump) (Failure of a 480 VAC load center for other HPSI train) | 1.2 %
12 | (Failure of one HPSI pump) (Failure of pump isolation valves for other pump) | 1.0 %
Total | | 94.1 %

TABLE 7.1.3-3
DOMINANT CUTSET GROUPS FOR FAILURE OF HPSI INJECTION - 3 OF 4 LINES

Group | Description | Percent Contribution
1 | (Failure of one HPSI pump) (Loss of cooling to other HPSI pump) | 35.8 %
2 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) | 28.9 %
3 | (Failure of HPSI Pump A) (Failure of HPSI Pump B) | 9.8 %
4 | (Common cause failure of HPSI pump cooling) | 4.8 %
5 | (Common cause failure of HPSI system valves) | 4.5 %
6 | (Common cause failure of HPSI pumps) | 3.4 %
7 | (Loss of cooling to one HPSI pump) (Failure of a 480 VAC load center for other HPSI train) | 2.5 %
8 | (Loss of cooling to one HPSI pump) (Failure of pump isolation valves for other pump) | 1.8 %
9 | (Failure of one HPSI pump) (Failure of a 480 VAC load center for other HPSI train) | 1.4 %
10 | (Failure of one HPSI pump) (Failure of pump isolation valves for other pump) | 1.2 %
11 | (Loss of cooling to one HPSI pump) (Failure of a 480 VAC motor control center for other HPSI train) | 1.2 %
Total | | 95.3 %

TABLE 7.1.3-4
DOMINANT CUTSET GROUPS FOR FAILURE OF HPSI INJECTION - 4 OF 4 LINES

Group | Description | Percent Contribution
1 | (Failure of one HPSI pump) (Loss of cooling to other HPSI pump) | 36.6 %
2 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) | 29.6 %
3 | (Failure of HPSI Pump A) (Failure of HPSI Pump B) | 10.1 %
4 | (Common cause failure of HPSI pump cooling) | 4.9 %
5 | (Common cause failure of HPSI system valves) | 4.5 %
6 | (Common cause failure of HPSI pumps) | 3.4 %
7 | (Loss of cooling to one HPSI pump) (Failure of a 480 VAC load center for other HPSI train) | 2.6 %
8 | (Loss of cooling to one HPSI pump) (Failure of pump isolation valves for other pump) | 1.8 %
9 | (Failure of one HPSI pump) (Failure of a 480 VAC load center for other HPSI train) | 1.4 %
10 | (Failure of one HPSI pump) (Failure of pump isolation valves for other pump) | 1.2 %
11 | (Loss of cooling to one HPSI pump) (Failure of a 480 VAC motor control center for other HPSI train) | 1.2 %
Total | | 97.3 %

TABLE 7.1.3-5
DOMINANT CUTSET GROUPS FOR FAILURE OF HPSI RECIRCULATION

Group | Description | Percent Contribution
1 | (Loss of cooling to one HPSI pump) (Failure of sump isolation valve for other HPSI train) | 29.8 %
2 | (Loss of cooling to one HPSI pump) (Failure of other HPSI pump) | 19.5 %
3 | (Failure of one HPSI pump) (Failure of sump isolation valve for other HPSI train) | 12.5 %
4 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) | 12.4 %
5 | (Failure of Train A sump isolation valve) (Failure of Train B sump isolation valve) | 5.7 %
6 | (Failure of HPSI Pump A) (Failure of HPSI Pump B) | 5.9 %
7 | (Failure of sump isolation valve for one HPSI train) (Failure of a 480 VAC load center for other HPSI train) | 3.8 %
8 | (Loss of cooling to one HPSI pump) (Failure of a 480 VAC load center for other HPSI train) | 2.8 %
9 | (Common cause failure of HPSI system valves) | 2.8 %
10 | (Common cause failure of HPSI pump cooling) | 2.3 %
11 | (Common cause failure of HPSI pumps) | 2.1 %
12 | (Loss of cooling for one HPSI pump) (Failure of a 480 VAC motor control center for other train) | 1.9 %
13 | (Failure of one HPSI pump) (Failure of a 480 VAC load center for other train) | 1.7 %
14 | (Failure of one HPSI pump) (Failure of a 480 VAC motor control center for the other train) | 1.2 %
15 | (Failure of sump isolation valve for one HPSI train) (Failure of a 480 VAC motor control center for other train) | 1.2 %
16 | (Failure of recirculation actuation signal) | 1.1 %
Total | | 98.7 %

TABLE 7.1.3-6
DOMINANT CUTSET GROUPS FOR HOT AND COLD LEG INJECTION

Group | Description | Percent Contribution
1 | (Loss of cooling to one HPSI pump) (Failure of hot leg injection valve for other train) | 22.9 %
2 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) | 13.9 %
3 | (Loss of cooling to one HPSI pump) (Failure of HPSI Discharge Isolation valve in other train) | 12.5 %
4 | (Operator fails to initiate hot & cold leg injection) | 9.0 %
5 | (Failure of HPSI Discharge Isolation Valve in one train) (Failure of hot leg injection valve in other train) | 7.9 %
6 | (Failure of hot leg injection valve for Train A) (Failure of hot leg injection valve for Train B) | 7.3 %
7 | (Failure of one HPSI pump) (Failure of hot leg injection valve for other train) | 3.3 %
8 | (Loss of cooling to one HPSI pump) (Failure of a 480 VAC load center for other train) | 3.1 %
9 | (Common cause failure of HPSI system valves) | 3.0 %
10 | (Loss of cooling to one HPSI pump) (Failure of other HPSI pump) | 2.8 %
11 | (Common cause failure of HPSI pump cooling) | 2.7 %
12 | (Failure of HPSI Discharge isolation valve for Train A) (Failure of HPSI Discharge isolation valve for Train B) | 2.0 %
13 | (Failure of hot leg injection valve for one train) (Failure of a 480 VAC load center for other train) | 2.0 %
14 | (Failure of one HPSI pump) (Failure of HPSI Discharge isolation valve for other train) | 1.8 %
15 | (Loss of cooling to one HPSI pump) (Failure of a 480 VAC motor control center for other train) | 1.4 %
16 | (Failure of HPSI Discharge isolation valve for one train) (Failure of a 480 VAC load center for other train) | 1.1 %
Total | | 96.9 %

TABLE 7.1.3-7
DOMINANT CUTSET GROUPS FOR HIGH PRESSURE INJECTION FOR ATWS

Group | Description | Percent Contribution
1 | (Failure of a HPSI pump) (Loss of cooling to the other HPSI pump) (Failure of a charging pump) | 18.3 %
2 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) (Failure of a charging pump) | 14.7 %
3 | (Failure of one HPSI pump) (Loss of cooling to other HPSI pump) (Failure of a charging line valve) | 7.9 %
4 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) (Failure of a charging line valve) | 6.4 %
5 | (Failure of HPSI Pump A) (Failure of HPSI Pump B) (Failure of a charging pump) | 5.1 %
6 | (Failure of one HPSI pump) (Loss of cooling to other HPSI pump) (one charging pump out for maintenance) | 4.4 %
7 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) (one charging pump out for maintenance) | 3.6 %
8 | (Common cause loss of cooling to HPSI pumps) (Failure of a charging pump) | 2.5 %
9 | (Failure of HPSI Pump A) (Failure of HPSI Pump B) (Failure of a charging line valve) | 2.2 %
10 | (Common cause failure of HPSI system valves) (Failure of a charging pump) | 2.2 %
11 | (Failure of a HPSI pump) (Loss of cooling to other HPSI pump) (Failure of a 480 VAC load center) | 2.1 %
12 | (Common cause failure of HPSI pumps) (Failure of a charging pump) | 1.7 %
13 | (Loss of cooling to HPSI Pump A) (Loss of cooling to HPSI Pump B) (Failure of a 480 VAC load center) | 1.7 %
14 | (Failure of HPSI Pump A) (Failure of HPSI Pump B) (one charging pump out for maintenance) | 1.2 %
15 | (Common cause loss of cooling to HPSI pumps) (Failure of a charging line valve) | 1.1 %
Total | | 75.1 %

7.1.4 Containment Spray System

Following a breach of the primary system pressure boundary (a LOCA), one of the functions of the containment spray system is to provide cooling of the RCS inventory in the containment sump. Following the RAS, the containment spray pumps draw inventory from the containment sump and discharge it back into the containment via the shutdown cooling heat exchangers and the containment spray headers. The success criterion for this system is that one containment spray pump must provide flow from the sump to the spray headers via one shutdown cooling heat exchanger. This system constitutes the element "recirc cooling" on the Large LOCA Event Tree (Figure 4.1-1) and the Medium LOCA Event Tree (Figure 4.2-1).

Table 7.1.4-1 presents the unavailability parameters for the containment spray system during the recirculation phase. Tables 7.1.4-2 and 7.1.4-3 present the dominant cutsets for the system.

TABLE 7.1.4-1
CONTAINMENT SPRAY SYSTEM UNAVAILABILITY PARAMETERS

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation
Failure of containment spray recirculation cooling (Base Case) | | | |
Failure of containment spray recirculation cooling given HPSI recirculation successful | | | |
Failure of containment spray recirculation cooling given HPSI recirculation successful (with recovery) | | | |

TABLE 7.1.4-2
DOMINANT CUTSET GROUPS FOR CONTAINMENT SPRAY RECIRCULATION COOLING

Group | Description | Percent Contribution
1 | (Loss of cooling to one CS pump) (Failure of sump isolation valve for other CS train) | 14.6 %
2 | (Failure of one CS pump) (Loss of cooling to other CS pump) | 11.7 %
3 | (Failure of one CS pump) (Failure of a sump isolation valve for other CS train) | 11.3 %
4 | (Loss of cooling to CS Pump A) (Loss of cooling to CS Pump B) | 7.9 %
5 | (Loss of cooling to one CS pump) (Failure of containment spray valve for other CS train) | 7.3 %
6 | (Failure of containment spray valve in one CS train) (Failure of sump isolation valve for other train) | 6.1 %
7 | (Failure of Train A sump isolation valve) (Failure of train B sump isolation valve) | 6.1 %
8 | (Failure of one CS pump) (Failure of containment spray valve in other CS train) | 5.7 %
9 | (Failure of CS Pump A) (Failure of CS Pump B) | 4.3 %
10 | (Common cause failure of CS system valves) | 4.2 %
11 | (Common cause loss of cooling to CS pumps) | 2.3 %
12 | (Loss of cooling to one CS pump) (Failure of 480 VAC load center for other CS train) | 2.0 %
13 | (Common cause failure of CS pumps) | 1.9 %
14 | (Failure of one CS pump) (Failure of 480 VAC load center for other CS train) | 1.5 %
15 | (Failure of Train A containment spray valve) (Failure of Train B containment spray valve) | 1.5 %
16 | (Loss of cooling to one CS Pump) (Failure of 480 VAC motor control center for other train) | 1.4 %
17 | (Failure of sump isolation valve for one CS train) (Failure of a 480 VAC load center for other CS train) | 1.3 %
18 | (Failure of sump isolation valve for one CS train) (Failure of a 480 VAC motor control center for other CS train) | 1.2 %
19 | (Failure of one CS pump) (Failure of a 480 VAC motor control center for other CS train) | 1.1 %
20 | (Failure of RAS) | 1.0 %
Total | | 94.4 %

TABLE 7.1.4-3
DOMINANT CUTSET GROUPS FOR CONTAINMENT SPRAY RECIRCULATION COOLING GIVEN HPSI RECIRCULATION SUCCESSFUL

Group | Description | Percent Contribution
1 | (Loss of cooling to one CS pump) (Failure of sump isolation valve in other train) | 18.2 %
2 | (Failure of one CS pump) (Loss of cooling to other CS pump) | 14.4 %
3 | (Failure of one CS pump) (Failure of sump isolation valve in other train) | 14.0 %
4 | (Loss of cooling to one CS pump) (Failure of containment spray valve in other train) | 9.0 %
5 | (Failure of containment spray valve in one train) (Failure of sump isolation valve in other train) | 7.5 %
6 | (Failure of one containment spray pump) (Failure of containment spray valve in other train) | 7.0 %
7 | (Failure of CS pump A) (Failure of CS pump B) | 5.3 %
8 | (Common cause failure of CS system valves) | 3.8 %
9 | (Loss of cooling to one CS pump) (Failure of 480 VAC load center for other train) | 2.5 %
10 | (Common cause failure of CS pumps) | 2.4 %
11 | (Failure of sump isolation valve in one train) (Failure of 480 VAC load center for other train) | 2.1 %
12 | (Failure of one CS pump) (Failure of a 480 VAC load center for the other train) | 1.9 %
13 | (Failure of Train A containment spray valve) (Failure of train B containment spray valve) | 1.9 %
14 | (Loss of cooling to one CS pump) (Failure of a 480 VAC motor control center for other train) | 1.7 %
15 | (Failure of sump isolation valve in one train) (Failure of a 480 VAC motor control center for other train) | 1.4 %
16 | (Failure of one CS pump) (Failure of a 480 VAC motor control center for the other train) | 1.3 %
17 | (Failure of containment spray valve for one train) (Failure of a 480 VAC motor control center for other train) | 1.0 %
Total | | 95.4 %

7.1.5 Shutdown Cooling System

"Establish Shutdown Cooling" appears as an element on the Small LOCA Event Tree (Figure 4.3-1), the Steam Generator Tube Rupture (SGTR) Event Tree (Figure 4.4-1), the Large Secondary Side Break (LSSB) Event Tree (Figure 4.5-1), the Transient Event Tree (Figure 4.6-1), the Loss of Offsite Power (LOOP) Event Tree (Figure 4.7-1), the Station Blackout (SBO) Event Tree (Figure 4.7-2) and the ATWS Event Tree, in the "Long Term Cooling" element (Figure 4.8-1). The success criterion for this element is that shutdown cooling flow must be established using at least one shutdown cooling train.

Table 7.1.5-1 presents the unavailability parameters for the shutdown cooling system. Table 7.1.5-2 presents the dominant cutsets for the shutdown cooling system.

TABLE 7.1.5-1
SHUTDOWN COOLING SYSTEM UNAVAILABILITY PARAMETERS

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation
Failure to establish shutdown cooling (Base Case) | | | |
Failure to establish shutdown cooling given offsite power available | | | |
Failure to establish shutdown cooling given offsite power unavailable | | | |
Failure to establish shutdown cooling given failure of AFW | | | |
Failure to establish shutdown cooling given HPSI failure | | | |
Failure to establish shutdown cooling (with recovery) | | | |
Failure to establish shutdown cooling given AFW failure (with recovery) | | | |
Failure to establish shutdown cooling given HPSI failure (with recovery) | | | |

TABLE 7.1.5-2
DOMINANT CUTSET GROUPS FOR FAILURE TO ESTABLISH SHUTDOWN COOLING

Group | Description | Percent Contribution
1 | (Loss of cooling to one LPSI pump) (Failure of SDC suction isolation valve in other train) | 16.0 %
2 | (Failure of SDC suction isolation valve in train A) (Failure of SDC suction isolation valve in train B) | 10.2 %
3 | (Failure of SDC suction isolation valve in one train) (Failure of SDC crossover valve on other train) | 6.7 %
4 | (Loss of cooling to LPSI pump A) (Loss of cooling to LPSI pump B) | 5.8 %
5 | (Loss of cooling to one LPSI pump) (Failure of SDC crossover valve on other train) | 5.3 %
6 | (Failure of SDC suction isolation valve in one train) (Failure of heat exchanger bypass valve on other train) | 5.0 %
7 | (Failure of SDC suction isolation valve in one train) (Failure of SDC throttle valve in other train) | 5.0 %
8 | (Loss of cooling to one LPSI pump) (Failure of heat exchanger bypass valve in other train) | 4.0 %
9 | (Loss of cooling to one LPSI pump) (Failure of SDC throttle valve in other train) | 4.0 %
10 | (Common cause failure of SDC system valves) | 3.7 %
11 | (Failure of one LPSI pump) (Failure of SDC suction isolation valve in other train) | 3.6 %
12 | (Loss of cooling to one LPSI pump) (Failure of other LPSI pump) | 2.9 %
13 | (Failure of SDC suction isolation valve in one train) (Failure of a 480 VAC load center for other train) | 2.7 %
14 | (Loss of cooling to one LPSI pump) (Failure of a 480 VAC load center for other train) | 2.2 %
15 | (Failure of SDC suction isolation valve in one train) (Failure of a 480 VAC motor control center for other train) | 2.1 %
16 | (Common cause loss of cooling to LPSI pumps) | 1.7 %
17 | (Failure of SDC crossover valve in one train) (Failure of heat exchanger bypass valve in other train) | 1.7 %
18 | (Failure of SDC crossover valve in one train) (Failure of SDC throttle valve in other train) | 1.7 %
19 | (Loss of cooling to one LPSI pump) (Failure of a 480 VAC motor control center for other train) | 1.7 %
20 | (Common cause failure of LPSI pumps) | 1.4 %
21 | (Failure of SDC throttle valve in one train) (Failure of heat exchanger bypass valve in other train) | 1.2 %
22 | (Failure of one LPSI pump) (Failure of SDC crossover valve in other train) | 1.2 %
23 | (Failure of train A SDC crossover valve) (Failure of train B SDC crossover valve) | 1.2 %
Total | | 90.8 %

1339h(84Z5)/ mas-29 .

7.1.6 Auxiliary Feedwater System

"Deliver Auxiliary Feedwater" appears as an element in the Small LOCA event tree (Figure 4.3-1), the Steam Generator Tube Rupture (SGTR) event tree (Figure 4.4-1), the Large Secondary Side Break (LSSB) event tree (Figure 4.5-1), the Loss of Offsite Power (LOOP) event tree (Figure 4.7-1), the Station Blackout (SBO) event tree (Figure 4.7-2) and the ATWS event tree (Figure 4.8-1). It is also included in the element "Deliver Feed Flow" on the transients event tree (Figure 4.6-1). The function of the auxiliary feedwater system is to deliver sufficient feedwater flow to the steam generators to meet decay heat removal requirements following a reactor trip. For the SGTR and LSSB event trees, the success criterion for the auxiliary feedwater system is that one of the two category 1 auxiliary feedwater pumps deliver flow to the unaffected (intact) steam generator. For the small LOCA, the LOOP and the ATWS event trees, the success criterion for the auxiliary feedwater system is that one of the two category 1 auxiliary feedwater pumps deliver flow to one of the two steam generators. For the SBO event tree, the success criterion for the auxiliary feedwater system is that the turbine-driven category 1 auxiliary feedwater pump deliver flow to one of the two steam generators. For the transient event tree, the success criteria for the element "Deliver Feed Flow" are:

a) For transients not initiated by a loss of main feedwater or loss of condenser vacuum, ramp back and deliver 5% main feedwater flow to one of two steam generators, or deliver flow from one of two auxiliary feedwater pumps to one of two steam generators;

b) For loss of main feedwater or loss of condenser vacuum transients, deliver auxiliary feedwater flow to one of two steam generators.

For each of the event trees discussed above, with the exception of the SBO event tree, use of the startup auxiliary feedwater pump was credited as a recovery action for the element "deliver auxiliary feedwater flow".

Table 7.1.7-1 presents the unavailability parameters for the auxiliary feedwater system. Tables 7.1.6-2 through 7.1.6-4 present the dominant cutset for failure of the auxiliary feedwater system.

TABLE 7.1.6-1
UNAVAILABILITY PARAMETERS FOR AUXILIARY FEEDWATER SYSTEM

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation

Failure to deliver AFW to 1 of 2 generators (Base Case)
Failure to deliver AFW to 1 of 2 generators given RPS Failure
Failure to deliver AFW to 1 of 2 generators given LOOP
Failure to deliver AFW to 1 of 2 generators given SBO
Failure to deliver AFW to 1 of 2 generators (with recovery)
Failure to deliver AFW to 1 of 2 generators given LOOP (with recovery)
Failure to deliver AFW to intact generator (Base Case)
Failure to deliver AFW to intact generator given HPSI failure
Failure to deliver AFW to intact generator (with recovery)
Failure to deliver Feedwater Flow to 1 of 2 generators (Base Case)
(with recovery)

TABLE 7.1.6-2
DOMINANT CUTSET GROUPS FOR FAILURE TO DELIVER AFW TO 1 OF 2 GENERATORS

Group | Description | Percent Contribution
1 | (Failure of turbine-driven AFW pump) (Loss of cooling of the motor-driven AFW pump) | 58.5 %
2 | (Failure of motor-driven AFW pump) (Failure of turbine-driven AFW pump) | 5.0 %
3 | (Common cause failure of AFAS) (Operator fails to manually initiate AFAS) | 2.3 %
4 | (Common cause failure of AFW check valve) | 2.1 %
5 | (Failure of turbine-driven AFW pump isolation valves) (Loss of cooling to motor-driven AFW pump) | 1.6 %
6 | (Failure of turbine-driven AFW pump) (Loss of 480 VAC center for motor-driven AFW pump train) | 1.2 %
Total | | 70.7 %

TABLE 7.1.6-3
DOMINANT CUTSET GROUPS FOR FAILURE TO DELIVER AFW TO INTACT GENERATORS

Group | Description | Percent Contribution
1 | (Loss of cooling to motor-driven AFW pump) (Failure of AFW distribution valve from turbine-driven AFW pump) | 19.9 %
2 | (Loss of cooling to motor-driven AFW pump) (Failure of turbine-driven AFW pump) | 19.1 %
3 | (Failure of one AFW pump) (Failure of AFW distribution valve from other AFW pump) | 11.3 %
4 | (Failure of AFW distribution valve from motor-driven AFW pump) (Failure of AFW distribution valve from turbine-driven AFW pump) | 5.0 %
5 | (Check valve to generator fails) | 4.0 %
6 | (Failure of turbine driven pump) (Failure of motor-driven pump) | 1.7 %
Total | | 61.0 %

Note: All other cutset groups have a contribution of 0.5% or less.

TABLE 7.1.6-4
DOMINANT CUTSET GROUPS FOR FAILURE TO DELIVER AFW TO 1 OF 2 GENERATORS GIVEN SBO

Group | Description | Percent Contribution
1 | (Failure of turbine-driven pump) | 94.7 %
2 | (Turbine-driven AFW pump discharge valve not open) | 1.3 %
3 | (Turbine-driven AFW pump suction valve not open) | 1.3 %
4 | (Failure of steam supply valve to turbine-driven AFW pump) | 0.9 %
5 | (Failure of distribution valve to SG 1) (Failure of distribution valve to SG 2) | 0.5 %
Total | | 98.7 %

7.1.7 Turbine Bypass Valves

The element "steam removal via turbine bypass valves" appears in the small LOCA Event Tree (Figure 4.3-1), the Steam Generator Tube Rupture (SGTR) Event Tree (Figure 4.4-1), the Transients Event Tree (Figure 4.6-1) and the ATWS Event Tree (Figure 4.8-1) within the "Steam Removal" element. The function of the turbine bypass valves is to provide a steaming path from the steam generators to the condenser for decay heat removal following a reactor trip.

If the condenser is not available, the turbine bypass valves are prevented from opening to prevent condenser damage. The success criterion for this system is that at least one of eight valves must open to provide a steam removal path from at least one of the two steam generators.

Table 7.1.7-1 presents the unavailability parameters for the turbine bypass valves. Table 7.1.7-2 and Table 7.1.7-3 present the dominant cutsets for the turbine bypass valves.

TABLE 7.1.7-1
UNAVAILABILITY PARAMETERS FOR TURBINE BYPASS VALVES

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation

Failure of turbine bypass valves: Transients (Base Case)
Failure of turbine bypass valves: Non-transient
Failure of turbine bypass valves, offsite power available

TABLE 7.1.7-2
DOMINANT CUTSET GROUPS FOR FAILURE OF TURBINE BYPASS VALVES: TRANSIENTS

Group | Description | Percent Contribution
1 | (Loss of condenser vacuum (initiator)) | 83.3 %
2 | (Loss of grid on turbine trip) | 16.3 %
Total | | 99.6 %

TABLE 7.1.7-3
DOMINANT CUTSET GROUPS FOR FAILURE OF TURBINE BYPASS VALVES: NON-TRANSIENTS

Group | Description | Percent Contribution
1 | (Failure of 120 VAC non-vital bus providing control power) | 57.7 %
2 | (Loss of grid on turbine trip) | 19.6 %
3 | (Consequential loss of condenser vacuum) | 12.1 %
4 | (Common cause failure of 120 VAC buses) | 3.7 %
5 | (Failure of one 13.8 kV bus) (Failure of air compressors on other bus) | 3.3 %
6 | (Failure of 13.8 kV bus A) (Failure of 13.8 kV bus B) | 1.1 %
7 | (Failure of TBV control system) | 0.9 %
8 | (Common cause failure of TBVs) | 0.7 %
Total | | 99.1 %

7.1.8 Atmospheric Dump Valves

The element "Steam Removal via the Atmospheric Dump Valves" appears in the small LOCA Event Tree (Figure 4.3-1), the Steam Generator Tube Rupture (SGTR) Event Tree (Figure 4.4-1), the Large Secondary Side Break (LSSB) Event Tree (Figure 4.5-1), the Transients Event Tree (Figure 4.6-1), the Loss of Offsite Power (LOOP) Event Tree (Figure 4.7-1), the Station Blackout (SBO) Event Tree (Figure 4.7-2) and the ATWS Event Tree (Figure 4.8-1) in the element "Steam Removal". The function of the Atmospheric Dump Valves (ADVs) is to provide a steaming path from the steam generators to atmosphere for decay heat removal following a reactor trip. Each steam generator has two 100% capacity ADVs.

For the small LOCA, transients, LOOP, SBO and ATWS Event Trees, the success criterion for the ADVs is that one of the four ADVs open to provide a steaming path from one of the steam generators. For the SGTR and LSSB Event Trees, the success criterion for the ADVs is that one of two ADVs on the unaffected generator open to provide steam removal.

Table 7.1.8-1 presents the unavailability parameters for the ADVs and Tables 7.1.8-2 and 7.1.8-3 present the dominant cutset groups for the ADVs.

TABLE 7.1.8-1
UNAVAILABILITY PARAMETERS FOR THE ATMOSPHERIC DUMP VALVES

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation

Failure of ADVs - 4 of 4 (Base Case)
Failure of ADVs - 4 of 4 given failure of TBVs
Failure of ADVs - 4 of 4, given offsite power available
Failure of ADVs - 4 of 4, given offsite power not available
Failure of ADVs - 2 of 2, given offsite power available
Failure of ADVs - 2 of 2, given offsite power not available

TABLE 7.1.8-2
DOMINANT CUTSET GROUPS FOR FAILURE OF ATMOSPHERIC DUMP VALVES - 4 OF 4

Group | Description | Percent Contribution
1 | (Operator fails to open ADVs on SG 1) (Operator fails to open ADVs on SG 2) | 50.6 %
2 | (Common cause failures of ADVs and supports) | 44.0 %
3 | (Loss of grid on turbine trip) (Failure of Nitrogen supply valves for one generator) (Operator fails to open ADVs on other generators) | 3.0 %
4 | (Random failure of both ADVs on one generator) (Operator fails to open ADVs on other generator) | 1.2 %
Total | | 98.8 %

TABLE 7.1.8-3
DOMINANT CUTSET GROUPS FOR FAILURE OF ATMOSPHERIC DUMP VALVES - 2 OF 2

Group | Description | Percent Contribution
1 | (Operator fails to open valves) | 95.1 %
2 | (Loss of grid on turbine trip) (Failure of Nitrogen supply valves) | 2.8 %
3 | (Failure of both ADVs) | 1.1 %
Total | | 99.0 %

7.1.9 Alternate Secondary Heat Removal

The element "Deliver Alternate Feedwater" appears in the small LOCA event tree (Figure 4.3-1), the Steam Generator Tube Rupture (SGTR) event tree (Figure 4.4-1), the Large Secondary Side Break (LSSB) event tree (Figure 4.5-1), the transient event tree (Figure 4.6-1), the Loss of Offsite Power (LOOP) event tree (Figure 4.7-1), and the Station Blackout (SBO) event tree. This element is a backup to the auxiliary feedwater system. For the SGTR and LSSB event trees, the success criteria for this element are:

a) align main feedwater system valves to bypass main feedwater pumps,

b) start one of three condensate pumps,

c) deliver flow to the intact steam generator.

For all other applicable event trees, the success criteria for this element are:

a) align main feedwater system valves to bypass the main feedwater pumps,

b) start one of three condensate pumps,

c) deliver flow to one of two steam generators.

In either case, the actions must be accomplished within one hour of loss of auxiliary feedwater.

Table 7.1.9-1 presents the unavailability parameters for this element and Table 7.1.9-2 presents the dominant cutset groups.

TABLE 7.1.9-1
UNAVAILABILITY PARAMETERS FOR ALTERNATIVE SECONDARY HEAT REMOVAL

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation

Failure to deliver alternate feedwater (Base Case)
Failure to deliver alternate feedwater flow to intact generator
Failure to deliver alternate feedwater given offsite power available
Failure to deliver alternate feedwater given loss of offsite power

TABLE 7.1.9-2
DOMINANT CUTSET GROUPS FOR ALTERNATE SECONDARY HEAT REMOVAL (BASE CASE)

Group | Description | Percent Contribution
1 | (Operators fail to align system and initiate condensate flow to generators) | 73.5 %
2 | (MFW pump discharge valve fails to close) | 7.6 %
3 | (Feedwater heater bypass valve fails to open) | 3.2 %
4 | (Failure of 13.8 kV tie breaker) | 3.1 %
5 | (Loss of grid on turbine trip) | 1.5 %
Total | | 55.9 %

7.1.10 RCS Pressure Control

The element "RCS Pressure Control" appears in the Steam Generator Tube Rupture (SGTR) event tree. Following an SGTR, RCS pressure must be maintained at or slightly above the pressure in the ruptured steam generator to minimize leakage to that generator. Pressure control is maintained by throttling the HPSI pumps and by using either the main or auxiliary sprays to depressurize the RCS as the plant is cooled down. The unavailability parameters for this element are:

mean unavailability =

median unavailability =

error factor =

standard deviation =

Table 7.1.10-1 presents the dominant cutsets for this element.

TABLE 7.1.10-1
DOMINANT CUTSET GROUPS FOR FAILURE OF RCS PRESSURE CONTROL

Group | Description | Percent Contribution
1 | (Operator fails to throttle HPSI pumps) | 63.9 %
2 | (Loss of grid on turbine trip) | 28.3 %
3 | (Failure of one 13.8 kV bus) (Failure of instrument air compressor(s) on other 13.8 kV bus) | 4.8 %
4 | (Failure of 13.8 kV Bus A) (Failure of 13.8 kV Bus B) |

7.1.11 Unisolable Leak in Bad Generator

The element "Unisolable Leak in Bad Generator" appears in the Steam Generator Tube Rupture (SGTR) event tree (Figure 4.4-1).

If an unisolable path exists from the bad steam generator to atmosphere, the bad generator will be at or near atmospheric pressure. Thus, the differential pressure between the RCS and the bad generator will remain high, with the attendant high leak rate between the RCS and the bad generator. The RCS pressure would have to be decreased to atmospheric pressure to terminate the leak. This would have to be accomplished before the available RWT inventory was depleted.

This would be accomplished by cooling and depressurizing the RCS to shutdown cooling entry conditions (350°F and 400 psia) using the good generator and the pressurizer sprays. The shutdown cooling system would then be used to cool and depressurize the plant to atmospheric pressure and less than 212°F.

The success criterion for this element is that there is no unisolable path from the ruptured generator to the atmosphere.

The potential failure paths for this element are:

a) one or more MSSVs are stuck open, or

b) one or both ADVs are stuck open.

The mechanisms for achieving one of the above two conditions are:

a) TBV's fail to open on reactor trip,
   MSSV's open on both generators,
   One or more MSSV's on bad generator fail to reseat;

b) Isolated bad generator begins to fill,
   Blowdown system unavailable,
   ADV's on bad generator unavailable,
   Bad generator fills,
   MSSV's on bad generator lift,
   MSSV fails to reseat;

c) ADV's on both generators opened for initial cooldown,
   ADV on bad generator fails to close;

d) Isolated bad generator begins to fill,
   Blowdown system unavailable,
   Operator opens ADV on bad generator,
   ADV fails to close.

The unavailability parameters for this element are:

Mean Unavailability =

Median Unavailability =

Error Factor =

Standard Deviation =

Table 7.1.11-1 presents the dominant cutsets for this element.

TABLE 7.1.11-1
DOMINANT CUTSET GROUPS FOR UNISOLABLE LEAK IN BAD GENERATOR

Group | Description | Contribution
1 | (Failure of one ADV to reclose after opening) | 54.4 %
2 | (Loss of condenser vacuum following trip) (Failure of one MSSV to reseat after opening) | 44.5 %
Total | | 98.9 %

7.1.12 Refill RWT

The element "Refill RWT" appears in the Steam Generator Tube Rupture (SGTR) event tree.

If RCS pressure control is not maintained, or if there is an unisolable path to atmosphere from the bad steam generator, there will be continuous leakage from primary to secondary. This leakage will eventually deplete the RWT inventory. Depletion of the RWT inventory will lead to core uncovery and core melt. To prevent this, the RWT inventory must be replenished. Additional inventory can be supplied to the RWT from the spent fuel pool via the boric acid makeup pumps, from the hold up tank via the hold up pumps, from the reactor and equipment drain tanks using the reactor drain pumps, or it can be batched using the boric acid batching tank with the reactor makeup water pumps supplying water from the reactor makeup water tank.

A fault tree model was constructed for this element. Preliminary evaluation of this model indicated that the unavailability of this element was completely dominated by failure of the operators to initiate refill operations. Therefore, the operator action error rate was used for the unavailability of this element. The unavailability parameters for this element are:

Mean Unavailability =

Median Unavailability =

Error Factor =

Standard Deviation =

7.1.13 Maintain Secondary Heat Removal

The element "Maintain Secondary Heat Removal" appears in all event trees except for the large and medium LOCA event trees. This element addresses the long term decay heat removal via the secondary system for event sequences in which shutdown cooling could not be established. The general success criteria for this element are:

a) Provide feedwater flow to at least one steam generator and

b) remove steam from at least one steam generator.

The specific success criteria for this element are event sequence specific. Each sequence in which this element appeared was evaluated to ascertain which systems are available and/or functioning at the time that this element is called upon. An equation was then developed to represent failure of this element based upon the available systems. For example, given a transient for which auxiliary feedwater was successful but the turbine bypass valves were unavailable, the auxiliary feedwater pumps and the condensate pumps would initially be available for feedwater delivery and the ADVs and MSSVs would initially be available for steam removal. Therefore, the failure equation for this sequence would be:

Failure to Maintain Secondary Heat Removal

=

[(Failure to deliver AFW flow) and (Failure to establish flow from the condensate pumps)]

or

[(Failure of the ADVs) and (Failure of the MSSVs)]        eqn. 7.1.13-1

CESAM(42) was used to quantify the sequence specific equations for this element based upon the appropriate system unavailability parameters provided in Sections 7.1.1 through 7.1.12 of this report. The resultant unavailability parameters are presented in Table 7.1.13-1.
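The following is an added example, not code from the report and not CESAM: a Monte Carlo propagation of input uncertainty through eqn. 7.1.13-1 that returns the four statistics the unavailability tables list. The input medians and error factors are constructed values, and the lognormal input model, the convention error factor = 95th percentile / median, and independence of the four elements are assumptions of this sketch.

```python
"""Monte Carlo quantification of eqn. 7.1.13-1 (added example, not CESAM)."""
import math
import random
import statistics

Z95 = 1.645  # 95th percentile of the standard normal distribution

# Constructed inputs: element -> (median unavailability, error factor).
# These are NOT values from the report, whose figures are withheld.
CONSTRUCTED_INPUTS = {
    "afw": (1e-3, 3),         # failure to deliver AFW flow
    "condensate": (5e-2, 5),  # failure to establish flow from condensate pumps
    "adv": (1e-2, 3),         # failure of the ADVs
    "mssv": (1e-3, 10),       # failure of the MSSVs
}


def lognormal_params(median, error_factor):
    """Convert (median, error factor) to the (mu, sigma) of ln X.

    Assumed convention: error factor = 95th percentile / median.
    """
    return math.log(median), math.log(error_factor) / Z95


def failure_probability(afw, condensate, adv, mssv):
    """Eqn. 7.1.13-1, assuming the four elements are independent:
    [(AFW fails) and (condensate fails)] or [(ADVs fail) and (MSSVs fail)].
    """
    feed = afw * condensate          # both feedwater sources lost
    steam = adv * mssv               # both steam removal paths lost
    return feed + steam - feed * steam   # P(A or B) = P(A) + P(B) - P(A)P(B)


def quantify(inputs, trials=20000, seed=1):
    """Sample each element, evaluate the equation, summarize the result."""
    rng = random.Random(seed)        # fixed seed keeps the run reproducible
    params = {name: lognormal_params(*spec) for name, spec in inputs.items()}
    samples = []
    for _ in range(trials):
        # A sampled unavailability is a probability, so cap it at 1.0.
        draw = {name: min(1.0, rng.lognormvariate(mu, sigma))
                for name, (mu, sigma) in params.items()}
        samples.append(failure_probability(**draw))
    samples.sort()
    median = samples[trials // 2]
    p95 = samples[int(0.95 * trials)]
    return {
        "mean": statistics.fmean(samples),
        "median": median,
        "error_factor": p95 / median,
        "std_dev": statistics.pstdev(samples),
    }


if __name__ == "__main__":
    for key, value in quantify(CONSTRUCTED_INPUTS).items():
        print(f"{key:>12}: {value:.3e}")
```

The mean comes out above the median because the product of lognormal inputs is right-skewed, which is why the report's tables list both.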

TABLE 7.1.13-1
UNAVAILABILITY PARAMETERS FOR MAINTAIN SECONDARY HEAT REMOVAL

Element | Unavailability Mean | Unavailability Median | Error Factor | Standard Deviation

(AFW Failure)+[(TBV Failure)(4 of 4 ADVs Fail)(20 of 20 MSSVs fail)]
(Failure to deliver feedflow to 1 of 2 SGs)+[(TBVs Fail)(4 of 4 ADVs Fail)(20 of 20 MSSVs fail)]
(Failure to deliver AFW to 1 of 2 SGs)+(20 of 20 MSSVs Fail)
(Failure to deliver flow from condensate pumps to 1 of 2 SGs)+[(Failure of TBVs given offsite power available)(Failure of 4 of 4 ADVs given offsite power available)]
(Failure to deliver AFW to intact SG)+[(Failure of TBVs)(2 of 2 ADVs fail)(10 of 10 MSSVs fail)]
(Failure to deliver AFW to intact SG)+[(2 of 2 ADVs fail)(10 of 10 MSSVs fail)]
(Failure to deliver AFW to intact SG given HPSI failure)+[(2 of 2 ADVs Fail)(10 of 10 MSSVs Fail)]
(Failure to deliver AFW to intact SG)+(10 of 10 MSSVs Fail)
(Failure to deliver flow to intact SG from condensate pumps)+[(Failure of TBVs)(Failure of 2 of 2 ADVs)]
(Failure to deliver flow to intact SG from condensate pumps)+(Failure of 2 of 2 ADVs)
(Failure of AFW)+[(4 of 4 ADVs failed)(20 of 20 MSSVs Failed)]
(Failure to deliver flow to 1 of 2 SGs from condensate pumps)+(4 of 4 ADVs Fail)

7.2 ACCIDENT SEQUENCE QUANTIFICATION

The system accident sequences leading to core damage were identified using event tree analysis. These system accident sequences are presented on Figures 4.1-1, 4.2-1, 4.3-1, 4.4-1, 4.5-1, 4.6-1, 4.7-1, 4.7-2, and 4.8-1. Each system accident sequence leading to core damage consists of an initiating event and one or more additional elements, each representing either a front line system failure or a special element such as "failure to restore offsite power" or "stuck rod".

Each system accident sequence leading to core damage was converted to an event sequence equation. The event sequence equations were quantified using CESAM(42), a Monte Carlo sampling code for equation solution, and the appropriate initiating event frequency from Section 6.1, the appropriate system failure probabilities from Section 7.1, and the special event probabilities, as applicable, from Section 6.2.

After the initial quantification of all event sequence equations, the dominant sequences were identified. The cutsets for the system failure elements in these equations were evaluated to identify possible recovery actions. The system unavailability was then requantified for each system for which any recovery actions were identified. Finally, the dominant event sequence equations were requantified using the system unavailabilities given appropriate recovery actions. Tables 7.2-1 through 7.2-8 present the text version of the event sequence equations for each initiating event, and the event sequence frequencies with and without recovery.

TABLE 7.2-1
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR LARGE LOCA CORE DAMAGE SEQUENCES
SHEET 1 OF 1

Sequence Number | Sequence | Core Damage Frequency Contribution Without Recovery | Core Damage Frequency Contribution With Recovery

2 | o (Large LOCA) (SIT and LPSI Injection Successful) (HPSI Recirculation Successful) (Hot and Cold Leg Injection Successful) (Failure of Recirculation Cooling)
3 | o (Large LOCA) (SIT and LPSI Injection Successful) (HPSI Recirculation Successful) (Failure of Hot and Cold Leg Injection)
4 | o (Large LOCA) (SIT and LPSI Injection Successful) (Failure of HPSI Recirculation)
5 | o (Large LOCA) (SIT Injection Successful) (Failure of LPSI Injection)
6 | o (Large LOCA) (Failure of SIT Injection)
TOTAL

TABLE 7.2-2
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR MEDIUM LOCA CORE DAMAGE SEQUENCES
SHEET 1 OF 1

Sequence Number | Sequence | Core Damage Frequency Contribution Without Recovery | Core Damage Frequency Contribution With Recovery

2 | o (Medium LOCA) (SIT and HPSI Injection Successful) (HPSI Recirculation Successful) (Hot and Cold Leg Injection Successful) (Failure of Recirculation Cooling)
3 | o (Medium LOCA) (SIT and HPSI Injection Successful) (HPSI Recirculation Successful) (Failure of Hot and Cold Leg Injection)
4 | o (Medium LOCA) (SIT and HPSI Injection Successful) (Failure of HPSI Recirculation)
5 | o (Medium LOCA) (SIT Injection Successful) (Failure of HPSI Injection)
6 | o (Medium LOCA) (Failure of SIT Injection)
TOTAL

TABLE 7.2-3
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR SMALL LOCA CORE DAMAGE SEQUENCES
SHEET 1 OF 3

Sequence Number | Sequence | Core Damage Frequency Contribution Without Recovery | Core Damage Frequency Contribution With Recovery

3 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater) (Steam Removal Successful) (HPSI Recirculation Successful) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long Term Secondary Heat Removal)
6 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater) (Steam Removal Successful) (Failure of HPSI Recirculation) (LPSI Recirculation Successful) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long Term Secondary Heat Removal)
7 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater) (Steam Removal Successful) (Failure of HPSI Recirculation) (Failure of LPSI Recirculation)
9 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal by TBVs, ADVs) (Steam Removal by Main Steam Safety Valves Successful) (HPSI Recirculation Successful) (Failure to Maintain Long Term Secondary Heat Removal)

TABLE 7.2-3
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR SMALL LOCA CORE DAMAGE SEQUENCES
SHEET 2 OF 3

Sequence Number | Sequence | Core Damage Frequency Contribution Without Recovery | Core Damage Frequency Contribution With Recovery

10 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal by TBVs and ADVs) (Steam Removal by Main Steam Safety Valves Successful) (Failure of HPSI Recirculation)
11 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal by TBVs, ADVs and Main Steam Safety Valves)
14 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater) (Steam Removal Successful) (Successful Delivery of Alternate Feedwater) (HPSI Recirculation Successful) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long Term Secondary Heat Removal)
17 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater) (Steam Removal Successful) (Successful Delivery of Alternate Feedwater) (Failure of HPSI Recirculation) (LPSI Recirculation Successful) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long Term Secondary Heat Removal)
18 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater) (Steam Removal Successful) (Successful Delivery of Alternate Feedwater) (Failure of HPSI Recirculation) (Failure of LPSI Recirculation)

TABLE 7.2-3
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR SMALL LOCA CORE DAMAGE SEQUENCES
SHEET 3 OF 3

Sequence Number | Sequence | Core Damage Frequency Contribution Without Recovery | Core Damage Frequency Contribution With Recovery

19 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater) (Steam Removal Successful) (Failure to Deliver Alternate Feedwater)
20 | o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater) (Failure of Steam Removal)
23 | o (Small LOCA) (Reactor Trip) (Failure of HPSI Injection) (Successful Depressurization of RCS and Establishment of LPSI Injection) (LPSI Recirculation Successful) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long Term Secondary Heat Removal)
24 | o (Small LOCA) (Reactor Trip) (Failure of HPSI Injection) (Successful Depressurization of RCS and Establishment of LPSI Injection) (Failure of LPSI Recirculation)
25 | o (Small LOCA) (Reactor Trip) (Failure of HPSI Injection) (Failure to Depressurize RCS and Establish LPSI Injection)
TOTAL

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 1 OF 10

Sequence Number | Sequence | Core Damage Frequency Contribution Without Recovery | Core Damage Frequency Contribution With Recovery

3 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Steam Removal by TBVs from Intact Steam Generator Successful) (Successful Establishment of RCS Pressure Control) (No Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)
6 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Steam Removal by TBVs from Intact Steam Generator Successful) (Successful Establishment of RCS Pressure Control) (Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Refill Refueling Water Tank) (Failure to Establish Shutdown Cooling)
8 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Steam Removal by TBVs from Intact Steam Generator Successful) (Failure to Establish RCS Pressure Control) (No Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Maintain Long-Term Secondary Heat Removal)

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 2 OF 10

Sequence Number | Sequence | Core Damage Frequency Contribution Without Recovery | Core Damage Frequency Contribution With Recovery

9 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Steam Removal by TBVs from Intact Steam Generator Successful) (Failure to Establish RCS Pressure Control) (Unisolable Leak to Atmosphere in Bad Steam Generator)
12 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Successful Establishment of RCS Pressure Control) (No Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)
15 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Successful Establishment of RCS Pressure Control) (Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Refill Refueling Water Tank) (Failure to Establish Shutdown Cooling)

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 3 OF 10

Sequence Number | Sequence | Core Damage Frequency Contribution Without Recovery | Core Damage Frequency Contribution With Recovery

17 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Steam Removal by ADVs from Intact Steam Generator Successful) (Failure to Establish RCS Pressure Control) (Successful Refill of Refueling Water Tank) (Failure to Maintain Long-Term Secondary Heat Removal)
18 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Steam Removal by ADVs from Intact Steam Generator Successful) (Failure to Establish RCS Pressure Control) (Failure to Refill Refueling Water Tank)
20 | o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Failure of Steam Removal by ADVs from Intact Steam Generator) (Steam Removal by MSSVs Successful) (Successful Establishment of RCS Pressure Control) (No Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Maintain Long-Term Secondary Heat Removal)

G G e-

. . . -. . ~. . _ _ _ _ .

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 4 OF 10

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

22 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Failure of Steam Removal by ADVs from Intact Steam Generator) (Successful Steam Removal by MSSVs from Intact Steam Generator) (Successful Establishment of RCS Pressure Control) (Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Refill Refueling Water Tank)

24 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Failure of Steam Removal by ADVs from Intact Steam Generator) (Failure to Establish RCS Pressure Control) (No Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Maintain Long-Term Secondary Heat Removal)

25 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Failure of Steam Removal by ADVs from Intact Steam Generator) (Failure to Establish RCS Pressure Control) (Failure to Refill Refueling Water Tank)

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 5 OF 10

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

26 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Failure of Steam Removal by ADVs from Intact Steam Generator) (Failure of Steam Removal by MSSVs from Intact Steam Generator)

29 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Successful Steam Removal by TBVs from Intact Steam Generator) (Successful Delivery of Alternate Feedwater to Intact Steam Generator) (Successful Establishment of RCS Pressure Control) (No Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

32 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Successful Delivery of Alternate Feedwater to Intact Steam Generator) (Successful Establishment of RCS Pressure Control) (Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Refill Refueling Water Tank) (Failure to Establish Shutdown Cooling)

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 6 OF 10

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

34 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Successful Steam Removal by TBVs from Intact Steam Generator) (Successful Delivery of Alternate Feedwater to Intact Steam Generator) (Failure to Establish RCS Pressure Control) (Successful Refilling of Refueling Water Tank) (Failure to Maintain Long-Term Secondary Heat Removal)

35 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Successful Delivery of Alternate Feedwater to Intact Steam Generator) (Failure to Establish RCS Pressure Control) (Failure to Refill Refueling Water Tank)

36 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Successful Steam Removal by TBVs from Intact Steam Generator) (Failure to Deliver Alternate Feedwater to Intact Steam Generator)

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 7 OF 10

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

39 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Successful Delivery of Alternate Feedwater to Intact Steam Generator) (Successful Establishment of RCS Pressure Control) (No Unisolable Leak to Atmosphere in Bad Steam

(Failure to Maintain Long-Term Secondary Heat Removal)

42 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Successful Delivery of Alternate Feedwater to Intact Steam Generator) (Successful Establishment of RCS Pressure Control) (Unisolable Leak to Atmosphere in Bad Steam Generator) (Failure to Refill Refueling Water Tank) (Failure to Establish Shutdown Cooling)

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 8 OF 10

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

44 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Successful Delivery of Alternate Feedwater to Intact Steam Generator) (Failure to Establish RCS Pressure Control) (Successful Refilling of Refueling Water Tank) (Failure to Maintain Long-Term Secondary Heat Removal)

45 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Successful Delivery of Alternate Feedwater to Intact Steam Generator) (Failure to Establish RCS Pressure Control) (Failure to Refill Refueling Water Tank)

46 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Failure to Deliver Alternate Feedwater to Intact Steam Generator)

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 9 OF 10

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

47 o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Injection Successful) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator)

50 o (Steam Generator Tube Rupture) (Reactor Trip) (Failure of HPSI Injection) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Successful Steam Removal by TBVs from Intact Steam Generator) (Successful Depressurization of RCS and Establishment of LPSI Injection) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

51 o (Steam Generator Tube Rupture) (Reactor Trip) (Failure of HPSI Injection) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Successful Steam Removal by TBVs from Intact Steam Generator) (Failure to Depressurize RCS and Establish LPSI Injection)

54 o (Steam Generator Tube Rupture) (Reactor Trip) (Failure of HPSI Injection) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Successful Depressurization of RCS and Establishment of LPSI Injection) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

TABLE 7.2-4
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STEAM GENERATOR TUBE RUPTURE CORE DAMAGE SEQUENCES
SHEET 10 OF 10

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

55 o (Steam Generator Tube Rupture) (Reactor Trip) (Failure of HPSI Injection) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Successful Steam Removal by ADVs from Intact Steam Generator) (Failure to Depressurize RCS and Establish LPSI Injection)

56 o (Steam Generator Tube Rupture) (Reactor Trip) (Failure of HPSI Injection) (Successful Delivery of Auxiliary Feedwater to Intact Steam Generator) (Failure of Steam Removal by TBVs from Intact Steam Generator) (Failure of Steam Removal by ADVs from Intact Steam Generator)

57 o (Steam Generator Tube Rupture) (Reactor Trip) (Failure of HPSI Injection) (Failure to Deliver Auxiliary Feedwater to Intact Steam Generator)

TOTAL

TABLE 7.2-5
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR LARGE SECONDARY SIDE BREAK CORE DAMAGE SEQUENCES
SHEET 1 OF 2

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

3 o (Large Secondary Side Break) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal by ADVs) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

5 o (Large Secondary Side Break) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal by ADVs) (Successful Steam Removal by MSSVs) (Failure to Maintain Long-Term Secondary Heat Removal)

6 o (Large Secondary Side Break) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal by ADVs and MSSVs)

9 o (Large Secondary Side Break) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Successful Steam Removal by ADVs) (Successful HPSI Injection) (Successful Delivery of Alternate Feedwater) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

10 o (Large Secondary Side Break) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Successful Steam Removal by ADVs) (Successful HPSI Injection) (Failure to Deliver Alternate Feedwater)

11 o (Large Secondary Side Break) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Successful Steam Removal by ADVs) (Failure of HPSI Injection)

TABLE 7.2-5
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR LARGE SECONDARY SIDE BREAK CORE DAMAGE SEQUENCES
SHEET 2 OF 2

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

12 o (Large Secondary Side Break) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Failure of Steam Removal by ADVs)

TOTAL

TABLE 7.2-6
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR TRANSIENTS CORE DAMAGE SEQUENCES
SHEET 1 OF 1

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

3 o (Transient) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal by TBVs or ADVs) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

5 o (Transient) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal by TBVs and ADVs) (Successful Steam Removal by Main Steam Safety

(Successful Delivery of Alternate Feedwater) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

10 o (Transient) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Failure to Deliver Alternate Feedwater)

11 o (Transient) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Failure of Steam Removal by TBVs and ADVs)

TOTAL

TABLE 7.2-7
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR LOSS OF OFFSITE POWER CORE DAMAGE SEQUENCES
SHEET 1 OF 1

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

3 o (Loss of Offsite Power) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal by ADVs) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

5 o (Loss of Offsite Power) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal by ADVs) (Successful Steam Removal by MSSVs) (Failure to Maintain Long-Term Secondary Heat Removal)

6 o (Loss of Offsite Power) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal by ADVs and MSSVs)

9 o (Loss of Offsite Power) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Successful Steam Removal by ADVs) (Successful Delivery of Alternate Feedwater) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

10 o (Loss of Offsite Power) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Successful Steam Removal by ADVs) (Failure to Deliver Alternate Feedwater)

11 o (Loss of Offsite Power) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Failure of Steam Removal by ADVs)

TOTAL

TABLE 7.2-8
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STATION BLACKOUT CORE DAMAGE SEQUENCES
SHEET 1 OF 3

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

3 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Successful Restoration of Power Within 3 Hours) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

5 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Successful Restoration of Power Within 3 Hours) (Loss of RCP Seal Integrity) (Successful RCS Makeup via HPSI System) (Failure of HPSI Recirculation)

6 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Successful Restoration of Power Within 3 Hours) (Loss of RCP Seal Integrity) (Failure of RCS Makeup via HPSI System)

7 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Failure to Restore Power Within 3 Hours)

9 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Failure of Steam Removal by ADVs) (Successful Steam Removal by Main Steam Safety Valves) (Successful Restoration of Power Within 3 Hours) (Failure to Maintain Long-Term Secondary Heat Removal)

TABLE 7.2-8
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STATION BLACKOUT CORE DAMAGE SEQUENCES
SHEET 2 OF 3

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

11 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Failure of Steam Removal by ADVs) (Successful Steam Removal by Main Steam Safety Valves) (Successful Restoration of Power Within 3 Hours) (Loss of RCP Seal Integrity) (Successful RCS Makeup via HPSI System) (Failure of HPSI Recirculation)

12 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Failure of Steam Removal by ADVs) (Successful Steam Removal by Main Steam Safety Valves) (Successful Restoration of Power Within 3 Hours) (Loss of RCP Seal Integrity) (Failure of RCS Makeup via HPSI System)

13 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Failure of Steam Removal by ADVs) (Successful Steam Removal by Main Steam Safety Valves) (Failure to Restore Power Within 3 Hours)

14 o (Station Blackout) (Reactor Trip) (Successful Delivery of Auxiliary Feedwater from Turbine Pump) (Failure of Steam Removal by ADVs and Main Steam Safety Valves)

17 o (Station Blackout) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Successful Restoration of Power Within 1 Hour) (Successful Establishment of Alternate Feedwater Flow) (Failure to Establish Shutdown Cooling) (Failure to Maintain Long-Term Secondary Heat Removal)

TABLE 7.2-8
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR STATION BLACKOUT CORE DAMAGE SEQUENCES
SHEET 3 OF 3

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

19 o (Station Blackout) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Successful Restoration of Power Within 1 Hour) (Successful Establishment of Alternate Feedwater Flow) (Loss of RCP Seal Integrity) (Successful RCS Makeup via HPSI System) (Failure of HPSI Recirculation)

20 o (Station Blackout) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Successful Restoration of Power Within 1 Hour) (Successful Establishment of Alternate Feedwater Flow) (Loss of RCP Seal Integrity) (Failure of RCS Makeup via HPSI System)

21 o (Station Blackout) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Successful Restoration of Power Within 1 Hour) (Successful Establishment of Alternate Feedwater Flow)

22 o (Station Blackout) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs) (Successful Restoration of Power Within 1 Hour)

23 o (Station Blackout) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater from Turbine Pump) (Successful Steam Removal by ADVs)

TABLE 7.2-9
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR ATWS CORE DAMAGE SEQUENCES
SHEET 1 OF 3

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

3 o (Event Initiator) (Mechanical Failure of Rods to Insert) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal) (Successful HPSI Injection) (Failure to Maintain Long-Term Secondary Heat Removal)

4 o (Event Initiator) (Mechanical Failure of Rods to Insert) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal) (Failure of HPSI Injection)

5 o (Event Initiator) (Mechanical Failure of Rods to Insert) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal)

6 o (Event Initiator) (Mechanical Failure of Rods to Insert) (Failure to Deliver Auxiliary Feedwater)

7 o (Event Initiator) (Mechanical Failure of Rods to Insert and MTC Over Pressure)

10 o (Event Initiator) (Electrical Failure of RPS) (Mechanical Failure of Rods to Insert) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal) (Successful HPSI Injection) (Failure to Maintain Long-Term Secondary Heat Removal)

TABLE 7.2-9
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR ATWS CORE DAMAGE SEQUENCES
SHEET 2 OF 3

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

11 o (Event Initiator) (Electrical Failure of RPS) (Mechanical Failure of Rods to Insert) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal) (Failure of HPSI Injection)

12 o (Event Initiator) (Electrical Failure of RPS) (Mechanical Failure of Rods to Insert) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal)

13 o (Event Initiator) (Electrical Failure of RPS) (Mechanical Failure of Rods to Insert) (Failure to Deliver Auxiliary Feedwater)

14 o (Event Initiator) (Electrical Failure of RPS) (Mechanical Failure of Rods to Insert and MTC Over Pressure)

16 o (Event Initiator) (Electrical Failure of RPS) (Electrical Failure of SPS) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal) (Successful HPSI Injection) (Failure to Maintain Long-Term Secondary Heat Removal)

17 o (Event Initiator) (Electrical Failure of RPS) (Electrical Failure of SPS) (Successful Delivery of Auxiliary Feedwater) (Successful Steam Removal) (Failure of HPSI Injection)

TABLE 7.2-9
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR ATWS CORE DAMAGE SEQUENCES
SHEET 3 OF 3

SEQUENCE NUMBER | SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION WITHOUT RECOVERY | CORE DAMAGE FREQUENCY CONTRIBUTION WITH RECOVERY

18 o (Event Initiator) (Electrical Failure of RPS) (Electrical Failure of SPS) (Successful Delivery of Auxiliary Feedwater) (Failure of Steam Removal)

19 o (Event Initiator) (Electrical Failure of RPS) (Electrical Failure of SPS) (Failure to Deliver Auxiliary Feedwater)

20 o (Event Initiator) (Electrical Failure of RPS) (Electrical Failure of SPS and MTC Over Pressure)

TOTAL

8.0 RESULTS

8.1 SUMMARY OF RESULTS

Based on this analysis, the baseline estimate of the mean core damage frequency attributable to internal events for a generic System 80 plant is [ ] per year. The 5% and 95% limits on this value are [ ] and [ ] respectively. It must be emphasized that this result was derived using generic failure data and was based upon a generic BOP design.

Table 8.1-1 presents the core damage frequency contributions by initiating event. The dominant initiating events are Loss of Offsite Power, Transients, Steam Generator Tube Rupture, and Small LOCA.

TABLE 8.1-1
CORE DAMAGE FREQUENCY CONTRIBUTIONS BY INITIATING EVENT

INITIATING EVENT | CORE DAMAGE FREQUENCY (WITHOUT RECOVERY) | CORE DAMAGE FREQUENCY (WITH RECOVERY) | PERCENT OF TOTAL

Large LOCA
Medium LOCA
Small LOCA
Vessel Rupture
Interfacing System LOCA
Steam Generator Tube Rupture
Large Secondary Side Break
Transients
Loss of Offsite Power
Station Blackout
ATWS
Boron Dilution

TOTAL

Table 8.1-2 presents the dominant accident sequences (all individual sequences with a contribution greater than 10^-6). They include one loss of offsite power sequence, two small LOCA sequences, one medium LOCA sequence, three transient sequences, two steam generator tube rupture sequences, an ATWS sequence, the boron dilution sequence and a station blackout sequence. The critical front-line systems in these sequences include the High Pressure Safety Injection System for injection and recirculation, the auxiliary feedwater system for short- and long-term secondary heat removal, and the shutdown cooling system for long-term RCS heat removal.

TABLE 8.1-2
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR DOMINANT ACCIDENT SEQUENCES

SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION | PERCENT OF TOTAL CORE DAMAGE FREQUENCY

o (Loss of Offsite Power) (Reactor Trip) (Failure to Deliver Auxiliary Feedwater) (Failure to Deliver Alternate Feedwater)

o (Small LOCA) (Reactor Trip) (Failure of HPSI Injection) (Failure to Depressurize for LPSI Injection)

o (Transient) (Reactor Trip) (Auxiliary Feedwater and Steam Removal Successful in Short Term) (Failure to Enter Shutdown Cooling) (Failure to Maintain Long Term Secondary Heat Removal)

o (Steam Generator Tube Rupture) (Reactor Trip) (Failure of HPSI Injection) (Failure to Depressurize for LPSI Injection)

o (Transient) (Reactor Trip) (Failure to Deliver Feedwater) (Failure to Establish Alternate Feed Flow)

o (Anticipated Transient) (Mechanical Failure of Rods to Insert) (MTC Overpressure)

TABLE 8.1-2 (Continued)
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR DOMINANT ACCIDENT SEQUENCES

SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION | PERCENT OF TOTAL CORE DAMAGE FREQUENCY

o (Medium LOCA) (SIT and HPSI Injection Successful) (HPSI Recirculation Successful) (Hot and Cold Leg Injection Successful) (Failure of Recirculation Cooling)

o (Small LOCA) (Reactor Trip) (HPSI Injection Successful) (Auxiliary Feedwater and Steam Removal Successful) (Failure of HPSI Recirculation) (Failure to Establish LPSI Recirculation)

o (Station Blackout) (Reactor Trip) (Auxiliary Feedwater Turbine and Steam Removal Successful) (Failure to Restore Power Within 3 Hours)

TABLE 8.1-2 (Continued)
CORE DAMAGE FREQUENCY CONTRIBUTIONS FOR DOMINANT ACCIDENT SEQUENCES

SEQUENCE | CORE DAMAGE FREQUENCY CONTRIBUTION | PERCENT OF TOTAL CORE DAMAGE FREQUENCY

o (Steam Generator Tube Rupture) (Reactor Trip) (HPSI Successful) (Failure to Deliver Auxiliary Feedwater) (Failure to Deliver Alternate Feedwater)

o (Transient) (Reactor Trip) (Auxiliary Feedwater Successful in Short Term) (Failure of Turbine Bypass and Atmospheric Dump Valves) (Failure to Maintain Long Term Secondary Heat Removal)

TOTAL

8.2 INSIGHTS

The following paragraphs discuss some significant insights resulting from this analysis.

8.2.1 ESF Pump Room Cooling

In the systems analysis, it was assumed that loss of cooling to an ESF pump room would result in failure of the pump motor. Loss of ESF pump room cooling turned out to be a dominant contributor to the unavailability of individual front-line systems, and failures of the essential cooling water system and of the essential chilled water system were two of the dominant causes of common front-line system failure.

8.2.2 480 VAC Power

Loss of a 480 VAC load center or motor control center, resulting in failure of a valve, was found to contribute between 4% and 12% to the unavailability of the individual front-line systems. Because the front-line systems were assumed to share load and motor control centers, this was also found to be a source of common point failures to multiple front-line systems.

8.2.3 Common Cause Failures

Common cause failures of pumps or valves within individual front-line systems were found to have a moderate impact on the unavailability of the front-line systems. The effect of cross-system common cause failures was not evaluated in this analysis.

8.2.4 System Success Criteria

The success criteria defined for the front-line systems for the various initiating events were found to have some impact on the calculated core damage.

One example of this is that for Medium LOCAs it was assumed that three safety injection tanks were required for system success, based on the Chapter 6 licensing analyses. Expert opinion is that two safety injection tanks would be adequate. If this criterion had been used, the frequency for the sequence, Medium LOCA and failure of the safety injection tanks (one of the dominant sequences), would have been reduced by about an order of magnitude.

8.2.5 Operator Actions

In this analysis, the operator actions that were addressed included pre-existing maintenance errors, operator actions to back up an automatic safety system actuation, manual actions specified in procedures, and operator recovery actions. Quantification of the operator error rates, particularly when using the HCR model, was found to be highly dependent upon the assumptions made about the time available to perform an action, the skill and training of the operators, and the availability of procedures.

9.0 REFERENCES

1. 50 FR 32138, "Policy Statement on Severe Reactor Accidents Regarding Future Designs and Existing Plants," August 8, 1985, and NUREG-1020, "NRC Policy on Future Reactor Designs", July 1985.
2. SECY-86-76, "Implementation Plan for the Severe Accident Policy Statement and the Regulatory Use of New Source-Term Information", U.S. Nuclear Regulatory Commission, February 28, 1986.
3. Advanced Light Water Reactor Utility Requirements Document, EPRI, Draft, April 1987.
4. System 80 CESSAR FSAR, Combustion Engineering, Inc., August 1985.
5. NUREG/CR-2815; "Probabilistic Safety Analysis Procedures Guide"; Papazoglou, I. A., Burt, R. A.; Brookhaven National Lab.; January 1984.
6. NUREG/CR-2300; "PRA Procedures Guide"; April 1982.
7. Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2 and 3 Final Safety Analysis Report.
8. Supply System Nuclear Project No. 3 Final Safety Analysis Report, Washington Public Power Supply System.

9. Waterford Steam Electric Station (WSES) Unit No. 3 Final Safety Analysis Report.
10. San Onofre Nuclear Generating Station (SONGS) Units 2 and 3 Final Safety Analysis Report.
11. Depressurization and Decay Heat Removal - Response to NRC Questions; CEN-239; June 1983.
12. Probabilistic Risk Assessment of the Effect of PORVs on Depressurization and Decay Heat Removal - Palo Verde Nuclear Generating Station Units 1, 2 and 3; CEN-239, Supplement 3; July 1983.
13. Probabilistic Risk Assessment of the Effect of PORVs on Depressurization and Decay Heat Removal - Washington Nuclear Project Unit 3; CEN-239, Supplement 4 (Draft); October 1983.
14. Yackle, T. R., Shiue, Y. L., Wong, M. C., Betancourt, J. M., Shenoy, S. X.; "Generic PWR Simulator for Personal Computers"; presented at Thermal-Hydraulic Models for Nuclear Reactor Simulators 1985 National Heat Transfer Conference; Denver, Colorado; August 4-7, 1985; TIS-7883.
15. C-E Emergency Procedure Guidelines, CEN-152, Revision 1, November 1982.
16. "Standard Technical Specifications for Combustion Engineering Pressurized Water Reactors", NUREG-0212.

1339d/(83GS)/ca-3 17 "Technical Specifications - Palo Verde Nuclear Generating Station Unit No. 1"; Docket No. 50-528; NUREG-1133, June 1985.

18. Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH 1400/NUREG-75/014, October 1975.
19. Zion Probabilistic Safety Study, Comonwealth Edison.
20. Oconee PRA: A Probabilistic Risk Assessment of Oconee Unit 3, NSAC/60, .

June 1984.

21. Interim Reliability Evaluation Program: Calvert Cliffs Unit 1 SAI-001-82-BE, January 15, 1982. .
22. Interim Reliability Evaluation Program: Analysis of the Arkansas Nuci g One - Unit 1 Nuclear Power Plant, SAND 82-0978 NUREG/CR-2787. June 1982.
23. "Probabilistic Safety Study - Westinghouse Adyanced Pressurized Water Reactor"; RESAR-SP190; Westinghouse Electric Corporation; June 1985.

24. "Individual Plant Evaluation Methodology for Pressurized Water Reactors"; Technical Report 86.3A1; Westinghouse Electric Corporation; April 1987.

25. Haasl, D. F., Roberts, N. H., "Fault Tree Handbook", NUREG-0492, U.S. Nuclear Regulatory Commission, November 1978.


26. "Human Cognitive Reliability Model for PRA Analysis", NUS-4531 (Draft). Hannaman, G. W., prepared for EPRI, December 1984.

27. Swain, A. D. and Guttmann, H. E., Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Operations, NUREG-CR-1278, October 1980.
28. Nuclear Plant Reliability Data System (NPRDS) Reportable System and Component Scope Manual for Combustion Engineering Pressurized Water Reactors; INPO 83-0200, Rev. 2; Institute of Nuclear Power Operations; September 1985.

29. EPRI NP-2230; "ATWS: A Reappraisal, Part 3, Frequency of Anticipated Transients"; January 1982.

30. Oswald, A. J., Gentillon, C. D., Matthews, S. D., Meachum, T. R.; "Generic Data Base for Data and Models Chapter of the National Reliability Evaluation Program (NREP) Guide"; EGG-EA-5887; June 1982.

31. IEEE Guide to the Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability for Nuclear Power Generating Stations, IEEE-STD500-1984.
32. EPRI NP-3967, "Classification and Analysis of Reactor Operating Experience Involving Dependent Events", June 1985.


33. EPRI NP , "Data-based Defensive Strategies for Reducing Susceptibility to Common Cause Failures", Vol. 1 Defensive Strategies, Vol. 2 Data Analysis.
34. NUREG/CR-2770, "Common Cause Fault Rates for Valves", February 1983.
35. NUREG-CR-2771, "Common Cause Fault Rates for Instrumentation and Control Assemblies", February 1983.
36. NUREG-CR-2098, "Common Cause Fault Rates for Pumps", February 1983.


37. NUREG/CR-2099, "Common Cause Fault Rates for Diesel Generators", June 1982.

38. Vesely W. E. and R. E. Narum, PREP and KITT: Computer Codes for the Automatic Evaluation of a Fault Tree, IN-1349, August 1970.
39. NUREG-1032; "Evaluation of Station Blackout Accidents at Nuclear Power Plants"; U.S. Nuclear Regulatory Commission; May 1985.
40. "A Combustion Engineering Review of NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants"; C-E NPSD-340; performed by Combustion Engineering for the C-E Owners Group; March 1986.


41. Meyer, S. L.; Data Analysis for Scientists and Engineers; John Wiley and Sons; New York, New York; 1975.


42. CE-CES-49; "Users Manual for CESAM, Combustion Engineering's Monte Carlo Sampling Code"; April, 1985.


43. Nuclear Power Experience, Vol. PWR-2.


44. NUREG-0020, "Licensed Operating Reactors, Status Summary Report", U. S. Nuclear Regulatory Commission, Vol. 10, Number 12; December, 1986.


45. NSAC/80
46. Wyckoff, H.; "Losses of Offsite Power at U. S. Nuclear Power Plants, All Years through 1984"; NSAC-85 Electric Power Research Institute; April, 1985.
47. NUREG-0651; "Evaluation of Steam Generator Tube Rupture Events"; USNRC; March, 1980.


48. SECY-83-293; "Amendments to 10CFR50 Related to Anticipated Transients without Scram (ATWS) Events"; USNRC; July 19, 1983.


49. Finnicum, D. J., Rzasa, P. W., Serafin, S. A.; Design and Application of Combustion Engineering's Reliability Data Systems for Nuclear Steam Supply Systems; presented at the Eighth Annual Reliability Engineering Conference for the Electric Power Industry; April 21 - 23, 1981; Portland, Oregon.


50. 10 CFR Part 50.62; "Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants"; U. S. Nuclear Regulatory Commission.


51. "Anticipated Transients without Scram for Light Water Reactors"; NUREG-0460; U. S. Nuclear Regulatory Commission; April, 1978.


52. "Rules and Regulations, Title 10, Chapter 1, Code of Federal Regulations-Energy, Part 100, Reactor Site Criteria", U.S. Nuclear Regulatory Commission, as amended through April 30, 1975.
53. "Users Manual for CENTS, Combustion Engineering Nuclear Transient Simulation Code"; CE-CES-58; Combustion Engineering, Inc.; October, 1985.


54. Reactor Protection System Test Interval Evaluation, CE-NPSD-277, December, 1984.


55. Generic Letter 83-28; "Required Actions Based on Generic Implications of Salem ATWS Events"; U. S. Nuclear Regulatory Commission; July 8, 1983.

56. "Reliability Evaluation of the C-E Proposed Alternate Reactor Trip System"; 00000-NSR-ART 1; Combustion Engineering, Inc.; June 1984.


57. A Probabilistic Safety Study Analysis of DC Power Supply Requirements for Nuclear Power Plants, NUREG-0666, April 1981.
58. RPS/ESFAS Extended Test Interval Evaluation, CEN-327, May 1986.
59. Seabrook Station Probabilistic Safety Assessment, PLG-0365; Prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company; Pickard, Lowe and Garrick, Inc., June, 1984.
