ML112070144
| ML112070144 | |
| Person / Time | |
|---|---|
| Site: | Peach Bottom, Surry  |
| Issue date: | 07/26/2011 |
| From: | Herrick S, Reggie Sullivan, Azarm A, Jessica Kratchman, Morell M, Zamanali J Information Systems Labs, Office of Nuclear Security and Incident Response, Office of Nuclear Regulatory Research |
| To: | |
| Anderson Joseph , NSIR/DPR 301-415-4114 | |
| References | |
| Download: ML112070144 (64) | |
Text
Letter Report Risk-Informing Emergency Preparedness Oversight:
Evaluation of Emergency Action Levels Using SAPHIRE:
A Pilot Study of Peach Bottom and Surry Prepared by:
Ali Azarm,1 Principal Investigator Sandra Herrick,2 Project Manager Maria E. Morell1 Jalal Zamanali1 Randy Sullivan3 Jessica Kratchman3
- 1. Information Systems Laboratories, Inc.
- 2. U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research
- 3. U.S. Nuclear Regulatory Commission, Office of Nuclear Security and Incident Response 1
Contents
- 1. INTRODUCTION ............................................................................................................... 4 1.1 Background ........................................................................................................... 4 1.2 Objectives .............................................................................................................. 5 1.3 Technical Approach ............................................................................................... 5
- 2.
SUMMARY
OF FINDINGS ................................................................................................ 8 2.1 Generic Insights .................................................................................................... 8 2.1.1 Consistency of Risk Results and Emergency Action Level Classification . 8 2.1.2 Toxic Gas Emergency Action Level ........................................................... 8 2.1.3 Loss of Annunciation ................................................................................. 8 2.1.4 Successful and Effective Manual Scram (Trip) .......................................... 9 2.1.5 Loss of Direct Current ................................................................................ 9 2.1.6 One Source Away from Station Blackout................................................. 10 2.2 Plant-Specific Findings ........................................................................................ 10 2.2.1 Other Plant-Specific Evaluations ............................................................. 14 Toxic Gas Emergency Action Level..................................................................... 14
- 3. ANALYSIS AND FINDINGS OF PEACH BOTTOM Emergency Action Level SCENARIOS ............................................................................................................................... 16 3.1 MU1Loss of All Offsite Power to Essential Busses for Greater Than 15 Minutes 16 3.2 MU6Unplanned Loss of Most or All Safety System Annunciators or Indication in the Control Room ........................................................................................................ 16 3.3 MU7Reactor Coolant System Leakage............................................................ 18 3.4 MA1Alternating Current Power Capability to Essential Busses Reduced to a Single Power Source for Greater Than 15 Minutes Such That Any Additional Single Failure Would Result in Station Blackout ........................................................................ 19 3.5 MA3Failure of Reactor Protection System Instrumentation To Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded ............................................................................................................... 20 3.6 MA6Unplanned Loss of Most or All Safety System Annunciation or Indication in Control Room with Either (1) a Significant Transient in Progress or (2) Compensatory Nonalarming Indicators Unavailable ............................................................................... 21 3.7 MS1Loss of All Offsite and All Onsite Alternating Current Power to Essential Busses ............................................................................................................................ 23 3.8 MS4Loss of All Vital Direct Current Power ...................................................... 24 3.9 MS3Failure of Reactor Protection System Instrumentation To Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was Not Successful............................................... 25 3.10 MS5Complete Loss of Heat Removal Capability ............................................. 25 3.11 MS6Inability To Monitor a Significant Transient in Progress ........................... 26 3.12 MG1Prolonged Loss of All Offsite Power and Prolonged Loss of All Onsite Alternating Current Power ............................................................................................... 27 3.13 MG3Failure of the Reactor Protection System To Complete an Automatic Scram, Manual Scram Was Not Successful, and There Is Indication of an Extreme Challenge to the Ability To Cool the Core ....................................................................... 28
- 4. ANALYSIS AND FINDINGS OF SURRY Emergency Action Level SCENARIOS .......... 30 4.1 SU1.1Loss of All Offsite Power to Essential Busses for Greater Than 15 Minutes ............................................................................................................................ 30 2
4.2 SU4.1Unplanned Loss of Most or All Safety System Annunciators or Indication in the Control Room ........................................................................................................ 31 4.3 SU6.1Reactor Coolant System Leakage ......................................................... 32 4.4 SA1.1Alternating Current Power Capability to Emergency Busses Reduced to a Single Power Source for 15 Minutes or Longer Such That Any Additional Single Failure Would Result in Station Blackout .................................................................................... 33 4.5 SA2.1Failure of Reactor Protection System Instrumentation To Complete or Initiate an Automatic Reactor Trip Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Trip Was Successful ................................................................... 35 4.6 SA4.1Unplanned Loss of Safety System Annunciators or Indication in Control Room with a Significant Transient in Progress ............................................................... 36 4.7 SS1.1Loss of All Offsite and All Onsite Alternating Current Power to Emergency Busses for 15 Minutes or Longer ................................................................. 38 4.8 SS1.2Loss of All Vital Direct Current Power .................................................... 39 4.9 SS2.1Failure of Reactor Protection System Instrumentation To Complete or Initiate an Automatic Reactor Trip Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Trip Was Not Successful ............................................................ 40 4.10 SS4.1 Inability To Monitor a Significant Transient in Progress ........................ 40 4.11 SG1.1Prolonged Loss of All Offsite and Onsite Alternating Current Power..... 42 4.12 SG2.1Failure of the Reactor Protection System To Complete Both Automatic and Manual Trip and There Is Indication of an Extreme Challenge to the Ability To Cool the Core .......................................................................................................................... 43
- 5. PROPOSED AREAS FOR FUTURE WORK .................................................................. 45
- 6. REFERENCES ................................................................................................................ 47 APPENDIX A: SPAR MODEL DATA AND RESULTS ............................................................... 48 APPENDIX B: GRAPHICAL RESULTS ..................................................................................... 59 List of Figures Figure 1. Emergency classification ranges derived from conditional core damage probability results ...................................................................................................................... 11 Figure B-1. NOUE CCDPs organized by NEI-99 scenario ........................................................ 60 Figure B-2. Alert CCDPs organized by NEI-99 scenario ........................................................... 61 Figure B-3. SAE CCDPs organized by NEI-99 scenario ............................................................ 62 Figure B-4. GE CCDPs organized by NEI-99 scenario .............................................................. 63 Figure B-5. All CCDPs organized by NEI-99 scenario ............................................................... 64 List of Tables Table 1. Emergency Action Levels Selected for Risk Evaluation ............................................ 7 Table 2. Plant-Specific Observations ..................................................................................... 12 Table A-1. Peach Bottom SPAR Model Data and Results ........................................................ 49 Table A-2. Surry SPAR Model Data and Results ...................................................................... 53 3
- 1. INTRODUCTION 1.1 Background U.S. Nuclear Regulatory Commission (NRC) regulations in Title 10 of the Code of Federal Regulations (10 CFR) 50.47(b)(4) require that nuclear plant licensees use a standard emergency classification (EC) and emergency action level (EAL) scheme. The original EAL scheme was published in Appendix 1 to NUREG-0654, FEMA-REP-1, Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants, issued November 1980 (NRC 1980). The current emergency preparedness (EP) regulations were developed directly after the Three Mile Island nuclear power plant (NPP) accident, which took place March 28, 1979, and published as final in August 1980. As lessons were learned in EAL scheme implementation, improvements were identified and documented in NUMARC/NESP-007, Methodology for Development of Emergency Action Levels (NUMARC-1992), and, subsequently, NEI 99-01, Methodology for Development of Emergency Action Levels (NEI-2008), both of which the NRC also endorsed for use. All NPPs use either NUMARC-007 or NEI 99-01 EAL schemes.
The existing radiological EC levels in which EALs are classified are established by the NRC according to (1) their relative radiological seriousness, and (2) the time-sensitive onsite and offsite radiological EP actions necessary to respond to such conditions. In ascending order of severity, these levels are as follows:
Notification of Unusual Event (NOUE): Events are in process or have occurred that indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occurs.
Alert: Events are in process or have occurred that involve an actual or potential substantial degradation of the level of safety of the plant or a security event that involves probable life-threatening risk to site personnel or damage to site equipment because of intentional malicious dedicated efforts of a hostile act. Any releases are expected to be limited to small fractions of the U.S. Environmental Protection Agency (EPA) Protective Action Guideline exposure levels.
Site Area Emergency (SAE): Events are in process or have occurred that involve actual or likely major failures of plant functions needed for protection of the public or security events that result in intentional damage, or malicious acts; (1) toward site personnel or equipment that could lead to the likely failure of or; (2) prevents effective access to equipment needed for the protection of the public. Any releases are not expected to result in exposure levels that exceed EPA Protective Action Guideline exposure levels beyond the site boundary.
General Emergency (GE): Events are in process or have occurred that involve actual or imminent substantial core degradation or melting with potential for loss of containment integrity or security events that result in an actual loss of physical control of the facility.
Releases can be reasonably expected to exceed EPA Protective Action Guideline exposure levels off site for more than the immediate site area.
4
The NRC has endorsed the alternative EAL schemes in NUMARC/NESP-007 and NEI 99-01 for more than two decades, and licensees have broadly used them. These schemes have greatly improved consistent implementation and eliminated EALs that were not risk significant. Groups of subject matter experts experienced in implementing EALs developed these documents.
Improvements in the specificity of EALs and other enhancements, such as mode applicability, were included in the revisions to the EAL scheme. The NRC reviewed and endorsed these documents. However, there has never been an analysis of EALs using probabilistic risk assessment (PRA) techniques.
The staff of the Office of Nuclear Security and Incident Response requested that the Office of Nuclear Regulatory Research conduct a risk assessment of applicable EALs using available tools. This work is part of a broader effort to more fully risk-inform NRC oversight of nuclear power plant EP. It was anticipated that the study could identify whether any EALs were outliers in terms of risk to the public, as well as any potential gaps in the EALs. Where such issues are identified, changes to NRC-approved EAL schemes could result. The staff recognized that only EALs related to plant system malfunction could be analyzed using current risk assessment tools. Although this limits the extent of the analysis, it was expected to provide insights and perhaps lead to additional assessment tool development.
1.2 Objectives The objective of this study is to use PRA methods to support risk-informed regulatory activities in EP. This study evaluates the risk implications of certain EALs using plant-specific PRA models and calculates results in the form of a surrogate risk metric: conditional core damage probability (CCDP).
CCDP is a Level 1 PRA risk metric as a measure of the significance of specific EALs. The EALs are translated into a scenario that can be analyzed by the assessment tool. CCDP results can be used to compare EALs within an EC for consistency and risk insights. The reader should be aware that CCDP is not truly an equivalent to risk; however, it is a reasonable surrogate for risk.
Peach Bottom Atomic Power Station (Peach Bottom) and Surry Power Station (Surry) were the two pilot plants selected for this study. Peach Bottom represents a typical boiling-water reactor (BWR) 4 design with a Mark I containment, while Surry represents a three-loop Westinghouse pressurized-water reactor (PWR) design with a high-head safety injection system and large dry containment. This report contains the technical approach, a summary of insights, detailed analyses and results of selected EAL scenarios, and recommendations for future studies. This study sets out to establish the feasibility of applying PRA, including Level 2 and Level 3 PRA, to additional applied research for EAL schemes.
1.3 Technical Approach This study used the Systems Analysis Program for Hands-on Integrated Reliability Evaluation (SAPHIRE) software, Version 8.0.7.13 to compute CCDP. The Standardized Plant Analysis Risk (SPAR) models, which are used in conjunction with the SAPHIRE software, were used to perform plant-specific PRA analyses. Peach Bottom Unit 2 SPAR model PBT2-EE-L2-819.exe and Surry Unit 1 SPAR model SURY-EE-817.exe were used to analyze Peach Bottom and Surry EAL scenarios, respectively.
5
The process of evaluating operating events, which is analogous to that used by the Accident Sequence Precursor Program, is applied in order to analyze various EALs. Because of the characteristics of this study, initiating event (IE) analysis is performed to analyze each EAL. An IE, also known as an initiator, is an event that disturbs the steady-state operation of the plant and could lead to an off-normal plant condition. Fundamentally, the analysis starts with the hypothetical occurrence of the IE (a given), determines what else would have to go wrong (generally equipment or human failures) to cause core damage, and uses the PRA model to quantify the CCDP of said event going wrong and leading to core damage. The analysis is conditional upon the initiator occurring.
The PRAs models two types of hazards, either internal or external to the plant, that could cause the occurrence of an IE and degradation of mitigating systems. Internal events are caused by system malfunctions precipitated by hardware failures or human errors within the plant.
Examples of internal events include general transients, loss of offsite power (LOOP), loss of main feedwater (LOMFW) and small loss-of-coolant accidents (SLOCA). External events include fires, floods, seismic events, and other manmade hazards, such as explosions and aircraft impact.
The study used the following general steps to analyze the EAL conditions:
(1) Step 1: Gather all available event information.
(2) Step 2: Map the incident context into the SPAR model (scenario development).
(3) Step 3: Use of PRA to determine the incident-specific risk measure.
The technical basis of EAL thresholds is examined in Step 1 to understand and identify the reasons why an EAL is classified into an EC. Other documents, such as technical specifications (TS), final safety analysis reports, and abnormal and emergency operating procedures, are examined to define the scenario that represents the EAL. These documents constitute what this report defines as all available information for each EAL scenario.
In Step 2, the SPAR model is used to reproduce the scenario described by the EAL and defined in Step 1. This requires the selection of a suitable IE and basic events (BEs) from the plant-specific SPAR model to simulate the EAL scenario. After selecting the suitable IEs and BEs, it is necessary to estimate their probabilities to reproduce the EAL conditions for each analysis.
In Step 3, SAPHIRE computes the CCDP for the modeled EAL conditions and provides the resulting minimal cutsets. A minimal cutset describes the combinations of component failures that cause the top event in a fault tree to occur; in this case, that event is core damage. The analysts perform a detailed examination of the minimal cutsets to ensure the fidelity of the model and the appropriateness of the simulated conditions described in Step 2. If the analysts find any significant deviations, the input conditions to the SPAR model are adjusted and rerun accordingly.
The numerical CCDP results are compared among EALs within the same EC level. The more severe the EC, the higher the resulting CCDP is expected to be. The analysts will also interpret the results among EAL scenarios with similar threshold conditions to provide insights on the results. Table 1 shows all of the selected EALs analyzed using SPAR Level 1 models.
6
Table 1 Emergency Action Levels Selected for Risk Evaluation Peach NEI 99-00 Surry EC Initial Conditions Stated in NEI 99-00, V5 Bottom V5 EAL EAL NOUE Loss of all offsite AC power to emergency busses for SU1 MU1 SU1.1 15 minutes or longer.
NOUE Unplanned loss of safety system annunciation or SU3 MU6 SU4.1 indication in the control room for 15 minutes or longer.
NOUE RCS leakage. Op. modes: power operation, startup, SU5 MU7 SU6.1 hot standby, hot shutdown Alert AC power capability to emergency busses reduced to SA5 MA1 SA1.1 a single power source for 15 minutes or longer such that any additional single failure would result in station blackout.
Alert Automatic scram (trip) fails to shut down the reactor SA2 MA3 SA2.1 and the manual actions taken from the reactor control console are successful in shutting down the reactor.
Alert Unplanned loss of safety system annunciation or SA4 MA6 SA4.1 indication in control room with either (1) a significant transient in progress or (2) compensatory indicators are unavailable.
SAE Loss of all offsite and all onsite AC power to SS1 MS1 SS1.1 emergency busses.
SAE Automatic scram (trip) fails to shut down the reactor SS2 MS3 SS2.1 and manual actions taken from the reactor control console are not successful in shutting down the reactor.
SAE Loss of all vital DC power for 15 minutes or longer. SS3 MS4 SS1.2 SAE Complete loss of heat removal capability (NEI SS4* MS5 n/a Revision 4 only; has been deleted in Revision 5)
SAE Inability to monitor a significant transient in progress. SS6 MS6 SS4.1 GE Prolonged loss of all offsite and all onsite AC power SG1 MG1 SG1.1 to emergency busses.
GE Automatic scram (trip) and all manual actions fail to SG2 MG3 SG2.1 shut down the reactor and indication of an extreme challenge to the ability to cool the core exists.
- This EAL is listed in NEI 99-00, Revision 4, but it is eliminated in NEI 99-00, Revision 5. Peach Bottom EALs refer to NEI 99-00, Revision 4, while Surry EALs refer to NEI 99-00, Revision 5. Therefore, Surry EALs do not have an SS4-equivalent scenario.
7
- 2.
SUMMARY
OF FINDINGS 2.1 Generic Insights A pilot study for risk-informed evaluation of selected EAL conditions was conducted for two plants; one BWR and one PWR. The results of this study provided plant-specific insights, which are summarized in the next section and discussed in more detail for each EAL in Section 3.
These insights were then further examined for their potential generic implications. Those that were common to the two plants were selected as candidates for use in developing generic insights. Although these evaluations are based on only two plants, they were further substantiated with qualitative assessments to ensure that future changes as a result of additional plant-specific evaluation will be minimal. These generic insights are discussed below.
2.1.1 Consistency of Risk Results and Emergency Action Level Classification The analysis results show general consistency between the EAL classification and the CCDPs estimated using the risk models (see Figure 1 in Section 2.2). Therefore, a higher EC generally corresponded to a higher risk as estimated by the associated CCDP. This general consistency resulted in establishing CCDP ranges to differentiate between different ECs. These risk ranges were used (and could be used generically) to discriminate among the EALs representing NOUE, Alert, SAE, and GE. The risk ranges also facilitated the identification of those EAL conditions whose calculated risk metric resided outside of the applicable risk range.
2.1.2 Toxic Gas Emergency Action Level EALs define the release of toxic gas into vital areas that jeopardizes operation of operable equipment as an Alert. This has resulted in several Alerts being declared due to the spurious actuation of fire suppression systems (generally Halon or carbon dioxide) in a vital area.
Spurious actuations are defined as scenarios in which the suppressant is discharged when there is no fire in the area. Discharge due to seismic events, thermal effect of a steam leak, random component failures, or maintenance mishaps are typical examples of spurious actuations. In many cases, the spurious actuations will not have any impact on plant systems and components. However, the affected areas have to be evacuated and no personnel are allowed in until the Halon is completely purged. The plant-specific risk results for the two pilot plants for emergency diesel generator (EDG) rooms and switchgear rooms are summarized in Section 2.2. With the exception of control room abandonment, which is covered under a different EAL, the risk analysis did not identify any of the analyzed conditions to be risk significant. The general conclusion is that the temporary presence of fire suppressants in a critical area for less than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> during power operation will not pose any significant risk increase as long as the actuation is found to be spurious.
2.1.3 Loss of Annunciation Loss of majority of the control room annunciators or indicators during plant operation or post transients is covered under several EALs. The risk study shows that the loss of annunciators and the loss of indicators are not equivalent events considering the resultant CCDPs. The loss of annunciators is expected not to cause any major difficulty in the control room operator's ability to recover from a transient, as long as the control room indicators remain operable.
8
For some plant conditions; annunciators are the primary means that alerts operators to take immediate actions. These include loss of a vital bus, flooding in a critical safety area, and trip or failure of an operating safety critical component that affects the plants critical parameters. Loss of indications would reduce the ability of the operators to monitor safety critical parameters and systems. The impact of loss of indicators on the operators ability to perform various actions is reduced as more time becomes available.
The EAL threshold conditions do not specify the relative importance of the loss of different types of annunciators or indicators, even though they require different operator diagnosis and recovery actions. As different types of operator actions have various human error probabilities (HEPs), the CCDP associated with the loss of different types of annunciators or indicators is different. Also, Technical Specifications state different requirements for different loss of instrumental signals. Loss of some important signals requires initiating hot shutdown within one hour; while loss of lesser important signals allows time for repair before initiating hot shutdown.
Therefore, a more precise definition of loss of 75% of safety-related annunciators or indicators would improve the PRA quantification for these EAL scenarios and allow a risk-informed design of these EALs.
There is a possibility that the loss of annunciators or indicators condition is caused by the loss of an electrical bus. However, the operators generally rely on the annunciators and/or indicators to monitor loss-of-bus or under-voltage conditions. If there is a loss of annunciators or indicators, the operator may not be able to diagnose the loss-of-bus condition. The staff recommends the loss of a single bus condition be address in the EAL threshold conditions.
2.1.4 Successful and Effective Manual Scram (Trip)
Manual scram of the reactor after a failure of automatic scram has the EC of an Alert. Failure of automatic scram in general is a risk-significant event and would require post-incident examination to ensure that the underlying causes are identified and future occurrences are eliminated. However, from the viewpoint of this EAL scenario, which assumes that timely and effective manual scram has terminated the adverse impact of the failure of automatic scram, the expected risk is considered to be low for both PWRs and BWRs.
However, for some transients, the failure of automatic scram could result in a spike in power level and, consequently, the reactor pressure could increase so quickly that manual scram cannot prevent the initial pressure spike. The pressure spike could result in the opening of primary relief valves, with a potential for a subsequent failure of at least one valve to close.
Under this conservative assumption, the scenario would lead in a loss of primary inventory. The risk metric results for BWRs even under such a severe condition are low, indebted to multiple redundant and diverse means to inject into vessel. However, if such condition occurs, the Alert could also be generated by other EALs dealing with loss of primary coolant.
Therefore, the EALs associated with failure of automatic scram with successful manual scram for BWRs could be considered for potential reassignment to a lower EC. Additional plant-specific analyses would be needed before any proposed changes for PWRs.
2.1.5 Loss of Direct Current Loss of all vital direct current (DC) power in a BWR will generally cause loss of reactor core isolation cooling (RCIC), high-pressure coolant injection (HPCI), LOMFW, and loss of the 9
breaker control power for all 4,160-volt (V) and 480-V breakers. Similarly, for PWRs, loss of DC generally causes LOMFW and loss of control power to all trains of 4,160-V and 480-V switchgear, resulting in failure of remote breaker operation for all trains of the safety systems.
Although in Surry loss of DC power does not result in failure of the turbine-driven auxiliary feedwater (TDAFW) pump, it is considered to be a plant-specific feature that is not shared by other PWRs. Under prolonged loss of DC power with no recovery actions and no TDAFW for PWRs, core damage is predicted in about an hour. However, following a loss of all DC power, manual local operation of the breakers can be credited as recovery actions to compensate for loss of control power. In addition, local manual start and flow control of some injection trains can also be performed. Availability of alternating current (AC) power would facilitate the success of these local manual actions by providing sufficient lighting and ease of access.
However, none of these recovery actions are currently modeled in PRA.
Therefore the loss of total DC power and plant response, including possible recovery actions, has to be given additional attention. The current conservative assumptions and lack of credit to the potential recovery actions in PRA appear to be generic. This issue can benefit from additional plant-specific risk evaluations and developing the required recovery models.
2.1.6 One Source Away from Station Blackout If the plant experiences a LOOP and the emergency AC is degraded to a single power source for greater than 15 minutes, an Alert would be declared. The risk evaluation of this EAL revealed some generic needs for further clarifications of the EAL condition for at least two areas: the definition of a single AC power source and the treatment of nonsafety alternate AC power sources. These are discussed below:
Depending on plant-specific features, a single emergency power source (i.e., one EDG) may not be sufficient to bring the plant to a stable shutdown. As an example in Peach Bottom, the successful operation of two EDGs is needed to achieve a stable shutdown.
Therefore, if the above EAL condition lasts for several hours with no other power sources recovered except one EDG, it could result in core damage. Therefore, for a prolonged condition when only one EDG is available for the Peach Bottom case discussed above, risk information indicates that the Alert classification could be elevated to an SAE or GE.
An alternate AC (AAC) source could be a black-start diesel generator (DG), an offsite hydro unit, or an AC source provided by gas turbines. The alignment and loading of the AAC power source is in most cases manual. Therefore, it would take some time to utilize the alternate AC source. If this time is less than 15 minutes, then the alternate AC source could be explicitly credited as a single source of AC for this EAL or assumed to have failed. On the contrary, if the AAC source alignment and loading would take more than 15 minutes, the EAL condition could only be met if at least one other source of emergency AC, excluding the AAC, were available (see the discussion on the Conowingo AC source for Peach Bottom in the next section). It should be noted that, if the 15 minute time limit is changed (i.e., increased) in light of future evaluations, this condition could become more problematic. Further clarifications are needed to specify the conditions that meet the intent of this EAL generically.
2.2 Plant-Specific Findings 10
This section discusses plant-specific findings obtained as a result of the EAL risk evaluations for Surry and Peach Bottom NPPs. The discussion is limited to those EALs for which the calculated surrogate risk metric (i.e., CCDP) does not fall within the range associated with their EC level. This study established the ranges identified in Figure 1 because no previous tabulation of EC versus CCDP existed. These ranges were created for the purpose of clear and logical explanation of risk information, and they carry no regulatory significance. The EALs that resided outside these ranges are the focus of this section and are highlighted in Figure 1.
CCDP Range CCDP Range 1.00E+00 MS4 PROL MG3 SG2.1 SG1.1 GE MS4 LOW SS1.2 MG1 1.00E-01 MS6 LOCHS/LOMFW SS2.1 TRANS/LOMFW MS3 IORV SS1.1 1.00E-02 MS3 TRANS SAE MS5 SA1.1 1.00E-03 MA6 LOCHS/LOMFW (I) MS1 SS4.1 LOCHS/LOMFW MA1 SA4.1 LOMFW (I) 1.00E-04 Alert SU6.1 SA2.1 TRANS/LOMFW SU1.1 1.00E-05 MA3 (IORV) SA 4.1 LOCHS (I)
MU1 SA4.1 LOMFW (A) NOUE MA6 LOCHS/LOMFW (A) 1.00E-06 MU7 SA4.1 LOCHS (A) 1.00E-07 SU4.1 (I)
MA3 (TRANS) 1.00E-08 MU6 (I) Non Risk SU4.1 (A)
Significant 1.00E-09 1.00E-10 MU6 (A) 1.00E-11 NOUE - PBT NOUE - Surry Alert - PBT Alert - Surry SAE - PBT SAE - Surry GE- PBT GE- Surry Figure 1 Emergency classification ranges derived from conditional core damage probability results Table 2 lists the EALs highlighted in Figure 1 and any other EAL that provided significant insight. This table contains the reason why CCDP values do not fall within the expected EC level. It also includes proposed changes to the EAL, if found to be justified. Section 3 contains further analysis of these and every EAL examined in this study.
11
Table 2 Plant-Specific Observations Peach EC Bottom Significant Observations Possible Risk-Informed Changes EAL NOUE MU6 The CCDP associated with loss of Separate the annunciators from the annunciators is consistently below the indicators and assign it to a lower associated EAL threshold lines. classification Alert MA1 The threshold condition states that one The threshold conditions may need to be source of AC for the plant is required to revised to better define the single source cope with SBO. However, Peach for the plant to handle SBO conditions.
Bottom requires at least two EDGs during a LOOP in order not to enter into an SBO condition.
Alert MA3 The CCDP associated with failure of Assign it to a lower classification.
automatic scram under the condition that manual scram is successful is lower than the EAL risk classification threshold for Peach Bottom.
Alert MA6 The CCDP associated with loss of Assign it to a lower classification.
annunciators is consistently below the associated EAL threshold lines.
SAE MS1 The CCDP associated with SBO lasting Considering the assumptions in greater than 15 minutes is slightly lower interpreting and mapping the EAL than the SAE threshold for Peach conditions, as well as the optimistic Bottom. assumptions within SPAR models, no recommendations are made for this EAL.
SAE MS4 The CCDP associated with loss of all Loss of total DC and plant response, vital DC power for 15 minutes or longer including possible recovery actions, have for Peach Bottom exceeds the EAL risk to be given additional attention.
threshold for SAE. Considering the current conservative assumptions and lack of credit to potential recovery actions, no recommendations are made for this EAL at the present time.
12
Surry EC Significant Observations Proposed Changes EAL NOUE SU1.1 The CCDP associated with LOOP to No recommendation is proposed, emergency busses lasting greater than considering that the CCDP associated 15 minutes for Surry is slightly higher with this EAL condition is slightly over the than the NOUE threshold for Surry risk threshold. Such small differences are NPP. expected to be within the SPAR model precisions.
NOUE SU4.1 The CCDP associated with the loss of Separate the annunciators from the annunciators is consistently below the indicators and assign it to a lower associated EAL threshold lines when classification.
annunciation only is lost (indicated by an (A) on Figure 1 SU4.1 data points).
NOUE SU6.1 The CCDP associated with this EAL Considering the current conservative condition is higher than the associated interpretation and mapping of this EAL to EAL threshold lines. the PRA domain, no reclassification is proposed for this EAL condition at present time.
Alert SA1.1 The CCDP associated with loss of this Although it is not recommended to change EAL condition for Surry is higher than the EC of this EAL, clarifications may be the upper threshold for Alert proposed needed to better define this EAL, due to by this study. the plant-specific features of Surry.
Alert SA4.1 The CCDP associated with loss of Assign it to a lower classification.
annunciators is consistently below the associated EAL threshold lines.
SAE SS1.2 The CCDP associated with loss of all Loss of total DC and plant response, vital DC power for 15 minutes or longer including possible recovery actions, has to for Surry slightly exceeds the EAL risk be given additional attention. Considering threshold for SAE. the current conservative assumptions and lack of credit to potential recovery actions, no recommendations are made for this EAL at the present time.
SAE SS4.1 The CCDP associated with this EAL No changes to the EAL are was below the associated EAL recommended, because the low CCDP threshold lines. resulted from interpretation of the EAL condition, plant-specific features of Surry, and the assumptions of the SPAR models. Evaluation of similar EAL conditions for other plants could help to better understand its risk significance.
13
2.2.1 Other Plant-Specific Evaluations Several additional plant-specific case studies were performed that were not covered by the standard EAL conditions described in the previous section. These case studies included partial EAL conditions or new EAL conditions for which risk insights could be used to support or refute a regulatory decision. Two of these case studies are discussed here: (1) spurious Halon actuations and (2) total loss of AC and DC.
Toxic Gas Emergency Action Level EALs define the release of toxic gas into vital areas that jeopardizes operation of operable equipment as an Alert. This has resulted in the several Alerts being declared because of the spurious actuation of fire suppression systems (generally Halon or carbon dioxide) in a vital area. Spurious actuations are defined as scenarios in which the suppressant is discharged when there is no fire in the area. Discharge due to seismic events, thermal effect of steam leak, random component failures, or maintenance mishaps are all within such category of events. In many cases, the spurious actuations will not have any impact on plant systems and components. However, the affected areas have to be evacuated and no personnel are allowed in until Halon is completely purged. The plant-specific risk results for the two pilot plants for EDG rooms and switchgear rooms are summarized in Section 2.2. With the exception of the abandonment of the control room, which is covered under a different EAL, the risk analysis did not find any of the analyzed conditions to be risk significant. The general conclusion is that the temporary presence of fire suppressants in a critical area for less than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> during power operation will not pose any significant risk increase as long as the actuation is found to be spurious.
For activations in the EDG room, the affected diesel was assumed not to be available for a period of one shift (8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />), with no recovery actions allowed within this period. The loss of the EDG was assumed because the heating, ventilation, and air conditioning system would be isolated. For the switchgear room, all manual recovery actions were assumed not to be possible during the period of maximum 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, the assumed time required to purge the suppressant and make the switchgear room accessible. The incremental core damage probability (ICDP), which is approximately equivalent to CCDP for about 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, is estimated and shown below for each plant:
Plant Name ICDP for EDG Room ICDP for Switchgear Room Surry 8.3E-9 5.7E-9 Peach Bottom 2.1E-9 2.4E-9 Therefore, the general conclusion is that the temporary presence of fire suppressants in a critical area for less than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> during power operation will not pose any significant accident risk as long as the actuation is found to be spurious. The EAL classification, therefore, should be driven by other conditions in the plant before the actuation.
Total Loss of Alternating and Direct Current There is currently no EAL for a total loss of AC and DC power. This case is modeled by assuming a LOOP, failure of all EDGs to start, and loss of DC power. All of these failures are assumed to have occurred at time zero. The plant response will be quite similar to that of loss of all DC, except that the success of any of the manual recovery actions is unlikely in a 14
prolonged loss of AC and DC power. There could be some plant-specific features that could slow the degradation in a loss-of-AC/DC event. For example, at Surry, the TDAFW could be started and then inject into steam generators (SGs) at a maximum flow. Such uncontrolled injection (blind operation of TDAFW) will overfill the SG and consequently fail the TDAFW.
Although it would be unlikely that the operators succeeded in local manual control of the TDAFW flow during total loss of AC and DC, the noted plant-specific feature could postpone the core damage. In the case of Peach Bottom, when no recovery actions are assumed, a CCDP of 1 is estimated. The general conclusion is that prolonged loss of AC and DC power could eventually result in core damage; however, the timing of the core damage and the radioactive releases would be driven by plant-specific features.
15
- 3. ANALYSIS AND FINDINGS OF PEACH BOTTOM EMERGENCY ACTION LEVEL SCENARIOS 3.1 MU1Loss of All Offsite Power to Essential Busses for Greater Than 15 Minutes Emergency Action Level Threshold Conditions (1) loss of power to 2 emergency auxiliary transformer (OAX04) and 3 emergency auxiliary transformer (OBX04) for greater than 15 minutes Mapping of Emergency Action Level Scenario to the SPAR Model:
(1) In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected because the majority of LOOP events in the United States are grid related. The two emergency auxiliary transformers would instantly fail due to LOOP.
(2) All EDGs were assumed to start automatically due to the LOOP. Because the EDGs were available, there would be no test and maintenance being performed on the EDGs, nor did common cause failure among the EDGs occur simultaneously. If an EDG had failed to start, the plant potentially would be in a different EAL, which deals with LOOP and degraded emergency AC.
(3) All batteries and batteries chargers were assumed to be operable, because the EDGs were able to charge the batteries and supply power to the battery chargers. There was no common cause failure of the batteries and battery chargers that could affect their functions.
(4) All EDG load sequencers were assumed to be operable in this scenario. Otherwise, the EDGs would not be able to supply power to the safety-related loads.
(5) Because the duration of the LOOP in this scenario was greater than 15 minutes, it was conservatively assumed that the recovery of offsite power was not possible within 30 minutes. The failure probabilities of recovering offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, and 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.
SPAR Model Result and Findings The CCDP of this EAL scenario is 2.25E-6, which is within the result range of other NOUE EAL scenarios.
3.2 MU6Unplanned Loss of Most or All Safety System Annunciators or Indication in the Control Room Emergency Action Level Threshold Conditions (1) unplanned loss of most (approximately 75 percent) safety system emergency core cooling system (ECCS), containment isolation, reactor scram, process radiation monitoring) annunciators for greater than 15 minutes 16
OR (2) unplanned loss of most (approximately 75 percent) indications associated with safety functions (reactivity control, reactor coolant system (RCS) inventory, decay heat removal, fission product barrier) for greater than 15 minutes Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators Only (Threshold Condition 1):
(1) As the plant is assumed to be stable and in automatic operation at the start, the operator would not perform any manual actions. Therefore, no initiator was selected in the SPAR model.
(2) The loss of annunciation would only affect the manual restart of RCIC, if RCIC needed to be restarted.
(3) The loss of annunciation was assumed to have an insignificant impact on late recovery actions. Therefore, all the late recovery actions were assumed to have nominal human error probabilities (HEPs).
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators Only (Threshold Condition 2)
(1) As the plant is assumed to be stable and in automatic operation at the start, the operator would not perform any manual actions. Therefore, no initiator was selected in the SPAR model.
(2) The loss of indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual depressurization, manual start of high pressure and low pressure injections, manipulation of RCIC were selected and their associated HEPs were adjusted based on the SPAR-H NUREG guidance [Ref. 10].
(3) The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance [Ref. 10].
(4) The loss of indication was assumed to have an insignificant impact on late recovery actions. Therefore, all the late recovery actions were assumed to have nominal HEPs.
SPAR Model Results and Findings The CCDPs of Case 1 and Case 2 calculated at 15 minutes are 6.73E-11 and 6.97E-9, respectively, which are below the results range of other NOUE EAL scenarios. These CCDPs are calculated at 15 minutes after the loss of annunciators (Case 1) or indicators (Case 2) occurs; the CCDPs would increase if the duration is longer. The following graph shows the CCDPs for both cases from 15 minutes to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, assuming that no transients have occurred during that period.
17
Peach Bottom MU6 [15min. - 8hr.]
1.E-06 1.E-07 1.E-08 CCDP 1.E-09 1.E-10 Case 1: Loss of Annunciation Case 2: Loss of Indication 1.E-11 0 2 4 6 8 Hours The loss of annunciators modeled in Case 1 has less impact on the HEP values. The staff recommends eliminating the loss of annunciation portion of the EAL threshold conditions in the MU6 scenario. However, the loss of indication modeled in Case 2 has a more severe impact on the HEP values. The CCDP would be significantly higher if the condition lasts longer, and possibly meet the range of other NOUE EAL scenarios. Therefore, the staff recommends keeping the loss of indication in the threshold conditions.
3.3 MU7Reactor Coolant System Leakage Emergency Action Level Threshold Conditions (1) unidentified primary system leakage greater than 10 gallons per minute (gpm)
OR (2) identified primary system leakage greater than 25 gpm Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the RCS leakage was conservatively modeled as an SLOCA event, because SPAR models do not have any surrogate for events involving leak rates less than an SLOCA. In SPAR models, the SLOCA initiator (IE-SLOCA) was defined as a coolant pipe break that can be mitigated with high-pressure safety injection.
(2) The threshold conditions indicated that the TS limit of RCS leakage was exceeded (Ref. 5). Therefore, the operator was required to shut down the plant. The manual scram was assumed to be successful.
(3) The leakage was considered to be very small; therefore, it could be compensated by injection from the condensate storage tank or by use of high-pressure injection systems.
18
However, the operator was required to refill the refueling water storage tank (RWST).
Therefore, the nominal failure probability of operator action (1E-3) from the SPAR-H guidance (Ref. 10) was assigned to the operator action of refilling the RWST.
SPAR Model Result and Findings The CCDP of this EAL scenario is 9.85E-7, which is within the range of other NOUE EAL scenarios.
3.4 MA1Alternating Current Power Capability to Essential Busses Reduced to a Single Power Source for Greater Than 15 Minutes Such That Any Additional Single Failure Would Result in Station Blackout Emergency Action Level Threshold Conditions (1) AC power capability to unit 4-kilovolt (kV) safeguards busses is reduced to only one of the following sources for greater than 15 minutes:
2 emergency auxiliary transformer (OAXO4) 3 emergency auxiliary transformer (OBX04)
E1 emergency diesel generator E2 emergency diesel generator E3 emergency diesel generator E4 emergency diesel generator AND (2) Any additional single power source failure will result in a unit blackout.
Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected because the majority of LOOP events in the United States are grid related. The two emergency auxiliary transformers would instantly fail due to LOOP.
(2) Emergency diesel generator 1 (EDG1) was assumed to start automatically to provide a single power source to meet the second threshold condition. Because EDG1 started successfully, there should not be any test and maintenance being performed on EDG1.
There was no common cause failure of the EDGs that could affect the operation of EDG1.
(3) Emergency diesel generator 3 (EDG3) and the station blackout (SBO) DG were both assumed to be inoperable, because EDG1 was assumed to be the only power source available in this scenario.
(4) The batteries were assumed to be operable because EDG1 was able to charge the batteries. There was no common cause failure of the batteries that could affect their functions.
19
(5) The EDG load sequencers for EDG1 and EDG3 were assumed to be operable in this scenario. Otherwise, EDG1 and EDG3 would not be able to supply power to the safety-related load.
(6) Because the duration of LOOP in this scenario was greater than 15 minutes, it was conservatively assumed that the recovery of offsite power was not possible within 30 minutes. The failure probabilities of recovering offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, and 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.
SPAR Model Result and Findings The CCDP of this EAL scenario is 4.41E-4, which is within the result range of other Alert EAL scenarios. However, the EAL says that only one source of AC is available. In this study, the scenario was modeled in accordance with the EAL threshold conditions; i.e., only one EDG is assumed to be available. However, in Peach Bottom, each EDG depends on another EDG to complete the emergency power system requirement (Ref. 4). The threshold conditions may need to be revised to better define the single source for the plant to handle SBO conditions.
3.5 MA3Failure of Reactor Protection System Instrumentation To Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded EAL Threshold Conditions (1) A reactor protection system (RPS) setpoint was exceeded.
AND (2) Automatic scram did not reduce reactor power to subcritical with power below the heating range (1.00E +0 percent).
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Modeling a Transient with Reactor Pressure Spike (1) In this scenario, a transient was in progress, but the automatic scram system failed.
Before the operator could scram the reactor, the reactor pressure would increase. This pressure increase could potentially be sufficient to cause the safety relief valves (SRVs) to open. These SRVs would remain open until the primary pressure returned to normal.
Therefore, the initiator for an inadvertent open relief valve (IE-IORV) was selected in the SPAR model.
(2) The electrical scram system and the alternate rod insertion (ARI) system were assumed to have failed.
(3) The operator was assumed to have scrammed the reactor successfully.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 2: Modeling a Transient without Reactor Pressure Spike 20
(1) In this scenario, it was assumed that the operator was able to scram the reactor before the reactor pressure spiked and the SRVs opened. Therefore, the initiator for general transients (IE-TRANS) was selected in the SPAR model.
(2) The electrical scram system and the ARI system were assumed to have failed.
(3) The operator was assumed to have scrammed the reactor successfully.
SPAR Model Results and Findings The CCDPs of Case 1 and Case 2 of this EAL scenario are 4.43E-6 and 5.59E-8, respectively.
Case 1 is considered to be the upper bound for this EAL; Case 2 is considered to be the lower bound. The CCDPs of both cases are below the result range of other Alert EAL scenarios. A timely and effective manual scram would alleviate the adverse impact of the failure of automatic scram. Under the worst condition in which there would be the potential for a stuck-open SRV, the resulting CCDP would still be lower than the EAL classification threshold. By design, Peach Bottom has several redundant systems capable of mitigating loss-of-coolant accidents (LOCAs),
including those caused by stuck-open SRVs. Therefore, it is expected that the resulting CCDP will be lower for Peach Bottom.
3.6 MA6Unplanned Loss of Most or All Safety System Annunciation or Indication in Control Room with Either (1) a Significant Transient in Progress or (2) Compensatory Nonalarming Indicators Unavailable Emergency Action Level Threshold Conditions (1) a. unplanned loss of most (approximately 75 percent) safety system annunciators, (ECCS, containment isolation, reactor scram, process radiation monitoring) for greater than 15 minutes OR
- b. unplanned loss of most (approximately 75 percent) indications associated with safety functions (reactivity control, RCS inventory, decay heat removal, fission product barrier) for greater than 15 minutes AND (2) a. significant transient in progress (turbine trip, reactor scram, ECCS actuation, runback greater than 25 percent power change, thermal power oscillations greater than 10 percent)
- b. compensatory nonalarming indications (computer points) unavailable Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators Only (Threshold Condition 1.a.) with Loss of Condenser Heat Sink (1) The loss-of-condenser-heat-sink (LOCHS) initiator (IE-LOCHS) was selected to model the significant transient in progress.
21
(2) The operator was assumed to have scrammed the reactor successfully.
(3) The loss of annunciation would only affect the manual restart of RCIC, if RCIC needed to be restarted.
(4) The loss of annunciation was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators Only (Threshold Condition 1.b.) with Loss of Condenser Heat Sink (1) The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.
(2) The operator was assumed to have scrammed the reactor successfully.
(3) The loss of indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual depressurization, manual start of high-pressure and low-pressure injections, and manipulation of RCIC, were selected and their associated HEPs were adjusted based on the SPAR-H NUREG guidance (Ref. 10).
(4) The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance (Ref. 10).
(5) The loss of indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 3: Modeling Loss of Annunciators Only (Threshold Condition 1.a.) with Loss of Main Feedwater (1) The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.
(2) The operator was assumed to have scrammed the reactor successfully.
(3) The loss of annunciation would only affect the manual restart of RCIC, if RCIC needed to be restarted.
(4) The loss of annunciation was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 4: Modeling Loss of Indicators Only (Threshold Condition 1.b.) with Loss of Main Feedwater (1) The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.
(2) The operator was assumed to have scrammed the reactor successfully.
22
(3) The loss of indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual depressurization, manual start of high-pressure and low-pressure injections, and manipulation of RCIC, were selected and their associated HEPs were adjusted based on the SPAR-H NUREG guidance (Ref. 10).
(4) The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance (Ref. 10).
(5) The loss of indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
SPAR Model Results and Findings The CCDPs for Case 1, Case 2, Case 3, and Case 4 of this EAL scenario are 2.55E-6, 5.87E-4, 2.45E-6, and 5.87E-4, respectively. The CCDPs of Case 1 and Case 3 are below the result range of other Alert EAL scenarios, while the CCDPs of Case 2 and Case 4 are within the result range of other Alert EAL scenarios. In Case 1 and Case 3, the loss of annunciators is expected to result in a minimal impact on the control room operators ability to recover from a transient, as long as the associated control room indicators remain operable. There are two different transients modeled, LOMFW in Case 1 and Case 2, and LOCHS in Case 3 and Case 4. The resulting CCDPs were the same for these initiators, because the operators are expected to perform similar recovery actions in these cases.
3.7 MS1Loss of All Offsite and All Onsite Alternating Current Power to Essential Busses Emergency Action Level Threshold Conditions (1) loss of power to 2 emergency auxiliary transformer (OAX04) and 3 emergency auxiliary transformer (OBX04)
AND (2) failure of E1, E2, E3, and E4 EDGs to supply power to unit 4-kV safeguards busses AND (3) failure to restore power to at least one unit 4-kV safeguards bus within 15 minutes from the time of loss of both offsite and onsite AC power Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected because the majority of LOOP events in the United States are grid related.
Emergency busses H and J would instantly fail due to LOOP.
(2) When LOOP occurred, all EDGs were assumed to be inoperable to model the SBO condition.
23
(3) Because the duration of SBO in this scenario was greater than 15 minutes, it was conservatively assumed that the recovery of any of the EDGs or offsite power was not possible within 30 minutes. The failure probabilities of recovering one of the EDGs or offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, and 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> were calculated based on the condition that there was no successful recovery of any of the EDGs or offsite power during the first 30 minutes.
SPAR Model Result and Findings The CCDP of this EAL scenario is 4.81E-4, which is below the result range of other SAE EAL scenarios. The EAL is interpreted as a loss of all EDGs simultaneous with a LOOP lasting more than 15 minutes. However, the Conowingo River offsite power supply is assumed to be energized and can be aligned after 15 minutes. Therefore, in the first 15 minutes, the EAL condition is met, although the Conowingo River offsite power supply is available. However, if the Conowingo River offsite power supply is aligned in less than 15 minutes, this EAL will not be activated. The SPAR model assumes that the Conowingo reliability is more than 99.7 percent.
This high reliability assigned to the Conowingo River offsite power supplys availability and alignment is a major factor that contributes to a lower risk significance value being estimated.
3.8 MS4Loss of All Vital Direct Current Power Emergency Action Level Threshold Conditions (1) loss of all vital DC power based on less than 107.5 volts direct current (VDC) on 125-VDC battery busses 2(3)0D021, 2(3)0D022, 2(3)0D023, and 2(3)0D024 for greater than 15 minutes Mapping of Emergency Action Level Scenario to the SPAR Model (1) Loss of all vital DC is assumed to cause losses of RCIC and HPCI (closure of steam admission valves), LOMFW and isolation of main steamlines, and loss of the breaker control power for all 4,160 volts alternating current (VAC) and 480-VAC breakers.
Therefore, the LOMFW initiator (IE-LOMFW) was selected.
(2) All of the vital DC busses were assumed to have failed.
(3) To fail the main steam system, the main steam isolation valves were assumed to be closed.
SPAR Model Result and Findings The CCDP of this EAL scenario is between 0.1 and 1, which is higher than the result range of other SAE EAL scenarios. Under the prolonged condition of loss of DC with no recovery actions, core damage is expected in about an hour due to repeated cycling of SRVs and no inventory makeup. However, in loss of all DC power, manual local operation of the breakers can be credited as recovery actions to compensate for loss of control power. The operator could also initiate or recover the RCIC or HPCI by local manual opening of the steam admission valves. Additional local manual actions required for flow control of RCIC and HPCI can also be performed. Availability of AC power would facilitate the success of these local manual actions by providing sufficient lighting and ease of access. However, none of these recovery actions are currently credited in SPAR models. Therefore, the CCDP lies between a value of 0.1 and 1.
24
3.9 MS3Failure of Reactor Protection System Instrumentation To Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was Not Successful Emergency Action Level Threshold Conditions (1) Automatic scram, manual scram, and ARI were not successful from the reactor console as indicated by either of the following:
- a. Reactor power remains greater than 4 percent.
- b. Torus temperature greater than 110 degrees Fahrenheit and boron injection are required for reactivity control.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Modeling a Transient with Reactor Pressure Spike (1) In this scenario, a transient was in progress, but the automatic scram system failed. The reactor pressure would increase and the pressure could potentially be sufficient to open the SRVs. These SRVs would remain open until the primary pressure returned to normal. Therefore, the initiator for an inadvertent open relief valve (IE-IORV) was selected in the SPAR model.
(2) The electrical scram system and the ARI system were assumed to have failed.
(3) The operator was assumed to have failed to scram the reactor.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 2: Modeling a Transient without Reactor Pressure Spike (1) In this scenario, it was assumed that the transient would not lead to a high enough pressure to open the SRVs. Therefore, the initiator for general transients (IE-TRANS) was selected in the SPAR model.
(2) The electrical scram system and the ARI system were assumed to have failed.
(3) The operator was assumed to have failed to scram the reactor.
SPAR Model Results and Findings The CCDPs for Case 1 and Case 2 of this EAL scenario are 9.86E-3 and 8.30E-3, respectively.
The results of both cases are within the result range of other SAE EAL scenarios.
3.10 MS5Complete Loss of Heat Removal Capability Emergency Action Level Threshold Conditions (1) The heat capacity temperature limit (T-1 02 Curve T/T-1) is exceeded.
25
Mapping of Emergency Action Level Scenario to the SPAR Model (1) The LOCHS initiator (IE-LOCHS) was selected in the SPAR model to mimic the occurrence of LOCHS.
(2) The condensate storage tank was assumed to have failed to eliminate all possibility of recovering cooling supply provided by the condensate system.
(3) All of the residual heat removal motor-driven pumps were assumed to have failed, to model the total loss of residual heat removal capability and the low-pressure injection capability.
(4) All of the suppression pool motor-operated valves in the injection path were assumed to have closed, so that there would be no suppression pool cooling available.
SPAR Model Result and Findings The CCDP of this EAL scenario is 5.09E-3, which is within the result range of other SAE EAL scenarios.
3.11 MS6Inability To Monitor a Significant Transient in Progress Emergency Action Level Threshold Conditions (1) There is loss of most (approximately 75 percent) safety system annunciators (ECCS, containment isolation, reactor scram, process radiation monitoring) for greater than 15 minutes.
AND (2) Indications needed to monitor safety functions (reactivity control, RCS inventory, decay heat removal, fission product barrier) are unavailable.
AND (3) A significant transient is in progress (turbine trip, reactor scram, ECCS actuation, runback greater than 25 percent power change, thermal power oscillations greater than 10 percent).
AND (4) Compensatory nonalarming indications (computer points) are unavailable.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Loss of Condenser Heat Sink (1) The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.
(2) The operator was assumed to have scrammed the reactor successfully.
26
(3) The loss of both annunciation and indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual depressurization, manual start of high-pressure and low-pressure injections, and manipulation of control rod drive (CRD) injection and RCIC, were selected. It was conservatively assumed that the operator was unable to perform any of these actions in this scenario.
(4) The loss of both annunciation and indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 2: Loss of Main Feedwater (1) The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.
(2) The operator was assumed to have scrammed the reactor successfully.
(3) The loss of both annunciation and indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual depressurization, manual start of high-pressure and low-pressure injections, and manipulation of CRD injection and RCIC, were selected. It was conservatively assumed that the operator was unable to perform any of these actions in this scenario.
(4) The loss of both annunciation and indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
SPAR Model Results and Findings The CCDPs for Case 1 and Case 2 of this EAL scenario are both 8.00E-2. The results of both cases are within the result range of other SAE EAL scenarios. This EAL scenario does not have a time threshold requirement stated in the threshold conditions. To account for the time these remained failed, the CCDP calculated was multiplied by the probability (0.08) of shutting down the reactor from the remote shutdown panel.
3.12 MG1Prolonged Loss of All Offsite Power and Prolonged Loss of All Onsite Alternating Current Power Emergency Action Level Threshold Conditions (1) loss of power to 2 emergency auxiliary transformer (OAX04) and 3 emergency auxiliary transformer (OBX04)
AND (2) failure of E1, E2, E3, and E4 EDGs to supply power to unit 4-kV safeguards busses 27
AND (3) a. Restoration of at least one unit 4-kV safeguards bus within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> is not likely.
- b. Reactor pressure vessel (RPV) level cannot be determined to be greater than
-172 inches.
Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected because the majority of LOOP events in the United States are grid related.
Emergency busses H and J would instantly fail due to LOOP.
(2) When LOOP occurred, all EDGs were assumed to be inoperable to model the SBO condition.
(3) Because the duration of SBO in this scenario was greater than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, it was assumed that the recovery of any of the EDGs or offsite power was not possible within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
The failure probabilities of recovering one of the EDGs or offsite power in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> were calculated based on the condition that there was no successful recovery of any of the EDGs or offsite power during the first 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
(4) The RPV level condition could not be modeled because the model does not contain events that are related to the RPV level.
SPAR Model Result and Findings The CCDP of this EAL scenario is 2.36E-1, which is within the result range of other GE EAL scenarios.
3.13 MG3Failure of the Reactor Protection System To Complete an Automatic Scram, Manual Scram Was Not Successful, and There Is Indication of an Extreme Challenge to the Ability To Cool the Core Emergency Action Level Threshold Conditions (1) Automatic scram, manual scram, and ARI were not successful from the reactor console as indicated by either of the following:
- a. Reactor power remains greater than 4 percent.
- b. Torus temperature greater than 110 degrees Fahrenheit and boron injection are required for reactivity control AND 28
(2) a. RPV level cannot be restored and maintained greater than -195 inches.
- b. The heat capacity temperature limit (T-102 Curve T/T-1) is exceeded.
Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, a transient was in process, but both the automatic scram and manual scram failed. The reactor pressure and temperature would increase and lead to an LOMFW event. Therefore, the initiator for LOMFW (IE-LOMFW) was selected in the SPAR model.
(2) The electrical scram system and the ARI system were assumed to have failed.
(3) The operator was assumed to have failed to scram the reactor.
(4) The SRVs were assumed to have failed to open to model the degenerating heat removal capability in the reactor.
SPAR Model Result and Findings The CCDP of this EAL scenario is 1, which is within the result range of other GE EAL scenarios.
29
- 4. ANALYSIS AND FINDINGS OF SURRY EMERGENCY ACTION LEVEL SCENARIOS 4.1 SU1.1Loss of All Offsite Power to Essential Busses for Greater Than 15 Minutes Emergency Action Level Threshold Conditions (1) loss of all offsite AC power to Unit 1 4,160-V emergency busses H and J for greater than 15 minutes Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected because the majority of LOOP events in the United States are grid related.
Emergency busses H and J would instantly fail due to LOOP.
(2) EDG1 (which is the dedicated EDG) and EDG3 (which is a swing EDG aligned to Unit 1) were assumed to start automatically due to the initiation of LOOP. Because EDG1 and EDG3 were available, there would be no test and maintenance being performed on the EDGs, nor common cause failure among the EDGs. The SBO DG does not start automatically. The operator would start the SBO DG if EDG1 were lost.
(3) All batteries were assumed to be operable because the EDGs were able to charge the batteries. There was no common cause failure of the batteries that could affect their functions.
(4) The batteries would not be depleted as long as an AC power source was available, as they would be recharged by this source. In an SBO sequence, the battery depletion depends on the likelihood of recovering a source of AC power. The probability of battery depletion at the fourth hour was set to the product of the probability that no offsite power would be recovered in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (1.537E-1) and the nonrecovery probability of an EDG in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (5.568E-1). Therefore, the battery depletion probability at the fourth hour was calculated to be 8.56E-2.
(5) All EDG load sequencers were assumed to be operable in this scenario. Otherwise, the EDGs would not be able to supply power to the safety-related loads.
(6) Because the duration of LOOP in this scenario was greater than 15 minutes, it was conservatively assumed that the recovery of offsite power was not possible within 30 minutes. The failure probabilities of recovering offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.
SPAR Model Result and Findings The CCDP of this EAL scenario is 1.18E-5, which is slightly higher than the result range of other NOUE EAL scenarios. The EAL is interpreted as a grid-related LOOP. The resulting CCDP is about 1.18E-5, which is slightly larger than 1.0E-5 threshold. No specific reason could be found based on examination of minimal cutsets. The slight discrepancy is attributed to Surry plant-specific characteristics and is partly driven by the higher likelihood of Westinghouse reactor coolant pump (RCP) seal failures during SBO scenarios.
30
4.2 SU4.1Unplanned Loss of Most or All Safety System Annunciators or Indication in the Control Room Emergency Action Level Threshold Conditions (1) unplanned loss of most (approximately 75 percent) or all of either of the following:
- a. annunciators (panels A through K)
- b. indicators associated with safety-related structures, systems, and components on the unit main control room (MCR) bench boards 1 and 2 and vertical boards 1 and 2 for greater than 15 minutes Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators Only (Threshold Condition 1.a.)
(1) As the plant is assumed to be stable and in automatic operation at the start, the operator would not perform any manual actions. Therefore, no initiator was selected in the SPAR model.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators Only (Threshold Condition 1.b.)
(1) As the plant is assumed to be stable and in automatic operation at the start, the operator would not perform any manual actions. Therefore, no initiator was selected in the SPAR model.
(2) The loss of indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual crosstie of auxiliary feed water (AFW) from Surry Unit 2 (if needed), manual feed and bleed operations (if needed), manual operation of the feed water system by means of maintaining the hotwell condenser level (if needed), aligning chilled water supply to cool the switchgear room (if normal cooling to switchgear room failed) were selected and their associated HEPs were adjusted based on the SPAR-H NUREG guidance [Ref. 10].
(3) The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance [Ref. 10].
(4) The loss of indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
SPAR Model Results and Findings The CCDPs of Case 1 and Case 2 calculated at 15 minutes are 2.75E-9 and 5.55E-08, respectively, which are below the results range of other NOUE EAL scenarios. These CCDPs are calculated at 15 minutes after the loss of annunciators (Case 1) or indicators (Case 2) occurs; the CCDPs would increase if the duration is longer. The following graph shows the 31
CCDPs for both cases from 15 minutes to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, assuming that no transients have occurred during that period.
Surry SU4.1 [15min. - 8hr.]
1.E-05 1.E-06 CCDP 1.E-07 1.E-08 Case 1: Loss of Annunciation Case 2: Loss of Indication 1.E-09 0 2 4 6 8 Hours The loss of annunciators modeled in Case 1 has less impact on the HEP values. The staff recommends eliminating the loss of annunciation portion of the EAL threshold conditions in the SU4.1 scenario. However, the loss of indication modeled in Case 2 has a more severe impact on the HEP values. The CCDP would be significantly higher if the condition lasts longer, and possibly meet the range of other NOUE EAL scenarios. Therefore, the staff recommends keeping the loss of indication in the threshold conditions.
4.3 SU6.1Reactor Coolant System Leakage Emergency Action Level Threshold Conditions (1) Unidentified or pressure boundary leakage is greater than 10 gpm.
OR (2) Identified leakage is greater than 25 gpm.
Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the RCS leakage was conservatively modeled as an SLOCA event, because SPAR models do not have any surrogate for events involving leak rates less than an SLOCA. In SPAR models, the SLOCA initiator (IE-SLOCA) was defined as a primary break that can be mitigated with high-pressure safety injection.
(2) The threshold conditions indicated that the TS limit(s) of a primary system leakage was/were exceeded (Ref. 9). Therefore, the operator was required to shut down the plant. The manual trip was assumed to be successful.
32
(3) The leakage was very small and could be compensated by the high-pressure injection system.
(4) It was assumed that no human errors had occurred before this event during the calibration, test, and maintenance processes.
(5) All batteries were assumed to be operable in this scenario.
SPAR Model Result and Findings The CCDP of this EAL scenario is 4.05E-5, which is higher than the result range of other NOUE EAL scenarios. This EAL condition is modeled by an SLOCA initiator within SPAR models.
SLOCAs are leaks in the RCS pressure boundary into the containment, with nominal leak rates that are equivalent to those that would be produced by ideal break sizes from about 1/2 inch to 2 inches in diameter. Such LOCAs are in excess of normal charging capacity (around 80 gpm at nominal reactor operating pressure). Simulating this EAL condition with an SLOCA is, therefore, considered conservative. For RCS leakage of the magnitudes quoted by this EAL condition, the operator will perform a normal reactor shutdown to meet the plants TS. Reactor trip due to SLOCA is by far more severe than the stated EAL condition. The assumption of SLOCA resulted in a higher CCDP than expected. This EAL can be best described by a range of CCDPs from approximately 1.3E-7 to 3.6E-5, with the lower bound being a manual trip and the upper bound being an SLOCA initiator.
4.4 SA1.1Alternating Current Power Capability to Emergency Busses Reduced to a Single Power Source for 15 Minutes or Longer Such That Any Additional Single Failure Would Result in Station Blackout Emergency Action Level Threshold Conditions (1) AC power capability to Unit 1 4,160-V emergency busses H and J is reduced to a single power source for greater than 15 minutes.
AND (2) Any additional single failure would result in loss of all AC power to the emergency busses.
Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected because the majority of LOOP events in the United States are grid related. The two emergency auxiliary transformers would instantly fail due to LOOP.
(2) EDG1 was assumed to start automatically to provide a single power source to meet the second threshold condition. Because EDG1 started successfully, there should not be any test and maintenance being performed on EDG1. Also, there was no common cause failure of the EDGs that could affect the operation of EDG1.
(3) EDG3 and the SBO DG were both assumed to be inoperable because EDG1 was assumed to be the only power source available in this scenario.
33
(4) The batteries were assumed to be operable because EDG1 was able to charge the batteries. There was no common cause failure of the batteries that could affect their functions.
(5) During the SBO, if AC power sources could have been recovered in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, the depleting batteries would have been recharged. Therefore, the recovery of an AC source could prevent battery depletion and should be credited in the SPAR model. The AC recovery could be achieved by either recovering offsite power or recovering one of the EDGs. The battery depletion probability at the fourth hour was the product of the nonrecovery probability of offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (1.537E-1) and the nonrecovery probability of an EDG in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (5.568E-1). Therefore, the battery depletion probability at the fourth hour was calculated to be 8.56E-2.
(6) The EDG load sequencers for EDG1 and EDG3 were assumed to be operable in this scenario. Otherwise, EDG1 and EDG3 would not be able to supply power to the safety-related loads.
(7) Because the duration of LOOP in this scenario was greater than 15 minutes, it was conservatively assumed that the recovery of offsite power was not possible within 30 minutes. The failure probabilities of recovering offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.
SPAR Model Result and Findings The CCDP of this EAL scenario is 2.38E-3, which is above the result range of other Alert EAL scenarios. This is mainly attributed to the plant-specific features in Surry. The EAL condition is interpreted as a grid-related LOOP with only the dedicated EDG (EDG1) feeding Unit 1.
Another option to simulate this EAL condition is to assume that only EDG3 is available and feeding bus J of Unit 1. This case was not considered due to complications that could result from a dual-unit LOOP and the potential use of a swing EDG for the opposite unit.
In Surry, the EDGs are self-cooled (water cooled with water-air radiators), are provided with self-contained starting air systems and batteries, take suction directly from outside air, and are each provided with separate day tanks and two fuel oil transfer pumps. The fuel in the day tank is sufficient for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The probability of failure of the EDGs to run is therefore expected to be less than at other PWRs and is not expected to contribute significantly to CCDP.
However, a detailed examination of the cutsets indicated that the dominant contribution to risk is failure of the running booster service water (SW) pump that cools the charging pumps. As a result of this failure, the running charging pump would eventually fail (typically within 30 minutes) and the seal injection cooling to the RCP seals would be lost. However, the seal cooling provided by CCW and the running SW pump (not the booster pumps) should not be affected. At Surry, however, there are other plant-specific features that would cause the failure of RCP seal cooling. This is explained in the following paragraph.
Surry EDG3 feeds J bus, which feeds two instrumentation air compressors. In contrast, EDG1 feeds H bus, which does not support any compressor. The SBO DG (AAC) is also capable of supporting an instrument air compressor. In the scenario simulated here, in which the AC source is from EDG1, no instrument air compressor will be available. The loss of instrument air 34
is, therefore, assumed after some time. As a result, the CCW to the RCP thermal barrier heat exchanger will be isolated.
The combined effect of loss of RCP seal cooling and seal injection would result in a consequential SLOCA via RCP seal failure in Westinghouse plants. The high-pressure injection would also not be available due to loss of the running SW booster pump. The consequential RCP seal LOCA would result in early core damage in about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> if no recovery action took place.
4.5 SA2.1Failure of Reactor Protection System Instrumentation To Complete or Initiate an Automatic Reactor Trip Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Trip Was Successful Emergency Action Level Threshold Conditions (1) An automatic trip failed to shut down the reactor, and manual actions (i.e., trip pushbuttons) taken at the MCR bench board successfully shut down the reactor as indicated by reactor power less than 5 percent.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Modeling a Transient with Primary Pressure Spike (1) In this scenario, a transient was in progress, but the automatic trip system failed. Before the operator had a chance to trip the reactor, the primary pressure would increase. This pressure increase could potentially be sufficient to cause the pressurizer power-operated relief valves (PORVs) and the SRVs to open. As a result, the turbine would trip and stop the steam supply to the SG. Therefore, LOMFW would have occurred and the initiator for an LOMFW event (IE-LOMFW) was selected in the SPAR model.
(2) PORV and SRV stuck-open events were generic issues in PWRs. Therefore, it was conservatively assumed that the SRVs would remain open during the transient.
(3) Because the automatic trip failed, the reactor protective system analog process logic modules, the bistable channels, and the undervoltage drivers were assumed to have failed.
(4) The operator was assumed to have tripped the reactor successfully.
(5) For the reactor to trip successfully, the reactor trip breakers and the rod cluster control assembly must be manually operable.
SPAR Model AssumptionCase 2: Modeling a Transient without Primary Pressure Spike (1) In this scenario, it was assumed that the operator was able to trip the reactor before the primary pressure spiked and the SRVs opened. Therefore, the initiator for general transients (IE-TRANS) was selected in the SPAR model.
(2) PORV and SRV stuck-open events are generic issues in PWRs. Therefore, it was conservatively assumed that the SRVs would remain open during the transient.
35
(3) Because the automatic trip failed, the reactor protective system analog process logic modules, the bistable channels, and the undervoltage drivers were assumed to have failed.
(4) The operator was assumed to have tripped the reactor successfully.
(5) For the reactor to trip successfully, the reactor trip breakers and the rod cluster control assembly must be manually operable.
SPAR Model Results and Findings In this scenario, the CCDPs for Case 1 and Case 2 are 4.71E-5 and 4.30E-5, respectively.
Case 1 is considered the upper bound for this EAL, while Case 2 is considered the lower bound.
Both cases are within the result range of other Alert EAL scenarios.
4.6 SA4.1Unplanned Loss of Safety System Annunciators or Indication in Control Room with a Significant Transient in Progress Emergency Action Level Threshold Conditions (1) There is unplanned loss of most (approximately 75 percent) or all of either of the following:
- a. annunciators (panels A through K)
- b. indicators associated with safety-related structures, systems, and components on unit MCR bench boards 1 and 2 and vertical boards 1 and 2 for greater than 15 minutes AND (2) a. A significant transient is in progress.
- b. PCS is unavailable.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators Only (Threshold Condition 1.a) with Loss of Condenser Heat Sink (1) The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.
(2) The operator was assumed to have tripped the reactor successfully.
(3) After the operator tripped the reactor, the loss of annunciation condition would have an insignificant impact on other operators actions. Therefore, no HEP adjustment was needed.
36
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators Only (Threshold Condition 1.b.) with Loss of Condenser Heat Sink (1) The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.
(2) The operator was assumed to have tripped the reactor successfully.
(3) The loss of indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual crosstie of AFW from Surry Unit 2 (if needed), manual feed-and-bleed operations (if needed),
manual operation of the feedwater system via maintaining the hotwell condenser level (if needed), and aligning the chilled water supply to cool the switchgear room (if normal cooling to the switchgear room failed), were selected and their associated HEPs were adjusted based on the SPAR-H NUREG guidance (Ref. 10).
(4) The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance (Ref. 10).
(5) The loss of indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 3: Modeling Loss of Annunciators Only (Threshold Condition 1.a.) with Loss of Main Feedwater (1) The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.
(2) The operator was assumed to have tripped the reactor successfully.
(3) After the operator tripped the reactor, the loss of annunciation condition would have an insignificant impact on other operators actions. Therefore, no HEP adjustment was needed.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 4: Modeling Loss of Indicators Only (Threshold Condition 1.b.) with Loss of Main Feedwater (1) The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.
(2) The operator was assumed to have tripped the reactor successfully.
(3) The loss of indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual crosstie of AFW from Surry Unit 2 (if needed), manual feed-and-bleed operations (if needed),
manual operation of the condense and feed water system via maintaining the hotwell condenser level (if needed), and aligning the chilled water supply to cool the switchgear room (if normal cooling to the switchgear room failed), were selected and their associated HEPs were adjusted based on the SPAR-H NUREG guidance (Ref. 10).
37
(4) The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance (Ref. 10).
(5) The loss of indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.
SPAR Model Results and Findings The CCDPs for Case 1, Case 2, Case 3, and Case 4 of this EAL scenario are 1.50E-7, 7.40E-6, 4.27E-6, and 3.60E-4, respectively. The CCDPs of Case 1, Case 2, and Case 3 are below the result range of other Alert EAL scenarios, while the CCDP of Case 4 is within the result range of other Alert EAL scenarios. In Case 1 and Case 3, the CCDPs are below the normal result range because the loss of annunciators is expected to result in a minimal impact on the control room operators ability to recover from a transient, as long as the associated control room indicators remain operable. Case 2, which modeled the LOCHS and 75 percent of the indications, is lower than Case 4, which modeled the LOMFW and 75 percent of the indications.
The reasons for this discrepancy stem from the assumptions of SPAR models. SPAR models credit recovery of the main feedwater (MFW) system in LOCHS, but such credit is not provided for LOMFW initiators. In fact, the results from the two analyses will be closely comparable if the recovery credit for the MFW system is removed. This latter case is similar to EAL condition MA6 for Peach Bottom for loss of indication with significant transient in progress, where the results for both LOCHS and LOMFW were approximately the same.
4.7 SS1.1Loss of All Offsite and All Onsite Alternating Current Power to Emergency Busses for 15 Minutes or Longer Emergency Action Level Threshold Conditions (1) loss of all offsite and onsite AC power to unit 4,160-V emergency busses H and J for greater than 15 minutes Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected because the majority of LOOP events in the United States are grid related.
Emergency busses H and J would instantly fail due to LOOP.
(2) When LOOP occurred, all EDGs were assumed to be inoperable to model the SBO condition.
(3) During the SBO, if AC power sources could have been recovered in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, the depleting batteries would have been recharged. Therefore, the recovery of an AC source could prevent battery depletion and should be credited in the SPAR model. The AC recovery could be achieved by either recovering offsite power or recovering one of the EDGs. The battery depletion probability at the fourth hour was the product of the nonrecovery probability of offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (1.537E-1) and the nonrecovery probability of an EDG in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (5.568E-1). Therefore, the battery depletion probability at the fourth hour was calculated to be 8.56E-2.
(4) Because the duration of SBO in this scenario was greater than 15 minutes, it was conservatively assumed that the recovery of any of the EDGs or offsite power was not 38
possible within 30 minutes. The failure probabilities of recovering one of the EDGs or offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> were calculated based on the condition that there was no successful recovery of any of the EDGs or offsite power in the first 30 minutes.
SPAR Model Result and Findings The CCDP of this EAL scenario is 3.02E-2, which is within the result range of other SAE EAL scenarios.
4.8 SS1.2Loss of All Vital Direct Current Power Emergency Action Level Threshold Conditions (1) loss of all vital DC power based on less than 105-V DC bus voltage indications for greater than 15 minutes Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, LOMFW was assumed to occur upon the loss all vital DC power. The LOMFW was assumed to occur due to a series of competing faults, including the loss of control of feedwater-regulating valves causing feedwater isolation. Therefore, the LOMFW initiator (IE-LOMFW) was selected.
(2) All of the vital DC busses were assumed to have failed.
(3) The TDAFW system in Surry did not require DC power to start. However, the TDAFW flow had to be controlled manually to prevent SG overfill and failure of the pump due to water carryover. The Surry SPAR model originally associated several different HEPs to this operator control action. These HEP values vary depending on the conditions imposed by the scenario of the accident. An HEP of 0.3 was applied when all AC and DC were lost, while an HEP of 0.03 was used when all instrument air was lost. In this scenario, an HEP of 0.1, which is a generic PRA value used by other plant-specific SPAR models for TDAFW flow control, was assigned.
SPAR Model Result and Findings The CCDP of this EAL scenario is 1.52E-1, which is within the result range of other SAE EAL scenarios. The PRA model for Surry does not credit the specific recovery actions that could possibly be performed during loss of all DC. These are described below.
In loss of all DC, manual local operation of the breakers can be credited as recovery actions to compensate for loss of control power; for example, for starting and controlling the motor-driven AFW pumps. Availability of AC power facilitates the success of these local manual actions by providing sufficient lighting and ease of access. Success of such recovery actions would eliminate the need for manual flow control of TDAFW or significantly reduce the length of time that manual control is needed. The flow control of TDAFW is only needed for sufficient time to either recover DC or perform other recovery actions involving the manual breaker operations.
39
4.9 SS2.1Failure of Reactor Protection System Instrumentation To Complete or Initiate an Automatic Reactor Trip Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Trip Was Not Successful EAL Threshold Conditions (1) An automatic trip failed to shut down the reactor and manual actions (i.e., trip pushbuttons) taken at the MCR bench board do not shut down the reactor, as indicated by reactor power greater than 5 percent.
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Modeling a Transient with Primary Pressure Spike (1) In this scenario, a transient was in progress, but the automatic trip system failed. The primary pressure would increase and the pressure could potentially be sufficient to open the PORVs and the SRVs. As a result, the turbine would trip and stop the steam supply from the SGs. Therefore, LOMFW would occur, so the initiator for an LOMFW event (IE-LOMFW) was selected in the SPAR model.
(2) Because the automatic trip failed, the reactor protective system analog process logic modules, the bistable channels, and the undervoltage drivers were assumed to have failed.
(3) The operator was assumed to have failed to trip the reactor.
(4) The reactor trip breakers and the rod cluster control assembly were assumed to have failed, such that the manual trip process could not be completed.
SPAR Model AssumptionCase 2: Modeling a Transient without Primary Pressure Spike (1) In this scenario, it was assumed that the transient would not lead to a high enough pressure to open the PORVs and SRVs. Therefore, the initiator for general transients (IE-TRANS) was selected in the SPAR model.
(2) Because the automatic trip failed, the reactor protective system analog process logic modules, the bistable channels, and the undervoltage drivers were assumed to have failed.
(3) The operator was assumed to have failed to trip the reactor.
(4) The reactor trip breakers and the rod cluster control assembly were assumed to have failed, such that the manual trip process could not be completed.
SPAR Model Results and Findings In this scenario, the CCDPs for Case 1 and Case 2 are both 4.92E-2. Both cases are within the result range of other SAE scenarios.
4.10 SS4.1 Inability To Monitor a Significant Transient in Progress Emergency Action Level Threshold Conditions 40
(1) There is loss of most (approximately 75 percent) or all annunciators (panels A through K) associated with safety-related structures, systems, and components on unit MCR bench boards 1 and 2 and vertical boards 1 and 2.
AND (2) PCS is unavailable.
AND (3) There is complete loss of ability to monitor any critical safety function status.
AND (4) Any of the following significant transients is in progress:
- a. automatic turbine runback greater than 25 percent thermal reactor power
- b. electrical load rejection greater than 25 percent full electrical load
- c. reactor trip
- d. safety injection activation
- e. thermal power oscillations of greater than 10 percent Mapping of Emergency Action Level Scenario to the SPAR ModelCase 1: Loss of Condenser Heat Sink (1) The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.
(2) The operator was assumed to have tripped the reactor successfully.
(3) The loss of both annunciation and indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual crosstie of AFW from Surry Unit 2 (if needed), manual feed-and-bleed operations (if needed), manual operation of the feedwater system via maintaining the hotwell condenser level (if needed), and aligning the chilled water supply to cool the switchgear room (if normal cooling to the switchgear room failed), were selected. It was conservatively assumed that the operator was unable to perform any of these actions in this scenario.
(4) The loss of both annunciation and indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs (Ref. 10).
Mapping of Emergency Action Level Scenario to the SPAR ModelCase 2: Loss of Main Feedwater (1) The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.
(2) The operator was assumed to have tripped the reactor successfully.
41
(3) The loss of both annunciation and indication would significantly impact the operators actions during the first hour. Therefore, the most significant human actions, which included manual crosstie of AFW from Surry Unit 2 (if needed), manual feed-and-bleed operations (if needed), manual operation of the feedwater system via maintaining the hotwell condenser level (if needed), and aligning the chilled water supply to cool the switchgear room (if normal cooling to the switchgear room failed), were selected. It was conservatively assumed that the operator was unable to perform any of these actions in this scenario.
(4) The loss of indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs (Ref. 10).
SPAR Model Results and Findings The CCDPs of Case 1 and Case 2 of this EAL scenario are both 9.47E-1. The results of both cases are below the result range of other SAE scenarios.
4.11 SG1.1Prolonged Loss of All Offsite and Onsite Alternating Current Power Emergency Action Level Threshold Conditions (1) loss of all offsite and onsite AC power to Unit 1 4,160-V emergency busses H and J AND EITHER (2) restoration of any 4,160-V emergency bus within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> not likely OR (3) CSFST core coolingRED or ORANGE path Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected because the majority of LOOP events in the United States are grid related.
Emergency busses H and J would instantly fail due to LOOP.
(2) When LOOP occurred, all EDGs were assumed to be inoperable to model the SBO condition.
(3) During the SBO, if AC power sources could have been recovered in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, the depleting batteries would have been recharged. Therefore, the recovery of an AC source could prevent battery depletion and should be credited in the SPAR model. The AC recovery could be achieved by either recovering offsite power or recovering one of the EDGs. The battery depletion probability at the fourth hour was the product of the nonrecovery probability of offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and the nonrecovery probability of an EDG in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
42
(4) Because the duration of SBO in this scenario was greater than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, it was assumed that the recovery of any of the EDGs or offsite power was not possible within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
The failure probabilities of recovering one of the EDGs or offsite power in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> were calculated based on the condition that there was no successful recovery of any of the EDGs or offsite power during the first 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
SPAR Model Result and Findings The CCDP of this EAL scenario is 3.86E-1, which is within the result range of other GE EAL scenarios.
4.12 SG2.1Failure of the Reactor Protection System To Complete Both Automatic and Manual Trip and There Is Indication of an Extreme Challenge to the Ability To Cool the Core Emergency Action Level Threshold Conditions (1) An automatic trip failed to shut down the reactor and all manual actions do not shut down the reactor, as indicated by reactor power greater than 5 percent.
AND EITHER:
(2) CSFST core cooling is RED.
OR (3) CSFST heat sink is RED.
Mapping of Emergency Action Level Scenario to the SPAR Model (1) In this scenario, a transient was in demand, but both the automatic and manual trip failed. The primary pressure and temperature would increase and lead to an LOMFW event. Therefore, the initiator for LOMFW (IE-LOMFW) was selected in the SPAR model.
(2) Because the automatic trip failed, the reactor protective system analog process logic modules, the bistable channels, and the undervoltage drivers were assumed to have failed.
(3) The operator was assumed to have failed to trip the reactor.
(4) The reactor trip breakers and the rod cluster control assembly were assumed to have failed, such that the manual trip process could not be completed.
(5) The AFW system and the manual action to crosstie the AFW from Unit 2 were assumed to have failed to model the degenerating condition of the core cooling.
SPAR Model Result and Findings The CCDP of this EAL scenario is 1, which is within the result range of other GE EAL scenarios.
43
44
- 5. PROPOSED AREAS FOR FUTURE WORK The methodology and the limited pilot applications described in this report demonstrated the feasibility of using risk-informed approaches for streamlining EP. This study focused on the use of one of the PRA-generated risk metrics (CCDP). It was limited to Level 1 PRA for internal event initiators, and it was applied to one BWR and one PWR plant.
Extending the study by use of Level 1 PRAs, which include external events, can generate the CCDPs associated with floods, fires, high winds, seismic events, and other natural accidents.
Use of Level 2 and 3 PRAs can generate additional information on other risk metrics, such as containment failure modes, containment failure probabilities, release timing, release magnitudes, and public doses.
Finally, dynamic PRAs equipped with the insights from severe accident analysis would provide the critical timing of the accident progression and radiological releases.
Using the insights gained from this studyboth generic and plant-specificand our understanding of the capabilities of the current state-of-the-art PRA methodologies, we propose the following areas for further evaluation:
(1) Perform additional plant-specific analyses using Level 1 internal event PRAs to develop generic and plant-specific insights to confirm, modify, or add to what was identified in this study. The additional plant-specific studies may require site visits to extend the PRA models to address the specific issues identified (see Chapter 2). At minimum, the following issues must be addressed:
- a. Examine the plant response, including the possible recovery actions on loss of total DC. Develop and extend the existing PRA models such that plant-specific risk evaluations for total loss of DC can be explicitly evaluated.
- b. Examine the basis of the time threshold of 15 minutes for loss of electric power supplies. In several EALs (MA1 and SA1.1), the time threshold of 15 minutes is used to differentiate between temporary, self-correcting electrical disturbances and prolonged losses of power. Although 15 minutes is an appropriate threshold for discrimination between temporary and prolonged disturbances, it is not indicative of any risk threshold. More appropriate risk-informed time thresholds should be developed. A preliminary study was performed as a part of this activity, which examined the timing of various accident sequences for Surry and Peach Bottom (see NUREG-1953, Confirmatory Thermal-Hydraulic Analysis To Support Specific Success Criteria in the Standardized Plant Analysis Risk ModelsSurry and Peach BottomDraft Report for Comment, issued November 2010 (Ref. 11)). This preliminary examination indicated that a threshold time of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> may be more appropriate for losses of either AC or DC, whereas 15 minutes is more appropriate for losses of both AC and DC.
- c. Further examine the risk evaluation of the plant-specific features associated with loss of AC and DC, one AC source away from SBO, and primary leakage in excess of TS limits. The insights gained from these evaluations are to be used to streamline the associated EAL conditions.
45
(2) Examine the feasibility of using Level 2 PRA models to streamline the EALs associated with fission product barriers and radiological effluent. A preliminary study, currently ongoing for Peach Bottom, has shown that several of the EAL conditions for fission product barriers are overlapping and, therefore, could be streamlined. It is proposed to use Level 2 PRA to examine these EALs for a small sample of plants.
(3) Some of the SPAR models have included or are in the process of including external event models, such as fire, flood, seismic events, and high wind. Such models could allow risk evaluations of natural and manmade hazards, as well as fire and explosion EALs. Plant-specific risk evaluation using external-event PRAs to perform a feasibility study is also proposed as future work.
(4) Perform a risk evaluation of multiple overlapping EALs to decide if the EAL classification should be elevated based on synergistic effects. In this proposed effort, we would examine the feasibility of evaluating the risk of two overlapping EAL conditions; for example, alert due to a fire and alert due to a design-basis earthquake. The objective would be to verify under what conditions the risk associated with the overlapping EAL conditions would increase sufficiently to require elevation of the EP classification.
46
- 6. REFERENCES
- 1. Nuclear Energy Institute, NEI 99-01, Methodology for Development of Emergency Action Levels, Revision 4, January 2003; Revision 5, February 2008.
- 2. Exelon Nuclear, Radiological Emergency Plan for Peach Bottom Station, EP-AA-1007, Exelon Nuclear Standardized Radiological Emergency Plan, Revision 20, March 2010.
- 3. Schroeder, John A., Idaho National Laboratory, Standardized Plant Analysis Risk Model for Peach Bottom 2, March 2011.
- 4. Exelon Nuclear, Peach Bottom Atomic Power Station Units 2 & 3, Updated Final Safety Analysis Report, Revision 8, January 1990.
- 5. Peach Bottom Technical Specification.
- 6. Virginia Electric and Power Company (Dominion), Surry Power Station Emergency Plan, Revision 54, December 2008.
- 7. Schroeder, John A., James K. Knudsen, and John P. Poloski, Idaho National Laboratory, Standardized Plant Analysis Risk Model for Surry Units 1 and 2 (ASP PWR A1),
January 2011.
- 8. Virginia Electric and Power Company (Dominion), Surry Updated Final Safety Analysis Report, Revision 32, September 2000.
- 9. Surry Power Station Units 1 and 2 Technical Specification.
- 10. U.S. Nuclear Regulatory Commission, NUREG/CR-6883 (INL/EXT-05-00509), The SPAR-H Human Reliability Analysis Method, August 2005.
- 11. U.S. Nuclear Regulatory Commission, NUREG-1953, Confirmatory Thermal-Hydraulic Analysis To Support Specific Success Criteria in the Standardized Plant Analysis Risk ModelsSurry and Peach BottomDraft Report for Comment, November 2010.
47
APPENDIX A: SPAR MODEL DATA AND RESULTS 48
Table A-1 Peach Bottom SPAR Model Data and Results PBT EAL Initiating PBT EAL Threshold Conditions Components Failure CCDP EAL Class Event MU1 NOUE 1. Loss of power to 2 emergency auxiliary IE-LOOPGR DCP-BAT-CF-BATT = FALSE; 2.25E-06 transformer (OAX04) and 3 emergency DCP-BAT-CF-U2BATT = FALSE; auxiliary transformer (OBX04) for DCP-BAT-LP-BATTA = FALSE;
>15 minutes. DCP-BAT-LP-BATTB = FALSE; DCP-BAT-LP-BATTC = FALSE; DCP-BAT-LP-BATTD = FALSE; DCP-BCH-CF-CHRS = FALSE; DCP-BCH-CF-U2CHRS = FALSE; EPS-DG-CF-START = FALSE; EPS-DG-FS-DGA = FALSE; EPS-DG-FS-DGB = FALSE; EPS-DG-FS-DGC = FALSE; EPS-DG-FS-DGD = FALSE; EPS-DG-TM-DGA = FALSE; EPS-DG-TM-DGB = FALSE; EPS-DG-TM-DGC = FALSE; EPS-DG-TM-DGD = FALSE; EPS-SEQ-CF-DGNS = FALSE; EPS-SEQ-FO-DGA = FALSE; EPS-SEQ-FO-DGB = FALSE; EPS-SEQ-FO-DGC = FALSE; EPS-SEQ-FO-DGD = FALSE; OEP-XHE-XL-NR01HGR=7.410E-1:
OEP-XHE-XL-NR02HGR=4.317E-1; OEP-XHE-XL-NR12HGR=2.430E-2; OEP-XHE-XL-NR30MGR=TRUE; MU6 NOUE UNPLANNED loss of most (approximately N/A RCI-XHE-XL-RSTRT=True; 6.73E-11 75%) 1. Safety system annunciators, OR
- 2. Indications associated with safety functions.
MU6 NOUE UNPLANNED loss of most (approximately N/A ADS-XHE-XM-MDEPR=1.5e-2; 6.97E-09 75%) 1. Safety system annunciators, OR HCI-XHE-XO-ERROR=1.963e-2;
- 2. Indications associated with safety HCI-XHE-XO-ERROR1=1.597e-1; functions. HPI-XHE-XO-ERROR=1.963e-2; LPI-XHE-XM-ERROR=9.911e-3; RCI-XHE-XO-ERROR=9.911e-3; MU7 NOUE 1. Unidentified or pressure boundary IE-SLOCA CDS-XHE-XM-RFLLT = 1E-3; 9.85E-07 leakage into the drywell >10 gpm, OR RPS-SYS-FC-ARI = FALSE;
- 2. identified leakage into the drywell RPS-SYS-FC-ELECT = FALSE;
>25 gpm. RPS-SYS-FC-HCU = FALSE; RPS-SYS-FC-MECH = FALSE; RPS-SYS-FC-PSOVS = FALSE; RPS-SYS-FC-RELAY = FALSE; RPS-XHE-XM-SCRAM = FALSE 49
PBT EAL Initiating PBT EAL Threshold Conditions Components Failure CCDP EAL Class Event MA1 Alert 1. AC power capability to unit 4-kV IE-LOOPGR DCP-BAT-CF-BATT=FALSE; 4.41E-04 safeguard busses reduced to only one of the DCP-BAT-CF-U2BATT=FALSE; following for >15 minutes: 101 or 201 DCP-BAT-LP-BATTA=FALSE; safeguard transformer, D11(21) or D12(22) DCP-BCH-CF-CHRS=FALSE; or D13(23) or D14(24) diesel generators; DCP-BCH-CF-U2CHRS=FALSE; AND 2. any additional single power source EPS-DGN-CF-START=FALSE; failure will result in a unit blackout. EPS-DGN-FS-DGA=FALSE; EPS-DGN-FS-DGB=TRUE; EPS-DGN-FS-DGC=TRUE; EPS-DGN-FS-DGD=TRUE; EPS-DGN-TM-DGA=FALSE; EPS-SEQ-FO-DGA=FALSE; OEP-XHE-XL-NR01HGR=7.410E-1:
OEP-XHE-XL-NR02HGR=4.317E-1; OEP-XHE-XL-NR12HGR=2.430E-2; OEP-XHE-XL-NR30MGR=TRUE; MA3 Alert A reactor protection system setpoint was IE-IORV RPS-SYS-FC-ELECT = TRUE; 4.43E-06 exceeded AND automatic scram did not RPS-XHE-XM-SCRAM = FALSE; reduce reactor power to subcritical with RPS-SYS-FC-ARI = TRUE power below the heating range (1.00 E+0%).
MA3 Alert A reactor protection system setpoint was IE-TRANS RPS-SYS-FC-ELECT = TRUE; 5.59E-08 exceeded AND automatic scram did not RPS-XHE-XM-SCRAM = FALSE; reduce reactor power to subcritical with RPS-SYS-FC-ARI = TRUE power below the heating range (1.00 E+0%).
MA6 Alert 1. Loss of most (approximately 75%) IE-LOCHS RCI-XHE-XL-RSTRT=TRUE; 2.55E-06 a) safety system annunciators; AND RPS-XHE-XM-SCRAM=FALSE; b) indications associated with safety functions; AND 2. a) a significant transient in progress, OR b) compensatory nonalarming indications unavailable.
MA6 Alert 1. Loss of most (approximately 75%) IE-LOCHS ADS-XHE-XM-MDEPR=1.5e-2; 5.87E-04 a) safety system annunciators, OR HCI-XHE-XO-ERROR=1.963e-2; b) indications associated with safety HCI-XHE-XO-ERROR1=1.597e-1; functions; AND 2. a) a significant transient in HPI-XHE-XO-ERROR=1.963e-2; progress, OR b) compensatory nonalarming LPI-XHE-XM-ERROR=9.911e-3; indications unavailable. RCI-XHE-XO-ERROR=9.911e-3; RPS-XHE-XM-SCRAM=FALSE MA6 Alert 1. Loss of most (approximately 75%) IE-LOMFW RCI-XHE-XL-RSTRT=True; 2.45E-06 a) safety system annunciators, OR RPS-XHE-XM-SCRAM=False; b) indications associated with safety functions; AND 2. a) a significant transient in progress, OR b) compensatory nonalarming indications unavailable.
50
PBT EAL Initiating PBT EAL Threshold Conditions Components Failure CCDP EAL Class Event MA6 Alert 1. Loss of most (approximately 75%) IE-LOMFW ADS-XHE-XM-MDEPR=1.5e-2; 5.87E-04 a) safety system annunciators; AND HCI-XHE-XO-ERROR=1.963e-2; b) indications associated with safety HCI-XHE-XO-ERROR1=1.597e-1; functions; AND 2. a) a significant transient in HPI-XHE-XO-ERROR=1.963e-2; progress, OR b) compensatory nonalarming LPI-XHE-XM-ERROR=9.911e-3; indications unavailable. RCI-XHE-XO-ERROR=9.911e-3; RPS-XHE-XM-SCRAM=FALSE MS1 SAE 1. Loss of power to 2 emergency auxiliary IE-LOOPGR EPS-DGN-FS-DGA=TRUE; 4.81E-04 transformer (OAX04) and 3 emergency EPS-DGN-FS-DGB=TRUE; auxiliary transformer (OBX04); AND 2. failure EPS-DGN-FS-DGC=TRUE; of El, E2, E3, and E4 emergency diesel EPS-DGN-FS-DGD=TRUE; generators to supply power to unit 4-kV EPS-XHE-XL-NR01H=9.172E-1; safeguards busses; AND 3. failure to restore EPS-XHE-XL-NR02H=8.018E-1; power to at least one unit 4-kV safeguards EPS-XHE-XL-NR30M=TRUE; bus within 15 minutes from the time of loss OEP-XHE-XL-NR01HGR=7.410E-1; of both offsite and onsite AC power. OEP-XHE-XL-NR02HGR=4.317E-1; OEP-XHE-XL-NR12HGR=2.430E-2; OEP-XHE-XL-NR30MGR=1; MS4 SAE Loss of all vital DC power based on <105 VDC IE-LOMFW DCP-BDC-LP-DI=TRUE; 1.00E+00 on unit 125 VDC battery busses 1(2)FA, B, C, DCP-BDC-LP-DII=TRUE; and D for >15 minutes. DCP-BDC-LP-DIII=TRUE; DCP-BDC-LP-DIV=TRUE; MSS-MSV-OC-STEAM=TRUE; MS3 SAE Automatic scram, manual scram, and ARI IE-IORV RPS-SYS-FC-ELECT = TRUE; 9.86E-03 were not successful from the reactor RPS-XHE-XM-SCRM = TRUE; console as indicated by EITHER: a) reactor RPS-SYS-FC-ARI=TRUE; power remains >4%, OR b) suppression pool temperature >110F AND boron injection required for reactivity control.
MS3 SAE Automatic scram, manual scram, and ARI IE-TRANS RPS-SYS-FC-ELECT = TRUE; 8.30E-03 were not successful from the reactor RPS-XHE-XM-SCRM = TRUE; console as indicated by EITHER: a) reactor RPS-SYS-FC-ARI=TRUE; power remains >4%, OR b) suppression pool temperature >110F AND boron injection required for reactivity control.
MS5 SAE Heat capacity temperature limit (T-102 IE-LOCHS CDS-TNK-HW-CST = TRUE; 5.09E-03 Curve SPIT-1) exceeded. RHR-MDP-CF-START = TRUE; SPC-MOV-CF-INJEC = TRUE; MS6 SAE 1. Loss of most (approximately 75%) safety IE-LOCHS ADS-XHE-XM-MDEPR=1.5e-2; 8.00E-02 system annunciators; AND 2. indications CRD-XHE-XM-PUMP=TRUE; associated with safety functions; AND 3. a CRD-XHE-XM-VLVS=TRUE; significant transient in progress; AND HCI-XHE-XO-ERROR=TRUE;
- 4. compensatory nonalarming indications HCI-XHE-XO-ERROR1=TRUE; unavailable. HPI-XHE-XO-ERROR=TRUE; LPI-XHE-XM-ERROR=TRUE; RCI-XHE-XL-RSTR=TRUE; RCI-XHE-XO-ERROR=TRUE; RPS-XHE-XM-SCRAM=FALSE 51
PBT EAL Initiating PBT EAL Threshold Conditions Components Failure CCDP EAL Class Event MS6 SAE 1. Loss of most (approximately 75%) safety IE-LOMFW ADS-XHE-XM-MDEPR=1.5e-2; 8.00E-02 system annunciators; AND 2. indications CRD-XHE-XM-PUMP=TRUE; associated with safety functions; AND 3. a CRD-XHE-XM-VLVS=TRUE; significant transient in progress; AND HCI-XHE-XO-ERROR=TRUE;
- 4. compensatory nonalarming indications HCI-XHE-XO-ERROR1=TRUE; unavailable. HPI-XHE-XO-ERROR=TRUE; LPI-XHE-XM-ERROR=TRUE; RCI-XHE-XL-RSTR=TRUE; RCI-XHE-XO-ERROR=TRUE; RPS-XHE-XM-SCRAM=FALSE MG1 GE 1. Loss of power to 2 emergency auxiliary IE-LOOPGR CWG-XHE-XL-NR01H = TRUE; 2.36E-01 transformer (OAX04) and 3 emergency CWG-XHE-XL-NR02H = TRUE; auxiliary transformer (OBX04). AND 2. failure EPS-DG-FR-DGA = TRUE; of El, E2, E3, and E4 emergency diesel EPS-DG-FR-DGB = TRUE; generators to supply power to unit 4-kV EPS-DG-FR-DGC = TRUE; safeguards busses; AND 3. a) restoration of a EPS-DG-FR-DGD = TRUE; least one unit 4-kV safeguard bus within 2 EPS-XHE-XL-NR30M = TRUE; hrs. is not likely, OR b) RPV level cannot be EPS-XHE-XL-NR90M = TRUE; determined to be > -172. EPS-XHE-XL-NR01H = TRUE; EPS-XHE-XL-NR02H = TRUE; OEP-XHE-XL-NR30MGR = TRUE; OEP-XHE-XL-NR90MGR = TRUE; OEP-XHE-XL-NR01HGR = TRUE; OEP-XHE-XL-NR02HGR = TRUE OEP-XHE-XL-NR12HGR = 5.632E-2 MG3 GE 1. Automatic scram, manual scram, and ARI IE-LOMFW RPS-SYS-FC-ELECT = TRUE; 1.00E+00 were not successful from reactor console as RPS-XHE-XM-SCRM = TRUE; indicated by EITHER a) reactor power RPS-SYS-FC-ARI=TRUE; remains >4%, OR b) torus temperature PPR-SRV-CC-SRSV=TRUE
>110F AND boron injection required for reactivity control; AND 2. a) RPV level cannot be restored and maintained > -195, OR b) heat capacity temperature limit (T-102 Curve T/T-1) exceeded.
52
Table A-2 Surry SPAR Model Data and Results SURY EAL Initiating Surry EAL Threshold Condition BEs Modified CCDP EAL Class Event SU1.1 NOUE Loss of all offsite AC power to Unit ( ) IE-LOOPGR DCP-BAT-LP-CF-1AB = FALSE; 1.18E-05 4,160-V emergency busses H and J for DCP-BAT-LP-1BATA4HR = 8.56E-2;
>15 minutes. DCP-BAT-LP-1BATB4HR = 8.56E-2; DCP-BAT-LP-2BATA4HR = 8.56E-2; DCP-BAT-LP-2BATB4HR = 8.56E-2; DCP-BAT-LP-BATTA = FALSE; DCP-BAT-LP-BATTB = FALSE; EPS-DGN-CF-FSALL = FALSE; EPS-DGN-FS-DG1 = FALSE; EPS-DGN-FS-DG3 = FALSE; EPS-DGN-TM-DG1 = FALSE; EPS-DGN-TM-DG3 = FALSE; EPS-SEQ-CF-DG123 = FALSE; EPS-SEQ-FO-DG1 = FALSE; OEP-XHE-XL-NR01HGR=7.410E-1; OEP-XHE-XL-NR02HGR=4.317E-01; OEP-XHE-XL-NR03HGR=2.748E-01; OEP-XHE-XL-NR04HGR=1.864E-01; OEP-XHE-XL-NR06HGR=9.756E-02; OEP-XHE-XL-NR08HGR=5.735E-02; OEP-XHE-XL-NR30MGR=TRUE; SU4.1 NOUE Unplanned loss of most (-75%) or all of N/A N/A 2.75E-09 EITHER: Annunciators (Panels 'A' thru 'K')
Indicators associated with safety-related structures, systems and components.
SU4.1 NOUE Unplanned loss of most (-75%) or all of N/A AFW-XHE-XM-XTIE = 7.896E-1; 5.55E-08 EITHER: Annunciators (Panels 'A' thru 'K') CDS-XHE-XM-LVL = 1.963E-2; Indicators associated with safety-related CHW-XHE-XE-BCKUP = 1.963E-2; structures, systems and components. HPI-XHE-XL-RWST2 = 5.558E-1; HPI-XHE-XM-ALT = 1.963E-2; HPI-XHE-XM-FB = 5.558E-1; HPI-XHE-XM-MDP1C = 3.336E-1; 53
SURY EAL Initiating Surry EAL Threshold Condition BEs Modified CCDP EAL Class Event SU6.1 NOUE Unidentified or pressure boundary leakage IE-SLOCA CSR-LIC-CF-100ABCD = FALSE 4.05E-05
>10 gpm OR identified leakage >25 gpm. CSR-XHE-XM-MISCALIB = FALSE CSR-XHE-XR-FLANGE = FALSE CSR-XHE-XR-RSP2A = FALSE CSR-XHE-XR-RSP2B = FALSE DCP-BAT-CF-1AB = FALSE DCP-BAT-CF-2AB = FALSE DCP-BAT-LP-1BATA4HR = FALSE DCP-BAT-LP-1BATB4HR = FALSE DCP-BAT-LP-2BATA4HR = FALSE DCP-BAT-LP-2BATB4HR = FALSE HPR-XHE-XM-RECIRC = FALSE LPR-SMP-PG-SL = FALSE RPS-BME-CF-RTBAB = FALSE RPS-CCP-TM-CHA = FALSE RPS-CCX-CF-4OF6 = FALSE RPS-CCX-CF-6OF8 = FALSE RPS-ROD-CF-RCCAS = FALSE RPS-TXX-CF-4OF6 = FALSE RPS-TXX-CF-6OF8 = FALSE RPS-UVL-CF-UVDAB = FALSE RPS-XHE-XE-NSGNL = FALSE RPS-XHE-XE-SIGNL = FALSE SA1.1 Alert AC power capability to Unit ( ) 4,160-V IE-LOOPGR DCP-BAT-CF-1AB = FALSE; 2.38E-03 emergency busses H and J reduced to a DCP-BAT-LP-1BATA4HR=8.56E-2; single power source for >15 minutes (any DCP-BAT-LP-1BATB4HR = 8.56E-2; additional single failure would result in loss DCP-BAT-LP-2BATA4HR = 8.56E-2; of all AC power to the emergency busses). DCP-BAT-LP-2BATB4HR = 8.56E-2; DCP-BAT-LP-BATTA = FALSE; DCP-BAT-LP-BATTB = FALSE; EPS-DGN-CF-FSALL = FALSE; EPS-DGN-FS-DG1 = FALSE; EPS-DGN-FS-DG3 = TRUE; EPS-DGN-FS-SBO = TRUE; EPS-DGN-TM-DG1 = FALSE; EPS-SEQ-CF-DG123 = FALSE; EPS-SEQ-FO-DG1 = FALSE; OEP-XHE-XL-NR01HGR=7.410E-1; OEP-XHE-XL-NR02HGR=4.317E-01; OEP-XHE-XL-NR03HGR=2.748E-01; OEP-XHE-XL-NR04HGR=1.864E-01; OEP-XHE-XL-NR06HGR=9.756E-02; OEP-XHE-XL-NR08HGR=5.735E-02; OEP-XHE-XL-NR30MGR=TRUE; 54
SURY EAL Initiating Surry EAL Threshold Condition BEs Modified CCDP EAL Class Event SA2.1 Alert An automatic trip failed to shut down the IE-LOMFW PPR-MOV-FC-RC1535=TRUE; 4.71E-05 reactor and manual actions (i.e., trip PPR-MOV-FC-RC1536=TRUE; pushbuttons) taken at the main control PPR-SRV-CO-TRAN=TRUE; room (MCR) bench board successfully shut PPR-SRV-OO-155-1A=TRUE; down the reactor as indicated by reactor RPS-BME-CF-RTBAB=FALSE; power <5%. RPS-CCX-CF-40F6=TRUE; RPS-CCX-CF-60F8=TRUE; RPS-ROD-CF-RCCAS=FALSE; RPS-TXX-CF-40F6=TRUE; RPS-TXX-CF-6OF8=TRUE; RPS-UVL-CF-UVDAB=TRUE; RPS-XHE-XE-NSGNL=FALSE; RPS-XHE-XE-SIGNL=FALSE SA2.1 Alert An automatic trip failed to shut down the IE-TRANS PPR-MOV-FC-RC1535=TRUE; 4.30E-05 reactor and manual actions (i.e., trip PPR-MOV-FC-RC1536=TRUE; pushbuttons) taken at the MCR bench PPR-SRV-CO-TRAN=TRUE; board successfully shut down the reactor as PPR-SRV-OO-155-1A=TRUE; indicated by reactor power <5%. RPS-BME-CF-RTBAB=FALSE; RPS-CCX-CF-40F6=TRUE; RPS-CCX-CF-60F8=TRUE; RPS-ROD-CF-RCCAS=FALSE; RPS-TXX-CF-40F6=TRUE; RPS-TXX-CF-6OF8=TRUE; RPS-UVL-CF-UVDAB=TRUE; RPS-XHE-XE-NSGNL=FALSE; RPS-XHE-XE-SIGNL=FALSE SA4.1 Alert Unplanned loss of most (-75%) or all of IE-LOCHS RPS-XHE-XE-NSGNL = FALSE; 1.50E-07 EITHER: a) annunciators (panels A RPS-XHE-XE-SIGNL = FALSE through K) OR b) indicators associated with safety-related structures, systems, and components; AND EITHER: a) a significant transient in progress, OR b) PCS is unavailable.
SA4.1 Alert Unplanned loss of most (-75%) or all of IE-LOCHS AFW-XHE-XM-XTIE = 7.896E-1; 7.40E-06 EITHER: a) annunciators (panels A CDS-XHE-XM-LVL = 1.963E-2; through K) OR b) indicators associated with CHW-XHE-XE-BCKUP = 1.963E-2; safety-related structures, systems, and HPI-XHE-XL-RWST2 = 5.558E-1; components; AND EITHER: a) a significant HPI-XHE-XM-ALT = 1.963E-2; transient in progress, OR b) PCS is HPI-XHE-XM-FB = 5.558E-1; unavailable. HPI-XHE-XM-MDP1C = 3.336E-1; RPS-XHE-XE-NSGNL = FALSE; RPS-XHE-XE-SIGNL = FALSE 55
SURY EAL Initiating Surry EAL Threshold Condition BEs Modified CCDP EAL Class Event SA4.1 Alert Unplanned loss of most (-75%) or all of IE-LOMFW RPS-XHE-XE-NSGNL = FALSE; 4.27E-06 EITHER: a) annunciators (panels A RPS-XHE-XE-SIGNL = FALSE through K) OR b) indicators associated with safety-related structures, systems, and components; AND EITHER: a) a significant transient in progress, OR b) PCS is unavailable.
SA4.1 Alert Unplanned loss of most (-75%) or all of IE-LOMFW AFW-XHE-XM-XTIE = 7.896E-1; 3.60E-04 EITHER: a) annunciators (panels A CDS-XHE-XM-LVL = 1.963E-2; through K) OR b) indicators associated with CHW-XHE-XE-BCKUP = 1.963E-2; safety-related structures, systems, and HPI-XHE-XL-RWST2 = 5.558E-1; components; AND EITHER: a) a significant HPI-XHE-XM-ALT = 1.963E-2; transient in progress, OR b) PCS is HPI-XHE-XM-FB = 5.558E-1; unavailable. HPI-XHE-XM-MDP1C = 3.336E-1; RPS-XHE-XE-NSGNL = FALSE; RPS-XHE-XE-SIGNL = FALSE SS1.1 SAE Loss of all offsite and onsite AC power to IE-LOOPGR DCP-BAT-LP-1BATA4HR=8.56E-2; 3.02E-02 Unit ( ) 4,160-V emergency busses H and J DCP-BAT-LP-1BATB4HR=8.56E-2; for >15 minutes. DCP-BAT-LP-2BATA4HR=8.56E-2; DCP-BAT-LP-2BATB4HR=8.56E-2; EPS-DGN-FS-DG1=TRUE*;
EPS-DGN-FS-DG3=TRUE*;
EPS-DGN-FS-SBO=TRUE; EPS-XHE-XL-NR01H=9.172E-1; EPS-XHE-XL-NR02H=8.018E-1; EPS-XHE-XL-NR03H=7.173E-1; EPS-XHE-XL-NR04H=6.5E-01; EPS-XHE-XL-NR06H=5.465E-01; EPS-XHE-XL-NR08H=4.687E-01; EPS-XHE-XL-NR30MIN=TRUE; OEP-XHE-XL-NR01HGR=7.410E-1; OEP-XHE-XL-NR02HGR=4.317E-01; OEP-XHE-XL-NR03HGR=2.748E-01; OEP-XHE-XL-NR04HGR=1.864E-01; OEP-XHE-XL-NR06HGR=9.756E-02; OEP-XHE-XL-NR08HGR=5.735E-02; OEP-XHE-XL-NR30MGR=TRUE; SS1.2 SAE Loss of all vital DC power based on IE-LOMFW (AFW-XHE-XM-CNTRL1=1E-1) 1.52E-01
<105-volt DC bus voltage indications for DCP-BDC-LP-1A = TRUE;
>15 minutes. DCP-BDC-LP-1B = TRUE; DCP-BDC-LP-1E = TRUE; DCP-BDC-LP-1F = TRUE; DCP-BDC-LP-2A = TRUE; DCP-BDC-LP-2B = TRUE 56
SURY EAL Initiating Surry EAL Threshold Condition BEs Modified CCDP EAL Class Event SS2.1 SAE An automatic trip failed to shut down the IE-LOMFW RPS-BME-CF-RTBAB=TRUE; 4.92E-02 reactor and manual actions (i.e., trip RPS-CCX-CF-40F6=TRUE; pushbuttons) taken at the MCR bench RPS-CCX-CF-60F8=TRUE; board do not shut down the reactor as RPS-ROD-CF-RCCAS=TRUE; indicated by reactor power <5%. RPS-TXX-CF-40F6=TRUE; RPS-TXX-CF-6OF8=TRUE; RPS-UVL-CF-UVDAB=TRUE; RPS-XHE-XE-NSGNL=TRUE; RPS-XHE-XE-SIGNL=TRUE SS2.1 SAE An automatic trip failed to shut down the IE-TRANS RPS-BME-CF-RTBAB=TRUE; 4.92E-02 reactor and manual actions (i.e., trip RPS-CCX-CF-40F6=TRUE; pushbuttons) taken at the MCR bench RPS-CCX-CF-60F8=TRUE; board do not shut down the reactor as RPS-ROD-CF-RCCAS=TRUE; indicated by reactor power <5%. RPS-TXX-CF-40F6=TRUE; RPS-TXX-CF-6OF8=TRUE; RPS-UVL-CF-UVDAB=TRUE; RPS-XHE-XE-NSGNL=TRUE; RPS-XHE-XE-SIGNL=TRUE SS4.1 SAE Loss of most (-75%) or all annunciators IE-LOCHS AFW-TDP-FR-1P2 = TRUE; 9.47E-04 (panels A through K) associated with AFW-XHE-XM-XTIE = TRUE; safety-related structures, systems, and CDS-XHE-XM-LVL = TRUE; components on Unit ( ) MCR bench CHW-XHE-XE-BCKUP = TRUE; boards 1 and 2 and vertical boards 1 and 2; HPI-XHE-XL-RWST2 = TRUE; AND PCS is unavailable; AND complete loss HPI-XHE-XM-ALT = TRUE; of ability to monitor any critical safety HPI-XHE-XM-FB = TRUE; functions status; AND significant transient is HPI-XHE-XM-MDP1C = TRUE; in progress. RPS-XHE-XE-NSGNL = FALSE; RPS-XHE-XE-SIGNL = FALSE SS4.1 SAE Loss of most (-75%) or all annunciators IE-LOMFW AFW-TDP-FR-1P2 = TRUE; 9.47E-04 (panels A through K) associated with safety- AFW-XHE-XM-XTIE = TRUE; related structures, systems, and CDS-XHE-XM-LVL = TRUE; components on Unit ( ) MCR bench CHW-XHE-XE-BCKUP = TRUE; boards 1 and 2 and vertical boards 1 and 2; HPI-XHE-XL-RWST2 = TRUE; AND PCS is unavailable; AND complete loss HPI-XHE-XM-ALT = TRUE; of ability to monitor any critical safety HPI-XHE-XM-FB = TRUE; functions status; AND significant transient is HPI-XHE-XM-MDP1C = TRUE; in progress. RPS-XHE-XE-NSGNL = FALSE; RPS-XHE-XE-SIGNL = FALSE 57
SURY EAL Initiating Surry EAL Threshold Condition BEs Modified CCDP EAL Class Event SG1.1 GE Loss of all offsite and onsite AC power to IE-LOOPGR EPS-DGN-FS-DG1=TRUE; 3.86E-01 Unit ( ) 4,160-V emergency busses H and J EPS-DGN-FS-DG3=TRUE; AND EITHER: restoration of any 4,160-V EPS-DGN-FS-SBO=TRUE; emergency bus within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is not likely EPS-XHE-XL-NR01H=TRUE; OR CSFST core coolingRED or ORANGE EPS-XHE-XL-NR02H=TRUE; path. EPS-XHE-XL-NR03H=TRUE; EPS-XHE-XL-NR04H=TRUE; EPS-XHE-XL-NR06H=8.407E-01; EPS-XHE-XL-NR08H=7.211E-01; EPS-XHE-XL-NR30MIN=TRUE; OEP-XHE-XL-NR01HGR=TRUE; OEP-XHE-XL-NR02HGR=TRUE; OEP-XHE-XL-NR03HGR=TRUE; OEP-XHE-XL-NR04HGR=TRUE; OEP-XHE-XL-NR06HGR=5.240E-01; OEP-XHE-XL-NR08HGR=3.077E-01; OEP-XHE-XL-NR30MGR=TRUE; SG2.1 GE An automatic trip failed to shut down the IE-LOMFW RPS-BME-CF-RTBAB=TRUE; 1.00E+00 reactor and all manual actions do not shut RPS-CCX-CF-40F6=TRUE; down the reactor as indicated by reactor RPS-CCX-CF-60F8=TRUE; power >5% AND EITHER: CSFST core RPS-ROD-CF-RCCAS=TRUE; coolingRED, OR CSFST heat sinkRED RPS-TXX-CF-40F6=TRUE; mode. RPS-TXX-CF-6OF8=TRUE; RPS-UVL-CF-UVDAB=TRUE; RPS-XHE-XE-NSGNL=TRUE; RPS-XHE-XE-SIGNL=TRUE; AFW-XHE-XM-XTIE=TRUE; AFW-TDP-FS-1P2=TRUE; AFW-MDP-FS-1P3B=TRUE 58
APPENDIX B: GRAPHICAL RESULTS 59
CCDP for NOUE Scenarios 1.00E-04 Peach Bottom Surry SU6.1 1.00E-05 SU1.1 NOUE Range MU1 1.00E-06 MU7 CCDP or Delta CDP 1.00E-07 SU4.1(I) 1.00E-08 MU6(I)
SU4.1(A) 1.00E-09 1.00E-10 MU6(A)
(A) = Loss of Annunciators; (I) = Loss of Indications Circled data point indicated the CCDP of that EAL is 1.00E-11 out of the expected range of the EC.
SU1 SU3 SU3 SU5 Figure B-1 NOUE CCDPs organized by NEI-99 scenario 60
CCDP for Alert Scenarios 1.00E-02 Peach Bottom Surry SA1.1 1.00E-03 MA6 LOCHS (I)
MA1 MA6 LOMFW (I)
SA4.1 LOMFW (I) 1.00E-04 Alert Range SA2.1 LOMFW CCDP or Delta CDP SA2.1 TRANS 1.00E-05 SA4.1 LOCHS (I)
MA3 SA4.1 LOMFW (A)
IORV MA6 LOCHS (A)
MA6 LOMFW (A) 1.00E-06 SA4.1 LOCHS (A) 1.00E-07 MA3 TRANS (A) = Loss of Annunciators; (I) = Loss of Indications Circled data point indicated the CCDP of that EAL is out of the expected range of the EC.
1.00E-08 SA5 SA2 SA4 SA4 Figure B-2 Alert CCDPs organized by NEI-99 scenario 61
CCDP for SAE Scenarios 1.00E+00 MS4 Prolonged Peach Bottom Surry SS1.2 1.00E-01 MS4 Short duration MS6 LOCHS/ MS6 LOMFW SS2.1 TRANS/ SS2.1 LOMFW SS1.1 CCDP or Delta CDP 1.00E-02 MS3 IORV SAE MS3 TRANS Range MS5 1.00E-03 SS4.1 LOCHS/ SS4.1 LOMFW MS1 (A) = Loss of Annunciators; (I) = Loss of Indications Circled data point indicated the CCDP of that EAL is 1.00E-04 out of the expected range of the EC.
SS1 SS2 SS3 SS4 Figure B-3 SAE CCDPs organized by NEI-99 scenario 62
CCDP for GE Scenarios SG2.1 1.00E+00 MG3 Peach Bottom Surry CCDP or Delta CDP SG1.1 GE Range MG1 (A) = Loss of Annunciators; (I) = Loss of Indications Circled data point indicated the CCDP of that EAL is out of the expected range of the EC.
1.00E-01 SG1 SG2 Figure B-4 GE CCDPs organized by NEI-99 scenario 63
CCDP for All Modeled EAL SG2.1 1.00E+00 MS4 HIGH MG3 Peach Bottom Surry SG1.1 GE SS1.2 MG1 1.00E-01 MS4 LOW MS6 LOCHS/ MS6 LOMFW SS1.1 SS2.1 TRANS/LOMFW 1.00E-02 MS3 IORV SAE MS3 TRANS MS5 SA1.1 MA6 LOCHS/ MA6 LOMFW (I) 1.00E-03 MA1 MS1 SS4.1 LOCHS/ LOMFW SA4.1 LOMFW (I) 1.00E-04 SA2.1 LOMFW Alert SU6.1 SA2.1 TRANS CCDP or Delta CDP SU1.1 1.00E-05 SA4.1 LOCHS (I)
MA3 IORV SA4.1 LOMFW (A) NOUE MU1 MA6 LOCHS/ MA6 LOMFW (A) 1.00E-06 MU7 SA4.1 LOCHS (A) 1.00E-07 SU4.1(I)
MA3 TRANS 1.00E-08 Non Risk MU6(I)
SU4.1(A) Significant 1.00E-09 1.00E-10 (A) = Loss of Annunciators; (I) = Loss of Indications MU6(A)
Circled data point indicated the CCDP of that EAL is out of the expected range of the EC.
1.00E-11 SU1 SU3 SU3 SU5 SA5 SA2 SA4 SA4 SS1 SS2 SS3 SS4 SS6 SG1 SG2 Figure B-5 All CCDPs organized by NEI-99 scenario 64