ML16214A199

An Assessment of Core Damage Frequency for Byron/Braidwood Backit Appeal Review
ML16214A199
Person / Time
Site: Byron, Braidwood  Constellation icon.png
Issue date: 08/11/2016
From: Buell R, James Chang, Don Helton, John Lane, Selim Sancaktar, Schroeder J
Office of Nuclear Regulatory Research
To:
Coyne K
References
Download: ML16214A199 (48)



An Assessment of Core Damage Frequency For Byron/Braidwood Nuclear Power Plants Supporting Backfit Appeal Review Panel

ML16214A199

Prepared by RES/DRA
Selim Sancaktar, Don Helton, James Chang, John Lane
Robert Buell (INL), John Schroeder (INL)

August 11, 2016

Contents

Executive Summary ..... 4
1. Introduction and Objective ..... 6
2. Modeling Information and Assumptions ..... 7
   2.1 Method and Model ..... 7
   2.2 Success Criteria ..... 9
   2.3 Pressurizer Overfill and SI Termination ..... 9
       2.3.1 Consequential LOCAs and Spurious SI Event ..... 10
       2.3.2 Steamline Break Events ..... 10
       2.3.3 CVCS Malfunctions ..... 10
       2.3.4 Other SRV Failures ..... 11
3. CDF of Plant Configurations ..... 12
4. Results and Insights ..... 14
5. References ..... 18
Appendix 1. Event/Procedural Narratives ..... 19
   A.1-1 Inadvertent Safety Injection (ISINJ) ..... 19
   A.1-2 Main Steam Line Break ..... 24
   A.1-3 Chemical and Volume Control System (CVCS) Malfunction ..... 26
Appendix 2. Human Error Probability Estimates ..... 28
Appendix 3. Classification of Plant Conditions from UFSAR ..... 35
Appendix 4. Byron SPAR Model ..... 39
   D.1 Inadvertent Safety Injection Event Tree ..... 39
   D.2 Steam Line Break Containment Event Tree ..... 41
   D.3 Notes on SRV Failures ..... 46
   D.4 Notes on How Model Cases Were Run ..... 46

Acknowledgement

It is imperative to mention the substantial contribution by Kevin Coyne to this project, technical, inquisitive and otherwise.

Executive Summary

By memo dated June 22, 2016, the Executive Director for Operations (EDO) established a Charter for a Backfit Appeal Review Panel to assess several issues associated with a backfit determination for the Byron and Braidwood sites (ML16173A311). The NRC staff had previously determined that the Byron and Braidwood sites were not in compliance with 10 CFR 50.34(b) because certain Condition II events (faults of moderate frequency) could result in water relief through unqualified pressurizer safety relief valves (SRVs) that may allow the event to lead to a more serious condition. The EDO's Backfit Appeal Review Panel charter specifically requested information on the contribution to overall plant risk of the current configuration at Braidwood and Byron. This document provides a risk analysis intended to support resolution of this charter item.

The analysis contained in this report was narrowly focused on the backfit question under review by the Appeal Review Board and is intended to provide additional context and insights to the Board. As such, other applications of this information may not be appropriate unless this limitation is recognized.

This report provides a calculation of plant core damage frequency (CDF) for the representative unit (Byron Unit 1) for plant configurations where the pressurizer pilot operated relief valve (PORV) block valves may be in different open or closed position during power operation, to provide additional information to decision makers. Additionally, the potential risk benefit of meeting regulatory requirements is estimated to provide additional information to the Backfit Appeal Review Panel.

The Byron Unit 1 SPAR model is used to analyze the plant CDF. It is deemed that the risk analysis results (plant CDF for internal events at power) for Byron Unit 1 reasonably represent those of Byron Unit 2, Braidwood Unit 1 and Braidwood Unit 2. The Byron and Braidwood plants are similar and, in fact, share the same UFSAR. The known minor differences between the units are not considered to significantly impact the results for this analysis.

An enhanced SPAR model has been used for this analysis to make plant CDF estimates for internal events at power. The analysis is supplemented by thermal hydraulic estimates (for time windows) and specific HRA analysis for key operator actions, both performed specifically for this report.

Two cases, as defined below, are studied and their CDFs are calculated:

CASE-A - plant as operated, assuming realistic values for human actions.

CASE-B - plant with a perfect backfit that will always prevent pressurizer overfill and a subsequent challenge to the SRVs. This is modeled by assuming operator actions to unblock a blocked PORV and terminate safety injection are always successful.

The base CDF (Case-A) is 1.4E-05/year. The CDF difference between Cases A and B (CDF_A - CDF_B) is calculated to be 1.5E-07/year. This is a measure of the maximum benefit that may be attained with a perfect backfit that avoids the issue (e.g., consequential small LOCA due to SRV failure after pressurizer overfill). This value is below the very small CDF delta risk threshold of 1E-06/year.1 It is recommended that this delta CDF be considered as the best estimate benefit from a perfect backfit that would reduce the pressurizer overfill and stuck open SRV concern. It should also be noted that any practical backfit remedy is not expected to be completely effective. Therefore, this delta CDF represents the maximum possible benefit from any backfit plant change. The actual risk benefit would be lower.

An additional insight gained from this analysis is the plant risk impact of the closure of both pressurizer PORV block valves during operation. The plant CDF increases by approximately 40% when the PORV configuration goes from both valves unblocked to both PORV valves blocked.

In addition, when no PORV relief path is available (e.g., both PORV valves blocked and operator actions to unblock them fail) during an inadvertent safety injection event, the pressurizer would become water solid and the SRVs challenged after approximately 20 minutes. However, when a PORV relief path is available (and the PORV is assumed capable of passing water), pressurizer pressure can be maintained below the SRV lift setpoint with full safety injection flow. Although it is assumed that the PORV would eventually fail due to repetitive cycling (either in the fully open or closed position), this provides more time for operator action to terminate pressurizer overfill and avoid a safety relief challenge. Therefore, the availability of a PORV relief path provides a longer time window for operator action to terminate injection flow, which reduces the human error probability of that action.

1 Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2 - May 2011.


1. Introduction and Objective

By memo dated June 22, 2016, the Executive Director for Operations (EDO) established a Charter for a Backfit Appeal Review Panel to assess several issues associated with a backfit determination for the Byron and Braidwood sites (ML16173A311). The NRC staff had previously determined that the Byron and Braidwood sites were not in compliance with 10 CFR 50.34(b) because certain Condition II events (faults of moderate frequency) could result in water relief through unqualified pressurizer safety relief valves (SRVs) that may allow the event to lead to a more serious condition. The EDO's Backfit Appeal Review Panel charter specifically requested information on the contribution to overall plant risk of the current configuration at Braidwood and Byron. This document provides a risk analysis intended to support resolution of this charter item.

The following paragraph, taken from the NRC's reaffirmation of the backfit decision (ML16095A204), summarizes the original NRC concern and assessment of the non-compliance:

"...The analyses in the Braidwood and Byron Updated Final Safety Analysis Report (UFSAR) Sections 15.5.1, 15.5.2, and 15.6.1 are required to show that Condition II events will not cause a more serious event. This is not the case and thus, the UFSAR does not demonstrate compliance with GDCs 15, 21, and 29 and the plant-specific design basis with respect to progression of Condition II events. The UFSAR analyses of reactor coolant system mass addition (Condition II) events predict water relief through pressurizer relief valves that are not water qualified, which could result in a relief valve sticking open and causing a small break loss of coolant accident (Condition III event). Thus, Braidwood and Byron are not in compliance with 10 CFR 50.34(b). The NRC erred in approving a sequence of events that allowed the inadvertent operation of the emergency core cooling system, chemical and volume control system malfunction, and inadvertent opening of a pressurizer safety or relief valve analyses in the 2001 and 2004 Safety Evaluations (ADAMS Accession Nos. ML011420274 and ML042250516, respectively) to credit water relief through pressurizer safety valves (PSVs) that were not water qualified. The NRC has consistently applied the prohibition of progression of Condition II events, and the 2001 and 2004 approvals occurred because the NRC staff understood the PSVs to be qualified for water relief when, in fact, they were not. The licensee must take action to resolve the non-compliance, and there are a number of regulatory options available..."2

This report provides a calculation of plant core damage frequency (CDF) for the representative unit (Byron Unit 1) for plant configurations where the pressurizer pilot operated relief valve (PORV) block valves may be in different open or closed positions during power operation, to provide additional information to decision makers. Additionally, the potential risk benefit of meeting regulatory requirements is estimated to provide additional information to the Backfit Appeal Review Panel.

The analysis contained in this report was narrowly focused on the backfit question under review by the Appeal Review Board and is intended to provide additional context and insights to the Board. As such, other applications of this information may not be appropriate unless this limitation is recognized.

2 Byron-Braidwood UFSAR Section 15 defines inadvertent opening of a pressurizer safety or relief valve as a Condition II event. Since PRA models do not examine initiating events and consequential events in terms of Condition-N events, this report deliberately minimizes the use of Condition-N nomenclature in its plant risk modeling and assessment. However, Appendix 2 provides a description of the Condition-N events for Byron and Braidwood.

Section 2 discusses the methods and risk model used to perform the analyses. Section 3 applies the method to base plant configurations and other conditions of interest. Section 4 discusses results and insights. Supporting technical discussions and calculations made for this effort are summarized in the Appendices.

2. Modeling Information and Assumptions

2.1 Method and Model

The NRC's stated assessment is that Byron/Braidwood UFSAR analyses of certain faults of moderate frequency (Condition II) include cases where water relief through unqualified pressurizer safety relief valves (SRVs, a.k.a. PSVs) could result in a relief valve failing open and causing a more serious small break loss of coolant accident (SLOCA). The specific initiating events of interest include the following:

Inadvertent operation of the emergency core cooling system during power operation (UFSAR Subsection 15.5.1),

Chemical and volume control system malfunction that increases reactor coolant inventory (UFSAR Subsection 15.5.2),

Inadvertent opening of a pressurizer safety or relief valve (UFSAR Section 15.6.1).

However, if either of the pressurizer PORV flow paths is available (i.e., both the PORV and its block valve are capable of opening), then the SRV challenge could be prevented if safety injection is terminated in a timely manner. The PORVs and their associated flow paths can provide an acceptable relief path for a Condition II event3 until the Pressurizer Relief Tank (PRT) is filled.4

The PORVs can be opened either by a proceduralized operator action or, if the PORVs are aligned for automatic operation, by pressurizer pressure reaching the PORV setpoint(s), which are lower than those of the SRVs. During operation, PORV block valves can be closed to support routine testing and maintenance or to isolate an inoperable PORV. Therefore, this analysis assesses the impact on a unit's CDF for internal events due to a unit operating with different PORV block valve configurations (e.g., closed or open during power operation). If at least one block valve is open and no additional component or human failures are postulated (including timely operator action to address rising pressurizer level), then pressurizer overfill (that results in passing water through SRVs) would not be expected during an inadvertent safety injection event. For some other scenarios (where the RCS makeup rate is lower), operation of the PORVs may be sufficient to prevent a pressure challenge to the SRVs. However, dependence on the continued successful operation of PORV relief valve(s) during a prolonged overfill event may not be reliable, since repeated cycling (opening and closing) of the PORVs may lead to their failure.

3 The relief capacity of a single PORV at full RCS pressure was estimated to be approximately 40% greater than the injection rate from two high pressure emergency core cooling pumps. If it is assumed that the SRV lifting setpoint is unaffected by the presence of water due to pressurizer overfill and decay heat removal capability is maintained, the flow through a single PORV is sufficient to prevent an SRV challenge.

4 Once the PRT rupture disk fails, the event becomes more serious.

The Byron Unit 1 SPAR model is used to analyze the plant CDF. It is deemed that the risk analysis results (plant CDF for internal events at power) for Byron Unit 1 reasonably represent those of Byron Unit 2, Braidwood Unit 1 and Braidwood Unit 2. The Byron and Braidwood plants are similar and, in fact, share the same UFSAR. The known minor differences between the units5 are not considered to significantly impact the results for this analysis.

Since spurious Safety Injection (SI) was previously subsumed within the General Transients initiating event in the SPAR model, proceduralized operator actions are introduced into the SPAR model for opening of closed block valves, and termination of SI (prior to pressurizer overfill). The human error probabilities of such operator actions are estimated based on contemporary HRA methods (see Appendix 2).

Three basic plant operation cases based on the position of the two PORV block valves during power operation are defined:

Case-1 Both block valves A and B are open. This is the most favorable case from a CDF point of view.

Case-2 One block valve is closed, the other is open.

Case-3 Both block valves are closed. This is the least favorable case from a CDF point of view.

There is an implied assumption here that the PORV is functional (i.e., the PORV block valve is closed for reasons other than a failed6 PORV).

5 For instance, Unit 1 at both Byron and Braidwood uses BWI steam generators, while Unit 2 at both sites uses Westinghouse D5 steam generators; thus there are differing primary-side and secondary-side operational and off-normal set-points between Unit 1 and Unit 2 at each site. The sites also obviously have different site characterizations.

6 In this context, a failed PORV is considered to be a PORV that is not capable of performing its pressure relief function when unblocked. For this analysis, when the block valve is closed, it is considered to be for conditions when the PORV is still available to perform a pressure relief function (e.g., the block valve is closed to mitigate minor PORV seat leakage).

2.2 Success Criteria

A summary of key success criteria used for pressurizer overfill potential and termination of SI injection in applicable event trees is given below.

Success Criteria -1 If at least 1 pressurizer PORV path is open (both PORV and its block valve), SRVs will not pass water upon spurious actuation of SI (both SI pumps + both charging pumps). Note that the PORV is assumed to eventually fail after repeated open/shut cycles and/or the pressurizer relief tank will overfill requiring the termination of injection (see also success criteria 3)

Success Criteria-2 If operators terminate SI before the calculated time windows for spurious safety injection, steam line break, or SGTR, an RCS LOCA due to a failed SRV (due to passing water) will not occur. As discussed in Appendices 1 and 2, the time window for operator action under these conditions is assumed to be 40 minutes.

Success Criteria-3 In spurious SI and SLB events, SI must eventually be stopped (or throttled) in a timely manner to prevent pressurizer overfill, rupture disc failure for the pressurizer relief tank, or PORV failure, even if a pressurizer PORV path is initially open.7

Item | Value | Note
SLOCA definition in SPAR Model | Between 3/8 in. and 2 in. | Exceeds normal charging flow. Normal charging cannot maintain pressurizer level.
Number of charging and SI pumps actuated upon ESF signal | 2 charging and 2 SI pumps | Total flow from these pumps will determine the time to PORV/SRV challenge, etc.

2.3 Pressurizer Overfill and SI Termination In spurious SI and steamline break events, safety injection must be stopped in accordance with procedures in a timely manner to prevent pressurizer overfill, which is postulated to cause SRV failure and a small LOCA. Moreover, in some CVCS malfunction events where the pressurizer level is increasing, the operators must stop or control charging flow and letdown to terminate the event to prevent pressurizer overfill which will cause SRV LOCA.

These three situations are discussed below as a part of assessment of risk for an initiating event leading to a consequential SLOCA. The events themselves are described in greater detail in Appendix 4.

7 The reason that long-term reliance on PORVs (as opposed to terminating SI) is unacceptable is that repeated cycling of the PORVs increases the probability that they will fail. If it is assumed that the repeated PORV cycling would ultimately lead to them failing closed and no other leakage is present, the CCPs are capable of lifting the SRVs at Byron/Braidwood. If instead the PORVs fail open after repeated cycling, a SLOCA is initiated. Thus, this success criterion is used to reject long-term reliance on the PORVs (and thus to require that SI be terminated in some reasonable timeframe).

2.3.1 Consequential LOCAs and Spurious SI Event

In SPAR models, as in other PRA models, an initiating event may develop into another, more consequential event due to additional component failures or failure of operator actions. In such cases, the affected accident sequences in the event tree are transferred to the more consequential event tree. In simpler cases, such sequences are resolved within the event tree.

Examples of such transfers are consequential LOCAs (PORV/SRV LOCAs, reactor coolant pump (RCP) seal LOCAs), consequential steam generator tube ruptures (SGTRs), consequential LOOP, and anticipated transients without SCRAM (ATWS).

Development of relatively benign and common initiating events into more serious (consequential) events is of interest and is further discussed here. The first candidate condition II initiating event in which a consequential PORV/SRV LOCA may develop due to additional failures or plant condition (e.g. initially-closed PORV block valves) is the spurious SI actuation event (IE-ISINJ).

This event tree is further discussed in Appendix 4.

2.3.2 Steamline Break Events

In a SLB event, an SI signal is produced due to shrinkage of RCS inventory, which lowers the pressurizer level. However, there is no actual RCS inventory loss due to this initiating event. An SI signal will occur based on low steamline pressure, the pressurizer level will rise and, unless SI is stopped or controlled, the pressurizer will overfill. The SRVs will then pass water and a SLOCA will be postulated, as in the ISINJ event.

SI termination in SLB event trees is routinely modeled. If it fails, the accident sequence is transferred to SLOCA. For completeness of the CDF assessment, two SLB ETs are added to the SPAR model. Thus, the contribution of potential consequential LOCAs from SLB events inside and outside of containment is included in the CDF assessment.

2.3.3 CVCS Malfunctions The operators respond to CVCS malfunctions that could increase the water level in the pressurizer by using Abnormal Operating Procedures (AOPs). If the event is not terminated and the pressurizer level continues to increase, a reactor trip is generated. This event is subsumed in the Transients Initiating event category and is not explicitly modeled in PRAs.

The frequency of CVCS malfunction AND failure to terminate it before reactor trip is not readily available. In addition, as discussed in Appendix A, there is expected to be at least 50 minutes available before pressurizer overfill during a CVCS malfunction event. Therefore, in the judgment of the authors, the contribution of this event to plant risk is small and would not affect the insights; thus it is not further pursued in this study.

2.3.4 Other SRV Failures

Random SRV failures, namely premature (spurious) opening and failure to close when needed (failure to reclose), are not further studied in this report since they are deemed to be lesser contributors to plant risk compared to the failure modes included in this study (e.g., failure due to passing of water after pressurizer overfill). The base SPAR model has SRV fail-to-open and fail-to-reclose modes included in response to PORV paths failing. The success criterion used is that if the SRVs open and reclose, then consequential SLOCA is avoided. A sensitivity analysis (setting the SRV failure-to-reclose basic event to failure) using this model indicated that the delta CDF was insignificant (e.g., a third-significant-figure change in CDF). Thus, this was not further pursued.

It is believed that further pursuing these types of additional failure modes would not provide new insights, would further complicate the Boolean logic of the model, and would require additional data research, which is beyond the scope of this study.8

8 The base model was run with the change set that sets the 3 SRV Fail to Reclose basic events to TRUE; the CDF change was in the third significant figure. Spurious opening of SRVs is not included in the existing SLOCA frequency. Although there are insufficient data available in the Operating Experience database to calculate an initiating event frequency for spurious SRV opening with high confidence, based on the small number of operating events the risk contribution from a spurious SRV opening is considered to be negligible. SRV leakage due to pressurizer overfill with conservative success criteria already provides a non-insignificant delta CDF and is expected to bound the small risk contribution from spurious openings. See also Appendix 4, Section D.3, Notes on SRV Failures, for additional details.

3. CDF of Plant Configurations

The revised SPAR model uses information from the last benchmarking activity of the Byron/Braidwood SPAR models (i.e., comparison with the utility PRA models) to arrive at a probability of one PORV block valve being closed during power operation of 0.06339. In addition, we will postulate that the plant would be in a condition with both PORV block valves closed 1% of the time (assuming random occurrence of this with the above values would give a probability of 0.004). Thus we will use the following plant conditions to estimate the CDF:

87% of the time, the plant will be operating with both block valves open;
12% of the time, the plant will be operating with one block valve closed, the other open;
1% of the time, the plant will be operating with both block valves closed.

This information was used in the Byron SPAR Model to quantify the plant CDF for internal events and to identify failure combinations (cutsets) containing random failures, common cause failures, human errors, test and maintenance unavailabilities, etc. that lead to core damage.

Table 3.1.1-1 summarizes the CDF of the basic plant configurations (cases) for the base case (current Byron/Braidwood configuration):

Table 3.1.1-1 Plant CDF (internal events) for Basic Plant Configurations (Cases)

Case | Description | CDF
Case-0 | Both block valves are open | 1.36E-05
Case-1 | One block valve is open, the other is closed | 1.78E-05
Case-2 | Both block valves are closed | 1.89E-05

The block valve configuration percentages presented in Section 2.3 are used along with these CDF results to arrive at the base plant CDF (for internal events):

CDF = 0.87 x 1.36E-05 + 0.12 x 1.78E-05 + 0.01 x 1.89E-05 = 1.41E-05 per year of power operation (8760 hours).

Table 3.1.1-2 provides the CDF results by initiating event categories.

9 The base SPAR model uses a similar value of 0.05.

Table 3.1.1-2 Plant CDF by Initiating Event for the Block Valve Configurations (see Table 3.1.1-1)

# | IE Name | Description | IE Frequency | Case-0 CDF | Case-1 CDF | Case-2 CDF
1 | IE-DLOESW | LOSS OF ESW AT BOTH UNITS (1 AND 2) | 2.19E-04 | 4.14E-06 | 4.14E-06 | 4.76E-06
2 | IE-ISINJ | INADVERTENT SAFETY INJECTION | 1.47E-02 | 1.27E-07 | 2.01E-07 | 2.58E-07
3 | IE-ISL-HPI | ISLOCA IE 2-CKV HPI INTERFACE | 2.18E-06 | 3.05E-09 | 3.05E-09 | 3.05E-09
4 | IE-ISL-LPI | ISLOCA IE 2-CKV LPI INTERFACE | 2.18E-06 | 3.04E-08 | 3.04E-08 | 3.04E-08
5 | IE-ISL-RHR | RHR PIPE RUPTURES | 3.76E-06 | 5.09E-07 | 5.09E-07 | 5.09E-07
6 | IE-LDCA | LOSS OF DC BUS 111 | 3.69E-04 | 1.39E-07 | 1.41E-07 | 1.50E-07
7 | IE-LDCB | LOSS OF DC BUS 112 | 3.69E-04 | 6.31E-09 | 8.28E-09 | 8.85E-09
8 | IE-LLOCA | LARGE LOCA | 2.50E-06 | 5.09E-08 | 5.09E-08 | 5.09E-08
9 | IE-LOAC141 | LOSS OF AC BUS 141 | 3.34E-03 | 1.61E-06 | 1.61E-06 | 1.69E-06
10 | IE-LOAC142 | LOSS OF AC BUS 142 | 3.34E-03 | 7.09E-07 | 7.10E-07 | 7.15E-07
11 | IE-LOCCW | LOSS OF COMPONENT COOLING WATER | 2.46E-04 | 2.65E-07 | 2.67E-07 | 2.93E-07
12 | IE-LOCHS | LOSS OF CONDENSER HEAT SINK | 5.86E-02 | 9.70E-07 | 1.26E-06 | 1.33E-06
13 | IE-LOESW | LOSS OF ESSENTIAL SERVICE WATER | 2.46E-04 | 1.28E-07 | 1.28E-07 | 1.36E-07
14 | IE-LOMFW | LOSS OF MAIN FEED WATER | 6.89E-02 | 1.13E-06 | 1.48E-06 | 1.56E-06
15 | IE-LONSW | LOSS OF NON-ESSENTIAL SERVICE WATER | 2.46E-04 | 3.96E-09 | 5.20E-09 | 5.46E-09
16 | IE-LOOPGR | GRID RELATED LOOP | 1.22E-02 | 3.58E-07 | 3.73E-07 | 4.04E-07
17 | IE-LOOPPC | PLANT CENTERED LOOP | 1.93E-03 | 1.03E-08 | 1.26E-08 | 1.45E-08
18 | IE-LOOPSC | SWITCHYARD RELATED LOOP | 1.04E-02 | 1.22E-07 | 1.34E-07 | 1.50E-07
19 | IE-LOOPWR | WEATHER RELATED LOOP | 3.91E-03 | 1.85E-07 | 1.90E-07 | 2.02E-07
20 | IE-MLOCA | MEDIUM LOCA | 1.50E-04 | 6.63E-07 | 6.63E-07 | 6.63E-07
21 | IE-SGTR | SG TUBE RUPTURE | 2.07E-03 | 9.34E-08 | 9.34E-08 | 9.36E-08
22 | IE-SLBIC | STEAM LINE BREAK INSIDE CONTAINMENT | 3.12E-04 | 6.31E-09 | 7.88E-09 | 1.11E-08
23 | IE-SLBOC | STEAM LINE BREAK OUTSIDE CONTAINMENT | 6.55E-03 | 1.24E-07 | 1.57E-07 | 2.27E-07
24 | IE-SLOCA | SMALL LOCA | 3.67E-04 | 1.33E-06 | 1.33E-06 | 1.33E-06
25 | IE-TRANS | TRANSIENT | 6.90E-01 | 7.62E-07 | 4.21E-06 | 4.24E-06
27 | IE-XLOCA | REACTOR PRESSURE VESSEL RUPTURE | 1.00E-07 | 1.00E-07 | 1.00E-07 | 1.00E-07
| Total | | 8.78E-01 | 1.36E-05 | 1.78E-05 | 1.89E-05

4. Results and Insights

An enhanced SPAR model has been used for this analysis to obtain plant CDF estimates for internal events at power. The analysis is supplemented by thermal hydraulic estimates (for time windows) as given in Appendix 1, and specific HRA analysis for key operator actions, as given in Appendix 2. In this section, three scenarios labeled as Case-A, Case-B and Case-C are analyzed:

CASE-A plant as operated, assuming realistic values for human actions.

CASE-B plant with a perfect backfit that will always prevent pressurizer overfill and a subsequent challenge to the SRVs. This is modeled by assuming operator actions to unblock a blocked PORV and terminate safety injection are always successful.

The human error probability (HEP) values of the relevant operator actions for the cases studied are shown in Table 4-1. The plant CDF for all internal events for each case is calculated. The CDF results are summarized in Table 4-2.

It should be noted that, although the issue at hand focuses on spurious SI events and CVCS malfunctions, termination of SI injection appears routinely in SLB and SGTR events; these events are included in the PRA model used for this analysis.

Plant as Operated (CASE-A)

In Section 3, the plant operating condition mix (87% of the time with both block valves open; 12% of the time with one block valve closed, the other open; 1% of the time with both block valves closed) is used to estimate the average internal events CDF as 1.41E-05 for a year of power operation (8760 hours). The results are provided in Table 4-2.

Plant with Perfect Overfill Protection (CASE-B)

This case is simulated by setting the operator action failure probability of Terminate SI Injection to zero. The results are presented in Table 4-2.

The average CDF difference between the two cases is the maximum expected CDF reduction if a perfect backfit is implemented. Using the assumptions stated in Sections 2 and 3, the difference in CDF is 1.5E-07/year. It should also be noted that any backfit remedy is not expected to be perfectly effective. Therefore, this delta represents the maximum possible benefit from any backfit plant change. The actual risk benefit would be lower.

An additional insight gained from this analysis is the plant risk impact of the closure of both pressurizer PORV block valves during operation. As shown in Table 4-2, the plant CDF increases by approximately 40% when the PORV configuration goes from both valves unblocked to both PORV valves blocked. In addition, when no PORV relief path is available (e.g., both PORV valves blocked and operator actions to unblock them fail) during an inadvertent safety injection event, the pressurizer would become water solid and the SRVs challenged after approximately 20 minutes. However, when a PORV relief path is available (and the PORV is assumed capable of passing water), pressurizer pressure can be maintained below the SRV lift setpoint with full safety injection flow. Although it is assumed that the PORV would eventually fail due to repetitive cycling (either in the fully open or closed position), this provides more time for operator action to terminate pressurizer overfill and avoid a safety relief challenge. Therefore, the availability of a PORV relief path provides a longer time window for operator action to terminate injection flow, which reduces the human error probability of that action.

Table 4-1. HEP Values of Relevant Operator Actions in the Cases Studied

Alias (*)  Basic Event Name        Basic Event Description                                                               Case-A HEP  Case-B HEP
OPA-1      HPI-XHE-XM-THRTL1       OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA ISINJ)                 1.00E-03    0
OPA-2      HPI-XHE-XM-THRTL2       OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA SLBOC)                 3.73E-03    0
OPA-3      PPR-XHE-XM-UNBLOCK      OPERATOR FAILS TO OPEN PORV BLOCK VALVES PER OPA-3                                    2.25E-03    0
OPA-4      HPI-XHE-XM-THRTL1-DEP   OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA-1 after OPA-3 fails)   5.01E-01    0
OPA-5      HPI-XHE-XM-THRTL3       OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (OPA SLBIC)                 1.25E-03    0
(**)       HPI-XHE-XM-THRTL        OPERATOR FAILS TO CONTROL/TERMINATE SAFETY INJECTION FLOW (SGTR)                      2.00E-03    0

(*) Aliases are introduced to avoid using long basic event names in discussions in the report sections.

(**) This HEP was already in the SPAR model; the others in the table are analyzed in Appendix 2.

Table 4-2. Change in CDF with Overfill Protection

Case  Description                  Both block valves open  One block valve open  Both block valves closed  Average (*)
                                   during operation        during operation      during operation
                                   (CDF0)                  (CDF1)                (CDF2)                    (CDF)
A     Plant as operated            1.358E-05               1.781E-05             1.893E-05                 1.41E-05
B     Perfect overfill protection  1.343E-05               1.766E-05             1.850E-05                 1.40E-05
A-B   Delta CDF                    1.5E-07                 1.5E-07               4.3E-07                   1.5E-07

(*) Average CDF = 0.87*CDF0 + 0.12*CDF1 + 0.01*CDF2. Note: Calculations were performed using a greater number of significant digits than shown in the table.
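The weighting in the footnote to Table 4-2, carried out in code as an added example by the editor (this is not part of the NRC report or of its SPAR/SAPHIRE calculation). It reproduces the Case A and Case B averages and the 1.5E-07/yr ceiling on backfit benefit from the table's own values, recomputes the per-configuration deltas and the roughly 40% CDF penalty for operating with both block valves closed, and then goes beyond the report by showing how that ceiling would move if a plant spent more of its time in the both-blocked configuration. The alternative operating mixes in benefit_vs_blocked_time are constructed here for illustration only.

```python
"""Reproduce Table 4-2 of the report: configuration-weighted CDF for the
as-operated plant (Case A) and the perfect-overfill-protection plant (Case B),
and the resulting ceiling on backfit benefit.  Added example, not report code."""

# CDF values (per reactor-year) copied from Table 4-2.  Key = number of
# pressurizer PORV block valves closed during power operation.
CDF_CASE_A = {0: 1.358e-05, 1: 1.781e-05, 2: 1.893e-05}  # plant as operated
CDF_CASE_B = {0: 1.343e-05, 1: 1.766e-05, 2: 1.850e-05}  # perfect overfill protection

# Fraction of power operation spent in each block-valve configuration (Section 3).
CONFIG_MIX = {0: 0.87, 1: 0.12, 2: 0.01}


def average_cdf(cdf_by_config, mix):
    """Time-weighted average CDF, as in the footnote to Table 4-2:
    CDF_avg = f0*CDF0 + f1*CDF1 + f2*CDF2."""
    if abs(sum(mix.values()) - 1.0) > 1e-9:
        raise ValueError("configuration fractions must sum to 1")
    return sum(mix[cfg] * cdf for cfg, cdf in cdf_by_config.items())


def per_config_delta():
    """Delta CDF (A minus B) for each configuration; the both-blocked column is
    where overfill protection matters most, because no PORV relief path exists."""
    return {cfg: CDF_CASE_A[cfg] - CDF_CASE_B[cfg] for cfg in CDF_CASE_A}


def max_backfit_benefit(mix=CONFIG_MIX):
    """Average delta CDF between Case A and Case B.  Because the average is
    linear this equals the mix-weighted sum of per_config_delta(); it is the
    ceiling on what any (necessarily imperfect) overfill-protection backfit
    can achieve."""
    return average_cdf(CDF_CASE_A, mix) - average_cdf(CDF_CASE_B, mix)


def blocked_penalty():
    """Fractional CDF increase from both PORVs unblocked to both blocked
    (Case A): the 'approximately 40%' insight in Section 4."""
    return CDF_CASE_A[2] / CDF_CASE_A[0] - 1.0


def benefit_vs_blocked_time(both_blocked_fractions):
    """Sensitivity of the ceiling benefit to hypothetical operating mixes that
    spend more time with both block valves closed.  The extra time is taken
    out of the both-open state and the one-closed share is held at 12%.
    These mixes are constructed for illustration, not taken from the report."""
    result = {}
    for f2 in both_blocked_fractions:
        mix = {0: 1.0 - CONFIG_MIX[1] - f2, 1: CONFIG_MIX[1], 2: f2}
        result[f2] = max_backfit_benefit(mix)
    return result


if __name__ == "__main__":
    print(f"Case A average CDF: {average_cdf(CDF_CASE_A, CONFIG_MIX):.3E} /yr")
    print(f"Case B average CDF: {average_cdf(CDF_CASE_B, CONFIG_MIX):.3E} /yr")
    print(f"Max backfit benefit: {max_backfit_benefit():.2E} /yr")
    print(f"Both-blocked CDF penalty: {blocked_penalty():.0%}")
    for f2, d in benefit_vs_blocked_time([0.01, 0.05, 0.10, 0.25]).items():
        print(f"  both blocked {f2:4.0%} of the time -> ceiling benefit {d:.2E} /yr")
```

The point of the last function is the one the report makes in words: the delta is dominated by the both-blocked configuration (4.3E-07 versus 1.5E-07), so the value of an overfill-protection backfit scales almost entirely with how much time a unit actually spends with both block valves closed.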

5. References

1. Byron SPAR Model 8.27, modified for this project by the addition of 4 event trees.
2. 2BEP-0, Reactor Trip or Safety Injection, Rev. 201, WOG 2.
3. 1BEP-ES-1.1, SI Termination, Rev. 200, WOG 2.
4. 2BEP-2, Faulted Steam Generator Isolation, Rev. 200, WOG 2.
5. SPAR-H Step-by-Step Guidance, INL/EXT-10-18533, Revision 2, May 2011.

Appendix 1. Event/Procedural Narratives

A.1-1 Inadvertent Safety Injection (ISINJ)

Initial conditions and initial fault: Unit operating at 100% power when an instrumentation failure (or other spurious cause) results in an SI signal (both channels).

Subsequent plant response: The safety injection (SI) signal will cause the reactor protection system to send a reactor trip signal [10], resulting in reactor trip. Pressurizer level will shrink, and pressurizer pressure will drop, due to this trip. The SI signal will also isolate letdown, and cause the charging pumps to automatically realign from their normal charging alignment (drawing from the VCT and injecting through the normal charging line) to their ECCS injection alignment (drawing from the RWST and injecting through the SI injection lines). The turbine and main feedwater pumps will trip, and auxiliary feedwater will initiate and maintain SG levels at their post-trip setpoint [11]. Condenser steam dumps (a.k.a., turbine bypass valves) will modulate in an attempt to maintain no-load Tave on the primary side. ECCS will begin injecting: both centrifugal charging pumps will actually inject, while SI pumps will be dead-headed. RHR pumps and cold-leg accumulators will also be dead-headed. The mismatch between injection and letdown will cause the pressurizer level to increase, which will compress the steam bubble in the pressurizer and cause primary-side pressure to increase. The addition of the cold RWST water will tend to decrease Tave. Pressurizer sprays will actuate to counteract the pressure increase, but this does not change the mass imbalance since the water is being pulled from one of the cold legs. Barring operator action, the pressure will increase to the point that a PORV or SRV (depending on the position of the PORV block valves) will lift on steam relief. Subsequently, the pressurizer will overfill and the PORVs/SRVs will pass water.

Procedural path:

For the initial procedural narrative, it is assumed that no subsequent failures (beyond the inadvertent SI) occur. At a high-level, the operator response to this event will be to:

Ensure that the SI was not caused by a main steam line break, primary-side pipe break, or SG tube rupture; Determine that ECCS is not required, and Secure ECCS.

More specifically, upon the SI and reactor trip, the operators will enter E-0 [1BEP-0 at Byron Unit 1] [12], Reactor Trip or Safety Injection. Early steps in this procedure will involve commencing evaluation of Emergency Plan conditions, verifying reactor and turbine trip [13], verifying power to 4kV ESF busses, and checking SI status. At this point a 9-page balance-of-plant verification will be initiated in parallel to continuing with E-0. Subsequent E-0 steps will involve verifying ECCS pump actuation, verifying fan coolers have transferred to accident mode, verifying that containment isolation Phase A and containment ventilation isolation have occurred, verifying AFW operation, verifying ECCS pump operation, and determining if main steam isolation is required (in this case it would not be; whereas for a steam line break automatic closure would be expected).

[10] Note that there are ECCS malfunctions that may not cause a reactor trip, but these are not considered further in this description. They are considered in the PRA modeling, in that RPS success is queried, and failure leads to transfer to the ATWS event tree.

[11] Failure of AFW is also not further considered in this plant response description, but is considered in the PRA modeling, in that failure of AFW results in querying of FR-H.1 actions (primary-side feed and bleed).

[12] The readily available version of this procedure was Revision 201 (circa 2010).

[13] If reactor trip indications are not satisfied, operators are directed to FR-S.1 (Response to Nuclear Power Generation/ATWS).

E-0 would go on to direct the operators to check the need for containment sprays (not needed in this case), verify AFW flow [14], verify ECCS valve alignment, and check pressurizer PORVs and spray valves. Step 18 of E-0 is the first place where operators are directed to close, and if necessary block, a PORV if it appears to have failed open (pressure less than 2315 psig and PORV indicates open). This is also the step where operators are directed to open a PORV block valve if both PORVs are blocked and either is available (un-failed). If a PORV is failed-open and cannot be blocked, the operators are directed to transition to E-1 [1BEP-1 at Byron Unit 1], Loss of Reactor or Secondary Coolant. If PORVs are behaving normally, operators will proceed to checking pressurizer spray status. Next operators will verify that RCS temperature is at or trending to no-load Tave (557°F for Byron Unit 1), and check whether RCS conditions prompt stopping the RCPs (for this event, they won't). Next operators will confirm that SG secondary pressure boundaries are intact, that SG tubes appear intact, and that there are no indications of a primary-side LOCA. Having found no indications of these conditions, at Step 24 of E-0 operators are directed to check if ECCS flow should be reduced, based on:

Acceptable RCS subcooling; Sufficient secondary-side heat removal capability; RCS pressure stable or rising; and Pressurizer level greater than 12%.

For an uncomplicated inadvertent SI event, the above conditions would prompt operators to transfer to ES-1.1 [1BEP ES-1.1 for Byron Unit 1] [15], SI Termination. (Note that the critical safety function status trees are not invoked on this procedure path.)

Steps 1-3 of ES-1.1 direct operators to reset SI and containment isolation, and to establish instrument air to containment. Step 4 directs operators to stop all but one charging pump.

Depending on the plant response to reducing charging flow, operators will either be directed to transfer to ES-1.2 [1BEP ES-1.2 at Byron Unit 1], Post LOCA Cooldown and Depressurization (if RCS pressure is dropping), or remain in ES-1.1 (otherwise). If remaining in ES-1.1, operators are directed (Steps 6-9) to terminate high-head SI (centrifugal charging and SI pumps) and re-establish normal charging flow (centrifugal charging pumps). Subsequent steps in ES-1.1 are focused on stopping RHR pumps, re-establishing letdown, and generally preparing the plant for entry in to 1BGP 100-5, Plant Shutdown and Cooldown.

A graphical representation of this procedure path is provided in Figure A1-1.

Effect of general post-trip complications: Any number of complications can arise following the inadvertent SI, such as:

- Pre-existing plant conditions (e.g., equipment out-of-service)
- Operator error
- SI/trip-induced loss-of-offsite power (a.k.a., LOCA-LOOP)
- Partial SI actuation
- Failure-to-start of charging pump(s)
- Failure of fan coolers to transfer to accident mode
- Failure of containment isolation Phase A or containment ventilation isolation
- Failure of AFW
- MSIV closure or containment spray actuation (unexpected)
- PORV fails open
- Failed PORV cannot be blocked closed
- Etc.

Some of these failures would lead to a substantively similar procedural path (e.g., failure of fan coolers to transition to accident mode would prompt additional manual actions but no procedural diversion), while other failures would lead to notably different procedural paths (e.g., a relief valve being stuck-open and unisolable would lead to a LOCA-response procedural path). For a real-world example of a complicated response to an inadvertent SI, see Attachment 2 of Millstone Power Station Unit 3 - NRC Special Inspection Report 05000423/2005012 [ML051860338].

[14] If AFW flow cannot be established, and SG levels in all SGs have dropped below 10% narrow range level, Step 15 will direct the operators to enter FR-H.1 (Response to Loss of Secondary Heat Sink).

[15] The readily available version of this procedure was Revision 200 (circa 2010).

Timing considerations:

A notional early-event plant response timeline is presented in Table A1-1. These time estimates were generated based on consideration of three sources: (i) hand calculations using readily-available Byron design/operation information, including dated information designated as For Training Purposes Only, (ii) the aforementioned Millstone event timeline, and (iii) a side calculation using the Byron Unit 1 (revision 8) MELCOR model and MELCOR v2.1.7044. These estimates reflect a situation where at least 1 PORV is available (and operates), no relief valves fail open during their early operation, and both trains of ECCS actuate and inject. Based on this information, it is estimated that the operators have roughly 10 minutes to secure charging pumps in order to avoid PORV cycling, and roughly 15-20 minutes to avoid passing water through the PORVs. If the PORVs are not available, the SRVs would be expected to begin passing water at approximately 20 minutes. In the case that only one train of ECCS actuates and injects, these values would be roughly double the stated values. A range is given for the latter value because the methods for generating these timing estimates did not consider the potential for water entrainment as the relief valves cycle with a nearly full pressurizer.

The time estimated (~20 minutes) is the time the pressurizer goes solid, and represents a minimum time for the SRV passing water (neglecting entrainment). The time at which the SRV passes water is dependent on the availability and reliability of the PORVs when passing water.

To the extent that the PORV(s) provide the necessary relief path, and that the PORV(s) reclose after SI is terminated, a much longer time may be available to terminate SI. To balance the desire to not rely on sustained PORV performance under such conditions, but to acknowledge that a much longer time may be available, an alternate time of 40 minutes is proposed for the purpose of assessing HEP sensitivity to the time available.

Table A1-1. Inadvertent SI Notional Plant Response with no Operator Action

Event                                                   Time estimate (minutes)  Notes
SI actuation                                            0
Reactor trip                                            0                        Reactor trips on SI signal
Pressurizer high-level alarm                            10                       MCR annunciator
Pressurizer PORV begins cycling with steam relief       10
High pressurizer level reactor trip setpoint reached    15                       Reactor is already tripped
Pressurizer level at 100% indicated level               18
Pressurizer becomes water solid                         19                       If available, the PORVs are assumed to be capable of passing water and avoiding a challenge to the SRVs. If no PORV relief path is available, the SRVs would be expected to begin passing water at this time.
PORVs are assumed to fail after repeated open/close cycles  40                   Even if available, repeated open/close cycles of the PORVs would be expected to eventually cause the PORV to fail either open or closed. This establishes the time window for operator action to terminate safety injection flow.

Figure A1-1. Notional Procedural Path for Inadvertent SI

A.1-2 Main Steam Line Break

Initial conditions and initial fault: Unit operating at 100% power when a break on the secondary-side (e.g., spurious lift of a SG relief valve, degradation-induced pipe rupture) occurs.

Subsequent plant response: The initial plant response will be fundamentally tied to the size of the secondary-side break. Here it is assumed that the break is relatively large, leading to fairly rapid depressurization of the secondary-side. Such a condition would lead to a relatively rapid:

- SI signal (steamline pressure < 614 psig),
- Reactor trip (overpower ΔT or SI-initiated), and
- MSIV closure (steamline pressure < 614 psig or steamline pressure change rate of > 165 psig over a time interval of 50 seconds).

For simplicity, it is assumed here that the above responses occur within the first minute (a reasonable assumption for large breaks). With an early reactor trip, an early SI actuation, and the faulted SG isolated, the subsequent plant response is functionally similar to the inadvertent SI previously discussed [16].

Procedural path:

Again, the presumption here will be that the steam leak is large enough to result in relatively quick secondary-side depressurization, such that reactor trip and SI occur prior to operator actions prompted by the steam leak. In such a condition, operators will enter E-0 upon reactor trip or SI.

The initial pass through E-0 will be very similar to what was previously characterized for an inadvertent SI event, with notable deviations being:

E-0 Step 13 will direct the operators to ensure MSIVs (and MSIV bypass valves) have closed, and to close them if they are not already closed (and conditions warrant);

E-0 Step 14 will direct operators to stop all RCPs if containment sprays have actuated on high containment pressure (20 psig) [17].

E-0 Step 21 will direct the operators to E-2, Faulted Steam Generator Isolation, if any SG pressure is dropping in an uncontrolled manner, or any SG is completely depressurized.

As such, for a steam line break outside of the MSIV (of the size presumed here), the inadvertent SI situation previously described remains applicable, from an HRA context and sequence timing perspective (and the previously provided timings and context are assumed to apply).

However, for a steam line break inside of the MSIV, a different procedural path applies, since the operators will be directed to E-2 prior to reaching the step that would otherwise direct them to ES-1.1. E-2 [1BEP-2 at Byron Unit 1] [18], Steps 1-2 re-verify MSIV closure and a faulted SG. Step 3 has the operators identify the faulted SG. Step 4 has the operators attempt to isolate the faulted SG by closing auxiliary feedwater isolation valves, confirming main feedwater to the faulted SG is isolated, verifying that the SG PORV is closed (and blocking it if it is not), and verifying SG blowdown and blowdown sample isolation valves are closed. Steps 5-6 direct operators to monitor auxiliary feedwater pump suction pressure and check secondary radiation. Step 7 of E-2 mirrors Step 24 of E-0, in checking if conditions warrant reduction of ECCS flow. If they do, then operators are directed to transition to ES-1.1, and the procedural path then resumes that previously discussed for the inadvertent SI situation. Put more simply, a steamline break upstream of the MSIV will mirror the procedural path for a steamline break downstream of the MSIV or an inadvertent SI, except that an additional procedure and 6 extra steps apply.

[16] This assertion is stated from the perspective of PRA/HRA modeling, not safety analysis. It is recognized that from a safety analysis perspective, the limiting core response (e.g., DNBR) is different for these events.

[17] With the RCPs tripped, Step 19 will direct the operators to check RCS temperatures using cold leg thermocouples rather than Tave.

[18] The readily available version of this procedure was Revision 200 (circa 2010).

Effect of general post-trip complications: The situation here is similar to that previously described for an inadvertent SI.

Timing considerations: Per the preceding discussion, the sequence timing in Table A1-1 is also applied here.

A.1-3 Chemical and Volume Control System (CVCS) Malfunction

Initial conditions and initial fault: Unit operating at 100% power; a myriad of malfunctions can occur that will result in a myriad of different plant responses. Two specific malfunctions are considered here:

1. A malfunction in CVCS or operator error causes isolation of normal letdown;
2. The controlling pressurizer level transmitter (LT) fails low.

Subsequent plant response:

Letdown isolation: In this case, a mismatch between charging and letdown will cause pressurizer level to gradually rise. If in auto, the pressurizer level controller will attempt to address the mismatch by reducing charging flow. If this does not happen, a pressurizer high-level alarm will occur at 70%. If no action is taken, a reactor trip will occur when pressurizer level reaches 92% [19]. Upon reactor trip, pressurizer volume will shrink (level will drop). If the mismatch persists and no action is taken, the pressurizer will eventually over-fill (but no SI signal would be generated unless a relief valve fails open).

Controlling pressurizer level LT fails low: In response to this failure, charging will maximize while letdown will isolate. No immediate reactor trip or SI signal is generated. The preceding description applies, on a somewhat faster timescale.

Procedural path:

The plant-specific annunciator response procedures are not available, but would likely direct the operators (upon the high pressurizer level alarm) to investigate and address the cause of the rising pressurizer level. The plant-specific abnormal operating procedures (AOPs), as of the 2010 versions readily available, do not appear to directly address this situation:

1BOA ESP-2, Rev 000, RE-ESTABLISHING CV LETDOWN UNIT 1
1BOA PRI-1, Rev 105, EXCESSIVE PRIMARY PLANT LEAKAGE UNIT 1
1BOA PRI-2, Rev 104, EMERGENCY BORATION UNIT 1
1BOA PRI-4, Rev 102, ABNORMAL PRIMARY CHEMISTRY UNIT 1
1BOA PRI-12, Rev 102, UNCONTROLLED DILUTION UNIT 1
1BOA RCP-1, Rev 102, REACTOR COOLANT PUMP SEAL FAILURE UNIT-1
1BOA RCP-2, Rev 103, LOSS OF SEAL COOLING UNIT 1

Once a reactor trip occurs, the operators will enter E-0. At Step 4, operators will be directed to ES-0.1 [1BEP ES-0.1 at Byron Unit 1] [20], Reactor Trip Response. Step 3 of this procedure will direct the operators to check pressurizer level, which (assuming the condition has gone undetected until this point) is the next opportunity for the operators to recognize the high pressurizer level and/or the failed level transmitter. This step also directs the operators to verify that charging and letdown are in service, restore charging and letdown, and verify that pressurizer level is trending toward program level.

[19] This assumes that pressurizer sprays adequately control pressure as the steam bubble is squeezed; otherwise a reactor trip on high pressurizer pressure may also be relevant.

[20] The readily available version of this procedure was Revision 200 (circa 2010).

Effect of general post-trip complications: Examples of complicating factors include:

- Pre-existing plant conditions (e.g., equipment out-of-service)
- Operator error
- PORV/SRV fails open
- Failed PORV cannot be blocked closed

Timing considerations: Timing estimates are provided in Table A1-2 based on simple mass balance calculations. The maximum charging flow for Byron/Braidwood is not known to the authors. It is known that the high charging flow alarm setpoint is 150 gpm, and that the highest indication on the main control board flow readout is equivalent to this value. Thus, for the sake of this estimate, it is assumed that the maximum flow is somewhat higher than the alarm value, and a charging/letdown mismatch of 180 gpm is arbitrarily chosen.

Table A1-2. CVCS Malfunction Notional Plant Response with no Operator Action

                     Letdown isolation                    Controlling pressurizer level LT fails low
Event                Time estimate (minutes)  Notes       Time estimate (minutes)  Notes
PRZ Hi-level alarm   10                       (a)         7                        (b)
Reactor trip         34                                   23
PRZ overfill         80                                   53

(a) Assumed charging/letdown mismatch = 120 gpm.

(b) Assumed charging/letdown mismatch = 180 gpm; based on a look at the available material, it does not appear that the failed level transmitter will affect the reactor trip on high level.

Appendix 2. Human Error Probability Estimates

Five new human failure events (HFEs) are introduced into the Byron SPAR model by the new event tree models, namely ISINJ, SLBIC and SLBOC. The human error probabilities of these events are calculated in this appendix and are used in the model.

SAPHIRE software has a convenient tool to calculate and document basic event probabilities for HEPs, using the basic principles of the SPAR-H model (Reference 5). This tool is used to calculate the 5 HEPs and the calculation details are presented in Tables A2-1 through A2-5.

In addition, an exhaustive HRA analysis of these HFEs has been performed using the details of the procedure steps, various HRA quantification models, and similar events that either happened or were simulated in the past. This work is documented in a report in ADAMS as ML16223A729. The observations and insights from this reference are used in making the calculations in this appendix. The reference also provides alternative calculations for the HEPs, using different sets of plausible assumptions. This provides good insight into the modeling uncertainties inherent in HEP estimation in PRA.

The HEPs calculated in Tables A2-1 through A2-5 are summarized below.

OPA-1  SI termination for ISINJ                                 1.00E-03
OPA-2  SI termination for SLBOC                                 3.73E-03
OPA-3  Open Block Valves                                        2.25E-03
OPA-4  SI termination for ISINJ - dependent on failure of OPA-3  5.01E-01
OPA-5  SI termination for SLBIC                                 1.25E-03

Table A2-1. Estimation of OPA-1 HEP
Event: SI termination for ISINJ. Distribution type: Log Normal. HEP = 1.00E-03.
Note: Time available for both OPA-3 and OPA-1 is 40 minutes.

Diagnosis is modeled; nominal value 1.00E-02.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Extra time                   100%   1.00E-01    The justification for extra time is that the KAERI time data gives an estimated time required of about 306 seconds. The KAERI time is considered optimistic for real events, so a factor of 3 is applied to the 306 seconds to cover the time distribution. The time available is 40 minutes. This results in extra time.
  Stress/Stressors     Nominal                      100%   1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  Nominal                      100%   1.00E+00
  Procedures           Diagnostic/Symptom oriented  100%   5.00E-01
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Action is modeled; nominal value 1.00E-03.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Nominal time                 100%   1.00E+00
  Stress/Stressors     Nominal                      100%   1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  High                         100%   5.00E-01    Terminate SI is frequently trained in simulator training.
  Procedures           Diagnostic/Symptom oriented  100%   1.00E+00
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Table A2-2. Estimation of OPA-2 HEP
Event: SI termination for SLBOC. Distribution type: Log Normal. HEP = 3.73E-03.
Note: A 5% probability is assigned to false secondary radiation alarms being created by steam and misleading the operators. This is reflected in the model as Ergonomics/HMI missing/misleading.

Diagnosis is modeled; nominal value 1.00E-02.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Nominal time                 5%     1.00E+00    Accounts for a MSLB outside of containment causing the secondary radiation monitors to fail high due to elevated area temperatures. The false radiation indications affect the diagnostic step on transitioning from E-2 to E-3, and the false alarms slow the operator in implementing E-2.
  Available Time       Extra time                   95%    1.00E-01    Based on the Turkey Point 3 event, which took 15 minutes to isolate the SI. The 15 minutes is considered equivalent to the time spent on E-2 and is not considered to cover the time required to implement E-0 and ES-1.1. Against the 40 minutes available, the status is determined as Extra Time.
  Stress/Stressors     High                         5%     2.00E+00    Accounts for the stress arising from the perception of encountering a MSLB & SGTR event.
  Stress/Stressors     Nominal                      95%    1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  Nominal                      100%   1.00E+00
  Procedures           Diagnostic/Symptom oriented  100%   5.00E-01
  Ergonomics/HMI       Missing/misleading           5%     5.00E+01    Accounts for a MSLB outside of containment causing the secondary radiation monitors to fail high due to elevated area temperatures; the false radiation indications affect the diagnostic step on transitioning from E-2 to E-3.
  Ergonomics/HMI       Nominal                      95%    1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Action is modeled; nominal value 1.00E-03.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Nominal time                 100%   1.00E+00
  Stress/Stressors     High                         5%     2.00E+00
  Stress/Stressors     Nominal                      95%    1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  High                         100%   5.00E-01    Terminate SI is a frequently trained action in simulator training.
  Procedures           Diagnostic/Symptom oriented  100%   1.00E+00
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Table A2-3. Estimation of OPA-3 HEP
Event: Open Block Valves. Distribution type: Log Normal. HEP = 2.25E-03.

Diagnosis is modeled; nominal value 1.00E-02.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Nominal time                 100%   1.00E+00    The time available is 20 minutes. The time required is based on 3 times the KAERI data, about 480 seconds (8 minutes). This results in nominal time available.
  Stress/Stressors     Nominal                      100%   1.00E+00
  Complexity           Obvious diagnosis            100%   1.00E-01    This is a procedure-led detection based on PZR block valve status indication.
  Experience/Training  High                         100%   5.00E-01    This step is in E-0; almost every licensed operator simulator training scenario runs through this step.
  Procedures           Diagnostic/Symptom oriented  100%   5.00E-01
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Action is modeled; nominal value 1.00E-03.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Nominal time                 100%   1.00E+00
  Stress/Stressors     Nominal                      100%   1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  Nominal                      100%   1.00E+00
  Procedures           Diagnostic/Symptom oriented  100%   1.00E+00
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Dependency is not modeled.

Table A2-4. Estimation of OPA-4 HEP
Event: SI termination for ISINJ, dependent on failure of OPA-3. Distribution type: Log Normal. HEP = 5.01E-01.

Diagnosis is modeled; nominal value 1.00E-02.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Extra time                   100%   1.00E-01    The justification for extra time is that the KAERI time data gives an estimated time required of about 306 seconds. The KAERI time is considered optimistic for real events, so a factor of 3 is applied to the 306 seconds to cover the time distribution. The time available is 40 minutes. This results in extra time.
  Stress/Stressors     Nominal                      100%   1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  Nominal                      100%   1.00E+00
  Procedures           Diagnostic/Symptom oriented  100%   5.00E-01
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Action is modeled; nominal value 1.00E-03.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Nominal time                 100%   1.00E+00
  Stress/Stressors     Nominal                      100%   1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  High                         100%   5.00E-01    Terminate SI is frequently trained in simulator training.
  Procedures           Diagnostic/Symptom oriented  100%   1.00E+00
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Dependency is modeled: same crew, close in time, different location, additional cues. High dependence, Dep. = (1+P)/2.

Table A2-5. Estimation of OPA-5 HEP
Event: SI termination for SLBIC. Distribution type: Log Normal. HEP = 1.25E-03.

Diagnosis is modeled; nominal value 1.00E-02.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Extra time                   100%   1.00E-01    Based on the Turkey Point 3 event, which took 15 minutes to isolate the SI. The 15 minutes is considered equivalent to the time spent on E-2 and is not considered to cover the time required to implement E-0 and ES-1.1. Against the 40 minutes available, the status is determined as Extra Time.
  Stress/Stressors     Nominal                      100%   1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  High                         100%   5.00E-01    Operators run about 3 MSLB simulator scenarios per year.
  Procedures           Diagnostic/Symptom oriented  100%   5.00E-01
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00

Action is modeled; nominal value 1.00E-03.
  Shaping factor       Level                        Share  Multiplier  Notes
  Available Time       Nominal time                 100%   1.00E+00
  Stress/Stressors     Nominal                      100%   1.00E+00
  Complexity           Nominal                      100%   1.00E+00
  Experience/Training  High                         100%   5.00E-01    The Terminate SI action is frequently trained in simulator training.
  Procedures           Nominal                      100%   1.00E+00
  Procedures           Diagnostic/Symptom oriented  100%   1.00E+00
  Ergonomics/HMI       Nominal                      100%   1.00E+00
  Fitness for Duty     Nominal                      100%   1.00E+00
  Work Processes       Nominal                      100%   1.00E+00
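The SPAR-H worksheet arithmetic behind Tables A2-1 through A2-5, as an added example written by the editor (it is not the SAPHIRE HEP tool and not code from the report). It applies the method of Reference 5: nominal diagnosis and action HEPs scaled by the PSF multipliers, the SPAR-H adjustment used when three or more PSFs are negative, the sum of the two task HEPs, and the dependence step that turns OPA-1 (1.00E-03) into OPA-4 (5.01E-01). Only OPA-1 and OPA-4 are reproduced from the tables' inputs; OPA-2, OPA-3 and OPA-5, which the SAPHIRE tool quantifies with split-percentage PSF entries, are not reproduced here. The dependence condition table in dependence_level is transcribed by the editor from the SPAR-H worksheet and should be checked against Reference 5 before reuse; the three-negative-PSF case in adjusted_example is constructed for illustration and does not come from the report.

```python
"""SPAR-H worksheet arithmetic (NUREG/CR-6883 method, Reference 5) applied to
the Appendix 2 inputs.  Added example by the editor, not the SAPHIRE tool."""

NOMINAL_DIAGNOSIS_HEP = 1.0e-2   # SPAR-H nominal diagnosis failure probability
NOMINAL_ACTION_HEP = 1.0e-3      # SPAR-H nominal action failure probability

# SPAR-H dependence levels: conditional HEP P_w/d as a function of the
# independent HEP P.  Table A2-4 uses "high": (1 + P) / 2.
DEPENDENCE_FORMULA = {
    "zero": lambda p: p,
    "low": lambda p: (1.0 + 19.0 * p) / 20.0,
    "moderate": lambda p: (1.0 + 6.0 * p) / 7.0,
    "high": lambda p: (1.0 + p) / 2.0,
    "complete": lambda p: 1.0,
}


def task_hep(nominal, psf_multipliers):
    """HEP for one task (diagnosis or action).  The plain form is
    NHEP * PSF_composite; when three or more PSFs are negative (multiplier > 1)
    SPAR-H uses NHEP*PSFc / (NHEP*(PSFc - 1) + 1) so the result stays below 1."""
    psf_composite = 1.0
    negative_psfs = 0
    for multiplier in psf_multipliers.values():
        psf_composite *= multiplier
        if multiplier > 1.0:
            negative_psfs += 1
    if negative_psfs >= 3:
        return nominal * psf_composite / (nominal * (psf_composite - 1.0) + 1.0)
    return nominal * psf_composite


def dependence_level(same_crew, close_in_time, same_location, additional_cues):
    """Dependence condition table of the SPAR-H worksheet as transcribed by the
    editor (verify against Reference 5 before reuse).  Cues are recorded for
    documentation, as in Table A2-4, but do not change the level in that table."""
    if not same_crew:
        return "zero"
    if close_in_time:
        return "complete" if same_location else "high"
    return "moderate" if same_location else "low"


def hfe_hep(diagnosis_psfs, action_psfs, dependence="zero"):
    """Worksheet total: diagnosis HEP + action HEP (P_w/od), then the dependence
    adjustment if the HFE follows an earlier failed action by the same crew."""
    p_without_dependence = min(
        task_hep(NOMINAL_DIAGNOSIS_HEP, diagnosis_psfs)
        + task_hep(NOMINAL_ACTION_HEP, action_psfs),
        1.0,
    )
    return DEPENDENCE_FORMULA[dependence](p_without_dependence)


# Non-unity multipliers from Table A2-1 (OPA-1); every other PSF is nominal (1.0).
OPA1_DIAGNOSIS = {"available_time": 0.1, "procedures": 0.5}
OPA1_ACTION = {"experience_training": 0.5}


def opa1_hep():
    """OPA-1: 1.0E-2*0.1*0.5 + 1.0E-3*0.5 = 5.0E-4 + 5.0E-4 = 1.0E-3."""
    return hfe_hep(OPA1_DIAGNOSIS, OPA1_ACTION)


def opa4_hep():
    """OPA-4: same PSFs as OPA-1, but conditional on OPA-3 having failed.
    Table A2-4 rates this same crew / close in time / different location /
    additional cues, i.e. high dependence: (1 + 1.0E-3) / 2 = 0.5005."""
    level = dependence_level(same_crew=True, close_in_time=True,
                             same_location=False, additional_cues=True)
    return hfe_hep(OPA1_DIAGNOSIS, OPA1_ACTION, dependence=level)


def adjusted_example():
    """Constructed case, not from the report: three negative diagnosis PSFs
    (barely adequate time x10, extreme stress x5, misleading HMI x50).  The
    plain product 1.0E-2*2500 would exceed 1; the adjusted form gives ~0.96."""
    return task_hep(NOMINAL_DIAGNOSIS_HEP,
                    {"available_time": 10.0, "stress": 5.0, "ergonomics_hmi": 50.0})


if __name__ == "__main__":
    print(f"OPA-1 HEP: {opa1_hep():.2E}")
    print(f"OPA-4 HEP: {opa4_hep():.4f}")
    print(f"Three negative PSFs, adjusted: {adjusted_example():.3f}")
```

The dependence step is what dominates the Appendix 2 results: once OPA-3 (opening a block valve) is assumed to have failed, the credit for terminating SI collapses from 1E-3 to about 0.5 regardless of how favourable the individual PSFs are, which is why the both-blocked configuration carries the largest delta CDF in Table 4-2.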

Appendix 3. Classification of Plant Conditions from UFSAR

This information is taken from the Byron-Braidwood UFSAR.

CHAPTER 15.0 - ACCIDENT ANALYSES

15.1.1 Classification of Plant Conditions

Since 1970, the American Nuclear Society (ANS) classification of plant conditions has been used which divides plant conditions into four categories in accordance with anticipated frequency of occurrence and potential radiological consequences to the public. The four categories are as follows:

Condition I: Normal Operation and Operational Transients.

Condition II: Faults of Moderate Frequency.

Condition III: Infrequent Faults.

Condition IV: Limiting Faults.

The basic principle applied in relating design requirements to each of the conditions is that the most probable occurrences should yield the least radiological risk to the public and those extreme situations having the potential for the greatest risk to the public shall be those least likely to occur.

Where applicable, reactor trip system and engineered safeguards functioning is assumed to the extent allowed by considerations such as the single failure criterion, in fulfilling this principle.

15.1.1.1 Condition I - Normal Operation and Operational Transients

Condition I occurrences are those which are expected frequently or regularly in the course of power operation, refueling, maintenance, or maneuvering of the plant. As such, Condition I occurrences are accommodated with margin between any plant parameter and the value of that parameter which would require either automatic or manual protective action. Inasmuch as Condition I occurrences occur frequently or regularly, they must be considered from the point of view of affecting the consequences of fault conditions (Conditions II, III and IV). In this regard, analysis of each fault condition described is generally based on a conservative set of initial conditions corresponding to adverse conditions which can occur during Condition I operation.

A typical list of Condition I events is given below:

a. Steady-state and shutdown operations
   1. Power operation (>5 to 100% of rated thermal power),
   2. Startup (keff > 0.99 to <=5% of rated thermal power),
   3. Hot standby (subcritical, residual heat removal system isolated),
   4. Hot shutdown (subcritical, residual heat removal system in operation),
   5. Cold shutdown (subcritical, residual heat removal system in operation), and
   6. Refueling

b. Operation with permissible deviations

   Various deviations which may occur during continued operation as permitted by the plant Technical Specifications must be considered in conjunction with other operational modes. These include:
   1. Operation with components or systems out of service,
   2. Radioactivity in the reactor coolant, due to leakage from fuel with cladding defects:
      (a) Fission products
      (b) Corrosion products
      (c) Tritium
   3. Operation with steam generator leaks up to the maximum allowed by Technical Specification 3.4.13, and
   4. Testing as allowed by Technical Specifications and the Technical Requirements Manual (TRM)

c. Operational transients
   1. Plant heatup and cooldown (up to 100 degF/hour for the reactor coolant system; 200 degF/hour for the pressurizer during cooldown and 100 degF/hour for the pressurizer during heatup),
   2. Step load changes (up to +/- 10%),
   3. Ramp load changes (up to 5%/minute), and
   4. Load rejection up to and including design full load rejection transient

15.1.1.2 Condition II - Faults of Moderate Frequency

These faults, at worst, result in the reactor trip with the plant being capable of returning to operation.

By definition, these faults (or events) do not propagate to cause a more serious fault, i.e., Condition III or IV events. In addition, Condition II events are not expected to result in fuel rod failures or reactor coolant system or secondary system overpressurization.

For the purposes of this report, the following faults are included in this category:

a. Feedwater system malfunctions that result in a decrease in feedwater temperature (Subsection 15.1.1),
b. Feedwater system malfunctions that result in an increase in feedwater flow (Subsection 15.1.2),
c. Excessive increase in secondary steam flow (Subsection 15.1.3),
d. Inadvertent opening of a steam generator relief or safety valve (Subsection 15.1.4),
e. Loss of external electrical load (Subsection 15.2.2),
f. Turbine trip (Subsection 15.2.3),
g. Inadvertent closure of main steam isolation valves (Subsection 15.2.4),
h. Loss of condenser vacuum and other events resulting in turbine trip (Subsection 15.2.5),
i. Loss of nonemergency ac power to the station auxiliaries (Subsection 15.2.6),
j. Loss of normal feedwater flow (Subsection 15.2.7),
k. Partial loss of forced reactor coolant flow (Subsection 15.3.1),
l. Uncontrolled rod cluster control assembly bank withdrawal at a subcritical or low power startup condition (Subsection 15.4.1),
m. Uncontrolled rod cluster control assembly bank withdrawal at power (Subsection 15.4.2),
n. Rod cluster control assembly misalignment (dropped full length assembly, dropped full length assembly bank, or statically misaligned full length assembly) (Subsection 15.4.3),
o. Deleted
p. Chemical and volume control system malfunction that results in a decrease in the boron concentration in the reactor coolant (Subsection 15.4.6),
q. Inadvertent operation of the emergency core cooling system during power operation (Subsection 15.5.1),
r. Chemical and volume control system malfunction that increases reactor coolant inventory (Subsection 15.5.2),
s. Inadvertent opening of a pressurizer safety or relief valve (Section 15.6.1), and
t. Break in instrument line or other lines from reactor coolant pressure boundary that penetrate containment (Subsection 15.6.2).

15.1.1.3 Condition III - Infrequent Faults

By definition, Condition III occurrences are faults which may occur very infrequently during the life of the plant. They will be accommodated with the failure of only a small fraction of the fuel rods, although sufficient fuel damage might occur to preclude resumption of operation for a considerable outage time. The release of radioactivity will not be sufficient to interrupt or restrict public use of those areas beyond the exclusion radius.

A Condition III fault will not, by itself, generate a Condition IV fault or result in consequential loss of function of the reactor coolant system or containment barriers. For the purposes of this report the following faults are included in this category:

a. Steam system piping failure from zero power and full power (minor) (Subsections 15.1.5 and 15.1.6),
b. Complete loss of forced reactor coolant flow (Subsection 15.3.2),
c. Rod cluster control assembly misalignment (single rod cluster control assembly withdrawal at full power) (Subsection 15.4.3),
d. Inadvertent loading and operation of a fuel assembly in an improper position (Subsection 15.4.7),
e. Loss of coolant accidents resulting from a spectrum of postulated piping breaks within the reactor coolant pressure boundary (small break) (Subsection 15.6.5),
f. Gaseous radwaste system leak or failure (Subsection 15.7.1),
g. Liquid radwaste system leak or failure (Subsection 15.7.2),
h. Postulated radioactive releases due to liquid tank failures (Subsection 15.7.3), and
i. Spent fuel cask drop accidents (Subsection 15.7.5).

15.1.1.4 Condition IV - Limiting Faults

Condition IV occurrences are faults which are not expected to take place, but are postulated because their consequences would include the potential of the release of significant amounts of radioactive material. They are the most drastic which must be designed against and represent limiting design cases.

Condition IV faults are not to cause a fission product release to the environment resulting in an undue risk to public health and safety in excess of the guideline values of 10 CFR 100 for TID-14844 based dose analyses and 10 CFR 50.67 for AST based analyses.

A single Condition IV fault is not to cause a consequential loss of required functions of systems needed to cope with the fault including those of the emergency core cooling system and the containment.

For the purposes of this report, the following faults have been classified in this category:

a) Steam system piping failure from zero power and full power (major) (Subsections 15.1.5 and 15.1.6),

b) Feedwater system pipe break (Subsection 15.2.8),

c) Reactor coolant pump shaft seizure (locked rotor) (Subsection 15.3.3),

d) Reactor coolant pump shaft break (Subsection 15.3.4),

e) Spectrum of rod cluster control assembly ejection accidents (Subsection 15.4.8),

f) Steam generator tube failure (Subsection 15.6.3),

g) Loss of coolant accidents resulting from the spectrum of postulated piping breaks within the reactor coolant pressure boundary (large break) (Subsection 15.6.5), and

h) Design basis fuel handling accidents (Subsection 15.7.4).

Appendix 4. Byron SPAR Model

The existing Byron Standardized Plant Analysis Risk (SPAR) model (Version 8.27) was supplemented with three additional initiating events for completeness: events relevant to this analysis that are typically subsumed in the General Transients category or not modeled at all in SPAR models. The three initiating events are inadvertent safety injection (SI) and steam line breaks (SLB) inside and outside containment.

In the steam generator tube rupture (SGTR), SLB, and spurious SI event tree models, an event tree node for failure of SI termination exists. For SGTR this node determines which downstream success paths are viable (residual heat removal versus RWST refill). For SLB and spurious SI, if this node fails, the event is assumed to continue as a SLOCA, with the underlying assumption that the SRVs will pass water and continue to do so. Note that this failure is separate from a SLOCA through a failed-open PORV path. Section 2.3 summarizes the success criteria used for potential pressurizer overfill and SI termination.

D.1 Inadvertent Safety Injection Event Tree

The following provides a description of the SPAR model Inadvertent Safety Injection event tree.

Event tree specific success criteria are provided, followed by a description of the event tree headings and the event tree structure. Figure D-1 shows the inadvertent safety injection event tree.

D.1.1 Success Criteria

Successful plant response to an inadvertent safety injection initiating event requires successful reactivity control, early decay heat removal and inventory control, and long-term decay heat removal. If the reactor fails to trip and insert enough negative reactivity by the control rods to shut down the reactor, the sequence transfers to the ATWS event tree. Successful operation of secondary cooling (AFW) provides initial decay heat removal. Control of makeup involves several operator actions and/or equipment operations. Unblocking PORV block valves (UNBLOCK), if closed, allows PORVs to relieve pressure buildup in lieu of opening the code safeties. If either PORV path is available and functional, opening of the code safeties is assumed to be precluded.

Reduction of injection flow up to and including termination (CSI) is then required to prevent the charging/safety injection pumps from overfilling the pressurizer. Overfilling of the pressurizer can cause an excessive number of relief/safety valve lifts and potentially lead to release of water through the valves. Passing water through these valves is expected to result in an elevated failure rate. The position of the PORVs and code safety valves is then determined with unmitigated failures in the open position transferring to the small loss of coolant event tree (SLOCA) for additional evaluation.

Feed and bleed cooling can provide successful decay heat removal given secondary cooling is unavailable or the RCS is experiencing loss of inventory. For feed and bleed cooling success, a single PORV is required to open if a charging pump is available for injection. Two PORVs are required to open and remove the decay heat during small loss-of-coolant events if only the safety injection pumps are available for injection to replenish the lost RCS inventory.

D.1.2 General Description/Philosophy

D.1.3 Top Event Descriptions

The inadvertent safety injection event tree has the following events, arranged in the approximate order in which they would be expected to occur following the event.

IE-ISINJ Initiating event is an inadvertent safety injection. The primary issue associated with an inadvertent safety injection is the starting of all ECCS equipment including the CVCS and SI pumps and isolation of letdown. Continued operation of high-pressure injection pumps will lead to the pressurizer going solid and the passing of water through the PORVs and/or code safety valves.

RPS This top represents the success or failure of the reactor protection system (RPS) to insert enough negative reactivity by the control rods to shut down the reactor.

AFW Auxiliary feedwater (AFW) system is used to remove decay heat via the steam generators given MFW is not available. The main feedwater system will isolate given a reactor trip. This will require the use of the AFW system to provide flow to the steam generators. Success implies automatic actuation and operation of the AFW system. The AFW system supplies sufficient cooling water to the steam generators to remove decay heat from the reactor. The success criteria are one-of-two AFW trains to three-of-four steam generators.

UNBLOCK This top represents the operator action to open, if closed, the pressurizer block valves. Success is defined as at least one PORV path available for pressure relief or depressurization.

CSI This top event represents the success or failure of an operator to control the injection of the high pressure injection pumps. Success implies the operator took control of the high-pressure pumps (CVCS & SI) to either terminate flow or to lower the flow rate of the pumps.

FAB Success or failure of feed and bleed cooling is represented by this top event.

Feed and bleed cooling is required given secondary cooling is unavailable.

Success requires one-of-two PORVs for successful depressurization when a charging pump is available for injection. Both PORVs are required for depressurization when only the SI pumps are available for injection. An operator is required to open the PORVs and the PORV block valves if they are closed.

Success also requires the CVCS/SI system(s) to provide flow to the RCS cold legs.

HPI This top event represents the success or failure of the high pressure injection system to provide makeup water to the RCS. Success implies automatic actuation and operation of the HPI system (i.e., safety injection (SI) pumps and charging (CVC) pumps). The pumps take suction from the refueling water storage tank (RWST) and provide flow to the RCS cold legs. The HPI system provides sufficient water to keep the core covered. The success criteria are one-of-two SI trains or one-of-two CVC trains supplying at least two-of-four cold legs.

HPR This top event represents the success or failure of high pressure recirculation.

Success requires the HPI pumps (SI or CVC pumps) to take suction from the discharge of the RHR pumps and deliver the water to the RCS. HPR will provide long-term cooling for the reactor given the HPI system was successful in supplying early makeup water to the reactor. HPR is required if residual heat removal cannot be established. The decay heat will be removed from the containment sump by the RHR pump train heat exchangers. An operator action is required to align the RHR pump discharge to the HPI pump suction and verify that the containment sump valves are open and the RWST suction valves are closed. The success criteria are one-of-two RHR trains (and their respective heat exchangers) providing flow to one-of-four HPI trains (one-of-two SI or one-of-two CVC trains).

D.2 Steam Line Break Containment Event Tree

The following provides a description of the SPAR model Steam Line Break event tree. Event tree specific success criteria are provided, followed by a description of the event tree headings and the event tree structure. Figure D-2 shows the steam line break event tree. NOTE: The event tree logic is identical for steam line breaks inside and outside containment; the difference is contained in the associated fault trees, and the initiator-specific logic is turned on or off with house events.

D.2.1 Success Criteria

Successful plant response to a steam line break initiating event requires successful reactivity control, early decay heat removal and inventory control, and long-term decay heat removal. If the reactor fails to trip and insert enough negative reactivity by the control rods to shut down the reactor, the sequence transfers to the ATWS event tree. Due to the rapid decrease in steam pressure associated with a steam line break, this event has the potential to induce a steam generator tube rupture (SGTR). If a steam generator tube rupture does occur, the sequence is transferred to the SGTR event tree for more detailed evaluation. Successful operation of secondary cooling (AFW) provides initial decay heat removal. Isolation of the faulted steam generator (MSI) is initiated to control cooldown and to terminate the mass and energy releases.

The feed flow paths into as well as the steam paths exiting the faulted generator must be isolated.

The steam line isolation criterion is dependent on whether the break location is inside or outside the containment. Additionally, failure to isolate the faulted steam generator following a break is assumed to require high-pressure injection (HPI) to recover pressurizer level due to the RPV coolant shrinkage. Finally, an unisolated break inside the containment is also assumed to actuate containment sprays and lead to the need for sump recirculation (HPR).

The status of the reactor pressure vessel (RPV) coolant inventory is evaluated in the C-SLOCA node. Primary coolant shrinkage due to the rapid cooldown is expected to result in a safety injection signal on low pressurizer level. If this injection is not controlled or terminated, overfilling of the pressurizer will occur. Opening and reclosing of PORVs to relieve pressure is also considered within this node. If RPV inventory is being lost, the scenario transfers to the SLOCA event tree for further evaluation.

Feed and bleed cooling can provide successful decay heat removal given secondary cooling is unavailable or the RCS is experiencing loss of inventory. For feed and bleed cooling success, a single PORV is required to open if a charging pump is available for injection. Two PORVs are required to open and remove the decay heat during small loss-of-coolant events if only the safety injection pumps are available for injection to replenish the lost RCS inventory.

D.2.2 General Description/Philosophy

D.2.3 Top Event Descriptions

The steam line break event tree has the following events, arranged in the approximate order in which they would be expected to occur following the event.

IE-SLBIC / IE-SLBOC Initiating event: steam line break inside containment (IE-SLBIC) or outside containment (IE-SLBOC). The two steam line break event tree structures are nearly identical. The only differences are in the MSI and HPR fault tree logic. Logic differences within the MSI fault tree are actuated using initiator-specific house events. The HPR fault tree is set to FALSE in the SLBOC event tree.

RPS This top represents the success or failure of the reactor protection system (RPS) to insert enough negative reactivity by the control rods to shut down the reactor.

ISGTR This top represents the likelihood of the event causing a steam generator tube rupture. The increased differential pressure across the steam generator tube sheet/tubes from the initiator increases the likelihood of a tube rupture.

AFW Auxiliary feedwater (AFW) system is used to remove decay heat via the steam generators given MFW is not available. The main feedwater system will isolate given a reactor trip. This will require the use of the AFW system to provide flow to the steam generators. Success implies automatic actuation and operation of the AFW system. The AFW system supplies sufficient cooling water to the steam generators to remove decay heat from the reactor. The success criteria are one-of-two AFW trains to three-of-four steam generators.

MSI This top represents the operator action to isolate the steam line that contains the break. This top also contains the hardware required for isolation. For steam line breaks outside containment (SLBOC), all MSIVs must close to isolate steam flow. For steam line breaks inside containment (SLBIC), only the MSIV of the faulted steam generator needs to be closed. In addition, feedwater flow to the faulted steam generator must also be secured.

C-SLOCA This top event represents the various pathways leading to a consequential small loss of coolant (SLOCA) event. These paths include failure of operators to control the injection of the high pressure injection pumps. Success implies operators take control of the HPI pumps and lower the flow rate of the pumps. Failure of the pressurizer PORVs to reclose, if opened, also leads to a SLOCA, as does loss of reactor coolant pump seal cooling.

FAB Success or failure of feed and bleed cooling is represented by this top event.

Feed and bleed cooling is required given secondary cooling is unavailable.

Success requires one-of-two PORVs for successful depressurization when a charging pump is available for injection. Both PORVs are required for depressurization when only the SI pumps are available for injection. An operator is required to open the PORVs and the PORV block valves if they are closed.

Success also requires the CVCS/SI system(s) to provide flow to the RCS cold legs.

HPI This top event represents the success or failure of the high pressure injection system to provide makeup water to the RCS. Success implies automatic actuation and operation of the HPI system (i.e., safety injection (SI) pumps and charging (CVC) pumps). The pumps take suction from the refueling water storage tank (RWST) and provide flow to the RCS cold legs. The HPI system provides sufficient water to keep the core covered. The success criteria are one-of-two SI trains or one-of-two CVC trains supplying at least two-of-four cold legs.

HPR This top event represents the success or failure of high pressure recirculation.

Success requires the HPI pumps (SI or CVC pumps) to take suction from the discharge of the RHR pumps and deliver the water to the RCS. HPR will provide long-term cooling for the reactor given the HPI system was successful in supplying early makeup water to the reactor. HPR is required if residual heat removal cannot be established. The decay heat will be removed from the containment sump by the RHR pump train heat exchangers. An operator action is required to align the RHR pump discharge to the HPI pump suction and verify that the containment sump valves are open and the RWST suction valves are closed. The success criteria are one-of-two RHR trains (and their respective heat exchangers) providing flow to one-of-four HPI trains (one-of-two SI or one-of-two CVC trains).

Figure D-1: Inadvertent Safety Injection Event Tree (graphic not reproduced here). Top events, left to right: IE-ISINJ (inadvertent safety injection), RPS (reactor shutdown), AFW (auxiliary feedwater fails to provide flow), UNBLOCK (operator fails to open PORV block valves per OPA-3), CSI (terminate or control safety injection), PZR-PORV-SRV-ISINJ (PORV paths are closed following inadvertent SI), FAB (feed and bleed), HPR (high pressure recirculation); end state column "End State (Phase - CD)". Sequence end states: 1 OK, 2 SLOCA, 3 OK, 4 SLOCA, 5 OK, 6 SLOCA, 7 SLOCA, 8 OK, 9 CD, 10 CD, 11 ATWS. The PORV/SRV position branch is evaluated with the fault trees PZR-PORV-SRV-ISINJ, PZR-PORV-SRV-DEP and PZR-PORV-SRV-ISINJ1 on different paths of the tree.

Figure D-2: Steam Line Break Event Tree (graphic not reproduced here). Top events, left to right: IE-SLBIC (steam line break inside containment), RPS (reactor shutdown), ISGTR (induced SGTR), AFW (auxiliary feedwater fails to provide flow), MSI (SG & MSS line isolation, steam line break), C-SLOCA (consequential small LOCA), FAB (feed and bleed), HPI (high pressure injection), HPR (high pressure recirculation; marked FALSE IN SLBOC); end state column "End State (Phase - CD)". Sequence end states: 1 OK, 2 SLOCA, 3 OK, 4 CD, 5 CD, 6 OK, 7 CD, 8 CD; the remaining three sequences are a transfer to the SGTR event tree, a transfer to the ATWS event tree, and one further CD sequence.

D.3 Notes on SRV Failures

The small LOCA frequency we use is for pipe-break events, and we currently have zero events cataloged in our initiating event database for those (either as initial plant fault or as functional impact).

INL specifically tracks the stuck-open valve cases and has no initial plant fault initiator events for them. We do have some functional impact events coded, giving the following:

PWR, G2, Stuck open safety valve: frequency 1.5E-3 per reactor critical year (rcry)
PWR, G4, Stuck open pressurizer PORV: frequency 9.0E-4 per rcry

The functional impact category should provide an occurrence bound on the idea of consequential small LOCAs from the TRANS/stuck-open RV sequences which are included in the model.

There are 2 PWR stuck-open SV events, as follows, by initial plant fault:

1) Calvert Cliffs 1, 1994, QR5 turbine trip; actually described as the SV leaking by its seat at 25 gpm, so not really much of a stuck-open SV event.
2) Fort Calhoun, 1992, QC4 loss of ac I&C bus; closer to a real SV event, with failure to re-seat and a leak rate of 200 gpm.

So a conditional probability could be worked out using either or both of these events. The question would be what to use in the denominator: the number of Q events, or some subset. That would lead to a higher conditional probability than we now calculate.

For PWR stuck-open PORV we have the following event:

1) Calvert Cliffs, 2006, QR0 RCS high pressure (RPS trip); the PORV remained open for about 90 seconds, allowing pressure to drop to 1500 psia, when it should have re-closed at about 2400 psia. So this event was really only a temporarily stuck-open PORV.

Again, what to use in the denominator? All Q events?

So maybe nothing more needs to be done, but the above data could be used if needed.
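The estimate the notes above leave open, worked through as an added example (this is not a calculation from the report and not INL's database tooling): the Jeffreys-prior Bayesian update that NRC initiating-event and component data studies use for a failure-on-demand probability, applied to the 2 stuck-open SV events and the 1 stuck-open PORV event with the denominator left as a parameter. The candidate demand counts are constructed placeholders for "all Q events" and narrower subsets; the 5%/95% posterior interval is computed numerically with the standard library only. Multiplying the resulting per-demand probability by the frequency of whichever Q category is chosen as denominator gives a per-rcry frequency comparable to the 1.5E-3 and 9.0E-4 functional-impact values quoted above.

```python
"""Conditional probability of a stuck-open relief valve from event counts (added
illustration for Appendix D.3; not a calculation from the report).  Event counts
are the ones listed in D.3; the candidate denominators are constructed."""
import math


def jeffreys_posterior(events, demands):
    """Beta posterior for a failure-on-demand probability under the Jeffreys prior
    Beta(1/2, 1/2): Beta(events + 1/2, demands - events + 1/2)."""
    if events < 0 or demands < events:
        raise ValueError("need 0 <= events <= demands")
    return events + 0.5, demands - events + 0.5


def posterior_mean(events, demands):
    """Point estimate (events + 1/2) / (demands + 1)."""
    a, b = jeffreys_posterior(events, demands)
    return a / (a + b)


def beta_cdf(x, a, b, panels=4000):
    """CDF of Beta(a, b) at x by Simpson's rule on [0, x]; needs a >= 1 (at least one
    event) so the density is finite at 0.  Pure math module, no SciPy."""
    if a < 1.0:
        raise ValueError("Simpson quadrature here assumes a >= 1")
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    log_norm = math.lgamma(a) + math.lgamma(b) - math.lgamma(a + b)

    def density(t):
        if t <= 0.0 or t >= 1.0:
            return 0.0
        return math.exp((a - 1.0) * math.log(t) + (b - 1.0) * math.log1p(-t) - log_norm)

    h = x / panels
    total = density(0.0) + density(x)
    for i in range(1, panels):
        total += (4.0 if i % 2 else 2.0) * density(i * h)
    return total * h / 3.0


def posterior_quantile(q, a, b, tol=1e-12):
    """Invert beta_cdf by bisection on [0, 1]."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if beta_cdf(mid, a, b) < q:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def stuck_open_estimate(events, demands, q_lo=0.05, q_hi=0.95):
    """Posterior mean and (q_lo, q_hi) interval for P(valve sticks open | demand)."""
    a, b = jeffreys_posterior(events, demands)
    return {"mean": posterior_mean(events, demands),
            "lower": posterior_quantile(q_lo, a, b),
            "upper": posterior_quantile(q_hi, a, b)}


def denominator_sensitivity(events, candidate_demands):
    """Posterior mean for each candidate denominator (the open question in D.3)."""
    return {n: posterior_mean(events, n) for n in candidate_demands}


# Event counts from D.3.  The demand counts are constructed placeholders for
# "all Q events" and two narrower subsets; the real counts would come from the
# initiating-event database.
SV_EVENTS, PORV_EVENTS = 2, 1
CANDIDATE_DEMANDS = [2000, 1000, 300]

if __name__ == "__main__":
    for demands in CANDIDATE_DEMANDS:
        sv = stuck_open_estimate(SV_EVENTS, demands)
        porv = stuck_open_estimate(PORV_EVENTS, demands)
        print(f"{demands:5d} demands: P(SV stuck open) = {sv['mean']:.2E} "
              f"[{sv['lower']:.1E}, {sv['upper']:.1E}], "
              f"P(PORV stuck open) = {porv['mean']:.2E} "
              f"[{porv['lower']:.1E}, {porv['upper']:.1E}]")
```

The sensitivity table makes the point of the notes concrete: the smaller the denominator (a narrower subset of Q events instead of all of them), the higher the conditional probability, and with only one or two events the 90% interval spans roughly an order of magnitude, so the choice of denominator matters more than the point estimate suggests.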

D.4 Notes on How Model Cases Were Run

The original Byron SPAR model version 8.27 already has 2 basic events for pressurizer PORV block valves being in a closed position during power operation. These basic events are assigned a probability of 0.0633 in the modified SPAR model. However, these probabilities are not used in calculating the CDF for the 3 plant configuration cases Case-0, Case-1 and Case-2. For these cases, three change sets are used to replace these basic events with combinations of TRUE and FALSE values (corresponding to failure probabilities of 1 and 0, respectively). Table D.4-1 shows the assigned values.

Table D.4-1 Basic Event Probabilities Assigned to Block Valves via Change Sets for Cases 0, 1 and 2

Basic Event Name    Description                                  Base SPAR Model   Case-0   Case-1   Case-2
PPR-MOV-FC-8000A    PORV 8000A BLOCK VALVE CLOSED DURING POWER   6.33E-02          FALSE    TRUE     TRUE
PPR-MOV-FC-8000B    PORV 8000B BLOCK VALVE CLOSED DURING POWER   6.33E-02          FALSE    FALSE    TRUE

These cases are solved with a cutoff probability of 1E-12 using the SAPHIRE software.

For Cases B and C, additional change sets are made to replace the HEP values with new ones.

These replacements are shown in Table 4-2.

Thus, a total of 9 runs are made with SAPHIRE version 8.1.4.4: three plant configuration cases for each of Cases A, B and C, which are defined in Section 4. The resulting CDFs are obtained from the minimal cutsets as given in the standard output Table J-2 of SAPHIRE.

The dependent HFE event, OPA-4, was placed in the cutsets through a rule in the event tree post-processing file.
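How a change set, the cutoff, cutset quantification and a post-processing rule fit together, as an added example (this is not the Byron SPAR model and not SAPHIRE code). Only the two block-valve basic events, their base value 6.33E-02 and the TRUE/FALSE pattern of Cases 0, 1 and 2 are taken from Table D.4-1 and the 1E-12 cutoff from the text; every other basic event, probability and cutset, the HEP change sets standing in for Cases A and B, and the rule pairing UNBLOCK-HEP with a dependent CSI-HEP are constructed for the illustration. SAPHIRE applies a change set before the fault trees are solved; here the constructed cutsets carry complemented block-valve events (a leading "/", the SAPHIRE convention for a success event), which is what makes substituting TRUE/FALSE into already-solved cutsets equivalent.

```python
"""Minimal-cutset quantification with SAPHIRE-style change sets (added illustration
for Appendix D.4; not the Byron SPAR model, not SAPHIRE code).  Only the two
block-valve events, their base value 6.33E-02, the TRUE/FALSE pattern of Cases
0/1/2 and the 1E-12 cutoff are from the text; everything else is constructed."""
import math

CUTOFF = 1e-12  # cutoff probability used for the case runs

# Base values.  IE-ISINJ is a frequency per year, so cutset products are CDF per year.
BASE_EVENTS = {
    "IE-ISINJ": 1.0e-2,           # inadvertent SI frequency (constructed)
    "PPR-MOV-FC-8000A": 6.33e-2,  # PORV 8000A block valve closed during power (Table D.4-1)
    "PPR-MOV-FC-8000B": 6.33e-2,  # PORV 8000B block valve closed during power (Table D.4-1)
    "UNBLOCK-HEP": 1.0e-1,        # operator fails to open block valves (constructed)
    "CSI-HEP": 1.0e-2,            # operator fails to terminate/control SI (constructed)
    "CSI-HEP-DEP": 5.0e-1,        # same action after an earlier HFE failure (constructed)
    "PORV-A-FTRC": 1.0e-2,        # PORV A fails to reclose after passing water (constructed)
    "PORV-B-FTRC": 1.0e-2,        # PORV B fails to reclose after passing water (constructed)
    "SRV-FTRC": 5.0e-2,           # code safety fails to reclose after passing water (constructed)
    "HPR-FAIL": 1.0e-3,           # high pressure recirculation fails (constructed)
    "AFW-FAIL": 1.0e-4,           # auxiliary feedwater fails (constructed)
    "RWST-TK-FC": 5.0e-7,         # kept tiny so its cutset lands below the cutoff (constructed)
}

# Constructed minimal cutsets.  A leading "/" is the SAPHIRE convention for a complemented
# (success) event: "/PPR-MOV-FC-8000A" reads "block valve A open".  Spelling out the
# block-valve state each path needs is what makes TRUE/FALSE substitution valid here.
CUTSETS = [
    # both paths blocked, no unblock, SI not controlled, code safety sticks open, HPR fails
    ["IE-ISINJ", "PPR-MOV-FC-8000A", "PPR-MOV-FC-8000B", "UNBLOCK-HEP", "CSI-HEP", "SRV-FTRC", "HPR-FAIL"],
    # A blocked, B available: PORV B passes water and sticks open
    ["IE-ISINJ", "PPR-MOV-FC-8000A", "/PPR-MOV-FC-8000B", "CSI-HEP", "PORV-B-FTRC", "HPR-FAIL"],
    # A available: PORV A passes water and sticks open
    ["IE-ISINJ", "/PPR-MOV-FC-8000A", "CSI-HEP", "PORV-A-FTRC", "HPR-FAIL"],
    # AFW lost, both paths blocked and not unblocked: no feed and bleed path
    ["IE-ISINJ", "AFW-FAIL", "PPR-MOV-FC-8000A", "PPR-MOV-FC-8000B", "UNBLOCK-HEP"],
    # AFW lost and RWST unavailable: 5E-13, truncated by the cutoff
    ["IE-ISINJ", "AFW-FAIL", "RWST-TK-FC"],
]

# Plant configuration change sets (Table D.4-1); True/False are probabilities 1/0.
PLANT_CASES = {
    "Case-0": {"PPR-MOV-FC-8000A": False, "PPR-MOV-FC-8000B": False},
    "Case-1": {"PPR-MOV-FC-8000A": True, "PPR-MOV-FC-8000B": False},
    "Case-2": {"PPR-MOV-FC-8000A": True, "PPR-MOV-FC-8000B": True},
}

# HEP change sets standing in for Cases A and B of Section 4 (constructed values).
HEP_CASES = {"Case A": {}, "Case B": {"CSI-HEP": 5.0e-2, "UNBLOCK-HEP": 3.0e-1}}

# Post-processing rule in the spirit of the OPA-4 rule in D.4 (hypothetical pairing):
# a cutset that already holds UNBLOCK-HEP gets the dependent CSI HEP instead.
DEPENDENCY_RULES = [("UNBLOCK-HEP", "CSI-HEP", "CSI-HEP-DEP")]


def apply_change_sets(base, *change_sets):
    """Return a probability map with each change set applied in order."""
    probs = dict(base)
    for change_set in change_sets:
        for name, value in change_set.items():
            probs[name] = (1.0 if value else 0.0) if isinstance(value, bool) else value
    return probs


def apply_rules(cutset, rules):
    """Swap in the dependent HFE where a rule's trigger and target share a cutset."""
    out = list(cutset)
    for trigger, target, replacement in rules:
        if trigger in out and target in out:
            out[out.index(target)] = replacement
    return out


def cutset_probability(cutset, probs):
    """Product of event probabilities; "/X" contributes 1 - P(X)."""
    p = 1.0
    for name in cutset:
        p *= 1.0 - probs[name[1:]] if name.startswith("/") else probs[name]
    return p


def quantify(cutsets, probs, cutoff=CUTOFF, rules=DEPENDENCY_RULES):
    """Truncate at the cutoff, then give the rare-event sum and the min cut upper bound."""
    kept = []
    for cutset in cutsets:
        cutset = apply_rules(cutset, rules)
        p = cutset_probability(cutset, probs)
        if p > 0.0 and p >= cutoff:  # a FALSE event zeroes its cutset; the cutoff drops the rest
            kept.append((cutset, p))
    rare_event = sum(p for _, p in kept)
    mcub = -math.expm1(sum(math.log1p(-p) for _, p in kept))  # 1 - prod(1 - p) without cancellation
    return {"rare_event": rare_event, "mcub": mcub, "cutsets": kept}


def run_case(plant_case, hep_case="Case A", cutoff=CUTOFF):
    """One run: base values, plant change set, HEP change set, then quantify."""
    probs = apply_change_sets(BASE_EVENTS, PLANT_CASES[plant_case], HEP_CASES[hep_case])
    return quantify(CUTSETS, probs, cutoff)


def run_matrix():
    """HEP cases against plant configurations, rare-event CDF per year."""
    return {(h, p): run_case(p, h)["rare_event"] for h in HEP_CASES for p in PLANT_CASES}


if __name__ == "__main__":
    for (hep_case, plant_case), cdf in run_matrix().items():
        print(f"{hep_case} / {plant_case}: CDF = {cdf:.2E} per year")
```

With these constructed numbers Case-0 and Case-1 give the same CDF, because one available PORV path serves both pressure relief and feed and bleed, while Case-2 rises by two orders of magnitude because feed and bleed now depends on the operator unblocking a path and the SI-termination action becomes the dependent HEP. The 5E-13 cutset is dropped by the cutoff in every run, and the minimal cut upper bound is returned next to the rare-event sum so the two quantification conventions can be compared.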
