ML17158B731
| ML17158B731 | |
| Person / Time | |
|---|---|
| Site: | Susquehanna  |
| Issue date: | 07/17/1996 |
| From: | Poslusny C NRC (Affiliation Not Assigned) |
| To: | Byram R PENNSYLVANIA POWER & LIGHT CO. |
| References | |
| NUDOCS 9607240222 | |
| Download: ML17158B731 (52) | |
Text
~PS R50I, (4
Cg"o Cy A.
++*gk UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 2055&4001 July 17, 1996
~QQ~$ pi I+
~o - 387 Hr. Robert Byram Senior Vice President-Nuclear Pennsylvania Power and Light Company 2 North Ninth Street Allentown, PA 18101
SUBJECT:
DRAFT 1982-83 PRECURSOR REPORT
Dear Hr. Byram:
Enclosed for your information are excerpts from the draft Accident Sequence Precursor (ASP) Report for 1982-83 (Enclosure 1).
This report documents the Accident Sequence Precursor (ASP)
Program analyses of operationa'1 events which occurred during the period 1982-83.
We are providing the appropriate sections of this draft report to each licensee with a plant which had an event in 1982 or 1983 that has been identified as a precursor.
At least one of these precursors occurred at the Susquehanna Steam Electric Station.
Also enclosed for your information are copies of Section 2.0 (Enclosure 2) and Appendix A (Enclosure
- 3) from the 1982-83 ASP Report.
Section 2,0 discusses the ASP Program event selection criteria and the precursor quantification process; Appendix A describes the models used in the analyses.
We emphasize that you are under no licensing obligation to review and comment on the enclosures.
The analyses documented in the draft ASP Report for 1982-83 were performed primarily for historical purposes to obtain the 2 years of precursor data for the NRC's ASP Program which had previously been missing.
We realize that'ny review of the precursor analyses of 1982-83 events by affected licensees would necessarily be limited in scope due to: (1) the extent of the licensee's corporate memory about specific details of an event which occurred 13-14 years
- ago, (2) the desire to avoid competition for internal licensee staff resources with other, higher priority work, and (3) extensive changes in plant design, procedures, or operating practices implemented since the time period 1982-83, which may have resulted in significant reductions in the probability of (or, in some cases, even precluded) the occurrence of events such as those documented in this report.
The draft report contains detailed documentation for all precursors with conditional core damage probabilities
> 1.0 x 10
- However, the relatively large number of precursors identified for the period 1982-83 necessitated that only summaries be provided for grecursors with conditional core damage probabilities between 1.0 x 10 and 1.0 x 10 '.
We are currently preparing the report for publication.
We will respond to any comments on the precursor analyses which we receive from licensees.
The Ngg Pb07240222 9b0717 PDR
'ADOCK 05000387 P
PDR III'IgC88$ M<
R.
Byram responses will be placed in a separate section of the final report.
Pennsylvania Power E Light is on distribution for the final report.
Please contact me at (301) 415-1402 if you have any questions regarding this letter.
Any response to this letter on your part is entirely voluntary and does not constitute a licensing requirement.
Sincerely, Docket No. 50-387
Enclosures:
1.
2.
3.
Chester
- Poslusny, Senior Project Manager Project Directorate I-2 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation Draft ASP Report for 1982-83 Section 2.0 from 1982-83 ASP Report Appendix A from 1982-83 ASP Report cc w/encls:
See next page DISTR I BUTION:
Docket File
'UBLIC PDI-2 Reading SVarga JZwolinski JStolz MO'Brien CPoslusny OGC ACRS WPasciak SHays OFFICE NAME sl n
PDI-2 PM'Poslusny:smm P
2 D
JSt DATE
/
/96 9/
/96
/
/96 OF ICIA CORD COPY DOCUMENT NAME:
A:USUS(UEHANNAiSU-ASP82. LTR
'0 I
(
I
)I I
I
'4w, J
R.
Byram responses will be placed in a separate section of the final report.
Pennsylvania Power
& Light is on distribution for the final report.
Please contact me at (301) 415-1402 if you have any questions regarding this letter.
Any response to this letter on your part is entirely voluntary and does not constitute a lice'nsing requirement.
Sincerely, Docket No. 50-387 Chester
- Poslusny, Senior Project Hanager Project Directorate I-2 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation
Enclosures:
l.
Draft ASP Report for 1982-83 2.
Section 2.0 from 1982-83 ASP Report 3'.
Appendix A from 1982-83 ASP Report cc w/encls:
See next page
t 1
Hr. Robert G.
Byram Pennsylvania Power
& Light Company Susquehanna Steam Electric Station, Units 1
& 2 CC:
Jay Silberg, Esq.
- Shaw, Pittman, Potts
& Trowbridge 2300 N Street N.W.
Washington, D.C.
20037 Bryan A. Snapp, Esq.
Assistant Corporate Counsel Pennsylvania Power
& Light Company 2 North Ninth Street Allentown, Pennsylvania 18101 Hr. J.
H. Kenny Licensing Group Supervisor Pennsylvania Power
& Light Company 2 North Ninth Street Allentown, Pennsylvania l8101 Hrs. Haitri Banerjee Senior Resident Inspecto}
U. S. Nuclear Regulatory Commission P.O.
Box 35 Berwick, Pennsylvania 18603-0035 Hr. William P. Dornsife, Director Bureau of Radiation Protection Pennsylvania Department of Environmental Resources P. 0.
Box 8469 Harrisburg, Pennsylvania 17105-8469 Hr. Jesse C. Tilton, III Allegheny Elec. Cooperative, Inc.
212 Locust Street P.O.
Box 1266 Harrisburg, Pennsylvania 17108-1266 Regional Administrator, Region I U.S: Nuclear Regulatory Commission 475 Allendale Road King of Prussia, Pennsylvania 19406 Hr. Karold G. Stanley Vice President-Nuclear Operations Susquehanna Steam Electric Station Pennsylvania Power and Light Company Box 467 Berwick, Pennsylvania 18603 Hr. Herbert D. Woodeshick Special Office of the President Pennsylvania Power and Light Company Rural Route 1,
Box 1797 Berwick, Pennsylvania 18603 George T. Jones Vice President-Nuclear Engineering Pennsylvania Power and Light Company 2 North Ninth Street Allentown, Pennsylvania 18101 Dr. Judith Johnsrud National Energy Committee Sierra Club 433 Orlando Avenue State College, PA 16803 Chairman Board of Supervisors 738 East Third Street
- Berwick, PA 18603
B.57 LER No. 3SV/82-061 Event
Description:
ESW Pumps B and D Fail to Start Date ofEvent:
Plant:
December 22, 1982 Susquehanna 1
B.57.1 Summary On December 22, 1982, while performing the Loss of Offsite Power (LOOP) Test, the B and D emergency service water (ESW) pumps failed to start.
This resulted in a loss of train B of ESW which would have subsequently failed residual heat removal (RHR) pumps B and C.
Earlier in the day the reactor scramed following turbine valve fast closure.
The conditional core damage prnbability estimated for this event is 7.2 x 10~.
B.57.2 Event Description On December 22, 1982, while performing the LOOP Test, the B and D ESW pumps failed to start. This resulted in a loss of train B of ESW. The operators manually started the pumps prior to overheating of the serviced equipment (i.e., RHR pumps B and C, etc.). An investigation revealed that the pump B failure was the result of loose wires on a relay terminal, while the pump D failure was the result ofloose wires on relay terminals, a loose states link, and an out ofadjustment instantaneous contact.
These problems were corrected, train A equipment examined to determine whether the same failures were present (they were not), and thc pumps retested.
Earlier in the day, as part ofscheduled startup testing, generator output breakers were opened, causing a reactor scram on turbine control valve fast closure trip..
B.57.3 Additional Event-Related Information Susquehanna's emergency service water system consists oftwo independent divisions (trains A and B), each of which is designed to supply 100 percent ofthe flowrequired by one division in both units plus cooling for four emergency diesel generators (i.e., DGs A, B, C, and D). Each division has two motor-driven pumps, each of which is capable ofproviding sufficient flow to remove the heat from the loads cooled by the division. ESW pumps A and C comprise train A and pumps B and D comprise train B. Train B provides cooling for diesel generators A, B, C, and D, pump cooling for RHR pumps B and C, plus cooling for other loads.
Susquehanna's RHR pumps can bc operated in several modes.
These include low pressure coolant injection (LPCI), suppression pool cooling, shutdown cooling, containment spray, reactor head spray, and fuel pool cooling. Susquehanna's IPE submittal states that the RHR pumps can be operated 30 minutes without pump cooling.
LER No. 387/82-061 Enclosure 1
B.57-2 B.57.4 Modeling Assumptions The event was modeled as a transient with hvo ESW pumps (train B) failed. This failure results in the loss of the B and C RHRpumps owing to loss ofpump cooling. Unavailability ofthese two pumps affects RHR. To rcflect the potential failure ofthe other hvo pumps due to the same failure mode, trains 1 and 2 ofRHR, LPCI, and RHR(SP COOL) model were set to failed. The potential for common-cause failure exists, even when a component is failed.
Therefore, the conditional probability of a common-cause failure was included in the analysis for those components that were assumed to have been failed as a part of the postulated event.
The nonrccovery probability for RHR was revised to 0.054 to reflect the RHRSW failures (based on data included in "Faulted Systems Recovery Experience," NSAC-161, May 1992). For sequences involving potential RHR or PCS recovery, the nonrecovery estimate was revised to 0.054 x 0.52 (PCS nonrecovery), or 0.028.
B.57.5 Analysis Results The estimated conditional core damage probability for the event is 7.2 x 10~. The dominant sequence highlighted on the event tree in Figure B.57.1 (to be provided in final report) involved a transient initiator followed by successful reactor shutdown, failure ofthe power conversion system, no more that one safety reliefvalves failing to close, success ofthe main feedwater system, and failure ofthe residual heat removal system.
LER No. 387/82-061
TRANS Rx SHUT-DOWN SAVs CLOSE FW HPCI HPCS SAVsl ADS CAD PUMPS
{$NJ)
I.PCI RHASW
{INJ)
END STATE
'EO.
NO.
<2 vtvs (psn 2vbs n
>2 vIvs cpon OK OK CD OK CD OK CD OK CD OK CD OK CD OK CD CD OK CD CD OK CD OK CD OK CD OK CD CD OK CD OK OK CD OK CD CD CD OK CD OK CD OK CD OK CD CD ATWS 101 102 103
$ 04 105
$ 05 107 108
$ 09
$ 10 111 112 113 114
$ 15 115 117 118 118 120 121 122 123 124 125 125 127
'I28 128
$ 30 131 132
$33 134 135 135
$ 37 135
$38 140 141
$ 42 143 144 145 148 147-
B.57-4 CONDITIONALCORE DAMAGEPROBABILITYCALCULATIONS Event Identifier:
387/82-061 Event
Description:
ESIJ pcs B and D fail to start
~
Event Date:
December 22, 1982 Plant:
Susquehanna 1
INIT IATIHG EVENT HON-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS 1.0E+00 SEQUENCE CONDITIONAL PROBABILITY SUHS End State/Initiator CD Probability TRANS Total 7.2E-04 7.2E-04 SEQUENCE COHDITIOHAL PROBABILITIES (PROBABILITY ORDER)
Sequence 103 trans -rx.shutdown pcs srv.ftc.<2 -mfw RNR.AHD.PCS.NREC 105
.trans -rx.shutdown pcs srv.ftc.<2 mfw -hpci RHR.AHD.PCS.HREC
- non-recovery credit for edited case SEQUEHCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)
Sequence 103 trans -rx.shutdown pcs srv.ftc.<2 -mfw RHR.AHD.PCS.HREC 105 trans -rx.shutdown pcs srv.ftc.<2 mfw -hpci RHR.AND.PCS.NREC
- non-recovery credit for edited case SEQUENCE HOOEL:
d:iaspimodelsibwrc8283.cmp BRANCH HODEL:
d:iaspimodelslsusque.82 PROBABILITY FILE:
d:iaspimodeisibwr8283.pro No Recovery Limit BRANCH FREQUENCIES/PROBABILITIES End State CD CD End State CD CD Prob 6.0E-04 1.1E-04 Prob 6.0E-04 1.1E-04 H Rec**
2.5E-02 9.5E-03 H Rec>>>>
2.5E-02 9.5E-03 Branch trans loop
'oca rx.shutdown pcs srv.ftc.<2 srv.ftc.2 System 1.5E-03 1.6E-OS 3.3E-06 3.5E-04 1.7E-01 1.DE+00 1.3E-03 Hon-Recov 1.DE+00 2.4E-01 6.7E-01 1.0E-01 1.DE+00 1.0E+00 1.DE+00 Opr Fail LER No. 387/82-061
B.57-5 srv.ftc.>2 mfw hpci 2.2E-04 4.6E-01 2.9E-02 1.DE+00 3.4E-01 7.0E-01 rcI C srv.ads crd(inj) cond lpcs LPCI Branch Hodel:
Train 1
Cond Train 2 Cond Train 3 Cond Train 4 Cond Serial Compone rhrsw(inj)
RHR Branch Hodel:
Train 1
Cond Train 2 Cond Train-3 Cond Train 4 Cond RHR.AND.PCS.HREC Branch Hodel:
Train 1
Cond Train 2 Cond Train 3 Cond Train 4 Cond RHR/-LPCI Branch Nodeit Train 1
Cond rhr/lpci rhr (spcool )
rhr(spcool)/- lpci ep ep.rec rpt slcs ads.inhibit man.depress 1.0F.4+ser Prob:
Prob:
Prob:
Prob:
nt Prob:
1.0F.4+opr Prob:
Prob:
Prob:
Prob:
'I.OF.4+opr Prob:
Prob:
Prob:
Prob:
1.0F.1+opr Prob:
branch model file
- forced Event Identifier: 387/82-061 6.0E-02 3.7E-03 1.0E-02 1.DE+00 1.7E-03 1.1E-03 1.0E-02 1.0E-01 3.0E-01 5.0E-01 1.0E-03 2.0E-02 1.5E-04 1 'E-02 1.0E-01 3.0E-01 5.0E-01 1.5E-04 1.0E-02 1.0E-01 3.0E-01 S.OE-01 O.OE+00 O.DE+00 1.DE+00 2.1E-03 2.0E-03 1.4E-03 2.1E-01 1.9E-02 2.0E-03 O.DE+00 3.7E-03 1 'E-01
> 1.DE+00
>> 1.DE+00
) 1.5E-01
> 1.0E+00
> 1.0E+00
) 1.5E-01
> 1.0E+00
> 1.DE+00
> 1.5E-01
> 1.5E-01 7.0E-01 7.0E.01 1.DE+00 3.4E-01 1.DE+00 1.DE+00 1.DE+00 1.6E-02
> 5.4E.02 8.3E-03
> 2.8E-02 1.0E+00 1.DE+00 1.DE+00 1.DE+00 8.7E-01 1.DE+00 1.DE+00 1.BE+00 1.DE+00 1 'E+00 1.0E-02 1.0E.02 1.0E-03 1.0E-02 1.0E-05 1.0E-05 1 'E-05 1.0E-05 1.0E-03 1.0E-03 1 'E-02 1.0E-02 1.0E-02 Dolan 01-10-1996 16103:17 Event Identifier: 387/82-061 LER No. 387/82-061
~
~
B.58-1 B.58 LER No. 387/83-051 Event
Description:
RCIC System Unavailable Owing to Governor Valve Problem Date of Event:
March 22, 1983 Plant:
Susquehanna 1
B.58.1 Summary On March 22, 1983, in response to a low reactor pressure vessel (RPV) water level signal following a scram, thc reactor core isolation cooling (RCIC) system initiated and then tripped on turbine overspeed.
The conditional core damage probability estimated for the event is 1.2 x 10'.
B.58.2 Event Description On March 22, 1983, in response to a low RPV water level signal following,a scram, the RCIC system initiated and then tripped on turbine overspeed.
Operations personnel manually started RCIC immediately after the overspeed trip, the high pressure injection system started, and vessel level was recovered and maintained.
Investigations revealed the overspeed trip was caused by slow response ofthe governor valve during system start.
The slow response was caused by dirt deposition in the opening ofthe pilotvalve. This was corrected on May 17, 1984 by installing a new upmaded governor in which the pilot valve opening was enlarged.
The scram was caused by an operator error that allowed air to be injected into the reactor vessel via the condensate demincralizers, resulting in high main steam radiation signals.
B.58.3 Additional Event-Related Information The RCIC system consists of a single turbine-driven pump that can provide primary coolant makeup at a maximum rate of600 gpm. The RCIC pump is provided with two suction sources.
The primary source is the condensate storage tank (CST), with the suppression pool providing the secondary source.
The system is designed to swap from the CST to the suppression pool on low CST level.
B.58.4 Modeling Assumptions Given that a plant trip occurred, this event was modeled as a transient initiator. The main steam isolation valves (MSIVs) are assumed to have closed as a result of the high main steam radiation signals.
This willresult in unavailability ofthe power conversion system (PCS) and the main feedwater (MFW) system since Susquehanna uses turbinedriven MFWpumps. In addition, Susquehanna's IPE submittal states that flowthrough the MSIVs is needed for the turbine-driven MFW pumps; thus, it is assumed that thc use of the MSIV bypass valves to supply steam for the MFW pumps is not appropriate.
RCIC was assumed failed owing to the governor valve problem.
Short-term recovery of PCS or MFW was not considered since the MSIVs had closed.
Recovery of LER No. 387/83-051
~
~
B.58-2 RCIC was considered since the control room operator manually started RCIC immediately after the over speed trip. This action was assumed to take place in the control room with a failure probability of 0.01. Thus, the probability ofnonrecovery ofRCIC was set to 0.052 (p(nrec) = 0.01+ 0.06
- 0.7) to account for the fact that RCIC might also fail from other causes.
The nonrecovery probability for PCS was revised to 0.11'o reflect the MSIVclosure. Combining this value with the estimated long-term RHR nonrccovery probability of0.016 (see Appendix A) results in a combined nonrecovcry probability for RHR and PCS of0.0018.
B.58.5 Analysis Results The estimated conditional core damage probability for the event is 1.2 x 10'. The dominant sequence highlighted on the event tree in Figure B.58.1 (to be provided in final report) involved a transient initiator followed by successful reactor shutdown, failure ofthe power conversion system, no more than one safety relief valves failing to close, success ofthe main feedwater system and failure ofthc residual heat removal system.
LER No. 387/83-051
~
~-
TIIAMS SHUT.
DOWN PCS SAVE CLOSE FW SIIVal ADS CAD PUMPS (IIII)
2VW 8
>2~ 0040 OK OK CD OK CO OK CO OK CO OK CD OK CD OK CO CO OK CO CD OK CO OK CD OK CO OK CO CO OK CO OK CO OK CO OK CD CD CO OK CO OK CO OK CD OK CO CO ATWS 101 102 103 104 105 108 107 10&
109 110 111 112
'I13 114 115 118 117 118 11Q 120 121 122 123 124 125 128 127 128 129
'I30 131 132 133 134 135 138 137 138 139 140 141 142 143 144 145 148 142
B,58-4 CONDITIONALCORE DAMAGEPROBABILITYCALCULATIONS Event Identifier:
387/83.051 Event
Description:
March 22, 1983 Plant:
Susquehanna 1
INITIATING EVENT NON'-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS 1.0E+00 SEQUENCE COHDITIOHAL PROBABILITY SUMS End State/Initiator CD Probability TRANS Total 1.2E-OS 1.2E-05 SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER)
Sequence End State Prob N Rec**
103 trans
'105 trans 414 'rans 413 trans 412 trans 138 trans
-rx.shutdown
-rx.shutdown rx.shutdown rx.shutdown rx.shutdown
-rx.shutdown PCS srv.ftc.<2 -MFll RHR.AHD.PCS.HREC PCS srv.ftc.<2 MFlJ -hpci RHR.AND.PCS.HREC rpt
-rpt slcs
-rpt -slcs PCS ads. inhibit PCS srv.ftc.2 hpci srv.ads CD CO CD CD CD CO 6.8E-06 3.4E-06 6.7E-07 4.1E-07 3.4E-07 3.3E-07 1.2E-03 6.1E-04 1.0E-01 1.0E-01 1.0E-01 4.9E-01
"" non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)
Sequence 103 trans -rx.shutdown PCS srv.ftc.<<2
-MFW RHR.AND.PCS.HREC 105 trans -rx.shutdown PCS srv.ftc.<2 MFM -hpci RHR.AHD.PCS.HREC 138 trans -rx.shutdown PCS srv.ftc.2 hpci srv.ads 412 trans rx.shutdown -rpt -slcs PCS ads.inhibit 413 trans rx.shutdown -rpt slcs 414 trans rx.shutdown rpt
" non-recovery credit for edited case End State CD CD CD CD CD CD Prob 6.8E-06 3.4E-06 3.3E-07 3.4E-07 4 ~ 1E-07 6.7E-07 N Rec~*
1.2E-03 6.1E-04 4.9E-01 1.0E-01 1.0E-O'I 1.0E-01 SEQUENCE MODEL:
BRANCH MODEL:
PROBABILITY FILE:
d: iaspimodelsibwrc8283.cmp d: iaspimodelsisusque.82 d: iaspimode Isibwr8283. pro Ho Recovery Limit BRANCH FREQUENCIES/PROBABILITIES Branch System Hon-Recov Opr Fail LER No 387/83-051
v+
I
B.5S-5 trans loop Event Identifier: 387/83-051 1.5E-03 1.6E-05 1.BE+00 2.4E.01 loca rx.shutdown PCS Branch Model:
Train 1
Cond srv.ftc.<2 srv.ftc.2 srv.ftc.>2 MFll Branch Model:
Train 1
Cond hpci RCIC Branch Model:
Train 1
Cond srv.ads crd(inj) cond lpcs lpci rhrsw(inj) rhr RHR.AND.PCS.HREC Branch Model:
Train 1
Cond Train 2 Cond Train 3 Cond Train 4 Cond rhr/- lpci rhr/lpci rhr(spcool) rhr(spcool)/- lpci ep ep.rec rpt slcs ads.inhibit man.depress 1.0F.1 Prob:
1.0F.1 Prob:
1.0F.1 Prob:
1.0F.4+opr Prob:
Prob:
Prob:
Prob:
- 1. 7E-01 1.0E+00 1.3E-03 2.2E-04 4.6E-01 4.6E-01 2.9E-02 6.0E-02 6.0E-02 3.7E-03 1.0E-02 1.0E+00 1.7E-03 1.1E-03 2.0E-02 1.5E-04 1.5E-04 1.0E-02 1.0E-01 3.0E-01 5.0E-01 O.OE+00 1 'E+00
- 2. 1E-03 2.0E-03 1.4E-03 2.1E-01 1.9E-02 2 'E-03 O.OE+00 3.7E-03
> 1.0E+00
> 1.0E+00
> 1.0E+00
> 1.0E+00
> 1.0E+00
> 1.5E-04 3.3E-06 3.5E-04 1.7E-01
> '1.0E+00 6.7E-01 1.0E-01 1.0E+00 1.BE+00 1 'E+00 1.0E+00 3.4E-01 7.0E-01 7.0E-01
> 5.2E-02 7.0E-01 1.0E+00 3.4E-01 1.0E+00 1.0E+00 1.0E+00 1.6E-02 8.3E-03
> 1.8E-03 1.0E+00 1.0E+00 1.0E+00 1.0E+00 8.7E-01 1.0E+00 1.BE+00 1.0E+00 1.BE+00 1.0E+00 1.0E.02 1.0E-02 1.0E-03 1.0E-02 1.0E-05 1.0E-05 1.0E-05 1.0E-05 1.0E-03 1.0E-03 1.0E-02 1.0E-02 1 'E-02 branch model file
- forced Dolan 01-10-1996 16:37:48 Event Identifier: 387/83-051 LER No. 387/83-051
B.59-1 B.59 LER No. 3S7/S3-103 Event
Description:
RCIC System Unavailable Owing to Governor Valve Problem Date ofEvent:
July 7, 1983 Plant:
Susquehanna 1
B.59.1 Summary On July 7, 1983, during testing to demonstrate the operability ofthe reactor core isolation cooling (RCIC) system, the RCIC turbine tripped. RCIC had also tripped two days earlier, during response to a scram. The conditional core damage probability estimated for the event is 1.4 x 10'.
B.59.2 Event Description On July 7, 1983, during testing to denionstrate the operability ofthe reactor core isolation cooling (RCIC) system, the RCIC turbine tripped.
Prior to the test, on July 5, a plant trip had occurred, RCIC was demanded.
and subsequently tripped.
Based on vendor recommendations, clearanccs between the governor valve and bonnet guide sleeve were measured and found restrictive.
The governor valve was reworked to updated vendor specifications and the system successfully retestcd.
The scram on July 5, 1983, was caused by main steam line radiation spikes associated with placing condensate demineralizers in service.
B.59.3 Additional Event-Related Information The RCIC system consists of a single turbine-driven pump that can provide primary co~;!ant niakeup at a ma~urn rate of600 gpm. The RCIC pump is provided with two suction sources.
Thc primary source is the condensate storage tank (CST), with the suppression pool providing the secondary source.
The system is designed to swap from the CST to the suppression pool on low CST level.
B.59.4 Modeling Assumptions Given that a plant trip had occurred on July 5 with a demand for RCIC, this event was modeled as a transient initiator. The main steam isolation valves (MSIVs) are assumed to have closed as a result ofthe radiation spikes.
This willresult in unavailability ofthe power conversion system (PCS) and the main feedwater (MFW) system since Susquehanna uses turbineMven MFW pumps. In addition, Susquehanna's IPE submittal states that flow through the MSIVs is needed for the turbine-driven MFW pumps; thus, it is assumed that the use ofthe MSIV bypass valves to supply steam for the MFW.pumps is not appropriate.
RCIC was assumed failed owing to the governor valve problem. Short-term recovery ofPCS or MFWwas not considered since the MSIVs had closed.
Recovery ofRCIC was not considered since RCIC had tripped twice in two days. The nonrecovery probability I ER No. 3S7/S3-103
B.59-2 for PCS was revised to 0.11 to reflect the MSIVclosure.
Combining this value with the estimated long-term RHR nonrecovery probability for RHR and PCS of.0018.
B.59.5 Analysis Results r
The estimated conditional core damage probability for the event is 1.4 x 10'. The dominant sequence highlighted on the event tree in Figure B.59.1 (to be provided in final rcport) involves a transient initiator followed by successful reactor shutdown, failure ofthe power conversion system, no more than one safety reliefvalves failing to close, success ofthe main feedwater system, and failure ofthe residual heat removal system.
LER No. 387/83-103
TRANS Aa SHUT-DOWN SAVa CLOSE FW HPCI HPCS SAVal ADS CAD PUMPS (IILI)
LPCI AHASW (IN))
END STATE.
SEQ.
NO.
2vtva n
>2 viva open OK CD OK CD OK CD OK CD OK CD OK CD OK CD OK CD CD OK CD OK CD OK CD OK CD CD OK CD OK CD OK CD OK CD CD CD OK CD OK CD OK CD OK CD CD ATWS 101 102 103 104 105 108 107 108
$ 09 110 1$ 1 112 113 114 115 118 117 118 110 120
$2$
122
$ 23 124 125 128 127 128 120 130 131 132 133 134 135
$ 38 137 138 130
$40 141
$ 42 143
$44 145
$48 147.
B.59-4 CONDITIONALCORE DAMAGEPROBABILITYCALCULATIONS Event Identifier:
387/83-103 Event
Description:
Susquehanna 1
INITIATINGEVENT HON-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS 1.DE+00 SEQUENCE CONDITIONAL PROBABILITY SUMS End State/Initiator CD TRANS Total Probability 1.4E-05 1 ~ 4E-05 SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER)
Sequence End State Prob N Rec**
103 trans -rx.shutdown 105 trans -rx.shutdown 119 trans -rx.shutdown rd(inj) 414 trans rx.shutdown 413 trans rx.shutdown 412 trans rx.shutdown
'138 trans -rx.shutdown rpt
-rpt slcs
-rpt -slcs PCS PCS srv.ftc.2 ads. inhibit hpci srv.ads PCS srv.ftc.<2
-MFH RHR.AND ~ PCS.NREC PCS srv.ftc.<<2 MFII -hpci RHR.AND.PCS.HREC PCS srv.ftc.<2 MFM hpci RCIC srv.ads c
CD CD CD CD CO CD CD 6.8E-06 3.4E-06 1.7E-06 6.7E-07 4.1E-07 3.4E-07 3.3E-07 1.2E-03 6.1E-04 1 'E-01 1.0E-01 1.0E-01 1.0E-01 4.9E-01
- 'non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)
Sequence'nd State Prob N Rec""
103 105 119 138 412 413 414 trans -rx.shutdown trans -rx.shutdown trans -rx.shutdown rd(inj) trans -rx.shutdown trans rx.shutdown trans rx.shutdown trans rx.shutdown PCS srv.ftc.2
-rpt -slcs PCS
-rpt slcs rpt hpci srv.ads ads.inhibit PCS srv.ftc.<2
.MFM RHR.AND.PCS.HREC PCS srv.ftc.<<2 MFM -hpci RHR.AND.PCS.HREC PCS srv.ftc.<2, MFli hpci RCIC srv.ads c
CD CD CD CO CD CD CD 6.8E-06 3.4E-06 1.7E-06 3.3E-07 3.4E-07 4.1E-07 6.7E-07 1 'E-03 6.1E-04 1.7E-01 4.9E-01 1.0E-01 1.0E-01 1.0E-01
- non-recovery credit for edited case SEQUENCE MODEL:
BRANCH MODEL:
PROBABILITY FILE:
No Recovery Limit d: Rasp lmode lsibwrc8283. cap d: iasphmodelsisusque.82 d:
clasp lmodel sibwr8283. pro LER No. 387/83-103
B.59-5 BRANCH FREQUENCIES/PROBABILITIES Event Identifier: 387/83-103 Branch System Non-Recov Opr Fail trans loop loca rx.shutdown PCS Branch Model:
Train 1
Cond srv.ftc.<2 srv.ftc.2 srv.ftc.>2 MFW Branch Model:
Train 1
Cond hpci RCIC Branch Model:
Train 1
Cond srv.ads crd(inj) cond lpcs lpci rhrsw(inj) rhr RHR.AND.PCS.NREC Branch Model:
Train 1
Cond Train 2 Cond Train 3 Cond Train 4 Cond rhr/-lpci rhr/lpci rhr(spcool
)
rhr(spcool)/- lpci ep ep.rec rpt slcs ads.inhibit man.depress 1.0F.1 Prob:
1.0F.1 Prob:
1.0F.1 Prob:
1.0F.4+opr Prob:
Prob:
Prob:
Prob:
1.5E-03 1.6E-05 3.3E-06 3.5E-04 1.7E-01 1.7E-01 1.DE+00 1.3E-03 2.2E-04 4.6E-01 4.6E-01 2.9E-02 6.0E-02 6.0E-02 3.7E-03 1.0E-02 1.DE+00 1.7E-03 1.1E ~ 03 2.0E-02 1.5E-04 1.5E 04 1.0E-02 1.0E-01 3.0E-01 5.0E-01 O.DE+00 1.0E+00 2.1E-03 2.0E-03 1.4E-03 2.1E-01 1.9E-02 2.0E-03 O.DE+00 3.7E-03
> 1.DE+00
> 1.DE+00
> 1.DE+00
> 1.DE+00
> 1.DE+00
> 1.DE+00
> 1.5E-04 1.DE+00 2.4E-01 6.7E-01 1.0E-01 1.DE+00 1.DE+00 1.DE+00 1.CE>00 3.4E-01 7.0E-01 7.0E-O1
> 1.DE+00 7.0E-01 1.DE+00 3.4E-01 1.DE+00 1.DE+00 1.DE+00 1.6E-02 8.3E-03
> 1.8E-03 1.DE+00 1.DE+00
'.DE+00 1.DE+00 8.7E.01 1.DE+00 1 'E+00 1.DE+00 1.DE+00 1.DE+00 1.0E-02 1.0E-02 1.0E-03 1.0E-02 1.0E-05 1.0E-05 1 ~ OE-05 1.0E-05 1.0E.03 1.0E-03 1.0E-02 1.0E-02 1.0E-02 branch model file
- forced Dolan 01-10-1996 11:21:32 Event Identifier: 387/83-103 LER No. 387/83-103
B.60-1 B.60 I.ER No. 387/83-120 Event
Description:
RCIC System Unavailable Owing to Governor Valve Problem Date of Event:
Plant:
August 28, 1983 Susquehanna 1
B.60.1 Summary During a post-scram vessel level fluctuation on August 28, 1983, the reactor core isolation cooling (RCIC) system initiated and then tripped on turbine overspecd 3 seconds later. The conditional core damage probability estimated for thc event is 1.2 x 10'.
B.60.2 Event Description During a post-scram vessel level fluctuation on August 28, 1983, the RCIC system initiated and then tripped on turbine overspeed 3 seconds later. Operations personnel established manual control ofRCIC and adjusted turbine speed to maintain proper vessel level. Investigations revealed the overspeed trip was caused by slow response of the governor valve during system start. The governor valve linkage travel was reduced by one-quarter inch'nd the system successfully retested.
The scram occurred when a main turbine stop valve opened causing an MSIV isolation to occur. A scram followed owing to the MSIVs being less than 94% open. Spurious actuation ofmain steam line pressure switches is considered to be the cause ofthe scram.
B.60.3 Additional Event-Related Information The RCIC system consists of a single turbine-driven pump that can provide primary coolant makeup at a ma~urn rate of600 gpm. The RCIC pump is provided with two suction sources.
The primary source is the condensate storage tank (CST), with the suppression pool providing the secondary source.
The system is designed to swap &om the CST to the suppression pool on low CST level.
B.60.4 Modeling Assumptions Given that a plant trip occurred, this event was modeled as a transient initiator. The main stcam isolation valves (MSIVs) were closed as a result ofthe MSIVisolation. This willresult in unavailability of the power conversion system (PCS) and the main feedwater (MFW) system since Susquehanna uses turbine-driven MFW pumps.
In addition, Susquehanna's IPE submittal states that flowthrough the MSIVs is nccdcd for the turbine-driven MFW pumps; thus, it is assumed that the use ofthe MSIVbypass valves to supply steam for the MFW pumps is not appropriate.
RCIC was assumed failed owing to the governor valve problem. Short-term recovery ofPCS or MFWwas not considered since the MSIVs had closed.
Recovery ofRCIC was considered since manual control LKRNo. 387/83-120
B.60-2 of RCIC was established after the over speed trip. This action was assumed to take place in the control room with a failure probability of0.01. Thus, the probability ofnonrccovery ofRCIC was sct to 0.052 (p(nrec) = 0.01
+ 0.06
- 0.7) to account for the fact that RCIC might also fail from other causes.
The nonrecovery probability for PCS was revised to 0.11 to reflect thc MSIVclosure.
Combining this value with thc estimated long-term RHR nonrecoveiy probability of0.016 (sec Appendix A)results in a combined nonrecovery probability for RHR and PCS of.0018.
B.60.5 Analysis Results The estimated conditional core damage probability for the event is 1.2 x 10'. The dominant sequence highlighted on the event tree in Figure B.60.1 (to be provided in final report) involved a transient initiator followed by successful reactor shutdown, failure ofthe power conversion system, no morc than one safety reliefvalves failing to close, success ofthe main feedwatcr system, and failure ofthe residual heat removal system.
LER No. 387/83-120
TRANS Rx SHUT-DOWN SAVs CLOSE HPCI HPCS SAVal ADS CAD PUMPS (INJ)
LPCI RHASW (IN3)
END STATE 8EO.
NO.
<2 vive open 2 elva n
>2 vtva open OK QK CO OK CD OK CD OK CO OK CD OK CD OK CD CD OK CD CD OK CD OK CO OK CO OK CD CD OK CD OK CO OK CD OK CD CD CD OK CD OK CD OK
, CD QK CD CD ATWS 101 102 103 104 105 108 107 108 109
$ 10
$ 11 112 113 114 115 118 1$ 7
$ 18 119 120 121 122
$23 124 125 128 127 128 129 130 131 132 133
$ 34 135 138 137 138 139 140 141 142 143 144 145 148 147
B.60-4 CONDITIONALCORE DAMAGEPROBABILITYCALCULATIONS Event Identifier:
387/83-120 Event
Description:
August 28, 1983 Plant:
Susquehanna 1
IHITIATIHG EVENT NON-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS 1.0E+00 SEQUENCE CONDITIONAL PROBABILITY SUMS End State/Initiator CD TRANS Total Probability 1.2E-05 1.2E-05 SEQUEHCE COHDITIOHAL PROBABILITIES (PROBABILITY ORDER)
Sequence End State Prob H Roc**
103 trans -rx.shutdown 105 trans -rx.shutdown 414 trans rx.shutdown 413 trans rx.shutdown 412 trans rx.shutdown 138 trans -rx.shutdown PCS srv.ftc.<2
-MFW RHR.AHD.PCS.NREC PCS srv.ftc.<2 MFW -hpci RHR.AND.PCS.HREC IPt
-rpt slcs
-rpt -slcs PCS ads.inhibit PCS srv.ftc.2 hpci srv.ads CD CD CD CO CO CD 6.8E-06 3.4E-06 6.7E-07 4.1E-07 3'E-07 3.3E-07 1.2E-03 6.1E-04 1.0E-01 1.0E-01 1.0E-01 4.9E-01
- non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUEHCE ORDER)
Sequence 103 trans -rx.shutdown PCS srv.ftc.<2
-MFW RHR.AHD.PCS.NREC 105 trans -rx.shutdown PCS srv.ftc.<2 MFW -hpci RHR.AHD.PCS.HREC 138 trans -rx.shutdown PCS srv.ftc.2 hpci srv.ads 412 trans rx.shutdown -rpt -slcs PCS ads.inhibit 413 trans rx.shutdown -rpt slcs 414 trans rx.shutdown rpt
- non-recovery credit for edited case End State CO CD CD CD CO CD Prob 6.8E-06 3.4E-06 3.3E-07 3.4E-07 4.1E-07 6.7E-07 N Rec**
1.2E-03 6.1E-04 4.9E-01 1.0E.01 1.0E-01 1.0E-01 SEQUENCE MODEL:
BRANCH MODEL:
PROBABILITY FILE:
d: iasphmodelsibwrc8283.cmp d: iaspimodeisisusque.82 d: laspimodei slbwr8283.pro No Recovery Limit BRANCH FREQUENCIES/PROBABILITIES LER No. 387/83-120
B.60-5 Branch trans loop System 1.5E.03 1.6E-05 Hon-Recov 1.DE+00 2.4E-01 Dpr Fail loca rx.shutdown PCS Branch Model:
Train 1
Cond srv.ftc.<2 srv.ftc.2 srv.ftc.>2 MFW Branch Model:
Train 1
Cond hpci RCIC Branch Model:
Train 1
Cond srv.ads crd(inj) cond lpcs lpci rhrsw(inj) rhr RHR.AHD ~ PCS.HREC Branch Model:
Train 1
Cond Train 2 Cond Train 3 Cond Train 4 Cond rhr/-lpci rhr/lpci rhr(spcool) rhr(spcool)/-lpci ep ep.rec rpt slcs ads.inhibit man.depress 1.0F.1 Prob:
1.0F.1 Prob:
1.0F. 1 Prob:
1.0F.4+opr Prob:
Prob:
Prob:
Prob:
branch model file
- forced Event Identifier: 387/83-120 3.3E-06 3.5E-04 1 'E-01
> 1.0E+00 1.7E-01
> 1.0E+00 1.DE+00 1.3E-03 2.2E-04 4 'E-01
> 1.DE+00 4.6E-01
> 1.DE+00 2.9E-02 6.0E-02
> 1.DE+00 6.0E-02
> 1.DE+00 3.7E-03 1.0E-02 1.DE+00 1.7E-03 1 ~ 1E 03 2.0E-02 1.5E-04 1.5E-04
> 1.5E-04 1.0E-02 1.0E-01 3.0E-01 5.0E-01 O.DE+00 1.DE+00 2.1E-03 2.0E-03 1.4E-03 2.1E-01 1.9E-02 2.0E-03 O.DE+00 3.7E-03
- 6. 7E-01 1.0E-01 1.DE+00 1.DE+00 1.DE+00 1.DE+00 3.4E.01 7.0E-01 7.0E-01
> 5.2E.02 7.0E-01 1.0Ei00 3.4E-01 1.DE+00 1.DE+00 1.DE+00 1.6E-02 8.3E-03
> 1.8E-03 1.DE+00 1.DE+00 1.DE+00 1.DE+00 8.7E-01 1.0E+00 1.DE+00 1.DE+00 1.DE+00 1.DE+00 1.0E-02 1.0E-02 1.0E-03 1.0E-02 1.0E-05 1 'E-05 1.0E-05 1.0E-05 1.0E-03 1.0E-03 1.0E-02 1.0E.02 1.0E-02 Dolan 01-10-1996 17:10:06 Event Identifier: 387/83-120 LER N0..387/83-120
C.51 LER No. 387/83-106 Event
Description:
Date ofEvent:
Plant:
HPCI Pump Fails to Deliver Required Flow August 2, 1983 Susquehanna 1
Summary On August 2, 1983, during the quarterly surveillance for high pressure coolant injection (HPCI) verification, the HPCI pump failed to reach required speed and discharge pressure for 5000 gpm flow. A scram occurred during July, within one half of the apparently quarterly surveillance intervals.
This event was analyzed as a scram with HPCI assumed unavailable. The conditional core damage probability estimated for this event is 6.2 x 10 The dominant sequence involves a the transient initiator followed by successful reactor shutdown, failure of thc power conversion system, no more than one safety relief valve failing to close, success ofthe main fecdwater system, and failure ofthe residual heat removal system.
Summarized Precursors
2-1 2.0 Selection Criteria and Quantification 2.1 Accident Sequence Precursor Selection Criteria The Accident Sequence Precursor (ASP) Program identifies,and documents potentially important operational events that have involved portions of core damage sequences and quantifies the core damage probability associated with those sequences.
Identification ofprecursors requires the review ofoperational events forinstances in which plant functions that provide protection against core damage have been challenged or compromised. Based on previous experience with reactor plant operational events, it is known that most operational events can be directly or indirectly associated with four initiators: trip I'which includes loss of main feedwater (LOFW) within its sequences],
loss-of-offsite power (LOOP), small-break loss-of-coolant accident (LOCA),and steam generator tube ruptures (SGTR) (PWRs only). These four initiators are primarily associated with loss ofcore cooling. ASP Program staff members examine licensee event reports (LERs) and other event documentation to determine the impact that operational events have on potential core damage sequences.
2.1.1 Precursors This section describes the steps used to identify events for quantification. Figure 2.1 illustrates this process.
Acomputerized search of the SCSS data base at the Nuclear Operations Analysis Center (NOAC) of the Oak Ridge National Laboratory was conducted to identifyLERs that met minimum selection criteria for precursors.
This computerized search identified LERs potentially involving failures in plant systems that provide protective functions for the plant and those potentially involving core damage-related initiating events. Based on a review ofthe 1984-1987 precursor evaluations and all 1990 LERs, this computerized semch successfully identifies almost all precursors and the resulting subset is approximately one-third to one-half of the total LERs. It should be noted, however, that the computerized search scheme has not been tested on the LER database for the years prior to 1984. Since the LER reporting requirements for 1982-83 were different than for 1984 and later, the possibility exists that some 1982-83 precursor events were not included in the selected subset. Events described in NUREG -0900~ and in issues ofNuclear Safety that potentially impacted core damage sequences were also selected for review.
Those events selected for review by the computerized search ofthe SCSS data base underwent at least two independent reviews by different staff members. The independent reviews of each LER were performed to determine ifthe reported event should be examined in greater detail. This initial review was a bounding review, meant to capture events that in any way appeared to deserve detailed review and to eliminate events that were clearly unimportant. This process involved eliminating events that satisfied predefined criteria for rejection and accepting all others as either potentially significant and requiring analysis, or potentially significant but impractical to analyze. Allevents identified as impractical to analyze at any point in the study are documented in Appendix E. Events were also eliminated from further review ifthey had littleimpact on core damage sequences or provided littlenew information on the risk impacts ofplant operationforexample, short-term single failures in redundant systems, uncomplicated reactor trips, and LOFW events.
Selection Criteria and Quantification Enclosure 2
2-2 LERs requiring review Does thc event only involve:
~ component failure (no loss of redundancy)
~ loss of redundancy (single system)
~ seismic qualiflication/design error
. environmental qualiflcation/design error
~ prc-critical cvcnt
~ structural degradatlon
~ design error discovered by re-analysis
~ bounded by trip or LOFW
~ no appreciable safety system impact
~ shutdown. related event
~ post-core damage impacts only Ycs Reject an event be reasonably analyzed by PRA.based modelss No Identify as potenually significant but impractical to analyze Perform detailed review, analysis, and quantification Define impact ofcvcnt in terms of initiator obscrvcd and trains of systems unavailable.
Modifybranch probabilities to reflect event.
ASP models tant drawings.
system descriptions, FSARs, etc.
Calculate condidonal probabillry associated with event using modilied cvcnt trccs.
Does operational event involve:
~ a core damage in!fetor
~ a total loss of a system
~ a loss of redundancy in two or morc systems
~ a reactor trip with a degraded midgating system No Reject Is conditional probability 2 104 No Reject based on low probability Yes Document as a precursor Figure 2.1 ASP Analysis Process Selection Criteria and Quantification
2-3 LERs were eliminated from further consideration as precursors ifthey involved, at most, only one of the following:
a component failure with no loss of redundancy, a short-term loss of redundancy in only one system, a seismic design or qualification error, an environmental design or qualification error, a structural degradation, an event that occurred prior to initialcriticality, a design error discovered by reanalysis, an event bounded by a reactor trip or LOFW, an event with no appreciable impact on safety systems, or an event involving only post core-damage impacts.
Events identified for further consideration typically included the following:
~
unexpected core damage initiators, (LOOP, SGTR, and small-break LOCA);
all events in which a reactor trip was demanded and a safety-related component failed; all support system failures, including failures in cooling water systems, instrument air, instrumentation and control, and electric power systems;
~
any event in which two or more failures occurred; any event or operating condition that was not predicted or that proceeded differently from the plant design basis; and any event that, based on the reviewers'xperience, could have resulted in or significantly affected a chain ofevents leading to potential severe core damage.
Events determined to be potentially significant as a result of this initial review were then subjected to a thorough, detailed analysis. This extensive analysis was intended to identify those events considered to be precursors to potential severe core damage accidents, either because of an initiating event, or because of failures that could have affected the course ofpostulated off-normal events or accidents. These detailed reviews were not limited to the LERs; they also used final safety analysis reports (FSARs) and their amendments, individual plant examinations (IPEs), and other information related to the event of interest.
The detailed review of each event considered the immediate impact of an initiating event or the potential impact of the equipment failures or operator errors on readiness of systems in the plant for mitigation of off-normal and accident conditions. In the review of each selected event, three general scenarios (involving both the actual event and postulated additional failures) were considered.
Ifthe event or failure was immediately detectable and occurred while the plant was at power, then the event was evaluated according to the likelihood that it and the ensuing plant response could lead to severe core damage.
Ifthe event or failure had no immediate effect on plant operation (i.e.', ifno initiating event occurred), then the review considered whether the plant would require the failed items for mitigation of potential severe core damage sequences should a postulated initiating event occur during the failure period.
Selection Criteria and Quantification
~
~
2-4 Ifthe event or failure occurred while the plant was not at power, then the event was first assessed to determine whether it impacted at-power or.hot shutdown operation. Ifthe event could only occur at cold shutdown or refueling shutdown, or the conditions clearly did not impact at-power operation, then its impact on continued decay heat removal during shutdown was assessed; otherwise it was analyzed as ifthe plant were at power. (Although no cold shutdown events were analyzed in the present study, some potentially significant shutdown-related events are described in Appendix D).
For each actual occurrence or postulated initiating event associated with an operational event reported in an LER or multiple LERs, the sequence of operation of various mitigating systems required to prevent core damage was considered. Events were selected and documented as piecursors to potential severe core damage accidents (accident sequence piecursors) ifthe conditional probability ofsubsequent core damage was at least 1.0 X 10~ (see section 2.2). Events of low significance are thus excluded, allowing attention to be focused on the more important events.
This approach is consistent with the approach used to define 1988-1993 precursors, but differs from that of earlier ASP reports, which addressed all events meeting the precursor selection criteria regardless ofconditional core damage probability.
As noted above, 115 operational events with conditional probabilities of subsequent severe core damage a
1.0 X 10'~ were identified as accident sequence precursors.
'I 2.1.2 Potentially Significant Shutdown-Related Events No cold shutdown events were analyzed in this study because the lack of information concerning plant status at the time of the event (e.g., systems unavailable, decay heat loads, RCS heat-up rates, etc.) prevented development of models for such events. However, cold shutdown events such as a prolonged loss of RHR cooling during conditions ofhigh decay heat can be risk significant. Sixteen shutdown-related events which may have potential risk significance are described in Appendix D.
2.1.3 Potentially SigniTicant Events Considered Impractical to Analyze In some cases, events are impractical to analyze due to lack of information or inability to reasonably model within a probabilistic risk assessment (PRA) framework, considering the level ofdetail typically available in PRA models and the resources available to the ASP Program.
Forty-three events (some involving more than a single LER) identified as potentially significant were considered impractical to analyze. It is thought that such events are capable of impacting core damage sequences.
However, the events usually involve component degradations in which the extent ofthe degradation could not be determined or the impact of the degradation on plant response could not be ascertained.
For many events classified as impractical to analyze, an assumption that the affected component or function was unavailable over a 1-year period (as would be done using a bounding analysis) would result in the conclusion that a very significant condition existed. This conclusion would not be supported by the specifics ofthe event as reported in the LER(s) or by the limited engineering evaluation performed in the ASP Program.
Descriptions ofevents considered impractical to analyze are provided in Appendix E.
Selection Criteria and QuantHication
2-5 2.1.4 Containment-Related Events In addition to accident sequence precursors, events involving loss of containment functions, such as containment cooling, containment spray, containment isolation (direct paths to the environment only), or hydrogen control, identified in the reviews of 1982-83 LERs are documented in Appendix F. It should be noted that the SCSS search algorithm does not specifically seaich forcontainment related events. These events, ifidentified for other reasons during the search, are then examined and documented.
2.1.5 "Interesting" Events Other events that provided insight into unusual failure modes with the potential to compromise continued core cooling but that were determined not to be precursors were also identified. These are documented as "interesting" events in Appendix G.
2.2 Precursor Quantification Quantification of accident sequence precursor significance involves determination ofa conditional probability ofsubsequent severe core damage, given the failures observed during an operational event. This is estimated by mapping failures observed during the event onto the ASP models, which depict potential paths to severe core damage, and calculating a conditional probability of core damage through the use of event trees and system models modified to refiect the event. The effect of a precursor on event tree branches is assessed by reviewing the operational event specifics against system design information. Quantification results in a revised probability ofcore damage failure, given the operational event. The conditional probability estimated for each precursor is useful in ranking because itprovides an estimate ofthe measure'of protection against core damage that remains once the observed failuies have occuned. Details ofthe event modeling process and calculational results can be found in Appendix A ofthis report.
The frequencies and failure probabilities used in the calculations are derived in part from data obtained across the light-water reactor (LWR) population for the 1982-86 time period, even though they are applied to sequences that ate plant-specific in nature.
Because ofthis, the conditional probabilities determined for each precursor cannot be rigorously associated with the probability ofsevere core damage resulting from the actual event at the specific reactor plant at which it occuned.
Appendix Adocuments the accident sequence models used in the 1982-83 precursor analyses, and provides examples of the probability values used in the calculations.
The evaluation of precursors in this report considered equipment and recovery procedures believed to have been available at the various plants in the 1982-83 time frame. This includes features addressed in the current (1994) ASP models that were not considered in the analysis of 1984-91 events, and only partially in the analysis of 1992-93 events.
These features include the potential use of the residual heat removal system for long-term decay heat removal following a small-break LOCA in PWRs, the potential use of the reactor core isolation cooling system to supply makeup following a small-break LOCA in BWRs, and core damage sequences associated with failure to trip the reactor (this condition was previously designated "ATWS,"and not developed).
In addition, the potential long-term recovery ofthe power conversion system forBWR decay heat removal has been addressed in the models.
Selection Criteria and Quantification
2-6 Because'f these differences in the models, and the need to assume in the analysis of 1982-83 events that equipment reported as failed near the time of a reactor trip could have impacted post-trip response (equipment response following a reactor trip was required to be reported beginning in 1984), the evaluations for these years may not be directly comparable to the results for other years.
~ Another difference between earlier and the most recent (1994) precursor analyses involves the documentation ofthe significance of precursors involving unavailable equipment without initiating events. These events are termed unavailabilities in this report, but are also referred to as condition assessments.
The 1994 analyses distinguish a precursor conditional core damage probability (CCDP), which addresses the risk impact of the failed equipment as well as all other nominally functioning equipment during the unavailability period, and an importance measure defined as the difference between the CCDP and the nominal core damage probability (CDP) over the same time period. This importance measure, which estimates the increase in core damage probability because of the failures, was referred to as the CCDP in pre-1994 reports, and was used to rank unavailabilities.
For most unavailabilities that meet the ASP selection criteria, observed failures significantly impact the core damage model. In these cases, there is littledifference between the CCDP and the importance measure.
For some events, however, nominal plant response dominates the risk.
In these cases, the CCDP can be considerably higher than the importance measure.
For 1994 unavailabilities, the CCDP, CDP, and importance are all provided to better characterize the significance of an event.
This is facilitated by the computer code used to evaluate 1994 events (the GEM module in SAPHIRE), which reports these three values.
The analyses of 1982-83 events, however, were performed using the event evaluation code (EVENTEVL) used in the assessment of 1984-93 precursors.
Because this code only reports the importance measure for unavailabilities, that value was used as a measure ofevent significance in this report. In the documentation ofeach unavailability, the importance measure value is referred to as the increase in core damage probability over the period of the unavailability, which is what it represents.
An example of the difference between a conditional probability calculation and an importance calculation is provided in Appendix A.
2.3 Review ofPrecursor Documentation With completion of the initial analyses of the precursors and reviews by team members, this draft report containing the analyses is being transmitted to an NRC contractor, Oak Ridge National Laboratories (ORNL),
for an independent review. The review's intended to (1) provide an independent quality check ofthe analyses, (2) ensure consistency with the ASP analysis guidelines and with other ASP analyses for the same event type, and (3) verify the adequacy of the modeling approach and appropriateness of the assumptions used in the analyses. In addition, the draft report is being sent to the pertinent nuclear plant licensees for review and to the NRC staff for review. Comments received from the licensees within 30 days will be considered during resolution ofcomments received from ORNL and NRC staff.
'I 2.4 Precursor Documentation Format The 1982-83 precursors are documented in Appendices B and C. The at-power events with conditional core damage probabilities (CCDPs) >1.0 x 10're contained in Appendix B and those with CCDPs between 1.0 x 10'and 1.0 x 10~ are summarized in Appendix C. For the events in Appendix B, a description of the event Selection Criteria and Quantification
2-7 is provided with additional information relevant to the assessment of the event, the ASP modeling assumptions and approach used in the analysis, and analysis results. The conditional core damage probability calculations are documented and the documentation includes probability summaries for end states, the conditional probabilities for the more important sequences and the branch probabilities used.
A figure indicating the dominant core damage sequence postulated for each event willbe included in the final report. Copies of the
~ LERs are not provided with this draft report.
,2.5 Potential Sources ofError As with any analytic procedure, the availability ofinformation and modeling assumptions can bias results. In this section, several of these potential sources oferror are addressed.
Evaluation ofonly a subset of1982-83 LERs. For 1969-1981 and 1984-1987, all LERs reported during the year were evaluated for precursors. For 1988-1994 and for the present ASP study of 1982-83 events, only a subset of the LERs were evaluated after a computerized search ofthe SCSS data base. While this subset is thought to include most serious operational events, it. is possible that some events that would normally be selected as precursors were missed because they were not included in the subset that resulted from the screening process.
Reports to Congress on Abnormal Occurrences'NUREG-0900 series) and operating experience articles in Nuclear Safety were also reviewed for events that may have been missed by the SCSS computerized screening.
2.
Inherent biases in the selection process.
Although the criteria for identification of an operational event as a precursor are fairly well-defined, the selection of an LER for initial review can be somewhat judgmental. Events selected in the study were more serious than most, so the majority of the LERs selected for detailed review would probably have been selected by other reviewers with experience in LWR systems and their operation. However, some differences would be expected to exist; thus, the selected set ofprecursors should not be considered unique.
3.
Lack ofappropriate event information. The accuracy and completeness of the.LERs and other event-related documentation in refiecting pertinent operational information for the 1982-83 events are questionable in some cases. Requirements associated with LER reporting at the time, plus the approach to event reporting practiced at particular plants, could have resulted in variation in the extent of events reported and report details among plants. In addition, only details of the sequence (or partial sequences for failures discovered during testing) that actually occuned are usually provided; details concerning potential alternate sequences ofinterest in this study must often be inferred. Finally, the lack of a requirement at the time to linkplant trip information to reportable events required that certain assumptions be made in the analysis ofcertain kinds of 1982-83 events. Specifically, through use of the "Grey Books" (Licensed Operating Reactors Status Report, NUREG-0200)'~ it was possible to determine that system unavailabilities reported in LERs could have overlapped with plant trips if it was assumed that the component could have been out-of-service for Vi the test/surveillance period associated with that component. However, with the linkbetween trips and events not being described in the LERs, it was often impossible to determine whether or not the component was actually unavailable during the trip or whether it was demanded Selection Criteria and Quantification
~
J
r
~
~
2-8 during the trip. Nevertheless, in order to avoid missing any important precursors for the time period, any reported component unavailability which overlapped a plant trip within i/z of the component's test/surveillance period, and which was believed not to have been demanded during the trip, was assumed to be unavailable concurrent with the trip. (Ifthe component had been demanded and failed, the failure would have been reported; ifit had been demanded and worked successfully, then the failure would have occurred after the trip). Since such assumptions may be, conservative, these events are distinguished from the other precursors listed in Tables 3.1 - 3.6. As noted above, these events are termed "windowed" events to indicate that they were analyzed because the potential time window for their unavailability was assumed to have overlapped a plant trip.
Accuracy ofthe ASP models and probability data.
The event trees used in the analysis are plant-class specific and reflect differences between plants in the eight plant classes that have been defined. The system models are structured to reflect the plant-specific systems, at least to the train level. While major differences between plants are represented in this way, the plant models utilized in the analysis may not adequately reflect all important differences.
Modeling improvements that address these problems are being pursued in the ASP Program.
Because of the sparseness ofsystem failure events, data from many plants must be combined to estimate the failure probability of a multitrain system or the frequency of low-and moderate-frequency events (such as LOOPs and small-break LOCAs). Because of this, the modeled response for each event willtend toward an average response for the plant class. If systems at the plant at which the event occurred are better or worse than average (diffiicultto ascertain without extensive operating experience), the actual conditional probability for an event could be higher or lower than that calculated in the analysis.
Known plant-specific equipment and procedures that can provide additional protection against core damage beyond the plant-class features included in the ASP event tree models were addressed in th'e 1982-83 precursor analysis for some plants. This information was not uniformly available; much ofit was based on FSAR and IPE documentation available at the time this report was prepared. As a result, consideration of additional features may not be consistent in precursor analyses ofevents at different plants. However, analyses ofmultiple events that occurred at an individual plant or at similar units at the same site have been consistently analyzed.
Difficultyiti determining the potential for recovery offailed equipment.
Assignment of recovery credit for an event can have a significant impact on the assessment ofthe event. The approach used to assign recovery credit is described in detail in Appendix A. The actual likelihood offailing to recover from an event at a particular plant during 1982-83 is difficult to assess and may vary substantially from the values currently used in the ASP analyses. This difficultyis demonstrated in the genuine differences in opinion among analysts, operations and maintenance personnel, and others, concerning the likelihood of recovering from specific failures (typically observed during testing) within a time period that would prevent core damage followingan actual initiating event.
I Assumption ofa 1-month test interval. The core damage probability for piecursors involving Selection Criteria and Quantification
J lg
~
2-9 unavailabilities is calculated on the basis ofthe exposure time associated with the event. For failures discovered during testing, the time period is related to the test interval. A test interval of 1 month was assumed unless another interval was specified in the LER. See reference 1
for a more comprehensive discussion of test interval assumptions.
Selection Criteria and Quantification
Appendix A:
ASP MODELS ASP MODELS Enclosure 3
t~
l
~
A-2 A.O ASP Models This appendix describes the methods and models used to estimate the significance of 1982-83 precursors.
The modeling approach is similar to that used to evaluate 1984-91 operational events.
Simplified train-based models are used, in conjunction with a simplified recovery model, to estimate system failure probabilities specific to an operational event.
These probabilities are then used in event tree models that describe core damage sequences relevant to thc event.
The event trees have been expanded beyond those used in the analysis of 1984-91 events to address features ofthe ASP models used to assess 1994 operational events (Ref. I) known to have existed in the 1982-83 time period.
A.l Precursor Significance Estimation TheASP program performs retrospective analyses ofoperating experience.
These analyses require that certain methodological assumptions be made in order to estimate the risk significance of an event. Ifone assumes, following an operational event in which core cooling was successful, that components observed failed were "failed"with probability 1.0, and components that functioned successfully were "successful" with probability 1.0, then one can conclude that the risk ofcore damage was zero, and that the only potential sequence was the combination ofevents that occurred. In order to avoid such trivial results, the status ofcertain components must be considered latent.
In the ASP program, this latency is associated with components that operated successfully these components are considered to have been capable offailingduring the operational event.
Quantification ofprecursor significance involves the determination ofa conditional probability ofsubsequent core damage given the failures and other undesirable conditions (such as an initiating event or an uncxIicctcd reliefvalve challenge) observed during an operational event.
The effect ofa precursor on systems addressed in thc core damage models is assessed by reviewing the operational event spccifics against plant design and oiicnitinginfamation, and translating thc results ofthc review into a revised model for the plant that reficcts the observed failures. The precursors's significance is cstimatcd by calculating a conditional pmbability ofcore damage given the observed failures.
The conditional probability calculated in this way is useful in ranking because itprovides an cstiimitc ofthe measure ofprotection against core dmnage remaining once the,observed failures have occurred.
A.1.1 Types ofEvents Analyzed Two differen types ofevents me akiicssed inpecursor quantitative analysis. In the first, an initiatmg event such as a loss ofoffsitc power (LOOP) or small-break loss of coolant accident (LOCA) occurs as a pmt ofthe precursor.
The pmbability of core damage for this type ofevent is calculated based on the required plant rcslxxi.e to the particular initiatiiigevent and other failures that may have occurzed at the smne time. This type ofevent includes thc "windowai"events subscttcd forthc 1982-83 ASP piogrmn and discussed in Section 2.2 ofthc main report.
'Ibe sccoad type ofevent mvolvcs a failure oadition that existed over a period oftime during which an initiating event could have, but did not occur. The probability ofcore damage is calculated based on the required plant response to a set ofpostulated initiating events, considering the failures that wcie observed.
Unlike an initiating event asscamcnt, where a pmtiaiiar initiatingevent is assuntxi to occur withprobability 1.0, each initiatingcvcnt is assumed to occur with a probability based on the initiating event &equeacy and thc faihae duration.
ASP MODELS
A-3 A.1.2 Modi6cation ofSystem Failure Probabilities to Refiect Observed Failures The ASP models used to evaluate 1982-83 operational events describe sequences to core damage in terms of combinations of mitigating systems success and failure following an initiating event.
Each system model iepiescats those combinations oftrain or component failures that willresult in system failure. Failures observed during an operational event must be represented in terms of changes to one or more of the potential failures included in the system models.
Ifa failed component is included in one ofthe trains in the system model, the failure is reQectcd by setting the probability for the impacted train to 1.0. Redundant train failure probabilities are conditional, which allows poteatial common cause failures to be addressed. Ifthe observed failure could have occurred in other similar components at thc same time, thea thc system failure probability is increased to represent this. Ifthe failure could not simultaneously occur in other components (for example, ifa component was removed Rom service for pievcative maintcinnce), then the system failure probability is also revised, but only to reQect the "removal" of the unavailable component &om the model.
Ifa failed component is not specifically included as an event in a model, then the failure is addressed by setting elements impacted by the failure to failed. For example, support systems are not completely developed in the 1982-83 ASP models. A breaker failure that results in the loss ofpower to a group ofcomponents would be represented by setting the elements associated with each component in the group to failed.
OccasionaHy, a pnxursor occurs that cannot be modelled by modifying probabilities in existing system models.
In such a case, the model is revised as necessary to address the event, typically by adding events to the system model or by addressing an unusual initiating event through the use ofan additional event tree.
A.1.3 Recovery from Observed Failures The models used to evaluated 1982-83 events address the potential for rccovcry ofan entire system ifthe system fails.
This is the same approach that was used in the analysis of most precursors through 1991.'n this approach, the potential for recovery is addressed by as'signing a recovery action to each system failure and initiating cvcat.
Four classes were used to describe the dMerent types ofshort-tenn recovciy that could be involved:
'ater precursor analyses utilize Time-Reliability Correlations to estimate the probability offailing to recover a failed system when recovery is dominated by operator action.
ASP MODELS
~
~ ~
A-4 Recovery Class Rl R4 Likelihood ofNon-Recovery'.55 0.10 0.01 Recovery Characteristic Thc failurb did not appear to bc rccovcrablc in thc required period, either from thc control room or at thc failed cquipmcnt.
Thc failure appeared rccovcrable in the required period at the failed cquipmcnt, and the cquipmcnt was acccssiblc; rccovcry from thc control room did not appear possible.
\\
Thc failure appeared rccovcrablc in thc required perio from the control room, but recovery was not routine or involved substantial operator burden.
Thc failure appcarcd rccovcrablc in thc required period from thc control room and was considered routine and procedurally based.
The assignment ofan event to a recovery class is based on engineering judgment, which considers the specifics ofeach operational event and the likelihood ofnot recovering &om the observed failure in a moderate to high-stress situation followingan initiating event.
Substantial time is usually available to recover a failed residual heat removal (RHR) or BWR power conversion system (PCS).
For these systems, the nonrecovery probabilities listed above are overly conservative.
Data in Refs. 2 and 3 was used to estimate the followingnonrecovery probabilities for these systems:
BWRRHR system BWR PCS PWR RHR system System nonrecove 0.016 (0.054 iffailures involve service water) 0.52 (0.017 forMSIVclosure) 0.057 Itmust be noted that thc actual likelihood offailingto recover Gem an event at a particular plant is dificultto assess and may vary substantially &om the values listed.. This dmlculty is demonstrated in the genuine di6'cnxxes inopinion among analysts, operations and maintenttnce personnel, ctc., concerning the likelihoodof recovering specific failures (typically observed during testing) within a time period that would prevent core damage followingan actual initiating event..
A.1-4 Conditional Probability Associated with Each Precursor e
e As described earlier in this appcndnt, the calculation process for each precursor involves a determination of mitiators that must be modeled, plus any modifications to system probabilities necessitated by ftuitnes observed Ibese nomecovcry probabilities are consistent with values specified in M.B. Sattison et al., "Methods Improvcntats Incorporated into the SAPHIRE ASP Models," Proceedings ofthe U.S. Nuclear Regulatory Commission 74eetyMcond Water Raptor Safety Information Nearing, NUREG/CP4140, Vol. 1, April 1995.
ASP MODELS
~ 1 1
r7 I
L
A-5
'in an operational event.
Once the probabilities that reflect the conditions ofthe precursor are established, the sequences leading to core damage are calculated to estimate the conditional probability for the precursor.
This calculational process is summarized in Table A.l.
I Several simplifiedexample that illustrate the basics ofprecursor calculational process follow. It is not the intent ofthe examples to describe a detailed precursor analysis, but instead to provide a basic understanding of the process.
The hypothetical core damage model for these examples, shown in Fig. A. 1, consists of initiator I and four systems that provide protection against core damage: system A, B, C, and D. In Fig. A.l, the up branch reptcscttts success and the down branch failure foreach ofthe systctns.
Three sequences result in core damage
>> ifcompleted: sequettce 3 P /A("/"represents system success) B C], sequence 6 (IA/B C D) and sequence 7 (I A B). In a conventional PRA approach, the &equency ofcore damage would be calculated using the &equency of the initiating event I, X(l), and the failure probabilities for A, B, C, and D jp(A), p(B), p(C), and p(D)].
Assuming Ag) = 0.1 yt'nd p(Aji)= 0.003, p(BjIA)= 0.01, p(Cjl) = 0.05, and p(DjIC)= 0.1, the &equency of core damage is determined by calculating the &equency ofeach ofthe three core damage sequences and adding the &equencies:
0, 1 yr
~ x (1 - 0.003) x 0.05 x 0. 1 (sequence 3) +
0.1 yr' 0.003 x (1- 0.01) x 0.05 x 0.1 (sequence 6) +
0.1 yr' 0.003 x 0.01 (sequence 7) 4 99 x 10< yr.> (sequence 3) + 1 49 x 10< yr t (sequence 6) + 3.00 x 10< yr t (sequence 7)
=5.03 x 10" yr'n a nominal PRA, scqucnce 3 would be the dominant core damage sequence.
Thc ASP program calculates a conditional probability ofcore damage, given an initiating event or component failures. This probability is diQerent than the Gequency calculated above and cannot be directly compared with it.
E le 1
E A
Asstnne that a precursor involving initiating event I occurs.
In response to I, systems A, B, and C start and operttte correctly and system D is not demanded.
In a precursor initiating cvcnt assessmcnt, thc ggggljan% ofI is set to 1.0. Although systems A, B, and C were successful, naninal failure probabilities are assumed.
Since system D was not demanded, a nominal failure probability is assutncd forit as well. Thc conditional probability ofcore damage associated withprecursor Iis calculated by summing the conditional probabilities for the three sequences:
1.0 x (1- 0.003) x 0.05 x 0.1 (settuettce 3) +
1.0 x 0.003 x (1 - 0.010) x 0.05 x 0.1 (sequence 6) +
1.0 x 0.003 x 0.01 (sequence 7)
'Qe notation p(B jIA)means the probability that B hils, given I occuaed and A hiled.
ASP MODELS
gl rg C
I
A-6
= 5.03 x 10'.
If,instead, B had failed when demanded, its probability would have been set to 1.0. The conditional core damage probability for precursor IB would be calculated as 1.0 x (1 - 0.003) x 0.05 x 0.1 (sequence 3) + 1.0 x 0.003 x 1.0 (sequence 7) = 7.99 x 10'.
Since B is failed sequence 6 cannot occur.
le 2. Condition Assessment.
Assume that during a monthly test system B is found to be failed, and that the failure could have occurnxl at any time during the month. The best estimate for the duration ofthe failure is one halfofthe test period, or 360 h. To estimate the probability ofinitiatingevent Iduring the 360 h period, the yearly Griqua~ oflmust be converted to an hourly rate. IfI can only occur at power, and the plant is at power for 70% ofa year, then the frequency for I is estimated to be 0 1 yr'/(8760 h/yr x 0.7) = 1.63 x 10 h'f, as in example 1, B is always demanded followingI, the probability ofI in the 360 h period is the probability that at least one I occurs (since the failure ofB willthen be discovered), or el@) "faiiluredursrxe= I el 6385 "360 =5 85 x 103 Using this value for the probability ofI, and setting p(B) = 1.0, the conditional probability ofcore damage for precursor B is calculated by again summing the conditional probabilities for the core damage sequences in Fig.
A. 1:
5.85 x 10(1-0.003) x 0.05 x,0.1 (sequence 3)+5.85 x 10 x 0.003 x 1.0 (sequence 7)
=4.67 x 10-s As before, since B is failed, sequence 6 cannot occur.
Thc conditional probability is the probability of core damage in the 360 h period, given the failure ofB. Note that the donunant core damage scqucncc is sequence 3,.with a conditional probability of2.92 x 10'. This sequence is unrelated to the failure ofB. The potential failure ofsystems C and D over the 360 h period stilldrive thc core damage risk To undeatmxi thc signi6amcc ofthe failure ofsystem B, another calculation, an importance measure, is required.
The importance me@me that is used is equivalent to risk achievement worth on an interval scale (sce Rcf. 4).
In this calculation, the increase in core damage probability over the 360 h period due to the failure of B is cstimatcd:
p(cd [ B) - p(cd). For this example the value is 4.67 x 10 - 2.94 x 10'.73 x 10', where thc second term on the Idt side ofthe equation is calculated using the previously dcvelopcd pmbability ofI in the 360 h period and nominal failure probabilities forA, B, C, and D.
For most conditions idcntificd as precursors in the ASP program, the importance and the conditional core damage probability are numerically close, and either'can be used as a significance measure forthe precursor.
- However, for some events typically those in which thc components that are failed arc not the prinuuy mitigating plant features'axitioaal cae damage probability can bc significantly higher than thc importance. In such cases, it is important to note that the potential failure of other components, unrelated to the precursor, are still dominating thc plant risk ASP MODELS
A-7 The importance measure for unavailabilities (condition assessments) like this example event were previously referred to as a "conditional core damage probability" in annual precursor reports before 1994; instead ofas the increase in core damage probability over the duration ofthe unavailability. Because the computer code used to analyze 1982-&3 events is the same as was used for 1984-93 evaluations, the results for 1982-83 conditions are also presented in the computer output in terms of "conditional probability," when in actuality the result is an linpoftalice.
A.2 Overview of 1982-83 ASP Models Models used to rank 1982-83 precursors as to significance consist ofsystem-based plant-class event trees and simplified plant-specific system models. These models describe mitigation sequences for the followinginitiating events: a nonspecific reactor trip [which includes loss offeedwatcr (LOFW) within the model), LOOP, small-break LOCA, and steam generator tube rupture [SGTR, pressurized water reactors (PWRs) only].
Plant classes were defined based on the use ofsimilar systems in providing protective functions in response to transients, LOOPs, and small-break LOCAs. System designs and specific nomenclature may differ among plants included in a particular class; but functionally, they are similar in response.
Plants where certain mitigating systems do not exist, but which are largely analogous in their initiator response, are grouped into the appropriate plant class.
ASP plant categorization is described in the followingsection.
The event trees consider two end states:
success (OK), in which core cooling exists, and core damage (CD), in which adequate core cooling is believed not to exist.
In the ASP models, core damage is assumed to occur followingcore uncoveiy. Itis acknowledged that clad and fuel damage willoccur at later times, depending on the criteri used to define "damage," and that time may be available to recover core cooling once core uncovery occurs but before the onset ofcore damage.
However, this potential recovery is not addressed in the models.
Each event tree describes combinations ofsystem failures that willprevent core cooling, and makeup ifrequired, in both the short and long term Priinaiy systems designed to provide these functions and alternate systems capable ofalso performing these functions are addressed.
The models used to evaluate 1982-83 events consider both additional systems that can provide core protection and initiating events not included in the plant-class models used in the assessment of 1984-91 events, and only partiaUy included in the assessment of 1992-93 events.
Respcaise to a failure to trip the reactor is now addressed, as is an SGTR in PWRs. In PWRs, tbe potential use ofthe residual heat removal system followinga small-break LOCA (to avoid sump recirculation) is addressed, as is the potential recovery ofsecondary-side cooling in the long tarn followingthe initiationoffeed and bleed. Inboilingwater reactors (BWRs), the potential use ofreactor core isolation cooling (RCIC) and the control rod drive (CRD) system for makeup ifa single reliefvalve sticks open is addressed, as is the potential long-term recovery ofthe power conversion system (PCS) for decay heat removal in BWRs. These models better reQect the capabilities ofplant systems in preventing core damage.
ASP MODELS
"1>
g~)
rl P"