ML18025B876

| Field | Value |
|---|---|
| Site | Browns Ferry |
| Issue date | 08/31/1982 |
| From | Bertucio R, Leahy T, Mays S, Poloski J, Sullivan W, Trainer J; EG&G, Inc.; Energy, Inc. |
| To | NRC Office of Nuclear Regulatory Research (RES) |
| References | CON-FIN-A-1241, EGG-2199, NUREG-CR-2802, NUDOCS 8209270137 |
| Download | ML18025B876 (123) |
NUREG/CR-2802
EGG-2199
Distribution Category: RG, XA

INTERIM RELIABILITY EVALUATION PROGRAM: ANALYSIS OF THE BROWNS FERRY, UNIT 1, NUCLEAR PLANT
MAIN REPORT

EG&G Idaho, Inc.: S. E. Mays, J. P. Poloski, W. H. Sullivan, J. E. Trainer
Energy Incorporated, Seattle Office: R. C. Bertucio, T. J. Leahy

Published July 1982
EG&G Idaho, Inc., Idaho Falls, Idaho 83415
Prepared for the U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
Under Sandia National Laboratories Purchase Order No. 62-7776, FIN No. A1241
ABSTRACT
A probabilistic risk assessment (PRA) was made of the Browns Ferry, Unit 1, nuclear plant as part of the Nuclear Regulatory Commission's Interim Reliability Evaluation Program (IREP). Specific goals of the study were to identify the dominant contributors to core melt, develop a foundation for more extensive use of PRA methods, expand the cadre of experienced PRA practitioners, and apply procedures for extension of IREP analyses to other domestic light water reactors.
Event tree and fault tree analyses were used to estimate the frequency of accident sequences initiated by transients and loss of coolant accidents. External events such as floods, fires, earthquakes, and sabotage were beyond the scope of this study and were, therefore, excluded. From these sequences, the dominant contributors to probable core melt frequency were chosen. Uncertainty and sensitivity analyses were performed on these sequences to better understand the limitations associated with the estimated sequence frequencies.
Dominant sequences were grouped according to common containment failure modes and corresponding release categories on the basis of comparison with analyses of similar designs rather than on the basis of detailed plant-specific calculations.
Each of eight dominant sequences for Browns Ferry, Unit 1, was initiated by postulated plant transients. Six of the eight sequences involved failure of the long-term decay heat removal functions of the residual heat removal system. These sequences account for 73% of the sum of the dominant sequence frequencies. The other two sequences involved an anticipated transient without a (subsequent) scram and account for 27% of the sum of the dominant sequence frequencies.
While no LOCA-initiated sequences were dominant contributors to the frequency of core melt accidents, two of the eight dominant sequences involved transient-induced stuck-open relief valve scenarios.
The results show that the single most important factor in reducing the risk of a core melt accident at Browns Ferry, Unit 1, is providing reliable long-term decay heat removal capability; the next most important factor would be providing more reliable means to ensure that the reactor can be rapidly shut down and maintained subcritical.
SUMMARY
Probabilistic risk assessment (PRA) techniques offer important analytical tools for the safety evaluation of nuclear power plants. Toward this end, the Three Mile Island Action Plan¹ identifies the Interim Reliability Evaluation Program (IREP) as a high priority effort to apply PRA techniques in the measurement of public health and safety risk of nuclear power plants. Because of plant-to-plant differences in design and operation, it is desirable to apply these techniques to other reactor plants in addition to those already studied.
The purpose of the current program, then, is to apply PRA techniques to several plants. Specific goals include:
1. Identify accident sequences that dominate the contribution to core melt.
2. Develop a foundation of information for additional and more extensive application of PRA techniques.
3. Expand the cadre of experienced PRA practitioners.
4. Develop procedures for the uniform application of PRA techniques to other domestic light water reactors.
EG&G Idaho, Inc., was contracted by Sandia National Laboratories to perform the IREP assessment of the Browns Ferry Nuclear Plant, Unit 1 (BF1). Analytical support was furnished by Energy Inc., Seattle office. Battelle-Columbus Laboratories provided analyses for grouping the dominant sequences according to release categories.
The BF1 IREP team identified and estimated the frequency of potential core melt sequences caused by loss of coolant accidents (LOCAs) and transients. The dominant sequences were identified, and release categories similar to those defined in WASH-1400 were assigned to each of these sequences.
In the course of the analysis, many engineering insights important to risk were identified. This section of the report summarizes those insights and the dominant sequence evaluation.
Engineering Insights
The single most important engineering insight relating to risk is the dependence of BF1 on the residual heat removal (RHR) system for long-term decay heat removal. For the majority of the accident initiators, the power conversion system (PCS) is unavailable. Therefore, only the RHR system in either the torus cooling or the shutdown cooling mode is available to remove decay heat from the reactor.
Six of the eight dominant sequences identified involve failure of the torus cooling and shutdown cooling modes of the RHR system. These sequences account for approximately 73% of the sum of the dominant sequence frequencies. Therefore, no significant reduction in core melt frequency can be achieved without reducing the unavailability of the RHR system or providing an alternate means of long-term decay heat removal. Thus, the RHR system is the most risk-critical system at BF1.
Of the three dominant sequences involving a loss of offsite power, failure of the emergency equipment cooling water (EECW) system accounts for approximately 40% of the initial core melt frequency value.
While consideration of potential recovery actions makes EECW system failure a nonsignificant contributor to the final frequency of these sequences, it would seem feasible that the system could be designed and operated in such a way that the dependence on operator recovery actions is minimized.
The rupture disks on the exhaust lines of the reactor core isolation cooling (RCIC) and high pressure coolant injection (HPCI) systems affect the unavailability of these systems. These devices are intended to be last-resort safety devices to prevent a rupture of the turbines or turbine exhaust lines. Premature failure of these rupture disks leads to isolation of the system when no such isolation is required. Therefore, rupture disk failures contribute significantly to RCIC and HPCI system unavailabilities.
Scheduled testing and maintenance accounts for approximately 25% of the HPCI system unavailability. That is, one fourth of the probability of the HPCI system being unavailable when required is due to the operators making the system unavailable in order to test or maintain the system. This value seems to be high in light of the scheduled testing and maintenance contributions of other systems. This indicates that a close examination of the scheduled testing and maintenance requirements may be needed to ensure that the benefit of frequent testing is balanced against the unavailability caused by that testing.
Dominant Sequences
Eight dominant sequences were identified for BF1. Table S-1 lists these sequences along with the sequence frequencies, calculated error factors, and containment failure mode frequencies. Each error factor represents an upper 95% sequence frequency bound divided by the corresponding frequency point estimate.
The containment failure modes are identical to those of WASH-1400. For these particular sequences, the release categories are α - 1, γ' - 2, and γ - 3, where the numbers 1, 2, and 3 refer to the WASH-1400 release categories.
Table S-1. Dominant sequences versus containment failure modes (the three rightmost columns are containment failure mode frequencies; see footnote a)

| Sequence | Frequency | Error factor | α^a | γ'^a | γ^a |
|---|---|---|---|---|---|
| TURBRA | 9.7 x 10^-5 | 8.7 | 9.7 x 10^-9 | 1.9 x 10^-5 | 7.8 x 10^-5 |
| TUB | 5.1 x 10^-5 | 5.0 | 5.1 x 10^-9 | 1.0 x 10^-5 | 4.1 x 10^-5 |
| TPRBRA | 2.8 x 10^-5 | 2.8 | 2.8 x 10^-9 | 5.6 x 10^-6 | 2.2 x 10^-5 |
| TKRBRA | 9.3 x 10^-6 | 9.0 | 9.3 x 10^-8 | 1.9 x 10^-6 | 7.4 x 10^-6 |
| TUQRBRA | 4.1 x 10^-6 | 15.3 | 4.1 x 10^-10 | 8.2 x 10^-7 | 3.3 x 10^-6 |
| TABM | 3.7 x 10^-6 | 4.6 | 3.7 x 10^-10 | 7.4 x 10^-7 | 3.0 x 10^-6 |
| TPKRBRA | 1.6 x 10^-6 | 2.8 | 1.6 x 10^-8 | 3.2 x 10^-7 | 1.3 x 10^-6 |
| TPQRBRA | 1.2 x 10^-6 | 4.7 | 1.2 x 10^-10 | 2.4 x 10^-7 | 9.6 x 10^-7 |
| Final | 2.0 x 10^-4 | 5.6 | 1.3 x 10^-7 | 3.9 x 10^-5 | 1.7 x 10 (exponent lost in extraction) |

a. Probabilities of containment failure modes: α (in-vessel steam explosion), 0.01 for LOCAs and 0.0001 for transients; release through annulus, 0.8; direct release to atmosphere, 0.2.
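As an added worked example (not code from the report), the following recomputes Table S-1 from the eight sequence frequencies and the footnote's failure-mode probabilities, checks the result against the tabulated mode frequencies and column sums, recovers the 73%/27% split between decay-heat-removal and failure-to-scram sequences, and turns each error factor back into an upper 95% bound. It assumes the column labelling γ' = direct release (0.2) and γ = release through annulus (0.8) as reconstructed above, and infers from the tabulated α values that the two stuck-open relief valve (K) sequences were given the LOCA steam-explosion probability.

```python
"""Recompute Table S-1 (dominant sequences versus containment failure modes)
from the summary's own inputs.  Constructed example, not code from the report."""
from math import isclose

# Point-estimate frequency (per reactor-year), error factor, and whether the
# sequence is a transient-induced stuck-open relief valve (K) sequence.
# Values transcribed from Table S-1 of the summary.
SEQUENCES = {
    "TURBRA":  (9.7e-5, 8.7, False),
    "TUB":     (5.1e-5, 5.0, False),
    "TPRBRA":  (2.8e-5, 2.8, False),
    "TKRBRA":  (9.3e-6, 9.0, True),
    "TUQRBRA": (4.1e-6, 15.3, False),
    "TABM":    (3.7e-6, 4.6, False),
    "TPKRBRA": (1.6e-6, 2.8, True),
    "TPQRBRA": (1.2e-6, 4.7, False),
}

# Containment failure mode probabilities from footnote a of Table S-1.
P_ALPHA_LOCA = 0.01        # in-vessel steam explosion, LOCA sequences
P_ALPHA_TRANSIENT = 1e-4   # in-vessel steam explosion, transient sequences
P_GAMMA_PRIME = 0.2        # direct release to atmosphere (release category 2)
P_GAMMA = 0.8              # release through annulus (release category 3)

# Groupings behind the summary's 73% / 27% statement.
DHR_FAILURE = {"TURBRA", "TPRBRA", "TKRBRA", "TUQRBRA", "TPKRBRA", "TPQRBRA"}
FAILURE_TO_SCRAM = {"TUB", "TABM"}

# Tabulated mode frequencies (alpha, gamma', gamma) for the consistency check.
TABULATED = {
    "TURBRA":  (9.7e-9, 1.9e-5, 7.8e-5),
    "TUB":     (5.1e-9, 1.0e-5, 4.1e-5),
    "TPRBRA":  (2.8e-9, 5.6e-6, 2.2e-5),
    "TKRBRA":  (9.3e-8, 1.9e-6, 7.4e-6),
    "TUQRBRA": (4.1e-10, 8.2e-7, 3.3e-6),
    "TABM":    (3.7e-10, 7.4e-7, 3.0e-6),
    "TPKRBRA": (1.6e-8, 3.2e-7, 1.3e-6),
    "TPQRBRA": (1.2e-10, 2.4e-7, 9.6e-7),
}


def mode_frequencies(name):
    """Return (alpha, gamma', gamma) frequencies for one sequence.

    The tabulated alpha values imply that the K sequences were assigned the
    LOCA steam-explosion probability (0.01) and the others the transient value
    (1e-4).  That inference is this example's; the report prints only the two
    probabilities.
    """
    freq, _ef, sorv = SEQUENCES[name]
    p_alpha = P_ALPHA_LOCA if sorv else P_ALPHA_TRANSIENT
    return freq * p_alpha, freq * P_GAMMA_PRIME, freq * P_GAMMA


def final_row():
    """Column sums: total dominant-sequence frequency and per-mode totals."""
    total = sum(f for f, _ef, _k in SEQUENCES.values())
    modes = [mode_frequencies(n) for n in SEQUENCES]
    return total, tuple(sum(col) for col in zip(*modes))


def group_share(names):
    """Fraction of the summed dominant sequence frequency carried by a group."""
    total, _ = final_row()
    return sum(SEQUENCES[n][0] for n in names) / total


def upper_bound_95(name):
    """Error factor = upper 95% bound / point estimate, so multiply it back."""
    freq, ef, _k = SEQUENCES[name]
    return ef * freq


def mismatches(rel_tol=0.05):
    """Sequences whose recomputed mode frequencies differ from the tabulated
    ones by more than two-significant-figure rounding can explain."""
    bad = []
    for name, expected in TABULATED.items():
        got = mode_frequencies(name)
        if not all(isclose(g, e, rel_tol=rel_tol) for g, e in zip(got, expected)):
            bad.append(name)
    return bad


if __name__ == "__main__":
    total, (a, gp, g) = final_row()
    print(f"total {total:.1e}  alpha {a:.1e}  gamma' {gp:.1e}  gamma {g:.1e}")
    print(f"DHR failure share {group_share(DHR_FAILURE):.0%}, "
          f"failure to scram share {group_share(FAILURE_TO_SCRAM):.0%}")
    print("table mismatches:", mismatches() or "none")
```

The recomputed "Final" row lands within rounding of the tabulated 2.0 x 10^-4, 1.3 x 10^-7 and 3.9 x 10^-5, and the two groups come out at roughly 72% and 28% from the rounded inputs, matching the 73%/27% quoted in the text.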
Several of the dominant sequences have similar phenomenology and system responses and will be grouped together in this discussion. Each is discussed individually in the main report and Appendix C.
Transients with DHR Failure
Three sequences, TURBRA, TKRBRA, and TUQRBRA, involve transient initiators with subsequent failure of the torus cooling and shutdown cooling modes of the RHR system. In each case, a transient is followed by a reactor scram and successful overpressure protection. In one case, TKRBRA, a relief valve fails to reseat, causing steam to be discharged from the reactor to the torus. In each case, one of the high pressure injection systems (RCIC or HPCI) operates to maintain reactor water level. However, failure of the RHR system to remove the decay heat being transferred from the reactor to the torus eventually results in an inability to pump the torus water back to the reactor due to excessive torus water temperatures. Core uncovering and core melt ensue.
The dominant contributors to the unavailability of the torus cooling and shutdown cooling modes of RHR are control circuit faults associated with motor-operated valves. In particular, minimum-flow bypass valve faults contribute approximately 18% to the total system unavailability of 7.6 x 10^-5. Figure S-1 is a sequence evaluation diagram illustrating RHR failure for these sequences.
Since the high pressure systems can operate for several hours before the torus water temperature becomes excessive, there are recovery actions available to the operator. One potential recovery action is to use the PCS to remove decay heat from the reactor. Since some transient initiators may preclude use of the PCS and since PCS recoverability is not easily quantifiable, no credit was taken for PCS recovery in the final sequence frequency. However, control circuit faults were considered to be recoverable in this time frame. The operator could manually operate the valves or bypass/repair the control circuits. Inclusion of recovery potential reduced the unavailability of the torus cooling and shutdown cooling modes from 7.6 x 10^-5 to 5.7 x 10^-5. This value was used to calculate the final sequence frequency of Table S-1.
Loss of Offsite Power with DHR Failure
Three sequences, TPRBRA, TPKRBRA, and TPQRBRA, involve a loss of offsite power and subsequent failure of the torus cooling and shutdown cooling modes of the RHR system. The phenomenology of these three sequences is identical to the three described in the previous section. The differences between these sequences and the previous sequences are in the initiator frequency and the effect of the initiator on system unavailabilities.
The dominant contributors to the unavailability of torus cooling and shutdown cooling can be separated into two parts: EECW-related faults and non-EECW-related faults. Failure of the EECW system will eventually cause failure of all the emergency diesel generators, thereby precluding use of the RHR system. The non-EECW faults are primarily combinations of diesel generator faults which of themselves disable the RHR system. The unavailability of torus cooling and shutdown cooling is the sum of these two values (2.0 x 10^-2 + 2.9 x 10^-2 = 4.9 x 10^-2). Figure S-2 is a sequence evaluation diagram describing RHR failure for these sequences.
As before, the high pressure systems can operate for several hours before the torus water overheats. This allows time for the operators to take recovery actions. Among the recovery actions available is restoration of offsite power. WASH-1400 data suggest that offsite power can be restored 97% of the time before the torus water overheats. For the other 3% of the time, the operators could manually start additional pumps to serve the EECW function before total diesel power failure occurred. The operators could also isolate nonessential EECW loads so that fewer than three of four pumps would be needed to serve the vital loads.
Taking these factors into account reduces the unavailability of torus cooling and shutdown cooling from 4.9 x 10^-2 to 9.4 x 10^-4. This value was used to calculate the final sequence frequency of Table S-1.
[Figure S-1 (sequence evaluation diagram, INEL 2 1674): RB and RA faults (7.6 x 10^-5) resolved into independent faults and common faults, torus cooling faults, shutdown cooling faults, MOV 71 and MOV 302 control circuit faults, and MOV 71 and MOV 302 faults; fault data from Appendix B, Section 2.2.]
Figure S-1. Residual heat removal failure for transient sequences with normal power available.
Transients with Failure to Scram
Two sequences, TUB and TABM, involve failure of the control rod drive system to insert enough rods to make the reactor subcritical. For the first sequence, TUB, a transient that disables the PCS is followed by a failure to scram. The resulting power level causes the relief valves to lift and dump steam to the torus. This coolant loss rate is greater than the high pressure system makeup rate. Therefore, core uncovery and core melt occur. For the second case, TABM, the PCS is available. However, the turbine bypass valves cannot pass more than 30% rated steam flow. Without successful recirculation pump trip, reactor power may remain significantly higher than 30%. Therefore, the relief valves open to dump steam to the torus. This causes depletion of the water in the condensate storage tank (CST) and a trip of the feed pumps. Main steam isolation valve closure follows, and this sequence is then identical to TUB.
The value for failure to scram (3.0 x 10^-5) was taken from Reference 3. The complexities of precisely modeling how many rods in which patterns must fail to insert in order for the reactor to remain critical were considered to be beyond the scope of this analysis.
[Figure S-2 (sequence evaluation diagram, INEL 2 1673): RB and RA faults (4.9 x 10^-2) resolved into independent faults and common faults, torus cooling faults, shutdown cooling faults, electric power faults, EECW faults, and combinations of three diesels; fault data from Appendix B.]
Figure S-2. Residual heat removal failure given a loss of offsite power.
The lack of adequate models to determine plant thermodynamics under the failure to scram conditions previously described, along with the rapid development of events in such a scenario, resulted in the decision to exclude operator recovery actions for these sequences. Therefore, no credit for operator recovery is taken in calculating the final sequence frequency of Table S-1.
Conclusion
The single most important factor in reducing the risk of a core melt accident at BF1 is providing reliable long-term decay heat removal capability; the next most important factor would be providing more reliable means to ensure that the reactor can be rapidly shut down and maintained subcritical. The analysis suggests that no significant reduction in the core melt frequency can be achieved without making improvements in these two areas.
FOREWORD
This report describes a risk study of the Browns Ferry, Unit 1, nuclear plant. The study is one of four such studies sponsored by the NRC Office of Research, Division of Risk Assessment, as part of its Interim Reliability Evaluation Program (IREP), Phase II. Other studies include evaluations of Arkansas One, Unit 1, by Sandia National Laboratories; Calvert Cliffs, Unit 1, by Science Applications, Inc.; and Millstone, Unit 1, by Science Applications, Inc. EG&G Idaho, Inc. was assisted by Energy Inc., Seattle, in its evaluation of the Browns Ferry, Unit 1, plant. Battelle-Columbus Laboratories provided information regarding the fission product releases that result from risk-significant accident scenarios. Sandia National Laboratories has overall project management responsibility for the IREP studies. It also has responsibility for the development of uniform probabilistic risk assessment procedures for use on future studies by the nuclear industry.
This report is contained in four volumes: a main report and three appendixes. The main report provides a summary of the engineering insights acquired in doing the study and a discussion regarding the accident sequences that dominate the risks of Browns Ferry, Unit 1. It also describes the study methods and their limitations, the Browns Ferry plant and its systems, the identification of accidents, the contributors to those accidents, and the estimating of accident occurrence probabilities. Appendix A provides supporting material for the identification of accidents and the development of logic models, or event trees, that describe the Browns Ferry accidents. Appendix B provides a description of Browns Ferry, Unit 1, plant systems and the failure evaluation of those systems as they apply to accidents at Browns Ferry.
Appendix C generally describes the methods used to estimate accident sequence frequency values.
Numerous acronyms are used in the study report. For each volume of the report, these acronyms are defined in a listing immediately following the table of contents.
ACKNOWLEDGMENTS
The authors wish to express their thanks to several individuals who have made important contributions to this study report: Joe Murphy of the Nuclear Regulatory Commission, Dave Carlson of Sandia National Laboratories, and Jonathan Young of Energy Inc. for their technical comments as the study progressed; Cindy Gentillon for her assistance in incorporating review comments into the final report; Paul Adye for his technical editing of the final report; Kim Culbertson for her typing of the several drafts and final text of this report; Pat Virgil for proofreading the copy; and Debi Iverson for her typesetting and final layout of the report.
CONTENTS
ABSTRACT
SUMMARY
FOREWORD
ACKNOWLEDGMENTS
NOMENCLATURE
1. INTRODUCTION
2. IREP METHODOLOGY
 2.1 Information Base
 2.2 Methodology
3. PLANT DESIGN
 3.1 General
 3.2 Accident Mitigation Functions
 3.3 Front-Line and Support Systems
4. INITIATING EVENTS
 4.1 Introduction
 4.2 Identification of Potential Core-Related Initiating Events
 4.3 Initiating Event/Mitigating System Dependencies
5. ACCIDENT SEQUENCE DELINEATION
 5.1 Introduction
 5.2 LOCA Functional Event Trees
 5.3 Transient Functional Event Trees
6. SYSTEMS ANALYSIS
 6.1 Front-Line Systems Description
 6.2 Support Systems Description
7. ACCIDENT SEQUENCE QUANTIFICATION
 7.1 General Approach
 7.2 Data Sources
 7.3 System Unavailabilities
 7.4 Sequence Frequencies
 7.5 Candidate Dominant Accident Sequences
 7.6 Example Calculation
8. RESULTS
 8.1 General
 8.2 Dominant Sequences
 8.3 Containment Response and Release Categories
 8.4 Engineering Insights
 8.5 Uncertainty Analysis
 8.6 Sensitivity Analysis
 8.7 Limitations of the IREP Methodology and Uses of the Models
 8.8 Application of Results
REFERENCES
APPENDIXES (Each appendix is published as a separate volume)
APPENDIX A: EVENT TREES
APPENDIX B: SYSTEM DESCRIPTIONS AND FAULT TREES
APPENDIX C: SEQUENCE QUANTIFICATION

FIGURES
S-1. Residual heat removal failure for transient sequences with normal power available
S-2. Residual heat removal failure given a loss of offsite power
1. IREP methodology
2. Emergency core cooling systems
3. Core standby cooling systems performance capability bar chart
4. LOCA functional event tree, break inside containment
5. LOCA functional event tree, break outside containment
6. LOCA systemic event tree for large liquid break, suction-side of recirculation pumps (LS)
7. LOCA systemic event tree for large liquid break, discharge-side of recirculation pumps (LD)
8. LOCA systemic event tree for large steam break (LV)
9. LOCA systemic event tree for intermediate liquid break (IL)
10. LOCA systemic event tree for intermediate steam break (IV)
11. LOCA systemic event tree for small liquid-line or steam-line break (S)
12. Transient functional event tree
13. Transient systemic event tree where PCS is unavailable (TU)
14. Transient systemic event tree where PCS is available (TA)
15. RHR/RHRSW/EECW interplant power dependencies
16. RCIC system
17. RHR system, Loop I
18. HPCI system
19. Automatic depressurization system
20. Core spray system
21. Vapor suppression part of the primary containment
22. CRDH system
23. Scram discharge volume equipment
24. Main steam system
25. Condensate and feedwater system
26. RPT circuit
27. EPS diagram showing AC and DC systems
28. RHRSW system
29. RHRSW/EECW system power dependencies
30. EECW system
31. Keep-full system
32. CCW system
33. Simplified RCW system diagram
34. RPS Channel A
35. Transient systemic event tree for PCS unavailable
36. Core melt sequence frequencies versus initiators (recovery actions not considered)
37. Core melt sequence frequencies versus failed function (recovery actions not considered)

TABLES
S-1. Dominant sequences versus containment failure modes
1. Information sources for IREP
2. Front-line systems for LOCA and transient functions
3. Front-line versus support systems
4. LOCA mitigation success criteria
5. LOCA pipe rupture frequencies
6. Transient initiator groupings and frequencies
7. Transient mitigation success criteria
8. LOCA initiator effects on mitigating systems
9. Front-line and support system list
10. RHR operational mode success criteria
11. Transients where the PCS is unavailable
12. Candidate dominant sequences
13. Dominant sequences
14. Dominant sequences versus containment failure modes
15. Dominant sequence uncertainties
NOMENCLATURE

A
Ā - The complement of A (a success event if A is a failure event). (A may also be used to mean "unavailability.")
A - Alarm
AC - Alternating current
ACC - Accumulator
ADS - Automatic depressurization system
AH - Alarm-high
AO - Air operator
APRM - Average power range monitor
AT - Anticipated transient
ATWS - Anticipated transient without scram

B
BF1 - Browns Ferry, Unit 1, nuclear plant
BI - Break isolation
BWR - Boiling water reactor

C
CAD - Containment atmosphere dilution
CCW - Condenser circulating water
CD - Complete dependence
CE - Conductivity element
CIS - Containment isolation system
Clg - Cooling
COND - Main condenser
CR-3 - Crystal River, Unit 3, nuclear plant IREP study
CRD - Control rod drive
CRDH - Control rod drive hydraulic
CRDHS - Control rod drive hydraulic system
CRW - Clean rad waste
CS - Core spray
CS&T - Condensate storage and transfer
CSCS - Core standby cooling system
CSS - Core spray system
CST - Condensate storage tank
CV - Control valve

D
D - Demand
DC - Direct current
DEP - Depressurization
DG - Diesel generator
DHR - Decay heat removal
Diff - Different
DPI - Differential pressure indicator
DPIS - Differential pressure indicating switch
DPS - Differential pressure switch
DPT - Differential pressure transmitter

E
EAC - Equipment area cooling
ECCS - Emergency core cooling system
ECI - Emergency coolant injection
EECW - Emergency equipment cooling water
EHC - Electro-hydraulic control
EMI - Electrical Maintenance Instruction
(abbreviation lost in extraction) - Equipment Operating Instructions
EPRI - Electric Power Research Institute
EPS - Electrical power system
ESFAS - Engineered safety features actuation system

F
F() - Frequency of initiator in parentheses
FCV - Flow control valve
FE - Flow element
FI - Flow indicator
FIC - Flow indicating controller
FLS - Front-line system
FMEA - Failure mode effects analysis
FR - Flow recorder
FS - Flow switch
FSAR - Final Safety Analysis Report
FT - Flow transmitter
FWC - Feedwater control
FWCS - Feedwater control system

G
G - Green
GOI - General Operating Instructions

H
H - High
H/L - High/low
HCU - Hydraulic control unit
HCV - Hand control valve
HEP - Human error probability
HPCI - High pressure coolant injection
HPCS - High pressure core spray
HPI - High pressure injection
HS - Handswitch
HSS - High speed stop
HVAC - Heating, ventilation, and air conditioning
HX - Heat exchanger

I
I&C - Instrumentation and control
I&E - Inspection and enforcement
IMI - Instrument Maintenance Instruction
INJ - Injection
IREP - Interim Reliability Evaluation Program
IRM - Intermediate range monitor

L
L - Low
LA - Level alarm
LD - Low dependence
LER - Licensee Event Report
LIC - Level indicating controller
LIS - Level indicating switch
LL - Low-low
LOCA - Loss of coolant accident
LOSP - Loss of offsite power
LPCI - Low pressure coolant injection
LPI - Low pressure injection
LS - Limit switch
LSS - Low speed stop
LT - Level transmitter

M
M - Motor (operated valve)
MCR - Main control room
MD - Moderate dependence
MGU - Master governor unit
MMG - Motor generator
MMI - Mechanical Maintenance Instruction
MO - Motor operated
MOV - Motor-operated valve
MSC - Manual speed control
MSI - Main steam isolation
MSIV - Main steam isolation valve
MSL - Main steam line

N
NA; N/A - Not applicable
NC - Normally closed
NMS - Neutron monitoring system
NO - Normally open

O
OI - Operating Instructions
OL - Overload
OP - Overpressure protection
OP(C) - Overpressure protection (relief valves closed)
OP(O) - Overpressure protection (relief valves open)

P
PA - Pressure alarm
PB - Pipe break
PCIS - Primary containment isolation system
PCS - Power conversion system
PCV - Pressure control valve
PG - IREP Procedure Guide
PI - Pressure indicator
PORV - Power-operated relief valve
PRA - Probabilistic risk assessment
PS - Pressure switch
PSCWT - Pressure suppression chamber water transfer
PT - Pressure transmitter
PWR - Pressurized water reactor

Q
Q() - Unavailability of system in parentheses
QA - Quality assurance

R
R - Red
RBCCW - Reactor building component cooling water
RBEDT - Reactor building equipment drain tank
RCB - Reactor coolant boundary
RCIC - Reactor core isolation cooling
RCS - Reactor coolant system
RCW - Raw cooling water
RCWS - Raw cooling water system
Recirc - Recirculation
RFP - Reactor feed pump
RFPT - Reactor feed pump turbine
RFWPT - Reactor feedwater pump turbine
RHR - Residual heat removal
RHRSW - Residual heat removal service water
(abbreviation lost in extraction) - Reactor motor-operated valve
(abbreviation lost in extraction) - Remote manual switch
RPS - Reactor protection system
RPT - Recirculation pump trip
(abbreviation lost in extraction) - Reactor subcriticality; reactor shutdown; reactor scram
RV(C) - Relief valve (closed)
RV(O) - Relief valve (open)
RWCU - Reactor water cleanup
RX - Reactor

S
S/D - Shutdown
S/RV - Safety relief valve
S/V - Safety valve
SBCS - Standby coolant supply
SBGT - Standby gas treatment
SCI - Short-term containment integrity
SD-BD - Shutdown board
SDV - Scram discharge volume
SIV - Scram instrument volume
SJAE - Steam jet air ejector
SLCS - Standby liquid control system
SORV - Stuck-open relief valve
SRM - Source range monitor

T
TA - Temperature alarm
TCV - Turbine control valve
TD - Time delay
TDC - Time delay contact
TDPU - Time delay pickup
TE - Temperature element
TIP - Traversing in-core probe
TMI - Three Mile Island
TR - Temperature recorder
Trans - Transient
TS - Technical Specifications; torque switch
TVA - Tennessee Valley Authority

U
UV - Undervoltage

V
V - Volts
VB - Vacuum breaker
VO - Valve open
VS - Vapor suppression
VSS - Vapor suppression system
VWI - Vessel water inventory

(symbol lost in extraction) - An insignificant quantity, generally less than 10 g
INTERIM RELIABILITY EVALUATION PROGRAM: ANALYSIS OF THE BROWNS FERRY, UNIT 1, NUCLEAR PLANT
MAIN REPORT
1. INTRODUCTION
Probabilistic risk assessment (PRA) techniques offer important analytical tools for the safety evaluation of nuclear power plants. Application of such techniques to commercial nuclear plants has (a) provided useful information on accident sequences, (b) identified many strengths and weaknesses in the design and operation of the plants, (c) provided insights into the importance of accident contributors, and (d) provided rough estimates of the likelihood of serious accidents. Recent evidence tends to suggest that plant-to-plant differences in design and operation may give rise to significant differences in both the likelihood and the event-sequence of accidents. Therefore, the application of PRA techniques to many reactor plants appears to be desirable.
The need for PRA application is reflected in the Three Mile Island Action Plan,¹ which identifies the Interim Reliability Evaluation Program (IREP) as a high priority effort. The IREP is intended to apply PRA techniques to several nuclear power plants and then to develop procedures for the consistent analysis of other plants. The IREP has the following specific objectives:
1. Identify those accident sequences that are the principal risks to public health and safety.
2. Develop a foundation of information for subsequent, more intensive, application of PRA techniques on the subject plants.
3. Expand the cadre of experienced practitioners of risk assessment methods within the NRC and the nuclear power industry.
4. Develop procedures for codifying the use of these techniques to other domestic light water reactor plants.
Phase I of the IREP study was a reliability analysis of the Crystal River, Unit 3, facility.⁴ Using methodological insights gained from the Crystal River study, the Phase II IREP studies were initiated in September 1980 to analyze four plants:
1. Browns Ferry, Unit 1 (BF1), by a team from EG&G Idaho, Inc., and Energy Incorporated.
2. Arkansas Nuclear One, Unit 1, by a team from Sandia National Laboratories, Science Applications, Inc. (SAI), and Arkansas Power and Light Company.
3. Calvert Cliffs, Unit 1, by a team from SAI, Evaluation Associates, and NRC.
4. Millstone, Unit 1, by a team from SAI, Northeast Utilities, and NRC.
The principal analysts responsible for conducting the Browns Ferry risk assessment were Steve Mays, Walt Sullivan, John Poloski, and Jack Trainer of EG&G Idaho, Inc. Bob Bertucio and Tim Leahy of the Seattle Office of Energy Incorporated provided analytical support to assist EG&G Idaho in the early phases of the study. Utility support from Tennessee Valley Authority (TVA) was coordinated by Mark Linn with assistance from Terry Tyler, Henry Jones, and Tom Barkalow. Unlike other IREP teams, which had a full-time participant from the utility, the Browns Ferry team relied on telephone calls, mail, and occasional meetings with TVA personnel for information exchange. The TVA support included documentation of plant design, analyses beyond those found in the Final Safety Analysis Report (FSAR), and verification of system operating characteristics.
Responsibility for overall technical management of the study rested with Sandia National Laboratories.
Periodic reviews to assure the quality of the product were conducted by Sandia and NRC personnel not involved directly with the work of any one team, with the assistance of Energy Incorporated.
This report is one of a series of four reporting the results of these Phase II studies. Separate reports will be issued regarding procedures for conducting future analyses of the same scope and breadth as these four studies, and detailing the technical and methodological insights and nuclear safety perspectives gained from this activity.
The reader is cautioned that while it is our opinion that these studies represent the state-of-the-art within their scope, they are incomplete. External events (earthquakes, fires, etc.) are not included, and the assignment of accident sequences to release categories was performed in a subjective manner with limited plant-specific calculations. Thus, this portion of the study relied heavily on analyses performed previously on similar facilities. Other limitations are discussed in detail in Section 8.7. While accident sequence and release category frequencies were quantified, they are of value primarily in comparative analyses, and the absolute values determined should not be used without a clear appreciation of their inherent uncertainties.
The principal product obtained is the integrated engineering logic presented in the plant and system models and the insights into plant features contributing significantly to risk, not the specific values computed for accident frequencies.
The main body of this report is essentially a condensation of the more detailed information supplied by the three appendixes. A general discussion of the methodology used to conduct the risk assessment is provided in Section 2. Section 3 describes the general design of the plant including a brief discussion of the systems that perform the functions to mitigate the effects of loss of coolant accidents (LOCAs) and transient events at BF1. Section 4 defines the accident initiating events that were considered for BF1 and how their associated frequencies were estimated. Section 5 presents the event trees that display the functional relationships between systems designed to respond to a potential accident initiator. Event trees were provided for the various LOCA and transient initiator groupings; a discussion of each is also given in Section 5. A more detailed description of the various plant systems (and their associated support systems) that affect the mitigation of a LOCA or transient is provided in Section 6. The assumptions that went into the construction of fault tree models, as well as the insights gained from each of these models, are provided for each system.
The methodology for accomplishing the quantification of the accident sequences displayed by the event trees is discussed briefly in Section 7. An example calculation for a representative event tree sequence is also given in this section. The selection of the final dominant accident sequences is provided in the results, Section 8. Each of the dominant sequences is discussed on an individual basis.
More detail supporting each of the sections can be found in the appendixes. The appendixes are organized as follows:
Appendix A: Event Trees. Applicable to Sections 2, 3, 4, and 5 of the main report.
Appendix B: System Descriptions and Fault Trees. Applicable to Sections 2, 3, and 6 of the main report.
Appendix C: Sequence Quantification. Applicable to Sections 2, 5, 7, and 8 of the main report.
2. IREP METHODOLOGY

To provide guidance for the IREP analyses and to assist in consistency among the four IREP teams, procedures (Reference 5) for conducting the analysis were developed. The four teams generally followed the same approach, even though these procedures had never been used in their entirety and it was recognized that some flexibility in approach would be necessary.
2.1 Information Base

The IREP analyses represent an integrated plant systems analysis. Detailed analyses were performed on those systems required to respond to a variety of initiating events and on those systems supporting the responding systems. The analysis included unavailabilities during test and maintenance activities, human errors that could arise in restoring the systems to operability following test and maintenance and in response to accident situations, and a thorough investigation of support system faults that could affect operations of more than one front-line system.
To perform the analysis, considerable, and occasionally very detailed, information was obtained from the plant. The sources of information used in the analysis are listed in Table 1.
Table 1. Information sources for IREP

- Final Safety Analysis Report (FSAR)
- System descriptions and plant drawings
- Other analyses of the plant or a similar plant
- Modified WASH-1400 (Reference 2) data base
- EPRI NP-801 (Reference 7)
- Licensee event reports for the plant and similar plants
- System performance documentation
- Electrical one-line drawings
- Control and actuation circuitry drawings
- Test and maintenance procedures
- Emergency procedures
- Plant logs
- NUREG/CR-1278 (Reference 8)
- Plant visits
- Discussions with and review by plant personnel
The final FSAR and plant system descriptions and drawings provided the basic information base for the analysis. This was supplemented by information contained in other studies of the plants (where available).
To identify initiating events and initiating event frequencies, EPRI NP-801 (Reference 7) was used as the basic source. Additional insights were obtained through reviewing licensee event reports for the plant and for plants of similar design. To identify the systems needed to respond to an accident and their success criteria, the FSAR was used. In some instances, documentation from the plant or vendor was obtained suggesting and supporting the use of less stringent success criteria.
To construct the fault tree models, detailed drawings were obtained, particularly for electrical systems and control and actuation circuitry. Test, maintenance, and emergency procedures were reviewed to identify potential human errors to be included in the plant models.
Data for quantifying the fault trees were a mixture of generic and plant-specific data. Basic hardware failure rate data were obtained from a modified WASH-1400 data base assembled by NRC personnel participating in IREP. For particular components, plant-specific data obtained from plant logs were used.
Plant-specific test and maintenance frequencies obtained from plant logs were used in the analysis. Data for human error rates were obtained from NUREG/CR-1278 (Reference 8). In addition to the above documentation, the utility personnel participating in the study served as contacts with the plant to obtain more information when needed. Each team visited its plant to view particular equipment and to discuss questions with plant personnel. The IREP team prepared periodic letter reports that the utilities reviewed to ensure the accuracy of information.
2.2 Methodology

The IREP analyses consisted of eight tasks:

1. Plant familiarization.
2. Event tree construction.
3. Systems analysis.
4. Human reliability and procedural analysis.
5. Data base development.
6. Accident sequence evaluation.
7. Containment analysis.
8. Interpretation and analysis of results.
The relationships between these tasks are illustrated in Figure 1. Each is discussed briefly below.
2.2.1 Plant Familiarization.
The initial task of the analysis was to become familiar with the plant. This was done by identifying those functions that must be performed to prevent core melt or to mitigate its consequences.
By reviewing the FSAR and other documentation, the systems that perform these functions, termed "front-line systems," were identified.
Initiating events for consideration in the analysis were determined from EPRI NP-801 and licensee event reports. These were grouped such that all initiating events requiring the same systems to respond were placed in the same group. LOCAs were generally grouped into three or four groups. This grouping was by size of LOCA since mitigating requirements generally depend on the size of the break. Transients fell into three to six groups. The grouping often reflected equipment lost as a result of the initiating event.

[Figure 1. IREP methodology. Flow chart linking the eight tasks: plant familiarization, event tree construction, systems analysis, human reliability and procedural analysis, data base development, accident sequence evaluation, containment analysis, and interpretation and analysis of results.]
For each initiating event grouping, the criteria for successful system operation to mitigate the accident were determined.
This information was usually found in the FSAR. Utility and vendor calculations sometimes indicated that the FSAR criteria were too conservative.
Where appropriate documentation existed, the IREP teams used the more realistic criterion.
A final task during plant familiarization was to identify system dependencies.
Systems that support the front-line systems were identified; dependencies among various support systems were also noted.
Upon completion of plant familiarization, the following information was available:

1. The necessary functions to prevent core melt or to mitigate its consequences.
2. The systems that perform these functions (i.e., front-line systems).
3. The initiating events included in the analysis and grouped according to mitigating requirements.
4. The systems required to respond to each initiating event group and the criteria for system success.
5. Dependencies between front-line and support systems and among support systems.
Completion of this task set the groundwork for construction of the models used in the study. The systems to be analyzed were identified, and the number of and headings for event trees were defined.
2.2.2 Event Tree Construction.
The accident sequences to be analyzed in IREP were delineated by event trees. Functional event trees were constructed to clarify functional dependencies. From these and information developed in the plant familiarization activity, systemic event trees were constructed. Sequences delineated on the systemic trees were analyzed in the study.
Separate systemic event trees were constructed for each initiating event group. Each event tree has a different structure since the initiating events were grouped according to mitigating requirements. Different mitigating requirements result in different tree structure. Headings for the event trees correspond to the systems responding to the initiating event. Only front-line systems appear on the trees. System dependencies and dependencies arising from phenomenological aspects of the accident are reflected in the tree structure.
2.2.3 Systems Analysis.
Fault tree models were constructed for each front-line system. Support system fault trees were constructed to further model the particular interfaces with the front-line systems. The fault tree modeling approach used in this analysis is discussed in Section 6. Top events for the front-line system fault trees correspond to the success criteria defined in the plant familiarization task. The fault trees were developed to the component level. Component faults that affected only the particular component were grouped as "local faults." Faults that could affect multiple components, generally those faults associated with support systems, were further developed. The level of detail in the fault trees generally corresponds to the detail of available data.
In addition to hardware faults, the fault trees include unavailability due to test and maintenance, human errors associated with failing to restore components to their operable state followingtest and maintenance, and human errors associated with accident responses.
Human reliability analysis is discussed in the next section.
The detailed development contained in the system fault trees facilitated identification of hardware, test and maintenance, and human error faults that could cause multiple component failures. These three classes of common mode failures were explicitly modeled in the fault trees. Other potential common mode failures, such as environmental conditions or manufacturing defects, were not considered in the study.
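The reason Section 2.2.3 insists on developing support-system faults rather than folding them into each system's "local faults" is easiest to see by computing minimal cut sets. The following is an added example for this edition, not a model from the report: the gate table is a constructed toy of two low pressure injection systems that share one DC bus (it is not the Browns Ferry core spray or LPCI fault tree), and the probabilities are placeholders rather than WASH-1400 or plant data. The second function deliberately makes the mistake of treating the shared bus as an independent local fault of each system, so the two estimates can be compared.

```python
"""Minimal cut sets and point-estimate unavailability for a small fault tree.

Added example; not from NUREG/CR-2802. The gate table is a constructed toy
(two low pressure injection systems sharing one DC bus), not a Browns Ferry
fault tree, and the probabilities are placeholders, not WASH-1400 data.
"""
from itertools import product
from math import prod

# name -> (gate type, children). A child with no entry here is a basic event.
GATES = {
    "LPI_FAILS": ("AND", ["CS_FAILS", "LPCI_FAILS"]),         # success criterion: CS or LPCI
    "CS_FAILS": ("OR", ["CS_PUMP_LOCAL", "CS_VALVE_LOCAL",
                        "CS_TEST_MAINT", "DC_BUS_A"]),         # support fault developed, not lumped
    "LPCI_FAILS": ("OR", ["LPCI_PUMPS_FAIL", "LPCI_INJ_VALVE_LOCAL", "DC_BUS_A"]),
    "LPCI_PUMPS_FAIL": ("AND", ["LPCI_PUMP_1_LOCAL", "LPCI_PUMP_2_LOCAL"]),  # one of two pumps needed
}

# Constructed per-demand unavailabilities (placeholders).
PROBS = {
    "CS_PUMP_LOCAL": 1.0e-3, "CS_VALVE_LOCAL": 1.0e-3, "CS_TEST_MAINT": 5.0e-3,
    "LPCI_PUMP_1_LOCAL": 1.0e-3, "LPCI_PUMP_2_LOCAL": 1.0e-3,
    "LPCI_INJ_VALVE_LOCAL": 1.0e-3,
    "DC_BUS_A": 1.0e-4,
}


def minimal_cut_sets(node, gates):
    """Return the minimal cut sets of `node` as a set of frozensets of basic events."""
    if node not in gates:
        return {frozenset([node])}
    kind, children = gates[node]
    child_sets = [minimal_cut_sets(child, gates) for child in children]
    if kind == "OR":                       # any child's cut set fails the gate
        combined = set().union(*child_sets)
    elif kind == "AND":                    # one cut set from every child, unioned
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    # Absorption: drop any cut set that is a proper superset of another.
    return {s for s in combined if not any(other < s for other in combined)}


def rare_event_unavailability(cut_sets, probs):
    """Sum over minimal cut sets of the product of event probabilities
    (rare-event approximation; slightly conservative when each q << 1)."""
    return sum(prod(probs[event] for event in cut_set) for cut_set in cut_sets)


def lumped_support_variant(gates, probs, shared_event):
    """The modeling mistake: treat a shared support fault as a 'local fault'
    of each front-line system, i.e. as independent events with the same q."""
    new_gates, new_probs = {}, dict(probs)
    for name, (kind, children) in gates.items():
        renamed = []
        for child in children:
            if child == shared_event:
                child = f"{shared_event}_via_{name}"
                new_probs[child] = probs[shared_event]
            renamed.append(child)
        new_gates[name] = (kind, renamed)
    return new_gates, new_probs


if __name__ == "__main__":
    cuts = minimal_cut_sets("LPI_FAILS", GATES)
    for cut_set in sorted(cuts, key=lambda c: (len(c), sorted(c))):
        print(len(cut_set), sorted(cut_set))
    print("shared DC bus modeled :", rare_event_unavailability(cuts, PROBS))
    g2, p2 = lumped_support_variant(GATES, PROBS, "DC_BUS_A")
    print("DC bus lumped as local:",
          rare_event_unavailability(minimal_cut_sets("LPI_FAILS", g2), p2))
```

With the bus modeled once, the single-event cut set {DC_BUS_A} dominates and the top event unavailability is about 1.07e-4; with the bus relabeled as a local fault of each system it only appears in a two-event cut set and the estimate drops to about 7.8e-6, a factor of roughly fourteen too optimistic. That gap is exactly what the support-system investigation of Section 2.1 is meant to expose.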
2.2.4 Human Reliability and Procedural Analysis.
Test, maintenance, and emergency procedures were reviewed to determine potential human errors. Human errors associated with failing to restore the system to its operable state following test and maintenance were included explicitly in the fault trees.
Potential operator errors in response to an accident were included in a limited way. The emergency procedures expected to be used in response to each accident sequence were reviewed to identify actions expected to be performed. Incorrect performance or omission of these actions was postulated and included in the model. The investigation, however, was limited to those actions expected to be performed, rather than postulating all actions an operator might take.
2.2.5 Data Base Development.
A modified WASH-1400 data base was used for quantification of hardware faults. In some instances, plant-specific data were used instead. Test and maintenance intervals and durations were obtained, where possible, from discussions with plant personnel and from reviewing plant logs. Estimated upper values were chosen for human error rates for initial calculations. For those human errors that appeared in potentially dominant accident sequences, detailed analyses were performed with the assistance of human-factors specialists. This approach to human error quantification permitted more efficient use of limited human-factors expertise.
2.2.6 Accident Sequence Evaluation.
For each accident sequence, an initial frequency was calculated. This was performed by logically combining the initiating event and the system successes and failures to develop combinations of failures that could result in the accident sequence. Frequencies assigned to the initiating events and probabilities assigned to each failure were combined to produce a frequency for each sequence.
The evaluation process was an iterative one. Initial calculations used generic data and upper bound human error rates. From these initial calculations, a collection of potentially dominant accident sequences was chosen. These were chosen based on a cutoff frequency below which none of the sequences were expected to contribute significantly. The potentially dominant sequences were examined more closely to ensure that the probabilities chosen were as accurate as they could be and to develop better human error rate estimates. The potential for recovery actions that would terminate the sequence was evaluated in a gross manner. More refined calculations resulted in a list of dominant accident sequences.
2.2.7 Containment Analysis.
Each potential dominant accident sequence was evaluated by Battelle-Columbus Laboratories to determine the expected mechanism of containment failure and the associated probability of failure, and to characterize the potential radioactive release. This analysis was quite limited in nature, relying primarily on insights developed from similar analyses in the past, but was supplemented by further calculations where necessary.
2.2.8 Interpretation and Analysis of Results.
The dominant accident sequences in terms of risk (the highest probability sequences in the most severe release categories) were examined to develop engineering insights from the analysis. Those plant features contributing most significantly to risk were identified; these results constitute the principal results of the study. Limited uncertainty and sensitivity analyses were performed to ascertain a rough estimate of uncertainty in results and to identify those assumptions which, if changed, could significantly alter the results.
3. PLANT DESIGN

3.1 General

BF1 is a General Electric designed boiling water reactor (BWR) of the BWR-4 product line, with a Mark I (drywell and torus) containment. TVA owns and operates the unit, which is located with two essentially identical units along the Tennessee River near Decatur, Alabama. Unit 1 began operating in August 1974 and has a rated power of 3293 MW thermal (1100 MW electric). The primary differences in the reactor systems of this plant compared with earlier BWR plant designs include:

1. Variable speed recirculation pumps that discharge into jet pumps arranged around the periphery of the reactor vessel.
2. An integrated core standby cooling system (CSCS) including high pressure coolant injection (HPCI), low pressure core spray, automatic depressurization (ADS), and residual heat removal (RHR) systems.
3. An integrated RHR system providing low pressure coolant injection (LPCI), shutdown cooling, and containment cooling modes of operation.
4. A reactor core isolation cooling (RCIC) system instead of an isolation condenser for mitigating transients where the reactor is isolated from the main condenser.
5. LPCI loop selection logic has been disabled and the LPCI discharge header cross-connect valve closed.

The containment design features include:

1. A drywell enclosing the reactor coolant system.
2. A wetwell (or torus) connected to the drywell and designed to provide energy suppression in the event of a LOCA and to provide a source of water for injection into the reactor.
3. A reactor building surrounding the drywell and torus that houses the CSCS and provides a second barrier between the reactor and the plant environment.

Figure 2 provides a simplified diagram of the safety-related design features.
3.2 Accident Mitigation Functions

The plant functions necessary to prevent core melt and mitigate radiological consequences of accidents fall into two groups. One group is the functions necessary to mitigate a loss of coolant accident (LOCA) while the other group is the functions necessary to mitigate a transient. The following sections generally describe the functions and the systems that perform these functions. More detailed function and system descriptions will be found in Sections 4 and 6, respectively.
3.2.1 LOCA Mitigators. There are four functions required to mitigate the effects of a LOCA. These are reactor subcriticality, short-term containment integrity (SCI), emergency coolant injection (ECI), and decay heat removal (DHR).
Reactor subcriticality is necessary to stop the fission chain reaction so that the heat generated in the core is reduced. This action limits the thermodynamic conditions that the remaining functions must mitigate.
The control rod drive (CRD) system performs this function.
[Figure 2. Emergency core cooling systems. Simplified diagram of the drywell and wetwell, reactor vessel, main steam line to the turbine, feedwater line from the reactor feed pump, relief/safety valves, HPCI, core spray, RHR system pumps and heat exchangers, RHR service water, condensate storage tank, and containment spray connections, with motor-operated (MO) valves.]
SCI is necessary to ensure that any radioactivity released from the reactor coolant system boundary is not allowed to escape into the atmosphere. This is accomplished by ensuring that the pressure rise in the containment is limited to less than the containment design pressure. The vapor suppression system performs this function.
ECI ensures that the water lost from the reactor due to the LOCA is replaced. This action keeps the core covered and provides heat transfer from the fuel rods to prevent melting. The HPCI system provides high pressure injection while the core spray and LPCI systems provide low pressure injection. The ADS depressurizes the reactor so that the low pressure systems can operate.
DHR is the method by which heat from fission product decay is removed from the reactor to the ultimate heat sink, the Tennessee River. The RHR system provides this function in either shutdown cooling or torus cooling modes.
3.2.2 Transient Mitigators. There are four functions required to mitigate the effects of a transient. For purposes of this analysis, a transient is any event that challenges the reactor protection system (RPS) to initiate a reactor scram.
The transient mitigating functions are reactor subcriticality, overpressure protection, vessel water inventory (VWI), and DHR.
The reactor subcriticality function for transient initiators is identical to that for LOCA initiators, except that successful reactor subcriticality can also be achieved if the power conversion system (PCS) remains available following the initiator and both recirculation pumps trip. It is recognized that in this latter case the reactor is not actually subcritical. However, the resulting power level after successful recirculation pump trip is such that the capacity of the PCS is adequate to remove the heat being generated. In this case, as long as the PCS is available, the core will be cooled. If the PCS becomes unavailable, it is assumed the core will melt.
The overpressure protection function is required to ensure two actions. First, the relief valves must open to maintain reactor pressure below the emergency stress limits. Otherwise, some part of the reactor coolant boundary may rupture. Second, all the relief valves involved in this pressure limiting action must reclose after pressure falls below the relief valve setpoint to prevent an uncontrolled release of reactor coolant inventory.
The VWI function is analogous to the ECI function for LOCA initiators. The HPCI or RCIC system can provide high pressure coolant injection. For some transients, the PCS can also provide both the VWI and DHR functions. If the PCS is not available, isolation of the main condenser from the reactor vessel with the main steam isolation valves is necessary for successful VWI. Manual depressurization of the reactor vessel using the relief valves permits any of the low pressure systems (core spray, LPCI, the condensate system, or the standby coolant supply (SBCS) system) to provide injection.
The DHR function for transients is the same as that described previously for LOCAs except for the case when PCS can provide long-term decay heat removal.
3.3 Front-Line and Support Systems

Front-line systems are those that directly perform the functions for mitigating the effects of a LOCA or a transient. Support systems are those systems that affect LOCA or transient mitigation by way of their effect on the front-line systems. Table 2 lists the front-line systems for each mitigating function mentioned in Section 3.2. Table 3 lists both the front-line and support systems and their interdependencies.
Table 2. Front-line systems for LOCA and transient functions

LOCA functions:
- RS (reactor subcriticality): CRDHS
- SCI: VS (vapor suppression)
- ECI, high pressure systems: HPCI
- ECI, low pressure systems: ADS, CS (core spray), LPCI
- DHR: RHR

Transient functions:
- RS (reactor subcriticality): CRDHS, RPT
- OP (overpressure protection): relief valves
- VWI, main steam isolation: MSIVs
- VWI, high pressure systems: HPCI, RCIC, PCS
- VWI, low pressure systems: manual depressurization, CS (core spray), LPCI, condensate, SBCS
- DHR: RHR, PCS
Table 3. Front-line systems versus support systems

Support systems (columns): AC power, DC power, EAC (equipment area cooling), EECW, RHRSW, RCW, circulating water, keep-full system, RPS, operator.

Front-line systems (rows; see note a): RCIC, RHR (shutdown cooling), RHR (torus cooling), RPT, HPCI, ADS, core spray, SBCS, PCS, CRD, relief valves, vapor suppression, MSI.

Each row is marked against the support systems it depends on; the operator entries cite the emergency operating instructions relied upon (EOI-74, EOI-1,2,3, and EOI-85). The individual dependency marks of the matrix are not reproduced here.

a. The front-line systems are given a one-letter name on the systemic event trees (see Table A-12).
b. Equipment area cooling.
4. INITIATING EVENTS

4.1 Introduction

Accident-sequence definition is one of the major steps of a risk assessment. It consists of defining a list of potential accident-initiating events and developing event trees to define the accident sequences that could result from these initiating events. Event tree development is discussed in Section 5 of this report.
4.2 Identification of Potential Core-Related Initiating Events

As a starting point for the risk assessment, potential initiating events that could lead to the release of significant amounts of radioactivity to the environment had to be identified. The initiating event list developed here is for core-related accidents with the plant at or near full power. Significant fuel pin damage can only take place if, as the result of greatly increased fuel temperatures, the fuel melts (or at least the cladding melts, which could, in turn, cause the fuel to collapse).
In order for the fuel or cladding to melt, an imbalance must occur between the heat generated in the core and the heat removed from the core. Thus, potential accidents that could not cause this imbalance are excluded from consideration as core-related risks. There are two ways of creating a heat imbalance in the fuel: inadequate heat removal for the designed amount of heat generated (either at power or after shutdown) or excessive power generation due to failure to scram.
4.2.1 Inadequate Heat Removal.
Heat removal during normal power operation is accomplished by the PCS, which consists primarily of the main steam, condensate, and feedwater systems. For inadequate heat removal to occur during power operation, this normal heat flow system must be disrupted by transients or LOCAs that disable the PCS, or by LOCAs that result in loss of reactor vessel coolant inventory. Transients can cause the PCS to be unavailable either directly by failing PCS systems or indirectly by isolation of the main condenser from the reactor by events that result in closure of the main steam isolation valves (MSIVs). Similarly, LOCAs cause the MSIVs to close upon low reactor vessel level.
Heat removal during shutdown (i.e., decay heat removal) can be accomplished by the normal heat flow system (i.e., by the PCS) if available or by the RHR system. Inadequate decay heat removal would occur if both of these heat flow systems were disabled.
4.2.2 Failure to Scram.
The second possible means of creating a heat imbalance in the fuel is for the reactor power to be greater than the capacity to remove heat. The transient initiators used in this analysis are defined as malfunctions or failures in the mechanical/electrical systems that result in a demand for trip of the control rods (scram) and removal of heat from the reactor core. Actions such as scrams as part of a planned shutdown or transients that do not result in a challenge to the RPS to initiate a scram were not considered.
The transient and accident mitigating systems are designed to operate only with the reactor subcritical (i.e., with the reactor only producing decay heat). Only the PCS is capable of removing significant heat from the reactor while maintaining reactor water level. Therefore, for all initiators where the PCS is unavailable and the reactor is not made subcritical, it was assumed that the mitigating systems will not be able to keep the core covered and core damage will occur. For those initiators where the PCS is not disabled by the transient and an insufficient number of rods insert, the PCS can still remove the reactor heat and maintain water level provided recirculation pump trip (RPT) is successful. RPT is necessary to ensure that the resultant power level is within the capacity of the bypass valves to relieve steam to the condenser.
4.2.3 Initiating Event List. As discussed above, three major initiating event categories were defined: (a) LOCAs, (b) transients that disable the PCS, and (c) transients that do not affect the PCS.
LOCA Initiators. Initially, breaches of the reactor coolant boundary that lead to LOCAs inside and outside of containment were considered. However, it was determined that a rupture in an interfacing system that results in a LOCA outside primary containment always requires at least two valve failures. The probability of such an occurrence coupled with the probability of the rupture and subsequent emergency core cooling system (ECCS) failure is several orders of magnitude less than for ruptures inside containment. The rationale for exclusion of interfacing system LOCAs is provided in Section 5. Therefore only breaks inside the primary containment were considered for this analysis.
Break size ranges were developed based on system mitigation requirements. The ranges of break sizes for steam and liquid breaks were defined from the CSCS performance capability bar chart, Figure 6.3-1 of the Browns Ferry FSAR. This figure is shown as Figure 3. In general, the CSCS that are required for the various break ranges are indicated; specific CSCS performance is delineated in Table 4. The frequencies of pipe rupture as an initiating event for these various LOCA sizes are listed in Table 5.
[Figure 3. Core standby cooling systems performance capability bar chart (Figure 6.3-1 of the Browns Ferry FSAR). Horizontal axis: break area (ft²), with scale changes. Steam breaks are divided into small, intermediate, and large at 0.12 and 1.4 ft², up to the maximum steam pipe break size of 4.1 ft²; liquid breaks run to the maximum recirculation pipe break size of 4.3 ft² (with equalizer line closed). Bars show the break ranges covered by HPCI, auto-depressurization, LPCI, and core spray for steam breaks and for liquid breaks.]
Table 4. LOCA mitigation success criteria

Reactor subcriticality (all break classes): No more than 30 rods scattered throughout the core not fully inserted, or no more than five adjacent rods not fully inserted.

Short-term containment integrity (all break classes): Adequate suppression pool level and no bypass leakage from drywell to wetwell.

Decay heat removal (all break classes): Two of four RHR pumps with associated heat exchangers in torus cooling mode, or one of four RHR pumps with associated heat exchangers in shutdown cooling mode.

Emergency coolant injection, by break class:

- Large break, liquid line, 0.3 to 4.3 ft², suction side: Two core spray loops and two of four LPCI pumps; or four of four LPCI pumps; or one of two core spray loops and two of four LPCI pumps (one LPCI pump per injection loop).
- Large break, liquid line, 0.3 to 4.3 ft², discharge side: Two core spray loops; or one of two core spray loops and one of two LPCI pumps on the unaffected side.
- Large break, steam line, 1.4 to 4.1 ft²: Two core spray loops; or four of four LPCI pumps; or one of two core spray loops and one of four LPCI pumps.
- Intermediate break, liquid line, 0.12 to 0.3 ft²: One of one HPCI pump; or four of six ADS relief valves and (one of four LPCI pumps or one of two core spray loops).
- Intermediate break, steam line, 0.12 to 1.4 ft²: One of one HPCI pump; or one of four LPCI pumps; or one of two core spray loops.
- Small break, liquid or steam, up to 0.12 ft²: One of one HPCI pump; or four of six ADS relief valves and one of four LPCI pumps; or four of six ADS relief valves and one of two core spray loops.

Table 5. LOCA pipe rupture frequencies

| Type | Size | Location | Frequency (per reactor-year) |
|---|---|---|---|
| Liquid | Large | Suction side | 9.9 x 10^-6 |
| Liquid | Large | Discharge side | 3.9 x 10^-5 |
| Steam | Large | | 5.2 x 10^-5 |
| Liquid | Intermediate | | 9.0 x 10^-5 |
| Steam | Intermediate | | 2.1 x 10^-4 |
| Liquid or steam | Small | | 1.0 x 10^-3 |
Initiating event frequencies for the various liquid and steam LOCA break sizes were generally derived by multiplying the probability of a given break size by the relative frequency with which the break occurs in a specific portion of piping of that size. One basic assumption was that, within a given break range category (e.g., intermediate piping, 2 to 6 in.), the rupture was equally likely to occur anywhere in the piping, whether for liquid or steam. The probability of a given break size was taken from Table III 6-9 of WASH-1400.
The BF1 plant piping isometrics for the systems that comprise the primary pressure boundary were examined to determine the relative probability that the break occurs in a specific portion of the piping. Section 2.1 of Appendix A provides an example calculation of LOCA initiator frequency.
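The length-apportionment step described above, worked through in code. This is an added illustration and not part of the report or its appendices; the piping lengths are constructed (chosen so that the split roughly reproduces the large-break entries of Table 5), and only the 1 x 10^-4 per reactor-year large-break frequency is taken from the text.

```python
"""Apportion a break-size frequency over the piping in which the break
can occur, in proportion to piping length (the method described in the
text).  The lengths below are CONSTRUCTED illustrations, not the BF1
isometric take-offs; they were chosen so the split approximates the
large liquid/steam values in Table 5."""

# Assumed: WASH-1400 Table III 6-9 large-break frequency, per reactor-year
# (the report quotes 1 x 10^-4 for a large pipe rupture).
P_LARGE_BREAK = 1.0e-4

# Constructed piping lengths (ft) for the three large-break locations.
LARGE_BREAK_PIPING_FT = {
    "liquid, suction side": 99.0,
    "liquid, discharge side": 390.0,
    "steam": 520.0,
}


def apportion_frequency(total_frequency, lengths_by_location):
    """Split total_frequency across locations in proportion to length.

    Assumes a break is equally likely per unit length anywhere within the
    size category, so P(location | break) = L_loc / sum(L).
    """
    if any(length < 0 for length in lengths_by_location.values()):
        raise ValueError("piping lengths must be non-negative")
    total_length = sum(lengths_by_location.values())
    if total_length == 0:
        raise ValueError("no piping in this break-size category")
    return {
        location: total_frequency * length / total_length
        for location, length in lengths_by_location.items()
    }


def large_break_initiators():
    """Large-break initiator frequencies by location, per reactor-year."""
    return apportion_frequency(P_LARGE_BREAK, LARGE_BREAK_PIPING_FT)


if __name__ == "__main__":
    for location, frequency in large_break_initiators().items():
        print(f"{location:25s} {frequency:.2e} per reactor-year")
```

The three results sum back to the break-size frequency by construction; the same function serves the intermediate and small categories once their piping lengths are substituted.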
Transient-induced LOCAs were treated as a special category of LOCA initiators. Failure of a sufficient number of safety relief valves to open following a transient initiating event was assumed to result in a primary system pressure boundary rupture. Failure of these valves to reclose after opening, or failure of isolation valves in the main steam lines to close (when PCS is not available), will also result in a LOCA initiator. As discussed in Section 3 of Appendix A, both failure of a sufficient number of safety relief valves to open and failure of the MSIVs to close were determined to be insignificant compared to other LOCA initiator frequencies. However, the LOCA initiator due to a stuck-open relief valve (SORV) is the most likely of all LOCA initiators and is similar to an intermediate steam break.
Section 3 of Appendix A addresses these particular LOCA initiators.
These initiating event designators and their associated frequencies are shown in Table C-10 of Appendix C.
Transient Initiators-The initial set of transient initiators identified for this analysis were those listed in EPRI NP-801. Table A-5 of Appendix A defines this list of transient initiators. Section 14, "Plant Safety Analysis," of the Browns Ferry FSAR identified those transients that cause thermal-hydraulic, flux, pressure, or similar reactor parameters to challenge the RPS to initiate a scram.
The Licensee Event Reports (LERs)9 submitted by Browns Ferry were examined to determine whether there were events not identified in EPRI NP-801. No additional events were identified from this set of LERs. Each of the transient initiators was further examined, along with various electric power bus and cooling water system failures, to identify transient initiator effects on front-line system availability. This analysis is described in Section 4.3.2. The set of transient initiators was then examined and grouped according to common mitigating requirements.
Only the availability of the PCS varied and, hence, initiating events were grouped according to their effect on PCS availability. Seven of the 37 EPRI NP-801 events were classified as transient initiators that result in the PCS being unavailable for mitigation of the transient.
Of the remaining 30 events, 8 were identified as having no effect on PCS availability and 22 were considered not applicable to this study. Reasons for exclusion of these events are briefly summarized in Table A-6 of Appendix A.
One final consideration was given to the loss of offsite power (LOSP) transient. This LOSP event was originally grouped as a PCS-unavailable transient initiator. However, because other mitigation systems are also affected by this event, it was treated separately in the transient event tree analysis.
The frequency of the transient initiators was estimated using the techniques discussed in EPRI NP-801. An example of these methods is illustrated in Section 2 of Appendix A. Table 6 lists the frequencies of these transient initiators. The transient frequencies were estimated using two methods. The first method used strictly the plant-specific data found in EPRI NP-801. The second method was to obtain all pertinent BWR experience from EPRI NP-801 and to calculate the frequency based on the BWR data set. For this analysis, the plant-specific data were used in the transient event tree quantification.
The transient mitigation success criteria are given in Table 7.
Table 6. Transient initiator groupings and frequencies

                                                            Frequencies (events/year)
                                                              BF1       BWRs
Group 1-Transients that cause PCS to be unavailable
  a. MSIV closure                                             0.58      0.24
  b. Loss of normal condenser vacuum                          0.56      0.41
  c. Pressure regulator fails open                            0         0.25
  d. Loss of feedwater flow                                   0.51      0.17
  e. Loss of offsite power                                    0.03      0.11
  f. Loss of auxiliary power                                  0         0.03
  g. Increased feedwater flow at power                        0.05      0.18
  Totals                                                      1.73      1.39

Group 2-Transients that do not cause PCS to be unavailable
  a. Electric load rejection                                  1.02      0.74
  b. Electric load rejection with bypass failure              0         0
  c. Turbine trip                                             0.58      0.77
  d. Turbine trip with bypass failure                         0         0
  e. Inadvertent closure of one MSIV                          0         0.10
  f. Pressure regulator fails closed                          0         0.11
  g. Bypass/control valve fails causing pressure increase     0.05      0.25
  h. Recirculation control fails causing increased flow       0.03      0.10
  Totals                                                      1.68      2.07

4.3 Initiating Event/Mitigating System Dependencies

In addition to identifying the initiating events, it is important to determine what effect the initiator may have on those systems designed to respond to the accident. In some cases, the initiating event may originate in a mitigating system. The resulting accident sequence could be significant since the normal level of redundancy in mitigating systems has been degraded.
The following sections discuss the LOCA and transient initiator effects on mitigating systems.
4.3.1 LOCA Initiator Effects on Mitigating Systems.
Some of the LOCA initiators have the potential to render LOCA mitigation systems partially or completely inoperable. For example, a break on the discharge piping of a recirculation loop renders one loop of LPCI inoperable. To account for this possibility in the sequence calculations, the following procedure was used.
If a LOCA initiator could disable a mitigating system, the length of piping for the mitigating system susceptible to that LOCA was calculated using TVA-supplied isometric drawings. Then, the total length of piping susceptible to that initiator was calculated. Table 8 provides a list of the systems and the percentage of their piping susceptible to a particular LOCA initiator. It was assumed that for a particular break size,
Table 7. Transient mitigation success criteria

Columns: Anticipated Transient | Reactor Shutdown (CRD, RPT) | Overpressure Protection (OP(O), OP(C)) (a) | MSI | Vessel Water Inventory (HPCI, DEP, INJ) | DHR (RHR)

Transients where PCS is available
  CRD: No more than 30 rods fail to insert; no more than five adjacent rods fail to insert
  RPT: Both recirculating pumps trip (b)
  OP(O): NA
  OP(C): All relief valves reclose (c)
  Condenser available; feed system providing makeup
  MSI: MSIVs shut; turbine valves and bypass valves shut (d)
  HPCI: HPCI, RCIC
  DEP: Manual operation of at least four relief valves
  INJ: One LPCI pump, or one core spray loop, or one booster and one condensate pump
  RHR: Two RHR pumps and two heat exchangers in torus cooling mode; one RHR pump and one heat exchanger in shutdown cooling mode; one RHRSW pump in SBCS mode

Transients where PCS is unavailable
  CRD: No more than 30 rods fail to insert; no more than five adjacent rods fail to insert
  RPT: NA
  OP(O): Direct scram, 2 of 13 valves; flux scram, 7 of 13 valves; pressure scram, 10 of 13 valves
  OP(C): All relief valves reclose
  MSI: MSIVs shut, or turbine valves and bypass valves shut
  HPCI: HPCI, RCIC
  DEP: Manual operation of at least four relief valves
  INJ: One LPCI pump, or one core spray loop, or one booster and one condensate pump (e)
  RHR: Two RHR pumps and two heat exchangers in torus cooling mode; one RHR pump and one heat exchanger in shutdown cooling mode; one RHRSW pump in SBCS mode

a. Relief valves open, OP(O), and reclose, OP(C).
b. If both recirculation pumps trip and PCS remains available, the resulting power level is such that the capacity of the bypass valves is adequate to remove the heat being generated.
c. Even though relief valve action is not required, some relief valves will open.
d. MSI only necessary if PCS fails.
e. Although PCS is unavailable, the condensate system may still be operable.
Table 8. LOCA initiator effects on mitigating systems

Columns: LOCA Type | Mitigating Systems Lost | Piping Susceptible to LOCA (%) | Remarks

Large break on discharge of recirculation loops
  Systems lost: One LPCI loop and one shutdown cooling discharge path
  Piping susceptible: NA
  Remarks: Both are lost due to break location

Large break on suction of recirculation loops
  Systems lost: All of shutdown cooling, or none
  Piping susceptible: 55 (suction of recirculation Loop A); 45 (suction of recirculation Loop B)
  Remarks: Suction for both shutdown cooling loops comes from recirculation Loop A

Large steam
  Systems lost: None

Intermediate steam
  Systems lost: HPCI, or one core spray loop, or none
  Piping susceptible: 23.2 (HPCI); 3.8 (core spray); 73.0 (other piping)
  Remarks: Majority of piping susceptible to LOCA does not affect mitigating systems

Intermediate liquid
  Systems lost: One LPCI loop and one shutdown cooling discharge path, or all shutdown cooling, or none
  Piping susceptible: 78.2 (discharge of Loop A or B); 11.2 (suction of recirculation Loop A); 10.6 (suction of recirculation Loop B)

Small liquid or steam
  Systems lost: Steam: HPCI, or one core spray loop; Liquid: one LPCI loop and one shutdown cooling discharge path, or all shutdown cooling; Steam and liquid: none
  Piping susceptible: 16.3 (HPCI); 1.3 (core spray); 23.3 (recirculation discharge); 3.4 (suction of recirculation Loop A); 55.7 (other piping)
  Remarks: Assumes a small break can occur in larger piping and renders mitigating systems unavailable as in the large break cases
the LOCA was equally likely to occur at any point on the piping susceptible to the LOCA. The unavailability of the mitigating systems was calculated considering the effect of the initiator. Therefore, the sequence frequency is the sum of two terms. The first term is the product of the probability of a break occurring in a location that affects the mitigating systems and the unavailabilities of those systems. The second term is the product of the probability of the break occurring in a location that does not affect the mitigating systems and the unavailability of those systems under that condition. Section 2.3.4 of Appendix C provides an example of this method.
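The sum-of-terms calculation in this section, written out as an added example (not the Appendix C calculation). It uses the intermediate liquid break frequency from Table 5 and the piping fractions from Table 8; the per-location system unavailabilities are constructed placeholders, and the function generalizes the report's two-term expression to any number of break-location classes.

```python
"""Sequence frequency when the LOCA can disable part of the mitigating
system, following the sum-of-terms method in Section 4.3.1.  The
initiator frequency and piping fractions are the report's (Tables 5 and
8, intermediate liquid break); the per-condition system unavailabilities
are CONSTRUCTED placeholders, not values from Appendix C."""

# Table 5: intermediate liquid break frequency, per reactor-year.
F_INTERMEDIATE_LIQUID = 9.0e-5

# Table 8: fraction of intermediate-liquid piping by break location.
# The comment on each line is what a break there removes (Table 8).
BREAK_LOCATIONS = {
    "recirculation discharge (Loop A or B)": 0.782,  # one LPCI loop + one S/D cooling path lost
    "recirculation suction, Loop A": 0.112,          # all shutdown cooling lost
    "recirculation suction, Loop B": 0.106,          # nothing lost
}

# CONSTRUCTED unavailability of the mitigating-system combination being
# evaluated, conditioned on each break location (placeholder values).
UNAVAILABILITY_GIVEN_LOCATION = {
    "recirculation discharge (Loop A or B)": 2.0e-3,
    "recirculation suction, Loop A": 5.0e-3,
    "recirculation suction, Loop B": 1.0e-3,
}


def sequence_frequency(initiator_frequency, location_fractions,
                       unavailability_by_location):
    """Return f_init * sum over locations of P(loc) * Q(systems | loc).

    The report writes this with two terms (break affects / does not affect
    the systems); this is the same expression for any number of location
    classes.  The fractions must partition the susceptible piping.
    """
    if set(location_fractions) != set(unavailability_by_location):
        raise ValueError("every location needs a fraction and an unavailability")
    total = sum(location_fractions.values())
    if abs(total - 1.0) > 1e-6:
        raise ValueError(f"location fractions sum to {total}, expected 1")
    conditional = sum(
        fraction * unavailability_by_location[location]
        for location, fraction in location_fractions.items()
    )
    return initiator_frequency * conditional


def intermediate_liquid_example():
    """Worked case: intermediate liquid break with the placeholder Q values."""
    return sequence_frequency(F_INTERMEDIATE_LIQUID, BREAK_LOCATIONS,
                              UNAVAILABILITY_GIVEN_LOCATION)


if __name__ == "__main__":
    print(f"sequence frequency: {intermediate_liquid_example():.3e} per reactor-year")
```

Using the undegraded unavailability everywhere (here 1.0e-3) would give 9.0e-8 for this case; the location-weighted value is more than twice that, which is the effect the procedure is designed to capture.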
4.3.2 Transient Initiator Effects on Mitigating Systems
Introduction-Transient initiators are identified in Section 4.2 and are grouped according to their effect on PCS availability. However, it was necessary to examine these events further in order to determine whether they could originate in mitigating systems or affect front-line systems other than the PCS.
Procedure-The goal of the transient initiator analysis was to identify those plant failures at a component or system level that could impact mitigating system availability. The identification of transient initiator effects was done by a three-part process as described below:
Task 1. Consequence Evaluation of Electrical Failures-Failure of each plant electrical bus was postulated. Equipment powered by the bus was tracked and the effect of its failure on the plant was identified.
Task 2. Consequence Evaluation of Cooling System Failures-Failure of each cooling system was postulated. Loads cooled by the system were tracked and the effect of their loss on the plant was identified.
Task 3. Causal Analysis of Transient Categories-Causal-type failure analysis was performed on the 15 transient initiator categories that the BF1 study identified and selected from EPRI NP-801. The causal analysis is similar to fault tree analysis in that events that can lead to the occurrence of some undesired initiating event category are logically depicted.
Conclusions-The ultimate purpose of this effort was to identify possible dependencies in the core damage sequences not readily apparent from prior analysis. The results of Tasks 1 and 2 above are presented in tabular form in Tables A-7 to A-10 of Appendix A; Task 3 results are represented by causal failure diagrams in Figures A-1 to A-7 of Appendix A. A discussion of these results can be found in Section 2 of Appendix A. From these tables and charts the following conclusions can be drawn:
1. The only significant power failure that results in a scram and causes loss of a front-line system (i.e., the PCS) is a LOSP event.
2. Equipment cooling system failures were not considered to be significant transient initiators because of the time available for the operator to recover, e.g., to initiate alternate cooling systems.
3. The events in front-line or support systems that can initiate a transient category do not degrade the ability of the plant to respond to the accident. As can be seen from Figures A-1 to A-7 of Appendix A, the only initiating event failures identified that originate in mitigating systems were double failures in the electrical power system (EPS), e.g., failures in 250 V DC powered instrumentation and control (I&C) buses or 120 V AC RPS buses.
4. Failure of HPCI and RCIC upon loss of 250 V DC non-Class 1E power is possible but relatively improbable.
5. ACCIDENT SEQUENCE DELINEATION
5.1 Introduction-In general, the initiators listed previously in Tables 5 and 6 for LOCAs and transients, respectively, do not by themselves lead directly to fuel damage and release of radioactivity to the environment, but must be combined with other system failures. Event trees are used to display the functional relationships between systems designed to respond to a potential accident initiator.
5.2 LOCA Functional Event Trees
The LOCA functional event trees are shown in Figures 4 and 5. The purpose of these trees is to show the functions necessary to successfully terminate a LOCA sequence at BF1. A LOCA outside of the containment requires different functions for accident mitigation than the functions required for a break inside containment. This distinction made it necessary to construct two separate functional event trees for this plant.
5.2.1 LOCA Functional Event Tree-Breaks Inside Containment. If a LOCA occurs inside the primary containment boundary, there are three basic functions required for accident mitigation. These functions are successful reactor shutdown, containment integrity, and core cooling. For this plant, it is necessary to consider core cooling during two different phases of the accident.
These phases are the immediate core protection or coolant injection/reflood phase of the accident and the long-term protection or decay heat removal phase of the accident. Consequently, core cooling is considered in two different places on the functional event tree. This, in effect, gives a total of four functions to be considered on the functional event tree for breaks inside containment. These functions, together with the initiating event, are depicted as event tree headings on the functional event tree shown in Figure 4.
Function Descriptions-In the following paragraphs, each function and its relationship to other functions will be described. The LOCA, or pipe break, is the initiating event for the accident sequences depicted in the functional event tree.
Reactor Subcriticality-If a LOCA inside the containment takes place, it is necessary to immediately stop significant power or heat generation due to the sustained fission process within the reactor. This is accomplished by rapid insertion of the control rods into the core. This is the purpose of the reactor subcriticality function. It was assumed that when reactor subcriticality is unsuccessful, the accident-mitigating functions will not successfully cool the core, the core will melt and, as a result, the containment will be breached and radioactivity will be released to the plant environment.
Upon successful completion of reactor shutdown, it immediately becomes necessary to confine the coolant inventory lost from the break to the inside of the primary containment boundary and to replace the coolant inventory that has been and is being lost out of the break.
Short-Term Containment Integrity-Successful containment of the coolant inventory lost from the break will prevent radioactive products contained or entrained in the coolant from being released into the environment. However, since BWRs characteristically contain large volumes of hot coolant, the release of this coolant into the containment atmosphere will rapidly pressurize the containment. If this pressurization is not reduced or limited by some overpressure protection system, it is assumed that the containment will rapidly overpressurize and rupture. The purpose of the SCI function is to provide this immediate containment protection during the coolant injection phase of the LOCA.
Functioning of the SCI has a direct side benefit. The physical scrubbing of the coolant by the torus water while the coolant is being forced through the torus water results in some of the radioactive particulates entrained in the coolant being transferred to the torus water. This, in effect, removes radioactivity from
[Figure 4. LOCA functional event tree, break inside containment (INEL2 1642). Headings: LOCA (PB), Reactor Subcriticality (RS), Short-term Containment Integrity (SCI), Emergency Coolant Injection (ECI), Decay Heat Removal (DHR); X = function failure. Sequence remarks, 1 through 8: core cooled, slow melt, melt, core cooled, slow melt, melt, melt, melt.]

[Figure 5. LOCA functional event tree, break outside containment (INEL2 1643). Headings: LOCA (PB), Break Isolation (BI), Reactor Subcriticality (RS), Emergency Coolant Injection (ECI), Decay Heat Removal (DHR); X = function failure. Sequence remarks: transient sequence, core cooled, slow melt, melt, melt.]
the coolant, which results in less radioactivity buildup in the containment atmosphere. If the containment is subsequently breached such that the containment atmosphere is released to the environment, the resulting release will not be as severely radioactive as a release associated with the direct discharge of coolant to the environment.
Should the SCI function fail and the containment rupture, radioactivity will be released to the environment. However, the physical failure of the containment does not necessarily preclude other functions from being performed if the rupture occurs above the water line of the torus. As long as torus water is available, coolant injection can succeed, regardless of the state of the containment. Therefore, the event tree still shows branches for other accident-mitigating functions even though the SCI function has failed.
Since SCI is immediately activated by the physical processes of the LOCA, it is shown on the event tree prior to the remaining accident-mitigating functions. In other words, this function should precede the remaining functions by some finite time, and chronological ordering of the functions will place SCI before the remaining functions.
Emergency Coolant Injection-Even though the reactor is shut down, a significant amount of heat will still be generated in the fuel rods by the decay of the fission products contained within the fuel rods. This decay heat must be removed or the fuel rods will melt. Consequently, it is necessary to replace the coolant lost through the break or the core will be uncovered, the heat removal capability will be lost, and the core will melt.
The injection of relatively cool water into the core at a rate that is greater than the loss of coolant through the break is the purpose of the ECI function. There are two sources of injection water for the ECI function, the condensate storage tank (CST) and the torus. Only a limited amount of coolant (approximately 135,000 gallons) is available in the CST, requiring an eventual transfer of suction from the CST to the torus for those systems initially aligned to the CST. Consequently, as the torus water is injected into the core by the injection systems, the core is cooled, and a closed loop is formed by the injection pumps, the core, and the torus. This loop forms a recirculation flow path for the water and ensures a continuous source of water for injection. Thus, successful performance of this function will reflood the core and provide initial cooling of the core subsequent to the LOCA. Should ECI fail, it is assumed that the melt scenario discussed above will take place and the core will melt.
Upon successful completion of SCI and ECI, it becomes necessary to remove the decay heat from the torus water so that long-term core cooling can be maintained.
Decay Heat Removal-In the injection phase of the accident, discussed above, heat is continually being transferred from the core to the torus. The torus water is then pumped back into the core. This cycle will continually add heat to the torus and will ultimately cause loss of recirculation capability due to loss of net positive suction head to the pumps. The purpose of the DHR function is to remove this heat directly from the torus or to prevent further heat buildup in the torus by removing the heat directly from the reactor coolant circulating around the core. These two modes of the RHR system are known as the torus cooling mode and the shutdown cooling mode, respectively. Success of the DHR function by either mode provides long-term core cooling and protection of the containment from overpressurization.
Heat is removed from the torus by the RHR heat exchangers installed in the discharge paths of the RHR pumps. River water is pumped through one side of these heat exchangers while the torus water passes through the other side. The heat in the torus water is transferred to the river water and the torus water is cooled.
Heat is removed from the reactor coolant circulating around the core in much the same way as it is removed from the torus. The RHR pumps are aligned to take a suction from recirculation Loop A and discharge back into one of the recirculation discharge loops via the RHR heat exchangers. Again, the decay heat is transferred to the river water. Of course, if the break is located on the suction side of recirculation Loop A, this method of decay heat removal will not be available.
Should DHR fail, it is assumed that the core will melt and the containment will fail due to the inability to continue pumping water from the torus back to the reactor.
Sequence Descriptions-The following paragraphs discuss the sequences shown in the LOCA functional event tree for breaks inside containment as depicted in Figure 4.
Sequence 1 (no failures)-Sequence 1 is the LOCA sequence with all functions working as expected. In this sequence, the core is cooled and no radioactivity is released to the environment.
Sequence 2 (DHR failure)-In Sequence 2, the DHR function is unavailable after successful performance of the other functions. In this case, decay heat cannot be removed and, eventually, the core will melt, the containment will be breached, and radioactivity will be released to the atmosphere.
Sequence 3 (ECI failure)-In Sequence 3, ECI fails, which causes a relatively rapid core melt and, thus, precludes the success of the DHR function.
Sequence 4 (SCI failure)-As discussed earlier, the failure of SCI does not necessarily preclude the success of the ECI or DHR functions. This is depicted in Sequence 4. In this sequence, the core is cooled even though the containment has been breached by the failure of SCI. The resulting radioactivity release will not be as severe as a release following core melt because, in this sequence, the core is still cooled.
Sequence 5 (SCI and DHR failure)-Sequence 5 results when both SCI and DHR fail. In this case, the containment is breached by the loss of the SCI function and the core eventually melts because the DHR function fails.
Sequence 6 (SCI and ECI failure)-Sequence 6 results when SCI and ECI both fail. Since the core cannot be cooled and the containment has already failed, core melt will occur and radioactivity will be released to the environment. No sequence branch is necessary for DHR because the core has melted before this function can mitigate the accident.
Sequence 7 (no mitigating functions)-As discussed earlier, when the reactor cannot be shut down following a LOCA, it is assumed that the accident-mitigating functions will not successfully cool the core, the core will rapidly melt and, as a result, the containment will be breached. In this case, a branch is still shown for the SCI function because, if this function is successful, fission products entrained in the coolant will be scrubbed by the torus water, and the resultant radioactivity release will not be as severe as when the SCI fails to function at all. Sequence 7 depicts a failure of the reactor to shut down with subsequent success of the SCI function.
It should be noted that even with SCI function success, the containment will eventually rupture due to the core melt. But the consequences of the resulting release may be different from those resulting from Sequence 8.
Sequence 8 (scram and SCI failure)-Sequence 8 results when reactor subcriticality fails and SCI fails. In this case, the core melts rapidly and the containment is breached with resultant release of radioactivity to the environment. ECI and DHR will not mitigate the accident.
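The branching rules stated in the sequence descriptions can be encoded and used to regenerate the eight sequences of Figure 4. The block below is an added illustration, not a tool from the report; the initiator frequency and function failure probabilities it uses are constructed placeholders, and the sequence numbering follows the upper-branch-first (success first) reading of the figure.

```python
"""Enumerate the sequences of the functional event tree for a LOCA inside
containment (Figure 4) from the dependency rules stated in the text, and
attach a frequency to each.  Added illustration, not the report's own
tool.  Branch probabilities used in main() are CONSTRUCTED placeholders."""

HEADINGS = ("RS", "SCI", "ECI", "DHR")   # questioned after the initiator PB


def not_applicable(heading, failed):
    """Headings that get no branch (N/A) given earlier failures.

    From the text: if RS fails, ECI and DHR cannot cool the core (SCI is
    still questioned because torus scrubbing changes the release); if ECI
    fails, DHR cannot act before the core melts.
    """
    if heading in ("ECI", "DHR") and "RS" in failed:
        return True
    if heading == "DHR" and "ECI" in failed:
        return True
    return False


def outcome(failed):
    """Remark column of Figure 4 for a given set of failed functions."""
    if "RS" in failed or "ECI" in failed:
        return "melt"
    if "DHR" in failed:
        return "slow melt"
    return "core cooled"


def enumerate_sequences():
    """Depth-first walk, success branch first; returns one dict per sequence."""
    sequences = []

    def walk(index, failed, questioned):
        if index == len(HEADINGS):
            sequences.append({
                "number": len(sequences) + 1,
                "failed": frozenset(failed),
                "questioned": tuple(questioned),
                "outcome": outcome(failed),
            })
            return
        heading = HEADINGS[index]
        if not_applicable(heading, failed):
            walk(index + 1, failed, questioned)           # no branch drawn
            return
        walk(index + 1, failed, questioned + (heading,))              # success
        walk(index + 1, failed | {heading}, questioned + (heading,))  # failure

    walk(0, frozenset(), ())
    return sequences


def sequence_frequencies(initiator_frequency, p_fail):
    """Attach f_init * product of branch probabilities to each sequence.

    p_fail maps each heading to its failure probability; headings that
    were N/A in a sequence contribute no factor.
    """
    result = []
    for seq in enumerate_sequences():
        p = 1.0
        for heading in seq["questioned"]:
            p *= p_fail[heading] if heading in seq["failed"] else 1.0 - p_fail[heading]
        result.append({**seq, "frequency": initiator_frequency * p})
    return result


def melt_frequency(sequences):
    """Total frequency of sequences whose remark is not 'core cooled'."""
    return sum(s["frequency"] for s in sequences if s["outcome"] != "core cooled")


if __name__ == "__main__":
    # CONSTRUCTED placeholder values, not BF1 results.
    placeholder_p_fail = {"RS": 1e-5, "SCI": 1e-3, "ECI": 1e-3, "DHR": 1e-2}
    for s in sequence_frequencies(1.0e-4, placeholder_p_fail):
        failed = ",".join(sorted(s["failed"])) or "-"
        print(f"{s['number']}  failed={failed:8s} {s['outcome']:11s} {s['frequency']:.2e}")
```

Because the N/A rule drops a heading rather than assigning it a probability, the sequence frequencies always sum back to the initiator frequency, which is a useful consistency check when a tree is quantified by hand.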
The LOCA systemic event trees are presented in Figures 6 through 11. The purpose of these trees is to show the interrelationships among the various systems that perform the functions previously discussed.
Specific system success criteria are provided in Tables A-2 and A-3 of Appendix A.
5.2.2 LOCA Functional Event Tree-Breaks Outside Containment. If a LOCA occurs outside of the primary containment boundary, there are only two basic functions available for mitigating the LOCA once it is determined that the break cannot be isolated. These functions are successful reactor shutdown and core cooling. Containment overpressure protection will not be necessary because all heat, noncondensable gases, and radioactivity will be transmitted outside of the containment by the break. Core cooling is
[Figures 6 through 11: LOCA systemic event trees (figure residue; only captions and headings are recoverable). Each tree carries the functional headings PB (LOCA), RS, SCI, ECI and DHR over the system headings CRD (B), VS (C), HPCI (D), ADS (E), core spray loops (F_A, F_B), LPCI (G), torus cooling (R_B) and S/D cooling (R_A); X = function failure; legend: S/D = Shutdown, Clg = Cooling; the remarks column gives the sequence outcome (core cooled, slow melt, melt).

Figure 6. LOCA systemic event tree for large liquid break, suction-side of recirculation pumps (L_S). Break size (ft2): 0.3 to 4.3. INEL2 1631.
Figure 7. LOCA systemic event tree for large liquid break, discharge-side of recirculation pumps (L_D). Break size (ft2): 0.3 to 4.3. INEL2 1632.
Figure 8. LOCA systemic event tree for large steam break (L_V). Break size (ft2): 1.4 to 4.1. INEL2 1633.
Figure 9. LOCA systemic event tree for intermediate liquid break (I_L). Break size (ft2): 0.12 to 0.3. INEL2 1634.
Figure 10. LOCA systemic event tree for intermediate steam break (I_V). Break size (ft2): 0.12 to 1.4; entered from the transient systemic event trees (Figures A-13 and A-14). INEL2 1635.
Figure 11. LOCA systemic event tree for small liquid-line or steam-line break (S). Break size (ft2): less than 0.12. INEL2 1636.]
still needed during the injection and long-term decay heat removal phases. This results in only three functions to be considered on the functional event tree for breaks outside containment. These functions, along with the initiating event and break isolation, are depicted as event tree headings in the functional event tree shown in Figure 5.
Function Descriptions-In order for a break outside the containment to become a LOCA, the break must be incapable of being isolated. Otherwise, the accident becomes a transient in which the break is isolated and, depending on break location, the PCS may or may not be available for mitigation of the transient.
The second heading on the event tree, break isolation, reflects whether or not the break is isolated.
Reactor Subcriticality and Emergency Coolant Injection-The reactor subcriticality and ECI functions are identical to the corresponding functions discussed for the LOCA functional event tree for breaks inside containment.
Decay Heat Removal-If a break occurs outside of the containment, the coolant emitted from the break does not enter the torus as it does when the break occurs inside the containment. Thus, no closed loop is formed to return coolant to the core from the torus, and the DHR function is different from that discussed earlier for a break inside containment.
For the break inside containment, the DHR function basically involves cooling of the torus water. Since a break outside the containment will eventually lead to loss of torus water, it will be necessary to replenish the torus water for successful long-term cooling of the core.
It should be noted that, in this case, the DHR function appears to be a continuous form of injection rather than torus recirculation. This is, in effect, the case. Failure of the DHR function will eventually lead to core melt.
Frequencies of LOCA Outside Containment-Initially, breaches of the reactor coolant boundary that lead to LOCAs both inside and outside of containment were considered. However, it was determined that a rupture in an interfacing system that results in a LOCA outside primary containment always requires at least two valve failures. The probability of the rupture and subsequent failure to isolate is several orders of magnitude less than that for ruptures inside containment. Similarly, for low pressure systems connected to the reactor coolant boundary but not normally operating when the reactor is at pressure, at least two valve failures must occur for the low pressure system to rupture due to exceeding its design pressure. Therefore, only breaks inside the primary containment were considered for this analysis. The rationale for exclusion of the break-outside-containment initiators is provided in the following sections.
Large Breaks-A large liquid break on the suction side of the reactor coolant recirculation pump cannot normally occur outside containment since there are two normally closed flow control valves (FCV-7448 and 47) on either side of the containment penetration.
A large liquid break on the discharge side of recirculation pumps in the RHR injection piping would require failure of the testable check valve (CV-74-54). From Section 2 of Appendix A, the frequency for a large pipe rupture was I x 10"I per reactor-year (Table III6-9 of WASH-1400). Section XIof the ASME Boiler and Pressure Vessel Code,10 provides that the test frequency for check valves is at least once every 3 months. Failure frequency of a check valve in the severe internal leak mode is 3 x 10 7 per hour. The resultant unavailability based on a 3 month testing interval is 3 x 10"I. Thus, the failure frequency for a large break LOCA in the RHR injection piping outside the primary containment is (1 x 10 I)
(3 x 10+) = 3 x 10 8 per reactor-year which is insignificant compared to a large discharge break inside containment (3.9 x 10 5).
Large steam breaks were also insignificant. Section 2.13 of Appendix B shows a failure probability of 1.1 x 10 7 for failure of both MSIVs to close in a given steam line. A large steam break could also occur in the core spray, HPCI, or feedwater piping outside containment. For this failure to occur and not be 33
isolatable would require failure of a check valve and would be similar to the large liquid break frequency shown previously, 3 x 10 g. This value is insignificant compared to the frequency of 5.2 x 10 5 for the large steam break inside containment.
Intermediate Breaks-The only intermediate size liquid break piping that interfaces with the primary coolant pressure boundary is that of the reactor water cleanup system. For a break to occur outside con-tainment in the reactor water cleanup piping and not be isolatable would require the failure of an electric motor-operated valve to close (e.g., FCV-69-1), given the intermediate break. The valve failure rate is 1 x 10 3 per demand.
The intermediate break frequency is 3 x 10"I per year. This results in a relative initiator frequency of (3 x 10+)(I x 10 3) = 3 x 10 7, compared with a frequency of 9 x 10 5 for an intermediate break inside containment. In addition, hand control valve (HCV-69-500) can be utilized to isolate the break.
An intermediate size steam break could occur outside containment in the RCIC or feedwater piping. For this break to occur and not be isolatable would require failure of a check valve (CV-3-572) to close, given the intermediate break. In this case, the valve failure rate is 1 x 10+ per demand. This results in a relative initiator frequency of (3 x 10 4)(1 x 10"I) = 3 x 10 g, compared with 2.1 x 10+ for an intermediate steam break inside containment. In addition, hand control valve (HCV-3-66) can be utilized to isolate the break.
Although intermediate size breaks can occur on larger size piping, the frequency of these breaks and failure to isolate the large line is likewise insignificant.
Small Breaks-No small liquid or steam breaks were identified that interface with the primary coolant pressure boundary under the guidelines of NPRDS (Reference 11) for excluding lines 1-1/4-in. diameter or less.
Although small size breaks could occur on large or intermediate piping, the break frequency and probability of failure to isolate makes these events insignificant compared to small breaks inside containment.
5.3 Transient Functional Event Trees
For purposes of this analysis, a transient is any event that causes thermal-hydraulic, flux, pressure, or similar reactor parameters to challenge the RPS to initiate a scram. Actions, such as a scram, as part of a planned shutdown or transients that do not directly result in a challenge to the RPS were not considered.
The transient functional event tree is shown as Figure 12.
5.3.1 Function Descriptions
Reactor Subcriticality-The control rods should insert upon receipt of a scram signal caused by the transient. It is necessary for the control rods to insert in order to ensure that the reactor power level after the transient is low enough to allow the transient mitigating systems to function. Failure to insert a sufficient number of rods to achieve subcriticality after a transient with the PCS unavailable will result in a core melt.
However, if both reactor coolant recirculation pumps trip and the PCS remains available, the resulting power level is such that the capacity of the bypass valves is adequate to remove the heat being generated.
Overpressure Protection-Following a loss of the PCS as a heat sink for the reactor, reactor pressure will increase sharply due to the decay heat generated by the core. It is necessary for a sufficient number of relief valves to open to limit this pressure rise in order to prevent exceeding reactor design pressure limits. It is also necessary that any relief valves which open in response to this pressure rise reclose when the pressure has dropped below the setpoint of the relief valves. Thus, there are two different ways the overpressure protection function can fail. One involves allowing pressure to get high enough to cause a break somewhere in the system, while the other involves a LOCA due to failure of a relief valve to reclose when necessary.
Figure 12. Transient functional event tree. (Headings: AT Transient; RS Reactor Subcriticality; OP Overpressure Protection; VWI Vessel Water Inventory; DHR Decay Heat Removal. X = function failure. Sequence remarks: core cooled, slow melt, melt, LOCA sequence.)
Failure of a sufficient number of relief valves to open was an insignificant LOCA initiator as discussed in Section 2.5 of Appendix B. Failure of the safety relief valves to reclose was the most likely of the LOCA initiators. This initiator is similar to an intermediate steam break and was treated by transferring to the appropriate LOCA systemic event tree.
Vessel Water Inventory-The PCS (if it remains available) can provide both the VWI and DHR functions by removing steam from the reactor, condensing the steam, and returning the water to the reactor via the feed pumps.
If the main condenser becomes unavailable as a heat sink, it is necessary to isolate the reactor from the remainder of the PCS in order to prevent a loss of VWI at a rate greater than the capability of the mitigating systems to replace the water. Failure to isolate could result in a LOCA outside the containment.
However, both MSIVs in a given line must fail to close for this condition to occur.
Once the reactor is subcritical, a substantial amount of residual heat and fission product decay heat will still be produced in the reactor. This heat will cause vessel pressure to rise and will result in either manual or automatic operation of the relief valves to reduce pressure in the reactor vessel, as discussed above.
When the relief valves open to depressurize the vessel, the vessel inventory decreases because the steam passing through the valves is directed to the torus. Therefore, there are systems that must operate to inject water into the vessel to replace the lost inventory. If the systems capable of injecting water into the reactor do not maintain adequate VWI, a core melt results.
Decay Heat Removal-Even though replacement of VWI will cool the core, the torus will heat up as a result of open relief valves. Therefore, a means of directly cooling the core to prevent opening of relief valves or a means of removing heat from the torus must be established. Failure to remove heat from the core or the torus could result in containment overpressure, and ultimately, core damage.
5.3.2 Sequence Descriptions.
The following paragraphs discuss the sequences shown in the transient functional event tree as depicted in Figure 12.
Sequence 1 (no failures)-Sequence 1 represents the normal course of events where all functions are successful and the core remains covered and cooled.
Sequence 2 (DHR failure)-After successfully accomplishing the reactor subcriticality, overpressure protection, and VWI functions, the DHR function fails. With long-term decay heat removal capability lost, the reactor begins to heat up. This heat is transferred by relief valve action to the torus and causes the torus water to heat up. Eventually, the torus water becomes too hot to be pumped back into the reactor to replace the steam lost through the relief valves. Therefore, core uncovery occurs, and core melt and containment failure result.
Sequence 3 (VWI failure)-After the reactor subcriticality and overpressure protection functions succeed, the systems designed to maintain vessel water level fail. This causes the core to uncover, which results in a core melt. This sequence is more severe than Sequence 2 since core melt occurs sooner (when the reactor is generating more decay heat).
Sequence 4 (overpressure protection failure)-After a successful reactor shutdown, either an insufficient number of relief valves open to limit the pressure rise or one or more of the relief valves fail to close when reactor pressure drops below the relief valve setpoint. Either of these conditions results in a LOCA inside containment.
Sequence 5 (reactor subcriticality failure)-After the transient initiating event, the CRD system does not function to bring the reactor to a subcritical condition. If the PCS is unavailable, the relief valves will continue to open and dump steam to the torus. The systems available to replace this lost inventory are not designed to replace the inventory as fast as the reactor is losing it. Consequently, the core will uncover and a rapid core melt will occur. Even if the PCS remains available following the initiator, failure of the reactor recirculation pumps to trip will result in a power level beyond the capability of the bypass valves to remove steam to the condenser. The feed pumps will eventually trip due to decreased inventory in the condensate storage tank (CST) caused by steam being dumped in the torus instead of returned to the condenser. The core uncovers and core melt occurs. This sequence, like Sequence 3, is more severe than other core melt sequences of this event tree due to the rapid core uncovery and the high reactor power level at the time of uncovery.
The transient systemic event trees are presented in Figures 13 and 14. The purpose of these trees is to show the interrelationships among the various systems that perform the functions previously discussed.
Specific system success criteria are provided in Table A-3 of Appendix A.
Figure 13. Transient systemic event tree where PCS is unavailable (TU). (Headings: AT Transient; RS Reactor Subcriticality; OP Overpressure Protection; MSI; HPI; VWI; LPI; DHR. Legend: S/D = shutdown, Clg = cooling, Trans = transient. X = function failure. Sequence remarks: core cooled, slow melt, melt, LOCA initiator.)
Figure 14. Transient systemic event tree where PCS is available (TA). (Headings: AT Transient; RS Reactor Subcriticality; OP Overpressure Protection; VWI; DHR. Legend: Recirc = recirculation, S/D = shutdown, Clg = cooling, Trans = transient. X = function failure. Sequence remarks: core cooled, slow melt, melt, LOCA initiator.)
6. SYSTEMS ANALYSIS
The systems affecting mitigation of a transient or LOCA fall into two categories. Front-line systems are those systems that directly affect the mitigation of a transient or LOCA, while support systems affect mitigation of a transient or LOCA only by their effect on front-line systems. Table 9 lists the front-line and support systems for BF1.
Table 9. Front-line and support system list

Front-Line Systems
- Reactor core isolation cooling (RCIC)
- High pressure coolant injection (HPCI)
- Automatic depressurization system (ADS) and safety relief valves
- Core spray
- Vapor suppression
- Control rod drive (CRD)
- Power conversion (PCS)
- Standby coolant supply (SBCS)
- Recirculation pump trip (RPT)
- Main steam isolation (MSI)

Support Systems
- AC power and DC power
- RHR service water (RHRSW)
- Emergency equipment cooling water (EECW)
- Keep-full system
- Condenser circulating water (CCW)
- Raw cooling water (RCW)
- Reactor protection system (RPS)
- Equipment area cooling (EAC)
Based on the success criteria specified by the event tree analyses, fault trees were constructed and quantified for each front-line and support system, with the exception of the PCS, CRD system, RPS, keep-full system, and condenser circulating water system. For the first three systems listed, experience data from U.S. power reactor operating plants or values from WASH-1400 (BF1 is functionally identical to the Peach Bottom Plant analyzed in WASH-1400), or similar NRC-sponsored studies, such as NUREG-0460, were utilized. The latter two systems were determined to be insignificant contributors to front-line system unavailabilities, as is discussed in this section.
The success criteria from the event tree analyses define the top event for each fault tree. Construction of fault trees followed the guidelines of the abbreviated fault tree approach and the parent tree/daughter tree concept as presented in the IREP procedures guide. The parent tree was constructed first and represented the logic associated with the top event down to the subsystem, pipe segment, or similar level without specifically identifying the components involved. The daughter trees then expanded the inputs to the parent trees down to the component level. These daughter trees were generally divided into two parts: local faults (faults of components in that system) and interfacing faults (faults associated with operators or support systems). The interfacing faults identified locations where transfers were made to other fault trees. The local faults were then listed using tabulation OR gates. Each fault event in the tabulation OR gate is described by an eight-character code. This eight-character event naming code is described in Attachment A to Appendix B. Fault tree construction also conformed to the following guidelines:
1. System faults that could also be LOCA or transient initiators are explicitly included.
2. Passive failures are excluded except for single failures that fail an entire system or are either LOCA or transient initiators.
3. Flow diversions are explicitly included for fluid delivery systems if the diversion can cause the system to fail to meet its success criteria and the probability of the diversion is comparable to other system faults.
4. Spurious control faults are excluded unless the component would receive additional signals to change state during the course of a LOCA or transient.
5. Operator errors of commission are excluded for components not specifically identified in procedures as requiring operator manipulation.
6. Operator actions to "back up" automatic actions are excluded from the fault trees and discussed under recovery operations.
7. Valve (or other component) mispositioning prior to a LOCA or transient is excluded if valve position indication is available in the control room and is monitored once every shift or if the mispositioned valve receives an automatic signal to return to the proper state after a LOCA or transient.
Browns Ferry is a three-unit nuclear station. The three units are not independent and, in fact, share many systems between the units. The front-line and support systems for Unit 1 that are shared with other units are as follows:
- Residual heat removal system
- Electric power system (AC and DC)
- Residual heat removal service water system
- Emergency equipment cooling water system
- Raw cooling water system
- Power conversion system
- Control rod drive hydraulic system.
Although the study was intended to address only Unit 1, the large number of shared systems between units made it necessary to address the effects of certain failures (e.g., loss of offsite power) on a plant-wide basis. Figure 15 illustrates some of these interunit and intersystem dependencies.
As a general rule, only those portions of shared systems dedicated to Unit 1 were modeled. In other words, no credit was taken for cross-connects to other units. There are, of course, exceptions.
These are detailed in Section 1.2 of Appendix B.
6.1 Front-Line Systems Description
This section provides an overall description of the front-line systems. System description, assumptions, interfaces, and fault trees are discussed in more detail in Appendix B of this report.
6.1.1 Reactor Core Isolation Cooling System.
The purpose of the RCIC system is to provide a source of high pressure coolant makeup water to the reactor vessel in case of a loss of feedwater flow transient.
The RCIC system is also used to maintain the reactor in a hot standby condition.
For events other than pipe breaks, the RCIC system has a makeup capacity sufficient to prevent the reactor vessel water level from decreasing to the level where the core is uncovered. This is accomplished without the assistance of an ECCS.
RCIC system operation is designed to be completely independent of AC power. Only DC power from the plant batteries and steam extracted from the reactor vessel are necessary for startup and operation of the system.
Description-The RCIC system consists of a steam turbine assembly that drives a constant-flow pump and includes the associated piping, valves, controls, and instrumentation. Figure 16 is a simplified diagram of the system.
The RCIC turbine is driven by steam that is generated in the reactor vessel. The steam is extracted from main steam Line C upstream of the MSIV. The turbine exhaust is directed to the suppression pool. The turbine-driven pump is provided with two sources of water for injection into the reactor vessel.
Demineralized water from the CST is used normally but water from the suppression pool is also available.
The RCIC system controls automatically start the system and bring it to the design flow rate of 600 gpm within 30 sec after receipt of a reactor vessel low-low water level signal. The system is designed to deliver the design flow rate to the core at reactor vessel pressures ranging from 1120 psig down to 150 psig. The RCIC system automatically stops when a high water level in the reactor vessel is signaled, when steam sup-ply pressure drops below 50 psig, or when other system parameters generate a trip signal.
Application-The RCIC system appears only in the transient event trees. Its design basis is to provide makeup coolant to the reactor following a closure of all MSIVs. Therefore, the system is not capable of providing makeup coolant to the reactor during LOCAs.
Assumptions-There were no major assumptions that significantly affected RCIC system unavailability.
Figure 15. RHR/RHRSW/EECW interplant power dependencies. (Shows RHR pumps 1A through 1D and their heat exchangers, RHRSW pumps A1/A2 through D1/D2, EECW pumps A3 through D3, the Unit 2 north and south EECW headers, the Unit 3 heat exchangers, the SBCS connection, the river, and the Units 1 and 2 diesel generators A through D and Unit 3 diesel generators 3A through 3D.)
Figure 16. RCIC system. (Simplified diagram: steam supply from main steam Line C through FCV-71-2 and FCV-71-3, turbine with trip throttle and governor valves, turbine-driven pump with attached oil pump and lube oil cooler, CST suction line and suppression pool suction line, minimum-flow bypass line, turbine exhaust line with rupture disks and isolation sensor to the suppression pool, RCIC test line, and discharge line through CV-3-572 to Feed Line B.)
Insights-Failure of the first of two rupture disks is the dominant contributor to RCIC unavailability. This failure accounts for approximately 50% of the RCIC unavailability. The purpose of the rupture disks is to prevent a turbine exhaust line blockage from damaging the turbine. In theory, the rupture disks should only be challenged by a double fault such as the discharge check valve failing to open and the high exhaust pressure trip failing to shut the turbine steam inlet. In practice, the cyclic heating load on the rupture disks leads to fatigue failure. A pressure switch between the first and second disk senses this failure and isolates the turbine. This is unnecessary if the second rupture disk is still intact. Therefore, failure of the first rupture disk leads to turbine isolation even though there is no exhaust line blockage and the second rupture disk is still functional. A factor of two reduction in RCIC unavailability could be achieved by modifying the sensors/circuitry to isolate RCIC on failure of the second rupture disk and only alarm on failure of the first disk.
6.1.2 Residual Heat Removal System.
The RHR system provides water at low pressure to the reactor to restore and maintain water level following a LOCA. It also provides a means of removing the residual heat of the reactor after shutdown either by directly cooling the reactor water or by cooling of the torus water.
Description-The RHR system consists of two loops. Each loop has a suction line, two pump and heat exchanger combinations, and a discharge line. The loops take suction on the suppression pool (torus) or the reactor recirculation Loop A. Each loop discharges to the reactor, containment sprays, or torus cooling headers, depending on the mode of RHR operation. The LPCI mode takes water from the torus and pumps it into the reactor recirculation discharge piping. Shutdown cooling takes water from recirculation Loop A, cools it in the heat exchanger, and returns it to the reactor via the same discharge path as the LPCI mode. In the torus cooling mode, water is taken from the torus and cooled in the heat exchangers.
The torus cooling discharge path is either to the torus spray header or torus test return line. SBCS uses the RHR service water (RHRSW) system to inject river water into the reactor via the same discharge path as LPCI (on Loop 2 only). Figure 17 shows a simplified drawing of Loop 1 of the RHR system. The RHR system drawing shows all the major components included in the fault trees. The valves are shown in their normal positions with the suction aligned to the torus. Loop 1 is shown in the drawing; Loop 2 is similar.
There are four modes of RHR operation modeled in the fault trees. These are the LPCI mode, shutdown cooling mode, torus cooling mode, and SBCS mode. The LPCI mode is automatically initiated upon receipt of a low level signal or a high drywell pressure signal coincident with a low reactor pressure signal. All other modes of RHR operation are manually initiated. The logic circuitry provides reactor pressure interlocks to prevent system overpressurization during shutdown cooling and provides signals to open and close the minimum-flow bypass valves for each loop.
There are six system interfaces with the RHR system. These systems are AC and DC power, logic initia-tion circuitry, keep-full system, emergency equipment cooling water (EECW), raw cooling water, and RHRSW system. There are multiple combinations of AC and DC power necessary to operate the RHR system depending on which mode of RHR is in use. The logic circuitry provides automatic initiation signals and protective interlocks to prevent overpressurization of the RHR system whenever the raw cooling water system cannot. The EECW system provides room cooling and pump seal cooling for the RHR system. The keep-full system ensures that the discharge piping of each RHR loop is filled with water. This prevents water hammer damage when the pumps start. The RHR service water system provides cooling to the RHR heat exchangers for the shutdown cooling, torus cooling, and containment spray modes of RHR operation.
Application-The RHR system appears in every event tree in one or more modes. Table 10 summarizes the success criteria for each mode of RHR operation and lists which event tree applies to each mode.
Assumptions-Failure of the minimum-flow bypass valves to close when required can allow 10% of rated flow to be diverted from the desired path. This analysis assumes this causes failure of that loop since no analyses are available to show that 90% of rated flow is sufficient. Also, if the LOCA initiator is a break on a recirculation loop discharge side, this analysis assumes that the RHR loop which discharges to that loop is likewise failed due to flow diversion.
Figure 17. RHR system, Loop 1. (Simplified diagram: suppression pool suction through FCV-74-01 and FCV-74-02, RHR Pumps A and C with RHR/RHRSW Heat Exchangers A and C, keep-full system, containment penetration valves FCV-74-47 and FCV-74-48, discharge to Recirculation Pump A piping via FCV-74-52/53 and CV-74-54, Recirculation Pump B, torus cooling valves, and the Loop 2 cross-connect FCV-74-101, Loop 2 only.)
Table 10. RHR operational mode success criteria

| Designation | Success Criteria | Applicable Event Trees |
|---|---|---|
| GA | Two LPCI pumps in the same loop deliver rated flow to the core | Large suction break |
| GB | Two LPCI pumps in different loops deliver rated flow to the core | Large suction break |
| GC | Four LPCI pumps deliver rated flow to the core | Large suction break; large steam break |
| GD | One LPCI pump delivers rated flow to the core | Large discharge break; large steam break; intermediate breaks; small breaks; transients |
| RA | One pump and heat exchanger circulating reactor coolant | All |
| RB | Two pumps and heat exchangers circulating torus water | All |
| RS | One RHRSW pump delivering rated flow to reactor through RHR Loop 2 | Transients |

Insights-Other than the main condenser, the RHR system is the only system capable of transferring reactor decay heat to the river. Therefore, for LOCA initiators and transients where PCS is not available, it is the only system available to remove decay heat. This fact makes the RHR system the limiting factor affecting core melt frequency. No matter what actions are taken to improve the reliability of other systems, the core melt frequency can never be made less than the frequency of core melt sequences where RHR fails.
Furthermore, this analysis has shown that core melt sequences resulting from RHR failures constitute over 70% of the frequency of the total dominant sequences even after recovery is considered. Therefore, the RHR system must be considered to be the most risk critical system at BF1.
6.1.3 High Pressure Coolant Injection System.
The HPCI system is one of the ECCS at BF1. The primary purpose of the HPCI system is to provide a supply of cooling water to reflood the reactor core in the event of a LOCA that does not result in depressurization of the reactor vessel. The HPCI system is designed to provide this function unassisted for all liquid breaks less than 0.12 ft2 in area (or approximately 5 in. in diameter) or all steam breaks that are less than 1.4 ft2 (or approximately 16 in. in diameter). The HPCI system can also be used to provide makeup water to the reactor during periods when the reactor is at or near normal operating pressure and is isolated from normal makeup sources.
Description-HPCI system operation is designed to be completely independent of AC power. Only DC power from the plant batteries and steam extracted from the reactor vessel are necessary for startup and operation of the system. The HPCI system consists of a steam turbine assembly that drives a constant-flow pump and includes the associated piping, valves, controls, and instrumentation. Figure 18 is a simplified diagram of the system.
Figure 18. HPCI system. (Simplified diagram: steam supply from main steam Line B through FCV-73-2 and FCV-73-3, turbine with stop and governor valves, main and booster pumps with attached and auxiliary oil pumps and lube oil coolers, gland seal condenser, CST suction line and suppression pool suction line, minimum-flow bypass line, turbine exhaust line with rupture disks and isolation sensor to the suppression pool, HPCI test line, and discharge line through CV-3-554 to Feed Line A.)
The HPCI turbine is driven by steam that is generated in the reactor vessel. The steam is extracted from main steam Line B upstream of the MSIVs. The turbine exhaust is directed to the suppression pool. The turbine-driven pump, which actually consists of a main pump and a booster pump driven by the HPCI turbine through a speed reducer, is provided with two sources of water for injection into the reactor vessel. Initially, demineralized water from the CST is used. This provides reactor-grade water to the reactor vessel for the case where the need for HPCI is rapidly satisfied. After the water in the CST is depleted, the CST low level signal will automatically shift suction to the suppression pool.
The HPCI system is designed to start and inject water into the reactor vessel without operator action.
However, the system can be operated manually. When reactor vessel level decreases to 476.5 in. above vessel zero or when drywell pressure increases to 2 psig, the HPCI logic circuitry sends an initiation signal to various HPCI components to start the system. The turbine control system willmaintain turbine speed to provide constant-flow to the reactor vessel until a turbine trip signal or an isolation signal shuts the system down.
Appllcarlon-The HPCI system appears in the event trees for intermediate and small breaks and all tran-sients. It does not appear in event trees for large breaks since depressurization willoccur too fast for the HPCI system to be useful.
Assumprlons-A major assumption associated with the HPCI system is that suction transfer from the CST to the torus is required for LOCAs but not for transients. The minimum level of the CST is based on having sufficient volume to replace inventory lost due to decay heat for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. For LOCAs, the rate of inventory loss is much higher and therefore requires the transfer.
Insights-The rupture disk arrangement for the HPCI system is almost identical to that of the RCIC system. Depending on whether the initiator is a LOCA or transient, rupture disk failure accounts for about 31 and 45%, respectively, of the HPCI unavailability. For the same reasons mentioned in Section 6.1.1, this contribution could be eliminated by modification of the sensors and circuitry.
Routine scheduled tests and maintenance account for over 25% of the HPCI system unavailability for LOCA sequences (about 14% for transients). The purpose of routine testing is to verify operability and limit unavailability by discovering faults as soon as practical for standby systems. Since the testing itself accounts for one quarter of the unavailability, it would be desirable to review the testing duration and frequency to determine if a more optimum schedule can be arranged that will reduce the testing contribution to unavailability without causing component unavailabilities to significantly increase.
6.1.4 Automatic Depressurization System and Relief Valves.
The reactor and the steam system are protected from overpressure by 13 relief valves. The 13 valves are distributed among the four main steam lines and located upstream of the main steam isolation valves. Each valve discharges to the suppression pool. The relief valves are designed to maintain primary system pressure below the emergency stress limit of 1350 psig at all times. ADS is provided to reduce reactor pressure whenever the high pressure makeup systems are unable to maintain reactor water level. This allows the core spray system or the LPCI system to maintain water level. The ADS is used in an intermediate or small break LOCA if the HPCI system fails.
The depressurization is accomplished through automatic opening of 6 of the 13 safety relief valves to vent steam to the suppression pool.
Description-BF1 has 13 identical Target Rock two-stage safety relief valves. When operating in the overpressure relief mode, the valves are operated by the self-contained pilot valve. The valves are set as follows:
- Five valves at 1105 psig
- Four valves at 1115 psig
- Four valves at 1125 psig.
At their rated setpoints, the 13 valves provide a total relief capacity of 74% of rated steam flow.
ADS uses 6 of the 13 relief valves. The ADS itself is nothing more than the instrumentation and control required to automatically open the six valves. Each valve relieves approximately 800,000 lb/hr at 1000 psi.
ADS activation of a relief valve involves energizing a solenoid, which allows compressed air from the drywell control air system to pressurize a pneumatic actuator which in turn opens the relief valve. The valve will remain open until closed by the operator. All ADS valves are equipped with an accumulator on the air line. A simplified diagram of ADS is shown in Figure 19. Depressurization will occur if three conditions exist:
- Reactor water level at Level 1 (-143 in.)
- High drywell pressure (+2 psig)
- Sufficient LPCI or core spray pumps are operating to ensure that makeup water is available after depressurization.
All relief valves can be manually activated from the control room. This serves as a backup to ADS should depressurization be required and the activation logic fails.
Successful ADS requires that four of the six valves open when required to depressurize the reactor. Successful overpressurization protection depends upon the availability of the bypass valves and the signal causing the reactor scram. If the bypass valves are available, no relief valves are required. If the bypass valves are unavailable, then the number of valves varies as shown below:
- Direct scram: 2 of 13
- Flux scram: 7 of 13
- Pressure scram: 10 of 13.
Insights-Since the ADS logic requires both a low level signal and a high drywell pressure signal, ADS will not actuate during transients if HPCI and RCIC fail because no high drywell signal is present. Therefore, the operator must manually depressurize the reactor vessel. Removal of the high drywell signal input would not increase the system unavailability and would allow ADS to automatically function for transients where HPCI and RCIC fail. This would significantly increase depressurization reliability (approximately two orders of magnitude).
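The ADS initiation conditions, the 4-of-6 valve criterion, and the scram-dependent relief valve requirements above can be captured in a small model. The following Python is an added example written for this edition; it is not code from the report or from the IREP analysis. The function names and the per-valve failure probability P_VALVE used in the demonstration are assumptions for illustration. It encodes the three ADS initiation conditions, contrasts the transient case noted under Insights (no high drywell signal, so no automatic actuation) with the modified logic, and evaluates k-of-n valve unavailability with a binomial model for both the ADS criterion and the overpressure relief requirements.

```python
from math import comb

# Setpoints and success criteria as stated in Section 6.1.4
ADS_LOW_LEVEL_IN = -143.0        # Level 1 reactor water level (in.)
HIGH_DRYWELL_PSIG = 2.0          # high drywell pressure signal (psig)
ADS_VALVES = 6                   # relief valves assigned to ADS
ADS_VALVES_REQUIRED = 4          # valves that must open for successful depressurization
RELIEF_VALVES = 13
# Relief valves required for overpressure protection when the bypass valves are unavailable
RELIEF_VALVES_REQUIRED = {"direct": 2, "flux": 7, "pressure": 10}


def ads_initiates(level_in, drywell_psig, lp_pumps_running, require_high_drywell=True):
    """As-built ADS logic: all three conditions must exist for automatic actuation.

    require_high_drywell=False models the change discussed under Insights,
    dropping the high drywell pressure input from the logic."""
    low_level = level_in <= ADS_LOW_LEVEL_IN
    high_drywell = drywell_psig >= HIGH_DRYWELL_PSIG
    if require_high_drywell:
        return low_level and high_drywell and lp_pumps_running
    return low_level and lp_pumps_running


def k_of_n_unavailability(k, n, p_fail):
    """Probability that fewer than k of n independent, identical components
    work on demand, i.e. that at least n-k+1 of them fail (binomial model)."""
    if not 0.0 <= p_fail <= 1.0 or not 0 <= k <= n:
        raise ValueError("need 0 <= p_fail <= 1 and 0 <= k <= n")
    return sum(comb(n, j) * p_fail ** j * (1.0 - p_fail) ** (n - j)
               for j in range(n - k + 1, n + 1))


def ads_valve_unavailability(p_fail):
    """Probability that fewer than four of the six ADS valves open on demand."""
    return k_of_n_unavailability(ADS_VALVES_REQUIRED, ADS_VALVES, p_fail)


def overpressure_relief_unavailability(scram_type, bypass_available, p_fail):
    """No relief valves are needed while the bypass valves are available;
    otherwise the number required depends on the scram signal."""
    if bypass_available:
        return 0.0
    return k_of_n_unavailability(RELIEF_VALVES_REQUIRED[scram_type], RELIEF_VALVES, p_fail)


if __name__ == "__main__":
    # Transient with HPCI and RCIC failed: level is low but the drywell is not pressurized
    print("transient, as built:", ads_initiates(-150.0, 0.0, True))
    print("transient, no drywell input:", ads_initiates(-150.0, 0.0, True, require_high_drywell=False))
    # Small-break LOCA: both signals present and low-pressure pumps running
    print("LOCA, as built:", ads_initiates(-150.0, 3.0, True))
    P_VALVE = 0.01  # illustrative per-valve failure-to-open probability, not a value from the report
    print("ADS valve unavailability:", ads_valve_unavailability(P_VALVE))
    for scram in ("direct", "flux", "pressure"):
        print(scram, "scram, bypass unavailable:",
              overpressure_relief_unavailability(scram, False, P_VALVE))
```

The binomial treatment assumes independent valve failures; common-cause failure of the Target Rock valves or of the control air supply would have to be added as a separate term.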
6.1.5 Core Spray System.
The core spray system along with its control and instrumentation is one of several ECCSs used to inject coolant onto the reactor core following LOCA (pipe break) or a transient.
The core spray system is designed to prevent excessive fuel cladding temperature for a pipe break of up to 4.0 ft² by spraying water onto the reactor core.
Description-The core spray system consists of four pumps divided into two parallel systems, which are identical and are physically and electrically independent.
Each system contains two AC motor-driven centrifugal pumps, a core spray sparger, and interconnecting pipes and valves.
The pumps in each loop are connected in parallel. Both pumps in a loop must operate since, with only one pump operating in a loop, the core spray system will not deliver the required flow to those fuel assemblies located near the vertical centerline of the core. The arrangement of the core spray system is shown in Figure 20.
The controls and instrumentation for the core spray system include the sensors, relays, wiring, and valve-operating mechanisms used to start, test, and operate the system. Logic control power for each of the core spray loops comes from separate 250 V DC buses. The signals used to initiate the core spray system are:
1. Low-low-low reactor water level (470 in.)
2. High drywell pressure (+2 psig) concurrent with low reactor vessel pressure (less than or equal to 450 psig).
Figure 19. Automatic depressurization system. [schematic: typical non-ADS relief valve (typical of 5) and typical ADS valve (typical of 6), main steam line, reactor vessel, air supply with bellows, ADS solenoid, backup control transfer switch, suppression pool; drawing not reproduced]
Figure 20. Core spray system. [schematic: Loop 1 and Loop 2, each with two pumps, 3-in. minimum flow bypass, 10-in. pump test line, keep-full system, suppression pool ring header suction, condensate supply system, primary containment penetrations; drawing not reproduced]
These signals seal in and have to be manually reset when the initiating condition has cleared. No operator action is necessary for proper core spray system operation.
Application-The core spray appears on every event tree in one of two modes. One mode requires that both loops deliver rated flow to the spray spargers above the core. The other mode requires only one of the two loops to function.
Assumptions-As with the RHR system, the minimum-flow bypass valves for each loop must shut to ensure that flow is not diverted from the injection path. Failure to close these valves is assumed to fail that loop even though a significant portion of rated flow is not diverted. Likewise, if the LOCA initiator is a break on one of the core spray discharge lines, that loop is considered to be failed.
Insights-The design basis for the core spray system is to provide core cooling by spraying water on the fuel elements following a large break. As noted earlier, both pumps in a loop must operate to provide the required spray. However, the core spray system can also provide inventory makeup capabilities during transients. In this case, the spray effect is not the crucial feature but flow rate is. However, the initiation circuitry is set up such that if one pump in a loop does not have power, the other pump is prevented from starting even if it has power available. This appears to be an unnecessary increase in the unavailability of the loop especially when flow rate, not spray effectiveness, is the desired feature.
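The core spray initiation signals, the loop-level assumptions, and the circuitry behaviour noted under Insights are shown together in the following Python, an added example for this edition and not code from the report. Class and function names are assumptions for illustration. The model latches the initiation signal (seal-in with manual reset only after the condition clears), counts the pumps the as-built circuitry would start in a loop with one unpowered pump beside the alternative that starts whichever pump has power, applies the loop success assumptions (both pumps running, minimum-flow bypass shut, discharge line intact), and evaluates the two event-tree success modes.

```python
# Initiation setpoints as stated in Section 6.1.5
CS_LOW_LOW_LOW_LEVEL_IN = 470.0      # reactor water level (in.)
CS_HIGH_DRYWELL_PSIG = 2.0           # high drywell pressure (psig)
CS_LOW_RX_PRESSURE_PSIG = 450.0      # low reactor vessel pressure (psig)


class CoreSprayInitiation:
    """Initiation logic with seal-in: once either signal occurs it stays latched
    until the operator resets it after the initiating condition has cleared."""

    def __init__(self):
        self.sealed_in = False

    @staticmethod
    def condition_present(level_in, drywell_psig, rx_pressure_psig):
        low_level = level_in <= CS_LOW_LOW_LOW_LEVEL_IN
        high_drywell_and_low_rx_pressure = (drywell_psig >= CS_HIGH_DRYWELL_PSIG
                                            and rx_pressure_psig <= CS_LOW_RX_PRESSURE_PSIG)
        return low_level or high_drywell_and_low_rx_pressure

    def update(self, level_in, drywell_psig, rx_pressure_psig):
        """Evaluate the sensors; returns whether the initiation signal is present (latched)."""
        if self.condition_present(level_in, drywell_psig, rx_pressure_psig):
            self.sealed_in = True
        return self.sealed_in

    def manual_reset(self, level_in, drywell_psig, rx_pressure_psig):
        """Operator reset, effective only once the initiating condition has cleared."""
        if not self.condition_present(level_in, drywell_psig, rx_pressure_psig):
            self.sealed_in = False
        return self.sealed_in


def pumps_started(pump_a_powered, pump_b_powered, as_built=True):
    """Number of pumps the initiation circuitry starts in one loop.
    As built, a loop with one unpowered pump starts neither pump; with
    as_built=False, whichever pump has power is started."""
    powered = int(pump_a_powered) + int(pump_b_powered)
    if as_built and powered < 2:
        return 0
    return powered


def loop_delivers_rated_flow(pumps_running, min_flow_bypass_closed, discharge_line_intact):
    """Loop success per the stated assumptions: both pumps running, the
    minimum-flow bypass valve shut, and no break on the loop's discharge line."""
    return pumps_running == 2 and min_flow_bypass_closed and discharge_line_intact


def core_spray_success(loop1_ok, loop2_ok, mode):
    """mode 'both': both loops must deliver rated flow; mode 'one': either loop suffices."""
    if mode == "both":
        return loop1_ok and loop2_ok
    if mode == "one":
        return loop1_ok or loop2_ok
    raise ValueError("mode must be 'both' or 'one'")


if __name__ == "__main__":
    cs = CoreSprayInitiation()
    print("normal:", cs.update(530.0, 0.0, 1000.0))          # no signal
    print("low level:", cs.update(460.0, 0.0, 1000.0))       # initiates
    print("level recovered:", cs.update(530.0, 0.0, 1000.0)) # still sealed in
    print("after reset:", cs.manual_reset(530.0, 0.0, 1000.0))
    # Loop 1 with pump 1A unpowered: as built versus the alternative circuitry
    print("as built:", pumps_started(False, True), "alternative:", pumps_started(False, True, as_built=False))
```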
6.1.6 Vapor Suppression System.
The vapor suppression system is designed to direct the LOCA effluents to the pressure suppression chamber to prevent containment overpressurization following a pipe rupture in the drywell. The suppression chamber receives this flow, condensing the steam portion and leaving the noncondensable gases and fission products. The suppression chamber-to-drywell vacuum breakers limit the pressure differential between the drywell and suppression chamber.
Description-Figure 21 represents the basic configuration of the vapor suppression system as part of the primary containment. Large vent pipes form a connection between the drywell and the pressure chamber. A total of eight circular vent pipes are provided, each having a diameter of 6.75 ft. The pressure suppression chamber is a steel pressure vessel in the shape of a torus located below and encircling the drywell. It contains approximately 135,000 ft³ of water as a maximum and has a net air volume above the water pool of approximately 119,000 ft³. The eight drywell vents are connected to a 4-ft, 9-in. diameter vent header in the form of a torus, which is contained within the airspace of the suppression chamber. Projecting downward from the header are 96 downcomer pipes (24-in. diameter) terminating approximately 4 ft below the surface of the water. Vacuum breakers (18-in. diameter) discharge from the suppression chamber into the drywell to equalize the pressure differential and to prevent a backflow of water from the suppression pool into the vent header system. Success criteria for the vapor suppression system are defined as adequate suppression pool level and no bypass leakage from drywell to wetwell.
Application-The vapor suppression system appears on all of the LOCA event trees. Since the system is designed to respond only when there is a breach in the primary coolant boundary into the drywell, it will not be found on the transient trees.
Assumptions-It is conservatively assumed that any of the faults identified (i.e., pipe ruptures or any vacuum breaker failed open) would result in failure of the vapor suppression to perform its function following a LOCA of any size. Faults of wetwell water level being too high, too low, or too hot are assumed to be insignificant contributors to vapor suppression failure due to instrumentation redundancy and frequency of operator observance of this instrumentation.
Figure 21. Vapor suppression part of the primary containment. [section through the primary containment: drywell head and flange, reactor pressure vessel, shield wall, drywell with vent pipes and jet deflector, vent header, downcomer pipes, vacuum breaker, pressure suppression chamber with water level, personnel air lock and equipment hatches, expansion joint; drawing not reproduced]
6.1.7 Control Rod Drive System.
The CRD system is designed to supply and control hydraulic pressure and flow to the CRD mechanisms. Water is supplied to the hydraulic control units (HCUs). Each HCU controls the flow to and from an individual drive. Water that is discharged from the drives during a scram flows through the HCUs to the scram discharge volume. During normal operation rod positioning, this discharge flows through its HCU and exhaust header to the reactor vessel.
Description-A simplified schematic of the CRD hydraulic system is shown as Figure 22. This figure shows one of the 185 HCUs and scram valve arrangements, which is typical of all the units. During a reactor scram, the scram inlet valves and scram discharge valves open, allowing water from the CRD hydraulic system to flow into the drives, thereby inserting the control rods. Operation of the scram inlet valves and the scram discharge valves is controlled by the scram pilot valves. The pilot valves are operated by signals received from the RPS. Two scram pilot valves for each HCU control both the scram inlet valve and scram discharge valve for that HCU. The scram inlet and discharge valves are designed to open on loss of air pressure. The pilot valves are normally energized and are aligned to provide air pressure to the scram inlet and discharge valves, thus keeping them closed. Upon loss of electrical signal, the pilot valve inlet ports are closed and the exhaust ports are opened, which depressurizes the scram inlet and discharge valves. This opens the valves, inserts the rods, and trips the reactor. The scram accumulators store sufficient energy to insert a rod during scram independently of any other energy source. Each accumulator is a water volume stored under nitrogen pressure.
The scram discharge volume, which is provided by the instrument volume and the scram discharge headers, is designed to contain water from all the drives during a scram. During normal plant operation, the volume is empty with both its drain valve and its two vent valves open. These valves close upon receipt of a scram signal. During a scram, the scram discharge volume is partly filled with water, which is discharged from above the drive pistons. An isometric view of the scram discharge volume equipment is included as Figure 23.
The success criteria for the CRD system require that no more than 30 distributed or 5 adjacent rods fail to insert. The 30 rods are considered conservative for maintaining the reactor subcritical. The 5 rods are to prevent a localized criticality.
Applications-The CRD system appears on every event tree.
The system is required for reactor subcriticality in the event of a LOCA or transient.
Assumptions-As noted previously in Section 6, the unavailability for the CRD system for this analysis was taken from NUREG-0460. The complexity of determining "how many rods in what patterns fail to insert by how much and by what means" was considered beyond the scope of this analysis.
6.1.8 Power Conversion System.
The PCS provides a means of bringing the reactor to a stable shutdown condition following a transient event that does not preclude PCS availability. The PCS can provide both the VWI and DHR functions by removing steam from the reactor, condensing the steam, and returning the water to the reactor via the condensate and feedwater systems. Successful PCS operation requires that the condenser is available and the feed system is providing makeup water to the reactor vessel.
Description-The PCS consists primarily of the main steam, condensate, and feedwater systems. Simplified flow diagrams for these systems are provided by Figures 24 and 25.
During normal operation, steam from the reactor flows directly to the main turbine generator via the main steam lines. Condensed extraction steam is cascaded through the feedwater heaters to the main condenser where it is deaerated and collected in the condenser hotwell along with condensed steam from the turbine exhaust and miscellaneous drains from the turbine cycle. Condensate pumps, taking suction from the hotwell, pump the condensate through the air ejector condensers, gland exhaust condensers, and filter/demineralizers to the condensate booster pumps, which increase the condensate pressure and discharge through the low-pressure heaters to the reactor feed pump suctions. The reactor feed pumps discharge through the high-pressure heaters to the reactor.
Figure 22. CRDH system. [schematic of one HCU: 75 psig instrument air, scram pilot valves, backup scram valves, scram inlet and outlet isolation valves F-39A and F-39B (air-to-close), scram discharge volume vent and drain valves F-37A, B, C (air-to-open), nitrogen charging, instrument volume; all solenoids shown in the normal operating condition; drawing not reproduced]
Figure 23. Scram discharge volume equipment, isometric view (referenced in the text above; labels not recoverable from the scan; drawing not reproduced).
Figure 24. Main steam system. [schematic: reactor vessel, steam lines A through D with main steam line isolation valves, 13 relief valves with temperature instrumentation, HPCI and RCIC steam supplies, turbine stop and control valves, condensers A, B, and C, RFP turbines, SJAE and off-gas preheater, gland seal; drawing not reproduced]
Figure 25. Condensate and feedwater system. [schematic: condensers and hotwell, condensate pumps, condensate booster pumps, feedwater heaters, reactor feed pumps, condensate storage tank and condenser makeup; drawing not reproduced]
Under abnormal conditions requiring an emergency shutdown from power, the following action occurs if the PCS is not rendered unavailable by the initiating event. The main turbine is tripped and is isolated from the main steam system by the turbine stop valves and turbine control valves. There are nine turbine bypass valves that open to take steam from ahead of the turbine stop valves and discharge to the condenser. The bypass valves are sized to pass up to 30% of maximum turbine design flow. The condensed steam drops to the lower section of the condenser, called the condenser hotwell. The operator manually trips all but one of the operating condensate pumps taking suction from the condenser hotwell. The condensate discharge passes through filter/demineralizers to the suction header for the condensate booster pumps. The operator manually trips all but one of the operating condensate booster pumps. The remaining condensate booster pump discharges through a series of heaters to raise the condensate water temperature.
The feedwater system is actually an extension of the condensate system, which (a) receives water from the condensate system at booster pump discharge pressure, (b) increases the pressure via a steam-driven reactor feed pump, and (c) feeds the reactor through the high pressure heaters, which further raise the temperature of the feedwater. The feedwater flow is combined into a 30-in. mixing header and then is divided into two 24-in. lines to feed the reactor through the feed sparger rings. The operator trips all but one of the operating reactor feedwater pumps.
Application-The PCS appears only on the event tree for transients where PCS is available. The PCS acts as a heat sink for reactor decay heat following a transient where reactor subcriticality is achieved. If subcriticality is not achieved but the recirculation pumps are tripped, the PCS has adequate heat removal capacity to remove the heat being generated at the resulting reactor power level.
Assumptions-As noted previously in Section 6, the unavailability for PCS used in this analysis was based on experience data from U.S. power reactor operating plants.
6.1.9 Standby Coolant Supply System.
The SBCS system is a special mode of alignment of the RHRSW system to the RHR system to provide a standby source of coolant to the reactor. The D supply header of the RHRSW system contains piping and valves that cross-connect the RHRSW system with the RHR system. The purpose of this crosstie is to inject RHRSW into the reactor vessel or containment, via the RHR piping, for final flooding if all other sources of coolant are expended. This mode of coolant injection to the reactor is included in the description of the RHRSW system (Section 6.2.2).
6.1.10 Recirculation Pump Trip System.
During abnormal conditions that lead to sharp increases in reactor system pressure, the RPT system ensures a rapid trip of the recirculation pumps. This action reduces the flow through the core allowing for more void formation and a corresponding reduction in reactor power.
Description-The RPT system consists of the control circuits for the recirculation pump motor generator breakers and portions of the RPS that actuate the trip. The 250 V DC system provides power to the RPT control circuitry. The circuit requires power to function. Figure 26 is a simplified diagram of an RPT circuit.
Application-The RPT function only appears on the transient event tree where PCS is available. For the case where the reactor subcriticality systems fail to shut down the reactor, successful RPT ensures that the resulting reactor power level is within the capacity of the PCS to remove the heat and maintain reactor coolant inventory. Failure of the RPT would allow power levels to remain too high for the PCS to accomplish these tasks and a core melt would eventually occur.
6.1.11 Main Steam Isolation System.
The purpose of the main steam isolation (MSI) system is to isolate the reactor from the main condenser when the PCS is unavailable to maintain reactor water level.
Figure 26. RPT circuit. [elements: fuse, RPS signal, 250 V DC control power, auxiliary contact (shut when breaker closed), trip coil (opens breaker when energized), auxiliary contact (shut when breaker closed), fuse; drawing not reproduced]
Description-There are eight MSIVs, two in each of the four main steam lines leading to the common manifold in the turbine building. From the common manifold, there are four lines leading to the main turbine, each having a turbine stop valve and turbine control valve. There are nine bypass valves, arranged in parallel, that can dump steam directly to the main condenser. Figure 16 presented a simplified drawing of the main steam system.
The MSIVs are closed automatically if the reactor water level reaches the low level setpoint. The valves are air-operated to open and spring loaded to shut upon loss of air to the valves. The low level initiation circuitry deenergizes an AC and DC solenoid valve, which causes the air supply to the valve to rapidly bleed off. This action causes the valves to close. The valves may also be closed from the control room by the operator.
The turbine stop valves, control valves, and bypass valves receive their control signals from the pressure regulator via the electro-hydraulic control system. Under normal conditions these valves open and close to maintain a constant pressure at the common manifold. Following a scram, the turbine stop valves and control valves receive signals to shut, while the bypass valves open as necessary to maintain the pressure at the common manifold below a preset pressure. As long as pressure in the manifold remains below this value, the bypass valves will remain shut. The operator may manually open or shut the bypass valves from the control room.
MSI failure is defined as the inability to isolate the reactor from the main condenser when reactor water level is low. This will occur if any two MSIVs in the same steam line fail to close and the turbine stop, control, and bypass valves fail to close.
Application-The MSI function appears on the transient event trees. It is necessary to isolate the reactor whenever the PCS is unavailable in order for the other mitigating systems to be able to function properly.
Assumptions-In quantifying the MSI fault tree, no credit was taken for operation of the turbine stop, control, or bypass valves. These valves are controlled by the pressure regulator and the electro-hydraulic control system. Neither of these systems was modeled in this analysis. Instead, it is conservatively assumed that the added redundancy of these valves provides no additional isolation protection.
6.2 Support Systems Description
This section provides an overall description of the support systems. The systems and fault trees appear in more detail in Appendix B of this report.
6.2.1 Electrical Power System.
The Browns Ferry electric distribution system is a complex arrangement of switches, transformers, generators, batteries, and other devices needed to provide power to the various pumps, valves, and control circuits. In general, the system consists of two parts: an AC and a DC distribution system (Figure 27). The AC system consists of two parts, those buses powered only by offsite power and those buses powered by either offsite power or emergency onsite diesel generators.
Description-The AC system consists of a distribution system powered by offsite power and a distribution system powered by either offsite power or emergency onsite diesel generators.
Figure 27 shows those AC system buses directly associated with Unit 1 that receive power from offsite power or the diesel generators.
Breakers shown in solid black (filled in) are normally closed.
Each 4160 V shutdown board has two offsite power supplies. Automatic transfer from one to the other offsite supply occurs if one is lost. If both offsite sources are lost, the diesel generator for that bus receives an automatic start signal. When the diesel is successfully started, the output breaker will automatically close to supply power to the shutdown board if there is no offsite supply. Supplying a shutdown board from its corresponding Unit 3 shutdown board (and vice versa) is a manual operation.
The 480 V shutdown boards each receive power from a normal and alternate transformer powered by the 4160 V shutdown boards. Transfer from one power source to the other is a manual operation.
Each 480 V RMOV (reactor motor-operated valve) board has two power sources. RMOV Boards 1D and 1E have AC-to-DC motor generators providing power from the 480 V shutdown boards. RMOV Boards 1D and 1E automatically transfer from one power supply to the other on undervoltage. Transfers for RMOV Boards 1A, 1B, and 1C are manual operations.
There are four DC systems at Browns Ferry. The 48 and 24 V DC systems do not directly supply any of the loads necessary for accident or transient mitigation. Figure 27 also shows the 250 V DC system as it applies to accident and transient mitigation loads. Breakers shown in solid black (filled in) are normally closed. Each battery board is supplied by a battery and a normal and alternate battery charger. The alternate charger for each board is shared by all three battery boards. Each battery charger has two sources of AC power. Each DC RMOV board receives power from one of two of the battery boards. All transfers of power supplies in this system are manual operations. The 125 V DC system consists of the batteries and chargers associated with starting and controlling the diesel generators. Each diesel has its own 125 V DC system, which is independent of the other diesels' 125 V DC systems.
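The transfer rules for the shutdown and RMOV boards described above, and the HOUSELOP treatment of offsite-only buses given under Assumptions, are collected in the following Python. This is an added example for this edition, not code from the report or from the IREP fault-tree models; the class and function names, the board labels used in the demonstration, and the LOSP value are assumptions for illustration. The model selects the source feeding a 4160 V shutdown board (automatic transfer between offsite supplies, diesel start and breaker closure when both are lost, manual Unit 3 cross-tie), distinguishes the automatic RMOV Boards 1D and 1E from the manually transferred 1A, 1B, and 1C, and returns the unavailability used for an offsite-only bus.

```python
class ShutdownBoard4160:
    """Power source selection for one 4160 V shutdown board (Section 6.2.1)."""

    def __init__(self, name):
        self.name = name

    def source(self, offsite_normal_ok, offsite_alternate_ok, diesel_runs,
               unit3_board_energized=False, operator_closes_crosstie=False):
        """Return the supply feeding the board, or None if it is de-energized."""
        if offsite_normal_ok:
            return "offsite-normal"
        if offsite_alternate_ok:
            return "offsite-alternate"    # automatic transfer on loss of one offsite supply
        if diesel_runs:
            return "diesel"               # auto start; output breaker closes with no offsite supply
        if operator_closes_crosstie and unit3_board_energized:
            return "unit3-crosstie"       # manual operation only
        return None


# 480 V RMOV boards that transfer automatically on undervoltage; the others need the operator
AUTO_TRANSFER_RMOV_BOARDS = {"1D", "1E"}


def rmov_board_energized(board, normal_ok, alternate_ok, operator_transfers=False):
    """Whether a 480 V RMOV board stays energized given the state of its two sources."""
    if normal_ok:
        return True
    if not alternate_ok:
        return False
    return board in AUTO_TRANSFER_RMOV_BOARDS or operator_transfers


def offsite_only_bus_unavailability(houselop_on, losp_frequency):
    """Buses fed only by offsite power were not modeled in detail: with the house
    event HOUSELOP on the bus is failed; otherwise the LOSP value is used."""
    return 1.0 if houselop_on else losp_frequency


if __name__ == "__main__":
    sda = ShutdownBoard4160("SDA")
    print("normal:", sda.source(True, True, False))
    print("one offsite lost:", sda.source(False, True, False))
    print("both offsite lost, diesel runs:", sda.source(False, False, True))
    print("both offsite lost, diesel fails, no operator action:", sda.source(False, False, False))
    print("RMOV 1A, normal lost, no operator action:", rmov_board_energized("1A", False, True))
    print("RMOV 1D, normal lost:", rmov_board_energized("1D", False, True))
    LOSP = 0.1  # illustrative per-year loss-of-offsite-power value, not a value from the report
    print("offsite-only bus, HOUSELOP off:", offsite_only_bus_unavailability(False, LOSP))
```

The point the model makes explicit is that the boards supplying 1A, 1B, and 1C valves keep an operator action in the success path, so a fault tree for a front-line system fed from those boards carries a human-error term that the 1D and 1E interfaces do not.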
Application-A fault tree exists for each interface between the EPS and a front-line system. Thus, there are many EPS fault trees. Every system except vapor suppression and overpressure protection (relief valves) has an EPS interface.
Assumptions-EPS buses powered only by offsite power were not modeled. Instead the house event HOUSELOP was used to describe the unavailability for these buses. Thus, when HOUSELOP is "on" that bus fails. Otherwise, the value for frequency of loss of offsite power (LOSP) was used for those bus unavailabilities, which represents the dominant contributor to bus failure.
Normally open or closed breakers not required to change state do not appear in the fault trees.
Since each diesel generator's support systems are unique to that diesel except for EECW cooling, the support systems are not explicitly shown except for the EECW cooling. This includes starting air, lube oil, fuel oil, and others.
Figure 27. EPS diagram showing AC and DC systems. [one-line diagram: offsite power, diesel generators DG A through D and DG 3A through 3D, 4160 V shutdown boards SDA through SDD and SD3A through SD3D, 480 V shutdown and RMOV boards, motor generators, Batteries 1 through 3 with chargers BC1, BC2A, and BC3, battery boards BD1 through BD3, DC RMOV boards DR1A through DR1C; drawing not reproduced]
6.2.2 Residual Heat Removal Service Water System.
The primary purpose of the RHRSW system is to provide an assured heat sink for long-term heat removal when the normal means of heat removal through the main condensers is not available or cannot be used. A second purpose of the RHRSW system is to provide an assured supply of water for the EECW system. This system supplies cooling water for various auxiliary systems and for items of equipment that support shutdown operations.
The EECW system is discussed in a separate section of this report. Finally, the RHRSW system-to-RHR system cross-connection provides added long-term redundancy to other emergency core cooling and containment cooling methods.
Description-The RHRSW system, as considered in this analysis, consists of eight service water pumps, four service water headers, four service water heat exchangers and the associated piping, valves, controls, and instrumentation. Figure 28 is a simplified composite diagram of the system. Since the system consists of four nearly symmetric trains, a composite diagram more simply illustrates the system. Figure 29 shows the electrical power dependencies for this system. There are eight service water pumps associated with the RHRSW system. Four pairs of pumps are connected to the four RHRSW headers. Each pair is designed to supply only one header according to the following configuration:
Pump Pair    Header
A1, A2       A
B1, B2       B
C1, C2       C
D1, D2       D
As Figure 29 shows, each pump pair supplies only one supply header and, in turn, each supply header supplies only one Unit 1 RHR heat exchanger. Each service water pump has the capacity to supply 100% of the cooling water required by one RHR heat exchanger.
No cross-connections exist between the service water supply headers but there is a cross-connection to the EECW system on each train. Control of the RHRSW system is entirely manual.
The D supply header contains piping and valves that cross-connect the RHRSW system with the RHR system. Although it is only used as a last resort, this cross-connection provides a method of injecting river water directly into the reactor vessel or primary containment via the RHRSW system and the RHR piping.
In the highly unlikely event that all other sources of injection water were unavailable, this source could be used to keep the reactor core covered and the containment cooled. When the RHRSW system is cross-connected to the RHR system in this manner the resulting configuration is referred to as the SBCS. Control of SBCS is also manual.
Application-Since the RHRSW system provides cooling to the shutdown cooling and torus cooling modes of the RHR system, it contributes to every event tree through its effect on RHR unavailability. The SBCS mode appears only on the transient trees.
Assumptions-The four RHRSW pumps dedicated to the EECW headers are considered unavailable for use in the RHRSW cooling system. Since three of the four EECW pumps are required when that system operates, it is likely that no spare pump will be available anyway.
Insights-The procedure for establishing SBCS flow to the reactor requires operation of RHRSW and RHR system valves such that the cross-connect valves are opened before the RHRSW heat exchanger discharge valve is shut. This allows a flow path from either the reactor or torus (depending on the RHR mode line up) directly to the river until the operator closes the heat exchanger discharge valve. Operator failure to close the valve or valve failure would allow the torus (or reactor water) to drain to the river. Since after a LOCA or transient this water may be contaminated, the consequences of such a discharge could be serious. Installing a check valve in the cross-connect line and changing the procedure to require shutting the heat exchanger discharge valve first would reduce the likelihood of this sequence.
Figure 28. RHRSW system. [Drawing not reproduced in this text extraction. Labels recoverable from the drawing: intake station RHRSW pumps A1, B1, C1, D1 and A2, B2, C2, D2; supply headers A through D; RHR heat exchangers A (23-34), B (23-46), C (23-40), and D (23-52); EECW system connections HCV-67-88, HCV-67-89, FCV-67-49, and FCV-67-48; the cross-connection on the D supply header to Unit 1 RHR Loop 2 (FCV-74-100, FCV-74-101) and Unit 2 RHR Loop 1; river supply header; pipe numbers as shown.]
Figure 29. RHRSW/EECW system power dependencies. [Drawing not reproduced in this text extraction. Labels recoverable from the drawing: river supply through MOVs to the A, B, C, and D heat exchangers; EECW north and south headers; SBCS; Unit 2 and Unit 3 heat exchangers; pumps A1, A2, A3, B1, B2, B3, C1, C2, C3, D1, D2, D3; diesel generators DG A, DG B, DG C, DG D and DG 3A, DG 3B, DG 3C, DG 3D.]
6.2.3 Emergency Equipment Cooling Water System.
The purpose of the EECW system is to supply cooling water to safety-related components in the core spray, RHR, and diesel generator systems. The EECW system performs this function by supplying water from the intake station to heat exchangers in the previously mentioned safety systems. This cooling water then flows through the heat exchangers and discharges back to Wheeler Reservoir through yard drainage.
Description-A simplified diagram of the EECW system is provided by Figure 30. The EECW system is a Class I safety-related system that serves all three of the Browns Ferry nuclear units. Either of two independent piping headers (north and south headers) can supply the safety-related cooling loads. The EECW system uses 4 of the 12 RHRSW pumps to supply the two EECW headers (two pumps per header) according to the following configuration:

Header    Pumps
North     A3, C3
South     B3, D3

The remaining eight pumps serve the RHRSW system. Four of these eight pumps may be valved into the EECW system if needed; however, the RHRSW is considered to be a separate support system and is treated independently from the EECW system in Section 6.2.2.
Under worst-case conditions such as exist following a LOSP transient, maximum design flow rates are required at all three units, resulting in a total station flow requirement of 9900 gpm. Since each pump is designed to deliver approximately 4500 gpm, three of the four pumps assigned to EECW are necessary to supply the EECW system design requirements.
The EECW system is normally in standby readiness with the A3, B3, C3, and D3 RHRSW pumps aligned to EECW service. The RHRSW pumps aligned to EECW will automatically start on:
1. Low RCW header pressure.
2. Any time a diesel generator or core spray pump is started:
a. The two RHRSW pumps (B3 and D3) aligned to EECW and powered from shutdown boards in Units 1 and 2 will start automatically in less than 30 sec after starting of a diesel generator or core spray pump in Unit 1 or 2.
b. The two RHRSW pumps (A3 and C3) aligned to EECW and powered from shutdown boards in Unit 3 will start automatically in less than 30 sec after starting of a diesel generator or core spray pump in Unit 3.
3. ECCS initiation signals of high drywell pressure (+2 psig) or low-low-low reactor vessel water level (-143.5 in.) in any unit (part of the core spray initiation logic).

Figure 30. EECW system. [Drawing not reproduced in this text extraction. Labels recoverable from the drawing: RHRSW pumps A1, A2, A3, B1, B2, B3, C1, C2, C3, D1, D2, D3; north and south headers; core spray room coolers 1A/1C and 1B/1D; RHR room coolers and seal heat exchangers 1A through 1D; Units 1 and 2 diesel generator engines A, B, C, and D; Unit 3 diesel generator engines; discharges to yard drainage.]

Application-The EECW system contributes to every event tree through its contribution to the RHR system seal coolers and room coolers necessary for shutdown cooling or torus cooling. When offsite power is available, this contribution is small since the raw cooling water system is normally used to supply these loads. Under LOSP conditions, raw cooling water is unavailable, and EECW system failure contributes not only to RHR failure but also to every AC-powered system through its contribution to the loss of diesel generator engine cooling.
Insights-Under LOSP conditions, the EECW system becomes a major contributor to core melt frequencies due to its effect on the unavailability of diesel generators and, therefore, all AC power. The EECW system in this case represents a common mode failure mechanism for AC power since all eight diesel generators receive cooling from EECW. Several steps could be taken to mitigate its effects. Sectionalizing the headers would allow the operators to keep some generators running if EECW flow was degraded, instead of the "all or none" situation. Aligning more RHRSW pumps to the EECW mode would also help.
It seems reasonable that the EECW system, which requires automatic starting and running, should have more pumps dedicated to its headers than the manually initiated RHRSW headers, which would normally be operated later in the transient or LOCA sequence. This is especially true since the success criteria for the EECW system are much more restrictive in required equipment and time available to recover from failure than those for the RHRSW system.
6.2.4 Keep-Full System.
The function of the keep-full system is to keep the core spray system Loops 1 and 2 and the RHR system Loops 1 and 2 full of water. The critical section of piping in both systems (i.e., the piping that must remain full of water) is the section from the core spray/RHR pump discharge check valves to the normally closed core spray/RHR injection valves. Keeping this section of piping full of water will ensure that no piping damage will result from water hammer upon core spray or RHR system initiation.
Description-The keep-full system consists of two pumps, a head tank, and various valves and piping.
Figure 31 is a simplified diagram of the keep-full system. The keep-full pumps take water from the torus via the core spray pump suction line and maintain head tank water level while pressurizing the system to greater than 48 psig. The pumps automatically cycle on high and low head tank levels. The head tank has a capacity of 3090 gallons. When the pumps are not running, the water level in the head tank maintains a static head of greater than 48 psig on the system by virtue of the head tank elevation above the system. This ensures that the associated core spray and RHR system piping is full and pressurized at all times that the keep-full system valves are aligned to supply water to the associated core spray and RHR loops.
Application-The keep-full system will be required to operate if gross leakage develops in the core spray/RHR loops:
(a) as a result of component rupture or operator error, or (b) if an operator intentionally drains a loop, in which case the associated keep-full system supply line should be isolated. In the former case, the rupture or operator error causes loop failure regardless of the status of the keep-full system. In order to intentionally drain a loop, the operator must violate a number of procedures and ignore several indications and alarms in order to cause failure of the keep-full system. This operator action is incorporated in the test and maintenance contribution to the failure rates of the core spray and RHR systems. Since faults in the keep-full system will not disable the RHR or core spray system unless a fault in the RHR or core spray system has already disabled them, it is unnecessary to model keep-full system faults.
6.2.5 Condenser Circulating Water System.
The condenser circulating water (CCW) system is designed to provide an efficient means of rejecting waste heat by providing flow to the condensers that condense steam formed during the power generation cycle or following plant shutdown.
Description-The CCW system is designed to provide a flow of 630,000 gpm to the condenser during open-cycle operation and 30,000 gpm to the auxiliaries of each unit. The system consists of three pumps per unit, each with a capacity of 220,000 gpm at a design head of 32.5 ft. The full-power requirements of each generating unit are satisfied by that unit's respective group of three CCW pumps. A simplified diagram of the CCW system is shown in Figure 32.
Each of the three pump discharge lines is equipped with a 96-in. diameter motor-operated butterfly valve. The three discharge lines are brought together into a single culvert, whose cross section varies throughout its length from an 18.5-ft-diameter circle to a 14.5-ft square. The CCW is carried to the condenser via this culvert. The condenser discharge passes to the discharge culvert and on to either the warm water channel, the cooling towers, or the discharge diffusers.
The Unit 1 condenser is actually composed of three condensing units (1A, 1B, and 1C). Each condenser unit is served by two inlet lines and two discharge lines. Each inlet and discharge line is equipped with a motor-driven flow control valve. The CCW system is normally operating during plant operation; all valves are normally open and all pumps are normally running.
Figure 31. Keep-full system. [Drawing not reproduced in this text extraction. Labels recoverable from the drawing: head tank vented to atmosphere with level switches LS (4); filter; Pump A and Pump B taking suction from the core spray suction header; locked-open valves on the supply lines to Core Spray Loop 1, Core Spray Loop 2, RHR Loop 1 (74-792, 74-793, 74-804), and RHR Loop 2 (74-801, 74-802, 74-803). Note from the drawing: all valve numbers have a "75" prefix unless otherwise designated.]
Figure 32. CCW system. [Drawing not reproduced in this text extraction. Labels recoverable from the drawing: intake structure with traveling screens; circulating water pumps 1A, 1B, 1C, 2A, 2B, 2C, 3A, 3B, 3C; Unit 1 (1A, 1B, 1C), Unit 2, and Unit 3 condensers; RCW intake and RCW discharge; liquid radwaste discharge; Gate 1A and Gate 1B; flow to cooling towers and to diffusers. Note from the drawing: the intake structure also serves as a source of water for (1) the RHR service water system, (2) the emergency equipment cooling water system, (3) the fire protection system, and (4) the water treatment plant.]
Application-The CCW system operates during normal power operation. For this reason, CCW is not required to change state in response to the LOCA or transient condition, nor are components of the system required to change state or position. During normal power operation, three CCW pumps serve Unit 1.
Following scram, only one CCW pump is required to condense shutdown steam. A fault tree model of the CCW system was not constructed since the CCW system is in operation during normal power operation, the operational requirements in terms of CCW pump availability are less stringent following scram than they are during power operation, and CCW may be obtained from Units 2 or 3.
6.2.6 Raw Cooling Water System.
The raw cooling water system (RCWS) furnishes cooling water to various nonsafety-related in-plant cooling loads during normal operations. The purpose of the RCWS, as it relates to this analysis, is to remove heat from the RHR pump seals and room coolers under shutdown conditions other than LOSP conditions. The RCWS is not a safety-related system, nor does it interface with any safety-related systems other than through this interconnection with the RHR pump seals and room coolers. The purpose of this interconnection is to obviate the need for operation of the EECW system during normal shutdown.
Description-The three-unit Browns Ferry plant has 11 main raw cooling water pumps, of which two are spares. Units 1 and 2 are supplied by six raw cooling water (RCW) pumps with one common spare. Suction headers for Units 1 and 2 are interconnected. All of the RCW pumps discharge into a common (three-unit) cooling header system. Three pumps are required for each unit during normal operations.
Upon normal unit shutdown, there is still a need by that unit for at least one RCW pump for miscellaneous cooling services. The RCWS pumps are supplied 4160 V power from the nonsafety-related unit buses.
Under LOSP conditions, the D spare pump can be manually connected to the Units 1 and 2 4160 V Shutdown Board A bus supplied by diesel Generator A. However, no credit is taken for this manual connection for the LOSP transient. In the event the pressure in the RCW header that supplies the RHR cooling loads decreases to a preset value, pressure switches sense the drop and start the EECW pumps. Figure 33 is a simplified drawing of the RCWS.
Application-The RCWS can provide room and seal cooling for the long-term DHR functions of the RHR system during all LOCAs and transients where offsite power is not lost. For LOCA sequences, the EECW system automatically starts, but the RCWS is also available. Therefore, for all sequences except the LOSP sequences, failure of room and seal cooling to the RHR system requires failure of both the RCWS and the EECW system.
6.2.7 Reactor Protection System.
The RPS monitors key plant parameters in order to protect against conditions that could damage the fuel or reactor pressure boundary integrity. The RPS automatically initiates a reactor scram to preserve cladding integrity, protect the reactor coolant pressure boundary, minimize the energy that must be absorbed following a LOCA, and prevent subsequent recriticality.
Description-The RPS includes the sensors, relays, and switches that detect abnormal conditions and initiate a rapid insertion of the control rods to shut down the reactor. The system consists of two independent trip systems (A and B), each having two automatically initiated scram channels (A1, A2, B1, and B2) and one manual scram channel (A3 and B3). Scram initiation requires a trip of at least one channel from each trip system. Power to each RPS trip system is supplied from an independent RPS bus fed by an AC-to-DC motor generator. The RPS channels are designed to initiate a scram upon loss of power to the system. Figure 34 shows RPS Channel A. Channel B is similar.
Application-The Browns Ferry RPS is very similar to the Peach Bottom system modeled in WASH-1400 and was not analyzed for this report. As mentioned in Section 2.9 of Appendix B, NUREG-0460 provided the value for failure to achieve subcriticality (3 x 10^-5 per demand). This value takes into account RPS failures. For the majority of accident sequences, no mitigating systems other than the CRDH system required use of the RPS. For one case, transients where the PCS is available and the reactor subcriticality systems fail, the RPT requires an input from the RPS. The value used for RPS failure in this case is the 1.9 x 10^-6 value for common mode failures from WASH-1400. This value was chosen since it represents failures that would disable both the reactor subcriticality systems and the RPT system.
Figure 33. Simplified RCW system diagram. [Drawing not reproduced in this text extraction. Labels recoverable from the drawing: RCW Pumps A, B, C, and D with suction strainers on a common pump suction header from the Unit 1 intake (river water); north header with FCV-24-135 to RHR Pump 1A and 1C seal and room coolers and FCV-24-138 to RHR Pump 1B and 1D seal and room coolers, both continued on the EECW system, Figure 30; strainer 24-730; pressure indicators; RCW headers to other units and to the Unit 2 RCW pumps; other RCW cooling loads.]
Figure 34. RPS Channel A. [Logic drawing not reproduced in this text extraction; contacts are shown for normal power operation (energized). Trip inputs recoverable from the drawing: turbine stop valve closure (90% open), turbine control valve fast closure, scram discharge volume level high, condenser low vacuum, MSL isolation valve closure (90% open), drywell pressure 2 psig, reactor water level low, reactor high pressure, MSL high radiation, neutron monitoring system trips (IRM A and IRM C, average power range monitors A and C with high-high, inoperative, and downscale trips, and bypasses tied to the mode switch), and manual scram. Bypass conditions shown: 30% first-stage pressure bypass for the turbine trips, keylock bypass and mode switch in shutdown or refuel, mode switch not in run and <1055 psig, neutron monitoring instrument trips for initial fuel loading only. Relays KA1, KA3, KA5, KA7, KA9, KA11 and contacts 114A/114C feed Reactor Protection System Trip Logic A1, A2, and A3.]
6.2.8 Equipment Area Cooling System.
The equipment area cooling (EAC) system is not a system, per se. In this analysis, the EAC system is considered to be the particular area fan, the associated cooler, the cooling water interface with the cooler, and the power supply and control circuit for the fan.
Description-The EAC system is designed to cool the air in a specific area or room in the plant or to cool the air surrounding a specific component. This analysis determined that the only EAC system important for correctly modeling front-line system response was that associated with each of the RHR pumps. That is because the RHR pumps run for long periods in some modes of operation, while the remaining ECCS pumps run for relatively short periods.
Application-The EAC system associated with each of the RHR pumps is required to run when the RHR system is aligned to the shutdown cooling or torus cooling modes of operation. In either of these modes, the RHR pumps could be required to run for long periods (i.e., greater than 2 hours). Consequently, lack of area cooling for the pump surroundings will ultimately lead to RHR pump failure.
7. ACCIDENT SEQUENCE QUANTIFICATION
7.1 General Approach
Accident sequence quantification is a building block process. From the failure data and fault tree models, system unavailabilities can be calculated. The Boolean combination of systems from the systemic event trees, combined with the system unavailabilities, yields the functional unavailabilities. Combinations of functional unavailabilities and initiator frequencies produce accident sequence frequencies. Appendix C of this report describes the methodology for accomplishing this task in more detail. This section presents a general description of this procedure.
7.2 Data Sources
Table CP of Appendix C provided the majority of the failure data for quantification of fault trees. Most of this information comes directly from the WASH-1400 report; since failure data were not available for every component in the fault trees, other sources of data were occasionally used. Maintenance and testing contributions to system/component unavailabilities were derived from information provided by the utility company. A data summary table for each system appears in Appendix B, which describes the failure data and their sources.
Human errors of omission were included where appropriate in the fault tree models, both for errors involving test and maintenance and for errors in response to an accident situation. Emergency operating instructions were reviewed with regard to potential accident sequences to determine the required human interactions with mitigating systems in response to the accidents. Section 3.2 of Appendix C describes these operator response errors in more detail. Explicit human error models were developed based on the procedures found in NUREG/CR-1278. It was especially important to create these models for human error events that affected multiple systems. For example, miscalibration of reactor vessel level switches could result in failure of the CSBCs to be auto-initiated when required. These human error models can be found in Section 4 of Appendix B.
7.3 System Unavailabilities
The Reliability Analysis System (RAS) computer code (Reference 13) provided unavailability calculations based on the fault trees and failure data. The code calculates time-dependent system unavailabilities using one algorithm to generate minimal cut sets and another to evaluate the unavailability associated with these cut sets. The code also ranks the cut sets from highest to lowest in terms of contribution to system unavailability.
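The two steps named above (minimal cut set generation, then evaluation and ranking of the cut sets) can be shown on a small fault tree built around the EECW common mode insight of Section 6.2.3. The following Python is an added example written for this edit; it is not the RAS code and not one of the report's fault trees. The gate encoding, the simplified tree (every diesel generator loses cooling if EECW fails, and EECW fails when any 2 of its 4 aligned pumps fail, i.e. the 3-of-4 success criterion), and the basic-event unavailabilities are assumptions chosen for illustration, not values from the report.

```python
"""Minimal cut sets and rare-event unavailability for a small support-system
fault tree (added illustration, not the RAS code or the report's models)."""
from itertools import combinations
from math import prod

# Gate encoding assumed for this example:
#   "name"                       basic event
#   ("OR", c1, c2, ...)          fails if any child fails
#   ("AND", c1, c2, ...)         fails only if every child fails
#   ("ATLEAST", m, c1, c2, ...)  fails if at least m children fail
#                                (a 3-of-4 success criterion is ATLEAST 2)


def minimize(sets):
    """Keep only minimal cut sets: drop any set that contains another one."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node):
    """Return the minimal cut sets of a node as a set of frozensets of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate = node[0]
    if gate == "OR":
        acc = set()
        for child in node[1:]:
            acc |= cut_sets(child)
        return minimize(acc)
    if gate == "AND":
        acc = {frozenset()}
        for child in node[1:]:
            # Cross product of the cut sets so far with the child's, minimized
            # after every step to keep the intermediate set small.
            acc = minimize({a | b for a in acc for b in cut_sets(child)})
        return acc
    if gate == "ATLEAST":
        m, children = node[1], node[2:]
        acc = set()
        for combo in combinations(children, m):
            acc |= cut_sets(("AND",) + combo)
        return minimize(acc)
    raise ValueError(f"unknown gate {gate!r}")


def rare_event(cuts, q):
    """Rare-event approximation: sum over cut sets of the product of basic-event unavailabilities."""
    return sum(prod(q[e] for e in c) for c in cuts)


def ranked(cuts, q):
    """Cut sets ordered from highest to lowest contribution, as the report says RAS ranks them."""
    return sorted(((prod(q[e] for e in c), tuple(sorted(c))) for c in cuts), reverse=True)


def share(cuts, q, predicate):
    """Fraction of the rare-event total from cut sets whose events all satisfy `predicate`."""
    total = rare_event(cuts, q)
    part = rare_event({c for c in cuts if all(predicate(e) for e in c)}, q)
    return part / total


# Assumed simplified model of the Section 6.2.3 insight: EECW needs 3 of its
# 4 aligned pumps (A3, B3, C3, D3), so it fails when any 2 fail, and every
# diesel generator loses engine cooling when EECW fails. Under LOSP, Unit 1 AC
# is lost when all four of its diesel generators are unavailable.
EECW_FAILS = ("ATLEAST", 2, "EECW-A3", "EECW-B3", "EECW-C3", "EECW-D3")


def dg_fails(name):
    return ("OR", f"DG-{name}-local", EECW_FAILS)


LOSS_OF_DG_AC = ("AND", dg_fails("A"), dg_fails("B"), dg_fails("C"), dg_fails("D"))

# Assumed illustrative unavailabilities per demand (not values from the report).
Q_BASIC = {f"EECW-{p}3": 1.0e-2 for p in "ABCD"}
Q_BASIC.update({f"DG-{d}-local": 3.0e-2 for d in "ABCD"})


def is_eecw(event):
    return event.startswith("EECW-")


if __name__ == "__main__":
    cuts = cut_sets(LOSS_OF_DG_AC)
    for p, c in ranked(cuts, Q_BASIC):
        print(f"{p:.2e}  {' & '.join(c)}")
    print(f"Q(top) ~ {rare_event(cuts, Q_BASIC):.2e}; "
          f"EECW-only cut sets: {share(cuts, Q_BASIC, is_eecw):.1%}")
```

The expansion yields seven minimal cut sets: the six EECW pump pairs and the single fourfold local diesel failure. With the assumed values the six second-order EECW cut sets carry essentially the whole top-event unavailability, which is the "all or none" dependency the Insights paragraph describes; sectionalizing the headers or aligning more pumps to EECW would change the ATLEAST gate and break up those second-order cut sets.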
7.4 Sequence Frequencies
The Boolean combination of systems combined with the sequence initiator produced the sequence frequencies. These frequencies served as the basis for determining the candidate dominant accident sequences. The process includes:
1. Accounting for commonalities between systems using the COMCAN II computer code and special bounding techniques.
2. Accounting for success events by recognizing when they can potentially be significant, and evaluating them.
3. Accounting for the effect of the initiator on the mitigating systems.
7.5 Candidate Dominant Accident Sequences
Sequences from the systemic event trees with frequencies greater than 1 x 10^-6 per reactor-year were designated as candidate dominant accident sequences.
Appendix C presents each of the 11 candidate dominant sequences and discusses the major contributors to the sequence frequency. The potential for recovery was considered for those sequences where the dominant contributors to sequence frequency were recoverable.
Recovery considerations required taking into account such factors as the amount of time available for the recovery action, where the action must be taken, and what must be done to repair the fault. The candidate dominant sequence frequencies were requantified considering the potential for recovery.
7.6 Example Calculation
Sequence TUQRBRA is one of the dominant sequences and demonstrates the process of quantifying sequence frequencies. Figure 35 is the systemic event tree that includes this sequence.
Table 11 lists the unavailabilities for the systems associated with this sequence. The sequence is initiated by a transient that causes the PCS to be unavailable. Following a successful scram and relief valve cycling, the RCIC system fails. The HPCI system operates to maintain reactor water level but the torus cooling and shutdown cooling modes of the RHR system fail.
The unavailability of the mitigating systems for this sequence, Q(QRBRA), is equal to the unavailability of the Boolean combination of the systems making up the sequence. In the report's notation, a bar over a system designator indicates success of that system and a designator without a bar indicates failure; in the plain-text derivation below, success of a group of systems is written with the complement sign ¬. The term COM( ) indicates the value of the commonalities between the systems indicated in parentheses. The unavailability of the mitigating systems is 3.2 x 10^-6, as shown below.

Q(QRBRA) = Q[Q ∧ RB ∧ RA ∧ ¬(B ∪ J ∪ K ∪ D)]
         = Q[Q ∧ (RB ∧ RA)] - COM[Q ∧ RB ∧ RA ∧ (B ∪ J ∪ K ∪ D)]
         = Q[Q ∧ (RB ∧ RA)] - 0
         = Q(Q) Q(RB ∧ RA) + COM(Q ∧ RB ∧ RA)
         = Q(Q) Q(RB ∧ RA) + 0
         = Q(Q)[Q(RB) Q(RA) + COM(RB ∧ RA)]
         = (0.042)[(3.1 x 10^-3)(2.0 x 10^-2) + 1.4 x 10^-5]
         = 3.2 x 10^-6

where the Q inside the parentheses of Q(Q) represents the RCIC system code. The term COM[Q ∧ RB ∧ RA ∧ (B ∪ J ∪ K ∪ D)] accounts for the effect of the success of the scram, relief valve, and HPCI systems on the failed systems. In this case, that effect is negligible. The term COM(Q ∧ RB ∧ RA) accounts for commonalities between the RCIC, torus cooling, and shutdown cooling modes of RHR. This term is also negligible. The term COM(RB ∧ RA) accounts for commonalities between the torus cooling and shutdown cooling modes of RHR. This term is not negligible and has a value of 1.4 x 10^-5. It consists of common minimum-flow bypass valve faults and common support system faults.
Figure 35. Transient systemic event tree for PCS unavailable. [Event tree not reproduced in this text extraction. Function headings across the top of the tree: AT (transient, Trans TU), RS (CRD, B), OP (relief valves open and close), MSI (MSIV), HPI (RCIC Q, HPCI D), VWI (manual depressurization V), LPI (core spray FB, LPCI GP/GD, condensate W), DHR (RHR torus cooling RB, RHR shutdown cooling RA, SBCS X); X marks a function failure, N/A a function not applicable. Sequence designators listed: TURBRA, TUQRBRA, TUQDRBRA, TUQDWRBRA, TUQDWFBRBRA, TUQDWFBGPRBRA, TUQDWFBGDX, TUQDV, TUN, TUK, TUJ, TUB, with end states core cooled, slow melt, melt, or LOCA initiator. Legend: S/D = shutdown, Clg = cooling, Trans = transient.]
Table 11. Transients where the PCS is unavailable

System                      Designator    System Unavailability
CRD                         B             Q(B)  = 3.0 x 10^-5
Relief valves (opening)     J             Q(J)  = 7.2 x 10^-9
Relief valves (closing)     K             Q(K)  = 5.7 x 10^-2
RCIC                        Q             Q(Q)  = 4.2 x 10^-2
HPCI                        D             Q(D)  = 4.4 x 10^-2
Manual depressurization     V             Q(V)  = 3.0 x 10^-3
Core spray                  FB            Q(FB) = 6.6 x 10^? (exponent illegible in source)
LPCI                        GD            Q(GD) = 1.1 x 10^? (exponent illegible in source)
Condensate                  W             Q(W)  = 7.0 x 10^-3
SBCS                        X             Q(X)  = 4.2 x 10^-2
The sequence frequency P(TUQRBRA) is then equal to the product of the initiator frequency F(TU) and the unavailability of the mitigating systems Q(QRBRA). The initial sequence frequency is 5.5 x 10^-6 per reactor-year, as shown below.

P(TUQRBRA) = F(TU) Q(QRBRA)
           = (1.7)(3.2 x 10^-6)
           = 5.5 x 10^-6

Considering recovery options reduces Q(QRBRA) to 2.4 x 10^-6. The unavailability of torus cooling and shutdown cooling is reduced from 7.6 x 10^-5 to 5.7 x 10^-5, while the unavailability of RCIC is unchanged since the majority of its faults are not recoverable. The mitigating system unavailability then is the product of the RCIC unavailability, Q(Q), and the unavailability of torus cooling and shutdown cooling considering recovery, Q(RBRA considering recovery). This value is 2.4 x 10^-6, as shown below.

Q(QRBRA) = Q(Q) Q(RBRA considering recovery)
         = (0.042)(5.7 x 10^-5)
         = 2.4 x 10^-6

The final sequence frequency is the product of the initiator frequency F(TU) and the unavailability just derived, Q(QRBRA). Thus, the final sequence frequency P(TUQRBRA) is equal to 4.1 x 10^-6 per reactor-year, as shown below.

P(TUQRBRA) = F(TU) Q(QRBRA)
           = (1.7)(2.4 x 10^-6)
           = 4.1 x 10^-6
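The quantification of TUQRBRA above can be reproduced step by step. The following Python is an added example written for this edit, not code from the report or from the RAS or COMCAN II codes. The pairwise expansion Q(X ∧ rest) = Q(X) Q(rest) + COM(X ∧ rest) is the one used in the derivation and the numbers are the report's (Table 11 and Section 7.6); the function names, the keying of COM terms by the set of systems they couple, and the use of a "fixed" override to fold in the recovered value of Q(RB ∧ RA) are assumptions of the example.

```python
"""Sequence quantification in the style of Section 7.6 (added illustration)."""


def joint_unavailability(systems, q, com, fixed=None):
    """Unavailability of the conjunction of failed systems.

    Built up pairwise as in the report's derivation:
        Q(X ∧ rest) = Q(X) * Q(rest) + COM(X ∧ rest)
    `com` maps a frozenset of system designators to its commonality term;
    `fixed` (assumed helper) maps a frozenset to a value that replaces the
    expansion of that sub-conjunction, which is how the report substitutes
    Q(RB ∧ RA) "considering recovery".
    """
    key = frozenset(systems)
    if fixed and key in fixed:
        return fixed[key]
    if len(systems) == 1:
        return q[systems[0]]
    first, rest = systems[0], systems[1:]
    return q[first] * joint_unavailability(rest, q, com, fixed) + com.get(key, 0.0)


def sequence_frequency(f_initiator, q_mitigating):
    """P(sequence) = F(initiator) * Q(failed mitigating systems)."""
    return f_initiator * q_mitigating


def screen(freq, cutoff=1.0e-6):
    """Candidate-dominant (initial) and dominant (final) screening, Sections 7.5 and 8."""
    return freq > cutoff


def contribution_share(part, whole):
    """Fraction of an unavailability attributed to one contributor."""
    return part / whole


# Report values for TUQRBRA (Table 11 and Section 7.6):
# Q = RCIC, RB = RHR torus cooling, RA = RHR shutdown cooling.
Q_SYS = {"Q": 4.2e-2, "RB": 3.1e-3, "RA": 2.0e-2}
COM = {
    frozenset({"RB", "RA"}): 1.4e-5,      # common min-flow bypass valve and support system faults
    frozenset({"Q", "RB", "RA"}): 0.0,    # judged negligible in the report
}
F_TU = 1.7                                # transients with PCS unavailable, per reactor-year
Q_RBRA_RECOVERED = 5.7e-5                 # Q(RB ∧ RA) after recovery credit, report value


def tuqrbra():
    """Return (initial Q, initial P, recovered Q, final P) for sequence TUQRBRA."""
    seq = ["Q", "RB", "RA"]
    q0 = joint_unavailability(seq, Q_SYS, COM)
    p0 = sequence_frequency(F_TU, q0)
    q1 = joint_unavailability(seq, Q_SYS, COM,
                              fixed={frozenset({"RB", "RA"}): Q_RBRA_RECOVERED})
    p1 = sequence_frequency(F_TU, q1)
    return q0, p0, q1, p1


if __name__ == "__main__":
    q0, p0, q1, p1 = tuqrbra()
    print(f"Q(QRBRA) = {q0:.2e}, P = {p0:.2e}/ry, candidate dominant: {screen(p0)}")
    print(f"with recovery: Q = {q1:.2e}, P = {p1:.2e}/ry, dominant: {screen(p1)}")
    q_rbra = joint_unavailability(["RB", "RA"], Q_SYS, COM)
    com_share = contribution_share(COM[frozenset({"RB", "RA"})], q_rbra)
    print(f"COM(RB ∧ RA) share of Q(RB ∧ RA): {com_share:.0%}")
```

The unrounded intermediate values (3.19 x 10^-6 and 5.43 x 10^-6) differ from the report's 3.2 x 10^-6 and 5.5 x 10^-6 only because the report rounds after each step; the COM share printed last is the 18% that Section 8.2.1 attributes to the minimum-flow bypass valves.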
8. RESULTS
8.1 General
The quantification of the systemic event trees resulted in 11 candidate dominant sequences. Each of these sequences had an initial frequency value greater than 1.0 x 10^-6 per reactor-year. The final value for each sequence consisted of the initial frequency modified by potential recoverability. Table 12 lists these 11 sequences, giving the initiator, initial frequency, and final frequency.
8.2 Dominant Sequences
The dominant sequences appear in Table 13. These eight sequences all have final frequencies greater than 1.0 x 10^-6 per reactor-year.
Six of these sequences are transient sequences, while the other two are transient-induced LOCAs. Six of the sequences involve failure to remove long-term decay heat from the reactor, while two involve failure to achieve subcriticality. A general discussion of these sequences is presented in the following sections; a more detailed treatment can be found in Section 4.2 of Appendix C, which includes a systemic event tree representation of each sequence as well as a graphic display of the dominant contributors to the sequence frequency.
Table 12. Candidate dominant sequences

                                               Frequency (per reactor-year)
Initiator                         Designator   Initial       Final
Transient-induced LOCAs           TKRBRA       1.2 x 10^-5   9.3 x 10^-6
LOSP-induced LOCAs                TpKRBRA      8.3 x 10^-5   1.6 x 10^-6
                                  TpKDFBGD     2.5 x 10^-6   8.7 x 10^-8
Transient with PCS unavailable    TURBRA       1.3 x 10^-4   9.7 x 10^-5
                                  TUQRBRA      5.5 x 10^-6   4.1 x 10^-6
                                  TUB          5.1 x 10^-5   5.1 x 10^-5
                                  TUQDV        9.2 x 10^-6   5.5 x 10^-7
Transient with PCS available      TABM         3.7 x 10^-6   3.7 x 10^-6
LOSP                              TpRBRA       1.5 x 10^-3   2.8 x 10^-5
                                  TpQRBRA      6.2 x 10^-5   1.2 x 10^-6
                                  TpQDFBGDX    1.2 x 10^-6   3.6 x 10^-8

Table 13. Dominant sequences

Initiator                  Designator   Frequency (per reactor-year)
Transients without PCS     TURBRA       9.7 x 10^-5
Transients without PCS     TUB          5.1 x 10^-5
LOSP                       TpRBRA       2.8 x 10^-5
Transient-induced LOCA     TKRBRA       9.3 x 10^-6
Transients without PCS     TUQRBRA      4.1 x 10^-6
Transients with PCS        TABM         3.7 x 10^-6
LOSP-induced LOCA          TpKRBRA      1.6 x 10^-6
LOSP                       TpQRBRA      1.2 x 10^-6

8.2.1 Transients Without PCS and with DHR Failure (TURBRA). In this sequence, a transient occurs that renders the PCS unavailable as a heat sink for the reactor. A reactor scram occurs and the nuclear chain reaction is stopped. As reactor decay continues to add heat to the coolant, reactor pressure increases until the relief valves open. Steam from the reactor is passed to the torus to reduce reactor pressure.
Once pressure drops below the relief valve setpoints, the valves reclose until pressure increases again. This process is repeated until action is taken to remove decay heat by another means. Since the main condenser is not available as a heat sink, the MSIVs automatically shut to prevent excessive loss of reactor water inventory. Following this action, the RCIC system automatically starts to replace the inventory lost during relief valve operation. At this point, the reactor decay heat is being transferred to the torus water either by relief valve action or by operation of the RCIC system. However, the RHR system is the only system capable of removing the decay heat from the torus. Its failure causes the torus water temperature to increase until the water can no longer be used to replace the lost reactor coolant inventory or to condense the steam from the RCIC turbine discharge. As a result, the ECI systems will be unable to replace lost coolant, and vessel water level will decrease until core uncovery occurs. A core melt will then occur.
The RHR system can provide the DHR function in either the torus cooling mode or the shutdown cool-ing mode.'Torus cooling is the normal mode for this sequence. Both modes must be inoperable in order for the DHR function to fail. The unavailability of the shutdown cooling mode is dominated by control circuit faults of the three suction valves, resulting in the valves failing to open. These faults account for 841o of the 1.9 x 10 unavailability for shutdown cooling. Torus cooling unavailability is dominated by operator failure to initiate the system and combinations of control circuit faults of RHR and RHRSW system motor-operated valves. The unavailability of both modes is 7.6 x 10 5 and is dominated by combinations of control circuit faults. The minimum-flow bypass valves failing to close account for approximately 18'f the 7.6 x 10 5 unavailability for both systems.
There are approximately 6 to 8 hours available for the operators to take corrective action for this sequence before core melt occurs. This estimate is based on the time it takes to deplete the CST and heat the torus water to a temperature that prevents the RCIC system from pumping the water, assuming no containment back-pressure [15]. There are two paths the operators may pursue to prevent a core melt. One path involves recovering the PCS as a heat sink for the reactor. The other involves recovery of the RHR system in torus cooling or shutdown cooling modes.
The ability to recover the PCS depends upon the transient initiator. Some initiators may be easily bypassed or repaired while others may not. For example, if a loss of feedwater flow were caused by a fault in the automatic level controller, the operator could manually control the flow after opening the MSIVs. If the loss of feed flow were due to a mechanical failure of the pumps, then recovery would be unlikely within the time of this sequence. No credit for PCS recovery was considered since there is inadequate information available on which to base a probability of recovery.
Since the dominant contributors to failure of both the torus cooling and shutdown cooling modes are control circuit faults, it is possible that the operators could either bypass the faulty control circuits or operate the valves manually. During the Browns Ferry fire of March 1975, the operators demonstrated the ability to improvise a fix on the relief valves so they could be operated. The final sequence frequency of 9.7 x 10^-5 per reactor-year reflects recoverability of control circuit faults.
8.2.2 Transients Without PCS and with RS Failure (TUB). In this sequence, a transient occurs that causes the PCS to be unavailable as a heat sink for the reactor. However, an insufficient number of control rods insert to make the reactor subcritical. As a result, the reactor continues to generate considerable heat depending upon the number and location of control rods that fail to insert. Because the reactor has been isolated from its normal heat sink, pressure rises until the relief valves open and begin to pass steam from the reactor to the torus. The rate of inventory loss due to relief valve action in this case is higher than the makeup capacity of the high pressure systems. Therefore, water level steadily decreases until core uncovery and core melt occur.
The CRD system unavailability, taken from NUREG-0460, is 3.0 x 10^-5. As noted in NUREG-0460 and WASH-1400, the exact number of rods that must fail to insert and the position and relative location of those rods is not easily calculated and is considered to be beyond the scope of this analysis. Therefore, the NUREG-0460 value of 3.0 x 10^-5 was used in lieu of a specific evaluation by the Browns Ferry IREP team.
For this sequence, there is very little time for the operator to take recovery actions. No credit is given for operator recovery during the first 5 min of a transient or LOCA. Furthermore, the actions available for the operator are neither clearly defined nor easily quantifiable. Therefore, the final sequence frequency of 5.1 x 10^-5 per reactor-year takes no credit for operator recovery actions.
8.2.3 Loss of Offsite Power with DHR Failure (TPRBRA). After a LOSP, a reactor scram occurs.
The relief valves open to relieve the reactor pressure increase caused by the turbine trip without bypass that follows a LOSP. The relief valves successfully reclose and the MSIVs isolate the reactor from the condenser. The RCIC system maintains reactor water level. Subsequently, the RHR system fails to remove the reactor decay heat. A sustained loss of RHR cooling will cause torus water temperature to increase until the ECI systems are incapable of pumping the torus water. Water level will decrease and core uncovery will then occur, followed by core melt.
The dominant contributors to RHR unavailability for this sequence fall into two groups: EECW related faults and non-EECW related faults. Failure of the EECW system to provide its required cooling will eventually result in a loss of all diesel generators. The dominant contributors to the EECW system unavailability are combinations of two or more diesel generators failing to start. The non-EECW faults result in a direct failure of the RHR system to provide cooling. These faults are also dominated by combinations of diesel faults (three or more failing diesels, not necessarily the same as those for EECW failure).
There are several factors involved in RHR recoverability for this sequence.
Given successful RCIC operation, at least 6 to 8 hours are available for the operator to take action to recover the RHR system.
One potential recovery option is the restoration of offsite power. Figure III6P of WASH-1400 indicates that offsite power can be recovered 97% of the time within 6 to 8 hours. The restoration of offsite power changes the DHR unavailability from 4.9 x 10-> to 7.6 x 10^-5.
Another potential recovery option is for the operator to manually start and valve into service additional RHRSW pumps to the EECW headers to provide the necessary cooling. The operator could also act to isolate nonessential EECW loads so that the flow from less than three of four pumps would still be sufficient. Flow from two of four pumps provides 91% of rated flow, so that judicious isolation of other loads might allow two of four pumps to provide the required flow.
The operator could also attempt to restart diesel generators that have initially failed to start. However, the success or failure of such action depends largely on the original cause of the failure to start. No credit is taken for this action.
The final sequence frequency takes into account the probability of failing to recover offsite power and the probability of failing to recover the EECW system. It does not reflect any credit for restarting diesel generators. The final sequence frequency is 2.8 x 10^-5 per reactor-year.
8.2.4 Transient-Induced SORV with DHR Failure (TKRBRA). The transient-induced SORV occurs when any transient (except a LOSP, which is covered separately) results in a reactor scram, relief valve opening, and a failure of one or more relief valves to reclose. This action is similar to an intermediate steam break in all but two respects. First, the steam discharges directly to the torus; consequently, there is no drywell pressure increase and, therefore, no high drywell initiation signal for the ECI systems. Second, because the steam goes directly to the torus, the SCI function of the intermediate steam break tree is not applicable.
Following the transient-induced SORV, the HPCI system successfully operates to maintain reactor water level. In this case, the HPCI systems actuate on low level. Subsequently, the RHR system fails to remove the reactor decay heat. This failure allows torus water temperature to rise to the point where the HPCI system can no longer pump the torus water back to the reactor to maintain level. Consequently, core uncovery occurs and a core melt ensues. The dominant contributors to RHR system failure in this sequence are the same as those for sequence TURBRA discussed previously in Section 8.2.1.
Likewise, the recoverability factors are essentially the same for this sequence. The final sequence frequency is 9.3 x 10^-6 per reactor-year.
8.2.5 Transients Without PCS and with RCIC and DHR Failure (TUQRBRA). This sequence is the same as TURBRA in Section 8.2.1 except that the RCIC system fails to operate to maintain reactor water level. Instead, the HPCI system operates to maintain level. Subsequent failure of torus cooling and shutdown cooling eventually causes a core melt. The most dominant contributor to RCIC failure is rupture disk failure in the drive turbine steam exhaust line. Should one of these two disks rupture, a pressure switch signal will be generated that isolates RCIC.
The recovery factors for torus cooling and shutdown cooling are the same as in sequence TURBRA. Thus, the final frequency for this sequence is 4.1 x 10^-6 per reactor-year.
8.2.6 Transient with PCS and with RS and RPT Failure (TABM). For this sequence, a transient occurs that does not directly cause a failure of the PCS system. However, an insufficient number of control rods insert to stop the nuclear chain reaction. Therefore, reactor power remains high. If the recirculation pumps are tripped, then the reactor power level will be reduced to within the capacity of the bypass valves to remove heat to the condenser.
Failure of the RPT feature allows reactor power to remain above the bypass valve capacity. Therefore, reactor pressure increases and the relief valves open to dump the excess steam into the torus. As a result, torus water temperature rapidly rises until the water can no longer condense the steam. Since the steam added to the torus is not condensed and returned to the reactor via the PCS system, the water supply to the feed pumps rapidly decreases until the feed pumps trip. Subsequently, reactor water level rapidly drops until core uncovery occurs and core melt ensues.
The dominant contributor to this sequence is a reactor protection system (RPS) failure that prevents actuation of a reactor scram or a recirculation pump trip. The operator could manually initiate these actions. However, the time available for the operator to take these actions is very short, and the final sequence frequency takes no credit for such action. The final sequence frequency is 3.7 x 10^-6 per reactor-year.
8.2.7 LOSP-Induced SORV with DHR Failure (TPKRBRA). The phenomenological effects of a LOSP-induced SORV are identical to those described in Section 8.2.4 for a transient-induced SORV. The differences in the sequences lie in the frequency of occurrence and the unavailabilities of the mitigating systems due to the LOSP.
The dominant contributors to DHR unavailability for this sequence are identical to those for the LOSP with DHR failure (sequence TPRBRA) discussed in Section 8.2.3. The potential recovery actions for this sequence are the same as for sequence TPRBRA. Applying these recovery factors results in a final sequence frequency of 1.6 x 10^-6 per reactor-year.
8.2.8 Loss of Offsite Power with RCIC and DHR Failure (TPQRBRA). This sequence is the same as TPRBRA except that the RCIC system fails to operate to maintain reactor water level. Instead, the HPCI system operates to perform this function. Subsequent failure of torus cooling and shutdown cooling leads to a core melt.
The recoverability factors associated with torus cooling and shutdown cooling are the same as for sequence TPRBRA. Therefore, the final frequency for this sequence is 1.2 x 10^-6 per reactor-year.
8.3 Containment Response and Release Categories

8.3.1 Introduction. The dominant BF1 core melt sequences are listed in Table 14 along with the applicable containment failure modes. The accident processes, timing of core melt, containment failure modes, and consequences of fission product releases to the atmosphere for these sequences have been estimated based primarily on previous analyses for other BWRs. Previously analyzed BWRs include the Grand Gulf and Peach Bottom plants. The Peach Bottom plant, which was also analyzed in WASH-1400, is quite similar to BF1, and many of the present conclusions regarding BF1 are based on these analyses. In addition, a few MARCH code [16] calculations were performed specifically for BF1. However, no plant-specific CORRAL [17] calculations were undertaken.
The containment failure modes (α, γ, and γ') listed in Table 14 for the various sequences are the same as those employed for the BWR in WASH-1400, Appendix I, Section 2.2. The notations for the fission product release categories are also the same. In WASH-1400, the probability of containment overpressure failure in the event of core meltdown was found to approach unity. Failure with direct release of the radioactivity to the atmosphere was assessed to occur about 20% of the time (γ' = 0.2); in the remaining cases (γ = 0.8), fission products were released into the annular region between the drywell liner and the concrete wall. Release to the atmosphere via the annulus results in additional fission product removal, which reduces the accident consequences.
Fission product deposition in this annulus was intended to represent removal by passage through secondary containment structures.
The probabilities of release directly to the atmosphere and through the annulus were based in WASH-1400 on an analysis of the layout and structural strength of the building enclosing the wetwell or torus. No such analysis is available for BF1. Thus, the relative magnitudes of the γ' and γ probabilities for BF1 are uncertain.
The probability that a steam explosion in the reactor vessel causes containment failure is assessed in Table 14 to be α = 0.01 for LOCAs and α = 0.0001 for transients. The higher value is identical to that in WASH-1400. The lower value is based on recent research that indicates steam explosions are suppressed at high system pressures. Thus, for cases in which core meltdown occurs with the primary system at high pressure, steam explosions are assessed to be less likely.
Table 14 contains no assessment of the consequences of containment isolation failure or failures of the standby gas treatment system. These containment failure modes did not contribute significantly to the WASH-1400 consequences, and are thus judged not likely to contribute significantly to the risk associated with the core melt sequences in Table 14.
Table 14. Dominant sequences versus containment failure modes

Containment failure mode frequencies^a (per reactor-year):

| Containment failure mode | TURBRA | TUB | TPRBRA | TKRBRA | TUQRBRA | TABM | TPKRBRA | TPQRBRA | Total |
|---|---|---|---|---|---|---|---|---|---|
| Final sequence frequency | 9.7 x 10^-5 | 5.1 x 10^-5 | 2.8 x 10^-5 | 9.3 x 10^-6 | 4.1 x 10^-6 | 3.7 x 10^-6 | 1.6 x 10^-6 | 1.2 x 10^-6 | 2.0 x 10^-4 |
| α | 9.7 x 10^-9 | 5.1 x 10^-9 | 2.8 x 10^-9 | 9.3 x 10^-8 | 4.1 x 10^-10 | 3.7 x 10^-10 | 1.6 x 10^-8 | 1.2 x 10^-10 | 1.3 x 10^-7 |
| γ' | 1.9 x 10^-5 | 1.0 x 10^-5 | 5.6 x 10^-6 | 1.9 x 10^-6 | 8.2 x 10^-7 | 7.4 x 10^-7 | 3.2 x 10^-7 | 2.4 x 10^-7 | 3.9 x 10^-5 |
| γ | 7.8 x 10^-5 | 4.1 x 10^-5 | 2.2 x 10^-5 | 7.4 x 10^-6 | 3.3 x 10^-6 | 3.0 x 10^-6 | 1.3 x 10^-6 | 9.6 x 10^-7 | 1.7 x 10^-4 |

a. Probabilities of containment failure modes: α (in-vessel steam explosion) = 0.01 (LOCAs), 0.0001 (transients); γ (release through annulus) = 0.8; γ' (direct release to atmosphere) = 0.2.
All containment failure modes of dominant sequences fell into WASH-1400 release categories as follows: α - 1, γ' - 2, γ - 3. Other release categories versus failure modes are possible for γ and γ' modes, but none of these sequences were dominant.
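The arithmetic behind Table 14 and the release-category mapping above, as an added worked example (not code from NUREG/CR-2802): the eight final sequence frequencies and the mode probabilities are the report's values; the tagging of TKRBRA and TPKRBRA as LOCA-like for the steam-explosion probability is inferred from the table's α row and Section 8.2.4; the release-category totals use the α - 1, γ' - 2, γ - 3 mapping stated above. Recomputing the rows is a useful check on the printed table: the final-frequency, α and γ' totals reproduce the rounded values, while summing the rounded γ entries gives about 1.6 x 10^-4 where the table prints 1.7 x 10^-4.

```python
"""Containment failure-mode partition of the eight dominant BF1 sequences (Table 14).

Added example, not code from NUREG/CR-2802. Frequencies are per reactor-year.
"""

# Final sequence frequencies from the "Final" row of Table 14.
FINAL = {
    "TURBRA": 9.7e-5, "TUB": 5.1e-5, "TPRBRA": 2.8e-5, "TKRBRA": 9.3e-6,
    "TUQRBRA": 4.1e-6, "TABM": 3.7e-6, "TPKRBRA": 1.6e-6, "TPQRBRA": 1.2e-6,
}

# Stuck-open relief valve sequences are LOCA-like (Section 8.2.4), so they take the
# LOCA steam-explosion probability; this tagging is inferred from the table's alpha row.
LOCA_LIKE = frozenset({"TKRBRA", "TPKRBRA"})

# Conditional containment failure-mode probabilities given core melt (table footnote a).
ALPHA = {"loca": 0.01, "transient": 0.0001}   # in-vessel steam explosion
GAMMA_PRIME = 0.2                              # overpressure, direct release to atmosphere
GAMMA = 0.8                                    # overpressure, release through the annulus
MODES = ("alpha", "gamma_prime", "gamma")

# WASH-1400 BWR release category assigned to each mode for these sequences.
RELEASE_CATEGORY = {"alpha": 1, "gamma_prime": 2, "gamma": 3}


def mode_probability(seq, mode):
    """Conditional probability of a containment failure mode for one sequence."""
    if mode == "alpha":
        return ALPHA["loca" if seq in LOCA_LIKE else "transient"]
    return GAMMA_PRIME if mode == "gamma_prime" else GAMMA


def failure_mode_table(final=FINAL):
    """Return {row: {sequence: frequency}} with a 'final' row and one row per mode."""
    table = {"final": dict(final)}
    for mode in MODES:
        table[mode] = {s: f * mode_probability(s, mode) for s, f in final.items()}
    return table


def row_totals(table):
    """Right-hand 'Total' column: sum of each row over the eight sequences."""
    return {row: sum(cells.values()) for row, cells in table.items()}


def release_category_totals(table):
    """Core melt frequency per release category, summing the modes mapped to it."""
    totals = {}
    for mode, category in RELEASE_CATEGORY.items():
        totals[category] = totals.get(category, 0.0) + sum(table[mode].values())
    return totals


def dominant_contributor(table, mode):
    """Sequence carrying the largest frequency in a given failure-mode row."""
    return max(table[mode], key=table[mode].get)


if __name__ == "__main__":
    t = failure_mode_table()
    totals = row_totals(t)
    for row in ("final",) + MODES:
        cells = "  ".join(f"{s}={v:.1e}" for s, v in t[row].items())
        print(f"{row:12s} {cells}  total={totals[row]:.1e}")
    print("release categories:",
          {k: f"{v:.1e}" for k, v in release_category_totals(t).items()})
```

One thing the recomputation makes visible that the table's totals hide: in the α row the LOCA-like SORV sequences dominate (TKRBRA alone carries about 70% of the α total) even though they are minor contributors to overall core melt frequency, because their steam-explosion probability is a hundred times higher.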
The core melt accidents in which containment failure occurs with direct release to the atmosphere (γ' cases) fall into three categories. The most severe accidents (i.e., those with the greatest fission product releases) are those in which core meltdown occurs while the pressure suppression pool is ineffective in scrubbing fission products. This generally occurs for meltdown sequences in which the DHR systems fail.
In accident sequences in which the suppression pool temperatures remain low, significant scrubbing of fission products may occur. These accidents generally involve early failure of the primary coolant makeup system. Other types of meltdown accidents, including those that involve failures in the reactor shutdown system, are discussed in more detail below.
8.3.2 Failure of Decay Heat Removal System.
In a transient or LOCA in which the DHR systems fail, water makeup to the primary system can generally be maintained initially by injection from the CST.
If the operators choose to maintain sufficient makeup to just compensate for decay heat boiloff, the CST will empty (135,000 gallons assumed injected) after about 15 hours.^a The operators would then be expected to switch to injection of water from the suppression pool. However, in the absence of DHR, MARCH calculations indicate the suppression pool temperature would be increased to about 200°F and the containment pressure to 21 psia. TVA systems analysts said that BF1 measurements show ECI pump cavitation will occur if the suppression pool temperature exceeds 185 to 190°F with the containment at 1 atm. These measurements imply pump cavitation is likely if the subcooling of the suppression pool is less than T_SAT - T_POOL = 212 - (185 to 190) = 17 to 12°F.

a. The accident timing is obtained from a MARCH calculation for a transient with DHR failure. The timing for LOCAs could be somewhat shorter. For large LOCAs the suppression pool temperature would be 20 to 30°F greater due to heating by the primary system blowdown at the time of depletion of the CST. Thus, for some LOCAs ECC pump cavitation may be concurrent with switch over to injection from the suppression pool.
At 21 psia, the suppression pool is 30°F subcooled at the time of switch over to ECI injection from the suppression pool. Thus, pump cavitation is unlikely at this time even though the pool temperatures exceed the 185 to 190°F range. MARCH calculations were performed in which ECI pump cavitation (failure) was assumed when the subcooling fell below 10°F. ECI failure occurred for this case at 21.7 hours with the containment at a pressure of 27.3 psia and the suppression pool at 235°F. With no primary system makeup, the core starts to uncover at 25.6 hours and core melting at 26.2 hours. Containment overpressure failure (180 psia) is predicted to result from the release of steam and hydrogen from the primary system, which accompanies bottom head failure at about 27.7 hours.
CORRAL calculations indicate a BWR Category 2 release for this sequence for direct release to the atmosphere, and a Category 3 release for release through the drywell annulus. (Note: Release categories are defined in WASH-1400.) No credit is given in these release calculations for potential scrubbing while the suppression pool is saturated or after the containment fails.
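The subcooling criterion used in the paragraphs above, as an added worked example that is not part of the report or of MARCH: it interpolates saturation temperature from a short steam-table excerpt (approximate standard values, an assumption of the example since the report quotes none), applies the 10°F cavitation threshold of the MARCH run, and walks a constructed pressure and pool-temperature trajectory whose 15 h and 21.7 h points are the values quoted above and whose intermediate point is invented.

```python
"""Suppression-pool subcooling and the ECI pump cavitation criterion.

Added example, not code from NUREG/CR-2802 or from MARCH. The report states the
criterion (pumps on suppression-pool suction fail once subcooling T_sat(P) - T_pool
falls below a threshold, 10 degF in the cited MARCH run); the steam-table excerpt
and the intermediate trajectory point are assumptions of this example.
"""
import bisect

# Approximate saturation temperatures from standard steam tables (psia, degF).
# The report quotes none of these; they are an input assumption of the example.
SAT_TABLE = [
    (14.7, 212.0),
    (20.0, 228.0),
    (25.0, 240.1),
    (30.0, 250.3),
    (35.0, 259.3),
    (40.0, 267.3),
]
_PRESSURES = [p for p, _ in SAT_TABLE]


def t_sat(p_psia):
    """Saturation temperature (degF) by linear interpolation; refuses to extrapolate."""
    if not _PRESSURES[0] <= p_psia <= _PRESSURES[-1]:
        raise ValueError(f"{p_psia} psia is outside the table range")
    i = bisect.bisect_right(_PRESSURES, p_psia)
    if i == len(_PRESSURES):            # exactly at the top of the table
        return SAT_TABLE[-1][1]
    (p0, t0), (p1, t1) = SAT_TABLE[i - 1], SAT_TABLE[i]
    return t0 + (t1 - t0) * (p_psia - p0) / (p1 - p0)


def subcooling(p_psia, t_pool_f):
    """Margin between pool temperature and saturation at containment pressure."""
    return t_sat(p_psia) - t_pool_f


def eci_cavitation(p_psia, t_pool_f, threshold_f=10.0):
    """True when the MARCH-style criterion predicts pump cavitation (ECI failure)."""
    return subcooling(p_psia, t_pool_f) < threshold_f


# Constructed trajectory: (hours after scram, containment pressure psia, pool degF).
# The 15 h and 21.7 h points are the MARCH values quoted in the text; 18 h is invented.
TRAJECTORY = [
    (15.0, 21.0, 200.0),
    (18.0, 24.0, 218.0),
    (21.7, 27.3, 235.0),
]


def first_cavitation_time(trajectory=TRAJECTORY, threshold_f=10.0):
    """Time of the first trajectory point at which the cavitation criterion is met."""
    for hours, p, t in trajectory:
        if eci_cavitation(p, t, threshold_f):
            return hours
    return None


if __name__ == "__main__":
    for hours, p, t in TRAJECTORY:
        print(f"{hours:5.1f} h  {p:5.1f} psia  pool {t:5.1f} F  "
              f"subcooling {subcooling(p, t):5.1f} F  cavitation={eci_cavitation(p, t)}")
    print("ECI failure predicted at", first_cavitation_time(), "h")
```

The point the numbers make is the one the text makes: a pool that is already above the 185 to 190°F atmospheric limit is still about 30°F subcooled at 21 psia, so containment back-pressure buys time, and the criterion is only crossed once pressure and pool temperature have both risen further; the same function applied to the 28 psia, 252°F state in Section 8.3.4 returns a negative margin, the pool is at saturation, and the pumps are lost almost at once.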
8.3.3 Failure of Primary Coolant Makeup.
Accidents develop quickly in which there is no primary coolant makeup following a LOCA or transient. For a large LOCA, core melting may start in several minutes. For a transient with boiloff through the safety valves at a nominally constant pressure of 1100 psia, core melting is delayed until about 100 min. The suppression pool will remain well subcooled in these accidents even in the absence of DHR (RHR failure), so there is significant scrubbing of fission products in the pool as long as the containment remains intact.
For LOCAs, MARCH calculations indicate containment overpressure failure shortly after bottom head melt through. For transients, MARCH indicates containment failure is delayed a few hours after bottom head failure. Because of the delayed containment failure, significant scrubbing of the fission products released during the concrete melting phase of the accident could take place. For the LOCAs, the fission products released during the concrete melting phase are not scrubbed because of containment failure. Most of the fission products released during the core heatup and meltdown phase of the accident are scrubbed by the pool for both LOCAs and transients. The difference in timing of containment failure results in BWR Category 3 releases for LOCAs and Category 4 releases for transients for direct containment leakage to the atmosphere. For release through the annulus, Category 4 releases are predicted for both LOCAs and transients.
The difference in timing of containment failure for transients and (pipe-break) LOCAs is due to the presence of water on the drywell floor and, consequently, in the reactor cavity for LOCAs.^a Rapid vaporization of this water by the molten debris following bottom head melt through results in a pressure spike that is likely to produce containment failure. For transients, there is generally little water in the reactor cavity because the primary system blowdown is released in the wetwell and condensed directly in the suppression pool. However, operation of building coolers and sprays in the drywell increases the amount of water on the drywell floor for transients. A MARCH calculation that considered drywell building cooler operation indicated insufficient accumulation of condensate on the drywell floor to threaten containment upon vaporization. Use of the RHR in a drywell spray mode could add sufficient water to the drywell floor that the subsequent pressure generation could threaten containment. However, operation of the containment spray is generally inconsistent with the assumed unavailability of primary system makeup. Thus, for the ECI and VWI sequences, the containment spray is taken to be inoperative, and would not provide a means of placing water on the drywell floor. Thus, only LOCAs are likely to have significant water accumulation on the drywell floor.

a. Battelle-Columbus Laboratories has not been able to definitively establish that water enters the reactor cavity for BF1 LOCAs. However, this is believed to be the case for the similar Peach Bottom plant.
8.3.4 Failure of Reactor Shutdown System.
Following failure of the reactor (subcriticality) shutdown system, changes will occur in the core fuel temperatures, the water temperature in the core, and the steam or void fraction due to coolant boiling. Due to these changes (which naturally affect neutron kinetics and reactivity) the core power level will change. The subsequent core behavior is sensitive to the actual power level achieved. For the transient analyzed in WASH-1400, the core power level was calculated to stabilize at about 30% of rated power. Under steady state conditions, the BF1 high pressure injection system can provide sufficient makeup to compensate for the coolant boiloff at power levels up to about 25%. Thus, at a 30% power level, there would be a net coolant loss from the system and core uncovery would eventually occur. However, even in the situation where adequate makeup is initially provided, ECI failure would be expected to occur relatively quickly. This occurs because, for high core power levels, the RHR system is unable to prevent rapid heatup of the suppression pool. Thus, safety pumps taking suction from the suppression pool may fail due to cavitation as discussed previously for sequences involving failure of the DHR systems.
Alternatively, the pumps may fail following containment failure due to pool overheating.
A MARCH calculation for a transient with a sequence similar to that discussed above indicates RHR failure at 24 min at a suppression pool temperature of 252°F and a containment pressure of 28 psia. ECI failure follows shortly at 27 min when the injection switches from the CST to the suppression pool. Core uncovery starts at 28 min and core melting at 46 min. Containment failure is predicted shortly after bottom head failure. Because of the high suppression pool temperatures, little fission product scrubbing is expected. The fission product releases fall into BWR Categories 2 and 3, depending on whether release occurs directly to the environment or through the annulus. These results and accident behavior are similar to those discussed under failure of the DHR systems. The accident timing is greatly accelerated however.
Battelle-Columbus Laboratories has not made neutron kinetics calculations for LOCAs involving failures of the shutdown system. Thus, for LOCAs, an equilibrium or steady-state core power level similar to that for transients is not known. A similar behavior would be expected. In any case, assumption of a behavior similar to that for transients would conservatively place their fission product releases in the BWR release Categories 2 and 3. Since the LOCAs contribute little to the cases involving reactor shutdown failure, this assumption has insignificant impact on the overall consequences.
8.4 Engineering Insights

In the course of performing this analysis, many engineering insights were gained. Some are significant with respect to the frequency of core melt while others are significant only on a systemic level and have no effect on other systems. This section details some of the insights judged to be important by the BF1 IREP team.
8.4.1 Core Melt Frequency Versus Initiators. Figure 36 is a plot of the core melt sequences with frequencies greater than 1.0 x 10^-8 per reactor-year versus the sequence initiators. The values plotted are frequencies without recovery included. From this plot it is easy to see that transient core melt sequences occur more frequently than transient-induced SORV sequences and LOCA sequences.
Furthermore, within the LOCA sequences, small break-initiated core melt sequences have higher frequencies than intermediate or large break sequences.
These findings are very significant. They indicate that the risk of core melt is orders of magnitude more likely from transients or small LOCAs than from larger LOCAs.
Figure 36. Core melt sequence frequencies versus initiators (recovery actions not considered). [Plot not reproduced: sequence frequency per reactor-year on a logarithmic axis against initiator group (transients, stuck-open relief valve, LOCAs), with each sequence labelled by its designator. Note on the figure: the sequence frequencies shown do not account for recovery; recovery was considered in the determination of final frequencies for the eight dominant sequences.]
8.4.2 Core Melt Frequency Versus Failed Function.
Figure 37 is a plot of core melt sequences versus failed function. As with Figure 36, the frequencies plotted do not include recovery values. Again it is easy to see that core melt sequences resulting from DHR failure are more frequent than those caused by reactor subcriticality failures and those caused by ECI/VWI failures.
These findings are also significant. They indicate that the risk of core melt from failures of the RHR system is much higher than from failures of either the scram or injection systems. In fact, DHR failures account for about 73% of the sum of the final dominant sequence frequencies. The remaining 27% were failure to scram sequences and none were sequences involving failure to inject. This indicates that the RHR and scram systems are the two most important systems with respect to core melt frequency and that no significant improvement in the overall core melt frequency can be achieved without first improving the reliability of these two systems.
8.4.3 RHR System Contribution.
Since 73% of the sum of the final dominant sequence frequencies is due to sequences involving RHR failures, it is appropriate to discuss this system further. In actuality, there are two different modes of RHR that must fail in order to cause failure of the long-term decay heat removal function.
One might expect that the unavailability of both the torus cooling and shutdown cooling modes of the RHR system would be quite low due to the built-in system redundancy. Indeed, the unavailability of torus cooling and shutdown cooling is 7.6 x 10^-5 (before considering recovery). This factor is offset by the fact that, for any LOCA and many transients, the probability is unity that the RHR system alone will be required to perform the long-term decay heat removal function. Therefore, no matter what combination of systems succeed in providing the scram, overpressure protection, and ECI or VWI functions, the RHR system in either the torus cooling or shutdown cooling mode will be required to function in order to prevent a core melt from occurring.
In the absence of another means of removing decay heat, the RHR unavailability deserves additional attention. At first glance, the arrangement of four separate pump and heat exchanger combinations (two of which are needed for torus cooling and only one for shutdown cooling) would seem to provide the multiple redundancy necessary to limit the unavailability of torus cooling and shutdown cooling. The fact that they utilize different discharge paths would also tend to support this conclusion.
However, the four-loop redundancy is compromised by combining the pump discharges into two discharge paths. Thus, failure of any pair of two valves in opposite discharge paths negates the pump redundancy. Furthermore, failure of the minimum-flow bypass valves for the two paths poses a common failure mode for both torus cooling and shutdown cooling. This tends to negate the apparent redundancy of the discharge paths previously noted.
Unlike the torus cooling mode that has two separate suction paths, the shutdown cooling mode has only one. In that path, failure of any one of three valves to open disables the entire shutdown cooling mode.
This is the reason that shutdown cooling unavailability is approximately an order of magnitude higher than torus cooling unavailability.
Together these factors tend to reduce the apparent redundancy of the two modes of RHR operation.
Therefore, instead of two systems with low unavailabilities being combined (as in core spray and LPCI) two systems with higher unavailabilities and several commonalities are combined.
The result is an unavailability for these two modes that is not as low as might be originally expected.
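One way to see why the combined discharge paths and the shared minimum-flow bypass valves undercut the four-loop redundancy is to enumerate the minimal cut sets of a simplified model, as in this added example (not the report's fault tree; the component names and the per-component unavailabilities used for the rare-event sum are invented for illustration). The model keeps only the structure the text describes: four pump and heat exchanger loops whose discharges are combined into two paths, each path with series valves that must open and a minimum-flow bypass valve that must close, two loops needed for torus cooling, one loop for shutdown cooling, and a single shutdown-cooling suction path with three series valves.

```python
"""Minimal cut sets of a simplified two-path RHR model (Section 8.4.3).

Added example, not the report's fault tree. Component names and the unavailabilities
used for the rare-event sum are invented for illustration.
"""
from itertools import combinations

PUMPS = ("P_A", "P_B", "P_C", "P_D")                 # four pump/heat-exchanger loops
PATH_OF = {"P_A": 1, "P_C": 1, "P_B": 2, "P_D": 2}   # discharges combined into two paths
PATH_VALVES = {                                      # series valves that must open, plus a
    1: ("DV1a", "DV1b", "MFB1"),                     # minimum-flow bypass that must close
    2: ("DV2a", "DV2b", "MFB2"),
}
SUCTION_VALVES = ("SV1", "SV2", "SV3")               # single shutdown-cooling suction path
COMPONENTS = PUMPS + PATH_VALVES[1] + PATH_VALVES[2] + SUCTION_VALVES


def path_open(path, failed):
    return not any(v in failed for v in PATH_VALVES[path])


def loops_delivering(failed):
    """Loops whose pump runs and whose discharge path is intact."""
    return [p for p in PUMPS if p not in failed and path_open(PATH_OF[p], failed)]


def torus_cooling_ok(failed):
    return len(loops_delivering(failed)) >= 2        # two loops needed (Section 8.4.3)


def shutdown_cooling_ok(failed):
    if any(v in failed for v in SUCTION_VALVES):     # any one suction valve disables it
        return False
    return len(loops_delivering(failed)) >= 1        # one loop suffices


def dhr_ok(failed):
    """Long-term decay heat removal succeeds if either RHR mode works."""
    return torus_cooling_ok(failed) or shutdown_cooling_ok(failed)


def minimal_cut_sets(top_ok=dhr_ok, max_order=4):
    """Exhaustively enumerate minimal failure combinations up to max_order components."""
    cut_sets = []
    for k in range(1, max_order + 1):
        for combo in combinations(COMPONENTS, k):
            failed = frozenset(combo)
            if any(cs <= failed for cs in cut_sets):
                continue                             # already contains a smaller cut set
            if not top_ok(failed):
                cut_sets.append(failed)
    return cut_sets


def by_order(cut_sets):
    """Group cut sets by the number of components they contain."""
    grouped = {}
    for cs in cut_sets:
        grouped.setdefault(len(cs), []).append(sorted(cs))
    return grouped


# Invented per-demand unavailabilities, chosen only to show which cut sets dominate.
Q = {c: (1e-2 if c in PUMPS else 1e-3) for c in COMPONENTS}


def rare_event_sum(cut_sets, q=Q):
    """Sum over cut sets of the product of member unavailabilities (upper bound)."""
    total = 0.0
    for cs in cut_sets:
        term = 1.0
        for c in cs:
            term *= q[c]
        total += term
    return total


if __name__ == "__main__":
    cs = minimal_cut_sets()
    for order, sets in sorted(by_order(cs).items()):
        print(f"order {order}: {len(sets)} cut sets, e.g. {sets[0]}")
    pairs = [s for s in cs if len(s) == 2]
    print(f"valve-pair share of the rare-event sum: "
          f"{rare_event_sum(pairs) / rare_event_sum(cs):.0%}")
```

Run on this model, every second-order cut set is a pair of valves in opposite discharge paths (the bypass-valve pair among them) and none involves a pump; the pumps only appear in third-order sets and above. Even with pumps assigned ten times the unavailability of a valve, the valve pairs carry roughly 90% of the rare-event sum, which is the redundancy argument of the text in numbers: the loops are four-fold redundant, the paths they share are not.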
In order to reduce the frequency of the sequences involving RHR failure, there appear to be at least three choices:

1. Ensuring the PCS is available with a high reliability.

2. Changing the RHR system to eliminate those factors previously mentioned that compromise the four pump and heat exchanger redundancy.

3. Designing a separate system capable of removing reactor decay heat.

Figure 37. Core melt sequence frequencies versus failed function (recovery actions not considered). [Plot not reproduced: sequence frequency per reactor-year on a logarithmic axis against failed function (DHR failure, RS failure, ECI/VWI failure), with each sequence labelled by its designator. Note on the figure: the sequence frequencies shown do not account for recovery; recovery was considered in the determination of final frequencies for the eight dominant sequences.]
None of these apparent remedies would be easy or inexpensive. However, it is apparent from the dominant sequences that no significant reduction in the core melt frequency will occur without some change that reduces the probability of DHR failure.
8.4.4 HPCI and RCIC Unavailabilities.
The dominant contributors to the unavailabilities of the HPCI and RCIC systems are the rupture disks. Although only two of the dominant sequences involve failures of the HPCI or RCIC systems, this failure mode is significant for another reason.
The rupture disks were installed as a backup to the normal turbine trip features to prevent turbine damage due to high exhaust pressure. In order to damage the system in this manner, two failures must occur:
a flow blockage in the exhaust line and failure of the turbine to isolate on a high exhaust line pressure signal. Under these conditions, the rupture disks are designed to break to provide a depressurization path for the exhaust line.
It appears as if the designers recognized the potential for system failure if one rupture disk were to fail prematurely. Therefore, two disks in series were provided. Then, as a means of verifying disk integrity, a pressure detector was located between the disks. This detector was used to generate a turbine isolation signal upon failure of the first disk as an added safety precaution.
Routine operation and testing of these systems often leads to fatigue failure of the first rupture disk and subsequent turbine isolation. Therefore, the condition currently exists where a backup equipment protection feature (which is not even required until two other independent failures have occurred) is spuriously isolating a front-line system when no such isolation is necessary.
In addition, this spurious isolation constitutes the dominant failure mode for these two systems.
For the HPCI system, an additional 25% of that system's unavailability is due to required testing. This particular value is significantly higher than the testing and maintenance contribution of any other system analyzed. The relatively high HPCI unavailability (compared to other front-line systems) makes the testing contribution even more significant. It appears that the testing schedule and the testing effect on system operability should be reviewed to ensure that the optimum reliability is being achieved.
8.4.5 EECW Unavailability During a Loss of Offsite Power.
Under most transient and LOCA sequences, the EECW unavailability is not a significant contributor to the core melt frequency. However, under LOSP conditions, EECW failure contributes significantly as a common mode failure of all the diesel generators and, therefore, all AC powered systems.
There are three dominant sequences where EECW failure contributes to mitigating systems unavailabilities. As noted in the sensitivity analysis and the sequence evaluations in Appendix C, EECW failures do not contribute significantly to the dominant sequences when recovery factors are considered.
EECW recovery actions essentially consist of providing additional EECW flow from standby pumps via cross-connect piping. In the event that flow from three of the four EECW pumps is not available, the operator can readily align the RHRSW C1 or C2 pump to the EECW north supply header by opening a motor-operated flow control valve (FCV-67-49) from the main control room.
However, it would appear to be a better engineering practice not to rely on the recoverability of the EECW systems as a means of minimizing its impact on these sequence frequencies.
Instead, methods of minimizing its impact without considering later recovery would seem to be more judicious. It appears that sectionalizing the headers and/or aligning more pumps to automatically supply the EECW headers are among the most likely candidates for such an effort. The D pumps can be aligned to the EECW south supply header by opening a motor-operated valve (FCV-67-48); however, the technical specifications require that at least one of the D1 or D2 pumps be available as the SBCS system pump. In order to use the D1 pump for EECW supply, the discharge header cross-connect valve (563) would have to be closed. This valve is a normally open manual valve remotely located at the pumping station. By keeping the valve (563) closed, the RHRSW D1 pump could be used for EECW supply and the D2 pump could be used for RHRSW or SBCS if needed.
8.5 Uncertainty Analysis
Uncertainty analyses were performed on the dominant accident sequences.
The MOCARS computer code [18] was used to perform a Monte Carlo simulation of system unavailabilities based on basic event information and the system cut sets. The lognormal distribution was used as the distribution for each basic event and for the initiating events. The resulting system distributions were then combined and analyzed to produce the sequence values. Error factors were obtained by dividing the value of the distribution at the 95% quantile by the point estimate. The analyses included MOCARS runs on the initial and final sequence frequencies. The sum of the initial sequence frequencies and the sum of the final sequence frequencies were also analyzed. Table 15 summarizes the analysis results.
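The following Python is an added illustration of the propagation method this paragraph describes; it is not MOCARS and does not use the report's data. It samples lognormal basic events (and the initiator), pushes them through the system cut sets by Monte Carlo, reports the error factor as the 95% quantile divided by the point estimate, and reruns the calculation under the 3-of-4 and 2-of-4 EECW pump success criteria examined in the sensitivity analysis of Section 8.6. Event names, medians, error factors and the initiator frequency are constructed assumptions.

```python
"""Monte Carlo propagation of lognormal basic-event uncertainties through
system cut sets, in the style the report describes for MOCARS.
Constructed example: no value below is taken from the report."""
import math
import random
from itertools import combinations, product

Z95 = 1.6449  # standard normal 95th-percentile z-score


def lognormal_sigma(error_factor):
    """Lognormal sigma for which the 95th percentile is error_factor x median."""
    return math.log(error_factor) / Z95


def k_of_n_cut_sets(trains, pumps_required):
    """Minimal cut sets for a k-of-n success criterion.

    trains maps a train name to the basic events any one of which fails that
    train.  The system fails when n-k+1 trains fail, so each cut set is one
    failing event drawn from each of n-k+1 distinct trains.
    """
    failures_to_fail = len(trains) - pumps_required + 1
    cut_sets = []
    for failed in combinations(sorted(trains), failures_to_fail):
        for events in product(*(trains[t] for t in failed)):
            cut_sets.append(frozenset(events))
    return cut_sets


def unavailability(cut_sets, q):
    """Rare-event approximation: sum over cut sets of the product of event unavailabilities."""
    return sum(math.prod(q[e] for e in cs) for cs in cut_sets)


def monte_carlo(basic_events, cut_sets, initiator, trials=10000, seed=1):
    """Sample every basic event and the initiator from its lognormal, propagate
    through the cut sets, and return point estimate, 95th percentile and the
    error factor defined as p95 / point estimate."""
    rng = random.Random(seed)
    point_q = {name: med for name, (med, _ef) in basic_events.items()}
    point = initiator[0] * unavailability(cut_sets, point_q)
    samples = []
    for _ in range(trials):
        q = {name: min(1.0, med * math.exp(rng.gauss(0.0, lognormal_sigma(ef))))
             for name, (med, ef) in basic_events.items()}
        lam = initiator[0] * math.exp(rng.gauss(0.0, lognormal_sigma(initiator[1])))
        samples.append(lam * unavailability(cut_sets, q))
    samples.sort()
    p95 = samples[int(0.95 * trials)]
    return {"point": point, "p95": p95, "error_factor": p95 / point}


# Constructed inputs: four RHRSW pumps aligned to EECW, each train failed by its
# pump or by its control circuit.  Control-circuit faults carry the error
# factor of 10 the report says it applied to generic control circuit models.
EECW_TRAINS = {
    "A3": ["A3_pump", "A3_ctrl"], "B3": ["B3_pump", "B3_ctrl"],
    "C3": ["C3_pump", "C3_ctrl"], "D3": ["D3_pump", "D3_ctrl"],
}
BASIC_EVENTS = {}                       # name -> (median unavailability, error factor)
for _train in EECW_TRAINS:
    BASIC_EVENTS[f"{_train}_pump"] = (5.0e-3, 3.0)
    BASIC_EVENTS[f"{_train}_ctrl"] = (3.0e-3, 10.0)
LOSP_INITIATOR = (0.1, 3.0)             # (median per year, error factor), constructed


def eecw_sensitivity():
    """Sequence frequency (LOSP x EECW failure) under the 3-of-4 criterion the
    report used and the 2-of-4 alternative it examined in Section 8.6."""
    results = {}
    for k in (3, 2):
        cs = k_of_n_cut_sets(EECW_TRAINS, k)
        results[k] = monte_carlo(BASIC_EVENTS, cs, LOSP_INITIATOR)
        results[k]["cut_sets"] = len(cs)
    return results


if __name__ == "__main__":
    for k, r in eecw_sensitivity().items():
        print(f"{k}-of-4: {r['cut_sets']} cut sets, point {r['point']:.2e}, "
              f"95% {r['p95']:.2e}, EF {r['error_factor']:.1f}")
```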
Appendix C presents insights on the uncertainty analysis in detail. The following list summarizes the major points.
1. A relatively high error factor of 10 was used for control circuit faults since their unavailability estimates were based on generic models. A MOCARS evaluation of the generic control circuit model substantiated the conservative nature of this assumption. Since control circuit faults have a dominant effect on torus cooling and shutdown cooling, this conservatism is largely responsible for the high error factors in some of the sequences.
2. The uncertainty after recovery is about a factor of 2 less than that before recovery in spite of the conservative control circuit error factor. Control circuit faults are considered to be recoverable when there is enough time (a) to repair or bypass the control circuits, (b) to manually operate a valve, or (c) to valve in another pump, as is the case with long-term decay heat removal. Thus, it is not surprising that the final sequence error factors, like the frequencies themselves, reflect the decreased dependence on control circuit faults after considering recovery.

Table 15. Dominant sequence uncertainties

| Sequence Designator | Initial Frequency | Error Factor | Final Frequency | Error Factor |
|---|---|---|---|---|
| TURBRA | 1.3 x 10^-4 | 20.5 | 9.7 x 10^-5 | 8.7 |
| TUB | 5.1 x 10^-5 | 5.0 | 5.1 x 10^-5 | 5.0 |
| TpRBRA | 1.5 x 10^-3 | 5.6 | 2.8 x 10^-5 | 2.8 |
| TKRBRA | 1.2 x 10^-5 | 21.5 | 9.3 x 10^-6 | 9.0 |
| TUQRBRA | 5.5 x 10^-6 | 36.3 | 4.1 x 10^-6 | 15.3 |
| TABM | 3.7 x 10^-6 | 4.6 | 3.7 x 10^-6 | 4.6 |
| TpKRBRA | 8.3 x 10^-5 | 6.7 | 1.6 x 10^-6 | 2.8 |
| TpQRBRA | 6.2 x 10^-5 | 10.7 | 1.2 x 10^-6 | 4.7 |
| Total | 1.9 x 10^-3 | 5.8 | 2.0 x 10^-4 | 5.6 |
3. Despite the fact that some sequences have relatively high error factors, their effect on the cumulative frequency error factor is relatively modest.
4. The cumulative frequency error factors before and after recovery are about the same, indicating that the cumulative frequency error factor is not significantly affected by recovery factors nor by the wide error spread of a few sequences.
8.6 Sensitivity Analysis
After selection of the dominant sequences and evaluation of the uncertainties associated with each, it is important to examine the assumptions and uncertainties that went into the original values. A sensitivity analysis can aid in understanding the contributors to dominant sequence frequencies. The method of performing such an analysis is to identify potential uncertainties and recalculate the sequence frequencies to show how much a variation in that input parameter changes the final value.
Review of the dominant sequences revealed several areas where a sensitivity analysis would be desirable. These areas are summarized below.
1. The RHR trees assumed that failure of the minimum-flow bypass valves to close would disable the RHR loops. Since about 90% of the flow per loop would not be diverted by such a failure, what would be the effect on sequence frequency if such failures did not disable the RHR loops?
2. For the LOSP initiated sequences, failure of EECW was an important contributor to the sequence frequencies. The analysis assumed that three of four pumps were needed to supply adequate cooling. Since two of four pumps provides up to 91% of the necessary cooling, what change to the sequence frequency would occur if the EECW model were changed to require only two of four pumps for successful cooling?
3. The transient-induced LOCA initiator frequencies were derived from the transient systemic event trees using the WASH-1400 failure data for relief valves. What would be the change in these sequences if the generic SORV frequency from EPRI NP-801 were used instead?
4. Unavailabilities for valve and pump control circuits were based on analysis of typical systems. A more detailed analysis of the corresponding systems would be possible. In particular, what would be the effect of modeling differences between AC- and DC-powered valve control circuits and of modeling the effect of 4160 V AC rather than 480 V AC motor control circuits?
The methodology for this analysis was to replace the changed event(s) in the event or fault trees with the new value and reevaluate the sequence frequency. The results of the three analyses were that:
1. Removal of the minimum bypass valve faults reduced the initial frequency by a factor of only 3.8 but reduced the final frequency of the affected sequences by a factor of 22. This is because many of the minimum-flow bypass valve faults are not recoverable, while many of the other faults of the shutdown cooling and torus cooling systems are recoverable.
2. Changing EECW success criteria from three of four to two of four pumps reduced the initial sequence frequency for affected sequences by a factor of 1.6 but had no significant effect on the final frequencies.
3. Plant-specific SORV frequencies would increase the affected sequences by a factor of approximately 6.0. Using generic frequencies (from General Electric plants) produced results comparable to those from the event trees (about 0.25 increase).
4. For both the generic control circuits analyzed, the differences in power assumptions do not have a significant influence on system unavailabilities.
Section 6 of Appendix C provides additional detail on these analyses.
8.7 Limitations of the IREP Methodology and Uses of the Models
The quantitative results of this IREP study must be viewed and used with a thorough understanding of the limitations of the methodology used. As previously identified, this is principally a reliability study.
While inferences regarding risk-dominant accident sequences can be obtained from the analysis, a detailed risk analysis was not performed, nor was it intended. The analysis leading to the grouping of accident sequences into release categories relied heavily on previous studies performed on similar plants without extensive plant-specific analysis. Recognizing the inherent uncertainties in this type of categorization, the information generated was not used as an input to a calculation of consequence distribution. External events such as earthquakes, fires, floods, and other influences from without were not considered. Thus, the quantitative results must be regarded as being incomplete from a risk point of view.
In utilizing the results of this study, the following limitations should be recognized:
1. The generic data base used in the quantification analyses was very similar to the WASH-1400 data base (although with larger error bounds), with some modifications resulting from limited analyses of licensee event report (LER) submittals. Plant-specific data was utilized when the analyst found it different from the generic base. However, the detailed comprehensive examination of plant logs necessary to fully evaluate in-plant data was not performed.
2. Human performance was modeled using the techniques described in NUREG/CR-1278. However, the systematic bias in human response (either positive or negative) that may result because of morale or management practices was not included. In addition, human acts of commission were, in general, not included in the analysis.
3. An attempt was made to couple the root cause of the initiating event with system faults in analyzing accident sequences. The technique used is believed to be reasonably efficient to identify single failures that may initiate a transient and degrade the performance of one or more safety systems. However, multiple fault scenarios of this type may have been omitted.
4. Coupling of faults associated with design, fabrication, or environmental conditions was not treated explicitly.
There were also several assumptions made throughout the analysis regarding the depth of analysis that could influence the results. In many cases, these assumptions were made based on judgement that further modeling was not probabilistically important. The depth of the analysis in many ways defines the level of interactions or dependencies considered and, while we believe the assumptions made are valid, the possibility exists that additional dependencies might be identified with further analysis. Examples of the type of assumptions made include: (a) including only those single passive failures that can fail an entire system, and (b) ignoring misposition faults for valves that are automatically commanded to the proper position by the engineered safety features actuation system and for valves that have position indicated in the control room and are monitored each shift using a checkoff procedure.
The incompleteness and subjectivity associated with the aforementioned topics do not invalidate the analysis performed. The important product of this project is the framework of engineering logic generated in constructing the models, not the precise numbers resulting from the mathematical manipulations of these models.
The patterns, ranges, and relative behaviors that are obtained can be used to develop insights into the design and operation of a plant that can only be gained from an integrated consistent approach such as this IREP analysis.
These insights are applicable to utility and regulatory decision making, although they should not be the sole basis for such decisions. By comparative evaluations, those features of the plant that are predicted to have a more significant influence on risk can be identified and utility and regulatory efforts can be focused on them to determine if they are acceptable. Similarly, regulatory efforts addressed to items having an insignificant influence on predicted risk should also be evaluated. The ranking of risk dominant accident sequences provides a framework for future value-impact analysis of potential plant modifications.
8.8 Application of Results
The general views regarding the usefulness of the IREP analyses expressed above suggest several concrete applications that can be made. They are presented below in the form of suggestions to utilities for applications of the results. In many cases, the models may have to be modified somewhat to achieve the various goals. However, we have attempted to construct them in such a manner as to minimize the difficulty associated with such use. It is desirable for these models to be maintained in a current status and used as tools in operations management.
Specific suggestions for utilities and regulators are discussed below:
Operator Training and Simulator Design.
The IREP study generated a catalog of severe accident sequences, with rough assessments of the likelihood, severity, and principal root causes of each. Some of these could be included in operator training and simulator design. This information can also be used as a starting point for further studies intended to assess the similarity of the symptom profile among accidents requiring different operator response and to survey the hazards associated with misdiagnosis or less-than-optimum recovery actions. A natural follow-up is an assessment of the adequacy of instrumentation and status monitoring equipment.
Emergency Planning.
The catalog of accident sequences and the likelihood estimates emerging from this IREP study can be used to train emergency response personnel in what to expect.
IREP results can also serve as a basis to improve the set of symptoms to be used as trigger points for the declaration of site or general emergencies, and they can be used in developing guides on the diagnosis and prognosis of accidents as they develop.
Adequacy of Procedures.
It is common in studies, such as the IREP studies, to discover a few instances in which emergency procedures or maintenance procedures should be improved and which are of prime importance to the accident susceptibility of the plant. The results herein should be studied to determine if this is the case here. Beyond these lessons, the IREP models can be used to measure the importance of individual procedures to safety and to explore the risk associated with errors in following procedures.
Adequacy of Limiting Conditions of Operation.
An IREP study provides the tools with which to optimize allowable outage times and surveillance intervals. The IREP models can also be used in evaluating requests from utilities to continue power generation when equipment is out of service beyond their specified allowable outage times.
Systems Integration Reviews.
An IREP study is designed to model explicit functional dependencies among systems. It is not uncommon to discover that an auxiliary system is a weak link with respect to reliability in such a manner that it governs plant risk. This IREP study provides visibility for recognizing the following system dependencies: hard-wired systems interactions, human behavior that can couple the unavailability of several safety systems, and the importance of auxiliary systems to safety. Although such findings are not complete or precise, they represent a vast improvement on safety analyses done to date.
Significance of Component Reliability.
The IREP models can be used to develop quantitative measures of importance to safety for the reliability of components, trains, whole systems, and classes of accident sequences. These methods enable the use of cost-benefit analyses on reliability improvements for components, and the more discriminating use of the more expensive qualification or in-service inspection techniques.
System Reliability.
Estimates of system reliability are produced in an IREP study. Quantitative measures of the importance of system components can be calculated from the IREP models and the more likely failure modes that are believed to dominate the unavailability of these systems can be identified. With this information one can assess the possibility that a failed system could be repaired before its failure reaches a point of no return under accident conditions. Operators can be trained in fault diagnosis and in quick fixes. The adequacy of diagnostic instrumentation and status monitoring can be assessed. Surveillance practices can be altered to improve the availability of particularly critical systems.
Accident Sequences.
In addition to identifying accident sequences and estimating their frequency, the IREP models can also serve as a test-bed with which to explore the effects of changes in design or operations practices. Possible improvements may be obvious in light of the results. In other cases, the effectiveness of hypothetical improvements can be assessed (within the limits of the completeness of the models). A particularly valuable use of these models lies in the evaluation of risks associated with changes, i.e., will a fix for one safety problem make different accident sequences more likely? The IREP study results provide a tool that can be used to address such questions.
Evaluation of Operating Occurrences.
The IREP models and results can be used to evaluate whether a fault occurring in plant operation or testing was a precursor of a more serious event, and to evaluate its importance. One can explore each of the classes of severe accident sequences for the role that might have been played by the precursor. In addition, patterns of licensee-reported events or trends can be assessed for risk significance with the IREP models.
Validation of IREP Analyses.
The occurrence of faults or errors in the operation or testing of the plant can be used to update, validate, or improve the completeness or accuracy of the IREP models and the projected failure frequencies. Doing so has the dual advantage of improving the IREP model for its many other uses as well as assessing the safety significance of the operating experience.
Design Errors and Generic Safety Issues.
There are several classes of safety problems in reactor plants that IREP studies do not analyze. Among these are susceptibility to fires, floods, sabotage, earthquakes, design or installation errors that are not revealed by the explicitly known, hard-wired functional dependencies among systems, and effects assumed to be negligible in the IREP study, such as the role of snubber failures. However, the models generated in IREP can be used to put such concerns into perspective once the concern has been explicitly postulated. For example, one can use IREP to assess which accident sequences might be affected by the postulated safety issue and estimate at what level of severity the deficiency, if any, might emerge (from the background of minor contributors to risk) into one of the dominant concerns. Thus, IREP can be useful even in contexts in which its predictive power is poor.
It should be noted that none of the uses suggested above depend upon the predictions of risk. They all depend upon measures of importance and upon the kind of accident sequences to which the subject plant is susceptible.
Some of the applications are sensitive to the limitations of the study, particularly in completeness and quantitative accuracy.
Nonetheless, the applications can be tailored to the known limitations and the models can provide a coherent framework to address the "what if" questions concerning its accuracy in these applications.
The suggested applications of the models in this report do not require a precise analysis of the phenomenology of reactor accidents.
Phenomenological analyses, etc., need only be good enough to develop the general forms of the accident processes, although there are rare occasions when uncertainties in the modeling of accident processes can make large differences in the course or consequences of reactor accidents.
In general, formal, plant-specific consequence analysis is unnecessary for these applications. It is useful to identify accident sequences, their associated release categories, and to do emergency planning using this information.
It is hoped that studies similar to this IREP analysis will be a means by which safety issues can be mutually understood by the NRC and the licensees. The methods employed in the IREP studies provide a systematic way of identifying safety issues and putting these issues into proper perspective, and at the same time improve the cost-effectiveness and risk-relevance of NRC regulatory initiatives.
REFERENCES
1. NRC Action Plan Developed as a Result of the TMI-2 Accident, NUREG-0660, Rev. 1, August 1980, Section II.C.
2. Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), October 1975.
3. Anticipated Transients without Scram, Vol. I, NUREG-0460, April 1978, p. 28.
4. A. A. Garcia, R. T. Liner, P. J. Amico, and E. V. Lofgren, Crystal River-3 Safety Study, NUREG/CR-2515, SAND81-7229/1, Science Applications, Inc., December 1981.
5. D. D. Carlson, Interim Reliability Evaluation Program Phase II, Procedures Guide, NUREG/CR-2728, SAND82-1100, Sandia National Laboratories, to be published.
6. Browns Ferry Nuclear Plant Final Safety Analysis Report, NRC Docket 50-259, Tennessee Valley Authority, September 1970.
7. F. L. Leverenz, Jr., J. M. Koren, R. C. Erdmann, and G. S. Lellouche, ATWS: A Reappraisal, Part II: Frequency of Anticipated Transients, EPRI NP-801, Electric Power Research Institute, June 1978.
8. A. D. Swain and H. E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, SAND80-0200, Sandia National Laboratories, October 1980.
9. Licensee Event Reports, Output of Browns Ferry 1, 2, and 3 Events from 1969 to Sept. 1980, Tennessee Valley Authority, September 1980.
10. ASME Boiler and Pressure Vessel Code, Section XI, "Rules for Inservice Inspection of Nuclear Power Plant Components," Subsection IWV, Division 1, ASME, July 1980.
11. Reporting Procedures Manual for the Nuclear Plant Reliability Data System, NPRDS Manual No. 270, Southwest Research Institute, December 1979.
12. M. E. Stewart, "Interim Reliability Evaluation Program, Browns Ferry Fault Trees," International ANS/ENS Topical Meeting on Probabilistic Risk Assessment, Port Chester, NY, September 20-24, 1981, Log No. VIII.7.
13. N. H. Marshall, et al., User's Guide for the Reliability Analysis System (RAS), TREE-1168, EG&G Idaho, September 1977.
14. N. H. Marshall, et al., COMCAN II: A Computer Program for Common Cause Failure Analysis, TREE-1289, EG&G Idaho, September 1978.
15. Browns Ferry Nuclear Plant Final Safety Analysis Report, NRC Docket 50-259, Tennessee Valley Authority, September 1970, Appendix Q, Question 4.8.
16. R. O. Wooten and H. I. Avci, MARCH (Meltdown Accident Response Characteristics) Code Description and User's Manual, NUREG/CR-1711, BMI-2064, Battelle-Columbus Laboratories, October 1980.
17. R. J. Burian and P. Cybulskis, CORRAL 2 User's Manual, Battelle-Columbus Laboratories, January 1977.
18. S. D. Matthews and J. P. Poloski, MOCARS: A Monte Carlo Code for Determining Distribution and Simulation Limits and Ranking System Components by Importance, TREE-1138, Rev. 1, EG&G Idaho, August 1978.
Figure 25. Condensate and feedwater system. [Simplified system diagram; component and valve labels not reproduced.]
Under abnormal conditions requiring an emergency shutdown from power, the following action occurs if the PCS is not rendered unavailable by the initiating event. The main turbine is tripped and is isolated from the main steam system by the turbine stop valves and turbine control valves. There are nine turbine bypass valves that open to take steam from ahead of the turbine stop valves and discharge to the condenser. The bypass valves are sized to pass up to 30% of maximum turbine design flow. The condensed steam drops to the lower section of the condenser, called the condenser hotwell. The operator manually trips all but one of the operating condensate pumps taking suction from the condenser hotwell. The condensate discharge passes through filter/demineralizers to the suction header for the condensate booster pumps. The operator manually trips all but one of the operating condensate booster pumps. The remaining condensate booster pump discharges through a series of heaters to raise the condensate water temperature.
The feedwater system is actually an extension of the condensate system, which (a) receives water from the condensate system at booster pump discharge pressure, (b) increases the pressure via a steam-driven reactor feed pump, and (c) feeds the reactor through the high pressure heaters, which further raise the temperature of the feedwater. The feedwater flow is combined into a 30-in. mixing header and then is divided into two 24-in. lines to feed the reactor through the feed sparger rings. The operator trips all but one of the operating reactor feedwater pumps.
Application-The PCS appears only on the event tree for transients where PCS is available. The PCS acts as a heat sink for reactor decay heat following a transient where reactor subcriticality is achieved. If subcriticality is not achieved but the recirculation pumps are tripped, the PCS has adequate heat removal capacity to remove the heat being generated at the resulting reactor power level.
Assumptions-As noted previously in Section 6, the unavailability for PCS used in this analysis was based on experience data from U.S. power reactor operating plants.
6.1.9 Standby Coolant Supply System.
The SBCS system is a special mode of alignment of the RHRSW system to the RHR system to provide a standby source of coolant to the reactor. The D supply header of the RHRSW system contains piping and valves that cross-connect the RHRSW system with the RHR system. The purpose of this crosstie is to inject RHRSW into the reactor vessel or containment, via the RHR piping, for final flooding if all other sources of coolant are expended. This mode of coolant injection to the reactor is included in the description of the RHRSW system (Section 6.2.2).
6.1.10 Recirculation Pump Trip System.
During abnormal conditions that lead to sharp increases in reactor system pressure, the RPT system ensures a rapid trip of the recirculation pumps. This action reduces the flow through the core allowing for more void formation and a corresponding reduction in reactor power.
Description-The RPT system consists of the control circuits for the recirculation pump motor generator breakers and portions of the RPS that actuate the trip. The 250 V DC system provides power to the RPT control circuitry. The circuit requires power to function. Figure 26 is a simplified diagram of a RPT circuit.
Application-The RPT function only appears on the transient event tree where PCS is available. For the case where the reactor subcriticality systems fail to shut down the reactor, successful RPT ensures that the resulting reactor power level is within the capacity of the PCS to remove the heat and maintain reactor coolant inventory. Failure of the RPT would allow power levels to remain too high for the PCS to accomplish these tasks and a core melt would eventually occur.
6.1.11 Main Steam Isolation System.
The purpose of the main steam isolation (MSI) system is to isolate the reactor from the main condenser when the PCS is unavailable to maintain reactor water level.
6.2.3 Emergency Equipment Cooling Water System.
The purpose of the EECW system is to supply cooling water to safety-related components in the core spray, RHR, and diesel generator systems. The EECW system performs this function by supplying water from the intake station to heat exchangers in the previously mentioned safety systems.
This cooling water then flows through the heat exchangers and discharges back to Wheeler Reservoir through yard drainage.
Description-A simplified diagram of the EECW system is provided by Figure 30. The EECW system is a Class I safety-related system that serves all three of the Browns Ferry nuclear units. Either of two independent piping headers (north and south headers) can supply the safety-related cooling loads. The EECW system uses 4 of the 12 RHRSW pumps to supply the two EECW headers (two pumps per header) according to the following configuration:

| Header | Pump Pair |
|---|---|
| North | A3, C3 |
| South | B3, D3 |

The remaining eight pumps serve the RHRSW system. Four of these eight pumps may be valved into the EECW system if needed; however, the RHRSW is considered to be a separate support system and is treated independently from the EECW system in Section 6.2.2.
Under worst-case conditions such as exist following a LOSP transient, maximum design flow rates are required at all three units resulting in a total station flow requirement of 9900 gpm. Since each pump is designed to deliver approximately 4500 gpm, three of four pumps assigned to EECW are necessary to supply the EECW system design requirements.
The EECW system is normally in standby readiness with the A3, B3, C3, and D3 RHRSW pumps aligned to EECW service. The RHRSW pumps aligned to EECW will automatically start on:
1. Low RCW header pressure
2. Any time a diesel generator or core spray pump is started:
a. The two RHRSW pumps (B3 and D3) aligned to EECW and powered from shutdown boards in Units 1 and 2 will start automatically in less than 30 sec after starting of a diesel generator or core spray pump in Unit 1 or 2.
b. The two RHRSW pumps (A3 and C3) aligned to EECW and powered from shutdown boards in Unit 3 will start automatically in less than 30 sec after starting of a diesel generator or core spray pump in Unit 3.
3. ECCS initiation signals of high drywell pressure (+2 psig) or low-low-low reactor vessel water level (-143.5 in.) in any unit (part of the core spray initiation logic).
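As an added example (not part of NUREG/CR-2802), the auto-start conditions and the worst-case flow requirement described above can be encoded to check which combinations of actuation signals and pump failures leave the EECW system able to meet station demand. The signal names and the `failed_pumps` input are assumptions of this example; the pump assignments, the 4500 gpm per pump and the 9900 gpm demand are the report's figures.

```python
# Added example: EECW auto-start logic and 3-of-4 flow success criterion
# (constructed from the report's description; signal names are assumed).
from typing import FrozenSet, Iterable

EECW_PUMPS = frozenset({"A3", "B3", "C3", "D3"})
UNIT12_PUMPS = frozenset({"B3", "D3"})   # powered from Unit 1 and 2 shutdown boards
UNIT3_PUMPS = frozenset({"A3", "C3"})    # powered from Unit 3 shutdown boards

PUMP_FLOW_GPM = 4500       # approximate design flow of one RHRSW pump
STATION_DEMAND_GPM = 9900  # worst-case (LOSP) demand for all three units


def auto_started_pumps(signals: Iterable[str]) -> FrozenSet[str]:
    """Return the EECW-aligned pumps that receive an automatic start.

    Assumed signal names:
      'low_rcw_pressure'          - condition 1, low RCW header pressure
      'dg_or_cs_start_unit1/2/3'  - condition 2, DG or core spray pump start in that unit
      'high_drywell_pressure'     - condition 3, ECCS initiation (+2 psig), any unit
      'low_low_low_level'         - condition 3, ECCS initiation (-143.5 in.), any unit
    """
    s = set(signals)
    started: set = set()
    # Conditions 1 and 3 start every pump aligned to EECW, regardless of unit.
    if s & {"low_rcw_pressure", "high_drywell_pressure", "low_low_low_level"}:
        started |= EECW_PUMPS
    # Condition 2 is unit-specific: pumps start with the units that power them.
    if s & {"dg_or_cs_start_unit1", "dg_or_cs_start_unit2"}:
        started |= UNIT12_PUMPS
    if "dg_or_cs_start_unit3" in s:
        started |= UNIT3_PUMPS
    return frozenset(started)


def eecw_flow_sufficient(running: Iterable[str],
                         demand_gpm: int = STATION_DEMAND_GPM) -> bool:
    """True if the running EECW pumps can deliver the demand (3 of 4 at worst case)."""
    running = frozenset(running) & EECW_PUMPS
    return len(running) * PUMP_FLOW_GPM >= demand_gpm


def eecw_success(signals: Iterable[str], failed_pumps: Iterable[str] = ()) -> bool:
    """Combine the start logic with assumed random pump failures and the flow check."""
    running = auto_started_pumps(signals) - frozenset(failed_pumps)
    return eecw_flow_sufficient(running)
```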
Application-The EECW system contributes to every event tree through its contribution to RHR system seal coolers and room coolers necessary for shutdown cooling or torus cooling. When offsite power is available, this contribution is small since the raw cooling water system is normally used to supply these loads. Under LOSP conditions, raw cooling water is unavailable and the EECW system failure contributes not only to RHR failure but also to every AC powered system through its contribution to the loss of diesel generator engine cooling.
Insights-Under LOSP conditions, the EECW system becomes a major contributor to core melt frequencies due to its effect on the unavailability of diesel generators and, therefore, all AC power. The EECW system in this case represents a common mode failure mechanism for AC power since all eight diesel generators receive cooling from EECW. Several steps could be taken to mitigate its effects. Sectionalizing
[Figure 30. EECW system. Simplified system diagram (north and south headers, RHRSW pumps A3/B3/C3/D3, RHR seal heat exchangers and room coolers, Unit 1 and 2 and Unit 3 diesel generator engine coolers, discharges to yard drainage); diagram not reproduced in text.]