ML18025B878

Interim Reliability Evaluation Program: Analysis of the Browns Ferry, Unit 1, Nuclear Plant. Appendix A - Event Trees. Docket No. 50-259. (Tennessee Valley Authority)
ML18025B878
Person / Time
Site: Browns Ferry (Tennessee Valley Authority)
Issue date: 08/31/1982
From: Bertucio R, Leahy T, Mays S, Poloski J, Sullivan J, Sullivan W, Trainer J
EG&G, INC., ENERGY, INC.
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
CON-FIN-A-1241 EGG-2199, NUREG-CR-2802, NUREG-CR-2802-APP-A, NUDOCS 8209270446


Text

NUREG/CR-2802
EGG-2199
Distribution Category: RG, XA

INTERIM RELIABILITY EVALUATION PROGRAM: ANALYSIS OF THE BROWNS FERRY, UNIT 1, NUCLEAR PLANT

APPENDIX A
EVENT TREES

EG&G Idaho, Inc.
S. E. Mays, J. P. Poloski, W. H. Sullivan, J. E. Trainer

Energy Incorporated, Seattle Office
R. C. Bertucio, T. J. Leahy

Published July 1982

EG&G Idaho, Inc.
Idaho Falls, Idaho 83415

Prepared for the U.S. Nuclear Regulatory Commission, Washington, D.C. 20555
Under Sandia National Laboratories Purchase Order No. 62-7776
FIN No. A1241

REGULATORY DOCKET FILE COPY

FOREWORD

This report describes a risk study of the Browns Ferry, Unit 1, nuclear plant. The study is one of four such studies sponsored by the NRC Office of Research, Division of Risk Assessment, as part of its Interim Reliability Evaluation Program (IREP), Phase II. Other studies include evaluations of Arkansas One, Unit 1, by Sandia National Laboratories; Calvert Cliffs, Unit 1, by Science Applications, Inc.; and Millstone, Unit 1, by Science Applications, Inc. EG&G Idaho, Inc. was assisted by Energy Inc., Seattle, in its evaluation of the Browns Ferry, Unit 1, plant. Battelle-Columbus Laboratories provided information regarding the fission product releases that result from risk-significant accident scenarios. Sandia National Laboratories has overall project management responsibility for the IREP studies. It also has responsibility for the development of uniform probabilistic risk assessment procedures for use on future studies by the nuclear industry.

This report is contained in four volumes: a main report and three appendixes. The main report provides a summary of the engineering insights acquired in doing the study and a discussion regarding the accident sequences that dominate the risks of Browns Ferry, Unit 1. It also describes the study methods and their limitations, the Browns Ferry plant and its systems, the identification of accidents, the contributors to those accidents, and the estimating of accident occurrence probabilities.

Appendix A provides supporting material for the identification of accidents and the development of logic models, or event trees, that describe the Browns Ferry accidents. Appendix B provides a description of Browns Ferry, Unit 1, plant systems and the failure evaluation of those systems as they apply to accidents at Browns Ferry. Appendix C generally describes the methods used to estimate accident sequence frequency values.

Numerous acronyms are used in the study report. For each volume of the report, these acronyms are defined in a listing immediately following the table of contents.

CONTENTS

FOREWORD
NOMENCLATURE
1. FRONT-LINE AND SUPPORT SYSTEMS
2. INITIATING EVENT INVESTIGATIONS
   2.1 LOCA Initiators
   2.2 Transient Initiators
   2.3 Initiator Effects On Mitigating Systems
3. LOCA AND TRANSIENT SYSTEMIC EVENT TREES
   3.1 LOCA Systemic Event Trees
   3.2 Transient Systemic Event Tree Description
4. SEQUENCE DEPENDENT OPERATOR ACTIONS
   4.1 Introduction
   4.2 System/Sequence Operator Actions
5. REFERENCES

FIGURES

A-1. Causal failure diagram for MSIV closure
A-2. Causal failure diagram for loss of condenser vacuum
A-3. Causal failure diagram for loss of feedwater
A-4. Causal failure diagram for generator load reject
A-5. Causal failure diagram for turbine trip
A-6. Causal failure diagram for turbine trip without bypass
A-7. Causal failure diagram for closure one MSIV
A-8. LOCA systemic event tree for large liquid break, suction-side of recirculation pumps (LS)
A-9. LOCA systemic event tree for large liquid break, discharge-side of recirculation pumps (LD)
A-10. LOCA systemic event tree for large steam break (LL)
A-11. LOCA systemic event tree for intermediate liquid break (IL)
A-12. LOCA systemic event tree for intermediate steam break (Iy)
A-13. LOCA systemic event tree for small liquid-line or steam-line break (S)
A-14. Transient systemic event tree where PCS is unavailable (TU)
A-15. Transient systemic event tree where PCS is available (TA)

TABLES

A-1. Front-line systems versus support systems
A-2. LOCA mitigation success criteria
A-3. Transient mitigation success criteria
A-4. LOCA pipe rupture frequencies
A-5. Transient initiator categories
A-6. Transient initiator groupings and frequencies
A-7. LOCA initiator effects on mitigation systems
A-8. Electrical equipment failure summary
A-9. Electrical equipment failure chart details
A-10. Cooling water failure chart
A-11. Event tree legend
A-12. Front-line systems legend

NOMENCLATURE

The complement of A (a success event if A is a failure event). (A may also be used to mean "unavailability.")

A  Alarm
AC  Alternating current
ACC  Accumulator
ADS  Automatic depressurization system
AH  Alarm-high
AO  Air operator
APRM  Average power range monitor
AT  Anticipated transient
ATWS  Anticipated transient without scram
BF1  Browns Ferry, Unit 1, nuclear plant
BI  Break isolation
BWR  Boiling water reactor
CAD  Containment atmosphere dilution
CCW  Condenser circulating water
CD  Complete dependence
CE  Conductivity element
CIS  Containment isolation system
Clg  Cooling
COND  Main condenser
CR-3  Crystal River, Unit 3, nuclear plant IREP study
CRD  Control rod drive
CRDH  Control rod drive hydraulic
CRDHS  Control rod drive hydraulic system
CRW  Clean rad waste
CS  Core spray
CS&T  Condensate storage and transfer
CSCS  Core standby cooling system
CSS  Core spray system
CST  Condensate storage tank
CV  Control valve
D  Demand
DC  Direct current
DEP  Depressurization
DG  Diesel generator
DHR  Decay heat removal
Diff  Different
DPI  Differential pressure indicator
DPIS  Differential pressure indicating switch
DPS  Differential pressure switch
DPT  Differential pressure transmitter
EAC  Equipment area cooling
ECCS  Emergency core cooling system
ECI  Emergency coolant injection
EECW  Emergency equipment cooling water
EHC  Electro-hydraulic control
EMI  Electrical Maintenance Instruction
EOI  Equipment Operating Instructions
EPRI  Electric Power Research Institute
EPS  Electrical power system
ESFAS  Engineered safety features actuation system
F( )  Frequency of initiator in parentheses
FCV  Flow control valve
FE  Flow element
FI  Flow indicator
FIC  Flow indicating controller
FLS  Front-line system
FMEA  Failure mode effects analysis
FR  Flow recorder
FS  Flow switch
FSAR  Final Safety Analysis Report
FT  Flow transmitter
FWC  Feedwater control
FWCS  Feedwater control system
G  Green
GOI  General Operating Instructions
H  High
H/L  High/low
HCU  Hydraulic control unit
HCV  Hand control valve
HEP  Human error probability
HPCI  High pressure coolant injection
HPCS  High pressure core spray
HPI  High pressure injection
HS  Handswitch
HSS  High speed stop
HVAC  Heating, ventilation, and air conditioning
HX  Heat exchanger
I&C  Instrumentation and control
I&E  Inspection and enforcement
IMI  Instrument Maintenance Instruction
INJ  Injection
IREP  Interim Reliability Evaluation Program
IRM  Intermediate range monitor
L  Low
LA  Level alarm
LD  Low dependence
LER  Licensee Event Report
LIC  Level indicating controller
LIS  Level indicating switch
LL  Low-low
LOCA  Loss of coolant accident
LOSP  Loss of offsite power
LPCI  Low pressure coolant injection
LPI  Low pressure injection
LS  Limit switch
LSS  Low speed stop
LT  Level transmitter
M  Motor (operated valve)
MCR  Main control room
MD  Moderate dependence
MGU  Master governor unit
MMG  Motor generator
MMI  Mechanical Maintenance Instruction
MO  Motor operated
MOV  Motor-operated valve
MSC  Manual speed control
MSI  Main steam isolation
MSIV  Main steam isolation valve
MSL  Main steam line
NA; N/A  Not applicable
NC  Normally closed
NMS  Neutron monitoring system
NO  Normally open
OI  Operating Instructions
OL  Overload
OP  Overpressure protection
OP(C)  Overpressure protection (relief valves closed)
OP(O)  Overpressure protection (relief valves open)
PA  Pressure alarm
PB  Pipe break
PCIS  Primary containment isolation system
PCS  Power conversion system
PCV  Pressure control valve
PG  IREP Procedure Guide
PI  Pressure indicator
PORV  Power operated relief valve
PRA  Probabilistic risk assessment
PS  Pressure switch
PSCWT  Pressure suppression chamber water transfer
PT  Pressure transmitter
PWR  Pressurized water reactor
Q( )  Unavailability of system in parentheses
QA  Quality assurance
R  Red
RBCCW  Reactor building component cooling water
RBEDT  Reactor building equipment drain tank
RCB  Reactor coolant boundary
RCIC  Reactor core isolation cooling
RCS  Reactor coolant system
RCW  Raw cooling water
RCWS  Raw cooling water system
Recirc  Recirculation
RFP  Reactor feed pump
RFPT  Reactor feed pump turbine
RFWPT  Reactor feedwater pump turbine
RHR  Residual heat removal
RHRSW  Residual heat removal service water
RMOV  Reactor motor-operated valve
RMS  Remote manual switch
RPS  Reactor protection system
RPT  Recirculation pump trip
RS  Reactor subcriticality; reactor shutdown; reactor scram
RV(C)  Relief valve (closed)
RV(O)  Relief valve (open)
RWCU  Reactor water cleanup
RX  Reactor
S/D  Shutdown
S/RV  Safety relief valve
S/V  Safety valve
SBCS  Standby coolant supply
SBGT  Standby gas treatment
SCI  Short-term containment integrity
SD-BD  Shutdown board
SDV  Scram discharge volume
SIV  Scram instrument volume
SJAE  Steam jet air ejector
SLCS  Standby liquid control system
SORV  Stuck-open relief valve
SRM  Source range monitor
TA  Temperature alarm
TCV  Turbine control valve
TD  Time delay
TDC  Time delay contact
TDPU  Time delay pickup
TE  Temperature element
TIP  Traversing in-core probe
TMI  Three Mile Island
TR  Temperature recorder
Trans  Transient
TS  Technical Specifications; torque switch
TVA  Tennessee Valley Authority
UV  Undervoltage
V  Volts
VB  Vacuum breaker
VO  Valve open
VS  Vapor suppression
VSS  Vapor suppression system
VWI  Vessel water inventory

An insignificant quantity, generally less than 10

INTERIM RELIABILITY EVALUATION PROGRAM:

ANALYSIS OF THE BROWNS FERRY, UNIT 1, NUCLEAR PLANT APPENDIX A EVENT TREES

1. FRONT-LINE AND SUPPORT SYSTEMS

One of the initial tasks undertaken in this study was that of front-line and support system identification. A front-line system is defined as a system whose function is necessary to successfully mitigate the effects of a loss-of-coolant accident (LOCA) or operational transient at BF1. A support system is defined as a system that affects the course of an accident or transient only by way of its effect on the operation of a front-line system.

This section contains a list of the front-line and support systems used in this study as well as a table of front-line system success criteria, i.e., minimum equipment needed for LOCA and transient mitigation. The front-line versus support system list is given in Table A-1. LOCA mitigation success criteria are given in Table A-2. Transient mitigation success criteria are given in Table A-3. Success is defined as the minimum equipment combinations needed for accident mitigation.

Front-line system response for a specific LOCA or transient mitigation is discussed in detail in Section 3. Detailed system functions and descriptions are contained in Appendix B, Section 1.

TABLE A-1. FRONT-LINE SYSTEMS VERSUS SUPPORT SYSTEMS

Support system columns: AC Power, DC Power, EAC(b), EECW, RHRSW, RCW, Circulation Water, RPS, Keep-Full System, Operator

Front-Line Systems(a)      Entries
RCIC
RHR (shutdown cooling)     X  X  EOI-74
RHR (LPCI)
RHR (torus cooling)        X  X  EOI-74
RPT
HPCI
ADS
Core spray                 X  X
SBCS                       EOI-74
PCS                        X  EOI-1,2,3
CRD                        X  EOI-85
Relief valves              X  EOI-100-1
Vapor suppression
MSI

a. The front-line systems are given a one-letter name on the systemic event trees (see Table A-12).
b. Equipment area cooling.

TABLE A-2. LOCA MITIGATION SUCCESS CRITERIA

Large Break--Liquid Line--0.3 to 4.3 ft^2--Suction
  Reactor Subcriticality: No more than 30 rods scattered throughout the core not fully inserted, or no more than five adjacent rods not fully inserted
  Short-Term Containment Integrity: Adequate suppression pool level and no bypass leakage from drywell to wetwell
  Emergency Coolant Injection: Two core spray loops and two of four LPCI pumps, or four of four LPCI pumps, or one of two core spray loops and two of four LPCI pumps (one LPCI pump per injection loop)
  Decay Heat Removal: Two of four RHR pumps with associated heat exchangers in torus cooling mode, or one of four RHR pumps with associated heat exchangers in shutdown cooling mode

Large Break--Liquid Line--0.3 to 4.3 ft^2--Discharge
  Reactor Subcriticality: No more than 30 rods scattered throughout the core not fully inserted, or no more than five adjacent rods not fully inserted
  Short-Term Containment Integrity: Adequate suppression pool level and no bypass leakage from drywell to wetwell
  Emergency Coolant Injection: Two core spray loops, or one of two core spray loops and one of two LPCI pumps on unaffected side
  Decay Heat Removal: Two of four RHR pumps with associated heat exchangers in torus cooling mode, or one of four RHR pumps with associated heat exchangers in shutdown cooling mode

Large Break--Steam Line--1.4 to 4.1 ft^2
  Reactor Subcriticality: No more than 30 rods scattered throughout the core not fully inserted, or no more than five adjacent rods not fully inserted
  Short-Term Containment Integrity: Adequate suppression pool level and no bypass leakage from drywell to wetwell
  Emergency Coolant Injection: Two core spray loops, or four of four LPCI pumps, or one of two core spray loops and one of four LPCI pumps
  Decay Heat Removal: Two of four RHR pumps with associated heat exchangers in torus cooling mode, or one of four RHR pumps with associated heat exchangers in shutdown cooling mode

Intermediate Break--Liquid Line--0.12 to 0.3 ft^2
  Reactor Subcriticality: No more than 30 rods scattered throughout the core not fully inserted, or no more than five adjacent rods not fully inserted
  Short-Term Containment Integrity: Adequate suppression pool level and no bypass leakage from drywell to wetwell
  Emergency Coolant Injection: One of one HPCI pump, or four of six ADS relief valves and one of four LPCI pumps or one of two core spray loops
  Decay Heat Removal: Two of four RHR pumps with associated heat exchangers in torus cooling mode, or one of four RHR pumps with associated heat exchangers in shutdown cooling mode

Intermediate Break--Steam Line--0.12 to 1.4 ft^2
  Reactor Subcriticality: No more than 30 rods scattered throughout the core not fully inserted, or no more than five adjacent rods not fully inserted
  Short-Term Containment Integrity: Adequate suppression pool level and no bypass leakage from drywell to wetwell
  Emergency Coolant Injection: One of one HPCI pump, or one of four LPCI pumps, or one of two core spray loops
  Decay Heat Removal: Two of four RHR pumps with associated heat exchangers in torus cooling mode, or one of four RHR pumps with associated heat exchangers in shutdown cooling mode

Small Break--Liquid or Steam--Up to 0.12 ft^2
  Reactor Subcriticality: No more than 30 rods scattered throughout the core not fully inserted, or no more than five adjacent rods not fully inserted
  Short-Term Containment Integrity: Adequate suppression pool level and no bypass leakage from drywell to wetwell
  Emergency Coolant Injection: One of one HPCI pump, or four of six ADS relief valves and one of four LPCI pumps, or four of six ADS relief valves and one of two core spray loops
  Decay Heat Removal: Two of four RHR pumps with associated heat exchangers in torus cooling mode, or one of four RHR pumps with associated heat exchangers in shutdown cooling mode

TABLE A-3. TRANSIENT MITIGATION SUCCESS CRITERIA

Transients where PCS is available
  Reactor Shutdown
    CRD: No more than 30 rods fail to insert, or no more than five adjacent rods fail to insert
    Both recirculation pumps trip(b)
  Overpressure Protection(a)
    OP(O): NA
    OP(C): All relief valves reclose(c)
  Vessel Water Inventory
    PCS: Condenser available and feed system providing makeup
    MSI(d): MSIVs shut, or turbine valves and bypass valves shut
    HPCI: HPCI, or RCIC
    DEP: Manual operation of at least four relief valves
    One LPCI pump, or one core spray loop, or one booster and one condensate pump, or one RHRSW pump in SBCS mode
  DHR
    RHR: Two RHR pumps and two heat exchangers in torus cooling mode, or one RHR pump and one heat exchanger in shutdown cooling mode

Transients where PCS is unavailable
  Reactor Shutdown
    CRD: No more than 30 rods fail to insert, or no more than five adjacent rods fail to insert
  Overpressure Protection(a)
    OP(O): Direct scram, 2 of 13 valves; flux scram, 7 of 13 valves; pressure scram, 10 of 13 valves
    OP(C): All relief valves reclose
  Vessel Water Inventory
    PCS: NA
    MSI(d): MSIVs shut, or turbine valves and bypass valves shut
    HPCI: HPCI, or RCIC
    DEP: Manual operation of at least four relief valves
    One LPCI pump, or one core spray loop, or one or two booster and one condensate pump(e), one RHRSW pump in SBCS mode
  DHR
    RHR: Two RHR pumps and two heat exchangers in torus cooling mode, or one RHR pump and one heat exchanger in shutdown cooling mode

a. Relief valves open OP(O) and reclose OP(C).
b. If both recirculation pumps trip and PCS remains available, the resulting power level is such that the capacity of the bypass valves is adequate to remove the heat being generated.
c. Even though relief valve action is not required, some relief valves will open.
d. MSI only necessary if PCS fails.
e. Although PCS is unavailable, the condensate system may still be operable.
2. INITIATING EVENT INVESTIGATIONS

This section describes how initiating events were identified for BF1 and how frequency of occurrence values were derived for those accident initiators. It also describes special investigations to identify potential dependencies between the accident initiating events and the mitigating systems needed to cope with those initiators.

2.1 LOCA Initiators

The initiating event frequencies for the various LOCA pipe rupture sizes are listed in Table A-4. These initiating event frequencies for the various liquid and steam LOCA break sizes were derived by multiplying the probability for a given break size times the relative probability the break occurs in a specific portion of that size piping. It was assumed that within a given break range category (e.g., intermediate piping, 2 in. to 6 in.) the rupture was equally likely to occur in any of the piping, whether it be for liquids or steam.

TABLE A-4. LOCA PIPE RUPTURE FREQUENCIES

Type             Size          Location        Frequency (per reactor-year)
Liquid           Large         Suction side    9.9 x 10^-6
Liquid           Large         Discharge side  3.9 x 10^-5
Steam            Large                         5.2 x 10^-5
Liquid           Intermediate                  9.0 x 10^-5
Steam            Intermediate                  2.1 x 10^-4
Liquid or steam  Small                         1.0 x 10^-3

Table III 6-9 of WASH-1400 provided the following median pipe rupture probabilities:

Pipe Rupture Size   Piping Rupture Rate (per plant per year)
Small               1 x 10^-3
Intermediate        3 x 10^-4
Large               1 x 10^-4

Differing success requirements for emergency coolant injection systems for types of liquid breaks (suction versus discharge) and steam breaks required that separate LOCA event trees be drawn. The above LOCA rates are not apportioned as to steam and liquid piping nor do they account for the suction versus discharge break effects. Thus, BF1 piping isometrics for those systems that interface with the primary pressure boundary were examined to determine for a given break size:

1. What portion of the piping represented liquid versus steam.
2. For liquid breaks, what portion of the piping was a suction versus discharge side break.

The piping examination was not required for small LOCA piping since the small LOCA event tree was valid for liquid or steam breaks, and the ECI success criteria for both type breaks were the same. In addition, the piping was only considered up to the first valve that could isolate the break.

As discussed in Section 5 of the main volume, breaks outside containment are relatively unimportant from a probability standpoint. From the plant piping isometrics, it was determined that the length of liquid and steam piping susceptible to a large-size break is:

Piping             Length (feet)   Percent of Total
Liquid discharge   348.4           38.5
Liquid suction     89.3            9.9
Steam              466.5           51.6
Total              904.2           100.0

Thus, the probability for a large liquid break occurring on the discharge side of a recirculation pump was determined by multiplying the large pipe rupture rate times the relative probability the break occurs in the discharge piping:

(1 x 10^-4 per reactor-year)(38.5%) = 3.9 x 10^-5 per reactor-year.

Similarly, the suction-side break frequency was determined to be 9.9 x 10^-6 per reactor-year, and the frequency of large steam breaks to be 5.2 x 10^-5 per reactor-year.

The intermediate LOCA frequencies were calculated in the same manner with the exception that the large break liquid and steam piping lengths were added to the intermediate piping lengths since an intermediate size break (i.e., a partial break) can occur in the larger piping. The same rationale was applied to breaks in small piping.
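The apportionment described in Section 2.1, reproduced as an added example that is not part of the original report: it splits the WASH-1400 large-break rate by the piping lengths given above, compares the result with the large-break rows of Table A-4, and backs out the liquid/steam split that the printed intermediate rows imply. All function and variable names are hypothetical; the numbers are the ones quoted in this section.

```python
"""Apportion WASH-1400 pipe rupture rates by piping length (Section 2.1)."""

# Median pipe rupture rates quoted from WASH-1400 (per plant per year).
RUPTURE_RATE = {"small": 1e-3, "intermediate": 3e-4, "large": 1e-4}

# Piping susceptible to a large-size break, in feet (isometrics table above).
LARGE_PIPING_FT = {
    "liquid discharge": 348.4,
    "liquid suction": 89.3,
    "steam": 466.5,
}

# Rows of Table A-4 as printed (per reactor-year).
TABLE_A4 = {
    "large": {
        "liquid discharge": 3.9e-5,
        "liquid suction": 9.9e-6,
        "steam": 5.2e-5,
    },
    "intermediate": {"liquid": 9.0e-5, "steam": 2.1e-4},
}


def round_sig(value, digits=2):
    """Round to the number of significant figures used in Table A-4."""
    return float(f"{value:.{digits - 1}e}")


def length_fractions(lengths_ft):
    """Relative probability that a break falls in each piping segment.

    Uses the report's assumption that a rupture is equally likely anywhere
    along the piping of a given size category.
    """
    if any(ft < 0 for ft in lengths_ft.values()):
        raise ValueError("piping lengths must be non-negative")
    total = sum(lengths_ft.values())
    if total <= 0:
        raise ValueError("total piping length must be positive")
    return {loc: ft / total for loc, ft in lengths_ft.items()}


def apportion(rate, lengths_ft):
    """Split a size-category rupture rate across segments by length."""
    return {loc: rate * frac
            for loc, frac in length_fractions(lengths_ft).items()}


def implied_fractions(rows, rate):
    """Back out the length fractions that a set of printed rows implies."""
    return {loc: round(freq / rate, 2) for loc, freq in rows.items()}


def conservation_gap(rows, rate):
    """Relative difference between the summed rows and the category rate.

    A non-zero gap for printed rows is the effect of two-figure rounding.
    """
    return (sum(rows.values()) - rate) / rate


def check_large_break_rows():
    """Pair each computed large-break frequency with its Table A-4 value."""
    computed = apportion(RUPTURE_RATE["large"], LARGE_PIPING_FT)
    return {loc: (round_sig(freq), TABLE_A4["large"][loc])
            for loc, freq in computed.items()}


if __name__ == "__main__":
    for loc, (calc, printed) in check_large_break_rows().items():
        print(f"large, {loc}: computed {calc:.1e}, Table A-4 {printed:.1e}")
    print("intermediate split implied by Table A-4:",
          implied_fractions(TABLE_A4["intermediate"],
                            RUPTURE_RATE["intermediate"]))
    for size, rows in TABLE_A4.items():
        gap = conservation_gap(rows, RUPTURE_RATE[size])
        print(f"{size}: rows sum to category rate within {gap:+.1%}")
```

The intermediate piping lengths are not given in this section, so only the implied 30/70 liquid/steam split can be recovered for that category, not the lengths themselves.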


2.2 Transient Initiators

Malfunctions, failures or faults in the mechanical/electrical systems that result in a demand for trip of the control rods (scram) and removal of heat from the reactor core are transient initiators. The transient initiators used in this analysis are referred to as events, that is, failures or faults in systems that result in a demand for trip of the control rods (scram) and removal of heat from the reactor core. Therefore, only those events that require a scram and have the potential of overheating the core were considered as valid transients. Transients that could possibly lead to LOCA were treated with an appropriate transfer to the LOCA event trees.

The transient initiators identified for this analysis were taken from EPRI NP-801. Table A-5 defines these transient initiators.

TABLE A-5. TRANSIENT INITIATOR CATEGORIES

1. Electric load rejection
   Occurs when electrical grid disturbances result in significant loss of load on the generator. Also included are intentional generator trips.
2. Electric load rejection with turbine bypass valve failure
   Identical to Number 1 except that the turbine bypass valves do not open simultaneously with shutdown of the turbine.
3. Turbine trip
   Occurs when any one of a number of turbine or nuclear system malfunctions requires the turbine to be shut down. Turbine trips that occur as a byproduct of other transients, such as loss of condenser vacuum or reactor high level trip, are not included. Intentional turbine trips are also included.
4. Turbine trip with turbine bypass valve failure
   Identical to Number 3 except that the turbine bypass valves fail to open.
5. MSIV closure
   Occurs when any one of various steam line and nuclear system malfunctions requires termination of steam flow from the vessel, or occurs by operator action.
6. Inadvertent closure of one MSIV
   Occurs when only one MSIV closes (the rest remaining open) due to operator or equipment error.
7. Partial MSIV closure
   Occurs when partial closure of one or more MSIVs results from a hardware or human error.
8. Loss of normal condenser vacuum
   Occurs when either a complete loss or decrease in condenser vacuum results from a hardware or human error.
9. Pressure regulator fails open
   Occurs when either the controlling pressure regulator or backup regulator fails in an open direction. The failure causes a decreasing coolant inventory as the mass flow of water entering the vessel decreases.
10. Pressure regulator fails closed
   Occurs when either the controlling pressure regulator or backup regulator fails in a closed direction. The failure causes increasing pressure and thus decreasing steam flow from the vessel.
11. Inadvertent opening of a safety/relief valve (stuck)
   Occurs when a safety/relief valve sticks open. Due to an operator or equipment error, a single safety/relief valve can be opened, increasing steam flow from the vessel. If the valve cannot be closed, a scram is initiated. This transient includes only those openings that cannot be subsequently closed before a scram occurs.
12. Turbine bypass fails open
   Occurs when equipment or operator error results in inadvertent or excessive opening of turbine bypass valves so as to decrease vessel level.
13. Turbine bypass or control valves cause increase pressure (closed)
   Occurs when either operator error or equipment failure causes the turbine bypass or control valves to close, resulting in increased system pressure.
14. Recirculation control failure--increasing flow
   Occurs when a failure of a flow controller, either in one loop or the master flow controller, causes an increasing flow in the core.
15. Recirculation control failure--decreasing flow
   Occurs when any flow controller failure causes a decreased flow to the core.
16. Trip of one recirculation pump
   Occurs when one recirculation pump trips due to a hardware or human error.
17. Trip of all recirculation pumps
   Occurs with the simultaneous loss of all recirculation pumps.
18. Abnormal startup of idle recirculation pump
   Occurs when an idle recirculation pump is started at an improper power and flow condition. The increased flow could cause a flux spike, or core inlet subcooling, if the loop has been idle so as to allow coolant in the pump loop to cool.
19. Recirculation pump seizure
   Occurs when the failure of a recirculation pump is such that no coastdown occurs and a sudden flow decrease ensues.
20. Feedwater increasing flow at power
   Occurs when any event causes increasing feedwater flow at power. Excluded (see Number 26) are increasing flow events during startup or shutdown when manual feedwater control is being used.
21. Loss of feedwater heater
   Occurs when the loss of feedwater heating is such that the reactor vessel receives feedwater cool enough to exceed core scram parameters.
22. Loss of all feedwater flow
   Occurs with the simultaneous loss of all main feedwater flow, excluding that due to loss of station power (see Number 31).
23. Trip of one feedwater pump (or condensate pump)
   Occurs when the loss of one feedwater pump or condensate pump is such that a partial loss of feedwater occurs.
24. Feedwater low flow
   Occurs when any plant occurrence causes decreasing feedwater flow at power. Excluded are events at low power (see Number 25).
25. Low feedwater flow during startup or shutdown
   Occurs when any event results in low feedwater flow at essentially zero power. This definition includes only startup or shutdown operations.
26. High feedwater flow during startup or shutdown
   Occurs when excessive feedwater flow occurs during startup or shutdown. The reactor is essentially at zero power.
27. Rod withdrawal at power
   Occurs when one or more rods are withdrawn inadvertently in the power range of plant operation.
28. High flux due to rod withdrawal at startup
   Occurs when inadvertent withdrawal of a rod causes a local power increase.
29. Inadvertent insertion of rod or rods
   Occurs when any malfunction causes an inadvertent insertion of rod or rods during power operation.
30. Detected fault in reactor protection system
   Occurs when a scram is initiated due to an indicated fault in the reactor protection system. An example is the indication of a high level in the scram discharge volume.
31. Loss of offsite power
   Occurs when all power to the plant from external sources (the grid or dedicated transmission lines from other plants) is lost. This event requires the plant emergency power sources to be available.
32. Loss of auxiliary power (loss of auxiliary transformer)
   Occurs when the loss of incoming power to the plant results from onsite failures such as the loss of an auxiliary transformer.
33. Inadvertent startup of HPCI/HPCS
   Occurs when any of the systems inadvertently start up supplying high pressure cold water to the vessel. In general, a BWR will have either a HPCI system or a HPCS system.
34. Scram due to plant occurrences
   Occurs when a scram, either automatic or manual, is initiated by an occurrence that does not cause an out-of-tolerance condition in the primary system, but requires shutdown. Examples are turbine vibration, off-gas explosion, fire, and excess conductivity of reactor coolant.
35. Spurious trip via instrumentation, RPS fault
   Occurs when a scram resulting from hardware failure or human error in instrumentation or logic circuits occurs.
36. Manual scram--no out-of-tolerance condition
   Occurs when a manual initiation of a scram, either purposely or by error, occurs and there are no out-of-tolerance conditions.
37. Cause unknown
   Occurs when a scram occurs, but the cause is not determinable.

The LERs submitted for Browns Ferry were examined to identify those transient initiators not identified in EPRI NP-801. No other additional events were identified from this set of LERs. Each of the transient initiators pertaining to various electric power bus and cooling water system failures was further examined to identify transient initiator effects on front-line system availability. This analysis is described in Section 2.3.2. The transient initiators were grouped according to their effect on mitigating systems.

The transient initiators were subsequently grouped according to their effect on the PCS since this was the only mitigating system found to be affected by the transients. Seven of the 37 EPRI NP-801 events were classified as transient initiators that resulted in PCS being unavailable for mitigation of the transient. Of the remaining 30 events, 8 were identified as having no effect on PCS availability and 22 were considered not applicable for this study. Reasons for exclusion of these events are summarized in Table A-6, which lists the transient initiators and their frequencies.

One final consideration to the transient-type event was given in the case of the LOSP event. The LOSP event was originally grouped as a PCS-unavailable transient initiator. However, due to the dependency factor of this event with other mitigation systems, this particular event was treated separately in the transient event tree analysis.

The frequencies of the transient initiators were estimated using the techniques discussed in EPRI NP-801 (see Table A-6). The transient frequencies were estimated based on the BF1-specific data and all pertinent BWR experience in EPRI NP-801. For this analysis, the plant-specific frequencies were used in the transient tree quantification.

To illustrate the method used to calculate the frequency of the various transient initiators used in this study, the electric load rejection event will be utilized. From EPRI NP-801, the expected frequency for the event is calculated according to a 40 year life of the reactor plant by the following formula:

E(transient frequency) = [frequency of first year + 39 x (remaining years average)] / 40.

a. Data from EPRI NP-2230, a recent revision to EPRI NP-801, were not available in time for use in this study. NP-2230 data produce different results than those reported in EPRI NP-801 because of the inclusion of events occurring at BF1 between January 1977 and April 1980 and, to a lesser extent, because of the omission of events occurring between October 1973 and August 1974 prior to commercial operation. In particular, a LOSP occurring at BF1 in late 1978 early 1979 and reported in NP-2230 increases the estimated frequency of that event by a factor of nearly seven. NP-2230 estimates for other transients that cause the PCS to be unavailable are lower than those in EPRI NP-801, and estimates for those that keep it available (Group 2, Table C-6) are higher. However, the differences here involve factors of less than three, and thus do not have an appreciable effect on numerical results of this study.

TABLE A-6. TRANSIENT INITIATOR GROUPINGS AND FREQUENCIES

| Transient | Frequency, BF1 (events/year) | Frequency, BWRs (events/year) |
|---|---|---|
| Group 1: Transients That Cause PCS to be Unavailable | | |
| a. MSIV closure. | 0.58 | 0.24 |
| b. Loss of normal condenser vacuum. | 0.56 | 0.41 |
| c. Pressure regulator fails open. | 0. | 0.25 |
| d. Loss of feedwater flow. | 0.51 | 0.17 |
| e. Loss of offsite power. | 0.03 | 0.11 |
| f. Loss of auxiliary power. | 0. | 0.03 |
| g. Increased feed flow at power. | 0.05 | 0.18 |
| Total | 1.73 | 1.39 |
| Group 2: Transients That Do Not Cause PCS to be Unavailable | | |
| a. Electric load rejection. | 1.02 | 0.74 |
| b. Electric load rejection with bypass failure. | 0. | 0. |
| c. Turbine trip. | 0.58 | 0.77 |
| d. Turbine trip with bypass failure. | 0. | 0. |
| e. Inadvertent closure of one MSIV. | 0. | 0.10 |
| f. Pressure regulator fails closed. | 0. | 0.11 |
| g. Bypass/control valve fails causing pressure increase. | 0.05 | 0.25 |
| h. Recirculation control fails causing increased flow. | 0.03 | 0.10 |
| Total | 1.68 | 2.07 |

Group 3: Transients from EPRI NP-801 Not Applicable

a. Partial MSIV closure -- partial failures not addressed since full closure is addressed above.
b. Inadvertent open safety/relief valve (stuck) -- considered in LOCA analysis.
c. Recirculation control fails causing decreased flow -- less severe than trip of all pumps (FSAR 14.5.5.3).
d. Trip of one recirculation pump -- less severe than trip of all pumps (FSAR 14.5.5.2).
e. Trip of all recirculation pumps -- no scram occurs (FSAR 14.5.5.3).
f. Abnormal startup of recirculation pumps -- no scram occurs (FSAR 14.5.6.2).
g. Recirculation pump seizure -- less severe than trip of all pumps (FSAR 14.5.5.4).
h. Bypass valves fail open -- mild transient, no scram occurs (FSAR Q14.5).
i. Loss of feedwater heater -- no scram occurs (FSAR 14.5.2.1).
j. Trip of one feedwater pump -- no scram occurs.
k. Low feedwater flow -- less severe than loss of feed flow.
l. Low feedwater flow during startup or shutdown -- startup and shutdown transients not considered.
m. High feedwater flow during startup or shutdown -- same as above.
n. Rod withdrawal at power -- no scram occurs (FSAR 14.5.3.1).
o. High flux rod withdrawal during startup -- startup transients not considered.
p. Inadvertent rod insertion -- no scram occurs.
q. Detected faults in reactor protection system -- not applicable.
r. Inadvertent HPCI initiation -- less severe than increased feedwater flow at power.
s. Scram due to plant occurrence -- no challenge of reactor protection system.
t. Spurious trip -- no challenge of reactor protection system.
u. Manual scram -- no challenge of reactor protection system.
v. Cause unknown -- not applicable.

The load rejection occurrences experienced at BF1 during the first 4 years of operation are as follows:

| Year | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Occurrences | 4 | 0 | 1 | 1 |

The number of occurrences for the fourth year is for only 1.3 months (0.11 year) of data. By the above formula, the expected frequency for the electric load rejection event at BF1 is calculated to be 1.02 events per reactor-year, that is:

$$E(\text{electric load rejection}) = \frac{4 + 39\,(2 \div 2.11)}{40} = 1.02 \text{ events per year.}$$

2.3 Initiator Effects On Mitigating Systems

In addition to identifying the initiating events, it is important to determine what effect the initiator may have on those systems designed to respond to the accident. In some cases, the initiating event may originate in a mitigating system. The resulting accident sequence could be significant since the ability of the plant to cope with the accident has been degraded. The following sections discuss the LOCA and transient initiator effects on mitigating systems.

2.3.1 LOCA Effects On Mitigation

Some of the LOCA initiators have the potential to render LOCA mitigation systems partially or completely inoperable by virtue of the system location of the LOCA.

If a LOCA initiator could disable a mitigating system, the length of piping for the mitigating system susceptible to that LOCA was calculated using TVA supplied isometric drawings. Then, the total length of piping susceptible to that initiator was calculated. It was assumed that for a particular break size, the LOCA was equally likely to occur at any point on the piping susceptible to the LOCA.

Table A-7 provides a list of the systems lost and the percentage of their piping susceptible to a particular LOCA initiator. These values are used in the quantification of LOCA sequences. The quantified systemic tree in Section 2 of Appendix C provides an example of how sequence frequencies were obtained using these values.

2.3.2 Transient Initiator Effects On Mitigation

Transient initiators were identified as discussed in Section 2.2 and were grouped according to their effect on the PCS availability. However, it was necessary to examine the plant further to determine whether these transients could originate in mitigating systems or affect front-line systems other than the PCS. The goal of this transient initiator analysis was to identify those plant failures at a component or system level that could affect mitigating system availability. The identification of transient initiator effects was done by a three-part process as described below:

1. Consequence evaluation of electrical failures -- Failure of each plant electrical bus was postulated. Equipment powered by the bus was tracked and the effect of its failure on the plant was identified.
2. Consequence evaluation of cooling system failures -- Failure of each cooling system was postulated. Loads cooled by the system were tracked and the effect of their loss on the plant was identified.
3. Causal analysis of transient categories -- Causal-type failure analysis was performed on the 15 transient categories retained for this study, as discussed in Section 2.2. The causal analysis is similar to fault tree analysis in that events that can lead to occurrence of an initiating event are logically depicted.

This evaluation was not intended to be all-encompassing. Some appropriate constraints were imposed to limit the depth of the investigation.

The primary constraint was that the analysis only apply to identification of failures that could affect other systems. Failures that are internal to a system and have no consequences outside the system (i.e., failures that have no capability to introduce dependencies in other systems) were of limited interest. For example, failure of feedwater control may result in the loss of feedwater. But other than the main feedwater system, no other mitigating systems are affected by this internal initiating event. However, an initiating event such as LOSP not only fails PCS, but results in the common dependence of the mitigating systems powered by onsite electrical power sources, which significantly increases their probability of failure.

TABLE A-7. LOCA INITIATOR EFFECTS ON MITIGATING SYSTEMS

| LOCA Type | Mitigating Systems Lost | Piping Susceptible to LOCA (%) | Remarks |
|---|---|---|---|
| Large break on discharge of recirculation loops | One LPCI loop and one shutdown cooling discharge path | NA | Both are lost due to break location |
| Large break on suction of recirculation loops | All of shutdown cooling | 55 (suction of recirculation Loop A) | Suction for both shutdown cooling loops comes from recirculation Loop A |
| | or None | 45 (suction of recirculation Loop B) | |
| Large steam | None | | |
| Intermediate steam | HPCI | 23.2 (HPCI) | Majority of piping susceptible to LOCA does not affect mitigating systems |
| | or One core spray loop | 3.8 (core spray) | |
| | or None | 73.0 (other piping) | |
| Intermediate liquid | One LPCI loop and one shutdown cooling discharge path | 78.2 (discharge of Loop A or B) | |
| | or All shutdown cooling | 11.2 (suction of recirculation Loop A) | |
| | or None | 10.6 (suction of recirculation Loop B) | |
| Small liquid or steam | HPCI | 16.3 (HPCI) | Assumes small break can occur in larger piping and renders mitigating systems unavailable as in large break cases |
| Steam | or One core spray loop | 1.3 (core spray) | |
| Liquid | or One LPCI loop and one shutdown cooling discharge path | 23.3 (recirculation discharge) | |
| Steam and liquid | or All shutdown cooling | 3.4 (suction of recirculation Loop A) | |
| | or None | 55.7 (other piping) | |

A second guideline was to examine failures to a level of detail commensurate with that found in the interfacing FMEAs of Appendix B, that is, to only postulate single failures. However, in many cases, the postulated failure was only significant when other concurrent conditional events or failures were considered, and these were noted as such.

Operator action was generally ignored in this evaluation. This is consistent with the rationale that no credit for operator action is taken during the first 10 min of the transient. This assumption was conservative because, in reality, operator action occurs early in most transients. Many of the failures examined are clearly annunciated and represent familiar transients for the trained operator.

Postulated Electrical Faults. The results of the first task pertaining to the effects of electrical equipment failures are summarized in Table A-8. More detail is shown in Table A-9. A wide variety of sources were utilized for information. The most useful source was the FMEAs generated by TVA4 in response to NRC Inspection and Enforcement Bulletin 79-27. [These are cited in Table A-9 as "I&C FMEA (79-27)"]. The postulated fault for the electrical systems was one wherein all loads powered by the bus in question were assumed to fail. Mechanisms for this failure mode were not postulated.

TABLE A-8. ELECTRICAL EQUIPMENT FAILURE

SUMMARY

Scram on Single FLS or E ui ment ~ Failure Conditional Events to Scram CSCS Failed 4160 V SD-BD A No l. Erroneous signal in RPS, RHR Pump A Channel B core spray Pump A

2. Failure of 250 V DC RMOV 1A
3. Existing failure of FSV-1-15B, FSV-1-27B, FSV-1-38B, FSV-1-52B 4160 V SD-BD B No None NA A-18

TABLE A-8. (continued)

Scram on Single FLS or E ui ment Failure Conditional Events to- Scram CSCS Failed 4160 V SD-BD C No 1. Erroneous signal in RPS, RHR Pump B Channel A core spray Pump B

2. Failure of 250 V DC RMOV 1B
3. Existing failure of FSV 1-14B~ FSV 1 26Bs FSV-1-51B 4160 V SD-BD D No None NA Offsite power Yes All PCS 500 kV system Yes None 161 kV system No NA None 4 kV unit board No NA None (any one board) 4 kV recircula- No NA None tion board 480 V SD-BD or No For RMOV 1A failure, see 480 V RMOV (any RPS A one board) For RMOV 1B failure, see RPS B RPS Bus A No l. Erroneous signal in RPS, None Channel B
2. Failure of 250 V DC RMOV 1A 3 ~ Existing failure of FSV-1-15B, FSV-1-27B, FSV-1-38B, FSV-1-52B RPS Bus B No 1. Erroneous signal in RPS, None Channel A
2. Failure of 250 V DC RMOV 1B A-19

TABLE A-8. (continued)

Scram on Single FLS or E ui ment Failure "~

Conditional Events to Scram CSCS Failed

~ ~

RPS Bus B 3. Existing failure'f (continued) FSV-1-14B, FSV-1-26B, FSV-1-37B, FSV-1-51B 250 V DC RMOV 1A No NA HPCI system failed Core spray B and D failed RHR B and D failed 250 V DC RMOV 1B No NA ADS failed RHR A and C failed Core spray A and C failed 250 V DC RMOV 1C No NA RCIC system failed Two ADS valves fail 250 V DC Yes Operator fails to terminate PCS nonclass lE feedwater on high reactor unavailable water level annunciation 250 V DC turbine No Significant generator load PCS failed building distri- change demand bution board Battery Board 1 Yes See 250 V DC nonclass lE See 250 V DC RMOV lA See 250 V DC turbine distribution Battery Board 2 No NA See 250 V DC RMOV lc A-20

TABLE A-8. (continued)

Scram on Single FLS or E ui ment Failure Conditional Events to Scram CSCS Failed Battery Board 3 No NA See 250 V DC RMOV 1B Battery Board 4 No NA I&C Bus A Yes Drywell air unavailable MSIV isola-tion reset unavailable I&C Bus B No Leaky MSIV accumulators Drywell air unavailable Unit-preferred No Power demand change PCS failed bus RCIC system failed 24 V DC Channel A No Failure 24 V DC Channel B 24 V DC Channel B No Failure 24 V DC Channel A 48 V DC No 125 V DC No NA diesel control Unit Yes Condenser nonpreferred unavailable Plant preferred Yes Cold weather Feedwater unavailable

a. HPCI system and RCIC system could fail due to water in the steam line, but these, systems not required during over fill. ADS operability unknown due to the possibility of water in steam line.

A-21

TABLE A-9. ELECTRICAL EQUIPMENT FAILURE CHART DETAILS Failed E ui ment Scram T c Prima Failure Effects Disabled S stems/Seconder Effects Comments Notes References 4160 V SD-BD A None 1 ~ Loss of RPS Bus A. 1, Outboard MSIVs go into "half- 1 If any signal requirement in isolate" state. Channel B is satisfied, the

2. No other loads essential to normal , reactor will scram.

operation are povered by this 2. RPS goes into "half scramu state.

board. '2. Alternate pover source for RPS bus

3. RHR Pump A inoperable. is manual trans'fer.
4. Core spray Pump h inoperable. 3. Rcfs. EOI-5 I&C FMEA (79-27) 45N-724-1 45N-749-1 45N-751-1.

4160 V SD-BD B None 1. No equipment essential for Unit 1 1. RHR Pump C inoperable, 1. Refs. same as above.

normal operation is powered from this board, 2. Core spray Pump C inoperable.

4160 V SD-BD C None 1. Loss of RPS Bus B. l. Inboard MSIVs go into "half l. If an erroneous..signal is made up isolate" state, through Channel A, thc reactor vill 2 ~ No other loads essential for normal scram and/or isolate.

operation are powered by this 2. RPS goes into "half scram" state.

board. 2. Alternate power source for RPS bui

3. RHR Pump B inoperable. rs manual transfer.
4. Core spray Pump B inoperable. 3. Refs. same as above.

4160 V SD-BD D None 1, No equipment essential for Unit 1 1. RHR Pump D inoperablc. 1. Refs. same as above.

normal operation is powered by this board. 2. Core spray Pump D inoperable.

Complete loss of Yes, scram on 1. Loss of RPS Buses A and B. 1. Reactor scrams on loss of RPS 1. Plant undergoes complex sequence of offsite pover loss of RPS bus ~ events upon loss of offsite power; buses 2. I&C Bus h and B lost until diesels only thc most significant affects availgblc. 2. Reactor isolates on loss of RPS were noted.

bus ~

2. Diesels start on- low voltage.

500 kV system Yes, if above 1. Ccncrator trip. l. 4 kV unit, boards auto-transfer to 1. Refs.-EOI-5 30'over; start board. 15N500-1.

generator trip 2, Loss of power to 4 kV unit boards, 4 kV common boards, and 4 kV 2. Pover to recirculation boards not recirculation boards. necessary if reactor is less than 302 pover.

161 kV system None l. 4 kV common boards auto-transfer. 1. Refs. EOI-5 15N500-1.

TABLE A-9. (continued)

Failed Equi ent Scram T e Primer Failure Effects Disabled S stems/Seconda Effects Comments Notes References 4 kV unit None, assuming 1. Loss of one unit board disables: l. Unit will 'run back to 92X power if 1. Refs. EOI-5 boards loss of one one CCW pump one condensate train is lost. 15W500-1.

board one condensate booster pump one condensate pump 2. 480 V unit boards auto-transfer to one raw water cooling pump. alternate power supply.

2 ~ Loss of corresponding 480 V unit board.

4 kv No 1. Power lost to recirculation Pump YC 1. Loss of both recirculation pumps recirculation sets. does not cause a scram.

boards 480 V SD-BD None, assuming 1. Loss of RPS Bus A if RHOV IA or 1. "Half scram" and "half-isolate" 480 V RMOVs only one RMOV SD-BD IA fails. states occuro or one shut-down board 2 ~ Loss of RPS Bus B if RMOV 1B or 2. All other I&C buses are on non-fails SD-BD 1B fails. interruptable power supplies (with respect to 480 V board failures).

RPS Bus A None 1. Channel A of the RPS logic is 1. RPS in "half scram" state. 1. Any erroneous signals in Channel B tripped. logic vill scram reactor and/or

2. Outboard MSIVs in "half isolate" trip HISVs.
2. Miscellaneous false isolation and state.

trip signals vill occur. 2. Refs. EOI-5 I&C FMEA (79-27) 45W 710 4.

RPS Bus B None 1. Channel B of the RPS logic is 1. RPS in "half scram" state. 1. Any erroneous signal in Channel A tripped. logic vill scram and/or isolate

2. Inboard MSIVs in "half isolate" reactor.
2. Miscellaneous false isolation and state.

trip signals vill occur. 2. A failed 250 V solenoid on inboard MSIV will cause valve to close.

One <<losed.HSIV will not directly trip plant.

3. Refs. EOI-5 I&C FMEA (79-27) 45W 710 4.

250 V RHOV 1A None 1. HPCI system inoperable. 1. Loss of bus is annunciated in HCR. l. If a 120 V AC solenoid on the out-Operator can transfer to battery board HSIVs is failed, that MSIV

2. Core spray Train B and D Board 2 ~ will close; one MSIV closure may inoperable. cause a scram but multiple faults are required.
3. RNR Train B and D inoperable.
2. Refs.45N712-1
4. S/RV 1-41 and 1-4 inoperable in I&C FHEA (79-27).

manual initiation mode.

TABLE A-9. (continued)

Failed E ui ent Scram T e Prima Failure Effects Disabled S stems/Seconder Effects Comments Notes References 250.V RMOV 1A 3, Transfer to alternate power supply (continued) 5. Two valves in backup scram system is manual.

are inoperable.

6. Solenoids on outboard MSIVs close.

7, Recirculation Pump A speed is fixed. Pump can be tripped.

250 V RMOV 1B None 1, ADS inoperable. 1. No shutdown cooling. l. See above cocment.

2 ~ S/RV 1 18 ~ 1 19> 1 31) 1 42) 1 179 2. Loss of bus is annunciated in MRC. 2. Refs. 45N712-2 inoperable in manual activation Operator can transfer to battery I&C FMEA (79-27).

mode ~ Board 1.

3. Transfer to alternate power supply
3. RHR Train A and C inoperable. is manual.
4. Core spray Train A and C inoperable.
5. Recirculation Pump B speed is fixed. Pump can be tripped.
6. FCV-74-47 fails as is.
7. Solenoids on inboard MSIVs close.

250 V RMOV 1C None 1. RCIC system inoperable. 1. Same as 2 above. 1. Refs. 45N712-3.

I&C FMEA.(79-27) ~

2. S/RV 1-23, 1-5, 1-180, 1-34 inoper-able in the manual initiation mode. 2. Transfer to alternate power supply is manual.

250 V DC Yes, pressure 1. All main turbine trips except the 1. Manual control of feedwater is 1. Loss of bus voltage is not nonclass lE regulator following are lost: lost; automatic control between annunciated.

power closes a. High vibration. 3000 and 5500 rpm is unaffected.

b, Back-up overspeed. 2. Refs.I&C FMEA" (79-27).

c. Loss of both turbine speed feed- 2. Power loss to PT-1-16A and back channels. PT-1-16B cause pressure regulator 3. Transfer to alternate power supply
d. Manual trip. to fail closed. (batcery Board-2) is manual.

2, hll RFPT are lost. Feedwater can 4. Reactor scram on high pressure; be manually terminated by closing turbine trip. on'verspeed. Feed-valve in steam supply line. water drops to~low speed stop.

Bypass fails closed.

3. Motor speed changer on RFPT is inoperable.
4. EHC instrumentation is lost.

~~

TABLE A-9. (continued)

Failed Equi ment Scram T e Primar Failure Effects Disabled S stems/Seconds Effects Comments Notes References 250 V DC No direct 1. Loss of alcerrex excication system. 1. Loss of ability to regulate exci- If significant change in grid turbine scram signi- tation voltage of che main demand occurs vhen Alterrex is out, building ficant grid 2. Loss of control pover to: generator. a generator trip vill occur, caus-distribution demand change a. 4 kV unic boards. ing a scram if above 30X power.

board vill cause b. 4 kV recirculation boards. 2. If generator trip occurs before scram c. 4 kV common boards. control power is restored, 'these Normal povez supply is battery

d. 4 kV unit boards. boards cannot be transferred to Board 1 with manual transfer.
e. 480 V unit boards. offsite power. The generator
f. 480 V common boards. nomally supplies these boards Transfer is manual.

through TUSS-1A and 1B.

Refs. 1&C FMEA (79-27).

250 V DC battery If in feedvater l. Loss of nomal power to: 1. See other sections for effects If feedvater control is in Board 1 control a. 250 V DC lQRV 1A. of loss of 250 V DC boa'rds. Channel A, feedvater vill go to Channel A, b. 250 V DC nonclass 1E. high speed stop. Turbine will not scram will c. 250 V DC turbine building 2. Failure of feedwater inverter trip on vater Level 8. RFPT vill occur due distribution. causes feedvater to go co high noc trip on water Level 8. Reactor to high reactor d. Feedvater inverter. speed stop if in Channel A control. vill not scram until turbine trips water level e. 480 V shutdown load shed (likely on high vibracion or manual Logic A. 3. Failure of feedvater inverrer trip).

If in feedvacer has no effect if in Channel B.

concrol 2 ~ If feedvater control is in Channel B, no Channel B, there is no irminent direcc scram; direct scram. Manual feedvater significant control is lost. Master governor grid demand unit controls feedvater betveen

.change will 3000 and 5500 rpm. Should the load cause scram demand the turbine to trip (on backup overspeed) and subsequent Pressure regu- reactor scram, three feedvater lator will pumps drop co their lov speed stop fail closed (manual speed control unavailable).

causing high Qhen generator trips, the 4 kV unit pressure scram boards lose power; this vill fail condensate pumps, which vill subse-quently fail (or trip) feedwater pumps ~

If boards are switched to offsite power before generator trip, feed-water will be available and will fill up vessel, unless manually teminated. (Installation of generator breakers vill eliminate need for manual pover change, i.e., CCW condensate pump vill be available.)

TABLE A-9. (Continued)

Failed E ui ment Scram T e Prima Failure Effects Disabled S stems/Seconds Effects Comments Notes References 250 V DC battery 3. Refs. 45N701 Board 1 I&C FMEA (79-27) ~

(continued)

4. Third alternative is that pressure regulator fail closed; scram on high pressure.

250 V DC baccery None 1. Loss of normal pover supply to: 1. No significant effects on Unit 1.

Board a. 250 V DC RHOV-IC.

Refs.

2

b. 480 V shutdovn load shed 2~ 45N702 Logic B. I&C 45N702 250 V DC battery None 1. Loss of normal power supply to: 1. No significant. effects on Unit l.

Board 3 a ~ 250 V DC RMOV 1B ~

b. Control bus for 480 V SD-BD lb. 2. Refs. 45N703 I&C FHEA'(79-27).

250 V DC battery None 1. Pover lost to all DC air compres- 1. No significant effects on Unit l.

Board 4 sors on the diesels.

2. Refs,"-45N704'&C
2. Power lost to main turbine DC FMEA (79-27) ~

emergency bearing oil pump.

I&C BQ@ A If feedvater l. If feedvater control in Channel B, l. Effect of recirculation pump speed 1. Channel B is preferred operating, vill control system RFPT goes to high speed stop. If mismatch unknown. mode, so it is likely a scram in Channel B, in Channel h> no effect. LT-3-60 occur on high water level.

reactor vill goes to zero 2. Dryvcll cooling lost.

2. All trips are available to main scram on L-8 turbine trip; 2. Feedwater bypass valve to condenser 3. Air to inboard MSIVs and safety turbine and RFPT.

delayed scram opens. relief valves isolated. HSIV and may occur on ADS valves have accumulator inside 3. CSCSs are unaffected.

high dryvell 3. Recirculation Pump A speed fixed, isolation.

pressure due to 4 ~ HSIVs may drift closed if accumu-loss of cooling 4. Recirculation Pump B speed goes to 4. SJAE-B vill stare on lov conden- lators leak.

5 502. ser vacuum (25 in. high).

Scram may occur 5. Loss of some CSCS instrumentation on turbine trip 5. FCV-32-62 (dryvell control air suc- 5. RHR, CSS, RHRSW are noC disabled. increases chance for operator due to lov con- tion valve) fails closed. error.

denser vacuum if SJAE-B does 6. SJAE-h fails. Auto-start of SJAE-B 6. Normal power source co I&C Bus A is 480 V SD-BD lh, through a 480/120 V not catch on loss of Train h also fails.

pressure rise transformer. Auto-transfer to

7. HSIV isolation reset signal fails. 480 V SD"BD 2A.

Scram may occur if MSIV accumu- 8. Loss of some RHR-I inscrumentacion. 7. Refs. EOI-5 lator leaks 4> 5'W710-4

9. Loss of some CSS-I instrumentacion. I&C FMEA (79-27).

TABLE A-9. (Continued)

Pailed Equi ment Scram T e Prima Failure Effects Disabled S stems/Seconder Effects Comments Notes References I&C Bus A 10. Loss of some RHRSH-I 8. I&C Bus A is fed from bus at (continued) instrumentation. battery Board 1. Transfer to bus at battery Board 2 is automatic.

Buses at battery board fed from 480 V shutdown boards.

I&C Bus B Delayed trip 1. FSV-32-63 fails closed. Dryvell 1. Dryvell cooling is lost. 1. Reactor scram is not obvious.

may occur on control air lost.

high drywell 2. Air to inboard MSIVs and safety 2. CSCS are unaffected.

pressure due to Z. Recirculation Pump 8 speed is relief valve is lost. MSIVs and loss of dryvell fixed. ADS valves have accumulator inside 3. MSIVs may drift closed if cooling isolation. accumulators leak.

3. Recirculation Pump A speed goes to Delayed scram 50X. 4. Normal pover source for Bus B is may occur if 480 V SD-BD 1B. Auto-transfer to SJAE-B is oper- 4. Feedwater control unaffected. 480 V SD-BD 3Bo ating. Scram may occur if 5. SJAE-B inoperable. SJAE-A is 5. Refs. EOI-5 MSIV accumu- normally in use. 45H710-9 lator leaks I&C FMEA (79-27) ~
6. Loss of some RCIC system instrumentation.
7. Loss of some RHR-II instrumentation.

Unit preferred None, unless 1. Recirculation pump speed locks in l. As long as turbine is operating, 1. Unit preferred is a continuous bus power demand on both pumps. EHC is powered by permanent mag- power supply. driven by motor-changes and net on shaft. Should trip occur, generated set.

feedwater 2. EHC loses normal power source. EHC is inoperable, thereby failing flux/flow level turbine bypass. 2. All CSCSs, except RCIC system mismatches 3. CRD positioning capability lost. operable.

occur 2. Scram capability exists. No rod

4. RCIC system start logic fails. positioning available. 3. Refs. EOI-6 45H710-4
5. Power lost to: 3. Loss of pover to LC-46-5 causes I&C FMEA (79-27) ~
a. LM-46-6. master government to lock in place.
b. LT-3-206. Operator must take manual control
c. LC-46-5 (master feedvater vith manual speed control.

controller).

d. LC-3-53 (safety valve level controller).

24 V DC None 1. Power lost to EHC master trip 1 ~ EHC will not trip unless both A 1. Refs.-EOI-5 Channel A Solenoid A. and B solenoid are tripped. 1&C FMEA (79-27) ~

2. Various process radiation monitors 2. Loss of intermediate range monitor lost. and source range monitor vill cause a "half scram."

TABLE A-9. (Continued)

Failed E ui ment Scram T e Prima Failure Effects Disabled S stems/Seconds Effects Cocmcnts Notes References 24 V DC 3. Channels h and C source range Channel B monitor lost.

(continued)

4. Channels A, C, E, and G intermediate range monitor lost.

24 V DC None 1. Power lost to EHC master trip ~ See cocments above. 1. Refs. EOI-5 Channel B Solenoid B. I&C FMEA (79-27).

2. Various process radiation monirors inst'
3. Channels B and D source range monitors lost.
4. Channels B, D, F, and 11 intermediate range monitor lost.

48 V DC system None 1. Annunciator system lost. 1. No significant affects 1&C FMEA (79-27).

125 V DC None diesel control power system Unit Eventually, 1. SJAE exhaust valves close. 1. Condenser vacuum will gradually 1. Refs. I&C FMEA (79-27).

nonpreferred . loss of be lost. At 600 psig (reactor bus condenser 2. Recirculation scoop tube positioner pressure) the vacuum pumps can be vacuum locks in place. used.

3. All high point vent valves in RHR, CSS, HPCI, RCIC system will fail closed.
4. Reactor manual control lost.
5. FCV-68-3, FCV-68-79 jog circuit power is lost.

Plant preferred None I ~ TM 24 70 ~ TM 24 80 > TM 24 85 1. These valves sre the RCN valves 1. Orderly shutdown recomnended.

bus open upon loss of power. to the RFPT coolers. In cold weather, this will cause curbine 2. Refs. EOI-5 oil overcooling and subsequent '&C FHEA (79-27)>

turbine vibration.

As can be seen from Tables A-8 and A-9, the most significant power failure that results in a scram and causes loss of a front-line system (i.e., the PCS) is a LOSP event. The effect of this important transient on the mitigating systems was accounted for separately during sequence quantification.
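The single-failure tracking used for the electrical boards (fail one board, assume every load it supplies fails, record the effect on the plant) can be sketched as follows. This is an added example, not part of the original report: the feed and effect entries are a hand-transcribed subset of Tables A-8 and A-9, the PCS losses are recorded without the conditional events the tables attach to them, and the function names are hypothetical.

```python
from collections import deque

# Subset of Tables A-8 and A-9, transcribed by hand for this example.
# FEEDS: board -> boards or buses that take their normal supply from it.
FEEDS = {
    "4160 V SD-BD A": ["RPS Bus A"],
    "4160 V SD-BD C": ["RPS Bus B"],
    "Battery Board 1": [
        "250 V DC RMOV 1A",
        "250 V DC nonclass 1E",
        "250 V DC turbine building distribution board",
    ],
    "Battery Board 2": ["250 V DC RMOV 1C"],
    "Battery Board 3": ["250 V DC RMOV 1B"],
}

# EFFECTS: board -> (scram on single failure, front-line systems or CSCS lost).
# Assumption: the PCS entries are conditional in Table A-8 (operator response,
# grid demand change); they are recorded here as potential losses.
EFFECTS = {
    "4160 V SD-BD A": (False, {"RHR Pump A", "Core spray Pump A"}),
    "4160 V SD-BD C": (False, {"RHR Pump B", "Core spray Pump B"}),
    "RPS Bus A": (False, set()),
    "RPS Bus B": (False, set()),
    "250 V DC RMOV 1A": (False, {"HPCI", "Core spray B and D", "RHR B and D"}),
    "250 V DC RMOV 1B": (False, {"ADS", "RHR A and C", "Core spray A and C"}),
    "250 V DC RMOV 1C": (False, {"RCIC", "Two ADS valves"}),
    "250 V DC nonclass 1E": (True, {"PCS"}),
    "250 V DC turbine building distribution board": (False, {"PCS"}),
    "Battery Board 1": (True, set()),
    "Battery Board 2": (False, set()),
    "Battery Board 3": (False, set()),
}


def postulate_failure(board):
    """Fail one board, fail every downstream load, and collect the consequences."""
    if board not in EFFECTS:
        raise KeyError(f"no table entry for {board!r}")
    failed, seen, queue = [], {board}, deque([board])
    while queue:  # breadth-first walk down the supply tree
        current = queue.popleft()
        failed.append(current)
        for load in FEEDS.get(current, []):
            if load not in seen:
                seen.add(load)
                queue.append(load)
    scram = any(EFFECTS[b][0] for b in failed)
    lost = set()
    for b in failed:
        lost |= EFFECTS[b][1]
    return {"failed": failed, "scram": scram, "lost": lost}


def scram_with_mitigation_loss():
    """Boards whose single failure both scrams the plant and degrades mitigation."""
    hits = []
    for board in EFFECTS:
        result = postulate_failure(board)
        if result["scram"] and result["lost"]:
            hits.append(board)
    return sorted(hits)


if __name__ == "__main__":
    for name in scram_with_mitigation_loss():
        outcome = postulate_failure(name)
        print(name, "->", sorted(outcome["lost"]))
```

Boards that appear in the result are the ones of interest to the analysis: a single failure that initiates the transient and removes part of the mitigation at the same time.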

Failure of the 250 V DC nonclass 1E bus or battery Board 1, since it supplies power to 250 V DC nonclass 1E bus, also causes a scram on high reactor pressure due to the pressure regulator failing closed. Manual control of feedwater is lost including reactor feedwater pump trip on high reactor water level. If the operator fails to respond to high reactor water level annunciation (i.e., manually terminate feedwater, or, in the case of loss of battery Board 1, manually transfer power to battery Board 2) a possible overfill condition could occur. The HPCI and RCIC systems could be inoperable due to water in the steam lines, and relief valve operability is not known under this condition. BF1 EOI-5, Section M, delineates the procedures the operator should follow given this initiator. Immediate operator action requires manual transfer of the affected board to the alternate source. Subsequently, the procedure requires that if a reactor scram occurs, the operator should manually trip the main turbine and close the high and low pressure steam supply to the reactor feed pump turbines. The latter action is required to terminate feed pump flow since manual control is inoperative (i.e., the operator can stop flow but he cannot control it).

Thus, the probability of losing a DC bus (approximately 10 ) times the probability of the operator failing to subsequently respond to terminate feedwater flow (approximately 10 ) makes this scenario insignificant when compared to other transient sequences.

Postulated Cooling System Failures. The cooling water systems and the drywell atmospheric cooling system were treated in an analogous manner to the electrical systems. The results are shown in the cooling water failure chart, Table A-10.

Cooling system failures are not as significant as electrical system failures. Loss of cooling loads does not represent as dynamic a situation as loss of electrical power. System response and plant response is gradual with significant time for operator action or recovery by alternate cooling systems. Failure of cooling systems is not considered to be a significant transient initiator.

Causal Analysis of Transient Categories. Causal-type failure analysis was performed on the 15 transient categories identified previously in Section 2.2. Causal analysis is similar to fault tree analysis in that events that can lead to occurrence of some undesired initiating event category are depicted. However, in keeping with the rationale of identifying events that can affect other systems, as discussed previously in Section 2.3.2, only those events that could originate in front-line or support systems and cause the transient are represented on the causal failure diagrams.

The 15 transient categories applicable to BF1 are:

1. Closure of all MSIVs (Figure A-l).
2. Loss of condenser vacuum (Figure A-2).


TABLE A-10. COOLING WATER FAILURE CHART Failed Equi ment 'Scram/T e Failure Effects Disabled S stems/Seconda Effects Comments Notes References Reactor building None 1. Loss of recirculation pump cooling. 1. No CSCS affected.;

closed-cycle cooling 2. Loss of dryvell cooling.

Drywell 1. Loss of dryvell cooling. 1. If failure mode of the drywall air l. If scram on drywel'1 isolation, ADS atmosphere is through isolation, dryvell pres- valves vill not be available if cooling system sure vill increase, causing reactor their accumulators leak.

None'rima 2.

scram If failure mode is through loss of

2. Operator instructed to vent drywell to the vapor space. above the heat sink, temperature vill increase ~ uppression pool.

but pressure may not. Operator will initiate manual shutdown. 3. Ref. EOI-26.

RHRSH None 1. No RHR heat exchanger cooling available.

EECN Raw cooling, Eventually 1. Loss of EHC cooling. 1. Loss of generator cooling is likely 1. NO CSCS equrpment rs drsabled.

water to be the first thing to cause a

2. Loss of turbine oil coolers. trip0 2. EECM provides backup vater supply to critical
3. Loss of reactor building ccmponent 2. If EHC has no cooling, turbine loads.'.

cooling vater heat sink. bypass will not be available.

Loss of generator cooling. 3. Feedwater probably not available.

5. Loss of reactor feedwater pump turbine cooling.
6. Loss of condensate pump cooling.
7. Loss of drywall cooling (through RECCNs).

Figure A-1. Causal failure diagram for MSIV closure.

3. Pressure regulator fails open.
4. Loss of feedwater flow (Figure A-3).
5. Loss of offsite power (LOSP).
6. Loss of auxiliary power.
7. Increased feed flow at power.
8. Load rejection (Figure A-4).
9. Load rejection with bypass failure.
10. Turbine trip (Figure A-5).

11. Turbine trip with bypass failure (Figure A-6).

Figure A-2. Causal failure diagram for loss of condenser vacuum.

12. Inadvertent closure of one MSIV (Figure A-7).
13. Pressure regulator fails closed.
14. Bypass valve fails, causing pressure increase.
15. Uncontrolled increase in recirculation flow.

Causal failure diagrams were prepared for those transient initiator categories where failures in other systems can cause the initiating event and, at the same time, nullify portions of the mitigating systems. No diagrams were drawn for those initiating events that have a direct causal relationship (transient Categories 3, 5, 6, 7, 9, 13, 14, and 15).

Figures A-1 through A-7, as noted above, represent the causal failure diagrams for the remaining seven transient categories. These diagrams should be read from right to left, because the causes of the event are depicted to the right. All branch points can be considered as OR logic except where noted by "double," indicating AND logic, i.e., where multiple failure conditions must exist. A discussion of each of the 15 categories follows:

Figure A-3. Causal failure diagram for loss of feedwater.

1. Closure of all MSIVs--This can be caused by steam line breaks, low turbine inlet pressure, or low reactor water level. There are no other single failures outside the system that can cause this event.
2. Loss of condenser vacuum--Many actions start to happen on loss of condenser vacuum. The second steam jet air ejector starts at 25 in. Hg, reactor scrams at 23 in., turbine trips at 22 in., bypass valves close at 7 in., and RFPT occurs at 7 in. The initiation logic for these actions was determined to be powered as follows:

SJAE A start: I&C Bus A
SJAE B start: I&C Bus B
RPS scram: RPS Buses A and B
Turbine trip: Instrumentation and trip solenoid power by 250 V DC nonclass 1E
Bypass valve: Controlled and powered by electro-hydraulic control power sources (i.e., 250 V DC nonclass 1E and 120 V AC unit preferred)
RFPT: Instrumentation and trip solenoid powered by 250 V DC nonclass 1E.

3. Pressure regulator fails open--This will cause a scram through MSIV closure caused by low turbine inlet pressure or a direct scram from high reactor water level.

Figure A-4. Causal failure diagram for generator load reject.

Figure A-5. Causal failure diagram for turbine trip.

Figure A-6. Causal failure diagram for turbine trip without bypass.

Figure A-7. Causal failure diagram for closure one MSIV.

4. Loss of feedwater--This was interpreted to occur in two ways: (a) reduction of feedwater flow such that water level reaches Level 2, closing the MSIVs, and (b) feedwater increases to water Level 8, whereupon reactor trips, feedwater trips, and the turbine trips. Operator action is required to restore feedwater. Water level was assumed to drop to water Level 2, whereupon MSIVs close (making feedwater unavailable) and HPCI system starts. Both of these cases were addressed in the causal chart.

5. Loss of offsite power--The dependencies of the front-line systems on offsite power are clearly documented in all fault tree work to date. No further analysis was done.

6. Loss of auxiliary power--Loss of incoming power to the plant due to yard station faults is similar to transient Category 5. No further analysis was done.
7. Increased feedwater flow--This is addressed in the causal chart, Figure A-3.
8. Load rejection--There is one load reject trip function, i.e., a greater than 40% mismatch between stator electrical current and turbine crossover pressure. This trips the turbine, which scrams the plant if above 30% power. It was assumed that the originating faults for load reject are largely external to the plant. Consequently, no further analysis of this transient was done.
9. Load rejection with bypass failure--No single event was found to cause this transient. There were no occurrences of this category reported in EPRI NP-801 for any BWRs.

10.

trip. They were considered beyond the scope of the study.

11. Turbine trip with bypass failure--Failure of the 250 V DC nonclass 1E power supply has been identified to cause turbine trip and no bypass. Lack of the 250 V DC nonclass 1E fails power to PT-1-16A and PT-1-16B, which are redundant pressure inputs to the electro-hydraulic control. No pressure indication will cause the pressure regulator to close. The reactor will scram on high pressure or high flux. The bypass will also be unavailable since it is controlled by the electro-hydraulic control.

Closure of MSIVs on steam Line A will also cause the same event, because both pressure detectors are on Line A, downstream of the MSIVs.

There were no occurrences of this category reported in EPRI NP-801 for any BWR.

12. Inadvertent closure of one MSIV--This event will not cause a scram through RPS logic. Depending on power level, it may cause a trip through high flux or high steam line flow. Additionally, if steam Line A is isolated, the pressure regulator will fail closed.

13. Pressure regulator fails closed--See causal sheet, Figure A-6. Same as Category 11.

14. Bypass valve fails closed, causing pressure increase--This transient can be initiated by operator error or electro-hydraulic control failures. These failures were considered beyond the scope of this study.
15. Recirculation flow increase--No external failures were identified that can cause this event.

Conclusions. The only significant power failure that causes scram and a loss of a front-line system is the LOSP. This event will cause PCS to be unavailable, and the effect is immediate. Failure of HPCI and RCIC upon loss of 250 V DC nonclass 1E power is possible, but relatively improbable.

Loss of equipment cooling water systems is not significant because of the allowable time for the operator to recover, e.g., to initiate alternate cooling systems. The causal diagrams indicate that multiple failures must coexist in mitigating systems in order to produce a transient initiator.

3. LOCA AND TRANSIENT SYSTEMIC EVENT TREES

A functional event tree describes the meaningful outcomes of accident sequences, given that mitigating functions either respond or do not respond to an accident initiator. A systemic event tree describes the meaningful outcomes of accidents, given that systems (i.e., systems provided to perform the mitigating functions) either respond or do not respond to an accident initiator. This section describes the systemic event trees developed in this study.

3.1 LOCA Systemic Event Trees

The LOCA systemic event trees are shown in Figures A-8 through A-13. The purpose of these trees is to show the interrelationships among the various systems that perform the functions necessary to successfully mitigate the effects of a LOCA. These systems are defined as front-line systems since their success or failure will directly affect the course of the accident. The event tree headings consist of various arrangements of these front-line systems in order of their response requirements or interdependencies necessary for the systems to mitigate the accident. The function that the system (or systems) is performing is listed in the area above the system identification block.

The systemic event trees begin with an initiating event; then each front-line system necessary for mitigation of the particular event is challenged for success or failure progressing from left to right across the tree. This develops the meaningful accident sequences in terms of the system interrelationships. If no branch is depicted for a particular system on the tree, it is assumed the system's response will not affect the consequences associated with that sequence or that system operation is precluded by other systems operation or phenomenological considerations. Each sequence is given a unique identification code based upon the initiating event identifier and the systems which fail for that particular sequence.

LOCA initiating events for BF1 were identified by break size and break location with respect to fluid initially discharged from the break. This was necessary because it was determined that the front-line system responses and the consequences associated with the various initiating events varied with break size and break location. For example, a large suction-line break in the recirculation system requires different system responses than a large discharge-line break in the same system. Where different system responses are required, it is usually necessary to construct a different event tree to adequately illustrate those responses. As a result, a number of LOCA initiating events were identified and six systemic event trees were constructed to illustrate the system responses to these LOCAs.

Since many LOCA initiating events are used in this analysis, a mnemonic coding scheme was developed to identify each initiating event. Break size was considered the most important factor in LOCA initiating event identification. Three break sizes were identified for this analysis: large (L), intermediate (I), and small (S). An L, I, or S is used to identify each LOCA break size. A subscript denotes the fluid initially discharged from the break: L for liquid, V for vapor. During the course of the study, it was determined that a recirculation pump suction-line break required different system responses than a recirculation pump discharge line break. Since these are both liquid line breaks, any initiating event involving these break locations will have an S (suction) or D (discharge) substituted for the L that would normally be present for the subscript letter.

Figure A-8. LOCA systemic event tree for large liquid break, suction-side of recirculation pumps (LS). Break size: 0.3 to 4.3 ft2.

Figure A-9. LOCA systemic event tree for large liquid break, discharge-side of recirculation pumps (LD). Break size: 0.3 to 4.3 ft2.

Figure A-10. LOCA systemic event tree for large steam break (LV). Break size: 1.4 to 4.1 ft2.

Figure A-11. LOCA systemic event tree for intermediate liquid break (IL). Break size: 0.12 to 0.3 ft2.

Figure A-12. LOCA systemic event tree for intermediate steam break (IV). Break size: 0.12 to 1.4 ft2.

Figure A-13. LOCA systemic event tree for small liquid-line or steam-line break (S). Break size: less than 0.12 ft2.

For example, a large break on the recirculation pump suction line requires a specific front-line system response for accident mitigation. This LOCA initiating event identification code is LS. In contrast, a small break on the recirculation pump suction line has the same system response requirements as any small break, regardless of the break location or the fluid being discharged from the break. Therefore the identification code for any small break is S. Table A-11 provides a listing of the various initiating event identifiers used in this study.

TABLE A-11. EVENT TREE LEGEND

Initiating Event Identifier    Initiating Event Description
LS                             Large suction-side break
LD                             Large discharge-side break
LV                             Large steam break
IL                             Intermediate liquid break
IV                             Intermediate steam break
S                              Small liquid or steam break
                               Transients where PCS is unavailable
TA                             Transients where PCS is available
TP                             Loss of offsite power transient

The event tree headings that follow the LOCA initiating event heading identify the front-line systems that are necessary to mitigate the LOCA. A letter with no mnemonic connotation was arbitrarily assigned to each system. That letter represents the system throughout the event tree discussion. In cases where a combination of various configurations of the same system could satisfy a particular function and thus appreciably affect the course of the sequence, each definition of success was listed as a system heading, and the original system code letter (or identifier) with an arbitrary subscript was assigned to the specific system success definition. For example, the core spray system has two success definitions, depending upon the initiating event. The core spray system code is F. FA represents successful operation of two core spray loops. FB represents successful operation of one core spray loop. Specific system success definitions are discussed in Appendix B. The success codes, like the front-line system codes, preserve their identity throughout the analysis. Table A-12 provides a listing of the various front-line system identifiers used in the event tree headings.

TABLE A-12. FRONT-LINE SYSTEMS LEGEND

RPT
MSIV
PCS
RCIC
RA    RHR (shutdown cooling)    One RHR pump and associated heat exchanger
RB    RHR (torus cooling)       Two RHR pumps and associated heat exchangers
Manual depressurization
Booster and condensate pumps
X RHR (SBCS mode)

Each sequence on an event tree is assigned a unique identifier. The identifier consists of the initiating event letter code along with the system(s) failure code associated with a particular sequence. For example, the sequence identifier for a large suction-side liquid break with subsequent failure of the torus and shutdown cooling modes of RHR would be designated LSRBRA. This identifier will always refer to this sequence throughout this analysis.

Following each sequence (right side of figure) is an entry in a table that shows the front-line system function failures associated with each sequence. The table also contains a remarks section that shows the sequence effects on the reactor core.

Specific conditions and requirements that govern the construction of each event tree will be covered in the following discussion. Detailed system descriptions for the front-line systems discussed in the following sections will be found in Appendix B.

The success criteria delineated for each of the accident mitigating systems are based primarily on information contained in the Browns Ferry FSAR. In many cases, discussions with TVA personnel provided further clarification or supporting analyses that resulted in the specific system success criteria as given in the following sections.

3.1.1 Large Suction-side Break (LS)

The systemic event tree for large breaks on the suction side of the recirculation pumps is shown in Figure A-8. The initiating event (LS) for this tree is a pipe break in the range from 0.3 to 4.3 ft2 (approximately-to-28 in. diameter). This is a liquid break somewhere on the suction side of the large recirculation pumps used for recirculation of the primary coolant within the reactor vessel.

Front-Line System Requirements. The following front-line systems will be required to mitigate the effects of the initiating event.

Control Rod Drive (B)--Successful operation of the CRD system will be necessary to successfully perform the reactor subcriticality function.

For this analysis, the control-rod drive system is considered to be failed if: (a) more than 30 control rods throughout the core fail to fully insert, (b) more than five adjacent control rods fail to fully insert.

Vapor Suppression (C)--Successful operation of the vapor suppression system will be necessary to successfully perform the SCI function. For the vapor suppression system to successfully prevent drywell pressure from exceeding design limits, LOCA effluents must be discharged from the drywell to the torus water. Therefore, the vapor suppression system is considered to be failed if bypass leakage exists between the drywell and torus airspace such that the LOCA effluents are not driven through the downcomer pipes and below the surface of the torus water where the condensibles are condensed.

Bypass could occur if one or more of the 12 vacuum breakers were open during a small LOCA or if two or more breakers are open during a large LOCA. These vacuum breakers are normally closed, with position indication lights in the control room. They should be forced closed by the accident, and they would not be opened until long after the initial occurrence of the accident when the pressure in the wetwell might exceed the drywell pressure.

Should the torus rupture, the accident would be much more severe if the rupture were to occur below the minimum water surface because vapor suppression would be ineffective, and the break could threaten a source of water for ECI and DHR.

Core Spray (F); Low Pressure Coolant Injection (G)--Successful operation of the core spray system in conjunction with the low pressure coolant injection (LPCI) system will be necessary to successfully perform the ECI function. Failure to provide at least one of the following arrangements of the core spray and low pressure coolant injection systems will result in failure of the ECI function:

1. Two of two core spray loops (FA), and any two of four LPCI pump combinations [i.e., two LPCI pumps in the same LPCI loop (GA) or two LPCI pumps in different LPCI loops (GB)].
2. One of two core spray loops (FB), and two LPCI pumps in different loops (GB).
3. Four of four LPCI pumps (GC).

Residual Heat Removal--Successful operation of the RHR system will be necessary to successfully perform the DHR function. Failure to provide at least one RHR pump with its associated heat exchanger will result in failure of the DHR function.

There are two valve alignments or operating modes of the RHR system that are available for successful performance of this function. The torus cooling mode (RB) pumps water from the torus, through the RHR heat exchangers, and returns it to the torus. The shutdown cooling mode (RA) pumps water from the suction side of recirculation Pump A, through the RHR heat exchangers, and back into the discharge side of recirculation Pump A.

Failure to provide at least two pumps and the two associated heat exchangers in the torus cooling mode (RB) or at least one pump and its associated heat exchanger in the shutdown cooling mode (RA) will result in failure to adequately remove decay heat from the core.

Front-Line System Interrelationships. When a large break occurs on the suction side of the recirculation pump (LS), the CRD system is immediately challenged. Should CRD fail, a vapor suppression system branch is still included because, if the vapor suppression system is successful, the radioactivity release as a result of the imminent core melt and subsequent containment failure will be less severe than a release with no vapor suppression action. A no-decision branch is included for the ECI systems if CRD fails. It is assumed that core melt will result due to the "chugging" phenomenon. Chugging refers to the situation where the reactor becomes critical due to the introduction of relatively cold water into the core, the water heats up and causes voiding which, in turn, causes the reactor to become subcritical, and the process repeats. It was assumed that sustained chugging will ultimately lead to core melt.

With CRD success, a branch for vapor suppression system is necessary. If vapor suppression fails, core melt will not necessarily ensue. Branches will still be necessary for ECI systems. Vapor suppression success will lead to branches for the core spray and LPCI systems.

Core spray and LPCI system branches follow the logic discussed in the front-line system requirements section. Should these systems fail to perform the ECI function, the core will rapidly melt, and no branches will be necessary for RHR. When these systems are successful, the torus cooling or shutdown cooling modes of RHR will have branches. ECI is required throughout the accident; RHR functionability is dependent upon ECI success.

When the RHR system fails to perform the DHR function, decay heat will not be removed. Long-term cooling is therefore lost and ultimately the core will melt and containment overpressure failure will result. And, as indicated above, if the break occurs in Loop A, the DHR function is unavailable in the shutdown cooling mode whereby water is taken from Loop A, cooled, and returned to Loop A.

3.1.2 Large Discharge-Side Break (LD)

The systemic event tree for large breaks on the discharge side of the recirculation pumps is shown in Figure A-9. The initiating event (LD) for this tree is a pipe break in the same range as the suction-line break (LS). This, too, is a liquid break. However, the break is located on the discharge side of the recirculation pumps.

A point of interest with this break is the effect that it has with regard to LPCI system response. The LPCI system is designed and operated such that each of the two LPCI discharge headers delivers flow to a separate recirculation loop. The LPCI header discharges to the recirculation system on the discharge side of the recirculation pump and prior to the recirculation pump discharge nozzles. Since the LPCI discharge header cross-connection valve is shut and deenergized, a break in the recirculation pump discharge line automatically precludes the use of one loop (two pumps) of the LPCI system. This is because the flow from the LPCI pumps in the broken loop is lost through the break. Therefore, some of the branches for accident mitigation available in the large suction break event tree will not be available for discharge-line breaks that are in the same range of break sizes.

Front-Line System Requirements. With the exception of the front-line system requirements for the ECI function, all front-line system requirements for this initiating event are the same as the requirements for mitigation of the large suction-side break (LS). The ECI requirements are as follows:

Core Spray (F); Low Pressure Coolant Injection (G)--Successful operation of the core spray system in one arrangement, or the core spray in conjunction with the LPCI system in another arrangement, will be necessary to successfully perform the ECI function. Failure to provide at least one of the following system arrangements will result in failure of the ECI function for this initiating event:

1. Two of two core spray loops (FA).
2. One of two core spray loops (FB) and one of two LPCI pumps (GD).

Front-Line System Interrelationships. The front-line system interrelationships for this initiating event are the same as for the large suction-side break (LS). LPCI Loop A and LPCI Pumps A and C are unavailable if the break should occur in Loop A because the coolant would be lost out the break.

3.1.3 Large Steam Line Break (LV)

The systemic event tree for large steam breaks is shown in Figure A-10. The initiating event (LV) for this tree is a pipe break in the range from 1.4 to 4.1 ft2 (approximately 16 to 27 in. diameter).

Front-Line System Requirements. All front-line system requirements for this initiating event are similar to the requirements for mitigation of the large suction-side break (LS) except the front-line system requirements for the ECI function.

Core Spray (F); Low Pressure Coolant Injection (G)--Successful operation of the core spray system in conjunction with the LPCI system will be necessary to successfully perform the ECI function. Since this is a steam break instead of a liquid break, the thermohydraulic effects of the break will be considerably different from those associated with liquid breaks. As a result, the system response requirements for performance of the ECI function will be different from those necessary for liquid break mitigation. Failure to provide at least one of the following system arrangements will result in failure of the ECI function:

1. Two of two core spray loops (FA).
2. One of two core spray loops (FB) and one of four LPCI pumps (GD).
3. Four of four LPCI pumps (GC).

Front-Line System Interrelationships. The front-line system interrelationships for this initiating event are the same as for the large suction-side break (LS). The break location should have no effect on the availability of front-line systems to cope with the accident.

3.1.4 Intermediate Liquid, Break (I )

I The systemic event tree for intermediate liquid-line break is shown in Figure A-ll. The initiating event (IL) for this tree is a liquid-line break ranging from 0.12 to 0.3 ft2 (approximately 4 to 7 in. diameter).

Front-Line S stem Re uirements. With the exception of the front-line system requirements for the ECI function, all front-line system requirements for this initiating event are the same as the requirements for mitigating the large suction-side break (LS).

A-50

HPCI (D); ADS (E); Core S ra (F); LPCI (G) Since a liquid-line break in the xntermedx.ate range wall not depressurxze the reactor as quickly as a large break, the low pressure core spray system or LPCI system will not effectively perform the ECI function until reactor pressure has been lowered to the core spray/LPCI upper operating pressure limit, which is approxi-mately 350 psig. Therefore, the HPCI system or the ADS must operate in order for the reactor pressure to decrease fast enough to allow the core spray or LPCI systems to adequately provide the ECI function. It should be noted that, for the intermediate liquid-line break, the HPCI system will not in itself provide adequate ECI function. However, the combination of the HPCI flow and depressurization of the reactor due to HPCI operation (steam is withdrawn from the reactor to run the HPCI turbine-driven pump) allows HPCI to be an alternate depressurization method, allowing the low pressure systems to inject the additional water for successful ECI.

Failure to provide at least one of the following arrangements of these systems will result in failure of the ECI function for an intermediate liquid-line break (IL):

l. One of one HPCI pump (D) and one of four LPCI pumps (GD) or one of two core spray loops (FB).
2. Four of six ADS relief valves (E) and one of four LPCI pumps (GD) or one of two core spray loops (FB).

Front-Line System Interrelationships. The front-line system interrelationships for this initiating event are similar to those for the large suction-side break (LS). The only difference is that for the intermediate liquid-line break the HPCI or ADS systems must assist the ECI function. ECI function failure will still have the same results.

3.1.5 Intermediate Steam Break (IV)

The systemic event tree for intermediate steam-line breaks is shown in Figure A-12. The initiating event (IV) for this tree is a steam-line break ranging from 0.12 to 1.4 ft² (approximately 5 to 16 in. diameter).

Front-Line System Requirements. With the exception of the front-line system requirements for the ECI function, all front-line system requirements for this initiating event are the same as the requirements for mitigation of the intermediate liquid break (IL).

HPCI (D); Core Spray (F); LPCI (G)--For this initiating event (IV), the HPCI system will provide adequate flow for successful ECI. This is because a steam-line break with equivalent size and upstream pressure as a liquid-line break will pass more heat per unit time. This in turn will drop pressure faster with less loss of coolant inventory than an equivalent liquid-line break. The steam flow through the break will depressurize the reactor rapidly enough for operation of the core spray or LPCI systems so no operation of the ADS is necessary. Failure to provide at least one of the following system arrangements will result in ECI failure for this initiating event:

1. One of one HPCI pump (D).
2. One of two core spray loops (FB).
3. One of four LPCI pumps (GD).

Front-Line System Interrelationships. The front-line system interrelationships for this initiating event are similar to those for the intermediate liquid-line break (IL). The only difference is that, for the intermediate steam break, the HPCI system will successfully perform the ECI function without assistance from the core spray or LPCI systems, and ADS pressure relief is not required for core spray/LPCI success.

3.1.6 Small Liquid or Steam Break (S)

The systemic event tree for a small liquid-line or steam-line break is shown in Figure A-13. The initiating event (S) for this tree is a liquid-line or steam-line break that is less than 0.12 ft² (approximately 5 in. diameter).

Front-Line System Requirements. With the exception of the front-line system requirements for the ECI function, all front-line system requirements for this initiating event are the same as the requirements for mitigation of the intermediate liquid break (IL).

HPCI (D); ADS (E); Core Spray (F); LPCI (G)--The HPCI system is designed to perform the ECI function without assistance from any other ECI front-line system when the LOCA (whether liquid or steam) is in the small-break range. That is, HPCI provides sufficient flow to compensate for the liquid or steam loss from the break (as opposed to an intermediate liquid break). Thus, for this initiating event (S), the successful operation of the HPCI system will adequately perform the ECI function regardless of reactor pressure. Should the HPCI system fail, the ADS system must depressurize the reactor for successful operation of the core spray or LPCI systems.

Failure to provide at least one of the following system arrangements will result in failure of the ECI function for this initiating event:

1. One of one HPCI pump (D).
2. Four of six ADS relief valves (E) and one of four LPCI pumps (GD) or one of two core spray loops (FB).

Front-Line System Interrelationships. The front-line system interrelationships for this initiating event are similar to those for the intermediate liquid break (IL). The only difference is that, unlike the intermediate break event sequence, the reactor will not depressurize immediately following the break. This will preclude the use of the core spray or LPCI systems for ECI because they are not effective at high reactor pressures. Therefore, some means of high pressure injection is necessary for performance of the ECI function at high reactor pressure. This is accomplished by the HPCI system. For this break range, the HPCI system will deliver adequate injection flow regardless of the break location.

Should the HPCI system fail to perform this function satisfactorily, the ADS system will activate on increasing drywell pressure and depressurize the reactor so the core spray and LPCI systems can perform the ECI function.

As in the other cases, should ECI fail, the core will melt.
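The ECI success criteria stated above for the intermediate liquid, intermediate steam and small breaks can be checked mechanically. The following Python sketch is an added example, not part of the report: it assumes that "A and B or C" in the numbered lists reads as A and (B or C), uses hypothetical function names, and derives the system-level minimal cut sets each criterion implies.

```python
from itertools import combinations

# k-of-n success thresholds as stated in the text: system code -> (k, n).
THRESHOLDS = {"D": (1, 1), "E": (4, 6), "GD": (1, 4), "FB": (1, 2)}
SYSTEMS = tuple(THRESHOLDS)


def system_ok(available):
    """Turn counts of working components into per-system success flags."""
    for code, count in available.items():
        _k, n = THRESHOLDS[code]
        if not 0 <= count <= n:
            raise ValueError(f"{code}: {count} outside 0..{n}")
    return {s: available.get(s, 0) >= k for s, (k, _n) in THRESHOLDS.items()}


def eci_intermediate_liquid(ok):
    # HPCI or ADS must depressurize; a low pressure system must then inject.
    return (ok["D"] or ok["E"]) and (ok["GD"] or ok["FB"])


def eci_intermediate_steam(ok):
    # The break itself depressurizes the reactor; any one system suffices.
    return ok["D"] or ok["FB"] or ok["GD"]


def eci_small_break(ok):
    # HPCI alone suffices; otherwise ADS plus one low pressure system.
    return ok["D"] or (ok["E"] and (ok["GD"] or ok["FB"]))


CRITERIA = {
    "intermediate liquid break": eci_intermediate_liquid,
    "intermediate steam break": eci_intermediate_steam,
    "small break": eci_small_break,
}


def evaluate(available):
    """ECI success (True) or failure (False) per initiating event."""
    ok = system_ok(available)
    return {name: criterion(ok) for name, criterion in CRITERIA.items()}


def minimal_cut_sets(criterion):
    """Smallest sets of failed systems that defeat the ECI function."""
    cuts = []
    for size in range(1, len(SYSTEMS) + 1):
        for failed in combinations(SYSTEMS, size):
            if any(set(cut) <= set(failed) for cut in cuts):
                continue  # already covered by a smaller cut set
            ok = {s: s not in failed for s in SYSTEMS}
            if not criterion(ok):
                cuts.append(failed)
    return cuts


if __name__ == "__main__":
    # Constructed plant state: HPCI failed, 3 ADS valves, 1 LPCI pump,
    # no core spray loop.
    state = {"D": 0, "E": 3, "GD": 1, "FB": 0}
    for name, success in evaluate(state).items():
        print(f"{name}: {'ECI success' if success else 'ECI failure'}")
    for name, criterion in CRITERIA.items():
        print(name, minimal_cut_sets(criterion))
```

The cut sets show why ADS (E) does not appear in the intermediate steam break criterion, while loss of both HPCI and ADS defeats ECI for the other two initiators.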

3.2 Transient Systemic Event Tree Description

The transient systemic event tree identifies the combinations of systems necessary to achieve the functional success described in the functional event tree description. There are two systemic event trees describing the two categories of transients: those where the PCS is unavailable (Figure A-14) and those where the PCS is available (Figure A-15).

Specific conditions and requirements that govern the construction of each event tree will be covered in the following discussion. Detailed system descriptions for the front-line systems discussed in the following sections are found in Appendix B.

3.2.1 Transients Where PCS is Unavailable (TU)

The systemic event tree for transients that render the PCS unavailable for accident mitigation is shown in Figure A-14.

Front-Line Systems Requirements. The following front-line systems will be required to mitigate the effects of the TU transients.

Control Rod Drive (B)--Successful operation of the CRD system will be necessary to successfully perform the reactor subcriticality function.

For this analysis, the control-rod drive system is considered to be failed if: (a) more than 30 control rods throughout the core fail to fully insert, (b) more than five adjacent control rods fail to fully insert.

Overpressure Protection--The overpressure protection function consists of a two-part requirement on the primary system safety relief valves. The first requires that a sufficient number of relief valves open (Event J) to limit the pressure rise to below emergency stress levels. Depending upon the transient and whether or not the reactor scram was caused by a direct signal (valve position for example) or an indirect signal (high flux or high pressure), a different number of valves must open to accomplish this function (see Table A-3). Sequence TUJ is probabilistically insignificant because of the large number of relief valves available (13) versus the maximum number required (10) per Table A-3. It was therefore not considered further in the analysis.

The second part of overpressure protection requires that all relief valves reclose (Event K) after pressure has been reduced below their set-points. Failure of either of these functions results in a transient-induced LOCA sequence.

MSI; HPI; LPI--Successful operation of the VWI function requires isolation of the main condenser from the reactor vessel and injection of water from either the high or low pressure systems.

For this analysis, main steam isolation (Event N) is considered to succeed if:

1. Either an inboard or an outboard valve in all four main steam lines shuts.
2. All four turbine valves and all four bypass valves shut.

Figure A-14. Transient systemic event tree where PCS is unavailable (TU).

Figure A-15. Transient systemic event tree where PCS is available (TA).

HPI is considered to succeed if either the RCIC or HPCI succeed.

LPI will fail if one of the following LPI systems in conjunction with manual depressurization is not provided:

1. One of four LPCI pumps (GD).
2. One of two core spray loops (FB).
3. One booster and one condensate pump (W).
4. One RHRSW pump in the SBCS mode (X).

It should be noted that the one booster and condensate pump (Event W) may still be available depending on how the transient affects the PCS; i.e., the PCS can be unavailable but the condensate and booster pumps might still work.

Residual Heat Removal--Successful operation of the RHR system will be necessary to successfully perform the DHR function. There are two valve alignments or operating modes of the RHR system that are available for successful performance of this function. The torus cooling mode (RB) pumps water from the torus through the RHR heat exchangers and returns it to the torus. The shutdown cooling mode (RA) pumps water from the suction side of recirculation Pump A through the RHR heat exchangers and back into the discharge side of recirculation Pump A. Failure to provide at least two pumps and the two associated heat exchangers in the torus cooling mode (RB) or at least one pump and its associated heat exchanger in the shutdown cooling mode (RA) will result in failure to adequately remove decay heat from the core.

Front-Line System Interrelationships. For transients where the PCS is unavailable, the CRD system must respond to achieve reactor subcriticality. Should CRD fail, a core melt is assumed. With CRD success, the safety relief valves must open to relieve primary system pressure. Failure of these valves to open is assumed to result in a primary system pressure boundary rupture. Failure of these valves to reclose after opening or failure of isolation valves in the main steam lines to close will also result in LOCA initiation. Failure of a sufficient number of safety relief valves to open and failure of isolation valves in the main steam lines to close were determined to be probabilistically insignificant compared to other LOCA initiation frequencies. However, LOCA initiation due to a SORV is the most likely of all LOCA initiators and is similar to an intermediate steam line break. Since reactor subcriticality is already successful and no choice for short-term containment integrity is required (the discharge from the relief valves goes directly to the torus), this LOCA sequence transfers directly into the intermediate steam break systemic event tree (Figure A-12) at the ECI decision branchpoint. This initiator is designated TUK for transients where PCS is unavailable and TPK for the LOSP transient.

The HPI systems branches follow the logic discussed in the front-line systems requirements section. Should these systems fail to perform the VWI function, manual depressurization will be necessary in order that one of various LPI systems can function. VWI failure will result in a rapid core melt and no branches are developed for RHR. When VWI is successful, the torus cooling or shutdown cooling modes of RHR will have branches.

When the RHR system fails to perform the DHR function, decay heat will not be removed. Long-term cooling is therefore lost and ultimately the core will melt and containment failure will result.

3.2.2 Transients Where PCS is Available (TA)

The systemic event tree for transients where the PCS remains available for accident mitigation is shown in Figure A-15.

Front-Line Systems Requirements. The front-line systems needed to cope with transients where PCS is available are as follows:

Control Rod Drive (B)--The success requirements for the CRD system are the same as described previously for the TU transient systemic event tree.

Reactor Pump Trip (M)--For one special case, failure to achieve a subcritical condition with the control rods after a scram does not necessarily result in a core melt. If the RPT system and PCS are available to remove heat via the bypass valves, then core melt will not occur. The resulting power level after successful RPT is such that the capacity of the bypass valves is adequate to remove the heat being generated. Successful RPT requires that both recirculation pumps trip upon receipt of the proper reactor protection system signals.

Overpressure Protection--Since the PCS is still initially available following the initiating event, sufficient steam is being removed so that no relief valves are required to open (Event J). However, it is likely that some may open and therefore are required to reclose (Event K). Failure of any valve to reclose results in a LOCA initiation.

Power Conversion System (P)--The PCS provides both the VWI and DHR systems function by removing steam from the reactor, condensing the steam, and returning the water to the reactor via the feed pumps. Successful PCS operation requires that the condenser is available and the feed system is providing makeup water to the reactor vessel.

The success criteria for the remaining functions and systems are the same as those described previously for the systemic event trees for the transients where PCS is unavailable.

Front-Line System Interrelationships. For transients where the PCS remains available following the initiating event, the CRD system is challenged to provide a reactor scram. CRD failure does not necessarily result in a core melt if the recirculation pumps trip and PCS remains available. Failure of either pump to trip or subsequent loss of the PCS results in a core melt. With CRD success, spurious actuation of relief valves could result in a SORV condition. This LOCA initiator transfers to the intermediate steam break LOCA systemic event tree (Figure A-12) at the ECI decision branchpoint. This initiator is designated TAK for transients where PCS is available.

The PCS (if it remains available) can be used to bring the reactor to a stable shutdown condition. If the PCS fails before hot shutdown is achieved, MSI will be required so that the HPI and LPI systems can function.

The front-line system interrelationships for the HPI, LPI, and RHR systems are the same as discussed previously for the TU transient systemic event tree.

4. SEQUENCE DEPENDENT OPERATOR ACTIONS

4.1 Introduction

The BF1 is designed to provide automatic safety system response to accidents that could occur at the plant. The plant EOIs tell the operator to verify that all automatic actions have occurred and, if not, place controls on manual and make corrective manipulations. However, the operator is cautioned not to place controls on manual unnecessarily when automatic control is functioning properly unless some unsafe plant condition will result.

In some cases, the operator is instructed to take equipment out of service when it is no longer needed or when less than full system response is required. For example, for a large break LOCA, EOI-36 instructs the operator in Step IV.A, "Subsequent Operator Actions," to do the following:

When reactor level approaches normal, upon SRO approval, start reducing the number of LPCI and core spray pumps until equilibrium is reached before the vessel is completely filled.

The following safety systems at BF1 rely solely on manual actuation for proper system operation:

o RHRSW
o RHR
o EPS (bus transfers)
o ADS (manual depressurization)
o SBCS.

Of these systems, only the manual operation of the RHR, and associated service water system, and manual depressurization of the reactor vessel were important from an accident sequence standpoint. The correct manual operation of the RHR and RHRSW systems is obviously required for a LOCA or transient sequence (where PCS is unavailable) to eventually result in successful long-term DHR core cooling. Similarly, since the transient initiators do not result in automatic ADS actuation (the high drywell pressure signal is not present as it is for a LOCA), depressurization by the operator of the reactor vessel with the relief valves is required to allow the LPI systems to function, given that the HPI systems have failed.

4.2 System/Sequence Operator Actions

The following sections describe the operator actions required for each of the above systems, the coded event name that appears on the fault trees, and the rationale for the failure probability value assigned to the event.

4.2.1 Residual Heat Removal Service Water

When it is determined by the operator that a RHRSW pump is needed and which one is to be used, the appropriate pump is started. After the pump is running, the service water discharge valve for the associated heat exchanger is opened until the desired flow is reached. All of these actions are done from the control room.

The coded event name on the RHRSW fault tree for the operator failing to initiate cooling is SOI023 D, where S is the RHRSW system identifier; OI023 refers to Operating Instruction 23, which establishes the procedure; and D is the failure-mode code for operator response error. The blank space is filled in with A, B, C, or D depending upon the appropriate RHRSW header.

An explicit human error model was developed for failure to perform this action using Swain and Guttmann's human reliability handbook. The HEP obtained from this model is 5.5 x 10^-4 per act. The human error models that were developed can be found in Section 4 of Appendix B.

4.2.2 Residual Heat Removal

All modes of RHR operation, other than the LPCI mode, are manually initiated. In the torus cooling mode, the operator must start the RHR pumps and align the discharge valves to the desired flow path. In the shutdown cooling mode, the operator must align the suction valves of the desired RHR loop to the recirculation Loop A, start a RHR pump, and align the discharge valves to the recirculation loop discharge path desired. All of these actions are done from the control room. Operation in either of these modes requires that the RHRSW system be put into service. OI-74 governs the procedure for establishing the above-mentioned RHR modes. The EOIs for the potential accidents at BF1 instruct the operator to: "If necessary, initiate suppression pool cooling to maintain suppression pool temperature below 95°F." This can be achieved by removing heat directly from the torus (torus cooling mode) or by removing heat from the reactor core directly, thereby preventing further heat from being added to the suppression pool (shutdown cooling mode).

The coded event names on the RHR fault tree for the operator failing to initiate cooling are RRB0001D for torus cooling and RRA0001D for shutdown cooling, respectively.

Detailed human reliability models were not developed for the operator response to initiate these modes of RHR cooling since the actions required of the operator are very similar to those required for establishing RHRSW flow. However, since explicit models were not developed, a conservative estimate of 10 per act was used for each RHR cooling mode rather than the 5.5 x 10^-4 per act probability obtained from quantification of the RHRSW HEP model. Since these actions did not contribute significantly to any probabilistically significant accident sequences (even using this conservative value) a detailed model was not constructed.

4.2.3 Automatic Depressurization System

As previously mentioned, for those transient accident sequences where the high pressure systems (HPCI and RCIC) are failed, the operator must use the safety relief valves to depressurize the reactor vessel in order for the LPI systems to function. BF1 GOI-100-1 governs these actions for those sequences where the PCS is not available. GOI-100-1, Step VII, "Emergency Shutdown with MSIVs Closure," Item I states:

If MSIVs cannot be reopened, start suppression pool cooling with RHR Sys. per OI-74. Upon the shift engineer's approval, start depressurization of the reactor at a rate to decrease temperature <90°F per hour by manually operating relief valves. Alternate relief valve operations so that each valve is opened approximately the same amount of time.

Since only 4 of 13 valves are required to successfully depressurize, failure of the operator to perform this act when required dominates the probability of failure for this function. This event is Event V on the transient systemic event trees.

An explicit HEP model was developed for this important operator response. A value of 3 x 10 per act was obtained from this model.

This model is included in Section 4 of Appendix B. Further investigation revealed that recovery actions should be considered for this model. A recovery model was developed that resulted in an HEP of 1.8 x 10 Details of this model are also included in Section 4 of Appendix B.

4.2.4 Electrical Bus Transfers

EOI-5 for BF1 covers a variety of postulated EPS bus failures. Subsequent operator actions called for in these procedures provide for manual transfer to alternate equipment (such as battery chargers) on buses to restore a given bus to service. These transfers basically require opening a circuit breaker to isolate the failed source and then closing the breaker to the alternate power source. These events are coded in the basic form of ACB D, where:

A = system identifier for the EPS
CB = code for circuit breaker
D = failure mode code for operator response error.

No explicit models were developed for "Operator fails to initiate transfer." Due to the limited action required of the operator (i.e., opening and closing circuit breakers in the main control room), an assigned value of 10 per act was felt to be conservative since these actions are similar to those required for placing RHRSW in service. Transfers as a means of recovery, as such, were not important to sequence quantification for two reasons:

1. Electrical bus failures were dominated by local bus faults that would not be corrected by transferring to alternate power sources.
2. In a separate analysis (discussed in Section 1.3.2), various electrical buses were postulated to be failed to determine the effect on mitigating systems. The only significant bus failure identified was LOSP. LOSP becomes important with subsequent loss of the diesel generators. Under these conditions alternate power sources (other than battery systems) are not available.

4.2.5 Standby Coolant Supply System

The SBCS is a special mode of aligning the RHRSW to provide a "last-ditch" effort to provide river water injection to the core via the RHRSW and RHR systems. EOI-41 instructs the operator to verify that one of the two D header pumps, D1 or D2, is running. Then the cross-connect valves between the RHRSW and RHR systems are opened and the D heat exchanger outlet valve closed.

The coded event name on the SBCS fault tree model for the operator failing to initiate cooling is XEOI041D, where:

X = system identifier for the SBCS
EOI041 = EOI-41
D = failure mode code for operator response error.

A value of 5 x 10 per act was obtained from a human error model for these required actions. The model for this action is presented in Section 4 of Appendix B.

No sequences involving SBCS failure were probabilistically important since before the SBCS would be used, the high pressure injection systems would have to be failed along with the other low pressure systems, i.e., the condensate system, core spray system, and LPCI system.

REFERENCES

1. Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), October 1975.
2. F. L. Leverenz, Jr., J. M. Koren, R. C. Erdmann, and G. S. Lellouche, ATWS: A Reappraisal, Part II: Frequency of Anticipated Transients, EPRI NP-801, Electric Power Research Institute, June 1978.
3. A. S. McClymont and B. W. Poehlman, ATWS: A Reappraisal, Part 3: Frequency of Anticipated Transients, EPRI NP-2230, Electric Power Research Institute, January 1982.
4. R. B. Ruger, Browns Ferry Nuclear Plant Bus Failure Analysis, Rev. 0, Tennessee Valley Authority, June 1980.
5. Browns Ferry Nuclear Plant Units 1 and 2 Emergency Core Cooling Systems Low Pressure Coolant Injection Modifications for Performance Improvements, Rev. 1, TVA's proposal to NRC for changes to Technical Specifications (J. E. Gilliland to B. C. Rusche), February 12, 1976.
6. A. D. Swain and H. E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, SAND80-0200, Sandia National Laboratories, October 1980.