ML18025B880
| ML18025B880 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry  |
| Issue date: | 08/31/1982 |
| From: | Bertucio R, Leahy T, Mays S, Poloski J, Sullivan W, Trainer J EG&G, INC., ENERGY, INC. |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-1241 EGG-2199, NUREG-CR-2802, NUREG-CR-2802-APP-C, NUDOCS 8209270448 | |
| Download: ML18025B880 (97) | |
Text
N U R EG/CR-2802 EGG-2199 Distribution Category: RG, XA I NTE R I M RELIABILITYEVALUATION PROGRAM:
ANALYSIS OF TH E B ROWNS FE R RY, UNIT 1, NUCLEAR PLANT APPENDIX C SEQUENCE QUANTIFICATION EG&G Idaho, Inc.
S. E. Mays J. P. Poloski W. H. Sullivan J E. Trainer
~
Energy Incorporated, Seattle Office R. C. Bertucio T. J. Leahy Published July 1982 EG&G Idaho, Inc.
Idaho Falls, Idaho 83415 Prepared for the U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Under Sandia National Laboratories Purchase Order No. 62-7776 FIN No. A1241 gggyoi tjggg '( le.E0P7,
FORENORD This report describes a risk study of the Browns Ferry, Unit .1, nuclear plant. The study is one of four such studies sponsored by the NRC Office of Research, Division of Risk Assessment, as part of its Interim Reliability Evaluation Program (IREP), Phase II. Other studies include evaluations. of Arkansas One, Unit 1, by Sandia National Laboratories; Calvert Cliffs, Unit 1, by Science Applications, Inc.; and Millstone, Unit 1, by Science Applications, Inc. EG6G Idaho, Inc. was assisted by Energy Inc., Seattle, in its evaluation of the Browns Ferry, Unit 1, plant. Battelle-Columbus Laboratories provided information regarding the fission product releases that result from risk-significant accident scenarios. Sandia National Laboratories has overall project management responsibility for the IREP studies. It also has responsibility for the development of uniform proba-bilistic risk assessment procedures for use on future studies by the nuclear industry.
This report is contained in four volumes: a main report and three appendixes. The main report provides a summary of the engineering insights acquired in doing the study and a discussion regarding the accident sequences that dominate the risks of Browns Ferry, Unit 1. It also describes the study methods and their limitations, the Browns Ferry plant and its systems, the identification of accidents, the contributors to those accidents, and the estimating of accident occurrence probabilities.
Appendix A provides supporting material for the identification of accidents and the development of logic models, or event trees, that describe the Browns Ferry accidents. Appendix B provides a description of Browns Ferry, Unit 1, plant systems and the failure evaluation of those systems as they apply to accidents at Browns Ferry. Appendix C generally describes the methods used to estimate accident sequence frequency values.
Numerous acronyms are used in the study report. For each volume of the report, these acronyms are defined in a listing immediately following the table of contents.
CONTENTS F OREWORD ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ t~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C-ii N OMENCLATURE C-vii 1 APPROACH ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~ ~ ~ ~ C-l 1.1 System Unavailabilities C-l 1.2 Treatment of Commonalities C-3 1.3 Treatment of Complement or Success Sets C-8 1.4 Treatment of Initiator Effects on Mitigating Systems ...... C-9
'1.5 Treatment of Potential Logic Loops C-9
- 2. EXAMPLE CALCULATION C-12 2.1 Initiator Frequency C-12 2.2 Example System Unavailabilities C-12 2.3 Sequence Calculations C-15
- 3. FAILURE DATA C-21 3.1 Component Failure Data C"21 3.2 Human Error Rates ................................ '....... ~ C-21 3.3 Recovery Factors C-31
- 4. CANDIDATE DOMINANT SEQUENCES C-32 4.1 Introduction C-32 4.2 Sequence Evaluation C-32 4.3 Dominant Sequences C-77
- 5. UNCERTAINTY ANALYSIS ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C-80 5.1 Introduction ................................. ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C-80 5..2 Methodology C-80 5..3 Data Base C-80 5..4 Re su 1 'ts ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ t ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
C-81 5.5 Insights on Uncertainty Analysis C-81
- 6. SENSITIVITY ANALYSIS C-83 6.1 Introduction C-83 6.2 Scope of Analysis C-83 6.3 Evaluation C-84 R EFERENCES .................,....... ... . ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C-87 FIGURES C-l. RHR/RHRSW/EECW system power dependencies C-10 C-2. LOCA systemic event tree for intermediate steam break (IV),
with system and sequence values filled in C-13 C-3. LOCA systemic event tree for large liquid break, suction-side of recirculation pumps (LS) C-33 C-4. LOCA systemic event tree for large liquid break, discharge-side of recirculation pumps (LD) ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ - ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C-34 C-5. LOCA systemic event tree for large steam break (LV) C-35 C-6. LOCA systemic event tree for intermediate liquid break (Il,) C-36 C-7 ~ LOCA systemic event tree for intermediate steam break (IV) C-37 C-8. LOCA systemic event tree for small liquid or steam b reak (S) C-38 C-9. Transient systemic event tree where PCS is unavailable (TU) C-39 C-10. LOSP-induced transient systemic event tree (PCS unavailable)
( Tp) o ~ ~ ~ ~ ~ ~ ~ ~ t ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ C-40 C-11. Transient systemic event tree where PCS is available (TA) C-41 C-12. Transient-induced SORV LOCA systemic event tree (intermediate steam break) '(TK) C-42 C-13. LOSP-induced SORV LOCA systemic event tree (intermediate steam break) (TpK) C-43 C-14. Systemic event tree showing the TPRERA sequence C-52 C-15. Dominant contributors to the unavailability of torus cooling and shutdown cooling given LOSP ................................ C-53 C-16. Systemic event tree showing the TPQRERA sequence C-55
C-17. Dominant contributors to the unavailability of RCIC, torus cooling, and shutdown cooling given LOSP C-56 C-18. Systemic event tree showing the TURBRA sequence C-58 C-19. Dominant contributors to the unavailability of RHR systems following a transient which disables the PCS (normal power available) C-59 C-20. Systemic event tree showing the TUQRBRA sequence C-61 C-21. Dominant contributors to the unavailability of the RCIC and RHR systems following a transient which disables the PCS
( normal power available) C-62 C-22. Systemic event tree showing the TPKRBRA sequence C-63 C-23. Systemic event tree showing the TKRBRA sequence C-65 C-24. Systemic event tree showing the TUQDV sequence 1 C-67 C-25. Dominant contributors to the unavailability of RCIC, HPCI, and manual depressurization following a transient which disables the PCS (normal power available) C-68 C-26. Systemic event tree showing the TPQDFBGDX sequence C-70 C-27. Dominant contributors to the unavailability of RCIC, HPCI, LPCI, core spray, and SBCS given LOSP C-71 C-28. Systemic event tree showing the TPKDFBGD sequence C-73 C-29. Dominant contributors to the unavailability of HPCI, LPCI, and core spray, given LOSP and SORV C-74 C-30. Systemic event tree showing the TUB sequence C-76 C-31. Systemic event tree showing the TABM sequence C-78 C-32. Dominant contributors to the unavailability of the CRD and RPT systems following a transient where the PCS is available C-79 TABLES C-l ~ Component unavailabilities C-4 C-2. Intermediate steam break ECI criteria .......................... C-14 C-3. Decay heat removal failure criteria C-15 C-4. IREP data Table 3A and 3B C-22 C-v
C"5. Component data not available in Table C-4 C-6. Nonrecovery factors C-j. Sequence frequencies greater than 10
-8 by initiator ............
C-8. Systemic sequence frequencies in decreasing order of magnitude .................................. ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
C-9. Candidate dominant sequences C-10. Initiator des'ignators C-ll. Front-line systems unavailabilities C-12. System combinations of importance C-13. Commonalities of importance C-14. Dominant sequences C-15. Dominant sequence uncertainties
,C-vi
NOMENCLATURE The complement of A (a success event if A is a failure event). (A may also be used to mean "unavailability.")
A Alarm AC Alternating current ACC Accumulator ADS Automatic depressurization system AH Alarm-high AO Air operator APRM Average power range monitor AT Anticipated transient ATWS Anticipated transient without scram BF1 Browns Ferry, Unit 1, nuclear plant BI Break isolation BWR Boiling water reactor CAD Containment atmosphere dilution CCW Condenser circulating water CD Complete dependence CE Conductivity element CIS Containment isolation system Clg Cooling COND Main condenser CR-3 Crystal River, Unit 3, nuclear plant IREP study CRD Control rod drive CRDH Control rod drive hydraulic CRDHS Control rod drive hydraulic system CRW Clean rad waste CS Core spray CS&T Condensate storage and transfer CSCS Core standby cooling system CSS Core spray system CST Condensate storage tank CV Control valve D Demand DC Direct current DEP Depressurization DG Diesel generator DHR Decay heat removal Diff Different DPI Differential pressure indicator DPIS Differential pressure indicating switch DPS Differential pressure switch DPT Differential pressure transmitter EAC Equipment area cooling ECCS Emergency core cooling system ECI Emergency coolant injection EECW Emergency equipment cooling water EHC Electro-hydraulic control C v11
EMI Electrical Maintenance Instruction EOI Equipment Operating Instructions EPRI Electric Power Research Institute EPS Electrical power system ESFAS Engineered safety features actuation system F( ~ ) Frequency of initiator in parentheses FCV Flow control valve FE Flow element FI Flow indicator FIC Flow indicating controller FLS Front-line system FMEA Failure mode effects analysis FR Flow recorder FS Flow switch FSAR Final Safety Analysis Report FT Flow transmitter FWC Feedwater control FWCS Feedwater control system G Green GOI General Operating Instructions H High H/L High/low HCU Hydraulic control unit HCV Hand control valve HEP Human error probabi:lity HPCI .High pressure coolant injection HPCS High pressure core spray HPI High pressure injection HS Handswitch HSS High speed stop jjVAC Heating, ventilation, and airconditioning HX Heat exchanger I6C Instrumentation and control I 6E Inspection and enforcement IMI Instrument Maintenance Instruction INJ Injection IREP Interim Reliability Evaluation Program IRM Intermediate range monitor L Low LA Level alarm LD Low dependence LER Licensee Event Report LIC Level indicating controller LIS Level indicating switch LL Low-low LOCA Loss of coolant accident LOSP Loss of offsite power LPCI Low pressure coolant injection LPI Low pressure injection
LS Limit switch LSS Low speed stop LT Level transmitter M Motor (operated valve)
MCR Main control room MD Moderate dependence MGU Master governor unit MMG Motor generator MMI Mechanical Maintenance Instruction MO Motor operated MOV Motor-operated valve MSC Manual speed control MSI Main steam isolation MSIV Main steam isolation valve MSL Main steam line NA; N/A Not applicable NC Normally closed NMS Neutron monitoring system NO Normally open OI Operating Instructions OL Overload OP Overpressure protection OP(C) Overpressure protection (relief valves closed)
OP(O) Overpressure protection (relief valves open)
PA Pressure alarm PB Pipe break PCIS Primary containment isolation system PCS Power conversion system PCV Pressure control valve PG IREP Procedure Guide PI Pressure indicator PORV Power-operated relief valve PRA Probabilistic risk assessment PS Pressure switch PSCWT Pressure suppression chamber water transfer PT Pressure transmitter PWR Pressurized water reactor Q( ~ ) Unavailability of system in parentheses QA Quality assurance R Red RBCCW Reactor building component cooling water RBEDT Reactor building equipment drain tank RCB Reactor coolant boundary RCIC Reactor core isolation cooling RCS Reactor coolant system RCW Raw cooling water RCWS Raw cooling water system Recirc Recirculation
RFP 'Reactor feed pump RFPT Reactor feed pump turbine RFMPT Reactor feedwater pump turbine RHR Residual heat removal RHRSW Residual heat removal service water RMOV Reactor motor-operated valve RMS Remote manual switch RPS Reactor protection system RPT Recirculation pump trip RS Reactor subcriticality; reactor shutdown; reactor scram RV(C) Relief valve (closed)
RV(0) Relief valve (open)
RWCU Reactor water cleanup RX Reactor S/D Shutdown
'S/RV Safety relief valve s/v 'Safety valve
- SBCS Standby coolant supply
'SBGT Standby gas treatment SCI 'Short-term containment integrity SD-BD Shutdown board
'SDV Scram discharge volume SIV Scram instrument volume SJAE Steam jet air ejector SLCS Standby liquid control system SORV Stuck-open relief valve SRM Source range monitor TA Temperature alarm TCV Turbine control valve TD Time delay TDC Time delay contact TDPU Time delay pickup TE Temperature element TIP Traversing in-core probe TMI Three Mile Island TR Temperature recorder Trans Transient TS Technical Specifications; torque switch TVA Tennessee Valley Authority UV Undervoltage V Volts VB Vacuum breaker VO Valve open VS Vapor suppression VSS Vapor suppression system VMI Vessel water inventory An insi'gnificant quantity, generally less than 10
'C-x
INTERIM RELIABILITY EVALUATION PROGRAM:
ANALYSIS OF THE BROWNS FERRY, UNIT 1, NUCLEAR PLANT APPENDIX C SEQUENCE QUANTIFICATION
- 1. APPROACH The purpose of Appendix C is to describe the method used to quantify the accident sequences defined in Appendix A that result in a core melt.
The basic approach to calculate a sequence frequency is to multiply the probabilities associated with the various events depicted in the accident sequence. That is, the frequency of the sequence is equal to the frequency of the initiating event multiplied times the probability of system (or sys-tems) failure. Sequence quantification was based on the systemic event trees for LOCAs and transients. For each system, the unavailability was calculated from the fault trees using the Reliability Analysis System (RAS) computer code. System minimal cut sets of order five or more and having a probability value less than 10 were truncated.
Dependencies were incorporated in the risk analysis at various stages.
During event tree formulation, functional dependencies between the various accident mitigating systems were depicted in the accident sequence con-struction. The fault trees for the front-line systems were constructed considering potential interface dependencies such as human error, test and maintenance, and support systems. Finally, in the event tree quantifica-tion system fault trees were reduced by Boolean techniques using the COMCAN code to pinpoint any further common dependencies between systems.
The potential for recovery was considered for those sequences where the dominant contributors to sequence frequency were recoverable.
I 1.1 S stem Unavailabilities Each front-line and support system fault tree was evaluated using the RAS computer code. The RAS code resolves the fault tree into its minimal cut sets and evaluates the system unavailability based on the failure data associated with the basic events. RAS calculates a time dependent unavail-ability that was specified for this analysis as 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The analysis con-sidered stable hot shutdown as successful core cooling. After discussion with TVA personnel, the time limit of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> was chosen as a reasonable limit for reaching stable hot shutdown conditions.
The RAS code calculates component unavailabilities based on the failure rate data. Failure rates may be entered either as demand rates or hourly rates.
1.1.1 Demand Failure Probabilities Standby safety systems are characterized by having many components that are required to change state when the system is demanded. The RAS computer code treats the demand failure probabilities for these components as a con-stant unavailability. That is, these values are unaffected by the length of time the system is required to operate (8-hour mission time as noted C-l
above). However, it is possible that these components could have been tested, found to be failed, and undergoing repair at the time the accident or transient places the demand for the component. This unscheduled main-tenance contribution to the unavailability of the component (and therefore, system) is negligible compared with demand failures when the component repair time is small compared to the testing interval. This is shown as follows:
Q
= (unavailability on demand) + (unavailability due to unscheduled maintenance)
+ D R=Q (1+ T/T),
T where QD
= demand unavailability T = testing interval TR = repair time.
If TR << T, then Q
=
QD (1 + 0)
= QD ~
A review of Browns Ferry component data shows that this is the case.
Typically, TR is less than 3 days and T is 1 month. Thus, the unscheduled maintenance contribution at Browns Ferry is negligible for demand failures.
1.1.2 Time-De endent Failure Probabilities Some of the failure modes considered for components of standby safety systems are characterized as "fails to continue to run/operate given the initial demand on the component was successful." The RAS computer code calculates a time-dependent unreliability (ATm) for these component failure modes based on the mission time; that is, the component is required to work for the length of the mission (Tm). Since the operability of the component is known at essentially mission time zero (given that the demand was successful), it is not necessary to consider any unavailability contribution due to unscheduled maintenance.
However, for components with failure rates (X) given per hour, where it is not known at mission time zero if the unavailability component is in a failed state, it is necessary to determine the component manually based on this point estimate the testing interval and repair time and then to enter as a constant unavailability to the RAS code.
The unavailability for these components depends primarily on the time to detect faults, which depends on their testing interval (T). Assuming that the accident or transient is equally likely to occur at any time during C-2
the testing interval results in an average value for the component unavail-ability of XT/2. The time to detect failures was based on the testing frequencies in the surveillance procedures associated with the components of the system being modeled. For example, if the surveillance procedures for a certain system required a system flow check be performed once per month, then this test frequency was used to determine the time to detect failures associated with the pump in that system.
addition to this average unavailability over the testing interval, it is Innecessary to account for the component unavailability due to unsched-uled maintenance. That is, for components with hourly failure rates where it is not known at mission time zero if it is in a failedthe state, a modifica-tion to the unavailability must be made to account for fact that the component may be undergoing repair at mission time zero due to a fault that occurred within the span of mission time zero minus the component repair time.
Correction to the unavailability is made in the following manner. The probability of the component entering a failed state during any testing interval is estimated as XT, where T is the testing interval. The main-tenance unavailability during any testing interval equals the probability of being in a down state times the fraction of the interval during which the component is in repair. This fraction is the repair time TR divided by the testing interval T. Thus, the unavailability due to unscheduled maintenance is (XT)(TR/T), which equals XTR. The unavailability for these components is modified by adding this factor to the previously calculated fault detection based value. This combined value is entered into the RAS code as a constant unavailability.
Q
= (average unavailability over testing interval)
+ (unavailability due to unscheduled maintenance)
XT/2 + XTR
= X(T/2 + TR) .
Repair times were taken from Table III 5-2 of WASH-1400" for pumps, valves, diesels, and instrumentation. Electrical components (other than diesels) were assumed to have the same repair rate as that shown for instrumentation (7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />). Table C-l summarizes the treatment of component unavailabilities used for system quantification.
1.2 Treatment of Commonalities Wherever possible, the RAS code was used to evaluate the unavailability of combinations of systems. However, due to the complexity of the indivi-dual system fault trees, computer core space, and processing time limita-tions, this method was not viable for some system combinations and the following approach was used.
1.2.1 Use of COMCAN The unavailability of two systems in an AND logic configuration is equal to the product of the individual unavailabilities if the cut sets for C-3
TABLE,C-l'. COMPONENT UNAVATLABIZiITIES Unavailability without'nschedul'ed Unscheduled F Failure Mode Maintenance ina1'ails to. start/operate when QD-, QDTR/T, QDx requi'red Fails; to continue to run/ >Tm. None'Tm, operate;., given- start Fails t'o>> run/operate XT/2 XTR (T/2'+
successful'tart not given TR)'D demand" unavailability" TR repair time T'L testing interval Tm mission time TR ((
the two systems are independent. If dependent cut sets exist, then the unavailability of the combined systems equals the product of the independent cut. sets plus the value of the dependent sets. Equations (Cl) and (C2) apply.
Q(A A B) = Q(A)Q(B), if A and B are independent (Cl)
Q(A A B) = Q(AI)Q(BI) + Q(D), if A and B are dependent, (C2) since Q(A) Q(AZ) + Q(D)
Q(B) Q(BI) + Q(D),
where Q(AI) = unavailability of cut sets in A independent of B Q(BI) = unavailability of cut sets in B independent of A Q(D) = unavailability of dependent cut sets in both.
To calculate the unavailability of the dependent cut sets for the two systems, the COMCAN code was used to identify the commonalities between the systems. The COMCAN code does not quantify the commonalities, but identi-fies those combinations of similar events which can cause both systems to fail.
C-4
The fault tree models for the systems evaluated on COMCAN were modified so that the first three characters in the eight-character code for each support system were the same (SUP). This allowed COMCAN to identify all combinations of support systems that could cause both systems to fail.
COMCAN also identified, based on the first three characters in the eight-digit code, all combinations of similar basic events (i.e., those with the same three characters) that could cause both systems to fail. These cut sets were then evaluated manually or using RAS.
The unavailability of the potentially dependent cut sets identified by COMCAN were compared to the unavailability of the systems assuming independ-ence. If the unavailability of these common sets was at least two orders of magnitude less than the unavailability of both systems assuming independ-ence, then the unavailability assuming independence was used. If the unavailability of the common sets was less than two orders of magnitude smaller than the unavailability assuming independence, the sum of the two was used to represent the unavailability of the two system combination.
Equations (C3) through (C5) apply.
Q(A A B) = Q(A )Q(BI ) + Q(D). (C3)
I If Q(D) << Q(A)Q(B), then Q A B = Q A Q B = Q A Q B (ca)
If Q(D) >
100 then Q(A A B) Q(AI)Q(BI) + Q(D) ol Q(A)Q(B) + Q(D). (c5)
Note that the product of Q(A)Q(B) is always greater than or equal to Q(AI)Q(BI). No attempt was made to determine Q(AI) or Q(BI).
Instead, the minimal conservatism caused by using Q(A) and Q(B) in the equations for finding Q(A A B) was not significant enough to justify the time and expense of calculating Q(AI) or Q(BI) (by removing Q(D) from the fault trees for A and B and recalculating their unavailabilities using RAS).
1.2.2 Treatment of Commonalities Not Found Usin COMCAN A potential problem involved with using COMCAN in this manner to cal-culate the unavailability of two systems is that only those cut sets that are combinations of events with the same first three characters in their code identifier are identified. Although COMCAN has other uses, this analysis used the code only in one mode of operation as described before.
Therefore, if a cut set X exists in System A and a cut set XY exists in System B where the first three characters of the basic event Y are different from those in X, COMCAN will not identify either cut set as a potential common candidate. Although X and XY are not the same cut set and are thus only partially dependent, the dependence that comes from X having an effect on both systems must be accounted. Equations (C6) through (C9) apply to this situation.
C-5
Let Q(A) = Q(A ) + COM(A A B) + Q('X), and (c6)
Q(B) = Q(BI) + COM(A I"l B) + Q(XY),
(c7)'here Q(AZ) and Q(BI) are defined as befo're COM(A A B) = unavailability of commonalities found using COMCAN Q(X) unavailability of a cut set in A Q(XY) unavailability of' cut:- set in B;,
then B Q AI Q BI COM A + B Q XY (cs)'C9) but using COMCAN as previously described only produces Q(A A B) = Q(A')Q(B) + COM(A'A B).
The problem of identifying all the X,XY combinations possible between two systems at this point is impractical. Therefore, a numerical bounding analysis was used to determine whether or not such a combination, if it existed, would have a value large enough to cause a significant nonconserv--
ative error in the evaluation of Q(A A B) previously discussed.
In order for the X,XY combination to be important, the unavailability Q(XY) must be on the same order of magnitude as Q(A A B) previously calcu-lated. The RAS code lists cut set probabilities in descending order of magnitude such that the unavailability of the first cut set listed is always greater than or equal to that of the second cut set listed.
Equations (C10) and (Cll) apply.
From RAS, Q(A) Q(A1) + Q(A2 + ' . + Q(A ), (C10) where Q(A1) Q(A2) Q(A ) (Cll)
Therefore, the highest valued cut set for Systems A and B is readily identified and hereafter identified as AT or BT. Thus, if the X,XY combination exists, Q(X) < Q(AT) and Q(XY) < Q(BT) ~
Assuming that the X,XY combination exists and that the unavailability Q(XY) is greater than or equal to one tenth of the value of Q(A A B) calcu-lated previously, a lower bound on the value of Y can be determined.
Equations (C12) through (C19) apply.
C-6
Q(A R B) (C12)
Q(XY) >
Q (A ) > Q(X), (C13) then Q(A Y) > Q(XY). (C14)
Therefore, Q(A Y) > Q(XY) > , or (C15) 10 Q(A R B) (C16)
Q(P Y) >
But Q(A Y) = Q(A )Q(Y) (C17) since they are independent.
Thus, Q(AT)Q(Y) >
10, and (C18)
> Q(A R B) (C19)
Q(Y) 10'Q(Q)
Using this lower bound for Q(Y), the basic event list for System B is searched to see if any basic events exist in B with unavailabilities greater than Q(Y). If not, then there can not exist any X,XY combinations whose unavailability Q(XY) is significant compared to Q(A R B).
If there are basic events in B that have unavailabilities greater than Q(Y), a list of these events is made. Then the cut set list of System B is examined. Each cut set containing a basic event from the list is examined to see if its comembers appear as cut sets of A. If not, then no X,XY com-binations of significance exist. If the comembers are cut sets of A by themselves, then the value of that XY type cut set is added to the pre-viously calculated value of Q(A R.B). The process is then repeated to determine if any X,XY combinations exist where X is in System B and XY is in A.
It should be noted that this method will detect dependencies not found using COMCAN that are within one order of magnitude of the value of Q(A R B). Dependencies with values less than Q(A R B)/10 may not be located. The choice for Q(A R B)/10 as a bounding value is an arbitrary C-7
one based on engineering judgement and familiarity with the systems. The bounding value could be chosen as Q(A A B)/100 or Q(A A B)/1000 if desired.
The latter choices merely expand 'the scope of the manual search of the sys-tem cut set lists. The method described above is conservative, however, because: Q(AT) is an upper bound for the unavailability of potential cut sets X of A completely contained in cut sets of B; and an examination of the Browns Ferry cut set lists, for cases where this issue applies, shows that Q(AT) is always several orders of magnitude greater than the highest-valued unavailability of a cut set in A containing any basic events that are also in B.
1.3 Treatment of Com lement or Success Sets It is necessary in sequence quantification to account for the effect of success of one system in an AND combination with failure of another.
Since the RAS code does not deal with complement or success sets, they were treated in the following manner. If the systems are totally independent then Equation (C20) applies.
Q(A AIB) = Q(A)Q(B), (C20) where A designates success for A.
If there are common cut sets between A and B, then Equations (C21) and (C22) apply.
(AAP)Q(A)Q(BZ) (C21)
Q(A A B) = Q(A) (Q(B) COM(AAB)]$ (C22)
, where COM(A A B) = value of common cut sets of A and B Q(BI) value of cut sets of B independent of A.
A screening tool used in the sequence quantification determines when potential commonalities of significance may exist. If Q(B) >> Q(A), then even if all of A is assumed to be common with B, Q(B) is still essentially equal to Q(BI). If Q(B) < Q(A), then a COMCAN search is used to identify the potential commonalities. If the unavailability of the commonalities COM(A A B) is much less than Q(B), then again Q(B) is essentially equal to Q(B ). Otherwise, Q(B ) is calculated by subtracting COM(A A B) from Q(B).
I I Also, since Q(A) equals 1 Q(A) and Q(A) is usually small, Q(A) = 1 in most cases. Therefore, Equation (C23) applies.
Q(A A B) -" Q(B) COM(A A B). (C23)
C-8
Therefore, success sets, or complements, are accounted for by either
-recognizing the nonsignificant potential impact or by evaluating the known commonalities for significance and including their effect where appropriate.
1.4 Treatment of Initiator Effects on Miti ating Systems Some of the LOCA initiators have the potential to render LOCA mitiga-tion systems partially or completely inoperable. To account for this possibility in the sequence calculations, the following procedure was used.
If a LOCA initiator could disable a mitigating system, the length of piping for the mitigating system susceptible to that LOCA was calculated using TVA supplied isometric drawings. Then, the total length of piping susceptible to that initiator was calculated. It was assumed that for a particular break size, the LOCA was equally likely to occur at any point on the piping susceptible to the LOCA. The unavailability of the mitigating systems was calculated considering the initiator affecting the system and then without considering the effect of the initiator. Therefore, the sequence frequency is the sum of two terms. The first term is the product of the probability of a break occurring in a location that affects the mitigating systems and the unavailabilities of those systems. The second term is the product of the probability of the break occurring in a location that does not affect the mitigating systems and the unavailability of those systems under that condition. The example calculation in Section 2 provides an example of this method.
For transient initiators, Section 2.3.2 of Appendix A describes the methodology for identifying potential transient initiators that would affect the unavailabilities of the mitigating systems. Only the loss of offsite power (LOSP) event was significant in this regard. A separate event tree exists for this particular initiator.
1.5 Treatment of Potential Lo ic Loo s A potential problem in the quantification of TPRERA, as well as the other sequences involving loss of offsite power (TPQRERA and TPKRERA),
is the presence of loop dependencies. That is, the EECW system requires electrical power in order to function. Given a loss of offsite power, this power must come from the diesel generators. However, the diesel generators need EECW or they will eventually fail.
This problem was resolved by recognizing three important considera-tions. First, the diesels can operate for some finite time without rated flow from the EECW system. Second, the diesels that supply EECW are not all the same as those supplying power to other mitigating systems.and EECW Figure C-1 shows the power dependencies between the RHR, RHRSW, systems. Third, EECW represents a common mode failure not only of the diesel generators but all AC powered mitigating involving loss of offsite power systems'herefore, quantification of sequences requires a special process. First, the unavailability of EECW is calculated assuming that diesel failures are not caused by loss of EECW. In other words, EECW does not cause its own failure. Then, the mitigating are calculated assuming successful EECW operation. This systems'navailabilities C-9
River River River River To Unit 1 To Unit 1 MOV MOV To Unit 1 MOV reactor vessel reactor vessel reactor vessel I RHR RHR f I RHR A Pump 1A Pump 18 8 Pump 1C Pump 10 C
HX HX MOV HX SBCS EECW Unit 2 EECW Unit 2 EECW north header south header Unit 2 HX south header HX Unit 3 Unit 3 MOV HX Unit 3 HX HX T
1 I I EECW RHRSW EECW RHRSW EECW RHRSW EECW RHRSW Pump Pumps I Pump Pumps Pump Pumps Pump Pumps A3 A1 A2 I 83 81 82 C3 C1 C2 D3 D1 D2 I
n I
I I (
I I
I I I
I I
DG DG DG DG DG DG DG DG A 8 C D 3A 38 3C 30 Units 1 and 2 diesel generators Unit 3 diesel generators tNEL21442 Figure C-1. RHR/RHRSW/EECW system power dependencies.
value added to the EECW unavailability represents the total system -unavail-ability. That is, the system unavailability can be dichotomized into the unavailability due to EECW faults and the unavailability assuming EECW works. When considering the case where two or more AC systems must fail, the EECW unavailability is treated as a common mode failure of both AC sys-tems. Thus, for a general sequence, the frequency is given by the following equations.
F(seq) = F(LOSP)[Q(DC powered systems) A Q(AC powered systems)]
F(LOSP)Q(DC systems)[Q(AC systems given EECW works)'U Q(EECW)]
F(LOSP)Q(DC systems)Q(AC systems given EECW works)
+ F(LOSP)Q(DC systems)Q(EECW).
In general, the unavailability of EECW was about an order of magnitude higher than the unavailability of the combinations of AC powered systems.
Therefore, these sequences tended to be dominated, at least in part, by EECW faults.
- 2. EXAMPLE CALCULATION The intermediate steam break was chosen for this example calculation since its sequence quantification requires the use of all the methods described previously. All of the intermediate steam break sequences are evaluated in this example. Figure C-2 is the systemic event tree for the intermediate steam break with the system and sequence values filled in.
2.1 Initiator Frequenc The intermediate steam break frequency was determined,to be 2.1 x 10 per reactor-year. Since 70% of all piping susceptible to intermediate breaks is steam piping, the remaining 30% of the piping would cause an intermediate liquid break if it ruptured. The WASH-1400 frequency of x3 10 4 per reactor-year was used as the frequency of all intermedi-,
ate breaks. Assuming that an intermediate break was equally likely to occur at any point in the piping susceptible to intermediate breaks, the. frequency of intermediate steam breaks .would -be 70% of 3 x 10 , or 2.1 x 10 per reactor-year.
2..2 Exam le S stem 'Unavailabilities 2.2.1 Reactor Subcriticalit
'The unavailability for the-reactor subcriticality function was taken from NUREG-0460 to.be 3 x 10 per demand. A qualitative model was developed (in Appendix B, Section 2.9.4) for the control rod drive mechanism but was not quantified since insufficient data exists for estimating the occurrence .rate for common mode failures identified in the model.
2.2.2 Vapor Sup ression System Short-term containment integrity (SCI) is maintained and containment overpressurization is prevented by directing the steam from the break through the downcomer piping to a position below the water level of the torus. This action condenses the steam formed and provides a "scrubbing" effect to trap radioactivity from the steam in the torus water rather than allowing it to remain airborne. Failure of the vapor suppression system will result in a containment rupture and a release of radioactivity. The amount of radioactivity released depends on the performance of the ECI and DHR systems.
Bypass leakage from the drywell to the airspace of the wetwell could pressurize the wetwell airspace to the same pressure as the drywell, pre-venting the pressure differential required to force the steam through the downcomer piping into the pool of water in the suppression chamber (torus).
Therefore, the quenching and scrubbing features will not be accomplished and overpressurization will result. The RAS code was used to evaluate the vapor suppression system unavailability from the fault tree given in Appendix B, Section 2.8.4, and the value 3.7 x 10 was obtained. Dominat cut sets are listed in Table B-53 of Appendix B.
- G-,12
X = Function failure PB RS SCI ECI DHR S E D LOCA CRD VS PIPCI ~1CS Loo I LPCI Torus Clg ~S/D Cl Sequence Sequence C C H Remarks ly B C FB ~D ~B A Designator Frequency(t) I I R Break Size (ft ): 0.12 to 1.4 Core cooled Core cooled
~Le end:
SID = Shutdown 2 x 10 x 10 Slow melt 3.1 x 10 IVRBRA 1.6 Clg = Cooling From transient
-~ Core cooled Core cooled systemic 2 x 10 4.5 x 10 Slow melt event trees 0.065 3.1 x 10 V BRA Core cooled (Figures C.g, C-10, and C-11) Core cooled 2x10 <<1.0 X 10 -8 X Slow melt 6.66 x 10 4 3.1 x 10 'V FARBRA 4
lyDFBGD <<1.0 x 10 8 X NIA Melt 1.1x10 Core cooled Core cooled 1.3x10 8 Slow melt lyCRBRA 4 Core cooled 2.1 x 10 4 (2) Core cooled 3.7 x 10 8
lyCDRBRA 1.3x 10 Slow melt Core cooled Core cooled lyCDFBRBRA 1.3 x 10 X Slow melt lyCDFBGD 13x10 8 X NIA Melt 3 x 10 lyB 6.3 x 10 NIA NIA Melt 3.7 x 1 ly BC <<1.0 x 10-8 NIA NIA Melt (1) Sequence values include contributions from system commonalities, but INEL 2 1748 do not Include operator recovery actions.
(2) Conditional probability of torus failure gives VS failure~0.162.
Figure C-2. LOCA systemic event tree for intermediate steam break (IV), with system and sequence values filled in.
2.2.3 Emer enc Coolin Durin In'ection There are three systems available to mitigate the intermediate liquid break. These are the HPCI, core spray, and LPCI systems. The designations for these systems for the systemic event trees are D, FB, and GD, respectively. Table C-2 lists each system, its failure criteria, the unavailability for each calculated by the RAS code, and Appendix B tables for lists of dominant cut sets. Operation of any of these three systems is sufficient to perform the ECI function.
TABLE C-2. INTERMEDIATE STEAM BREAK ECI CRITERIA Appendix B Dominant Cut Set System Table Designation Failure Criteria Unavailabilit Number D HPCI fails to inject rated flow 6.5 x 10-2 B-33 to core FB Less than one of two core spray 6.6 x 10 4 B-47 loops delivers rated flow to core GD Less than one of four LPCI 1.1 x 10"4 B-17 pumps delivers rated flow to B-18 core 2.2.4 Deca Heat Removal There is only one system that performs the DHR function, the RHR sys-tem. However there are two modes of RHR used to mitigate the intermediate liquid break: torus cooling (RB) and shutdown cooling (RA). Either torus cooling or shutdown cooling must operate to remove decay heat from the reactor to prevent containment overpressurization and eventual core melt.
Table C-3 summarizes the failure criteria for each mode of RHR opera-tion and presents Appendix B dominant contributor tables, and the unavail-ability from the RAS code for each. It is noteworthy that, although RA only requires one of four pumps and heat exchangers where RB requires two of four, the unavailability of RA is significantly higher than that of R~. This is because shutdown cooling (RA) uses a single suction line with three MOVs, whereas torus cooling (RB) uses a double suction line with no valves required to change position.
'6-14
TABLE C-3. DECAY HEAT REMOVAL FAILURE CRITERIA Appendix B Dominant Cut Set System Table Designation Failure Criteria Unavailabilit Number RA Less than one of four pump and 2.0 x 10 2 B-19 heat exchanger combinations B-20 recirculating reactor coolant RB Less than two of four pump and 3.1 x 10 B-2 1 heat exchanger combinations recirculating torus water 2.3 Sequence Calculations There are 10 core melt sequences on the intermediate steam break sys-temic event tree. Six sequences involve failure of the DHR function, two involve failure of the reactor subcriticality function, and two involve failure of the ECI function. The sequences are designated by the initiating event letter code, IV, and the system(s) failure code associated with the particular sequence.
2.3.1 Sequence IVRBRA In this sequence the reactor subcriticality, vapor suppression, and HPCI systems perform satisfactorily, but the torus cooling and shutdown cooling modes of the RHR system fail. The unavailability of torus cooling and shutdown cooling for this sequence is 7.6 x 10 as shown below.
Q(RBRA) = Q(B A C nDn RB n RA)
= Q(RB A COM[RB A RA) RAA(B U CUD) ]
Q(R A R ) COM(R B A R A B) COM(R B A R A C) COM(R A R A
A D)
A A A Q(R B AR) A 0-0
= (3.1 x 10 )(2.0 x 10 ) + 1.4 x 10
= 7.6 x 10 C-15
The term COM((RBA Rg A (B U C U D)] accounts for success of the systems preceeding RB A R~ precluding some failure modes of RB A R~.
In this case, they are negligible. The term COM(RB A R~) accounts for commonalities between RB and R~. These commonalities were identified using the methods of Section 1.2 above. Three dominant cut set tables in Appendix B (Tables B-19 through B-21) apply to the RHR system (two tables for two loops of Rg and one table for RB). However, cut sets that simultaneously fail all three systems cannot be readily identified from these tables. Rather, a case-by-case examination of potential commonalities flagged by COMCAN runs was required. The results showed that commonalities between RB and Rp are primarily due to minimum-flow bypass valve faults.
Since the initiator has no effect on torus cooling or shutdown cooling, the sequence frequency is equal to the product of the initiator frequency and the systems unavailability:
P(I R R ) = F(I ) Q(R R )
= (2.1 x 10 )(7.6 x 10 )
-8 1.6 x 10 2.3.2 Sequence IVDRBRA This sequence is similar to the previous one, but in this sequence the HPCI system fails. The core spray system operates to replace the lost reac" tor coolant. Subsequently, torus cooling and shutdown cooling fail. The -6 unavailability for HPCI, torus cooling and shutdown cooling is 4.9 x 10 as shown below.
Q(DR R ) = Q (B A C A D A FB A R A R~)
Q(DA R B
A R~) COM(DA R A R A (B UC UFB)]
= Q(D A R A R ) 0
= Q(D) Q(R A R ) + COM (D A R A R )
(0.065)(7.6 x 10 ) + 0
=
-6 4.9 x 10 The term COM{(D A RB A R~ A (B U C U FB)] accounts for the success of the reactor subcriticality, vapor suppression, or core spray systems precluding some failure modes of D A RB A R~. In this case, they are negligible. The term COM(D A RBA R<) accounts for commonalities between the HPCI system and RB A R~. These are also negligible.
Unlike the previous sequence, the initiator can affect the mitigating systems for this sequence since 23.2/ of the piping susceptible to inter-mediate steam breaks is HPCI piping. The first term in the equation below, 0.232 F(ly)Q(RBRA), represents the frequency when the break is on the HPCI line. Note that D does not appear in this term since it is assumed that the break disables HPCI. The term 0.768F(I~)Q(DRBRA) represents the sequence frequency for intermediate steam breaks that do not affect HPCI operability.
P(I DR R ) = 0.232 F(I~) Q(R RA) + 0.768 F(I ) Q(DR R )
= (0.232)(2.1 x 10 )(7.6 x 10 ) + (0.768)(2.1 x 10 )(4.9 x 10 )
= 3.7 x 10 + 8.0 x 10
= 4.5 x 10 2.3.3 Sequence IyDFBRBRA After successful operation of the reactor subcriticality and vapor suppression systems, both the HPCI and core spray systems fail. The LPCI mode of RHR functions properly but torus cooling and shutdown cooling fail. The unavailability for the mitigating systems for this sequence is negligible as shown below.
Q(DFBRBRA Q(B ACA D A FB A GD A RB A RA
= Q(DA F B
A R B
A RA)
COM[DA FB ARBA RA A(B UC UGD))
COM(DA FBA R A RAA B)
B B coM(D A F B
n R B
A R A c)
COM (D n F B
n R B
n RA n G,)
= Q(D A F B
A R B
A R A
) COM(D n F B
A R B
AR AG ) 0 0
= Q(D) Q(FB B
-COM(DAF A R AR AG )
= Q(D) Q(F ) Q(R A R A) + 0 COM(D A F A R A R A G ).
B B The term COM[D n FB A RB A RA A (B U C U GD)] accounts for success of the reactor subcriticality, vapor suppression, or LPCI mode of RHR precluding some failure modes of D A FB A RB A RA. In this case the contribution from reactor subcriticality or vapor suppression is negligible.
However, the success of the LPCI mode precludes the dominant contributors to failure of RB A R~. Therefore, the value of Q(DFBRBRp,) is much less than the 3.9 x 10 9 value obtained by ignoring the success of the LPCI mode.
r Since the initiator frequency for this sequence is 2.1 x 10 4 and the unavailability Q(DFBRBRp,) must be less than 3.9 x 10 , the sequence frequency will be much less than 1.0 x 10 . As discussed later, 1.0 x 10 was chosen as the initial screening value for determining candidate dominant sequences. Since it is obvious that this sequence frequency will be less than 1.0 x 10 , no further quantification is necessary.
2.3.4 Sequence IyDFBGD Following successful reactor subcriticality and vapor suppression sys-tem operation, none of the ECI systems operate to restore reactor vessel water level. The unavailability for the mitigating systems for this sequence is 7.2 x 10 , as shown below.
Q(-DF G ) = Q(B A CA DA F AG )
= Q(D AF A G ) COM[D A F AG A (B U C)J
= Q(DA F A-G ) 0 B D
= Q(D) Q(FBAGD) + COM(D A FB A GD)
= Q(D) Q(F A G ) + 0
= Q(D) 'Q'FB GD
+ COM FB A GD (0.065)(7.3 x 10 + 3.4 x 10
-9 7.2 x 10 The term COM[D A FB A GD A (B U C)j accounts for success of either reactor subcriticality or vapor suppression precluding some failure modes of D A FB A GD. In this case they are negligible. The term COM(D A Fq A GD) accounts for commonalities between the HPCI system and the combination of FB A GD. The term COM(FB A GD) accounts for commonalities between FB A GD that are primarily due to combinations of electric power faults.
In this sequence also, the initiator can effect the mitigating systems since 23.2% of piping susceptible to intermediate steam breaks is HPCI piping and 3.8% is core spray piping. The term 0.232 Q(FBGD) accounts for that percentage of breaks that disables HPCI. Therefore, D does not appear in this term. The next term, 0.038 Q(DFB'GD), accounts for those breaks that disable one core spray loop. The term FB'epresents the unavailability of the remaining loop; its probability is less than that
of FE since there are no longer two loops available in this case. The last term, 0.730 Q(DFEGD), accounts for breaks not occurring on any of the mitigating systems. As with the previous sequence, this sequence is designated as having a frequency less than 1 x 10 P(I DF G ) = F(I )[0.232 Q(F G ) + 0.038 Q(DF 'G ) + 0.730 Q(DF G ))
(2.1 x 10 )[(0.232)(l.l x 10 ) + (0.038)(0.065)(5.7 x 10 )
+ 0.730 (7.2 x 10 )]
(2.1 x 10 )(2.6 x 10 + 1.4 x 10 + 5.3 x 10 )
(2.1 x 10 )(4.5 x 10 )
-8 1 x 10
- 2. 3. 5 Sequences IycRHRA, IycDRgRA, IqcDFpRERA, and IycDFHGD These sequences are identical to the four sequences just discussed except that the vapor suppression system fails to operate properly and over-pressurization of the containment occurs. Overpressurization causes the containment to rupture. This could impact the ability of the ECI and DHR functions if the rupture occurs below the water line of the torus. Assuming that the break is equally likely to occur anywhere on the primary contain-ment boundary, the probability of the break occurring below the torus water line is equal to the ratio of surface area of the containment below the water line to the total surface area (about 0.162). Therefore, the unavail-ability of the ECI and DHR systems given vapor suppression system failure is 0.162 + 0.838 (the unavailability for those systems from the vapor sup-pression system success sequences). In each case, the dominant contributor to ECI or DHR failure is where the rupture occurs below the torus water line. Thus, the unavailability of the mitigating systems for these sequences are equal and have a value of 6.0 x 10 as shown below. The designator X in this case represents the combination of any of the four previous ECI or DHR systems.
q(cx) = q(i n c n x)
= q(c n x) coH(s n c n x)
= q(c n x) 0
= q(c)(0.162 + 0.838 q(x))
= Q(C)(0.162)
=
-5 6.0 x 10 C-19
Therefore, the sequence frequency for each of these -sequences is equal.
The value of the frequency is the product of the init.iator frequency and the systems unavailability.
P(I CX) = F(I )Q(CX)
(2.1 x 10 )(6.0 x 10 )
-8 1.3 x 10 2.3.6 Sequences IqB and IyBC In both of these sequences, an intermediate steam break .is followed by a failure to scram. While both sequences result in a core melt, they are treated as distinct sequences since the operability of .the ~vapor suppression system can effect the magnitude of the radionuclide release by "scrubbing" some of the fission products prior to containment failure. .The unavailabilities and sequence .frequencies are given below.
Q(B) .Q(B A C)
= Q('B) COM('B~A C)
-5 0 3.0 x 10
-5
=3.0x 10 Q(BC) = Q(B A C)
= Q('B) Q(C) + COM(B A C)
= (3,.0 x 10 )(3.,7 x 10 ) + 0
-8 1.1 x 10 P(T B) = F(I ) Q(B)
(2.1 x 10 )(3.0 x 10 )
=
-9 6.3 x 10 P(I BC) = F(I ) Q(BC)
(2.1 x 10 )(1.1 x 10 )
1.'0 x 10
-8 C-20
- 3. FAILURE DATA 3.1 Com onent Failure Data Each of the failure events identified in the various fault trees and described by the eight-character event-naming code was assigned failure data so that fault tree quantification based on these events could be accomplished.
In general, the recommended data base provided by NRC (Table C-4) was utilized to obtain this failure data. WASH-1400 was the major source of the tabular data. However, in some instances, the WASH-1400 data is sup-plemented by data found in the various LER Data Summary NUREGs. For the Browns Ferry study, the generic WASH-1400 data was applied where appropriate.
Occasionally, a failure rate that corresponded directly to a specific component failure mode could not be determined from the data in Table C-4.
In these cases, other methods were used to determine an acceptable failure rate for the component in question. Table C-5 lists these failure modes and the corresponding failure rates that were used in the BF1 study. Most of these additional failure modes considered could be related to a similar failure mode category in the WASH-1400 data, with three exceptions:
- 1. Rupture disk leakage/rupture failure rates were estimated by using plant-specific data supplied by TVA.
- 2. No data source was available for the probability of heat exchanger or strainer plugging; an estimate of 1.0 x 10 per hour was used for these modes.
- 3. Since many of the motor-operated valves (MOV) and pump control circuits were similar in design, generic probability values were derived for output failure of typical MOV and pump motor control circuits. These values varied depending on whether the circuit was tested or demanded on a monthly or quarterly basis. The auto-initiation logic placing the "demand" on the control circuit was explicitly modeled in every case. The analysis of the generic control circuits can be found in Section 5 of Appendix B.
The repair times for components was taken from Table III 5-2 of WASH-1400, Summary of Major Maintenance Act Duration, for pumps, valves, diesels, and instrumentation. Electrical components (other than diesels) were assumed to have the same repair rate as that shown for instrumentation (7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />).
3.2 Human Error Rates Human errors of omission were included where appropriate in the fault tree models for errors involving test and maintenance, and those involving errors in response to an accident situation. Surveillance and maintenance instructions were reviewed to identify potential human errors during testing or maintenance and are discussed in Appendix B on a system-by-system basis.
Emergency operating instructions were reviewed with regard to potential
TABLE C-4. IREP DATA TABLE 3A AND 3B Mechanical Components (from WASH-1400-, Table III, 4-1) .
Failure Rate Assessed Error Com onent and Failbre Mode ~TB Range Median Factor Pumps (includes driver)
Motor and turbine driven (generic class)
Failure to start on demand Da 3E-4 3E-3 lE-3 3 Failure to run, given start (normal environments) 0 3E-6 3E-4 3E-5 10 Failure to run, given start (extreme, post accident 0 1E-4 1E-2 1E-3 10 environments inside containment)
Failure to run, given start (postaccident; after 0 3E-5 3E-3 3E-4 10 environmental recovery)
Turbine driven pumps Failure to start on demand (failure rates shown are in lE-3 lE-2 3E-3 addition to WASH-1400 values)
Failure to run, given start (failure rates shown aie in 1E-5 lE-4 3E-5 addition to WASH-1400 values)
Valves Motor operated Failure to operate (includes driver) Db 3E-4 3E-3 1E-3 3 Failure to remain open (plug) Dc 3E-5 3E-4 lE-4 3 Failure to remain open (plug) S 1E-7 lE-6 3E-7 3 Rupture S 1E-9 1E"7 1E"8 10 Solenoid operated Failure to operate Db 3E-4 3E-3 lE-3 3 Failure to remain open (plug) D 3E-5 3E-4 lE-4 3 Rupture S 1E-9 lE-7 1E-8 10
TABLE C-4. (continued)
Mechanical Components (from WASH-1400, Table III 4-1)
Failure Rate Assessed Error Com onent and Failure Mode ~Tpe Ran e Median Factor Valves (continued)
Air-fluid operated Failure to operate Db 1E-4 lE-3 3E-4 3 Failure to remain open (plug) D 3E-5 3E-4 lE-4 3 Failure to remain open (plug) S lE-7 lE"6 3E-7 3 Rupture S 1E-9 1E-7 lE-8 10 Check valves Failure to open D 3E"5 3E-4 lE-4 Internal leak (severe) D 1E-7 lE-6 3E-7 3 Rupture S 1E-9 1E-7 1E-8 10 Vacuum valve Failure to operate 1E-5 lE-4 3E-5 Manual valve Failure to operate (failure rates shown are in addition 3E-5 3E-4 lE-4 to WASH-1400 values) lE-4 Failure to remain open (plug) 3E-5 3E-4 3 Rupture lE-9 1E-7 1E-8 10 Primary safety valves (PWR)
Fail to open (failure rates shown are a revision of lE-3 lE-2 3E-3 WASH-1400 values)
TABLE C-4. (continued)
Mechanical Components
( from MASH-1400, Table III 4-1)
Failure Rate Assessed Error Com onent and Failure Mode ~T6 Ran e Nadiaa Factor Valves (continued)
Primary safety valves (PWR) (continued)
Premature open (failure rates shown are a revision of lE-6 1E"5 3E"6 WASH-1400 values)
Failure to reclose (given valve opened) (failure rates Dd 3E-3 3E-2 1E-2 shown are a revision of WASH-1400 values)
Primary safety valves (BWR)
Fail to open ( failure rates shown are a revision of 3E-3 3E-2 lE-2 WASH-1400 values)
Premature open (failure rates shown are a revision of 1E-6 1E-5 3E-6 WASH-1400 values)
Fail to reclose (given valve opened) (failure rates 1E-3 lE-2 3E-3 shown are a revision of WASH-1400 values)
Test valves, flow meters, orifices Failure to remain open (plug) 1E-4 lE-3 3E-4 3 Rupture 1E"9 1E-7 lE-8 10 Pipes Pipes <3-in. diameter (per section)
Rupture/plug S + D 3E-11 3E-8 1E-9 30 Pipe >3-in. diameter (per section)
Rupture/plug S + D 3E"12 3E-9 1E-10 30
TABLE C-4. (continued)
Mechanical Components
( from WASH-1400 Table III 4-1)
Failure Rate Assessed Error Com onent and Failure Mode TVVt8 Ran e Median Factor Clutch, mechanical Failure to operate lE-4 1E-3 3E-4 Scram rods (single)
Failure to insert 3E-5 3E-4 1E-4 Electrical Components (from WASH-1400, Table III 4-2)
Clutch, electrical Failure to operate Da lE-4 lE-3 3E-4 3 Premature disengagement 0 lE-7 1E-5 1E-6 10 Motors, electric Failure to start Da lE-4 1E-3 3E-4 3 Failure to run, given start (normal environment) 0 3E-6 3E-5 lE-5 3 Failure to run, given start (extreme environment) 0 lE-4 1E-2 lE-3 10 Relays Failure to energize Da 3E-5 3E-4 lE-4 Failure of NO contacts to close, given energized 0 1E-7 1E-6 3E-7 Failure of NC contacts by opening, given not energized 0 3E-.8 3E-7 1E-7
TABLE C-4. (continued)
Electrical Components (from WASH-1400, Table III 4"2)
Failure Rate Assessed Error Com onent and Failure Mode ~TB Ran e Median Factor Short across NO/NC contact 0 1E" 9 1E-7 1E-8 10 Coil open 0 1E" 8 1E-6 1E-7 10 Coil short to power 0 1E-9 1E-7 1E-8 10 Circuit breakers Failure to transfer Da 3E"4 3E-3 1E-3 Premature transfer 0 3E-7 3E-6 1E-6 Switches Limit Failure to operate lE-4 1E-3 3E-4 Torque Failure to operate 3E-5 3E-4 1E-4 Pressure Failure to operate 3E-5 3E-4 lE-4 Manual Failure to transfer 3E-6 3E-5 1E-,5
TABLE C-4. (continued)
Electrical Components (from WASH-1400 Table III 4-2)
Failure Rate Assessed Error Com onent and Failure Mode ~T8 Ran e Median Factor Switch contacts Failure of NO contacts to close given switch operation 1E-8 lE"6 lE-7 10 Failure of NC contacts by opening, given no switch 3E-9 3E-7 3E-8 10 operation Short across NO/NC contact 1E-9 1E-7 lE-8 10 Battery power system (wet cell)
Failure to provide proper output 1E-6 lE-5 3E-6 Transformers Open circuit primary or secondary 3E-7 3E-6 lE-6 Short primary to secondary 3E-7 3E-6 1E-6 Solid state devices, high power applications (diodes, transitors, etc.)
Fails to function 0 3E-7 3E-5 3E-6 10 Fails shorted 0 1E-7 lE-5 1E-6 10 Solid state devices, low power applications Fails to function 0 1E" 7 1E-5 lE-6 10 Fails shorted 0 lE-8 lE"6 lE-7 10
TABLE C-4. (continued)
Electrical Components (from WASH-1400, Table III 4-2)
Failure Rate Assessed Error Com onent and Failure Mode ~TB Ran e Median Facto'r Diesels (complete plant)
Failure to start D 1E-2 lE-1 3E-2 3 Failure to run, emergency conditions, given start 0 3E-4 3E-2 3E-3 10 D ie s el s ( engine only)
Failure to run, emergency conditions, given start 0 3E-5 3E-3 3E-4 10 Instrumentation general (includes transmitter, amplifier, and output devices)
Failure to operate 0 lE-7 1E-.5 1E-.6 10 Shift in calibration 0 3E-6 3E-4 3E-5 10 Fuses Failure to open D 3E-6 3E-5 1E-5 Premature open 0 3E-7 3E-6 lE-6 Wires (typical circuits, several joints)
Open circuit 0 lE=.6 lE-5 3E-6 3 Short to ground 0 3E-8 3E-6 3E-7 10 Short to power 0 1E-9 lE-7 lE-8 10
TABLE C-4. (continued)
Terminal boards Open connection 0 1E-8 lE-6 1E-7 10 Short to adjacent circuit 0 1E-9 lE-7 lE-8 10
- a. Demand probabilities are based on the presence of proper input control signals. For turbine driven pumps, the effect of failures of valves, sensors, and other auxiliary hardware may result in significantly higher overall failure rates for turbine driven pump systems.
- b. Demand probabilities are based on presence of proper input control signals.
- c. Plug probabilities are given in demand probability, and per hour rates, since phenomena are generally time dependent; but plugged condition may only be detected upon a demand of the system.
de These rates are based on LERs for Babcock 6 Wilcox pressurizer PORV failure to reseat, given the valve has opened.
Abbreviations:
D = Demand failure rate (failures per demand) 0 = Operating failure rate (failures per hour of operation)
S = Standby failure rate (failures per hour of standby)
S + D = Standby or operating failure rate (failures per hour) ~
TABLE C-"5. COMPONENT DATA NOT AVAILABLE IN TABLE C-4 Failure Unavailability Com onent Mode Calculation Remarks Stop check valve Does not 1 x 1'0 Used check valve .rate open Governor control valve Does not 3x1'04 Used data for air/
operate fluid operated valves Rupture disks Leakage/ 2.1 x 10-2 X = 5.7 x 10 5/hr rupture (based 'on information
'from TVA)
Time-delay .relays Premature 1x104 Used relay failure-close to-energize rate Heat exchanger Plugged 1 x106 Engineering judgement Strainer Plugged lx 106 Engineering judgement
~. MOV control circuit 'No 'output 3.2 x 10 3 Generic rate based on (8.8 x 10 3) monthly testing (quarterly)
Pump control circuit No output 2..9.x 10 3 Generic rate based on (8.4 x 10 3) monthly testing (quarterly) accident scenarios to determine the required human interactions with miti-gating systems in response to the accidents. Section 4.2 of Appendix A describes in more detail these operator response errors.
Initial screening guidelines suggested that human error events in the models be assigned a probability value of 0.1. This proved to be too con-servative and tended to mask significant hardware contributions to system unavailability. Thus, initial screening values were refined on a case-by-case basis using engineering judgement.
For those systems where the reduced human error rates still made a significant contribution to the probability of failure, an explicit human error model was developed based on the procedures found in the Sandia pub-lication, NUREG/CR-1278. It was especially important to create these models for human error events that affected multiple systems. For example, miscalibration of reactor vessel level switches could result in failure of the core standby cooling systems to be auto-initiated when required. These human error models can be found in Section 4 of Appendix B.
C-30
3.3 Recover Factors For the candidate dominant accident sequences, the potential for recovery was considered in the final sequence frequency. To determine recoverability, the dominant contributors to the sequence frequency were examined to determine answers to several questions:
- l. Are the failure modes of the dominant contributors ones that allow for recovery? For example, an initiation fault may be recoverable by having the operator manually starting a system/component, whereas a mechanical failure of a valve may not be recoverable.
- 2. How much time is available to take the recovery action?
- 3. What must be done to repair the fault, and where must the action be taken? The only faults considered recoverable when the time available was less than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> were those where simple action by the operator, such as throwing a switch or pushing a button in the control room, would correct the fault. Local faults recover-able from outside the control room where the recovery time avail-able was more than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> were also considered.
Recoverable faults were requantified by multiplying the fault unavail-ability by the probability of nonrecovery factor. Table C-6 summarizes these factors.
TABLE C-6. NONRECOVERY FACTORS Probability of Time Available to Recover Nonrecover Factor Less than 5 min l. 00 5 to 10 min 0 '5 10 to 20 min 0.10 20 to 30 min 0.05 30 to 60 min 0.03 More than 60 min 0.01 More than 2 hr 0.01 (outside control room)
C-31
- 4. CANDIDATE DOMINANT SEQUENCES 4.1 Introduction Figures C-3 through C-13 are the systemic event trees. As an initial -8 screening tool,only sequences with frequencies greater than 1.0;,x 10 were considered significant. From the systemic event trees listed above, Table C-7 lists by initiating event those sequence frequencies greater than 10 . Table C-8 lists these systemic event tree sequence frequencies in decreasing order of magnitude. Of these sequences, those with frequencies greater than 1.0 x 10 were chosen as the candidate dominant sequences.
Table C-9 lists these sequences along with the sequence initiator, the sys-temic event tree sequence designator, the initial sequence frequency, final sequence frequency after recovery has been considered.
and'he In the following section, the quantification for each candidate dom-inant sequence is discussed. Each candidate sequence is identified by a letter designator representing the initiator (see Table C"10) and a group of letters corresponding to the systems that fail for the sequence. The sequences are also described by a written description that includes the initiator and the system(s) that must fail to cause the sequence to occur.
Each candidate sequence is discussed in terms of what happens, what its initial frequency is, what the dominant contributors are, and what, if any, recovery actions are possible. Where availability of data permits, the sequence frequencies were refined to take into account recovery actions.
For clarification, three tables are provided to assist the reader in understanding how the values for the sequence frequencies were determined.
Table C-ll lists the various front-line systems and their corresponding designators and unavailabilities for various accident conditions.
Appendix B gives the dominant cut sets for each system.
Table C-12 lists the unavailabilities for important combinations of systems. The table lists the independent, commonality, and net unavail-abilities for these combinations. Appendix B contains the dominant cut sets for each system but does not show implicitly the source of commonalities between systems. Table C-13 lists the system combinations of Table C-12 that have significant commonalities and briefly describes the major contributions to each.
4.2 Sequence Evaluation There are 11 candidate dominant accident sequences. Six of these sequences involve failure of the DHR function to remove decay heat, three involve failure to inject water, and two involve failure to scram. All of the candidate dominant sequences involve transient initiators.
4.2.1 Loss of Offsite Power with DHR Failure (TPRBRA)
For this sequence, the LOSP transient results in a reactor scram and the reactor vessel is isolated from the steam system by the main s'team isolation valves (MSIVs). The primary relief valves lift to relieve reactor vessel pressure and reclose when pressure falls below the valve setpoint.
1 PB Rs SCI ECI DHR LOCA Ls CRD B
vs C
2LPCI A
2LpCIdiff GB 4Lpcl GC Torus CI RB S~IDCI RA Sequence Designator Break Size (ft ): 0.3 to 4.3 Leceend:
LSRBRA S/D = Shutdown Clg = Cooling LSGARBRA LsGAGB LSFARBRA LSFAGB LSFAFBRBRA LsFAFBGC LSCRBRA LSCGARBRA LSCGAGB LS AR BRA LsCFAGB LSCFAFBRBRA LS AFB C LSB LSBC INEL 21749 Figure C-3. LOCA systemic event tree for large liquid break, suction-side of recirculation pumps (LS) ~
PB RS SCI ECI PHR LOCA Lp CRD B
VS C
pcs Loo s FA r~cs Loo FB r Loci Go T~orus Cl RB
~S/C Cr RA Sequence Designator Break Size (ft ): 0.3 to 4.3 Lien d: LpRBRA S/D = Shutdown Clg = Cooling LpFARBRA LoFAGo LpFAFB LpCRBRA DFABA LDCFAGD LDCFAFB LpB LpBC INEL 2 1750 Figure C-4. LOCA systemic event tree for large liquid break, discharge-side of recirculation pumps (LD).
PB RS SCI ECI DHR LOCA CRD VS 2 CS Loops 1 CS Loop 1 LPCI 4 LPCI T~orus Cl ~SIC Cl Sequence Ly 8 C FA FB GD GC RB RA Designator Break Size (ft ): 1.4 to 4.1 Legend: LyRBRA SID = Shutdown Clg = Cooling LYFARBRA LUFAGB LyFAFB BRA LVFAFBGC LyCRBRA LVCFARBRA LyCFAGD LVCFAFBRBRA LyCFAFBGC LyB LyBC IN EL 2 1751 Figure C-5. LOCA systemic event tree for large steam break (LV).
CV
+
O o K CC a) O IA CC cCl) tO mO CU O K CC G C CC K (9 K K (9 C) CU CO CV O'n Q) CU Q)
K CU CO IL IL CC O
IL IL IU OOO 0 UI K IL IL CU 0)
Co O O OOO J 0 00 0 0J 0J 0J J J z CU CO O
OK Co 0
CIl a CC O
0 O J Q O
0 ICI u) IL 0
ch)0 Cl 0
AI c
O c O
c U II m
e Ol Ool m J V$ 0
'C-36
PB RS SCI ECI DHR LOCA CRD VS HPCI ~ICB Loo I LPCI Torus Clg ~S/D Cl Sequence ly B C ~D ~B A Designator Break Size (ft2): 0.12 to 1.4
~Le end:
S/0 = Shutdown
'YRBRA Clg = Cooling From transient systemic IYDRBRA event trees (Figures C-9, C-10 and C-11) lyDFARBRA IYDFBGD lyCRBRA IYCDRBRA IYCDFBRBRA IyCDFBGD lyB ly BC INEL 2 1753 Figure C-7. LOCA systemic event tree for intermediate steam break (Iy).
PB RS SCI ECI DHR LOCA CRD VS HPCI AOS 1 CS Loop 1 LPCI Torus Clg SIO Clg Sequence S B C D ~j) ITS Designator Break Size(ft ): Less Than 0.12 Legend:
SRBRA S/D = Shutdown Clg = Cooling SDRBRA SDFBRBRA SDFBGD SDE SCRBRA SCDRBRA SCDFBRBRA SCDFBGD SCDE SB SBC INEL 2 1754 Figure C-8. LOCA systemic event tree for small liquid or steam break (S).
AT RS OP VWI DHR AT RS OP MSI HPI LPI RHR 1 CS Torus SID Trans CRD ~RV 0 RV(C) MSIV RCIC HPCI DEP COND
~LOO 1 LPCI SBCS
~CI 8 J K W GP X ~CI TU F8 RA Sequence
~Le end: Designator SID = Shutdown Clg = Cooling Trans = Transient TURBRA TUQRBRA UQ RB A UQ "BRA TUQDWFBRBRA TUQDWFBGPRBRA TUQDWFBGDX TUQDV TUN TUK LOCA s TUJ TUB INEL 2 1755 Figure C-9. Transient systemic event tree where PCS is unavailable (TU).
AT RS OP VWI DHR AT RS OP MSI HPI LPI RHR 1 CS Torus SID Trans CRD RV(O) RV(C) MSIV RCIC HPCI DEP COND 1 LPCI SBCS
~Loo ~CI ~CI Tp 8 J N Q D W+ FB GD X B A Sequence Designator Legend:
SID = Shutdown Clg = Cooling Trans = Transient TpR BRA
+Probability of W is 1.0 for LOSP TpQRBRA TpQDRBRA TpQDFBRBRA TpQDFBGDRBRA TPQD B D TpQDV TpN TpK LOCAs TpJ TpB INEL 2 1647 Figure C-10. LOSP-induced transient systemic event tree (PCS unavailable) (Tp).
AT RS OP VWI DHR AT RS RPT OP PCS MSI HPI LPI RHR Recirc COND 1CS SBCS orus I Trans
~A CRD B
Pumos- RV(O)
J RV(C)
K PCS P
HPCI D
DEP V W 1LPCI GD X Sequence Designator L~eend:
Recirc = Recirculation S/0 = Shutdown TAPRBRA Clg = Cooling Trans = Transient TAPQRBRP, TAPQDRBRA TAPQDWRBRP TP,PQDWFBRBRA TP,PQDWFBGDRBRP, TP,PQDWF BGDX TAPQDV j
TAPN ) LOCAs TAK TABP TABM INEL 2 1756 Figure C-ll. Transient systemic event tree where PCS is available (TA).
PB RS SCI ECI DHR LOCA CRD VS HPCI ~ICB Loo I LPCI Torus Clg ~S/D Cl ty B C ~D ~B A Sequence Designator Break Size (ft ): 0.12 to 1.4
~Le end:
SID = Shutdown Clg = Cooling TKRBRA TK From transient systemic event trees RBRA TKDFBRBRA TKDFBGP INEL 2 1757 Figure C-12. Transient-induced SORV LOCA systemic event tree (intermediate steam break) (TK).
PB RS SCI ECI DHR LOCA CRD VS HPCl ~ICBLoo ILPCI Torus Clg ~S/D Cl ly B C ~D ~B A Sequence Designator Break Size(ft ): 0.12 to1.4
~Le end:
SID = Shutdown Clg = Cooling TpKRBRA TpK From transient systemic event trees TpKDRBRA TpKDFBRBRA TpKDFBGD INEL 2 1758 Figure C-13. LOSP-induced SORV LOCA systemic event tree (intermediate steam break) (TPK).
TABLE C-7. SEQUENCE FREQUENCIES GREATER THAN 10 BY INITIATOR Sequence Sequence Sequence Sequence Desi nator F~ce uenc Desi nator ~Pre uenc LSRBRA 1.7 x 10 8 TURBRA 1.3 x 10 4 LSFAGB 1.1 x 10 8 VQRBRA 5.5 x 106 TUQDRBRA 2.4 x 10 LDRBRA 6.3 x 10 8 TUQDWFBGDX 4.1 x 10 8 LDFAGD 2.0 x 10-8 TUQDV 9.2 x 10 6 LDFAFB 2.6 x 10 8 TUB 5.1 x 10 5 ILRBRA 1.4 x 10 TpRBRA 1.5 x 10 TpQRBRA 6.2 x 10 IVRBRA 1.6 x 10 8 TpQDRBRA 17x108 IVCRBRA 1.3 x 10 TpQDFBGDX 1.2 x 10 6 IVCDRBRA 1.3 x 10-8 TpQDV 1.7 x 10"7 IVCDFBRBRA 1.3 x 10 8 TpB 9.0 x 10 7 IVCDFBGD 1.3 x 10-8 TAPRBRA 8.9 x 10 7 SRBRA 5.3 x 10 7 TAPQRBRA 3.7 x 10 8 SDRBRA 1.2 x 10 TAPQDWFBGDX 2.8 x 10-8 SCRBRA 6.0 x 10 8 TAPQDV 6' x 10 8 SCDRBRA 6.0 x 10 TABP 3.5 x 10 7 SCDFBRBRA 6.0 x 10 8 TABM 3.7 x 10 6 SCDFBGD 6.0 x 10-8 SCDE 6.0 x 10 8 TKRBRA 1.2 x 10 SB 3.0 x 10 8 TKDRBRA 7 ~ 8'x 10 TKDFBGD 3.9 x 10 7 8 3 x 10 5 TpKRBRA 3.3 x 10 8 TpKDRBRA 2.5 x 10 6 TpKDFBGD C-44
TABLE C-8. SYSTEMIC SEQUENCE FREQUENCIES IN DRCREASING ORDER OF MAGNITUDE Sequence Sequence Sequence Sequence
~Desi nseon Fre uenc Desi nator ~Fiequenc TpRBRA 1.5 x 10 LDRBRA 6.3 x 10 8 TURBRA 1.3 x 10 4 SCRBRA 6.0 x 10-8 TpKRBRA 8.3 x 10 5 SCDRBRA 6.0 x 10 TpQRBRA 6.2 x 10 5 SCDFBRBRA 6.0 x 10 8 TUB 5.1 x 10 SCDFBGD 6.0 x 10-8 TKRBRA 1.2 x 10 5 SCDE 6.0 x 10-8 TUQDV 9.2 x 10 6 TUQDWFBGDX 4 1 x 10 8 TUQRBRA 5.5 x 10-6 TAPQRBRA 3.7 x 10 8 TABM 3.7 x 10 6 TpKDRBRA 33x108 TpKDFBGD 2.5 x 10 6 SB 30x 108 TpQDFBGDX 1.2 x 10 6 TAPQDWFBGDX 2 8x 10-8 TpB 9.0 x 10 7 LDFAFB 2.6 x 10 8 TAPRBRA 8.9 x 10 LDFAGD 20x108 TKDRBRA 7.8 x 10 7 Tp QDRBRA 1.7 x 10"8 SRBRA 5.3 x 10 LSRBRA 1.7 x 10-8 TKDFBGD 3.9 x 10 7 IVRBRA 1.6 x 10-8 TABP 3.5 x 10 IVCRBRA 13x1088 TUQDRBRA 2.4 x 10 7 IVCDRBRA 1.3 x 10 TpQDV 1.7 x 10 IVCDFBRBRA 13x108 ILRBRA 1.4 x 10 7 IVCDFBGD 1.3 x 10-8 SDRBRA 1.2 x 10 LSFAGB 1.1x 10 8 TAPQDV 6.3 x 10-8 c-45
TABLE C-9. CANDIDATE DOMINANT SEQUENCES Se uence Frequence Sequence Sequence Initiator Designator Initial Final Transient-induced LOCAs 1.2 x 10 5 9.3 x 10 TKRBRA LOSP-induced LOCAs TpKRBRA 8.3 x 10 5 1.6 x 10 TpKDFBGD 2.5 x 10 8.7 x 10-8 PCS unavailable TURBRA 1.3 x 10 4 9.7 x 10 5 TUQRBRA 5.5 x 10-6 4.1 x 10"6 TUB 5.1 x 10 5.1 x 10 TUQDV 9.2 x 10 6 5.5 x 10 PCS available TABM 3~7 x 10-6 3.7 x 10 6 1.5 x 10 3 2.8 x 10 LOSP TPRBRA TpQRBRA 6.2 x 10 1.2 x 10-6 TPQDFBGDX 1.2 x 10 6 3.6 x 10-8 C-46
TABLE C-10. INITIATOR DESIGNATORS Frequency Desi nator Initiator ( er reactor-year)
LS Large suction break 9.9 x 10-6 LD Large discharge break 3.9 x 10 5 LV Large steam break 5.2 x 10 IL Intermediate liquid break 9.0 x 10 IV Intermediate steam break 2.1 x 10 4 S Small liquid or steam break 1.0 x 10 TU Transients where PCS is unavailable 1.70 Tp Loss of offsite power transient 3.0 x 10 2 A Transients where PCS is available 1 ~ 68 TK Transient induced SORV 1.63 x 10 1 TPK Loss of offsite power-induced SORV 1.7 x 10 3 Two additional initiators are defined in this table. In each case they represent transient-induced SORVs. The designator TK is used to represent the combined frequency for a SORV from both the PCS available and PCS unavailable transient event trees. The designator K represents a system that is described for both of these cases in Table C-ll. TpK represents the frequency for a SORV from the PCS unavailable transient event tree for only the special case where LOSP was the initiator. Each of these initiators transfer to the intermediate steam break LOCA systemic event tree at the ECI systems branch point. The LOSP transient-induced SORV was treated independently from the PCS unavailable category due to the important dependencies of the mitigating systems on emergency onsite AC power.
TABLE C-11. FRONT-LINE SYSTEMS UNAVAILABILITIES Desi nator S stem S ecial Conditions Unavailability Control rod drive 3.0 x 10 Vapor suppression 3.7 x 10 4 HPCI LOCA initiator 6.5 x 10 2 Transient initiator 4.4 x 10-2 ADS 3.2 x 10 4 FA Core spray Normal power 5.2 x 10-2 (two core spray loops)
C-4 7
TABLE C-ll. (continued)
~Desi nator S stem S ecial Conditions Vnavailabilit FB Core spray Normal power 6.6 x 10 4 (one core spray loop) LOSP 9 ' x 10 4 Steam break on core 2.6 x 10-2 spray pipe GA RHR (LPCI mode) 6.6 x 10 4 (two LPCI pumps in same loop)
GB RHR (LPCI mode) 2.1 x 10-2 (two LPCI pumps, one in each loop)
GC RHR (LPCI mode) 5.0 x 10 (four LPCI pumps)
GD RHR (LPCI mode) Normal power 1.1 x 10 (one LPCI pump) LOSP 2.7 x 10-4 Break on recirculation 1.0 x 10-2 discharge Relief valves (opening) 7.2 x 10 Relief valves (closing) Transients without PCS 5.7 x 10 Transients with PCS 3.9 x 10 2 8.7 x 10 3 Recirculation pumps Main .steam isolation 4.4 x 10 7 valve Power conversion system 7.0 x 10 3 RCIC 4.2 x 10-2 RA RHR (shutdown cooling) Normal power 2.0 x 10-2 LOSP 4.2 x 10-2 Break on recirculation 3.1 x 10-2 discharge RB RHR (torus cooling) Normal power 3.1 x 10 3 LOSP 7.2 x 10 3 Manual depressurization 3.0 x 10 3 Condensate pumps 7 x 10 3 RHR (SBCS mode) Normal power 4.2 x 10-2 LOSP 4.6x10 2 C-.48
TABLE C-12. SYSTEM COMBINATIONS OF IMPORTANCE Unavailabilit Special S stem Combination Conditions Inde endent Common Net Normal power 6.2 x 10 5 1.4 x 10 5 7.6 x 10 5 RAA RB LOSP 3.0 x 10 4 4.9 x 10 2 4.9 x 10 2 recir- 1.6 x 10 3 1.6 x 10 3 Break on C culation discharge GAA GB 1.4 x 10 5 4.2 x 10 4 4.3 x 10 4 FAA GB 1.1 x 10 4.6 x 10 1.1 x 10 FBAGC 3.3 x 10 2.5 x 10 3.6 x 10 FAAGD Break on recir- 5.2 x 10 " 2.4 x 10 5.2 x 10 culation discharge No break 5.7 x 10 6 1.9 x 10-8 5.7 x 10-6 x 10 6 2 3 x 10 6 DAE 2 3 FBAGD Break on recir- 6.6 x 10 6 2.3 x 10 8.9 x 10 6 culation discharge No break 7.3 x 10 8 3.4 x 10 8 1.1 x 10 LOSP 1.5 x 10 2 1 x 10-2 2.2 x 10-2 D AFBAGD No break 7.2 x 10 9 2.4 x 10-6 2.4 x 10-6 Break on recir- 5.8 x 10 s 5.8 x 10 7 culation discharge Break on core 1.9 x 10 1.9 x 10 spray pipe 3 LOSP 1.5 x 10 C 1.5 x 10 QAD Transients 1.8 x 10 3 2.4 x 10-6 1.8 x 10 QADAFBAGD Transients 2.0 x 10-10 2.4 x 10 2.4 x 10"6 QADAV Transients 5.4 x 10 6 5.4 x 10 6 QADAFBAGDAW Transients 1 7 x 10 8 s 1 ~ 7x108 PAW Transients 4.9 x 10 6 7.0 x 10 7.0 x 10 PA QADAV Transients 3.8 x 10 8 3.8 x 10 8 PAQADAFB A GD Transients 1.7 x10 8 17x108 C-49
TABLE C-12. (continued)
Unavailabilit Special System Combination Conditions Net nwnx 2
FBAGDA X LOSP 1.5 x 10 2.1 x 10 2.2 x '10 QADAFBAGDAX LOSP 3.8 x 10 2.4 x 10 4.0 x 10 BAM Transients 2.6 x 10 1.9 x 10 6 2.2 x 10 6 TABLE C-13. COMMONALITIES OF IMPORTANCE Commonalities S stem Combination S ecial Conditions Unavailable Remarks Normal power 1.4 x 10 5 Minimum-flow RAA RB bypass valves LOSP 4.9 x 10 2 Diesel gener-ator and EECW .faults
.GA A GB 4.2 x 10 4 Minimum-flow bypass valves and loop dis-charge valves FA AGB 4.6 x 10 6 Electric power faults FB AGC 2.5 x 10 6 Electric power faults FA AGP Break on recircula- 2.4 x 10 Electric tion discharge power faults No break 1.9 x 10-8 Electric power faults FB AGD Break on recircula- 2.3 x 10-6 Electric tion discharge power faults No break 3.4 x 10 Electric power faults C-50
TABLE C-13. (continued)
Commonalities S stem Combination S ecial Conditions Unavailable Remarks LOSP 2.1 x 10-2 Primarily EECW faults DAFBAGD Transients 2.4 x 10-6 Maintenance QAD Transients error to Q A D A FB A GD Transients level Q A D I"l FB A GD A X LOSP switches PAW Transients 7 x 10 3 Assumed that PCS failure causes con-densate pump failure FB AGDAX LOSP 2.1 x 10-2 Primarily EECW faults BAM Transients 1.9 x 10-6 Reactor pro-tection system common mode failures The operator maintains normal reactor vessel water level using RCIC, a sys-tem that will automatically initiate on low reactor vessel level. Following successful coolant injection, the torus cooling (RB) and shutdown cooling (R~) systems fail. A sustained loss of these systems will result in the inability to provide makeup water to the reactor to replace the inventory lost due to boil off caused by decay heat. A core melt will eventually occur. The initial value for this sequence is 1.5 x 10 per reactor-year based on an initiating frequency of 3 x 10 per reactor-year and an unavailability of 4.9 x 10 for the combination of RB and Rp.
Figure C-14 is the systemic event tree for the LOSP transients The RHR system in either shutdown cooling or torus cooling mode removes the reactor decay heat. The 4.9 x 10 unavailability for RB and Rg is comprised of 2.9 x 10 due to failures of RB and Rp independent of EECW faults and 2.0 x 10 due to EECW faults. The 2.9 x 10 unavailability is dominated by combinations of electric power system unavailabilities due primarily to diesel generator faults. The remaining 2.0 x 10 contribution to DHR failure comes from the unavailability of the EECW system to provide its required cooling given a LOSP. If the EECW fails, all diesel generators will eventually fail and the RHR system will be unavailable. The major contributor to the EECW unavailability is com-binations of two or more diesel generators failing to start. These diesels are not necessarily the same as those that fail Ry and Rp, directly.
Section 1.5 details the procedure for handling thxs type of potential logic
AT RS OP VWI DHR AT RS OP MSI HPI LPI RHR 1 CS Torus SID Trans CRD RV(O) RV(C) MSIV RCIC HPCI DEP COND 1 LPCI SBCS Clg Clg L~oo Tp 8 J K N Q D W+ FB GD RB RA Sequence Designator Legend:
SID = Shutdown Clg = Cooling Trans = Transient TPRBRA
+Probability of W is 1.0 for LOSP TPQRBRA TPQDRBRA TPQDFBRBRA PFBDBA TPQDFBGDX TpQDV TpN LOCAs TpJ TpB INEL 2 1759 Figure C-14. Systemic event tree showing the TpRBRA sequence.
loop. Essentially, the RE and RA unavailability is split into two por-tions, with the unavailability assuming EECW works added to the unavail-ability of EECW. Each of the candidate dominant sequences involving loss of offsite power is treated similarly. Figure C-15 is a sequence evaluation diagram showing the dominant contributors to the unavailability of RE and RA.
Should this sequence occur, the RCIC system providing the VWI function can continue to do so for approximately 6 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> without RHR operation.
This estimate is based on the time it takes to deplete the condensate stor-age tank and to heat the torus water to a temperature that prevents the RCIC system from pumping the water, assuming no containment backpressure. .7 With containment backpressure considered, operation of RCIC can continue for approximately 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> before containment failure occurs, followed by an inability to pump the torus water back to the core.
RBARA fall 4.9x 10 3.0x10 4 4.9x10 Independent Common failures failures 7.2 x 10 42x10 2 2.9x10 2.0 x 10 Electric EECIN RB RA falls falls power falls faults Appendix B, Appendix B, Appendix B, Table B.25 Tables B.23 and B.24 Table B.83 Combination of three dlesels INEL 2 1648 Figure C-15 'ominant contributors to the unavailability of torus cooling and shutdown cooling given LOSP.
C-53
There are several viable recovery considerations available to the operators during this .time period. One is a restoration of offsite power.
If offsite power is restored within the 6 to 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> period, the unavail-ability of the DHR function changes from 2.9 x 10 to 7.6 x 10 Another recovery consideration is the restoration of EECW. The success criteria used in this analysis requires three of the four EECW pumps to operate to provide cooling to all of the EECW loads. Two of four pumps will provide up to 91X of rated flow and would provide the operator with some grace period to restore the lost pumps or valve in spare pumps from the RHRSW system. The operator could also isolate flow to nonessential loads supplied by EECW so that the flow of two pumps would provide suf-ficient cooling. The operator actions to restore EECW fall within the recovery guidelines as discussed previously in Section 3.3. That is, for the time period considered, there is only a 10 probability that the operator will not take corrective action during this time.
From the WASH-1400 data (Figure III 6-4), approximately 97X of all offsite power outages can be repaired in 6 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Using the WASH-1400 restoration figure plus the recovery factor for providing the EECW with sufficient pumping capability, the probability for RE and RA failure is given by:
Q(R R ) = (0.97)[probability of R R failure with LOSP recovered]
+ (0.03)[probability of R R failure with LOSP not recovered]
(0.97)(7.6 x 10 ) + (0.03)[R RA failure + EECW failure]
(0.97)(7.6 x 10 ) + (0.03)[(2.9 x 10 ) + (2.0 x 10 )(0.01)]
7.4 x 10 + (0.03) (2.9 x 10 )
-4
= 9.4 x 10 P(T R RA) = F(LOSP) Q(RE A RA)
= (3 x 10 )(9.4 x 10 )
-5
= 2.8 x 10 per reactor-year.
4~2~2 Loss of 0f fsite Power with RCIC and DHR Failure (TPQRERA)
This sequence is essentially identical to sequence TPRERA except that the RCIC system fails but the HPCI system operates to maintain reactor water level. Subsequently, the torus cooling and shutdown cooling modes of RHR fail to remove decay heat. Sustained failure of these two modes will result j.n torus water heating to the point that the HPCI system can no longer pump'water to the core. A core melt would then occur. This sequence is highlighted on the systematic event tree Figure- C-16. Its initial value
AT RS OP VWI DHR AT RS OP MSI HPI LPI RHR 1CS Torus S/D Trans CRD RV(O) RV(C) MSIV RCIC HPCI DEP COND Loo 1 LPCI SBCS ~CI ~CI Tp B J K N Q D FB D X Sequence RB RA Designator Legend:
SID = Shutdown Clg = Cooling Trans = Transient Tp RBRA
+Probability of W Is 1.0 for LOSP TPQRBRA TpQDRBRA TpQDFBRBRA TpQDFBGDRBRA TpQDFBGDX TpQDV TpN TpK LOCAs TpJ TpB INEL 21771 Figure C-16. Systemic event tree showing the TpQRgRA sequence.
.is G.2 -x .10 , based on a 3 x 10 . ;.per year '.probabil'ity for '.the LOSP
!init'iator.and 2.'1 x 10" for the .unavailabi;lity of Q O'RpA RA..
- Figure C-.17 is,a sequence evaluation diagram showing the, dominant contributors ".to "the unavai:lability of'Q A;Rp A-'RA.
The dominant .contributors to .'torus coo'ling,and shutdown cooling,fai:lure
- for .this, sequence are the same .as for sequence TPRgRA. ~ Therefore,
- the recovery factors for these two systems, are "the same. .RCIC is essenti-ally unaffected by t'e LOSP. Its dominant contributors .are rupture-.disk and control circuit faults, which are not recoverable under the guide'1'ines,.
Therefore, no credit .is taken for recovery of the RCIC system. 'The unavailability of the mitigating .systems becomes 3.9 x 10 ~. The '.final sequence value then is 1.2 x 10 , as shown below.
Q(QR R ) = Q(Q) Q(R R considering -recovery)
= Q(Q) Q(R R from .sequence T R R )
QllRBARA 6 fall .3.2 x 10 32x10 6 Independent Common failures failures
'None significant 7.6x10 4.2x10 RBnRA Q falls fails Figure C-'19 Appendix 8, INEL 2 1649 Table B.6 Figure C-17. Dominant contributors to the unavailability of RCIC, torus cooling,,and shutdown cooling given LOSP.
C-56
(0.042)(9.4 x 10 )
=3.9x10 -5 P(T QR R ) = F(LOSP) Q(QR R )
B A (3 x 10 )(3.9 x 10 )
-6
= 1.2 x 10 per reactor-year.
in parenthesis (Q) represents the RCIC system code.)
4.2.3 Transients Where PCS is Unavailable and DHR Fails (TURBRA)
For this sequence, the RS, OP, MSI, and RCIC systems succeed and the long term decay heat removal of torus cooling and shutdown cooling fails.
This sequence is similar to the previously-discussed sequence (TPRBRA) except that offsite power remains available. The initial screening value for the frequency of this sequence is 1.3 x 10 per reactor-year, based on an initiating frequency of 1.70 per reactor-year and an unavailability of 7.6 x 10 for the combination of RB and RA. The sequence is outlined on the systemic event tree, Figure C-18.
In this sequence, the RHR system in shutdown cooling or torus cooling mode provides the decay heat removal. Both modes must be inoperable to fail the function. The unavailability for both systems is 7.6 x 10 Control circuit faults for the suction and discharge motor-operated valves and the minimum-flow bypass valves dominates this unavailability. It was assumed during the fault tree analyses of the core spray and RHR systems that minimum flow bypass valves failing to close could divert sufficient flow in a given loop to cause failure of that coolant path. Section 6 pro-vides a sensitivity analysis of this assumption. Figure C-19 is a sequence evaluation diagram showing the dominant contributors to the unavailability of RB A RA'or these transients, even though the PCS was originally lost due to MSIV closure, the potential exists to recover the main condenser as a heat sink. This depends on the cause of the transient. For example, if the transient were initiated by a fault in the feed pumps that was not immedi-ately repairable, then the PCS could not be used. If the transient was due to faulty automatic level control, the operator could manually control level with the feed pumps after reopening the MSIVs. However, there is inade-quate data available on which to base a probability of PCS recovery.
Recovery of the RHR system due to the dominant faults (control circuit faults) would involve either manual operation of the affected valves or bypass/repair of the faulted control circuit. In either case, the control room operator would have to recognize the cause of the valve's failure to operate and dispatch personnel to operate/repair the valve. Given that the RCIC system has been successful, the operator would have at least 6 to
AT RS OP VWI DHR
.AT Tra'ns TU RS CRD RV 0 OP RV(C)
K MSI MSIV N
DEP COND W
Torus Cl RHR
~CI R
Sequence
~Le end: Designator S/D = Shutdown Clg = Cooling Trans = Transient TURBRA TUQRBRA TUQDRBRA O
I TUQDWRBRA c0
'UQDWFBRBRA TUQDWFBGPRBRA TUQDWFBGPX TUQDV TUN TUK LOCA s TUJ TUB INEL 2 1755 Figure C-18. Systemic event tree showing th'e TURBRA s'equence.
RARA 7.6 x 10 fall 6.2 x 10 1.4 x 10 Independent Common failures failures 3.1 x 10 2.0 x 10-2 1.3 x 10 1x 10-6 Control RB RA Valve fails fails circuit faults faults RCK0302G, RCK0071G RVMOO?1N, RVM0302N Appendix 8, Appendix 8, Table 821 Tables 8.19 and 8.20 INEL 2 1761 Figure C-19. Dominant contributors to the unavailability of RHR systems following' transient which disables the PCS (normal power available). I 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to accomplish this recovery as discussed previously in Sec-tion 4.2.2. The recovery guidelines provide for a probability of non-recovery for these faults of 0.01. The unavailability of RB and Ry due to both independent and common control circuit faults is 1.9 x 10 . The remaining unavailability not subject to recovery is 5.7 x 10 5. The final sequence value is 9.7 x 10 5, as shown below.
Q(R RA) = (0.01) (recoverable faults) + (nonrecoverable faults)
= (0.01)(1.9 x 10 ) + 5.7 x 10
= 5.72 x 10
-5 P(T R R ) = F(T ) Q(R r.l R A
) = (1 7)(5.7 x 10 )
U B A U B
-5
= 9.7 x 10 per reactor-year.
4.2.4 Transients Where PCS is Unavailable and RCIC and DHR Fail (TUQR8RA)
This sequence is essentially identical to sequence TUR8RA
-except that the RCIC system fails but the HPCI system operates to maintain reactor level. Subsequent failure of torus cooling and shutdown cooling will event-ually .lead to a core melt. This sequence is shown on the systemic event tree Figure C-.20. '.Its initiator frequency is 1.7 per reactor-year and
'5.5 x 10 per reactor-year is the screening sequence value. Figure C-21 is a sequence evaluation diagram showing the dominant:contributors to the initial~value of 3.2 x 10 for the unavailability .of Q A R8 A RA.
The dominant contributors for torus cooling and shutdown cooling fail-ure are the same for this sequence as for sequence TUR8RA. The recovery factors are also the same. The RCIC system dominant faults involve rupture disks and control circuits,and are independent of the torus cooling and shutdown cooling faults. These faults are not:recoverable under"-the guidelines, so .no credit is taken for RCIC system recovery. Therefore, the unavailability of the mitigating systems considering recovery is 2.4 x 10 -6 as shown below.
Q(QR R ) = Q(Q) Q(R R considering recovery)
= Q(Q) Q(R'R for sequence T'R R )
= (0.042)(5.7 x 10 )
-6
= .2.4.x 10 P(T = F(TU Q(QR8RA QR8RA (1.7)(2.4 x 10 )
-6
= 4.1 x 10 per reactor-year.
4.2.5 LOSP-Induced Stuck Open Relief Valve (SORV) with DHR Failure (TPKRpRA)
In this sequence, the LOSP causes a turbine trip without bypass, a reactor scram, main steam isolation, and opening of the relief valves.
However, one or more of the relief valves fail to reclose after pressure has fallen below the relief valve setpoint. This is equivalent to an inter-mediate steam break with one exception. The steam from the relief valves does not go into the drywell. Rather, it goes to the torus water directly.
After the HPCI system has succeeded in restoring reactor vessel level to normal, the torus cooling and shutdown cooling systems fail. The initial value for this sequence is 8.3 x 10 5, based on an initiating frequency of 1.7 x 10 per year and 4.9 x 10 for the unavailability of Rg A RA.
The marked systemic event tree is Figure C-22.
C-60
AT RS OP VWI DHR AT RS OP MSI HPI LPI RHR 1 CS Torus SID Trans CRD RV 0 RV(C) MSIV RCIC HPCI DEP COND
~Loo 1 LPCI SBCS
~CI K W ~CI TU B N F GD RA FB Sequence
~Le end: Designator S/D = Shutdown Clg = Cooling Trans = Transient TURB RA TUQRBRA TUQDRBRA TUQDWRBRA TUQDWFBRBRA TUQDWFBGDRBRA TUQDWFBGDX TUQDV TUN LOCAs TUJ TUB INEL 2 1755 Figure C-20. Systemic event tree showing the TUQR~RA sequence.
QARBARA fall 21x 10 2.1 x 10 0 Independent Common failures failures None significant 4.9 x 10 4,2 x 10 RBARA 0 fall fails Figure C.15 Appendix B, INEL 2 1763 Table B4
'Figure C-21. Dominant contributors to the unavailability of the RCIC and RHR systems following a transient which disables the PCS (normal power available).
The RHR system in shutdown cooling or torus cooling mode provides the long term cooling. As was the case in the sequence TPRBRA of Section 4.2.1, the unavailability of the DHR function is 4.9 x 10 . The dominant con-tributor sequence evaluation diagram for that sequence applies to this sequence as well.
Preliminary phenomenological calculations being performed at INEL on 8 indi-BF1 as part of the Severe Accident Sequence Analysis (SASA) program cate that core temperatures will start to rise rapidly in as little as 30 min if the HPCI system does not function to replenish lost coolant inven-tory. Even with successful HPCI, torus water temperature will rise and eventually reach a temperature where the HPCI system will no longer have sufficient net positive suction head to maintain reactor level. The time available to recover is approximately the same as the LOSP with RB and R failure. For this sequence, since HPCI is successful, it was assumed that at least 6 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> are available to restore offsite power. Using the WASH-1400 restoration figure and recovery factors based on 6 to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />, the probability for RB and RA failure is the same as for sequence TPRBRA (9.4 x 10 ) ~ The final sequence value is then 1.6.x 10
.'C-62
PB RS Sci Eci DHR LOCA CRD HPCI ~ICB Loo I LPCI Torus Clg ~S/D Cl ly B VS C lBD ~B A Sequence Designator Break Size(ft ): 0.12 to 1.4
~Le end:
SID = Shutdown Clg = Cooling TpKRBRA From--
transient TpK systemic event trees TpKDRBRA TpKDFBRBRA TpKDFBGD INEL 2 1758 Figure C-22. Systemic event tree showing the TpKR~RA sequence.
P BA P BA (1.7 x 10 ) (9.4 x .10 )
-6 P(T KR R ) = 1.6 x 10 per reactor-year.
4.2.6 Transient-Induced SORV with DHR Failure (TKRBRA)
For this sequence, a transient causes a reactor scram and a number (depending on the initiator) of relief valves open. When pressure falls below the relief valve setpoint, one or more relief .valves fail to close, and the reactor continues to blow down to the torus. When low water level is reached, the MSIVs shut and the HPCI system initiates. Following suc-cessful ECI by the HPCI system, the torus cooling and shutdown cooling systems fail. The initial value for this sequence is 1.2 x 10 per reactor-year, from a frequency of 1.63 x 10 per year for the initiator and an unavailability of 7.6 x 10 for the combination of RA A RB.
The sequence is shown on the systemic event tree, Figure C-23.
This sequence is similar to the LOSP-induced SORV sequence of Section 4.2.5 except that the unavailability for the RB and RA combina-tion is much lower because offsite power is available. However, the initi-ator frequency is approximately two orders of magnitude higher than for the LOSP-induced SORV sequences. The RHR system provides the long-term decay heat removal function in either the shutdown cooling or torus cooling mode.
The unavailability for both modes is 7.6 x 10 5. The major contributors to this unavailability are control circuit faults of the minimum-flow bypass valves and the suction and discharge path MOVs. The dominant contributor sequence evaluation diagram of Section 4.2.3 applies for this sequence also.
As with the sequence TURBRA of Section 4.2.3, recoverability of the torus cooling and shutdown cooling systems is either by manual operation/repair of faulted RHR valve control circuits or by recovery of the PCS as a heat sink if possible. However, recovery of PCS is not easily quantifiable. Therefore, the final sequence probability for this sequence does not include a probability of recovery of PCS. The recoverability of RB and RA has been previously accounted for (5.7 x 10 ). Therefore, the final sequence value is 9.3 x 10 , as shown below.
P(TKRBRA F(TK) Q(RB A RA (0.163)(5.7 x 10 )
-6 9.3 x 10 per reactor-year.
4.2.7 Transients without PCS with VWI Failure (TUQDV)
A transient occurs that causes the reactor to scram and the MSIVs to close. After the relief valves open to relieve the increase in reactor pressure, all the valves reclose. This action repeats as reactor decay heat
,C-64
PB RS SCI ECI DHR LOCA CRD VS HPCI ~ICS Loo I LPCI Torus Clg ~S/D Cl ly B C ~p ~C Sequence Designator Break Size(ft ): 0.12 to 1.4 Lece end:
SD = Shutdown Clg. = Cooling TKRBRA From transient TK systemic event trees TKDRBRA TKDFBRBRA TKDFBGP INEL 2 1757 Figure C-23. Systemic event tree showing the TKR>RA sequence.
causes pressure to rise due to the lack of a heat sink. When low reactor level is reached, the HPCI and RCIC systems (D and Q, respectively) fail to operate to restore water level. As the water level continues to drop due to relief valve action, the operator fails to manually depressurize the reactor. If this condition persists, core melt occurs. The initial proba-bility for this sequence is 2.8 x 10 5 per reactor-year, based on an initiating event frequency of 1.70 per year and 5.4 x 10 for the unavailability of Q R D A V. The systemic event tree showing this sequence is Figure C-24.
The unavailability of HPCI and RCIC combined is 1.8 x 10 and is dominated by rupture disk faults and control circuit faults of the MOVs in each system. The probability of failure to manually depressurize is dominated by failure of the operator to initiate depressurization, since only 4 of 13 valves are required to open for successful depressurization.
Figure C-25 is a sequence evaluation diagram of the dominant contributors for this sequence. During the injection phase, there is little time avail-able (30 to 40 min) for the operator to dispatch personnel to correct faults involving the HPCI and RCIC MOVs. If the operator fails to depressurize, then water level continues to decrease and the low pressure systems such as core spray, LPCI, and the condensate system cannot provide water to the reactor because reactor pressure is too high.
The probabilit~ of the operator failing to depressurize was originally taken to be 3 x 10 , based on the human error modeling guide of NUREG/CR-1278. This model, shown in Section 4.2 of Appendix B, does not include recovery because it was developed for initial screening purposes.
However, recovery from an initial operator error in failing to depressurize is likely because of the heavy emphasis on depressurization given to opera-tors during their training and the ease with which this action can be carried out. Since this recovery relates to operator error rather than actions directly mitigating the effect of hardware faults, the nonrecovery factors of Table C-6 are not applicable. Therefore, a more detailed opera-tor action model was developed, considering not only the time frame for operator action but also the effect of additional operators in the control room. The new model, presented in Section 4.3 of Appendix B, shows that a consideration of recovery reduces the human error probability of failure to depressurize by a factor of 0.06. The final sequence frequency is then 5.5 x 10 7 per reactor-year, as shown below.
Q(QDV) = (0.06) Q(Q A D A V)
(0.06)(5.4 x 10 )
=
-7 3.2 x 10 P(T QDV) = F(T ) Q(QDV)
U (1.7)(3.2 x 10 )
-7
= 5.5 x 10 per reactor-year.
'C-66
~ ~ ~ ~
AT RS OP VWI DHR AT RS OP MSI HPI LPI RHR 1 CS Torus SID Trans CRD RV(VO RV(C) MSIV RCIC HPCI 0EP COND 1 LPCI SBCS ~CI Cl
~Loo TU B J k W FB GD X RB RA Sequence end: Designator
~Le SID = Shutdown Clg = Cooling Trans = Transient TUR BRA TUQRBRA TUQDRBRA TUQDWRBRA TUQDWFBRBRA TUQDWFBGDRBRA TUQDWFBGPX TUQDV TUN LOCAs TUJ TUB INEL 2 1755 Figure C-24. Syst:emic event tree showing the TtjQDU sequence.
anOnv 5.4x10 6 fail 5.4 x 10 Independent Common failures failures None significant 3 x 10 1.8x 10-3 V ano falls fall Operator falls to depressurlze 1.8x 10 Independent Common failures failures None 4.4x10 4.2x10 significant HPCI RCIC fails falls Appendix B, Appendix B, INEL 2 1650 Table B-32 Table B4 Figure C-25. Dominant contributors to the unavailability of RCIC, HPCI, and manual depressurization following a transient which disables the PCS (normal power available).
C-68
4.2.8 Loss of Offsite Power with VWI Failure (TPQDFBGDX)
After a LOSP, a turbine trip without bypass and a reactor scram occur.
The relief valves open to relieve the pressure increase caused by the loss of the heat sink and reclose when pressure falls below the relief valve setpoint. This cycle continues until a low reactor water level is reached. At this point, the HPCI and RCIC systems (D and Q) fail to operate to maintain reactor water level. As the water level continues to drop due to relief valve action, the operator successfully depressurizes the reactor, but the core spray, LPCI, and SBCS systems (FB, GD, and X, respectively) fail to restore water level and core melt occurs. The initial value for reactor-this sequence is 1.2 x 10 per reactor-year, based on 1.70 per year for the frequency of LOSP and 4 x 10 for the unavailability of D A FB A GD A X. 'his sequence is highlighted on Figure C-26, the systemic event tree for the LOSP transient.
The unavailability of the injection systems for this sequence, i.e.,
the unavailability of HPCI and RCIC, is 1.8 x 10 and is essentially unaffected by the loss of offsite power. The unavailability of core spray, LPCI, and SBCS is affected by the LOSP and is 1.5 x 10 . This number is primarily due to diesel generator faults. Additionally, failure of the EECW system to provide its required cooling will cause the loss of all diesels and, thus, AC power for the RHR and core spray pumps. The EECW unavaila-bility is 2.0 x 10 . The EECW value is dominated by combinations of failure of two diesels to start. These are not necessarily the same diesels that cause core spray and LPCI failure. Figure C-27 is a sequence evalua-tion diagram showing the dominant contributors to the mitigating systems unavailability.
Should this sequence occur, with the injection systems failed there are approximately 30 to 40 min before boiloff reduces reactor coolant inventory to a point where core temperature begins to rapidly rise. There are several viable recovery considerations available to the operators during this time period. One is a restoration of offsite power. From WASH-1400 (Figure III 6-4), approximately 70/ of all offsite power outages can be repaired in 30 to 40 min. If LOSP is restored, this sequence is essentially the same as the transients without PCS with VWI failure, sequence TUQDWFBGDX ~
Similarly, as with the LOSP with DHR failure sequence TPRBRA of to Section 4.2.1, the EECW success criteria require three of four pumps operate. If only two of four pumps operate, up to 91/ of rated flow is available. Two additional RHRSW pumps are available for EECW service by opening (from the control room) one MOV for each pump.
Considering recovery, the unavailability of the injection systems -8 becomes 1.2 x 10 . The final sequence frequency is then 3.6 x 10 as shown below.
Q(QDF B G D X) = (0.70)(injection systems failure with LOSP recovered)
+ (0.30)(injection systems failure without LOSP recovered)
(0.70)(unavailability of sequence T QDWF G X)
AT RS OP VWI DHR AT RS OP MSI HPI LPI RHR 1 CS Torus S/D Trans CRD RV(O) RV(C) MSIV RCIC HPCI DEP COND 1 LPCI SBCS ~CI ~CI
~Loo Tp B J K N Q D GD X RA Sequence FB RB Designator Legend:
S/D = Shutdown Clg = Cooling Trans = Transient TpRBRA 8 Probability of W is 1.0 for LOSP TpQRBRA TpQDRBRA TPQDFBRBRA TpQDFBGDRBRA TPQDFBGDX TpQDV TpN TpK LOCAs TpJ TpB INEL 2 1767 Figure C-26. Systemic event tree showing the TpQDFBG+ sequence.
QrlDAFBAGpAX 4.0 x 10 fall 4.0x 10 Independent Common failures failures None significant 1.8x10 2.2x10 QAD FBAGpAX fell fall Figure C.25 1.5 x 10 2.0 x 10 Non EECW EECW failures falls Appendix 8, 8
1.5 x 10-8 2.1x10 Table 84t3 Common Independent failures failures Diesel 9.6 x 10 2.2 x 10 faults Core spray GpAX falls lail Appendix 8, Table 848 Independent 2 10 Common 0.7x 10-failures failures 2.7x10 4 4.6 x10 Valve laults LPCI SBCS falls falls Appendix 8, Appendix 8, INEL 2 1651 Table 822 Table 8 55 Figure C-27. Dominant contributors to the unavailability of RCIC, HPCI, LPCI, core spray, and SBCS given LOSP.
+ (0.30)(failure;- of HPCL and RCIC)
" [(failure of LPCI, coie spray,,and SBCS) + (failure of EECW).
'operator nonrecovery).] .
=-(0.70)(1.7. x. 10 )
+ (0.30) (1.8. x 10. )[1.5 x 10 +.(2.0'x 10(0.03)]
='. 2, x 10, + 1 ..2.' 10
-6 1.2 x 10 P(TPQDFBGDX)F(TP)Q(QDFgGBXD)
(3 x 10 )(1.2 x 10 )
-8
= 3.6 x 10 per reac.tor-year.
- 4. 2. 9 LOPS-Induced SORV with ECI Failure (TPKDFBGD)
A LOSP causes a reactor scram and turbine trip without bypass. After the relief valves open. to relieve the pressure increase caused by the. loss of the heat sink, one or more of the relief valves fail to reseat when pressure drops below the relief valve setpoint.. When water level drops to the low level point, the. MSIVs shut but the HPCI system does not operate to refill the reactor. Subsequently, as level and pressure drop, neither the core spray nor LPCI systems operate to fill the reactor and a core melt
-6 per reactor-occurs. The initial value for this sequence is 2.5 "3
x 10 year based on an initiating frequency of 1.7 x 10 per reactor-year and an unavailability of 1.5 x 10 for the combination of D, FB, and GD.
The sequence is shown on the systemic event tree, Figure C-28.
The unavailability for the injection systems for this sequence is based on failure of the HPCI, core spray, and LPCI systems to operate. The HPCI unavailability is essentially not affected by the LOSP. The unavailability of core spray an'd LPCI, however, is dominated by combinations of diesel -2 generator faults. Furthermore, the EECW unavailability (2.0 x 10 ) also contributes to the probability of core spray and LPCI failure. Figure C-29 is a sequence evaluation diagram showing the dominant contributors to the mitigating systems unavailability.
As mentioned before in other LOSP sequences, the EECW success criteria was three of four pumps operating. Since two of four pumps can provide at least 91X of rated flow and since two other RHRSW pumps are readily avail-able to,provide flow to the EECW header, EECW is subject to recovery V
considerations.
Approximately 30 min is available for recovery while the relief valve remains stuck open. As discussed in previous sequence descriptions,
PB RS SCI ECI DHR LOCA CRD HPCI ~ICC Loo I LPCI Torus Clg S/D Clg ty B VS C ~D ~s ~a Sequence Designator Break Size (ft ): 0.12 to 1.4
~Le end:
S/D = Shutdown Clg = Cooling TpKRBRA From-transient TpK systemic event trees TpKDRBRA TpKDFBRBRA P BGD INEL 2 1758 Figure C-28. Systemic event tree showing the TpKDFBGD sequence.
pAFBAGp- 1.5 x 10, 3 fall 1.5 x 10 0'ndependent Common'ailures failures.
None=
tt slgnlflcanti 2.2x 10 2 0.065:
FBAGp HPCI fall falls Appendix 8, Table 8 33 1.5x10 2.0 x 10-2 Non.EECW EECW failures falls Appendix 8, Table 8.83 2.6x10 1.5 x 10 Independent Common failures failures Combination of three g.sx 10-4 2.7x10 4 dlesels Core spray LPCI fails fails Appendix 8, Appendix 8, Table 8.48 Table 8 22 INEL 2,1652 Figure C-29. Dominant contributors to the unavailability of HPCI, LPCI, and core spray, given LOSP and SORV.
C-74
approximately 70/ of the offsite power outages can be repaired during this time. If offsite power is restored, this sequence becomes very similar to the transient-induced SORV sequence, TKDFBGD.
Considering the potential recovery of offsite power and the EECW sys-tem, the injection system unavailability becomes 5.1 x 10 . The final sequence frequency is then 8.7 x 10 , as shown below.
Q(FBGD)- = (0.70) (unavailability with LOSP recovered)
+ (0.30) (unavailability with LOSP not recovered)
(0.70) (injection systems for sequence TKDF G )
+ (0.30)(failure of HPCI)[(failure of core spray and LPCI to operate) + (failure of EECW) (operator nonrecovery)]
(0.70)(2.4 x 10 ) + (0.30)(6.5 x 10 )
[(1.5 x 10 ) + (2.0 x 10 )(0.05))
Q(DFBGD = 1.7 x 10 + 4.9 x 10
-5 5.1 x 10 P(T KDF G ) = F(T K) Q(DF G )
P B D P B D (1.7 x 10 )(5.1 x 10 )
-8
= 8.7 x 10 per reactor-year.
4.2 '0 Transients Without PCS with Failure to Scram (TUB)
In this sequence, a transient occurs that makes the main condenser unavailable as a heat sink. Failure of the reactor to scram allows reactor power to remain high. As a result, the pressure increases until the relief valves open. The HPCI and RCIC systems are not capable of providing makeup to the reactor as fast as steam is being lost to the torus via the relief valves. Therefore, the core uncovers and melts. The initial value for this sequence is 5.1 x 10 5, based on an initiating frequency of 1.70 per reactor-year and an unavailability of 3 x 10 for failure to scram. The sequence is shown on the systemic event tree, Figure C-30.
Since core uncovery in this scenario will occur within the first 10 min (depending on power level), the recovery guidelines do not allow for con-sidering operator action to correct the condition. Therefore, the final
-5 sequence value is the same as the initial value of 5.1 x 10 C-75
AT RS OP VWI DHR AT Trans TU RS CRD B
~RV J
0 OP RVIC)
K MSI MSIV N
DEP V
COND W
~Loo F
oM Cl RHR
~CI R
Sequence
~Le end: Designator SID = Shutdown Cig = Cooling Trans = Transient TURBRA TUQRBRA TUQDRBRA TUQDWRBRA TUQDWFBRBRA TU WFBGPRBRA TUQDWFBGDX TUQDV TUN TUK LOCA s TUJ TUB INEL 2 1755 Figure C-30. Systemic event tree showing the TUB sequence.
The unavailability for the reactor s"ram function is 3.0 x 10 ~ ~
This number was taken from the ATWS document NUREG-0460. This analysis did not evaluate the probability of failure to scram using the fault tree methodology. As noted in WASH-1400 and NUREG-0460, the exact number of rods that must fail to insert and the relative position of those rods is not easily calculated and was considered beyond the scope of this analysis.
Thus, the NUREG-0460 probability value for failure to reach subcriticality was used in lieu of a specific evaluation of the reactor subcriticality function.
4.2.11 Transients with PCS with Failure to Scram and Recirculation Pum Trip Failure TABM In this sequence, a transient occurs that does not cause the MSIVs to close. The PCS is available both as a heat sink and a source of makeup water to the reactor. If the RPT is successful, the resulting reactor power level is within the capacity of the bypass valves to remove heat from the reactor. Failure of the RPT allows reactor power level to remain above the capacity of the bypass valves. Therefore, reactor pressure increases until the relief valves open. The feed pumps are able to maintain level but the steam going through the relief valves to the torus does not return to the condenser to be reinjected to the core. Thus, condensate storage tank level decreases until the condensate and feed systems trip. At this point, reac-tor water level decreases until the MSIVs close making the PCS unavailable.
Level continues to drop until core uncovery occurs and a core melt ensues.
The initial value for this sequence is 3.7 x 10 , based on an initiating frequency of 1.68 per reactor-year and 2.2 x 10 for the unavailability of the combination of B and M. The sequence is shown on the systemic event tree, Figure C-31. Figure C-32 is a sequence evaluation diagram showing the dominant contributors to the mitigating systems unavailability.
The dominant contributor to failure of both the reactor scram system and the RPT is failure of the reactor protection system to initiate either one. This value was taken to be 1.9 x 10 from the WASH-1400 report, since no analysis of the reactor protection system was done for the present report.
The potential recovery actions for this sequence involve manually scramming the reactor or operator trip of the recirculation pumps. The time available to do either of these is a function of the reactor power level.
Since the reactor power/bypass valve mismatch could be as high a 70% of full power, the time available for operator action would be minimal. Therefore, no credit is taken for operator action to prevent a core melt for this sequence. The final sequence value is then 3.7 x 10 4.3 Dominant Sequences Those sequences from Table C-9 that have final sequence frequencies greater than 1.0 x 10 per reactor-year are the dominant sequences.
There are eight dominant accident sequences. Six of these are transient sequences, while the other two are transient-induced LOCAs. Table C-14 lists these sequences in decreasing order of frequency.
C-77
AT RS OP VWI DHR AT Trans
~A RS CRD B
RPT Recirc
~Purn s RV(O)
J OP RV(C)
K PCS PCS P
DEP V
COND W
~B 1LPCI GP SBCS X
Clg RHR Clg Sequence Designator Legend:
S/D = Shutdown TAr RBRA Clg = Cooling Trans = Transient TAPQRBRA TAPQDRBRA TAPQDWRBRA TAPQDWFBRBRA TAPQDWFBGPRBRA TAPQDWFBGDX TAPQDV TAPN }
(
TABP TABM INEL 21770 Figure C-31. Systemic event tree showing the TABM sequence.
2.2 x 10 8AM fall 2.6x10 19x10 6 Independent Common failures failures RPS common mode failure 3x10 6.7x10 Reactor Recirculation subcritlcality pump trip falls fails Appendix 8, Appendix 8, Section 2.9 Table 857 INEL 2 1653 Figure C-32. Dominant contributors to the unavailability of the CRD and RPT systems following a transient where the PCS is available.
TABLE C-14. DOMINANT SEQUENCES Sequence Se uence Initiator Desi nator x 10 5 Transient without PCS TURBRA 9 7 Transient with PCS TUB 5.1 x 10 5 Loss of offsite power TPRBRA 2.8 x 10 5 Transient-induced LOCAs TKRBRA 9.3 x 10-6 Transient without PCS TUQRBRA 4.1 x 10-6 Transient with PCS TABM 3.7 x 10-6 1.6 x 10 6 LOSP-induced LOCAs TPKRBRA 6
Loss of offsite power TPQRBRA 1.2 x 10 C-79
- 5. UNCERTAINTY ANALYSIS 5.1 Introduction The point estimate of the frequency of each dominant sequence appears in Table C-14. In addition to knowing the point estimate of the frequency for these sequences, it is also useful to understand the uncertainty associated with each point estimate. The uncertainty analysis of this report only propagates errors associated with the given basic event failure rates and initiating event frequencies. Other uncertainties associated with quality assurance, success criteria, etc., are not included. The results of this analysis, therefore, only evaluate the uncertainty associated with the failure rate data base. The main purpose of the uncertainty analysis is to provide those using this report with additional perspective on the results. When evaluating potential design or operational changes, it may well be useful to examine changes to the uncertainty bounds as well as to the point-value estimates.
The uncertainty bounds for each sequence were determined by assigning an uncertainty bound and a distribution to each basic event and sequence initiator. The MOCARS computer code uses this information along with the cut sets for the systems to perform a Monte Carlo simulation that describes the resulting distribution for the systems. In much the same way as point estimates were obtained, the COMCAN code was used to identify cut sets com-mon to two or more systems. These cut sets were also evaluated using the MOCARS code and appropriately combined to generate the distribution for the sequence.
The upper bound value was chosen to be the value of the sequence dis-tribution at the 95/ quantile. In other words, 95/ of the distribution values generated by MOCARS were less than or equal to the upper bound value.
Rather than expressing this upper bound as a fixed value, it is associated with the point estimate by an error factor that equals the upper bound divided by the point estimate.
5.3 Data Base Table C-4 gives the error factors used for the basic event point esti-mates for most of the basic events. For human error probabilities and the generic control circuit models, an error factor of 10 was used. Most hard-ware failure data had error factors of three. Using an error factor of 10 for these two cases is, therefore, more conservative and puts the uncer-tainty for these events on the same level as short circuits, valve ruptures, and similar passive failures where the data base is sparse.
The lognormal distribution was chosen as the distribution for each basic event and for the initiating events. The lognormal distribution is commonly used in analyses where the uncertainty associated with the data is expressed in orders of magnitude differences from the point estimate.
The dominant sequence initiators are all transients or transient-induced LOCAs. The point estimates for these initiators came from EPRI C-80
NP-801 as noted in Appendix A, Section 2.2. While EPRI NP-801 did assign 95% upper bound values on transient initiator frequencies, these bounds were assigned on a generic basis (i.e., BWRs, PWRs). Since the point estimates used for sequence frequency calculations were Browns Ferry-specific and EPRI NP-801 did not assign uncertainty bounds on a plant-specific basis, an error factor of three with a lognormal distribution was assigned for each initia-tor. Compared with the EPRI NP-801 generic data, an error factor of three is more conservative as is the assumption of a lognormal distribution.
5.4 Results Table C-15 summarizes the results of the uncertainty analysis. Each dominant sequence is listed in descending order of the final frequency.
Both the initial sequence frequency and error factor and the final sequence frequency (considering recovery) and error factor appear in the table. In addition, the sum of the dominant sequence frequencies and its associated error factor is shown. The error factor for the sum represents the result of a MOCARS evaluation of the sum of the dominant sequence distributions.
5.5 Insights on Uncertaint Anal sis In Section 4, the effect of control circuit faults on sequence fre-quencies involving failure of torus cooling and shutdown cooling is dis-cussed. Table C-15 shows another aspect of the control circuit fault contribution. This contribution is to the uncertainty. Because of the assumption of an error factor of 10 for control circuit faults and their dominance in the point estimate of some sequences, control circuit faults TABLE C-15. DOMINANT SEQUENCE UNCERTAINTIES Sequence Initial Error Final Error Desi nator Frequenc Factor ~Feequeuc Factor TURB RA 1.3 x 10 4 20.5 9.7 x 10 5 8.7 TUB 5.1 x 10 5.0 5.1 x 10 5.0 TPRBRA 1.5 x 10 5.6 2.8 x 10 5 2.8 TKRBRA 1.2 x 10 21. 5 9.3 x 10-6 9.0
, TUQRBRA 5.5 x 10-6 36.3 4el x 10-6 15. 3 TABM 3.7 x 10 6 4.6 3.7 x 10-6 4.6 TPKRBRA 8.3 x 10 5 6.7 1.6 x 10-6 2.8 1.2 x 10 6 4.7 TPQRBRA 6.2 x 10 10. 7 Total 1.9 x 10 3 5.8 2 0 x 10 4 5.6 C-81
are large contributors to the error factor associated with the initial fre-quency of these sequences. After adjusting for recovery, but keeping an error factor of 10, the error factor for the final frequency is reduced considerably. These control circuit faults were considered to be recover-able whenever there is enough time (a) to repair or bypass the control cir-cuits, (b) to manually operate a valve, or (c) to valve in another pump, as is the case with torus cooling and shutdown cooling (long-term decay heat removal). Therefore, their contribution to the final sequence frequency was less than their contribution to the initial sequence frequency. Similarly, the final frequency error factor is less sensitive to control circuit faults than its corresponding initial frequency error factor.
Another example of this particular sensitivity is that the uncertainty for sequence TURERA initially is quite a bit higher than for sequence TpRERA.
In the case of sequence TFR~RA, the dominant faults were combinations of diesel generator faults (error factor of three) instead of control circuit faults (error factor of 10) as in sequence TURERA.
Thus, it is apparent that the high error factors in some dominant sequence initial values are associated with the conservatism in the choice of the error factor of 10 for control circuit faults. Furthermore, when recovery is considered, the uncertainty diminishes by approximately a factor of two even when the conservative error factor of 10 is carried through.
To further demonstrate the, conservative nature of the error factor used for control circuit faults, a MOCARS evaluation of the generic model using the data of Table C-4 was performed. This analysis provided an error factor of 2.1, which is considerably less than the assumed value of 10.
Another interesting insight comes from the sequence totals before and after recovery is considered'ven when control circuits are considered in their conservative case, the total core melt frequency error factor is only 5.8. After considering recovery, the error factor drops to 5.6. Thus, despite the fact that some sequences have relatively high error factors, their effect on the cumulative core melt frequency error factor is rela-tively modest. Furthermore, consideration of recovery actions reduces the cumulative frequency by approximately one order of magnitude while maintain-ing approximately the same error factor. This tends to indicate that the error factor for the cumulative core melt frequency is not significantly affected by recovery factors or by the wide error spread of a few sequences.
C-82
- 6. SENSITIVITY ANALYSIS 6.1 Introduction After selection of the dominant sequences and evaluation of the uncer-tainties associated with each, it is important to examine the assumptions and uncertainties that went into the original values. A sensitivity analysis can aid in understanding the contributors to dominant sequence frequencies. The method of performing such an analysis is to identify potential uncertainties and recalculate the sequence frequencies to show how much variations in selected input parameters change the final value.
6.2 Sco e of Anal sis Review of the dominant sequences revealed several areas where a sen-sitivity analysis would be desirable. These areas are summarized below.
- 1. The RHR trees assumed that failure of the minimum-flow bypass valves to close would disable the RHR loops. Since about 90% of the flow per loop would not be diverted by such a failure, what would be the effect on sequence frequency if such failures did not disable the RHR loops?
- 2. For the LOSP initiated sequences, failure of EECW was an important contributor to the sequence frequencies. The analysis assumed that three of four pumps were needed to supply adequate cooling.
Since two of four pumps provides up to 91% of the necessary cool-
"ing, what change to the sequence frequency would occur if the EECW model were changed to require only two of four pumps for successful cooling?
- 3. The transient-induced LOCA initiator frequencies were derived from the transient systemic event trees using the WASH-1400 fail-ure data for relief valves. What would be the change in these sequences if the generic stuck open relief valve frequency from EPRI NP-801 was used instead?
- 4. Unavailabilities for valve and pump control circuits were based on analysis of typical systems. A more detailed analysis of the corresponding systems would be possible. In particular, what would be the effect of modeling differences between AC- and DC-powered valve control circuits, and of modeling the effect of 4160 V rather than 480 V AC motor control circuits?
Other areas considered for sensitivity analysis include the usage of cross-connects between the three units at Browns Ferry in recovery actions for the dominant sequences. Cross-connects are described in Appendix B Section 1.2, but no credit was taken in the analysis for their use. While they do represent a potential resource for cooling the core, their compon-ents are tested less frequently than ECCS and operators must follow com-plicated, seldom-used procedures to bring them online. Their impact on recovery possibilities is thus judged to be minimal, and sensitivity studies to consider their effect were not performed.
The remaining sections describe the sensitivity analysis results for the four topics listed above.
6.3 Evaluati:on In order to answer the questions previously noted, the fault trees or the initiator values were changed. The resulting sequence -frequencies are presented for comparison.
6.3.1 Exclusion of Minimum-Flow B ass Valves Removal of minimum-flow bypass valve faults from the RHR fault trees reduces torus cooling unavailability from 3.1 x 10 to 1.7 x 10 Shutdown cooling unavailability decreases from 2.0 x 10 to 1.0 x 10 The commonalities between torus cooling and shutdown cooling are reduced to 2.4 x 10" when the bypass valves are removed, since the original values contained both support system and minimum-flow bypass valve faults. There-fore, the unavailability of torus cooling and shutdown cooling 'becomes 2.0 x 10 . This value is approximately 3.8 times less than the value obtained with the minimum-flow bypass valves considered in the RHR model.
Considering potential recovery further reduces the unavailability of torus cooling and shutdown cooling without the bypass valves. Of the 1.0 x 10 unavailability for shutdown cooling, approximately 2.3 x 10 represents nonrecoverable faults. The remaining 7.7 x 10 is potentially recoverable. Applying the recovery guidelines discussed previously in Sec-tion 3.3 produces a final unavailability for shutdown cooling of 2.4 x 10 Of the torus cooling unavailability of 1.7 x 10" , approximately 1.1 x 10 is nonrecoverable. The remaining 6.0 x 10 4 is potentially recoverable.
The resulting torus cooling unavailability is then 1.1 x 10 . The com-monalities of torus cooling and shutdown cooling are also recoverable.
Therefore, the resulting unavailability is 2.6 x 10 . This value is approximately 22 times lower than the unavailability after recovery with the bypass valves included.
Because the minimum-flow bypass valves are common to both the torus cooling and shutdown cooling fault trees, exclusion of these two valves reduces the prerecovery unavailability of the systems. Since many of the minimum-flow bypass valve faults were not recoverable, postrecovery unavailabilities are not affected as much when the valves remain in the tree (7.6 x 10" to 5.7 x 10 5) as when they are removed (2.0 x 10 to 2.6 x 10 ). This indicates that the torus cooling and shutdown cooling unavailabilities are sensitive to minimum-flow bypass valve faults, especially when recovery is considered.
Therefore, for those dominant accident sequences involving transients other than LOSP where shutdown and torus cooling fail (RBRA), the final sequence frequencies would be reduced approximately by a factor of 22 if faults associated with the minimum-flow bypass valves were not considered.
For LOSP-initiated sequences, failure of RBRA is dominated by faults other than those associated with the bypass valves, and no change in sequence frequency would be realized.
C-84
6.3.2 Modification of EECW Success Criteria As noted in the discussions of candidate dominant sequences, for LOSP initiators, the EECW system represents a common mode failure for all the AC systems. The success criteria for EECW in these sequences was three of four pumps operating. Since two of four pumps can provide up to 91% of the design flow requirements, it would be desirable to understand how those sequence frequencies would be affected if two of four pumps were sufficient.
Evaluation of the EECW system with a success criteria of two of four pumps under a LOSP condition reduces the unavailability from 2.0 x 10 to 2.3 x 10 . For the three LOSP initiated dominant sequences, this change would reduce the unavailability of torus cooling and shutdown cooling from 4.9 x 10 to 3.1 x 10 , thereby reducing the initial sequence frequency for these sequences by a factor of 1.6. Since the EECW contribu-tion after recovery is considered negligible for these sequences (even with the original 2.0 x 10 value for three of four pumps), the final sequence frequency for these sequences would not be affected by the change in EECW success criteria to two of four pumps.
6.3.3 Transient-Induced SORV Initiator The frequency of transient-induced stuck open relief valves in this analysis is based on the EPRI NP-801 frequencies for transients and the failure data for failure of the relief valves to reclose after a demand (see the treatment of System K in Appendix B, Section 2.6). It is desirable to investigate how using the EPRI NP-801 value for SORV frequency would change these sequence frequencies.
From the EPRI NP-801 data, the frequency of a SORV for BFl is 0.95 per reactor-year compared to an average of 0.2 per reactor-year for General Electric (GE) plants. The transient event tree analysis for BFl -yielded a frequency of SORV initiators of 0.16 per reactor-year. Using the BF1-specific number would increase the sequence frequency of transient induced SORVs by a factor of 5.9. Using the GE average only increases the frequency of a factor by 1.25.
This information tends to indicate that the event tree frequency deter-mination for SORVs matches well with the industry average data but not with the BFl-specific data. It should be noted that the three-stage relief valves originally installed at BFl are being replaced by two-stage versions.
Therefore, the previous plant-specific data for SORVs may now be unrepre-sentative of the current design. Also, the EPRI NP-801 data for BF1 was based on the first 37 months of operation. Accounting for subsequent opera-tion may change the plant-specific frequency. In fact, EPRI document NP-2230 contains updated information and revisions to the original EPRI NP-801 data. This document reflects a much larger data base than EPRI NP-801, but the GE,average value changes only from 0.20 to 0.21. The BF1-specific value is reduced to 0.05, and the average of BF-1, -2, and -3 is 0.31. In light of the GE average and updated BF1 specific data, the BF1 event tree determined frequency (0.16) seems to be reasonable.
C-85
The impact of this frequency on the overall BFl core melt frequency estimate is insignificant, since SORV-initiated sequences contribute only 5% to the dominant sequence total and the final frequency estimate has a large error factor.
6 '.4 Use of Generic Control Circuit Unavailabilities The generic control circuit analysis for valves in Appendix B, Section 5, is based on AC power supplies. The resulting unavailability estimates were also used for DC valve control circuits in the PRA. The effect of this assumption on dominant sequence frequencies was investigated by identifying the main differences between AC and DC valve control circuits and computing generic unavailability estimates for DC circuits. The details of this analysis are reported in Appendix B, Section 5.2. The result is that DC valve control circuit unavailability is 15% less than the corres-ponding AC unavailability with monthly testing and 19% less with quarterly testing.
Similarly, a generic 4160 V AC motor control circuit was analyzed to assess the difference in unavailability associated with the higher voltage system as opposed to the 480 V AC generic motor control circuit orginally used for all motor control circuits in the PRA. This analysis, documented in Appendix B, Section 5.3, shows no change in unavailability for the cir cuits with monthly testing. The unavailability with quarterly testing was 8.4 x 10 for the generic motor control circuit originally analyzed and
- 7. 1 x 10 for a 4160 V AC circuit, which represents a drop in unavailability of 15%.
These results show that, for both the generic control circuits ana-lyzed, the differences in power assumptions do not have a significant impact on system unavailabilities ~
C-86
REFERENCES
- 1. N. H. Marshall, et al., User's Guide for the Reliabilit Anal sis S s-tem (RAS), TREE-1168, EG&G Idaho, September 1977.
- 2. N. H. Marshall, et al., COMCAN II: A Com uter Pro ram for Common Cause Failure Anal sis, TREE-1289, EG&G Idaho, September 1978.
- 3. T. Tyler, M. Linn, H. Jones, and T. Barkalow, private communication (discussions with Browns Ferry IREP team), TVA Nuclear Engineering Branch, Knoxville, TN, March 9 and 10, 1981.
- 4. Reactor Safet Stud An Assessment of Accident Risks in U.S. Commer-cial Nuclear Power Plants, WASH-1400 NUREG-75 014), October 1975.
- 5. Anticipated Transients without Scram, Vol. 1, NUREG-0460, April 1978,
- p. 28.
- 6. A. D. Swain and H. E. Guttman, Handbook of Human Reliabilit Anal sis with Em hasis on Nuclear Power Plant A lications, NUREG/CR-1278, SAND80-0200, Sandia National Laboratories, October 1980.
- 7. Browns Ferry Nuclear Plant Final Safety Anal sis Re ort, NRC Docket 50-259, Tennessee Valley Authority, September 1970, Appendix Q, Question 4.8.
- 8. B. F. Saffell, Three Station Blackout Se uences at the BF Unit 1 Plant Conducted as Part of the Severe Accident Se uence Analysis SASA , EG&G letter report to R. E. Tiller, November 1981.
- 9. S. D. Matthews and J. P. Poloski, MOCARS: A Monte Carlo Code for Determinin Distribution and Simulation Limits and Rankin S stem Com-onents b Im ortance, TREE-1138, Rev. 1, EG&G Idaho, August 1978.
- 10. A. S. McClymont and B. W. Poehlman, ATWS: A Rea praisal, Part 3:
Frequenc of Antici ated Transients, EPRI NP-2230, Electric Power Research Institute, January 1982.
C-87