ML18029A176
| ML18029A176 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry |
| Issue date: | 10/15/1984 |
| From: | Mills L TENNESSEE VALLEY AUTHORITY |
| To: | Harold Denton Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 8410190320 | |
REGULATORY INFORMATION DISTRIBUTION SYSTEM (RIDS)
ACCESSION NBR: 8410190320 DOC. DATE: 84/10/15 NOTARIZED: YES
FACIL: 50-259 Browns Ferry Nuclear Power Station, Unit 1, Tennessee
AUTH. NAME: MILLS, L.M. AUTHOR AFFILIATION: Tennessee Valley Authority
RECIP. NAME: DENTON, H.R. RECIPIENT AFFILIATION: Office of Nuclear Reactor Regulation, Director
SUBJECT: Forwards comments on interim reliability evaluation program study, per 821223 request. Program is not risk assessment. Plant sys & operations model should follow actual plant operations.
DISTRIBUTION CODE: A001D COPIES RECEIVED: LTR ENCL SIZE:
TITLE: OR Submittal: General Distribution
DOCKET 05000259
NOTES: NMSS/FCAF 1cy, 1cy NMSS/FCAF/PM. OL: 06/26/73
RECIPIENT ID CODE/NAME: NRR ORB2 BC 01
INTERNAL: ADM/LFMB, NRR/DE/MTEB, NRR/DL/ORAB, NRR/DSI/RAB, RGN2, ELD/HDS4, NRR/DL DIR, TB 04
EXTERNAL: ACRS 09, NRC PDR 02, NTIS, LPDR 03, NSIC 05
TOTAL NUMBER OF COPIES REQUIRED: LTTR 28 ENCL 25
TENNESSEE VALLEY AUTHORITY
CHATTANOOGA, TENNESSEE 37401
400 Chestnut Street Tower II
October 15, 1984
Mr. Harold R. Denton, Director
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
Dear Mr. Denton:
In the Matter of the Tennessee Valley Authority
Docket Nos. 50-259, 50-260, 50-296
By letter from D. B. Vassallo to H. G. Parris dated December 23, 1982, we received the Interim Reliability Evaluation Program (IREP) study performed by NRC consultants for the Browns Ferry Nuclear Plant unit 1.
The letter requested that TVA review the IREP study report and provide our comments.
We have reviewed the subject report and are submitting our comments as an enclosure.
The additional time needed for our review was discussed and coordinated with your staff.
If you have any additional questions, please get in touch with us through the Browns Ferry Project Manager.
Very truly yours,
TENNESSEE VALLEY AUTHORITY
L. M. Mills, Manager
Nuclear Licensing
Subscribed and sworn to before me this day of 1984
Notary Public
My Commission Expires
Enclosure
cc (Enclosure):
U.S. Nuclear Regulatory Commission
Region II
ATTN: James P. O'Reilly, Regional Administrator
101 Marietta Street, NW, Suite 2900
Atlanta, Georgia 30323
Mr. R. J. Clark
Browns Ferry Project Manager
U.S. Nuclear Regulatory Commission
7920 Norfolk Avenue
An Equal Opportunity Employer
ENCLOSURE
TVA COMMENTS ON INTERIM RELIABILITY EVALUATION PROGRAM (IREP) STUDY OF BROWNS FERRY NUCLEAR PLANT UNIT 1
An extensive review of the NRC IREP study on Browns Ferry Unit 1 Nuclear Plant (NUREG/CR-2802) has been performed by TVA.
The IREP study represents a relatively detailed first effort to assess the frequency of core melt at the BFN plant.
It is recognized that the IREP study was performed under a limited scope and limited manpower and time constraints.
However, a much more detailed and extensive study would be required to develop an accurate estimate of the core melt frequency useful for decision making.
A summary of the more important TVA comments and insights is contained in the ensuing discussion, followed by a tabulation of specific comments listed by report page number.
a. It must be emphasized that the IREP study is not a risk assessment; it is a reliability study and as such, conclusions about risk should not be made.
External events were not included, only a limited containment analysis was performed, and no consequence analysis was performed; all of which must be done before conclusions pertaining to risk can be properly made.
Therefore, IREP conclusions regarding risk are not necessarily valid.
b. In many cases, the IREP analysis consists of overly simplified models of the plant systems and the plant operations.
A model should follow as closely as possible the actual plant operation.
Simplifications are justified only if they do not have a significant impact on the results and if the analyst is cognizant of the direction in which the results are influenced.
For example, the electric power system at Browns Ferry is very complex, but the IREP model for electric power is overly simplistic.
Among other simplifications, the analysis does not include a calculation of the unavailability for boards dependent on offsite power only.
Another example of oversimplification in the electric power systems analysis is that no credit was taken for the Unit 3 capability to supply Unit 1 power buses.
In this case the analysis is simplified but it does not reflect how the plant is actually designed to operate and results in unduly large calculated unavailabilities for the system.
c. It was concluded in IREP that, "the RHR system is the most risk-critical system."
This conclusion cannot be substantiated since the study made only an estimate of the core melt frequency.
Also, the IREP conclusions pertaining to the RHR system were made without regard to the following:
(1) RHR system failures tend to be late in the event sequence.
This would allow significant time to take mitigative actions such as recovery of failed equipment or recovery of the Power Conversion System.
Such recovery actions were not modeled in the IREP study.
(2) For late melt scenarios, there are other considerations that should be included in a risk assessment which would more accurately model the plant and tend to minimize the estimated risk from late melt scenarios.
These include evacuation of the population downwind and radioactive fission product plate out.
(3) The RHR system analysis contained some extremely conservative assumptions.
For example, it is assumed that a 10 percent flow reduction due to an open miniflow bypass line, will fail the system.
Recent analyses show that RHR can accomplish its safety functions with the mini-flow bypass line open.
(4) No credit was taken for the RHR system crossties between units, even though these connections are a part of the Browns Ferry design.
This success path would be much preferred to admitting river water directly to the vessel via the Standby Coolant Supply mode of the RHR Service Water System as modeled in the study.
(5) The analysis does not include consideration of the Reactor Water Cleanup System, which has the capability to remove the decay heat generated a few hours after shutdown.
d. As stated above, a major deficiency of the IREP analysis is that no credit is taken for Power Conversion System recovery.
This is contrary to industry-wide plant operating experience.
Experience has shown it is very likely during the course of an actual event sequence that feedwater will be recovered and access to the main condenser will be re-established.
The use of these systems is not unusual; in fact it is the preferred path in most cases.
While such recovery actions may be difficult to model, they should be included in the analysis if the model is to reflect actual plant operation.
e. The IREP study advances several recommendations to improve system reliability, but fails to recognize the full impact of such recommendations.
For example, one such recommendation having to do with the Automatic Depressurization System (ADS) states, "Removal of the high drywell signal input would not increase the system unavailability and would allow ADS to automatically function for transients where HPCI and RCIC fail.
This would significantly increase depressurization reliability (approximately two orders of magnitude)."
However, IREP failed to recognize that removal of the drywell pressure signal from the ADS initiation logic would significantly increase the probability of an inadvertent ADS actuation.
The occurrence of an inadvertent ADS actuation was apparently not analyzed in the IREP study.
The net benefit of such a change must be evaluated before such a recommendation is made.
f. Plant Control Air and Raw Cooling Water (RCW) are examples of potentially important systems that were not emphasized in the IREP study.
Events such as a loss of control air or a loss of RCW were not considered as initiating events. These are potentially multi-unit events that can seriously impact the systems used to respond to the resulting transient.
Nowhere in the IREP study is consideration given to other support systems such as Drywell Control Air or Reactor Building Closed Cooling Water (RBCCW).
Each of these systems should at least have been qualitatively addressed in order to determine what degree of quantitative analysis is appropriate.
Additional detailed comments follow.
MAIN REPORT
"In the majority of the accident initiators the power conversion system (PCS) is unavailable."
Browns Ferry Nuclear Plant has had very few transients in which the PCS was unavailable, at least for any significant length of time.
In addition, loss of the PCS at full power does not necessarily imply that the main steam, condensate, and feedwater systems are unavailable for decay heat removal.
"The RHR system is the most risk-critical system."
The IREP study determined core melt frequency and included some WASH-1400 type containment analysis but risk was not determined.
It is inappropriate to state that RHR is the most risk-critical system when risk was not determined.
RHR failure tends to be late in the accident sequence when substantial time exists to take mitigating actions and to evacuate the population downwind.
In addition, recent industry and NRC work shows that radioactive fission product plateout will significantly reduce the release to levels much lower than previously thought.
It is not clear why Emergency Equipment Cooling Water (EECW) should only be important for loss of offsite power sequences.
It is still a common failure point of the RHR and Core Spray systems for sequences in which Raw Cooling Water (RCW) is failed.
This is particularly important if loss of RCW is the initiating event.
"Scheduled testing and maintenance accounts for 25 percent of the HPCI system unavailability.... This value seems to be high in light of the scheduled testing and maintenance contributions of other systems."
It must be pointed out that HPCI is a single train system while others typically have some redundancy.
It would be more realistic to compare testing and maintenance of HPCI/RCIC systems (treating them as redundant trains of a single system) to other systems; or better yet, compare HPCI testing and maintenance to that of a single train of another system.
No credit is taken for PCS recovery.
This is contrary to nuclear power plant operating experience.
Either the initiating event frequency should reflect the fraction of nonrecovery events, or the event tree should account for PCS recovery.
The last paragraph indicates that operator action is required to reduce EECW loads in order to allow successful operation with less than three of four pumps.
This is not correct since, if header pressure falls, the nonessential loads are automatically shed.
ATWS is modeled as core melt in the IREP study.
However, analysis shows that power level and vessel inventory will balance at lower than normal levels (i.e., the power level will not stay at 100 percent) such that HPCI can provide time for operator action to initiate manual rod insertion or the standby liquid control (SLC) system or to perform other actions as necessary.
MR-p.2-
Since ATWS is very important in the IREP study, the model used should be as accurate as possible.
External events were excluded from consideration in IREP.
These should be included if risk is to be determined.
The BFNP fire should serve as a point of reference for this.
MR-p.6-
"Only front-line systems appear in the trees."
This makes tracking support system dependencies extremely difficult if not impossible.
The event tree structure used in IREP, for instance, cannot account for the fact that each 4-kV shutdown board supplies power to much equipment in various systems.
MR-p.6-
"... mitigating requirements [for LOCAs] generally depend on the size of the break..."
The requirements also depend heavily on the location of the break, and upon what equipment (ECCS) could be lost due to the break.
MR-p.7-The statement was made that upper-bound Human Error numbers were used for a first cut and then later reduced for dominant sequences.
It is not clear whether all sequences were then reevaluated to see if some of the previously "insignificant sequences" moved up, or whether the analysis then concentrated only on the initially dominant sequences.
MR-p.7-It is not clear how the uncertainty analysis was performed.
The quantification of a particular sequence using point estimates may appear to be small, but if the sequence had a large error spread about the mean, it could potentially be significant and may be overlooked if based only on the point estimate.
An estimate of the uncertainty must be included to properly assess the importance of the sequence.
MR-p.11-12 and p.B-255 The RPT system described by IREP is not to be considered redundant to the control rod drive hydraulic system when PCS is available.
The RPT system described was designed to ensure rapid negative reactivity insertion late in the fuel cycle for turbine initiated transients.
Therefore, the RPT system as described should not be considered as a front-line or support system.
However, there are some signals independent of the RPS (low water level and high reactor pressure) that trip the feeder breakers to the recirculation pump M-G sets.
These signals are the ones that should have been considered by IREP.
MR-p.12, Table 3 -
Core Spray needs EECW for area cooling.
RPS does not require ac power to shut down the reactor.
The relief valves do not need power to open or reclose in the overpressure mode.
Relief valves do need control air to open in remote-manual mode.
The main steam isolation valves do not need ac or dc power to isolate.
MR-p.12 and 40, Table 9
Consideration should be given to other support systems such as station air, drywell control air, or Reactor Building Closed Cooling Water (RBCCW).
Each of these systems should at least be qualitatively addressed in order to determine what degree of quantitative analysis is appropriate.
MR-p.15 The LOCA mitigation success criteria for Decay Heat Removal (DHR) imply that the RHR shutdown cooling mode can be used.
Use of this mode would require adequate water level in the reactor vessel and manual actions to bypass the group 2 isolation signal.
MR-p.15, Table 4, MR-p.32 and MR-p.42-We disagree with the statement "the (RCIC) system is not capable of providing makeup coolant to the reactor during LOCAs."
In IREP the RCIC system is assumed to be ineffective in mitigating LOCAs and is excluded from the LOCA trees.
In reality, RCIC would be sufficient for LOCAs that do not result in rapid vessel depressurization.
MR-p.17-The probability that the MSRVs do not open on demand for over-pressure events is not insignificant, as stated in IREP.
Documented events at US BWRs indicate that coupled hardware failures are not insignificant.
MR-p.17-The pipe break model from WASH-1400 is based on the break probability per foot.
This is an inadequate treatment, especially if one considers recent experience with stainless steel intergranular stress corrosion cracking at welds.
Thus, the probability that a break occurs in carbon steel (steam) piping should not be assumed to be the same as the probability that a break occurs in a stainless steel pipe carrying liquid.
MR-p.17-
"Only the availability of the PCS varied and hence initiating events were grouped according to their affect on PCS availability."
This implies that support system failure effects upon ECCS systems do not exist.
This is incorrect since electric power, raw cooling water, control air, EECW, the common actuation sensors, etc., do affect ECCS.
MR-p.18-In the IREP study there is no apparent consideration for feedwater pump ramp up (or other transients that cause a scram with resultant feedwater overflow) with a failure to trip the feedwater pumps.
Such a scenario could fill the main steam lines with water thereby rendering feedwater, HPCI and RCIC unavailable.
The study should have considered this type of scenario.
MR-p. 18 The category labeled "Group 2 - Transients that do not cause PCS to be unavailable" includes: turbine trips with bypass failure, load reject with bypass failure, and pressure regulator fails closed.
These transients should not be included under the PCS available category.
A distinction between loss of the condenser as a heat sink and loss of condensate as an injection source must be made since one does not necessarily imply the other.
MR-p.20-The IREP analysis for large break LOCAs (recirculation loop breaks) appears to assume that the recirculation discharge valves close.
The probability of these valves closing must be included in the analysis.
MR-p.21-The loss of control air and the loss of raw cooling water as initiating events appear to have been ignored, even though they are potentially multi-unit events that could seriously degrade the systems used to respond to the transient.
MR-p.25-
The Condensate Storage Tank (CST) normally contains about 375,000 gallons of water.
The IREP study assumes only the minimum of 135,000 gallons is available to HPCI/CS/RCIC.
The amount present should be modeled using a probability.
MR-p.25-MR-p.33-The implication is made that core uncovery equals core melt.
This is incorrect, especially for a BWR.
For example, some recirculation line breaks will preclude reflooding above approximately 2/3 core height, but analysis by GE determined that the core would remain cooled by water at that height.
The value of $1.1 \times 10^{-7}$ given for failure of both MSIVs to close in one line is too low if consideration is given to common mode failures.
Also, because of the cross connection, all four main steam lines must be considered for a main steam line break.
MR-p.33-The interfacing LOCA does not necessarily require two independent valve failures to occur.
Consideration must be given to the following causes:
(1) a common initiation event that opens two valves (e.g., fire)
(2) one valve inoperable due to latent effect (e.g., check valve stuck open from last test)
(3) the effects of motor operated valve stroke tests.
MR-p.33 A feedwater break outside containment would require one or two check valves failing to close in either of two lines.
The check valves are normally open and nontestable (thus the comparison to the RHR injection line case is not applicable here).
In addition, the WASH-1400 pipe break frequency is not applicable for the HPCI injection line, as it is susceptible to water hammer on start (as is CS and RHR).
Apparently no consideration was given to pipe breaks in ECCS lines upon demand of the system in response to a transient.
MR-p.34-The frequency of a Reactor Water Cleanup (RWCU) break outside containment, according to the IREP analysis, is $3 \times 10^{-7}$ per year compared to $9 \times 10^{-5}$ per year for breaks inside containment.
The RWCU break outside containment should not be ignored based only on frequency.
Such a break could cause a breach of containment, and fail other ECCS due to harsh environment.
This would be much worse as far as risk is concerned.
The relative risk is a major point that must be kept in mind.
Also, the statement is made that isolation is possible, following a RWCU break, via HCV 69-500; however, this valve is inside containment and a containment entry is probably precluded by the heat and radiation that would be associated with such a break.
Small lines should not be excluded.
Just because they are not reportable to the Nuclear Plant Reliability Data System (NPRDS) does not mean they are unimportant.
Small line failures are more likely than large break LOCAs.
Such breaks could be outside containment, could involve a line in or around instrument panels and could be unisolatable.
Only comparing the frequency of unisolatable breaks outside containment to that of breaks inside containment is not sufficient to exclude those breaks from the analysis.
IREP transferred a stuck open relief valve (SORV) to the LOCA tree.
Apparently more than one stuck open relief valve was not considered (either as an initiating event or as the result of MSRV failure in response to an overpressure event).
It should be noted that BWR experience indicates that most SORVs or inadvertently open relief valves occur as the result of an initial blowdown followed by failure to reclose.
This apparently was not modeled.
"...high reactor power level at the time of core uncovery..."; is an inappropriate description of an ATWS sequence.
The core melt would occur at decay power levels, not at 100 percent power.
The core would be undermoderated with no water in the region, and therefore subcritical.
With water in the core region, the fuel will not overheat and melt.
The dependencies between CS, RHR, torus cooling, and shutdown cooling make the tree split fractions quite dependent.
It is not clear from the analysis that this was properly accounted for.
RHR is not a shared system.
There are crossties between units 1 and 2 and between units 2 and 3 but the systems are not shared.
Also, the PCS is not a shared system, only portions are shared, with most of the system unitized.
The assumption that 10 percent flow reduction fails the RHR system is overly conservative especially if this dominates the system unavailability.
Recent analyses show that RHR can accomplish its safety functions with the mini-flow bypass line open.
IREP states that a change in the sensors/circuitry to isolate RCIC on failure of the second rupture disk would reduce RCIC unavailability by a factor of 2.
This may be impractical due to the configuration of the system piping.
Such statements about system modifications should not be made without a more detailed analysis of the system design and configuration.
A review of Browns Ferry Nuclear Plant specific data shows only one documented failure of the RCIC system due to the rupture disc.
A reduction by a factor of two in system unavailability seems overly optimistic.
MR-p.45-Torus spray is used in conjunction with drywell spray to reduce primary containment temperature and pressure, if necessary.
The description incorrectly implies the equivalence of the torus cooling return line and the torus spray line.
MR-p.45-IREP states that the cyclic heat load on the RCIC rupture discs causes them to fail; however, it has not been established that this is the cause.
MR-p.45-The statement, "The logic circuitry provides automatic initiation signals and protective interlocks to prevent overpressurization of the RHR system whenever the raw cooling water system cannot," needs clarification.
MR-p.46-Figure 17 This figure does not show the locked open manual valves in the mini-flow bypass lines.
This gives the mistaken impression that there is only one valve available to control the bypass flow.
In reality it would be possible for the operator to manually close the bypass lines from each RHR pump, if necessary.
In the interim, 90 percent of the flow would still be going to the desired path.
MR-p.47-Systems other than RHR also contribute to core melt frequency.
The RHR system should not be declared the most risk-critical unless a risk assessment is performed.
The IREP study is not a risk assessment, it is a reliability study and as such, conclusions about risk should not be made.
MR-p.47-If credit is taken for the RHR cross-tie capability between the three units the reliability of delivering RHR flow could be substantially increased.
MR-p.49-HPCI starts automatically when reactor vessel level decreases to 470 inches above vessel zero.
MR-p.50-MR-p.50-
"Removal of the high drywell signal input would not increase the system unavailability and would allow the ADS to automatically function for transients where HPCI and RCIC fail.
This would significantly increase depressurization reliability (approximately two orders of magnitude)."
This statement fails to recognize that removal of the drywell pressure signal from ADS initiation logic would significantly increase the probability of an inadvertent ADS actuation.
Inadvertent ADS actuation was apparently not analyzed in the IREP study.
The benefit versus risk of such a change must be evaluated before such a statement can be made.
It is not clear how (or if) IREP traced the dependency of the ECCS on dc power.
This should be clarified.
MR-p.51-Figure 19 The new two-stage relief valves do not have bellows and therefore have no bellows failure annunciator circuits.
MR-p.52-Figure 20 has an error in it.
There is no cross-tie between the two core spray loops mini-flow lines.
(There is no line connecting
'CV 75-17 and HCV 75-36.)
Pumps A and C have one mini-flow line and pumps B and D have another separate mini-flow line.
This comment also applies to Figure B-15 on page B-174.
MR-p.53-MR-p.53-
The low-low-low reactor water level is 407 inches, not 470 inches.
The assumption that failure of the mini-flow bypass valve to close will fail the core spray system is overly conservative.
The three-inch mini-flow bypass could not divert enough flow to completely disable the core spray loop.
MR-p. 55 Each control rod drive hydraulic control unit is equipped with a check valve that allows reactor water (at pressure above approximately 850 psig) to insert the control blades.
This is redundant to the scram accumulators.
MR-p. 60 The PCS should be broken up into its various subsystems according to function.
For example, a loss of feedwater event does not necessarily preclude the use of a single condensate pump/condensate booster pump train for low pressure injection.
MR-p. 61 IREP is inconsistent in referring to the various reactor water levels.
In some cases measurement from instrument zero is used.
At other times, measurement from vessel zero, low, low-low, and low-low-low are used.
These are not used consistently nor correctly.
MR-p.62-Transient and LOCA event models with offsite power initially available must also include the probability of loss of offsite power following a trip of one or more of the units.
MR-p. 64 The EECW success criteria of three out of four pumps is too conservative and restrictive for most events.
MR-p. 77 Q
(QR R ) is a very confusing notation, where Q stands both for unavailability and for RCIC.
MR-p. 77 MR-p. 77 The sample calculation needs brackets to delineate the parts:
Q(Qn BRRA)
COM( [QQRBA RA] R fB0 S V KU D] ]
COM(R R R ) appears to consist of terms for the mini-flow valves and support system faults, but the pumps seem to have been left out.
MR-p.78-
RCIC will not depressurize the reactor without assistance of the relief valves; therefore, the shutdown cooling mode of RHR is not applicable to the branch in which RCIC only is running for high pressure makeup.
Depressurization by HPCI alone is possible to about 150 psi, but some assistance is still needed to drop the pressure down enough to get the shutdown cooling suction valves open.
It is very unlikely that the shutdown cooling mode of RHR will work if the LPCI mode failed.
Thus, the conditional failure probability for that sequence should be approximately 1.
It is stated that failure of the torus cooling mode of RHR is mainly due to operator failure to initiate the system.
This seems very unlikely when you consider the redundant indicator alarms, operator training, and the length of time available to start the system in that mode.
Also, if torus cooling is not actuated, the drywell will pressurize and cause the 2.0 psig limit to be reached causing actuation of other systems including ADS.
The sequence TP R should be modeled as TP
, with quantification as follows:
$$Q(\mathrm{TpB}) = (1.7)(3.1 \times 10^{-3} + 1.4 \times 10^{-5}) = (1.7)(3.11 \times 10^{-3}) = 5.3 \times 10^{-3}$$
This change is needed because the shutdown cooling mode of RHR is not accessible in the sequence.
The grouping of all transients into two or three (including LOSP) categories complicates consideration of recovery of the PCS.
Recovery of the PCS should be included as should operation of the Reactor Water Cleanup system as a decay heat removal path.
The actions necessary to recover the PCS or utilize RWCU could be simpler and more likely than operator recovery of RHR system faults.
The IREP study assumes that the ATWS sequence with a loss-of-PCS transient leads to a core melt.
The statement that operator actions are not clearly defined is incorrect.
The actions are, in fact, laid out in the Emergency Operating Instructions (EOI) and Emergency Procedure Guidelines (EPGs).
The reactor operators are to attempt to manually scram the reactor, start inserting rods individually, initiate torus cooling when necessary, and initiate standby liquid control if necessary.
The water input via HPCI, RCIC, or CRD will be balanced by the steaming rate at some water level.
This balance provides time to shut down the reactor with SLC if necessary.
For a loss of offsite power event, operators at Browns Ferry are taught to parallel DGs and backfeed a unit board for each unit in order to utilize the normal systems (i.e., re-establish PCS).
This should be incorporated into the model.
MR-p.84-
MR-p. 85 A stuck open relief valve or an inadvertently open relief valve does not necessarily eliminate the PCS (observed from operational experience); thus, the sequence should be divided into TU and T,
Reliance on the containment analysis performed for WASH-1400 is inadequate since it fails to consider:
1. Debris bed cooling.
2. Recent steam explosion analyses.
3. Recent overpressure failure analysis of MARK-I containment, etc.
The containment work for IREP is of limited value in this study since risk was not calculated.
MR-p.90-"the probability is unity that the RHR system alone will be required to perform the long-term decay heat removal function."
This statement is incorrect if proper consideration is given to other plant systems such as recovery of PCS and use of the Reactor Water Cleanup system.
MR-p.90-The IREP recommendations for improving the RHR system may not be pertinent if the analysis were more realistic.
A more realistic analysis would include:
1. Recovery of PCS.
2. Reanalysis of RHR to eliminate some of the extremely conservative assumptions, for example, the assumption that 10 percent flow reduction through the mini-flow path is a system failure.
3. RWCU capability to remove decay heat after a few hours.
MR-p.94-The sensitivity analysis showed that, assuming the 10 percent bypass flow did not fail the RHR system, a reduction in core melt frequency (for those sequences where it appears) of a factor of 22 is obtained.
Since RHR appears in sequences comprising 85 percent of the core melt frequency this would result in a reduction of the core melt frequency of an order of magnitude and a reordering of the dominant sequences, as follows:
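| Sequence | Final Frequency w/Bypass | Final Frequency w/o Bypass |
|---|---|---|
| &PA | $9.7 \times 10^{-5}$ | $4.4 \times 10^{-6}$ |
| TUB | $5.1 \times 10^{-5}$ | $5.1 \times 10^{-5}$ |
| TPRBRA | $2.8 \times 10^{-5}$ | $1.3 \times 10^{-6}$ |
| TMBRA | $9.3 \times 10^{-6}$ | $4.2 \times 10^{-7}$ |
| TUQR RA | $4.1 \times 10^{-6}$ | $1.9 \times 10^{-7}$ |
| TABM | $3.7 \times 10^{-6}$ | $3.7 \times 10^{-6}$ |
| P VA | $1.6 \times 10^{-6}$ | $7.3 \times 10^{-8}$ |
| TPQ BRA | $1.2 \times 10^{-6}$ | $5.5 \times 10^{-8}$ |
| Total | $2 \times 10^{-4}$ | $6.1 \times 10^{-5}$ |

The new dominant sequences would be: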
~Se uence TU BRA TABM TpR R T QDV TKRBR TUQRBR TPKDFBGD F~Fre uenc 5
5.1 x 10 6
4.4 x 10 6
3.7 x 10 6
1.3 x 10 7
5.5 x 10 7
4.2 x 10 7
1.9 x 10 6
8.7 x 10 5
6.2 x 10 Percent of Total 7/
20/
Therefore, this one change in assumptions would result in a reduction in core melt frequency from $2 \times 10^{-4}$ to $6 \times 10^{-5}$ and result in new dominant sequences.
The importance of systems to core melt would also change.
Failure to scram (event B) would then contribute over 80 percent of the frequency.
APPENDIX A
p.A-8 The probability that a break occurs in a liquid or steam line was assumed to be equal. There is no physical basis for the assumption.
Recent experience with intergranular stress corrosion cracking of stainless steel piping in a liquid environment tends to support the concept of unequal probabilities.
p.A-9 and A-23 The closure of one MSIV at power will cause the initiation of a group 1 isolation signal (on high steam flow), causing the other MSIVs to close and a reactor scram.
Thus, there is no difference between one MSIV closing and a complete isolation event.
p.A-10 Initiator category No. 9.
The pressure regulator failing open causes a decrease in vessel inventory due to excessive steam flow, and not a decreasing water flow into the vessel as stated in the report.
p.A-10 Initiator category No. 11.
A stuck open MSRV (as an initiator, not as a failure following another initiating event) will not in itself cause a scram.
The torus will heat up and the operator must take action to scram the reactor.
Without operator action the turbine control valves will close somewhat to maintain reactor pressure, thus causing a new equilibrium condition to exist with the MSRV open.
p.A-10 Consideration should be given to an inadvertent Automatic Depressurization System (ADS) actuation (i.e., six MSRVs opening simultaneously) with the reactor at power.
p.A The following events were incorrectly categorized as "PCS available" and should be put in the "PCS unavailable" category:
Electric load rejection with bypass failure.
Turbine trip with bypass failure.
p.A Inadvertent closure of one MSIV (causes group isolation).
Pressure regulator fails closed.
Some of the group 3 transients are not correctly categorized:
(1) "abnormal startup of recirculation pumps" has in the past caused a scram;
(2) "loss of feedwater heater" can cause a scram, depending on the plant conditions, and has done so in the past.
(3) "trip of one feedwater pump" can cause a level 3 trip if no action is taken, as two FW pumps are not sufficient to provide 100 percent makeup (two will provide about 90 percent of full flow).
Manual scrams (which in the past have typically occurred from approximately 30-40 percent of full power), and spurious other scrams do occur quite frequently, and can potentially challenge the ECCS, and therefore should be included in the analysis.
Steam line breaks inside the drywell potentially could disable ADS valves, or other ECCS equipment.
It is not clear that such considerations were included in the analysis.
The study stated that "operator action was ignored" for the examination of the effects on interfacing systems.
For the response of HPCI/RCIC, ignoring operator action for the first 10 minutes will probably cause the vessel to fill, tripping both HPCI and RCIC, and thereby causing RCIC to be unavailable for automatic restart.
Loss of reactor zone ventilation (secondary containment isolation system isolation due to power loss could be a cause of ventilation loss) will result in a group 1 isolation (high main steamline area temperature) and a unit trip.
This does not appear in the table.
Loss of condenser vacuum such that the reactor and turbine trip, does not necessarily imply that the condenser is totally unavailable.
The trip setpoint for the reactor is approximately 23 inches of mercury, but the bypass valves can still pass steam to the condenser until vacuum is down to about seven inches of mercury. After a reactor trip from full power, the loads on the condenser are greatly reduced.
The mechanical vacuum pumps and the auxiliary boiler feed to the steam jet air ejectors should be included in possible recovery actions for the condenser.
It is stated that closure of MSIVs in main steam line A would cause a pressure regulator failure since both pressure switches that feed to the electrohydraulic control units are in that line.
However, the MSLs are headered such that pressure will be maintained on the downstream side of the outboard isolation valve by the other main steam lines.
Thus, the pressure regulator should not fail closed under these circumstances; but, the other MSIVs are likely to close on a group 1 isolation.
Failure of the vapor suppression system should impact the unavailability of the ECCS.
The torus could fail below the water line, thus eliminating the torus as a water suction source for the ECCS pumps and flooding the corner rooms; or high temperature steam filling the reactor building could cause equipment failure thereby disabling the ECCS.
p.A-53 Operating experience for BWRs indicates that failure of relief valves to open on demand for overpressure control is not negligible.
p.A "All four turbine valves and all four bypass valves shut."
This should read: all four turbine stop valves and all bypass valves (all open valves of a possible 9) shut.
p.A-60 It is not clear how sequence level operator actions were incorporated into the analysis.
For example, suppose that top event R failed due to operator error.
Then top RA operator error should be greater due to coupling between the tops.
This could significantly decrease the supposed redundancy of systems due to the common cause mechanism.
p.A-61, B-147 and B-171 The normal depressurization mode success criteria for ADS should be four out of six for rapid depressurization or one out of six with HPCI/RCIC makeup (not 4 of 13).
The seven non-ADS MSRVs do not have accumulators and must be assumed to be failed upon loss of drywell control air, which isolates at level 3.
Therefore, unless the drywell air supply to the valves is somehow included in the model, the success criteria should be four out of six.
In addition, HPCI/RCIC requires manual operator actions for proper control.
Operator action is thus required to depressurize the reactor.
A proper coupling factor must be supplied.
Apparently, this consideration was not included in IREP.
p.A-61 BF1 GOI-100-1 has been revised and the reference to it is no longer applicable.
EOI-5 has been cancelled.
Its contents have been incorporated into OI-57 (Electrical System Malfunctions - Section V).
APPENDIX B
p.B "up to 90 percent cumulative importance."
The term importance appears to be misused to mean unavailability or possibly undependability.
p.B p.B Control air should be included in the list of shared systems.
The success criteria for the Power Conversion System (PCS) is not clear.
It was stated earlier that only the PCS is capable of removing reactor heat at >30 percent.
However, this page implies the analysis was based on only one operating Condenser Circulating Water (CCW) pump and (perhaps) only one feedwater pump, one condensate booster pump, and one condensate pump.
This needs to be clarified.
p.B p.B The statement that "the other four diesel generators are dedicated to unit 3" is incorrect.
For example, loads from the "unit 3" diesel generators that affect unit 1 include: RHRSW pumps, EECW pumps, SBGT board, and battery board 3.
The crosstie of the unit 1 RHR system to unit 2 should be included in the analysis.
It is a viable success path, and would be preferred to pumping river water into the reactor vessel in an emergency.
In addition, the ability to crosstie the units 1 and 2 4-kV shutdown boards, and unit boards, is ignored, even though such crossties are required and explicitly incorporated into the plant design.
p.B
p.B p.B "No credit was taken for unit 3's capability to supply unit 1 power buses..."
For a loss of offsite power event, the operators are instructed to parallel the diesels and backfeed unit boards in order to use the normal feedwater path.
The model should follow the actual plant operation unless the simplifications do not significantly affect the results.
The dc power system is not independent from ac power.
The dc battery boards are normally supplied from 4-kV boards via 480-V ac shutdown boards.
This closely ties the battery boards to the ac power distribution system.
The dc power system model should reflect this.
All test procedures contain steps to return a test channel or loop to operability; but errors can still occur.
Just because the procedures call for equipment restoration, it does not follow that the probability of those errors = 0.
In addition, it is inconsistent to conclude that such errors are insignificant and then state that an analysis was not performed.
p.B Units 1 and 2 have three RCW pumps each and a spare shared between them.
Unit 3 has four RCW pumps and a spare.
The EECW system supplies selected RCW loads if the RCW system cannot maintain adequate pressure.
Section 1.3 states that test and maintenance restoration errors were not included because procedures require that the component having maintenance be verified to be operable.
However, if the system is not verified to be operable, it may not be.
There is no guarantee that a valve will not be misaligned or a switch left in the wrong position.
Verifying one component's operability may not verify system operability.
p.B-7 RCIC can provide makeup for LOCAs that do not result in rapid vessel depressurization.
p.B-9 and B-20 RCIC will start automatically when reactor vessel water level reaches 470 inches above vessel zero.
p.B RCIC automatically isolates when high steam line differential pressure reaches 435 inches of water or 150 percent of rated steam flow.
p.B-17 Table B-2:
SI 4.2.B-31 disables RCIC because FCV 71-9 is automatically closed by an isolation signal from relay 13A-K15.
SI 4.2.B-32 is performed monthly; the sensors are replaced every three months.
In the IREP study, there is no consideration given to latent human errors which leave the system unavailable.
One such error is leaving the controller in the "manual" position.
p.B-19 For HPCI/RCIC the IREP study addressed only scheduled maintenance.
HPCI/RCIC unscheduled maintenance is also important and should not be ignored.
Whenever HPCI or RCIC are out of service due to unscheduled maintenance the Technical Specifications impose a seven-day limiting condition of operation.
p.B The RCIC analysis should include operator action.
With a constant flow system like RCIC, there will be a point at which the system flow will exceed the decay heat boiloff rate, and the vessel level will increase.
Thus, the operator must take manual control of RCIC, or the system will trip on level 8 and not automatically restart.
For RCIC, operator actions are necessary and must be considered.
p.B The technical specifications require that if a system is determined to be inoperable, the redundant system must be verified to be operable.
If the system is verified to be operable by testing, it may be unavailable during the test.
These dependencies should be considered.
No credit is taken for RCIC injection during small break LOCAs with the reactor at high pressure (i.e., >150 pounds per square inch).
The analysis should include this source of makeup for this type of event.
Valve FCV 2-170 is in a common suction path from the CST, and must also be considered as a potential common failure point of HPCI and RCIC.
Major assumption 7 assumes that a failure of the level switch will prevent draining the drain pot.
This is not true because the line will already have been isolated during RCIC operation.
Also, refer to the previous comment on MR-P.25 regarding the amount of water available in the CST.
Table B-4:
FCV 71-P should be labeled FCV 71-8.
In addition, FCV-71-10 is normally open and is not demanded to change position when the RCIC system is demanded.
The level switches that initiate RCIC also go to all the ECCS and must be considered on a common cause basis.
(Table B-4) and p.B-35:
Basic event QPASSIVE is given a demand failure rate; a failure rate per hour would be more appropriate.
Figure B-5; this figure should show the additional valves in the mini-flow bypass lines and the unit crossties.
It should also note that the mini-flow isolation valve (FCV 74-07) is normally open.
The first paragraph under Instrumentation and Control, should say that Division I provides signals to RHR pumps A, B, and C and the Loops I and II valves and that Division II provides signals to RHR pumps A, B, and D and also to the Loop I and II valves.
The mini-flow bypass valves are controlled by both Division I and Division II power (via automatic transfers) with control being from mechanical switches associated with the valve control circuit.
Table B-8; the Division I and II logic component remarks are incorrect.
The operation of only one pump in a loop would be lost if the Division I or II logic was lost (see comment above).
Figure B-6; this portion of RHR initiation circuitry should show the redundant start for RHR pump B.
Page B-47 should show the redundant start for RHR pump A.
The pump test breakers are not racked out for the entire duration (four hours) of the auto-initiation test.
Figure B-7; the failure of FCV 74-58 and FCV 74-72 should not be dependent on faults of their companion valves (FCV 74-59 and FCV 74-73, respectively) for torus cooling.
p.B-76 Figure B-7; the initiation circuit faults for RHR pumps A and B should be revised to reflect that both divisions of logic would have to fail before these pumps would not receive an initiation signal.
(See previous comments on RHR pump logic.)
p.B-112 and B-116 Valve CV-73-43 should be labeled PCV-73-43.
As with RCIC, the failure of the HPCI condenser equipment should be modeled as leading to HPCI system failure.
For proper long-term HPCI operation, the gland seal exhauster and the HPCI gland steam condensate pump must be operable.
p.B-116 and B-120 The HPCI turbine is automatically isolated at a room temperature of 200 F. It should be stated that the equipment area cooling system is not quantified as a contributor to HPCI unavailability.
p.B-117 and B-120 The HPCI system will automatically start on a low reactor vessel water level of 470 inches above vessel zero.
The HPCI system automatically isolates when the high steam line differential pressure equals 150 percent of design flow.
p.B-121 The HPCI system is subject to unplanned and unscheduled maintenance.
This apparently was not considered by IREP.
In addition, the effects of HPCI/RCIC maintenance and RCIC/HPCI testing should be considered.
p.B-121 As required by the Technical Specifications, a HPCI operability test is also performed if RCIC is not available.
p.B-122 Third paragraph under "Automatic Operation" should read as follows:
"When the condensate header low level setpoint is reached (522 feet and 6 inches decreasing) or when the suppression pool water level increases to +7 inches,..."
The turbine steam supply valve is FCV 73-16 instead of FCV 73-18.
p.B-123 Table B-27:
During SI 4.2.B-36, power is also removed from FCVs 73-2, 73-3, 73-26, and 73-27.
For the quarterly calibration in SI 4.2.B-37, all 16 sensors are physically removed and replaced by a spare set.
p.B-124 During SI 4.2.B-42A, power is also removed from FCVs 73-2, 73-3, 73-26, 73-27, 73-34, 73-35, 73-36, and 73-40.
p.B-126 Table B MMI 23 is performed once every three months.
p.B-132 and B-134 Apparently the torus is not considered as a redundant source of water for HPCI, but it is required for a LOCA and ignored for a transient.
If the CST path is failed, the suction transfer to the torus should be considered.
Failure of CST suction valves will not necessarily fail HPCI for transients or LOCAs since the transfer to torus may be available.
IREP should include this suction path.
p.B-133 and B-142 The failure probability for the HPCI/RCIC rupture disk is given as an hourly failure rate.
This failure data would be more appropriately represented as a per demand failure rate since that is when a rupture disc failure is likely to occur and be detected.
p.B-134 p.B-141 and B-144 p.B-145 p.B-146 Major assumption 7 should also state that the drain pots are isolated during HPCI operation.
Basic event MPASSIVE is given a demand failure rate; a failure rate per hour would be more appropriate.
Basic event OPSLLCLX is given a failure rate of 2.4 x 10^-6/D on Table B-30, which does not agree with the failure rate of 2.4 x 10^-5/D given in Section B.4.
Cutset MCK016UF in Table B-32 should be MCK016UG.
MSRV tailpipes each have two vacuum breakers.
Each line is equipped with both a temperature sensor and an acoustic monitor to detect relief valve actuation.
p.B-146 The statement is made that a MSRV opened by the solenoid will remain open until closed by the solenoid.
This is incorrect.
The spring in each MSRV will close the valve at about 20 psig (over tailpipe pressure) regardless of the status of the solenoid.
p.B-146 Drywell control air suction is isolated by high drywell pressure or reactor water at level 3.
The drywell control air receivers will supply pressure to the system for some time after the suction is isolated.
Also, the supply lines are not isolated and could be supplied via a manual transfer to the station air supply.
p.B-146 p.B-147 The high drywell pressure signal is +2.5 psig, not 2 psig.
In addition, a confirmatory signal of level 3 is required, and the cycling of a two-minute delay timer.
The pressure permissive signal indicates that any one RHR or two particular CS pumps are running.
Any two CS pumps may not give the permissive signal.
p.B-147 The MSRVs are typically tested just before reactor shutdown to refuel, pressure tested during the outage, and then tested upon startup.
The logic is tested once every six months and each time HPCI is declared inoperable (~2 times per year).
Also, the sensors are tested once per month.
p.B-147 The Technical Specification limitations given for ADS are not correct.
The Technical Specifications state that if three ADS valves are known to be inoperable, the reactor may remain in operation for a period not to exceed seven days, provided the HPCI system is operable.
p.B-147 p.B-148 Unscheduled maintenance during operation can be performed not only on the ADS actuation logic but can also be performed on the control circuits for any of the MSRVs.
Only mechanical maintenance on the valves themselves cannot be performed during operation.
An MSRV can be declared inoperable and be tagged out of service during plant operation.
Such periods of valve unavailability should be accounted for.
The Target Rock two-stage MSRVs do not have bellows, and the bellows alarm circuits have been disabled for those valves.
For the seven non-ADS-MSRVs, the backup transfer switch is really just a disconnect switch.
Those valves do not have backup control.
The MSRV tailpipes are equipped with acoustic monitors as well as the temperature switches.
p.B-149 through B-151 Valves PCV 1-180 and PCV 1-179 are not manual valves.
These valves would be more appropriately referred to as non-ADS-MSRVs.
p.B-149 and B-150 Valves PSV 1-22 and PSV 1-30 have two sources of control power with an automatic transfer.
Both power sources must fail in order to disable the remote manual and ADS modes.
p.B-151 Table B-34, last column across from PSV 1-5 should say, "Valve will not actuate except on high steam pressure."
p.B-152 and B-153 The logic power for the CS/RHR relays is not shown on the diagram.
This should be included for consistency since the other power sources are shown.
p.B-154 Assumption No. 2 is not a very good assumption.
Drywell control air could easily fail or be isolated, the accumulators could leak or the check valves could fail to reseat.
p.B-154 Assumption No. 5 is probably acceptable for the ADS analysis, but the failure of vacuum relief valves in the open position must be considered as an initiating event or a complication to another initiating event.
It has happened several times at different plants.
p.B-154 p.B-155 The failure of 250-V RMOV Bd 1A will fail half (one train) of the ADS logic, and is therefore not "inconsequential."
By not analyzing the common mode failure mechanisms, the IREP study may have overlooked the dominant failure mode for the MSRVs.
p.B-155 The air system is tested (per MMI-42) during shutdown, including the leak-tightness of the MSRV air check valves.
p.B-158 The ADS fault tree has a box "operator miscalibrates sensors."
The ADS logic sensors are very insensitive to their calibration.
The more likely way for an instrument technician to fail the sensors is to leave them valved out.
p.B-158 The meaning of basic event B42B44AJ or B42B44BJ is not clear.
These are listed as pump A and pump C pressure switch, and pump B and pump D pressure switch, respectively, but the CS and RHR pressure switches are included elsewhere.
p.B-159 There is a single cut set in the tab OR; BPS100AW, listed as pressure switch 10-100A, which fails relays 2E-K6 and 2E-K7. It is not clear what that switch is. It has the designation of an RHR switch.
p.B-159 Tab OR lists basic event OPS072AO--which is not in the basic event table B-35.
p.B-162 thru B-167 This table is confusing because of the mixture of the GE and TVA designators for the level 1 level switches (LIS 3-58A, B, C, D), (2-3-72A, B; 2-3-79A, B), and the level 3 switches.
Either one or the other identification scheme should be used, not both.
The testing unavailabilities for two level switches (LIS 3-184 and LIS 3-58A) are listed as different, for no obvious reason.
The switches are, for all practical purposes, identical.
LIS 3-184 and 3-185 are tested per one procedure, and LIS 3-58A, B, C, and D are tested per another, very similar, procedure.
p.B-169 and B-453 The dominant cut set for ADS was found to be miscalibration of the ADS drywell pressure switches.
These switches are normally set to 2.5 psig, and could be miscalibrated up to say 6 psig.
With the range of pressures that are expected following an accident, it is difficult to see how a difference of 3-1/2 psi could be considered a failure.
The drywell pressure switches have a very narrow range and miscalibration is not likely to result in failure.
p.B-169 The following ADS failure modes were apparently not considered:
(1) testing errors (other than miscalibration)
(2) maintenance on logic circuits
(3) maintenance to ADS valves
(4) multiple, coupled MSRV failures
(5) operator interference
p.B-169 Some MSRVs are effectively tested by transients in which they actuate.
In addition, the functioning of the valve (except for the pilot and the setpoint) can be tested via the remote-manual mode.
p.B-171 Assumption No. 2 is inconsistent with statement on p.B-170 concerning MSRV success criteria with turbine bypass available.
p.B-173 The third sentence in the opening paragraph of Section B-2.7 should say that the core spray system begins pumping when the reactor vessel pressure decreases to 450 psig.
This sentence should also say that the rated flow is delivered at the vessel when the reactor vessel pressure drops below 289 psig.
p.B-177 Item No. 6 should not be placed in the list of items that occur upon receipt of a level 1 signal.
p.B-188 Table B-40, the expected frequency of the pump oil change should be "once every two operating cycles."
This comment also applies to the paragraph on maintenance on page B-177.
Also, this maintenance is only performed during outages when the reactor is not critical (per the BFN Electrical Maintenance Instruction) and therefore does not contribute to system unavailability.
This also applies to Table B-45, page B-231.
p.B-189 p.B-190 Item No. 6; "5-kV" shutdown board should be "4-kV".
The third sentence in the second paragraph in Section 2.7.4 assumes the failure of the mini-flow bypass valve will fail the entire loop.
This is overly conservative.
This comment also applies to the fault tree (Figure B-17) on page B-192 and B-193 and the events on pages B-215 and B-217 (Table B-44).
p.B-192, B-193, B-212 and B-213; Figure B-17 Not all of the Loop 1 and 2 test and maintenance acts that are listed contribute to system unavailability.
For example, events 042B241J and 0142B24J are pressure differential tests which do not make the core spray system inoperable.
This comment also applies to events 042B242J and 0242B24J on page B-214 to Table B-45 on page B-231.
p.B-211 Major assumptions 3 and 5; assuming the CST is unavailable contributes to an artificially high unavailability for the core spray system.
The CST is an important alternate source of water.
p.B-245 thru B-250 The scram hydraulic system has recently been redesigned; and the new configuration has already been installed at the plant.
The description of the system as presented in IREP is therefore outdated (especially concerning the scram discharge volume drain and vents).
p.B-255 "No credit was taken for condensate system restoration following a loss of offsite power..."
This is a very conservative assumption, and is contrary to the procedures for a loss of offsite power.
The plant operators are instructed and trained to backfeed the unit boards in order to re-establish the condensate system.
p.B-260 The MSRVs are used for overpressure protection, pressure control, and as a depressurization method.
They do not belong in the description of the MSIVs.
p.B-260 The MSIVs close on a group 1 isolation signal, which involves more than just the level 2 signal.
p.B-262 The statement that maintenance of the MSIVs is not permitted during power operation is incorrect.
The Tech Specs require the affected main steam line to be isolated if a MSIV is inoperable, which can be done if the reactor power is decreased from full power.
The MSIV components are not all physically located at the valve on the main steam line; control circuitry is located in the MCR, at the backup control panel, etc.
Thus, it is possible for maintenance to be performed on an MSIV during power operation.
p.B-265 The calculation of the probability of isolation failure is incorrect.
Under the conditions of the IREP analysis, the probability should be:
4 x (probability both MSIVs fail to close in a MSL)
+ (level switches miscalibrated) x (failure of operator to close MSIVs)*
=4 (3x10
/D)
+ (24x10
)(9x10
)
= 3.6 x 10
+ 2.16 x 10
= 3.82 x 10
Additionally, the IREP computation fails to include the following considerations:
(1) coupled MSIV failures
(2) level switch test unavailability
(3) level switch maintenance unavailability
(4) level switch coupled failures.
pp.B-266 to B-350 Following are general comments pertaining to the electric power system analysis:
1. The analysis does not include a calculation of the unavailabilities for:
a. Boards dependent on offsite power only.
b. 120-volt ac boards (ISC, RPS, and the unit preferred boards).
2. Did not include DG auxiliaries in determining DG unavailability.
3. The IREP study assumed control power independence. The dc battery boards are normally supplied from 4-kV boards via 480-V ac shutdown boards. This closely ties the battery boards to the ac power distribution system.
4. The documentation is inadequate to substantiate the control power unavailability given.
5. The analysis consists of one control power unavailability when in fact there are three different control power sources utilized.
6. Table B-58 is the failure modes and effects analysis for the electric power system but does not match the list of boards for which fault trees were generated. The information contained in the column labeled, "local effects on front line system" is in error. Inclusion of fans in this table with no explanation of their use is inappropriate.
7. The following testing and maintenance activities were not included in the analysis:
a. TI33-EECW flow verification to DG.
b. Auto transfer test on 480-volt RMOV boards D&E.
c. Maintenance on 480-volt M-G sets.
d. Relay functional tests on 4-kV shutdown boards.
8. Table B Failure data summary - no explanation or justification is given for the repair time used in the unavailability calculations. The value of A for HOUSELOP should be 3.4 x 10 /hr rather than 2.7 x 10
9. Tables B-64 through B-69 list the results of the electric power system unavailabilities. The following errors exist in these tables; Table B-64, 5.2E-7 should be 7.8E-8. Table B-69, 1.9E-2 should be 2.9E-3. In addition, the following board unavailabilities, for which fault trees were developed, are missing:
a. 480-volt shutdown boards.
b. Battery chargers.
c. 250-volt dc battery boards.
10. The assumption that offsite power cannot be recovered for a period of eight hours is unrealistic and overly conservative.
The unavailability calculation of the unit batteries due to testing is unrealistic.
Each battery is load tested, but the test does not take seven days as was assumed in the analysis.
In addition, since the loads are shifted to an alternate supply, they are not failed during the test (although the dependence upon ac feed is shifted).
The failure probability of 3 x 10
/hr given for battery chargers seems to be unrealistically small.
A recommended value of 1.83 x 10 s'for all failure modes is given by IEEE 500 (IEEE Std 500 - 1984, page 61).
The RHRSW system tie to the RHR system provides another path for low pressure injection (in this case, of river water), to the vessel.
However, there still must be a way to remove decay heat.
Eventually, the torus and ultimately the drywell will fill with water if the RHRSW pumps just pump water into the containment.
A closed loop or even an open (steaming to atmosphere) cooling loop must be established for the reactor to be considered in a stable configuration.
It is stated, incorrectly, in the text that the D1 RHRSW pump receives control power from the dc bus on 4-kV shutdown board 3EC.
The control power comes from board 3ED.
The maintenance model (i.e., one scheduled maintenance act per pump per year) is inadequate.
RHRSW/EECW pumps are taken out of service quite often, and the system analysis should account for the way in which that is done (RHRSW/EECW pumps are governed by the Technical Specifications).
The limiting condition of operation criteria involves the number of RHRSW/EECW pumps aligned to either the RHRSW system or the EECW system.
In addition, the following statement is made pertaining to the Technical Specification limitations on RHRSW and EECW, "Due to the relatively complicated nature of these specifications, no attempt was made to discriminate between the requirements for the two systems..."
This statement is an indication of a consistent shortfalling of the IREP analysis which is due primarily to the limited scope and time constraints under which the study was performed.
The complexity of a system is an inadequate basis for failure to accurately model that system.
The success criteria given in the licensing documents call for two RHRSW pumps per unit in the process of shutting down.
This implies that six RHRSW pumps are needed for a common three unit event (such as a loss of offsite power, loss of RCW, loss of control air, etc.).
This apparently was not considered in the IREP analysis.
The alignment of an RHRSW swing pump to EECW is not unusual.
p.B-368 p.B"381 "Pump discharge piping air release valve fault's are considered to be insignificant."
This is not a realistic statement.
While the flow from one valve is not sufficient to fail an individual pump, the flow can (and has in the past) lead to pump room flooding (which can disable three RHRSW/EECW pumps).
adequate time is available for EECW recovery considerations."
This should read "adequate time
~ma be available..."
Depending upon what systems/equipment have failed following a loss of offsite power, there may or may not be adequate time to recover EECW.
This should be evaluated on a sequence specific basis.
p.B-383 - Room cooling for the core spray pumps was dismissed, "due to the relatively short period of time required for low pressure core spray injection..."
For transients and some LOCAs in which Core Spray can meet the injection requirements, a success path exists with Core Spray injecting to the vessel and RHR cooling the torus.
In this case the Core Spray pumps will have to run for much longer than ten minutes.
p.B-389 The failure probability for "manual valve does not remain open" is given as a per demand failure rate.
It would be more appropriate to present the data for this failure mode as an hourly failure rate.
p.B-391 In order to use RHRSW pumps C1 and C2 for EECW, the "C" RHRSW header must also not be in use, or else the flow will divide between the headers.
(Without a pump aligned to the "C" RHRSW header, the plant would enter a limiting condition of operation to shutdown.)
To use only pump C1 for EECW, the manual valve to RHRSW would have to be closed at the intake pumping station.
Also, if both the C1 and C2 pumps are discharging to the EECW
p.B-392 - It is possible to have offsite power available, and still require a diesel generator to supply a shutdown board (due to in-plant equipment failure).
This possibility is not considered by the IREP analysis.
p.B-417 It appears, from the cut set list, that the analysis assumed that two EECW pumps on the same header are not sufficient for the loads.
This is incorrect.
p.B-422 - The backfeed operation is contained in a procedure for loss of offsite power, and the operators are trained on the simulator to perform the operation.
It should not be ignored.
In addition, due to the quantity of operations necessary, it may or may not be conservative to ignore these operations.
p.B-425, B-426, and MR-p.72 Browns Ferry has 12 RCW pumps.
Units 1 and 2 each have three and share a common spare.
Unit 3 has five pumps of which one is a spare.
Under normal unit shutdown, at least two RCW pumps per unit are required for miscellaneous cooling loads.
The EECW pumps will receive a start signal when there is low RCW pressure to the station air compressor or RBCCW heat exchangers.
There are no pressure switches that sense low pressure to the RHR loads and then start the EECW pumps.
p.B-426 Figure B-40 and MR-p.73 Check valves 24-707 and 24-730 are located downstream of the air-operated valves 24-135 and 24-138.
p.B-427 "the house event represents a failure rate of 2.7 x 10
/hr for LOSP at Browns Ferry subsequent to occurrence of any other initiating event."
This appears to ignore the probability of loss of offsite power due to a single or multiple unit trip of the BFN reactors.
This should be represented as a probability per unit trip.
p.B-433 thru B-456 - Regarding the references to NUREG/CR-1278, in numerous places the page and table numbers are inaccurate if the 1980 Draft Report was used.
Also, extreme care should be taken in using these numbers since there is little collected data to back them up.
The uncertainty in these numbers must be considered, especially when human error is a significant contribution to system unavailability.
The following examples are given:
The major contributor to ADS failure was miscalibration of the drywell pressure switches.
The switches will still provide their input when their setpoint is reached.
It may be outside the tech spec limit, but the function will still be performed.
This comment also applies to all miscalibration errors considered by IREP.
A very significant human error that was discussed is the operator failing to initiate torus and shutdown cooling.
This error should be very insignificant due to the high importance torus cooling receives in the emergency operating instructions and surveillance requirements.
There is also a significant time frame to recover from any mistake.
However, it is the most significant contributor to failure of torus cooling in the IREP study.
p.B-434 The human error rate for failing to initiate standby coolant supply (SBCS) is also unrealistic.
This mode of the RHRSW system will be used as a "last resort" and, therefore, is very likely to be implemented when absolutely required.
A general screening criteria to identify important human error scenarios seems to be inadequate.
It is not possible to attempt to properly model human error without consideration of the specific scenario involved, the sequence of operator actions, and the potential errors.
p.B-436 and p.B-452 The Event B for improperly used checkoff provisions should have a human error probability of 0.50.
This, in turn, changes x to 0.252.
Reevaluating the event tree in Figure B-44 gives a new human error probability of 1.9 x 10^-4.
Likewise, the frequency of Event F should also be changed to 0.252.
The probability of success on tasks A and B should be 0.9995.
Assumption 2 is incorrect.
There is no need to obtain the shift engineer's permission to transfer RCIC suction.
Consideration should be given to the following scenario:
(1) mechanic disables (valved out or miscalibrated) one level switch.
(2) mechanic proceeds to test the redundant switch, causing it to be unavailable for response.
(3) Initiating event occurs in this interval or the mechanic himself causes the initiating event.
The joint human error probability for the level switches is calculated to be 2.4 x 10^-6.
Repeatedly throughout the report this number is referred to as 2.4 x 10^-5.
APPENDIX C
The unscheduled maintenance is not negligible for system components at BFNP.
Not all maintenance actions are initiated by failures detected during monthly SIs.
In addition, many components have long permissible repair times (7 days, 30 days) which can appreciably increase the component unavailability.
Some maintenance actions can affect more than one component.
(For example, maintenance on a valve in a common discharge line can render two RHR pumps unavailable.)
The example given for the incorporation of EECW into the probability of losing ac power is incorrect.
It must be recognized that dc power is also dependent on the ac sources.
Thus, a loss of all ac (offsite and onsite) will eventually result in the loss of dc (after depletion of the unit batteries in about six hours).
Calling such a state "stable" is inappropriate.
Thus, under the boundary conditions of the IREP study, the example sequence should be:
F(seq) = F(LOSP) Q(EECW).
The comparison of Top events RA and R is incorrect.
Top R (shutdown cooling) requires two suction and one discharge (three total) valves to open.
Top R requires the discharge valves to the torus to open, and the LPCI valves to close (the RHR system will probably receive an auto start signal during the LOCA, and will automatically align to inject to the vessel.
To establish flow to the torus, the injection valve must be closed).
Also, it is stated that the success criteria for Top R (torus cooling) is 2/4 pumps.
However, if one LPCI pump is injecting to the vessel, the success criteria for Top R is reduced to 2/2, since both pumps in the other loop would be required for success of Top R.
Finally, RHR in the shutdown cooling mode will most likely be unavailable for use due to a group 2 isolation signal.
Sequence I DF R R was dismissed without considering the effects of the initiator on either D or FB.
A steamline break could have an effect on HPCI or CS and would increase the sequence probability.
Thus, the screening criteria were applied too soon.
In general, the sequence quantification expressions appear to be inadequate and incorrect.
For instance, consider the expression for the sequence I DF G.
The expression does not account for commonalities between events D and F or D and G.
The only common points that are analyzed are for (D, FB, and GD) and for (FB and GD).
The assumption that a vapor suppression failure will fail the containment such that the ECCS is affected only 16 percent of the time is not adequate.
(1) There is no evidence that the primary containment is just as likely to fail at any given spot.
(2) Failures of the containment above the torus waterline could disable equipment in the reactor building due to the harsh environment.
The stated loss of offsite power frequency of 1.70 per reactor year must be an error.
A frequency of 3.0 x 10
~ is given in Table C-10 on page C-47.
In an earlier section it was stated that the human error probability associated with the standby coolant supply system was based on a long lead time before this unusual mode would be challenged.
However, for sequence Tp QD f GD X, it is stated that core uncovery will occur in approximately 30 minutes.
These are inconsistent.
The probability of a stuck open relief valve failure at BFNP appears high and probably includes data for the old three-stage Target Rock MSRVs, which are no longer used.
The lists of references found at the end of each major section are inadequate.
All of the TVA supplied documents should be referenced with appropriate revision numbers and dates.
This is necessary to establish the plant configuration at the time of the analysis.
Without such documentation the analysis cannot be accurately checked or reproduced.