ML19220C700
| ML19220C700 | |
|---|---|
| Site: | Crane |
| Issue date: | 04/04/1979 |
| From: | Bickel J, Advisory Committee on Reactor Safeguards |
| To: | Advisory Committee on Reactor Safeguards |
| References: | ACRS-SM-0083, ACRS-SM-83, NUDOCS 7905140048 |
UNITED STATES
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D. C. 20555

April 4, 1979

ACRS MEMBERS
THE THREE MILE ISLAND UNIT 2 INCIDENT AND A QUICK COMPARISON WITH THE WASH-1400 EVALUATION.
It is of interest to note that what appears to be the scenario surrounding the recent Three Mile Island Unit 2 incident was evaluated in a bounding sense by the Reactor Safety Study (WASH-1400).
I have enclosed the relevant sections of the report for your information.
Of particular interest is the WASH-1400 quantification of Safety Relief Valve failure to reseat (page V-38) and its impact on the transient.
John H. Bickel
ACRS Fellow
[FIGURE I 4-13 Functional Event Tree - PWR Transient Events. Column headings: A: TE - Transient Event; B: RS - Reactor Subcritical; C: HTEH - Heat Transfer to Environment During Cooldown of RCS; D: OP - Overpressure Protection of Reactor Coolant System; E: VCVC; F: HTEC - Heat Transfer to Environment During Cold Shutdown of RCS. The CORE STATUS AND REMARKS column gives the outcome of each sequence, from "O.K." and "Remain at Hot Shutdown" to "LOCA with Core Melt".]
[FIGURE I 4-14 PWR Transient Event Tree]
TABLE I 4-9 PWR TRANSIENTS

Unlikely Initiating Events

1. Rupture of High Energy Piping in Secondary Coolant System: a) Rupture of Main Feedwater Lines, b) Rupture of Lines in Main Steam System (a)
2. Rupture of Steam Generator (See Preceding Discussions in section 4.1.5 for Coverage)
3. Rupture of Control Rod Mechanism Housing on Reactor Vessel Leading to Small LOCA and Control Rod Ejection (See Preceding Discussions in sections 4.1.3 and 4.1.4 for Coverage)
4. Abrupt Seizure of All Main RCS Recirculation Pumps
5. Startup of Inactive Reactor Coolant Loop with Abrupt Opening of Both Isolation Valves in One RCS Loop in PWR Plants Employing RCS Loop Isolation Valves

(a) These ruptures are included somewhat arbitrarily within the Unlikely Event Category. However, failures of lines in the PWR secondary coolant systems have occurred principally during plant testing and start-up periods. These types of failures have included inadequate initial design of relief valve headers in the steam supply lines, discharge of secondary coolant from leaking feedwater valves, discharge of secondary coolant from cracks in main feedwater lines, etc. The RCS cooldown transients stemming from these failures would be less severe than those included under No. 12 of the Likely Event Category. The potential impact of such high energy line failures in specific locations of the plant, since they might commonly interact with and affect availability of the plant ESFs, was considered as part of this study. Refer to Appendices II and IV.

Likely Initiating Events

1. Turbine Trip
2. Spurious Signals from SICS
3. Loss of Condenser Vacuum
4. Inadvertent Closure of Main Steam Line Isolation Valves
5. Loss of Main Station Generator with Failure to Relay Auxiliary Loads (e.g., Main Feedwater Pumps, Condensate Pumps) to AC Power Incoming from Offsite Network
6. Loss of Main Circulating Water Pumps for Condenser Cooling
7. Loss of Main Feedwater Pumps
8. Loss of Condensate Pumps
9. Loss of AC Power Incoming from Offsite Network
10. Inadvertent Opening of Steam Generator Power-Operated Relief Valves (~10% Sudden Load Demand)
11. Increase in Main Feedwater Flow; Malfunctions in Feedwater Flow Control
12. Malfunctions of Control Resulting in Inadvertent Opening of All Turbine Steam Bypass Valves (~40% Sudden Load Demand)
13. Uncontrolled Rod Withdrawal: a) At Full Power, b) At Startup
14. Control Rod Assembly Drop
15. Boron Dilution by Malfunctions in Chemical Volume and Control System
16. Startup of Inactive Reactor Coolant Loop (in PWR with No RCS Loop Isolation Valves)
17. Accidental Opening of Pressurizer Safety or Relief Valves
18. Loss of RCS Coolant Flow (Main RCS Circulating Pump Malfunctions)
TABLE V 3-7 PWR TRANSIENT SEQUENCES vs. RELEASE CATEGORIES
[Table: release categories 1 through 9 as columns, grouped under Core Melt and No Core Melt; rows list the Dominant PWR Transient Accident Sequences with their probabilities, followed by the Other Transient Accident Sequences.]
TABLE V [number illegible] PWR SMALL LOCA S2 ACCIDENT SEQUENCES vs. RELEASE CATEGORIES
[Table: release categories as columns, grouped under Core Melt and No Core Melt (a); rows list the Dominant Small LOCA S2 Accident Sequences with their probabilities, followed by the Other Small LOCA S2 Accident Sequences.]
(a) No sequences in these categories are shown since negligible radioactivity release is expected to occur when all ESFs properly operate.
cluded contributed about 1% or less across the whole spectrum of consequences as can also be seen in Table V 3-16.

2. The above result for the BWR would also be relatively unaffected for large values of ECF. For example, if an ECF value as large as 10^-1 were to be applied, the result would be that the large LOCA contributions would increase to less than 15% over the entire release spectrum. Similar to the PWR results above, a high level of confidence regarding the likelihood of ECF failure was not required for purposes of this risk study.

4.3 QUANTIFICATION OF TRANSIENT EVENT TREES

As discussed in section 4.3 of Appendix I, a portion of the study's effort was focused on assessing risk contributions from transient events. It was demonstrated in Appendix I that this need involve only examination of anticipated transients and that less likely transients do not contribute to accident risk.

The transient trees presented in sections 4.3.1 and 4.3.2 of Appendix I identified the systems which can affect the course of events after an initiating transient. Where they were available, system failure probabilities estimated by the fault trees presented in Appendix II were used in quantifying the transient tree accident sequences. In addition, data available from reactor operating experience were used to estimate the unavailability of systems (such as the main feedwater system). Summaries of the PWR and BWR system failure probabilities applicable to transient event trees are presented in Tables V 4-1 and V 4-2, respectively. The probabilities of the dominant accident sequences from these trees were previously presented in Tables V 3-14 and V 3-16.

The following two sections will present the values of failure probability for each of the headings in the PWR and BWR trees, respectively. The discussion below presents the values of the transient event (T) for both trees.

Each tree was analyzed as appropriate to identify the particular transient events which, along with the other system failures, contributed significantly to the risk assessment. In quantifying (T), the first step involved examination of applicable data from nuclear power plant operating experience for 1972 (Ref. 2). This indicated a total of about 10 shutdowns per reactor year, of which 7 were due to equipment malfunctions, operator errors, etc., and caused rapid shutdown by means of the reactor protection system (RPS). Three of the ten shutdowns were orderly, slow shutdowns for such items as leaks, maintenance, etc. Of the seven RPS trips, 3 per year were due to interruptions of main feedwater and included about 2 per 10 years that were due to loss of off-site power. Based on the above data, a median value of 10 was used for T, with an error bound of 2 to cover a variation between 5 and 20 transients per year.

Transients involving loss of main feedwater and loss of off-site power are of particular interest. The loss of main feedwater increases dependence on backup systems for removal of core decay heat in a shutdown. The loss of off-site power causes a loss of main feedwater and can potentially affect availability of back-up heat removal systems. All the above transient events were included in the quantification of the PWR and BWR transient event trees.

4.3.1 PWR TRANSIENT TREE QUANTIFICATION

This section will present the quantification of the various events, except for T (the transient events), which have been discussed above. Table V 4-1, already presented, summarizes the probability values used in this analysis. The material below presents a discussion of the rationale for the selection of information in that table.

Reactor Protection System (K)

The median failure probability used for the reactor protection system (RPS), which serves to trip the reactor control rods and terminate core power, was 3.6 x 10^-5 with an error spread of about 3 based on fault tree analyses presented in Appendix II. Use of this probability value for RPS is considered to be somewhat conservative in those transient events which result from loss of off-site AC power since the power loss would be expected to interrupt holding power for the rods, causing the control rods to drop into the core. For this particular transient event, this conservatism did not lead to dominant core melt sequences.

Secondary Steam Relief and Power Conversion System (M)

This column heading represents portions of the power conversion system that provides for main feedwater delivery to the steam generators as described in some detail in section 4.3.1 of Appendix I. As noted earlier, operating experience indicates that the main feedwater (MFW) delivery can be interrupted approximately three times per year. The probability of recovery of the main feedwater system following its interruption depends on the initiating fault and the time window available to restore the system to operation. The time available to restore main feedwater delivery depends on whether or not other systems such as the auxiliary feedwater system (AFWS) operated or whether or not the RPS tripped. If, for example, the RPS fails to operate following interruption of MFW delivery, high RCS pressure levels could be reached in a few minutes, and the likelihood of recovery of main feedwater in this period is very small. On the other hand, if RPS operates following this event but the AFWS fails to operate, the time period available for recovery of MFW would be about 1/2 to 1 hour prior to boiling off the water inventory of the steam generators and loss of core heat removal capability. In order to cover both these cases, the following values were used for the probability of non-recovery of main feedwater following its interruption:

                                                   ~1/2 to 1 hour    Several minutes
Three feedwater shutdowns per year                 10^-2 (10)        1
Loss of off-site AC power at 0.2 events per year   2 x 10^-1 (3)     1

Secondary Steam Relief and Auxiliary Feedwater System (L)

The failure probability for the auxiliary feedwater system was developed by fault tree analyses which are presented in Appendix II. The failure probabilities of interest used in assessment of the PWR transient event tree were as follows:

                                                              Probability of Failure for AFWS
For all events not including loss of off-site power          3.7 x 10^-5 (error spread of about 3)
For transient event resulting from loss of off-site power    1.5 x 10^-4 (error spread of about 3) (1)

(1) It should be noted that this number was derived from Appendix II considering that the emergency on-site AC power source would have diesel loads greatly reduced for the transient event. Compared to the LOCA events, the diesel emergency loads are about halved. Thus a factor of approximately 3 was credited to the availability of the emergency diesel generators for the

The function of secondary steam relief as discussed in section 4.3.1 of Appendix I requires operation of but several of a large number of the safety and relief valves provided in the secondary steam system. The probability of failure of each of the valves to open is about 10^-5 per demand based on data presented in Appendix III. As will be subsequently shown in section 4.3.2, the probability of a large number of the secondary system valves failing to operate such that the function of secondary steam relief would be lost is very small and was determined to be negligibly small when compared to the likelihood of failure of either the AFWS or the PCS.

Reactor Coolant System (RCS) Safety and Relief Valves Open (P)

The operation of the RCS safety and relief valves serves to limit RCS pressure levels and they are designed to open when the RCS pressure exceeds set pressures. As discussed in section 4.3.1 of Appendix I, analyses have indicated that the most severe potential overpressure event for the PWR is the interruption of main feedwater delivery coupled with a failure of the RPS to trip the reactor control rods. For this situation, modest RCS overpressures occur even with operation of all pressurizer safety and relief valves. Failure of one or more of the three pressurizer safety valves could however significantly increase the RCS overpressure and thus increase the likelihood of an RCS rupture. Accordingly, the failure of one of the three pressurizer safety valves to open was considered to be a failure in this event. A probability of 3 x 10^-5, with an error spread of about 3, was applied for failure of those valves to open.

Reactor Coolant System (RCS) Relief and Safety Valves Fail to Close (Q)

If the relief and safety valves fail to close when the RCS pressure level returns to below the valve set pressure, the RCS could depressurize. In the PWR, if the valves fail to reclose, they provide a path for coolant loss (~1/2" diameter), causing a small RCS LOCA; thus the core cooling and containment ESFs would be utilized. (1) Operating data for the PWR have shown such a failure of the RCS safety and relief valves to reclose following a transient event. Accordingly, the failure probability for the PWR safety and relief valves to reclose, based on PWR reactor operating experience, was estimated to be about 10^-2 with an error spread of 10.

(1) It should be noted here that for select PWR transient sequences that involve failure of the reactor protection system (RPS) to trip the reactor control rods and a failure of the RCS safety/relief valves to reclose, the PWR small LOCA event trees were considered to be applicable. However, the small LOCA trees show that, when the reactor protection system fails to operate, a core melt was considered to occur. This decision on the small LOCA trees was made because core temperature levels could potentially become unacceptably high if RPS fails. The same core melt decision was made regarding the applicable transient event sequences. This is believed to be a conservative decision.

Chemical Volume and Control System (U)

As briefly described in section 4.3.1 of Appendix I, the chemical volume and control system (CVCS) is used in normal plant operation for purposes of controlling the RCS coolant volume and boron concentrations, and assists in cooling for the main RCS circulating pumps. The CVCS pumps also serve to deliver concentrated boron and emergency coolant to the core during LOCAs and transient events which cause RCS cooldown. Therefore, the failure probability for the CVCS was taken to be failure of the CVCS in the HPIS mode of delivery. The probability value used was 8.6 x 10^-3 with an error spread of about 3 as developed by fault tree analyses presented in Appendix II.

Residual Heat Removal System (W)

Estimates on the availability of the RHRS were not made for the present analyses for the reasons discussed in section 4.3.1 of Appendix I. The RHRS was shown on the PWR transient tree principally for completeness. Its use depends on the successful operation of CVCS in conjunction with either the operation of main feedwater system or the auxiliary feedwater system. However, it is only used at cold shutdown and both MFW and AFWS could serve as backup heat removal systems.

Additional Considerations

In considering the PWR transient event resulting from the loss of off-site AC power, a sequence to core melt (TML) was found that had an important probability contribution across the entire release spectrum. (1) This sequence represented total loss of all feedwater (main and auxiliary) and thus represented a loss of both normal and alternate plant heat removal systems. If both the main feedwater and the auxiliary feedwater systems fail to operate following this transient, then the steam generators would be emptied within about 1 hour. The discharge of RCS coolant through the pressurizer safety and relief valves (which would be caused by the loss of plant heat removal) would result in the eventual uncovering of the reactor core. Within about 2 to 3 hours, core melt would be underway. Containment ESFs could mitigate the release of radioactivity in this core melt sequence; however, the availability of the containment ESFs and their usefulness would be conditional on recovery of AC power within this time period. The overall elements of probability that were associated with the TML sequence, including the availability of containment ESFs and the containment failure modes, are illustrated in Fig. V 4-2 through the use of a simplified event tree.

(1) See Table V 3-14.

Consider, as an example from the simplified event tree above, the sequence TMLB'-ε, where B' represents the probability of non-recovery of off-site and on-site AC power in about 3 hours. This sequence was found to be one of the more important ones, and the elements of probability are:
P(TMLB'-ε) = P1 x P2 x P3 x P4 x P5 x P6 ~ 6 x 10^-7

where:

P1 = Loss of off-site AC power (represents an interruption of the main feedwater delivery provided by the plant power conversion system, PCS).

P2 = Non-recovery of off-site power in about 1/2 to 1 hour (represents the loss of feedwater delivery provided by the plant power conversion system, PCS).

P3 = Failure of auxiliary feedwater system, AFWS (principal failures include failure of on-site emergency AC power and the failure of the steam turbine driven auxiliary feedwater pump).

P4 = Non-recovery of off-site AC power for the containment ESFs within a period of about 1 hour up to about 3 hours following the transient event.

P5 = Non-recovery of on-site emergency AC power for the containment ESFs within a period of about 1 hour up to about 3 hours following the transient event.

P6 = Probability that containment eventually ruptures by the path involving a meltthrough of the containment vessel base mat.

Probability values for the above elements of sequence TMLB'-ε are based on the following table.

Probability   Values                                                                          Source
P1            ~2 x 10^-1                                                                      Appendix III, section 6.3
P2            ~2 x 10^-1                                                                      Fig. III [number illegible], Appendix III
P3            ~1.5 x 10^-4                                                                    Appendix II and Appendix III
P4            ~5 x 10^-1 (approximate ratio of the 3 hour value to the 1 hour value)          Fig. III [number illegible], Appendix III
P5            ~1                                                                              Appendix III
P6            0.2                                                                             Attachment 1 to this appendix

The remaining transient sequences, e.g., TMLB'-α, TMLB'-β, etc., were evaluated in like manner. Given that electric power is available to operate the containment ESFs, those sequences involving failure of containment ESFs, e.g., TMLC-α, TMLF-β, etc., relied on probability values derived from fault tree analyses presented in Appendix II.

4.3.2 BWR TRANSIENT TREE QUANTIFICATION

This section will present the quantification of the various events, except for transient events (T), which have been discussed in previous sections. Table V 4-2 summarizes the results of this analysis. The material below presents a discussion of the rationale for the selection of information in that table.

Reactor Shutdown (C)

Reactor shutdown can be accomplished in one of two ways, either by the reactor protection system (RPS) or by the combination of recirculation pump trip and operator actions to render the reactor subcritical. The median failure probability of the RPS is 1.3 x 10^-5 with an error spread of 3 based on the fault tree analysis shown in Appendix II. The failure of the recirculation pump trip and the operator actions to render the reactor subcritical is controlled by the probability that the operator will fail to initiate the liquid poison injection

[Figure: Simplified Fault Tree For Event C]
value of 10 per year for likely events is derived from operating experience from U.S. PWR and BWR plants, which reveals that unplanned shutdowns have occurred from various equipment malfunctions or failures, operator errors, and related operational transients (Ref. 3).

On the other hand, there are about 150 reactor years of experience in which no unanticipated transients have occurred. From these data the unanticipated transient occurrence rate is probably less than 10^-2 to 10^-3 per reactor year. Since the amount of experience is small, these data can be supplemented by estimates of systems and reliability considerations. An examination of the various factors involved in the occurrence of unanticipated transients and a comparison with experience, other analyses, and numbers obtained in the study suggest that the rate is actually much less than 10^-2 or 10^-3; therefore 10^-5 has been selected for use in the illustrative comparisons made in Figs. I 4-11 and I 4-12. It should be noted that even if a high rate is used, say 10^-3, the unanticipated transient tree would still not contribute significantly to the overall risk.

The principal aim of this portion of the Reactor Safety Study was to assess these more frequent anticipated transient events and to establish their incremental contribution to the public risk. To assist in this effort, detailed PWR and BWR transient event trees were developed and are discussed in sections 4.3.1 and 4.3.2 respectively.

4.3.1 PWR TRANSIENTS

As indicated in section 4.3 of this Appendix, only likely transient events need to be covered by a transient event tree. Table I 4-9 contains a list of all transients identified as being applicable to the PWR plant.

4.3.1.1 PWR Transient Event Tree Development.

The PWR transient event tree presented in Fig. I 4-14 was developed using functional logic similar to that addressed in some detail in section 2 of this Appendix for development of the LOCA event trees. The functional logic underlying the PWR transient event tree is summarized below to emphasize the various system relationships that exist for the PWR.

This section discusses:

a. The functions required following PWR transient events in order to perform a safe shutdown and cooldown of the plant.
b. The PWR transient event tree in terms of systems necessary to perform the functions of safe shutdown and cooldown.
c. The definitions of system success/failure that are needed to assist in the development of fault trees and in quantification of the PWR transient event tree.

4.3.1.2 PWR Functions and Functional Event Tree.

The functions that must be performed following the transient event in order to preclude core damage are:

1. The fission process must be terminated.
2. The reactor coolant pressure must be limited to a value that will not cause failure of the reactor coolant system (RCS).
3. An adequate coolant inventory must be maintained within the RCS.
4. The core shutdown heat energy must be transferred to the environment.

These functions are illustrated on the functional event tree presented in Fig. I 4-13. This figure indicates that the core is not damaged if all four functions cited above are performed successfully. If any of functions (1), (3), or (4) is not successful, core damage and melt could occur. If function (2) is not successful, LOCA could result and the possible accident sequences that might subsequently occur are evaluated using the PWR LOCA and the containment event trees previously described.

A PWR event tree in terms of systems was developed from the functional tree using the same logic that was described in section 2 of this Appendix. This logic first requires that the systems that are able to perform each of the basic functions be identified. This identification is summarized in Table I 4-10. The logic used to develop the PWR anticipated transient tree, Fig. I 4-14, is briefly discussed in the following paragraphs.

The systems that can operate to make the reactor subcritical are shown in
Table I 4-10. Included is the reactor protection system, RPS, which can trip reactor control rods and the chemical volume control system (CVCS) which could provide alternate shutdown capability by delivery of a concentrated boron solution into the RCS. Certain transients such as those that cause an interruption or loss of the normal heat removal systems (e.g., main feedwater delivery to the steam generators) require rapid power shutdown in order to prevent overpressure of the RCS. The delivery of concentrated boron solution by the CVCS pumps would not be rapid enough in such cases to prevent RCS overpressure, although eventually sufficient boron could be delivered to make the reactor subcritical. Rapid shutdown can be accomplished only by the control rods. Therefore, only the RPS was included under the column heading Reactor Subcritical. The CVCS is shown under a separate heading (VCVC). The VCVC function is needed to enable coolant makeup to be provided for control of coolant contraction during cooldown, and to ensure shutdown margin during cooldown of the plant if the transient event leads to a decision to bring the plant to the cold shutdown condition.

The column HTEH (Heat Transfer Environment - hot shutdown) indicates that during hot shutdown, core heat can be satisfactorily transferred to the environment after the transient event has occurred providing that portions of the power conversion system (PCS) are operable, or that the auxiliary feedwater system (AFWS) is operable. Successful operation of the PCS requires availability of A.C. power from non-emergency sources. Since the availability of the PCS can depend on the specific transient event and the AFWS may not, these systems were treated as separate columns on the PWR transient event tree, Fig. I 4-14.

The column RCS-OP indicates that the RCS pressure limiting function is performed by the pressurizer safety valve and the power operated relief valves. There are two possible failure modes. First, the valves may fail to open and second, once opened, the valves may fail to reclose. These two possibilities result in different situations: (1) If the safety valves fail to open, the RCS pressure boundary would be subjected to very high pressure levels and in all likelihood rupture of the RCS would occur and provide the necessary relief. If the pressure level were to become very high, not only would the rupture of the RCS result in a LOCA but also the blowdown loads on the core and reactor vessel internals could potentially cause disruption of the core geometry and result in melting of the core. Where very high RCS overpressure levels resulted, it was assumed that the RCS would rupture and that core melt would occur. (2) If the required valves open but fail to reclose, then the result is in effect a small LOCA, with coolant discharge occurring from the pressurizer vapor space. Since these situations are different and must be evaluated through use of different LOCA event trees, two separate columns were used in the PWR transient event tree.

The column HTEC indicates that the heat transfer to the environment can be accomplished by the plant residual heat removal system (RHRS). This system is a low pressure system that would be used to transfer core decay heat once the plant operator decides to bring the plant to cold shutdown after any particular transient event that has not resulted in a rupture of the RCS. To bring the plant to cold shutdown (to where use of the RHRS is permissible) requires use of the CVCS and either the

The RHRS is depicted by a single column heading on the tree and has been included principally for completeness. Should the RHRS be inoperable, the plant could remain at hot shutdown conditions with either the PCS or the AFWS providing for the required decay heat removal from the core.

4.3.1.3 PWR Transient Event Tree (Systems).

The PWR transient event tree is presented in terms of systems in Fig. I 4-14. The rationale used to develop this tree was summarized above. The individual column headings of the systems tree are discussed and defined in section 4.3.2.5.

event tree is generalized and is intended to apply to all anticipated transients which require that the reactor be safely shut down and cooled and which are not the result of a LOCA.

The tree and accompanying chart, Fig. I 4-11, together show in a logical manner those combinations of system operations that will adequately cool the core and those sequences of system failures that will either cause a LOCA or result in core melting. A complete set of trees is formed by the anticipated transient tree, the LOCA event trees, and the containment event trees. These represent coverage of all important situations foreseeable by this study whereby core melt could potentially occur as a result of malfunction or failure of the
i -
i s
plant's mechanical or electrical equipment.

4.3.1.4 PWR Transient Event Tree Definitions.

This section defines the systems represented by the event columns of the PWR transient event tree. Minimum operability states are presented below for those systems needed to carry out the core shutdown and cooling functions following a transient event. Less than the defined minimum operability state for a given system constitutes failure for that system.

Transient Event: TE

The initiating events are malfunctions, failures, or faults in the plant equipment or in the station's electrical network that result in a transient being imposed on the PWR reactor coolant system and core that (1) leads to a demand for the operation of the reactor protection system (RPS) to cause trip of the reactor control rods to shutdown the reactor core and (2) requires operation of the plant normal or alternate heat removal systems to ensure cooling of the reactor core. Other sequences which potentially result in RCS overpressures that could cause a rupture of the RCS boundary are included within the applicable PWR LOCA event trees presented previously in section 4.1 of this Appendix.

Reactor Protection System: RPS

The process of making the reactor subcritical at hot shutdown (or standby) is accomplished, normally, by a rapid insertion of the control rods, which after an interruption of holding power to the breakers, would be released to drop by gravity into the PWR core. Within several seconds the drop (or insertion) of the control rods makes the reactor subcritical at the hot shutdown condition (about 547°F and 2250 psi). The rapid insertion of the control rods serves to arrest core power increases for all transient events. However, for those transient events which may initially result in a rapid cooldown of the RCS, the core can return to critical, and, as previously noted, the delivery of concentrated boron solution to the RCS would assist in returning the core to a subcritical condition. Although such cooldown transients cause reactivity to increase, the fuel damage from these events would be limited to the release of radioactivity into the RCS, even if delivery of the concentrated boron failed to occur. Alternately, if the control rods fail to insert and the anticipated transient event is relatively slow, the delivery of concentrated boron to the RCS via the CVCS pumps could serve to limit the core power increases and bring the reactor subcritical at the hot standby condition within about 5 to 10 minutes.*

* Only in the case of those unlikely initiating events (e.g., events 2 through 5, Table I 4-9) would substantial core damage and potential melt be expected to occur with failure of the RPS to operate.

If the anticipated transient event requires the plant to be further cooled down and depressurized from the hot standby condition, the addition of boron by the CVCS pumps is used to ensure that a safe shutdown margin (~1% Δk/k) is maintained through the RCS cooldown to the cold shutdown condition (~150°F and 400 psi).

As noted previously, the PWR transient event tree is considered applicable to both slowly occurring and rapidly occurring anticipated transients, and, since only the reactor protection system (RPS) would be effective in limiting core power for both, the RPS and boration functions are presented separately on the tree.

Failure of RPS is conservatively defined as the failure of the control rods to insert into the reactor core with no more than two adjacent rods failing to insert on demand.

Secondary Steam Relief and Power Conversion System - SSR and PCS

This column heading includes portions of the PWR power conversion system which are normally in use (1) to maintain an adequate coolant inventory within the PWR steam generators, and (2) to transfer heat to the environment following a transient event. To be successful, this portion of the power conversion system must include the partial operation of the main feedwater and condensate system, which is used to deliver condensate from the turbine condenser to the steam generators following a transient event. These modes of partial PCS operation are discussed below.

Given a turbine trip, the steam from the steam generators is normally "dumped", or bypassed, into the condenser via the turbine steam bypass system. To enable
heat to be removed via this system, a vacuum in the condenser must be maintained. This requires that the transient event must not involve a loss of condenser vacuum. The operation of air ejectors and the circulating water system enables the condenser vacuum to be maintained, provided that a breach of the condenser has not occurred. If the main feedwater pumps are driven by turbine steam, as is the case for many PWR designs, then loss of condenser vacuum can also result in a loss of the main feedwater pumps. If the main feedwater pumps are electrically driven, as in the case of the PWR studied, then loss of condenser vacuum would only result in loss of the turbine steam bypass system and not the main feedwater pumps. In the situation where condenser vacuum has been lost, the electrically driven main feedwater and condensate pumps could be used to provide water makeup to the steam generators, and heat could still be rejected to the environment via the steam generator safety valves. This would lead to acceptable heat rejection to the atmosphere, but, eventually, the condensate supply from the condenser would become exhausted.

Regardless of whether the main feed pumps are steam driven or electrically driven, the condensate pumps (which are driven electrically in all PWR cases of which this study is aware) would be needed to enable water makeup to be provided from the condenser hotwell to the steam generators. Assuming failure of the condenser vacuum occurs and affects operability of the main feedwater pumps, the condensate pumps could potentially be used to deliver water to the steam generators. In this case, action by the plant operator would be needed, however, to depressurize the steam generators. This is so because the design of the condensate pumps would not permit water delivery against the high steam pressure conditions (~1100 psi) that would prevail in the steam generators, if steam discharges to the atmosphere at set point pressures of the steam generator safety valves. The plant operator could manually operate the power-operated relief valves provided for the steam generators and, in this way, depressurize the steam generators to permit water makeup to be provided by the condensate pumps. Since the condensate pumps are electrically driven and are required for each transient event in order for the PCS to be functional, the principal common fault leading to a loss of PCS would be the loss of AC power to the station auxiliaries (main feedwater pumps, condensate pumps, circulating water pumps, etc.). The PCS function could not, therefore, be restored for this transient event until a restoration of AC power was accomplished. Assuming that the reactor protection system operates to reduce core power level, a total lack of feedwater delivery to the steam generators to remove heat generated by the core would result in the steam generators boiling dry on the order of about 1/2 hour. An alternate feedwater supply is, however, provided by the auxiliary feedwater system (AFWS). Operation of this alternate feedwater system in conjunction with steam relief to the atmosphere through safety valves would result in successful cooling of the core following all transient events involving the interruption and loss of normal PCS heat removal capability. Should the auxiliary feedwater system fail on demand, the time available for the plant operator to restore operation of either the PCS or the AFWS, without risking an excessive loss of RCS coolant from the RCS pressurizer safety and relief valves and thus a core melt, would be approximately 1 to 1 1/2 hours. A loss of AC power to the station auxiliaries in excess of this time, in conjunction with a loss of the AFWS, could result in core melting.

For the PCS to successfully perform the function of transferring core heat to the environment requires certain components to be operable and certain conditions to be in existence as described below. Failure of PCS is defined to have occurred when these operable states and conditions are not met for the system.

a. Successful water makeup requires at least one complete train of the condensate and main feedwater piping system to be intact and operable to deliver water from the condenser hot well to the steam generators. A limiting condition for operability of the condensate and main feedwater pumps is the requirement that sufficient AC electrical power be available to drive the pumps. If the main feedwater pumps are not operable, successful PCS performance requires operability of the condensate pumps, with operator action taken to reduce the pressure level in the steam generators in order to accommodate coolant delivery at a lower pressure by the condensate pumps. Operability of the power operated relief valves in the main steam system is also required to permit the successful performance of the condensate pumps.
b. Successful heat removal from the core requires steam relief from the generators. This function can be accomplished by (1) operation of the turbine bypass valves to the condenser when availability of condenser vacuum permits; or (2) operation of the main steam system safety valves when both the condensate and main feedwater pumps are operable; or, (3) operation of the main steam system power operated relief valves under operator control when only condensate pumps are operable.

If the heat is removed from the core by steam relief to the atmosphere via either the main steam system safety valves or the main steam system power operated relief valves, the availability of makeup water from the PCS is considered to be limited to the inventory of condensate initially residing in the condenser hotwell. If heat is removed by steam relief to the condenser via operation of the turbine steam bypass valve system, the availability of makeup water to the steam generators is not limited by a loss of condensate to the atmosphere. Conditions permitting heat to be removed via the turbine steam bypass valve system also require that the main steam line isolation valves be open and that the condenser vacuum be maintained within acceptable limits by, (1) operability of the condenser air ejector system; and (2) operability of the circulating water system for condenser cooling.

Secondary Steam Relief and Auxiliary Feedwater System - SSR and AFWS

In the absence of M, above, the feedwater delivery equivalent to the flow from at least one of the three auxiliary feedwater pumps was used as the basis for the definition given below of failure for the auxiliary feedwater system.1 Failure of this alternate heat removal function, provided by the secondary steam relief and auxiliary feedwater system, is considered to occur when at least the principal components listed below are not operating following the transient event:

1 The minimum operability requirement for the AFWS was based on analysis of ATWS transients as provided in WCAP-8096.

a. Steam Relief Function (SSR):

Either:
(1) no less than one of the five main steam system safety valves located on each main steam line;
(2) no less than two of three of manually operable and power operated main steam relief valves.

b. Auxiliary Feedwater and Condensate Delivery Function (AFWS) -

Either:
(1) operability of the one steam turbine driven auxiliary feedwater pump delivering water from the 100,000 gallon condensate storage tank until the tank is exhausted (~8 hours) and then from the plant fire protection system thereafter until such time as the plant is successfully cooled down and depressurized to permit core heat removal to be continued without dependence on the AFWS;
(2) operability of one of the two electrically driven auxiliary feedwater pumps delivering water as described above.

The time period of interest for hot standby or cooldown operations for either the PCS or AFWS would normally be expected to be ~6 hours following a

RCS Safety/Relief Valves Open: S/R VO

This column heading represents the opening of the RCS pressurizer safety or safety and relief valves to limit the rise in the reactor coolant pressure immediately following the initiating transient event. Not all anticipated transient events (e.g., turbine trip) require operability of the safety valves, since the surge capacity of the pressurizer would suffice to accept the transient event with but a small surge in the pressure being seen. For more severe transients, such as those involving failure of the RPS to terminate core power, the operability of the pressurizer safety valves would be required to prevent a rupture of the RCS.
Three RCS pressurizer safety valves and two relief valves (power operated) are provided for the PWR. For those anticipated transients where RPS operates to terminate core power, the operation of only two of three of the pressurizer safety valves would suffice to limit the RCS overpressure transient to less than, or about, 110 percent of RCS design pressure. Sequences one through nine include these possibilities.

For those anticipated transients where RPS fails to terminate core power (i.e., the ATWS transients), the operation of three of three pressurizer safety valves would be needed to limit the RCS pressure level to less than about 150 percent of the RCS design pressure. Operation of the two pressurizer relief valves with the operation of the three safety valves would be expected to further reduce the RCS pressure level to less than, or about, 125 percent of the RCS design pressure. In general, the specific RCS pressure level that results from the ATWS transients will depend considerably on the specific combinations of systems operating during the transient event. As noted previously, the interruption or loss of the PWR main feedwater system potentially gives rise to the most severe RCS overpressure levels. The possible variations in the predicted RCS overpressure levels were considered by the study, and, for sequences in which the safety valves failed to operate, it was assumed that the result was an RCS rupture with core melt.

No commonly accepted, specific "design basis" combination of systems to be used for analysis of ATWS has yet emerged (Ref. 4). However, for purposes of this study, a reasonably conservative definition has been selected which encompasses all anticipated transient events and the ATWS events. Failure of the RCS safety/relief valves to open is defined as being the operation of less than three of the three RCS pressurizer safety valves.

Safety/Relief Valves Reclose: SR/VR

The RCS pressurizer safety/relief valves that open as a result of a transient event must reclose to prevent a discharge of an excessive quantity of coolant from the RCS. Otherwise, a valve sticking open following the transient event of interest would result in a loss of coolant event covered under the previously described small LOCA event trees.

Chemical Volume Control System: CVCS

This system is normally in use during all power operations to control the volume of RCS coolant, condition the chemistry of coolant, and assist in cooling of the main RCS circulating pumps. As will be discussed in detail subsequently,1 the chemical volume and control system provides for multiple functions to be carried out during plant operations, during transients, or during LOCA events. For example, if a cooldown transient or a LOCA event occurs, an automatic alignment of the CVCS pumps takes place so the pump delivers emergency coolant and concentrated boron solution to the reactor core. This realignment of the CVCS system places the system into the high pressure injection system (HPIS) mode of operation. Also, the CVCS pumps can be used with suction to the pumps realigned to deliver concentrated boron solution from boric acid tanks (BAT's) in the plant. This second mode of realignment can be initiated by the plant operator should he elect to use this realignment for emergency boration to provide for a backup shutdown capability.

1 See Appendix II - Fault Tree Analysis, High Pressure Injection System.

For purposes of failure definition for the CVCS during transient events, the previous definition, developed for the High Pressure Injection System (see small LOCA - sections 4.1.2 and 4.1.3) reflecting failure to be less than the delivery from one of three HPIS pumps, is considered to be conservatively applicable to the transient event tree.

Residual Heat Removal System: RHRS

In the PWR plant studied, the RHRS would normally provide for continuity of cooling after the PCS or AFWS has been used in conjunction with the CVCS to cool and depressurize the plant from the hot shutdown (or standby) conditions. The RHRS has been included in the tree, principally for completeness.2 Normally, the RHRS would not be used following a transient event unless an extended shutdown period (for maintenance purposes, refueling activities, etc.) was planned. Unless the PCS or AFWS operates in conjunction with the CVCS following a transient event to allow for reduction in the RCS pressure, the operation of the RHRS would not be permissible. This is so because the RHRS is a low design pressure system that can operate only after the RCS pressure is reduced to less than 600 psi. Alternately, if RHRS operation were satisfactorily instituted in approximately 6 hours following a planned shutdown, and if subsequently, faults or malfunctions developed in the RHRS, the option would exist to reinstitute the heat removal capability of the AFWS. This option would exist for a finite time during the shutdown period until such time as, for example, the reactor vessel head was unbolted in preparation for refueling activities to take place. Since the intent of this portion of the study was to focus on those transient events that experience shows to occur frequently during reactor operations, the operability state of the RHRS system was considered to be of limited interest.

2 The RHRS was not evaluated by use of the fault tree techniques as described in Appendix II for a number of the PWR ESFs. This increment of study effort could be accomplished at a later time if additional completeness is felt to be warranted. For the reasons outlined above, the risk contribution pertaining to PWR transient events did not require this incremental effort.

4.3.2 BWR TRANSIENTS

As in the case of PWR transients treated in section 4.3.1, only likely transient events are covered in the BWR transient tree (see also section 4.3). Table I 4-12 contains a complete list of all transients identified as being applicable to the BWR plant.

4.3.2.1 BWR Transient Event Tree Development.

The BWR transient event tree presented herein was developed using functional logic similar to that addressed in some detail by section 2 of this appendix. The functional logic underlying the BWR transient is summarized below to emphasize the various system relationships that exist for the BWR.

This section discusses:

a. The functions required following a shutdown from power operation and the systems available to perform these functions.
b. The BWR transient event tree in terms of systems.
c. The detailed definitions of system success/failure that are needed in the development of the fault trees and in the quantification of the BWR transient event tree.

4.3.2.2 BWR Functions and Functional Event Tree.

The functions that must be performed following the transient event in order to preclude core damage are:

a. The reactor must be made subcritical;
b. The reactor coolant pressure must be limited to a value that will not cause the failure of the reactor coolant pressure boundary (RCPB);
c. An adequate coolant inventory must be maintained within the reactor vessel;
d. The shutdown core heat energy must be transferred to the environment.

These functions are illustrated on the functional event tree presented in Fig. I 4-15. This figure indicates that the core is not damaged if all of the four functions cited above are performed successfully. On the other hand, if any of the four functions above is not successful, the core could melt.

A BWR event tree in terms of systems was developed from the functional tree using the same logic that was described in the section on event tree development, section 2 of this appendix. This logic first requires that the systems that are able to perform each of the basic functions be identified. This identification is summarized in Table I 4-13. This information was used in conjunction with the functional event tree of Fig. I 4-15 to develop the BWR transient event tree (Fig. I 4-16). The logic utilized to develop the anticipated transient tree is briefly discussed in the following paragraphs.

The systems that operate to make the reactor subcritical appear in Table I 4-13 only in the function column entitled "Reactor Subcritical", RS. Therefore, this column heading is also used in the systems event tree.

The pressure limiting function is performed by the safety valves and the safety/relief valves, as shown in the

Detailed definitions of the systems operation that are required for success (or failure) are presented in section 4.3.2.4.
NOTES

1. The power conversion system (PCS) essentially consists of the main feedwater and condensate system. The failure probability is estimated without benefit of rigorous analysis; however, the value chosen is on the low side so as not to bias the results. PCS is not shown in part b of Fig. I 4-11 since it cannot operate without off-site electric power.
2. The alternate heat removal system is the auxiliary feedwater system (AFWS). Figures a and b indicate different failure probabilities because of its dependence on a diesel generator that is shared between two facilities when off-site power is lost. (See Appendix II.)
3. The value of 4 x 10~ / year for the probability of loss of off-site power for longer than about 30 minutes is derived from data on electrical systems in the U.S. in addition to nuclear systems.
4. Figure I 4-11c shows an arbitrarily chosen transient of some type that has not yet occurred in the 150 reactor years of operation of commercial nuclear power plants.
5. Figure I 4-11d shows a tree that covers such unanticipated transients as rod ejection and steam generator rupture; their probability is very low, but they have the characteristic that /05 cannot serve a useful function if RPS fails.

FIGURE I 4-11 Simplified PWR Transient Event Tree
vessel or less than one of three HPIS pumps delivering borated water from the RWST. This definition is applicable only to the three loop PWR design under consideration.

When a small LOCA is caused by a break between ~2" and 6" in diameter in the RCS vapor space (pressurizer), the requisite pressurizer low level signals for automatic initiation of the high pressure injection system (HPIS) may not be obtained.1

Actuation of ECI either manually or ultimately by high containment pressure may have to be relied upon in this situation. Vendor analyses of these pressurizer vapor space breaks have, however, indicated that a delay of about 50 minutes could be tolerated in the HPIS provided that 2 of 3 accumulators deliver coolant into the RCS.

1 For example, when pressurizer safety valves inadvertently open and discharge to the pressurizer quench tank.
2 These modes of actuation are accounted for in the fault tree evaluation model for the small LOCA ECCS. Refer to Appendix II.

When the small LOCA is caused by breaks between ~2" and 6" in diameter in the RCS liquid region above the reactor core, the delivery from less than 1 of 3 accumulators is considered failure of ECI.

F - Containment Spray Recirculation System: CSRS

As in the large pipe break LOCA, failure of CSRS constitutes delivery of recirculation spray water through spray nozzles at less than the equivalent of the output of 2 of 4 recirculation spray pumps for about the first twenty-four hours after the incident or less than the equivalent of the output of one recirculation spray pump thereafter. Note that for a break of ~2 to 6 inches diameter outside the reactor vessel cavity, CSRS does not depend on the previous operation of the containment spray injection system (CSIS) to build up sufficient inventory in the sump.

G - Containment Heat Removal System: CHRS

Failure of CHRS constitutes delivery of service water to less than two of the four heat exchangers during the first 24 hours; thereafter only one is required.

H - Emergency Coolant Recirculation: ECR

Failure of ECR is defined as failure to deliver water from the containment sump to the reactor cold legs by at least one high head pump taking suction from the discharge from one low head pump. ECR failure is also considered to be failure to switch to hot leg injection at about 1 day after the initiating event occurs.

I - Sodium Hydroxide Addition: SHA

Same as for large LOCA.

4.1.3 PWR SMALL LOCA EVENT TREE - S2

As indicated in section 4, the second category of small breaks pertains to a break area of about 1/2 to 2 inches in diameter. The event tree shown in Fig. I 4-4 illustrates the systems used to mitigate this incident and the possible sequences following this initiating event. This tree results from substitution of the appropriate ESF's shown in Table I 2-1 into the functional event tree shown in Fig. I 2-8. The event tree is applicable to any break location in the RCS that discharges the primary coolant to the containment atmosphere. For breaks in this range, the use of auxiliary feedwater (AFWS) is assumed to be required for approximately one-half day to augment heat removal from the RCS and thereby control the RCS pressure. Column headings for the event tree are discussed below. Table I 4-4 presents [illegible] and containment fail[illegible] for this event tree.

DEFINITIONS

S2 - Initiating Event

The initiating event is a random rupture in the RCS boundary during normal full-power operation. This creates a break area ranging from 1/2 to 2 inches in diameter through which loss of coolant occurs. The rupture could occur in either the liquid or vapor-space regions of the RCS, above or below the core. This event requires ECC injection via the high pressure coolant injection system (HPIS).

B - Electric Power - EP

Electric power considerations are the same as on the large LOCA event tree in section 4.1.1, except that evaluation of the fault trees requires consideration of electric power distribution to both
the high pressure coolant injection system and the auxiliary feedwater system (AFWS) as well as the other ESFs previously considered. These considerations are necessary for completeness but were not found to significantly affect the probability of electric power availability to the appropriate ESFs following a specific LOCA.

K - Reactor Protection System - RPS

Same as for S1 described previously.

L - Secondary Steam Relief and Auxiliary Feedwater - SSR & AFWS

To augment heat removal from the RCS, heat from the primary system is transferred to water in the steam generators which is provided by the auxiliary feedwater system, and the resultant steam is discharged to the outside atmosphere via two of three power-operated relief valves or two of fifteen mechanical safety valves.1 Auxiliary feedwater delivery failure is considered to be less than full delivery from one of two half-size electric-driven feedwater pumps or the equivalent flow from the full-size steam-driven auxiliary feedwater pump. The period of demand and operation for the SSR and AFWS are about 1/2 day for the small LOCA event.

1 A unique feature for steam relief exists for this PWR to permit atmospheric steam relief after about 1/2 hour. This feature includes a decay heat release control valve, operated from the main control room, and a line that discharges to the atmosphere from the residual heat release header. Operator usage of this feature at periods greater than about 30 minutes could augment or back up the secondary steam relief capability defined above. This feature has not been included in the above definition because its inclusion would not be expected to change the overall availability of SSR and AFWS because of the dominance of the AFWS contribution.

C - Containment Spray Injection System - CSIS

This is the same as the large LOCA except that automatic initiation via the consequence limiting control system (CLCS) cannot be expected for about 30 minutes following the incident because of the slow rise in containment pressure. This allows for a somewhat higher probability of operator-initiated CSIS, which is considered desirable as CSRS requires success of CSIS as discussed below.

D - Emergency Coolant Injection - ECI

ECI failure is less than the equivalent in delivery of one of three high head injection pumps. Accumulators are not required.

F - Containment Spray Recirculation System - CSRS

This is the same as the large LOCA with the period of operation dependent on how CLCS is initiated, as discussed for CSIS above. CSRS can depend on water delivered by CSIS to the containment sump for its supply and is assumed to fail if CSIS fails.

G - Containment Heat Removal System - CHRS

This is the same as the large LOCA.

H - Emergency Coolant Recirculation - ECR

This is the same as the small LOCA S1 except that the switchover to hot leg injection is not required because the core is not uncovered during the incident if ECI is successful.

I - Sodium Hydroxide Addition - SHA

This is the same as the large LOCA.

4.1.4 PWR REACTOR VESSEL RUPTURE

For the purposes of this study, it was convenient to class vessel rupture into two categories which can have different consequences:

a. Potential ruptures in the vessel were considered that could be of such size and location that they are essentially equivalent to pipe breaks and thus ECI and ECR would be expected to cool the core. If the rupture is of such size as to be within pipe break size limits equivalent to about the double-ended break of the largest RCS pipe (~10 ft²) and if it were to be generally located above the core region, then ECCS should be able to cool the core as well as if the break were in the pipe. Breaks such as these are covered by the previously presented LOCA trees. Since it is expected that the likelihood of vessel rupture of this size would be far smaller than that of pipe ruptures, this would not represent a significant contribution to the study's risk assessment.

3 See previous LOCA sections 4.1.1, 4.1.2, and 4.1.3 for ECI and ECR definitions.

b. Potentially large ruptures in the vessel were considered that could prevent effective cooling of the core by ECCS.

manner but is less likely.1 Hence the steam generator rupture is not an important factor in the risks due to transient events.

With respect to a LOCA induced by a steam generator rupture, those sequences which could potentially involve a significant release of radioactivity must damage the RCS. The distinguishing fea-
Since certain of ture of a LOCA induced by steam genera-these ruptures appeared to be capa-tor failure is the addition of the ble of causing nisstles (such as the energy in the affected generator to that reactor vessel head) with sufficient of the RCS in blowing down to the con-momentum to rupture the containment, ta inmen t. This incremental energy would this area was examined with some have a snall offect on the containment care., The presence of a polar crane pressure, but o the rwi se the situation weighing 200 tons was determined to would be much like other LOCAs, It be a sufficient obstruction to pre-should also be noted that even a severe rupture of the steam generator would vent even a very large missile from ponctrating the top of the contain-result in a LOCA no larger than the equivalent of a doubic-ended break, rent.
Thus it is, in general, ex-pected that this type of vessel Further, the probability of a severe rupture would cause a core melt rupture is low, of the order of failure inside an intact containment.
of the reactor pressure vessel, which is much less than the failure probability of piping.
Thus, the rupture of a FWR E7 wever, because of the physical steam generator does not contribute pl,nt layout, there is some small importantly as a LOCA path, pronability that a large vessel mis-sile could in fact impact directly on the containment and penetrate 4.1.6 PWR RCS RUPTURE INTO INTERFACING through the wall.
This type of rup-SYSTEMS ture could involve a core meltdown in a non-intact containment.
Part of this study of the LOCAs included the investigation of a number of piping systems that connect to the reactor In these cases, the reactor vessel coolant system and also go through the rupture leads directly to core containment.
Such connections have the melting and the only ESTs of inter-potential to cause a LOCA in which the est,are those which remove radioac-interior of the reactor vessel may tivity and decay heat from the con-communicate to the environment.
- All, tainment a tmo sp he re.
This can be except the LPIS check valve situation se}intheeventtree shown in Fig, discussed below, were dismissed for any or a
combination of the following reasons:
4.1.5 PWR STEAM GENERATOR RUPTURES a.
The multiplicity of barriers that Consideration was also given to the would be required to fail would consequences that would f ollow f rom rup-render the LOCA much 1 css probable tures in either the primary or secondary than the check valves.
side of one stcan generator. Scmc 30 possible accident sequences cre identi-b.
Failure of the barriars would not sicd using event
- trees, ut t..e end involve loss of vital safeguards and result is either a rapid cooldewn tran-the loss of PCS coolant could be 8
^*
accommodated within the design of the interfacing systems through Transients arc more ecmprehensively dis-safety and relief provisions, and cussed in section 4.3.1, but it should the coolant loss could be controlled be noted here that stean generator in-or contained without a core melt duced transients do not load to core occurring.
melt but could cause release of gaseous radioactivity into the RCS from the fuel-clad gap.
In magnitude this result is roughly comparahlo to a transient y
induced by the inadvertent full-opening Table I 4-10, section 4.3.1, PWR Tran-of the turbine bypass valves to the con-sients, in thin Appendix.
01 164 I-47 g
c. Failure of the barriers would involve a LOCA into the containment and would, therefore, be covered by previous LOCA event trees.

During the course of this study, a potential deficiency was identified in the design of a portion of the emergency core cooling system (ECCS) which uses double (in-series) check valves as barriers between the low pressure injection system (LPIS) which is outside the containment and the high pressure RCS which is inside the containment. Figure I 4-6 shows the configuration of interest. Common failure of these double barriers could result in a LOCA that suddenly discharges into the LPIS system and bypasses the containment. The LPIS system, with its low design pressure, could fail due to overpressure or dynamic loadings beyond its design, thus resulting in core melting. In this situation, containment ESFs would be of no interest since the release of radioactivity would largely bypass the containment system.

The check valves, when functioning as a double barrier between the interfacing systems, make the probability of LOCA due to rupture of both barriers small. In this specific design, however, no test provisions or procedures were found to exist which would assure availability of double barriers for plant operation. LPIS pumps and lines are required to be flow tested at least yearly to ensure that discharge of coolant to the RCS occurs. These tests do not, however, ensure that the check valves reseat or that both check valves would be effective as barriers. It is possible therefore that one check valve could be stuck open and only one barrier would indeed be effective during plant operation. This possibility was considered and the probability of failure of the LPIS check valves leading to an uncontrolled LOCA was estimated to be about 4 x … It was found that monthly testing, for example, could also reduce this probability by more than an order of magnitude.

4.1.7 Event Tree for LPIS Check Valve

The event tree for the LPIS check valve shows the possible sequence of events resulting from rupture of the LPIS check valve barriers. All sequences are considered to result in core melt and the dominant radioactivity release path would occur through the ruptured LPI system into a safeguards building that houses the LPI system. The discharge of RCS coolant and steam into the safeguards building would cause loss of leakage integrity of the safeguards building. Radioactivity deposition and plateout in the safeguards building has been estimated to be small since the steaming rate would tend to rapidly sweep the fission products from the small volume building to the atmosphere.

Column heading EP reflects the availability of electric power to operate the high pressure injection system (HPIS) pump which is reflected under column heading ECI. There would be no ECI success in terms of preventing a core melt. However, if the accumulators and the HPIS operated, core melt could be delayed until after the coolant delivered from the RWST has been depleted. For example, if only one of the three HPIS pumps were to operate, the rate of RWST depletion would be less and core melt could be advantageously delayed for about 10 to 11 hours. If more than 1 HPIS pump were to operate, or if the containment ESFs were actuated by the plant operator, or if the LPIS pumps would operate to increase RWST depletion, then core melt could occur in about 1 to 2 hours. This was the expected time of melt considered for purposes of determining the potential radioactivity release.

The column heading RPS represents success or failure of the reactor protection system to initiate trip of the reactor control rods and is illustrated merely to indicate that core melt could be hastened slightly in time if failure of RPS occurred. Column headings EP and RPS on the event tree could be readily excluded from the tree since the probability of failure for each is small and their failure would simply hasten the time of melt.

Refer to section 4 of Appendix V.

4.2 BWR LOSS-OF-COOLANT ACCIDENTS

Reactor coolant system (RCS) ruptures which result in loss of coolant accidents can be categorized as a function of rupture location. RCS ruptures inside the primary containment are distinguished from ruptures outside the primary containment.

Evaluation has shown that the significant loss-of-coolant accidents can be covered by four major accident categories, and these are treated in the following subsections:
NOTES

1. The systems available to make the reactor subcritical are: (1) the scram system and (2) the combination of reactor coolant pump trip and poison injection. Either of these systems is sufficient for the very likely and less likely transients. However, there may be some very rapid unanticipated transients for which only the scram system operates quickly enough to be effective. Therefore, … subcritical is higher for the unanticipated transients.

2. The systems available to maintain an adequate inventory of water in the reactor vessel are the feedwater system, the reactor core isolation cooling system (RCICS), the high pressure coolant injection system (HPCIS), and the low pressure emergency core cooling systems. The loss of off-site power increases the probability of failure of some of these systems, as indicated in Fig. I 4-12b.

3. The systems available to transfer fission product decay heat to the environment are: (1) the power conversion system and (2) the combination of the residual heat removal (RHR) system and high pressure service water (HPSW) system. The loss of off-site power increases the probability of failure of both of these systems, as indicated in Fig. I 4-12b.

FIGURE I 4-12 Simplified BWR Transient Event Tree