ML19312E278

TMI-1 Potential Core Damage Accident Sequences & Preventive & Mitigative Measures
ML19312E278
Person / Time
Site: Crane
Issue date: 06/02/1980
From:
NRC COMMISSION (OCM)
To:
Shared Package
ML19312E276 List:
References
NUDOCS 8006040125
Download: ML19312E278 (87)


Text


TMI-1 POTENTIAL CORE DAMAGE ACCIDENT SEQUENCES AND PREVENTIVE AND MITIGATIVE MEASURES


INTRODUCTION

In response to the Board's Order of March 31, 1980, the NRC staff, using event trees, has identified those accident sequences with reasonable nexus to the TMI-2 accident along with those measures that the NRC has required or may require the licensee to take to reduce the likelihood of such sequences.


GENERAL

In order to describe the possible accident sequences with reasonable nexus to the Three Mile Island, Unit 2 (TMI-2) accident, we have developed two event trees which have as initiating events a loss of main feedwater (LMFW) transient and a small break loss-of-coolant accident (LOCA).

For completeness, it was necessary to develop a tree applicable to any size LOCA; the small break LOCA is a special case, as can be seen from the discussion that follows.

In developing these two event trees, certain simplifying assumptions were made to eliminate from further consideration any possible sequences which are not considered sequences with reasonable nexus to the TMI-2 accident.

For this reason, failure of automatic (or manual) reactor scram, which would lead to a set of anticipated transient without scram (ATWS) sequences, has not been included on either event tree.

Another event which has not been included is loss of alternating current (ac) electric power.

Since this would involve the failure of the offsite ac power source coupled with the failure of the emergency power diesel generators to start, it does not represent a condition with reasonable nexus to the TMI-2 accident.

On February 7, 1980, the licensee submitted a generic report prepared by Babcock & Wilcox and a plant-specific report for TMI-1 regarding emergency feedwater system (EFWS) reliability.

These reports indicate that the EFWS for TMI-1 has no dependencies on ac electric power which would lead to loss of system function in the event of a loss of all ac electric power.

Although the staff review of this report is not yet complete and we have expressed concern about the possibility of steam admission valve failure leading to a turbine-driven AFWS pump overspeed trip, we believe that this concern can be resolved to the staff's satisfaction and any dependency (if it exists) eliminated.

In developing the event trees, it was assumed that the TMI-1 plant design has incorporated all of the modifications required by the Commission Orders and Office of Inspection and Enforcement (IE) Bulletins.

One example of a case where this affects the event trees is the required change in the relative position of the high pressure reactor trip and pressurizer electromatic pressure relief valve setpoints, coupled with the required installation of a number of anticipatory reactor trips.

As a result of these modifications, the pressurizer relief valve will not be challenged during a loss of feedwater transient, provided that the EFWS starts automatically and provides flow to the steam generators with no delay, as designed.

In the pre-TMI-2 accident configuration, the pressurizer relief valve would have always been challenged by this transient.

The method used in developing the two event trees was as follows.

Given the two initiating events, loss of main feedwater and loss-of-coolant accident, the method presented in Appendix I to WASH-1400 was then followed.

Briefly, this consists of identifying the functions which must be performed by systems and equipment following the initiating event in order to preclude core damage.

Table 1 identifies those functions for the case of a loss of main feedwater transient.

In the case of a LOCA, the functions required are identified in Table 2.

For a LOCA, these functions are performed by the engineered safety features (ESF) systems.

It should be emphasized that degraded operation of ESF systems was not considered.

That is, systems were assumed to operate as designed or were treated as failed.

Referring to Table 2, if ECI fails, serious core damage will result whether or not ECR functions.

On the other hand, if ECI is successful and ECR fails, serious core damage or melt will result.

Should PAHR fail, the containment would fail, and ECR would ultimately fail because of loss of sump inventory, leading to serious core damage or melt.

During a LOCA, containment integrity can fail by two basic mechanisms:

(a) the containment can fail to isolate, and (b) many physical processes may occur following core melt or failure of function (4) that can cause rupture of containment integrity.

Failure of the PARR function has no influence on the condition of the core.

It could, however, increase the severity of the accident consequences.

EVENT TREES

The drawing of event trees was performed by indicating the above-identified functions (as modified by the simplifying assumptions previously described), together with the initiating events, loss of main feedwater (Tree T) and LOCA (Tree S), as event tree headings in roughly chronological order.

Each tree proceeds from left to right by the addition under each heading of branches

Table 1 Functions Which Must be Performed Following a Loss of Main Feedwater Transient in Order to Preclude Core Damage

(1) The fission process must be terminated.(a)

(2) The reactor coolant pressure must be limited to a value that will not cause failure of the reactor coolant system (RCS).

(3) An adequate coolant inventory must be maintained within the RCS.

(4) The core shutdown heat energy must be transferred to the environment.

If all four functions cited above are performed successfully, the core is not damaged.

If any of functions (1), (3), or (4) is not successful, it is possible that core damage and melt could result.

If function (2) is not successful, a LOCA could result.

(a) Note: As discussed previously, this event tree development assumed that function (1) was successful.

Table 2 Functions Which Must be Performed by Engineered Safety Features Following a LOCA in Order to Preclude Core Damage

(1) The fission process must be terminated.

(2) Emergency core cooling to minimize core damage, which in turn keeps the release of radioactivity from the fuel into the containment at low levels.(b)

(3) Post-accident radioactivity removal (PARR) to remove from the containment atmosphere the radioactivity in order to minimize potential releases to the environment.

(4) Post-accident heat removal (PAHR) to remove the core decay heat from the containment.

(5) Containment integrity to prevent the radioactivity not removed by PARR from being dispersed into the environment.(c)

(a) As discussed previously, this event tree development assumed that function (1) was successful.

(b) The performance requirements for emergency core cooling change greatly with time.

It is convenient, therefore, to separate emergency core cooling into two discrete time phases: an emergency cooling injection mode (ECI) to cover the initial period of LOCA, and a long-term recirculation mode (ECR) for the rest of the time.

(c) Of interest in this effort were event sequences leading to a core melt situation with reasonable nexus to the TMI-2 accident.

Consideration of containment integrity would require a separate containment event tree.

Since this function would be of interest only if one wanted to examine containment integrity failures given that an accident resulted in a core melt, it was not considered further in this effort.

corresponding to two alternatives: successful performance of function (upper branch) and failure (lower branch).

Referring to Sequence No. 2 on Event Tree T, reading events from left to right yields the sequence of events $T\,\bar{L}\,\bar{P}_1\,\bar{P}_2\,Q$.

In the notation used in this study, barred quantities represent successes, unbarred quantities represent failures.

This sequence can be written more simply in terms of failures as TQ.

The situation described by TQ is as follows.

A loss of main feedwater occurs (event T).

It is assumed that reactor trip occurs.

Although sufficient feedwater is provided to at least one steam generator for secondary heat removal, by either the EFWS or by recovery of the main feedwater system, the start is delayed (event $\bar{L}$).

The resulting pressure transient exceeds the setpoint for reactor coolant system pressure relief (event $\bar{P}_1$).

The pressurizer power-operated relief valve (PORV) opens to relieve primary system pressure (event $\bar{P}_2$), as designed.

However, the PORV fails to close (event Q), which results in a small-small LOCA.

Failure to establish makeup would ultimately result in serious core damage or melt.

Note the case of the requirement for primary system pressure relief.

In this case, the desired event is the failure to exceed the primary system relief setpoints, in contrast to the other headings on Event Tree T, in which success is the desired event.

Tables 3 and 4 contain the event definitions for Event Trees T and S, respectively.

The definitions of the success requirements for equipment for loss of main feedwater transients are presented in Table 5.

For the purposes of this discussion, the spectrum of LOCAs has been classified into four categories according to break size as follows:

Large LOCA - A breach of the RCS with a flow area greater than 1 ft² (diameter > 13.5").

Medium LOCA - A breach of the RCS with a flow area greater than 0.4 ft² and less than or equal to 1 ft² (13.5" > diameter > 8.5").

Table 3 Event Definitions for Event Tree T Depicting Loss of Main Feedwater Transient (LMFW) - Offsite Power Available

T Loss of Main Feedwater - Interruption of the main feedwater flow to the steam generators.

L Emergency Secondary Heat Removal - Failure to provide sufficient feedwater flow (defined as 6% of maximum MFW flow) to at least one steam generator by some time Ti and maintain it for an extended period of time by one of the following methods:

(1) Automatic activation of the emergency feedwater system (EFWS).

(2) Manual actuation of EFWS (if automatic actuation fails).

(3) Manual recovery of the main feedwater system.

P1 Primary System Pressure Relief Requirement - Failure to challenge the systems provided for reactor coolant system pressure relief.

P2 Primary System Pressure Relief - Failure of sufficient relief and/or safety valves to open and relieve excess primary system pressure.

Q Primary System Integrity - Failure to reseat of any relief and/or safety valves which opened.

In the case of relief valve failure to reseat, this includes failure of the operator to isolate the relief valve.

Primary System Makeup - Failure to establish flow from the borated water storage tank (BWST) to the RCS using at least one high pressure injection (HPI) pump (for the purpose of a "feed and bleed" operation).

Note: This function has been incorporated with the emergency core cooling system (ECCS) functions on the LOCA event tree since it is of interest primarily in cases where emergency feedwater has failed and it is necessary to establish a "feed and bleed" operation using the HPI system, which is part of the ECCS (to feed), and the pressurizer relief valve (to bleed) for heat removal.

Table 4 Event Definitions for Event Tree S Depicting Loss-of-Coolant Accident (LOCA) with Offsite Power Available

B LOCA - A breach of the pressure boundary of the reactor coolant system (RCS) which causes an uncontrolled loss of water inventory.

D Emergency Coolant Injection (ECI) - Failure to provide sufficient water to the core to prevent core melt during the injection phase of a LOCA.

(Includes primary system makeup considerations from Event Tree T.)

R Post-Accident Radioactivity Removal (PARR) - Failure to remove radioactivity from the containment atmosphere.

Failure of this function has no effect on the condition of the core, but does affect the severity of the consequences.

P Post-Accident Heat Removal (PAHR) - Failure to remove the core decay heat from the containment to prevent its overpressure.

H Emergency Coolant Recirculation (ECR) - Failure to provide sufficient water to the core to prevent core melt during the recirculation phase of a LOCA.

Table 5 Definition of Equipment Success Requirements for LMFW Transient

Emergency Secondary Heat Removal: Automatic or Manual Actuation of EFWS or Recovery of MFW (6% full power flow)

Primary System Pressure Relief Requirement: RCS Pressure Exceeds Relief Setpoints

Primary System Pressure Relief: 1/3 Safety/Relief valves (S/RVS) opens

Primary System Integrity: All S/RVS Reseat

Primary System Makeup: 1/3 HPI Pumps Aligned to borated water storage tank (BWST)

Small LOCA - A breach of the RCS with a flow area greater than 0.087 ft² and less than or equal to 0.4 ft² (8.5" ≥ diameter > 4").

Small-Small LOCA - A breach of the RCS with a flow area less than or equal to 0.087 ft² (4" ≥ diameter).

Using the above classification scheme, the functional headings on the LOCA event tree have been restated in terms of the engineered safety features systems for TMI-1.

Emergency Coolant Injection has been expanded in terms of system requirements for various break sizes as shown below.

ECI for Large LOCA - Failure to provide flow to the RCS from 2 out of 2 core flooding tanks and at least 1 out of 2 low pressure trains (taking suction from the borated water storage tank (BWST)).

ECI for Medium LOCA - Failure to provide flow to the RCS from (a) 2 out of 2 core flooding tanks and at least 1 out of 2 low pressure trains (taking suction from the BWST) or (b) 2 out of 2 low pressure trains (taking suction from the BWST).

ECI for Small LOCA - Failure to provide flow to the RCS from at least 1 out of 2 high pressure trains and 1 out of 2 low pressure trains (taking suction from the BWST).

ECI for Small-Small LOCA - Failure to provide flow to the RCS from at least 1 out of 2 high pressure trains (taking suction from the BWST).

In order to relate the PARR and PAHR functional headings to specific TMI-1 systems, it was also necessary to consider these functions as being composed of two phases:

the injection phase and the recirculation phase.

Using this consideration, PARR and PAHR have been expanded in terms of the design bases for the reactor building spray and air cooler systems as shown below.

PARR (Injection Phase) - Failure to provide flow from at least 1 out of 2 reactor building spray system pumps, taking suction from the borated water storage tank, through its associated spray header into the containment atmosphere.

PAHR (Injection Phase) - Failure to remove steam (heat) from the containment atmosphere using either 2 out of 2 reactor building spray system pumps in the injection mode or 2/5 reactor building air cooler units.

PARR (Recirculation Phase) - Failure to provide flow from at least 1 out of 2 reactor building spray system pumps, taking suction from the reactor building sump, through its associated spray header into the containment atmosphere.

PAHR (Recirculation Phase) - Failure to remove steam (heat) from the containment atmosphere using either 2 out of 2 reactor building spray system pumps in the recirculation mode or 2/5 reactor building air cooler units.

Emergency Coolant Recirculation (ECR) has been expanded as follows:

ECR for Large, Medium and Small LOCA - Failure to provide flow to the RCS from at least 1 out of 2 low pressure trains (taking suction from the reactor building sump) in the recirculation mode.

ECR for Small-Small LOCA - Failure to provide flow to the RCS from at least 1 out of 2 high pressure trains with its associated low pressure train (taking suction from the reactor building sump) in the recirculation mode.

The definitions of the success requirements for engineered safety features equipment for LOCA events are summarized in Table 6.

After Event Trees T and S were drawn, paths across each tree were traced by choosing a branch under each successive heading.

Each path corresponds to an accident sequence. As indicated on Event Tree T, some sequences initiated by a loss of feedwater transient result in a LOCA.

Hence, in those cases, it is necessary to move to Event Tree S to complete the accident sequence.

A brief description of each accident sequence that leads to a LOCA or to a severe core damage or core melt situation is presented following the event trees.

Table 6 Definition of ESF Equipment Success Requirements for LOCA Events

[Table contents not legible in the scan. Columns: LOCA Size; Injection Phase (Post-Accident Heat Removal, Post-Accident Radioactivity Removal, Emergency Core Cooling); Recirculation Phase (Post-Accident Heat Removal, Post-Accident Radioactivity Removal, Emergency Core Cooling). Rows: small-small, small, medium and large LOCA.]

EVENT TREE T

[Event tree figure; only the headings and sequence results are recoverable.]

Headings: MFW (T), Emerg. Sec. Ht. Removal (L), Requirement for Primary System Press. Relief (P1), Primary System Pressure Relief (P2), Primary System Integrity (Q)

Sequence No. 1: T, result S

Sequence No. 2: TQ, result LOCA

Sequence No. 3: TP2, result LOCA

Sequence No. 4: TP1, result S

Sequence No. 5: TL, result LOCA

Sequence No. 6: TLP2, result LOCA

S: Safe Condition Expected (Some Fuel Damage May Result)

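EVENT TREE S

[Event tree figure; only the headings and sequence results are recoverable.]

Headings: LOCA (B), ECI (D), PARR (R), PAHR (P), ECR (H)

Sequence No. 1: B, result S

Sequence No. 2: BH, result CM

Sequence No. 3: BP, result CM

Sequence No. 4: BR, result S

Sequence No. 5: BRH, result CM

Sequence No. 6: BRP, result CM

Sequence No. 7: BD, result CM

B: 2,3,6,7 from TREE T

S: Safe Condition Expected (Acceptable Fuel Damage Results)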
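The dependency rules stated in the text after Table 2 (ECI failure ends the path, PAHR failure implies ECR failure, PARR does not affect the core) are enough to regenerate Event Tree S mechanically. The Python below is an added example, not part of the NRC document; its function names are illustrative, and the reference list of sequences is transcribed from the tree as printed.

```python
"""Regenerate Event Tree S from the pruning rules given in the text.

Added illustration: names such as has_branch and collapse are assumptions,
not terms from the NRC document.
"""
from itertools import product

INITIATOR = "B"                    # LOCA (Table 4)
HEADINGS = ("D", "R", "P", "H")    # ECI, PARR, PAHR, ECR, in tree order

# Sequence labels and results as printed on Event Tree S.
# "S" is the safe condition; "CM" is the tree's label for the sequences the
# descriptions give as serious core damage or melt.
PRINTED_TREE_S = [
    ("B", "S"), ("BH", "CM"), ("BP", "CM"), ("BR", "S"),
    ("BRH", "CM"), ("BRP", "CM"), ("BD", "CM"),
]


def core_outcome(failed):
    """End state of the core for a collection of failed headings."""
    if "D" in failed:   # ECI fails: damage whether or not ECR functions
        return "CM"
    if "P" in failed:   # PAHR fails: containment fails, ECR ultimately fails
        return "CM"
    if "H" in failed:   # ECI succeeds but ECR fails
        return "CM"
    return "S"          # PARR failure alone has no influence on the core


def has_branch(heading, failed):
    """True when the tree still draws a success/failure branch here."""
    if "D" in failed:
        return False    # outcome fixed regardless of later ESF functions
    if heading == "H" and "P" in failed:
        return False    # ECR failure is a consequence of PAHR failure
    return True


def enumerate_sequences():
    """Walk the headings left to right, upper branch (success) first."""
    paths = [()]
    for heading in HEADINGS:
        extended = []
        for failed in paths:
            extended.append(failed)                    # success branch
            if has_branch(heading, failed):
                extended.append(failed + (heading,))   # failure branch
        paths = extended
    return [(INITIATOR + "".join(p), core_outcome(p)) for p in paths]


def collapse(failed):
    """Map any raw failure combination onto the pruned sequence it joins."""
    kept = []
    for heading in HEADINGS:
        if heading in failed and has_branch(heading, tuple(kept)):
            kept.append(heading)
    return tuple(kept)


def pruning_is_sound():
    """Check all 16 raw combinations land on a printed sequence with the
    same core outcome, so pruning discards no distinct end state."""
    printed = {label for label, _ in enumerate_sequences()}
    for bits in product((False, True), repeat=len(HEADINGS)):
        full = tuple(h for h, bad in zip(HEADINGS, bits) if bad)
        short = collapse(full)
        if INITIATOR + "".join(short) not in printed:
            return False
        if core_outcome(full) != core_outcome(short):
            return False
    return True


if __name__ == "__main__":
    for number, (label, result) in enumerate(enumerate_sequences(), start=1):
        print(number, label, result)
    print("matches printed tree:", enumerate_sequences() == PRINTED_TREE_S)
    print("raw paths collapse consistently:", pruning_is_sound())
```

The same walk applies to any event tree whose branch-suppression rules can be written as a predicate over the failures already on the path.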

Sequence: BH (S2)

Initiator: LOCA

Sequence Description:

The S2 LOCA sequence represents successful operation of emergency coolant injection and of post-accident radioactivity removal and post-accident heat removal (represented by the reactor building spray and reactor building air cooling systems).

The nuclear services closed cooling water system (NSCCWS) and at least one loop of the decay heat closed cooling water system (DHCCWS) operate as designed throughout the accident.

Emergency coolant recirculation fails, resulting in serious core damage or melt.

Sequence: BP (S3)

Initiator: LOCA

Sequence Description:

The S3 LOCA sequence represents successful operation of emergency coolant injection and of post-accident radioactivity removal (represented by the reactor building spray system). However, post-accident heat removal fails, causing the containment to fail, and leading to failure of emergency coolant recirculation, which ultimately leads to serious core damage or core melt.

Sequence: BRH (S5)

Initiator: LOCA

Sequence Description:

The S5 LOCA sequence represents successful operation of emergency coolant injection and post-accident heat removal.

Post-accident radioactivity removal fails, but this does not cause core melt.

However, emergency coolant recirculation fails.

This results in serious core damage or melt.

Sequence: BRP (S6)

Initiator: LOCA

Sequence Description:

The S6 LOCA sequence represents successful operation of emergency coolant injection only.

Both post-accident radioactivity removal and post-accident heat removal fail.

Failure of PAHR leads to eventual failure of emergency coolant recirculation. This results in serious core damage or core melt.

Sequence: BD (S7)

Initiator: LOCA

Sequence Description:

In the LOCA sequence S7, emergency coolant injection fails.

Failure of ECI results in core melt regardless of the success or failure of subsequent ESF functions.

Sequence: T2 S2

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The primary relief and safety valves open as designed, but at least one relief or safety valve fails to close, which results in a small-small LOCA.

Emergency coolant injection, post-accident radioactivity removal, and post-accident heat removal (represented by the reactor building spray and reactor building air cooling systems) successfully operate.

The nuclear services closed cooling water system (NSCCWS) and at least one loop of the decay heat closed cooling water system (DHCCWS) operate as designed throughout the accident.

However, emergency coolant recirculation fails, resulting in serious core damage or melt.

Sequence: T2 S3

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The primary relief and safety valves open as designed, but at least one relief or safety valve fails to close, which results in a small-small LOCA.

Emergency coolant injection and post-accident radioactivity removal (represented by the reactor building spray system) operate successfully.

However, post-accident heat removal fails, causing the containment to fail, and leading to failure of emergency coolant recirculation, which ultimately leads to serious core damage or core melt.

Sequence: T2 S5

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs. Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The primary relief and safety valves open as designed, but at least one relief or safety valve fails to close, which results in a small-small LOCA.

Emergency coolant injection and post-accident heat removal operate successfully.

Post-accident radioactivity removal fails, but this does not cause core melt.

However, emergency coolant recirculation fails.

This results in serious core damage or melt.

Sequence: T2 S6

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief. The primary relief and safety valves open as designed, but at least one relief or safety valve fails to close, which results in a small-small LOCA.

Emergency coolant injection operates successfully.

Both post-accident radioactivity removal and post-accident heat removal fail.

Failure of PAHR leads to eventual failure of emergency coolant recirculation.

This results in serious core damage or melt.

Sequence: T2 S7

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The primary relief and safety valves open as designed, but at least one relief or safety valve fails to close, which results in a small-small LOCA.

Emergency coolant injection fails.

Failure of ECI results in core melt regardless of the success or failure of subsequent ESF functions.

(Note: Although the sequence T2 S7 indicates a result of core melt, it most closely follows the TMI-2 accident sequence.

Since degrees of degradation of engineered safety features have not been considered (notably ECI, where the fact is that, at TMI-2, HPI did initiate and operate until terminated prematurely by the operator), the predicted results may be more severe.)

Sequence: T3 S2

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The relief valve and both safety valves fail to open, causing the reactor coolant system to overpressurize and rupture, resulting in a LOCA with possible core melt, depending on the type of RCS rupture.

Assuming a potentially recoverable situation, emergency coolant injection, post-accident radioactivity removal, and post-accident heat removal (represented by the reactor building spray and reactor building air cooling systems) operate successfully.

The nuclear services closed cooling water system (NSCCWS) and at least one loop of the decay heat closed cooling water system (DHCCWS) operate as designed throughout the accident.

Emergency coolant recirculation fails, resulting in serious core damage or melt.

Sequence: T3 S3

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The relief valve and both safety valves fail to open, causing the reactor coolant system to overpressurize and rupture, resulting in a LOCA with possible core melt, depending on the type of RCS rupture. Assuming a potentially recoverable situation, emergency coolant injection and post-accident radioactivity removal (represented by the reactor building spray system) operate successfully.

However, post-accident heat removal fails, causing the containment to fail, and leading to failure of emergency coolant recirculation, which ultimately leads to serious core damage or core melt.

Sequence: T3 S5

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The relief valve and both safety valves fail to open, causing the reactor coolant system to overpressurize and rupture, resulting in a LOCA with possible core melt, depending on the type of RCS rupture.

Assuming a potentially recoverable situation, emergency coolant injection and post-accident heat removal operate successfully.

Post-accident radioactivity removal fails, but this does not cause core melt.

However, emergency coolant recirculation fails.

This results in serious core damage or melt.

Sequence: T3 S6

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The relief valve and both safety valves fail to open, causing the reactor coolant system to overpressurize and rupture, resulting in a LOCA with possible core melt, depending on the type of RCS rupture.

Assuming a potentially recoverable situation, emergency coolant injection operates successfully.

Both post-accident radioactivity removal and post-accident heat removal fail.

Failure of PAHR leads to eventual failure of emergency coolant recirculation.

This results in serious core damage or melt.

Sequence: T3 S7

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

Either the emergency feedwater system starts (or is started manually) or the main feedwater system is recovered, but the start is delayed, requiring primary pressure relief.

The relief valve and both safety valves fail to open, causing the reactor coolant system to overpressurize and rupture, resulting in a LOCA and possibly core melt, depending on the type of RCS rupture. Assuming a potentially recoverable situation, emergency coolant injection fails.

Failure of ECI results in core melt regardless of the success or failure of subsequent ESF functions.

Sequence: T S 3 2

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief and safety valves open to relieve primary system pressure, as designed, but at least one relief or safety valve will remain open to provide primary system pressure relief unless the operator establishes heat removal through manual initiation of the HPI system and operation of the pressurizer relief valve according to procedure.

Emergency coolant injection, post-accident radioactivity removal, and post-accident heat removal (represented by the reactor building spray and reactor building air cooling systems) operate successfully.

The nuclear services closed cooling water system (NSCCWS) and at least one loop of the decay heat closed cooling water system (DHCCWS) operate as designed throughout the accident.

Emergency coolant recirculation fails, resulting in serious core damage or melt.

Sequence: T S 3 3

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs. The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief and safety valves open to relieve primary system pressure, as designed, but at least one relief or safety valve will remain open to provide primary system pressure relief unless the operator establishes heat removal through manual initiation of the HPI system and operation of the pressurizer relief valve.

Emergency coolant injection and post-accident radioactivity removal (represented by the reactor building spray system) operate successfully.

However, post-accident heat removal fails, causing the containment to fail, and leading to failure of emergency coolant recirculation which ultimately leads to core melt.

Sequence: T S 3 3

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief and safety valves open to relieve primary system pressure, as designed, but at least one relief or safety valve will remain open to provide primary system pressure relief unless the operator establishes heat removal through manual initiation of the HPI system and operation of the pressurizer relief valve.

Emergency coolant injection and post-accident heat removal operate successfully.

Post-accident radioactivity removal fails, but this does not cause core melt.

However, emergency coolant recirculation fails.

This results in serious core damage or melt.

Sequence: T S. 3

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief and safety valves open to relieve primary system pressure, as designed, but at least one relief or safety valve will remain open to provide primary system pressure relief unless the operator establishes heat removal through manual initiation of the HPI system and operation of the pressurizer relief valve.

Emergency coolant injection operates successfully.

Both post-accident radio-activity removal and post-accident heat removal fail.

Failure of PAHR leads to eventual failure of emergency coolant recirculation.

This results in serious core damage or core melt.

Sequence: T 5 3 7

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs. The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief and safety valves open to relieve primary system pressure, as designed, but at least one relief or safety valve will remain open to provide primary system pressure relief unless the operator establishes heat removal through manual initiation of the HPI system and operation of the pressurizer relief valve.

Emergency coolant injection fails.

Failure of ECI results in core melt regardless of the success or failure of subsequent ESF functions.

Sequence: T S 7 2

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief valve and both primary safety valves fail to open as designed to relieve the primary system pressure.

This causes overpressurization and rupture of the reactor coolant system, resulting in a LOCA with possible core melt, depending on the type of RCS rupture.

Assuming a potentially recoverable situation, emergency coolant injection, post-accident radioactivity removal, and post-accident heat removal (represented by the reactor building spray and reactor building air cooling systems) operate successfully.

The nuclear services closed cooling water system (NSCCWS) and at least one loop of the decay heat closed cooling water system (DHCCWS) operate as designed throughout the accident.

Emergency coolant recirculation fails, resulting in serious core damage or melt.

Sequence: Ts 53

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief valve and both primary safety valves fail to open as designed to relieve the primary system pressure.

This causes overpressurization and rupture of the reactor coolant system, resulting in a LOCA with possible core melt, depending on the type of RCS rupture.

Assuming a potentially recoverable situation, emergency coolant injection and post-accident radioactivity removal (represented by the reactor building spray system) operate successfully.

However, post-accident heat removal fails, causing the containment to fail, and leading to failure of emergency coolant recirculation, which ultimately leads to core melt.

Sequence: Ta Ss

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs. The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief valve and both primary safety valves fail to open as designed to relieve the primary system pressure.

This causes overpressurization and rupture of the reactor coolant system, resulting in a LOCA with possible core melt, depending on the type of RCS rupture. Assuming a potentially recoverable situation, emergency coolant injection and post-accident heat removal operate successfully.

Post-accident radioactivity removal fails, but this does not cause core melt. However, emergency coolant recirculation fails. This results in serious core damage or melt.

Sequence: Ts Sa

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful. The primary relief valve and both primary safety valves fail to open as designed to relieve the primary system pressure.

This causes overpressurization and rupture of the reactor coolant system, resulting in a LOCA with possible core melt, depending on the type of RCS rupture.

Assuming a potentially recoverable situation, emergency coolant injection operates successfully.

Both post-accident radioactivity removal and post-accident heat removal fail.

Failure of PAHR leads to eventual failure of emergency coolant recirculation.

This results in serious core damage or core melt.

Sequence: T S,

Initiator: Loss of main feedwater transient

Sequence Description:

Reactor trip occurs.

The emergency feedwater system fails to start and attempts to recover it or to recover main feedwater flow are unsuccessful.

The primary relief valve and both primary safety valves fail to open as designed to relieve the primary system pressure. This causes overpressurization and rupture of the reactor coolant system, resulting in a LOCA with possible core melt, depending on the type of RCS rupture.

Assuming a potentially recoverable situation, emergency coolant injection fails.

Failure of ECI results in core melt regardless of the success or failure of subsequent ESF functions.


FUNCTIONAL FAILURES AND MEASURES TO REDUCE THE POTENTIAL FOR FAILURE

The following discussion will consider ways in which the functional failures defined in Tables 3 and 4 can occur in terms of system and equipment failures and the measures that the NRC has required or may require the licensee to take through Commission Orders, Office of Inspection and Enforcement Bulletins, the TMI-2 Action Plan, or otherwise, to reduce the potential for such failures.

Event Tree T

Loss of Main Feedwater

Failure of the main feedwater system can result from random component failures, or from maintenance-related failures, or from operator error that affect both turbine-driven main feedwater pump trains.

These can occur as follows:

(1) Main feedwater pump FW-P-1A failure.

(2) Failure of valves, piping, etc., in suction to main feedwater pump FW-P-1A.

(3) Failure of valves, piping, etc., in discharge of main feedwater pump FW-P-1A train.

(4) Main feedwater pump FW-P-1B failure.

(5) Failure of valves, piping, etc., in suction to main feedwater pump FW-P-1B.

(6) Failure of valves, piping, etc., in discharge of main feedwater pump FW-P-1B train.

If main feedwater pump FW-P-1A fails or a failure of components in the suction or the discharge of main feedwater pump FW-P-1A occurs coupled with the failure of main feedwater pump FW-P-1B or a failure of components in the suction or the discharge of main feedwater pump FW-P-1B occurs, both redundant trains of main feedwater will fail.

Ways in which (1) and (4) can occur include loss of steam supply, and turbine failure. Ways in which (2) and (5) can occur include piping rupture, condensate system failure, and valve failure. Ways in which (3) and (6) can occur include piping rupture and feedwater regulating valve failure.

Preventive maintenance-related failures include pump train out of service for maintenance and valve misalignment when returned to service following maintenance.

Since the main feedwater system is not a safety grade system, it is assumed that the occurrence of loss of feedwater transients cannot be eliminated and emphasis should be placed on coping with and mitigating these transients. A number of the measures considered for implementation by the NRC related to main feedwater system failure and the reduction of the potential for such an occurrence are listed in Table 7 which follows.

Table 7

Measures to Reduce Potential for Occurrence of Loss of Main Feedwater

Columns: Action; August 9, 1979 Order Item; Other Reference

1. ICS failure modes and effects analysis - Determine how failure of the integrated control system will affect the potential for the occurrence of a loss of main feedwater transient.
   August 9, 1979 Order Item: 1 (long-term)

2. Action Items 1 through 13 from Table 16

Emergency Secondary Heat Removal

Failure of this function consists of failure of the emergency feedwater system to start (either automatically or manually) within the specified time and failure to restart the main feedwater system and failure to provide the required feedwater flow to at least one steam generator sufficient for decay heat removal and maintain that flow for an extended period of time.

Emergency feedwater (EFW) system failure occurs when the required flow cannot be provided to at least one steam generator from the turbine-driven EFW pump or from both motor-driven EFW pumps for an extended period.

EFW system failure can result from random component failures, from preventive maintenance-related failures, or from operator error.

Such failures consist of failure of the turbine-driven EFW pump train coupled with a failure of one of the two motor-driven EFW pump trains.

Failures which can defeat the pump trains are listed below.

(1) Motor-driven EFW pump A failure

(2) Failure of piping, valves, etc., in suction to motor-driven EFW pump A

(3) Motor-driven EFW pump B failure

(4) Failure of piping, valves, etc., in suction to motor-driven EFW pump B

(5) Failure of valves, piping, etc., in discharge of motor-driven EFW trains

(6) Turbine-driven EFW pump failure

(7) Failure of piping, valves, etc., in suction to turbine-driven EFW pump

(8) Failure of valves, piping, etc., in discharge of turbine-driven EFW train.

Failure of motor-driven EFW pump A, or failure of components in the suction to motor-driven EFW pump A, or failure of motor-driven EFW pump B, or failure of components in the suction to motor-driven EFW pump B, or failure of components in the discharge of the motor-driven EFW trains, and failure of the turbine-driven EFW pump, or failure of components in the suction or the discharge of the turbine-driven EFW train will cause failure of the EFW system.

This involves simultaneous failure of two independent, diverse, redundant, safety-grade EFW trains.

Ways in which these failures can occur include:

(a) Failure of EFW actuation circuit components common to both feedwater trains (e.g., ICS failures which interact with circuitry).

(b) Preventive maintenance outages affecting one EFW pump coupled with component failures affecting either or both of the other EFW pumps.

(c) Pump failures involving control circuit failures, mechanical failures, plugging of the suction strainers, or inadequate steam supply to the turbine-driven EFW pump.

(d) Human errors involving misalignment of EFW system valves following testing or maintenance, failure to manually start EFW pumps in a timely manner according to procedures if automatic actuation fails, failure to switch EFW pump suction to a secondary source of EFW before drawdown of the primary EFW source, and failure to take corrective action upon indication of EFW malfunction.

As noted previously, the licensee's study of EFW system reliability identified no ac electric power dependencies which would cause EFW system failure in the event of a loss of all ac power.

The NRC staff's review of the licensee's February 7, 1980 submittal regarding the EFW reliability study has not yet been completed. Although the staff has expressed concern about potential steam admission valve failure resulting in a turbine overspeed trip in the event of a loss of all ac power, there is reasonable assurance that this concern can be resolved to the staff's satisfaction so that such dependency (if it does exist) will be eliminated.

Failure to restart the main feedwater system can be caused by:

(a) Failure of actuation circuitry,

(b) Human failure involving failure to restart the system or failure to correct the fault (if correctable) which initiated the loss of feedwater event. (Discussed previously.)

Measures which have been considered by the NRC to reduce the potential of failure of the emergency secondary heat removal function are listed in Table 8 below.

Table 8

Measures to Reduce Potential for Failure of Emergency Secondary Heat Removal Function

Columns: Action; August 9, 1979 Order Item; Other Reference

1. ICS failure modes and effects analysis - Determine how failure of the integrated control system will affect EFWS reliability.
   August 9, 1979 Order Item: 1 (long-term)

2. EFW timeliness and reliability requirements - To assure the timely availability of the emergency feedwater system even under adverse conditions, implement the eight items specified in Enclosure 1 of the licensee's June 28, 1979 letter as discussed in Order Item 1a, and the eight additional items also discussed in the SER under Order Item 1a, as follows.
   August 9, 1979 Order Item: 1

   From licensee's June 28, 1979 letter:

   (1) Automatic initiation of the motor-driven EFW pumps upon loss of both feedwater pumps or loss of four (4) Reactor Coolant Pumps.

   (2) Modification of the AFW control valves such that they fail open on loss of air.

   (3) Automatic block loading of the motor-driven EFW pumps on the diesel.

   (4) Incorporation of AFW in the TMI-1 technical specifications as specified in IE Bulletin 79-05A, item 8. Verification that technical specification requirements of AFW capacity are in accordance with the accident analysis will be conducted.

   (5) Provide indication in the control room of AFW flow to each Steam Generator.

   (6) Provide procedures and training to assure that AFW is available and properly applied when required. Procedures will identify the need to verify proper operation when AFW is initiated.

   (7) To assure that AFW will be aligned in a timely manner to inject on all AFW demand events when in the surveillance test mode, procedures will be implemented and training conducted to provide an operator at the necessary location in communications with the control room during the surveillance mode to carry out alignment changes necessary upon AFW demand events.

   (8) Design review and modifications, as necessary, will be conducted to provide control room annunciation for all auto start conditions of the AFW system.

   From SER, under Item 1(a):

   (1) Provide redundant level indication and control room alarms for the primary EFW system water supply.

   (2) Perform an endurance test on all EFW system pumps.

   (3) Revise emergency procedures to assure proper transfer of EFW supply to alternate sources when required.

   (4) Provide automatic termination of EFW flow to a depressurized steam generator and automatic supply to the intact steam generator.

   (5) Evaluate the need for automatic protection of EFW system pumps on loss of unprotected primary EFW system water source (following a seismic event or tornado).

   (6) Verification that EFW system initiation and operation is assured independent of any alternating current power source for at least two hours.

   (7) Verification that a postulated break in the steam line to the turbine-driven EFW pumps will not result in adverse environmental conditions which would compromise operability of the motor-driven EFW pumps and their associated flow path.

   (8) We noted that the EFW pump discharge line cross tie contains two normally open motor-operated valves. Upon loss of offsite power or loss of main feedwater, a single passive failure, such as pipe rupture in one EFW discharge line, could render both EFW trains inoperable. The licensee should address this concern.

3. Independence of EFW from ICS - Implement operating procedures for initiating and controlling EFW independent of Integrated Control System (ICS) to assure that ICS failure will not adversely impact EFWS performance.
   August 9, 1979 Order Item: 1

4. Required EFW train operability review - To assure that sufficient EFW flow is provided to the steam generators in a timely manner, if needed, implement procedures which assure that two independent EFW flow paths, each with 100% flow capacity, are operable at any time when heat removal from the primary system is through the steam generators, with appropriate limiting conditions for operation when this capability is not available.
   August 9, 1979 Order Item: 2

5. Reliability engineering and risk assessment program (IREP) - NRC will use risk assessment methods to identify particularly high risk accident sequences and dominant contributors at individual plants and will determine regulatory initiatives which may affect the EFW system to reduce these high risk sequences.
   Other Reference: Action Plan II.C.2

6. Requirement for flow indication and automatic initiation of auxiliary feedwater - The emergency feedwater system must start automatically and provide indication of EFW flow to each steam generator as specified by Items 2.1.7.a and 2.1.7.b of NUREG-0578 to assure that an adequate supply of EFW flow will be provided to the steam generators in a timely manner and can be monitored by the operator in the event that the main feedwater system is not available.
   August 9, 1979 Order Item: 8
   Other Reference: Action Plan II.E.1.2

7. Systems interaction program (Unresolved Safety Issue A-17) - Expand ongoing NRC staff work on systems interaction, incorporating it into an integrated plan for addressing the broader question of system (e.g., the AFW system) reliability in conjunction with IREP and other efforts.
   Other Reference: Action Plan II.C.3

8. Program to evaluate and improve auxiliary feedwater system (AFWS) reliability - To assure that the EFW system will provide sufficient EFW flow to the steam generators in a timely manner, the licensee will (1) perform simplified auxiliary feedwater system reliability analyses that use event-tree and fault-tree logic techniques to determine the potential for AFWS failure under various loss of main feedwater transient conditions, with particular emphasis being given to determining potential failures that could result from human errors, common causes, single point vulnerabilities, and test and maintenance outages; (2) complete a deterministic review of the auxiliary feedwater system using the acceptance criteria of Standard Review Plan Section 10.4.9 as principal guidance; and (3) reevaluate the AFW system flow design bases and criteria.
   Other Reference: Action Plan II.E.1.1

9. Action Items 1 through 31 from Table 16.

Primary Pressure Relief Requirement

Failure to require primary pressure relief consists of failure to challenge the systems provided for reactor coolant system pressure relief (pressurizer power-operated relief valve, Code safety valves).

In this case, failure of the function is the desired event. Ways in which the potential for challenges to the primary system pressure relief system can be reduced include:

(a) Raise the primary system pressure relief setpoint relative to the reactor trip on high pressure setpoint.

(b) Install a reactor trip based on parameter(s) other than pressure that will scram the reactor as early in the transient as possible.

(c) Ensure that sufficient feedwater flow from the EFW system is supplied to the steam generators in a timely manner to maintain an effective heat sink.

Measures considered by the NRC which reduce the potential for requiring primary system pressure relief are listed in Table 9 below.

Table 9

Measures to Reduce the Potential for Requiring Primary System Pressure Relief

Columns: Action; August 9, 1979 Order Item; Other Reference

1. Required changes to PORV setpoint - Modify the high pressure reactor scram setpoint and the PORV opening setpoint such that reactor scram will preclude opening of the PORV for a spectrum of anticipated transients, including a loss of main feedwater.
   August 9, 1979 Order Item: 2

2. Anticipatory reactor trips - The licensee must provide for NRC review a design review and implementation schedule for a safety grade automatic anticipatory reactor scram for loss of feedwater, turbine trip, or significant reduction in steam generator level in order to preclude challenges to the PORV should one of these events occur.
   August 9, 1979 Order Item: 2

3. EFW timeliness and reliability requirements - Upgrade the timeliness and reliability of the emergency feedwater system by performing the items specified in Enclosure 1 of the licensee's June 28, 1979 letter to preclude challenges to the PORV in the event of a loss of main feedwater.
   August 9, 1979 Order Item: 1
   Other Reference: See Action Item 2 in Table 8

4. Required EFW train operability review - Implement procedures which assure that two independent EFW flow paths, each with 100% flow capacity, are operable in a timely manner upon loss of main feedwater to preclude challenge to PORV.
   August 9, 1979 Order Item: 2

5. Program to evaluate and improve auxiliary feedwater system reliability - The licensee will (1) perform simplified auxiliary feedwater system reliability analyses that use event-tree and fault-tree logic techniques to determine the potential for AFWS failure under various loss of main feedwater transient conditions, with particular emphasis being given to determining potential failures that could result from human errors, common causes, single point vulnerabilities, and test and maintenance outages; (2) complete a deterministic review of the auxiliary feedwater system using the acceptance criteria of Standard Review Plan Section 10.4.9 as principal guidance; and (3) reevaluate the AFW system flow design bases and criteria. Failure to provide sufficient EFW flow to the steam generators in a timely manner could result in a challenge to the PORV.
   Other Reference: Action Plan II.E.1.1

6. Requirement for flow indication and automatic initiation of auxiliary feedwater - The emergency feedwater system must start automatically and provide indication of EFW flow to each steam generator in a timely manner in the event that the main feedwater system is not available, thereby precluding challenges to the PORV.
   August 9, 1979 Order Item: 8
   Other Reference: Action Plan II.E.1.2

7. Action Items 1 through 19 from Table 16

Primary System Pressure Relief

Failure of this function occurs when the pressurizer electromatic relief valve and both code safety valves fail to open as designed to provide primary system pressure relief. Ways in which the above-identified failures can occur include:

(1) Failure of electromatic relief valve opening mechanism (includes actuation circuitry)

(2) Failure to achieve required discharge flow through relief valve into pressurizer quench tank -- could be caused by a partially open relief valve or by the relief valve isolation valve being closed.

(3) Failure of the opening mechanisms on both Code safety valves.

(4) Human error involving failure to detect a stuck-closed pressurizer electromatic relief valve and to take corrective action to open it manually, or failure to detect and open the block valve, if closed.

Measures which the NRC has considered to reduce the potential for failure of the primary system pressure relief function are listed in Table 10 below.

Table 10

Measures to Reduce the Potential for Failure of the Primary System Pressure Relief Function

Columns: Action; August 9, 1979 Order Item; Other Reference

1. Testing of relief and safety valves - Demonstrate by testing and analysis that the relief and safety valves, block valves, and associated piping in the reactor coolant system are qualified for the full range of operating and accident conditions, thereby assuring that they will perform their pressure relief function as designed.
   August 9, 1979 Order Item: 8
   Other Reference: Action Plan II.D.1

2. Direct indication of relief and safety valve position - Will provide the operator with a more positive indication of valve position so that a PORV that fails to open as designed can be directly diagnosed and corrective action taken.
   August 9, 1979 Order Item: 8
   Other Reference: Action Plan II.D.3

3. Requirement for emergency power for pressurizer equipment - Develop procedures and modifications to upgrade motive and control components to safety grade criteria and electric power from emergency power sources for the power supplies for pressurizer relief valves, block valves, and level indicators, thereby providing assurance that the PORV will function to provide pressure relief, if challenged.
   August 9, 1979 Order Item: 8
   Other Reference: Action Plan II.G.1

Primary System Integrity

Failure of this function involves failure of any pressurizer relief or code safety valve to fully reseat after opening.

In the case of a pressurizer relief valve, also involved is the failure to isolate the relief valve using the block valve. Ways in which failure can occur include:

(1) Failure of relief valve closure mechanism (including actuation circuitry)

(2) Failure of relief valve body (e.g., damage caused by slug impact)

(3) Failure of Code safety valve closure mechanism

(4) Failure of safety valve body (e.g., damage caused by slug impact)

(5) Human failure involving failure to detect a stuck-open relief valve and isolate it using the block valve.

(6) Failure of block valve closure mechanism (including actuation circuitry), if relief valve sticks open.

(7) Failure of block valve body (e.g., damage caused by slug impact, design flow underspecified)

(8) Valve seat failure

(9) Valve position indication failure, if safety or relief valves do not reseat.

Measures considered by the NRC to reduce the potential for failure of the primary system integrity function are listed in Table 11 as follows:

Table 11

Measures to Reduce the Potential for Failure of Primary System Integrity Function

Columns: Action; August 9, 1979 Order Item; Other Reference

1. Testing of relief and safety valves - Demonstrate by testing and analysis that the relief and safety valves, block valves, and associated piping in the reactor coolant system are qualified for the full range of operating and accident conditions, thereby assuring that they will perform their pressure relief function and reseat as designed.
   August 9, 1979 Order Item: 8
   Other Reference: Action Plan II.D.1

2. Direct indication of relief and safety valve position - Will provide the operator with a more positive indication of valve position and therefore provide additional assurance that the integrity of the reactor coolant pressure boundary can be maintained or a loss of integrity directly diagnosed.
   August 9, 1979 Order Item: 8
   Other Reference: Action Plan II.D.3

3. Requirement for emergency power for pressurizer equipment - Develop procedures and modifications to upgrade motive and control components to safety grade criteria and electric power from emergency power sources for the power supplies for pressurizer relief valves, block valves, and level indicators, thereby providing assurance that the PORV will function to provide pressure relief and reseat, if challenged.
   August 9, 1979 Order Item: 8
   Other Reference: Action Plan II.G.1

4. Action Items 1 through 7, 10 through 15, 19 through 22, and 25 from Table 16

Event Tree S

LOCA

Emphasis in this discussion has been placed on dealing with and mitigating the effects of LOCAs.

One important aspect of this subject is reducing the potential for a small-small LOCA caused by a stuck-open pressurizer power-operated relief valve. This effort has been discussed previously in the discussion of Event Tree T, in the event heading Primary System Integrity.

Emergency Coolant Injection

ECI for Large LOCA

Failure of this function consists of failure to provide flow to the RCS from at least one out of two low pressure trains taking suction from the borated water storage tank and two out of two core flooding tanks.

In order for this function to fail, both low pressure trains and one core flooding tank must fail.

Failure of both low pressure trains and one core flooding tank consists of component failures and preventive maintenance-related failures. Ways in which these failures can occur are as follows:

(1) Low pressure injection (LPI) pump A failure

(2) Failure of piping, valves, etc., in suction to LPI pump A

(3) Failure of piping, valves, etc., in discharge of LPI train A

(4) Low pressure injection (LPI) pump B failure

(5) Failure of valves, piping, etc., in suction to LPI pump B

(6) Failure of piping, valves, etc., in discharge of LPI train B

(7) Core flooding tank A failure

(8) Failure of components in core flooding tank A discharge to RCS

(9) Core flooding tank B failure

(10) Failure of components in core flooding tank B discharge to RCS

When (1), (2) or (3), and (4), (5), or (6) and (7) or (8) or (9) or (10) occur, the function will fail.

This involves the simultaneous failure of two independent, redundant, safety grade LPI trains and one of two passive, independent, safety grade core flooding systems.

Ways in which these failures can occur include:

(a) Loss of all ac electric power (since this involves the failure of the offsite ac power source coupled with the failure of the two emergency diesel generators to start, it does not represent a condition with reasonable nexus to the TMI-2 accident).

(b) Preventive maintenance outages affecting one LPI pump coupled with component failures affecting the other LPI pump.

(c) Human error involving premature termination or throttling of LPI flow to the RCS once it has been initiated automatically by a non-spurious actuation signal, ignoring procedures, subcooling, etc.

(d) Failure of independent, redundant, safety grade decay heat removal closed cooling water system loops (not a condition with reasonable nexus to the TMI-2 accident).

(e) Failure of safety grade nuclear services river water system (not a condition with reasonable nexus to the TMI-2 accident).
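The large-LOCA ECI failure logic and outage case (b) above, worked as an added example that is not part of the NRC document: the fault tree is expanded into minimal cut sets using the page's event numbers (1) through (10). The tree encoding and the function names are assumptions made for this illustration.

```python
from itertools import product

# Basic events, numbered as in the page's large-LOCA list (1)-(10).
EVENTS = {
    1: "LPI pump A failure",
    2: "Failure in suction to LPI pump A",
    3: "Failure in discharge of LPI train A",
    4: "LPI pump B failure",
    5: "Failure in suction to LPI pump B",
    6: "Failure in discharge of LPI train B",
    7: "Core flooding tank A failure",
    8: "Failure in core flooding tank A discharge to RCS",
    9: "Core flooding tank B failure",
    10: "Failure in core flooding tank B discharge to RCS",
}

# Hypothetical encoding: a node is an event number or (gate, [children]).
# Top event: both LPI trains fail AND at least one core flooding tank fails.
ECI_LARGE_LOCA = ("AND", [
    ("OR", [1, 2, 3]),      # LPI train A lost
    ("OR", [4, 5, 6]),      # LPI train B lost
    ("OR", [7, 8, 9, 10]),  # either core flooding tank lost
])


def cut_sets(node):
    """Expand a fault tree into (not yet minimal) cut sets."""
    if isinstance(node, int):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":   # any one child's cut set is sufficient
        return [s for sets in child_sets for s in sets]
    if gate == "AND":  # one cut set from every child is needed
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate: {gate}")


def minimize(sets):
    """Drop duplicates and any cut set that strictly contains another."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(tree):
    return minimize(cut_sets(tree))


def condition_on(min_sets, failed):
    """Cut sets that remain once the events in `failed` have already
    occurred, e.g. a pump out of service for preventive maintenance."""
    return minimize(s - failed for s in min_sets)


def occurs(node, failed):
    """Evaluate the tree directly for a given set of failed events."""
    if isinstance(node, int):
        return node in failed
    gate, children = node
    results = (occurs(child, failed) for child in children)
    return all(results) if gate == "AND" else any(results)


if __name__ == "__main__":
    mcs = minimal_cut_sets(ECI_LARGE_LOCA)
    print(f"{len(mcs)} minimal cut sets, all of order {len(mcs[0])}")
    outage = condition_on(mcs, {1})  # way (b): LPI pump A in maintenance
    print(f"with LPI pump A out of service: {len(outage)} cut sets of order 2")
    for s in outage[:3]:
        print("  ", " + ".join(EVENTS[e] for e in sorted(s)))
```

With all equipment in service every minimal cut set needs three independent failures; with one LPI pump out for maintenance, any one failure in the other train combined with any one core flooding tank failure is enough.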

ECI for Medium LOCA

Failure of the function consists of failure to provide flow to the RCS from (a) at least one out of two low pressure trains (taking suction from the borated water storage tank) and two out of two core flooding tanks, or (b) two out of two low pressure trains taking suction from the BWST.

The failures involved in this case are combinations of the same failures discussed for the large LOCA.

In this light, using the notation identified above, if (1), (2), or (3) and (4), (5), or (6) and (7) or (8) or (9) or (10) and if (1), (2), or (3) or (4), (5), or (6) occur, the function will fail.

This involves the simultaneous failure of two independent, redundant, safety grade LPI trains and one of two redundant, passive, safety grade core flooding systems or the failure of one of two independent, redundant, safety grade LPI trains.

The same system failures discussed previously also apply to the medium LOCA case.

Small LOCA

For this type of LOCA, if both high pressure trains or both low pressure trains (taking suction from the BWST) fail, the function will fail.

Failure of both high pressure trains consists of preventive maintenance-related failures and component failures.

Failures which can defeat both high pressure trains are listed below.

(1') Failure of HPI pump A

(2') Failure of piping, valves, etc., in suction to HPI pump A

(3') Failure of piping, valves, etc., in discharge of HPI train A

(4') HPI pump B failure

(5') Failure of piping, valves, etc., in suction to HPI pump B

(6') Failure of piping, valves, etc., in discharge of HPI train B

Failures which defeat the low pressure trains have been discussed previously under Large LOCA.

Using the notation from that discussion along with the above-defined notation, if (1) or (2) or (3) and (4) or (5) or (6) or (1') or (2') or (3') and (4') or (5') or (6') occur, either both high pressure trains or both low pressure trains will fail.

This involves the simultaneous failure of two independent, redundant, safety grade HPI trains and two independent, redundant, safety grade LPI trains.

In addition to the ways in which failures (1) through (6) can occur (stated previously), the failures (1') through (6') can occur in a number of ways, including:

(a) Loss of all ac electric power (as discussed previously, this does not represent a condition with reasonable nexus to the TMI-2 accident).

(b) Failure of the nuclear services closed cooling water system (not a condition with reasonable nexus to the TMI-2 accident).

(c) Failure of the nuclear services river water system (not a condition with reasonable nexus to the TMI-2 accident).

(d) Preventive maintenance outages affecting one HPI pump coupled with component failures affecting the other HPI pump.

(e) Human error involving premature termination or throttling of HPI flow to the RCS, once it has been initiated automatically by a non-spurious actuation signal, ignoring procedures, subcooling, etc.

Small-Small LOCA

Stated in terms of the discussion for small LOCA given above, if both high pressure trains fail, that is, if (1') or (2') or (3') and (4') or (5') or (6') occur, this function will fail.

This involves the simultaneous failure of two independent, redundant, safety grade HPI trains.

Ways in which these failures can occur have been discussed previously.

Measures considered by the NRC which reduce the potential for ECI failure during a LOCA of any size are listed in Table 12 as follows:


Table 12 Measures to Reduce the Potential for ECI Failure

(Columns: Action; August 9, 1979 Order Item; Other Reference)

1. Required safeguards termination criteria - Review actions directed by the operating procedures and training instructions to ensure that operators do not override automatic actions of engineered safety features unless their continued operation will result in unsafe plant conditions. This assures that sufficient emergency core coolant will be injected to cool the core.
August 9, 1979 Order Item: 2

2. Required emergency procedures and training for inadequate core cooling - To provide assurance that a situation involving inadequate core cooling will not result in serious core damage, perform analyses and develop guidelines and procedures related to inadequate core cooling (Item 2.1.9.b of NUREG-0578).
August 9, 1979 Order Item: 2; Other Reference: Action Plan I.C.1

3. Requirement for a subcooling meter in PWRs - In order to provide the reactor operator with instrumentation, procedures and training necessary to readily recognize and implement actions to correct or avoid conditions of inadequate core cooling, install a primary coolant saturation meter to provide on-line indication of coolant saturation conditions.
August 9, 1979 Order Item: 8; Other Reference: Action Plan II.F.2

4. Instrumentation for inadequate core cooling (short-term) - The licensee shall develop procedures to be used by the operators to recognize inadequate core cooling with currently available instrumentation so that appropriate actions may be taken to avoid serious core damage.
August 9, 1979 Order Item: 8; Other Reference: Action Plan II.F.2

5. Requirement for unambiguous indication of inadequate core cooling - The licensee shall provide a description of any additional instrumentation or controls (primary or backup) proposed for the plant to supplement the devices identified in response to 4 and 5 above, giving an unambiguous, easy-to-interpret indication of inadequate core cooling so that appropriate actions may then be taken by the operator to avoid serious core damage.
August 9, 1979 Order Item: 8; Other Reference: Action Plan II.F.2

6. Reliability engineering and risk assessment program (IREP) - NRC will use risk assessment methods to identify particularly high risk accident sequences and dominant contributors at individual plants and will determine regulatory initiatives that could affect the ECCS to reduce these high risk sequences.
Other Reference: Action Plan II.C.2

7. Research program on ECCS effectiveness (LOFT, etc.) - Research focusing on small breaks and transients whose purpose is to obtain a better understanding of ECCS performance. Included are experimental research in the loss of fluid (LOFT) test facility, systems engineering, and material effects programs, as well as analytical methods development and assessment in the code development program.
Other Reference: Action Plan II.E.2

8. Systems interaction program (Unresolved Safety Issue A-17) - Expand ongoing NRC staff work on systems interaction, incorporating it into an integrated plan for addressing the broader question of system (e.g., the ECCS) reliability in conjunction with IREP and other efforts.
Other Reference: Action Plan II.C.3

9. Action Items 1 through 31 from Table 16.

Post-Accident Radioactivity Removal

In order for the PARR function to fail, either the injection phase or the recirculation phase of PARR must fail.

Such failures do not represent a condition with reasonable nexus to the TMI-2 accident.

Failure of the injection phase of PARR requires failure of both trains of the reactor building spray system operating in the injection mode (taking suction from the BWST) to provide flow through the associated spray headers into the containment atmosphere.

Failure of the recirculation phase of PARR requires failure of both trains of the reactor building spray system operating in the recirculation mode (taking suction from the reactor building sump) to provide flow through the associated spray headers into the containment atmosphere.

The discussion which follows applies equally to both phases of PARR.

The only difference lies in the alignment for the suction of the spray pumps.

Failures of the reactor building spray system trains consist of component failures and preventive maintenance-related failures.

Failures which can defeat the spray system trains in either mode are as follows:

(1) Spray pump BS-P-1A failure

(2) Failure of piping, valves, etc., in suction to spray pump BS-P-1A

(3) Failure of valves, piping, etc., in discharge of spray system train A

(4) Spray pump BS-P-1B failure

(5) Failure of piping, valves, etc., in suction to spray pump BS-P-1B

(6) Failure of piping, valves, etc., in discharge of spray system train B.

If (1), (2) or (3) and (4), (5), or (6) occur, the spray system will fail.

This involves simultaneous failure of two independent, redundant safety grade spray system trains. Ways in which these failures can occur include:

(a) Failure of either or both spray headers

(b) Failure of spray nozzles (not a condition with reasonable nexus to the TMI-2 accident)

(c) System not aligned in correct mode (taking suction from BWST for injection, from reactor building sump for recirculation).

(d) Preventive maintenance outages affecting one spray pump coupled with component failures affecting the other spray pump.

(e) Pump failures involving control circuit failures, mechanical failures, plugging of the suction due to debris

(f) BWST failure (not a condition with reasonable nexus to the TMI-2 accident)

(g) Loss of spray solution iodine removal capability (not a condition with reasonable nexus to the TMI-2 accident)

(h) Reactor building sump failure (not a condition with reasonable nexus to the TMI-2 accident)

(i) Loss of all ac electric power (as discussed previously, this does not represent a condition with reasonable nexus to the TMI-2 accident)

(j) Failure of nuclear services river water system (not a condition with reasonable nexus to the TMI-2 accident)

(k) Human error involving valve misalignment following testing or maintenance, premature termination of spray once system has been actuated by a non-spurious signal, ignoring procedures.

(l) Failure of nuclear services closed cooling water system (not a condition with reasonable nexus to the TMI-2 accident)

Measures that the NRC has considered to reduce the potential for PARR function failure are listed in Table 13 below:


Table 13 Measures to Reduce the Potential for PARR Failure

(Columns: Action; August 9, 1979 Order Item; Other Reference)

1. Required safeguards termination criteria - To assure that sufficient capability for post-accident radioactivity removal is available as needed, during an accident, review actions directed by the operating procedures and training instructions to ensure that operators do not override automatic actions of engineered safety features unless their continued operation will result in unsafe plant conditions.
August 9, 1979 Order Item: 2

2. Reliability engineering and risk assessment program (IREP) - NRC will use risk assessment methods to identify particularly high risk accident sequences and dominant contributors at individual plants and will determine regulatory initiatives which may affect PARR to reduce these high risk sequences.
Other Reference: Action Plan II.C.2

3. Systems interaction program (Unresolved Safety Issue A-17) - Coordinate and expand ongoing NRC staff work on systems interaction, incorporating it into an integrated plan for addressing the broader question of system (e.g., the reactor building spray system) reliability in conjunction with IREP and other efforts.
Other Reference: Action Plan II.C.3

4. Correct defective welds in safety-related systems - To provide further assurance of reactor building spray system availability in case of an accident, the licensee shall undertake a program to detect and correct defective welds in certain safety-related systems, including reactor building spray systems.
Other Reference: DOR Activities

5. Action Items 1 through 13, 16 through 18, 20 through 26, and 31 from Table 16.

Post Accident Heat Removal

In order for the PAHR function to fail, either the injection phase or the recirculation phase of PAHR must fail.

Failure of the injection phase of PAHR involves failure of four out of five reactor building air cooling units.

Failure of the reactor building air cooling units consists of component failures and preventive maintenance-related failures.

Failures which can defeat the reactor building air cooling units are as follows:

(1) Failure of air cooling Unit 1 cooling coils

(2) Failure of air cooling Unit 1 motor-driven fan

(3) Failure of air cooling Unit 2 cooling coils

(4) Failure of air cooling Unit 2 motor-driven fan

(5) Failure of air cooling Unit 3 cooling coils

(6) Failure of air cooling Unit 3 motor-driven fan

(7) Failure of air cooling Unit 4 cooling coils

(8) Failure of air cooling Unit 4 motor-driven fan

(9) Failure of air cooling Unit 5 cooling coils

(10) Failure of air cooling Unit 5 motor-driven fan

(11) Failure of common ductwork

(12) Failure of common housing

(13) Failure of interior pressure relief valves

(14) Failure of exterior pressure relief valves

If any four of the five units suffer failures of either the cooling coils or the fan, the air cooling system will fail.

If (11), (12), (13), or (14) occur, the system may fail (depending on extent of damage incurred by failure).

If the reactor building spray system in the injection mode (discussed previously) suffers a failure of one train, coupled with the failure of the air cooling system, the injection phase of PAHR will fail.

For the recirculation phase of PAHR, the failure requirements for the reactor building air cooling system are the same as for the injection phase.

The failure requirements for the recirculation phase of the reactor building spray system have been discussed previously.

If four out of five reactor building air cooling units fail, coupled with the failure of one spray system train operating in the recirculation mode, the recirculation phase of PAHR may fail.

In addition to the discussion about the spray system failures, ways in which the above-specified failures can occur include:

(a) Loss of all ac electric power (as discussed previously, not a condition with reasonable nexus to the TMI-2 accident)

(b) Failure of the nuclear service river water system (NSRWS) (not a condition with reasonable nexus to the TMI-2 accident)

(c) Failure of nuclear services closed cooling water system (not a condition with reasonable nexus to the TMI-2 accident)

(d) Human error involving maintenance-induced failures and inadvertent termination of air cooling system once it has been automatically initiated.

Measures considered by the NRC to reduce the potential for failure of the PAHR function are listed in Table 14 below.

Table 14 Measures to Reduce the Potential for Failure of PAHR

(Columns: Action; August 9, 1979 Order Item; Other Reference)

1. Required safeguards termination criteria - To assure that sufficient containment heat removal capability is available as needed during an accident, review actions directed by the operating procedures and training instructions to ensure that operators do not override automatic actions of engineered safety features unless their continued operation will result in unsafe plant conditions.
August 9, 1979 Order Item: 2

2. Reliability engineering and risk assessment program (IREP) - NRC will use risk assessment methods to identify particularly high risk accident sequences and dominant contributors at individual plants and will determine regulatory initiatives which could affect the PAHR to reduce these high risk sequences.
Other Reference: Action Plan II.C.2

3. Systems interaction program (Unresolved Safety Issue A-17) - Expand ongoing NRC staff work on systems interaction, incorporating it into an integrated plan for addressing the broader question of system (e.g., the reactor building spray and air cooling systems) reliability in conjunction with IREP and other efforts.
Other Reference: Action Plan II.C.3

4. Correct defective welds in safety-related systems - To assure sufficient spray system heat removal capability in the event of an accident, the licensee will undertake a program to detect and correct defective welds in certain safety-related systems, including reactor building spray systems.
Other Reference: DOR Activities

5. Action Items 1 through 31 from Table 16.

Emergency Coolant Recirculation

ECR for Large, Medium and Small LOCAs

Failure of this function consists of failure to provide flow to the RCS from at least one out of two low pressure trains taking suction from the reactor building sump in conjunction with cooling by the associated decay heat removal subsystem.

In order for this function to fail, both low pressure trains and the associated decay heat removal subsystems must fail.

Failure of both low pressure trains and their associated decay heat removal subsystems consists of component failures and preventive maintenance-related failures.

These failures can occur as follows:

(1) Low pressure injection (LPI) pump A failure

(2) Failure of piping, valves, etc., in suction to LPI pump A

(3) Failure of piping, valves, etc., in discharge of LPI pump A train

(4) Low pressure injection (LPI) pump B failure

(5) Failure of piping, valves, etc., in suction to LPI pump B

(6) Failure of piping, valves, etc., in discharge of LPI pump B train

(7) Failure of decay heat removal subsystem associated with LPI train A

(8) Failure of decay heat removal subsystem associated with LPI train B.

If (1), (2), (3), or (7) and (4), (5), (6), or (8) occur, then the ECR function will fail.

Ways in which these failures can occur include:

(a) Loss of all ac electric power (as discussed previously, not a condition with reasonable nexus to the TMI-2 accident)

(b) Failure of decay heat closed cooling water system (not a condition with reasonable nexus to the TMI-2 accident)

(c) Failure of nuclear services river water system (not a condition with reasonable nexus to the TMI-2 accident)

(d) Preventive maintenance outages affecting one LPI pump coupled with component failures affecting the other LPI pump

(e) Human error involving failure to perform the actions required by procedures for switchover of LPI system from injection mode to recirculation mode (automatic system being installed)

(f) Human error involving premature termination or throttling of the LPI system flow

(g) Failure of reactor building sump (not a condition with reasonable nexus to the TMI-2 accident).

Small-small LOCA

Failure of ECR for this case consists of failure to provide flow to the RCS from at least one out of two high pressure trains with its associated low pressure train taking suction from the reactor building sump in conjunction with cooling by the associated decay heat removal subsystem.

In order for this function to fail, both independent, redundant, safety grade high pressure trains and the associated safety grade decay heat removal subsystems must fail. These failures can occur as follows:

(1) High pressure injection (HPI) pump A failure

(2) Failure of valves, piping, etc., in suction to HPI pump A

(3) Failure of piping, valves, etc., in discharge of HPI train A

(4) Low pressure injection (LPI) pump A failure

(5) Failure of piping, valves, etc., in suction to LPI pump A

(6) Failure of piping, valves, etc., in discharge of LPI train A

(7) HPI pump B failure

(8) Failure of piping, valves, etc., in suction to HPI pump B

(9) Failure of piping, valves, etc., in discharge of HPI train B

(10) LPI pump B failure

(11) Failure of piping, valves, etc., in suction to LPI pump B

(12) Failure of piping, valves, etc., in discharge of LPI train B.

(13) Failure of decay heat removal subsystem associated with LPI train A.

(14) Failure of decay heat removal subsystem associated with LPI train B.

If (1), (2), (3), (4), (5), (6), or (13) and (7), (8), (9), (10), (11), (12) or (14) occur, then ECR will fail.

Ways in which these failures can occur include:

(a) Loss of all ac electric power (as discussed previously, not a condition with reasonable nexus to the TMI-2 accident)

(b) Failure of decay heat closed cooling water system (not a condition with reasonable nexus to the TMI-2 accident)

(c) Failure of nuclear services river water system (not a condition with reasonable nexus to the TMI-2 accident)

(d) Failure of nuclear services closed cooling water system (not a condition with reasonable nexus to the TMI-2 accident)

(e) Preventive maintenance outages affecting one LPI (or one HPI) coupled with component failures affecting the other LPI (HPI) pump.

(f) Human error involving failure to perform the actions required by procedures for switchover of HPI and LPI systems from the injection mode to the recirculation mode.

(g) Human error involving the premature termination or throttling of engineered safety features

(h) Failure of reactor building sump (not a condition with reasonable nexus to the TMI-2 accident).
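The train logic stated in this section (a function is lost when one event from each redundant train occurs, or when four of five air cooling units fail together with one spray train) can be checked by enumerating minimal cut sets. The following Python sketch is an added example, not part of the NRC document; the air cooling unit and spray event labels, and the shared cause "AC" assumed to disable both LPI pumps, are constructed for illustration.

```python
from itertools import combinations

# Gates return predicates over the set of failed basic events.
def any_of(*events):
    """Series elements of one train: a single failed element fails the train."""
    return lambda failed: any(e in failed for e in events)

def both(*gates):
    """Redundant groups: the function is lost only when every group is lost."""
    return lambda failed: all(g(failed) for g in gates)

def either(*gates):
    """The function is lost when at least one group is lost."""
    return lambda failed: any(g(failed) for g in gates)

def at_least(k, *gates):
    """k-out-of-n failure criterion, e.g. four out of five air cooling units."""
    return lambda failed: sum(g(failed) for g in gates) >= k

def with_shared_cause(top, cause, triggered):
    """Wrap `top` so that `cause` also fails every event in `triggered`."""
    triggered = frozenset(triggered)
    return lambda failed: top(failed | triggered if cause in failed else failed)

def minimal_cut_sets(top, events, max_order):
    """Smallest event combinations that fail a monotone top event.

    Candidates are visited by increasing size, so a failing set that contains
    no previously found cut set is itself minimal.
    """
    found = []
    for order in range(1, max_order + 1):
        for combo in combinations(events, order):
            s = frozenset(combo)
            if not any(m <= s for m in found) and top(s):
                found.append(s)
    return found

def ecr_large_medium_small():
    """ECR: train A lost on (1), (2), (3) or (7); train B on (4), (5), (6) or (8)."""
    events = [str(n) for n in range(1, 9)]
    return both(any_of("1", "2", "3", "7"), any_of("4", "5", "6", "8")), events

def eci_small_loca():
    """ECI, small LOCA: both HPI trains (primed events) or both LPI trains."""
    lpi = [str(n) for n in range(1, 7)]
    hpi = [n + "'" for n in lpi]
    top = either(both(any_of(*hpi[:3]), any_of(*hpi[3:])),
                 both(any_of(*lpi[:3]), any_of(*lpi[3:])))
    return top, hpi + lpi

def ecr_small_small():
    """ECR, small-small LOCA: (1)-(6) or (13) together with (7)-(12) or (14)."""
    side_a = [str(n) for n in (1, 2, 3, 4, 5, 6, 13)]
    side_b = [str(n) for n in (7, 8, 9, 10, 11, 12, 14)]
    return both(any_of(*side_a), any_of(*side_b)), side_a + side_b

def pahr_injection():
    """PAHR injection: four of five air cooling units plus one spray train."""
    unit_events = [(f"ACU{n}-coils", f"ACU{n}-fan") for n in range(1, 6)]
    units = [any_of(*pair) for pair in unit_events]
    spray = [f"spray-{t}-{n}" for t in "AB" for n in (1, 2, 3)]  # constructed labels
    top = both(at_least(4, *units), any_of(*spray))
    return top, [e for pair in unit_events for e in pair] + spray

def summarize(top, events, max_order):
    """Return (number of minimal cut sets, sorted list of their sizes)."""
    cuts = minimal_cut_sets(top, events, max_order)
    return len(cuts), sorted({len(c) for c in cuts})

def ecr_with_shared_cause():
    """Assumption: one shared cause 'AC' fails LPI pumps A and B, events (1) and (4)."""
    top, events = ecr_large_medium_small()
    return minimal_cut_sets(with_shared_cause(top, "AC", {"1", "4"}),
                            events + ["AC"], 2)

if __name__ == "__main__":
    print("ECR large/medium/small:", summarize(*ecr_large_medium_small(), 3))
    print("ECI small LOCA:        ", summarize(*eci_small_loca(), 3))
    print("ECR small-small LOCA:  ", summarize(*ecr_small_small(), 3))
    print("PAHR injection phase:  ", summarize(*pahr_injection(), 5))
    print("ECR with shared cause: ", sorted(map(sorted, ecr_with_shared_cause()))[:3])
```

No single basic event defeats any of these functions as stated; a shared support-system failure is what turns a redundant pair into a first-order cut set.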

Measures considered by the NRC to reduce the potential for ECR failure during a LOCA of any size are listed in Table 15 below.

Table 15 Measures to Reduce the Potential for ECR Failure

(Columns: Action; August 9, 1979 Order Item; Other Reference)

1. Required safeguards termination criteria - To assure sufficient emergency core coolant will be recirculated to cool the core, review actions directed by the operating procedures and training instructions to ensure that operators do not override automatic actions of engineered safety features unless their continued operation will result in unsafe plant conditions.
August 9, 1979 Order Item: 2

2. Required emergency procedures and training for inadequate core cooling - To assure that actions may be taken in the event of an inadequate core cooling situation to avoid serious core damage, provide analyses and develop guidelines and procedures related to inadequate core cooling (Item 2.1.9.b of NUREG-0578).
August 9, 1979 Order Item: 2; Other Reference: Action Plan I.C.1

3. Requirement for a subcooling meter in PWRs - In order to provide the reactor operator with instrumentation, procedures and training necessary to readily recognize and implement actions to correct or avoid conditions of inadequate core cooling, install a primary coolant saturation meter to provide on-line indication of coolant saturation conditions.
August 9, 1979 Order Item: 8; Other Reference: Action Plan II.F.2

4. Instrumentation for inadequate core cooling (short-term) - The licensee shall develop procedures to be used by the operators to recognize inadequate core cooling with currently available instrumentation so that appropriate actions may be taken to avoid serious core damage.
August 9, 1979 Order Item: 8; Other Reference: Action Plan II.F.2

5. Requirement for unambiguous indication of inadequate core cooling - The licensee shall provide a description of any additional instrumentation or controls (primary or backup) proposed for the plant to supplement the devices identified in response to 1 and 4 above, so that the operator may take appropriate actions to avoid serious core damage.
August 9, 1979 Order Item: 8; Other Reference: Action Plan II.F.2

6. Reliability engineering and risk assessment program (IREP) - NRC will use risk assessment methods to identify particularly high risk accident sequences and dominant contributors at individual plants and will determine regulatory initiatives that could affect the ECCS to reduce these high risk sequences.
Other Reference: Action Plan II.C.2

7. Research program on ECCS effectiveness (LOFT, etc.) - Research focusing on small breaks and transients whose purpose is to obtain a better understanding of ECCS performance. Included are experimental research in the loss of fluid (LOFT) test facility, systems engineering, and material effects programs, as well as analytical methods development and assessment in the code development program.
Other Reference: Action Plan II.E.2.2

8. Systems interaction program (Unresolved Safety Issue A-17) - Expand ongoing NRC staff work on systems interaction, incorporating it into an integrated plan for addressing the broader question of system (e.g., the ECCS) reliability in conjunction with IREP and other efforts.
Other Reference: Action Plan II.C.3

9. Action Items 1 through 31 from Table 16.

In addition to those measures identified with specific functions in Tables 7 through 15 above, a number of measures considered by the NRC are applicable to all of the functional headings on Event Trees T and S.

These are identified in Table 16 below.


Table 16 Generally Applicable Measures to Reduce the Potential for Safety Functions Failure

(Columns: Action; August 9, 1979 Order Item; Other Reference)

1. Requirement for licensee review of operating experience - Review operating experience, identify potentially serious reliability problems, and take appropriate corrective action.
August 9, 1979 Order Item: 8; Other Reference: Action Plans I.C.5, I.E

2. Operational quality assurance program - Assures the quality of operation of safety-related plant systems by the use of improved procedures governing system startup, operation, shutdown, and maintenance.
August 9, 1979 Order Item: 6; Other Reference: Action Plan I.C.6

3. Verify management and technical capability - Assure that (1) operations staff size, (2) education and experience of operations staff members, (3) plant operating and emergency procedures, (4) management awareness of and attention to safety matters, and (5) numbers and types of personnel available to respond to transients and accidents are adequate.
August 9, 1979 Order Item: 6; Other Reference: Action Plan I.B.1

4. Verify capability of safety review and operational advice - Assure the adequacy of groups providing safety review and operational advice.
August 9, 1979 Order Item: 6

5. Review training of operations staff - Assure the adequacy of the capability of operators and supervisors to understand and control complex reactor transients.
August 9, 1979 Order Item: 6; Other Reference: Action Plan I.A.2

6. Review facility procedures - Assure the adequacy of the procedures for dealing with abnormal conditions and emergencies.
August 9, 1979 Order Item: 6; Other Reference: Action Plan I.C

7. Review plant maintenance capability - Assure the capability of the support organization performing maintenance on plant systems.
August 9, 1979 Order Item: 6

8. Requirement for shift turnover procedure - Assure that each oncoming shift is aware of critical plant status information and system availability before assuming duty.
August 9, 1979 Order Item: 8; Other Reference: Action Plan I.C.2

9. Requirement relating to shift manning - Assure that qualified individuals are readily available in the event of abnormal or emergency situations.
Other Reference: Action Plan I.A.1.3

10. Requirement for upgrading operator training and qualifications - Improve the capability of operators and supervisors to understand and control complex reactor transients and accidents, and improve the general capability of the operations organization to respond rapidly and effectively to upset conditions.
Other Reference: Action Plan I.A.2

11. Requirement for an onsite safety engineering group - Establish a full-time, dedicated onsite safety engineering group which would perform careful reviews of reported plant operating experience and that from plants of similar design to improve plant reliability.
Other Reference: Action Plan I.B.1.2

12. Systematic assessment of licensee safety - NRC will annually evaluate each licensee's performance regarding enforcement actions, licensee event reports, technical and management performance, significant personnel and organizational changes, licensee safety attitude, and observations by IE to assure acceptable level of performance.
Other Reference: Action Plan I.B.2.4

13. Requirement for a shift technical advisor - Provide technical advisors with engineering expertise and special training in plant dynamics to provide on-shift advice and assistance.
August 9, 1979 Order Item: 8; Other Reference: Action Plan I.A.1.1

14. Required review of the TMI-2 accident - Review the chronology and circumstances surrounding the March 28, 1979 TMI-2 accident for the purposes of understanding the sequence of events to preclude such an accident at TMI-1.
August 9, 1979 Order Item: 2

15. Required review of plant transients - Review transients similar to the Davis Besse event and any other which contain similar elements from the TMI-2 accident which have occurred at any facility operated by the licensee, identifying significant deviations from expected performance and providing details and an analysis of the safety significance to the NRC, together with a description of any corrective actions taken.
August 9, 1979 Order Item: 2

16. Required valve position review - Review all safety-related valve positions to assure that engineered safety features and related equipment can perform their intended functions.
August 9, 1979 Order Item: 2

17. Required safety-related valve positioning procedures - Review all safety-related valve positioning requirements and related procedures, such as those for maintenance and testing, to assure that such valves are returned to their correct positions following necessary manipulations.
August 9, 1979 Order Item: 2

18. Required safety-related system operability review - Provide maintenance and test procedures to assure (1) verification by inspection of the operability of redundant safety-related systems before removing any safety-related system from service and (2) verification of the operability of all safety-related systems when they are returned to service following maintenance or testing.
August 9, 1979 Order Item: 2

19. Required personnel awareness of action taken during TMI-2 accident - All operating and maintenance personnel should be made aware of the extreme seriousness and consequences of the simultaneous blocking of both EFW trains at the TMI-2 plant and other actions taken during the accident.
August 9, 1979 Order Item: 2

20. Retraining of operators - Include in the retraining of all Reactor Operators and Senior Reactor Operators training in the areas of small break LOCAs, including revised procedures and the TMI-2 accident.
August 9, 1979 Order Item: 1

21. Program of analysis, procedures, and training related to small breaks, transients, and accidents - Improve procedures to provide greater assurance that operator and staff actions are technically correct, explicit and easily understood for normal, transient, and accident conditions.
August 9, 1979 Order Item: 1; Other Reference: Action Plan I.C.1

22. Requirement for an onsite technical support center - Establish a center outside of the control room that provides plant status and diagnostic information for use by technical and management personnel in support of reactor command and control functions in the event of an accident or off-normal event.
August 9, 1979 Order Item: 8; Other Reference: Action Plan III.A.1.2

23. Requirement for an onsite operational support center - Establish a primary operational support area for shift personnel to be in direct communication with the control room and other operations managers for assignment to duties in support of emergency operations.
August 9, 1979 Order Item: 8; Other Reference: Action Plan III.A.1.2

24. Requirements related to simulator use and development - Establish a high level of realism in the training and retraining of operators involving multiple failures and errors (such as occurred at TMI-2). Improve operators' diagnostic capability and general knowledge of plant systems.
Other Reference: Action Plan I.A.4

25. Long-term program for continuing improvement to plant emergency procedures - Optimize the written text in plant procedures and establish the proper interrelationships among administrative, operating, test and surveillance procedures.
Other Reference: Action Plan I.C.9

26. Revisions to scope and criteria for licensing examinations - Upgrade the requirements and procedures for nuclear power plant operator and supervisor licensing to assure that safe and competent operators and senior operators are in charge of the day-to-day operation of nuclear power plants.
Other Reference: Action Plan I.A.3.1

27. Requirement for control room access procedures - Establish procedures to limit the access of personnel to the control room and establish a clear line of authority for coping with operational transients and accidents.
August 9, 1979 Order Item: 8; Other Reference: Action Plan I.C.4

28. Requirement for a control room design study - Improve the ability of control room operators to prevent accidents or cope with accidents by improving the information provided to them.
Other Reference: Action Plan I.D.1

29. Requirement for clear definition of shift supervisor responsibilities - Revise as necessary plant procedures and directives to assure that the duties, responsibilities, and authority are properly defined to establish a definite line of command and clear delineation of the command decision authority of the control room supervisor.
August 9, 1979 Order Item: 8; Other Reference: Action Plan I.C.3

30. Requirement for review of shift supervisor duties - Reduce ancillary responsibilities of the shift supervisor, such as administrative functions that detract from or are subordinate to the management responsibility for assuring the safe operation of the plant.
August 9, 1979 Order Item: 8; Other Reference: Action Plan I.A.1.2

31. Requirement for plant drills for emergency procedures - Conduct in plant drills by shift operating personnel including simulation of normal and off-normal maneuvers in walk-through drills to assure competency of personnel and adequacy of procedures.
Other Reference: Action Plan I.A.2.5

Although the event trees T and S only carried the sequences out to the stage where either severe core damage or core melt was indicated, the NRC has also given consideration to measures for dealing with or mitigating a degraded core or a situation involving inadequate core cooling.

The measures which have been considered are identified in Table 17 below.


Table 17 Measures to Deal Effectively With and Mitigate the Consequences of a Degraded Core or Core Melt

(Columns: Action; August 9, 1979 Order Item; Other Reference)

1. Upgrade of emergency plans to satisfy Regulatory Guide 1.101
August 9, 1979 Order Item: 3; Other Reference: Action Plan III.A.1

2. Establishment of an emergency operations center
August 9, 1979 Order Item: 3; Other Reference: Action Plan III.A.1

3. Upgrade of offsite monitoring
August 9, 1979 Order Item: 3; Other Reference: Action Plan III.A.1

4. Assessment of state and local emergency plans
August 9, 1979 Order Item: 3; Other Reference: Action Plan III.A.1

5. Requirement to conduct a test exercise of the emergency plan
August 9, 1979 Order Item: 3

6. Review of managerial capability and resources
August 9, 1979 Order Item: 6; Other Reference: Action Plan I.B.1

7. Review capability safety review and operational advice
August 9, 1979 Order Item: 6

8. Review training of operations staff
August 9, 1979 Order Item: 6; Other Reference: Action Plan I.A.2

9. Review facility procedures
August 9, 1979 Order Item: 6; Other Reference: Action Plan I.C

10. Review plant maintenance
August 9, 1979 Order Item: 6

11. Program on radiation source control
Other Reference: Action Plan III.D

12. Siting policy rulemaking
Other Reference: Action Plan II.A

13. Requirement for post-accident sampling capability
August 9, 1979 Order Item: 8; Other Reference: Action Plan II.B

14. Requirement for shielding to allow post-accident access to vital areas
August 9, 1979 Order Item: 8; Other Reference: Action Plan II.B

15. Requirement for training to mitigate core damage
Other Reference: Action Plan II.B

16. Program to upgrade state and local government preparedness
Other Reference: Action Plan III.B

17. Program for improved radiological effluent monitoring
Other Reference: Action Plan III.D.1

18. Program to study radioiodine pathways
Other Reference: Action Plan III.D.2

Table 17 (Continued)

August 9, 1979 Action Order Item Other Reference 19.

Program to study liquid pathways Action Plan III.D.3 20.

Program to study offsite dose monitoring and calculations Action Plan III.D.4 21.

Program to upgrade licensee emergency preparedness 3

Action Plan III.A.1 22.

Program to upgrade licensee emergency support facilities Action Plan III.A.2 23.

Program to maintain supplies of thyroid blocking agent Action Plan III.A.3 24.

Long-term program to improve licensee emergency preparedness (amend 10 CFR Part 50 and Appendix E)

Action Plan III.A.2.1 25.

Program to improve NRC preparedness Action Plan III.A.3 26.

Requirement for dedicated hyrdrogen recombiner penetrations 8

Action Plan II.E 27.

Requirement for improved containment isolation dependability 8

Action Plan II.E.4 28.

Plan for criteria for gross containment integrity check Action Plan II.E.4 29.

Requirements and restrictions on containment purging Action Plan II.E.4 30.

Research on phenomena associated with core degradation and fuel melting Action Plan II.B.5 31.

Requirement to comply with CSB Technical i

Position 6.4 00R activities 32.

Environmental qualification program for containment isolation valves NRR Program 33.

Addition or hydrogen recombiners Voluntary addition 34.

Required emergency procedures and training for inadequate core cooling 2

Action Plan I.C.1 35.

Improvement in post-accident monitoring II.F.B.3 _ _. _

Table 17 (Continued)

August 9, 1979 Action Order Item Other Reference 36.

Improve filter Tech Specs 00R activities 37.

Automatic switchover to ECCS recirc mode D0R activities 38.

Improve uneven drawdown of RB spray system D0R activities