ML20009A519

Abnormal Transient Operating Guideline (Atog) Program Description.
ML20009A519
Person / Time
Site: Davis Besse Cleveland Electric
Issue date: 06/30/1981
From:
BABCOCK & WILCOX CO.
To:
Shared Package
ML20009A517 List:
References
PROC-810630, NUDOCS 8107130263


Text

Babcock & Wilcox
Engineering Services

Docket No. 50-346
License No. NPF-3
Serial No. 726
July 1, 1981
Attachment 2

ABNORMAL TRANSIENT OPERATING GUIDELINE (ATOG)

PROGRAM DESCRIPTION

June 1981

Prepared for B&W Owners Group ATOG Subcommittee by Babcock & Wilcox Company, Nuclear Power Generation Division

Abstract

The Abnormal Transient Operating Guideline (ATOG) program was initiated by the B&W Owners Group in the fall of 1979 to evaluate plant response to certain transients and develop plant specific emergency procedures for the operator.

The products of the program include Safety Sequence Diagrams (SSD's), Event Trees (ET's), System Auxiliary Diagrams (SAD's), Engineering Analysis, Emergency Guidelines and the basis for those guidelines. The diagrams (SSD's, ET's and SAD's) served as a basis for fully understanding plant response to the transients selected coupled with subsequent component failures. Engineering analysis provided the time element associated with operator action and brackets for expected parameter response.

Certain limitations had been placed on the events analyzed and depth of analysis based on probability of occurrence, consequence and realistic benefits. These limitations were identified to both the participating utilities and the NRC prior to program initiation in 1979.

The Operating Guidelines produced in the ATOG program reflect a symptom oriented approach to casualty control and provide continuity between traditional event oriented procedures. The guideline directs the operator's attention to three basic plant symptoms which reflect the thermodynamic status of the system. Part II of the guideline provides the engineering basis from which the actions directed in Part I are derived. It is intended as a training manual which will enhance the operator's understanding of plant behavior and casualty control.

The guidelines are further supported by a pressure-temperature video display which was developed in the ATOG program. This display provides a selective grouping of critical plant parameters which the operator needs during transient conditions. The display coupled with the symptom oriented guidelines provide strong support to the operator in his effort to insure plant safety.

TABLE OF CONTENTS

I. Introduction
II. Establishing the Basis for Guidelines
   A. Safety Sequence Diagrams (SSD's)
   B. Event Trees
   C. System Auxiliary Diagrams (SAD's)
   D. Analysis
   E. Simulator
   F. Transient Information Document (TID)
III. Operating Guidelines
   A. Event vs. Symptom Oriented Procedures
   B. ATOG Part I Organization
   C. ATOG Display
   D. Use of Part I Guideline
   E. ATOG Part II Organization
   F. Human Factors Input
   G. Extent of ATOG Coverage
IV. Conclusion

Abnormal Transient Operating Guidelines (ATOG)

Program Description

I. Introduction

The Abnormal Transient Operating Guideline (ATOG) Program was undertaken in the fall of 1979 by the B&W Owners Group to evaluate, on a realistic basis, plant response to certain initiating events and to develop new emergency guidelines based on this evaluation. The scope of the complete program included development of the following plant specific products:

A. Safety Sequence Diagrams (SSD's)

These diagrams were prepared for each event evaluated and were designed as building blocks for subsequent event tree development. The SSD's organize and present raw plant data in terms of systems and components. They identify all systems involved in achieving a safety function.

B. Event Trees

These diagrams were developed on a plant specific basis for the events analyzed. They systematically identify various plant conditions which can evolve following a postulated initiating event. They identify consequences of multiple failures and final plant status for multiple combinations of failures.

C. System Auxiliary Diagrams (SAD's)

The diagrams provide input information for determining corrective actions in the operating guidelines. They show supporting systems essential to the operation of the system having a direct input to plant response. They identify instrumentation required to verify proper operation of the supporting systems.

D. Engineering Analysis

The purpose of this effort was to realistically predict plant behavior for selected branches of the event trees and provide these results as input to the operating guidelines. It identified the time element associated with operator action and brackets of expected parameter response for the transients analyzed.

E. Operating Guidelines

1. Part I - Provides the actual guidelines to be used by plant operator in the control room, based on results of realistic engineering analysis. These guidelines received extensive review by plant operation and training personnel and substantial input by professional procedure writers.
2. Part II - Provides the engineering basis for the operator actions identified in Part I and a description of the plant response to certain initiating events and subsequent multiple failures.

The following text provides a more detailed description of each aspect of the ATOG program, including the initial assumptions and bounding conditions imposed on the analysis and subsequent guidelines.

II. Establishing the Basis for Guidelines

Before emergency plant guidelines could be developed, considerable work had to be performed to gain a detailed understanding of the response of each plant to an initial upset coupled with subsequent failures. A detailed discussion of the various steps taken to enhance this understanding is contained below.

A. Safety Sequence Diagrams (SSD's)

A Safety Sequence Diagram was developed for each event considered in the ATOG program for each plant. The purpose of these diagrams was to condense multitudes of plant specific data and information into a usable form for subsequent event tree development.

The diagrams contain all relevant system information and setpoints which may be called upon to achieve a stable plant condition following a plant upset. Each diagram received extensive utility review and approval before being issued as a final document.

B. Event Trees

Event Trees were developed from the information provided from SSD's coupled with additional plant data. These diagrams identified the multiple paths which a given transient could take by considering subsequent combinations of failures following an initiating event.

Each diagram received extensive review and approval by utility engineering and operational staff before final issue.

The following is a more detailed explanation of the event tree development.

1. Assumptions Used: This section discusses the difference between the planned assumptions used in developing the Event Tree and the actual disposition of these assumptions after the event trees and guidelines were completed.

a. Initial:

The basic approach taken for developing event trees is to combine an initiating event with consequential failures which can stem from the event itself or from operator actions. A consequential failure is defined here as a failure of any active fluid system component that is challenged by the initiating event or by operator action. For example, on a loss of feedwater the increasing steam pressure will initiate turbine bypass valve action. Because the turbine bypass valves were required to open during this transient (challenged to do something), the event tree will consider the possibility that they work properly or fail. Equipment not challenged by the event (e.g., reactor building coolers) will not appear on the tree.

Actual: No Change.

b. Initial:

Plant operation prior to the abnormal transient was in the power range 15% to 100% power.

Actual:

15% to 100% PWR plus anytime the Rx is critical.

Additionally, the thermodynamic principles apply anytime the RCS is full and pressurized. The guidelines may have to be expanded to cover some things such as ESFAS in low pressure bypass before they would apply to pre-event initial conditions all the way to cold shutdown. They now cover post-reactor trip all the way to cold shutdown.

c. Initial:

All systems (safety and non-safety) will be considered to be armed and ready.

Actual:

No change. However, this is not important if the plant is initially at power and within tech spec limits. The initial equipment that is not in service will not affect the structure of the guideline (or the operator's response).

d. Initial:

Failure to trip ( ATWS) will not be considered.

Actual:

ATWS is considered to the following extent: the operator is instructed to manually trip the Rx, check that control rods are on the bottom and that neutron counts are decreasing. If not, he is instructed to start emergency boration.

e. Initial:

Instrumentation readouts which provide the operator with information upon which he bases his actions will be assumed to read correctly. Instrumentation readouts which degrade and become biased because of adverse containment environments will be factored into the analysis and guidelines.

Actual:

No change, reliability of inputs to ATOG display cannot be overemphasized. Additionally, the ATOG display contains a margin to saturation line which allows for expected instrument errors under adverse conditions.

f. Initial:

Consequential failures because of "common mode" effects will not be considered. Simultaneous failures of two identical components because of an inherent design flaw, while statistically possible, are remote and will not be considered. Common mode failures of equipment because of external causes (flood, fire, etc.) are also remote and will not be considered. Common mode failures because of incorrect operator decisions will be considered.

Actual:

The guidelines, as written, do cover "common mode" effects to some extent. Such natural disasters as fires, flooding, earthquake, et al., affect equipment operability and performance. If the equipment won't work or functions improperly, symptoms are affected. ATOG detects and treats symptoms through available equipment. Therefore, using a groundrule of working with the installed plant, fires and floods won't change the guidelines.

The real value of studying such things is not to answer the question, "What should the operator do during a flood?" but rather, "What can be done, in advance, to the design, location or protection of the equipment to mitigate the effects of a flood?" Such a study may produce equipment changes that would require guidelines changes but that is a second order effect.

g. Initial:

Systematic failures (i.e. those failures which assume an entire system to be defeated) will not be considered, except for those cases where an error of operator decision is possible. An exception is the Emergency Feedwater System: because of its past history it is assumed to fail completely. Also, the loss of offsite power event tree will investigate failure of both diesel generators to start.

Actual:

The complete loss of safety grade systems was not considered to be a realistic failure. However, as the program developed, some system failures were evaluated. The following safety system failures are covered by ATOG: main steam safety valves fail open, PZR code relief valve fails open, safety grade EFW system fails to start or fails to control, and the operator mistakenly stops HPI.

Additionally, the ATOG program includes cause wheels which address complete failures of safety systems.

h. Initial:

Operator Actions

(1) The operator acts only when required by existing procedures (e.g., trip RCP's on a low pressure safety actuation signal).

(2) During the course of the event, the operator will be required to operate individual components. Assumptions for operator error at this time will be to assume a mistake of action. The error to be assumed will be complete, i.e., he will not manipulate one of two identical components correctly and the other incorrectly.

(3) The operator error to be assumed will not be random. He will focus on the component to be manipulated and not on some other component that is unrelated. The event trees will show two error situations: 1) The operator fails to take action entirely (no action regardless of the time); or 2) An incorrect manipulation that results in the worst condition. The analysis will be based on a selection of one of the two circumstances.

(4) For evaluation purposes, the operator will not be assumed to correct errors, even though information will be available.

Actual:

No Change.

2. Selection Criteria for Initiating Events
a. Event occurs with some frequency and the operator action is expected (excessive feedwater, loss of offsite power, loss of main feedwater).
b. The event, while possible, is rarely seen, is confusing to the operator and he is not sure how to recognize/mitigate it (steam generator tube rupture, small break LOCA).
c. The events cover 80%-90% of everything that can happen to the RCS (overcooling, undercooling, loss of inventory).
d. The operator has time to recognize and do something about the event, therefore, it makes sense to write guidelines (this excludes major steam line breaks, major LOCA's, rod ejections as initiating events to be studied. Many FSAR events are design considerations, not operator action studies).

3. Uses of Event Trees
a. Event trees are interim products. They are used to develop guidelines. The operator does not use event trees.
b. Event trees were studied to find repetitive patterns and common end points. The study showed that although many failures can occur, the symptoms of unbalanced heat transfer that result from these failures followed a few common patterns or trends.
c. Selected event tree branches were analyzed using computer codes to obtain parameter trends and define times available for operator action.
d. Every reactor trip that has occurred at a B&W 177 FA plant that started as one of the initiating events evaluated, was compared to the event trees to ensure the paths were covered and thereby help confirm the methodology.
e. Event trees were used to pick scenarios to use on the simulator to test the guidelines.
f. Event trees were simplified and modified into logic diagrams which include appropriate operator corrective actions as defined by the guidelines. These logic diagrams were included in ATOG Part II to be used to train the operator in transient behavior and guideline use.

4. Methodology for Construction of Event Trees

Event tree construction began by defining the main success path. This is the plant normal response to the initiating event with no subsequent failures. The path included all the steps required to achieve the basic safety functions (reactivity control, primary inventory control, etc.) and bring the plant to steady state conditions. The equipment available to perform any one safety function (and alternates based on failure of that equipment) was defined on safety sequence diagrams (SSD's). An SSD was developed (and reviewed by the Utilities) for every initiating event used for event tree construction. The SSD's essentially provided the building blocks for the event trees.

All of these safety functions must be satisfied or steady state is not attained. The blocks on the main branch were not intended to be time sequenced, however, they should follow in a logical order. For example, the correct operator response for high pressure injection (HPI) control (turn it off or let it run) depends, somewhat, on the ability of the plant to control emergency feedwater (EFW). Therefore, HPI was normally considered after EFW on the event trees.

After completing the main success path, failure paths were developed from the top of the tree downward (see assumptions used for types of failures considered). In general, the failure paths illustrated automatic system response based on plant design. The operator was added to the tree only when specifically required to do something by an existing procedure (e.g., open the PORV and start HPI on a complete loss of feedwater). Otherwise, the event tree proceeded as if the operator did nothing. (The guidelines identify operator action to regain plant control). For example, if the plant has a steam line rupture matrix and the casualty is stuck open turbine bypass valves, the main steam isolation valves will shut and the plant will come to steady state. Otherwise, the plant will continue in an uncontrolled cooldown.

When a failure path is developed, all the safety functions on the main path below the point of departure of the failure branch were also considered on the failure branch. This pattern was repeated on subsequent or multiple failures. To avoid needless confusion and repetition, not all subsequent safety functions were physically displayed on the event tree. Some failures are so important to safety that they override other considerations. For example, a failure path showing loss of main and emergency feedwater did not consider pressurizer heater failures.
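The construction rules described above, as an added Python sketch that is not part of the B&W document: it walks a main success path from the top downward, branches each challenged block into "works" or "fails", carries the remaining blocks onto every failure branch, and drops a block that an earlier failure overrides. The block names, the small loss-of-main-feedwater tree and the `max_failures` cut-off are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    """One challenged function on the main success path (constructed example)."""
    name: str
    # If every failure named here has already occurred on the branch, this
    # block is not displayed: the earlier failure overrides it.
    overridden_by: frozenset = frozenset()


# Constructed main success path for a loss of main feedwater, top to bottom.
# EFW comes before HPI because the correct HPI response depends on EFW control.
MAIN_PATH = [
    Block("turbine bypass valves"),
    Block("emergency feedwater"),
    Block("HPI control"),
    Block("pressurizer heaters",
          overridden_by=frozenset({"emergency feedwater"})),
]


def build_paths(blocks, max_failures):
    """Return every path through the tree as a tuple of (block, outcome) pairs."""
    paths = []

    def walk(index, outcomes, failed):
        if index == len(blocks):
            paths.append(tuple(outcomes))
            return
        block = blocks[index]
        # An overriding failure higher on the branch suppresses this block.
        if block.overridden_by and block.overridden_by <= failed:
            walk(index + 1, outcomes, failed)
            return
        # Success branch first, so the main success path is generated first.
        walk(index + 1, outcomes + [(block.name, "works")], failed)
        # Failure branch: all blocks below the departure point are still walked.
        if len(failed) < max_failures:
            walk(index + 1, outcomes + [(block.name, "fails")],
                 failed | {block.name})

    walk(0, [], frozenset())
    return paths


def failures(path):
    """Names of the blocks that failed on one path, in tree order."""
    return [name for name, outcome in path if outcome == "fails"]


def summarize(paths):
    """Count the main success path and the single failure paths off it."""
    return {
        "total": len(paths),
        "main_success": sum(1 for p in paths if not failures(p)),
        "single_failure": sum(1 for p in paths if len(failures(p)) == 1),
    }


if __name__ == "__main__":
    for path in build_paths(MAIN_PATH, max_failures=1):
        print(" -> ".join(f"{name} {outcome}" for name, outcome in path))
    print(summarize(build_paths(MAIN_PATH, max_failures=2)))
```
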

5. Review of Event Trees

Each event tree received an internal B&W QA review prior to being released to the respective customer for a utility engineering and operations staff review. Utility comments were subsequently incorporated into final diagrams along with the results of the analysis phase for each event.

C. System Auxiliary Diagrams (Cause Wheels)

1. System Auxiliary Diagrams (SAD's or Cause Wheels) were developed on a plant specific basis to identify supporting systems essential to the operation of the system having a direct input to plant response. They also identify instrumentation required to verify proper operation of the supporting systems. Each SAD received extensive utility engineering and operational staff review prior to final issue.

The SAD's serve as an aid to the operator in the event that a critical system required to support the guidelines fails. For example, the operator may be required to initiate high pressure injection (HPI). If this fails, the operator has a diagram (cause wheel) which shows HPI in the center (the hub) and various arrows (spokes) pointing toward HPI which identify everything required to make HPI initiation successful. Pump power supplies, required cooling/lube oil sources, major inline valve positions, ventilation cooling, etc., are all identified along with available instrumentation to verify proper operation of the system (e.g., HPI). This cause wheel can be used as a rapid troubleshooting aid to restore HPI. Only those items that are within the operator's ability to control and can be accomplished quickly are included. Corrections that are long term (e.g., replace pump impeller) are omitted.

2. Cause Wheels were developed for the following systems/components:

- Main F/W System (loss of flow)
- Auxiliary F/W System (loss of flow)
- Steam Line Pressure Components (loss of pressure)
  - Turbine Bypass
  - Steam Safety Valves
  - MADV's
  - Turbine Controls
- ECCS Systems (Failure to Deliver Water)
  - Makeup
  - HPI
  - LPI
- Containment Cooling Systems (failure to depressurize)
  - BLDG Spray
  - BLDG Coolers
- Containment Isolation (failure to isolate)
- Boron Addition (inability to add boron)
- Components for R. C. Pressure Control
  - Pressurizer Heaters
  - Pressurizer Spray

D. Analysis

1. The critical item in producing a symptom-oriented guideline was developing a thorough understanding of expected plant responses during many varied abnormal transients. This analytical effort took several different forms.

a. Existing plant casualty procedures were investigated for common symptoms. Few single alarms or parameters were found to uniquely identify a transient. Similarly, some parameters were common to all transients. One event found throughout the study was a reactor trip. Consequently, it is used as the key for entering the abnormal guidelines.

b. Event trees (discussed earlier) for various initiating events and consequential failures were developed.

c. Actual operating transients were investigated, again looking for patterns. This time the emphasis was on parameter trends and the time available for operator action. Finally, where necessary, computer simulations were run to complete the baseline and fill voids in understanding plant response. Because the output was to be used in developing operating guidelines, realistic inputs were used (as opposed to bounding safety analysis assumptions).

2. The basic transient code used for the computer simulation portion of the ATOG program was TRAP 2. The version used for the Arkansas Nuclear One guidelines had an equilibrium pressurizer model. Therefore, on transients with insurges into the pressurizer, these insurge rates were used as input into the DYSID code (a non-equilibrium pressurizer model) and the reactor coolant system pressure response was obtained. The combination of these two codes was used as input in developing Part II of the guidelines. In the case of a steam line break inside the reactor building the CONTEMPT Code was used to predict building pressure response.

3. The original intent was to analyze the main success path, and each single failure path off the main success path for each event tree prepared for the lead plant (ANO-1). This led to identifying 32 paths for analysis. However, after conducting some analysis, it was determined that several of the paths among the various event trees would yield repetitive results. After further examination, the total number of analyzed paths was reduced.

Justification for not conducting computer analysis for additional failure paths was provided.

Additionally, each event tree path that ended in a LOCA was reviewed to verify that it was bounded by existing ECCS analyses.

4. The Computer Simulation Portion of the Analytical Work was:
a. Used to obtain parameter trends and transient times to be used as examples in Part II of ATOG (operator training).
b. Used to verify (or correct) event tree logic. For example, the original excessive main feedwater event tree showed transient termination by an automatic steam line break system actuation. The analysis showed this wouldn't happen and the event tree was revised accordingly.
c. Used in Part I guideline development. For example, one idea considered was to give the operator time to restore feedwater to the steam generator on a complete loss of FW by allowing him to delay once through cooling (HPI and open PORV) under these conditions until RCS subcooling margin was lost. However, a realistic analysis of this transient showed that this could take 35 or 40 minutes, which was far in excess of previously generated 20 minute limits. The guidelines were revised to key operator action within the allowable time limits. Another example was a proposal to identify the steam generator with a steam leak by differential pressure between the two generators. However, analysis showed that this differential pressure, because of the thermal mixing on the primary side, was transitory. Again, the guidelines reflect a more positive approach for identification.
d. Used to enhance engineer and operator understanding of a Steam Generator Tube Rupture (SGTR) event. This is a continuing effort and the guidelines are being refined as our knowledge increases. ATOG, although not complete in this area, is far more comprehensive than any existing SGTR procedure in use today.
e. Compared to actual plant transient data as verification and to strengthen confidence in the guidelines and in the examples used in the training manual (Part II).

5. Analysis of follow-on plants (after Arkansas Nuclear One) was used to provide justification that their plant response closely resembled that of the lead plant such that the AP&L guideline analysis could be considered generic (i.e. benchmark that plant against AP&L). Where the event trees showed equipment differences that were severe enough such that similarities were in doubt, that event tree branch received computer analysis.

E. Simulator

The B&W simulator was utilized to:

1. Test various guideline ideas during the developmental phase.
2. Allow operators (under observation of professional procedure writers) to test various guideline formats and provide input on guideline development.
3. Test and develop the ATOG display.
4. Test the final guidelines by inputting multiple failure event tree paths and using the guidelines to recover the plant.

F. Transient Information Document (TID)

After the engineer completed his analysis of the expected plant response for a particular initiating event and subsequent failures he documented the results in a transient information document (TID).

These documents (1) tie the analysis phase to Part II of the guidelines, (2) tie the follow-on plant analysis back to the ANO work and (3) provide a traceable list of references back to the ATOG input material. A TID is produced for every initiating event for each follow-on plant. The type of information contained in the TID is:

1. Introduction

This section identifies the event, the plant, and the event tree.

2. Major Plant Differences

The ATOG Program assumes the plant can be brought to a safe shutdown if five major "functions" are controlled:
a. Reactivity
b. Primary Inventory
c. Primary Pressure
d. Secondary Inventory
e. Secondary Pressure

This section discusses what systems are used to control these functions for the particular event and how these systems compare with the lead plant. The comparison emphasizes those differences which affect plant performance and includes a discussion of the system's properties (i.e., flows, pressures, etc.) and the function (i.e., actuation setpoints and what the system does after actuation).

3. Plant Data

Data from actual plant transients is important as a basis for the ATOG guideline. It provides information on plant response and provides confirmation on TRAP 2 predictions.

Plant data for a single representative plant transient (if available) is presented and each TID includes plots of the data and a discussion of the event. Several of the ATOG Part II Appendices contain a similar presentation.

4. Predicted Plant Performance

This section is the most important part of the TID. It discusses how a plant will respond to a given event compared to the lead plant. To make this comparison, the analyst utilized four sources of information:

- TRAP 2 analysis for ANO
- TRAP 2 analysis made for follow-on plant
- Plant data documented in the TID, and
- Plant comparisons as documented in the TID

The TID documents that (1) the lead plant analytical work applies to the plant of interest directly, or (2) identifies the expected plant response, if it is different.

Each of the appendices to ATOG, Part II discusses a particular transient. This discussion includes a description of the general transient (i.e., the event tree's main success path) and the transient in conjunction with loss of one of the control functions.

In order that the output from the TID's properly support the Part II guideline, each TID provides:

- A description of how each section of the AP&L Appendix must be changed to make it valid for the plant under consideration and reasons for the changes;
- Additional information which the analyst feels should be included in the Appendix; and
- A plant specific plot for each figure in the Appendix (if different from AP&L)

5. Additional Pertinent Information

This section includes additional information which the analyst feels is important to the transient evaluated. For example, the analyst studying Loss of Offsite Power may want to discuss components loaded onto the diesel generators.

6. References

This section includes a list of all references used in the TID.

III. Operating Guidelines

A. Event vs. Symptom Oriented Procedures

1. The traditional approach to transient and accident control has been to develop many "emergency" procedures, each based on a postulated event such as loss of main feedwater. The operator was then required to study this event and memorize its symptoms and immediate actions. If a loss of feedwater occurred, he was expected to recognize it, perform the appropriate immediate actions, and then use the event-oriented loss-of-feedwater procedure for determining follow-up actions. This approach has several inherent drawbacks:
a. The operator must correctly diagnose, at time zero, the initiating event. He does this mentally, based on training or prior experience. After taking several actions, depending on this instant evaluation, he then picks up the event-oriented procedure that fits his diagnosis. If he were treating a small steam line break inside the reactor building but actually had a small loss of coolant accident (LOCA) inside the building, he is now tracking through the wrong procedure. He will eventually recognize this misinterpretation; however, by then he is well into the transient and possibly confused.
b. Procedures must be written to cover every conceivable initiating event. If the operator correctly diagnoses a loss of non-nuclear instrumentation power and no procedure covers that event, his actions will be based on the experience of a particular operator.
c. If more than one event contributes to the transient, the operator will find himself working two or more procedures at the same time. For instance, if a main steam safety valve failed to reseat following the loss of main feedwater, the operator would have to use the loss of feedwater procedure and small-steam-line-break procedure (if available). These procedures may conflict and he must decide a priority between them - with no convenient method of shifting between the two procedures. It is possible to write a procedure combining these two events; however, if just a few more failures are considered (e.g., PORV or spray valve remains open), the number of combinations of failures along with possible initiating events quickly becomes large. Even if this were attempted, the operator's ability to pick the correct procedure would certainly diminish.
d. Because of these limitations, most operators are likely to use no specific procedure. They will use training, experience, intuition, etc. to bring the plant under control. They will then choose what they think is the closest procedure to what is happening and confirm their actions or see if they overlooked anything.
2. To correct these drawbacks, it was necessary to step back from the traditional approach and examine what the operator is attempting to do during post reactor trip abnormal transient control. He can best protect the health and safety of the public by guarding the integrity of the core. To do this he must ensure the continuous removal of decay heat from the fission products to the ultimate heat sink. By adjusting the priorities and concentrating efforts of maintaining proper heat transfer along this path, he can protect the core and minimize radioactive release. To give the operator this capability, a concept of symptom-oriented (as opposed to event-oriented) procedures was investigated. The symptoms are based on upsets in the heat transfer from the core to the coolant and from the coolant to the steam generators. The symptom-oriented procedures thus focus on core cooling first and on event identification second.

3. The three symptoms of primary interest to the operator are adequate subcooling of the primary system inventory, inadequate primary-to-secondary heat transfer, and excessive primary-to-secondary heat transfer. These symptoms are important for the following reasons:
a. Adequate primary inventory subcooling. If the operator knows the primary fluid is in a liquid state, he is assured that it is available and capable of removing heat from the core and transferring it to the steam generators. If subcooling is lost, these issues are in doubt and he is therefore directed to make every effort to regain subcooling.

b. Inadequate primary-to-secondary heat transfer. This symptom addresses the heat transfer coupling across the steam generators. It describes the ability of the system to keep the flow of energy moving from the reactor coolant system to the ultimate heat sink. The operator monitors the relationship between the reactor coolant cold leg temperature and steam generator secondary side saturation temperature. Following a reactor trip, these two values should be nearly equal under good heat transfer conditions. If this coupling is broken, the procedure outlines appropriate corrective actions to restore it.

c. Excessive primary-to-secondary heat transfer. In this case, the symptom is indicative of a secondary side malfunction (e.g., loss of steam pressure control or steam generator overfill). The heat transfer is again unbalanced and the operator's attention is directed toward specific actions to restore this balance.


4. By tracking these basic symptoms the operator can quickly focus on problems without having to check a large number of parameters. At the same time, by their nature the symptoms allow a rapid elimination of problem sources and still keep the emphasis on core protection. Additionally, the symptoms are so basic the procedure inherently covers many more initiating events than those initially studied. This happens because initiating events cause equipment to fail and equipment failures affect these symptoms. As the operator follows the procedure to treat the symptom he will probably identify and correct the cause.

B. ATOG Part I organization

1. Once the symptoms were identified and a method of monitoring those symptoms developed, the next step was to reduce this information into something useful to the operator. The Abnormal Transient Operating Guidelines consist of two parts. The first part is procedural guidance to be used in the control room during transients. The second part, a much larger volume, is a training aid explaining the design bases for, and the use of the procedures.

The organization of Part I is illustrated below:

Section I     Immediate Actions

Section II    Vital system status verification

Section III   A. Treatment of lack of adequate subcooling margin

              B. Treatment of lack of primary-to-secondary heat transfer

              C. Treatment of too much primary-to-secondary heat transfer

              D. Follow-up actions for OTSG tube rupture

              E. Cooldown procedures

                 o Large LOCA

                 o Normal

                 o Saturated RCS

                 o HPI cooling

                 o Solid water cooldown

                 o Cooldown following ICC

              F. Followup actions for ICC

2. The immediate actions are common to every reactor trip and must be performed regardless of the cause. The vital system status verification is a short checklist used to determine a baseline for possible operator actions. This checklist considers instrumentation power supplies, ESFAS status, steam line break protection system status, etc. The operator then monitors basic plant parameters for the three symptoms previously discussed. If everything is normal, the plant has responded as designed and come to a steady post-trip condition. No further action is required. However, if the operator diagnoses an imbalance in one of the basic symptoms, he is directed to the appropriate section for follow-up actions. These sections treat the symptoms and do not require the operator to determine the cause. It is expected, however, that as he treats the symptoms he will find the original problem.
3. Treating the symptoms will allow the plant to be brought to a stable condition. This could very well be "off normal" from what the operator normally sees. Accordingly, various cooldown procedures are provided to give him guidance on long-term recovery from these possible conditions.


C. ATOG display

1. The information required to identify and track the symptoms of interest is already available in power plant control rooms. It simply consists of reactor coolant system hot and cold leg temperatures, reactor coolant system pressure, steam generator pressure, and access to steam tables. The problem is how these variables can be best displayed to give the operator a simple and logical method of monitoring the symptoms of interest. The solution developed in ATOG is shown in Figure 1 which is basically a pressure-temperature (P-T) display with a saturation curve included. The area above and to the left of this curve is the subcooled region. The area below and to the right is superheat. Reactor coolant system hot leg temperature (Thot) and cold leg temperature (Tcold) are input to this display and plotted as functions of reactor coolant system pressure. Steam generator pressure is also input. The saturation temperature for this input pressure is displayed as a vertical line. The subcooled margin line accounts for potential instrumentation inaccuracies with the objective of assuring subcooling above that line.

2. A typical plant response to a reactor trip is shown in Figure 2. For simplicity, only reactor coolant hot leg temperature is plotted. With the reactor coolant pumps running (forced circulation) and the comparatively small amount of energy being added to the coolant by decay heat, the cold leg temperature is also expected to settle out close to this hot leg temperature. Additionally, because the differential temperature across the steam generator tubes is small, both of these temperatures should approach the saturation temperature of the secondary side of the steam generator (SG Tsat). The Figure also shows steam pressure moving from its pre-trip value up to the steam safety valve setpoint and back to its post-trip value. As long as Thot, Tcold, and SG Tsat remain within a "post-trip window", the plant is responding normally.
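The check that the display supports, as an added example (not part of the original report or of the ATOG guidelines themselves): it derives the three symptoms from the four display inputs. The margin, coupling band, post-trip window floor and the rule used for excessive heat transfer are assumed illustration values, and the saturation points are rounded steam-table values with pressures taken as psia.

```python
from bisect import bisect_left

# Saturation line for water: (pressure psia, temperature deg F), rounded.
SAT_TABLE = [(400, 444.6), (600, 486.2), (800, 518.2), (1000, 544.6),
             (1200, 567.2), (1400, 587.1), (1600, 604.9), (1800, 621.0),
             (2000, 635.8), (2200, 649.5), (2400, 662.1), (2600, 673.9)]

# Assumed illustration values, not taken from the ATOG document.
SUBCOOLING_MARGIN_F = 20.0  # offset of the subcooled margin line
COUPLING_BAND_F = 10.0      # allowed Tcold minus SG Tsat after a trip
WINDOW_FLOOR_F = 535.0      # low-temperature edge of the post-trip window


def t_sat(p_psia):
    """Saturation temperature by linear interpolation in SAT_TABLE."""
    pressures = [p for p, _ in SAT_TABLE]
    if not pressures[0] <= p_psia <= pressures[-1]:
        raise ValueError("pressure outside tabulated range")
    i = bisect_left(pressures, p_psia)
    if pressures[i] == p_psia:
        return SAT_TABLE[i][1]
    (p0, t0), (p1, t1) = SAT_TABLE[i - 1], SAT_TABLE[i]
    return t0 + (t1 - t0) * (p_psia - p0) / (p1 - p0)


def symptoms(t_hot, t_cold, rcs_p, sg_p):
    """Return the Part I, Section III treatments the readings point to."""
    found = []
    # Thot must sit left of the saturation curve by at least the margin.
    if t_sat(rcs_p) - t_hot < SUBCOOLING_MARGIN_F:
        found.append("lack of adequate subcooling margin")
    sg_tsat = t_sat(sg_p)  # the vertical line on the display
    # Coupling broken: the primary is much hotter than the secondary.
    if t_cold - sg_tsat > COUPLING_BAND_F:
        found.append("lack of primary-to-secondary heat transfer")
    # Assumed rule: secondary saturation has fallen out of the window.
    elif sg_tsat < WINDOW_FLOOR_F:
        found.append("too much primary-to-secondary heat transfer")
    return found


if __name__ == "__main__":
    # Constructed readings: Thot, Tcold (deg F), RCS and SG pressure (psia).
    for case in [(550, 548, 2155, 1025), (540, 538, 1000, 950),
                 (600, 595, 2300, 1000), (495, 490, 1700, 600)]:
        print(case, symptoms(*case) or ["normal post-trip response"])
```

An empty result corresponds to the normal post-trip case, where no follow-up section is entered.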


[FIGURE 2: P-T plot. Vertical axis ticks 400 to 2600; horizontal axis: Reactor Coolant and Steam Outlet Temperature - F, 400 to 700. Labels: post trip; subcooled region; superheat region; steam pressure; subcooled margin line; normal operating point - power operation (Thot); end point - post trip with forced circulation (Thot & Tcold) and for natural circulation (Tcold); end point - post trip with natural circulation (Thot).]

D. Use of Part I Guideline

1. The ATOG display provides a constant feedback to the operator on his success or failure after taking each step in Part I. This display should be checked frequently to make sure things are progressing as expected. It will thus give the operator early indications of subsequent failures that are delayed after the initial event, or multiple failures that were covered by the predominant event and didn't appear until that one was corrected.

2. The guidelines are constructed such that the operator makes an attempt to correct the problem with a given piece of equipment or system (e.g., EFW to correct loss of main feedwater). If that fails he is instructed to go on to the next step (e.g., HPI cooling). The failure of the EFW system is not given priority attention in the body of Part I, protection of the core is.
3. The operator is given frequent "present plant status" (PPS) aids throughout the procedure to help him maintain proper orientation.
4. If new symptoms appear he is instructed to recycle (go to the section that treats that symptom) to the appropriate part of the procedure.

E. ATOG Part II Organization

1. Part II is used away from the control room (classroom study). It is intended to train the operator in how to use Part I and build up his confidence in the symptom-oriented approach to transient control.
2. Part II is divided into two volumes, "Fundamentals of Reactor Control for Abnormal Transients", and a "Discussion of Selected Transients". Volume one covers the following topics:
a. Heat transfer it transport from the fuel to the condenser.

It concentrates on explaining the equipment influence on this heat flow and the operator's ability to control that equipment.

b. Use of Pressure - Temperature (P-T) Diagrams - A discussion of the mechanics of reading the basic ATOG display.
c. Abnormal Transient Diagnosis and Mitigation - Leads the operator through the basic types of abnormal transients from reactor trip to steady state giving ATOG display interpretations and correct operator responses. This chapter is vital to the operator's understanding of Part I. It is an entire transient management approach.

d. Backup Cooling Methods - Explains the various options available when the steam generator or the reactor coolant pumps are not capable of supporting a normal cooldown. Typical subjects are: recovery from loss of natural circulation, reflux boiling, HPI (once through) cooling and inadequate core cooling considerations.

e. Best Methods of Equipment Operation - Presents guidance on equipment sequences such as throttling or stopping HPI, tripping and restarting RCP's, cooling down on one steam generator, etc.

f. Stability Determination - Presents considerations for defining the end of the abnormal transient including LOCA and non-LOCA events.

3. Volume two of Part II presents discussions on each of the transients studied during the development of the guidelines. Each transient is broken down into a discussion of the main success path (expected design response) and compound multiple failure paths. A logic diagram for study of the overall transient is provided along with several examples of typical P-T responses for that transient. Correct operator actions are presented and referenced back to a similar action in Part I. The intent is to convince the operator that Part I will protect the plant regardless of the sequence of failures or initiating events.

F. Human Factors Input

Kinton, Incorporated was retained as a human factors consultant for the ATOG Program. Their participation was as follows:

1. Conducted site visits to each program participant to interview operators for input to guideline format and level of detail required.

2. Participated in training simulator experiment with AP&L operators using ATOG draft guidelines to handle various multiple casualties. The major observation was that inexperienced operators used the guidelines, those with many years of plant operation did not. The conclusion was that the guidelines organized into written procedure what the operator has been doing all along (i.e., handling transients on a symptom approach until steady state is achieved).

3. Reviewed cause wheels and provided alternate formats.
4. Developed logic diagrams for Part I as an alternate or redundant format for the action portion of the guidelines.
5. Completed a detailed review of Part I and Part II of ATOG and issued a findings report.

G. Extent of ATOG Coverage

1. As a minimum ATOG replaces the five transients (plus LOCA and ICC) studied to develop the guidelines.
2. Any initiating event which affects the thermodynamic symptoms covered by ATOG will be handled (from a core protection standpoint) by the ATOG guidelines. The guidelines continue directing the operator to alternate equipment until the plant is stabilized or the limits of the design are reached.


3. ATOG as an integrated method of post-trip transient control is better than any existing approach now being used. The guidelines can be implemented with their present scope and used in parallel with the utility's existing (fire, flood, earthquake) procedures. This will at least maintain the present level of effectiveness of existing procedures while gaining the advantage of the ATOG procedures.

4. The guidelines are flexible and capable of easily being expanded. The inclusion of inadequate core cooling and thermal shock considerations are such examples. In a like manner if remotely operated hot leg vents or reactor vessel water level are added to the plants, ATOG can again be expanded to include them. Similarly, the guidelines for handling a degraded core could be added.

The guidelines are complete enough to be useful now and should be implemented as quickly as possible. ATOG may not cover all hypothetical events, but it is not incorrect.


IV. Conclusion

The ATOG program, as directed by the B&W Owners Group, is an ambitious effort to provide new plant emergency procedures and analysis on a plant specific basis. It was initially undertaken in response to NUREG-0578 and the Utilities' desire to re-evaluate existing procedures and practices. The program is broader in scope and more detailed in analysis than that required at the time of initiation. It involves the collection of up-to-date plant specific data from each of the operating B&W plants, development of sequence diagrams and event trees for each transient under consideration, detailed analysis (on a realistic basis) for many of the possible paths a transient scenario could take, and the development of plant specific guidelines.

The program has proven extremely successful in achieving the primary goal of simplifying the operator's problem of recognizing and mitigating plant failures. By providing symptom oriented guidelines and a supporting parameter display system, the program has bridged the gap between single failure transients. The operator is no longer required to determine the initiating event before taking corrective action. By utilizing the guidelines and display, he can monitor the thermodynamic state of the plant, recognize his approach to limits and obtain positive feedback from his corrective action. Additionally, the Part II of the guideline provides the operator a comprehensive training manual to enhance his understanding of realistic plant behavior during transients. The three basic elements of the program (procedures, training and display system) form the triad for improved plant operations and safety.

The ATOG program is not complete in its coverage. It does not cover all possible plant transients or all plant conditions. Necessary limitations and boundaries were placed on the program in order to keep it manageable and on a realistic schedule. Events selected for inclusion in the program were those that were frequent in occurrence or were difficult to recognize or had significant consequences if not controlled. It is a first step in a new frontier of emergency plant control. As a result, the ATOG guidelines can be readily incorporated into the existing structure of emergency procedures and can be easily expanded to address additional considerations.

The ATOG guidelines are the most comprehensive emergency guidelines issued to the B&W plants. They are thorough in their coverage of the events considered and provide significant understanding of plant transient behavior. They should be implemented into plant operation on a trial basis and further refined through operating experience.
