ML20034B051
| ML20034B051 | |
| Person / Time | |
|---|---|
| Site: | South Texas |
| Issue date: | 01/23/1990 |
| From: | Sype T, Tyrus Wheeler SANDIA NATIONAL LABORATORIES |
| To: | NRC |
| Shared Package | |
| ML20034B049 | List: |
| References | |
| NUDOCS 9004250266 | |
| Download: ML20034B051 (62) | |
DRAFT

South Texas PSA Review
Evaluation of Internal Event Accident Frequency Estimates and Containment Binning
Interim Report
January 23, 1990

Prepared by:
Timothy A. Wheeler, Teresa T. Sype
Sandia National Laboratories, Division 6412
P.O. Box 5800
Albuquerque, New Mexico 87185

John L. Darby, ?ob Valsh
Science and Engineering Associates, Inc.
SEA Plaza, 6100 Uptown Blvd. N.E., Suite 700
Albuquerque, New Mexico 87190

9004250266 900410 PDR ADOCK 05000498 PDC

Foreword
The objective of this review is to evaluate the South Texas Project (STP) Probability Safety Analysis (PSA) for the USNRC. The PSA was reviewed for thoroughness of analysis, accuracy in plant modeling, legitimacy of assumptions, and overall quality of the work. The review is limited to the internal event analysis. A review of the fire accident analysis will be presented in a later report.

This review is not a pass/fail evaluation of the adequacy of the PSA. The adequacy of the analysis depends on the intended uses and must be addressed on a case-by-case basis by the licensee and the NRC. This review identifies strengths, weaknesses, and areas where additional clarification would assist the NRC in evaluating the PSA for specific regulatory purposes.

It should be noted that the licensee, Houston Lighting and Power, did not see any of the comments in this review prior to its release to the NRC. The licensee has not had the opportunity to respond to any statement made or question raised by this interim report. Some of the concerns raised by this review will undoubtedly be resolved after further communication with the licensee.
1.0 INTRODUCTION
This report summarizes a review of the South Texas Project (STP) Probabilistic Safety Assessment (PSA).(1) The PSA was produced by Houston Lighting and Power Company (HL&P) using the services of Pickard, Lowe, and Garrick, Inc. (PLG).

The review was conducted by Sandia National Laboratories (SNL) with assistance from Science and Engineering Associates, Inc. (SEA). This report focuses on internal initiating events only. The May 1989 version of the PSA was reviewed. Other material utilized in the review included: an up-to-date Final Safety Analysis Report (FSAR),(2) System Descriptions as included in the PSA, numerous Piping and Instrumentation Diagrams (P&IDs), logic diagrams, elementary wiring diagrams, technical specifications, and emergency operating procedures (EOP). A two-day site visit in November 1989 supplemented this written material.

In Section 2 the assumptions regarding the plant systems which were incorporated into the PSA are discussed. This section serves as a review of how accurately the PSA reflects the plant as characterized in the FSAR. In Section 2.1 the system success criteria for responding to the various transient events are covered. Section 2.2 is an evaluation of the support system requirements identified in the PSA for the various systems. In Section 2.3 assumptions regarding the configuration of the systems and human actions for both normal and emergency operations are discussed.

Section 3 contains the review of the application of PRA methods to the analysis. Section 3.1 is a discussion of the Initiating Event analysis, Section 3.2 contains the review of the event trees, and the system modeling is reviewed in Section 3.3. The quantification process is reviewed in Section 3.4, and the defining of plant damage states is discussed in Section 3.5. An overview of the dominant sequences is in Section 3.6.

Section 4.0 is a review of the PSA documentation, and Section 5.0 is a discussion of special topics and insights regarding the PSA. Conclusions are in Section 6.0.

Review comments in Sections 2 through 4 of this report are categorized into three areas:
A. Good Insights and Important Assumptions.
B. Items Insufficiently Explained.
C. Potential Problems to be Resolved.
1.1 Methodological Overview
The methodology used in the STP PSA is referred to as a "large event tree - small fault tree" technique. This methodology, developed by PLG, Inc., emphasizes the development of very large accident sequence event trees with many detailed top events, or split fractions in the PLG terminology. Each event tree top event is modeled by a single independent logic model such as a fault tree or block diagram. This process is significantly different than the methodology employed in NUREG 1150 (4) and other NRC sponsored risk analyses. The NRC programs use what is described as a "small event tree - large fault tree" approach, where relatively simple event trees are developed to describe accident sequences, and extensive, highly dependent fault trees are developed to model the top events.

The PLG methodology does not model dependencies between systems and components explicitly in the top event or system models. Support systems and even operator actions are included as top events in the event trees along with front line systems. Each path through a particular event tree defines a unique sequence of events, and dependencies between events in the same sequence are handled by developing a model for each event which is dependent on any preceding event in the sequence. For example, if a particular sequence includes loss of electrical power as one top event and loss of Auxiliary Feedwater System (AFWS) as a subsequent top event, then a fault tree for loss of AFWS given loss of electrical power is developed. This is in contrast to the typical NRC method where event trees define combinations of front line system failures. The NRC method models system dependencies by developing a fault tree for each front line system with support system fault trees linked or attached to the front line trees.

The two methods result in very different representations of final accident sequences which can render comparisons of results between studies very difficult. The NRC method propagates basic event faults from the system fault trees through the event trees to the sequence end states. It does this by first linking support system fault trees to front line fault trees, then merging the appropriate front line trees for each sequence, and then using Boolean reduction to arrive at a unique sequence expression with minimal cut sets of basic events. The PLG technique passes no basic event information from the system level models to the event trees, but rather each top event is quantified separately and the resulting value (or distribution for the uncertainty quantification) is propagated through the event tree model.

The result is that accident sequence models look very different between the two methodologies. PLG accident sequence models have no cut set or basic event representation, but are combinations of split fractions (top events) which have been modeled specifically to account for the relationships between the top events for each sequence. The NRC method yields sequence expressions in the form of Boolean equations with cut sets of basic events from the system fault trees.
Because of the fundamental differences between the methods, results must be compared carefully. A direct comparison between sequences from the two methods is not always possible. Comparisons must be made between similar types of accident sequences (e.g., station blackout). Importance measures cannot be directly compared between methodologies as well, because of the different techniques of propagating basic event failures through the accident sequence analysis.

Other differences exist, including common cause failure modeling, methods of sampling of uncertainty distributions, and failure rate values. However, much of the work PLG has done on common cause failures has been incorporated into the common cause analysis of NUREG 1150. In addition, many of the PLG basic event failure rates share common industry data with the NUREG 1150 data base. Differences between NUREG 1150 and the STP PSA regarding failure rates for similar components may arise. However, this last difference is more indicative of analyst choice or interpretation of data rather than fundamental methodological differences.

It should be noted that the purpose of this review is not to evaluate the validity of the PLG methodology for PRA. Both methods can produce correct results when applied properly. The purpose of this review is to evaluate the quality, thoroughness, and accuracy of the STP PSA analyses and to assess the legitimacy of the results.
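
The contrast described in Section 1.1, worked as an added example (not part of the original report, nor code from PLG or the NRC programs): one accident sequence is quantified by fault-tree linking with Boolean reduction to minimal cut sets, and again by split fractions conditioned on the preceding top event. The two-train feedwater system, its fault trees, and every probability are constructed for illustration and are not STP data.

```python
import math
from itertools import product

# Constructed toy model, not STP data: basic-event failure probabilities.
P = {"BUS": 1e-3, "PUMP_A": 2e-2, "PUMP_B": 5e-2}
IE_FREQ = 0.1  # constructed initiating-event frequency, per year

# A fault tree is a basic-event name or ("and" | "or", child, child, ...).
EP_FAILS = "BUS"                                         # top event: loss of electric power
AFWS_FAILS = ("and", ("or", "PUMP_A", "BUS"), "PUMP_B")  # train A needs the bus, train B does not


def cut_sets(tree):
    """Expand a fault tree into cut sets (frozensets of basic events)."""
    if isinstance(tree, str):
        return {frozenset([tree])}
    op, *children = tree
    expanded = [cut_sets(child) for child in children]
    if op == "or":
        return set().union(*expanded)
    # AND gate: merge one cut set from every child, for all combinations.
    return {frozenset().union(*combo) for combo in product(*expanded)}


def minimal(sets):
    """Boolean absorption: drop every cut set that strictly contains another."""
    return {s for s in sets if not any(other < s for other in sets)}


def evaluate(tree, state):
    """True if the tree's top event occurs for the given basic-event states."""
    if isinstance(tree, str):
        return state[tree]
    op, *children = tree
    results = [evaluate(child, state) for child in children]
    return all(results) if op == "and" else any(results)


def probability(tree, given=None):
    """Exact top-event probability by enumeration, with events in `given` fixed."""
    given = given or {}
    free = [event for event in P if event not in given]
    total = 0.0
    for values in product([True, False], repeat=len(free)):
        state = {**given, **dict(zip(free, values))}
        if evaluate(tree, state):
            total += math.prod(P[e] if failed else 1 - P[e]
                               for e, failed in zip(free, values))
    return total


def linked_fault_tree():
    """Small event tree / large fault tree: link, reduce, quantify cut sets."""
    mcs = minimal(cut_sets(("and", EP_FAILS, AFWS_FAILS)))
    # Rare-event approximation: sum of cut-set products.
    freq = IE_FREQ * sum(math.prod(P[e] for e in cs) for cs in mcs)
    return mcs, freq


def split_fraction():
    """Large event tree / small fault tree: one number per top event,
    requantified for each boundary condition set by the path so far."""
    ep = probability(EP_FAILS)
    afws_lost = probability(AFWS_FAILS, {"BUS": True})   # AFWS given power lost
    afws_ok = probability(AFWS_FAILS, {"BUS": False})    # AFWS given power available
    return {"sequence": IE_FREQ * ep * afws_lost,
            "afws_given_ep_lost": afws_lost,
            "afws_given_ep_ok": afws_ok}


def naive_independent():
    """Misapplied split fractions: AFWS quantified once, ignoring the path."""
    return IE_FREQ * probability(EP_FAILS) * probability(AFWS_FAILS)


if __name__ == "__main__":
    mcs, linked = linked_fault_tree()
    print("minimal cut sets:", [sorted(cs) for cs in mcs])
    print("linked fault tree frequency:", linked)
    print("split fraction result:", split_fraction())
    print("naive independent frequency:", naive_independent())
```

Both methods give the same sequence frequency, but only the linked model exposes the cut set {BUS, PUMP_B}; the split-fraction result carries the dependency solely in the choice of conditional value, which is why importance measures and sequence listings from the two approaches cannot be compared directly.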
1.2 Limitations of the Analysis
The STP PSA represents a detailed Level I risk analysis. The sophistication of the various models and analyses is generally consistent with state-of-the-art PRA practices. But as such, this analysis has limits of scope which are characteristic of PRA state of the art. Areas and issues not treated here include:
o Partial Failures
o Design Adequacy
o Adequacy of Test and Maintenance Practices
o Effect of Aging on Component Reliability and Break-in Phenomena
o Adequacy of Equipment Qualification
o Environmentally Related Common Cause
o Similar Parts Related Common Cause
o Sabotage

A further limitation of the STP PSA, which is consistent with current PRA practice, is the steam generator tube rupture (SGTR) initiator. The STP PSA considered only single tube ruptures. Multiple tube rupture events have not been considered in even the most recent PRAs.
2.0 PLANT ASSUMPTIONS
This section of the report summarizes the review of the plant model to which PSA techniques were applied. A great deal of effort was put forth in the PSA to understand plant systems. Section 5.4 of the PSA and the System Descriptions in the PSA provide excellent details of system operations, limitations, interfaces, and assumptions used to create risk models. The event sequence diagrams of Section 5.4 are well thought out and useful.

2.1 Success Criteria
Criteria of special importance are discussed in this section as they relate to system success.

2.1.1 Transients
A. Good Insights and Important Assumptions
It is conservatively assumed that main feedwater is isolated following. [Reference 1, Pages 5.4-10, 5.4-12, and 5.4-28]

It is conservatively assumed that steam dump utilizing the turbine bypass system is not available following reactor trip. [Reference 1, Page 5.4-28]

Criteria for Reactor Coolant Pump (RCP) seal cooling is provided, including the ability to utilize the positive displacement charging pump powered from the Technical Support Center (TSC) diesel generator given isolation of letdown. [Reference 1, Pages 5.4-13 and 5.4-35] Seal failure is assumed to result in a small LOCA which is equivalent to a hole 0.5 to 2 inches in diameter. [Reference 1, Pages 5.4-35, and Section 5.4.6, definition of small LOCA] Using the Moody Model as described in Reference 3, a two inch hole discharges about 240 lbm/sec (water); Table B.3 of NUREG-1150, Reference 4, indicates that for a total of three RCPs using older design seal O-rings, the leak rate can be substantially greater than 240 lbm/sec. The PSA addressed this concern by performing a sensitivity analysis on seal leak rate. Using a leak rate of 1900 gpm (approximately equal to the maximum RCP leak rate in NUREG-1150), the overall core melt frequency increased by only 24. [Reference 1, Section 2.2.3]

The PSA did consider both pressure and temperature limitations on the use of RHR. [Reference 1, Page 5.4-17]

To maintain hot standby for an extended period of time, makeup water to the Auxiliary Feedwater Storage Tank (AFWST) must be provided. This requirement was factored into the PSA. [Reference 1, Page 5.4-27]

The PSA recognizes that an Engineered Safeguard Features Actuation Signal (ESFAS) isolates normal charging and letdown but does not isolate seal injection. [Reference 1, Pages 5.4-30 and 5.4-35]
A good discussion of how transients can progress to Loss of Coolant Accidents (LOCAs) was provided. [Reference 1, Pages 5.4-30 and 5.4-40]

The PSA accounts for the need to depressurize the primary system if a transition from hot standby to RHR cooling mode is desired. [Reference 1, Pages 5.4-18] Depressurization can be achieved by spray, control of makeup and letdown, or use of primary PORVs. It is implicit in the PSA that during cooldown, pressurizer heaters are not required to maintain subcooling margin and allow use of RCPs. Ambient heat losses from the pressurizer and insurge of primary water to compensate for primary thermal contraction should not decrease pressure significantly when compared to the decrease in saturation pressure as primary temperature is reduced.

Should a transient event change to a small LOCA, High Head Safety Injection (HHSI) will be required. [Reference 1, Page 3.4-16] For sufficiently small LOCAs, eventual recirculation from the sump will require high head pumps given the inability to sufficiently depressurize the primary. The high head pumps pull directly from the sump during recirculation. Decay heat removal and containment cooling are provided by Reactor Containment Fan Coolers (RCFCs), not by the RHR heat exchangers. [Reference 1, Page 5.4-8 and 5.4-19] Containment cooling is discussed more fully in Section 2.1.8 of this report.

The discussion of transients in Section 5.4 of the PSA provides good insight into required operator actions. For example, following a normal trip with no transition to a LOCA, the operator must: control letdown and makeup, control main feedwater if available or auxiliary feedwater if actuated, control cooldown with turbine bypass steam dump or steam generator PORVs, control RCS pressure, borate as required, and initiate RHR if return to power is not an option.
B. Items Insufficiently Explained
Pressurized Thermal Shock (PTS) is of concern following a reactor trip if turbine trip fails and any Main Steam Isolation Valve (MSIV) fails to close. PTS is a possibility if the operator fails to manually throttle high head injection to maintain primary pressure within allowable limits as primary temperature decreases during the uncontrolled cooldown. [Reference 1, Pages 5.4-16 and 5.4-32] Numerical values for the failure of the operator to throttle high head injection and for the subsequent conditional probability of vessel failure from PTS could not be located in the PSA. [Reference 1, Table 5.4-5 does not provide a systems analysis reference section for Top Event VI, Reactor Vessel Remains Intact During PTS Challenge.]

Successful end states following a transient are: hot standby, hot shutdown with Residual Heat Removal (RHR) cooling the plant toward cold shutdown, or return to power. There appears to be some confusion in nomenclature; numerous statements appear to refer to hot standby as hot shutdown. [Reference 1, Pages 5.4-27, 5.4-29, 5.4-37] In hot shutdown RHR can be in operation; RHR cannot be in operation during hot standby if the definitions of Table 1.2 of Reference 5 are followed. The nomenclature in the PSA should be consistent with that in the Technical Specifications.
C. Potential Problems to be Resolved
Successful feed and bleed requires at least one train of High Head Safety Injection (HHSI) and manual opening of both pressurizer PORVs before steam generator dryout. [Reference 1, Pages 5.4-19 and 5.4-29] High head charging pumps are not necessary for feed and bleed because the secondary water inventory in the steam generator provides for heat removal during the first 30 minutes of the transient, after which decay heat is sufficiently low to allow depressurization with the PORVs and makeup with HHSI. Section 5.1 of Reference 1 claims that over one hour is available before steam generator dryout. The time to dryout was discussed during the site visit in November 1989. A key parameter affecting time to dryout is how many full power seconds occur between loss of feedwater and reactor trip. Reactor trip on low level will probably result in dryout in about 30 minutes, while if credit for earlier reactor trip on overtemperature delta T can be assured, dryout may not occur until after one hour. During the November meeting HL&P agreed to resolve this but has yet to do so.ts)
2.1.2 Large LOCAs
A. Good Insights and Important Assumptions
A large LOCA is a major breach in the primary system piping that rapidly depressurizes the primary system. As primary fluid flashes, both water and vapor blowdown through the break with incomplete phase separation and the vessel retains little water until Emergency Core Cooling System (ECCS) injection occurs. The PSA categorizes breaches greater than a six inch diameter equivalent as a large LOCA. [Reference 1, Page 5.4-143] This is a reasonable definition for a large LOCA, because at normal system pressure a six inch hole discharges about 2200 lb/sec (water)(3), and the maximum ECCS injection rate from one train of HHSI and Low Head Safety Injection (LHSI) is 4000 gpm or 560 lb/sec with a completely depressurized primary. [Reference 2, Figure 15.6-54] Thus, a six inch hole exhibits the characteristics of a major breach: rapid depressurization, emptying of the vessel, and the need for LHSI.
B. Items Insufficiently Explained
The PSA assumes that accumulator injection is not required following a large LOCA. [Reference 1, Pages 5.4-143] This assumption needs to be justified. During the November 1989 site visit, HL&P agreed to address this item by either documenting the acceptable ECCS performance without accumulators or by adding a requirement for accumulator injection in the follow on Level II PSA, but has yet to do so.<s)

The large LOCA event tree does not address the effect of failure to isolate containment on the ability to reflood the core. If the containment pressure is lower than the minimum back pressure used in the LOCA licensing analyses, reflood occurs at a lower rate. [Reference 6, Sections 6.2.1.1.1.6 and 6.3.3, and Figure 6.2.1.5. Reference 7, Section 6.2.1.5]

The PSA does not address long term switch over from cold to hot leg recirculation to avoid boron precipitation.
2.1.3 Medium LOCAs
A. Good Insights and Important Assumptions
A medium LOCA covers a range of breach sizes between a large and a small LOCA. At the upper end of the range, a medium LOCA is like a large LOCA. At the small end of the range, a medium LOCA is like a small LOCA where injection does not utilize LHSI. The PSA categorization of breaches between two and six inch equivalent diameter as medium LOCAs is reasonable. [Reference 1, Page 5.4-129] LHSI would never be activated for a two inch break since at 300 psia (LHSI shutoff) one HHSI train can inject 1200 gpm (168 lb/s) while the break flow would only be about 100 lb/s (water) using Moody's model. [Reference 2, Section 6.3 and Figure 15.6-54, Reference 3]

It is assumed in the PSA that no steam generator heat removal is required to remove decay heat, due to enthalpy losses out the break. This is a valid assumption. At 2500 psig (safety valves setpoint) a two-inch hole relieves 240 lb/s (water), and 1.7x10^5 Btu/s or 110 lb/s (steam) and 1.2x10^5 Btu. [Reference 3, Reference 8] The change in enthalpy of 1.2x10^5 Btu/s can match decay heat at about 300 seconds after reactor trip. [Reference 2, Figure 6.2.1.1-18] During the first 300 seconds the excess decay heat would heat up the primary by about 15 degrees F at most, which would not saturate the primary.

B. Items Insufficiently Explained
The PSA assumes that accumulators are not needed to mitigate a medium LOCA. The resolution of this item is discussed in Section 2.1.2 along with large LOCAs.
2.1.4 Small LOCAs
A. Good Insights and Important Assumptions
A small LOCA requires HHSI for makeup and also requires steam generator cooling. Phase separation in the vessel occurs following a small LOCA if the RCPs are tripped. Breaches small enough to be handled by the normal Chemical and Volume Control System (CVCS) are categorized as transients. The PSA categorizes breaches between 0.5 and two-inch equivalent diameter as small LOCAs. [Reference 1, Page 5.4-109] Based on Table 9.3-9 of Reference 2, the CVCS can match a leak of about 150 gpm (hot fluid) in excess of 100 gpm normal letdown since the maximum CVCS injection is 230 gpm charging plus 20 gpm seal injection. 150 gpm (hot fluid) is 14 lb/s. At normal primary pressure a 0.5 inch hole will discharge about 15 lb/s.(3) Even if reactor trip on low pressure should occur, no ESFAS actuation will occur since CVCS makeup can exceed loss through the hole above the ESFAS low pressure trip setpoint of 1850 psig.(5) Thus, 0.5 inches is an appropriate lower limit for small LOCAs.

A two inch upper limit for a small LOCA is acceptable. However, the details of primary to secondary cooling vary for different sizes of small LOCAs. For example, with steam generator cooling, the primary temperature will approximately equal the secondary temperature, about 550 degrees F. Saturation pressure at 550 degrees F is about 1000 psia. At 1000 psia one train of HHSI supplies about 700 gpm or 98 lb/s, but a break of size two inches relieves water in excess of this HHSI injection rate at 1000 psia. Thus, for certain small LOCAs the primary system will depressurize to saturation, flashing will occur, and condensation cooling of the primary side in the steam generators will be required.ce) However, one train of HHSI will, indeed, mitigate such a small LOCA.
In the recirculation mode, for breaches in the lower end of the small LOCA size range, recirculation cooling will be with HHSI. The PSA claims that in this situation, RCFCs can remove decay heat and cool containment. [Reference 1, Page 5.4-121] For high end small LOCAs, the primary system will depressurize to the point where LHSI can be used, which provides for heat removal through the RHR heat exchanger. Containment cooling is discussed in Section 2.1.8 of this report.

Given a small LOCA without Turbine Trip or MSIV closure, concerns related to PTS are handled as they were for a transient. [Reference 1, Pages 5.4-110 and 5.4-124]

B. Items Insufficiently Explained
The PSA does not discuss breach of an instrument tube as a unique small LOCA. This breach is special because of its location being below the core. All other small LOCAs (which are in elevated piping) will uncover (steam out the break) prior to water level falling below the top of the core if the RCPs are tripped. However, the small size of the instrument tube (probably 5/8 inch) should ensure that HHSI can make up the loss and retain subcooled natural circulation to the steam generators without break uncovery being necessary.(8) That is, the generic small LOCA success criteria probably covers instrument tube LOCAs. The PSA should address instrument tube LOCAs and ensure they are covered within the generic small LOCA category.
2.1.5 SGTR
A. Good Insights and Important Assumptions
The description of a Steam Generator Tube Rupture (SGTR) accident in Section 5.4 of the PSA is very thorough.

The PSA conservatively assumes core damage if the primary cannot be cooled to hot shutdown and RHR initiated. [Reference 1, Page 5.4-102] It is possible to mitigate a SGTR by remaining in hot standby below the steam generator PORV setpoint on the bad steam generator provided makeup to the AFWST is available.

The PSA conservatively assumes primary pressure must be controlled with spray, auxiliary spray or primary PORVs during cooldown. [Reference 1, Pages 5.4-106 and 5.4-107] Plant Emergency Operating Procedures (EOP) do cover cooldown following a SGTR without pressurizer pressure control or with a saturated primary.(10,11)

2.1.6 V Sequence
A. Good Insights and Important Assumptions
The V sequence is an interfacing systems LOCA that bypasses containment.
It should be noted that the RHR pumps and heat exchangers are inside containment at STP and thus their associated piping is not a potential initiator for the V sequence.

B. Items Insufficiently Explained
The PSA did not explicitly quantify the V sequence, claiming that since at least three valves in series must fail, the frequency of the sequence will be less than that calculated for Seabrook.(12) The frequency of a large early release at Seabrook is small when consideration of mitigating actions is incorporated subsequent to the initiator. Without more discussion of the ability of the South Texas Plant to mitigate the initiating event, this comparison of the two plants is questionable even though the frequency of the initiating event is probably lower for the South Texas Plant than for the Seabrook plant. This concern should be addressed in the PSA. [Reference 1, Page 5.4-151 and Table 5.4-30]

Table 5.4-31 of the PSA is entitled "Piping Systems Connected to the RCS". This table fails to include the four-inch letdown line which penetrates containment. This line is not of concern for the V sequence due to the presence of flow orifices in the line inside containment which limit flow through a line break outside containment to within the CVCS makeup capability. [Reference 2, Section 15.6.2.2] A break in the letdown line outside containment is thus categorized as a transient, not a LOCA. This point should be discussed in the PSA.
2.1.7 ATWS
A. Good Insights and Important Assumptions
The discussion in the PSA for the Anticipated Transient without Scram (ATWS) sequence is very thorough.

Vessel failure is assumed to not occur if ASME level C service conditions are maintained which correspond to an upper limit on primary pressure of 3200 psig. If 3200 psig primary pressure is exceeded, a small LOCA is postulated to occur. [Reference 1, Page 5.4-42]

The PSA requires boration given failure of rods to insert, to mitigate the ATWS. [Reference 1, Page 5.4-41] Boration is necessary to reduce power and lower pressure to allow for inventory makeup.

2.1.8 Containment Cooling
B. Items Insufficiently Explained
The PSA implies that spray injection and spray recirculation are not required for containment integrity, but are helpful for fission product removal. [Reference 1, Page 5.4-144] Containment pressure will exceed the calculated pressures of Section 6.2, Reference 2, if there is no spray injection, but apparently it would not exceed the design value of 56.5 psig. However, the effect of no containment spray injection on containment pressure is not explicitly discussed.

Without spray recirculation, thermodynamic equilibrium between the sump water and the containment atmosphere is less closely achieved. This means the sump may be boiling, which is acceptable because adequate NPSH for the ECCS pumps is available if the vapor pressure for the sump water is as low as the containment pressure due to vapor and air. [Reference 2, Section 6.3.2.2] Spray recirculation removes no energy from containment at STP, but does help establish thermodynamic equilibrium.

Section 5.4 of the PSA states that during recirculation, either one RHR heat exchanger or two RCFCs can maintain containment integrity and match decay heat. [Reference 1, Pages 5.4-148, 5.4-149, 5.4-76] These criteria are in conflict with those of Section 16 of the PSA which states both one RCFC and one recirculation heat removal path are required. [Reference 1, Page 16.1-5] Also, Section 16 implies that recirculation always removes heat, which is not true at STP when recirculating with HHSI pumps; only recirculation with LHSI pumps utilizes the RHR heat exchangers. The discrepancies between Sections 5.4 and 16 of the PSA should be resolved.
The PSA does not reference the basis for the adequacy of containment cooling with one LHSI loop in recirculation or two RCFCs. A rough calculation supports this criteria, but it is not justified in the PSA.

The design maximum temperature of the ECCS pumps is 300 degrees F. [Reference 2, Table 6.3-1] If it is assumed that the sump water reaches this temperature and that the containment sprays are not working, thermodynamic equilibrium between the sump and containment would not be established. The sump would be boiling and total containment pressure would be 68 psia, slightly below the containment design pressure of 71.2 psia. At 68 psia, air pressure is about 19 psia and hence vapor pressure is about 49 psia. Saturation temperature at 49 psia is 280 degrees F. With containment atmosphere at 280 degrees F, two RCFCs can remove about 220x10^6 Btu/hr from the containment; and with the sump water at 300 degrees F, one RHR heat exchanger (LHSI) can remove about 200x10^6 Btu/hr from the sump water. [Reference 6, Figure 6.2.1.1-3 and Table 6.2.11-5] Decay heat would not reach 200x10^6 Btu/hr until approximately 4000 s after reactor trip. [Reference 2, Figure 6.2.1.1-18] If recirculation is initiated at 1200 s (a reasonable time based on information in the FSAR) with the containment atmosphere at 235 degrees F, decay heat would be about 280x10^6 Btu/hr. [Reference 2, Table 6.2.1.1 and Figure 6.2.1.1-18] The mismatch can be conservatively estimated as 80x10^6 Btu/hr into containment for 2800 s. Thus, a total of 62x10^6 Btu are added to containment before minimum containment cooling can match decay heat. This mismatch is acceptable because about 190x10^6 Btu would be required to generate saturated vapor in containment from 235 degrees F to 280 degrees F. Equipment operability under these minimum containment cooling conditions is not discussed in the PSA.
It is claimed in the PSA that a hole in containment greater than or equal to three inches in diameter will not allow containment to pressurize. [Reference 1, Page 5.4-73] The basis for this claim is not clear. At a design pressure of 71.2 psia, a three-inch hole will relieve about 2.2x10^4 lb/hr of saturated vapor. (Based on equations in Reference 13.) If it is assumed that all decay heat generates steam and an enthalpy of phase change of 900 Btu/lb is used, this relief rate can match 1.98x10^7 Btu/hr of decay heat. However, this level of decay heat is not reached until about 10^6 seconds after reactor trip. [Reference 2, Figure 6.2.1.1-18] The PSA does not justify the three-inch limit.

In accident scenarios in which recirculation from the sump is available, but with no containment heat removal via RHR heat exchangers or RCFCs, core melt is assumed to occur prior to containment failure. [Reference 1, Pages 5.4-121, 5.4-135, 5.4-146] This is reasonable using 300 degrees F as the design limit for ECCS pumps since, as previously discussed, the 300 degrees F limit should be reached before the containment design pressure is reached. This point should be clarified in the PSA.

The PSA does not consider the possibility for early containment failure except for failure to isolate. (Reference 1, Section 5.4.4 and Table 16.1-6) Early containment failure is failure before or during core melt due to causes other than failure to isolate containment. It is stated in NUREG 1150 that early containment failure at large dry PWR containments is of low likelihood; however, direct containment heating following high pressure melt, or in-vessel steam explosion, can cause early containment failure. These points should be mentioned in the Level 1 PSA but do not have to be substantiated until the Level II PSA is completed.
2.2 Support System Requirements

Tables 5.3-1 and 5.3-2 of the PSA summarize intersystem dependencies. The system descriptions appended to the PSA provide more details on support interfaces.

2.2.1 Electric Power

A. Good Insights and Important Assumptions

System dependencies on electric power for motive power appear to be completely identified. The 4160 Vac system includes the 480 Vac system. (Reference 1, System Description 1, assumption J6) Sources of electric power consist of: offsite power, the three 4160 Vac 1E trains including 480 Vac, the four DC 1E trains, and the four Vital 120 Vac trains.
The following requirements were correctly identified in the PSA:

- Pressurizer PORVs require DC to open.
- Pressurizer PORV block valves require 480 Vac to close.
- Steam Generator PORVs use hydraulic actuators and require 480 Vac. They also require 120 Vac and the Qualified Display Processing System (QDPS).
- Auxiliary Feedwater train D requires DC power to open isolation valves; no AC power is required for train D. Trains A, B, and C require 4160 Vac for pump motors and 480 Vac for isolation valve motors; DC power is required to close the circuit breakers to start the pumps. (4160 Vac motors are across-the-line starting and do not use motor starters.)
- MSIVs fail closed on loss of DC.
- Turbine bypass valves require DC to open.
- The CVCS centrifugal charging pumps require 4160 Vac for motors and DC for closing circuit breakers. The CVCS positive displacement pump motor requires 480 Vac. Valves require 480 Vac.
- The HHSI and the LHSI require 4160 Vac for pump motors and DC for circuit breakers. All motor operated valves (MOVs) are correctly aligned for injection, but 480 Vac is required to operate valves when switching to recirculation.
- The Containment Spray System (CSS) requires 4160 Vac for pump motors, 480 Vac for valves, and DC for circuit breakers.
- The RCFCs require 460 Vac for fan motors and DC for circuit breakers.
- Containment isolation requires 480 Vac and DC.
- RHR, Component Cooling Water (CCW) and Essential Cooling Water (ECW) require 4160 Vac for pump motors, 480 Vac for valves, and DC for circuit breakers.
- Essential chilled water requires 480 Vac for pump motors. The PSA identifies a requirement for 1E DC also; however, this may not be necessary. These motors use motor starters in a motor control center and the AC power for closing contactors is derived from a stepdown transformer in the 480 Vac supply [wiring diagram 9ECH0701]. Only if circuit breakers upstream of the contactors are open is 1E DC required to close them.
2.2.2 Instrumentation and Control

The electrical requirements for Instrumentation and Control (I&C) were reviewed for both automatic control, and indication as required for manual control.

A. Good Insights and Important Assumptions

The following I&C dependencies for automatic actuation were correctly identified in the PSA:

- Automatic actions to trip the reactor and actuate safety equipment do not require control power. The Reactor Protection System (RPS) and the ESFAS both de-energize to trip except for the final bistable for initiating containment spray. (Reference 2, Section 7.3.1.2.2.1.)
- 1E DC is required for closing and tripping circuit breakers in 4160 Vac and 480 Vac circuits.
- 1E DC is required for diesel generator field flashing and emf control. (The diesel generators do not use dedicated batteries, as verified in Reference 6.)
- 1E DC is required for the ESF Diesel Generator Load Sequencers.
- AC for 480 Vac motor starters in Motor Control Centers (MCC) is derived from the 480 Vac distribution to the MCC via a stepdown transformer.
The following I&C dependencies for reading instrumentation in conjunction with subsequent manual actions were correctly identified in the PSA (power for actuated components was discussed in the previous section):

- Solid State Protection System (SSPS) is necessary to reset ESFAS. SSPS requires 120 V vital ac.
- QDPS and associated inputs are needed to monitor plant conditions. QDPS requires 120 V vital ac.
- For control of Auxiliary Feedwater, QDPS and DC power are required for train D; QDPS and 120 Vac are required for trains A, B, and C.
- Switching ECCS from injection to recirculation mode requires SSPS for actuation on low RWST level.
- Essential chilled water needs QDPS for ECW valves on chillers.
- Other systems need I&C to provide information required for manual control; however, the ability to manually control these systems is not critical. Such systems include: CVCS, CCW, ECW, RHR heat exchangers/bypass, and boron addition.
B. Items Insufficiently Explained

For control of HHSI, QDPS is required. Without information on pressurizer level, throttling of HHSI as required (for example, to avoid PTS) is not possible. This dependence is not identified in Table 5.3-2 of the PSA.
2.2.3 HVAC/Room Cooling

Room cooling is required to maintain equipment within design temperature limits. Heat sources within a room include: hot fluid, motors, and electrical switchgear. Heat removal is provided by building Heating, Ventilating and Air Conditioning (HVAC) systems or by dedicated room coolers.

The requirements for safety grade cooling as discussed in Section 9.4 of Reference 2 were compared to the dependencies indicated in Tables 5.3-1 and 5.3-2 of the PSA.

A. Good Insights and Important Assumptions

The following dependencies for HVAC/Room Cooling were correctly identified in the PSA:

- Control room HVAC requires Essential Chilled Water to cool the chiller condensers in Air Handling Units (AHU).
- Essential Chilled Water requires ECW for a heat sink.
- Electrical switchgear requires the Electrical Auxiliary Building (EAB) HVAC.
- EAB HVAC requires Essential Chilled Water to cool AHUs. (Once-through EAB HVAC is discussed in Section 2.3.2 of this report.)
- CCW pump rooms require supplementary coolers cooled by ECW. This is an additional dependence of CCW on ECW besides the need for CCW heat exchanger cooling. System Description 7 of the PSA for CCW indicates that ECW is necessary for both CCW heat exchanger cooling and for supplementary coolers.
- Diesel Generator rooms require once-through ventilation using supply fans and intake/exhaust louvers. This dependence is not explicitly identified in Table 5.3-1; however, System Description 1 of the PSA for electrical power verifies that this dependence is considered as part of the standby power system itself.
- The ECW pump rooms require once-through ventilation using supply fans and intake/exhaust louvers. This dependency is included as part of the ECW system itself. [Reference 1, System Description 4, Section J.9.]

B. Items Insufficiently Explained

The CVCS pump rooms require supplementary coolers cooled by CCW. This is an additional dependence of CVCS on CCW besides lube oil cooling for the centrifugal charging pumps. System Description 10, Section C of the PSA for CVCS indicates CCW is required for cooling all CVCS pump rooms. However, Section 1, assumption 9 of this system description states that analyses performed by HL&P indicate loss of room cooling for the positive displacement pump is acceptable. This analysis should be referenced, because an important finding of the PSA is that RCP seal injection can be provided by the PDP powered off the TSC diesel generator following station blackout.

C. Potential Problems to be Resolved

ECCS pump rooms require Essential Chilled Water according to Reference 2, Section 9.4. This dependence is not included in Table 5.3-2 of the PSA for LHSI, HHSI, and CSS. Table 5.3-2 does indicate that the ECCS pump rooms require EAB HVAC. Based on Reference 6, this entry is not necessary since it evidently accounts for an indirect dependence of the pump motors on the EAB HVAC. The EAB HVAC is necessary for cooling of the 4160 Vac power supply switchgear for the ECCS pumps, but this dependence is already included as part of the ECCS dependency on the 4160 Vac system.

System Description 10 for safety injection, assumption J-2, states with respect to ECCS pump room cooling "...it is assumed that room cooling is not necessary due to natural convection that will be available."(1) This assumption is not justified. During the November, 1989 site visit, HL&P stated that they are investigating this issue. During a tour of the plant in November, it was noted that the ECCS pump rooms are open to the Fuel Handling Building. Also, the RHR heat exchangers are inside containment, not in the ECCS pump rooms as they are at some plants. Thus, heat removal requirements for these rooms may be possible by natural circulation alone but this claim must be substantiated.

The utility supplied information on this issue in a letter dated January 16, 1990 from S. D. Phillips, Support Licensing.* In the letter, transient heatup analyses of the ECCS pump rooms were discussed. The analysis of most significance to the ECCS room cooling dependency issue is a study of the temperature profile of the pump rooms with no room cooling available, including the FHB HVAC system. The FHB and ECCS are linked by large passageways which could allow for significant air flow between the two volumes. The analysis also assumed no natural convection between the pump rooms and the FHB. Thus, the analysis looked at heatup in "sealed" ECCS pump rooms.

* Letter to T. A. Wheeler from S. D. Phillips.

The analysis showed that an "enveloping temperature was reached in three days." Unfortunately, the letter did not state what this enveloping temperature was. If this temperature was assumed to be 300 degrees F (maximum operating temperature of the ECCS pumps), then this analysis could be flawed. Electrical and control components which are located in the pump rooms may have a significantly lower maximum operating temperature. If the analysis correctly accounted for the maximum operational temperature of these components, then the three-day time period until this enveloping temperature is reached provides a very long recovery time window. Loss of ECCS pump room cooling is most probably not important in this circumstance. However, if the maximum operating temperature of the electrical and control components was not correctly incorporated into the analysis, then the issue of ECCS room cooling dependency has not been resolved.

2.2.4 Cooling Water

A. Good Insights and Important Assumptions

This section discusses the requirements for direct cooling of equipment; room cooling was discussed in the previous section. The following requirements were verified to be correctly considered by the PSA:

- Emergency Diesel Generators are cooled by ECW
- CCW is cooled by ECW
- Essential Chilled Water is cooled by ECW
- RHR Heat Exchangers are cooled by CCW
- RCFCs are cooled by CCW
- CVCS centrifugal charging pumps lube oil is cooled by CCW
- RCP seals are cooled by either seal injection or CCW
- RCP motor is cooled by CCW
- RCP pump thermal barrier is cooled by CCW
- Auxiliary feedwater pumps are self cooled
- PDP pump in CVCS is self cooled [System Description 10, Section I, Reference 1.]
- HHSI, LHSI and CSS pumps are all self cooled. [Reference 2 and Reference 6.]

2.2.5 Instrument Air

A. Good Insights and Important Assumptions

Loss of Instrument Air (IA) is an initiating event because, among other things, it causes loss of main feedwater. The PSA does include loss of IA as an initiator. [Reference 1, Table 5.2.1.] This section reviews the impact of the loss of IA on mitigating systems. IA was not considered to be required for any mitigating system in the PSA; IA is not included in the system dependency Tables 5.3-1 and 5.3-2 of the PSA.

Section 9.3.1.3.1 of Reference 2 states that no safety components require accumulators to function properly. This design feature means that loss of IA is not of concern for safety related components at STP. (At other plants where accumulators are required, loss of IA should be considered because without recharging, accumulators may leak due to check valve failures.) IA is required for some non-safety components at STP. Air starting for DGs is provided by dedicated air compressors and storage receivers which are separate from the IA system. [Reference 2, Page 8.3-6 and Page 8.3-24.]

Using Table 9.3-2 of Reference 2, the effect of loss of IA was examined for impact on the PSA. This review provided the following results:

- Main Steam System MSIVs Fail Closed (FC). This has no effect on the PSA since the PSA assumed main feedwater and turbine bypass are not available after reactor trip as discussed in Section 1.1.1 of this report.
- RHR heat exchanger valves Fail Open (FO) and heat exchanger bypass valves FC. This has no effect on the PSA.
- CCW radiation monitoring valves FC. This has no effect on the PSA.
- All air operated components in ECW, CVCS, control room HVAC, and EAB HVAC fail to safe position. This has no impact on the PSA.
- Diesel Generator ventilation dampers FO. This has no impact on the PSA.
- All air operated components in essential chilled water fail to safe position. This has no impact on the PSA.
- Cross connect valves in the AFW FC. This has no impact on the PSA since cross connection was not considered. [Reference 5]
- TBVs FC. This has no effect on the PSA due to no credit being given for steam dump after trip.
- Main feedwater flow control valves FC. Also, steam to pump turbines is lost since MSIVs FC. This has no effect on the PSA since no credit was given to main feedwater after trip.
- ECW intake structure ventilation components fail to safe position. This has no impact on the PSA.

The assumption that IA is not required as an important mitigating system in the PSA appears to be correct.

B. Items Insufficiently Explained

Loss of IA has no effect on the PSA model as long as no credit is given for main feedwater or for turbine bypass steam dump after a trip. A more complete discussion of the justification for not including IA in the plant model would clarify this point.

2.3 System Lineups and Operations

This section highlights important aspects of the PSA related to standby system availabilities and off-normal lineups available to mitigate accidents.

2.3.1 Normal

A. Good Insights and Important Assumptions

At power, standby system known unavailabilities are limited by the technical specifications. Major asymmetries in train unavailabilities as modeled in the PSA are summarized in this subsection.

For AFW, train D has a different unavailability than trains A, B, or C because D is turbine driven, DC controlled, and A, B, and C are motor driven, AC controlled. Technical specification 3.7.1.2 of Reference 5 places more stringent operability requirements on trains B and C than on train A. (This is probably because A and D share the same ESF actuation channel A.) The PSA indicates that the failure rate for train A is higher than the failure rate for Train B or C. In particular, failure rates for A and B (or C) are respectively: 8.6x10^-2 (split fraction CDF) and 5.1x10^-2 (CDH). (System Description 9, Reference 1).

For ECW, the PSA assumes train A is running, C is standby autostart, and B is off but available for manual start. (System Description 4, Assumption J.5, Reference 1) Thus the failure rate for B is highest, and the failure rate for C is higher than that for A. In particular, failure rates for A, B, and C are, respectively: 9.4x10 ' (Wil), 1.3x10^-1 (W13) and 9.6x10-8 (W14).

For EAB HVAC, the PSA assumes Trains A and B are running and Train C is on standby. Thus failure of Train C is higher than A or B. [System Description 6, Assumption J.1, Reference 1.] In particular, failure rates for A (or B) and C are, respectively: 6.8x10 ' (Fil), 4.5x10^-2 (F13).

2.3.2 Emergency

A. Good Insights and Important Assumptions

Cross connection of AFW among steam generators was not considered as a possibility in the PSA.(8) This is a conservative assumption.

Feed and Bleed success criteria is based on Westinghouse calculations which justify the use of one HHSI train and both pressurizer PORVs. [Reference 1, Page 5.4-29] Credit for using only one PORV or vessel head vent is not given in the PSA.

RCP seal injection during station blackout is possible using the PDP charging pump powered by the TSC diesel generator. [Reference 1, Page 5.4-35]

ESFAS reset is required to throttle HHSI (to prevent PTS). [Reference 1, Page 5.4-14]

ECCS switchover from injection to recirculation is automatic.

Primary PORV motor operated block valves can be closed given failure of a PORV to reset. [Reference 1, Page 5.4-22] (Steam generator PORV block valves are manual valves, locked open.)

RCPs are tripped upon loss of CCW to bearing oil coolers to avoid vibration induced seal LOCAs. [Reference 1, Page 5.4-25]

AFW Storage Tank (AFWST) makeup is required to remain in hot standby. [Reference 1, Page 5.4-27]

Following an ATWS with inability to insert rods, boration is required. [Reference 1, Page 5.4-41]

On HHSI recirculation with no RCFCs, no containment heat removal is available. Operators can attempt to depressurize the primary with the steam generator PORVs to allow LHSI recirculation and heat removal by RHR heat exchangers. [Reference 1, Page 5.4-69]

Following a SGTR, operator action is required to isolate the bad generator and cooldown to hot shutdown where RHR can be used. [Reference 1, Section 5.4.5]

The PSA conservatively does not take credit for the following scenarios given SGTR:

- Primary depressurization without PORVs, spray, or auxiliary spray. [Reference 1, Page 5.4-106]
- Remaining at hot standby below setpoint of PORV on bad steam generator with makeup to AFWST. [Reference 1, Page 5.4-102]
- Using turbine bypass steam dump as a way to depressurize secondary. [Reference 1, Page 5.4-102]
- Isolation of bad steam generator with other downstream valves if the MSIV fails to close given operator action. [Reference 1, Page 5.4-107]

B. Items Insufficiently Explained

If normal EAB HVAC is unavailable due to loss of cooling to AHU chiller condensers, the PSA assumes that once-through (smoke purge) operation of EAB HVAC will prevent components from overheating. [Reference 1, System Description 6, Section B.6, E.6, J.3, and J.5] This is an important point; the PSA should reference the actual calculation justifying once-through cooling with no AHU cooling.

The System Description for AFW states that decay heat removal with one steam generator is acceptable provided the PORV setpoint is reduced within 120 minutes after trip to lower the steam generator secondary temperature. [Reference 1, System Description 9, assumption J-2.f and item B] The Plant Model implies that one steam generator fed with AFW can remove decay heat without its PORV being available. [Reference 1, Page 5.4-33] This difference in assumptions should be cleared up.

3.0 PROBABILISTIC SAFETY ANALYSIS FOR STP

This section of the report summarizes the review of the application of PSA techniques to the South Texas Plant.

3.1 Initiating Events

A. Good Insights and Important Assumptions

The PSA performed a comprehensive identification of initiating events. [Reference 1, Section 5.2] The following three methods were used to identify initiating events: Master Logic Diagram, Heat Balance Fault Tree, and Failure Modes and Effects Analysis. The final selection and grouping of initiating events is reasonable. [Reference 1, Section 5.2.4 and Tables 5.2-8]

The Failure Modes and Effects Analysis (FMEA) focused on plant specific support system failures of significance as initiating events. The FMEA was applied, to some degree, to all 212 STP systems and subsystems. The FMEA did not consider coincident, multiple failures among systems; however, such occurrences are sufficiently rare as to be eliminated from consideration. (The initiating phase of an accident can be defined as covering the time from the first event until reactor trip should occur, about ten seconds at most. The likelihood of subsequent failures occurring during this short interval is small. Failures following the initiating phase are modeled as mitigating system failures.)

B. Items Insufficiently Explained

Minor comments on the identification of initiating events are as follows:

- High and medium energy line breaks and cracks should be discussed more completely as potential initiating events. LOCAs, main steam line breaks, and feedwater line breaks are considered; however, the FMEA did not explicitly address other breaks such as one in the high energy steam line to the auxiliary feedwater train D drive turbine. Such events may be bounded by other events retained for detailed analysis as described in Section 5.2.4 of the PSA.
- The PSA does not justify excluding core blockage as an initiating event. Tables 5.2-6 and 5.2-7 indicate this event was identified but screened from further analysis.

3.2 Event Trees

A. Good Insights and Important Assumptions

The PLG technique uses the large event tree, small fault tree approach. This technique develops models for a system which reflect the effect of prior system successes and failures. Event tree linking is used to correctly select the appropriate combination of system models for a given accident sequence. That is, the ordering of split fractions (top events) in a particular sequence determines the appropriate system model to be used. A split fraction is the conditional probability of a system success or failure dependent on all previous system successes and failures.

The STP PSA contains four stages of event trees: two support and two frontline. The first stage event tree is for the electric power system, while the second stage event tree covers mechanical support systems. The third stage event tree models frontline systems through the early phase of an accident while the fourth and final stage event tree models frontline systems during the latter phase of an accident. Section t. 3.5 of the PSA summarizes event tree linking, which is a complex process. The procedure, as described, does indicate how a given split fraction is properly quantified; that is, the procedure addresses all prior failures and successes which form pre-existing conditions that affect the particular fault tree to be selected for each system in a given accident sequence. Both support system dependencies and the effect of the initiating event on the split fraction quantification are described.

The event trees are very complex due to the nature of the PLG technique. The PSA does an excellent job of describing the event tree development. The Event Sequence Diagrams (ESDs) which were developed as precursors to the frontline system event trees are extremely useful both as a development tool and as a road map for review. The PSA is careful to point out simplifying assumptions used in developing the event trees.

One preliminary concern about the event tree linking approach is how system dependencies are handled. That is, if a support system functions in a degraded manner, it may still impact quantification of another system. The PSA can account for such effects in either of two ways: an event tree may have more than two branches at a given event [Reference 1, Page 4.13], or special events can be added to the event tree.

It is concluded that the STP event trees and the techniques utilized for event tree linking adequately account for accident sequence delineation and dependent effects.

3.3 System Modeling

A. Good Insights and Important Assumptions

The STP PSA does not provide graphic fault trees consisting of a road map of component failures combined in "and" and "or" gates. Due to the nature of the PLG techniques, the system component failures can be developed without such a graph. Support system failures are considered as boundary conditions on a system and are incorporated into sequence models by event tree linking as described in Section 3.2 of this report. Instead of graphic fault trees, block diagrams are utilized and Boolean equations for block failures are developed. [Reference 1, Section 4.2.2.1.1]

B. Items Insufficiently Explained

The System Descriptions appended to the PSA adequately document system failure models at the component level; however, the documentation is not easy to review.

3.4 Quantification

This section provides a short summary of the PLG PSA techniques for quantifying internally initiated core melt sequences and a discussion of the quantification aspects of the STP PSA.

3.4.1 Techniques

A. Good Insights and Important Assumptions

The quantification technique is discussed in sections 4 and Appendix A of the PSA.(1)

System level quantification is accomplished by convoluting Discrete Probability Distributions (DPD) for constituent components according to the failure or success logic created to model the system. Independent failures of identical components within a given system are correlated (DGs fail to start, for example); there appears to be no correlation for identical components among different systems (MOVs fail to open, for example). Common mode dependent failures are modeled using the Multiple Greek Letter (MGL) method. The DPD technique enables all types of probability distributions to be convoluted even if they are not well-behaved, lognormal in form.

The result of a system quantification is a probability distribution for a split fraction of an event tree. As summarized in Section 3.2 of this report, event tree linking is used to assemble the appropriate split fractions into an event sequence, and intersystem dependencies are accounted for by development of system failure models for each split fraction, as specified by the large event trees, with appropriate boundary conditions for linking.

The system quantification is rigorous in terms of consideration of probability distributions of constituent components; the resulting system probability distribution is a logical convolution of all component probability distributions rather than a point estimate quantification followed by an uncertainty model applied to important component failures.

Accident sequences are quantified using point estimates (means) for each constituent split fraction. The PLG method tends to generate an unwieldy number of sequences, so the point estimate quantification is used to screen out nondominant sequences from further analysis. Important sequences are then subjected to a Monte Carlo uncertainty analysis and sequence probability distributions are produced. These probability distributions provide the final quantified results for the PSA.

C. Potential Problems to be Resolved

There appears to be no correlation for identical components in different systems. For example, similar events (e.g., MOVs fail to open) in two different system models (e.g., AFWS, ECCS) would not be correlated even if their quantification is based on the same entry in the data base.
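
The size of this effect can be seen by convoluting a discrete probability distribution with and without the correlation. The following Python sketch is an added example, not code from the PSA or from the PLG software; the DPD class, the function names and the three-point MOV fail-to-open distribution are constructed for illustration only.

```python
"""Added illustration: correlating identical components in DPD convolution.

Not code from the PSA or the PLG software. The three-point MOV
distribution below is constructed for the example.
"""
from itertools import product
from math import isclose


class DPD:
    """Discrete probability distribution: (value, weight) pairs, weights sum to 1."""

    def __init__(self, points):
        total = sum(w for _, w in points)
        if not isclose(total, 1.0, abs_tol=1e-9):
            raise ValueError(f"weights sum to {total}, expected 1")
        merged = {}
        for value, weight in points:          # merge duplicate values
            merged[value] = merged.get(value, 0.0) + weight
        self.points = sorted(merged.items())

    def mean(self):
        return sum(v * w for v, w in self.points)

    def variance(self):
        m = self.mean()
        return sum(w * (v - m) ** 2 for v, w in self.points)

    def convolute(self, other, op):
        """Combine two separately known quantities: every pair of discrete
        points is combined with op and the weights are multiplied."""
        return DPD([(op(x, y), wx * wy)
                    for (x, wx), (y, wy) in product(self.points, other.points)])

    def transform(self, fn):
        """Apply fn to one uncertain quantity. The same discrete point feeds
        every occurrence, which is what a shared data base entry implies."""
        return DPD([(fn(v), w) for v, w in self.points])


def all_fail_uncorrelated(p, k=2):
    """k identical components fail, each treated as its own uncertain quantity."""
    out = p
    for _ in range(k - 1):
        out = out.convolute(p, lambda x, y: x * y)
    return out


def all_fail_correlated(p, k=2):
    """k identical components fail, all quantified from one uncertain quantity."""
    return p.transform(lambda x: x ** k)


# Constructed sample: MOV fails to open, probability per demand.
MOV_FAIL_TO_OPEN = DPD([(1e-3, 0.25), (3e-3, 0.50), (1e-2, 0.25)])


def compare(p, k=2):
    """Return (uncorrelated mean, correlated mean, ratio) for k components."""
    u = all_fail_uncorrelated(p, k).mean()
    c = all_fail_correlated(p, k).mean()
    return u, c, c / u


if __name__ == "__main__":
    for k in (2, 3):
        u, c, ratio = compare(MOV_FAIL_TO_OPEN, k)
        print(f"k={k}: uncorrelated mean={u:.4e}  correlated mean={c:.4e}  "
              f"ratio={ratio:.2f}")
```

For two components the gap between the two means equals the variance of the shared distribution, so the underestimate from leaving the components uncorrelated grows with the uncertainty in the data base entry.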

3.4.2 Data Base

A. Good Insights and Important Assumptions

The PLG generic data base was the source of data for the STP PSA. [Reference 1, Section 7] This extensive data base provides probability distributions for numerous component specific failures due to: hardware failures, common cause effects, and maintenance unavailability. No STP plant specific data was incorporated into the STP specific data base, because the data was developed prior to plant operation; however, the generic data was screened for applicability to STP components.

The data base is comprised of both nuclear power plant experience and industry data compilations. Component specific failure quantifications are provided in Section 7 of the PSA.

For some of the failure rates contributing to the more probable core damage sequences at STP, Table 3.4.2-1 compares the mean values used in the STP PSA with the generic ASEP mean values.(4)

Table 3.4.2-1 Sample Mean Failure Rates

| Component Failure Mode | Mean of PLG Distribution | ASEP Value (Mean) |
|---|---|---|
| Loss of offsite power | 0.09/yr | 0.11/yr* |
| Diesel Generator, fail to start and run 24 hr (excluding test and maintenance) | 0.10/demand | 0.08/demand |
| Turbine Driven AFW Pump, fail to start and run 24 hr (excluding test and maintenance) | 0.06/demand | 0.04/demand |

* Sequoyah specific analysis.(10)

The PLG data base appears to be slightly more conservative than the ASEP data base; however, the difference is not substantial. Generally, the data base for the STP PSA is extensive and the quantification methods are state of the art.

B. Items Insufficiently Explained

Component specific data is provided in Section 7 of the PSA in tabular form; the mean, fifth percentile, median, and ninety-fifth percentile points of the distribution for each specific failure are provided. These data tables do not provide units of the data, although the units can be deduced from the numerical values and from discussions accompanying the tables. In addition, there is no information on the specific distributions used to model the frequency distributions. It is not possible to reconstruct or understand the nature of the frequency distributions based on the limited information provided. For instance, Section 7 of the PSA contains several examples of deriving a distribution based on different types of data (e.g., generic data, operating experience). Some of the examples yield discrete distributions (see page 7.3-6 of Reference 1). Others yield continuous distributions which may be well defined, such as lognormal (Page 7.3-11), or numerically generated (Page 7.3-14). It is impossible to tell from the tables of the PSA data base which of these types of distribution is used for each frequency distribution.
3.4.3 Testing and Maintenance A. Good Insights and Important Assumptions Testing and Maintenance unavailabilities are discussed in Section 7.5 of the PSA m Constituent causes include:
repairs during operation, repairs following scheduled testing, scheduled testing, unscheduled repairs and testing, and preventative maintenance.
Probability distributions on both the frequency and duration are used to develop unavailability probability distributions for a specific component.
The PLC generic data base served as the source of data.
Plant specific features and site specific maintenance policies and procedures were used to correctly apply the generic data for frequency of maintenance to specific components.
Plant specific technical specifications and component specific mechanical details were used to correctly apply the generic data for duration of maintenance to specific components.
The STP PSA considered asymmetries in train unavailabilities within a given system. This aspect was discussed in Section 2.3.1 of this report.
Different maintenance-caused unavailabilities among trains within a given system can result due to the following reasons:
A train may be operating, in auto standby, or in manual standby. (ECW for example.)
One train may be comprised of different hardware than another. (AFW turbine driven, DC controlled train D for example, as contrasted with motor driven, AC controlled trains A, B, and C.)
Technical specifications may allow different outage times among trains. (AFW Train A can be inoperable longer than Trains B or C.)
The plant specific maintenance data for the STP PSA appears reasonable.
3.4.4 Common Cause
A. Good Insights and Important Assumptions
Common cause failures are modeled in the PLG generic data base through the Multiple Greek Letters (MGL) method.
This method can be used to quantify common cause failures among more than two identical components.
The PLG generic data base was used as the basis for common cause parameter quantification.(18)
Data from this data base was screened for applicability to STP.
The consideration of common cause in the STP PSA appears complete.
Section 7.4 of the PSA discusses common cause failures.(1)
3.4.5 Human Factors
A. Good Insights and Important Assumptions
The human error rates (HERs) used in the STP PSA were compared to values used for similar human errors by other PRA studies. The majority of the South Texas values were higher than those used by other studies; the remainder were within the same range of values.
This somewhat tempers the concerns addressed in this section regarding the lack of documentation.
B. Items Insufficiently Explained
The comments presented in this section follow Section 15 of the STP PSA,(1) i.e., the comments on Section 15.1 and 15.2 are ordered such that they follow the presentation of the methodology in Sections 15.1 and 15.2.
The human actions analysis methodology is a combination of variations of three methodologies: SLIM, SHARP, and THERP.(17) How these methodologies are varied from their original derivation and why they have been changed is not documented.
Also, as with many other HRA methodologies, SLIM has not been universally accepted by the HRA community.
Section 15.1 and 15.2
The goals listed for the human reliability analysis (see page 15.1-1, fourth paragraph) are important.
One goal that has not been mentioned, but is equally important, is the ability of an individual not involved in the original analysis to use the methodology presented to obtain duplicate Human Error Rate (HER) values.
The methodology presented should enable the reader to reproduce the results.
The last paragraph of Section 15.1 states, "The methodology developed and used in evaluating the dynamic human actions in the event sequences and the recovery actions in this study is relatively new, it is believed to be a significant improvement over previous methodologies by providing a greater traceability to basic factors affecting human performance." What is the difference between the new methodology and that used previously and what accounts for the "significant improvement"?
In Section 15.2, the first paragraph attempts to describe the new methodology, "PLG has adopted an application of SLIM to quantify the event level dynamic operator actions in the plant response model of a PRA."
No reference has been given for SLIM.
There are several versions of SLIM available, the majority of which are the SLIM-MAUD version. Therefore the version referenced in this review for comparison purposes is The Use of Performance Shaping Factors and Quantified Expert Judgement in the Evaluation of Human Reliability: An Initial Appraisal, by David E. Embrey.(18)
Documentation of the differences between David Embrey's SLIM version and that chosen for the STP PSA along with justification for the changes would help validate the methodology by emphasizing any improvements made.
There are some problems associated with the PRA application of SLIM. The following statements are excerpted from various sections of CRS Project RS688,(19) which evaluated and compared various HRA methods. The following statements from Reference 19 highlight one HRA expert's opinion on why SLIM has limited use as an HRA procedure.
SLIM uses individual judgements combined statistically, it requires structure and guidance for these judgments.
Evidence on the consistency and validity of SLIM is unconvincing, more research is required.
Direct outputs from SLIM are interval scale numbers called SLI numbers ranging from 0 to 100. The SLI numbers must be converted to estimated HEPs by means of calibration using HEPs from some objective source.
Use of estimates obtained from some other psychological scaling technique should not be used to calibrate SLIM estimates.
Calibration data can consist of in-plant HEPs or training simulator HEPs that are plant specific.
If simulator data are used as calibrators, analysts need to recognize the problem of the validity of the simulator data themselves.
Calibrators are required for each homogeneous subset of tasks.
The flexibility of SLIM enables it to treat any aspect of human behavior.
Keep in mind that the direct outputs of SLIM are interval scale values, and must be calibrated if they are to be converted to HEPs to be used in a PRA.
SLIM stresses the importance of specifying relevant Performance Shaping Factors (PSFs) so that all judges have the same PSFs in mind when making judgments.
Judges consider one PSF at a time and do not appear to be instructed on how to handle any interactions.
There is no method for handling discrepant group opinions in the consensus mode. Another objection to the methodology is the assumption that the likelihood of error in a particular situation depends on the combined effects of a small set of PSFs.
Section 15.2 of the PSA, page 15.2-1, states, "Seven PSFs have been selected to span the range of problems that operators face".
A Performance Shaping Factor is any factor that influences human behavior.
PSFs may be external to the operator or may be a part of his or her internal characteristics.
As can be seen from its description, PSFs can be chosen from a wide variety of factors.
The STP PSA does not document how their PSFs were narrowed down to seven or why these are the most important.
Following are some quotations on PSFs from the Embrey report(18):
...a team of expert judges decides on a set of PSF which are deemed to be the major determinant of reliability in the broad category of tasks being considered.
... The composition of the panel of judges could include operators, supervisors, human factors specialists...and other experts with insight into the factors which could impact reliability.
The derivation of the initial PSF set will involve direct interaction between subject matter experts in order to arrive at a consensus for the task categories concerned.
...If a group of judges is asked to derive a global set of PSF for a task category, it is possible that they may have differing mental models of the ways in which the PSF should be weighted or can combine, to produce the resulting probability of task success. The imposition of the simple reliability model on the experts judgement is a means of increasing the homogeneity of their perceptions of the situation, thereby assisting in reaching a consensus.
For the STP PSA, was a team of expert judges used to decide on the PSFs?
Who were they and what are their credentials? Was a simple reliability model used?
The PSA describes an operator response form developed to document the factors affecting operator performance. Is Table 15.2-1, the scenario sheet form, the operator response form? If the scenario sheet form is the operator response form, it doesn't appear to provide a "qualitative assessment of the problems that the operator will face while undertaking an action" as described in the documentation. If these forms are not equivalent, where is the operator response form and what is the scenario sheet form?
The third paragraph of Section 15.2 states, "The quantitative evaluation of the HER is accomplished by assessment teams of operators and PRA team members...".
Who were the people used as the expert judges?
Did the mix of individuals used as judges provide varying sources of information? What training was provided to these experts?
The following statements are some excerpts from the Embrey 1983 report(18) regarding expert judges:
Multiple experts with varying sources of information are the most effective estimators of likelihoods as long as they are all reasonably knowledgeable regarding the area being considered. Training in probabilistic thinking can improve the judges' estimates.
Training should also acquaint the judges with known biases which can affect judgements.
Is the weight of each PSF, w, the normalized weight?
The derivation of the Success Likelihood Index (SLI) or Failure Likelihood Index (FLI) by Embrey normalizes the weight for each PSF.
After reading through the rest of the Section 15 documentation it does appear that the normalized weight is used.
The calibration tasks are selected from HERs determined by PRAs of other nuclear power plants.
As stated previously, use of estimates obtained from some other psychological scaling technique should not be used to calibrate SLIM estimates.
The STP PSA adaptation of SLIM resulted in a series of steps.
The first step refers to the methodology outlined in Steps 1 and 2 of SHARP. There is no reference given for SHARP.
Therefore the assumed version used is EPRI NP 5546. Step 1 also mentions a split fraction failure criteria, but doesn't define the term.
Step 4 refers to the methodology outlined in Step 3 of SHARP and to Table 15.2-1 (the scenario sheet form).
It is implied that use of the scenario sheet form implements the Step 3 SHARP methodology.
But, the scenario form doesn't document the operating experience (e.g., plant specific event write ups, LERs and events from other plants) that were scrutinized for the tasks to identify mishaps and corrective actions taken. Nor does it document the influence parameters (e.g., method of detection, alarms available, coordination required). This is a large deviation from step 3 of SHARP.
Was the intent to detail the task without including the influence parameters?
A thermal hydraulic analysis is mentioned but no further information is given.
A brief overview of what was done would be helpful.
Each of the seven PSFs have a descriptive scaling guide (see Table 15.2-2) that provides a method of achieving consistency when using several expert judges.
The scaling guides look reasonable but there is no discussion of the methodology and individuals used to develop it.
Step 8 mentions a LOTUS 1-2-3 program that was developed to aid in the classification of operator actions in groups having similar PSF weights.
No discussion of the methodology used for the program was provided.
None of the steps addressed what would happen if no consensus could be reached for the final rating of the group?
Section 15.3
The expected omission error rates and commission error rates (see Tables 15.3-1 and 15.3-2 respectively) are presented with no indication of where the rates originate or why these particular values are appropriate.
Justification is not given for the use of Figure 15.3-1 to determine the calibration error.
The Seabrook PSA was given as the source of the figure, but more specifics on its location in the document would be helpful.
A RISKMAN designator is mentioned on page 15.3-2 but no definition of this term has appeared in Section 15.
A future consideration for the human error designators used in Table 15.3-4 is to use designators that yield a description of the human error being modeled.
This would eliminate the need to check back on the table for a memory refresher of what the human error designator represents.
The description of Table 15.3-4 on page 15.3-2, "...and then the applicable situation from Table 15.3-3" leads to the column labeled, "Applicable Situation from Table 15 6", on page 15.3-6. Should these both indicate Table 15.3-2?
It is not immediately obvious where the cumulative HER mean values on Table 15.3-4 originate.
After some trial and error it was determined that they are an addition of the applicable situations from Tables 15.3-1 and 15.3-2. Better documentation would eliminate the trial and error process.
The designator ZHE018 has two cumulative HER mean values associated with it, 6.1E-3 and 9.4E-3.
Is this intentional?
The human error rates listed on Table 15.3-4 were compared to the values used for similar human errors from the Grand Gulf-1 and Peach Bottom NUREG-1150 analysis.(20,21)
The majority of the South Texas values were higher, while the remainder were similar to those used in NUREG-1150.
Section 15.4
Section 15.4 begins with a description of what was done by the analysts from steps 4 through 11 in the methodology section (15.2).
This brings up:
(1) What was done for step 1? What were some of the functions humans perform at each branch point in the preconstructed event tree? What classification system was chosen to ensure that significant human interactions are identified? What completeness checks were done?
(2) What was done for step 2? What screening technique was used to rank and select key interactions for detailed analysis? What were the results? What was the cut off parameter?
Were selected operator actions observed in the plant environment?
(3) What was done for step 3? The PSFs described in Section 15.2 are not presented as the final set of PSFs.
But Section 15.4 doesn't indicate anything else.
The comments on Section 15.1 and 15.2 on the scenario sheets are applicable for this section also.
Section 15.4, page 15.4-1, third paragraph states, "...five full operating crews evaluated the dynamic human actions following a briefing on methodology." The PSA does not expand on this, and it is not possible to ascertain whether the briefing incorporated probabilistic training and debiasing as recommended by Embrey.(18)
The third paragraph of Section 15.4 mentions use of the letters H, M and L to provide input for the PSF weighting factor.
But no discussion on what determines an H, M or L evaluation for PSFs is given.
These evaluations don't appear to follow Embrey's SLIM methodology. Also, what was given to the eight evaluation teams (i.e., what documents, instruction) to aid them in their evaluations?
The HL&P training staff evaluation (Table 15.4-32) and the single shift supervisor evaluation (Table 15.4-33) contain all 43 actions.
Some comment on this would be helpful.
The human action identifiers HEOL02 and HEOL01, on Table 15.4-39 were labeled HEOL2 and HEOL1 on all of the other tables.
The fourth paragraph on page 15.4-1 of the PSA states, "Weighting factors of 10, 5, and 0 were assigned to PSF weights with letters H, M and L, respectively.
Then, these weighting factors were normalized to sum to one for each evaluated human action.
Finally, these normalized PSF weights were averaged over all eight evaluations of the human actions."
Use of this method yields a PSF weight averaged across all eight teams for each of the seven PSFs. The human actions are then grouped according to similar PSF weights over all seven PSFs.
Three events were chosen to follow this methodology; HEOCH01, HE0806 and HE0502.
(Our copy of the report is missing page 15.4-73, which restricts the number of PSFs available for review.)
Following the methodology description, the first step is to normalize the weighting factors to sum to one for each evaluation. Then average these over all eight evaluations.
The PSFs checked were task complexity and stress, respectively. These are documented on Table 3.5.4-1.
Table 3.5.4-1 Task Complexity and Stress PSF Weights
| Evaluation Teams | HEOCH01 Normalized PSF for Task Complexity | HEOCH01 Normalized PSF for Stress | HE0806 Normalized PSF for Task Complexity | HE0806 Normalized PSF for Stress | HEOS02 Normalized PSF for Task Complexity | HEOS02 Normalized PSF for Stress |
|---|---|---|---|---|---|---|
| Team 1 | 5/45 | 5/45 | 5/45 | 5/45 | 5/45 | 5/45 |
| Team 2 | 5/35 | 5/35 | 10/70 | 10/70 | 5/35 | 5/35 |
| Team 3 | 5/35 | 0 | 5/55 | 10/55 | 10/55 | 0 |
| Team 4 | 10/30 | 0 | 5/30 | 5/30 | 0 | 0 |
| Team 5 | 0 | 0 | 0 | 10/35 | 10/20 | 0 |
| Team 6 | 5/30 | 5/30 | 5/50 | 10/50 | 10/45 | 5/45 |
| Team 7 | 0 | 0 | 0 | 10/40 | 0 | 0 |
| Team 8 | 0 | 5/30 | 0 | 10/40 | 5/25 | 5/25 |
| Average over all 8 evaluation teams | .1121 | .0734 | .0764 | .1985 | .1698 | .0706 |
| STP results (from Table 15.4-39) | .12 | .08 | .09 | .19 | .17 | .07 |
As can be seen, the values derived here do not exactly match the numbers from the STP PSA.
Perhaps the methodology has been misinterpreted, but independent checks by several analysts came to the same conclusion.
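The check described above can be repeated mechanically. The following Python sketch is an added example, not code from the PSA or from this review's authors: it applies the quoted procedure (H, M, L mapped to 10, 5, 0, normalized per evaluation, averaged over the eight teams) to the fractions of Table 3.5.4-1 and tests whether each STP value could be a two-decimal rounding of the recomputed mean. The seven letter ratings used in the demonstration call are constructed, since the PSA evaluation sheets are not reproduced here.

```python
from fractions import Fraction

# Raw weighting factors for the letter ratings, as quoted from page 15.4-1 of the PSA.
LETTER_WEIGHT = {"H": 10, "M": 5, "L": 0}

# Normalized weights from Table 3.5.4-1 of this review, in order Team 1 to Team 8.
# "5/45" is a raw weight of 5 out of that team's total of 45; "0" is an L rating.
TABLE_3_5_4_1 = {
    ("HEOCH01", "task complexity"): ["5/45", "5/35", "5/35", "10/30", "0", "5/30", "0", "0"],
    ("HEOCH01", "stress"): ["5/45", "5/35", "0", "0", "0", "5/30", "0", "5/30"],
    ("HE0806", "task complexity"): ["5/45", "10/70", "5/55", "5/30", "0", "5/50", "0", "0"],
    ("HE0806", "stress"): ["5/45", "10/70", "10/55", "5/30", "10/35", "10/50", "10/40", "10/40"],
    ("HEOS02", "task complexity"): ["5/45", "5/35", "10/55", "0", "10/20", "10/45", "0", "5/25"],
    ("HEOS02", "stress"): ["5/45", "5/35", "0", "0", "0", "5/45", "0", "5/25"],
}

# Averages the STP PSA reports in Table 15.4-39, as quoted in Table 3.5.4-1.
STP_REPORTED = {
    ("HEOCH01", "task complexity"): "0.12",
    ("HEOCH01", "stress"): "0.08",
    ("HE0806", "task complexity"): "0.09",
    ("HE0806", "stress"): "0.19",
    ("HEOS02", "task complexity"): "0.17",
    ("HEOS02", "stress"): "0.07",
}


def normalize_ratings(letters):
    """Turn one evaluation's H/M/L ratings (one per PSF) into weights that sum to one."""
    raw = [LETTER_WEIGHT[letter] for letter in letters]
    total = sum(raw)
    if total == 0:
        # Every PSF rated L: the procedure as quoted gives no way to normalize.
        raise ValueError("all PSFs rated L, weights cannot be normalized")
    return [Fraction(weight, total) for weight in raw]


def average_over_teams(cells):
    """Exact mean of one PSF's normalized weight over all evaluation teams."""
    values = [Fraction(cell) for cell in cells]
    return sum(values) / len(values)


def check_against_stp(tolerance=Fraction(1, 200)):
    """Recompute each average and flag STP values that differ by more than rounding.

    A figure rounded to two decimals differs from the exact mean by at most
    0.005, so a larger gap cannot be explained by rounding alone.
    """
    results = {}
    for key, cells in TABLE_3_5_4_1.items():
        mean = average_over_teams(cells)
        reported = Fraction(STP_REPORTED[key])
        results[key] = (round(float(mean), 4), abs(mean - reported) <= tolerance)
    return results


if __name__ == "__main__":
    # Constructed ratings for seven PSFs (raw total 30), for illustration only.
    weights = normalize_ratings(["H", "L", "H", "M", "M", "L", "L"])
    print("constructed evaluation:", [str(w) for w in weights])
    for (action, psf), (mean, consistent) in check_against_stp().items():
        verdict = "within rounding" if consistent else "NOT explained by rounding"
        print(f"{action:8s} {psf:16s} mean={mean:.4f} "
              f"STP={STP_REPORTED[(action, psf)]} {verdict}")
```

Only the two HEOS02 values agree with the recomputed means to within rounding; the other four differ by more than 0.005.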
Tables 15.4-34 through 15.4-38 are the five operating crew performance shaping factor evaluation sheets. The documentation states, "Members of each operating crew worked together to develop one evaluation sheet/crew." How were disagreements handled?
More information is necessary on how the 30 dynamic human actions are classified into six groups, this is difficult to duplicate without a copy of the LOTUS 1-2-3 program used to do this task.
A more detailed description than that provided or an example would help.
Use of SLIM requires that the SLI (or FLI) numbers be converted to estimated HEPs by means of calibration from some objective source (e.g., in-plant HEPs or training simulator HEPs that are plant specific). As mentioned previously, the calibration task data source used by STP was other PRA studies.
An impressive amount of effort went into the collection of the data.
However, there is some concern with using data from other PRA studies as the calibration points.
One study, the European Benchmark Exercise On Human Reliability Analysis,(22) reports:
"... SLIM results were shown to be extremely (too?) dependent on data used as reference points for calibration. When no good reference data are available, application of SLIM is not indicated.
The results of the test and maintenance case show that there is a good agreement between the estimates obtained by a same team (sic) using THERP and SLIM, however, it is our belief that the sensitivity of SLIM to the anchor point probabilities and the fact that those probabilities were, either explicitly or implicitly, taken from the THERP data base, create strong dependency between the SLIM and THERP results."
The operational transient study case in states, "Considering the results within a same team (sic), the SLIM results always agree quite well with the results obtained by other methods, but this could be due to the calibration anchor points used.
As already pointed out during the discussion of the test and maintenance results, this calibration has large impact on the values obtained."
The calibration data chosen for each group of operator actions have PSFs associated with them, see Tables 15.4-47 through 15.4-52.
How were these determined? It would appear that some judgement or interpretation is required by the analysts to get these.
The dynamic actions human error rates, Table 15.4-23, are reasonable.
The values are consistent with those used in other PRA studies.
Section 15.2, the methodology, needs to tie into Section 15.4, the practice, more explicitly.
It's not always clear how the two sections relate.
Section 15.5
Since the evaluation of the recovery actions follows the methodology presented in Section 15.2 (as does Section 15.4), the comments made on Section 15.4 apply for Section 15.5 as well.
The tables of recovery actions, Tables 15.5-19 and 15.5-70, for some recovery actions and some PSFs, have normalized the weighting factors.
Is there any particular reason that some are normalized and some aren't?
What is meant in the remarks column by the M:2.2 2, M:4.0 3, L:1.6 3, etc.?
The recovery actions human error rates, Table 15.5-37, look reasonable.
The values are consistent with those used in other PRA studies.
Section 15.6
Overall the description of the methodology used for electric power recovery actions was good. There were a few items that were not clear which will be discussed in the following paragraphs.
There was no reference for the STADIC computer code.
A better description of the code is required before an understanding of what the code does is possible.
QDC is a subroutine of what program? It is assumed the STADIC code but it's not stated in the document.
It's not clear how boundary conditions for a specific event scenario defines the power failure function or how the nature and timing of the failures determine the recovery distribution.
An example would help clarify what was done.
The tables presented on pages 15.6-7, 15.6-8, 15.6-9 and 15.6-16 have values that can be associated with several other values.
For example, the table on page 15.6-8 has a 0.5 value for time following operator response that corresponds to a probability of 0.20 and 0.10.
Which value is used?
Justification for the probability values used on the table presented on page 15.6-9 would be helpful.
A MAPP analysis is mentioned on page 15.6-13 but no reference or information about it is provided.
3.5 Binning of Core Melt Sequences
A. Good Insights and Important Assumptions
To simplify the PSA, various pinch points are utilized. [Reference 1, Section 4.1.3.2.2.]
A pinch point is a stage of the analysis for which the subsequent modeling is independent of how the stage was achieved.
Every accident sequence that results in core melt can be categorized by the timing of the melt, the thermodynamic state of the primary system at the point of melt, and the status of plant systems when the melt occurs.
Thus, core melt is a pinch point in the analysis. Although a Level 1 PSA does not evaluate source terms, consideration of the state of containment is prudent to employ in the Level 1 PSA to adequately consider dependence among core cooling and containment.
Thus, the state of containment and its associated protection systems such as isolation, heat removal, and fission product scrubbing, are appropriate to include in the categorization of core melt accident sequences.
The STP PSA bins core melt sequences into four Plant Damage States (PDSs).
[Reference 1, Figure 4.16, Figure 5.1-1 and Table 16.16.] The four PDSs are:
PDS Group I: core melt with intact containment.
PDS Group II: core melt with late containment failure.
PDS Group III: core melt with small early release.
PDS Group IV: core melt with large early release.
B. Items Insufficiently Explained
Although it is not required to rigorously justify the containment model in a Level 1 PRA, numerous aspects of the STP PSA containment model should be justified by the Level II PSA, or its equivalent.
These aspects are discussed in Section 2.1.8, Containment Cooling, of this report and they are, in summary:
The impact of no spray injection on containment integrity.
The minimum complement of containment cooling components required for long term heat removal.
Equipment operability under these conditions.
The justification for three inch equivalent diameter containment bypass as a criterion for containment pressurization.
The assumption of core melt prior to containment failure given tra heat removal.
The possibility for early containment failure due to means other than failure to isolate.
3.6 Dominant Sequences
Section 2 of the STP PSA provides results of the Level 1 PSA. [Reference 1]
The conclusion of the analysis is that the mean frequency of core melt is 1.7x10** per reactor per year, and is dominated by internal initiating events.
The dominant sequence has a mean frequency of 1.2x10 5 and twenty other sequences have a mean frequency greater than 10*8. These twenty one sequences constitute about 34% of the total core melt frequency; the remaining 66% is due to many sequences, each of low frequency.
Table 2.1-3 of the PSA summarizes the top twenty one sequences.
This table alone does not provide sufficient detail to evaluate the sequences in terms of constituent event tree split fractions. An additional table, "Analysis of Additional Top Ranking Sequences to Mean Core Damage", was provided which enables each sequence to be examined in terms of contributing split fractions.
This information is reproduced here as Table 3.6-1.
With this additional table, it is possible to refer to the appropriate split fractions in the System Description notebooks of the PSA and identify dominant component specific failures contributing to the sequence of interest.
The remainder of this section is based on a detailed review of this table; reference to sequence number is consistent with this table in which the sequences are ordered in terms of decreasing frequency.
Section 2.2 of the PSA summarizes the importance of various initiating events and mitigating system failures.
The following conclusions were determined by review of Table 3.6-1 along with the System Descriptions.
The conclusions agree with the results of Section 2.2 of the PSA.
A. Good Insights and Important Assumptions
The twenty one dominant sequences may be categorized by initiating event as follows:
Eight are station blackout sequences initiated by loss of offsite power; Sequences 1, 2, 5, 6, 11, 12, 13 and 15.
Five are initiated by loss of offsite power followed by loss of main feedwater; Sequences 10, 14, 17, 18, and 19.
Two are initiated by normal reactor trip; Sequences 7 and 21.
Two are initiated by a steam generator tube rupture; Sequences 16 and 20.
Two are initiated by loss of EAB HVAC which leads to station blackout; Sequences 3 and 4.
One is initiated by loss of main feedwater, Sequence 8.
One is initiated by normal turbine trip, Sequence 9.
Station blackout is involved in ten of these twenty one sequences, eight of which are initiated by loss of offsite power and two of which are initiated by loss of cooling for electrical switchgear.
Four of the twenty one sequences are initiated by anticipated transients; namely, reactor trip, turbine trip, and loss of main feedwater.
Two of the twenty one sequences are caused by a steam generator tube rupture.
The importance of mitigating system failure, excluding recovery, in the twenty one dominant sequences can be summarized as follows:
Failure of one, two, or three Diesel Generators (DG) occurs in twelve sequences. Failure of three DGs occurs in Sequences 1 and 12. Failure of two DGs occurs in seven sequences; Sequences 2, 5, 10, 11, 14, 15, and 18. Failure of one DG occurs in three sequences; Sequences 6, 13, and 17.
Failure of turbine driven AFW train D occurs in eleven sequences; Sequences 1, 2, 3, 10, 11, 13, 14, 17, 18, 19, and 21.
Failure of required operator action occurs in five sequences; Sequences 7, 8, 9, 16 and 20.
Loss of RCP seal cooling occurs in four sequences; Sequences 4, 5, 6, and 12.
Failure of motor driven AFW trains occurs in six sequences; Sequences 10, 14, 17, 18, 19 and 21.
Loss of ECW train B occurs in six sequences; Sequences 2, 6, 13, 15, 17 and 19.
Loss of EAB HVAC train C occurs in four sequences; Sequences 5, 6, 11, and 13.
Small LOCA due to a stuck open PORV contributes to one sequence; Sequence 15.
None of the twenty one dominant sequences are initiated by a LOCA. There are no dominant sequences involving LOCA initiators followed by loss of recirculation cooling (commonly labeled as AH, S1H, and S2H sequences from the NRC event tree method).
Such sequences were dominant in some of the NUREG-1150 PWR studies.
Dominant contributors to such sequences include failure to switch over from injection cooling to recirculation cooling, and loss of ECCS pump and room cooling.
Since the STP ECCS pumps are self cooled, draw suction directly from the sump and the PSA assumes no forced cooling is required for the ECCS pump rooms, failure of the ECCS systems to mitigate a LOCA is of low probability.
As pointed out in Section 2.2.3 of this report the PSA does not fully justify the assumption that ECCS pump room cooling is not required.
Transient induced LOCAs occur in five of the twenty one dominant sequences; Sequences 4, 5, 6, 12 and 15.
In each of these sequences, station blackout is involved and hence no ECCS is available due to lack of electrical motive power for injection pumps.
Station blackout by itself does not lead directly to an RCP seal failure. The PDP charging pump can be powered by the TSC diesel generator and seal failure occurs only if this capability is also lost.
Four station blackout sequences involve loss of RCP seal cooling from the PDP; numbers 4, 5, 6, and 12.
As discussed in Section 2.2.3 of this report, the PSA should reference the calculation supporting the assumption that PDP room cooling is not required.
The STP plant has one turbine driven AFW train, Train D.
Of the ten dominant sequences involving station blackout, five involve loss of AFW train D; numbers 1, 2, 3, 11 and 13.
Loss of ECW train B contributes to six dominant sequences, while loss of Train A or B contributes to none of the twenty one dominant sequences.
This is reasonable based on the assumption that ECW Train B is not as available as train A or C as discussed in Section 2.3.1 of this report.
Loss of EAB HVAC train C contributes to mitigating system failures in two of the dominant sequences, while loss of Train A or B contributes to mitigating system failures in none of the twenty one dominant sequences.
This is reasonable based on the assumption that EAB HVAC train C is not as available as Train A or B as discussed in Section 2.3.1 of this report.
Both of the SGTR initiated dominant sequences involve operator failures to establish RHR cooling and hence negate the driving pressure for the loss of coolant out an unisolated, ruptured steam generator.
Operator actions also contribute to mitigating system failures following three dominant sequences initiated by anticipated transients (reactor trip, turbine trip, and loss of main feedwater).
The System Descriptions included as part of the PSA can be used to identify specific mitigating system component related failures of significance to the twenty one dominant sequences.
This can be done by identifying component failures contributing most to the split fractions within each dominant sequence. The following component specific failures are important:
Diesel generator failures are dominated by independent hardware failures of the required number of diesel generators to run for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, the mission time.
AW train D failures are dominated by failure of the turbine driven A W pump to start and run for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
1.CW train B failures are dominated by preventative maintenance.
EAB HVAC train C failures are dominated by maintenance.
loss of PDP cooling to RCP seals is dominated by hardware and maintenance failures.
B. Items Insufficiently Explained The table of the twenty-one dominant accident sequences, (Table 3.61 of this report) was not incorporated into the PSA itself.
The tabular saammary of dcainant sequences in the PSA did not provide the information needed to de te rmine exactly which split fractions constitute each dominant sequence.

C. Potential Problems to be Resolved

The table of dominant accident sequences appears to disagree with the System Description split fraction quantification for sequences involving failure of motor driven auxiliary feedwater trains:

For Sequences 10 and 17 in Table 3.6-1, the failure of AFW Train D and Train C is attributed to split fraction AFP, yet System Description 9 (AFW) identifies AFP as the failure of AFW Train D and Train A.

For Sequence 14, the failure of AFW Train D and Train B is attributed to split fraction AFP.

For Sequence 18, the failure of AFW Train D (turbine driven) and Train A is attributed to split fraction AM; yet System Description 9 identifies AM as the failure of two motor driven trains.

For Sequence 19, the failure of AFW Train D and Train C is attached to split fraction AF0, yet System Description 9 identifies AF0 as the failure of two motor driven and one turbine driven AFW trains.

The System Description split fractions indicate that AFW train A failures are more likely than Train B or C failures, as expected based on the discussion in Section 2.3.1 of this report. This trend is not consistent with Table 3.6-1.
Further confusion arises from conflicting descriptions of the same top event between Table 3.6-1 and Section 2.2 of the PSA.
For example, in Sequence 1 of Table 3.6-1, top event (or split fraction) G3 is described as loss of "All Three Diesel Generators Supplying Safety Related 4160V Buses."
In Table 2.2-2 of the PSA, it is also described as loss of all three DGs.
However, in Table 2.2-3 of the PSA, G3 is described as "Failure of Diesel Generator 13 Given that Diesel Generators 11 and 12 Have Failed."
Such inconsistencies make it very difficult to understand the sequence models.

4.0 DOCUMENTATION

This section summarizes the adequacy of the documentation provided in the PSA. (1)

4.1 Methodology

A. Good Insights and Important Assumptions

The PLG methodology is adequately described in the STP PSA.
A simple, complete example application of the methodology would assist in understanding the nuances of the techniques.

4.2 Plant Model

A. Good Insights and Important Assumptions

The behavior of plant systems is well documented in the PSA. (1)
The format of the System Descriptions is well suited to updating the PSA as plant modifications are performed.
The System Descriptions do not include simplified drawings.
This is a disadvantage for the reviewer of the PSA; however, it does provide one important advantage for on site application of the PSA.
If analysts use controlled plant drawings (P&IDs, wiring diagrams, electrical one line and metering drawings, etc.), they are more likely to correctly evaluate the system specific implications of complex design modifications.
The System Descriptions do not include fault tree graphs consisting of "and" and "or" gates.
System block diagrams and Boolean equations adequately document the system model, since the system model logic in the large event tree, small fault tree technique employed by PLG is not extremely complex.

4.3 PSA Applications and Results

A. Good Insights and Important Assumptions

Overall the documentation of the application of the PSA techniques to the plant model is quite good.

B. Items Insufficiently Explained

Documentation of the dominant sequences does not indicate which split fractions contribute to each sequence; Table 2.1-3 of the PSA does not provide this information.
Table 3.2-1 of this report does identify sequence specific split fractions but it is not included in the PSA.

5.0 SPECIAL TOPICS

This section discusses the results of the STP PSA in the context of the plant design.

5.1 Discussion of Value for Overall Core Melt Frequency

The mean value for core melt at STP is 1.7x10" per reactor year and is dominated by internal initiating events.
This value is larger than one might expect given that STP has three ECCS trains and four AFW trains.
Mean core melt frequencies from internal initiators at other plants have been calculated as:(*)

4.1x10 s for Surry
4.5x10 s for Peach Bottom
5.7x10 s for Sequoyah
4.0x10's for Grand Gulf
3.4x10*' for Zion

Although direct comparisons of means are not valid for determining sweeping conclusions, they are useful for evaluating trends.
Five possible reasons for the higher mean frequency at STP are:

PLG Raw Data Values as compared with other Data Base Values that have been used.
Conservative quantification of DG failures.
Only one turbine driven AFW train.
The separation between the two units.
Conservative quantification of Human Error.

The first four of these possibilities are discussed in this section; the sixth is discussed in Section 5.4 of this report.
As discussed in Section 3.4.2 of this report, the PLG data base appears to be slightly more conservative than other data bases; however, this difference should not have a major effect on overall results.
Twelve of the twenty-one dominant sequences involve direct failure of one or more DGs following loss of offsite power.
A fault exposure time of 24 hours was used for the DGs (Reference 1, System Description 1, item B.6); however, in the event sequences, only one hour was allowed for recovery of offsite power [Reference 12].
Failure to run for 24 hours contributes substantially to DG failures.
[Reference 1, Table 7.3-1 and System Description 1 Split Fractions G1, G2, G3.]
A less conservative approach could change each of these sequences by about a factor of 0.5.
Assuming 50% of overall core melt is due to such sequences, the mean frequency of core melt could be changed by a factor of about 0.75.
An additional conservatism is the LOSP recovery model.
The STP PSA allowed only one hour to restore offsite power, yet the mission time of these sequences is 24 hours.
Furthermore, the value for failing to restore offsite power within one hour is 0.47, versus NUREG-1150 values of 0.44 for Surry, 0.19 for Sequoyah, 0.19 for Grand Gulf and 0.1; for Peach Bottom.
The value used for the STP PSA may be accurate for the regional grid at STP, but the recovery model used to quantify LOSP sequences (only 1 hour for recovery of any power related fault) causes the STP PSA results to be very dependent on the one hour recovery event.
NUREG-1150 LOSP recovery failures drop to 1E-2 after approximately 10 hours.
STP has only one turbine driven, DC controlled AFW train.
An additional AC independent AFW train would lower those sequence frequencies where station blackout is followed by loss of all AFW.
However, replacement of an existing AC dependent AFW train with another AC independent AFW train should not significantly lower the overall core melt frequency.
Such a replacement would result in LOSP sequence models involving loss of all feedwater, with failure of two diesel generators and failure of two turbine driven AFW trains.
LOSP sequences involving loss of all feedwater currently include failures of three DGs and failure of one turbine AFW train.
The failure rates for a DG and for a turbine driven AFW pump are numerically close; split fraction G1 (one DG fails) is 0.12 and split fraction AFR (one AFW train fails) is 0.11.
Thus, replacement of one motor driven AFW train with another turbine driven AFW train should not provide significant benefits.
The two units at STP are totally separated except for the common main reservoir and essential cooling pond.
This separated design has advantages in that important support systems such as component cooling water and service water are not shared.
However, the ability to manually cross tie between units could assist in recovery given an accident at one unit.
The tradeoffs between enhanced recovery and the potential for additional, subtle failures arising from such a capability need to be evaluated before the effect of such a capability on core melt frequency can be evaluated.
Cross tie capability has the potential for lowering core melt frequency.

5.2 Importance of Station Blackout

Of the twenty-one dominant sequences, ten involve station blackout; eight are initiated by loss of offsite power and two are initiated by loss of EAB HVAC.
Loss of EAB HVAC results in overheating of electrical switchgear, which renders all 4160 Vac and 480 Vac safety related power unavailable even without loss of offsite power.
Following station blackout, core melt occurs due to loss of turbine driven AFW train D in five of these sequences, while core melt occurs due to loss of PDP RCP seal injection in four of these sequences.
Core melt occurs due to failure of a pressurizer PORV to reclose in one of these sequences.
The STP PSA concludes that 53% of overall core damage is due to loss of offsite power as an initiating event.
Of the twenty-one dominant sequences, thirteen are initiated by loss of offsite power and of these thirteen, eight lead to station blackout.
Additional station blackout sequences arise from overheating of electrical switchgear due to loss of EAB HVAC.
Thus, station blackout contributes substantially to the overall core melt frequency.

5.3 Contribution of LOCAs to Core Melt

LOCAs as initiating events contribute little to core melt. (Reference 1, Table 2.2-1)
None of the twenty-one dominant sequences are initiated by a LOCA.
This is probably due to the fact that the ECCS pumps are self cooled and the PSA assumed that no forced cooling is required for the ECCS pump rooms.
This lack of support system dependency for the ECCS pumps renders their failures relatively unlikely.
Transients leading to small LOCAs occur in five of the twenty-one dominant sequences.
In each of these five sequences, ECCS is unavailable due to station blackout.
Four of the five sequences involve RCP seal failure due to loss of PDP supplied seal injection; one sequence involves a stuck open pressurizer PORV.

6.0 CONCLUSIONS

This section summarizes the conclusions of this review with respect to internal events.
In general, the STP PSA is a state-of-the-art risk assessment.
The detail to which the plant was modeled and the engineering analyses justifying this model are usually good, although certain parts of the analyses are not sufficiently justified.
Section 5.4 and the System Descriptions document the plant model.
The data base method is well described.
The PLG methodology is sufficiently described and its application to STP is covered; however, a simple example of the methodology would aid in understanding the nuances of the techniques.
The dominant sequences are not adequately described in the PSA so that split fractions contributing to dominant sequences can be easily identified.
The most significant concern regarding the PSA is a lack of documentation to support the Human Error Analysis.
A summary of those review comments previously specified in this report as potential problems to be resolved is as follows:
The time to steam generator dryout following loss of all feedwater is not fully justified. (Section 2.1.1 of this report)
The ability of equipment in the ECCS pump rooms to operate without forced cooling to the rooms is not fully justified. (Section 2.2.3 of this report)
The confusion regarding labeling split fractions AFP, AFQ, and AFD in the dominant sequences (Table 3.6-1) should be resolved. (Section 3.6 of this report)
A summary of those review comments previously specified as items insufficiently explained is as follows:
Quantification of the PTS split fraction is not clearly provided. (Section 2.1.1 of this report)
The use of the nomenclature "hot standby" and "hot shutdown" is inconsistent with the definitions in the Technical Specifications. (Section 2.1.1 of this report)
Accumulator injection following large or medium LOCAs is assumed to not be required. This assumption is not justified. (Sections 2.1.2 and 2.1.3 of this report)
The effect of early failure to isolate containment on reflood, following a large LOCA, is not addressed. (Section 2.1.2 of this report)
The need to switchover from cold to hot leg recirculation to avoid boron precipitation is not addressed. (Section 2.1.2 of this report)
The instrument tube breach as a potentially unique small LOCA is not discussed. (Section 2.1.4 of this report)
The ability of STP to mitigate a V sequence LOCA should be discussed to justify screening such sequences from the analysis. (Section 2.1.6 of this report)
A discussion of the letdown line break is not provided. (Section 2.1.6 of this report)
Minimum containment cooling requirements are not sufficiently discussed. (Section 2.1.8 of this report)
The assumption of no early containment failure is not discussed. (Section 2.1.8 of this report)
The three-inch criterion for containment pressurization is not justified. (Section 2.1.8 of this report)
I&C necessary for throttling HHSI is not included. (Section 2.2.2 of this report)
The ability of equipment in the PDP pump room to operate without forced cooling to the room is not justified. (Section 2.2.3 of this report)
The exclusion of IA from the mitigating systems is not clearly justified. (Section 2.2.5 of this report)
The ability of EAB HVAC to provide adequate cooling in a once through mode with no cooling provided to AHUs is not explicitly justified. (Section 2.3.2 of this report)
The acceptability of one steam generator in removing decay heat without its PORV being available is not clarified in the System Description for AFW. (Section 2.3.2 of this report)
The screening of high and medium energy line breaks and cracks as initiating events except for LOCAs, main steam line breaks, and feedwater line breaks is not justified. (Section 3.1 of this report)
The justification for excluding core blockage as an initiating event is not provided. (Section 3.1 of this report)
Units in the data base tables of Section 7 are not provided. (Section 3.4.2 of this report)
The majority of the values used for the Human Error Rates (HERs) are conservative; the remainder are similar to values used in other PRA studies. The HER values used do not seem unreasonable, but how these values were derived is not always clear. (Section 3.4.5 of this report)
The table of the twenty-one dominant sequences which identifies split fractions contributing to each sequence, Table 3.6-1, is not included in the PSA. (Section 3.6 and Section 4.3 of this report)
Quantification of LOSP sequences is such that the exposure time for the DGs and the time for recovery of offsite power are inconsistent. (Section 5.1 of this report)

REFERENCES

1. Pickard, Lowe, and Garrick, Inc., South Texas Project Probabilistic Safety Assessment, Houston Lighting and Power Company, PLG-0675, 1989.
2. Final Safety Analysis Report, South Texas Project Units 1 and 2, Docket Nos. 50-498 and 50-499, July 1978 with amendments.
3. Lewis, E. E., Nuclear Power Reactor Safety, John Wiley and Sons, Inc., 1977. Figure fi 19.
4. Severe Accident Risks: An Assessment for Five US Nuclear Power Plants, NUREG-1150, June 1989.
5. Houston Lighting and Power Company, Written Responses to Issues Related to STP PSA, received November 29, 1989.
6. Technical Specifications, South Texas Project Units Nos. 1 and 2, Docket Nos. 50-498 and 50-499, NUREG-1334, January 1989.
7. Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, LWR Edition, NUREG-0800, June 1987.
8. Keenan, J. H., and Keyes, F. G., Thermodynamic Properties of Steam, John Wiley and Sons, Inc., 1936.
9. Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Westinghouse Designed Operating Plants, NUREG-0611, January 1980. Figure VIII-1 and related discussion.
10. "SGTR with Loss of Reactor Coolant, Saturated Recovery Desired," STP Procedure E0P.1P0F05.EO.EC32.
11. "SGTR without Pressurizer Pressure Control," STP Procedure E0P. 1 POP 05.EO.EC33.
12. Pickard, Lowe, and Garrick, Inc., Seabrook Station Probabilistic Safety Assessment, Public Service of New Hampshire, PLG-0300, December 1983.
13. Flow of Fluids through Valves, Fittings, and Pipe, Crane Technical Paper No. 410, Twenty Third Printing, 1989.
14. Bertucio, R.C., et al., Analysis of Core Damage Frequency from Internal Events: Sequoyah, Unit 1, NUREG/CR-4550, Vol. 5, SAND86-2084, February 1990.
15. Berry, et al., Review and Evaluation of the Zion Probabilistic Safety Study, NUREG/CR-3300, SAND83-1118, Volume 1, Sandia National Laboratories, Albuquerque, New Mexico, May 1984.
16. Mosleh A., et al., A Database for Probabilistic Risk Assessment of LWRs, Pickard, Lowe, and Garrick Inc., PLG-0500, 1988.
17. Swain, A.D., and H.E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, August 1983.
18. Embrey, D. E., The Use of Performance Shaping Factors and Quantified Expert Judgment in the Evaluation of Human Reliability: An Initial Appraisal, NUREG/CR-2986, SNL-NUREG-51591, May 198t*
19. Swain, A. D., Comparative Evaluation of Methods for Human Reliability Analysis, GRS Project RS 688, Gesellschaft für Reaktorsicherheit (GRS) mbH, Forschungsgelände, 8046 Garching, Federal Republic of Germany, July 1988.
20. Drouin, M. T., et al., Analysis of Core Damage Frequency: Grand Gulf, Unit 1 Internal Events, NUREG/CR-4550, SAND86-2084, Vol. 6, Rev. 1, Part 1, Sept. 1989.
21. Kolaczkowski, A. M., et al., Analysis of Core Damage Frequency: Peach Bottom, Unit 2 Internal Events, NUREG/CR-4550, SAND86-2084, Vol. 4, Rev. 1, Part 1, August 1989.
22. Poucet, A., The European Benchmark Exercise on Human Reliability Analysis, Proceedings of the International Topical Meeting on Probability, Reliability, and Safety Assessment PSA '89, American Nuclear Society, Inc., La Grange Park, Illinois, April 2-7, 1989 (pp. 103-110).
23. Spurgin, A.J., Benchmark of Systematic Human Action Reliability Procedure (SHARP), NP-5546, Electric Power Research Institute, Palo Alto, CA, December 1987.

Appendix 1: LIST OF ACRONYMS

AFW Auxiliary FeedWater
AFWST Auxiliary FeedWater Storage Tank
AHU Air Handling Unit
AOV Air Operated Valve
ATWS Anticipated Transient Without Scram
CCF Common Cause Failure
CCW Component Cooling Water
CDF Core Damage Frequency
CET Containment Event Tree
CIS Containment Isolation System
CSS Containment Spray System
CST Condensate Storage Tank
CVCS Chemical and Volume Control System
DCH Direct Containment Heating
DG Diesel Generator
DHR Decay Heat Removal
DPD Discrete Probability Distribution
EAB Electric Auxiliary Building
ECCS Emergency Core Cooling System
ECP Essential Cooling Pond
ECW Essential Cooling Water
EOP Emergency Operating Procedure
ESD Event Sequence Diagram
ESF Engineered Safety Feature
ESFAS Engineered Safety Feature Actuation System
FC Fail Closed
FHB Fuel Handling Building
FMEA Failure Modes and Effects Analysis
FO Fail Open
FSAR Final Safety Analysis Report
HBFT Heat Balance Fault Tree
HEPA High Efficiency Particle Air
HER Human Error Rate
HHSI High Head Safety Injection
HL&P Houston Lighting & Power Company
HPI High Pressure Injection
HVAC Heat, Ventilating, and Air Conditioning
I&C Instrumentation and Control
IPE Individual Plant Examination
IVC Isolation Valve Cubicle
LCO Limiting Conditioning for Operation
LHSI Low Head Safety Injection
LOCA Loss of Coolant Accident
LOOP Loss of Offsite Power (preferred)
LOP Loss of Power
LOSP Loss of Offsite Power
LWR Light Water Reactor
MAB Mechanical Auxiliary Building
MCC Motor Control Center
MDP Motor-Driven Pump
MFW Main FeedWater
MGL Multiple Greek Letters
MLD Master Logic Diagram
MOV Motor-Operated Valve
MSIV Main Steam Isolation Valve
MSL Mean Sea Level
NPSH Net Positive Suction Head
NRC U.S. Nuclear Regulatory Commission
O&M Operation and Maintenance Manual
PDP Positive Displacement Pump
PDS Plant Damage State
P&ID Piping and Instrumentation Diagram
PLG Pickard, Lowe and Garrick, Inc.
PORV Power-Operated Relief Valve
PRA Probabilistic Risk Assessment
PSA Probabilistic Safety Assessment
PSF Performance Shaping Factor
PTS Pressurized Thermal Shock
PWR Pressurized Water Reactor
QA Quality Assurance
QDPS Qualified Display Processing System
RCB Reactor Containment Building
RCFC Reactor Containment Fan Cooler
RCP Reactor Coolant Pump
RCS Reactor Coolant System
RHR Residual Heat Removal
RPS Reactor Protection System
RPV Reactor Pressure Vessel
RWST Refueling Water Storage Tank
SBO Station Blackout
SCS Secondary Coolant System
SGTR Steam Generator Tube Rupture
SIS Safety Injection System
SRV Safety Relief Valve
SSE Safe Shutdown Earthquake
SSPS Solid State Protection System
STP South Texas Project
TBS Turbine Bypass System
TBV Turbine Bypass Valves
TDP Turbine Driven Pump

Table 3.6-1
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 1)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power (See Note 1 Below) | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | All Three Diesel Generators Supplying Safety Related 4160V Buses | 4.5 x 10-3 | G3 | Appendix F: Book 1 |
| | Turbine Driven Auxiliary Feedwater Pump | 1.1 x 10-1 | AFR | Appendix F: Book 9 |
| Recovery Actions | Failure to Recover Auxiliary Feedwater Before Steam Generator Dryout (See Note 2 Below) | 8.0 x 10-1 | RECV5 | Chapter 5.6 |
| | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORL | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Within One Hour | 8.4 x 10-1 | ONC | Chapter 15.6 |
| Total Sequence Frequency (See Note 3 Below) | | 1.2 x 104 | | |

Note 1: LOSP Initiating Event Frequency is given as 1.29 x 10-1 events per year in Table 7.6-1. Since this frequency is based on a calendar year, a 0.7 factor is applied to account for the time that the plant is at power. This applies to all sequences with the LOSP initiator.
Note 2: Combination of Equipment Failures Not Recoverable Before Steam Generator Dryout and Operator Errors in Auxiliary Feedwater Recovery. This also applies to all sequences with the RECV5 recovery factor.
Note 3: The Frequency for Successful Operation of the Remaining Systems is not shown, but is included in the Total Sequence Frequency. This applies to each sequence identified in this table.

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 2)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generators A and C, | 1.9 x 10-2 | G2 | Appendix F: Book 1 |
| | Essential Cooling Train B (Hence Diesel Generator B) | 1.3 x 10-1 | UBE | Appendix F: Book 4 |
| | Turbine Driven Auxiliary Feedwater Pump | 1.1 x 10-1 | AFR | Appendix F: Book 9 |
| Recovery Actions | Failure to Recover Auxiliary Feedwater Before Steam Generator Dryout | 8.0 x 10-1 | RECV5 | Chapter 5.6 |
| | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORK | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Within One Hour | 8.4 x 10-1 | OME | Chapter 15.6 |
| Total Sequence Frequency | | 5.6 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 3)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Electrical Auxiliary Building HVAC Cooling | 6.0 x 10-5 | IDEAR | Chapter 7.6 |
| System Failures Following Initiating Event | All Three Safety Related 4160V Buses (Direct Failure) | 1.00 | N/A | N/A |
| | Turbine Driven Auxiliary Feedwater Pump | 1.1 x 10-1 | AFR | Appendix F: Book 9 |
| Recovery Actions | Failure to Recover Turbine Driven Auxiliary Feedwater Pump Before Steam Generator Dryout | 8.0 x 10-1 | RECV5 | Chapter 5.6 |
| Total Sequence Frequency | | 4.5 x 10-8 | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 4)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Electrical Auxiliary Building HVAC Cooling | 6.0 x 10-5 | IDEAR | Chapter 7.6 |
| System Failures Following Initiating Event | All Three Safety Related 4160V Buses (Direct Failure) | 1.0 | N/A | N/A |
| | Positive Displacement Charging Pump (Seal LOCA - No Makeup) | 9.3 x 10-2 | FDH | Appendix F: Book 10 |
| Recovery Actions | None | N/A | N/A | N/A |
| Total Sequence Frequency | | 4.3 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 5)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generators A and B, | 1.9 x 10-2 | G2 | Appendix F: Book 1 |
| | Electrical Auxiliary Building HVAC Fan Train C | 4.5 x 10-2 | FCM | Appendix F: Book 6 |
| | Technical Support Center Diesel Generator and Positive Displacement Charging Pump | 2.0 x 10-1 | FDJ | Appendix F: Book 10 |
| Recovery Actions | Failure to Recover Offsite Power Before Switchgear Overheats | 4.7 x 10-1 | ORK | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Before Switchgear Overheats | 8.4 x 10-1 | OMB | Chapter 15.6 |
| Total Sequence Frequency | | 3.6 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 6)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generator A; | 1.2 x 10-1 | CAA | Appendix F: Book 1 |
| | Essential Cooling Train B (Diesel Generator B); and | 1.3 x 10-1 | WBE | Appendix F: Book 4 |
| | Electrical Auxiliary Building HVAC Train C | 4.5 x 10-2 | FCM | Appendix F: Book 6 |
| | Technical Support Center Diesel Generator and Positive Displacement Charging Pump | 2.0 x 10-1 | FDJ | Appendix F: Book 10 |
| Recovery Actions | Failure to Recover Offsite Power Before Switchgear Overheats | 4.7 x 10-1 | ORJ | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Before Switchgear Overheats | 8.4 x 10-1 | OMA | Chapter 15.6 |
| Total Sequence Frequency | | 2.6 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 7)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Reactor Trip | 1.4 x 10+8 | RT | Chapter 7.6 |
| System Failures Following Initiating Event | No System Failures - Failure of Long-Term Operator Actions to Stabilize the Plant | 2.7 x 10-e | DNA | Chapter 15.4 |
| Recovery Actions | None | N/A | N/A | N/A |
| Total Sequence Frequency | | 2.6 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 8)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Partial Loss of Main Feedwater Flow | 1.1 x 10" | F1JHV | Chapter 7.6 |
| System Failures Following Initiating Event | No System Failures - Failure of Long-Term Operator Actions to Stabilize the Plant | 2.7 x 10-5 | DNA | Chapter 15.4 |
| Recovery Actions | None | N/A | N/A | N/A |
| Total Sequence Frequency | | 2.2 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 9)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Turbine Trip | 1.1 x 10+e | TT | Chapter 7.6 |
| System Failures Following Initiating Event | No System Failures - Failures of Long-Term Operator Actions to Stabilize the Plant | 2.7 x 10-s | ONA | Chapter 15.4 |
| Recovery Actions | None | N/A | N/A | N/A |
| Total Sequence Frequency | | 2.0 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 10)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.9 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generators A and B | 1.9 x 10-2 | G2 | Appendix F: Book 1 |
| | Turbine Driven and Motor Driven Train C Auxiliary Feedwater Pumps | 4.9 x 10-3 | AFP | Appendix F: Book 9 |
| | Closed Loop RHR Cooling Disabled | 1.0 | N/A | N/A |
| Recovery Actions | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORK | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Within One Hour | 3.4 x 10-1 | OMB | Chapter 15.6 |
| Total Sequence Frequency | | 2.0 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 11)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generators A and B, | 1.9 x 10-2 | G2 | Appendix F: Book 1 |
| | Electrical Auxiliary Building HVAC Train C | 4.5 x 10-2 | FCM | Appendix F: Book 6 |
| | Turbine Driven Auxiliary Feedwater Train | 1.1 x 10-1 | AFR | Appendix F: Book 9 |
| Recovery Actions | Failure to Recover Offsite Power Before Switchgear Overheats; | 4.7 x 10-1 | ORK | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Before Switchgear Overheats | 8.4 x 10-1 | OMB | Chapter 15.6 |
| | Failure to Recover Auxiliary Feedwater Before Steam Generator Dryout | 8.0 x 10-1 | RECV5 | Chapter 5.6 |
| Total Sequence Frequency | | II.9 x 10-s | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 12)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | All Three Diesel Generators Supplying Safety Related 4160V Buses | 4.5 x 10-3 | G3 | Appendix F: Book 1 |
| | Technical Support Center Diesel Generator and Positive Displacement Charging Pump | 2.0 x 10-1 | PDJ | Appendix F: Book 10 |
| Recovery Actions | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORL | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Within One Hour | 8.4 x 10-1 | OMC | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator or Offsite Power Before RCP Seal LOCA Uncovers Core (Conditional on Failure to Recover Power Within One Hour) | 7.7 x 10 | RECV2 | Chapter 5.6 |
| Total Sequence Frequency | | 1.8 x 10-6 | | |

Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 13)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generator A; | 1.2 x 10-1 | GAA | Appendix F: Book 1 |
| | Essential Cooling Train B (Diesel Generator B); and | 1.3 x 10-1 | WBE | Appendix F: Book 4 |
| | Electrical Auxiliary Building HVAC Train C | 4.5 x 10-2 | FCN | Appendix F: Book 6 |
| | Turbine Driven Auxiliary Feedwater Train | 1.1 x 10-1 | AFR | Appendix F: Book 9 |
| Recovery Actions | Failure to Recover Offsite Power Before Switchgear Overheats | 4.7 x 10-1 | ORJ | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Before Switchgear Overheats | 8.4 x 10-1 | OMA | Chapter 15.6 |
| Total Sequence Frequency | | 1.7 x 10-s | | |
Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 14)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generators A and C | 1.9 x 10-2 | G2 | Appendix F: Book 1 |
| | Turbine Driven and Motor Driven Train B Auxiliary Feedwater Pumps | 4.9 x 10-3 | AFP | Appendix F: Book 9 |
| | Closed Loop RHR Cooling Disabled | 1.0 | N/A | N/A |
| Recovery Actions | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORK | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Within One Hour | 8.4 x 10-1 | OMB | Chapter 15.6 |
| Total Sequence Frequency | | 2.0 x 10-s | | |
Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 15)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generators A and C, | 1.9 x 10-2 | G2 | Appendix F: Book 1 |
| | Essential Cooling Train B (Hence Diesel Generator B) | 1.3 x 10-1 | WBE | Appendix F: Book 4 |
| | Pressurizer PORV Stuck Open | 5.0 x 10-2 | PRA | Appendix F: Book 11 |
| Recovery Actions | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORK | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Within One Hour | 8.4 x 10-1 | OMB | Chapter 15.6 |
| | Failure to Recover Offsite Power or at Least One of the Failed Diesel Generators Before the Core Uncovers due to the Stuck Open PORV (Conditional on Failure to Recover Power Within One Hour) | 4.9 x 10-1 (See Note 4 Below) | RECV8 | Chapter 5.6 |
| Total Sequence Frequency | | 1.5 x 10-5 | | |

Note 4: During HL&P's review, it was discovered that RECV7 is appropriate when two Diesel Generators have failed. RECV7 is 5.2 x 10-1. As a result, the Sequence Total Frequency should be 1.6 x 10-s.
Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 16)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Steam Generator Tube Rupture | 2.8 x 10-2 | SGTR | Chapter 7.6 |
| System Failures Following Initiating Event | Failure to Depressurize Reactor Coolant System Below Steam Generator PORV Setpoint | 3.1 x 10-3 | ODA | Chapter 15.4 |
| Recovery Actions | Failure to Cool Down and Align Plant for Closed Loop RHR Cooling | 2.9 x 10-z | OAA | Chapter 15.5 |
| Total Sequence Frequency | | 1.4 x 10-s | | |
Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 17)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generator A; | 1.2 x 10-1 | GAA | Appendix F: Book 1 |
| | Essential Cooling Water Train B (Hence Diesel Generator B) | 1.3 x 10-1 | WBE | Appendix F: Book 4 |
| | Turbine Driven Train and Motor Driven Train C Auxiliary Feedwater Pumps | 4.9 x 10-3 | AFP | Appendix F: Book 9 |
| | Closed Loop RHR Cooling Disabled | 1.0 | N/A | N/A |
| Recovery Actions | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORJ | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Within One Hour | 8.4 x 10-1 | OMA | Chapter 15.6 |
| Total Sequence Frequency | | 1.4 x 10-s | | |
Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 18)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Diesel Generators B and C | 1.9 x 10-2 | G2 | Appendix F: Book 1 |
| | Turbine Driven Train D and Motor Driven Train A Auxiliary Feedwater Pumps | 1.9 x 10-2 | AFQ | Appendix F: Book 9 |
| | Closed Loop RHR Cooling Disabled | 1.0 | N/A | N/A |
| Recovery Actions | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORK | Chapter 15.6 |
| | Failure to Recover at Least One Failed Diesel Generator Within One Hour | 8.4 x 10-1 | OMB | Chapter 15.6 |
| Total Sequence Frequency | | 1.4 x 10-s | | |
Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 19)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Loss of Offsite Power | 9.0 x 10-2 | LOSP | Chapter 7.6 |
| System Failures Following Initiating Event | Essential Cooling Water Train B (Hence Diesel Generator Train B) | 1.3 x 10-1 | UBC | Appendix F: Book 1 |
| | Turbine Driven Auxiliary Feedwater Pump D and Motor Driven Pump C | a.8 x 10** | AM. | Appendix F: Book 9 |
| Recovery Actions | Failure to Recover Offsite Power Within One Hour | 4.7 x 10-1 | ORI | Chapter 15.6 |
| Total Sequence Frequency | | 1.1 x 10-s | | |
Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 20)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Steam Generator Tube Rupture | 2.8 x 10-2 | SGTR | Chapter 7.6 |
| System Failures | None | N/A | N/A | N/A |
| Recovery Actions | Failure to Isolate Stuck Open PORV or Safety Valve on Affected Steam Generator | 2.4 x 10-2 | SIA | Appendix F: Book 8 |
| | Failure to Align Plant for Closed Loop Cooling | 2.6 x 10-3 | OCA | Appendix F: Book 17 |
| Total Sequence Frequency | | 1.1 x 10-e | | |
Table 3.6-1 (Cont.)
Additional Analysis of Top-Ranking Sequences for Mean Core Damage Frequency (Sequence 21)

| Sequence Element | Event Description | Mean Frequency (per year) | Split Fraction Identifier | Reference (PSA) |
|---|---|---|---|---|
| Initiating Event | Reactor Trip | 1.4 x 10 | RT | Chapter 7.6 |
| System Failures Following Initiating Event | All Four Auxiliary Feedwater Trains | 3.4 x 10-5 | CDA | Appendix F: Book 9 |
| | | 3.8 x 10 | AFA | |
| Recovery Actions | Failure to Start Bleed and Feed Cooling Through Both Pressurizer PORVs | '. 8 x 10-2 | OBA | Chapter 15.4 |
| | Failure to Recover Auxiliary Feedwater Flow Before the Steam Generators Dryout | 1.0 | N/A | N/A |
| Total Sequence Frequency | | 1.1 x 10-s | | |