ML20043A368
| ML20043A368 | |
| Person / Time | |
|---|---|
| Site: | Sequoyah  |
| Issue date: | 04/30/1990 |
| From: | Bertucio R, Brown S EI SERVICES, INC., SANDIA NATIONAL LABORATORIES |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-1228 NUREG-CR-4550, NUREG-CR-4550-V5R1P1, NUREG-CR-4550P1, SAND86-2084, NUDOCS 9005210262 | |
| Download: ML20043A368 (422) | |
Text
{{#Wiki_filter:- l NUREG/CR-4550 SAND 86-2084 i Vol. 5, Rev.1, Part I t Ana:ysis of l Core Damage Frecuency: Sequoyah, Unit 1 Internal Events Prepared by R. C. llertucio, S it. brown Sandia National 1 aboratories , Prepared for U.S. Nuclear Regulatory Commission PD AD K O 00 27 P PDR o
I 4 i 5 AVAILABILITY NOTICE
. Availability o' Reference Materials Cited in NRC PutAcations Most documents c!ted in NRC publications will be available from one of the following sources:
1, The NRC Public Document Room,2120 L Street, NW, Lower Level Washington, DC 205$5
.2. ~ The Superintendent of Documents U.S. Government Printing Office, P,0, Box 37082, Washington, DC 20013-7082
- 3. . The Natk>nal Technical information Service Springfield, VA 22161 Although the lating that followo represents the majority of documents cited in NRC publications, it is not Intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Pub!!c Document Room include NRC correspondence and internal NRC memoranda: NRC Office of Inspection and Enforcement bullotlns, circulars, Information notices, inspection and investigation notices; Licensee Event Reports: ven-dor reports and correspondence; Commission papers; and applicant and licensee documents and corre-spondonce. .
, The followir.g documents in the NUREG series are available for purchase from the GPO Sales Program:
formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and , brochures, Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and. Nuclear Regulatory Commission Ismances, Documents available from the National Technical Information Service include NUREG series reports and
- technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commis. +
sion, forerunner agency to the Nuclear Regulatory Commission. Documents available from public and special technical libraries includs all open Eterature items, such as
- i books, Journal and periodical articles, and transactions, Federal Register notler s federal and state legista-tion, and congressional reports can usually be obtained from those Rbrarles. /
Documents such as theses, dissertations, foreign reports and translations, and non NRC conference pro-ceedings are avaltable for purchase from the organization sponsoring the publication cited. j Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the / Office of Information Resources Management' Distribution Section, U.S. Nuclear Regulatory Commission, , Washington, DC 20555, Coples of industry codes and standards used in a substantive manner in the NRC regulatory process are 'I maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are ava!lable there for refer. ' ence use by the pubRc, Codes and standards are usually copyttghted and may be purchased from the originating organization or, if they are Amulcan National Standards, from the American National Standards institute,' 1430 Broadway, New York, NY 10018, DISCLAIMER NOTICE ' This report vvas prepared as an account of work sponsored by an agency of the United States Govemment. Neither the United States Govemment nor any agency thereof, or any of their employees, makes any warranty, 'j expresed or implied, or assumes any legal liability of responsibility for any third party's use, or the results of i' such use, of any information, apparatus, product or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights, u __ _ _____________m__________ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ . _ _ _ _ _ _ _ _ ____ ______
- v. .
1 L - N UR EG/CR--4550 ;
' S AN D86-2084 Vol. 5, Rev.1, Part 1 -
r h Analysis of " Core Damage. Frequency: Sequoyah, Unit 1 1 '
- InternalLEvents >
'r Manuscript Completed: March 1990' Date Published: April 1990 i
l Prepared by it. C.13crtucio,' S. II, llrown' Program Manager: A. I.. Camp
- Principal Investigator: W.11. Cramond Team Leader: 11. C. liertucio' - .
l Sandia National laboratories j ' Albuquerque. NM 87l85
*E. I. Services i Kent, WA 98031 i
^
Prepared for Division of Systems Research 3
. OITice of Nuclear Regulatory Resenreh !
U.S. Nuclear Regulatory Comuission Washington,' DC 20555
. NRC FIN Al228
__d
o ABSTRACT, ! s- .j This document contains the - accident sequence - analyses - of ; internally-initiated events for the Sequoyah, Unit 1 nuclear power-plant.. This is one of the five. plant analyses _ conducted as part of-the NUREG 1150 effort by the Nuclear : Regulatory Commission - (NRC). NUREG 1150 documents the risk of _ a selected group of nuclear power plants. The. work performed and-described here is an extensiveireanalysis of that published in. February: 1987 as NURE0/CR-4550, Volume 5. It addresses comments from. numerous reviewers .end significant changes to , the plant systems 'and procedures made since the ' first report. The . uncertainty analysis! and presentation -
-of_results are also much-improved.
t The mean ' core damage frequency at SequoyahJ was calculated to be 5.7E-5 perJyear, with- a. 95' percent upper bound of _.1' 8E 4 ~and 5 percent lower , bound : of 1.2E 5 per_ year. - 1.oss of coolant type accidents were the
]
largest' contributors. to core' damage frequency, accounting for j approximately 62 percent .of the total. The next most dominant type of accidents were station. blackout.(lossiof all AC power). These sequences , account for : 26 porcent of core --damage frequency. No . other - type _ of ' D ' sequence accounts for more than 10. percent'of core damage frequency.
- The numerical results are dominated-by failure to initiate high pressure recirculation due to operator error-following loss of coolant: accidents.
Considerable offort was expended on the modeling of very small'LOCAs-and atation blackout sequences _ including the development-- of a reactor-coolant pump seal LOCA model'through elicitation of expert opinion.- i This ' report evaluates core damage frequency from internally initiated { events. The consequences of these accidents 'are evaluated and reported 1 under separate cover, i i
- l I
-l 4
I 1 l i l i i tilliv l
v=
;s.
- s ,
CONTENTS-Seeel2D 2a&E I
- 1. EXECUTIVE
SUMMARY
..............................-..... .... 1 1.
1.1. O BJ E CT IV E S 1 . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -.1 l ' ; 1.2 AP PROACH . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . 1 - 1 i
'1. 3 R E S U LT S - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 - 2 , ;
i
.1. 4 CON C LU S I ON S 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . 117 - 'l 1.4.1 Plant Specific 1 Conclusions ................. 1-8 a
- 1.4.2, Accident Sequence' Conclusions ............... 1-9 ll 1.4.3 Plant DamagesState Conclusions ............. 1-10 .!
- 1. 4'. 4 Uncertainty Considerations ................. 1 10-1.4.5~ Comparison to RSSMAP ....................... 1 11
~2. PROGRAM SCOPE ............-................................ 2-1
'3- . PROG RAM REV I EW . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . . . . . 3 1 : <- !
3.1 S ENIOR CON SULTANT - CROUP . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 1 -[
.3.2 QUALITY CONTROL' CROUP ,............................ 3 1 3.3 UTILITY INTERFACE ......................... ........ 3 .
1
-3.4 UNCERTAINTY REVIEW PANEL . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 3.5 PEER REVI EW PANEL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2 l l
3.6 AMERICAN. NUCLEAR SOCIETY COMMITTEE ................. 3-3 3.7 PUBLIC COMMENTS ....................,,..e,......... 3-3
- 4. TASK DESCRIPTIONS ................-....-,..................'.4.1-1
~4.1 TAS K FIDW CHART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 .1 - 1 i
4.2 P LANT FAMILI ARI ZATION . . . . . . '. . . . . . . . . . . . . . . . . . . . . . . . 4 . 2 1 , 4.2.1 Initial Plant Visit........................,4.2 1 i 4.2.2 Information 0btained....................... 4.2-2 ' 4.2.3 . Subsequent Plant Visit During the Reanalysis Phase............................ 4.2-2 4.3 INITIATING EVENT IDENTIFICATION AND GROUPINC....... 4.3-1 4.3.1 Initiating Event Identification............ 4.3-3 4.3.2 Support System Failures.................... 4.3-3 I i V 1,' l
A qpp
'6* * '
,d ' ' '
m; l7,< ;a > , ,,h su . CONTENTS;(Continued) Seetion. Eagn 4;3.3 ;Specia1 1nitiators'.- 7 4.3 10' 4.3.'3.1 Interfacing.LOCA.. ..................... 4.3-10
; 4. 3.3. 2 Reactor- Vessel Rupture . . . . . . . . .'. . . . . . . . . 4. 3 10 4.3.4' Final Initiating-Event Selection........... 4.3 11n 4.3.5- Important Assumptions........-..............'.4.3 11 4.4 EVENT TREE ANALYS I S . . . . . . .1. . . . . . . . .. . . . . . . . . . . . . . . . . 4 . 4 1 14.4.1 -Event Tree Assumptions.....-................ 4,4 1- J J 4.4.2 Loss ofL0ffsite Power (TI) Event. Tree....... 4.4-5 7' 4.4.3: -Transient With PCS Unavailable (T2)
Event. Tree............. ..........-,........L. 4.4 13 4.4.4 ITransient With.PCS Initially Available
-(T3) Event Tree'............................. 4;4 16 4.4.5 loss ~ of One DC Bus '(Txx)1 Event Tree . . . . .:. . 4.4 19) ,
4,4. 6' Steam. Generator. Tube Rupture- (Tso) !
' Event Tree.'..,.. ..',...................... ....4.4~21 ,
4.4.7 , Large ~ LOCA - ( A) Event Tree'. . . . . . '. .. . . . . . . . . . . '. 4. 4 a 2 7: 4.4.8 Medium LOCA _ (Sg) Event Tree . .-. . . . .-. . . . . . . . . 4.4- 3 3 ! 4.4. 91 ~ Small : LOCA: (S 2 ) Event ' Tree . . . . . . . . . . . . . . . . . 4.4' 36 4.4.10 -- Very Small1 LOCA ~ (S 3 ) - Event Tree . . ... . . . . . . . . 4.4 42 4.4.11' Anticipated Transient Without Scram-Event Tree................................. 4.4 4.4.12 Event Tree, Nomenclature.................... 4.4 51' i 4.5 PLANT DAMACE STATE DEFINITION...................... 4.5 1. 4.5.1 . Event Tree / Plant Damage State Analysis: _ y Process.............-,......................4.5-1 .; 4.5.2 Definitions of the Plant Damage S ta te I nd ic a to rs . . . . . . . . . . . . . . . . . . . . .' . . . . . . 4 , 5 - 2 j 4.5.3 Plant' Damage State-Analysis................. 4.5 4' 1 4.6 SYSTEM ANALYSIS...............a.................... 4.6 1 4.6.1 System,Modeling and Scope.-.............'.... . 4.6 1-4.6.2 Cold Leg Accumulator Model...-.............. 4.6 5 ' 4.6.3- Safety Inj ection System Model . . . . . . . . . . . . . . 4. 6-8 4.6.4 ' Charging System Model . . . . . . . . . .-. . . . . . . . . . . . 4. 6 15 4.6.5 Low Pressure Injection / Recirculation (LPI/LPR) System Model......................,4.6 24 4.6.6 Auxiliary Feedwater System (APW) Model.... .4.6 32 2 4.6.7 Primary Pressure Relief System (PPRS) M o de 1' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . 6 , 3 8 > 4.6.8 Containment Spray' System (CSS) Model....... 4.6 42 4.6.9 Component _ Cooling Water (CCW) System , i Mo d e 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 , 6 - 4 8 4.6.10 Service Water' System (SSW) Model. . . . . . . . . . . 4.6-57. 4.6.11 Electric Power System (EPS) Model.......... 4.6-68 4.6.12 Instrument Air System (IAS) Model.......... 4.6 75 i l vi
3 b l CONTENTS.(Continued)
-Section- Eag,c 4.6.13' Engineered Safety Features Actuation ,
, System (ESPAS) Mode 1....:..................... 4.6-76 4.6.14- Power Conversion System (PCS) Model. ...... 4.6 79 4.6.15' Reactor Protection-System (RPS) Model...... 4.6 81 ,
4.6.16- Ice Condensor System (ICS) Model........... 4.6-82 . 4.6.17 Heating,. Ventilation ~and' Air .
't
~
~ Conditioning (HVAC) System Mode 1~........... 4.6-85, '
4.6.18 System Analysis Nomenclature............... 4.6-86 4.7 ANSLYSIS OF DEPENDENT FAILURES;...................... 4'.7-11 4.7.1 Subtle Interactions.'.........-.............. 4.7-l' 4.7.2 . Common Cause' Analysis........i...
. . . . . . . . . . . 4 4 . ,7 - 9 '
4.8 HUMAN ' RELI ABILITY ANALYS I S . , . . . . . . . . . . . . . . . . . . . . . . . 4 8 - 1 -
~
4.8,1 Summary of Methodology and Scope...........,4,8 1-Human Actions Analyzed..................... 4.8-2
~
4.8.2 4.8.3 Analysis of Pre-Initiator Errors........... 4.8L2 4.8.3'.1 Drain Plug Removal After.Rafueling (RFC XHE DRNPLC)............................. 4.8-4. t . 4.8.3.2 Miscalibration of-Multiple (RWST Water. . Level Sensors - (RWT XHE-MSCAL) . . . . . . . . . . . . . . ,4. 8-4 . 4.8.4- Analysis-of Post-Initiator Operator Actions.................................;... 4.8L5. 4.8.4.1 Quantification of Skill Based Actions...... 4.8-5 4.8.4.2 Quantification of Rule Based Actions,...... 4.8-7 4.8.4.3 Recirculation Switchover. (Cold Leg) Du r ing L0CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . 8 10
- r. 4.8.4.4 Hot' leg Recirculation Switchover ..
r l (LPR XHE-FO-H0TL).....,.'................r.. 4.8-12 *
- i. 4.8.4.5 Feed and. Bleed Cooling l (HPI-XHE-FO FDBLD)..'.... ................... 4.8-13
! 4.8.4.6 HRA of Operator. Actions During ATWS........ 4.8-14 ! 4.8.4.7 Operator Actions During Steam Cenerator l= . Tube-Rupture (SGTR)(RCS XHE DPRZ-TSG)...... 4.8-18 4.8.5 Innovative Recovery........................ 4.8-17. 4.8.6 Assumptions Used During Sequoyah HRA.......,4.8 16 l . .
- i. 4.9 DATA . BAS E D EVE LhPM ENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . 9 - 1 l: 4.9.1 Sources of Data Base Information............ 4.9 l. 4.9.2 Data Base Description...................... 4.9-1 L -
U 4.10 ACCIDENT SEQUENCE QUANTIFICATION . . . . . . . . . . . . . . . . . . . 4.10-1. 4.10.1 Ceneral Approach........................... 4.10-1 , 4.10.2 Identification of Sequences Analyzed....... 4.10-1. 4.10.3 Application of Recovery Actions'........ ... 4.10-1~ 4.10.4 Assessment of the Impact of Operator Actions....................-................ 4.10-8 , l I l > I
.)
, vil j u -
~
{
}
i , . - _ . _ _ _ . . _ _ ,_____._&_ _'
.I' a- <g CONTENTS (Continued)
Section'- EA&R 4.11L P1hNT DAMAGE STATE QUANTIFICATION................... 4.11-l' 4.11;1 -; Quantification fo containment; Isolation i
-- Fa i l u r e . . . . . . . . . . . . . . . . . . . . . - . .. . - . . . . . . . . . . . 4 .11 - 1^
o4.11.2-: Quantification of Air Return Fan Fai1urei..........'.......................... 4.11 2 14 . 1 1 . 3 - Unavailability of Hydrogen Ignitors......... 4.11 2
'4.11.41 Quantification of Plant Damage States...................................... 4.11 2 4.12 ? UNCERTAINTY ANALYSIS..-............................... 4.12 1 1 14.12.1 Sources and Treatment of-Uncertainties..... 4.12 1 4.12.2 Development of. Parameter Distributions..... 4.12,2 .
4.12.3 Elicitation of Expert Opinion.............. 4.12 2: ; 4.12.4 .Quantification!of Accident Sequence . Uncertainty................................. 4.12-4 [ 1 1
- 5. R E S U LT S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 5 1 5.1 CHARACTERIZATION OF CORE DAMAGE FREQUENCY =
AND UNCERTIANTY AT.SEQUOYAH ....................... 5 11 5.2 ACCIDENT l S EQUENCE RESULTS . . . . . .. . . . . . . . . . . . . . . '. . . . . 5-13 ! 5.2.1 Accident Sequence -S 0cH2 3 ......-............ 5-15 5.2.2 Accident Sequence SBO'- L'..............-... 5 15- l
-5.2.3 Accident Sequence3 S 0c'Ha .................. 5 15- !
5~2.4 Accident Sequence S H3 2..................... 5 16 , 5.2.5 Accident Sequence;S H22 'a -*............. 5-16 5.2.6 Accident Sequence: SB0 SLOCA ' . . . . . . . . . . . . . 5-16 , S'2.7
. Accident Sequence'T 21 L ~P 3. ................... 5-17; 5.2.8 Accident.. Sequence S Hi4 . . . . . . . . . . . . . . . . . . . . . . 5 17 .
5.2.9 Accident Sequence $ H23 ..................... 5-18 5.2.10 Acc ident , Sequence TKRZ , . . . .. .-. . ... . . . . . . . . . . . 5 18 5.2.11- Acc ident Sequence Tsa0 0Qs . . . . . . . . . . . . . . . . . . . 5-18 1 5.2.12' Accident Sequence AD 3 ..................... 5-19 ' 5.2.13 Accident Sequence V ..........-............. 5-19 i 5.3 PLANT DAMAGE STATE GROUP ' RESULTS . . . . . . . . . . . . . . . . . . 5 20 1 5.3.1 -PDS Group 1 Slow Blackout ...............5'21 1 5.3.2 PDS Group 2 Fast Blackout ............... 5 21 l 5.3.3 PDS Group 3 LOCAs ....................... 5 21 ! 5.3.4 PDS Group 4 - Interfacing LOCA............. 5-21 5.3.5 PDS Group 5 - Transients .................. 5 23 .i 5.3.6. PDS Group 6 - ATWS .................. ..... 5 23 J 5.3.7 PDS Group 7 - Steam Generator Tube Rupture ................................... 5-23 l
'1 l
4 viii 1
CONTENTS (Continued) F Section - Eggg > 5.4 IM PORTANCE MEASURES . . . . . . . . . . . . , . . . . . .,. . . . . . . . . . . . 5 2 3 ;
^t 5.5 COMPARISON OF SEQUOYAH RESULTS WITH-0THER-STUDIES .......-.....................:.......... .-... 5-28-' .
.6,0 LCONCLUSIONS ........................'.............i.....4 . . . 6 - l' .
6.1 PLANT ~ SPECIFIC CONCLUSIONS:........................ 6 2-6.2 ACCIDENT SEQUENCE ' CONCLUSIONS L . .. . . . . . . . . . . . .~. . . . . ... 6 3 l 6.3 UNCERTAINTY CONSIDERATIONS!,,........................ 6 4I 6.4 COMPARISON TO.RSSMAP ~.;.c............................ . 64 [ 3 e
7.0 REFERENCES
.............................................. 7-1.- l
?
t hb 4 f i
.(
l: i-l: l .. 1-1' l l' I
?
I f l ix y ....s
.n D ,
o I. ' 3. tj LIST OF FIGURES, 1 Finure' 'fAga' 11L Accident Group Contributions to Total Core-Damage , Fre que ncy . fo r Se quoyah . . . .. . . . . . . . . . . . . . . - . . . . . . . . . . . '. . . . . '.1 4 - {' 12 Distribution Functions for. Core Damage' Frequency f o r ' S e q uoy ah =. . :. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 - 5 4.1-1: PRA Task Flow Charti..................................... 4.1-2: 4.4 1- Event Tree: for T - Los 3 s o f O f fs i te Powe r . . . . . . . . . . . . . . . ~ 4. 4 - 7 4.4-2 Event Tree ' for _ Tg 1 . S tation Blackout . . . . . . . . . . . . . . . . . . . . 4.4-8. 4.4-3 . Event Tree for T . Los s : o f Main. Fe edwa te r . . . . . . . . . . . . . . 4' 4 - 15 4 14.4 4 Event Tree for T 3- Turbine ; Trip with'MFW l Init_ially Available.........v....-.4..................... 4.4-18
~
14,4 5 . Eve n t Tre e . fo r Tug n Lo s s o f DC Bus . . . . . . . . . . . . . . . . . . . . ,4' . 4 2 2 -
.4.4-6s< - Event Tree for Tso '- Steam Generator Tube .
Rupture.............................'...................... 4.4-25 4 '.'4 Event . Tree . fo r ! A - : Large LOCA . ..-. . . . . . . . . '. . . . . . . . . . . . . . . . 4. 4 - 3 2 ; 4.4-8 Event' Tree for 53 . Medium.14CA........;................. 4.4 37 4.4 9 Eve n t Tre e fo r ' S a ' S mall LOCA . . . . . . . . . . . . . . . . . . . . . . . . . . , 4 . 4 - 41 - 4.4 10? Event Tree - for S .3 - Ve ry Small LOCA . . . . . . . .'. . . . . . . . . . . . . 4. 4 45 .; 4.4-11, Event' Tree for,TK1 : Anticipated Transient-Without Scram............................-................ 4.4 50. 4.5 1 Plant _ Damage State: Tree for T3 - Station
-Blackout..........................-...................... 4.5 12 4.542 Plant Damage- State Tree = for 2T -- Loss of Main Feedwater.......................................... 4.5-13 ,
-4.5-3 Plant Damage State Tree for Tam - Loss of'DC Bus........'........................................,4,5-14 4.5-4 Plant Damage State -Tree - for Tm - ~ Steam Cenerator Tube Rupture............................................ 4.5e15 i 4,5-5 Plant Damage State Tree (for.A 'Large3LOCA.............. 4.5-16 4,5 6 ' Plant DamagelState Tree for Si - Medium 1DCA............ 4.5-17 4 4.5-7 Plant Damage State. Tree for S2 -fSmall'LOCA............. 4.5-18
~4.5-8 Plant Damagef State- Tree' for S 31 - -Very Small LOCA.............................................. 4.5-19
. Ei
'4.5 Plant DamageiState Tree for TK - Anticipated Transient Without Scram..........................-....... 4.5-20 ;
C 4.6-1 Simplified Schematic of Cold Leg Accumulators. . . . . . . . . . . 4.6L 7 ! 4.6-2 Simplified Schematic of Safety Injection f System.................................................. 4'6-12 4.6-3 : Dependency- Diagram for Safety Inj ection System. . . . . . . . . . 4'.6-13 > 4.6 4 Simplified Schematic of Charging System................. 4'.6-19 4.6-5 -Dependency Diagram for charging System.................. 4.6 20 4.6-6 Simplified Schematic of thentow Pressure . Inj ection/ Recirculation Sys tem. . . . . . . . . . . . . . . . . . . . . . . . . . 4. 6-2 8 . j 4 '. 6 - 7 Dependency Diagram for Low; Pressure ' F Inj ection/ Recirculation Sys tem. . . . . . . . . . . . . . . . . . . . . . . . . . 4. 6 29 1 h 4.6-8 Simplified Schematic of the Auxiliary , Feedwater System........................................ 4.6-36 1 1 x
.g.
.i J
k 4 4 Y
-I LIST _OP FIGURES (Continued)
F1Eure Iggg. 4.6 9' Dependency Diagram for;the Auxiliary Fe e dwa t e r - Sy s t e m . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . 6 - 3 7 - 4.6 10 Simplified Schematic of-the Primary-Pressure
. Relief System.........:................................... 4.6 40-E 4.6 11 Dependency Diagram for the Primary Pressure
. Re l i e f. Sy s t e m . . . . . . . .' . -. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . 6 41 14.6-121 Simplified . Schematic of the Containment .
li . Spray System............................................ 4.6-46
'4.6 13: Dependency Diagram =for the' Containment ..
S p ray Sys te m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . 4 . 6 - 4 7 4.6 14 Simplified Schematic of the Component Cooling . , Water System...... ................................. _..... 4.6-54 L 4.6-15.
-Simplified Schematic of the Service Water '
. System............................ ............'......... 4.6-63 3 4.6 16 Dependency Diagram for the: Service Water System.....................,.. ................... 4'.6 67 4.6 17 : Simplified Schematic of the Electric Power.
~
System.................................................. 4.6-73 , 4'6 18 Simplified Schematic'of the Ice condenser System.................................................. 4.6-84 5-1: Total Internal: Event Core Damage Frequency for '
!Sequoyah ........................................'....... 5-6
~
o 52- ' Probability? Distribution for Sequoyah Core l Damage a Frequency ............................................... 5 ' e v l-l t i f l I x1
~
1-
.o d
y LIST OF TABLES: , Table EA&R l
' Dominant Accident Sequence Groups .........c............. 1 3"
~
11A 1 . Comparison of NUREG/CR-4550, Revision 1 and RSSMAP Sequences Frequencies'.............x.'............~.1-13
'4.2 1 < - Initial List ofESystems to be Examined and.
Information Requirements................................ 4.2 4;2-2 -Initial: List of Potentially Important; Operator Procedures and Recovery Actione ....-.................... 4.2 5 4.2-3 . Plant Specific Analyses of Events and Operations........ 4.2-7 4.3 1= . Initiating Event Categories Used in the
- S e quoy ah P RA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . :. '. . . 4 . 3 - 2 4.3 2 Sources: of Initiating Event Candidates .~ . . . . . . . . . . . ... . . '. . .4. 3-4 4.3-3 Summary of' Loss of Supoort Systems-as Initiators........ 4.3-5' 4.3 47 Transient Initiating Events............................. 4,3-12 4.3-5 LOCA Initiating Events................................... 4.3 15 i 4.3 6. Initiating Event Assumptions............................ 4,3-16 j I4.4 1 Event Tree Assumptions............. ................ ... 4.4 2 ~j 4.4 Ti Transient Success Criteriat Summary Information . . . . . . . 4.4 6 !
4.4-3 T2 Transient ; Success Criteria : Summary ~Information . . . ... . . 4.4 _d 4.4 4 T3 Transient Success Criteria- Summary ' Information . . . . . . . 4.4-17 i 4.4-5 Tai Transient Success Criteria Summary: j I n f o rma t i on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . 4 - 2 0 ' 4.4 61 Tm Transient Success Criteria Summary i Informationc.............1.............................. 4.4-24 'j 4.4 7 Large LOCA Success Criteria ~ Summary ! Information.............................................. 4.4 28 .i 4.4-8 Medium LOCA Success Criteria Summary , Information............................................. 4.4-34 ] 4.4-9' Small LOCA Success Criteria Summary Information............................................. 4.4-38 4.4-10 Very Small LOCA Success Criteria Summary j Information............................................. 4.4-43
.4.4-11 ATWS Success' Criteria. Summary Information................ 4.4-48, j 4.4-12 Event ~ Tree-Identifiers.................................. 4.4-52 4 4.5-1 Category Definitions for PDS Indicators................. 4.5-6 j 4.5-2 List of Dominant Core Damage Sequences and Point ,
4 Estimate Frequencies.................................... 4-5-8 . 4.5 3 Source of Dominant Core Damage Sequences..................'4.5-10 4.5-4 Plant Damage State Groupings,~............................4.5-11 0 4.6-1 System Modeling in the Sequoyah PRA...................... 4.6-3 4.6-2 Safety Injection / Recirculation Component Status , and Dependency Summary.................................. 4.6-11 l
'4.6-3 Charging ' Injection / Recirculation Component Status-and Dependency Summary........................... 4.6-18 ,
is 4.6-4 LPI/LPR Component Status and Dependency Summary......... 4.6-27 4.6-5 AFW Component Status and Dependency Summary............. 4~.6-35 , 4.6-6 CSS Component Status and Dependency Summary............. 4.6-45 i i xii m__ ___._m______-_m. - -
LIST OF TABLES.(Continued) W IAhlt EA&R 4.6 7 CCW Component Status and Dependency Summary............. 4.6 4 ', 6 - 8 Interfaces Between CCW and Systems Su . by C CW . . . . .= . . . . . . . . . . . . - . . . . . . . ...................
. . . . . . . p p o r t e d 4.6 53 4.6 9 SWS Component-Status and Dependency-Summary............. 4.6 60 4.6-10 . Interfaces Between SWS"and Other Systems................ 4.6 62 4.6 11 AC/DC Power, Supplies and Dependencies................... 4.6 71 4.6 12< ESPAS Instrumentation Summary............'..-.............. 4.6 78 4~.6 13 System Identifiers........................................ 4.6 87 4.6-14 EventLand Component Type Identifier..................... 4.6 90-14.6 15 : Failure Mode Codes.-....................................... 4.6 93 4.6 LSymbols Used'in the System Schematics................... 4.6-95 4.7 1 Ceneric List of Potential Subtle Interactions....-....... 4.7 2;
'4.7 2 ;
. Applicability of Ceneric. Subtle Interactions j to Sequoyah.............................................
4.7-4
'4.7-31 Common Cause Failures,.................................. 4.7-10 !'
4.8-1 HRA for Restoration' Errors............................;.,4.8 3 ' 4.8-2 Human Reliability, Analysis Summary...................... 4.8 8 4.8-3 Cround Rules for-Sequo,yah HRA........................... 4.8 19 4.9 1 I n i t i a t i ng Eve n t Da ta . . . . . . . . . .. . . . . . . . . . . . -. . . . . . . . . . . . . . 4 '. 9 2 4,9-2 i Human : Reliability- Analysis' Description. . . . . . . . . . . . . . . . . . 4. 9 3 4.9-3 Re c ove ry Ac t ion - S ummary . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . :. 4 . 9 - 5 4.9-4: Beta Factor rault Summary................................ 4.9 8' 4.9-5 Sequoyah Data Tab 1e...................................... 4.9 9 i 4.10-1 Accident Sequences Quantified Before Recovery. . . . . . . . . . . 4.10 9 - ' 4.10 2 Recovery Action Descriptions....................... 4.10 3 Re c ove ry Ac ti ons . . . . . . . . . . . . . . . .. . . . . . . . . . . . . ...... . . . . . 4.10-20
. . . . . . 4 .10 18 .j 4.10 4- Dominant Accident Sequences Prior to Recovery. . . . . . . . . . . 4.10-22 4.10-5 Dominant Accident Sequences Quantified Before and After Recovery...................................... 4.10-30' 4.10 6 Impact of Operator Actions.............................. ,
4.10 34 1 4.11 1 Plant Damage State Assignment of Dominant Core Damage Sequences..............................
.{
......... 4.11-4 d 4.11 2 Plant Damage States Above 1E-9..........................,4.11-6 4.11-3 j Plant Damage State Groupings............................ 4.11-7 51 Top Cut' Sets for the Total Sequoyah Core Damage Fr e q ue nc y . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6 5-2 Description of Important Sequoyah Events ........ ...... 5-7 i 5-3 Sequoyah Accident Sequence Core Damage Frequencies............................................. 5 14 54 Plant Damage State Group Frequencies ................... 5-22 ;
5-5 Top Events for Risk Reduction at Sequoyah .............. 5-25 ' 5-6 Top Events for Risk Reduction at Sequoyah .............. 5 26 5-7 Top Events for Uncertainty Importance at Sequoyah ...... 5-27 l 5-8 Comparison of Core Damage Frequencies Due to Internal Initiators . . . . . . . . . . ,
....................... 5 29
( r xii1/ xiv l
7 FOREWORD This is one of numerous documents that support the preparation of - the. NUREG 1150 document by . the NRC Office of Nuclear Regulatory Research, a Figure 1 illustrates the front end documentation.- There are d three = interfacing programs at Sandia National Laboratories performingLthis work: the Accident Sequence ' Evaluation Program (ASEP),: the Severe Accident Risk Reduction _ Program (SARRP), and the Phenomenology = and Risk Uncertainty-Evaluation Program (PRUEP), " The ' Zion PRA was performed at Idt.ho1 National'. Engineering ~ Laboratory and Brookhaven National Laboratory. Table 1 - is' a list- of th'e original primary documentation and the-corresponding revised documentation," There are several > items that should-be noted. First, in the ori inal B NUREC/CR 4550; report, Volume-2 was=to be h. a summary of the~1nternal analyses. This report was deleted. In Revision'
-1, Volume 2 now is the? expert judgment elicitation covering all plants.
Volumes ,3 and 4' include external events analyses for Surry and Peach 1 -] Bottom, respectively,_ i j . I The revised NUREG/CR 4551 covers . the analysis- include' d in.- the original ! NUREG/CR-4551 and NUREC/CR 4700, , However, it is different from NUREG/CR- ;j 4550 in that the results from the expert judgment clicitation are Biven in- 1 four parts to Volume 2 with each part covering one category of-issues._ The 'L accident progression event trees are given in. the1 appendices for'.each of l the plant. analyses.
,1 Originally, NUREG/CR-4550 was' published without the- designation " Draft for Comment." _Thus, this revision of NUREG/CR-4550 is designated Revision 1.
The label Revision 1 is used consistently on all volumes except Volume 2, J which was not part of the original documentation..
~^
i NUREG/CR 4551 was originally published as a " Draft for Comment"- so, in its final' form no Revision 1 designator. is required to distinguish it from e the previous I documen atation, '
,4 There are 'several other reports published in association with NUREC-1150, i These are: '
NUREC/CR 5032, SAND 87-2428, ' Modeline Time to Recovery and Initiating I Event Freauenev for Loss of Off-site Power Incidents at Nuclear' Power-Plants, R. L. Iman and - S . C. , Hora, - Sandia National- Laboratories, !
. Albuquerque, NM, January 1988, i
NUREC/CR-4840, SAND 88-3102, Recommended Procedures for External Event 1
' Risk Analyses for NUREG-1159, M. P. Bohn and J. A. Lambright, Sandia National Laboratories, Albuquerque, NM; November 1989. '
r 4 s Xv i
l . w y T^x ti [ METHODOLOGY < k T
-A
[ EXPERT PANEL RESULTS [ PROJECT STAFF RESULTS -f" l L l g\ -T y Q g m- h lNTERNAL ((lNTERNAL EVENTS EVENTS APPENDIX - f< EXTERNAL EVENTS 'G l !l h l. g - y}
, ER 'C Q . (INTERNAL EVENTS
;m
*g l =[lNTERNAL EVENTS APPENDlX g -
-( ,
- N, [ EXTERNAL EVENTS - ,
S .< A. 3 b [lNTERNAL EVENTS g $ C
) z [lNTERNAL EVENTS APPENXIX'- if g i g % 1g 1 3- : E _ [lNTERNAL EVENTS
[ INTERNAL EVENTS APPENXIX. f*,5 l 3 i-N- T g
& -< E- -
@ ~ [lNTERNAL EVENTS 6 N -T dh 1h
'm
=
* :O' 4
[ RISK MANAGEMENT'- x 1 e <,
}-[ ,
f i z $ E [BACK END l-g Q $ '-/1 , m o - T E @ [. DOCUMENTATION G;gf. 5% ( . g1 m q 4
.g
._.1__ _ . _ _ . . _ _ . _ . _ _ _ . - - . . . _ _ _ _ _ . _ . . . . . - , . _ _ . - . . . . _ . , - - . . - . . _ - . . , ~ . _ . _ _ .
_ _ : e. L., b Y t
~
Table 1.I NUREC-1150 Analysis Documentation l Oririnal Documentation v NURIC/6L 4550 . IRFIEC/CR-4551 . MUREG/tR-4700 Analysis of Core Damage Frequency Evaluatico m Severe-Accident' ' Contalment Event Analysis From Internal Events Risks anc. d.e Potential for for Potential Severe Accidents- . Risk Reduction
- Volume 1; Methodology volume 1' Surry Unit 1 ~ Volume 1 .-Surry Unit 1 2 -Summary (Not Published) '2. Sequoyah Unit 1 . 2 Sequoyah Unit.1
'3 Surry Unic'1 3 Peach Botton Unit 2 - 3 ' Peach Botton Unit 2 4 Peach Botton Unit 2 4 Crand Gulf Unit 1 4 Crand Colf Unit 1 5 Sequoyah Unit'l 5 Zion Unit 1 6 Crand Culf Unit 1 7-Zion Unit'1 Revised Documentation L ..
I NUREC/CR-4550 Revision 1 NUREC/CR-4551,' Evaluation i .- Analysis of Core Damage Frequency 'of Severe Accident Risks ~ l N l '$ volume 1 Methodology . . Volume 1 Methodology: l 2 Part 1 Expert Judgment Elicit. Expert Panel 2 Part 1 Expert Judgment Elicit.--Ia vessel l Part 2 Expert Judgment Elicit.--Project Staff Part 2 Expert Judgment Elicit.--Contairunent I. 3 Part 1 Surry Unit.1 Internal Events . J
- Part 3 Expert Judgment Elicit!--Structural I Part 2 Surry Unit 1 Internal Events App. : Part 4 Expert Judgment Elicit.--Source-Term t Part 3 Surry Unit 1 External Events , ' Part 5 Expert Judgment' Elicit. ;Supp. Calc.
l 4 Part 1 Peach Botton Unit 2 Internal Events Part 6 Expert Judgment Elicit.--Proj. Staff ' Part 2 Peach Botton Unit 2 Internal Events App. ' Part 7. Expert Judgment Elicit.--Supp. Celes
'rart 3 Peach Botton Unit'2 External Events Part 8 Expert Judgment- Elicit.--MACCS Input-5 Part 1 Sequoyah Unit.11. Interna 1' Events 3.Part 1 Surry Unit 1 Anali and Results Part 2' Sequoyah Unit 1 Internal Events App. 'Part 2 Surry Unit 1 Appendices 6.Part 1 Grand Gulf Unit ~1 Internal Events 4 Part 1 Peach Botton Unit 2 Anal. and Results Part 2 ~'Crand Culf Unit 1 Internal. Events App.
-Part 2 Peach Botton Unit 2 Appendices 7 Zion Un!t 1 Internal Events -5 Part 1 Sequoyah Unit 2 Anal.'and Results' Part 2 Sequoyah Unit 2 Appendices ,l
- 6'Part 1 Crand Culf Unit-1 Anal. and Results .
Part 2 Crand Culf Unit-l Appendices- -
' 7 Part i Zion Unit1 Anal, and Results-Part 2 Zion Unit 1 Appendices
-.,.c. . _. --eg-- r w.-.-, p- . ~ . - --e I- -- e %^ 5 [. .r%~ '- =-y. - * * #-w W-^ ~
s' ' w * '-W "N V"- "'r*" 'Wv'~- ~ ^ m~""rr*'9" -
+ # a~-" rw
- w^t
i, h .'
'NUREG/CR 4772', SAND 86-1996,. Aceident 'Seauence Evalus t i on,Pronram D. Swain -III, Sandia
~
lluma n: Reliability Analysis ' Procedure , ~ A. E : National Laboratories, Albuquerque , = NM, February 1987 ' , NUREG/CR 5263, SAND 88 3100, The Ri sk" M ana cement Implications of NUREG-1150 MethodsJand'Results.,- A..C. Camp et al., Sandia. National; Laboratories, Albuquerque:,-NM, December'1988. A lluman Reliability Analysis for the-ATWS Acc! dent Secuence with tiEIV ' il Closure at the Peach Bottom - Atomic Power Station, . A-3272,E W. J. Luckas, tJr. et al. ,: Brookhaven National: Laboratory;- Upton, NY,1966. ; 4 A brief flow chart : for; the documentation 'is given in Figure ' 2. Anyf ' relatede supporting" documents .to the - back-end< NUREG/CR-4551 analyses f are delineated ,in .NUREC/CR 4551. A completeilist of the revised- NUREG/CR-4550, volumes.and parts isigiven below. , General NUREG/CR-4550, Volume 1, Revision.'1, SAND 8692084, Analysis of ' Core ' Damano Freauencv! Methodolocv Guidelines for Internal Events. NUREG/CR 4550, . Volume 2, S AND86 2084,. Analysis of Core Damare-
.Freauency from Internal ' Events : Expert Judgment Elicitation ' on Internal Events -Issues ' Part 11 Expert ' Panel = Resul es -. Part 2:
- Proioct Staff Results.
- Parts l'and 2 of. Volume 2, NUREG/CR-4550 are. bound together. This1 volume was-not part of' the - original documentation and .was .first published in-
- 1. April 1989 and : distributed in May '1989 with . the title: Analysis of. Core ;
Damage . Frequency - from Internal L Events: Expert Judgment Elicitation. In ' t retrospect, a more descriptive title would be: . Analysis of Core Damage- '
+
i' Frequency: Expert Judgment' Elicitation on~ Internal Events (Issues. . i ! l EBIII I NUREG/CR-4550', Volume.3, Revision l', Part 1,' SAND 86-2084, Analysis of Core Damane Freauency: Gurry Unit 1 Internal' Events. , i t NUREC/CR-4550, Volume ~3, Revision 1,'Part 2, SAND 86-2084, onalysis o( Core Damace'Frecuency: Surry Unit 1 Internal Events Annendices. + NUREC/CR 4550, Volume 3, Revision 1. Part 3, SAND 86-2084, Analysis of' Core Damare Freauency -Surry Unit 1 External Events. 4 i xv111 J
-.i FRONT-END ANALYSIS BACK-END ANALYSIS.
NURFC/CR-4550 . NUREC/CR-4551 REVISION'1 ' FIANT DAMACE STATE FREQUENCIES: SEQUOYAH ' ACCIDENT FROGRESSION 1
.SE000YAH : . UNIT >I UNIT I & RISK REDUCTION AND AND RISK .-i UNCERTAINTY HEASURES -
.l
~
1
' I
_ NUREC/CR-4550 REVISION 1- .{ VOL. 1-NETIl0DOIACY l BACK-END SUFFORT.
'l- DOCUMENYATION' .
^
_ NUREC/CR-4550. REVISION 1 E VOL. 2 EXPERT OFINION ,3URRY X PUICH OSTTWO MUREC- _ NUREC/CR-5032 IASF ~1150 _SE000 TAN'
'IE FREq AND RECOVERY iCRANDCULF ..
,zl0N _
_ .NUREC/CR-4772
'HRA-PROCEDURES t
~
Figure 2. Sequoyah!Related Documentation.; ec. _.____ . __ _ _ _ _ _ '__
'r "#
- _ "'T""' (#*' -'M ' T "'l "*' ' " 'F*" '"'W"- T"'"' 5"** 'T [
- d- D o' "t' * '*w '*<M YT t'*P'*
u-- - - _i... -e-.. .2 %i2.a. .m_.
f
- Peach Bottom- 3 s
NUREG/CR 4697, EGG-2464", Containment Ventine ' Analysis - for- the- Pen.p.h Bottom Atomic' Power Station, D;'J- . Ilansen et al. .. . Idaho National 1 Engineering Laboratory (EG&G Idaho,' Ine ): February 1987. NUREG/CR;4550, Volume -4, Revision 1,: Part 1, SAND 86 2084, Analvsis of-Core Damare-Freauenevi tPeach Bottom Unit-2' Internal Events. 1 NUREG/CR-4550, Volume 4, Revision 1,.Part 2, SAND 86-2084, Analpsis of Core "Damace Frecuency!- Peach- Bottom Unit 2 Internal = Events i Annendices. s . lNUREC/CR-4550, Volume'4',-Revision.1,.Part 3, SAND 86 2084, Analysis of Core Damane Frecuency Peach Bot' tom Uniti2 External Events. , Seauovah-4 LNUREG/CR 4550,-Volume 5,. Revision 11,.Part l',; SAND 86-2084,. Analysis of: Core Damane Freauency: Secuovah Unit 1' Internal Events, NUREG/CR 4550, Volume 5, Revision 1, Part 2,-1 SAND 86 2084, An'a lysis of - Core Damare Freauency: Seouovah Unit 1 Internal Events Annendices. 3 Grand Gulf 4 NUREG/CR-4550, Volume'6,-Revision 1,LPart 1,. SAND 86 2084,2 Analysis of ', Core Damare Frecuenev: Grand Gulf Unit'l Internal Events. l NUREG/CR-4550, Volume 6, Revision 1, Part 2,.< SAN 086-2084, Analysis ofl Core Damare Freauency; Grar,d ' Gul f Unit 1 Internal Events Annendices, i i Zion
'NUREG/CR 4550, Volume 7, Revision 1l. ECC-2555, i Analysis 'of Core-Damare Freauency: Zion-Unit 1 Internal Events. .;;
f L
]
1 l l
< l XX
.54 -
i 1 1 ACRONYMS AND INITIALISMS~ ,
', ACOs accumulators:
ACP -AC power: system-ADS, ' automatic depressurization system ADV automatic-depressurization valve; , AFW -auxiliary ~feedvater system or'energency feedwaterLsystem E ANS American Nuclear:Societ'y .j AO _ auxiliary operator 40V; air operated valve ARF . ~ air-return fan system
~ASEP Accident to:uence Evaluation: Program
;ASME =American stiety of Mechanical Engineers ATWS: ' anticipated transient without-scram-BAT boric' acid transfer-BCLi Bar.telle Columbus Laboratory- .l BHEP ' basic human _ error probability j
' BIT: boron injection tank >
BOPL balancelof' plant CCP centrifugal charging = pump- d CCS ' component cooling water _ system- ! CCU - containment atmosphere-cleanup l l 'CCW = component cooling water' 'l CDF core'damcge frequency; . l CDS. condensate system ! CET- containment event tree -] CFC- containment emergency fan cooler system ; CGC containment combustible- gas control
- CHP charging pump' system ,
CHR containment heat removal 1 1 CHW chilledLwater system CIS containment isolation system
~
.j CKV . check valve !
CLS consequence. limiting control system { CPC charging pump cooling 1 CR control room CRD control rod drive CSA control and service area CSC closed cycle cooling . i CSF critical safety. function CSI containment spray . injection . CSR containment spray recirculation j CSS containment-spray system- ! CST condensate storage tank' l CVC chemical and< volume control ! DCP DC power DG,DGN diesel generator DWS drywell (wetwell) spray mode of RHR system l
}
XXI l _~
_~_ _ _ _ - _ _ _ _ _ _ _ _ - 6 ECA' . emergency contingency. actions
~
ECCS- ' emergency core cooling system:? EDP engine driven pump . .
- EHV. Lemergency heating. ventilation, and air ennditionin6 system
- EIL 1 Energy International. -
. EP, emergency procedures EPS- electric' power system:
- EPV: explosive: valve.
. EQ ' fenvironmentally qualified' ERCW :emergencyLraw cooling water ESF: .
engineered safety'. feature
- ESFAS . engineered safety; feature actuation system-ESW . essential service water. systemi
. F6B feed and' bleed FCV. iflow1 control' valve
- FHS _ fuel; handling system' . . .
-j FMEA - Failure Mode and -Effect Analysis' '
F0 -fails open FRC " functional 1 restoration guidelines-FRP' functional restoration procedures ' FSAR. Final Safety Analysis Report-
~ FW- feedwater HCI high. pressure coolant' injection HCS: high pressure core spray HCV' hydraulic control valve-HDV bydraulic valve
- HPI. high pressure ) injection HPR high pressure recirculation H PT -- Human Performance Technologies HRA human reliability analysis.
high pressure service water HSW ' HTX,HX heat exchanger HVAC heating,1 ventilation, and air conditioning-IA instrument-air , IAS- instrument air system ICS. ice condenser system IDCOR Industry Degraded Core Rulemaking Program IE initiating event
.INEL Idaho National Engineering Laboratory:
, ISO isolation condenser system ISR inside containment spray recirculation LC ' locked closed y LCI low pressure coolant injection i low pressure coro spray
. LCS .
LCV - level epntrol valve- , LER licensee event report l LFT SET large fault tree - small event tree ID locked open LOCA loss of coolant accident l xxii
+ , ?
s
=
IDSP , loss of offsite-power LPI- low pressure injection . LPR- low pressure recirculation MLVR - light water-reactor-
.MCC- - motor control' center MCW main. circulating water MD1 motor driven MFW main'feedwater-LMOV . motor operated valve'-
MSIV' main steam isolation valve. main steam system
~
MSS .. ; MTC- moderator' temperature coefficient-
'l
^ NHV -- normal heating, ventilation, and~ air conditioning- .[
NPSH- net positive suction head , 1 NRC . Nuclear Regulatory Commission : .j NUS Nuclear Utility Services. OEP onsite electric power . , OSR' outside' containment spray recirculation ~ ;j
.PCS- power conversion, system j PDP positive displacement charging pump ;
P&ID- piping and. instrumentation-diagrams :1 PDS' plant damage state j PIAC Pickard, Lowe, and.Garrick- -1 PORV _ ' power . operated relief valve ll PPRS,PPS primary pressure l relief' system 1 PRA.- probabilistic risk assessment l l PRUEP- Phenomenology and Risk Uncertainty Evaluation Program j PS pipe segment i PTS-_ pressurized thermal shock- ! PWR pressurized water reactor, t l -QA quality assurance , l quality control group-QCG l i RBC reactor building cooling water RCI reactor core isolation cooling , RCP reactor coolant pump l RCS reactor coolant / system, ) l' RE restoration error l L RCU radioactive gaseous waste j RER . residual heat removal ! RLW -radioactive liquid waste ! RMT= recirculation' mode trar.sfer. i ! -RO. reactor operator RPS reactor protection system .; Reactor Safety Study Methodology Application Program
+
RSSMAP L. RTND reference temperature for. transition to_ nil ductility RV relief valve
'RWST. refueling water storage tank-1 l
xxiii. I l 1 1, i { - A .i
r l' ' L SAIC Science App 1'ications: International Corporation SAROS: ' Safety 6 Reliability Optimitation Services : l SARRP' Severe Accident' Risk Reduction Program , - SB0 : station blackout'
'SDC shutdown cooling' SETS . Set 1 Equation Transformation Program
'SG steam generator.
'SGT' standby gas: treatment.
SGTR steam generator tube rupture = ! SI. safety. injection SIAS . safety ' injection actuation system JSIS- 'safetyJinjection system , SLC; ~ standby liquid control-SNLA- Sandia. National. Laboratory, Albuquerque' SOVE solenoid operated. valve 1
!SPC. ' suppression" pool' cooling
-SPM- suppression pool makeup-
- SRO- " senior reactor operator: /
.SRV: , safetyL relief- valve STA' .shif t technica1' advisor - ;y
.SW,SWSL service water ' system or essential' raw cooling water system -l TBC' turbine building cooling. water 1 .(
TCV- testable check valve: ;
.TD: : turbine driven "
TDP. ' turbine driven pump . TEMAC Top Event Matrix' Analysis Code y TVA= Tennessee Valley Authority' UHI upper head injection ~- VCT volume control tank , WOG Westinghouse Owners Group ATWS Rulemaking' Comments t. XVM manual' valve ( l l v' , 0 i i 1-l xxiv !
'l a
.,m 't
i l ACKNOWLElsCEMENTS l The authors wish to acknowledge the following individuals for their l contribution to the Sequoyah Analysis:- j Diane M. Jones for her technical assistance in developing the system , level failure modes and effects analyses. Jeffrey A. Julius for his technical support in; finalizing the analysis and documentation. 'l Marc D. Quilici for his guidance in the fault tree analysis, particularly the use of the SETS computer code. I i b t
?
F I
- i. s
~
1 XXV t r
i i
- 1. EXECUTIVE
SUMMARY
l This document presents the final results of one of several studies that i provided information to the . Nuclear Regulatory Commission Office of
' Nuclear Regulatory Research about Light k'ater Reactor . (Lk'R) risk. The '
Office of Research used the results of,this work, along with other input, to prepare NUREG 1150,m Risk from a selected Eroup of five nuclear ; power. plants is examined in NUREG 1150 by incorporating the results of wide ranging research efforts that have taken place over the past several years. Sequoyah Unit I was chosen as one of the five plants to be analyzed to
- accomplish regulatory goals. The Sequoyah Nuclear Power. Plant contains two units of 1128 megawatts (electrical) capacity each and is located- '
near Chattanooga, Tennessee. The reactors are each housed in ice condenser containments. The Sequoyah plant was previously analyzed in . the Reactor Safety Study Methodology Application Program (RSSMAP) . m Other plants that were chosen fcr analysis are Peach %ttom, Surry. Grand r Gulf, and Zion. 1.1 Obj ec t ive s The primary objective was to perform an analysis to support the NUREG-1150 project that is as near to a state-of-the art, Level-1 Probabilistic Risk Assessment (PRA) as possible. Corresponding Level 2 and Level 3 analyses have also been performed and documented. Direct objectives of the analysis were to identify potential, significant system failures, to provide insights of value to utilities with plants of this type, and to develop, apply, and document the applicaticn of a detailed methodology that can be used by others , including utilities. The perspective gained from NUREG 1150 will be used to support the NRC's resolution of severe actident regulatory issues. , This document presents the Level 1 part of the risk calculation the frequency of scenarios involving system failures which lead to severe , core damage as a result of internal initiators. Core camage is defined l as a significant core uncovery occurrence with reflooding of the core not j imminently expected. The result is a prolonged uncovery of the core, which leads to damaged fuel and a release' of fission products from the fuel. 1.2 Anoroach The standard Level 1 PRA approach was used in the analysis. Event trees were constructed, the ' top events were modeled using lace fault trees, : and the results were quantified using the Set Equation Transformacion System (SETS) and The Top Event Matrix Analysis Code (TEMAC) computer codes.- l 11 1 A
A wealth of information pertinent to probabilistic study was readily available for the Sequoyah plant, owing to previous probabilistic studies performed on the plant. The Sequoyah PRA team analyzed only those aspects of the plant which had been shown to be important in the past or were the - topic of current safety issues. Effort was not expended on areas that had been shown to be unimportant in the past, unless new information was available to suggest the area be reanalyzed. Also, if the analyst felt that a system could be represented adequately using a simplified model rather than a detailed fault tree. the simplified approach 'was used. However, if the analyst felt that a- system was important enough to warrant _ detailed modeling, then the appropriate
-modeling techniques were used. .
In regard to the PRA' methodology, several areas merit comment. First, a human reliability analysis was performed on operator - actions that surfaced ~ in the PRA as - potentially significant. Second, very ~ little > plant specific data were available for the data analysis. Third, . a recovery analysis was performed after the initial quantification 'of-accident sequences to assure proper credit was given for operator intervention during the accident. Fourth, an extensive uncertainty s analysis was performed which required determining the uncertainty on the failure probabilities for basic events in the models. Finally, in some cases, no - firm data existed to support failure probability development, so expert judgment was - formally elicited from people with extensive experience on each issue in question. This_ final item is the subject of Volume 2 of NUREG/CR.4550. i The Level 1 results were grouped into plant damage states : to provide a
- form suitable for input to the back end accident progression event trees.
A plant damage state is a grouping of accident sequences or parts of accident sequences that have similar characteristics, such as vessel f pressure, timing, containment response, and system failures, which provides the necessary input for the accident progression event tree used in the Level 2 analysis. In order to maintain high quality, this work was reviewed by four different groups: an independent Senior Consultant Group, an independent i
- Quality Control Group, Sandia staff and management, and the NRC. In addition, the staff at Tennessee Valley Authority were given an ]
opportunity to review this work at various stages. TVA's comments were I addressed in this analysis, as were numerous comments received from the l NRC, the public, and the nuclear industry. l 1.3 Results The Sequoyah PRA identified 23 core damage sequences with a mean ; frequency greater than 1.0E 7 per reactor year. These sequences taken collectively , are called the comprehensive core damage model.- The ; , comprehensive core damage model yielded a sampled mean frequency of 5.7E. l 5 per reactor year. The accident grouping by initiating event type, I showing the contribution of each type to total core damage frequency, is shown in Table 1-1. The contributions are shown graphically in Figure j I l
.)
1-2
Table 1 1 Dominant Accident Sequence Groups Event Type. Core Damm6e Frequency (/yr)' % of Total LOCA 3.6E 5 62% thSp f 1,$E 5 26% interfacin6 LOCA 6.5E 7 1.1% Transient 2. 6 E. 6 4.6% ATWS 1.9E.6 3.4% Steam Generator Tube Rupture 1. 7E 6 3.0% 5.7E 5 1 1. The cumulative distribution function and the density function for the total core damage frequency are shown in Figure 1+2, These two functions are based on the results of a statistical sample of 1000 points, with some = smoothing employed . in the generation of the density function. The important statistical parameters of the core damage frequency distribution are listed below. Mean 5.7E 5/yr Standard Deviation 6.9E 5 95% Upper 1.8E 4/yr 75% Upper 6.4E 5/yr Median 3.7E 5/yr 25% lower 2.3E 5/yr 5% lower 1.2E 5/yr The comprehensive core damage model represents all of .the accident sequences with frequencies greater than IE 7/yr. There were six fully quantified accident sequences that have point estimate frequencies less than IE 7/yr. These sequences have a combined frequency of 3.9E 7. -In addition, there were 24 partially quantified sequences with point estimate frequencies in the range of 5E 10 to IE 7. These sequences were partially quantified in that they were not subject to recovery analysis. They. were minimal contributors without recovery actions, and therefore not subject to' further evaluation. Their total unrecovered frequency is 7.5E 7/yr. If these sequences are estimated to be reduced by a factor of three, due to recovery, these sequences would represent a total frequency of 2. 5E 7. . Thus , the total contribution .of nondominant sequences is' estimated to be 6.4E 7, which accounts for a very small percentage of the core damage frequency. 13
k py,,,, 5". 62". - Sr' W 1 P. 3 F. LOSS OF OffstfE POWER (LOSP) -
- m o,g ,7 ,. y. < F[ ' , .. 'g.
-9,
,d) i-l$ " ?._ _ $ .
b?e i SCRAM , . ' . -.'m y u
-lE4 . r-E-j \' ' i 4 '
jid l4 :t] STEAM CENERA10R 10DE RUPTURE db ' l$$ , ' E9;-4"'g C l l INTERFACING LOCA (V) 4 jko ;- j y p'D ! mg ;;g g ,nsys,cy, ;
- Nhy;Mk b - -9 6"-
wepg.. ng k i* tocA , l LOSP : i 2P. 37 LOCA .657. . .. . 3 0 7. 26% 74% [ .. e i
+
@ STAtl0N DLACKOUT (500) '- I LOSS OF FECOWATER LARGE LOCA R sBo - SEAL LocA RSMALL LOCA seo - STUCK-OPEN RELIEF -
VALVE
~$
@ $80 - BATTERY DEPLETION t
Figure 1-1. Accident Group Contributions to Total Core Damage. ' Frequency for Sequoyah, l-l i-4 z; q i
i i c 10 - 95% f u M 0.9- 1 U L 0.8 - l A - Mean j T o.7 -
-~
I
.)
V I 0.6 - ' i Median , l P 0.5 , R ' O 0.4 - 1 B A 0.3- 1 B. ' I 0.2- ! L - I 0.1 - 3x T .-. j 0.0 - - - E-6 .1E-5 4 1E-4 E-3 CORE DAMAGE FREQUENCY ' P 4 D ~ E N - S ~ I T - y - E-6 E-5 E-4 E-3
~
CORE DAMAGE FREQUENCY l -' Figure 1-2. Distribution Functions for Core Damage Frequency for Sequoyah. . L ,
An event importance analysis was performed on the comprehensive core damage model. In this analysis. - the relative importance of each basic event, with respect to three measures, is calculated. These three measures' are risk reduction, risk increase, and uncertainty. The risk reduction measure is. the absolute amount by which core damage frequency is reduced if the. event in question had a probability of zero (i.e., ' never happened). The most' important events for risk reduction are related ' to two . types of accident scenarios. These are failure to establish ECCS recirculation from the containment sump after a very small
. loss of coolant accident and loss of auxiliary feedwater during station blackout. The two top events for risk reduction are the small break initiating event and Oc, the percent of very small breaks for which the operator will not be able to terminate the containment sprays which are i activated on high containment pressure. The operation of the sprays will drain the RWST in less than one hour, and force the switchover to ECCS recirculation from the sump. Portions of the switchover at Sequoyah are not automated, and thus the potential for operator error during l reconfiguration of the ECCS makes this a dominant ' contributor to core j damage, The. third most important event for risk reduction is the loss of offsite power initiating event. The fourth and fif th mest important risk reduction events are operator errors committed during ECCS !
reconfiguration. The sixth and seventh most important events are related to non recovery of AC power af ter the initiating event. Thus, the most important risk reduction events are related to the dominant accident ; sequence types. Similar information was generated for risk . increase measures. Risk increase is derived by calculating the core damage frequency with a given event probability see equal to 1.0, the upper bound for an event probability. The menaing of risk increase can be thought of as the resulting core damage frequency if the component (or train or system) is - not available (e.g., always failed). The events with the highest risk increase measures are common cause failure of auxiliary feedwater due to steam binding of the AW pumps, failure of the reactor protection system, and common cause failures of the RWST or the containment sump which , I prevent ECCS recirculation. The fifth, sixth, and seventh most important risk increase events are the same operator errors (failure to reconfigure ECCS) that are also the fourth, fifth, and tenth most important risk ' reduction events. The appearance of these events as both important risk ! reduction and risk increase events implies that these operator errors dominate the study results. Uncertainty importance is calculated in a different manner than risk reduction or risk increase. To assess uncertainty importance, an uncertainty calculation is made, holding the value of a particular event constant. The uncertainty bounds, chosen here as the: fif th and ninety-fif th percentiles of. the calculation, are compared to the uncertainty bounds when all parameters are considered random variables. The . uncertainty importance shows that the same three operator errors for failure to reconfigure ECCS for recirculation contribute the most to the overall statistical uncertainty. , 16 s
i i l 1,4 Conclusions One of the major purposes of the Sequoyah analysis was to provide an { updated perspective on our understanding of the risks from the plant relative to the results of the RSSMAPt2{ analysis. In the present study, , loss of coolant accidents insido containment are the most dominant , accident group, accounting for approximately two thirds of total core ' damage frequency. The prominence of this accident group is very similar i to the results of RSSMAP, which was completed in 1979. Station blackout (loss of all AC power) accidents are the next most dominant contributors to core damage. They account for one fourth of the total core damage frequency. Station blackout sequences were not : important in RSSMAP. The station blackout analysis for this study was much more rigorcus than that of RSSMAP. All aspects of electric power modeling, plant response modeling, and development of event probabilities t have been significantly improved over those ured in RSSMAP. The higher , frequencies for station blackout are considered a more accurate assessment of the event than that contained in previous analyses. Loss of coolant accidents - in interf acing systems outside of containment represent a small contribution to core damage, at 1 percent of the total, but are important contributors to risk because they may represent a direct release path to the environment. The understanding of these evente is relatively unchanged since RSSMAP. In the ensuing years, the calcutated frequency has been reduced due to more frequent check valve test intervals, and recently increased due to the inclusion of common cause failures in the quantification. The general reactor transient category (other than loss of offsite power) accounts for 4 percent of core damage frequency. This category was about > the same contributor in RSSMAP, although RSSMAP did not recognize the viability of feed and bleed core cooling, whereas this study does. Anticipated transient without scram (ATWS) accidents contribute l approximately 3 percent to total core damage frequency. ATWS events were an insigeMicant contributor in RSSMAP. ATWS became more important in this stud; due to considerations of the moderator temperature coefficient and of human error associated with failure of emergency boration. Steam generator tube rupture (SGTR) accounts for approximately 3 percent ; L of coce damage frequency. This event was not analyzed by RSSMAP. To l date, however, at least five steam generator tube failure events have ( been large enough to require an Emergency Core Cooling System (ECCS) response and mitigation. Tube ruptures are a form of interfacing 14CAs, , and thus may be very important to risk, even though they do not dominate core damage frequency. It is therefore appropriate to -include these-initiating events in the PRA. 17
1.4.1 Plant Specific Conclusions As discussed above, the results of this study are similar to the results of previous probabilistic studies on Sequoyah. . Loss of _ coolant . events followed by failure of ECCS recirculation are dominant. This dominance can be related . to certain design features of the Sequoyah plant, including the . ice condenser containment. The principal contributing ; design feature is that of ECCS configuration to the recirculation mode.
- The switchover from the high pressure injection mode of ECCS to the high pressure recirculation mode is not fully automatic and requires several successive operator actions which-must be completed in a short period of time.
The first contributing design feature discussed here is the set point for , containment spray actuation in response to LOCAs. The sprays are f activated with the differential pressure. between the lower containment ; compartment and the annulus roaches of 2.81 psi. This is much lower than , the set point for. large dry containments. The effect of the lower set i point is that spraws will come on for very small break sizes, on the 'c order of 3/4" or less. Smaller break sizes are more freoftent than larger braak sizes, thus containment sprays are expected to come on for a larger percentage of LOCAs at .Sequoyah than at PWRs without ice condenser containments. Spray system operation will deplete the RWST in about 30 minutes, thus causing the need for ECCS recirculation. 'The potential for operator error during the reconfiguration to recirculation causes the spray actuation feature to be important. The RCS will remain pressurized during the early phase of a small break scenario, and thus ECCS high pressure recirculation (HpR; is required after the RWST is depleted. The reconfiguration process for HPR at Sequoyah is a manual operation, which , consists of opening and closing several pairs of valves.- Many of these valves are interlocked with other valves, thus introducing a sequential nature to the reconfiguration. The entire operation must be done v3ry soon following the initiation of the event, thus contributing to high stress levels amon8 the operators. IhCA frequenciew on the order.of 1E 2 and operator error probabilities on the order of IE 3 combine to make these accident sequences dominant at Sequoyah, ; J l The next most dominant accident group is the station blackout sequences. The plant response to station blackout at Sequoyah is similar to that of ! other PWRs. The dominant type of blackout sequence represents core uncovery due to failure of the auxiliary feedwater system. The dominant failures involve initial unavailability of the turbine driven pump and failure of the operator to restore the water level control valves after ; the instrument air header bleeds down. As with the IDCA accident group, certain design features - of the . plant create the need for operator intervention shortly after the onset of the initiator. (in this case : station blackout) in order to maintain an essential safety function. The steam generator feed valves in the auxiliary feedwater system are operated valves that fail closed on loss of air pressure. During station I blackout, the ability to recharge the instrument air headers is lost, resulting in pressure bleed down in approximately 30 to 60 minutes. At this tirW. the operator must go out into the plant and locally crank open the feed flow valves in order to maintain or restore feedwater flow. 1-8
Failure of the operator to perform this task correctly leads to loss of . steam generator heat removal and ultimately core uncovery, unless AC ! power is restored. The next most dominant blackout sequence is the , reactor coolant pump' seal LOCA sequence. 'A generic model for I Westinghouse reactor coolant pumps was developed in Reference 45 and used i in this study. It predicts a significant probability of severe seal degradation, starting at 90 minutes from loss of seal cooling. Core , uncovery is predicted to occur about 2 hours after onset of seal failure, j unless AC power is restored and safety injection is provided within' that i time. The battery depletion time was assessed to be 4 hours, which is ) typical for PWRs. The capability to cross connect the 6.9 kV emergency I buses and the 125 VDC vital battery boards at Sequoyah reduces the : frequency of long term station blackout sequences. ; 1.4.2 Accident Sequence Conclusions i As previously noted, there are 23 accident sequences in the Sequoyah core i damage model. These sequences are listed in Table 5 3 in section 5 of this report. The number of dominant sequences in a PRA model and their l relative size is strongly influenced by the PRA methodology utilized and i the level of detail of the analysis. The relative contribution of various types of sequences for a specific plant can provide insight into the types of accident scenarios which are important at that plant. As discussed earlier, LOCA sequences are the dominant accident group at [ Sequoyah. Examination of the- types of sequences in the IDCA group reveals (1) small breaks are much more prominent than larger breaks, and ' (2) failures in the recirculation phase are much more prominent than failures in the injection phase. In fact, small breaks with failure ef High Pressure Inj ec tion (HPI) do not appear at all in the dominant accident sequences. The absence of the HPI type sequences is due to the ECCS design at Sequoyah which provides multiple, redundant injection I capability. The prominence of recirculation failures is due to the need for operator action in order to provide high pressure recirculation. The station blackout sequences show that loss of auxiliary feedwater and reactor coolant pump seal LOCA are dominant. The relatively low frequency for long term battery depletion is due to the ability to cross connect the AC and DC power systems from Unit 2 to Unit 1. -The seal LOCA sequence frequency incorporates the benefit of this cross tie capability. ; Without the cross tie capability, the seal LOCA sequence frequency would be 1.5E 5 and would'be the accident sequence with the highest frequency. f . i t l An interesting an,pect of the Sequoyah sequence profile is that loss of service water and component cooling water systems, as initiators, are not i l represented in;the. dominant accident sequences. This is interesting in
- light of the fact that all ECCS pumps require cooling from one or both of :
these systems. Failures of portions.of-these syctems are not prominent in the cut sets either. The reason for this absence ir due to the amount ' of redundancy in these systems at Sequoyah. The Emergency Raw Ceoling Water (ERCW) and the Component Coolin6 Water (CCW) systems at the Sequoyah station are dual unit systems in which one large system provides cooling loads to both nuclear units. The SWS has eight pumps and four 3 19
headers while the CCW system have five . pumps and three headers. The system configurations are very versatile with respect to the ability to cross tie and reconfigure the system in the event that-certain pumps or headers.are failed or otherwise unavailable. The result is that. multiple failures (three or more) .are generally required to result in i unrecoverable loss of coo 1Ang wator'to an entire train of systems. The ! fatture characterist,1cs of systems such as -these are generally dominated l by common. cause failures of pumps, suction sources, biofouling, or pipe ! breaks. There is considerable uncertainty involved in the calculation of j common cause failures in systems with large amounts of redundancy. These i types of common cause failures are often plant specific. Baseo on the limited amount of plant specific experience at Sequoyah, and the component failure data base used in this study, the calculated frequency 1 for complete failure of these systems is below 1E 7 per year. ! i 1.4.3 plant Damage State conclusions The core damage sequences in the plant model were combined into seven plant damage states for purposes of accident progression event tree analysis. The plant damage state grouping is very similar to the , sequence grouping shown in Table 1 1, except that station blackout has
- been divided into two groups; a fast blackout group representi"6 the loss of AFW sequences, and a slow blackout group representing all other
- blackout sequences.
1.4.4 Uncertainty Considerations The process of developing a probabilistic'model of a nuclear power plant . involves the combination of many individual events (initiators, hardware failures, operator errors, etc.) into accident sequences and eventually into an estimate of the total - frequency - of core damage. After t development, such a model also can be used to assess the importance of the individual events. The sequence cut set
- models supporting this study have been analyzed using several importance measures. The results of the analyses usin6 an uncertainty importance measure are summarized below. For this measure, the relative contribution of the uncertainty of individual events to the uncerta' ity in total core damage frequency is calculated. Using this measure, the following events were found to be most important; e Operator failure to switch to high pressure recirculation
- Failure of ECCS valves to open
- Failure of diesel generator to start i e Failure of ECCS valves to close e Failure of pressurizer p0RVs to open e Failure of diesel generators to run for six hours e Very small break initiating event 1
- Every accident sequence is the sum of one or more combinations of events that lead to core damage. Thess combinations of events are the detailed scenarios of the minimum sequence of failures (component and- ;
hu' tan) that result in core damage and are defined as ' cut sets." 1 10 ,
L 1.4.5 Comparison to RSSMAP in the eight years between the . Reactor Safety Study Methodology Applications Program (RSSMAP) analysis of Sequoyah and the present analysis,' the understanding of reactor operation and safety have changed. Comparison of study results must take these changes into account. The total core damage frequencies calculated .in the two studies are nearly identical. The total core damage frequency estimated -in i.he RSSMAP was i 5.6E 5 per reactor year while this study developed a point estimate * -' frequency of 5.3E 5 per reactor year. The RSSMAP frequency is based on j use of median values for basic events while the frequency of this study is based on sne use of mean values. .This study calculated a mean value* for total core damage frequency of 5.7E 5 per year. A comparison of ' accident group frequencies is shown in Table 1 2. Significant differences and similarities between this study and the RSSMAP study are summarized below: ?
- Reactor coolant pump seal LOCAs are significant in the ,
present study, but not included in RSSMAP. e Station blackout sequences . are more significant in this i study than in RSSMAP. The station blackout model for this study was-more comprehensive than in RSSMAP. i e LOCAs followed by loss of coolant recirculation remain approximately the s&me frequency, and are significant in. both study results. A detailed comparison of contributors was not made.
- ATWS sequences are not directly comparable due to inclusion of ATWS phenomenology issues such as moderator temperature l
coefficient, different probabilities for failure to scram, l and different perceptions about operator error ,
. probabilities in ATWS situations.
- The interfacing 1ACA frequency was reduced primarily due to increase in valve test frequency and the assumption of recovery for some percentage of these events.
- The frequency for loss of all feedwater sequences (TML) in-this study was slightly reduced over the RSSMAP frequency.
In addition, this study considers feed and bleed cooling as a viable alternative in preventing core damage af ter loss of all steam generator heat removal, whereas RSSMAP did not address this mode of operation. 1 (
- As used here, the term point estimate implies that the failure i probability of each basic event is represented by a single value.
The term mean value implies that the failure distribution of selected basic events is 'used (i.e., propagated through the i sequence calculations) to determine. the sequence frequencies, ! which are then summed to determine the core damage frequency. ! 1 11 r w
p. Table 1-2 Comparison of NUREG/CR-4550, Revision 1 and RSSMAP Sequences Frequencies General Accident Tvoe NUREC/CRA550. Revision 1 Anoroximate RSSMAP Mean (Median) . Median Frequenciect!) Fr e ncy Station Blackout (Slow) 5.1E-6 (9.4E-7)~ -- Station Blackout (Fast) 9.6E-6 (3.8E-6) -13E-7 , Anticipated Transient 1.9E-6 (4.1E-7)' -<1E-7 < Without Scram
~ Transients 2.6E-6 (1.OE-6) 3.OE-6 4
Interfacing IDCA 6.5E-7 (2.0E-8) 4.6E-6 Iess of Coolant Accidents - 3.6E-5 (1.2E-5) 4.8E-5. Steam Generator Tube Rupture 1.7E-6 (3.2E-7) NA Total 5.7E-5 (1.8E-5) 5.6E-5 l (1) Sum of means (or medians) of individual plant damage states l L
1 1
- 2. PROGRAM SCOPE The Sequoyah Probabilistic Risk Assessment (PRA) was conducted during two periods. During the first period, the objective was to complete ~ a fast, ;
efficient PRA in a short period of time. This was accomplished, and following a review and some revisions, the PRA was published as.NUREC/CR. 4550, Volume 5 in February 1987. This report received extensive- j distribution and considerable. review. In response to the comments from + reviewers and especially the U.S. Nuclear Regulatory Commission (NRC) and ! Tennessee -Valley Authority, ' an update of the report - was initiated. ; During the interim perioO edditional system and procedural details were-examined. The result is the significantly revised analysis presented in : this report. This report combines 1 the tasks performed in the original analysis with ! the tasks accomplished during the revised analysis. Vhile the original . objective was to perform a fast, efficient PRA, it became-necessary, due I to . comments and criticism, to examine additional details and to refine ; the models and techniques during the revised analysis. One target in the re analysis was to reduce conservatism as much as. possible. To-give the - reader a perspective of the scope of this work, a list of PRA tasks is ; given below describing what was done in this analysis. The' level of detail is compared to a " state of the art" PRA for- each task and graded ! as (1) improved state of the art, (2) state of the art, (3) slightly f abbreviated, (4) abbreviated, and (5) not analyzed. l e Plant Familiarization Analysis Information was collected f from past Sequoyah studies and the Final Safety Analysis ! Report (FSAR) and put together in an initial set of event trees.-fault trees, and questions for plant personnel. The
- pre visit information gathering took a month. One week was i spent at the plant gathering information - first hand and l regular contact with the plant was maintained throughout :
the course of the study. A confirmatory visit near the end' " of the first analysis and a subsequent visit : during the ' revised analysis were conducted. (Slightly. abbreviated to state of the art) , e Accident Seouence Initiatine Event Analysis- Initiating T event information from plant specific records and past .; studies were used. A search for support system initiators l: was conducted. During the revised analysis, these l initiating events were reviewed. 1.oss of a DC bus (Tm), component cooling water (Teew) , service water (Tsws) e ! u instrument air, 120 VAC, offsite power (T 3 ), and steam , il generator tube rupture (Tso) initiators were re evaluated. L (State of the-art) .; k h 21 i i n
y e krident Scauence Event Tree Analysis Because Sequoyah has been studied extensively in the . past, . functional event trees were not developed. Past . studies and current containment analyses : vere used to identify the. event tree , headings = necessary to model all reactor functions. No l significant shortcuts were used to develop the event treer. 1 Nevertheless, numerous refinements were made in the revised analysis. (Improved state of the-art) e System Annivsis _The level of modelin6 detail' was. at .the discretion of the analyst. If a system could be shown to- , be relatively. unimportant, or' if : a detailed model would: have taken an unreasonable amount of time, simplifications' , were made. If the system was considered important, a L detailed modeling effort was undertaken. - The models are
~
therefore a combination of detailed fault trees,' simplified- : Boolean expressions, and black box models. Fault trees for several events and the electric power system'were added in the revised analysis. The level of detail in many existing fault trees was also increased. Common cause failures were included in the = fault trees rather than applying such failures by hand to the cut sets. Fault' trees were expanded from " train level" modeling (called pipe segments .' in the earlier: reports) to individual, components. (Rangos-from abbreviated to state of the art,- depending on the system) , e Dependent and Subtle Failure Analysis -A significant' effort was made to identify, model, and quantify dependent failures. Intersystem dependencies were identified and modeled in the system analysis. Subtle interactions found , i in past PRAs were reviewed for their applicability to Sequoyah. A Licensee Event Report (LER) review of Sequoyah ' and other plant specific reports was made to identify any
- unexpected interactions or common cause failures.
(Slightly abbreviated to state of-the art)- ; e llumnn Reliability Analysis MIRA) An abbreviated HRA , procedure was developed specifically for this program.24
- An HRA specialist was present during' the plant visit.
During the recovery analysis conducted in the revised 1 analysis, each human error event, either pre or post-accident, was carefully tabulated, described,~and re-O evaluated. Only errors of omission were considered in this analysis. (Slightly abbreviated) -! l l e D6ta Base Analygig A data specialist was present during the initial plant visit. Limited plant-specific data was l: obtained. Where plant specific data was lacking, generic data was used. (Abbreviated) 22 :
.j
i e Accident Seouence Ouantification Analysis -No significant j shortcuts ' were taken in this area. -All the ' accident : sequences with potential for being greater than 1E-7 were l quantified and evaluated for. recovery actions. (State-of- ! the art) , l e Plant Damage State Analysir- Issues from the accident progression event . tress were: identified by the back-end analysts for the front end analyst to evaluate. This evaluation resulted in the binning of core damage cut sets . , into plant damage. states. (Improved state of the art) e Phycleal Process of Reactor Meltdown Accidents Past -i thermal hydraulic calculations and calculations performed i by the. NUREG 1150 accident progression analysts were -used as. required. (State-of the art) e Radionuclide' Release and Transoort This was handled by the NUREG 1150 source term analysts, e Environmental Transoort and Consecuence Analysis This was : handled by the NUREG-1150 back end analysts. ;
- Seismic Risk Analvsis -This is outnide the present scope.
(Not analyzed) i e Fire Risk Analysis--This is outside the present scope. ' (Not analyzed) e Flood Risk Analysis--This is outside the present scope. (Not analyzed) e Other External Hazards (e.c. Tornadoes) This is outside the present scope. (Not analyzed) e Treatment of Uncertainties Statistical uncertainty in' the ' failure data, uncertainty associated ~ with- the application of the failure data, and uncertainty caused by modeling
- assumptions and success criteria vere all treated in the l_ analysis. In the original analysis, modeling uncertainty ,
was handled to a large extent by sensitivity studies. In , the revised analysis, additional uncertainty was incorporated directly into the logic models, Expert ', opinion ' elicitations were conducted. on all important modeling issues. Furthermore, several model and informational issues 'from the original analysis were , resolved by additional study. (Improved state of the art)- l' . 7 In addition to this comparison with a state of the art PRA, it is informative to identify factors that PRAs do not normally treat. The following list of items not usually included in PRAs is taken with some ; l modification from NUREG.1115. W l- < l l l- 2-3 1 f
+
., , c A ' ije ', '
t 4
- Partial 1 Failures-
- Design' Adequacy. . , _ ,
, e. Adequacy of Test and Maintenance. Practices ..
- e. Effect.,.of Aging on Component Reliability (also' burn in phenomena)
~. ".
- 1 Adequacy:of Equipment Qualification' . .'
e', Similar: Parts.Related Common cause.
-* Sabotage <: ,c; _ _
The' Sequoyah PRA' incorporates innovative operator accident. sequence l i , actions into the accident sequence' recovery analysis, thereby improving.
^
on the state.of.the art PRA. . Innovative. operator accident response was: l uniformly treated by all'PRA-teams' using guidelines developed,from a poll l of experts..
.]
f 1 -- I
-i
-t i
.,)
+
f
.< r
-i P
r l j u : t 2 4 ;. 1 g .,.
. s ,
I si ) ,
- 3. PROGRAM REVIEW To assure quality, two groups were chartered with the responsibility of' !
reviewing the work and providing timely : feedback. .Because the , time available to complete:the tasks in the. original analysis.was short, these ; reviews had to be intense, and Probabilistic Risk Assessment (PRA) team 'l response time had to be almost instantaneous. In the revised. analysis, i more time was. available, but the review meetings were- still intense and : informative. In addition to their review, public comments were received
}
by the NRC and three other groups reviewed the work ior their specific l
- l. purposes.
3 1- Senior Consultant Crogg f
. i*
The. purpose of the Senior Consultant Group (300) was . to provide a broad. scope review . of the methods - and J results of the reference plant PRAs. This high level review was to further assure the validity and applicability of the products.- However, the . SCG was not expected to .,' provide ' detailed quality control or assurance - of the. products. This group did not meet during the revised analysis.
}
The members of the SCO are listed below: I e Dennis C. Bley, PL&G. e Michael.P. Bohn, SNL [f
- Cregory J. Kolb, SNL ?
e Joseph A. Murphy, NRC i e William E. Vesely, SAIC (formerly of BCb) 3.2 Oualitv Control Groun' The goals of the Quality Control Group (QCG),were the following:
- to provide guidance - regarding the methodologies to be utilized in the PRAs, -[*
5 e to ensure the consistent application of the methodologies i by all PRA teams, and '
- to ensure the technical adequacy of the work ,
These goals were met via periodic review meetings with the PRA teams. At these meetings, the QCG = discussed the methodologies and reviewed, in detail, all technical work performed. , The QCG was composed of the individuals listed below; also shown is each individual's technical specialty: M l e Gregory J. ' Kolb, - SNL (QCG team leader . systems ' analysis, ,
. original analysis only)' , ,
e- Gareth W. Parry, NUS (unce r tainty analysis ,- - sys tems - analysis, reliability data) 3
"(
3 1- .j j
L
- e. John Wreathal, SAIC (human reliability analysis, revised analysis only) e Barbara.J. Bell, formerly of BCL- (human reliability analysis) e . Arthur C. payne, J r. , SNL (systems analysis, reliability data, back end interface) e Eddie A. Krantz, -INEL (systems analysis,. original analysis only) e David M. Kunsman, SNb (systems analysis, back end interface) e Gary Boyd, SAROS-(systems analysis, back end interface) 3.3 Utility interface A-constant interf ace . was~ maintained with the' utility throughout the duration of the original analysis. The Sequoyah team leader was in constant contact with Sequoyah engineering and plant personnel to ask ,
questions and verify information. The Sequoyah contacts also reviewed - the results presented in the first draf t' of the study and provided comments that were considered in the revised analysis. The same close interface was carried through the revised' analysis. The utility support was extremely helpful. 3.4 1]acertainty Rqy,iew hnel' This panel was formed at the request of the NRQ to considor the way in which uncertainty had been analyzed in the draft NUREC 1150 and the supporting documents. A three day meeting was held on April 20 22, 1987, ! where a number of contributors to NUREC 1150 were invited to make presentations to the panel, as' were others who were known to have views that were important to the assessment. The panel addressed all areas of the uncertainty methodology including the statistical methods used, the way the results were presented, and especially the use of expert j udgment., As a result of the panel's findings, significant changes were made to the analysis (50). The most important improvement was in the elicitation of i export judgment, which became a major effort in the revised analysis for both the front end and back end analyses. 3.5 Peer Review Panel Af ter the publication of the draf t NUREG 1150 and the supporting front-end and. back end documents, the NRC Commissioners recommended a peer review because of the potential importance of these documents to the NRC's regulatory process. Lawrence Livermore National Laboratory was selected to - coordinate this effort. Although ~ this review panel was initiated by the NRC, it functioned independently.' 32
'l I
~
= _ . _ _ _ . _ _ 1
I i Fourteen memb'ers were selected including ~ national and international i experts in the fields of - nuclear . reactor safety, probabilistic risk l assessment, and severe accident phenomenology. The individuals ! represented academics, research' 1aboratories, electric utilities and consulting companies. The first phase of their review was to address the ! draft documentation. The second phase is to review the final NUREG 1150 i and ' related documentation including this report. At least five formal 1 meetings were held during the first phase, and testimony was given by. l numerous people including the Sequoyah analysts. -The-findings are given i in ' Reference 38.: In ' general, the . panel . had a number of - comments on : NUREC 4550,.and those comments relevant to the study have been addressed.: , 3.6 American Nuclear Socierv Committee j Many members of the American Nuclear Society (ANS) felt that the society i should express its view regarding a document such as NUREG 1150 that has. 'l the potential ' to influence - the perception - of accident . risks associated , with nuclear power plants and have"an impact on-the regulatory process. Thus,. the president of the ANS appointed a special committee to follow and comment upon the documentation and . progress of the NUREG-1150 program. ,
. Their findings and recommendations on the draf t NUREG 1150.are found . in
~ Reference 39. These findings and; recommendations were based.on a review of the February 1987 draf t NUREC 1150, and the . supporting documents, aL review of the public comments, briefings by the NRC staff and others, and , ,
visits to Sandia National Laboratories by the Chairman.and Vice Chairman ' to observe the expert review panel process- and to discuss. the ongoing - analysis leading to the revised document. l 3.7 Public Comments [ During the several months when public comments-'were solicite'd, a number f (approximately 50) of- individuals and organizations performed - detailed reviews of the NUREG 1150 related documentation. Their comments were extensive. These comments were submitted to the NRC' and ' sorted by subj ec t. Those comments applicable to the front end analysis and, in particular, the Sequoyah analysis, ' were reviewed by. the analysts and considered to the extent possible during the revised analysis. ; I t 9 I
, 33
s 4.0 ' TASK DESCRIPTIONS This section contains information on the major tasks performed for this study. Section ' 4.1 provides a task flow chart which shows the interrelationship of the Individual tasks. ; The remaining subsections within Section 4 address each Individual task as it applied to the Sequoyah analysis. Section 5 provides the information covered by the last task entitled " Interpretation of Results." ! 4.1 Task _ Flow Chart The major tasks performed for this study are Indicative of the general task performed in any Level 1 PR A. Figure 4.1-1 displays th(e rnajor tasks cartled out in this analysis and shows, the primary information flow paths between each task. The entire process has 1 been performed twice. The first time was during the initial analysis which began in July , 1985 and resulted in the first draft of this report, printed In February 1987. Following a ' comment and review period, the entire process was performed again in order to update , the analysis and respond to comments received on the first draft phase and the reanalysis for each of the major tasks. Reference 4 provides more detailed descriptions of the methodology used in carrying out each task. The reader is referred to that volume and the subsections which follow in order to obtain a comprehensive description of how the Sequoyah analysis was conducted. 1 f k i r 1 r i l 4.1-1
'\
'i I. r '
"W 8 l- ;
a w , I 1 L ! g o lLl 1s - 11,1 is : l * . I B
'I I-lI
.I C !
I < : 1 4 k.1 I 1. I g ! t I ' '
, A J
- l. l . t i a -
ls Iy8
- 1::
Ili ig gl1 l - -
-l 1
li! ; ti il 1 it i l'I;
'l
; il !1 !! -
il 11 l1 I., ' I I \
\,
l1 1
- . l.l.i!!
l B 4.1-2 s
4.2 Plant Familiarization in order to assure that the analysis reflected the Sequoyah Unit I plant, a plant famillarization task wcs performed. During this effort, the analysts became famillar with the specific design, operational, and historical performance aspects of the unit. The initiating event experience, the models, failure deta, and human reliability analysis are 1 based on Sequoyah specific inputs. The performance of this task constituted two plant ! visitsi one plant visit initially and one near the end of the revised analysis, j Prior to the initial plant visit, the analysis team reviewed the Sequoyah RSSMAP PRA, previous A$f1P models, the IDCOR Sequoyah results and the sections of the Sequoyah Final Safety Analysis Report (FSAR) applicable to design and operation of the systems of , Interest. Preliminary event trees and simplified system schematics were constructed and ' preliminary success criteria and dependency matrices were developed to identify specific areas where information was needed to develop accurate models.15ased on these initial activities, a package was prepared and sent to the plant identifying the required design g information, plant specific data of interest, and a list of generic and specific questions l concerning system design and operation that had arisen due to the initial review. Included was a list of procedures and operator activltles that were initially expected to l be important to the plant analysis, and e. list of specific components for which failure rate data was requested. Also, plant specific accident or thermal-hydraulle analyses were requested for several accident scenarlos, if available, as well as physical layout - drawings and containment analyses. The following sections provide a brief description of the plant visit and the information obtained. 4.2.1 Initial Plant Visit . A one week plant visit was arranged to meet with plant personnel. Among the areas of discussion were plant and system modeling questions, collection of system design and operational information, and for several event sequences, review the likely progression of events and the operator's responses to the events.. The PRA plant visit team included a , human factors specialist, a failure-data speciallst, in addition to the PR A analysts. During the visit the team had discussions with the Sequoyah coordinating engineering supervisor, the technical liaison from the TVA engineering office, the plant licensing supervisor, and the Senior Reactor Operator from the training office, in addition, Individual team members talked with design engineers for each system of interest, with reactor operators and trainers at the plant simulator, and with the maintenance staff regarding failure data. A plant tour was taken to become more familar with the equipment, its operation, and the plant's physical layout. Discussions centered on gaining a clear understanding of the following items: s The normal and emergency configurations and operation of the systems of interest. e System Interdependencies, o Design and operational changes recently implemented at the plant. o Operational problem areas identified by plant personnel which might impact the analysis. 4.2-I
e The automatic and manual actions taken in response to various emergency conditions, e The availability of plant specific operational data. The. emergency procedures which addressed actions identified by the PR A analyst as important actions were " walked through" with operations personnel to assess the procedures and required time to complete actions.
- 4.2.2 Information Obtained 4 A set of Sequoyah system flow diagrams, mechanical logic diagrams, wiring diagrams, '
and electrical board load lists were provided by-the Sequoyah staff. Also, the staff provided - copies of the emergency and functional restoration procedures, current-technical specticlations, and several tables and procedures relating to the surveillance instructions. Physical layout drawings were provided, with room heat up curves for some areas. . As the analysts proceeded, there were continuing discussions with plant operators and engineers concerning specific operational and design detalls. The following tables provide a summary of the information requested from the Sequoyah personnel prior to the plant visitt Table . 4.2 1 Identifies the system Information requested based on the initial- ' familiarization. Table 4.2 2 provides the preliminary list of events considered to require human rallability analysis for which information was required. Table 4.2-3 Identitles those areas in which the most up to date analytical results were desired. 4.2.3 Subsequent Plant Visit During the Reanalysis Phase in April 1988, a subsequent visit was made to determine timing factors and to confirm changes made in the reanalysis phase of the PRA.- The trip'provided operator response information, timing and innovative recovery for several sequences. Due to startup ' activities at Sequoyah, a plant tour of Watts Bar provided insights for the recovery analysis. The results of the trip were incorporated at the appropriate levels in the revised analysis. , i w b h 4.2-2
Table 4 7-1 Initial List of Systems . to be Examined and Information Requirements
. Front-line Systems / Components
- 1. High pressure safety injection and charging systems
- 2. Low pressure safety injection system
- 3. Accumulator system 4 - Auxillary feedwater system *
- 5. Containment spray system
- 6. Boron injection systems
- 7. Instrument or control air system -
- 8. PORVs ano primary S/RVs
- 9. Steam generator atmospheric dump va'lves, relief valves, and safety valves
'f
- 10. Reactor protection system (SCR AM)
Support Systems
- 1. AC power system (including diesel generators)
- 2. DC power system
- 3. Component cooling water system
- 4. Service water system 4
- 5. Actuation- systems (Scram, SIAS, containment isolation actuation system, station !
blackout) Typteal Information Required ! 1. For Fluid Systems (Front-line and Support Systems): L ! a. Current system configuration, including l - pumps / fans in standby or normally operating
- test and surveillance intervals, maintenance Intervals, and duration for components 4.2-3
l
-Table 4.2 1 (Continued)
Initial List of Systems i to be Examined and Information Requirements
- valve / damper position (normal, power failure, and on actuation signals)
- Interlocks or permissives on valve or pump actuation, and IsolationLor trip
- signals
- setpoints 1
- Indications or alarms in control room Indicating component / system failure or_ unavailability
- Net positive suction head (NPSH) curves
- b. Fluid system dependencies on support systems, includingt [
- component AC and DC power supplier -
- pump cooling (scal, tube oil, motor, room)
- actuation signals to components _ ,
- Instrument or control air supp!!es ;
- c. Cross connects with other train (s), and with other systems (e.g., firewater) ,l
- d. Alternate power sources (NOTE: Generally this type of information is included in the FSAR and training manual-
- system descriptions, P&los, and Technical Specifications.)
- 2. For electric power system
- one line diagrams
- room cooling requirements and support systems
- load sequencer logic
- cross ties and lock outs
- diesel generator support systems (cooling, starting) i
- test, surveillance and maintenance Intervals and duration
- 3. Logic for Actuation Systems 4 Load _ lists for support systems (Electric power, Actuation, Component cooling - t water, Service water, Control air) i i
L- 5. Location of systems / components lL .
- plan elevation and layout drawings
- section and general arrangement drawings 4.2 b -+
l l Table 4.2-2 initial List of Potentially important ; Operator Procedures and Recovery Actions ! Emergency Procedures and Actions l.. Feed 'and bleed
- 2. - Secondary blowdown with RCS depressurization and low pressure injection ,
- 3. Turning off containment spray._to reduce RWST consumption i
- 4. Manual SCR AM and emergency.horation during' ATWS conditions
- 5. Feedwater recovery actions l
restart turbine driven AFW locally ; connect SWS to AFW suction connect firewater system to AFW. _ 6 Component cooling water system cross connects
- 7. Service water system cross connects
- 8. Loss of power recovery actions :
- battery load shedding
- recovery of diesel generators l manual operation of AFW (including room cooling)
- long term CST refill or firewater connection
- 9. Recovery of roam cooling for ESFs ;
- 10. . Interfacing LOCA recovery l
l 4.2-5
l l Table 4.2 2 (Continued) Initial List of Potentially important Operator Procedures and Recovery Actions j Typleal Information Required i
- 1. - Written emergency procedures i
- 2. Alarms, annunciators, displays and instrumentation l
- 3. Timing considerations
?
- time action required !
- ' time to perform action '
- time of alarm / signal !
- 4. Overall control room organiza tion, manning, and responsibilities i
3st, Surveillance, Maintenance Precedures
- 1. Requirements for staggered test, calibration, surveillance, maintenance procedures, i and independent verification
- 2. Maintenance policy with respect to unscheduled maintenance (comprehensive maintenance versus quick fix)
- 3. Administrative tagging procedure :
1 L l; 4.2-6
< .i D
7 s Table 4.2 31 Plant Specific Analyses of Events and Operations '! a l'
. k ' Anticipated Transient Without Scram (ATWS).
1 1 l~ 2. Feed and Bleed.:
- 3. Secondary steaming with RCS depressurization and low pressure injection or closed j ,
- loop shutdown cooling.
- 4. Station blackout, ibluding b'attery depletion time (with and without load shedding),.
auxillary feedwater (pump / room cooling requirements and trips, manual control and Instrumentation, and water source depletion). - !
- 5. Analyst's-of upper head injection. Is it required for any initiator, or is 'It redundant to a cold leg accumulator?
i
- 6. Requirements. for long-term decay heat removal. What is the minimum configuration of heat exchangers (RHR and/or containment spray) required to l , remove heat - from the core or containment and prevent core damage and '*
l-K containment failure? r r
- 7. Containment spray actuation times for small LOCA sizes (e.g., RCP seal LOCA). j h -
- 8. Requirements for air return fan system or adequacy of natural' circulation (both for I_
D core melt and non-core. melt accident sequences). 4.2-7 4 .. .
!i '
.___.______._____..u___ -
. l1..
o- ,
.i 4.3 .InitiatngO nt Identification and Grouoing Initiating ' event (IE) identification and: ' grouping were : performed u for L, Sequoyah in - accordance with the methodology in Reference. 3. This task I'
involved the! identification of potentially-isignificant' initiators L at . nuclear. ' plants , f identifying the~ applicability ' of them to' the Sequoyah'
~
1 [ plant, and grouping the' initiators.into: categories-based on similar_ plant' q L response and similar success criteria for mitigation-. 'As discussed in' L Reference 3,_it is not the intent of a focused PRA to explicitly evaluate ( (i.e. , : perform event sequence quantification) every possiblelinitiating = _ event.- The: intent is L rather to evaluate ' those" initiators which have
.1 previously' been shown to be important and to? _ ensure that ; all Jother j potential initiators / can be adequately represented by: those : initiators .
chosen for explicit evaluation. The IE identification for'this study wasL 1 based on'a_three part evaluation. ~First, initiators which were shown in previous studies-to be important contributors-to core damage;or. risk were: automatically _ included for evaluation; Second, loss of. support: systems were examined Eon ~ an individual ; basis l tof determine; ~ if . they 'should - be 7 included as initiating events. Land thirdL plant. specific evaluations of ' system' configurations were done to determine:if~certain events which were
.not important at other < planta r might be important at~ Sequoyah ' due - to !
- unique < spatial . or systemic dependencies between s those; initiators and. .
mitigating systems. Important categories are listed below: 6 e Initiators'Important in Other Studies
-Loss of Coolant Accidents:(LOCAs)
.- Transients (e.~g. , IDSP, Lossiof'MFW,' Turbine Trip) <
i Potential: Support System Initiators . 4
- -AC or'DC Bus-Service Water
- Component Cooling Water
- Instrument Air
. Heating, Ventilation -and Air Conditioningc(HVAC)
- e. Sp atal Initiators 1
- Interfacing 14CA - ,
Reactor Vessel' Rupture-L : Each initiating. event candidate was considered in terms,of its potential l for causing reactor trip. Initiators which cause a demand for automatic reactor trip were retained for further evaluation and grouping. Examples
> include loss of main feedwater and loss of flow in one! Reactor Coolant System.-(RCS) loop. Initiators which would not be expected to lead to: an -
imminent (less. than 10 minutes) reactor trip were ' retained for . grouping.
~
>i or eliminated on the - basis of equipment which was failed' by the initiator. Initiators which failed' front ~line or support'. systems, and i could eventually lead to ' reactor shutdown, were ; generally: retained for '
grouping. .Some of these were eddressed in the support system evalur. tion,- while others- were evaluated on' an individual basis. : Initiators which would not result in the need for reactor shutdown directly or indirectly-were' eliminated. Initiators which would not' require reactor trip,. but possibly' lead to administrative shutdown'through Technical Specification i violations were not included. Manual shutdowns for refueling Lor administrative reasons were also not considered. L l 4.3-1 !4 , s
- 7. #
1 E;
' Initiators : retained ( for l accident sequence . evaluation were ' grouped -into initiating event categories based on similar plant . responses, equipment'
= availability and 3 system succeso criteria. . Table ~ 4,3 1 'shows the final 1 ., ~1ist;of event c a te gorie's which. were = used for accident sequence delineation. All of the initiating event categories' listed, with the Table 4.31 Initiating Event Categories Used in the Sequoyah PRA i
Annual Meant . 1 Abbreviation Description Frequency (/Yr) ! T.g Loss of Offsite Power . 9.05E >
-T 2 Loss of Main Feedwater (MFW) 7.22E-1 I
, T-3 Turbine Trip with MFW and Power 6.3 -l Conversion System Initially Available --
1 i T DCX .Non-Recoverable Loss of 125 V DC Vital- 5.0E-3 Battery Board "X" T SG . Steam Generator Tube Rupture 1.0E-2
\
A Large Loss of Cooiant Accident (LOCA), 5.0E-4 : 6"< D < 2 9" S i ~ Medium LOCA 2"< D <6" 1.0E-3 ! S Small LOCA 2- 1.0E-3 5-3 Very Small LOCA 1.3E-2 .i
~I V Interfacing LOCA 6.5E-7 j 4.3-2
'. exception of _ Interfacing LOCA (Event .V), were included in the ' accident sequence quantification using event tree analysis. Event V was quantified separately. Section 4.3.1, initiating. Event identification, identifies the sources of initiating event candida tes. - Section 4.3.2 discusses the evaluation of support systems as initiators. Section 4.3.3 discusses special Initiators and Section 4.3.4 summarizes the selection of initiators.' Section 4.3.5 lists assumptions and limitations inherent in the selection of
. Initiating events for Sequoyah.
4.3.1 initiating Event identification 1
. 1 Table 4.3-2, Sources of Initiating Event Candidates, lists the sources of information used to identify candidates for inclusion as initiating events in the Sequoyah study. The first seven sources listed are PWR PRAs. Review of these studies- generally revealed a-consistent way of grouping initiating events that would facilitate later compgison of-
- study results. The eighth source listed in Table. 4.3 2 is NUREG/CR-3862, which !
provided. a summary of PWR translent data and was useful in determin!ng' the-composition - and frequencies of various groups of: transients as initiating event j[ categories.1The ninth, tenth, and eleventh sources listed are results of meetings held ! early in this program and served to make the-structure of the sequoyah study consistent with other onping PR A studles as well as .to make the list of initiating event categories ! used in the Sequoyah study plant specific. I 4.3.2 Support System Failures'- i System level Failure Modes and Effects Analyses (FMEAs) v tre performed on applicable support systems in order. to determine the significance of system failure as a potential initiator. Appendix D contains.these FMEAs. Table 4.3-3 summarizes the disposition of each system. . I i This section will describe the disposition of the following potentialinitiators.
, Loss of component cooling water ;
Loss of service water .
- Non-recoverable loss of an emergency AC bus Loss 120 VAC power -
Loss of instrument air (station control air and auxiliary air) . ! Loss of HVAC s Loss of a DC bus
'1 Loss of Component Cooling Water (CCW) 3 The Component Cooling System is abbreviated CCS at Sequoyah but is referred to as CCW in this study for consistency and case of comparison with similar systems !
at other plants. Each Sequoyah unit has two independent CCW headers, which ' maintain train separation for cooling loads. Five CCW pumps are shared by both. {' units. There is flexibility in routing flow from the five pumps to the four headers. However, requirements for train separction in the ECCS put constraints on the allowable configurations of the system. The normal configuration is to have three CCW pumps operating. Pump 1 A supplies cooling water to Unit 1 Train A heat loads, including the _ Reactor Coolant Pump (RCP) thermal barriers. Pump 2A supplies cooling water to Unit 2 Train A heat loads. Pump C-S supplies cooling water to Train B heat loac% at both units. , t 4.3-3
E q
, &- \
l
- q. L Table 4.3 ;
Sources of Initiating Event Candidates i i
- 1. . Arkans3s Nuclear One IREP(12) ,
- 2. 'Calvert Clifis IREPII3)a s
- -3. Zion.PRAI8)
- 4. . Indian Point PRA(II) :
r
. . .52,. ? Seabrook PRA )
I9 ; 6.L Millstone 3 PRA(10) I 7.- NSAC Oconee PRA.7) - . n
, 8. Mackowlak, D.P., et al, Development of Transient initiating Event Frequencies for Use in Probabilistic Risk Assessments, NUREG/CR-3862, EG&G Idaho, May 1985.
3
- 9. List of potentialinitiators provided by ASEP Methodology Group in June'1985. )
I k
- 10. List of subtle interactions provided by Sandla National Laboratories, ASEP QA .
team, June-July 1985. 9
- 11. Discus'slons with plant personnel during Sequoyah plant famillarizailon trip in July 1985. .
.g
}
4 1 4.3-4
--: t
l l ;- Table 4.3-3' ~ l Susmary of loss of Support Systems as Initiators .- - Support System . Impact on Normal Attendant Important Estimated Annual loss' Considered Operation System Failures Freauencies ' Resolution 125 VDC Bus MSIV Closure loss of one train of SE-3 Included as a specific Reactor Trip 'switchgear' initiator 6900 VAC None loss of one train of SE-3 Not included as an initiator Emergency Bus. safety related equipment because-it.does not cause reactor trip 120 VAC Vital Bus. Possible reactor loss of automatic auxiliary SE-3 Not Included'as a separate'
- single bus loss trip feedwater control in one initiator because'It does loop _ not fail.enough systems that.
the plant response is very different from T2
- multiple buses Reactor tr*p Possible ' loss of all AN 1E-8 -Not included as a separate f control' initiator due to low j' frequency u Ioss -of MW CCW Reactor trip due loss of cooling to ECCS <10-7~ Not included as a separate to loss cooling to ' equipment initiator due to low RCPs frequency. .See Appendix D
- Ioss of RHR cooling for' frequency calculations SUS (ERCW) Reactor trip. Ioss of cooling to all' ECCS <10-7 Not included as a separate equipment initiator due to low .
frequency. See Appendix D Ioss of- cooling to _ CCW for frequency calculations Instrument Air . Reactor trip MSIV closure- .01 ' Considered to be adequately' MW unavailable; modelled by T2 initiators to AWP flow unavailablef HVAC -- No'effect Not included as + r.eparate initistor _________=___v. =._ -~- - -~ - - ~~ < . , ~ < - - - - - -, -~~ _ -- == L ---= --- - - - ~ - --
, , .n , ,
.I w
?
1, -
, from p 1 CCW system failure was considered- as a. potential initiating event
. two perspectives: 1) . CCW pipc_ rupture : could cause ' internal flooding, i which could_ fail other(equipment as well as' interrupt = component cooling and 2) mechanical failure of CCW pumps and- valves ' could'. lead to loss of component cooling loads,
- Effects'.of: internal. flooding due_to.a CCW pipe rupture were. considered'as~
follows:- , a) No_ single pipe rupture can fail'the entire CCW system._ Although the five- pumps have a common discharge header, train. separation- o is provided.by. isolation-valves, which.are normally; closed, b) . Rupture . 6Da CCW pipe in La _ pipe chase Ewould likely~ not feil
' equipment, because the . water would fall" to the Auxiliary Building .
sump. > c) Rupture of ac CCW pipe in an individual En6 neered 1 Safety Feature . .[ (ESF) pump room would not fail pumps in other ESP pump rooms and may not J directly impact . even the . pump in n the affected room because of sump pumps (,r passive: sumps, d), Rupture of: a CCW - pipe at a-- CCW/SWS heat, exchanger would' have to .
~
flood a very -large volumeL before an; appreciable 11evel of water:
~
.1 could accumulate , _ and._ no ESF pumps - are located at the level of
.the CCW/SWS heat exchangers, y
e). All'ESF electrical" boards and batteries are on higher levels than- .; l the CCW-heat exchangers,-and are in. individual rooms'with1 curbs, . at the closed doors. 1 f) ' All other. CCWJ pipe ; ruptures , -in the Auxiliary ' Building or containment would'likely not affect ESFs. g) All five CCW pumps are clustered together in the northeast corner. of the 690n EL. - Located ' in close proximity are the two ' motor-driven Auxiliary Feedwater ' .( AW) pumps . . Pipe. rupture - in this'- location would seem tofbe the most significant precursor to core
~
uncovery scenarios. However,'it was. discounted for two reasons. The 690: Elevation is a large, wide open-space,.so ficading of the 3 AW pumps or the other CCW pumps . is unlikely.. Secondly, pump failure due to spray effects _is also unlikely_in that the.CCW is . an unpressurized closed cycle system.
' Based on these ~ findings, internal flooding due to CCW pipe rupture- was not considered as an initiating event.
Loss of CCW due to mechanical faults was examined for loss of the entire system; and for total loss of each train. No single . component faults-were found which could fail more than one train of CCW to a unit. In fact,_ multiple; active faults .would be required to interrupt component cooling to Train A which supplies' bearing' cooling.to the RCPs. Loss of. the B header :of- CCW would not cause a plant trip and:was therefore not considered as -an ' initiator. Loss ' of the A header would require rapid reactor shutdown due to loss cf cooling to the . RCP lube oil heat- .[ exchangers. Loss' of train A was evaluated further in Appendix D, but is summarized ; here. Loss of CCW could be a precursor to core damage in the following three ways: 1) Subsequent failure of the charging system would result in 4.3-6
- 2 .
l F loss of all RCP seal cooling, which c'ould lead to a seal LOCA. Depending on the-- particular failures which caused loss of CCW, ECCS may be' completely inoperable, or down to one train. . 2) Subsequent loss of ' auxiliary .feedwater - and main 1 feedwater,' would lead to feed 'and bleed cooling. Depending on the 'particular. '
' failures of CCW, feed and bleed may not be possible, or down to one train of RHR. ;
- 3) A transient induced LOCA would > ultimately lead to. the need for RHR, which would be unavallat'le or down to one train.
' The probabilities of core damage due to various combinations of initial failures, and: .
random failures were calculated for each scenario _. No. sequence was estimated at J
'above IE-8.- Loss of CCW was therefore not included as a potential initiator, it is recognized that dismissal of an initiator on the basis.of a probabilistic argument ,
such as this is.' biased . by the lirnitations' in the ' data base. . Use of different ' ' component failure probabilities or, common cause modeling assumptions could lead to different conclusions about the imp'ortance'of loss of CCW. "
~
i l Loss of Service Water 8
-Service 3ater (Emergency Raw Cooling Water) was analyzed in a similar manner as' t
= CCW.-' A system . level' Failure Modes and Effects Analysis (see Appendix D) was '
performed. for all Individual loads fed'by Lthe Service - Water' system. Failure of
~
s either train of SW will cause reactor shutdown. Failure of both trains w!!! cause j reactor trip, and loss of all component'and shutdown cooling. This would ultimately i lead to core damage. The likelihood of this event occurring,was assessed to be less - than 10E-8 and is therefore not included as an'initiatingL event' ini thenaccident- - sequence quantification. It is recognized that dismissal of an initiator on the basis of a probabilistic ' argument'sucht as this is biased by the limitations in the data. l. base. ,Use of different component failure probabilities or common.cause,modeling.
- assumptions could lead to different conclusions about the importance of the loss of ?
- SWS.
- a Non-Recoverable Loss of an Emergency AC Bus (T ACX1 -
All loads fed from 6.9 kV AC shutdown buses were examined to determine if failure of one bu.s would cause a plant trip._ Control power requirements and motive power } requirements were examined to determine if interruption of an AC bus would cause' reactor trip. The 125 V DC battery boards and '120 V AC vital instrument boards < are normally fed by the 480 V AC shutdown boards through charger andl inverter ; L units. However, the vital batteries also' feed the' 125 V DC and 120 V' AC boards through an uninterruptable power supply configuration. Therefore, all 120 V AC " and 125 V DC power would be available after. loss of.a 6.9 kV AC bus. unless i additional failures in the uninterrruptable power supply. occurred. Loss of a 6.9 kV j
- bus is therefore not expected to cause a reactor trip due' to loss of control power. , ;
h Loss of motive power would fall one charging ~ pump, one. train _of pressurizer i heaters, one' train of cooling to various containment compartments and some CCW ,
- and SW pumps. However, In aN cases, alternate trains = and' pumps would be '{
L available as required by Technica Specifications and.would automatically start or l "l be manually' started, depending on the loads. BOP motive' power requirements are ; supplied by common boards and unit boards, which are independent of the shutdown ; boards, t in summary, a review of 6.9 kV AC shutdown bus loads and lower AC bus loads did i not reveal anything that would cause a plant trip upon loss.of a shutdown bus. ! a 4.3-7 __iad___. _i______________ _
+ -
_______.__.__m
e a , a gss of 120 V AC Power A system level Failure Modes and Effects Analysis (see Appendix D) was performed J on all. loads- fed f rom 120 V-LAC Vital Boards-to determine if failure of one bus or-
. loadLwould cause a reactor trip. It was found that (a)' simultaneous loss of all four ivital boards would cause a reactor trip on low-low' steam' generator (SG) level, and (b) loss of a single' vital board may cause a reactor trip on low-low steam generator -
,(SG) level.- Loss 'of 'any single 120 V AC load-would have no direct effect on the
? plant. LBased on the equipment failed by the loss of each board, it was determined .
; that ~ simultaneous loss of more than one bus would cause reactor trip and could be a -
=significant precursor tol core damage. . However,.since the boards are completely. t
- Independent, with diverse power supplies, the probability of multiple board loss is ~ '
' negligible. Loss of any' single 120 V 'AC bus could be adequately..modeled as a.
contributor. to loss of main feedwater (MFW)(T3)2 Loss of instrument Air
~
- There are five Control and Service ' Air (CSA) compressors supplying normal plant
- loads and ESFs. LService ' Air loads are isolated if. air pressure drops below. a ;
. setpoint.. Control Air loads, such as many of the Main Feedwater (MFW) regulating valves, are =lsolated If (pressure continues to drop, and two Auxiliary Control Air t
' compressors start on this isolation to supply ESFs. The FMEAs for Station Control l Air and Auxillary Control. Alr are shown In' Appendix D. . -
The. Important valves served : by ; instrument air, and their failure < position
- are . ,
summarized below.'
' Main Steam Isolation Valves- FC' ;
Atmospheric Dump . Valve ' FC - Turbine Bypass Steam Dump Valves . FC
- MFW Regulating Valves . ' _
FC 1 SG Level Control Valves from TD AFW Pump.- FC L, SG Level Control Valves from MD AFW Pump - FO-Pressurizer Spray Valves FC l= FC- ! Auxillary Pressurizer Spray Valves ' L FO J Valves for ECCS Room Coolers - ! i
- 51 L -- Chg +
-- CCS
- RHR-1 RHR HX Outlet Valve FO' f SWS Throttle Valves. .FO
? : Note: Pressurizer PORVs are not dependent ' l: on I A.' Loss af. Instrument Air will cause a' reactor trip due to MSIV closure. In. addition,- T t the following will occur: ~
'l. Atmospheric Dump Valves unavailable
- 2. Turbine-driven AFW Flow unavailable (recoverable via manual action).
Pressurizer Spray unavailable- !
- 3. !
4.3-8 ki , p u
y , ,
.o + .
important functions not lost due to loss of alr .
- 1. ECCS room cooling
- 2. RCP seal injection flow
- 3.o RCS make up -
l Steam relief would be through the SG safety valves. This' mode of heat removal, F combined with the= unavailability- of pressurizer .: sprays would likely Llead to b pressurizer PORV demand. This event Is functionally equivalent _ to a loss of main feedwater, with the TD APW
. train unavailable. T 2 si 7.22E-1/ year and L is 8.9E-5. T L2 as caused by random failures is therefore 6.4E-5. T2L as caused by loss of lustrument air is estimated -
as:'
-1 Loss Air
- L (nuTDP) = .01
- 6E-4 = 6E This is 10% of T 2L as currently evaluated. T2L events have a : core damage .!
- potential of. I.7E-6. If Instrument Air was evaluated as a separate initiator, it 'I would add approximately 2E-7 to the total core damage frequency.
1 The other potentially..lmportant aspect of loss = of Instrument Air is that it may j contribute. to translent induced LOCA. The frequency of this-was estimated and- 1 compared to the S2 initiating event frequency. 1 1 Assuming a worst case-PORV demand of 1.0 ! l
-_Q = Stuck Open PORY = Demand
- Valve FTC * (Block Viv FTC + Oper Error)
= 1.0 * .03 * (3E-3 4.1) = 3.lE-3 l
1 i Loss IA
- Q .01/yr
- 3.lE 3.= 3.lE-5 i
Thk number is very low compared to the initiating event frequency for S2(.001). In summary, loss of instrument air was considered to be adequately represented by j other initiators in this study. It was not considered a unique initiator. ~ q Loss of Heating. Ventilation, and Air Conditioning (HVAC)
-A system level Fallure Modes and Effects Analysis (see' Appendix D) was performed on the HVAC system, of- the Auxillary, Control, Diesel: Generator, and Turbine ;
Buildings;- as well' as the Reactor Building Purge '. Ventilation,- Containment Air -l Cooling,. and Condensate Demineralizer Waste Evaporator Building Control ; systems. Heat up calculations provided by TVA for critical rooms such as the l switchgear rooms showed very long heat up times. Portable fans are available at Sequoyah for ' mitigation of these events. Loss of HVAC was therefore not - j considered as a separate Initiator. l Loss of a DC Bus I Loss of a'DC Bus will cause reactor trip due to MSIV closure. It will also fall safety a related systems due to loss of control power for switchgear. This event was included as a separate initiator. ' 1 4.3-9
'y' g
- \
s s 4.1,3 e epecial Initietort ~ . .. 1 S'r t 'citoi4 hcusses interfacing i,Or As;and reactor' vessel rupture. : 4.3.3.1 --Interiacing I,00 A~ , j i
'rheilnterfacing 1.OCA (Event V) was evaluated in a manner similar to that of
-WASH-1400. This event is different at Sequoyah from V' ASH-1400 because of the ECCS configuration at Fequoyah. ' At Sequoyah there are two separate injection
~
headers, which are Isolable with remote-manual isolation valves The RHR pumps are also in seperate rooms. Thus, recovery from Event V is possible at Sequoyah by . Isolation of'the affected injection header and operation of the remnining. train of 'l
~
ECCS.L The calculated mean frequency for event V at Sequoyah was found to be 6.5E-7/yr; 4.3.3.2 L Reactor Vessel Ruptt re ' t
.t
. Previous PR A ' studies (Peferences 7,= 10,= 40)- have- explicitly quantified reactor i
vessel rupture as an_ Initiating event. 'It is postulated to be of a size and location that it. leads directly to core damage.: The frequencies previously calculated were i from -lE-7/yr. to 1.lE-6/yr. These studies <did not identifyf a specific' failure *
~
- mechanism for this event. The frequency calculation, was based on statistical
. evaluation 'of histgrjcal' data, which is zero disruptive; failure
- In ASME pressure , ,
vessels since 1942. With the exception of pressurized thermal shock, no specific failure mechanisms (such as thermal cycling, fatigue, overpressure)' have been , identified, which can be evaluated with a . structured frequency calculation. cThe y calculation of. 'a frequency is therefore based on: Interpretation of 'thei existing :
- data.- ' Previous studles have done~ this,. and- the median value; for~ rupture .was
- - calculated in the low IE-7/yr range. Error factors on this median value ~are a subjective matter.1 Reference logostulated an error factor 'which resulted in the.
calculation'of a~mean value of 107 /yr. Without postulating particular reactor vessel rupture scenarios, it is not possible to -
-[
ildentify any interactions with containment systems. Presuming all. containment i' systems would be nominally available: after a reactor vessel rupture, a single sequence that was in the'lE-7 ~- IE-6 range would be a very small contributor to risk at typical PWRs. Pressurized thermal shock (PTS) has been identified as a credible mechanism for reactor vessel failure in PWRs with certain levels of copoer in the vessel welds. As accumulated neutron fluence on the welds increases, the ductility of the weld , , decreases. If severe overcooling transients occur,or conditions occur where the- 4 reactor is. pressurized at low temperatures, catastrophic weld. failure can occur.
- The probability of reactor vessel failure depends on j e Weld material composition, particularly copper '
o Accumulated neutron fluence at each weld e Frequency and severity of overcooling transients
!These factors _ vary for each plant. A key parameter is the reference temperature i , for transition to nil ductility (RTND).' A temperature of'270 F has been established for. Sequoyah as the temperature below which-transition to nil ductility is of -i minimal concern.* I
- Personal communication with Carl Johnson, USNRC, July 1986, 4.3-10
.l.. e
L p b .
-l 1
Reference 42 calculates the frequency of core damage from PTS for a hypothetical .; P.B. Robinson reactor . vessel -.to' be lE-8/yr. The actual copper content oflthe ! Robinson reactor vessel is so low, that it was not possible to derive a statistically j significant core damage frequency due to PTS.' The copper content was increased j
-In the study models to the point where a RTND of 270 F vras calculated for the end of licensed llie.(32 effective full power years). This allows for the calculation of -
- statistically significant conditional probabilities of core da mage, given an D
' overcooling transient. The RTND at EOL for< Segoyah Unit l 'is' 240 F when -;
calculated in accordance with 10CFR50.61, and 225 F when calculated in accor- j dance with Regulatory Culde .l.99, Rev. 2. - Since H.B. Robinson is of similar design to Sequoyah the frequency and severity of overcooling transients are expected to.be similar. Because the _ calculated RTNN for Sequoyah is.significantly less than the < 270 F used.in the Robinson analysis,it is concluded that core damage due to PTS at - Sequoyah is expected to be negligible compared to core damage from other causes.- In conclusion, it was determined that under the worst possible conditions, reactor vessel rupture is a small contributor to core damage ((1%) and a negligible contri-butor to risk.- 4.3.4 Final Initiating Event Selection The finallist of Initiating events which were explicitly analyzed and became the basis for accident sequence quantification is shown in Table 4.3-1. These' events-and the initiator categories which they represent are further expanded upon in Table 4.3-4 for transients and Table 4.3-5 for LOC As. The three common transient initiator categories of loss of offsite power (T ), loss of main feedwater (T2 ), and turbine trip;with main feedwater initially available T ) were 3 selected for event tree analysis and accident sequence quantification.-. *Ihese transient categories are commonly analyzed by PR A studies.iThe T2 and T3 category can be used to represent many other Initiator categories. . Table 4.3-4 gives a summary of the initla- 1 tor types that are represented by each category. ! Loss of a DC bus.will cause a reactor trip and disables an entire train of safety
?
equipment. It was included as T D C* - Steam generator tube rupture was included as a specific initiating event due to its unique 1 mitigation criterla. The frequency is based on historical experience of 5 events in 500 - PWR years. l 1 The LOCA initiating event selection is summarized in Table 4.3-5. Four sizes of LOCAs were chosen, based on the success criterla for successful mitigation. The frequency of the three largest size brgks are estimated based on a review of past PRAs and the ASEP Methodology Document. The frequency of the very small breaks includes contributions from small pipe breaks, component leakages at flanges and welds, and reactor coolant pump seal LOCAs. Backup calculations -for this frequency derivation are shown in Appendix D of this report.
'y 4.3.5 Important Assumptions I Assumptions which apply only to the selection of initiating events are provided in Table . 1 4.3-6, Initlating Event Assumptions. Some assumptions made in the event tree analysis !
may directly impact initiating event identification or grouping. The complete list of i
. event tree assumptions appears in Section 4.4.1.
i h.3-!!
4 1' 1 Table 4.3-4 Transient Initiating Events l 1 l' Initiating- Representative Initiators Annual Frequency l' Event Included in Initiating .. l Category . Event Category . (Mean Value) _ Comments t Ty Failure of Offsite Power Grid 9.05E-2 This category consists 'of. initiators-l (Loss of Offsite which interruptithe offsite power supply to the plant's 6.9 kV AC buses. Power) Loss of Station Reserve Power Loss of Power to the Switchyard. Frequency. derived from NUREG/CR-5032.(25) See Note 1.. a. w T Failure of Main Feedwater (MFW) 7.22E-1. This category consists' of initiators '-
,L (LossohMFW) _
which cause a' loss'of'MFW.= w Inadvertent.SI Signal Frequency ' derived from' NUREG/CR-3862;(5)- Increase.in Feedwater Flow See Note-2. . T3 Loss-of RCS Flow 6.3 This category consists of all' initiators (Turbine Trip .
' which cause reactor trip but.~ do not fail MFW or any 'other front'line or' support
~
with MFW and PCS CRDM Problems Initially Available) . system. Pressure / Temperature / Power Imbalance-Frequency-derived from NUREG/CR-3862. Steam Generator Leakage See Note 3.
' Turbine Trip
. Generator Trip
~ , , _. __ _. ~.2 , _ u - _ _ . _ __ _- . - - . _ - . . - , _ ._ , _ - _ . _ __ _ _ _ . __ _ _ . . _
Table 4.3-4 (Co'nt'd) Transient Initiating Events Initiating: Representative Initiators. Annual Event Included in Initiating Frequency
~ Category Event Category . '(Mean Value) Comments T Short on DC Bus 5.0E-3 Initiator is a non-recoverable loss of (LossokaDC a DC bus.
Vital Battery Board) ~ Frequency based on an basic failure' rate of IE-7/hr for bus.short. See Note 4. 1.0E-2 Frequency-based on 5 applicable events
~
,a T3g Double ended rupture of a single y (Steam Generator SG tube. in 500 reactor years g
> Tube Rupture)
+
l l' l-U . . _ . _ ._ . _ _ _ .. ._ =.=_. . , , _ _ _ _ _ . _ _ -, , . ... . . . . . _ _ _ _
m y
.,. }
s Notes To. Table 4.3 4 1.- lSequoyah- has~ nine offsiteL. power ' lines feeding the - main ' switchyard. Three-transformers feedi the unit buses, which then-feed the two.6.9kV AC Shutdown ' Boards at each unit. There is one' dedicated diesel-generator (DG) set for each 6.9kV Shutdown Boardc Each DG set has one generator;with two diesels,- both of which are rieeded to power the generator. :
- 2. On reactor- trip, 51, or turbine trip, the MFW regulating ulves will close and the l two MFW turbine driven pumps are tripped." Cenerally, the operators will use AFW .
.while stabilizing the plant and isolating the problem, and then will restore MFW as. i soon as possible in order-to reestablish a closed condensate cycle and clean up of -
the condensate. l L 3. As v Ith T2, MFW is automatically !solated and tripped.; However, its potential for l L carly recovery is much higher than for T2 ': Operating procedures dNect the operator to reestablish MFW.-llf the PFW pumps 1 ; cannot' be recovered, and the' AFW pumps.are unavailable, the operator:is to F depressurize the SGs using the ADVs or turbine bypass . valves, and .then use the - condensate booster pumps to feed the' SGs. If this falls, then the' operator is to > establish feed and bleed cooling.
+
- 4. T DCX isla non-recoverable loss of a 125 V, DC Battery Bus due to a short in
. buswork. - .It11s assumed that all loads connected to that bus are Inoperable.
Supplying ~. power to the bus from 'an alternate: source will not re-energize the loads . Individual loads that can be connected to another bus can be recovered.~ Since each battery board feeds a 120 VAc Vital Instrument Bus, these bu'ses are . Initially lost also. -It is possible to recover the 120 V AC Vital. Instrument Boards by manually routing power from a 480 V AC board through another transformer. Control power to the associated 6.9kV AC Shutdown and 480 V AC Shutdown Boards would be lost. Plant trip would occur due to one train of MFW regulating valves closing on loss of I DC. ' One train of ESFs would be unavailable due-to loss of control power. . Feed and-bleed would also be unavailable since one PORV could not be opened. The normally operating pumps (ERCW, CCW, CHP) would continue to run since the fused brea-kers fall as is. The turbine driven AF.W train is powered by a Unit 2 DC bus, and , would not be affected by loss of DC buses at Unit 1. i 1 ,
-4.3-14 l
% ~
. Table 4.3-5 LOCA Initiating Events l'
Initiating Representative Initiators . Annual Event Included in Initiating Frequency. Category Event Category (Mean Value) -Comments A Large Loss of Coolant Accident 5.0E-4 Equivalent diameter greater (LOCA) than 6: inches.
~
S i Medium LOCA 1.0E Equivalent diameter between 2 - and 6 inches. S 2 Small LOCA i l.0E-3
. Very Small LOCA 1.3E-2 Frequency of S3 based on historical y S3 experience. : See' Appendix 0.
-A, S , S , S3 frequencies'were devekopekbasedonasurvey.of.-
frequencies:used'for similar-
- events in past PWR.PRAs.
V- Interfacing LOCA (Failure of 2 check :6.5E-7 Occurs in- RHR piping. valves in series in low. pressure' Other RCS' connections with' injection lines) ECCS are nct vulnerable to suddenL rupture; since they are designed to. higher pressures than RHR. system.. Leads directly to core damage if ' attempts.;at: isolation fail. b - u swie~ mn ws w- --w.msm-A"-'~vmm~~c. --~~~---<s- - - - - ' ~ ~ = ~ " * - ~ - - ~ ~ - - ' ~ - - - - - - - --- _ _ _ _ . _ _ _ _, ,,,;,,n ,._, ,, ,,n,,
4 i
'j Table 4.3d '
1
. Initiating Event Nssumptions - I f'
l- All Initiating events modeled from. full power operation.' For ATV.)S, it was ik necessary to introduce a split fraction for high and low power events.
- 2. Manual shutdowns for administrative reasons, Technical Specification violation,m, or 'i for refueling are not included as initiating events!:
3 '. Overcooling transients were not evaluated 'as a'special class of events. + t
- 4. Externdt events leading to loss of the Chickamauga Reservoir ~ were not included.'.
- I
- 5. rommon cause failure 'of multiple cooling water systems due to marine growth:
were not included. l l L q
]
1 l 1 4.3-16 ); i .. . . _ . __ . _ _ _ _ _
!- 4.4 Event Tree Analysis n The initiating event identification and grouping process was described in Section 4.3.- [ The list of initiating events used in the Sequoyah PRA update is shown in Table 4.3-1. This section presents and discusses the first stage of the two stage event tree analysis process used for the Sequoyah study. The first stage analyzed the potential for core damage in terms of the ways that safety and non-safety systems could respond to the L initiating events. This stage addressed only the various paths to core damage, without - particular regard to the detailed status of the containment or its systems. The status of containment systems was evaluated only'in the context that their failure could lead to core damage. ; The event trees used in the first ' stage analysis identified all possible core damage sequences. All core damage sequences which were quantified to be greater than IE-7/yr ' j after recovery actions had been included, were retained as dominant sequences. The resultant dominant core damage sequences were. input to the second stage. event l tree analysis, which is presented in Section 4.5. This provided a detailed containment re- : sponse analysis and carried the sequences to the various plant damage states. All of the event trees used in the first stage analysis are presented and discussed in Sections 4.4.2 through 4.4.11. These include special event trees that 'were used - to evaluate ATWS and station blackout. Section 4.4.1 provides a discussion of general- , assumptions and limitations of the event tree analysis. l 4.4.1 - Event Tree Assumptions , Functional event trees have been used in some past PRAs to model the safety functions performed by front-line systems in response to various initiating events.; The functional event trees serve as an intermediate step in the overall event tree analysis and provide - the general framework for construction of more detailed systemic event trees based on , r' the front-line system success criteria associated with the different safety functions. In this study, functional event trees were not constructed. Instead, past PRAs of similar reactor types were used to identify the event tree headings necessary to model all safety i functions directly in the form of systemic event trees. Front-line system success criteria were developed based on a review of past PRA studies, ; , Sequoyah plant specific analyses, and analyses conducted by Battelle and Sandia National' , Laboratories. The general assumptions used in the event tree analysis are presented in Table 4.4-1, Event Tree Assumptions. These assumptions apply to more than- one event ' tree, i Assumptions that are unique to a specific event tree are presented in the subsection for. i that event tree. All sequences identified as resulting in core damage were quantified using the quanti- , tative - results obtained from the fault trees developed in. the' systems. analyses, as discussed in Section 4.6.' All sequences having frequencies less than IE-7/yr. after the initial quantification were dropped from further consideration. All sequences above -
- IE-7/yr were further analyzed for potential operator recovery actions, and the sequences were requantified. Sequences with frequencies less than IE-7/yr af ter the recovery .
4 analysis were dropped from further consideration. All remaining sequences above 1 IE-7/yr af ter recovery constitute the dominant core damage sequences. This process and . the results are presented in Section 4.10. 4.4-1
Table 4.4-1" Event Tree Assumptions-
- 1. All successful sequences are carried to the point where stable hot shutdown or long-
. term cooling conditions exist. In general, sequences were terminated at 24 hours, i , .2 . RCS invehtory makeup is not required if RCS Integrity is maintained. This implies y :that ' normal pressurizer water level is sufficient-to accommodate RCS Inventory shrinkage from full power to hot' shutdown, or if any inventory makeup is required, .
the probability of falling to provide it is negligible. y
- 3. Boration of the reactor is not required if hot- shutdown temperatures and RCS ,
j
. I integrity are maintained (exception of course for ATWS).
I
- 4. .RCS pressure and volume control vla pressurizer heaters and sprays Is addressed only for small breaks and steam generator tube rupture events. -
't 5.' CCW to the thermal barrier in the RCP lower bearing, or RCP seal injection flow, is sufficient to prevent an RCP seal LOCA.
4
- 6. Primary pressure relief is not required following transients with scram. This-means the SRVs are never required to open following transients with scram. -. However, primary pressure may rise to PORV setpoints, thus prompting a PORV opening. a Should this happen, there is a requirement for the PORV to reclose or be isolated in. ,
order to maintain RCS Integrity. PORY demand probabilities were used as follows: - Tg or TDCX, from high power - demand probability = .1 Transients from high power with
- all Instrumentation and power buses operable - demand probability = 0.014 1
Transients from low power - demand probability = 0.0 4 'l 4.4-2
, y.
l Table 4.4-1 (Continued). Event Tree Assumptions
- The derivation of PORV demand rate for various transients was based l1
- on operating experience with Westinghouse Reactors,. as reported in UCAP 9804.(1D T and T 3 type transients are common enough that it. .
wasypossible to get sufficient PORV opening data to estimate a 3 demand rate. For-these transients, a demand rate of 0.014' transient-was used. T3 and Toex. transients are of .particular. interest because' they represent failure of electrical buses. . Instrumentation', l control systems, and components used to control RCS~. pressure.maylbe totally or partially unavailable after these initiato's. r For Yi and- ]
. Tocx type transients, . very little data exist, and it was difficult to postulate a demand rate based on actual data. A value of.
.10/ transient was used for these initiators, .which is similar to values used in Reference 17 and other studies. !
- 7. S2 IDCAs or feed and bleed sequences can not go to 1 closed-cycle ,
cooling with RHR, before. entering the ECCS recirculstion: phase..
- 8. Recirculation switchover will occur at approximately ' .20 L minutes [
after a phase B - isolation signal for A, S ,- and 130 minutes for the i S2 LOCAs. For a certain percentage of S3 14CAs, it.is possible to. delay recirculation by controlling CSS, although there - are no explicit procedural instructions to turn off CSI. {, - 1 l -9. The-Air Return-Fan and Igniter systems are not required to prevent core . damage , although their' availabilities may affect . the accident consequence analysis. 1
- 10. For purposes of sequence ~ timing, "early" is synonymous with the l inj ec tion phase of-ECCS operation and " late"- refers to the l- recirculation phase.
i
- 11. Ice condenser was assumed always to be available. It was, .i therefore, not included on the event tree. -Its ' impact on containment pressure reduction and sequence timing was included in- i E all sequence development work. <
4.4-3
J i j Table 4.4-1 (Continued) , Event Tree Assumptions- .
- 12. .The Upper Head injection (UHl) system wa's installed at Sequoyah Unit I at the time . -
this l study _ was ' being 'done.. Ilowever, it was not included- in - the event tree analysis. : Th'e .UH1_was originally installed .to meet .10CFR- Appendix K criteria.
' Recent analysis for Catawba: using updated codes and relaxed criteria' have shown that UH1is not ' required to meet Appendix K criteria. ;
i
- Letter from R.: Tucker (Duke Power) to B. R. Denton (USNRC), May 9,198s.
t 5 i e P
-r l !
4.4-4
)
. . - , _ __ _ -_-___-- _ _ = _ . - -
4 4 I once the dominant core damage sequences had been identified... the event trees were expanded 'in the stage two analysis . (see Section 4.5) - to ' include the detailed containment systems . responses for those particular - sequences. The . dominant sequences in that - analysis. were - assigned to
- plant damage. states in accordance with;the ground rules given in Section. ':
'4.5. The'eriterion for dominance in the plant damage' state analysis was i a cutoff frequency of 1E 7/yr. '
4.4.2 less of Offsite Power (T ) Event Tree 3 j j This subsection presents and discusses the event tree for the loss of ' offsite power (T3 ) initiating event category. 't-4.4.2.1 Succ'ess Criteria for T Event Tree 3 Success criteria for the T 3transient' event trees are' presented in Table { 4.4 2. - The following paragrapho address unique considerations for the ~ evaluation of T3 sequences. , Loss of offsite power (7 ) will . result in immediate de energization of: 2
- the normal and emergency 6.9kV AC buses. .This would-in. turn de energize all > 480 - VAC buses. Power to the AC buses would be J restored upon successful - operation of the diesel generators. ' The ; DC . buses, and the vital AC buses powered by the DC buses, would - be' expected to remain available, unless additional failures of these buses occurredj i Loss of offsite power would also result in de energitation for the control rod drive mechanisms,. allowing.the control rods to ins.erti .This requires an adjustment to the reactor trip failure probability: to reflect.
only mechanical faults for T2 sequences. The four primary safety functions required in- response. to T 3 are reactor suberiticality, core heat removal via steam generator' cooling, ' RCS integrity, and RCP seal' cooling. If all of these . safety functions are successfully performed, th3 transient ' is mitigated in an early) stage. Failure Lto provide reactor ; scram constitutes' failure of reactor. . subcriticality.and results in a transfer to the ATWS event tree. Failure to provide core heat removal via the = steam generators . leads to a demand- 'v for " feed and bleed" cooling which requires ' success of; HPI and opening-PORVs. Failure to' provide HPI and open both PORV trains' leads to core damage. Successful feed and bleed cooling leads ' to _ demand for coolant a recirculation systems and containment systems during :the recirculation phase. Failure of relief values to reclose requires a transfer to the S 2 '1 14CA event tree. Failure of RCP seal cooling.(i.e. ;1oss.of both thermalf barrier cooling'and seal injection) leads to a seal vulnerable condition. , 4.4.2.2 Discussion of Sequences L , The event trees for T 3 are shown in Figures 4.4 1 and 4.4 2. Two different trees were used to evaluate loss of offsite power. The T3 tree is for sequences where at least one diesel is available. The station blackout tree was used to evaluate sequences with no operable diesels at i Unit 1. Important functional, phenomenological and hardware dependencies j' as well as assumptions and limitations are stated in the general j assumptions found in Table 4.4 1. l" The T event tree' is shown in Figure 4.4 3 1.. Sequence 1 represents successful mitigation of the initiator.;- diesel. generators . start, auxiliary feedwater is- available, and the charging system provides seal injection-flow to the RCP seals. The plant is in a stable 4.4-5
my .- , n. ~ ~ y
- _ -4 l .' Table 4.4-2 --
~
(- : T1 -Transient Success Criteria Sumary . Information. l INITIATOR: T1 - 1.oSS of Offsite Power-CONTAltMENT CONTAlf88ENT- , REACTOR. CORE HEAT RCS PRESSURE SUPPRESSION -CORE HEAT PRESSURE SUPPRESSION SUSCRITICALITY REMOVAL, EARLY INTEGRITY EARLY REMOVAL, LATE LATE CGEMENTS RPS 1/3 AFw, Any open Not Required 1/4 HFR and 1/2 CSS w/HX ' 1. Core heat removal, late and - OR PORVs '1/2 LPR OR .. containment pressure suppression.- 1/4 FPl. Reclose 1/2 LIR w/HX are required only when feed and and bleed is used or RCS Integrlty.Is'. -
'2/2 PORV REP Seal latogrity lost.
(in feed & 1/2 CCP in Seal . bleed) injection Mode f2.' Early containment pressure supp ession Is not. required u OR. for-transient Initiators. e Ca 1 CCW Train to
-Thermal Barriers T -- ::n = = - _ - _ - _ _ , -
_ _ _ = . ____._=c._,_ _.__. _ ~ ~. . ,- - . :.: a .
- ~ _ . ,2-
~
s
._ Y RVs AFW SEAL- CCW PORVs _ . ..
LOSP RPS CLOSE 2/4 INJCT THRML -HPI OPEN LP!/R HPR SGs. FLOW BARR T1 K- 01: .L1- D3 -W D1 ~P1 H3- M2 . Sequence . COMMENTS \; l CORE l l - t
- 1. T1 OK
!. I 2.'T1D3 OK .~
- 3. TID 3W- ~---
SEAL VULN
- 4. TIL1 OK I 5. T1L1H2~ CD
- 6. TIL1H3 LCD-i.
- 7. T1L1P1 CD 1
- 8. T1L101 CD 9.'T101 --
.vFER TO S2
! 10. T1K -- XFER TO ATWS
~
l ( p L-4 . l-l t l: i l. l l I Figure 4.4-1 Event Tree f' or T3 -Loss of Offsite Power i
;_. _ . - . y_..~.. l k- '
* , - *v+" 7* ~ ' ~ ~
' ' ~ ~ ' *~~~ ~ '
u' ! 590-- SG-SV RV4 Af W MAC ACP. OPER DCP-- SEAL WRAC NRAC Ut- RECL CLOSE (10P) 1MR DGM DEPMZ U2 LOCA SEAL TMR U2 -003- LOCA I T1 -SG -0 -l -1H -DG -0D -DC -SL NSL -7M Sequence l CORE l COMENIS. l
- l. 1. 11 - UK - .
! I 2. T1-1M - OK .AC DGN-U2 I 3. T1-1M-DG OK NO St LT-590 I 4. 11-1M-DG-SL OK SLOCA REC AC I l I 5. T1-1M-DG-StNSL CD SLOCA NRAC
- 6. 11-1M-DG-DC OK - REC AC THR'.
I 7. 11-1M-DG-DC-TM CD BATT DErLETE
- 8. 11-1M-DG-DC-SL OK SLOCA REC AC I 9. T1-1M-DG-DC-SLMSL CD -SLOCA NRAC
- 10. T1-1M-DG-CD OK No St LT-$90 I 11. T1-1M-DG-CD-SL OK SLOCA REC AC I 12. T1-1M-nG-00-SLMSL- - CD SLOCA NRAC
- 13. T1-1M-DG-00-DC UK- REC AC TMR I 14. 11-1M-DG-CD-DC-TM CD BATT DEFLETE
- 15. T1-1M-DG-CD-DC-SL OK SLOCA REC AC I 16. 11-1M-DG-CD-DC-StNSL CD SLOCA NRAC l
l 17. 11-L' OK REC AC 1MR -
.# I 18. T1-L-1M CD NO AFU WRACI
- i 19. 71-0 OK REC AC *MR
- I S0 it-O-1M CD SORY NRAC1tMt l
! 21. T1-0-L OK REC AC 1MR I S2. 11-0-L-1M. CD SORV, No Atu l ! 23. 11-SG OK REC AC InR I .24. T1-SG-1M OK ACP DGN-U2' l 'I
'5. T1-SG-1M-DG OK LT-SB0 -
I '6. 11-SG-1M-DG-SL OK StorA REC AC ( I I 77. T1-SG-TM-DG-SLMSL CD SLOCA WRAC
?8. T1-SG-1M-DG-DC OK REC AC 7MR
! ??. T1-SG-1M-DG-DC-TM CD BATT DEPLETE 3D. 11-SG-1M-DG-DC-SL OK - SLOCA REC AC -
! 11. 11-SG-1M-DG-DC-SLMSL LD 'SLOCA NRAC.
- 32. T1-SG-L OK REC AC 1HR I 13. 11-SG-t-1M CD NO ATV WRAC1'
- 14. T1-SG-O OK - REC AC 1MR I 35. T1-SG-0-1N CD SORY NRACIMR l
- 16. 11-SG-0-L OK REC AC IMR I 37. T I-SG-0-L-1H CD SORV, No AF'J l
Figure 4.4-2 Event Tree for T3-Station Blackout I-
- ~ . . _;. __ .
~ - , - - . - -
condition and attention can be directed to restoration of the offsite power. Sequence 2 is similar to 1, except that seal injection flow from the charging system is unavailable. PCP seal cooling is provided by c.CW to the thermal barrier heat exchangers. Sequence 3 represents a condition with no seal cooling available. Both PCW to the thermal bar-riers and seal Injection flow have failed. Auxiliary feedwater is available, however, and all essential safety functions are being provided at the time seal cooling is lost. This '
< represents a seal vulnerable condition and- is- handled with the. seal LOCA model.
Sequence quantification (Section 4.10) Indicated that there are no significant contribu-tors to the T D j 3W state that do not involve loss of all AC power. Those events are , handled through the station blackout quantification. Combinations of failures involving component failures or partial power failures, combined with component failures make no significant contribution to the T 3 D 3W seal vulnerable state. Sequence 4 represents failure of all steam generator heat removal, but successful core , cooling via feed and bleed, using one charging pump or one Si pump and opening of both PORVs. ECCS recirculation from the sump and successful operation of the RHR heat ex-changers provide long term cooling. Sequences 5 and 6 lead to core damage through the failure to provide long term feed and bleed cooling in the recirculation mode. Sequence
-5 is due to failure of the high pressure recirculation system, and Sequence 6 is due to failure of the low pressure recirculation system.
Sequence 7 represents failure ofisteam generator heat removal followed by fallure to establish feed and bleed cooling, due to failure to open both PORVs. Sequence 8 is
~
similar to 7, except feed and bleed core cooling falls due to failure to establish safety injection flow with the charging or Si system. Sequence 9 represer.ts transient induced LOCAs caused by a transient' related PORV demand,- followed by failure to reclose PORV. This condition transfers to the 52 event tree for further evaluation. i Sequence 10 is an ATWS condition and transfers to the ATWS tree for further evaluation. Station blackout (SBO) was evaluated with a separate event tree, because of the pheno-menology and special events that can occur during an SBO. These are discussed here as a prelude to the detailed discussion of each sequence. The important considerations during a station blackout are the preservaton of RCS inventory,-the controlled supply of feed-water to the steam generators, and the extension of battery life as long as possible. These considerations, as they apply to the Sequoyah plant, are discussed below. l l. HCP Seal LOCA - The RrP seal LOCA model in Reference 45 was used to develop Sequoyah specific leak rates, probabilities, and times to seat failure. The model predicts two dominant seal failure scenarlos. The dominant path predicts a 250 gpm leak develop-Ing in each pump at 1 1/2 hours af ter loss of all seal cooling. This path has a probability of .53. The next most dominant path has a probability of .13. This path is a 60 gpm leak developing in each pump at 1 1/2 hours, growing to a 250 gpm leak at 21/2 hours (from l the time of loss of seal cooling). There is also a .27 probability of limited leakage in each pump throughout the entire loss of cooling event. Limited leakage is defined as less than 21 gpm per pump. This is considered a success state with respect to seal. leakage, because 21 gpm per pump can be tolerated throughout the SBO event without causing core uncovery. - All other seat leak sequences combine to account for 7%. The development of this model is presented in Appendix D of this report. RCP seal LOCA will cause core uncovery unless safety injection flow is restored within a requisite time. l Time to core uncovery depends on the leak size. Times to core uncovery for each leak i path are also developed in Appendix D. 1 I 4.4 9 l' l I-__-__--._.
1 c l RCS Cooldown and 'Depressurization The emergency. operating procedures at Sequoyah ! direct the operators to cooldown and depressurize the RCSJn a long-term station black- j out. Depressurization serves the dual purpose.of reducing the risk of seal LOC A, due to ' reduced pressure and temperature on the seals, and reducing RCS leak rate, should anyl I leak paths develop. The time at which cooldown and_ depressurization should be Initiated j and' the tate at which it would pr'oceed are not specified in the emergency procedures, ; other than to limit. the cooldown to less than 100 F/ hour. For purposes of event tree -!
' development, it was considered that cooldown v'ould not begin ur.tll at least one hour j
- after the initiating event. 1 rooldown at Sequoyah _is to be accomplished by dumping steam through SG-AnVs. LAf ter cooldown ls started, depressurization of the pr5 will occur as a natural process, result- 4 ing from the decrease in specific volume of the RCS Inventory as the average RCS j temperature decreases, nepressurization will be aided by inventory loss due to_ normal '
l leakage through the PCP seals. Significant depressurization is.not expected to occur j
.before 2 to 3 hours. Because of thp predicted seal response to loss of cooling, this' timing } j-for depressurization is not early enough to provide any significant benefit to:the seals. J The seal LOC A model development (Ref. 45) does not predict benefit from depressuriza '- ;
tion until approximately 4 hours, at_which time there is already a high probability of seal . failure. Thus, in the station blackout modeling, RCS cooldown and depressurization was- ! not considered to have any ' impact on the development of seal-LOCAs. RCS depres-surization did however, have an eifect on the . allowed time to , recover AC power. - !
- Depressurization would reduce the RCS outflow'and thus extend the time to core unco- !
very. This effect was included in the SBO modeling. PORV Demand and RCS Integrity , An-important function to provide during station j blackout is to preserve RCS inventory until= AC power can be restored. A'PORV which falls to reclose after a demand represents a.LOCA. PORV demand may occur during SBO due to loss of pressurizer pressure control and MSIV closure. j Secondary Side Integrity - The atmospheric relief valves at Sequoyah will be initially l operable in a station blackout. Their continued operability will require control power and ; 'I instrument air. Control power will be: available until _ battery, depletion occurs _ at approximately four hours. However, the instrument air headers will. bleed down' in approximately one half hour. Steam relief will-then be through the safety valves until ; people are dispatched to provide local operation of the ADVs via reach rods. Other valve i' line ups are possible to relieve steam to;the condenser, but are not specifically stated in the blackout procedures. Continued steam relief through the safety valves presents the possibility of uncontrolled depressurization in one steam generator, in the event that a - 1 relief valve falls to reclose. , The overcooling transient would continue until the feed flow to that steam generator was stopped. The AFW design at Sequoyah provides level control valves for each steam gene- 3 rator. There are air operated valves located outside the containment, very close to the containment wall, for. each steam generator. These valves fall closed on loss of air and,- in fact, are required to be locally, manually opened in the SBO sequences in order to ! maintain feed flow. The AFW event, L, has a term.in lt for failure to open the valves on loss of air. The same air supply headers which supply the ADVs, also supply the level control valves. Failure of the operator to recognize the need for SG isolation and-to - - close the proper LCV would result in uncontrolled depressurization of the SG and con-tinued cooldown of-the primary system. The sequence of events following a stuck-open relief valve was considered. The SG with the stuck open valve would depressurize, causing an overcooling transient. Flow to the 1 l 4.4-10
=l faulted SC from the - turbine vrlven (TP) pump .would increase, Ilmited by cavitating venturis in the AFP line. The faulted SG would he fed preferentially to the good SGs due to-'the pressure dif ference. The overcooling transient was not considered capable of causing recriticality, due - to the expected discharr'e of the UHl (borated water source) when the RCS pressure decreased below 1700 psig.
The faulted SG would lead to higher than expected AFW use, but the condensate supply , at Sequoyah is sufficient to meet the increased demand. As the transient continued, the
- operator could throttle the TD- feedwater pump and thus reduce the severity of the transient, t
Steam supply to the TD pump would be unaffected unless SG #1 (normal steam supply to , TD pump) was the faulted SG. If SG #1 remained intact,it would receive very little flow , from the TD pump. However, after the RCS cooled down below the SG water tempera-ture, there.v ould be no outflow from the good SGs, other than steam flow to the TD ~ ' pump, which !s a minimal drain on the Inventory. if SG #1 was the faulted SG, TD pump r steam supply would remain'available, but at reduced pressure. Should SG pressure drop low enough to be unable to supply the TD pump, steam supply could be switched to SC
#4, by manual valve manipulation. ,
l In sequences with a faulted SG, two potential interactions were identified but ultimately l could not be quantified. They were a) that a faulted SG may cause rapid primary system depressurization which may lead to an extended RCP seal life, and b) that core uncovery ' may occur sooner than three hours af ter battery depletion if one SC was faulted. > During the development of the seal LOCA model, specific depressurization rates were not available for inclusion in the model. The elicitees all considered that substantial
~
l cooldown and depressurization would need to occur in order to significantly improve seal , I performance. The expected depressurization rates for the faulted SG scenario are not ! considered -sufficient to provide the necessary amount of pressure and temperature reduction to mal <e a significant impact on seal performance. It was concluded that the .
' level of discrimination in the models was not sufficient to support quantification of this in teraction. - The potential impact of including this interaction would be to lower the probability of seal LOCA, and thus lower the seal LOCA core damage frequency. ,
However, the frequency of the long term battery depletion sequence would be increased. i l Ouantification of the second potential interaction was similarly difficult.- The selection < l- of three hours as a reasonable time period between loss of DC power and AC: power - restoration is largely subjective and is subject to considerable uncertainty. Modeling of-this interaction would tend to decrease the allowable time for AC power restoration, and ,; thus increase the core damage frequency. The two excluded interactions would tend to counter each other if they were to be-
. modeled. An estimate was made that if both of these interactions were included at their maximum effectiveness, there would be no overall ' increase in total- core damage frequency, although long term hattery depletion would he favored over seal LOCA..
Battery Pepletion - A critical event for timing purposes in SBO evaluation is battery i depletion. rhe batterles at Sequoyah are designed for a two hour load discharge in post ! LOCA conditions. This was considered a nominal starting point for estimation of deple-l tion time for the SBO sequences. Battery depletion time couldibe extended with , shedding of nonessential loads from the bus. Specific procedures for load shedding are not in place in Scauoyah, so it was difficult to quantify the advantage gained from this l practice. rommunication with TVA led to the agreement that four hours was a reason-L l'
'4.4-11
l able time to expect battery d:'pletion in an SBO sequence._ Depletion of the vital bat. l terles will leave the plant with no instrumentation or control power. . Although manual ; control of the turbine driver AFW pump is possible without DC power, the inck of instru- ! . mentation in the RCS or the steam generators would ultimately limit the ability to , maintain tore cooling. It was estimated that an additional three hours would be available - l to res%re AC power af ter battety depletion in order to prevent core uncovery. l Operattor, of the bus feeder breakers in the absence of DC power was examined. The bus , breakert, will remain as is upon the loss of DC power. Manual operation of the breakers is posslole through the use of spring loaded jacking mechanisms. Although the absence of ) DC power would complicate the recovery of AC power, the additional time regulred to ; i manually operate the breakers is small compared to the uncertainty in the three hour period from battery depletion to core uncovery. l The event tree for a Unit 1 station blackout is shown in Figure 4.4 2. The functional requirements for mitigation of this event are the same as for other transients. lintry into this event tree presumes reactor scram is successful. ATWS events are addressed in the Tg event tree. Sequence ! represents successful mitigation of a short term station blackout. SG in-tegrity is maintained, as well as primary system integrity. The turbine driven pump ; starts and provides feed flow. AC power is recovered within one hour to end the black- , out. One hour was chosen as an intermediate time for recovery of offsite power because .
- 1) It is sufficient time to mitigate failures of APW'and relief valve failures and 2)It is prior to the time that risk for seal LOCA occurs. Sequence 2 represents non-recovery of ofitite power by one hour, but successful ecoss connect of power from Unit 2. Sequoyah has the capability to cross tie the 6.9kV shutdown boards from one unit to the other. For i circumstances when Unit 2 had two diesels available and Unit I had no diesels available, a recovery action for crotstle of the shutdown boards was included. This would involve i stripping the Unit 2 loads off the Unit 2 bus, crosstle the Unit 2 bus to a Unit I bus, thus feeding the Unit I bus with a Unit 2 dierel generator. This recovery option was not allowed for circumstances where only one diesel was available at Unit 2 (i.e., two unit <
shutdown with one diesel generator was not considered). Sequence 3 represents inability to cross connect a diesel from Unit 2, but successful cross connect of DC power supplies from Unit 2. In circumstances where only one diesel is available at Unit 2, or where shutdown board crosstle did not succeed for other reasons, it is possible to crosstle the battery boards from one unit to another. This allows an operable diesel at Unit 2 to charge a battery at Unit 2, which in turn could energize a vital battery board at Unit 1. . The probability for failure to do this was calculated conditionally on the previous failure to crosstle shutdown boards, in Sequer.ce 3, seal integrity is maintained, thus representing a long term, stable station blackout. AC power will eventually be restored, but timing is not important because all essential safety functions are being provided. Thus, no term for power recovery is asked in Sequence 3. Sequence 4 represents ; occurrence of a seal LOCA, but restoration of AC power and HPI flow before core ' uncovery. Sequence 3 leads to core damage due to occurrence of sea! LOCA and failure to recover AC power prior to core uncovery. Sequence 6 represents failure to supply DC power from Unit 2 to Unit 1, but successful recovery of offsite power by seven hours. In Sequence 7, core damage occurs due to battery depletion at 4 hours and non-recovery of AC power by seven hours. Sequences 8 and 9 are similar to 4 and 5, except no source of DC power other than the Unit 1 bat-teries is available. This is not important, because the timing of seal LOCA is prior to battery depletion time. 4.4-12
Sequences 10 through 16 are similar to 3 through 9, except that the operator has not depressurized the RCS. in Sequences 10 through 16, RCS remains at high pressure. The only effect of remaining pressurized is that core uncovery times for seal LOCA ; sequences are a !!ttle faster, due to the higher break flow rates. Sequence 17 represents early failure of AFW, but recovery of AC power within one. hour. This allows restoration of HPI flow and auxiliary feedwater. The recovery option f for cross connect of a diesel from Unit 2 was not considered possible within the one hour time constraint. Sequence 18 leads to core damage due to the inability to restore AC Fwer and thus restore APW and HPl flow. , Sequences 19 through 22 represent possible outcomes for transient induced LOCA ;
~
scenarlos. In these sequences, a PORY demand is assumed to occur at the time of LOSP. Failure of the valve to reclose leads directly to a LOCA, because the block valves are inoperable due to the loss of power. Recovery of these sequences involves restoration of power to the block valve and closing the block valve. This must be done within one hour to prevent core uncovery. Sequence 19 represents successful mitigation of the LOCA by recovery of offsite power. Sequence 20 leads to core uncovery, due to the inability to isolate the PORV prior to core uncovery. Sequences 21 and 22 include the additional
- random failure of AFW. ;
Sequences 23 through 31 are similar .to 3 through 16, with the exception that operator depressurization of the primary is not necessary. Sequences 23 through 31 involve a faulted steam generator, which will provide cooldown of the primary system. _ ' Sequences 32 through 37 are similar to Sequences 17 through 22, except that they also include a faulted steam generator in addition to the other failures. 4.4.3 Transient with PCS Initially Unavailable (T 2) Event Tree This subsection presents and discusses the e rent tree for the transient with PCS$nitially unavailable (T2 ) Initiating event categories. , 4.4.3.1 Success Criteria for T2 Event Tree Success criteria for the T2 event tree is presented in Table 4.4-3, The three primary saiety functions required m response to T2 are reactor subcriticality, SG make-up for
- core heat removal, and RCS Integrity. If all of these safety functions are successfully >
performed, the translent is mitigated at an early stage. The need to maintain RCS Integrity implies need for reactor coolant pump sealintegrity, which in turn requires seal i injection flow or CCW to the RCP thermalbarriers. l Failure of AFW leads to demand for feed and bleed. The recirculation phase of ECCS is 1' required for core heat removal if feed and bleed is successful. 4.4.3.2 Discussion of Sequences The event tree for T 7is shown in Figure 4.4-3. Important functional, phenomenological and hardware dependencies as well-as assumptions and limitations are stated in the general assumptions found in Table 4.4-1. Explanation of the presence or absence of decision points at various locations in the T2 event tree is provided in the following paragraphs. 4.4 13 m ;
- 3. .
Table 4.5-3 T2 Transient Srxess Criteria Srrery Inferretion INITIARR: T2- Transient with PCS Initially tinavailsie 004TAIMM CMT A SWIEWT REr.CTOR CORE M AT 81CS FRESSURE 9Ff9tES$904 CORE HEAT fMESSLRE SUNRES$904..
$U8CRl!ICALITY REsov4L. EARLY twfEGRITY EARLY REaI0 vat, LATE LATE- - C3EEENTS R75 t/3 AFw, Any Open Mot Raquired I/4 849t end 1/2 CSS w/8ft 1. Core heet rammevet, tete auf ~
OR FORys 1/2 Lf9t Gt contese pressor, soppressten 1/TWI Reefose 1/2 Lf4t w/4t are reqpelred only e f and emt
- p. and N eed Is w9ad er SICS letsgrity is
, 2/2 PORY 8EF Seet 9=teyrIty Iest.
I (In f est & 1/2 CEP in Seet 5 blend Inject 8cm mode 2. Earty contefamnet pressere soppresslos is not required Gt for treasteet In8tlefors.- 1 cot Trein to Thornet Barriars
i i l 3
$ a NE ;
- d
.D oo
- e.
ww \ WN' un i j k MW:M8888: l i mR gm--*SS-N
--- N N d. d- d d. d-- E M,- ,
. . ........ .o
- N m 4 m e N eo a oe e a ,
h W 9-
- .E ,
" e e b 7 e
w o
$2 gg - o
" '$% i ED N C. H '
I E 8 s g 3E u-3 - c o eg M > wza m se , sa >
'i 3,$
ant N J N eo
>a 0
ac u
=
m - g w c
- 3 N f
t SwI
.s o
- I l
1 4.1- 1,5 .l I 1
- l. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ , _
u -- - - . .
The first sequence represents successful stabilization of the reactor at hot shutdown. If reactor scram is successful, AFW starts and provides water to at least two of four steam generators, licat removal is assumed to be through the atmospheric dump valves as the initiating event may have failed the power conversion system Seal cooling is provided by seal injection flow. At this juncture in the tree, the reactor is stable in hot shut-down. This is considered successful termination of the initiator and no further system availability questions are asked. Sequence 2 is also a success state, with seal cooling being provided by CCW to the thermal barrier. Sequence 3 is a seal vulnerable condi-tion. All critical safety functions are being provided, but RCP seal cooling is not available.. The potential for this sequence to lead to core damage depends on the suscep-tibility of the seals to failure after loss of all cooling and potential recovery options to restore seal cooling prior to seal failure. The seal failure evaluation will be done on an Individual sequence basis, should the quantification show this state to be important.- i Sequence 4 represents loss of auxillary feedwater, but successful feed and bleed cooling, using reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation. Sequence 5 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 6 is similar to 3, - except that the low pressure recirculation systems are unavailable. . I Sequence 7 and 8 represent failure to initiate feed and bleed to cooling after loss of , auxillary feedwater, in Sequence 7, feed and bleed falls due to failure of 2 of 2 PORVs to open, while in Sequence 8, feco and bleed falls due to failure to establish safety injection flow. Sequence _9 is a transient induced 1.OCA, which transfers to the Si tree for further i evaluation; and Sequence 10 is ATWS, which transfers to the ATW5 tree for further evaluation. 4.4.4 Transient with PCSInitially Available (T 3) Event Tree , This subsection presents and discusses the event tree for the transient with PCS initially available (T3 ) initiating event category. 4.4.4.1 Success Criteria for T3 Event Tree Success criteria for the Tg event tree are presented in Table 4.4-4. The three primary safety functions required In response to T3 are reactor subcriticality, SG make-up for , core heat removal, and RCS Integrity. If all of these safety functions'are successfully , performed, the transient is mitigated at an early stage. The need for RCS Integrity leads ; to a requirement for reactor coolant pump seal cooling using either sealinjection flow or ! CCW to the RCP thermal barriers. Failure of AFW and MFW leads to demand for feed and bleed. The recirculation phase of ECCS is required for core heat removal if feed and bleed is successful. , 4.4.4.2 Discussion of Sequences - The event tree for T 3 is shown in Figure 4.4-4. Important functional, phenomenological * ( and hardware dependencies as well as assumptions and limitations are stated in the ! general assumptions found in Table 4.41. 4.4-16 x
Table 4.4-4 T3 Transiet Srxess Criteria Screry Infomstion INITIATGt: T3- Transient with PCS Initially Available CowTAteMENT CONTA pseEWT REACTOR CORE 84 EAT RCS MIESStRE SUPPRESSim CURE 84 EAT fHESStptE St7'4ES$904
$U8CRITICAllTY REse0 VAL, EARLY twTEsttTY EARLY RE4094L, LATE LATE CtBeENTS RPS .1/3 AFW, Any Open Not Required 1/4 pfst and IR CSS whet 1. Core heet removel, feto eed !
OR PORVs 4 R LPR OR contetsument pressere suppresslen
~
1 esFW or Condensate Rectose IR U4t e/M ere regelred caly ehen f w end
, Bocater Trata, blood ts esed or sqCS Integrity a
p 84F Sent W ety 8s sesi. s 1/4 WI 1/2 CtP in Seel-C end injectton mode 2. Early conteinemet pressere 2R PW!V suppression Is not regelred (in food & OR ,for tronslent Is3tletars, blood) 1 Ew Train to Thereet Berrlers _. [ w- #w- - < , - . eg -3 r- , ..s, 4- c- + 3,--g--w. v - + w -a w- - - - ~ =-o-=-m-C- --- - _- - - - . - - - - - - -- ---- -- - -- -
l e = W.E a g oo e- p-
. ==
4 WW W nk b EE:ME8888l l - e U Za mR-=Em-- - E I ,E-- 5, ' m.-R R M.- M M. - M M -M. -AM 3
- u m .,. m s e- e- .t C'
N 3 E E w
" E 7 me
=
=$ c.
? * ?
I$ " c E e
.E
** f k E g b
E
<> G._g, r o t-W"* -
5 , 3 > W y E 34o
<N
>a O
wu 44 g ht I E tf ,
- $ E.'e.
w.2. - 4.4-18 I _ _ _ . _ _ . . a
i The first sequence represents successful stabilization of the reactor at hot shutdown. ; Reactor scram is successful. APW starts and provides water to at least one of three j steam generators. Heat removalis via the steam dumps to the condenser. Seal cooling ! is provided by seal injection flow. At this juncture in the tree, the reactor is stable in hot shutdown. This is considered successful termination and no further system avall-ability questions are asked. Particularly, the availability of RHR which is necessary to , reach cold shutdown is not asked. Sequence 2 is also a success state, with seal cooling ' being provided by CCW to the thermal barrier. Sequence 3 is a seal vulnerable condi. tion. All cr}tical safety functions are being provided, but RCP seal cooling is not ' available. The potential for this sequence to lead to core damage depends on the suscep-tibility of seals to failure after loss of all cooling and the potential recovery options to restore seal cooling prior to seal failure. The seat vulnerable evaluation will be done on- , an Individual sequence basis, should the quantification show this state to be important.- ; Sequence 4 represents stable hot shutdown with SG inventory being provided by main feedwater, after failure of auxillary feedwater. This is a success state similar to , Sequence 1, except of a much lower probability. Questions of seal cooling were not asked on this branch, because the additional sequences would be subsets of Sequences 2 and 3. , Sequence 5 represents loss of auxiliary feedwater and all main feedwater, but successful > feed and bleed cooling, using reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation. . Sequence 6 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 7 is similar to 6, except that the low pressure recirculation systems are unavailable. Sequences 8 and 9 represent failure to initiate feed and bleed cooling after loss of ' auxillary feedwater, in Sequence 8, feed and bleed falls due to failure of 2 of 2 PORVs to open, while in Sequence 9, feed and bleed falls due to failure to estab!!sh safety injection flow. Sequence 10 is a transient induced LOCA, which transfers to the 2S tree for further evaluationi and Sequence 11 is ATWS, which transfers to the ATW5 tree for further evaluation. 4.4.5 Loss of One DC Bus (TDCX) Event Tree This subsection presents and discusses the event tree for the loss of one DC bus (TDCX) i Initiating event category. 4.4.5.1 Success Criteria for T DCX Event Tree Success criteria for T DCX transient event tree is presented in Table 4.4-5. Loss of a DC-bus will cause reactor trip through loss of 120 VAC or 125 VDC vital power. Although all 6.9 kV and 480 V buses are available, the switchgear for these buses, which are powered { from the failed DC bus, are not'available. The affected components can only change state through manual opening or closing of the circuit breakers. The three primary safety functions required in response to 'lhCX are reactor subcritica-lity, core heat removal via steam generator cooling, and RC5 integrity. The requirement , for RCS Integrity leads to a requirement for RCP seal cooling. If all of these safety functions are successfully performed, the transient is assumed to be mitigated at an , early stage. Failure to provide reactor scram constitutes failure of reactor subcriticality -
'4.4-19 .
n od i n y s at s i dn ed r er g , de ep a e pf t rel s r . ous n se s g r e t eI e e e et r r e f eh S p
,re wC48 t t t
l s y t oi e sl r y en o n e n n I ay r o - s u p d n8 t S en e n g d e i T rt es N n r u t ol ni s t el s en gi t m es . o s e cs e e s e r N b 8 et erd oel t y r t p r a or l n ee s r p r e u o C cebi E sf 1 2 sr o l
$ C t T S 4 e N E4 h h n E s 9E w w o sF a U T sR R
- i. I e A S AL T
$ O P C L N RE 2 2 f
w O C S U / I 1
/
n S I E y R r P er m E S T d 5 a T A n A L 4
- i r E amt 4 t e H ,
L 2 69 i E A 2 l e C r R V D0 4 f
/
b C sq / T a s s E R 1 e c N c i O I S S S f t T E e n N r e E m Y l e i E s P s U LR g n a l S A e a r A R T T E E N R t OU o g C $ S E N T R P y - ors t tr ts de t e y e b I Y n eS a n r "X T e e t i r
" S R I p s s V o l an f n o R a e rB s C G O R t t O T e(Ptc u R ET yO c t t B N nP eR A eC ej We C n C S 2 C r D / a o Pt
( l I T h V Y 4 8 5 L 2 T R & A A W 1 l W e d RRe ede E d ) E F ) f H o . A R s n L O 4 f le s E A 3 / a2 s FV / t / nb L o OOM f 2 i ( E
- R g Y T
I T L R O A C T I S 3 : C T P A I R m T E R R A E I N T S I l h I
#.ig
..._.-,,,i-.-
and results in transfer to the ATWS event tree. Failure to provide core heat removal via steam generators results in the need for feed and bleed cooling. Failure of RCSintegrity consists of failure of any open rellet valve to reclose or occurrence of an RCP seal LOCA. Failure of relief valves to reclose requires a transfer to the $2 LOCA event tree. Failure of RCP seal cooling (i.e., loss of both thermal barrier cooling and seal injection) leads to a seal vulnerable condition. 1hls state is evaluated separately, af ter initial quantification.' Failure of SG cooling leads to a demand for " feed and bleed" cooling, which requires success of HPl and opening PORVs. Failure to provide HPI and open both PORV trains leads to core damage. Successful feed and bleed cooling leads to demand for coolant recirculation systems during the recirculation phase. 4.4.5.2 Discussion of Sequences The event tree for TDCy is shown in Figure 4.4-5. Important functional, phenomenologi-cal and hardware depenifencies, as well as assumptions and !!mitations, are stated in the general assumptions found in Table 4.4-1. _j The first sequence represents successful stabilization of the reactor at hot shutdown. Reactor scram is successful. AFW starts and provides water to at least one of three steam generators. Heat removalis through the atmospheric dump valves, as the initiat-Ing event will have failed the power conversion system. Seal cooling is provided by seal injection flow. At this juncture in the tree, the reactor is in hot shutdown. This is considered successful termination and no further system availability questions are asked. Particularly, the availability of RHR, which is necessary to reach cold shutdown, is not asked. Sequence 2 is also a success state, with seal cooling being provided by CCW to the thermal barrier. Sequence 3 is a seal vulnerable condition. All critical safety functions are being provided, but RCP seal cooling is not available. The potentlat for this sequence to lead to core damage depends on the susceptibility of the seals to failure af ter loss of all cooling and the potential recovery options to restore seal cooling prior to seal failure. This state will be evaluated on an Individual basis, if the quantification shows it to be significant. Sequence 4 represents loss of auxillary feedwater, but successful feed and bleed cooling, using containment heat removal systems and reactor coolant recirculation systems. Long term feed and bleed cooling requires high pressure coolant recirculation. Sequence 5 represents core damage due to failure to provide high pressure recirculation for long term cooling. Sequence 6 is similar to 5, except that the low pressure recirculation systems are unavailable. Sequences 7 and 8 represent failure to initiate feed and bleed cooling after loss of auxil-lary feedwater. In Sequence 7, feed and bleed falls due to failure of 2 of 2 PORVs to open, while in Sequence 8, feed and bleed falls due to failure to establish safety injection flow. Sequence 9 is a transient induced LOCA, which transfers to the 3S tree for further evaluation, and Sequence 10 is ATWS, which transfers to the ATW5 tree for further evaluation. 4.4.6 Steam Generator Tube Rupture (T3g) Event Tree This section presents and discusses the event tree for the steam generator tube rupture (SCTR) initiating event. This event is identitled by the symbol T gg in the event tree. 4.4-21
I , M U Nw 8
)
J
$ g R MC' e= d OO S
u J KW wW l b ww .i MM i i E 88:88888: : j l l
~
N m *= *= 3 E E CL O , m m e= e= e= e= e= **
.,a .J .J OV j
J .a
>= >> >=
*= N M W hm @ N ED > "O Q t m [
= ~ o :>
g E Q
- 's E
'?
en k Ve
>= c; O g h Q
- bb [
c .y k O -$ i e V ' WE a
- 5 B
g .Emi
- W t
i4B w=s m O
- m. b
--s 0
-sm a 4N *
{ I th (
>s "a .
EU l, ! M CL M ' i- E , t' y MC (J t O ~! b, 6 e se p . i I 4.4=22
...c..
Success criterla for T 3a event tree are shown in Table 4.4-6. This initiator is unique from other transient mittators because it causes a breach of the primary pressure boundary into the secondary side pressure boundary. Success criteria involved with integrity of the primary pressure boundary now become entangled with the necessity to preserve the secondary side pressure boundary. The primary system and the ruptured steam generator form a continuous pressure boundary and must be maintained at pressures consistent with the secondary side criteria. Normally open effluent lines to the steam generator must be isolated, because they now represent open effluent lines to the primary system, 4.4.6.1 Success Criteria This initiating event begins with a complete double ended rupture in a single steam generator tube, which allows primary coolant to flow into the secondary coolant system. The three primary functions required in response to T 3e are reactor scram, core heat removal, and operator control of RCS pressure. If all of these functions are provided, the transient is mitigated at an early stage. Operator control of RCS pressure regulres RCS cooldown using heat removal through the good steam generators, and depressurization of the primary system using pressurizer spray or PORV opening. Fallure to trip the reactor (either automatically or manually) causes the pressure in the reactor coolant system to increase, possibly resulting in the rupture of additional steam generator tubes and an increase in the flow from the RCS to the secondary coolant system. The ATWS Induced pressure increase in the primary is counter productive to the RCS depressurization which is required to mitigate tube rupture. Because of the complexity of this sequence, and the limited analytical data available _ta support evaluation, steam damage sequence. generator tube rupture with failure to scram was categorized as a core 4.4.6.2 Discussion of Sequences The event tree for Tw, is shown in Figure 4.4-6. The important functional and phenomenological depenTencies as well as assumptions and limitations are stated in the general assumptions found in Table 4.41. The steam generator tube rupture initiator is a double ended rupture of a single tube which results in an RCS cutflow that requires an equivalent makeup flow of about 600 gpm. Actuation of S1 will occur on low pressurizer pressure, shottly after the initiator. Turbine trip, MFW ! solation and start of AFW will occur on the S1 signal. The operator is instructed to identify and Isolate the ruptured steam generator. Isolation of the ruptured SG involves closure of the MSIV, AFW Inlet valve, steam generator blowdown line and turbine driven pump steam admission valve. Complete isolation will not occur until the RCS pressure is reduced to less than the SC pressure. The water level in the ruptured SG will continue to rise due to the influx of water from the break. Pressure in this SG will also rise as the average steam generator water temperature increases. The operator is then directed to cooldown the RCS as rapidly as possible using the good steam generators and then depressurize the RCS using pressurizer sprays or opening a PORV, to reduce the pressure in the RCS to below the pressure in the ruptured SG. This will terminate the breakflow from the RCS and stabilze the reactor. The operator then has to cooldown the ruptured steam generator and place the reactor in cold shutdown. At the point in the event, when the pressure in the RCS is less than the pressure in the ruptured SG, the ruptured SG is isolated, and AFW is being provided to the good SGs, all 4.4-23
+
Table 4.4-6 Tg rmstent T SuEcess Criteria Smery Inforretion INITIATIR: Tg - Steam Generator Tibe as ture CONTAlfeENT CONTAlwENT (X)RE HEAT RCS PRESSURE SUPPRESSl(Pi CORE HEAT PRESSURE SUPPRESSION REACTOR' Sus:RITICALITY REn0 VAL, EARLY INTEGRITY EARLY REMOVA8_, LATE LATE O(DeEMTS 1/3 AFW Pamps Depressurize M/A 1/3 AFW Perup N/A Definition of RCS boundery RPS RCS to less. to egended to incitade SG; Mce to 2/3 SGs than SG-ftv 2/3 SGs SG integelty miest also be setpoint considered... u isolate E^ o MSiv o SB Blowdown Ilne o stese 11ne to TD permp, if in SG #1 . . . _ . . . . , _ .-. ._ , . . _ ~ _ _ . . _ - - . . . . _ ~ _ . . - . _ __ _ _ _ -_ _ . _ _ _ _ . - -
AFW OPER RVs STM BGTR RPS HPI 2/3 DEPRE CLOBE GEN LPI/R HPR BGs RC8 INTEG .l, TSG K Di L OD Q1 QB H3 H2~ Bequence l CORE
- 1. T89 OK
- 2. T8GQS OK
- 3. T8GQ1' OK
- 4. T89Q1R3 CD
- 5. T80Q1QS CD
- 6. T8 GOD OK
- 7. T8GODQ8 CD
- 8. TSGODQ1 OK y 9. T8GODQ1N2 CD
- 10. T8GODQ1R3 CD ,
- 11. TBCODQ198 CD ,
- 12. T8GL CD
- 13. T8GD1 OK
- 14. T8GD1QS CD l 15..T8GDigi CD i 16. T8GD10D CD
! 17. T8GD1L CD
- 18. T8GK. CD Figure 4.4-6 Event Tree for Tgg -Steam Ger.crator Tube Rupture L
1., _ _ . _ . _ _ ._ _ ~ . - . ._ . - . - . . -.-..-. - . _ - - - - - - _ _ . _ _ ~ - - _ - - - - - - - - _ - - . - - - - - - -
the success criteria defined by this analysts are satistled. Operation of those systems necessary to put the reactor in cold shutdown, and provide for cooldown of the ruptured SC were not modeled in the event tree. Sequence I represents successful mitigation of the initiator. Primary and secondary side pressures have been equalized, thus mitigating breakflow. SG integrity (and thus RCS Integrity) have been maintained, and heat removal is provided by the good steam generators. Sequence 2 represents a failure of steam generator Integrity. It was classified a safe state, although it violates the success cr teria, because the timing of this sequence extends it well past the 24 hour mission time for evaluation. This se-quence includes successful depressurization of the primary syi. tem within 45 mluutes of-the initiating event. The leak rate would be reduced substar.tlally below the initial 600 gpm leak rate. Reducton of the leak rate to 200 gpm would extend the RWST depletion time to about 27 hours. Reduction to 10') gpm would extend the RWST depletion time to 53 hours. Should a loss of SG integrity occur after primary depressurization, the likelihood of not being able to mitigate a 100 gpm leak for over 50 hours was considered exceedingly small. I Sequence 3 represents loss of primary system Integrity (i.e., stuck open PORV), but successful coolant recirculation from the containment sump using 1.PR. PORY demand probability for this sequence was estimated to be .25, which represents intentional PORV opening to aid primary system pressure reduction. Secondary side Integrity is maintained throughout the sequence, thus preserving coolant Inventory and enabling long term cool-ant recirculation. Heat removal is through the steam generators. 51 flow in response to the PORY failure will empty the RWST, causing switchover to recirculation from the sump. Because the reactor has previously been depressurtred to 1000 pst in response to the tube rupture, it was assumed it could be further depressurized to allow. low pressure recirculation in the event that high pressure recirculation failed. High pressure recirculation is therefore not necessary, in sequence 4, failure to swltch to low pressure recirculation from the sump results in core damage. Sequence 5 represents unmitigated loss of coolant inventory from the steam generator which ultimately prevents required recirculation from the sump. The loss of RCS Integrity early in the event forces coolant recirculation from the sump; while the loss of SG integrity results in continued loss of coolant inventory to the atmosphere. Eventual inventory depletion in the sump will result in cavitation of the LPR pumps, thus leading to core uncovery. Because the operator has previously depressurized in Sequences 2 through 5, breakflows are low enough to provide substantial time for operator recovery actions to provide alternate sources of coolant injection. In Sequences 6 through 11 the operator has failed i to depressurize the reactor and thus inventory loss rates are much higher. ll Sequence 6 represents a mitigated SGTR with failure to depressurize the reactor. This ' sequence was delineated on the event tree, although it violates success criteria and therefore is not considered a possible outcome. Sequence 7 is similar to Sequence 2, except that breakilows are higher. Failure of the operator to depressurize, combined with loss of SG integrity causes the eventual depletion of the RWST Inventory through the unisolated SG. Recirculation from the sump is not possible. Sequence 8 is a safe state because the retention of SG integrity allows preservation of coolant Inventory and continued emergency coolant recirculation from the sump. The stuck open relief valve which occurred early in the sequence forces the requirement for recirculation from the sump. High pressure recirculation is required l 4.4-26 ! l 1 m,
because of the previous operator failure to depressurize the reactor. Sequences 9 and 10 l represent failure of coolant recirculation due to faults in the HPR/LPR systems. Sequence 11 represents a simultaneous loss of RCS Integrity and SG integrity. Continued safety injection is necessary to maintain RCS inventory. But the loss of SG integrity causes diversion of the coolant inventory outside the containment. The previous failure : to depressurlze the reactor results in high reactor pressure end thus maintains large i discharge rates. Questions of LPR and HPR availability were not asked at this juncture, because sump inventory would not be sulficient to estabilsh recirculation. ; l Sequence 12 is a tube rupture with loss of auxiliary feedwater. Response to loss of AFW j in other transients is to initiate feed and bleed cooling. But, feed and bleed requires ; sustained pressure in the primary system, which is counter to requirements of SG tube rupture mitigation. Due to limited previous evaluation of these circumstances, SG tube , rupture with loss of all feedwater was considered a core damage sequence. Sequence 13 represents a recoverable failure of safety Ir.jection. Early in the sequence, safety injection falls in response to the low pressurizer pressure. This is similar to an unmitigated LOCA, except that restoration of RCS Integrity is possible if the operator , performs rapid cooldown and depressurization of the primary. At the point where ! primary and secondary pressures are equal, the RCS outflow 16 terminated and thus there is no more need for coolant makeup. If these actions occur in a short enough time frame such that core covery is maintained and RCS inventory is sufficient to support steam generator heat removal, this represents an acceptable core cooling state. Sequence 14 leads to core uncovery through the combination of loss of SG integrity and failure of safety injection. Inventory loss is through the SG without the capability to makeup inventory. Sequence 15 is similar, except inventory loss is through the pres. surizer PORV. Sequence 16 represents failure to depressurize the RCS to limit leakage. Continued breakflow through the ruptured tube leads to core uncovery. Sequence 18 is an ATWS sequence, as discussed in the previous section. ATWS was not considered mitigatible when combined with a tube rupture. 4,4.7 Large LOCA (A) Event Tree This subsection presents and discusses the event tree for the large LOCA (A) initiating event category. l~ i 4.4.7.1 Success Criteria for A Event Tree Success criteria for the large LOCA event- tree are presented in Table 4.4 7, Large LOCA Success Criteria Summary Information. The following paragraphs specifically address the application of these success criteria to the evaluation of A sequences. It is assumed that the reactor subcriticality function is performed by the volding of the core during large LOCA blowdown. Successful injection of the RWST will maintain the core in a subcritical state. Therefore, RPS is not required and is not included as a heading on the A event tree. This is consistent with past PRAs. 4.4 27 , 1
- , .r*,_,- V ,n. .
_ m-
. ;4
,n e
n
- Table.4.4-7 _
s.. Large LOCA Success Criteria Sumary Information u INITIATOR: A - Large LOCA (6" < D < 29") _ e CONTA998ENT ~ CONTA98SOff
. REACTOR CORE HEAT RCS RtESSURE SUPRtESSDON CORE HEAT- PRESSWEE SUPRIESS604 SUBCRITDCALITY REMOVAL, DWtLY . DNTEGROTY EARLY. stEMOWAL, LATE ~ LATE COMMENTS
- i
- a
. J Ik Not Required 1/2 LPl Not Appilcoble BCS 1/2 LPR. 1/2 CSS w/MC-t 2(e) Ot + co (e) ' and ( f ) -- -- , . 3/3 Intact. AQ:. t/2 (.PR w/Mt (b, c, d) - - -(g). t r w q .,-
- 2 e.
F w a
?,' . ,' . (
~ -
b e-W% ='m+ 1 vey - g e sse yf w* mW 4 mwyq,ge .i s ugregwM Mp,.si.e w e.gny'um- 4-Q -w yv.sgr m p s' & # 4'g'-
- w 'D-es # qq-
-. gaieu dgetw=uvCW *e ,4 m.==W-YTF8Pr* % f"4C T'f'FT WS*N "=v'e*Mw'*" ret 7D*4 m 'e e9 **--6'es# am-v-*e-ww- w emre r_w,% "
.ws == -mme- -=-.--=-i-----------.--.__-
Notes To Table 4.4-7
- a. Reactor subcriticality is assured regardless of RPS success or fallure. If RPS falls, .
the reactor will still be made subcritical by core volding and maintained that way by injection of borated water from the RV'ST.
- b. Although 2/4 HPI may also be success- for large LOCA, (see Millstone 3 PSS
- p. 2.2-85), LPR would still be necessary in about 20 minutes. Very few faults would fall LPI but not HPI or LPP. Therefore, this success path is not considered.
- c. 71on, Millstone 3, and Seabrook PR As used 3/3 ACC to intact loops as success, while stating it may be conservative. Discussion with Duke personnel regarding the McCulre PP A Indicated that failure of all accumulators could lead to core damage (average core temperature above their cut-off value), but would probably not lead to core slump and vessel breach if LPI is available. Sequoyah RSSMAP used 2/3' ACC (to intact loops). We basis was not explained, but probably based on Surry which required only 2 ACC (for a 3-loop plant). Success for this study was assumed to be 3/3 ACC to intact loops.
- d. UHI was stated not to be required to prevent core melt in the Sequoyah RSSM AP.
Conversations with TVA NPC, and Duke support this based on removal of UHI at McGuire and Catawba " and TVA's plans to remove UHI at Watts Bar 1, and not Install it for Watts Bar 2. rherefore, UH1 is not required for successful mitigation of large LOCAs.
- c. Although the air return fan system assists in maintaining containment pressure below design basis by recirculating the containment. atmosphere through the ice condenser,it is not required to prevent containment failure.
The containment spray system is not required to prevent containment failure during the initial RCS blowdown if the ICS maintains design basis pressure until the Ice is melted (af ter one hour or more depending on break size). By this time, the CSI phase has ended, and recirculation begun.
- f. Zion and Sequoyah RSSMAP PR As required hot leg recirculation for large and intermediate LOCAs, while Seabrook PP A only required it .for large LOCAs.
Mllistone 3 PSS stopped the analysis before hot leg recirculation would be needed. For this study, hot leg recirculation is assumed to be required for large and intermediate LOrAs to prevent boron blockage. This operation will start in 15 hours, and the operators have more than 3 hours to perform the switchover,
- g. The Sequoyah RSSMAP used 1/2 LPR HX and 1/2 CSR HX for heat removal to prevent core damage and containment failure, and 2/2 CSP HXs to prevent containment failure af ter core damage. From the FSAR, the design basis for each CSP HX is 95E+6 BTU /hr while each LPR HX is 37E+6 BTU /hr. %e PSAR Indicates that one CSR HX and one LPR. HX remove suificient heat 'to start reducing containment pressure after about 2 hours.
Based strictly on a comparison of decay power and HX design capacity, 2 CSR trains match decay power at approximately I hour,1 CSR train at 10 hours,2 LPR trains at approx. 20 hours, and 1 LPR train at approx. 6 days. This excludes other means of heat removal such as passive heat sinks. However, Sandla analysis has shown that one LPP/H)' train, utilizing containment spray, is suf fielent to prevent
- Letter from 8. Tucker (Duke Power) to 8. R. Denton (USNRO). Hay 9.190s.
4.4 29
i i Notes To Table 4.4-7 (Continued) i containment overpressure. Heat removal rates for the LPR/HX at design l temperatures are Insufficient to maintain sump water . temperatures. Sump ! temperatures rise, the heat exchangers will operate at increased heat removal rates. Performing a . hest estimate calculation showed that sump water temperatures rise but containment pressure stays within des 18 n. l
- b. If LPR is available, the LPD-sprays are assumed available, and if LPR is not available for core cooling, then LPR sprays are assumed not available. These ,
assumptions are allghtly nonconservative and conservative, respectively, but have been calculated not to impact the analysis. t 9 t r i 1,. 5 4.4-30 ;
1 1 i The Mllistone 3 PSSOO) allowed 2/4 HP1 trains to provide successful core heat removal ! for a large LOC A in place of 1/2 LPI trains. However, LPR would still be necessary in ; about 20 minutes. Very few faults would fall LPI but not HPl or LPR. Therefore, the ' success path involving HPI during large LOCAs is not considered in this study. ; Successful core heat removal in the injection phase is conservatively assumed to require flow from 3/3 . This is consistent with past PRAr
' including Zion,gccumulators to intact RCgoops.
Millstone 3, and Seabrook. ] The Sequoyah RSSMAP(2) report stated that Upper Head injection (UHI) is not required : to prevent core damage. This claim is supported by the decision to remove UH1 at l McGuire and Catawba
- and by TVA's plans to remove UH1 at Watts Bar 1 and not to e install it at Watts Bar 2. Therefore, UH1 was not required for successful mitigation of '
t lar ge LOC As. Success of the Ice Condenser System (ICS) was assumed guaranteed and was not, thereiore, included in the event tree. The Air Return Fan (ARF) system assists in maintaining containment pressure below the design pressure by recirculating the containment atmosphere through the ICS, but it is . not required to prevent containment failure. The ICS doors open at 1.0 psid, which is reached in all LOCA sizes postulated in this study. Although the ARF system does impact hydrogen distribution in the case of a core melt, and may impact fission product transport and source terms, it does not affect core damage probabilities and is not - included in the A event tree.
- Success of the Containment Spray System (CSS) is not required to prevent core damage. .
Therefore, CSS is not modeled in the core damage event trees, but is considered in plant damage state development. It is assumed that hot leg recirculation from the ECCS is required after a large LOCA to prevent flow blockage due to concentration of boron in the reactor vessel. This is con-sistent with the Zion PSS and Sequoyah RSSMAP studies. Hot leg recirculation was , modeled to start at 15 hours and the operators have more than 3 hours to perform the switchover. Successful operation of one CSS train in recirculation mode with its heat exchanger (1/2 CSS-CHR) or 1/2 LPR trains, with heat exchanger, is adequate to remove residual heat from the containment and prevent failure by steam overpressurization. If LPR is available, it is assumed that LPR sprays are available. This assumption is slightly l nonconservative but has been calculated not to impact the analysis results. If LPR is unavailable, it follows that LPR sprays are unavailable. 4.4.7.2 Discussion of Sequences - The event tree for large LOCA is shown in Figure 4.4-7. Important dependencies, assumptions and limitations that apply to more than one event tree appear in Table 4.4-1. Sequence 1 represents a completely successful response to the intiator in which all i systems function as intended. The accumulators inject water immediately to accommo-date the initial high volume surge of water from the reactor cooling system. Low-pressure injection subsequently provides the high volume, low pressure flow required for continued core cooling. The residual heat removal system successfully maintains con-tainment pressures and temperatures at acceptable levels, as recirculation cooling is established from the containment sump to provide long term cooling.
. t..st.: reo. a, no.: coa. h..r> to n. a. D.nton cusime). May e. sees.
4.4-31 , w we
4
, LARGE LOCA LPI ACC- LPR ,
A D6 D5 H1 Bequence- l CORE
- 1. A OK
- 2. AH1 CD
- 3. AD5 CD y 4.~AD6- CD w
co < i
. I i
i I i
. Figure 4.4-7 -.
Event Tree for A-Large LOCA 1 _- _.__r_m_.____-____m__A_m_---_e.- _a_ _amr_ _ _m.i - . _..__.____m__w______.m_..w-t_- - - -- war--v'- -w . -r7e i C^e*- - *- t vs "ve'y e* -w*wT=***-*e ewhww-Ve*<:-- -- _-_-________m_m__ __._,-_ .__-_,._._ _ _
Sequence 2 leads to core damage because of a failure to provide low pressure recircula-tion cooling. No other system can provide the volume of flow needed under large LOCA conditions. Sequence 4 represents failure of the ECCS to respond early in the scenarlo to provide the high volume, low pressure injection flow needed to cool the core, thereby leading to core damage. In Sequence 3, the accumulators fall to inject water immediately as the pres-sure in the reactor coolant system drops as a result of the large break in the cooling system pressure boundary. This sudden loss of coolant inventory causes core damage. 4.4.8 Medlum LOCA (Sg) Event Tree This subsection presents and discusses the event tree for the medium LOCA (Sg) Initiating event category. 4.4.8.1 Success Criteria for Sg Event Tree Success criteria for the St event tree are presented in Table 4.4 8, Medium LOCA Success criterla Summary Information. . The following paragraphs specifically address the application of these success criterla to the evaluation of S sequences. 3 The two safety functions required in response to Si in the injection phase are core heat removal and containment pressur suppression. Two safety functions required !n the recirculation phase are core heat removal and containment heat removal. If all of these safety functions are successfully performed, the core will be placed in a safe condition. Success of RPS or HPI will provide reactor suberiticality. However, HPI is required for core heat removal. Therefore, RPS does not perform a unique function and is not inclu-ded as a heading on the S g event tree. HPI is included as part of the core heat removal ' success criteria. Success of ICS is assumed guaranteed and therefore provides initial containment pressure I suppression. Core heat removal in the injection phase reculres 2/4 HPI trains. Core heat removal in the recirculation phase requires 1/4 HPR trains with 1/2 LPR trains. Developmee of these success criterla is discussed in the following paragraphs. The Ilon, Millstone 3, and Seabrook PRAs used different success criteria for core heat removal in the injection phase. 71on used 1/2 Centrifugal Charging Pumps (CCP) and 1/2 Safety injection (SI) pumps. Mllistone 3 used 1/4 HPl pumps (HPI is defined as CCP and Si combined). Seabrook used 2/4 HPI pumps. The Sequoyah RSSMAP study used 1/2 CCP and 1/2 St. Since 1/4 HPlis acceptable for S 2(see Subsection 4.4.9) below, and the flows from the CCP and $1 pumps are very similar as RCS pressure drops,2/4 HPI was selected as the success criteria for this study. It should be noted that the Zion PSS also required I/2 LPI for Sg but called this additional requirement conservative. This additional regulrement was not included la the Sequoyah - RSSMAP study, in the Millstone 3 PR A, or in the Seabrook PR A. Millstone 3 performed specific thermal-hydraulle analysis to determine that only 1/4 HPI, and not LPI, was required. The recirculation switchovbr at Sequoyah occurs in 20 minutes for S j
. At this time, it is assumed the RCS has only partly depressurized during the injection phase.
Therefore,in this study LPIis not required for core heat removal in the injection phase if H Pl succeeds. 4.4-33
Table 4.4-8 Medium LOCA Success Criteria Sumary Information IMITIATOR: Sg - Medium LOCA (2" < D < 6") OMTAlsSEEsfT (EstT A 98SOff REACTOR CX)RE DEAT RCS PRESSURE SUPRtESS908 . CORE HEAT futESStAE SUF99tESS904 7 s SUBCRITICALITY REse0FAL, EARLY serTEGRITY EARLY REeENAL, LATE- 1. ATE CGuesTS b Not Regelred 2/4 IFl teot Appliceble 9CS t/4 NFut 1/2 CSS w/* 1. Neocter seterittestify 8s (e) (b,c,di ead Gt provided tpf InJoefles, of t/2 L89t 1/2 Lfut w/MK w roted wet e tpr ECCS. (f. g, hl
- 2. 8tCS in+egrity is lost es e direct resett of the Initletor.
- ~ , , s. , ..v., , -, , s v.~-, s-~ ~ r w - w. e v' ~ ,-&" ' - v ~ , -s-~e s-
- ww m 'r vm - ----------,----x-- - - - - -- . - - - - , - - -
Notes to Table 4.4-R i
- a. Reactor suberiticality is assured regardless of RPS success or failure. If RPS falls, the reactor will still be made-subcritical by injection of borated water from the R WST.
- b. Zion, Millstone 3 and Seabrook PRAs used different success criteria (Zion = 1/2 '
CCP and 1/2 Si, Millstone 3 = 1/4, and Seabrook = 2/4). Sequoyah RSSMAP ined 1/2 l CCP and 1/2 St. Because the flow from the CCP and Si pumps are very similar as ; RCS pressure drops, a 2/4 success criteria was selected.
]
Also, Zion PSS used 1/2 LPI for S i but called it conservative. This was not required in the Sequoyah RSSMAP, Millstone 3, or Seabrook PRAs (Millstone 3 did special T-H analyses to determine LPI not required and only 1/4 HPI required). Recirculation switchover at Sequoyah occurs in 20 minutes, when the RCS has only partly depressurized. Therefore, LPI is not required for Sequoyah for Sj . However, the LPI pumps will start upon receipt of an 51 signal and the mlniflow valves must open in order to prevent dead heading of the pump.
- c. Zion, Seabrook and the Sequoyah RSSMAP PRAs did not require accumulators for while Mllistone 3 used 3/3. McGuire analysis indicated that even for success large LOCAs,for Sj,ACC were only marginally required to prevent coreSince damage. <
the Sg should be less demanding than large LOCA, ACCs will not be required for Sg !
' success.
- d. UHI was stated not to be required to prevent core melt in the Sequoyah RSSMAP. i Conversations with TVA, NRC, and Duke support this based on removal of UHi~at
- McGuire and Catawba
- and TVA's plans to remove UHI at Watts Bar 1, and not i install it for Watts Bar 2. Therefore, UHI is not required for successful mitigation of Sg.
- e. Success of the ICS is assumed, thereby assuring containment pressure suppression.
- f. Zion and Sequoyah RSSMAP PR As required hot leg recirculation for large and inter-mediate LOCAs, while Seabrook PRA only required it for large LOCAs. Millstone 3 .
PSS stopped the analysis before hot leg recirculation would be needed.- For this ; study, hot leg recirculation is assumed to be required for large'and intermediate LOCAs to prevent boron blockage. it Is assumed that this operation will start in 15 - hours, and that the operators have at least 3 hours to perform the switchover. ,
- g. While the Zion PSS did not require HPR, the Millstene, Seabrook, and Sequoyah RSSMAP PR As did. Also, recirculation - switchover at Sequoyah occurs in approximately 20 minutes, before the vessel is depressurized. Therefore, HPR is i l
required for this study
- h. LPR success requires previous success of LPl in the mlniflow recirculation mode to -
prevent dead heading the pump during the injection phase.
- 1. If LPR is available, the LPR sprays are assumed _ available,'and if LPR is not available for core cooling, then LPR sprays are assumed not available. These assumptions are slightly nonconservative and conservative, respectively, but have been calculated not to impact the analysis.
- Letter trom B. Tucker (Duke tower) to R. R. Denton (USNRC), May 9,1985. T l 4.4-35 '
l
The Zion :and Seabrook . PRAs and the Sequoyah RSSMAP study did not require accumulators for successful core heat removal for Si , while Millstone 3 required 3/3 ACC. McGuire analysis indicated that even for large LOCAs, ACCs were only marginally required to prevent core damage. Since Sg should be less demanding than A, ACCs will not be required for successful core heat removal in the injection phase for Sg in this study. The Zion PRA did not require HPR, but the Millstone and Seabrook PRAs and the Sequoyah RSSMAP study . did. Recirculation switchover at Sequoyah occurs in approximately 20 minutes, before the RV is depressurized. Therefore, HPR is required for successful core heat removal in the recirculation phase in this study. LPR requires the previous success of LPI in the mlniflow recirculation mode to prevent dead heading the pump in the injection phase of the sequence. 4.4.8.2 Discussion of Sequences The event tree for S gis shown in Figure 4.4-8. Important dependencies, assumptions and 'l limitations are found in Table 4.4-1. 'l i Segence I represents a completely successful response to the initiator in which all ; systems function as intended. High pressure injection immediately provides the high j pressure flow required for core cooling. The accumulators inject water to accommodate q the initial high volume surge of water from the reactor cooling system. The residual ; heat removal systems successfully maintain containment pressures and temperatures at acceptable levels, and low pressure recirculation cooling is established to provide long term cooling. Sequence 2 leads to core damage because of a failure to provide high pressure recircu- ; lation cooling. Sequence 3 denotes failure to establish low pressure recirculation from , the sump, which is required to support high pressure recirculation. Sequence 4 represents failure of the ECCS to respond early in the scenario to provide the high pressure injection flow needed to cool the core, thereby leading to core damage. 4.4.9 Small LOCA (S2) Event Tree This subsection presents and discusses the event tree for the small LOCA (S 2
) Initiating j event category.
4.4.9.1 Success Criteria for S2 Event Tree Success criteria for the small LOCA event tree are presented in Table 4.4-9, Small . L LOCA' Success Criteria Summary Information.. The following paragraphs specifically address the application of these success criteria to the evaluation of S 2sequences. Success of RPS is required for reactor subcriticality. The ICS is assumed available, thereby providing containment pressure suppression for S2 LOCAs. . The primary method of core heat removal is by HPI and AFW. Should AFW fall, " feed and bleed" can be utilized by opening an additional PORY. Successful feed and bleed requires operator action to open one PORY. k 4.4s36
k R KDDD O OCCC C l e c n e 2 4 2 u HHD q 11 1 1 e 8 8 88 B 1 2 3 4 A C R O P 2 L H H m u i 8 d 4
- e R 4 M-g / 4 r e S I H u g
r o P i f L F e e r I T t P 2 n e - H D E v A C 1 DO 8 EL M Cb - l
Table 4.4-9 Small LOCA Success Criteria Sumnary Information INITIATOR: $2 - Small LOCA CONTAlteqENT CONTAlteqENT CORE HEAT RCS PRES $URE SUPPRESSION CORE HEAT PRESSURE SUPPRESSION REACTOR REMOVAL, LATE . LATE CapeqENTS SU9 CRITICALITY REMOVAL, EARLY INTEGRITY EARLY I 1/2 CSS w/HX,
$ RPS 1/4 IFl Not Applicable Not Required 1/4 HPR and and M 1/3 AFW, 1/2 LFR w/HK 1/2 LIR w/HK m (d) (e) 1/4 HPI and Feed and Bleed (a, b, c) i-
~ ' # T W' ,---w-.g -.+mg.- ,p __
'i j
l l Notes to Table 4.4-9 a.' In the event of HPR failure, operator action _ to depressurize the RCS using SGs and l then inject directly with LPR (secondsry blowdown) was Included as a recovery action, , j
- b. Sequoyah RSSM AP used 1/2 CCP and 1/2 St. Zion, Mllistone, and Seabrook used l l 1/4, and IPCOR used 1/4 hased on MAAP analyses. RETRAN analysis of $2 D at l Sequoyah (EPRI NP-3835) also indicated I/4 is success. Therefore,1/4 HPIis used. ,
l l
- c. Main feedwater pumps and Isolation valves are tripped on'an $1 signal. MSIVs close -
on phase B isolation signal. Therefore, no credit was given for the operator to > l-reestablish MFV', or depressurize the SGs and establish FV' with the condensate , booster pumps and hotwell pumps. Feed and bleed was required in response to loss ; of AFW.
- d. Normal closed cycle shutdown cooling is not used as a ' success path for small LOCAs in this study because break size was considered large enough to preclude-RPR operation in this mode.
- e. Also, if LPR ls available, the LPR sprays are assumed available, and if LPR is not available for core cooling, then LPR sprays are assumed not available. These assumptions are slightly nonconservative and conservative, respectively, but have been calculated not to impact the analysis. ;
O T c { r k b S l 4.4 39 1
'/.-
For HPl. success criteria,' the Sequoyah RSSg study used 1/2 CCP and 1/2 51. Zion, Millstone, and; Seabrook . used 1/4. lDCOR - used 1/4, based on Modular ' Accident Analysis gg' gram, (MAAP) analyses. RETRAN analysis of the 5 2D sequence at
'Sequoyah also indicated 1/4:is adequate for HPI success.' Therefore,1/4'is used in this study. ,
Core heat removalin the recirculation phase can be provided by HPR and LPR. q Regarding safety- system success criteria for core heat removal in the recirculation
- phase, Zion, Millstone 3; Seabrook, and Sequoyah RSSMAP used 1/4 HPR and.1/2 LPR.' In addition, MllistoneL 3 and Seabrook allcwed secondary blowdown with 1/2 LPR, and -
~
-normal closed cycle shutdown cooling .(without HPR) as two alternate success' paths. - i Secondary . blowdown: with; 1/2 LPR,is not included in' the event tree analysis, but-is -
~
included in th.e recovery analysis for those sequences where it is applicable.. ! Normal closed cycle cooling is not used as a success path because the size of the break is I considered to preclude its operation. l Containment sprays are not required for containment pressure suppression or heat remo-val. The sprays are expected :to come on in a small break, however, and impact 'the . timing of the sequence. Sprays were put on the event tree to include the impact of their failure on sequence progression.- t 4.4.9.2 ' Discussion of Sequences - The event tree for S 7 1s shown in Figure 4.4-9. Important dependencies, assumptions and limitations are found m Table 4.4-1. ? Sequence I represents a completely successful response to the initiator in which all systems' function as intended. The reactor protection system successfully scrams the reactor.- High pressure injection provides the initial high pressure flow required to replace the lost inventory. The auxiliary feedwater system provides core heat removal via the Mo.m generators. The containment sprays come on shortly after the SI signal. RWST vpetlo_n occurs in about 20-30 minutes, thus forcing coolant recirculation from
'the sump. - Due to the timing of recirculation, the operator does not have time to de-pressurize the reactor. Thus, high pressure recirculation. is required. Sequence'2 e
represents failure of high pressure recirculation, which leads to core uncovery. This sequence is recoverable by secondary blowdown,"thus allowing LPR to inject. Secondary blowdown is considered in the recovery analysis. - Sequence 3 represents failure of LPR L from the sump. This sequence is not recoverable with secondary blowdown. p Sequences 4 through 8' represent small breaks with failure of containment sprays. j Containment sprays are not needed' for containment pressure suppression or heat re-
^
l y moval. Pressure suppression is provided by the Ice condenser; and heat removal is provided by AFW, and later by LPR/HX. Failure of sprays changes the timing' of the sequence by extendir\g the injection phase of ECCS. The operator has ample time to cooldown: and depressurize,' thus negating the need for HPR. Sequence .4 represents o successful mitigation, and Sequence .5 represents core damage due to the failure of
.LPR. In Sequence 6, the operator falls to depressurize, but successfully goes to HPR.
l Sequence 7 'is failure of HPR, and Sequence 8 is failure of LPR.- 1r Sequences 9 through 11 represent a small LOCA with simu'.terous failure of AFW Feed and bleed cooling is necessary in order to prevent core da nap ?. No credit was given for i main feedwater in this circumstance because the MFW pump; are isolated on an Si signal 4.4-40 ! i
t' .- [ - BMALL AFW PORVsl CONT. OPER. LOCA RPS MPI 2/4- OPEN SPRAY DEPRI LPI/R HPR ,- 8Gs INJCT RC8
'82' K D1 L1 .P1 'FI' OD R3 .R2 . Bequence lCOR8l COfUtENTS l
- 1. 82- OK
- 2. : 82H2 - CD
- 3. 82H3 CD '
- 4. 82FI- OK
! 5. 82 FIR 3- CD-
- 6. 82FIOD- OK >
17.'82FIODR2 ~CD
' 8. 82FIODR3- 'CD
-9.~82L1' OK-I 10. 82L1R2 CD j.
- 11. 82L1R3 CD'
- 12. 82L1P1 CD y 13.'82D1 CD'
.. -2 14. 82K, -- XFER TO'ATW8 i= ., l 1 l I
- Figure 4.4 Event Tree for S2-Small LOCA
~
~
I 4.w.y_ m $g ery .'Naade-g p w k. y ==*ad--- , 3y v:e '.,-.. =y,rwevry-,.,e,> - g dima*#. fb v eil t p - g5 ,,__ _ ____,, y.e - *ue < '-*
i and the MStVs close on- a phase B isolation . signal. Previous success of Dy in this sequence guarantees that charging flow is being provided. Failure of AFW can be mitl'- gated-by opening a- single PORV to increase breakflow and thus remove more decay heat. Sequence 9 represents successful feed.'and bleed cooling, including long term recirculation cooling after a successful injection phase. Sequence 12 is failure to open af PORV.
. Sequence 13 represents failure of high pressure ECCS to respond to the small break.
Sequence 14 transfers to the ATWS tree, f 4.4.10 Very Small LOC A ($3) Event Tree This section presents and discusses the event tree for the.very small LOCA initiating - : y, event. This event is identified by the symbol S3 in the event tree-l. L 4.4.10.1 Success Criteria The success criteria for S3 are shown in Table 4.410. They are very similar'.to the S2-criteria. However, timing considerations due to the' impact of the very smal.1 leak rate have a significant impact on the recirculation requirements. The discriminating features for small breaks are that closed cycle RHR cooling is possible, and the operator may be able to control containment sprays, thereby prolonging the injection phase of the acci-dent. If the break size is small enough that sprays never actuate, the reactor may be .. cooled 'down, depressurized and put in shutdown cooling before RWST depletion, thus l negating the need to go to recirculation. J Also for $ 3, the break size is small enough so that closed cycle RHR operation is considered possible, regardless of the break location. The' possibility of the operator controlling containment sprays was considered to be ~a function of the break size and the operator's actions.LLarger break sizes will repres-surize containment, thus reactivating sprays, regardless of the number of times the operator turned them off. Assuming the operator is acting within the - emergency. procedures, it is not considered possible to prolong the . injection phase much beyond 60 minutes if the break size is large enough to repressurize containment after spray termination. Controlled depressurization to within LPR operating range is not any more likely within 60 minutes than it is within 30 minutes. High pressure recirculation will still be required at 60 minutes. All other S 3 success criteria are similar to 2S criteria.
)
4.4.10.2 Discussion of Sequences
~
The event tree for S 3 si shown in Figure 4.4-10. The important functional and pheno- ' menological dependencies as well as general assumptions and limitations are stated in Table 4.4-1. t Sequence 1 represents a completely successful response to the initiator in which all systems function as intended. The reactor protection system successfully scrams the.- reactor. High pressure injection provides the high pressure initial flow required for cotinued core cooling. Auxillary cooling is initiated, the break is small enough to allow - control of the' sprays, the operator depressurizes the RCS, and residual heat removal system is available to provide shutdown cooling. > Sequence 2 addresses the case where residual heat removal system is unavailable and low pressure recirculation cooling is required to provide long term core cooling. If LPR falls
-(as in Sequence 3), then core damage will result.
4.4-42
- - 7 . - - - . . ,- .. .
~
- Table 4.4-10 Very Small LOCA Success Crit'eria Sumary Information -
INITIATOR: S3 - Very small LOCA - . C(MAINMENT - CONTAlteqENT . REACTOR CORE HEAT RCS PRESSME SUPPRESSION. - CORE HEAT - 5HESSORE SOPPRESSl;N SU9 CRITICALITY REMOYAL, EARLY INTEGRITY EARLY REMOVAL,l. ATE .' LATE - . Cope 4ENTS
-1 RPS- 1/4 Pl Not-Applicable Not Required ~ Operator Depressurize .1/2 CSS w/HX, and and - OR 1/3 AFW,- RHR SOC (1/2 LW w/HX OR ~OR- - (d) -
1/4 HPl Operator Depressurize and and - Feed and Bleed '1/2.LPR (a, b, c) OR:
.1/THPR and
'1/2 LPR-
+-
w > a v: .~~ ..L- -,_ _ ~ _ = - + ~
~
~ ~ ~n - + . + ~ , . - - -
.x'-- <- --i. - ,-e~-~ n,- n , ~<,'.c... .....--,-.;-- - . ,
e 1
. Notes to Table 4.410
- a. In the event: of- HPR' failure, operator action' to depressurize the' RCS using SGs
--(secondary blowdowri) was included as a recovery action. ..
b .'- Sequoyah RSSMAP used 1/? CCP and4 1/2 St. 71on, Millstone, and Seabrook 'used y
- 1/4, and IDCOR used-1/4 based on MAAP analyses. RETRAN analysis of S2 D'at Sequoyah (EPRI NP-3835) also Indicated I/4 is success. Therefore,1/4 HPI is used.,
c.- . Main feedwater pumps and Isolation valves 'are tripped on an.51 signal.' MSIVs close on. phase B isolation signal.' - Therefore, no credit; was giventfor the cperator to 0 reestablish MFW, or depressurize the- SGs' and establish FW with the-condensate ', booster pumps and hotwell pumps.-.: Feed and bleed was required in response to loss >
- of AFW. : ~ 'te d'. - Also, If LPR'is available, the LPR spr'ays.are assumed available,~and if LPR:Is'not -
availablel fort core cooling, then LPR spraysi:are! assu'med not ;available.n-: These assumptions arei slightly nonconservative and conservative, respectively, but have ' 9
- been calculated not to impact the analysis.
l,,- t { i a Y 4,4.44
~'
p> yERY- UW NJRVs CONI PR TER SMALL RPS IIPI 2/4 OPEN SPRAT r',18IRL tTPRZ RNR LPl/R 11PR LOCA 3Gs INJCI SPRAY RCS S3 K 01 L1 P1 FI' OC* ~0D Ut M3- N2 se<raence - l core l CDeENIS -]:.
- i. s3 M --
I -2. 53U1 OK I' 3. s3utn3. CD
- 4. 33co a-I 5. 530DM2 CD
- 6. 53aDM3 CD
- 7. 330C- M I 8. 330C#2 CD !
9.. S30tM3 : CD
- 10. 53FI - .M I 11. 53FIw1 M I 12.'~ s3F tvin3.- 1 CD
- 13. 53F100- -L OK I' $4. $3Fl0DN2 : CD
,a 15..s3r100n3 CD A '6. 53L1 M 1
en I 17. 53L1M2'- -CD
- 18. S3t1M3. '
'CD 17.~S3L1P1 CD M. s301- Ce
- 21. 53K --
XFER TO ATWS i
.: Figure 4.4-10 .
' Event Tree for Sf-Very Small LOCA
. . . . . . _ . . . . _. s , _ , _, ., . _ . , , , . . , , . , - . . _ ~ . , . . ~ ., . _ , . . . _ . ....._,_;. . . . , , _ _ _ , , _ . . _ , _ . _
.[ N
- Sequences 6,l5, and 6 address the cases where the ' operator does not' depressurize the RCS< - Continued blowdown, leads- to. RWST Edepletion - which ' forces recirculation.
. Sequence 4_ represents successful switch to high pressure recirculation. _ Sequences 5 and 6 represent core damage due to failure of high and low pressure recirculation.-
in Sequences 7 through 9, the break size is large enough so'that containment sprays can not be controlled sufficiently. to allow time for primary depressurization. Recirculation is forced early, thus requiring high pressure recirculation. Sequences 10 through 15 involve the unlikely failure of containment sprays., This ensures -
- a prolonged injection' phase. Sequences 10 through -15 are analogous to Sequences 1 through 6.
Sequences 16 through 19 represent all cases in which the primary mode of steam genera-tor feedwater supply is losti in this instance, it is necessary to establish feed and bleed . cooling. 1 Both PORVs must be_ open;to. allow water to flow- from the RCS to remove
~ decay heat., A single Si pump or charging pump is required to supply makeup to replenish
- the PORV discharge. It feed and bleed cooling is not established (Sequence 19) , then core damage results. Sequence 16 represents successful feed and bleed cooling followed ~ -;
by long term cooling in the recirculation-mode. 'If either high pressure or. low pressure recirculation cooling is lost (as in Sequences 17 and'18), then core damage results.s a In Sequence 20, the ECCS falls'to respond to the LOCA initiating event and to provide ; the initial high pressure injection flow needed to cool the core. tin Sequence 21, the RPS ;
-falls to scram the reactor, which transfers to the ATWS event tree for further analysis. j 4.4.11 Anticipated Transients Without Scram Event Tree .
ATWS events for Sequoyah were evaluated using a special event tree. Sequences with~ j failure to scram were transferred from other event trees to the ATWS tree.' This section discusses the ATWS evaluation. 4.4.11.1 ATWS Model Development and Success Criterla Definition The principal ATWS analytical work which has been used by the industry to determine E phenomenolog9) issues and success criterla' for Westinghouse plants was published.in' q WCAP-8330. Subsequent ATWS evaluations have' produced refinements:In some }' phenomenological areas and have generated more analytical results to support alternate success criteria. The intent of this study was to develop an ATWS model which included all phenomological issues previously identified and which was based on consensus success criteria. i A review was performed of previous ATWS analyses from the following sources:
- j NUREG-0460((28) 22). ;
SECY-83-g3 '
- Zion PRA III ) )
Indian Point Pg
- Seabrook PRA i Millstone-3 PRA(10) ;
W - Owners Grgig ATWS Rulemaking Comments (27)
- NUREG - 1000 t J
4.4-46 l
1 p , l Based on this, review, the success criteria in Table 4.4-11 were developed. The basis for ,; E selecting the success criteria for this study.are discussed below. ' The document review indicated a significant distinction in success criteria for. transients-initiated at high power, and those initiated from low power. Zion, Indian Point and-Seabrook used 80% as the demarcation line for high and low power, while Millstone and . the WOG used 25E The relationship between power level and pressure rise is not well enough documented in the references to select which power level is' appropriate. This - study chose 25%, because the initiating event data reviewed in Section 4.3 of this report was correlated to 25E The final frequency of high power transients calculated for this study is 4.8/yr, which is slightly larger than the value ot 3.6/yr used in.the WOG -
- comments and 4.0/yr used in SECY-83-293. ;
i Selection of success criteria for this study was based on not allowing RCS pressure to exceed 3200 psi.-.This value was chosen because it corresponds to stress level C limits of the ASME Code. 1 Peak RCS pressure- is related to the value, of : the reactor's moderator temperature ) coef ficient (MTC) at the' time .of ATWS. There exists a critical value cf 'dTC, above - i which there is.insulficient negative feedback to maintain RCS pressure below 3200 psi l regardless of. relief valve operation. For this study, the important parameter is the j percent of time the MTC is above the critical value, rather than the critical MTC value ' ' itself. However, it appears the critical MTC value is -7pcm/ F. = Based on the document - 1 review, an upper bound -value of 0.05 and a lower bound value of 0.001 was selected for. o the percent of time unfavorable MTC exists. ~ Relating these to 95th percentiles of a log ) normal, translates to a mean value of 0.014 with an error factor of 7. f 1 Transients initiated from low power have no restrictions on MTC. Pressure can be i maintained below 3200 ps! for transients initiated from low power, regardless of MTC,if ! relief valve opening is successful. j In addition, NUREG-0460 develops the further discrimination t' hat 'if MTC is very j ' negative, reactivity feedback is great enough to maintain pressure below 3200 psi, even-if multiple relief valves fall to open. Failure of pressure relief under conditions of very j low MTC is therefore considered a negligible contributor to core damage; The amount of i time a very low MTC exists was taken as 0.5, from NUREG-0460 - .:
\
NUREG-0460, SECY-83-293, Zion,. Indian Point, Millstone ~and the WOG comments all i required. turbine trip for transients from high power in order to prevent core damage. ; .. Thus, turbine- trip was required for all loss of main-feedwater events from high power
- l. except when very low MTC exists. Failure to trip the turbine may lead to overcooling of i l the RCS cold legs which would add positive reactivity to the core. This would aggravate q
- the ongoing ATWS and lead to overpressurization of the RCS, regardless of the pressure ;
relief capacity that was available. Turbine trip was not required for transients from low i: power. Primary pressure relief requires three SRVs. Since PORVs at Sequoyah are approximate-ly 1/2 the capacity of SRVs, two SRVs and two PORVs were also allowed. This relief 1 capacity was sufficient to maintain pressure below 3200 psi, if .MTC was below -7 ' pcm/ F and turbine trip was successful. Emergency boration and SG inventory makeup were required for all ATWS events, regardless of power level. SG inventory could be supplied by MFW or 700 gpm flow from AFW.- These criteria are consistent with the Zion PRA study. 1 4.4-47 !
-l Q
.u -
Table 4.4 ATWS' Success. Criteria Sucunary Information EVENT: ATWS Rc5 CORE HEAT RCS PRESSURE REACTOR SUBCRiitCALITY REMOVAL, EARLY INTEGRITY REllEF C0 AMENTS - x All SRY, PORY ' Turbine Trip 1. Entry into the ATWS tree'ess e s Manual insertion MFW of control rods by . OR must reclose -OR the RPS failed.. operator 2 MF MSiv closure . OR CR y 2.'AFW must be supplied to'3 of 4 SG. Emergency boration i TDP 3 SRVs . OR '3. If MTC <-20 pcm/ F'no pressure using I charging 2 SRVs and 2 PORVs' . relief required. pump, taking suction . from RwST, discharging
-4 If MTC >-7 pcm/ F pressure' relief through' the Boron
. not possible.
,A injection Tank, and i remaining at elevated
- 5. Turbine Trip..not required.
'$ temperature to maintain for low power.. Initiators, or' subcriticality.
If MTC is very low. 6.-MTC criteria apply to high. power only., v
.r
- ^ i . i u.. - ._.._..,C'm _ , , , _ . _ , , ,
_.._E,,',i.
~ ._. mum._.i.zi_C. _.. _.w -
_._._.m_.,
, --, m.+~
__-e- _ _m% ..
1-NtfREC-0MO, Zion, Indian Point, Seabrook and the WOG allow mitigation of stuck open relle valves under certain conditions. SECY-83 293 did not address these failures. This - study considered that stuck open relief valves during ATWS would beisafely mitigated if HP1 was successful. Failure of a PORV or SV to reclose would lead to a demand for HPR for long term core cooling. HPR _would not he required until the RWST was depleted, at which time the reactor would be subcritical due .to previous boration. The branch for Q then represents a transfer to the S2 LOCA tree. 3 4.4.11.2 . ATWS Event Tree and Phenomenology ~ The ATWS event tree is shown in Figure 4.4-11. The headings were developed to include all of the essential phenomenological considerations which were discussed in the previous ' section. Containment systems were not included on the event tree because ATWS events - do not impair the operability of any containment system. Each of the headings on the tree is discussed below.- R - Manual Reactor Trip - This-is the first heading on the tree. If the operator manually scrams the reactor, ATWS is over and there are no further unique mitigative ; requirements. Manual reactor scram must occur with one minute. This can be done by_ energizing the shunt trip from the control room.which opens the reactor trip breakers. 1 PL - Power Level - This heading does not represent an action or a system failure, but is - 4 a logic model convenience to delineate different success criteria for the high' and low - power condition, o { a 2 - Moderator Temperature Coefficient ' As with the power level heading, this is a' logic lj model convenience to delineate the three conditions of MTC. The use of two headings, Zi and 2, separates the tree into three regimes. 7 g is very low moderator temperature I coeificient (less than -20pcm/F) and 2 is unfavorable MTC (greater than -7pcm/F). T - Turbine Trip - This heading identifies the requirement to trip the turbine within one minute of the initiating event. i Pa - Primary Pressure Relief - This heading identifies the need for the SRVs and PORVs to open to maintain pressure below 3200 psi. < ymet by MFW or enhanced AFW,AFW - This heading represents a requirement for SG inventor i g - RVC - This requirement is for all relief valves to reclose af ter the initial pressure spike subsides. If a PORV or SRV falls to reclose, it causes a requirement for HPI flow from Si or charging pumps. Dn - HPI - This heading represents the need for emergency boration, using the charging l pu'mps in the safety injection mode and the boric acid transfer pumps. l 4.4.11.3 ATWS Sequences l Sequence I represents the case in which the operator responds to ATWS and is able to ! manually trip the reactor. If this cannot be accomplished, then the remaining sequences' in the event tree address the possible alternative responses of the plant to such a j
, situation.
1 4.4 49
~
L. i ' ): PWR U MIC MIC AFU - (i; HPI~ ATUS MRT LEVEL LOW UNF IBT PPR- 3/4 RVC. l SGs-1K R PL- Z1 Z- 'T P2 L2 02 D4 sequence l CORE l.
~
- 1. IK .OK-
!' I 2.'TKR OK
'! 3. TKRD4 CD-
- 4. 1KRo2- UK.
I 5. TKRc294 CD'
- 6. IKRt2 -CD' 7.~TKRP2 CD-
- 8. TKRT CD
~ 9. TKRZ - CD -
10.'TKRZ1 UK I 11..TKRZ104 CD-u 12. TKRZ102 UK I 13. IKRZ102D4 CD - t E 14.2TKRZ1L2 ' CD
- 15. IKRPL- OK=
I' 16.'IKRPLD4 CD.-
'17. IKRPLO2 . OK .
I 18. TKRPlo204~ Cl '-
- 19. TKRPtt2
~20.-IKRPLP2 CD ,
- Figure 4.4-11 Event Tr'ee for TK-Anticipated Transient Without Scram
_ _ _ _ _ = _ _ _ __ - -. . __ _. - . - - .
- a. . n -- -- - - , .-~. ~ .
. - . . . . . , - :- - : - -. -- .=_ _ ..
3 Sequence 2 represents f ailure to eff ect manual scram, almost entirely due to mechanical failures which can not be mitigated by manual scram. Sequence 2 is from high power with MTC in a high, but mitigable range. Turbine trip occurs, either manually or due to . circuitry that was not failed by the ATWS initiator. Turbine trip prevents overcooling I and thus does not exacerbate the existing reactivity imbalance. Primary pressure increases to the point where PORVs and SVs are demanded. Sequence 2 represents successful opening of sufficient relief valves to maintain pressure below 3200 psi, Auxiliary feedwater starts and maintains SG water levels. Emergency boration is i successful in establishing subcriticality and all relief valves reclose af ter the pressure 1 subsides. The sequence ends in stable hot shutdown with the reactor subcritical on boron. In Sequence 3, emergency boration is not successful. The reacter remains pressurized at some value higher than the R V set points. Continued power generation maintains this pressure and causes continued discharge through the relief valves. Due to the elevated primary pressure, the charging pumps can not maintain RCS invcatory, thus leading to degraded core cooling and core damage. Sequence 4 represents failure of the safety relief valves or PORVs to reclose, af ter boration has been successful. Although subcriticality is achieved in this sequence, there l remains a continual need for coolant makeup. This sequence transfers to the S tree for 2 evaluation of HPR, LPR, and containment systems. Sequence 5 leads to core damage in a similar manner to Sequence 3. Sequence 6 represents failure of enhanced AFW. Less of steam generator heat removal will cause the primary pressure to increase above 3200 psi in spite of successful relief valve opening. The continued maintenance of pressure above the shutoff head of the ; charging pumps will prevent boron injection. Unreplaced loss of inventory will lead to l core damage. Sequence 7 represents insufficient pressure relief in the RCS. Primary pressure will exceed 3200 psi. Potential outcomes of this sequence are a LOCA caused elsewhere due to the pressure and plastic deformation of the check valves on the injection lines, thereby preventing any inventory makeup. ' Sequence 8 is failure of turbine trip. The resultant overcooling will add reactivity to the core, thus aggravating the existing reactivity balance. { Sequence 9 represents those small percentages of times that the core parameters (MTC) are such that ATWS can not be mitigated at all. l Seauences 10 through 14 represent the percentage of time that MTC is so low that l turbine trip, and relief valve operation are not necessary to control primary pressure l below 3200 psi. Emergency boration and AFW are required, just as in Sequences 2 ! through 5. ( Sequences 15 through 20 represer.t ATWS initiated from low power., thereby eliminating the concern about MTC and turbine trip. Sequences 15 through 20 are similar to 2 through 7. 4.4.12 Event Tree Nomenclature Abbreviations used in the event trees are defined in Table 4.4-12, Event Tree Identifiers. l 4.4-51 l l
3:s;; ; I
~i_' /
r I 1 g 5 Table:4.4-12. Event Tree 11dentifiers'
; - A' Large LOCA (6" < D: < 29") - t Dl i~
s Failure of'high pressure-injection with 1/4 charging or safety: injection' trains.(S2.orl transients only)
- Failure of;high pressure-injection:with 2/4 charging or: safety. ,
D2 j
. injection trains (Sp only) i Failure of seal injection flow to reactor coolant pumps. from'1/2.
~
D-3 :
-charging: trains ;
m~
-D4
' Failure:of. emergency boration;from 1/2 charging trains'(ATWS only)
'?
DS
- Failure of cold leg Laccumulators with 3/3 intact trains > _l '
' D.
6
- Failure-of low pressure injection with 1/2: trains
.DC power .to- Unit'1'. Battery -Board 1: or = II; from Unit 2 Battery Board ~
DC' - Ill:or IV' , DG' - . Unit 1 AC power via Unit 2 DGs throughithetShutdownLutility Board-Fj -- Failure of containment: spray injection with 1/2' trains L Fr - Failure of containment spray recirculation'with-1/2 trains j Hi
- Failure. of low pressure--recirculation with- 1/2 trains' and hot' leg recirculation
.H'- -- Failure of high pressure recirculationLwith 1/2 charging or safety ,
i 2 injection trains j
.H 3
- Failure of low pressure injection in miniflow mode ?(1/2. trains) and ,
low pressure' recirculation:(1/2' trains);(hot leg not~ r'equired) q H 4
- Failure of low pressure injection miniflow mode (1/2Ltrains) and low -
pressure :recircult uor with hot-leg recirculation -;(1/2 trains). 3 K - Failure of automatic reactor trip j
, t t
L- i
- Failure of auxiliary feedwater from any 1 pump to 2/4 steam-generators , )
e i 4.^-52
, 3
.f ,
i l 1 Table!4.4-12.(Continued) l 9 Event Tree Identifiers , 1 Failure. of auxiliary feedwater to 3/4 steam. enerators from 2 PDPs or i L. 2 i
- 1? TOP (ATWS with MTC between -20:and-.-7;pcm/ F) or'2/4 steam ;
Lgenerators1(ATWS with MTC:less than -20 pcm/ F) t L SGTR - Failure of.. auxiliary feedwater from any 1 pump to 2 of 3 intact SGs.
-M ~ Failure of main feedwater 'or condensate.feedwater trains :
, o O.C 1 Operator, not able to control) sprays after a :small break .;
,a 0 0, -
Operator cooldown and depressurize RCS P 3 Failure- of PORVs and' block ~ valves to open.!(2/2 t rains) for ' feed 'and-bleed ' P 2 Failure of- primary pressure ' relief for ATWSb 3/3 SRV or 2/3- SRV and- - 2/2;PORV e Q-t - Failure of any relief valve, to _reclose- : y 02 - Failure of. any. safety or relief valve to reclose (ATWS only) - u 03 .- Failure of SG integrity during SGTR 1 I R - Failure to effect manual' scram - t S - Medium LOCA-(2"=< D < 6") i S 2 Small LOCA - S3 Very small LOCA' e T 3 Loss of offsite power. i T2 Transient with initial loss' of power conversion system and main- _ feedwater-T- 3 Transient with power conversion system initially available a T SG Steam generator tube rupture
.f Loss of 125 VDC bus "X" T -
DCX 1 1 t i i i
?
- 4.4-53 5 l' l s r
- m. 4
, c . _ - . _
b
h -. &
f . , . ) *} 6 mm a. , 4'-
~
3 +3 :
~
- g. xx i * ' ' t g .- .p..
- d4 _ 4 i
" ;3,g a p ;), , t? , , j
*. =
( T
*^:,;L_ '
t- f r p i f abl e'. 4.4.12 i Y Z, , x , , 4 , A< > Event-L Tree TIdentifie.rs:
, t
.w, ..
m, ..
, , ~ . ,
t < o . . . ..
- c.:q Failurejtolprovidell/2 RHR trains:during { shutdown lcoolingsmode'
, ;Wgy ' # '
- p : w. . . .
y - , n4m 1 7 >
.f, , r s .
, . V h LFailure of. componentJcool,ingJwater .to( reactor c'oolantipumpf
~
" ~
thermal ., Lbarriers'
- i 'P
^
m 4
'M' . . .
; y .-.-
, c :. -
.S. ,
YZ'1 J Percent ofitimei tuitiveryilow MTClesistsi ' t
+ >
1
, m 4
#- iPercent Jofi thne it' hit $ "unf avorabl e" ' tnoderator : temperature 'coef fi ci e At ;
J [b - 4 . Ez; .
=[(MTC)l exists: -
s9 4 3 *
--> j / '~
.I 5'
}3 I ); -
~
1
,'[_ _ y' J *
- , 3 7
fp' t i
' ' * :;y.
I 1 t ) 4'- ;i,'j- - epa A, . . '.-ili V - s ,g- p y ll, h tg a;- - t , . a ' sy,', r i g 1 1 '.5-1 I I,.. j , 4
$ ' 1
{ ._ _ . '
' ' l'g
' : t . :. ,._ ji_ .
4 s i e
'J l );
1 i ' l Sl >
, .' .1 4
)
jI
' i N-4:' ';f ij . ll r -
- .') ..
\ L %
g g 4 1
- i, d
>v
. ' 5
.q E ..y
{ O' , i \
- s ti .g i
]li b
, d
\ '
4 1 , ?{ q a . , , ~4.4-54
-'a-
,i jj . . , ,
& .h
. c .j . v 1 yo } i.. <
4, s r..I kY I. . ,.c t 8
~}'
z ' ., i ~ (. !'i.,5 i , t C, [ ;. _ i . 12
y
- j L; ' L4.$L Plant ' Damage State Definition' !
- r. .
The / process byL which ' initiating events were identified and grouped, is' l' , Edescribed in Section 4.3, and the initiators used in this: study are listed. lj in Table 1 4.3 1. Section .4.4. discusses , tha . first , stage of ' the two stage - l event tree analysis ; rrocess . The first ; stage identifies the - dominant i event sequences. that lead to core damage. ;The;present section discusses: ;
. the L second. stage of ther event tree . analysis process: i the . plant damage- .
~ state' tree; This stage delineates the dominant core damage sequences;into 1 plant . damage - states (PDSs) . These j trees . show .the finitialc containment - ;
response to the ' accident and ' thus provides a link ,between core damage- , sequences;and plant damage states.' ' W s
'An-overview ofithe two stage event tree analysis process is presented.in.
1 l Section 4.5~1, followed :inJSection 4.5.2 bygdiscussions of. the ' sequence = j indicatora used to define' the plant' damage: states. The PDS . analyses 1 for tho' dominant core damage sequences _is1 described in Section'4.5.3. '
=4.5.1 ' Event l Tree / Plant Damage State. Analysis Processs '
The event trees developed in Section 4.41 generate those combinations iof' q system failures which can lead to core damage. The plant-damage state i trees shown in Section 4.5.3 generate the additional information needed:to O assess the severity of accident consequences. - namely. the degree to . 'i which the, containment systems remain ~ operable as a means of preventing:or reducing the' amount of ~ radionuclide releaseL following , a core ' damage ' ! condition. The plant damage state grouping for. this study wasr a twopstage process. . Initially, detailed plant damage ' states -were;identifiedM using ' ~a seven category identifier, t The number of plant' damage states ' resultingifrom , this exercise 'was too large for . efficient quantification. of o the seven . J event' tree.- The'34: plant damage states with~:seven state identifiers'were L regrouped into seven less discriminating plant damage state. groups. These seven groups formed'the starting point for accident-progression event tree , quantification. .The frequencies of the seven indicator. plant damage d states were'used to identify split fractions within a PDS' group'for event 1 L tree . branch points. The plant damage ~ states serve as { unique entry conditions for the accident progression ; event tree.. : The , PDS ; indicators . . represent the first seven questions on the accident progression event' tree: -l for Sequoyah. It was necessary to modify the core damage: event trees by ' adding headings on'the tree to address all PDS' questions, which could not be answered otherwise. For Sequoyah'this meant adding events to the. tree for success and failure of the containment spray-system in the containment.
.;l heat removal mode. The top events 'for . the , containment systems were 9 specified as follows:
F Containment spray system fails in = injection or recirculation m >de Fr Containment spray . system fails in recirculation after successful
.inj ec tion i
?
-Core damage sequences with point estimate frequencies greater than IE-7/yr ,
(IE 9 was used for blackout cutoff) were delineated -into plant damage ' states. The total point estimate frequency, of all PDSs was then. calculated. PDS frequencies greater than 1Ek7/yr were retained for back- , end' analysis. PDS frequencies between 1E-9/yr and 1E-7/yr were compared :f a 4.5-1 1
-y l
l' , , _ J
a:
.. j to those PDSs above 1E 7/yr to determinejif any PDS between-1E 9 and IE 7 represented ( more severe - containment conditions than any of the dominant PDSs. Such was'not the: case?and all PDS less than 1E 7 were dropped from further analysis. l All: PDSs, below IE-9 -were automatically dropped- from
= further analysis, : The : PDSs ' were then J combined into seven . PDS groups.
The ' grouping ~ of the PDSs into _ PDS groups is shown -in Table '4.5 4. The
, frequency distribution of each PDS_ group was'then calculated,using TEMAC. _j 1
s 4'5.2' Definitions of-the Plant Damage State Indicators =1 A total of 'seven indicators were used to identify a plant damage. state. The seven indicators address the following'issuesF Status:of RCS at onset of cere damage: ; q
- Status of ECCS Status'of containment, heat removal capability
' Status of AC power RWST: injection capability 4
. Steam generator heat remova1' capability-States of RCP seal cooling ;
Ten indicators were _ origina11y zused for. the plant damage s tates . .The j
- T threer other: indicators were used toidelineate the' status of containment isolation,. hydrogen igniters Land the air return fans. These indicators
~
i were originally t indicated--in the PDS identifier, but _ systems analysis of their - failure: characteristics and! dependencies - showed their ' operability ;
- status to .. bed reasonably independent: of the - other indicators.= Thus, the probabilities ' for unavailability ofichese systems. was entered, directly-into the accident progression " event tree- (APET) . ' Each of the seven-
~
indicators is discussed below, in the- order in which they appear in the ' individual 1PDS designators.
- 1) . Status of RCS at Onset of' Cere ; Damage - 'For the purposes of ,
1 containment analysis, "it:~ is inertant to know: then pressure of ' the t reactor coolant system'at the , time of vessel' failure. The expected g RCS pressure was related to. RCS -integrity in this, analysis. _ Eight , l' categories of the RCS integrity. status were identified and related to ! y the initiating events, as shown'in Table 4.5-1. It 'should be ' pointed out that, although the . first character in the . ,
' PDS designator is commonly referred to as the initiating. event, the way that~it was used in the accident progression event tree analysis j
is to indicate the integrity of the RCS at the onset of core damage. Hence, the first character in the PDS designator may differ from the l: ~ sequence initiating event. For' example,- if the initiating event _is a i. l ' transient such as a loss of offsite power, and if an_RCP seal failure occurs .before the ~ onset of core damage ,. then the APET would treat L this case as a small' break in classifying the status of the RCS.
- 2) Status of ECCS - Another key . indicator for the containment analysis is . the past and present status of high and. low pressure injection or recirculation cooling. A total ~ of five categories was identified relative to the ECCS, as shown in Table 4.5-1.
i 73 4.5-2 i __t___._h_______.__________._'______
i l
- 3) Status of Containment Heat Removal Capability - The third key indicator for containment analysia is whether or not containment heat removal is available. Fer plant damage state definition, this was defined to be the availability of at least one CCS train or RHR train in recirculation with service water being supplied to the heat exchanger. The alternate means of containment heat removal (via AFW) included in the first stage event tree analysis would not be available after vessel failure. Three categories were used for this indicator.
- 4) Status of AC Power -
The fourth key indicator identified for the containment analysis is to know whether or not the AC power needed for safety systems is available. Two status categories were identified for this indicator.
- 5) RWST Injection Capability - Another key indicator for the containment analysis is to know whether or not the reactor cavity is full of j i
water. After comparing the RCS volume with the cavity volume, it was determined that, in order to assure that the cavity is full of water, the RWST must be fully injected into the containment. That is, no partial credit was taken for RWST injection. Three categories were identified for this indicator.
- 6) Steam Cenerator Heat Removal Capability - The sixth key indicator for containment analysis is knowing the status of the AFW system and its ability to provide steam generator heat removal. Six status categories were used for this indicator.
- 7) Status of RCP Seal Cooling - The eighty key indicator concerns the availability of cooling to the RCS pump seals, which provides a direct measure of the ability to p rese rve the reactor coolant pressure boundary at the reactor coolant pump seals. Three status categories were used for this indicator.
The category status identified for each of the seven PDS indicators are listed in Table 4.5-1. A typical PDS might be represented as follows: 1 AINY-YYY, where the meaning of each letter is given in Table 4.5-1 by its position in the character string. Considering the number of choices for each of the ten PDS indicators, there are potentially 12,960 different plant damage states. Even if it is estimated that half of those are logically impossible or null sets, this leaves a total of about 6,000 admissible plant damage states. Rather than attempting to estimate the frequency of each potential PDS, the approach taken to partition all of the dominant core damage sequences to the appropriate plant damage states. All PDSs with frequencies greater than 1E-7/yr would be retained for APET analysin. The results were checked to be sure that the total resultant PDS frequency compares to the total core damage frequency. 1 s 4.5-3
a 4.5.3 Plant Damage State Analysis This section describes the plant damage state analysis of each sequence. There were 34
-Individual; core -damage sequences, with point estimate frequency above IE-7/yr_ af ter recovery actions were included. Each of these were delineated into plant damage states.:
~
The 34 sequences and their point estimate-frequencies are shown in Table 4.5-2. The distribution of sequences amongst initiator types is shown in Table 4.5-3. There are no' non-SBO T3 events in the ' dominant sequences. A PDS tree : was .not necessary for blackout sequences because all containment systems are Inoperable. PDS , Indicators could be assigned by inspection of the cut sets. The PDS tree is shown as a- ! formality-in Figure 4.5-1.E The core damage sequences are indicated on the event tree
- and assigned to plant damage states as shown.-
The dominant T 2 sequence is T 2 LIP 3 . The containment response tree for T7is shown in .! Figure 4.5-2. It is similar to the core damage tree except that event F rhas'been added 7 to delineate operabillty' of the containment spray'syste'ms. Status of hydrogen' igniters ,l and air. return fans are assigned independently of other failures for this sequence. .The _l plant damage state for this sequence is shown on the event tree.' t P { g sequences are Tis DC1 shown in Figure 4.h. and T E i lo The containment re. sponse tree to It is ' the core damage tree The dominant T[N except that even has been added to delineate operability of the containment spray systems. _ Status of bydrogen igniters and air return fans are assigned Independently of j 1 other failures for this sequence. The plant damage states for these sequences are shown J on the event tree. There are three dominant T se The containment response tree for T is - l shown In' Figure 4.5-4. ' ThebOO quences.SG p 3 sequence represents .rator loss of steam = gen integrity, which violates containment. Questions of containment operability ' were ! therefore not asked. for this sequence. Ty,L and T s therefore, event F,. has been added to delthVate. oper&mK mlity Initially have of the containment spraySG integrity, systems. Status of hydrogen Igniters and air return fans are assigned independently of i other failures for these sequences. The plant damage states for these sequences are -i shown on the event tree. t There are three dominant large LOCA sequences. They are AD S
, AH 3
, and AD6 . The containment response tree is shown in Figure 4.5-5. It is similar to the core damage tree except that event F has been added to delineate operability.of the containment spray j) systems. Status of hydrogen Igniters and air return fans are assigned independently of other failures for this sequence. ~ The dominant plant demage states for these sequences i are shown on the event tree, j l
There are two dominant medium -LOCA sequences. They are 53 Hj and Sg H g . The containment response tree is shown in Figure 4.5a6.'It is similar to the core damage tree i except that event F has been added to delineate operability of containment spray _ i systems; -Status of hydrogen Igniters and air return fans are assigned independently of- [ other failures for this sequence. The dominant plant damage states for these sequences. : are shown on the event tree. ; The dominant S2 sequences are S F2 7 and2S3H . The containment response tree for S2 is - shown in Figure 4.5-7. It is similar to the core damage tree except that event F has been .; 4.5-4 l o i
)
l adderl to delineate operability of containment spray systems. Status of hydrogen Igniters l and air return fans are assigned Independently of other failures for this sequence. . The ! dominant plant damage states for these sequences are shown on the event tree. l There are three dominant sequences for the 35 Initiating event category. They are 5 3c3 2' S 0 3 H3 . 3The containment response tree is shown in Figure 4.3hH 5-8. 7t H , and is similar to S theWcore damage tree except that event Fr has been added to l delineate. operability of containment spray systems. Status of hydrogen Igniters and air , i return fans are assigned independently of other failures for this sequence. The dominant plant damage states are shown on the event tree. There are two dominant ATWS sequences. They are TKRD4 and TKR2, where T is a combined transient initiator. Status o.f hydrogen Igniters and air return fans are assigned independently of other failures for this sequence. Figure 4.5-9 shows the dominant plant , damage states.
. r 1
l l l l t 4.5-5 I
Table 4.5-1 Category Pefinitions for PDS Indicators 1
.l. Status of RCS at Onset of Core Damage T- -- - nc breal< (translent)
A' - large LOCA (6" to 29)..
$1. -- medium LOC A (2" to 6")
$2 -- small LOCA (1/2" to'?") '
S3 - L.very small LOCA (less than 1/2") ;
.G - . steam generator tube rupture with SG integrity-H' ----- steam generator tube rupture without SG integrity -
V 1
- Interiacing LOC A
.2. Status of ECCS i I -- operated in injection only I
B - ' operated.in injection, now operating in recirculation R -- not operating, but recoverable - N - ' not operating and not recoverable L - LPI,available in. injection' and recirculation of RCS pressure reduced
- 3. Status of Containment Heat Removal Capability 1 Y -- operating or operable if/when needed R -- not operating, but recoverable N -- never operated, not recoverable' 4 4 Status of AC Power j Y -
available R - not'available, but recoverable
- 5. R WST Injection Capability I L Y --
fully injected into containment l R - not fully l Injected, but could be injectedLwith power recovery 4 N - not fully injected, cannot be injected in future
- 6. Steam Generator Heat Removal Capability ,
X - at least one AFWS operating, SGS not-depressurized is D. Y - at least one AFWS operating, SGS depressurized : C - steam driven pump operated until battery depletion, electric driven pump. recoverable - with power - recovery "SGS not : depressurized ' l. D steam driven pump ' operated until battery depletion, electric
~
driven pump - recoverable - with ' power recovery - SGS depressurized S -- steam driven pump failed at beginring, electric driven pump-recoverable with power recovery -! N - no AFWS operating, no AFWS recoverable 1 1 N.$-b
dh@ %p3wn wr:MRP w' ff_:n U Q G n , W, m' t -Lk V'_ OAl$W
, s,_ _ :- +
hW W J$ , ' ~, m',' mh P j ' g- = ;
^%? <
nw ~w)b> .%,
~
u-s E .1 d x tm ssy: $- qb; Qn y ;,; ~--b. d m t4 r g- , N .- *p t s 2 1m ; e t. y s Q:p'm=cy)-M J?'N y;Q;a f:g , , __ %._y' 4 t e i .-.
= _*
?J<E 9m W <h 4 I0 ;- rd _" '
._m'N O +4 --'-
.V'dW' S
_ 4_ j > yf (r Q' k. qM % f
, g , u e a n a . w_
,s - s - _
- c. , ; .
i + m* ~ , A., y ,.+
.e ~.
- . . = ' - +
x ( m.~; .: f2 $ c
~ - ,
t n, r< F <
,'o' b
.t ..p,s. w-y 4 s,. ' b
- e. -M p
/
i[
% : ,,f--' f ' 1 ? I ' ('
j . .'. 4 n.i.mf G D' " mm n,-. - t at+ cm s
<c,j 4 :
e ,
=g. w ,,..=m-.,S . n} .,_ a; - - -g
;.) n' v q y,am ,y-, g w i'-
w j c, s . s LTable A5Ji (CSnt'dM ' N.g ..k . t. , F ' #
,g % w t,
qy . (c tegory , Definitions _'f,orlPDS Indicators ( ' y >
> .At. l
~.n. .* - . <
- -+;
w 4C * * ~.c
- Rt . s
. 4 r-
,.p, p..
r 4 < _ R % * * ' 4^ s <.s.-
~% m s- im%_ ^ :, ; ,'
~
4 M j.i [. Status of RC, P. Se'altooling; ' ' . > m-s, .; ., , m - . . .. _
- ,' [u .
I,. i . -k I . , k' 2 5,. )
%'. ', M,*
^4 1:y '[:)+
g g 4 F,.. F-9 4
. , . , f,A MW i,r
,V S operating,,; A m , - < >
m mg
. 1
% W e,'.
A- - LR>- inot operating,'but recoverable 1 * ' t , 1@.c
%, , g, g -
wm ,
+y. ., n . y , % " jnot operating-and
+ ,
not recoverable- . ;. , (yl} , . t 3 -
,g, s;
- 4. '.:m i
i 1
~- =-3 :m ;. ..
I t- a.e'; . ' 4..b s
? 7, y N ^
(,- Q ^ f f Y, ';,5 \ .k ~ g -i. _
=:k'
, j;.r g' gg"y,'.4-g lp-(3('f -
.t i
~- _; y , 4 ,(
I't x g;" ~ - .m. -.'fj'} ' Ha._ -q
..~n's 4. " e . ..4
, i.
"s # z +%n % '. W .m.n. .
w _ { ,N
-n
~
- ..,_ p s -
[T y a y L-- + '
,5 -._.n =6 . . _ . g y.
q
.,7' 'l_ j k g j '
.Y+,
8
.)
.;_2 * , . _ _
I @'
-,} k Ort fpi T*r 7 4 *c,.- -
8 11 - j I 1
; m
- w. . .y.;
jp g ] t ,
'/,- 3 [m.-[' L - -- .
r { j 4 s i _..~ '
, 4 . - .-
'-t'
~ ,
4r.,
,# _jt Jty +');- '
2+ 5 +* \ , a,. 5
+' se >n_ #
i
;.jp a; oc g .. g 1 :~ r
# . . .,m .
t i m, a .m.
>A~ sm4uw, cu =.; M ,g %
,3(y::3 w q'.r
-, t. . 3
, , _e ,
}
3, s _ y 9 '
' ' " ' ' f P
.i( a-'3,~
,,. _ > ., ' > ff.?,e %-h' , . -
f
; t- . . ' qi .;,f .
.,... , ; -> ., ; p ; .f. ;, " _, ,1 s
. i.
e p1v --'4 3 p ll$ .g6i ( n .a
,.,e, t
- , c , .c ,
t
't g N-5' t ) , I 7.,
4 iT [ E
/ J ,y. , , j-
,.),, i
; ,t.m L% :. <o..f s q+ 4 i p 4 , is.
- 5 21?
L
- y. .
n 4 (fn f + d -(~. l @- f p, E',, d
, )
.w1
-! w 1
( k s
.re "-; .m w !
j
. M=-(' -
- y. "1 i C " "' '
2
, . ' $j 3' a g, A (' a;:t '- 'I
,r, s )
, . ,, _ , . .:s 1
g s T I L A nVi L y f *d t j,,,.
%W 5 E J i
. q>i L. .
o"-[-- wr f J g
':C t
v7 > \.b q ;. 3.-p,' Q- q '9 p s
,?,
1 2.%.
< u q .A 4 . ,, , -
s (4
"y J 4 x w?. ;- , j 4_
p.A 44 3 ). 4_i c .-_. ; 9 i
-%- 4 ., ,.
'.y;,
.o.y g. E_
\
N+
- y g ,
e s,/ h JY,? f I 7-p f t- 1 N#'. i._ f "\,, g f if / y- .bi
- 7,
+ '
, ; ; f"' -
$ 1- J. { 5- '
x
<p 3
- p'-
<6 >'^
p; -c 3 Ji! ff % . I 2U s I. c- -' 4s - 4 si e , .s 1 a-g ' a (- t '. ~~},..' e' j !l f ' - 1 3'.: , 3 4 t, g s.3 y'W { ;_ b b *i I ;) hf 3
,, j
+ ..s..
ety i i
- 1. ._
f j- , Y I
, -.4...3 ,. .
,,1~ , . p
, m_ - m,<m
,, s y' y
,J. gp.. '.\' f
- , g
.\
a' f
. rq .j w.
...t .. Ay; ery
. ~ m m,; s wg s
i,7 eal ,4 , a ' f.A , , S
., 4
'a , , t p.
t f,, A
. ; e
--f ,;
.p,I qq ,q'1 I*.',c..
". y -
Y' . v- 'g i o , y 4
,.)~-_,yn _ 1 yj... k j? j, y.)
t
) , r . , %, s. Ys,1
, g s r 4
; ~Eas s
i
, ; , s' f W
,E i' '
q,( ; p ,,
? d :I j
1 s . . . .> a > ' - = ll
!. [ 4..l' + C '[}N 1; Sh Mp 1- '
ls( . , x, t
, ] .. \ g [jj i,#Fi !'
i .'
; g'. 1[,'-
!,j.
w}a' s -
< i
< ~ #-
- t e.
r{ -}: g s _ T 4 > - F t .f
}. S
.k4
-{,,
w a s n' , ; >" L.
$5 5 * / i f'j ' " "'
iP'j, i -- m' iA '4; , .?I c.3 _ m s
g,
a x: 1t . %; 4 { -
.. S
* * +
, 4 :
L. f' [ 7 ( 1
.g s
+
* .i
- 8 i .* - 5
+*. i , i i 1 '[', ,
+8~ v F
n ,; I$ \.' k i ' k ' sn, , s , sr 4 6 y,-
~ ~ " ' ,, .i-
.t 4
- ( f , Wi *,
z- h t
\
l , Y, .j
- x. = 2 i
a 1 --(1; t m. M;-
' s gr. < q+ .:- Js b:
j
. ?.h py 9s s1 C _y c q; y 4
- j
.w _ ,, 2 i oc, T;ly.; .a
}' _] 1 l f "r,t+
i ' k \- 'l: t . w- .ps i 4 ,", _ 3.: ,., r?
..t. 7 c,.j z.
- .J ,
s_- J
-ti.
^f'i U ' ,' &,
N$.l. - 1 i
%;.y< c g ..:m.h;I em -s, . ' ,4 . i 4, p c 3l% "
~~o4 N. ! vt.
w y.' . .cso g s
. 3-x f3.1, t -.V..,
g...
/ c
. e s 5
'._ ~v . ,3 (:4 5 E
[h hhh _ W, , . , . g k '
$2-' #
4,h N(; ; t [,; u d[6 %%
+
k$'l, w f j N wwg
.g,.
c , e
,1 i
7 7 g,, ,1 <Wq
;, g x=
ru > ,' . 1
~
. Tab 3 0E 4. 5-2 List'of Dominant, Core D'amage' Sequences--
and. Point' Estimate Frequencies-JAnnualc Secuence Frecuency SBO-BATT-T1-1H DG-DC-7H. ' 2.0E-7.
-T1-1H-DG-OD-DC-7H '4.6E-9 T1-SG-1H-DG-DC-7H< .1.1E SBO-L-T1-L-1H- .7.1E-6 T1-SG-L-1H' ~3.5E-7=
t SBO-Q 1 T1-Q-1H 2.9E T1-Q-L-1H, 9.7E-9' -
'q
.T1-SG-Q-1H 1.1E-8 '
T1-SG-Q-L-1H < SE-10 SBO-S LOCA _ .! LT1-1H-DG-SLNSL .2.4E-6 '
=T1-1H-DG-DC-SLNSL 4'.'5E-7' T1-SG-1H-DG-S LNSL . 11.3E-7 3 T1-1H-DG-OD-SIMSL .5.P"-8 Ji T1-SG-1H-DG-DC-SLNSL =1.3E-8= !
T1-1H-DG-OD-DC-SLNSL 8.1E-9 j TLP 2 1y 1.6E-6
' )'
.T DCI LP1 1 3.5E T DCII'1 I P1 3.5E 7 T gg KR- 2.0E-7 T gg L '4.2E-7 j T 3g OO D S .1.6E-6 AD S 1.3E-6.
AD 6 3.-1E-7 q AH 1 '6.2E-7 SH12 5.2E-6 ! SH14 1.2E-6 SH22 5.'2E-6' L 'SH. 2 3 1.5E-6
-S3 0C2H 1.5E-5' l o a L .S 0 H3C3 4.6E-6 l
SWH 3 13 5.3E-7 'i ,e, 4 5-8 , s ., l ' w ,
?
t Table;4.5-2~ (Continued)- List;of' Dominant' Core Damage. Sequences _and-Point Estimate.: Frequencies'- . fAnnual
- Scauence- -Frecuency-t TKRD4- 2.SE-7 TKRZ: 1.4E -
V- 6.SE-7
-TOTAL! -5.3E-51 ,
?i e
- I
- (
If a l i t, > l' -- L 1
/
b 4 a 5 4.5-9
^'!
^
'\'.
' Table ; 4.5-3 Source of Dominant 1 Core Damage' Sequences a
Number of-Dominant , Initiatina Event ' Despyintion Core Damage Sequences T-1 Loss of Offaite Power. 15'
-T 2 Loss of MFW , 1 ,
TDCXj D ascof DC Bus- ,2 g T SG: iSGTR ,
- 3. j
-A- Large LOCA 3 S
i Medium LOCA 2= l S2 , Snial'1 LOCA - '2 S-3 Very'Small':LOCA 3 TK -ATWS :2 L
}
V Interfacing.LOCAs _1 .. . TOTAL 34 h t: 1 L . \ I l I l-1 1. l-( .. 1 ;
- l. ^
A 1 1 4.5-10 D
-y-i , , N m 7L
- w. 6% ,
i, *
- w. a n _a 4
p.,' i 1 1 A r w ,
- Tablei4~.554 -
'v ,
'M
' PLANT DAMAGE STATE; GROUPINGS; '
- - Group . .
; Number._
Grouc Name Plant <Damaae States- '"' 1 Slow Blackoui ITNRR-RDRL
- S RRR-RDRl* ,;
c .S RRR-RCRE 4' , 7 ' S RRR-RDR'
- y. >
LS RRR-RCR +
. -.-i . (5 2 Fast-Bl'ackout, ;TRRR-RSR. ;
-:S2RRR-RSR; - -
l 3 LOCAS-ALYY-YYYO ,
?ANYY-YYN ; - d
'AINY-YYN -
;AIYY-YYN!
I*
.S INYiYYN' ' '
+
=S LYY1YYNI ..+e
- S IYY -YYNj '
' I ...
.S INY-YYN!
S LYY-YYN m JS INY-YYN, 'E
='j
, 1S LYY-YYN y._~ '
'S IYY-YYNL
.x
- 7. , .
4- Interfacing LOCA Vi
.N ,
5' -Transients: L TBYY- .YNY /
-6 ATWS TLYYLYXY? ' '
.GLYY-YXY ;
- S 3NYY-YXNJ ]
7 SGTR: .GIYY-YNY HINY-NXY' ! 1 L y ,
.,i
':'{' *??
.t t-1 :I I ,
J I' ;g . a' , 4.5-11 x # " s g , ..
, a <
. < > * .; j
- y s. . ;,
r - l
- .2-SBO-- SG-SV RVs ATW NRAC ACP OPER DCP-- SEAL- NRAC. NRAC U1 RECL CLOSE (TDP) 1HR DGN DIPRZ U2 LOCA SEAL THR u2 -003- toCA T1: -SG -0 -t -1H -DG -0D -DC -SL NSL -7N Sequence l CORE l PL DAMAGE ST l
- 1. 11 - OK -
! 2. T1-1N ' OK "
I , 3.'T1-1N-DG OK
! 4. 11-1H-DG-SL - OK
!' I 5. T1-1H-DG-SLNSL-CD 'S3RRR-RDR ' 6. it-1H-DG-DC - oK I ~7. T1-1N-DG-DC-7N ' ' CD TRRR-RDR
- 8. T1-1H-DG-DC-SL OK - .
! 9. T1-1H-DG-DC-SLNSL CD : $3RRR-RDR
- 10. 11-1N-DG-0D OK
! '1.'T1-1N-DG-0D-SL. OK I 12. 11-1N-DG-0D-SLNSL CD : T $3RRR-RCR.
'3. T1-1N-DG-0D-DC OK . -
I 14. 11-1N-DG-00-DC-7H . CD TRRR-RCR
?S. 11-1H-DG-00-DC-SL, OK
! '6.~T1-1N-DG-0D-DC-SLNSL CD - $3RRR-RCR
.v ?T. 11-L OK f I 'S. 11-t-1N- ~ CD - TRRR-R$a
[ 19. T1 OK ' I. 'O. T1-0-1N
~
CD ' _ S2RRR-RCR
- 21. it-0-L - OK I
- 22. 11-0-L-IN CD . $3RRR-RSR
?3.111-SG- , OK -
I
- 24. T1-SG-1H OK.
i M . 11-SG-1N-DG OK-
'I 26. 11-SG-1N-DG-SL- - OK I 27. 11-SG-1N-DG-SLNSL CD '$3RRR-RDR
..28. 11-SG-1N-DG-DC .- OK
'I _"9. T1-SG-1N-DG-DC-7N CD TRRR-RDR +
'tn,;11.Sc.1n.DG-DC-SL CK '
I 1 31.-T1 SG-1N-DG-DC-SLNSL CD $3RRR-RDRi
- 12. T1-SG-L - OK I
- 33. 71-SG-t-1N CD -TRRR-RSR t4,1yg.Sg.o - og I' 35. T1-SC-0-1H CD S2RRR-RDR -
- 26. 11-SG-o-t OK
'I 3T. 11-SG-0-t-1N' CD =S2RRR-RSR Figure 4.5-1 .
. Plant Damage State Tree for. Station Blackout:
-4r. .ti- .f-ep.r'N =*64-5.'4-( A.vP- W a%e'-Cr. 4 y.'5 4 -ni>'y- *w-f"' y- %"'N' % (' M1T*ii TP'#w*w-g-' e-% w+*i- 449 g ee 9m , _,.,,, ,, ,
U -:- , i , ..
+
.t'. ,
l l l I 1 1 i i s !. LOSS RVs AFW- PORVs CONI CONT ! 0F_ RPS CLOSE 2/4 HPl OPEN SPRAY SPRAY LP!/R MFW - SGs- INJCT RECIR
'T2-K Q1 L1 D1, P1 FI FR: H3 Sequence. l CORE l PL DAMAGE ST l
- 1. ' T2 - -- OK :
I 2.nT2L1 ' OK - l
- 3. } T2L1P1 -. CD 18YY YNY.-
I' 4. T2L1P1FR JCD -TBYY YNY. I' 5.'T2 lip 1FRH3; 'CD' TINY-YNYJ 6.' T2L1P1FI CD TINY-NNY. 3 s i l* r o ;
+
1 , j l I
;b
;{
Figure 4.5-2 Plant Damage State Tree for T -Loss of Main Feedwater 2
.t
" 4.5-13
, M L: , 1 ', "i:
- .e .
LOSS RVs AFW SEAL. CCW PORVs CONT ' CONT OF DC RPS CLOSE 2/4 INJCT THRML HPI OPEN SPRAY SPRAY LPI/R - BUS SGs FLOW BARR INJCT RECIR TDC K Q1 L1 D3- W D1 P1 -FI FR H3 Sequence - l CORE l PL DAMAGE ST l
- 1. IDC' OK TDCI, IDCII I 2. TDCL1 OK --
l 3. TDCLIP1 CD -TSYY-YNY I 4. TDCL1P1 Fit CD TRYY-YNY l 5. TDCL1P1FRN3 CD' TINY-YNY
- 6. TDCL1P1FI CD TINY-NNY 1 i w
i t Figure 4.5-3 Plant Damage State Tree for Tg -loss of DC Bus
+-w+" ~+c .= 2__ _ _ _ . _ _+.__,-._.-1_'t--s m_.__e_- r _m_.__.__s___e.- __
- - __a v_. -
i.<~.._...______.___._.___&__...mm. -
, - . m.__ - .. . _ _ _ _ . . . . _ _ . _ _ _
- AFW- OPER RVs STM CONT CONT SGTR RPSlHPI a 2/3 0EPRI CLOSE GIN SPRAY SPRAY LPI/R j EGs RCS INTEG INJCT RECIR TSG K jD1 L OD [ 01 QS FI FR- H3 Sequence l CORE lPL DAMAGE ST l
- 1. TSG OK
'I 2.'TSGOD OK I 3. TSGODOS CD MIYY-NXY
- 4. TSGL CD GIYY-YNY I 5. TSGLFR CD GIYY-YNY
! 6. TSGLFRN3 - CD GINY-YNY
- 7. TSGLFI CD GINY-NNY'
- 8. TSGK CD GLYY-YXY
> ! 9. TSGKFR CD GLYY-YXY I ?O. TSGKFRN3 CD GINY-YXY w
- 1. TSGKFI CD GINY-NXY Figure 4.5-4 Plant Damage State Tree for T SG -Steam Generator Tube Rupture i___-__ ...
t l 1 i l i
.l LARGE CONT j LDCA LP! ACC SPRAY LPR q
.i A D6- D5 F H1 Sequence l CORE l PL DAMAGE ST. I
- 1. A OK '
I 2. AH1 CD AlYY YYN
- 3. AF 0( ,
I 4. AFH1- CD AINY YYN
- 5. AD5 CD ALYY YYY .
I 6. AD5F CD- ALYY YYY l I ALNY YYN
- 7. AD5FH1 CD
- 8. AD6 CD ANYY YYN I 9. AD6F CD ANNY YYN f i
t 4
.5 Figure 4.5-5 .,
Plant Damage State Tree for A-Large LOCA i I 4.5-16 i t '!
- - . .- . ~ . .
I l l i l' .! J MED CONT '! LOCA HPl SPRAY LP!/R HPR !
$1 D2 F H4 H2 Sequence l CORE l PL DAMAGE ST 'l
- 1. S1 OK I I
2.'S1H2 CD S1LYY YYN a !
- 3. S1H4 CD S11YY-YYW .
- 4. S1F' OK ,
I
- 5. S1FH2 CD- $1LYY YYN r
- 6. $1FH4 CD Si!NY YYN- ;
i t i i : 1 l
-)
i Figure 4.5-6 ' Plant Damage State Tree for SgMedium LOCA -- 4.5-17 i
SMAll AFW PORVs CONT OPER CONE t.OCA RPS HPI 2/4 OPEN SPRAY DEPRZ LPI/R HPR SPRAY SGS INJCT RCS RECIR S2 K D1 L1 P1 FI CD M3 M2 FR -Sequence l CORE lPL DAMAGE ST l
- 1. $2: OK
! 2. S2M2 CD S2LYY-YYN I 3. S2N2FR CD 'S2LYY-YYN
- 4. S2H3 CD S21YY-YYN
! %. $2N3FR CD S2:NY-YYN T
E Figure.4.5-7 Plant Damage State Tree for $ -Small 2 LOCA
.. . . . . _ _ - . _. _. .._ ._ . _ .~. _ _ _ _ _ . ___ _ __ _
VERY 4FW PORVs CONT OPER OPER CONT SMAtt RPS HPI 2/4 OPEN SPRAY CNTRL DEPRZ 'RNR LP!/R ftPR SPRAY LOCA SGs INJCY SPRAY RCs RECIR 53 K D1 L1 P1 FI OC 00 W1 H3 H2 FR se7Jence l CO*E l PL DAMAGE SY l
- 1. 53 CK I 2. 53W1 UK I 3. 53W1H3 CD S31YY-YYN I 4.'53W1H3FR CD S3fNY-YYN
- 5. 530c OK I 6. 530CM2 CD S3 TTY-YYN l 7. 530CH2FR- CD $3LYY-YYN
.m 8. 530CN3 CD S3ITY-YYN
' I 9. 530CH3FR- CD S3tNY-YYN
- u, N
Figure 4.5-8 Plant Damage State Tree for S - "U 3
cvR MTC MTC AFU CONT CO4T ATUS MRT LEVEL LOW UNF TBT PPR 3/4 RVC HPI srRAY SPRAY Lpt/R SGs INJCT RECIR TK R PL Z1 Z T- P2 12 c2 04 FI FR H3 SeqJence l CORE l PL DAMAGE ST l ~
- 1. TK UK
! 2. TKR OK
- 3. . TKRD4.. CD itYY-YXY
- 4. TKRD4FR CD TLYY-YXY I 5. TKRD4FRH3 CD T4MY-YXY
- 6. TKRD4FI CD TLNY-NXY
. 7. TKRZ- CD 534YY-YX%
-T I
~
- 8. TKRzrR CD s3NYY-YXw
$ I 9. TKtzrRM3 CD s3mwY-Yxw 10..TKRZFI CD S3N4Y-NXM Figure 4.5-9 Plant Damage State Tree forLTK- Anticipated Transients Without Scram l
l
. . - . - - - . . - - . , . . - . , . . , ~ . . - . . ._ _ . . - - - . - - . . - ~ _ , .. . . . . - - . . . . . . . _ . _ , . _ _ . _ . . . .m . .- _ ____1..________ _.
l 4.6 System Analysis The approach used to perform the Sequoyah system analysis was previously described in Section 4.2. Section 4.6.1 provides an introduction to the modeling of systems which were analyzed as a part of the Sequoyah study and lists the general assumptions which were used in the construction of the system fault trees. Sections 4.6.2 through 4.6.16 describe the specille modeling efforts for each system. Each of these sections contains a system description, an identification of system interfaces and dependencies, a discussion of operational constraints, a description of the systerr model developed, an identification of specific assumptions used in developing the system model, and a discussion of operational experience for each of the systems as that experience was incorporated into
- the modeling. Table 4.6-1 lists the plant systems which were modeled as part of the Sequoyah study. This table also identifies plant systems which were not explicitly modeled and explains why these systems were not modeled.
4.6.1 System Modeling and Scope System models were developed for each system represented by the event tree headings and for most of the support systems which are required to operate these systems. For most systems, the models were developed in the form _of system fault trees. However, the actuation systems were modeled by Boolean equations which were developed, based on generic hardware faults and dependencies. Fault tree models were developed with top events corresponding to system success criteria used in the event tree analysis. Because some systems have different success criteria under various conditions, a given system may have more than one top event. Table 4.6-1 Indicates the number of top events which were developed for each system. Fault tree construction and actuation system modeling'was performed at a train level. Operator actions in response to various plant conditions were included in the models only when specific procedures for these actions were 'available. Operator errors of commission were not included in the fault tree analyses. Many modeling assumptions and ground rules were developed and used throughout the system analysis process. Assumptions which are specific to a given system are listed in the section which describes the analysis of that system. General assumptions, which were applied to all systems are listed below: (1) For the purposes of calculating failure probabilities, pump and ~ valve breakers and control circuits are assumed to be part of their respective components. These failure probabilities are included in' the basic component failure rates. (2) For open fluid delivery systems, potential flow diversion through any pathway less than one third the diameter of the main fluid delivery line was not included in the fault tree. (3) Control power for AC motor operated valves is supplied by way of a stepdown transformer directly from the . valve's motive power source. Therefore, no separate source of control power is required.
-I 4.6-1
- s,
-{m
'(4) . ' Unavailability of pumps and motor operated valves due to test and' maintenance is included where appropriate.
t q (3) Mispositioning of ' valves prior to lan Initiating event, usuallylas:'a
- result of, falling to. restore a valve, to its proper position following - ,
test or maintenance, was postulated where appropriate. .l
.w .;
-l
.t
..m.-
q 1 4 6 i
- a. ,
1 -,
'l A
1l 1
?
f , i g 1 1 , .i
.-b
-i q
-f
.i h
s r l t
.t
- \
If r
}
I
.;; '. f
.l
,3
- -p
'i r
+g
.- 4 '
;4.6 2 3
..t
- t R i )}
, -, $.. a . _ , . , ,
*5-j
l Table 4.6-1 System Modeling In The Sequoyah PR A System Type of Model Comments ' l l Accumulators Fault Tree One top event modeled. l Safety injection See Note i Fault Trees _ Charging Fault Trees See Note 2 l Residual Heat Removal Fault Trees - See Note 3 , Auxiliary Feedwater Fault Trees Two top events modeled. Primary Pressure Relief Boolean Equations See Note 4 Secondary Steam Relief Point Estimate 4 Containment Spray Fault Tree ~ - One top event modeled Component Cooling Water Fault Trees : See Note 5 Service Water Fault Trees See Note 6 Electric Power Boolean Equations Instrument Air Not Modeled Incorporated as an explicit dependency Engineered Safety Boolean Equations Generic failure data used Features Actuation at train level. Power Conversion Generic Value See Note 7 , Reactor Protection Generic Value Generle failure data was used at system level. , Heating, Ventilation, Fault Tr ee See Note 8 i Air Conditioning l l
)
4.6-3 _i L l
, m
1 Notes To Table 4.6-1
- 1. . Three top events modeled. Si system fault trees were combibed with. charging -
system fault trees to form HPl/HPR fault trees. -
- 2. Three top events modeled. Charging system fault trees were combined with'SI system fault trees to form HPl/HPR fault trees. Two additional top events were modeled for RCP seal injection and emergency boration.
- 3. Five top events modeled which represent various modes of system operation. TheseL include LPl. LPR wlth hot leg recirculation, LPI with miniflow bypass and LPR, LPI with mlniflow bypass and hot leg recirculation, RHR during shutdown cooling. .l .
~
4.- Four top events modeled which represent opening and reclosure of PORVs/SRVs, , and primary depressurization during steam generator tube rupture.
- 5. Three top events modeled which represent insufficient CCW flow to RCP thermal.-
barriers, to train 1 A ESF equipment, and to train'lB ESP equipment, s
- 6. Seven top events modeled. Each top event represents insufficient SWS flow to a ;
particular complement of ESF equipment, t
- 7. Estimates of system unavailability were developed through examination of previous i PRAs and Sequoyah operating practices. -l
- 8. The HVAC system was not modeled as a separate system. _ Room cooling requirements for each pump room were identified and included in the fault models of the affected systems. The room cooling requirements were developed into basic -!
events for fan failures and SWS fa!!ures. ! 4 4.6-4 m m.
I= s 4.6.2 Cold Leg Accumulator Model
' The. Cold Leg Accumulator System is designed to provide- for the Initial delivery of borated water to reflood the reactor core following a large LOCA. The following sections provide a physical description of the Cold f.eg Accumulator System, Identify any interfaces and dependencies between the accumulators and other front-line and support systems, Identify any operational constraints on the system, describe the fault tree model developed for the cold leg accumulator, Identify pertinent analytical assumptions, and describe any relevant operating experience which was considered during 'the development of the cold leg accumulator model.
4.6.2.1 Cold Leg Accumulator System Description The Cold Leg Accumulator Syster consists of four pressure vessels filled with borated water and pressurized with nitrogen g.9 During normal plant operation, each accumulator 1s isolated from the RCS o: t ra ched valves in series. In the event of a large LOCA, the RCS pressure falls belu the accumulator pressure, the check valves open, and borated water is forced into the RCS. One accumulator is attached to each of the RCS cold legs by a line containing a normally open MOV and two check valves in series. The system is totally passive, that is, ao pumps are required and the check valves change position as a function of differential pressur'e. Although the MOV in each accumulator line is normally open, it receives an ESF signal to ope 1 In the event that it has been inadvertently placed in the closed position. A simplified schematic of the cold leg accumulators is shown as Figure 4.6-1. 4.6.2.2 Accumulator Interfaces and Dependencies The accumulators are dependent on a nitrogen system to maintain pressure in the accumulator vessels. Although the accumulators are normally isolated from this nitrogen source, pressure adjustments can be accomplished during normal plant operation. The accumulator vessels are fully instrumented to indicate an abnormal pressure condition. Due to the simplicity of the Cold Leg Accumulator System and the very short fault exposure time, the dependency on the nitrogen system was not developed further. The MOVs in each accumulator line receive an ESF signal to open. Although these valves are normally open, the ESF signal ensures that they will not be inadvertently closed when required. Because mispositioning of the MOVs coincident with an ESF signal failure is very unlikely relative to other system failure modes, the interface between the cold leg. accumulators and the ESF signal was not ' developed further. 4.6.2.3 Accumulator Operational Constraints The Sequoyah Technical Specifications require that all four cold leg accumulators be operable with each isolation valve open, a water volume of between 7857 and 8071 gallons, a boron concentration of between 1900 and 2100. ppm, and a nitrogen cover pressure of between 385 and 447 psig. -In the event that one accumulator becomes inoperable, it must be restored to an operable status within one hour or hot shutdown must be reached within the following 12 hours. No other operational constraints were Identified for the Cold Leg Accumulator System. 6.6-5 s
.m_.
4.6.4 Cold Leg Accumulator Logic Model The success criteria for the system, for all instances in which it ls required, is accumulator in}ection via'three of 'three intact trains. This assumes that a LOCA has occurred in one.of the RCS loops and that accumulator injection into the remaining three , RCS loops must occur. Only one event was modeled for accumulators as follows: I D3 Injection from less than'three of three accumulators.' into intact cold legs The cold leg accumulator fault tree model is presented in Appendix B. The specific assumptions used to develop the cold leg accumulator model are described in the following section. 4.6.2.5 Assumptions in Cold Leg Accumulator Model in addition to the general modeling assumptions made throughout the- analysis and identified in Section 4.6.1, several system specific assumptions were developed in the course of the cold leg accumulator analysis. These assumptions are listed below (1) Due to monitoring practices and alarms, faults related to nitrogen pressure and accumulator vessel level were not included in the : model. (2) It was assumed that a break (LOCA) is equally likely in any of the four RCS loops. The fault tree model represents the case in which the break has occurred in the Number 4 RCS toop. ' (3) Mispositioning of the motor operated accumulator isolation valves : was disregarded on probabilistic grounds. Such an occurrence would require that the valve be placed In' the wrong position, that -this error is not detected, and that the. valve does not receive an ESF signal or falls to open. This failure mode is believed to be very. unlikely compr; ed with other failure modes. 4.6.2.6 Cold Leg Accumulator Operating Experience No applicable plant specific operational experience for the Sequoyah cold' leg accumulators was found. I r i 4.6-6 l m
ACCUMULATOR 1 FCV 63-118
'q q TO LOOP 1 -
DMG 63-622 63-560 ACCUMULATOR 2 FCV 63-98
- ,_ i . TO LOOP 2 -
8 8
' COLD LEG 63-623 63-561
- ACCUMULATOR T 3 a
'FCV 63-80 .
2 - N 63-624 q' 63-562 ^ _ TO LOOP 3 ACCUMULATOR 4 FCV-
~ 63-67 l
N q . TO LOOP 4 ~ COLD LEG - h-625 b-563 l ALL COMPONENTS INSIDE CONTAINMENT i Figure 4.6-1
. Simplified Schematic of Cold Leg Accumulator
, , , . , . . . . . ~ , . , . ~ , , _ . _ . ._ __ . _
h. 4.A.3 Safety injection Model The Safety injection System (SIS) and the Charging System (CHP) together perform the high pressure coolant injection / recirculation functions. This section' discusses the models develeped for the Safety injection System. Section 4.6.3 describes the design and operation of the safety injection system in both
- the- injection and recirculation operating modes. The subsections below provide a physical description of the safety injection system, identify interfaces between the ,
safety injection system and other front-line and support systems, identify any operational constraints on the. system, describe the fault tree models. developed for the safety i injection system, Identify pertinent analytical assumptions, and describe 'any relevant : operating experience which ivas considered th the ermse of developing the safety '! injection system'models. 4.6.3.1. Safety injection System Description The safety injection system performs no function during normal plant operation. Under accident conditions, marked by a loss of RCS coolant or steam line break (Indicated by i low pressurizer pressure, high containment pressure, high steam flow coincident with low. Iow T av cr low steam pressure, or pressure in one steam generator lower than other : steam generators), the Engineered Safety Features Actuation System (ESFAS) Fenerates ! an ESP signal which initiates safety injection system operatior, in the injection mode. ' Upon receipt of an ESF signal, both Si pumps start, drawing suction from the RWST and , delivering flow directly to the RCS cold legs. All portions of SI system operation are ' automatic, therefore, no operator action is required. In the event of ESF failure, : however, manual system actuation can be used. ; All system MOVs in the injection path are normally in the open position and do not receive an ESF signal. Suction is taken from the RWST, through a single line which contains a normally open MOV and check valve. Two para'lel and redundant Si pump trains discharge into a common line which contains a locked open MOV. The common line delivers flow to all four RCS cold legs. Minimum flow bypass lines are provided to prevent pumps from deadheading in the event that RCS pressure is higher than pump discharge head. in addition, the minimum flow , bypass lines are used for flow testing of the 51 system. , in the recirculation mode, the Si pumps take their suction from the discharge of the Low Pressure Recirculation (LPR) pumps which, in turn, have taken their suction from the containment sump. In order to effect switchover from the injection mode -to the recirculation mode of the SI system, it is necessary for the operator to open the MOVs which permit Si suction to be taken from the discharge of the RHR pumps. Specifically, the operator must open valves FCV 63-8, FCV 63-11, FCV 63-6, and FCV 63 7 A simplified schematic of the SI System, for both injection and recirculation operating modes is presented as Figure 4.6-2. ; L 4.6.3.2 Safety injection System Interfaces and Dependencies . } s The 51 System shares the RWST as a common suction source in the injection mode with
' the charging. system,~ the Low Pressure In}ection System, and. the Containment Spray
. System. In addition to its physical interface with the charging system, the SI System also 4.6-8' .
V'
l l has a functional interface with the charging system by virtue of the fact that jointly, the 51 and charging systems perform the high pressure ECCS function. - In the injection mode, the S1 system is dependent'on the RWST for fluid inventory, the ' AC power system for pump motive power, the DC power system for pump control power, the ESF for pump actuation, and the service water system and component cooling water system for lube oil cooling and seal cooling, respectively.
.in the recirculation mode, 'the Si system is dependent on the LPR system as aLfluid !
source.' in addition, the system. remains dependent on the AC power system, the DC power system, the service water system (SWS), and the component cooling water (CCW) , system. , These dependencies are shown on a train level of detall in Figure 4.6-3. Table 4.6-2 identifies component status and dependencies. 4.6.3.3 Safety injection System Operational Constraints The Sequoyah Technical Specifications require that both Si pumps, and their associated , fluid delivery trains, be operable during normal plant operation. In the event that one pump is not 6perable, it must be restored to an operable status within 72 hours or the plant .must be placed in hot shutdown within an additional 12 hours. No other operational ' constraints were identified for this system. 4.6.3.4 Safety injection System Logic Models in terms of ECCS success criteria, all~ demands for high pressure ECCS function' are stated in terms of "m out of n charging or safety injection trains." The Si system fault tree and the charging system fault tree were constructed using " flow from one of two pumps" as success criteria. The charging and Si trees or subtrees were combined as appropriate to represent high pressure ECCS response to the various initiating events. The following top events include contributions from the SI system. Dj - Failure to provide high pressure injection from at least 1 of ? charging pump trains or 1 of 2 safety injection pumps (i.e., I of 4 y success criteria). D2 - Failure to provide high pressure injection from any 2' of 4 charging or safety injection pumps. l H2 - Failure to provide h!gh pressure recirculation from at least-1 of 2 safety injection pumps or 1 of 2 charging pumps (i.e., I of 4 success criteria). SI flow to the RCS hot legs was not' modeled in the fault tree. Hot leg injection was considered only as a recovery action for A and St LOCAs in the event that low pressure l_ hot leg recirculation was unsuccessful Safety injection system fault trees for both the injection and recirculation operating . modes are included in Appendix B. The specific analytical assumptions which were formulated in developing the Si fault tree models are identified in the following section. 4.6-9
4.6.1.5 Assumptions in Safety injection Model in addition te the general _modeling assumptions developed in the analysis and previously listed in Sect. 5.1, several system specific assumptions were made in the course of the $1 system ahaiysis. These specific assumptions are listed belows (1)- Due' to redundancy of the RCS cold leg injection lines, modeling of these pipe segments was not performed. The fault tree top events are, therefore,"Insuf ficient flow through FCV 63-22", (2) Seal cooling and lube oil cooling are required for pump operability in both the injection and recirculation operating modes. . Room cooling is required in the recirculation mode only. (3) Failure to close a minimum flow bypass line does not represent a potential fluid diversion path. However, failure to close these lines; for recirculation may cause system failure, because these valves are interlocked with the pump suct!an valves. (4) No plugginh of 51 system valves af ter system initiation is postulated. (5) Diversion of flow to the RCS hot legs (i.e., through FCV 63-156'or 63-157) does not fall the system. (6) Failure of the operator to isolate the RWST during recirculation, by closing FCV 63-5, constitutes system failure only if check valve 63-510 also allows backflow. (7) Interlocks prevent FCV '63-11 and FCV 63-8 from opening unless the trained sump Isolation valve (FCV 63-73 or FCV 63-72) is fully open and the Si mlniflow valve FCV 63-3 is fully closed or both Si mlniflow valves FCV 63-175 and FCV 634 are fully closed. 4.6.3.6 Safety injection System Operating Experience-No applicable plant specific operational experlence for the Sequoyah Safety injection - d' System was found. i i I 4.6-10 l e
\
i Table 4.6 2 l Safety injection / Recirculation Component Status And Dependency Summary i Component Normal Status Actuation Dependencies i Pumps: ,, 1AiA Standby ESPAS Train 1 A AC-l A-A, DC-1, SWS- A, CCW-A, LPR-A q IB-B Standby ESFAS Train IB AC-1B R, DC-II, SWS-B, CCW-B, ; LPR-B MOVs: 63-5 NO/FAI Remote Vanual AC-1 BI-B . ! 63-47 NO/FAI Remote Manual AC-1 Al-A ' 63 .NO/FAI Remote Vanual AC-1 B1-B ' 63-152 NO/FAI Remote Manual' AC-1 Al-A 63-153 NO/FAI Remote Manual AC-1 B1-B 63-22 NO/LO/FAl/ POWER Remote Manual AC-1B1-B REMOVED 63-11 NC/FAl Remote Manual AC-1Bl-B 63 ' NC/FAl Remote Manual . AC-1B1-B 63-7 NC/FAI. Remote Vanual AC-1 A l- A 63 8 NC/FAl' Remote Manual AC-1 Al-A . 63-3 NO/FAI
- LPR-ICC-NO-633 AC-1 Al-A 63-4 NO/FAI
- LPR-ICC-NO-634 AC-1 Bl-B 63-175 NO/FAl * ' LPR-ICC-NO-63175 AC- 1 BI-B - >
63-156 NC/FAI Remote Manual Not Developed 63-157 NC/FAI Remote Manual Not Developed l j Closes valve to allow opening of recirculation valves _i i FCV 63-8 and FCV 63-11. ' 1, m 4.61I - 1
.-_.-._7 I'
ES.22 g scW FROa4 RH PtW 18 8 - as n 7 E e TO HOT W w
/\, ucs [ g i
w
=
-~ .gr.=s a .sr ,
9 o f222 I'sm N y
% g__, h h.. .- &,. M,. 1 .
> = .a, .% -- _
i m @ e
.n f12f
.T.
m==a . 1o ncs SS A* . . M G o, gg,.,, -satitt-tan ae M-To Hof aneu g e .4-
- u. ucs NW c>4-- A -
10 #CW 1A A as s as sas - es t 0 ,pey g3 , . ms
. serwtow .
TO fMST TOTE: (1) BAFAKERHACKEDCUT ATPOWERSUPPLY Figure 4.6 . Simplified Schematic of Safety injection System
- - , . . -~ - - , . , . . ., - , ..;,-- - - . . . - . - . - - - - -
)
2 f o 1 t e e h ( S B m PG s t e l MJ I r p Lr 'r p ' s y PA ( a, 21 q a R
^
S T n
/ i o
Nf t c OfO I e TI j CTM n EAE DRT i y t iC S f
. 3 t
e fRI Y S
- f sCE
- 6 a t
t 4 S A H e or S r f u A - i g m PA1 F ar i Mi t t p j P p - ; g pal 4 y y a R i T D - y c n e d A B n 1 1 I 8 A B A B A B e 1 1 1 1 1 I p e D R T D R i t E l E E R Si W E iG E EIO Y E' O O : KR f OJiR
? EYRTM P P VE P t, tE J
f TUAE OT iETUT C A C D RT EA f OOA GFATS J F AECY SW CCW ESFAS a*ee" w u - p l
SAFETY ltWECTION - SUCTION FROM l LOW PRESSURE RECIRCULATION - DISCHARGE I I LPR PtMP 1 A - IPR PtAtP 1B TO St PtA4P TO SI14 NP 1 A-A SUCTION 1B-B SUCTION e
- W AC PCTNER 1A ;;
1B 4p LOWPRESSURE A (? RECIRCUt.ATKXI PUMP B .y p DISCHARGE
-Figure 4.6-3 (Sheet 2 of 2) , . . . . . , . - - - ~ . . - . . - , . . . _ _ _ :_ - _ . . . , _ . . _ , _ __._
\ 4.6.4 Charging System Model The charging pumps, together with the safety injection pumps, perform the high pressure coolant injection / recirculation function at Sequoyah. This section discusses the models which.were developed for the charging system. Section 4.6.4 describes the design and operation of the charging system in.both the inlection and recirculation modes. The subsections below provide a physical description-of the charging system, Identify interfaces between the charging system and other front line and support systems; lelentify any operational constraints on the system, describe the fault tree models -developed for the charging system, identify pertinent' analytical assumptions, and describe any relevant operating experience which was considered in the course of developing the charging system models. 4.6.4.1 Charging System Description The charging system at Sequoyah consists of two centrifugal charging pumps (CCP) and one positive displacement charging pump (PDP). Plant personnel Indicated the PDP frequently leaked and was often out of service. For this reason, the PDP was not included in the model of the charging system. Under normal operating conditions, one of the two centrifugal charging pumps is operating to provide RCS makeup by taking suction from the volume control tar.k (VCT). and delivering makeup flow through two normally open MOVs in series. In addition to the RCS makeup function, the charging pumps also provide seal injection flow to the reactor coolant pump seals.- Under - accident conditions, marked by a loss of RCS coolant or' steam line break I (Indicated by low pressurizer pressure, high containment pressure, high steam flow coincident with low T av or low steam pressure, or pressure in one steam generator lower than other steam kenerators), the Engineered Safety Features Actuation System (ESFAS) generates an ESF signal which initiates charging system operation in the injection mode. Under these conditions, the primary function of the charging system is to deliver high pressure emergency coolant in}ection to the reactor vessel by way of the RCS cold legs. ; On receipt of an ESF signal, the second centrifugal charging pump is started, the RWST isolation valves are opened, and parallel MOV pairs on either side of the BIT are opened allowing flow to be delivered from the RTST to the RCS cold legs. In the event of an ; ESFAS failure or a requirement for " feed and bleed" operation, manual operation of the system can be used. in the recirculation mode, the charging pumps take the!r suction from the residual heat removal (RHR) pump discharge. in order to effect switchover from the injection mode of the charging system _to the recirculation mode, it is necessary for the operator to open the MOVs which permit charging system and 51 system suction to be taken from the discharge of the RHR pumps. 1 The charging system design includes two 100% redundant pum'p trains which share a common RWST suction line and a common injection line to the RCS cold legs. The boron injection tank is capable of providing emergency boration if required. The emergency boration function of the charging system was explicitly modeled only for ATWS events. l 4.(-15 ] l p.,_ , 1
}-
N
' A simplified schematic of the charging system, for both !njection and recirculation operating modes is presented as Figure 4.6-4.
4.6.4.2 Charging System interfaces and Dependencies =. In the injection mode, the charging system shares the RWST as a common suction source with the safety injection system, the RHR system, and the containment spray system. In addition to its physical Interface with the safety injection system,.the charging system also has'a functional' interface with the Si system by-virtue of the fact that lointly, the charging and safety injection systems perform the high pressure ECCS function. in the injectionLmode, the charging system is dependent on the RWST for fluid inventory, the AC power system for' pump and MOV motive power, the DC: power system for pump control power, the ESF for component actuation, and the service water system (SWS) room cooling and tube oil cooling. In the recirculation mode, the charging system is dependent on the PHD system as a fluid' source, in addition, the system remains dependent on the AC power system, the DC
. power system, and the SWS system.
These dependencies are shown at a train level of detall in Figure 4.6-5. Component status and dependencies are identified in Table 4.6-3. 4.6.4.3 Charging System Operational Constraints The Sequoyah Technical Specifications stipulate that-both charging pumps, and their associated fluid delivery trains, shall be operable during normal plant operation, in the event that one pump is not operable, it must be restored to an operable status within 72 hours or the plant must go to hot shutdown within an additional 12 hours. No other oper-ational constraints were identitled for the charging system. 4.6.4.4 Charging System Logic Models Success criteria for high p'r essure ECCS function are stated in terms of "m out of n charging or safety injection trains". The charging system is the only system'which can perform emergency boration and seal injection flow. SafetyL injection flow can be performed by combinations of the charging or SI systems. -The following event tree twadings include contributions from the charging system. '
=
[ l Og - Failure to provide high pressure injection from at least 1 of 2 charging pumps or i of 2 safety injection pumps,- (i.ee,1 of 4 success criteria). D. 2
- Failure to provide high pressure injection from any 2 of 4 charging or safety injection pumps.
D3 - Failure to provide seal injection flow to reactor coolant pumps ; from at least 1 of 2 charging pumps. D4
- Failure to provide emergency boration from at least 1 of 2 charging pumps.
H 2_ Fallure to provide high pressure recirculation from at least 1 of 2 - charging pump trains or 1 of 2 safety ' Injection pumps. - 4.6-16 q l
;l 1
A fault tree of the charging system was constructed, using " flow from 1 of ? pumps" as a top event. The entire tree or subtrees were combined with subtrees from the Si fault i tree,1n appropriate logic, to yleid the appropriate tree for each of the above events. . Separate fault tree models were developed for the injection and recirculation modes of the charging system. These fault tree models are included in Appendix R. 4.6.4.3 Assumptions In charging Model In addition to the general modeling assumptions developed in the analysis and previously ! listed in Section 4.6.1, several system specific assumptions were made in the course of the charging system analysis. These specific assumptions are listed below: { (1) ' Although either of the centrifugal charging pumps can he normally . operating, for the purpose of this analysis, it was assumed that pump 1 A-A is normally operating and! that pump IB-B is in standby. For this reason, faults related to both initiation and operation are postulated for pump IB-D while only faults related to, continued operation are postulated for pump 1 A.A. . (2) Due to redundancy of RCS cold leg injection lines, modeling of these pipe segments was not performed. rhe fault tree top events , are, therefore, "Insuf ficient flow through check valve 63-581". (3) In addition to potential fluid diversion paths which are less than one third the diameter of the main fluid Jelivery line, potential diversion paths which are part of normal makeup and seal injection lines were also disregarded from the analysis. ; (4) It was assumed that failure to isolate the VCT upon safety injec-tion would cause pump cavitation and lead to system failure. (5) Plugging of charging system valves af ter system initiation was not postulated. 1 (6) Lube oil cooling is required for pump operability in both the injec- ; tion and recirculation operating modes. Room cenling is required ; in the recirculation phase. Seal cooling is not required at all. ! (7) It was assumed that the minimum. flow bypass lines do not repre-sent a' fluid diversion path due to the flow restricting orifices in these lines. (8) Interlocks prevent FCV 63-11 and FCV 63-8. from opening unless the trained sump isolatten valve (FCV 63 73 or FCV 63-72) is fully open and the S1 mlniflow valve FCV 63-3 is fully closed or both Si mlniflow valves FCV 63-175 and FCV 63-4 are fully closed. 4.6.4.6 Charging System Operating Experience No applicable plant specific operation:' experience for the- Sequoyah Charging . System was found. i 1 ( 4,r.17 p l~
s .d - Table 4.6-3 Charging injection / Recirculation Component Status And Dependency Summary Component Normal Status Acutation nependencies - ! Pumps: 1A.A Normally ESFAS Train 1 A AC-1 A. A, DC-1, ; Operating . SWS-A, CCW- A IB-B Standby ESPAS Train IB AC-l R-B iv.-II, SWS-B, CCW.B MOVs: . 62-133 NC/FAI ESFAS Train l A AC-I Al-A l 62-136 NC/FAI ESFAS Train IB AC-1B1-B - 63-39 NC/FAI ESFAS Train l A AC-l Al-A 63 NC/FAI ESFAS Train IB AC-1 B l-B 63 23 NC/FAI ESFAS Train IB AC-1B1-B 63-26 NC/FAI ESFAS Train I A AC-1 Al-A 63-8 NC/FAI Remote Manual AC-1 Al-A 63-11 NC/FAI Remote Manual AC-I B l-B ! 63-48 NO/FAI Remote Manual AC-1B1-B J 63-47 NO/FAI Remote Manual AC-I Al-A 63-6 NC/FAl Remote Manual- AC-1B1-B 63-7 NC/FAI Remote Manual AC-1 Al-A 62-98 NO/FA!/POV'ER Remote Manual; Not Developed REMOVED 62-99 NO/FAl/ POWER Remote Manual Not Developed REMOVED -r I r b L 1 4.6-18
.t - wassao9oosa i 2 RElE I D g It bl 6 aa fa g
!!!! [
B
$2! l
.a WBSNDONOO 33 i s tij l
d E m
@4!!@G. h .U
=
,,i e
Q f. E8 I 5 dl 5 <- 1 -8 4 $ 1
- g4t:@cill- .[, e is .
a g E
$ E E
!U k! M l ?
X! X! !! zi z! pi 0 E E. : E .- g 5 3 a I 1 M [pg $
*a g7' 24:sgies wo! ,
gl l In! Bht! 86: si gi a oI HC0 at: ni go: II
=
L
- j. g di a I
r 4.6-19 A.
r - CHARGRIG ltDECTIOff HECIHCtA.AllON SYSlEM [) i I i Pt s.tP FtitJP 1RArt1A TRAB818 f\ f I l l l uw sw M b AC POWER 1A ' ' 1B DCPOWER I 17
, a o ' r b
o I SEfMCE 1A WAIER 1B wk mr DIGRIEETIED 1A yy SAFETY FEAillRES-ACTUAllOff '
- 1B 1 ).
SYSTEf.8 Figure 4.6-5 llelsemiency l)lngram for Cimrging System j (Sheet i of 4) l. I
-agg s
.y ,--g r g-g, g r'1m,- g-. 4'aq--ym'-'y ,
3 w y Jmp > sh--%- agy< apy y g4 y gas'**r.r- --m*q,e w -a .g. m__
- _m_f_.m.vi L _ _ _ . ,. , , , . _ m___. _ _ , ___- . .-. -._.._-
m
.e CHARGING PUMP SUCTION SOURCE --
(RECIRCULATION) l' ) 1 I rRou rnou LPR PUMP LPR PUMP 1 A-A 18-8
. (h ()
[ - Le AC PO'/ER 1A (p 1B (). LOW 1A 9 ) PRESSURE RECIRCulATIOtt 1B jp Figure 4.6-5
. (Sheet 2 of 4)
PJ _ , . . . _ . . . . . . , _ _ . , . , . . . . _ . . ., --_.m.__. .._ - _ _ . _ _ __. _ _._._..-.._._ _=
1..... . - ,
.. + -.
g- , CllARGlHG PUMPc ' DISCIIARGE - LINES I I FCV 6340 ' l FCV 63 39 Af1D AtlD . FCV 63-25 FCV 63-26 : .. f l l vM VM As ' - T 4
' AC POWER '. 1A q( ..
2 u
~1B' mv
- EllGitlEERED 1A 9p SAFETY . ,
FEATURES -IB 3 r ACTUATIOri SYSTEf.! - Figure 4.6-5 - (Sheet 3 of 4) .
.+-
, 2
' ' " ~ '- ^^ - " " * '
~ ~ - '"
- ^ ^ * ' '
. - - - , . -,- ' +.<-:-n---a-------c- n - A------~~--~~
_______ g n---.-n. --
. . . . _ . . . ..= _ .
~ ; ~
- CHARGING PUMP:
SUCTION SOURCE
~ (INJECTION)'
[); I I MOV MOV 62-135 62-136 t w v- - - ACPOWER 1A jp
. .10 - jp _
L4 )
~'
EtlGit1E'ERED A SAFETY .. FEATURES .B () 1 -ACTUATIOff SYSTEM Figure 4.6-5~ _
'(Sheet 4 of 4)-
~
* , < - - mm-._...-s..r....e.u.,mm-,a -. ,%. .._[,A,.,_,__.,
_ .m __ ,. , _ , _ l._____3____21-,A.--s --~+hsm,.. --mai -%..%.m..
4.6.5 L Low Pressure injection / Recirculation (LPl/LPR) Model 1The _ Residual Heat P.emoval . System (RHR) provides' emergency coolant injection and recirculation following - a loss of coolant - accident' in' which . the RCS has been depressurized. When the RHR' system provides these functions, it .is referred to as Low Pressure injection (LPI) or Low Pressure Recirculation (LPR)in this study for consistency and comparison with similar studies. In addition, RHR is operable during shutdown-cooling. LPR provides the- suction source for CHP and Si pumps in- the recirculation mode, in addition, the LPl/LPR system performs a containment pressure suppression function by delivering low pressure spray to . the containment atmosphere. Heat exchangers in the LPI/LPR pump discharge lines serve to remove residual heat from .the-containment. The piping connection to the containment spray headers is shown in Figure o 4.6-12. -; The following sections provide a physical description of the LPI/LPR system, Identify ' interfaces and dependencies between the LPI/LPR system and other plant systems,
- identify any operational constraints on the LPI/LPR system, provide a description of the-fault tree models constructed for the LPl/LPR system and identify any relevant LPI/LPP- ,
operational experience which was considered in the analysis. 4.6.5.1 LPl/LPR Description d The Sequoyah LPl/LPR system is composed of two 100% capacity pump trains. In the < injection mode, the two pump trr!ns share a common suction header from the RWST. Each pump draws suction from the header through a normally open VOV'and discharges through a check valve,'two' locked oper, manual valves, an RHR heat exchanger, an air operated valve, and through an MOV, ad arranged in series, which lead to the RCS cold legs. Each of the lines to'the cold legs contain two check valves in series which provide isolation from the high presstire RCS. - in the recirculation mode, the LPP pump trains take suction from the containment sump - through two parallel suction lines. Each suction line contains a normally closed MOV. . The pump discharge path le the same in both the injection and recirculation modes, with I the exception that in the long term, af ter A and Sj events, recirculation flow must be i delivered via the RCS hot legs; in the hot leg recirculation mode, system operation is similar to cold leg recirculation, with the exception.that flow is delivered to the RCS hot legs rather than to the cold legs. Hot leg recirculation requires operator action to redirect flow from the cold legs ' j to the hot legs. On indication of a loss of RCS coolant, the ESFAS . generates an ESF signal which initiates LPI operation.- All system valves are normally aligned - to their injection .! positions and successful LPI initiation requires only that the two LPI pumps start. If primary system pressure remains above the LPI pump shutoff head, the pumps will
. discharge through the minimum flow bypass lines, thereby, avoiding pump deadhead!ng until the primary system pressure has been reduced enough to allow LPI flow to the RCS j
~
cold legs. Upon reaching low RWST level (29%), the recirculation mode is begun by automatically - switching pump suction to the containment sanio. Opening of the pump suction valves,
- FCV 63-72 and 63-73 is performed automatti ally.
A simplified schematic of the LPI/LPR system is shown in Figure 4.6-6. t 4.6-24
}
4.6.5.2 LPl/LPR Interfaces and Dependencies )
' The LPI system Interfaces with the CSS, and charging systems at the common RWST.
The LPR system interfaces 'with the chuging and Si system at .their respective e recirculation suction valves. The LPI system 18 dependent on the RWST as a fluid source, . the AC power system for motive power to the LPI pumps and the MOVs, the DC power , i system for control power to the LPI pumps, _the' ESF for system actuation, and CCW system for pump cooling. In the recirculation mode, the LPR system is dependent on the; i sump inventory as a fluid source, the AC power system for motive power to the LPI l pumps and MOVs, CCW for pump cooling, SWS for pump room cooling, and the ESF which
- generates the signal to switch to sump suction. These dependencies and specific train assignments - are shown in the . system dependency diagram ~ in Figure 4.6-7 and the -
component status and dependency summary in Table 4.6-4, 4.6.5.3 LPI/LPR Operational Constraints The Sequoyah Technical Specifications require that one residual heat removal (LPI/LPR) pump be' operable at all times and-that the pump must have an operable suction and discharge path, in the event that any ECCS pump (LPI, CHP, or SI)is inoperable,it must be restored to operable status within 72 hours or the plant must be placed in_ hot standby within the next six hours and placed in hot shutdown within an additional six hours. The-system models, therefore, reflect the fact that only one LPl/LPR pump train can be-unavailable due to test or maintenance activities at any given time. No other operational constraints were identified for the LPl/LPR system, 4.6.5.4' LPI/LPR Logic Models s The success criteria for the Sequoyah LPl/LPR system vary, depending on the specific application in the event tree analysis. For every case where LPl/LPR is required,- operation of one of the two LPI pumps is required for system success. However, various complements of other LPI/LPR system components are required for.different initiators. The event tree headings _ and corresponding fault tree top events, which pertain to LPl/LPR operation are: D6 - Failure to provide low pressure injection with at least 1 of 2 LPI l trains. H3 - Failure to provide low pressure recirculation with at least 1 of 2-l LPR trains or failure to switch to hot leg recirculation at 15 - hours. l H3 - Failure to provide LPI system operation in the miniflow mode i_ during the injection phase or failure to provide low pressure : recirculation via at least 1 of 2 LPR trains. ' l H4 - Failure to provide LPI system operation in the miniflow mode , E during ' the injection phase or - failure to provide low pressure-recirculation via at least 1 of 2 LPR trains, or fallure to provide p hot leg recirculation in the long term. Wi - Failure to provide 1 of 2 RHR trains during shutdown cooling, [i \ 4.6-25 o.. ,
.s l
The1 fault trees developed .for these events are' included in Appendix' B. ' The specific -
' assumptions used tot develop' the I.Pl/LPR fault trees are included In the' following-
. sec tions.
r 4.6.5.5l Assumptions in LPl/LPR System Models in addition to . the - general modeling assumptions l made Lthroughout. the analysis and identified. iniSection 4.6.1, several system specific assumptions were developed in the-course of the LPl/LPR analysis.' These assumptions are listed below:
~
'(1) CCW is required to provide pump cooling in both the injection and'
> recirculation . modes. Pump room cooling is required only 'In the recirculation mode, primarily due to the short injection phase. ,
(2) The operator is directed to close crossover valves FCV 74-33 and
- FCV 74-35, prior to recirculation. Use of the crossover line to
< deliver flow from one pump via the opposite pump's' discharge line, is modeled as a recovery action if necessary.
(3) : Inadvertent diversion of LPl/LPR flow to the RCS hot legs does not , fall core heat removal for LOCA initiators.1For S2 and transient initiators which regulre containment heat - removati(CHR) such. Inadvertent flow would fall CHR because the RHR heat exchangers , would be bypassed. Analysis showed that- such a . failure would. require two independent: valve mispositioning . faults, incorrect : performance of'~the recirculation switchover procedure, and incorrect periormance of startup flow" testing. On'probabilistict l grounds, therefore, this potential b'ypas's/ diversion pathway)was not _.
. Included in the fault tree models..
-(4) It was assumed that in the recirculation mode, the LPR pumps may.
not take suction from the ' opposite train! via backflow.. For example, the pathway from the sump, through FCV 63-73, back
~
through FCV '74-21, and through FCV 74-3 is not a viable suction ; path for pump 1 A-A. l (5) It was assumed that the only applicable failure mode for locked ' open manual valves is plugging. ' ~ No other failure modes were postulated for these components. f (6) It was' assumed that hot leg recirculation ~1s rcquired for Sg and A~ LOCA initiators at approximately 15 hours af ter the switchover - from RWST to sump suction. [ 4.6.5.6, LPl/LPR Operating Experience No applicable plant - specific operating experience for the Sequ'oyah LPl/LPR system was found. j 1 q 4.6-26
h L
--Table 4.6-4 LPl/LPR Component Status And Dependency Summary
-i Component Normal Status Actua tion . Dependencies o Pumps:
1A-A; Standby ESFAS Train 1 A AC-1 A-A, DC-1, CCW-A, SWS-A IB-B- Standby ESFAS Train IB AC-1 B R, DC-II,'- CCW-B, SWS-B . MOVs:
]
63-1 NO/FAl/ POWER Remote Manual AC-1 Al-A REMOVED. 74-1 NC/ Power Removed Remote Manual = . AC-1 Al-A !
'74-2 NC/ Power Removed ' Remote Manual AC-1BI-B !
74-3 - NO/FAI = Renio'te Manual' AC-1 Al- A 74 NO/F Al ' Remote Manual AC-1B1-B - 74-33 NO/FAI Remote Vanual . AC-l Al-A ~ -l 74-35 a NO/FAI Remote Manual - AC-1BI-B. J 63-94 NO/FAI 'i Remote Manual AC-1B1-B - 'i 63-93 NO/FAl Remote Manual. AC-1 Al-A i 63-172 NC/FAl Remote Manual- l AC-1 B1-B 63-72 NC/FAI ESFAS Train l A AC-1 Al-A . < 63-73 NC/FAI ESFAS Train IB~ ? AC-1 BI-B '; 74-12 NC/FAl
- LPI-ASF-HI-6392 ACil Al-A ' i 74-24 NC/FAI a
- LPI-ASF-Hi-6391 AC-1B1-B '1, AOVs:. 1 74-161 NO/FO }
Remote Manual --- 4 74-28 NO/FO Remote Manual ---- ll i Low pump discharge flow signal opens valve. i 4.6-27 s i
.q
e er
' ^ '
5 5 9 9
.g, 4
' W5T d'
s M ec, 74 24
-nis. 3 (
o g 0 B g
~'
1r m 9 g PS-73 PS-74 M Z2 L ESZB ' ' *
- ssass assee revo l u sca N rev 4s s to 74 ut 7* So hen
'6 TO
. 'C'e pcv RCS sst ta 23 nw ' e xcewxan' -,74 2
- 828M '
OD to e . Elaf;qr,ag 4 37 is e ESJS 7* 88 '
- r-IN'2 **8 LEG nMn N oo "ww. Octrm
<,-4 O i g ~E rev *En a
'ssses as set TO w)(un
. r
. ,cJ ,cv.2>
7s - es eqd,= , 1.ev = a .rt + N
- ncs a 74 2 I flOT k3 , ESZH ESZS ' PS 90 ES2t'
- 3 s LEG m re"a91* - A N Eszz &Yp* d?n d?2.
74 3 iJlcumagm r?, 74 ts
^ 1**, mvm
== ==
' Maar 1A A 1A A PS 83 ~
A reg - m to 12 .g RAIP tA A A Tc7 sa r2 - S Tc7 53 73 mnt m noreAuvcene.POWERREMOVT . p) man ~ os<A, mESSURE flTEFLOCKED VALVES Figure 4.6-6 ' simplified Schematic of the Low Pressure Injection / Recirculation System - m- N , men 9kW- qm m.I. & y g g qum,s ,.,..n.A.,,mr wggwyy ] p- y r 'P' JP-ey* *
'+sm*g ,ef- -'hsm---e=*F -4"N1r%-~ - -
'% quag.-q iMy ,ymg r,-N ,yns . .m.., ,
. ~
? %
s V' r
)
3 f. o 1 t e , e h
~
B reu (S PB 1 s s l Mt i wr ; '; . - e m Uf j , z PA R
"' _ r e P t wys T
E:N I oSn . R !O Uf I , o Sf TM 7_ ri ot SIOA ET1 LE T - 6
- f al l
FCt CS I 4i nt c i PEH Y h W!Ulc S e r ri r Ot E R' u gc L i gi{a c F Dl yn
/
A A c o i 1 nt 1 Wa t t i i F 9 p - -E e c PA R 4 -' -' A l nj e T e p n I e _ D A 0 A B 1 1 I 8 3 1 1 A 8 g 8 1 1 g 1 . H T D H f f E - a K E E H St O
/ V E 1 G t E'EI 1 V
I O P Cl s l yE' OAKi P LE l EYRTl lT t f t AE C nI MOT tETUT i C EA KFATS A D SW' OOA t AECY CCW ESFAS '
~
i
#*r.
P: D.m a r u
~.
F* iNe _ g
_ :j - ' '.a
'" N Q
- _ ^J __
^-fl
, ~ .L '.
-- g;-
.a
.w, . >
- -u-
.- LOW PRESSURE l .
wi
.r
- RECIRCULATION _
-PUMP SUCTION :
~ SOURCES
. O
.I I FCV- FCV?
' 63-72 . 63 :
' (*\
- ud ,Os. k -
.t a
w ,, o .. .
- 1A -n AC POWER .., r
~
' E 18 .
,- r. . "
~.
EllGirlEERED SAFETY 1 1A O J! FEATURES- ^1B 'F ACTUATION T SYSTEM Figure 4.6-7.
- (Sheet 2 of 3) '
.,.p.,w. y,,,. ms6 -..% 4.,9... . , f %e *e ^ eE e * $ e + - sy* r r.gtj w g7,,y- ,,conisy g-- ,iy , _ _., y A,,,,g, , . , , ,. , , . .f_,., _, , . _ _ _ _
s.- .
. e- _
.N:
LOW PRESSURE HOT LEG . RECIRCULATION . {- L.- w
- .i
.b -
o .l .l-8 g .- FCV. ~ FCV. ~FDV 74-33 35- 63-172,_
.j v4 vw t._.w-
. AC POWEll .1A .j p .. Q 1B y
.j
- l
' Figurc ' 4.6-7
~
~(Sheet 3 of 3) d e,- .wy- u e., m,%w w- ww .s ye ...w. -.mi.- d,,.J-w. ...#.+~.,s.-y.%,u .-g-
- , .. .. y- . y, p-.--. , _y ,---.y. - - - , .g... , - , . .- ., , . , _ , g.,.,__. _
w..
li >
' 4.6.6' Auxiliary Feedvater (AFW) System Modeli The Auxille.ry Feedwater (AFW) system provides feedwater to the steam generators (SGs)
~
to allow ' continued heat removal- from . the primary : system- when main feedwater is = unavallable. . In this capacity the AFW system serves as one of the means to perform the - :i safety function of early core heat removal following a transient or s' mall LOCA. l
, , The following sections provide a system description, Identify dependencies and Interfaces - ,
,of 'AFW with other systems, Identify operational constraints, provide a description of the -
fault tree logic model constructed for AFW, identify assumptions pertaining'to AFW that
'i were used in the fault tree analysis, a'nd discuss 'AFW operating experience. :
i 4.6.6.1 AFW System Description The Sequoyah AFW~ system is acthree train ' system ' including two motor ' driven pumps - (MDPs) and one turbine driven pump (TDP). 7 Each MDP discharges toLtwo of the four -
-SGs. The TDP is twice' the capacity of the MD pumps and discharges to all four SGs.
~
Each pump takes suction: through a common header - from Condensate Storage Tanks- ' (CSTs) A.and B or from one of two SWS headers. Each of the two CSTs has a capacity of approximately 400,000 gallons. The Technical Specifications require one CST to be. '
. operational with *at least .190,000 gallons of water. . Eachiflow. path from an AFW pump discharge; to' a SG has two check valves. in series and a .normally closed airc operated 4 valve c A simplified schematic of the' AFW system is shown in Figure 4.6-8. -
The two MDPs start automatically on receipt of an'AFW-actuation signal. This sigrnl is f generated 'In response to any of' the following conditions:. - SG water level low-low, presence of the ESF signal, station blackout, or trip of main feedwater pumps.. The same , signal causes the TDP throttle / trip valve to open automatically starting the' TDP'and causes the normally closed air operated valves in the AFW supply lines to the SGs to open automatically. In~ the event that low AFW pump suction pressure is sensed,' indicating faults in the condensate storage tank suction lines, suction is automatically switched to !
- the SWS headers by opening the SWS header isolation valves.
4.6.6.2 AFW System Interfaces and Dependencies L The AFW system depends on AC power for motive power to MDP motors, DC power for control power to MDPs, TDP, and AOV, and ESFAS for automatic actuation. In addition.to the dependencies listed above, the AFW system also interfaces with the Instrument air system, HVAC, and SWS. HVAC provides room cooling for the TDP and L Instrument air is provided to the AOVs. It was assumed that instrument air is available if AC power is available. Instrument air was included as a dependency.for.the~ AOVs only when long term operation under degraded power conditions .was postulated. The AFW interfaces with the SWS for a back-up water supply, i r Control power for the AOVs in the TDP discharge lines are supplied from battery boards at Unit 2. In addition, the SG water level Instruments which input to the TDP control logic are also powered from DC battery boards associated with Unit 2. ! The AFW system dependencies are shown in the d'ependency diagram which is presented: as Figure 4.4-9. Table 4.6-5 summarizes AFW component status and dependencies. f 4.6-32 <
p i
,4.6.6.3 ' AFW System Operational Constraints
.l The - Sequoyah Technical . Specifications require that three LIndepenitent auxiliary feedwater pumps and associated flow paths must be operable with:
(a)' ~ Two motor driven AFW pumps, each capable'of being powered from . separate shutdown boards, and { (b) One steam' turbine driven AFW pump capable of being powered from. an operable steam supply system. ' In the event that one AFW pump is inoperable, the pump must be restored to operable-status within 72 hours or the plant must go_ to hot standby within the next six hours and l go to hot shutdown within the following six hours. - With two AFV' pumps inoperable, the - plant rnust go to hot standby within six hours and to hot shutdown within an additional six t
- hours. With three AFW pumps inoperable, corrective action to restore at least one pump-to operable _ status must be taken as soon as possible. No.other ' operational constraints
' were identitled for the AFW system. i q
'4.6.6.4 AFW. System Logic Model The success criteria for the Sequoyah- AFW system _ vary depending on the application in the . event ' tree . analysis. The AFW. system success criterion:for all initiators except. j ATWS is' AFW flow to 'any-two of fouristeam generators' from any one- AFW pump. The 1 ATWS Initiator success criteria-is 'AFW flow- to three of four steam generators from 2 i MDPs or 1 TDP. The event tree headings which pertain to AFW operability are: l L3 1 Failure to provide auxillary feedwater from I of 3 pumps to at I least 2 of 4 steam generators, t L2 -
Failure to provide auxillary feedwater from 2.of 2 MDPs or i TDD to at least 3 of 4 steam generators. < L - Failure to provide auxiliary feedwater from 1 of 3 pumps to 2. SGTR of 3 Intact steam generators. { The' fault trees developed for these top events are included in the , Appendix B. The. specific assumptions'which were made in developing the AFW fault trees are described in-the following section, t 4.6.6.5 Assumptions in AFW System Model 'I in addition to the general modeling assumptions made in the analysis and previously .! discussed in Section 4.6.1, several system-specific assumptions were made in the course ; of the AFW analysis. These specific assumptions are as follows: 1 (1). Room cooling is required for the turbine driven pump. Room cooling is not required for the motor driven AFW pumps. The MD pumps are i in an open room and have ~been environmentally quallfled to meet - local high energy break requirements.. The = high energy break requirements would likely be more severe cthan those conditions ] expected from loss of room cooling. e 4.6-33 i
+,%- f
,,xy -
N, 4:
' ~
-(2) Based on' system diagrams;and conversations with plant' personnel [it
- was concluded that the normal positions of the valves ~1n the common.
~
E* 2 steam supply line ere those.shown in the simplified P&lD. FCVs 1-15, 1-17, and 1-18 are normally open and fall as is., FCV l-51 is normally -
- closed and falls as'is, but receives two.independentisignals to open
.when required.' FCV;.1-16 is normally closed and isl signaled to open If e
< > FCV 1-15 is sensed to be in the closed.pbsition..
(3)~ . The ,AFW ' minimum: flow bypass lines;do n'ot constitute a significant:
- potential fluid diversion path. q (4)L Spurious.. signals which could potentiallyJ close steamfsupply valves- 1 '
1-17 and t 1-18 were not included in the analysis on~ the grounds that < > these events are believed to be probabilistically insignificant-relative-
~
; to other postulated failures. ; , j A
(5) its was assumed that lf the throttle / trip valve'(FCV l-51): initially -
. opens as' required, it .will continue to open, and close, as required over the AFW system mission time.
(6) ' '. Valves FCV 3-172, 3-173, 3-174, and 3-175 require instrument. air in i
~
order to open. However, they are equipped with accumulators. These?
~
d valves can be manuallyiset in-the open pos1 tion? and :therefore loss of - Instrument air is recoverable. it.was also assessed that probability.of ?
; loss - of ; instrumentiair ; is L very csmall, ;if LAC. power 3 is available. ' q LConsidering the potential recovery action, and the high reliability of;
. air if AC power Is available, fallure of.these valves due;to' loss of -
~ Instrument air- was only_ considered in station black ~out; sequences; ' For ;
blackout sequences the TDP AFW fault tree model was modified by including a single cutset for failure to manually open these valves. (7)' : Suction sources for the AFW. system are the condensate storage tanks . (both tanks) and the SWS headers.- a (8)' ~ Long term operation-of > AFW without DC power and 120'VAC power-was assumed to be- unfeasible. . Although -it! may be possible to; set !: pump speed . manually ' fin th.e . absences of!l control power, " L instrumentation is required to measure: water level, and.thus provide E feedback for speed control. [ 4'6.6.6 AFW System Operating Experience No' plant specific-operational experience was included in the analysis of the Sequoyah auxiliary feedwater system., 4 I , 1
+
4.6-34 .m
y . . s
;O ' ,_
{ , iy o ; L i Tabie' 44-5 J AFW Component Status And Dependency Summary - j
- Component . Normal. Status Actua tion . Dependencies'
. Pumps - *
.. MDP 1 A-A ' Standby'- x ESFAS Train 1 A Ar-1 A- A~, DC-I--
+ . MDP IB-B1 . Standby. ' ESFAS Train' IB' AC-1B-B, DC-Il .l uTDP 1 A-S Standby.
~ '
ESFAS Train I A.. Main Steami DC-Ill' 1
" . . ESFAS Train IBf .
MOVs: ' ,
- 3-!!6 A ' NC/FAl' . Low lMDP-A Suction Pressure'
~
AC-1 A2-A'.
; 3-i l6B ' NC/F Al' Low MDP-A Suction Pressure AC-1 A2-AL d p' #'
3-126 A ' NC/FAI : Low. MDP-B. Suction, Pressure AC-1 B2-B - 1 i L3-126B- NC/FAl ,~ Low MDP-B. Suction Pressurei ~ AC-1B2-B -
- l 3al36A' NC/FAI . ~ Low TDP Suction Pres:ure " ' AC-1 A2-AL 3-136B. NC/FAI - Low TDP Suction Pressure ~ AC-1 A2-A 31179A NC/FAI - Low TDP Suction Pressure AC-182-B -- ->
.3 179B' NC/FAI , ' Low TDP Suction Pressure ~ ACelB2-B 1 . NC/FAI - .ESF AS Train l A L . AC-1 A2-A 1-15' NO/FAI ' AC-1 A2- A 1-17/ NO/FAI' '
; AC-1 A2-A" l-18L NO/FAl AC-1B2-B :
1-51 NC/FAI L ESFAS Train I A ' DC-Ill . 1-52'- NO/FAI ESFAS Train IB: - DC-Ill , -l q
'AOVs: I 3-164 NC/FO on Loss < ESPAS Train l A' DC-1 ,
of DC'and . Loss of Air 1 3-156 NC/FO on Loss ESFAS Train I A' DC c} of DC and j Loss of Air j l, 3-171 NC/FO on Loss ESFAS Train IB DC-II ' 3 l of DC and . j Loss of Air 1'
.'3-148 NC/FO on Loss ESFAS Train.lB'. DC-II L L - of DC and l Loss of Air- .
.{
3-175 - NC/FO on Loss ESFAS Train I A ' DC-III ~ ! 3 of.DC, FC on - .[ L Loss of Air 3-174 NC/FO on Loss ESF AS Train' IB DC-IV - -l of DC, FC-on .j Loss of Air. .. oi 3-173 NC/FO on Loss ESFAS Train 1B ' DC-IV - 'i of DC, FC on 3 4
- - Loss of Air .
.g b- 3-172 NC/FO on Loss ESF AS Train l A DC-III .
of DC, FC on Loss of Air l. 4.6-35 , i g# m]
' -jj
, ~-. _ _
w Mim M. m " _ A .A 5 5
. , r- ,e.
p,,,,
- g. 9 y
n.x es. h,. ic.
-2 ==-
.l l ,
l U U
= TsT ,]
= =')( es 4o2 ..a ;g ..-. s
~ PS4tB
' # w
>.n .
.tc.=. ps e , 44,.-,2
, - cv 6 . ,,,,,, . e pggts m
,A g p
Q, ' 5 es;,g .es
-me
; ., =a na== -- .
aam en :- A A eier- . M4f 7 - g . c.s ; ,,,,,,e., Mtacta-
= .i.c,. . T.c.g
, g ,c . eswe .
_. estr,a . .icn. . ps ,7 . p3 , -y d*
~ ogegantogs 0-4 -
3 I
.. .., ;cg, .. -'
_ A PS4?f pg4pg - ses .A o : is, Ta- ,yg ,93 < h., ic.. , - :l es4 , 3
- .m g to pg494 afucorwaar
- - PS4 f 5 jo, ,mc - 3.m . ,tg
;6o. >h, **"
. gr
.;; g,,e. .
, @ .- @ EJ @
a._ a.,' . VALVE WALVE _
.Can .= ?: ?: . ?: ?: = .12. .
a '/o'". a3 - '" es e n4n. Figure 4.6-8 _ Simplified Schematic of the Auxilia.y Feedwater System
..;~,.. ,._-.__..a~e_--.,_
, . . a_' - _ L_. nu';_'. _
+-n.,.,. - _ _ _ _ . s-w + . - -- . . - - . .--n...~w_.-.-. -
-' .. p w
.. AUX 1LIARY-FEEITNATER '
- SYSlEM ~ -
'( ) .
_. I 1 PUMP PtitP TDP-1RAlti ~ IRAlta - THA94 1A A -18 0 ' 1 A-S J R L ACPOWER- 1A 17 o .
- IB ,r b-N DC POWER g qp la MP. .-
ill qp EtlGitlEERED 1A. '(p . '
'NI ~
-SAFETY -
FEATURES- 1B- .iF. 4i. ACTUATIOt!'-
- SYSTEM :
Figure .4.6-9 :
' Dependency Diagram for tiie Auxiliary Feettwater System f
_ __----_.-_--a_ - _ _-. ..:.-. --- . - _ .
4;6.7 f Primary. Pressure Relief System (PPRS) Model The primary pressure relief system (PPRS) provides protection from overpressurization of the primary system to ensure that primary system stress limits are not exceeded.~ The
.PPRS also provides the means to reduce the RCS pressure if necessary for situations such as feed and bleed. The following sections provide a physical description of the PPRS, Identify the interfaces and dependencies of the PPRS with other front-line and support . systems, identify any operational constraints on the PPRS, provide a description of the l fault tree model constructed for the PPRS, identify the PPRS specific assumptions, and' identify the operational experience available for the PPRS.
4.6.7.1 PPRS Description i DThe Sequoyah PPRS is composed.of three safety relief valves (SRV) and tw6 poweri ,
' operated relief valves (PORVs). = The safety valves; were important only in the ATWS ;
- analysis. > Thel PORVs provide RCS pressure relief- at a set point below the SRVs. -' All
' l
- relief valves discharge to the pressurizer. relief tank. Each PORV'is provided with' a; j motor operated block valve. A simplified schematic of Lthe PPRS:Is shown in Figure
4.6-10. , i-' The PORVs automatically.open on_ high RCS pressure ^or are _ manually opened at the - discretion of the operator. The block valves are normally open unless a PORV is leaking.- I 4.6.7.21 .PPRS Interfaces and Dependencies The PPRS is dependent on DC power for control power _to the PORVs and AC power buses
. for ; motive - power- to theo PORV ~ block - valves. ' The PORVs are not' dependent: on- t i
instrument' air. The SRVs have no dependencies; on any other plant system. The ! dependencies are shown in Figure 4.6-11. ; 4.6.7.3 PPRS Operational Constraints } No operational constraints were identified for the PPRS. . i 4.6.7.4 PPRS Logic Model , i The success criteria for the Sequoyah PPRS varies depending on the specific event tree application. The following events represent various PPRS failures addressed In' the event - trees: Pg - Failure of the PORVs and block valves to open (2 of 2 trains) for i feed and bleed. P 2 Less than 3 of 3 primary safety valves or 2 SRVs with 2 PORVs valves open. j Qg - Failure of any PORV to reclose, j Q3
- Failure of any SRV or PORV to reclose.
The Boolean equations developed for these events are presented in Appendix B.
.j 4.6-38
, o f
k 4.6.7.5- PPRS Operating Experience Based on generic PWR. experience each PORV is blocked on the average, 20% of the. q time.
~
PORV demand was based on lnformation in-V iCAP 9804U 7) . The PORV demand for T 2 and 3 transients haveToccurred transients is 1.4E-?/ to predict a PORVdemand. demandInsufficient numbers rate. .it was estimated of T3 thatandthe T V demand - rate for these transients was 0.1.
-i o
~
i i I l
-j 1
- j 4.6-39 g t
..7-
')
TO PRESSURIZER RELIEF TANK
- a- a. a.
' 68-563 8-564 68 N
g L h -565
~
l FCV -FC- ' 68-333 PCV 68-3341 b FCV-4 FC
>. ~.
68-332 .PCVE "68-340A - PRESSURIZER ALL COMPONENTS INSIDE _ CONTAINMENT . Figure 4.6-10
.Simplifie<1 Scliematic of the Primary Pressure Relief System - ,
l l
- m. .a.... . .. . a . _ ;__._,_._ _ . . _ . .:.._u.._.,,_ _ _ . . . . _ . , ._. _...;
, )'i .
=
fL i-' _ _ K g c2 ; o33 q u t
~
S L ) - 1 L ( A V m t e s y - S -- K f l C3 e O3 I 3 i l D' e - R e r u s s e r I_ - 1 P l 6 y W4 r f 3 E 4 a T O P 3 - e r i m u g P r - n i '~ F eh t r
) f o
1 ( m . a r - g a . i - D . y - c V A n - g H0 O4 y F e.
- c. e -
P3
;. d n l e
W n p e o D s d . A B i n 1 1 e p e d ie g H R o E E l W W e r O O a u P P a C C F ~. A D ) - 1 ( . J
=_
=___
I I . i
a: 4.6.8 . Containment Spray System (CSS) Model
' The Containment Spray System (CSS) is designed to act with the Ice Condenser System--
(ICS) to provide containment pressure' suppression during the injection phase following a l LOCA and provide containment heat removal during the recirculation phase following a
- LOCA. It performs pressure suppression in the Containment Spray injection (CSI) mode
;'by.' spraying cool water from the RWST to condense, steam in the . containment. Upon depletion of the water in the RWST, the CSS is shif ted to the Containment Spray Recir- y culationL (CSR) mode,' through ~a combination of _- automatic and operator. actions, to l perform the containment heat' removal safety function in the recirculation phase of the' /
accident. CSS also performs the containment radioactivity removal function.
.The following subsections provide a . system description,, identify dependencies 'and interfaces foi the CSS 'with other systems, Identify. operational ~ constraints,t provide a. >
description of the fault tree, logic model constructed for. the CSS, Identify assumptions J pertaining to the CSS that were used in the fault tree analysis, and discuss CSS operating i 1 experience. - t 4.6.8.1 CSS Description < The Sequoyah CSS contains two 100% capacity pump trains. EacS train includes a centri-fugal pump, a heat exchanger (HX),:a minimum flow recirculation line, and associated piping and valves, in the injection mode, the ^ two trains draw water from the RWST ,
.through a common suction line (with no active components) which is also shared with the-charging, SI, and RHR pumps. ~ 1n the _ recirculation mode, the two trains draw water from -
the containment sump through separate,. parallel. suction lines which are shared with the ' corresponding RHR pump trains. In the CSR mode the water flowing through the-CSS pump trains is' cooled by service water flowing.through the secondary side of the CSS HXs. Each CSS pump train discharges through a normally closed MOV and a check valve to its associated containment spray ring header. A simplified schematic of the CSS is1 shown in Figure 4.6-12.
-Both CSS pumps are normally in a. standby condition. They start automatically. upon re-ceipt of a Phase B containment isolation signal _ from the Engineered Safety Feature Actuation System (ESFAS). 'The Phase B isolation signal'Is initiated by a~ containment pressure differential of 2.81 psl between the lower containment compartment and the .
annulus between the ice condenser and the outer containment wall. The Phase B isola-tion signal also causes an "open" command to be sent to normally open MOVs in the CSS ' pump suction lines and to the normally closed MOVs in the CSS pump discharge lines. A 30 second time delay is included in the CSS pump start circuitry. 4.6.8.2 CSS Interfaces and Dependencies The CSS Interfaces with the following support systems: the Electric Power System
.(EPS), the Essential Raw Cooling Water (ERCW) System (called the Service Water System ..
(SWS) in this report), the Component Cooling System (CCS) (called the Component Cool- 1 Ing Water (CCW) System in this report), the Engineered Safety Features Actuation System (ESFAS), and the Heating, Ventilation and Air Conditioning (HVAC) System. The CSS fault tree is linked via developed events to fault trees for all of these except ESFAS and HVAC. The interfaces between CCS and PVAC are included as requirements for fan coolers and service water in the fault trees. The interfaces between CSS and ESFAS are ! treated as undeveloped events. l 1 4.6-42 ?- ___ i i
q CSS train assignments and dependencies are shown in Table 4.6-6, CSS Component Status , and Dependency Summary, and in Figure 4.6-13, CSS Dependency Diagram. 1, 4.6.8.3 CSS Operational Constraints The *r echnical Specifications on the CSS require both CSS trains to be operable during - plant operation.- The action statement requires that an inoperable CSS train be restored j to operable status within 72 hours, or that the plant be in hot standby within the next 6 hou rs. . 1 4.6.8.4- CSS Logic Model
~
The two safety functions performed by the CSS which are of interest to this study are containment heat ~ removalc and post accident radioactivity : removal.- Both 'of these i functions occur in the recirculation phase of a LOCA. _ The pressure suppression function of the CSS performed .during the injection: phase is redundant to the ice condenser - function. Due to the very high reliability of- the ice condenser,- the sprays are very ; seldom required. The principal function of the sprays is to inject borated water into the ! l containment, to support spray recirculation operation. CSR is required for containment-
. heat removal in the long term af ter the ice has melted. l' The two functions performed during CSR are containment heat removal and containment-radioactivity removal. The heat removal function required spray action and service l j
water to the heat exchanger, while the radioactivity removal function can be provided if ! ' only the spray action is available, with no service water 'to the heat exchangers. However, the CS pumps are dependent on the service-water system for cooling. The: component cooling water supply comes off the same header as the water supply to the heat exchanger. There are very few failure combinations which will fall containment j heat removal, but allow continued pump operation. .The probability of these-failure j j combinations is insignificant compared to the probability of those failures which fall both
~
heat removal and radioactivity removal. Therefore, a single fault tree was gen: rated -I which represented failure of both functions. The event tree headings are as follows: 1 FI - Failure to provide spray flow through I of 2 headers, taking suction from the RWST. l Fr - Failure to provide spray flow through 1 of 2 headers, with service water supplied to_ the attendant heat exchanger, taking suctioni from the-
.f i
containment sump. The CSI and CSR fault trees are included in Appendix B. 4.6.8.5 Assumptions in CSS Model in addition to the general modeling assumptions made in the analysis and previously discussed in Subsection 4.6.1, System Modeling and Scope, several _ system specific ) assumptions were made in the course of the analysis. The following specific assumptions 1 were made in the CSS analysis: (1) Flow diversion paths are significant only if they have a piping . diameter greater than 1/3 of the diameter of the main piping. (2) The probability of inadvertently opening two locked-closed valves in series in the same flow path is insignficant. i j 4.6-43
e t (3)- Success or failure of CSS is not affected by success or failure of LPR spray; 'unless thel failure is. due' to faults in shared components (i.e.,
, common sump suction line).'-
. ('4 ) . The misskn time for the recirculation phase is'24 hours.
7; _ c. 9 R
- (5) .Fallure to isolate a CSS pump suction' from the RWST at the end of-the injection phase will cause insufficier;t; flow from the containment' sump to that CSS pump during the recirculation phase.
. (6)' The probability of plugging suf ficient nozzles to fall a' spray' header .
was considered to be negligible compared to other system faults.-- ,
-1 4.6.8.6 CSS Operating Experience ~
No applicable plant specific CSS operating experience for the Sequoyah CSS was foand. 4 i n 1 l 4
'i i
h a 4.6-44
. .f ,
i
'I Table 4.6-6 '
. . , t CSS Component Status And Dependency Summar_y Normal Component . Status- '
- Actuation Dependencies a
Pumps: _ lA-A Standby _- ESFAS Train I A* - AC-1 A-A : ,
- DC-1:
~ CCW-A SWS-A IB-B Standby ESFAS Train IB* AC-1 B-B .
DC-II . ~' 5 CCW-1 B
^
SWS-1 B ' CSS MOVs: 'I 72-21 NO/FAI ESFAS Train lB* AC-1 B1-B 72-22 NO/FAI ' ESFAS Train I A* -- AC-1 Al-A : ! 72 NC/FAl ESFAS Train ~1B* ' AC-1 BI-B - 72-39 NC/FAl ' ESFAS Train I A* = ~ AC-1 Al-AL E 72-20 NC/FAI Remote Manual ? AC-1B1-B j 72-23 NC/FAI Remote Manual _ AC-1 Al-A , i SWS MOVs: a 67-125 NC/FAl Remote Manual 'AC-1 A2;A 67-126 123 NC/FAl Remote Manual AC-1 A2-A j NC/FAI Remote .Hanual- . AC-1B2-B 67-124 NC/FAI Remote Manual ' AC-1B2-B - t b i
'i
. Phase B Isolation Signal (Containment Pressure Hi-HD i
t 4.6-45 j F h
-- _--.L_. --- - 3
w
=>
1g css usT t em . _ . IC . n ser ___,lg,_ff:!! _ _'4 marase me n owt DaE
#cv #cv 4
LIEm
~ ES:ff - ~
rez' Ps-sr . far =~ g .1 eg PS-50 7 Egtm tg F To ses aws la a Yk
-s _
l AC 1P 6 82J CS$ Hit . ' M M* ;6 '9P t C aaaaaaaaa PS-5 2 -
-m- atF2 HS . PS-5f j
nlZs. 72 'M M M .l 74 25 '55Idi"s**" fCV tc 1P~ ~ N 72 SM aaaaaaaaa 4' - TJ 40 ' F2 $64 ; 6 PS-54 t 1r. 73 .,.aaaaaaaaa 5 c g acy . teNe4 ad FI OW TINE j JL , , Fn20 72-13 RERIFt 98G WATER ftEYtmed mm
, c-I, ,
= .=
g assanesericStse g j,"g h $ a rev re am '. og .- f 7* q g 4 sCv M'2
&fCV 80 74 si 74 620 to am ia 74 S24 to
. fcv - pey ' 43 83
.N
" vo ftCS M
74 3 N# 1
.7H4 yg CM 4a
-66 csa ar =
f H.cv - M,cve.
. :St:. LCT,
^
* ** lCy -+
rev . T p 1rucy-
;L74 3F F4 - cn f,. ,,
b6 E ..
== ; == -
-- ,4 ,,
Itf B ' graman._aa!!1 Mime .g ?:
~ >>. :::,
PS-s4 cw
- an Ley, is-os Figure 4.6-12 Simplified Schematic of the Containment Spray System"
. . , _ . . . .z __ . . _ ._ _ _ , _ . . . _ . _ . . , c_ , _ ; ,,_ _ , , . , ._ _ _ _ .
'~ '
. gg ',
SPHAY- ~ SYSTEM
's
#) --
I I~
- css ess TRAt31A TRAta18-f f l i w w A m AC POWER 1A ' r JL 1B 'F DCPOWER- 1 1 P e ;E
.a-1A ' '
f d. SERVK:E
. WATER q p
> y 18 >-
1r COfAPO JENT. ' . IA q p COCLV Ca : WATF t . 1B '
)
=
EtaGalEEHED - . yg ,, SAFETY 'r
'FEATunES :
~19 ACTUATKX8 qp '
-SYSTEt.4 -. -
.~
Figure 4.6-13..
~
- Dependency Diagram for the Containment Spray System -
3
%.%p. w au
- y.'s..+ 4m,.h,.- ,_-we.-- m- 4.
3 -.s. .,e.' y ( -.f.a-s.wm,- Jf p w a-A9p- *# eg 5,.yyy
+*gi _y'N'-- M' .v:-wA e t*T O't('M1- e "-'%'T-Mw4' 4 t'N' 7 P W#-MW'P
( 4.6.9 - Component Cooling Water (CCW) System Model The Component Cooling System is abbreviated CCS at Sequoyah but is referred to as the CCW system in this study. for consistency and ease of comparison with similar. systems at< other plants. The systems CCW (i.e.,system' provides; engineered cooling).
~ safeguards watersystems
- These to_ various includecomponents RHR, Si, andIn front-line CSS.- CCWesafety' - ;
also provides cooling. water to the Reactor Coolant Pump.(RCP) thermal barriers. The following subsections' provide _a system description, identify. dependencies and
- interfaces between CCW; and other systems, identify operational constraints, provide a; J description of the fault tree logic model constructed for CCW, identify assumptions pertaining -'to CCW;that' were used in the fault tree analysis, and- discuss the CCW_ .;
operating experience.
- 4.6.9.l' CCW System Description The Sequoyah CCW. system is a closed cycle system. lAs shown 'in Figure 4.6-14, Sequoyah CCW Schematic, it contains five centrifugal pumps and three heat exchangers (HXs) and serves both' Units _1 and 2. Train I A engineered safeguards equipment is normally served by CCW Pump 1 A-A and CCW HX' A, which also serve the RCP_ thermal barriers in the Unit I reactor building. Train 2A is normally served by CCW Pump 2A-A and CCW HX B. The B trains at both units (i.e., Trains.lB' and=2B) are normally' served by CCW Pump C-S and CCW HX C. The CCW pumps take suction from the CCW return j lines from the engineered safeguards equipment.they scrve. They discharge through the ;
CCW HXs to the CCW. supply lines to the engineered safeguards equipment they serve. A fraction ~of-the flow from CCW Pump 1 A-A is routed through Thermal: Barrier Booster i Pump 1 A .A or IB-B to the Unit l'RCP_ thermal barriers and-is returned to the common suction header of CCW Pumps I A-A and IB-B. Another. fraction of the Train'l A flow is normally routed through the spent fuel pit heat exchangers, which can be switched to-l Train 2A in the event of an accident at Unit 1. Of the CCW pumps and HXs that are normally aligned to serve Unit 1.(i.e., Pumps I A-A,
~
IB-B, and C-S and HXs A and C), Pumps 1 A-A-and C-S and both HXs .A and C. are normally in operation. CCW Pump IB-B is normally in a. standby condition but starts automatically on _ low pressure at the combined discharge header of Pumps 1 A-A and
~
- 1B-B. In . addition, each CCW pump receives anl automatic start signal fromL the corresponding train of the ESFAS.
Of the Unit i RCP thermal barrier booster pumps, Pump 1 A-A is normally operating and Pump IB-B is normally in standby. Both pumps receive an automatic start signal from e the ESFAS. 4.6.9.2 CCW System Interfaces and Dependencies I CCW Interfaces with the following support systems: -the Electric Power System (EPS), > the Engineered Safety Features Actuation System (ESFAS), and the Essential Raw , Cooling Water (ERCW) System (called the Service Water System (SWS) in this report). ( The CCW fault tree is linked via developed events to the fault trees for various EPS trains and to the SW System (SWS) fault tree. The interfaces between CCW and the ESFAS are treated as undeveloped events. 4.6-48
,i ..m_____. _ _ - _
l I: CCW train assignments and' dependencies on other support systems are shown in Table 4.6-7, CCW Component Status and Dependency Summary. The common CCW/AFW pump space is cooled by space coolers that include fans and heat - exchangers, which in turn are cooled by the SWS. However, room cooling of' the CCW 1 room was assessed to be unnecessary for continued pump: operation (see assamptions). Therefore, loss of CCW/AFW room cooling is not included in the CCW fault tree. CCW also interfaces with front-line systems. The LPl/R system depends on CCW for removal of heat -from the RHR HXs and pump seal water HXs. The HPI/R system depends on CCW for removal of heat from the Si pump. The CSS depends on CCW for - removal of heat from the CSS pump oil and mechanical seal HXs.- In addition, CCW is needed to cool the-RCP thermal barriers. Specific interfaces between CCW and the-
~
~
systems it supports- are shown in Table 4.6-8, Interfaces between CCW and Systems Supported by CCW. 4.6.9.3 CCW Operational Constraints ' Following an accident at Unit 1,, activation of the RHR heat exchangers require s activation of an additional pump or transfer of the spent fuel pit heat exchangers to 1 CCW Train 2A. If two CCW pumps-(i.e., Pumps l A-A and IB-B) supply Train l A, then 'j adequate cooling flow can be provided from the Train- l A engineered safeguards ', equipment, the RHR heat exchangers, and the spent fuel p!t heat exchangers. This ' ! constraint does not apply during the injection phase. ~l Technical. Specifications require two CCW loops to be operable at each unit. This requirement can be met with three pumps. One CCW pump was assumed to always be , required to service Unit 2. It was assumed that any pump could be aligned to either CCW l header at Unit 1, af ter an initiating event. The pre-Initiator configuration, however, has the 1 A pump supply the 1 A header and the C-S pump supply the IB header.
.i 4.6.9.4 CCW Logic Model l As indicated in_ Table 4.6-8, there are three top events in the CCW fault tree. They correspond to the three groups of equipment served by CCW as follows:
CCW Fault Tree Top Event Associated Equipment Insufficient Cooling Flow from R CP Thermal Barriers ' CCW Pipe Segment (PS) 345 ' Insufficient Cooling Flow from Train l A Engineered Safeguards 1 CCW PS 337 Equipment ; Insufficient Cooling Flow from Train IB Engineered Safeguards i CCW PS 356 Equipment ! The first top event listed above appears as the following event tree heading on the Sequoyah event trees discussed in Section 4.4: i W - Loss of CCW to RCP thermal barriers L 4.6-49 q l
-The'second and third top events are used to'llnk CCW to frant-line systems through developed events in the front-line system fault trees.
The part of the CCW fault tree that is common to the first two top events includes house events representing engineered safety features (ESFs) operating in the injection mode and in the recirculation mode. These house events are used to turn on and off different parts of the fault tree depending on the ESF mode, since the success criteria,in terms of the number of CCW pumps operating in train l A and the status of the spent fuel pit HXs are different, depending on whether ' ESFs are in the in}ection mode or in the recirculation mode. If the RilR HXs are not required, one CCW pump'will provide sufficient flow to train l A and the RCP thermal barriers, regardless of whether or not spent fuel pit HXs have been transferred to Unit 2. Af ter activation of the RHR HXs,in the recircalation mode, one CCW Pump will provide suf.ficient cooling only if the spent fuel pit HXs have been transferred to Unit 2, but both CC? Pumps I A-A and IB-B are required if the spent fuel pit HXs have not been transferred. The CCW fault trees are included in Appendix B. _ 4.6.9.5 Assumptions in CCW Model in addition to the general modeling assumptions previously discussed in Subsection 4.6.1, System Modeling and Scope several system specific assumptions were made in the course of the analysis. The following specific assumptions were made in the CCW analysis: . (1) The RCP thermal barrier booster pumps are not interlocked. That is, af ter rece'pt - of a signal from the ESFAS, both pamps are operating and operator action is required to stop one, although it is , acceptable for both to continue to operate simultaneously. (2) In lines that normally have CCW flowind through them (i.e.,-lines connected to CCW cooling loads that are normally operating and for > which Indication of loss of. cooling would be available to the r operators), plugging and inadvertent closure of normally open valves and failure of check valves to open are not postulated to occur, t Examples include Pipe Segment (PS) 334, which is normally providing ; flow from CCW Pump 1 A-A to the RCP therrnal barriers; PS 337, which is m mally providing flow from CCW Pump 1 A-A to the CCP
- 1 A-A medanical seal HX; and ' PS 339 and. PS 342, which are normally providing flow from CCW Pump C-S to the waste evaporatot building. This assumption applies to the following CCW pipe segments:
PS 301 PS 323 or 324 PS 339 PS 350 PS 302 PS 325 or 326 PS 342 PS 363 : PS 303 PS 329 PS 344 PS 304 PS 330 PS 345 ! PS 305 PS 334 PS 346 PS 309 PS 335 PS 347 PS 311 PS 336- PS 348 , PS 318 PS 337 PS 349 4.6-50 t
.r; - - . - . . - . - .
e
~ ,'; N :
' ' i
<3 t
g I a l 7
*i rd . . . . .
.(3) During the Merch 1986' plant visit,"It was learned that the CCW '
a M , .; m , pump motors were recently replaced' with motors which' were - i'
. environmentally lquallfled to meet high energy line break criteria. it q .was assumed that the EQ capability,60mbined with the open nature: l c of the CCW pump room,'would eliminate' the. need for CCW pump '
'i-room cooling during accidents.
j
- t.
3 '4.6.9.6 CCW Operating Experience - gj
. 'No applicable plant specific operating experience on the CCW was found.u >
+
',, , 't
.'{
.t 1se !
6 l i i
< ;i 4
i
)
i I i {
'?
q
?
'l u .;
.i
-t
- .t
, s b
i i 4.6-51 .t
~
! .7 ' n . 1 y'+ [g vs '
+
.. , . - .-i. --
t n '
a.g - _
. .-~
,. c ..
# s
^
~ ~ '
qf
~
- v. ;
s # ._ . _ ~
~
- Table 4.6-7; .
, 1 -
- CCW Component Status And Dependency Stmeary::_ ,
s_;. -- 'R- ,_ _ _ ( , CCW NORMEL
~
. CCMPONE'4T ' TRAIN STATb5 ACTtRTION DEPENDENCIES Pimps: '
17.-A 1A Operating .ESFAS Train 1A or low Dixharge Pressure; [AC' ,STAl-A :. -2 DC - 1~ S ESFAS Traln-1B or Low Discharge' Pressure AC - $181-6 ~m
~
18-B 1A Standby DC _. n. C-S 18~ . Operating ESFAS Trafa 1A er 1B C - $2B2-S (Norm} < AC - STA2 4 (Att) +
- DC - IV (Norm), .
T
~
' E
- o. DC - 1 ( At t) =
g cn ,
,3, -
Operating- ESFAS Tealn iA . ' M - TA1-IA TBP1A TA -
- ' ~
DC: .1 TBPIB- 1A Stendby .ESFA3 Train IB.
~
. AC - 181-s; , . ,
'_ - DC. .IV i ~T' . ,
- e q:-: -
- ,NOVs: . ,- --
N , 1-70-3.
~
18 N0/FA1 - Remote Mensal AC. - 1B2-9 : I 1-70-207 IB = .fo/FA1. Remote Manuel ~. AC - !B2 . _ _ y 1-70-156 1A -NC/FA1 Remote Manoet' ~ AC i 1AZ-A -
. =: ,
=- ..
"-m 1-70-153 - .18 - Nc/;al Remote Mamsel.- ;Ac - IB2-s:
~
~
Power: removed. ^
'Modeled in LPR fault tree.= _ _ q
.. , - . . ~
_g -
' ~
~
- - _ v ; s. s .
, f.]
- - ~
v . . .
, ~
n -e_ _' -._ b "
pJ
.nc .
w Table 4.6-8 Interfaces Between CCW And Systems Supported By CCW Ass 0CIATED sYsTErdCOWoNENTs' RCs 'LP1/R .HP1/R Css RCP Css FtMP THERMAL Rift PtPP . s1 PtPF '- 'CH PUW oll AND CCW FAULT TREE TCP EVtNT BARRIER Rm m SEAL HX. SEAL E -5EAL-HX sEtt HXs Insuf f(cfent Cooling Ffow fra CCW Ps 343 1, 2, 3, 4 insuf f fcTent Coof Ing Flow frm CCW Ps 337 fA-A 1A-A lA-A GA-A TA-A-J.- (354) 0 52 & 355) 0 51 & 355)' 0 50) (353 & 355) 7 InsufffcTent Coolfng Flow fr m CCW PS 356 18 4 , IB-B 1B-0 10-0 10-0 y 061)- 059 4 362) - 0 56.& 367) 0 577 0 60 & 3623
'The component identification ntenber appears opposite the appropriate CCW fault tree top event,-
which is shown as a developad event ca the supported system fault tree. - CCW pipe segnent numbers shown in parentheses are included in the supported system fault trees.;
~
L-- . . -- -
! ti r ,a I
'{, ge i.
d a.Uin r l.i ' si d O , ll f =! o! ! ; 2i M o!- e
*1
=
B.,, .O y; ht.; v i1
=
J.. = i: , jYi , i: a: n! n! f-ii ?? is ?? , n. R tvi i .r9i .I try: i33 ;
-- u,n e ag ,
,p,n
,g,m, a get l a !Isi,g ggi e!l c y -[- :
i: a n: i: ie a v.w v re: si g is ni ge c : isis ei s lwn'en: i2 ' y - i?nir li3 2 : y ' p_ 1 51 2 ti a 3B f53
.1 (51
.I 2 !I I 2!i
= = : -
=;B:
=
i;l E B B B ll ,
!! ti al !! e- !
E! E! E5 EI E: x
++ . E". ll ra MY fr i 'l li -- W' !
l
=T 3
3 ,3 - 'I la mer
}e. -
si gol .% *o3 j" ys.q'l 4
'IIIl i !j' i!E I! I Il!.W- I g l l ' '- -
'I l!
1 l 1 , r i 4.6-54 ; a
.. n . .__4
- r. . _..... ..
5 5 E I 9 9 o O O
- U o T E Mm E
$ es s<s N 3**4 rsses es se -
%. f F PS 5 [, , [sc St
--o . .,. , , , . . . . . . -.-
,s ,,,,, ., . .IDN ,,302-p3,g o=N g i
"=
- 800511R meexse ftACIOR COOT ANT eu.sPS PLM hEIM
' BAN ERSEAT EXCalAtGERS 4
- Figure 4.6-14
~
Simplified Schematic of the Component Cooling Water System (Sheet 2 of 3) . 4 p
' i i u: u__
c.
.. .~ , . _ - - - - .
+ _
f
- CCW hX A PS-337 PS-350 PS-301 (FROM PS-3375 OJ PAGE 1)
X 552^ WW sssA X ssiA g gg . 707^ ==w o..w. ia7asA . pg 3gg (TO PS-301 - a W ON PAGE 1) PS-351
<HW sseA 712A , , - 7:3A ssoA W>##'"
ss2A
- e. . secas Mf2 5"**'
.UA ,b.as 4 s5s 1A 9E AL PS-353 X
s69A w span, 671A s?2A cet . eLAL Hrs PS-M X ' f
- 2. W 4
=-
sHt m e64A ffCV 88 8 70Lif1 CCW HX C PS456 PS-357 PS-304
#N (FROM PS-356; X esas
- >o--fM4-O<2 ms ws m
--C><
ssas X as7s C-S E M
.# ON PAGE 1) a-=o.e e
, " * " ' pg.g (TO PSOO4 PS-358 e.
W ' ON PAGE 1)
<~m esse
- >o 7:2s
.sa-c>o-se e swees 713e esos esas
, 5' PS-359 * *
- se e sent gg warLn ear
_ m 5698 wm 5718 6728 on ee$ sm e-. PS-361 X
**58
-c>< :S .
s==se e -
= saae esev Mis 3 At1 COMPONENTSt 0UTSIDE CONTAINMENT Figure 4.6-14 Gimplified Schematic of the Component Cooling Water System (Sheet 3 of 3) '
1 0 .. 2-2
i l 1 L 4.6.10 Service Water System (SWS) Model !
. The Essential Raw Cooling Water (ERCW) System provides Service Water at Sequoyah, but is referred to as the Service Water System (SWS) in this study for consistency and ,
ease of comparison with similar systems at other plants. , The SWS provides cooling water to various components in front-line systems, including HPI, LPI, and CSS. The SWS also provides cooling water to components in support ; systems, including CCW and EPS. In addition, the SWS serves as an alternate source of l l water for the AFW pump suctions, r l l The following subsections provide a system description, Identify dependencies and interfaces between SWS and other systems, identify' operational ccastraints, provide a description of the fault tree logic model constructed for SWS, identify operational constraints, provide a description of the fault tree logic model constructed for SWS, ! identify assumptions pertaining to SWS that were used in the fault tree analysis, and ' discuss the SWS operating experience. 4.6.10.1 SWS Description The Sequoyah SWS is an open system. It draws water from the Tennessee River, Chickamauga Reservoir, and discharges the water to a cold water channel. As shown in Figure 4.6-15, Sequoyah SWS Schematic, it contains eight SWS pumps and serves both : Units 'I and 2. The four main SWS supply headers correspond to the for ESF trains: Trains l A and IB at Unit 1, and Trains 2A and 2B at Unit 2. Trains l A ane ?A are cross-connected at-the discharge of, and together are served by, SWS Pumps 3-A, K-A, 0-A,
-and R-A. Similarly, Trains IB and ?B are cross-connected-at the discharge of, and together are served by, SWS Pumps t-B, M-B, N-B, and P-B. Tater flows from the four main SWS supply headers into branch lines serving'the diesel generator (DG) unit coolers, the turbine-driven 'AFW pump, the CSS HXs, ESF air. conditioning (A/C) equipment, shutdown board room A/C water chillers, CCW HXs, and. some non-essential cooling loads. Water flows from al! of these loads (except the turbine driven AFW pump) via SWS ,
Discharge Headers A and B to the cold water channel. Water can also be routed from SWS Discharge Headers A and B tn Motor Driven AFW Pumps l A and IB. SWS Pumps 3-A, L-B, P-B, and R-A were assumed to normally be in operation. SWS Pumps K-A, M-B, N-B, and Q-A are normally in a standby condition but receive
- automatic start signals from the ESFAS.
4.6.10.2 SWS Interfaces and Dependencies , The SWS depends on other systems for electrical power (AC for motive power to pump. I motors and for motive and control power to valve motors, DC for control power to pump . l motors) and automatic actuation. The STS interfaces with the following support systems: The EPS and the ESFAS. The SWS fault tree is linked via developed events to the various EPS trains. The interfaces between the SWS and the ESFAS are treated as undeveloped events. The SWS pumps are self-cooled. SWS train assignments and dependencies v other support systems are shown in Table l 4.6-9, SWS Component Status and Dependency Summary, and in Figure 4.6-16, SWS l Dependency Diagram, t L 4.6-h 1. l.
\
1 The SWS Dependency Diagram is applicable only to the SWS pumping station and main supply headers. Train separation within the SWS branch lines varies depending of the systems served. Power supplies and aauation signals to SWS branch line components are consistent with the train separation schemes of the systems served. The SWS also Interfaces with the systems it supports. The SI pumps and charging pumps depend on *he SWS for removal of heat from the oil coolers and room coolers. The RHR system depends on the SWS for removal of heat from the RHR pump room coolers. The CSS depends on the SWS for removal of heat from the CSS HXs. The AFW system depends on the SWS as an alternate source of water for the APW pump suctions, which are normally supplied by the Condensate Water Storage Tanks. The CCW system depends on the SWS ft.r removal of heat from the CCW HXs, and the EpS depends on the SWS for-removal of heat from the shutdown Soard room A/C water chillers and the DG unit coolers. The EPS-SWS Interface was examined, and ultimately not included in the fault tree models. Specific interfaces between the SWS and other systems are shown in Table 4.6-10, Interfaces Between SWS and Other Systems. 4.6.10.3 SWS Operational Constraints A selector switch used to determine which one of the two SWS pumps powered by a single DG will receive the priority automatic start signal in response to a safety injection signal from the ESFAS. Thus, only four of the eight SWS pumps can receive an automatic ' start signal. The normally operating pump was assumed to receive the automatic signal. Any two of the four SWS pumps connected to a pair (i.e., train) of SWS main supply l headers will provide sufficient flow to that pair of headers. The SWS configuration for i normal summertime plant operation includes two operating STS pumps per train, aligned to opposite DGs. 4.6.10.4 SWS 1,ogic Model There are seven top events in the SWS fault tree. They correspond to failure to provide adequate cooling for various groups of equipment served by the SWS as shown in Table 4.6-10. None of the top events in the SWS fault tree appear as event tree headings. -All of them ! are used to link the SWS to front-line systems through developed events in the front-line system fault trees. The SWS fault trees are included in Appendix B. 4.6.10.5 Assumptions in SWS Model in addition to the general modeling assumptions previously discussed in Subsection 4.6.1, System Modeling and Scope, several system specific assumptions were made in the course of the analysis. The following specific assumptions were made in the SWS analysist 6 (1) The SWS pumping station is sized to accommodate full flow through all branch lines in the SWS simultaneously, Therefore, no significant flow diversion paths could be created by allowing " excessive" flow through one or more branch lines. Similarly, failure to isolate the lines from the SWS main supply headers to components inside the 4.6-58
t containment-(i.e., upper ~and-lower contakment ventilation coolers, reactor coolant pump motor coolers,' and control rod drive motor coolers, none of which require SWS for cooling during an accident) on a containment isolation signal will not cause the SWS to fall to supply adequate flow to components which require SWS for cooling during an accident.'
'(2) The probability of pipe rupture in a 24 hour period is assumed to be insignificant compared to other component faults.
(3) The probability of inadvertently' opening two locked closed valves in series in the same flow path (i.e., in each of the pipe segments leading from the old SWS pumping station) is insignificant. (4) The mission time for SWS is 24 hours. (5) A DG cannot handle more than one SWS pump starting at a tNe, However, the probability of failure of the selector switch, whitn_ is used to determine which one of the two pumps powered by a single. DG will receive the priority automatic start signal, is insignificantly small. (6) Plugging of SW strainers or traveling screens to the extent that they inhibit SW flow were not included in the: models. SWS discharge blockage was not cvsidered due to the large discharge pipe size (i.e., 48 Inches). The SWS is a normally operating system. To date, there have been no Instances of SWS . blockage of sufficient magnitudes during normal operation, to Interrupt SW flow. Therefore, there is no basis to calculate a probability for SW blockage subsequent to an initiator. ) (7) In lines that normally have SWS flowing through them (i.e., lines connected to SWS cooling loads that are normally operating and for c.ilch Indleation of loss of cooling would be available to - the operators), plugging and inadvertent closure of normally open valves and failure ot check valves to open are not postulated to occur. This assumption applies to the following pipe segments: PS 105 PS 116 PS 172 PS 195 q PS 107 PS 154 PS 173 PS 197 - ! PS 110 PS 155 'PS 174 PS 198 or 199 ! PS 112 PS 156 PS 184 PS 202 PS 113 PS 157 PS' l E9 PS 203 ' PS 114 PS 162 PS 190 PS 115 PS 171 PS 192 i 0.6.10.6 SWS Operating Experience t Sequoyah operating experience has shown that any two of the four SWS pumps connected , to a pair (i.e., traln) of SWS main supply headers will provide sufficient flow to that pair J of headers. I 4.6-59
,e _ , _ . . ,.-z., , ,
_ r , n , g
~
~
e ~
- Table 4.6-9 ...
~
~
SWS Component Status- And: Dependency Sunnary - E ^ n
/
I , .~ M .na.
~ '
u e e' E ACTIMTION ~ DEPENDENCIES- , NOTES. COFONENT TRAIN STATUS
. Motor Drfven Pumps: '
- J-A 1A & 2A Operating AC - 1A-A
.DC'- 1^ ,
K-A. IA & 2A Standby. ESFAS Trafn 1A . AC ,2A-A DC - 111 L-9 1B & 2B Operatfng AC '- 184
- DC -.11 '
.* M-B 18 & 28 Standby ESFAS Train IB AC B-
- r '
- DC - 1 V -
m - o f4-S 1B & 28.- Standby. ESFAS Trafn 1B- #C B : ;-:
, _ DC - 11 P-s ' 18 & 2B . Operating : AC - 2B-3 -
. DC - I V :
P Q-A 1A & 2A; Standby- ESFAS Traf.i 1 A AC - 1A-A- .. DC. 1 lR-A 1A'.& 2A Operating' ' AC - 2A-A [ ~ DC -- 111
- Scrt.< fash Pumps:
A-A 1 A & 2A -' Standby'. Local Pressure Swf tch AC - E1 A-A . ,_ B-i3 .18 & 2B Standby. Lccal. Pressure Switch E: - E184 - - IB'& 2B -Standby" Local Pressure Switch AC - E28-B -N
- C-8 D-A '1A & 2A . Standby Local Pressure Switch - - AC '- E24-A .
n'..
- 4
, - 4,w.~..._sc,.- -r -.v., . w w. s . . - x. . . , - - . ,e - - . , ~ . , , * . . . 4 .. .~.,-...~,4,-- - . axem..-m__.__ . . . . . - _. _ __
.m----
.)
d Table 4.6-9 (Cont'd) SWS Compraent Status And Dependency Surunary 4 ... SWS NORMM. COMPONENT TRAIN STATUS ACTUAT10N DEPENDENCIES NOTES. MOVs: 136A 1A PC/FA1 Low Pressure In Condensate Suctfon Lfne AC - 1A2-A (1 ) 1-3-179A '1B rC/FA1 Low Pressure fn Condensate Suctfon Lfne AC - 182-e (1 ) 1-67-125 1A PC/FA1 Remote Manual AC - 1A2-A (2) [
- 1-67-126 IA NC/FA1 Remote Manual AC - IA2-A (2)
S i-67-123 16 NC/FA1 Remote Manuel AC - 182-0 -(2) 1-67-124 18 NC/FA1 Remote Manual AC - 182-0. (a) D AOVs: 1-67-176 1A NC/FO ESFAS Trafn 1A ' DC - 1 (3) 1-67-184 1A NC/FO ESFAS Trafn 1A DC - 1 (2) 1-67-182 18 NC/FO ESFAS Trefn 18 DC - 11 (3) 1-67-186 1B NC/FO ESFAS Trafn 18 DC - 11 (2) NOTES: (1) Modeled in APd fault tree.
-(2) .Modeled in CSS fault tree.
(3). Modeled-in SI-fault tree. L ____
4
."?;
2
$J _
!able 4.6-10 Interfaces Between SWS And Other Systems:
Associated Systems / Component 4 HP1/R css CCW AFw P /R RMt PUW - $1 Pt w oll CCP 01L CSS.PUW AND R004 AM) R004 .R004 TDP M)P R004 COOLER COOLERS CCCLERS CSS HX . COOLER cot HX SUCTION. StCTION SWS FAULT TREE TOP EVENT 1A-A & 1A 1A 1A 1A InsufffcTent Flow fr a SWS (172 & 173) (160) (204) (200) PS 113 IB 1A' 18 Insufffcfent flow fra SWS (1 61) '(205) . (201) PS 114 C (194,1% 10 d insuff(cfent Flow fra SWS
' 196,' & 199)' (201)
. PS 115 A & B' 1A & IB
- 1. sufficient Flow fr m SWS PS 116 (200 & 201) 1A-A & IA IA InsufffcTent Flow frm SWS 1A PS 163 (169) (1 64, 165, (168) 166, 167) insufffefent Flow fra SWS 18-B & 18 PS 175 (185 & 186) 78-B & 1B 18 insufffcfent Flow fr a SWS 18 PS 176.. (182) (177, 178, (1 81 )
179, 180)
- The component identification number appears opposite the-appropriate SWS ' fault tree top. event, which is shown as'a. developed event on the supported system fault tree.
SW5 pipe segments sh0wn in parentheses are included in the supported system fault trees. L
. . ., . ~
, . . . . ,_ . . _ . , .. __, . _ _ . _ _ _~ __ _ _ _ _ .
E l l I j scastm wasu Maup pypica g
$7A4perg aa
** ~ PS-105 7
100Glonos pg.ygg PS:112 "" ? i /
;y
'0' e3 '" ma s,en kaar; p-nimp even, .
"* FS-196 0; -10 surNFaosR N#
\ 1 *Ky tA ,*C,
*! tt sa T sa - o art p ,e,5,,
ES 137 b $w "mimos i - " " " *
- b FS-rar PS-114
.i l
a R H e4s M *rias, p4as mis s
**r p ,78y' *,'s p ,ig v PS 10s g' O Unas$
> t cc 2 **
cs 1,1l g j PS-109 om em LO y focotoaos PS-115 af u G "* N $sN f$ '* PS-110 p$$ e"MM e sises
? 10swuraegg
{ sE I $ ;; 7 IP5t#P8GE 4 (C 29 DA 2KV er to
/ -e PS-111 R
g "mtmos On ( ~' PS'2os rs i ts '* **** *' f n MR2 y g
**** 5 5'2, e=w .i.,N ,
** PS-112 1
a 3 sis: ,ea 1 9 22) 9 505A) es0TES (1)MORMattVOPfes POWE'RRFWD , (2)NORMRLtVOPEN,COPHROL AR850tATED Figure 4.6-15 bimplified Schematic of the Service Water System (Sheet I of 4) ~
a
. rs zon
- =
- : .".1
" *aa 2
i.ie
- rr-"* :". . ::::, .
rs- -
.?,1 h. .li "*~ ea T=
'",TX.llU".* W.4.,
e
., 1 e .a C *W. e WU rs 16e Ti."?.Zi" W ,5k. . . .!"i "W*
rs. t&R PL- E Ts 2,$,,,gli ik T_3 [@. _ . e - c -
?_J W'
rs.irr *
, ~' .
W, a..e M_ r0 e== V e rane rs1re rs-see
~
'3.,
; W .
rs urs zs_su rsses * * ~ i k -
- _ ...- M.- - .
W' . n cm
- e. . .
a v .- .~ m . ,~=.
., 4 k *=. rs m vs ,ao vs esr
- rs-nre N,,. rs-vss a- rm cm ..,
@ p m., es .e ca.= e e y rese y rasa re.s ,i,,, saae y .
e e ., e-M rs ses -
> _4, cm -- .. =, . - .
1. a.:..
'i.a.,
9 _i.'s gg;; /=* , y,,,, a.x;;:,. i T T.T...,,=,,y,.,- rs ser N~v '.W
^^
9 e w.~ gg a=== y, h es err vs-ere vs-san
.cL. r:n T.2- e.5Jif : C gg, am.. y,,,-
rs-sra W--
,., n. a====,.
M - m I IF
.m .=- _= .
c ,,.. . , aa c... e.a . e== . Figure. 4.6-15 Simplified Schematic of the Service Water System (Sheet 2 of 4) , a -- . , ,, ,.- .- -a,-. .
-1 J
,==.=an.aae.
r e e.at,o.o. a= n= nJ' n' ,"Y '
's _ , , , ,
,stry gw e(AtMR PeM 2p
,, n n , , , .=n.n=
"J 'A r, -'A 'A 'A rs ses e
. s., = _ _ m ..:,
ms 03.% T., ,$, --Q N W L*"Ii l[ y. vs-r es * *'a e'= rs-ura ""
= ~ rs.uss e u ss i'c/L'f."
2.m 7"LZ n.= 7"L'f.i Nm y ,, u %. 5
---c-W .i?i c> ec ee
*=s e,se es us e
f S. MAN.. [ e, m v ~e
.s .b. .
m es e-o rs.rus
"' L% .=
L Xe=T
.e".
vs.sne _,.. gun o, e e < eev rs n' eun *2, %r %'ll' S W'~a*=": M.' u.= c M e a=
====
e M. .ih e= dr-d.. -
. - .c=-
Teersma g
*lllllll"4" = r,c. M
.m em erm
,o_ ,
F8 288
'"O"" .6%.
e,m erm e Figure 4.G 15 Simplified Schematic of the Service Water System (Sheet 3 of 4)
- = - - - . - - - -
m- --um.._m.m_._
V
-4 TO Ff7H 00EEEt GE90EnaTOR
, g., m y m, ,,
(P5 tt3 ppg 61) 3 E 80 E NA ,,, ,,,-
. . , .. 6:24 9924 SePe sIFS TO $W DfSCHARGE teem)ER g
'%.-- s te lPAGE sp :
E1h2 *WiQ * *! s se s'n'a g ,,, ,
,t,e,r
, en.r sscv i s, g ,,c.,.
u or
- saeA
~
-+ TO FWTs4 DIE SEL M ser " se'ek M'8EHA M 1 A-A S " 2A~A' p $53 FROtf 9tW9tVMEADER 39
, e IlXS , ,
FS tas PAGE s) ) esc, ,, <
. 40 *Fcv e 67 67 80 $334 4 U 68 $33A j h gg, TO sWHEADER di r$
- r= = S'SA sesa l
1
. rRons suPPtV ME ADER et TOflFTH DESEL ENERA10R psit4 PAGE Q T l p t er
& (
8 TO SW Ot$ CHARGE HEADER A figg { [ o run par s er -- , , , s,29 s e, SITA > StFA St29 0' I get St , S g y y [f91 ., u
., a m IB g sten 2B B seas saa py Hx= .y g '
7Jyv1 ifE !E . IIE s'1% p E S iJ0$ R e.sien s, - y ESA - ioF5'TH DESEL M8dEfMTOR Figure 4.6-15 Simplified Schematic of the Service Water System (Sheet 4 of 4)
.a.mm%...__ 3.w,,_,J%- - - ~
I SERVICE SERVICE SERVICE SERVICE WATER WATER WATER WATER TRAlta 1 A TRAlti 18 TRAlti 2A TRAltl 2B l VM VM V~ VM ACDOWER 1A yp q) IB ' ' ' ' 2 ' 2A ' 2B yp qp h .. !
$ DC POWER g
I - qp a u qp um m
'F < 'F ll! a, r ,a r IV ' ' "'
1 r 3r Ei!GillEERED 1A ' ' ' ' SAFE 1Y 'F 'I FEAIORES is .
' ' 2' I 'F 'F ACTUATIOli SYSTEP.1 Figure 4.6-16 Depen <1ency Diagram for the Service Water System i
4.6.11 Electric Power System (EPS) Model The' Electric Power System (EPS) provides AC and DC power to safety related components. 'The following subsections provide a system description,~ identify dependencies and interfaces of the EPS with other systems, identify operational
~
constraints, provide a description of the logic model developed fpr.the EPS, identify : assumptions pertaining to the EPS 'that' were used in the analysis,' and discuss EPS operating experience. i 4.6.11.1 EPS Description. ' A simplified schematic is shown in Figure 4.617. As shown on the figure the EPS consists of AC and DC subsystems, each of which is divided into four trains serving the two reactor units. AC Trains I A and IB serve Unit 1, and AC Trains 2A and ?!Vserve - Unit 2. DC Trains I and 11 generally supply loads at tinit 1, and DC Trains !!! and IV - generally supply loads at Unit 2. However, some DC loads, such as those required for : TDAFWP, are cross connected between units. Each AC train includes one 6.9 kV ~ AC~ sliutdown board,' and two 480 V AC shutdown boards. Each 125 V DC vital battery board . supplies two 120 V AC vital Instrument power boards through 120 V AC vital Inverters. The 120 V AC vital instrument power boards can be supplied alternately from the 4RO V l AC shutdown boards through 50 kVA in trument power transformers. ' Each of the four 6.9 kV AC shutdown boaro: is normally supplied by-the offsite power : grid or by the plant's ma!q generator but also has a diesel generator (DG) unit which starts automatically upon loss of the normal power supply. A fif th DG unit exists at the - plant, but its operational status is in question. Consequently, the fif th' diesel was not included in the study. Also, a fif th 125 V battery is provided as backup to the batterles - in DC Trains I,11,111, and IV. The battery however, was determined to be maintained in a reasonable state of availability, and was therefore, included in the study. l The EPS has two other important features. Neither of these features is shown in the ; schematic, but they ara included in the station blackout model. One feature is the ' shutdown utility bus which enables any 6.9 kV board to be connected to any other 6.9 kV i board. Thus, one diesel can feed two shutdown boards at once. Loads on the buses would have to be curtailed to prevent over loading the diesel. Connection of the utility bus'is i done by manually inserting breakers in the switchgear room. rhis- can be done in , approximately 15 minutes. This feature was included in the station blackout model, as a . recovery action. The other feature of the EPS is that every DC battery board has a normal and alternate power supply. In the event that the normal supply is unavailable, the battery board can be powered by the alternate hoard, by rneans of throwing a switch in the battery room. One power source then supplies two battery boards. Both battery boards can supply full , power loads. This feature is also included in the station blackout model.
~
4.6.11.2 EPS Interfaces and Dependencies There were tio inter-system dependencies modeled for the EPS. During normal operation, EPS is dependent on offsite power, which was assumed to be a perfect source, for all Initiating events ev. cept Tj . For T ,3 the diesel generators become the AC power source. - There are dependencies amongst certain subsystems of the EPS. These dependencies L were treated In' the fault trees developed for electric power. 4.6-68 l L' '
- I
" , ?
F A notable EPS dependency which was not rnodeled was the SWS. The EPS depends on SWS for heat removal from the diesel generators and for cooling of the shutdown board switchgear rooms. Each of these interfaces was examined and in each case it was found that doubly redundent' service water cooling was supplied to each EPS unit requiring cooling. In the case of DC cooling, it was decided that the "SW-doubles" required to fall a DG were far less likely than failure of the DG ltself. In the case of the switchgear room cooling, it was decided that the combinations of fan failures and SW failures were of low enough probability to be of minimal contribution to loss of power to components. The EPS Interfaces with the systems it supports, including all front-!!ne systems. Other systems generally depend on the EPS for AC power (for motive power to pump motors and for motive and control power to valve motors) and for DC power (for control power to pump motors). Train separation within the electric power supplies matches the train separation of supported systems, with the additional feature that some components can alternatively be powered by power supplies from an opposite train or the other unit. An example is CCW Pump C-S, which is normally supplied by AC Power Train 2B and DC Power Train IV but can be alternately supplied by AC Power Train 1 A an'd DC Power Train 1. Dependencies between components within the EPS are listed in Table 4.6-11, AC/DC Power Supplies and Dependencies. F 4.6.11.3 EPS Operational Constraints There are no automatic transfers of board supplies between redundant power sources. All 480 V shutdown boards have alternate feeders to their respective board _ buses, but transfers between the normal and alternate feeders are manual. 1 A means of manually interconnecting power sources at the 6.9 kV level is provided by the j shutdown utility bus (not shown in Figure 4.6-17), which allows any 6.9 kV shutdown board to be connected to any other 6.9 kV shutdown board. All circuit breakers connected to - this bus are normally open and disconnected (racked out). Use of the bus requires manual insertion and closing of two of the circuit breakers. The diesel generators are supplied with their own dedicated hatteries for starting, and
~
field flashing. Loading the diesel onto the shutdown buses is done by the vital oatteries, but can be done manually if the vital battery is unavailable. Failure of the dedicated diesel battery is included in the probability for DG failure. 4.6.11.4 EPS Logic Model Fault trees for the EPS were developed for the 6.9 kV and 480V shutdown boards,480V reactor MOV and cabinet ventilation boards and the C oattery boards. The EPS fault trees are included in Appendix B. 4.6.11.5 Assumptions in EPS Model in addition to the general modeling assumptions previously discussed in Subsection 4.6.1,1 System Modeling and Scope, several system specific assumptions were made in the course of the analysis. The following specific assumptions were made in the EPS analysis: 4.6-69
(1) DG cooling dampers are normally open and must transfer closed to fall. Therefore, their failure probability is ' assumed to be insignificant.
-(2)' Loss of DC power causes; loss of AC switchgear control power but does not by itself cause the AC switchgear to trip open.
(3) The mission time for DG fall to run is 6 hours. Discussion of mission time selection is found in Appendix D. 4.6.11.6' EPS Operating Experience No applicable plant specific operating experience for the Sequoyah EPS was found. i i i l 4.6-70 a )
Table 4.6-11 AC/DC Power Supplies And Dependencies BUS / NORMAL ALTERNATE COP 4'ONENT FEED FEED DEPENDENCY /CDMPENTS 6.9 kV AC Shutdown Boards (5/D BD): 1A-A Nuclear Unit i Offstte grfd Powered by DG 1A-A on loss of of fsf fe power. 18-B Nucler Unft 1 Offsite grid Powered by DG 18-B on foss of of fsite powar. 2A-A Nuclear Unit 2 Of fsite gefd Powered by DG 2A-A on loss o' of fsite power. 28-6 Nucler Unit 2 Offsffe grfd Powered by DG 28-0 on loss of of f sf te power. DG Units: IA-A- Not .*ppl Tcable Not Appl feeble Dependencies on SWS and ESFAS not modeled.'
'18-6 Not Applicable Not Applicable Dependencies on SWS and ESFAS not modeled.
A 2A-A Not AppIIcable Not Applicable Dependencies on SwS and E';FAS not modeled. 2B-9 Not Applicable Not Applicable Dependencies on SWS and ESFAS not modeled. 480 V AC Shutdown Boards: l Al-A 6.9 kV 1A-A None Failure dominated by f aults in normal feed. - 1A2-A 6.9 kV 1A-A None Failure dominated by faults in normal feed.
'181-6 6.9 kV 1B-B None - Fallure dominated by f aults In normal feed.
182-6 6.9 kV IB-B None Failure dominated by faults in normal feed. 2Al-A 6.9 kV 2A-A None Fallure dominated by faults in normal feed. 2A2-A 6.9 kV 2A-A None Fallure dominated by faults In normal feed.' - 231-6 6.9 kV 2B-B None Fallure dominated by f aults In normal feed. 2B2-8 6.9 kV 28-B - None- Failure dominated by faults In normal feed.
. . . . - ~, - , _ _ . . .
_ , . - _ , , - . _ . . - - ,.. &- - _ . . . ... _ _ . . ,e . . , . . . _ _ _ _ _ _ _ _ _ _ _ _ _
; 31
' Table 4.6-11-(Cont'd)-
AC/DC Power Supplies And Dependencies BUS /. NORMAL-- ALTERNATE COMPONENT : FEED FEED DEPENDENCY / COMMENTS
-l 480 V AC Reactor E F Boards:
= 1Al-A 480 V S/D BD 1Al-A 480 V S/D CD 1A2-A
~ IA2-A 480 V S/D BD 1A2-2 480 V S/D 2 1#.8-A IBI-B 480 V S/D BD 181-B 480 V S/D E 182-B 182-B 480 V S/D 80 482-0 480 V S/D 80.181-B 0 2Al-A . 480 V S/D BD 2A2-A ~
480 V S/D BD 2Al-A-2A2-A 480 V S/D B3 2A2-4 480 V S/3 IU 2Al-A
- 331-1 480 V S/D BD 281-B 480 V S/D BD 282-B 282-8 .480 V S/D 80 282-8 480 V S/D.80 281-B I 480 V AC Control and AuxIlls y Building Ventilation Boards:
e s U - 1Al-A 480 V S/D 89 1Al-A 493 V S/D W IAZ-A 181-0 490 Y S/D BD 101-B 480 v S/D 80 182-8 2Al-A" 480 V S/D BD 2Al-A 480 V S/D ED 2A2-A 281-0 480 V S/D W 281-B 480 V S/D BD 282-0 125 Y DC Vital Batte". Boards: 1 480 Y S/D BD 1Al-A, .480 V S/D BD 101-0, or fifth battery, Manual transfer to alternate feed modeled 125 V S/D 80 Battery 1. as recovery.; 11 480 V S/D BD 102-0, 480 V S/D BD'IA2-A, or-fifth battery Menval. transfer to af ternate feed modeled 125 Y Battery 11 as recovery. ill 490 V S/D 80 2Al-A,- 480 V S/D 80 2B1-0, or fifth battery Manuat ltesnsfer to alternate feed modete1 125 V Batten 111.. as recovery. 1Y 490 V S/D BD 282-B, . 430 V S/D W 2A2-A, or fifth batfery ' Manual ternsf er to alternate f eej not =>fele1 125 V Battery 1Y. as recovt.cy. g n wg --Way yw A 7 g 3r+ g--g,gy sgi.T pf" N e'-' . J+ager -e- N F -we' ' ' 6*f* "W, & tb '
'd -m- =sh--- s b-m._sm'mm. - ----
a.
= ---
WW . m
.- -.4
.Il.. -.l.l
< i.
I- .=1
.a t
., -m.3L. I r-.s. ,
_. _, i--n--i _.
..e
- g. g.. ...g Y.. . . . . . .. . . . . ..Y Y.. . . . . _. - .. . . . .Y
. .il 8~I ! .-11.11 . ..
ll ..11 II ' .g. . .I.l .11 . ll .11- .c 42 oz2 2$^ s %2 x~^ts 2 s ga as
.=." N' =A
~
".=9 9 ". = . . ".=.Y Y". n . . = ."Y Y.=!'
ll- .. ll11 ll llllII'
-.[q . II-.-.ll_
IIll 1 I _Il11ll ..- .11ll llll ll .4..--I,l .-. [q=. -.[q . ll-.-.ll- . ll -.-. Il [q=. l l gr.. o c.- m . . ,. . - -ll n n ll g, . - . . - . llg;.. -l ;; ll .e..... ll
,, - TY .. ,,
...---llnnl YT - . . . , ,
"W "A # "A"I "a" Figure 4.6-17 l Simphfied Schematic of the Electric Power System
( (Sheet i of 2) l l' l i l. i, .. _ 2 _ ;_ _ il
. . . . , . . ~ . _ . . . . . . . - . .. , . _ . _ . - ~ ~ . - - - - - , . ~ ~ ~ ~ ~ ~ - . . - - - - - - - - . - - - - - - - - - - - - - - -
iin.i.ii i.i.iian,-- b II ' $$ E E
.- 1 M
l g ! B a B 1 s _ I et
, s 8 m
~ 8 8
~
R - s2 - g 9 l 3 E
- g 8_l B =
l " e E E. - _j vi 2 8 1 m e
. i I
1 i i ? -
;;i' n
?? ;h 2 y9 4w
.x ~
6 E -
.. L@ *w_f go. %
II ' $$ I I a I tj T M l g ! 1 - E l s R 5 - m e I B
! I -
= 1 1 E
a3 ,
' l 3
=
i 1 8 R g I = m B2
' k J .
g
. ; a a gi . E i a' ??
4.6-74 '
l 4.6.12 Instrument Air System Model A detailed analysis of the Sequoyah Instrument Air System was not performed. The instrument Air system was incorporated as an explicit dependency to the front-line systems modeled. 1
..~-
._1 2.
1. i
- T s-
'(
4.6-73
4.6.13 Engineered Safety Features Actuation System (ESFAS) Model The Engineered Safety Features Actuation System (ESF AS) is designed to sense selected plant parameters, determine whether or not predetermined safety limits are being exceeded, and, if they are, to form logic combinations based on exceedance of the selected parameter limits. Once the reouired logic combination has been formed, the ESFAS sends actuation signals to those FSF components which are required to respond to the particular condition that exists. The following sections provide a physical description ]a of the ESP AS and other plant systems, identify any operational constraints on the system, describe the model developed for the ESFAS, identify pertinent analytical assumptions, and describe any relevant operating experience which was considered during : the development of the ESFAS model. 4.6.13.1 ESFAS Description l The ESFAS consists of two distinct portions of circuitry. Analog circuitry provide redundant channels which monitor various plant parameters. Digital circuitry provide two redundant logic trains which receive inputs from the analog protection channels and j provide the necessary logic to activate required ESF systems. Each digital train is capable of actuating the required ESF equipment. The specific functions which rely on the ESF AS for initiation include: (1) Reactor trip, if not previously provided by the reactor protection ? system. 4 (2) Proper sequencing of ESF power loads, including:
- a. Cold leg injection isolation valves.
- b. Charging pu mps, safety injection pumps, LP oumps and associated valving,
- c. Motor driven auxiliary feedwater pumps.
(3) Phase A containment isolation. (4) Steam line isolation. (5) Main feedwater line isolation. (6) Start emergency diesels to assure backup power supply. (7) Containment spray actuation. (8) Phase B containment isolation. (9) Essential raw cooling water (SWS) and component cooling water (CCW) pump start. (10) Automatic switchover of the residual heat removal (LPR) pumps from the injection to the recirculation mode. Table 4.6-12 summarizes the ESF AS requirements in terms of ESF initiation. 4.6-7 A
4.6.13.2 ESFAS Interfaces and Dependencies The only dependency included in the ESFAS model was the dependency on the electric power system to provide 120 VAC for instrumentation and 125 VDr for instrumentation and logic circuits. 4.6.13.3 ESF AS Operational Constraints Although the Sequoyah Technical Specifications do contain limiting conditions for operation which establish constraints in terms of ESFAS operation, the analysis which was performed for this system was generic in nature and thus, did not address any specific operational constraints. 4.6.13.4 ESFAS Logic Vodel Specific terms were developed for each train of ESPAS for the safety injection signal, phase A containment isolation, phase B containment isolation, and R WST/ sump reconfiguration signal. The terms representing ESFAS signal failure which appear in the various system models are listed and defined below. AFW-ACT-FA TRNA Train "A" auxiliary feedwater system activates signal. AF W-ACT-F A-TRNB Train "B" auxiliary feedwater system activates signal. ESF- ACT-F A-CS A 1 A Train "A" containment spray system activates signal. ESF- ACT-F A-CS A l B Train "B" containment spray system activates signal. SlS- A CT-F A-TR N A Train "A" ECCS safety injet: tion signal. SIS- A C T-F A-T R NB Train "B" FCCS safety injection signal. LPR- ACT-F A TRN A Train "A" low pressure recirculation switchover signal. LPR-ACT-F A-TRN A Train "B" tow pressure recirculation switchover signal. CCW-ACT T A-LODPl Componer't cooling water pump activation signal. 4.6.13.5 Assumptions in ESFAS Logic Model No system specific assumptions were made in the ESFAS analysis. 4.6.13.6 ESF AS Operating Experience No applicable plant spe<_lfic operational experience for the Sequoyah ESF AS was found. l l 1 4.6-77
, uo ,
ce m y > .
,; > 3.; , ,
[I # IIS ,
>Q ,
g; c , ; X , Table 4.62121 r ; ESFAS Instrumentation Summary Y , > se . , , t I
+ ,
W:' .
..'tj
, +, ~
- 7. E
, q- , , ' f.; s, 5
, , ' No. of Channels?
~
+ Functional Unit ,
- No; of Channels - '
"to Trip,=
^
E f s ._
- g. , , '1.; ECCSI E
.. ac , ,
- )..
a.L 'M 'anual: c2s ' si , y" ~: , ..
'3 ~ ?
.b. 111gh Containment Pressure
- c. iMigh Differential Pressure- '12 2/ steam line i- Between Steam Lines- I. (3/ steam line) ;and 1/4 comparison -
between . steam line'- i
- d. ! Pre $suNzer Low Pressure 3 :-2 '-
- e. High Stearri Flow In~ 2/4 : 2/ steam line ' ~ 1/ steam line .
Steam Lines Coincident? 4 .TAVG Signals' -2 , 4 Pressure Signals 7;
, With Low-Low TAVG or Low' Steam Line Pressure. '
1
'1;
- 2. Containment Spray
- a. Manual 4 2E lb.'" Containment Pressure- -_
4 2. E : High-High ' 3 r r s _hc F = , hj SOURCE: ; Sequoyah FSAR
' ci
,_s,.
4 r . 1 N 4;6 ..
- _ . p ,
e
, 's-f the report. Instrument air is required for valve operation.
4.6.14.3 PCS Opet ational Constraints PCS is not available after loss of offsite power, or any event which causes the MSIVs to close. PCS was also assumed to be unavailable af ter a T DCX nitiating i event due to the closure of the main feedwater regulating valves. 4.6.14.4 PCS Logic Model Success of PCS requires providing flow from one or more VFW pumps to one or more SGs, or depressurizing and providing flow from one or more condensate booster pumps to one or more SGs. A logic model was not constructed fo- the PCS, Point estimates of PCS unavailability for each initiating event were developed through a consideration of the Sequoyah design, previous PWR PR As, and thc dependencies identified for PCS. 0.6.14.5 Assumptions in PCS Model The following specific assumptions were made regarding the availability of PCS: _ (1) The unavailability of PCS for all 5 2 3"d 3 3 initiators is oefined as 1.0, because the SI signal trips the purnps and closes t'ie MFW regulating valves. In addition, the containment spray actuatior signal closes the MSIVs thereby complicating recovery. 4.6-79
> . n. '!
, o.
E I g. 1(2). For steam generator tube rupture, initiators, Main Feedwater will be j initially-' unavailable. :The 51 signal generated on-low pressurizer. pressure will trip the main feed pump. turbine and close the MFV' ., regulating valves. Recovery was considerf for this event however, 1 because the MSIVs will remain openn containment pressure:will not rise for a T 3c, so an' MSIV closure signal will not be present.- 4.6.14.6; t PCS Operating Experience . .; No applicable plant specific operating experience for' the Sequoyah PCS was found., t f f h
!i i
(
- -j
.i l) $
.t u ,;
i. T p 1 , j-l , h S '- t 'I
't 4.6-80 :
y
,s- . ,
- l , '. _ -I
7 t , o i
-}
-y.
-4.6.15 Reactor Protection System Model' .7 The reactor protection - system (RPS) l's ' designed .to aut'omatically scram the' reactor ? - N follotving receipt of Indications of abnormal conditions - The RPS wgodeled as a two component gck box.c. LGeneric' data derived ? f rom? NUREG-1000 .and: the.~ ATWS 3 Rulemaking was used to determine failure probabilities of.cach component.' l iThe total probability of itPS failureLwas considered to be 6E-5 per; demand.JOf.th'Is, a component of 4E-5 is due to combinations of breaker faults and_ logic faults, whichLare-recoverable manual: scram.=;The other component of 2E-$ is not recoverable, within the two minute time constraint set for'ATWS events.
~
, 1 1,
l u a i
..j
-.f 4.6 :, -
t
~
Si ,
& +
1 L 4.6.16 lee Condenser System (ICS) Model The ice rondenser System (ICS) performs a' containment pressure suppression. function
~
during.the initial phases following a LOCA. The ICS performs .this function by providing 1
- a passive heat sink In' the alr/ steam flow path from the lower compartment to' the upper
- compartment of the containment.-
The.1CS was not included in the event trce or_ fault tree analysis.J However, certain design features of the ICS were important in determining sequence timing and outcome. < The following subsections provide a. system - description, identify dependencies; and Interfaces of the ICS with other systems, identify operational. constraints, identify - assumptions pertaining- toi the' 1CS- that were used in the analysis, and discuss ICS operating cxperience. 4.6.16.1 ICS Descr_lption
' A simplified schematic of the ICS is shown in Figure 4.6-18. The ice condenser is essen -
- ! ally a cold storage room in which ice.ls maintained-in an array of vertical cylindrical-cuiumns. The columns are composed of four perforated metal baskets approximately 12 feet long each, filled with flaked, borated ice. The space between the columns forms the' inw channel for steam and air. The ice condenser is contained in the annulus formed by-i'.: containment vessel wa' _ l the' crane wall. -
s The Sequoyah containment is divided into an upper and lower compartment. The upper and lower compartment are separated and sealed from:each other by the divider harrier seal. Leakage across this boundary is closely controlled.~ Following a LOCA, the riting j pressure in the lower compartment forces steamlin the lower compartment through the ~ ice condenser. Air return ; fans are provided -to promote mixing between the two-compartments in the long term. J] p+ ,J j During usual plant operation, the ice is isolated from the- containment building j atmosphere (to prevent melting) by inlet' doors and' outlet ' doors. The inlet doors are' j spring loaded and will open on i psf differential pressure. 4.6.16.2 ICS Interfaces and Dependencies ; 1 During normal plant operation, the ice-in the ICS is maintained by the ice condenser j refrigeration system. However, during a LOCA, the ICS performs as a completely ! passive system having no interfaces or dependencies on other systenis. 4 4.6.16.3 ICS Operational Constraints The Sequoyah Technical Specifications require the ice bed to be operable within specified ! limits of boron concentration, pH, temperature, ice weight and number of baskets, andi j with flow channels through the ice condenser. If these conditions are'not met, ice bed operability must be re...ared within 48 hours or the plant must be placed in hot standby . condition within the next six hours. Similar operating constraints:applyt to' the ' ice bed temperature monitoring system, ice condenser doors, -Inlet door position monitoring ,l ' system, personnel access doors and equipment hatches in the divider barrier between the containment's upper and lower compartments, contalr. ment air return fans, ice condenser j
- floor drains, refueling canal drains, and divider barrier seal. )
) l l
4.6-82
- -- ___L_ 2
E p 4.6.16.4 1CS Logic Vodel The 1.CS is required to provide containment pressure suppression following a large_ or - -I medium-LOCA (i.e., A.or.S_g).
~
Evaluation of the ICS led to;the following concluslon.: Contingent upon the assumptions
~
1 listgd below, the probability of failure of the ICS was considered to be low enough (i.e., 10 / demand) to not be an important contributor to core damage frequency.- 14.6.16.5, Assumptions in ICS Model 1 The following specific as'sumptions were made in developing the ICS fault tree model: (1) No operator action'is involved af ter a LOCA. - i (2) Failure of the, ICS due ;to phenomeno'fogical events such as-channeling of the ice, water collection-in the condenser floor, or.
~
barrier seal leakage were not 1ncluded. ! (3) Insufficient ice inventory to perform successful pressure suppression was considered to be virtually impossible due to the large initial inventory _ of ice and multiplicity of Technical Specifications'on the ice and its attendant systems.'
-(4) ICS failure 'due to inlet door blockage, caused by either random L
- failure or failure to remove blocks a_f ter refueling, was considered toi i be very low. This is because of the large numbers of doors and the j multiplicity of Technical Specifications covering the doors. '
4.6.16.6 ICS Operating Experience No plant specific ICS operating experience _was included in the analysis of the Sequoyah ICS. . i
'}
s
-] .
i 4.6-83 j i i i
, , i__A
ll
!l 1 t.m
. Y-g
= ryzgOZO s u r[
i r m
. t e
. ' s y
S E
. r
. T e N s E n R
. M. e T . T I
.E d
- h. n I
F E R- . R l f o
~
M R...
.A..
. A P
O T
]L~ C T .
R _ L L B 3
- h. M C 8 e A A R. . O A 1 c
- (
~
C
'P
[' - E I M W .E
.D .
R R 6 . O E . 4 e N VI . E e C A I D . W r i t R R .
. O u g o f
E C - L S P i F c P . R i U . O t a c . y - O J' [ 1 ) O R D m e ( T E L h c m5 ( N I S d 3 i e f i
. l
- p p . -
i m S
- ES TL Rl I f N GS NL CN NE EA A UF RA I M ! l MW T U Nt NL E RA U V L
I AE R O T TS C iS t OE CV A'n&^ e y
~' ;. .
j
S. L 4.6.17 ' Heating, Ventilating, and Air Conditioning (HVAC) System Model
- The' HVAC system was not analyzed as a distinct system for.this study. Particular .-
segments of HVAC were analyzed 'as they provided room cooling functions to certain-
' rooms. Many ESF pumps require room cooling for continued operation, inclusion of the room cooling functions were done through the ESF systems interfaces with the SWS, and room cooling fans which are required for room cooling. The SWS acts as a sink for heat -
that is removed from ESF pump areas.- ; The fault tree models foi systems which require room cooling identify the appropriate SWS Interfaces for those systems. The SWS is described in Section 4.6.10. The room; . 1 cooling fans are modeled as a part of the systems which require fan operation. , r ! L. j i 1 i i.
,1 I
'l 1
.l 1
l i i 4.6-85
. eL _
I 4.6.18 System Analysis Nomenclature' in order to ensure that naming of failure events is done consistently throughout the fault
. tree- coding process, a standard coding scheme- was established.- This consistency 'is necessary to ensure that the dependencies and Interfaces between the systems are- ,
properly accounted for when the individual system fault trees are merged with thelr. i
' support systems and the merged fault trees are linked together to perform the accident sequence quantification. In addition, the standard coding scheme provides the analyst or reviewer a traceability of the events from the cutsets resulting from the-accidenti sequence quantification to the Individual fault trees.
H' The . standard. coding scheme developed utilizes a sixteen: character identifier. - Each individual event' code is composed ' of four parts - a system;ldentifier, an event' or: component type identifier, a failure mode code, and a unique event identifier. Each of these parts is separated by a' dash for readability. The system-identifier is composed of-three characters which were: selected to readily convey the system to the reader. The. Ilst of system-Identifiers is provided in Table 4.6-13. - The event' or component type identifier is composed of three. characters which! identify the component type if a component fault, or the event type.lf other than a component fault. The list of event or-component identifiers is included in Table 4.6-14.- The failure mode code is composed.of two characters which identify the failure mode associated with ~the fault. : ~lhe list of j failure mode codes is included in Table 4.6-15. . The unique event identifier is composed of up to f.ve characters which utilize a portion of the utility ID for a component or-In the case of non-component faults or- grouped faults conveys information about the fault- ' f type. Table 4.6-16 contains the symbols used in the system schematics'. i e
]
1 o I i i i
.j I
4 f 4.6-86 l i _A ..
,- -- ; . , - a %. . . ,
.. f S s - 1 4 F41 la ,
,s j
Tableit t.6- 131 ' - s
' System identlfiers 1 System :
7 - Identifier - System Name
"& ~
4 ACC- / Accumulators ' ' s f ; ACP . ' AC Power, System ADS . Automatic Depressurizatlhn System.- '
/AFW- ~
PAuxillary Feedwater System or. Fmergency Feedwater)Systemi
! ARF: - Air Return Fan; System 4
50
'CCU-- :-Contain_ ment Atmosphere Cleanup - ' -
- CCW- Component Cooling Water System 1 CDS" Condensate System - .J
, CFC: LContainment= Emergency Fan Cooler SystemT 1 CGC: Containment Combustibl6 Gas Control > .
' s 1
- CH P.~ sCharging Pump System <
CHW Chilled Water Sy'stdm? '
' CIS Containment isoladon(System -
CLS Consequence Limiting Control: System ' CPC: Charging Pump Cooling System CRD Control Rod Dilve Systems a . CSC Closed Cycle Cooling System ; CSR Containment Spray Recirculation System CSS Containment. Spray. System, ,
- CVC Chemical and Vdume Control System '
h DCP DC Power System , 3-DWS .Drywell (Wetwell) Spray Mode of RHR System - EHV Emergency Heating, Venti.lation, and A'Ir Conditioning. System O ESF Engineered Safety Feature Actuation System . 4 ESW. Essential Service Water System
, d FHS Fuel Handling System .
- s N hcl High Pressure Coolant injection System HCS ~lligh Pressure Core Spray . System . j HPI' High Pressure Injection System (Charging and/or Safety Injection)
HPR. High Pressure Recirculation: System (Charging and/or Safety injection; )j
- j l '>
-7 f
f 4.6-87 2 m:
i 2
< !p ji
, ;' . ,1 l ' 2 . - 1 3 s ,. y
., .~.<*
. . . ,s.. . .-...; .. ... . : V, ...;-L'. 'N ' '
qq ,.. 7 , y qe a -
'l s .t o - Table 4.6213 (Cont'd)- ,
O >
. System identifiers =
. ;- c
, j
; System '
~
.i
- ,, > : Identifier '- , System Name ,
'i
'HSW: High Pressure, Service Water System; :l N IAS: Instrument = Air System.
=lCS< . ice Condenser System
~
+
j
. lSO!- : Isolation Con' denser System-:
M ISR Inside Containment Spray Recirculation System; , i
~
LCI ' - Low Pressure Coolan't injection System ;
~LCS- . Low. Pressure Core Spray Syste'm LPl . Low Pressure injection. System' i
LPR Low Pressure Recirculation System ' '
.i V
LMCW Main Circulating Water System (main ' condenser cooling' water)
'MFW Main Feedwater System ,
. MSS Main Steam System? .,
-NHV Normal Heating. Ventilation, and Air Conditioning System .
OEP f Onsite Electric Power System OSR Outside Containment Spray Recirculation System i PCS Power Conversion System PPS Primary Pressure Relief System PORV/SRV) RBC Reactor Building Cooling Water System RCI Reactor Core Isolation Cooling System- l RCS Reactor Coolant. System .- RGW Radioactive Gaseous Waste System ; RHR Residual Heat Removal System
' RLW P3dioactive Liquid Waste System 4
RMT Recirculation Mode Transfer System
, RPS Reactor Protection System SDC Shutdown Cooling Mode of RHR SGTJ Standby Gas Treatment System .
a
- SI- Safety injection System SIS Safety injection Signal (Portion of ESF) .1 SLC Standby Liquid Control System l
4
'\
4.6-88
- f. '
"Il[ .t" ,
7; , 4
+ <, ,
s s
;. i '
. Table 4.A-13 (Cont'dh System identifiers' m.
5
/ System . .
- Identifier - System Name SPC: . Suppression Pool Cooling System. .
1z ,
- for suppression pool cooling mode of the RHR:systemi SPM:
~.
- Suppression Pool Make,p System -- i
'j:
x SWS= Service Water System or Essential Raw Cooling Wa'ter
~
, TBC - Turbine Building' Cooling, Water System i
,I
.I
- i
- y I
i
^
i
.I i
I.
.3 u
l 1 i', 4 l l l d t .m 4,( 89: 0 1 N< , g[ ,
' j; e
1 , t r ,h o
a fs;
;y ,
Table' 4M-14
~
Event and Component Type identifier-Component identifier C - Air Cooling Heat Exchanger ACX
- Sensor / Transmitter. Units:
Flow ASF' Level - ASL. ' i Physical Position ASO: ,
;j Pressure : ASP i 1:
Radiation : 'ASR Temperature - AST, - -i Flux ASX- .j Circuit Breaker CRBr ( Calculational Unit CAL Electrical Cable CBL Signal Conditioner - -CND l
' Control Rods; !
Hydraulically Driven -CRH l
- Motor Driven - iCRM j Ducting -DCT-Motor Driven Compressor. MDC- j Motor Driven Fan FAN i- [
Fuse FUS Diesel Generator n G N. Hydrogen Recombiner Unit HRU' HTX Heat Ew; hanger Inverter
]
INV - Electrical isolation Device ISO . ; Air Cleaning Unit ACU- ] Load / Relay . Unit LOD j Logic. Unit LOi J Local Power-Supply- LPS q Motor Generator Unit MGN Motor Operated Damper MOD Non-Retyrn Damper CKD .j l
, 4.6-90 y ' ! ?4:. t ; , r "l .
i o ,, 0; m '
. Table 4'.6-14 (Cont'dl q
Event and Component. Type Identifier cj a Component - Identifier a d 1 Pumps: a Engine Driven EDP? ; Motor. Driven - MDP< J
~ Turbine Driven TDP
~
s
> Manual Control Switch 'XSW Rectifier ~ REC Transfer Switch - TSWj ][
' Transformer TFM:
Tank TNK= Bistable Trip Unit rXX Air Heating Unit AHU h m Electrical Bus - DC BDC Electrical Bus - AC BAC Manual Damper XDM Pneumatic / Hydraulic Damper. 'PND Battery BAT Battery Charger BCH a Valves: Check Valve .CKV'.- Hydraulic Valve .HDV Safety / Relief Valve' s
'SRV Solenoid Operated Valve SOV Motor Operated Valve ,MOV Manual' Valve XVM- ;
Air Operated Valve -AUV, -j
' Testable Check Valve TCV Explosive Valve q Flow Control Valve
~EPV- ':
.FCV F W ter FLT "i
- h.strumentation and Control Circuit ICC 1 Stralner STR Heater Element 'HTR I Traveling Screen Assembly TSA d Sump SMP 4
., 4.6-91 ,
S, <
.l nl
m 1 1 , 1 Table 44-14 (Cont'd)
^
i , . .
' Event and Component Type Identifier .
- Event Ide'ntiff'er :
Pipe Segment Fault . PSF
< ' Pipe Train Fault PTF- -;
L Actuation Scgment Fault ' ACS Actuation Train Fault ACT. AC Electrical Trald Fault' . TAC - DC Electrical Train Fault -TDC j
~ Human hror l XHE.
Common Cause Fault CCF - Miscellaneous Aggregation of Faults VFC i 1 a y i
-l
+
1 1 i i 1 1 1 i-! l s ,
.L: '4.6-92
~
4- 2 ; 4..-
- x. c. ,- z O'
', i }
e _.g_ ._3 a 1 L. , .x
. Table 4.6 15 e
m Failure Mode Codes
- L Failure Mode Code -
Valves, Contacts, Dampers. Fall to TransferL '
-FT:
Normally Open,- Fall Open ' A
,OO
- Normally Open, Fall Closed (Position) ' , OC~
.Normally. Closed, Fail Closed .
LCC ' Normallyl Closed Fall Open .i. .CO Y Valves, Filters, Orlfices, Nozzles . + Plugged . ,, . . PG Plugged or Fall'to Restore from Test or - PR Maintenance j. Pumps, Motors, Diesels, Turbines, Fans, Compressors, Fall to Start ' FS j
^
Fall to Continue Running FR, Sensors,' Signal Conditioners, Bistable 1 Fall High '
- H1'-
,- Fall Low A LO- q No Output NO; Segments, Trains and Miscellaneous Agglomerations Loss of Flow, No Flow . _ LP: .j Loss of Functior FC A'ctuation Falls y FA :; No Power, Loss of Power . LP- I Fallure (for miscellaneous fault agglomerations- : VF ~ i not based on segments or trains) Hardware ' HW= ~~f Ba ttery, Bus, Transformer- 1
'No Power, Loss of Power LP' l
- Short ST' 1 Open OP-j I
l 1 l
.d d
1 0 Events or components are only suggestions. - The failure modes listed may.be used for anyE applicable event or component type. ' '
,]D j
d 4.6-93. '
\ <J( -
. . . . . .:__ _ _3
. .,.. c; -- -
3 e b. LO Table 4.6 15.(Cont'd) 1 Failure Mode Codes
- I '
. Failure Mon.. . -- . Code- -; j
- q Tank, Pipes,' Seals, Tubes-'
1 LeakJ ,LKJ i
- Rupture';
RP j
;i Human Errors q Fall to Operate .-
J FO ;% Miscalibrate ' ' MC ; J! Fall to Restore from Tes't or Vaintenance ' .RE Normal Operations (unavailable due to planned u t'vity) Maintenance - MA-
. Test. .
-TE ~
' Test and Maintenance -
'TM u i t'
il l J ..
.i j
't ll t i
- Events or components are only suggestions.~ The fsilure modes listed may be 'used for-any
.' anplicable event'or component type. '
(
- i 'l '
'I' l
=4.6-94 ,
. !l
. ) s_, t
>y , .c " _ _ ._ _ [ '_- QffffllQM
- li i~
Table 4.6-16 Symbols Used in th'e System Schematics f
% 'Normally Open Manual ValveL j ' $NI F ~ Normally _ Closed M_anual Valve
, . Normally.Open Motor Operated Valve c.) rA. , "
Normally Closed Motor Operated Valve h Normally.Open Air' Operated Valve ;
$r,A &
Ncrmally_ Closed Air Operated Valve t $- hj - +- CheckValve' '
$- ; Heat Exchanger Or Cooler.
Motor Driven Pump h , ,c Spray Header j
'4.6-95 l t .
- 3. , , .s-
. ~ .
" A , t
@ ' +
. Table 4.6-16 (Cont'd)1 ;!
- Symbols' Used in the System Sihematics--
m
} ',
s,.'
.}
Strainer : ! 1 1 I 5
/
- Tank 1;.: a i
't t.
Reacto'r - : i V
^ .i 3
Steam Generator
\ / ;
,j . w -f l,
l' UPPER c- co""^" " _ Containment f L l i ,
*-Ice Condenser -
LOWER' f CCMPARTMENT i 7 Containment Sump f7 > Fluid Line '!- I3 $ i
,i.
.! b i
a' ' 4.6-96 , L j . II: 1
, s ,
1 + ~
~
S N,e
, ~ Table 4.6-16 (Cont'd);
' Sy,mbols.Used in the System Schematics - -
L! 1 Diesel Generator-1 c-Charger; , 1l l 1 LBattery 1 o l 1, Inverteri -
,- 1 1 : Transfer Switch;- il 1
J q Bus , j LO : Locked Openi
.l LC: . Locked Closed- 0;
.i t
- -- i 4.6-97 y
?
.j. %
c h)' '
'} r
_ _ , . _s.. . . . . . . .. .. . . .
1 4.75 - Analysis of Decent mt Failures r Dapandent , failures were - integrated into the analysis in ' two ways.. . Dependent; f ailures' due to- functional' dependencies' and = support <I. dependencies were identified and? modeled : in; the event tees and fault ~ trees. Discussion ^of these. efforts is found~in theJevent tree and fault
-treo sections <(Sections 4.4 and 4.5). . Dependent failures, which can not:
be explicitly.modeled as functional dependeneies or support dependencies, were - included in the study as a result of three : specific' efforts. LTheyi were'
- Dependenciea which ~ involve - dependent' failures due to l phenomenological 1 dependencies or unforeseen design interactions -!
"were - called " subtle interactions" 'in cthis atudy.
~
Subtle interactions found; in? past PRAsL were reviewed for' their applicability to Sequoyah.
- An LER review: of ' Sequoyah was made to ' identify any _ unexpected interactions or common cause ' failures, which lactually ' occurred q at the-plant.
D
*L Beta factors for common cause failures were systematically; i included'in. fault tree development.
~
Common causo failures were. ; modeled for redundant pumps, MOVs, and diesel generators. ! s a In addition, for those - systems not- modeled .in ' detail (i.e. , actuation systems, control systems ,' and the power conversion system),- a review of the system . designs and interfaces was performed to , de termine whether: there were any peculiarities- in the' system ' design which would result _in-unexpected. interactions with other systems ~or!would be expected to-result in significant differences - in, the failure = rate off the- system from- the > j generic system. failure rate. The ESFAS atisequoyah is' composed of two symmetrical trains. Power separation .is maintained for : eacht train'of' j i ' ESFAS, and no instances were identified where series components requiring actuation within a system train were actuated - by different . actuation system trains. The emergency power' system trains.are also symmetrical. In sone -instances , systems at' Unit 1 are.' supplied-by ' DC ' power trains ~! associated with Unit ' 2. However, in all' cases: these connections only j broadened' the power . redundancy and did not introduce ' any additional .l dependencies. - The: remainder of this section is divided - as. follows:: Subsection 4.7.1~ discusses the review and resolution of subtle interactions found in' past . PRAs; Subsection 4.7.2 presentsc the results of the LER search and ! discusses the method'of application of beta factors. 1 4.7.1 Subtle Interactions ' As discussed above, a list of. po'tential subtle interactions were I identified
- based on past operating experience and PRA analyses. ;
Each of these items were examined with respect to the specific Sequoyah - j design to determine whether or not 'similar ' interactions exist at I Sequoyeh, .The.brief description of the items'in.the list of potential 1 subtle' interactions is shown in Table 4.7-1. Table 4.*i-2 summarizes the ' applicability of the . items in the list to the Sequoyah design and the , resolution of those items which were found to be applicable. l Letter from G. J. Ecyd (Safety and Reliability Optimization Services, Inc.) to F. T. Harper (Sandia National Laboratories). " Topics of Concern for PRAs of ASEP Plants," June 18, 1985. Letter from F. T. Harper and G. J. Kolb to PRA experts, "Subt.le Interactions Found in Past PRAs and FRA-Related Studies," July 2, 1985. 4.7-1 f ,
. t
s i Table 4.71: Generic List Of Potential Subtle Interactions i
- 1. . niesel generator load sequencers can fall in~certain' ways, following loss of offsite
- power, which can result in_ the inability to load components onto the bus or load the -
diesel onto the bus.-
~
L 7. Occurrence of sneak circuits ln component circuitry can lead to inadvertant-- component isolation following power restoration, y
- 3. Fallures of bus switching logic can be critical if a safety related cire alt also j performs switchyard switching functions. The switchyard circuit failure could cause. loss of offsite power and at the same time prevent diesel load;ng on the huses.- ,
4 Inaccurate modeling of pump room cooling can lead to omisslor of actuation : I failures. If room cooling actuation occurs on high room temperature,it should be
~
modeled that way.
- 5. Occurrence of voltage droop prior to loss of offsite power, can result in blown j fuses, which would prevent equipment operability, even though diesel generators
~
o were operable.
- 6. Where containment temperature and humidity are very high, use of terminal blocks j inside containment for actuation' systems, may be unacceptable, j q '
7 Inadvertent isolation of all feedwater flow to all steam generators may occur due to unexpected actuation of steam line break protective features.
- 8. Potential use of alternate core cooling methods needs to be examined thoroughly in -
light of recent industry efforts. . j{
- 9. Steam binding of the AFW pumps due to back leakage through normally closed ..
I check valves or MOVs must be considered as a possible common cause failure of the 1 AFP system. Li
- 10. Air binding of cooling water systems.must be' considered as a common cause failure, particularly for those cooling systems which Interface with instrument air. ,]
- 11. Steam line break isolation circuitry on turbine driven pump systems can cause inadvertant isolation on loss of HVAC. i
- 12. Passive component failures in piping systems can result in common cause. failures of - I multiple sys' ems due to flow diversion or' loss of Inventory. t
- !{
- 13. . Failure to isolate non-essential cooling water loads can cause fal!ure of safety related systems during a'ccident conditions. !
14 Failure to close of discharge check valves for cross-tied pumps, can fall the entire system by allowing back flow through the inoperable pump, i i
;7 4.72 M x__a___=-___=- _-_
> -- - e'
~
; n' , ,
> a Table 4.7-l'(ront'd)
' Generic ' in af Potential Subtle Interactions.
- 15. : conditions during station blackout are quite different from other transients and'canl
' Introduce tinique failure modes into systemmodeling.- _
16 Dependent events based on operating experience should be surveyed and included as
. possible.'.
17.'- -Availability of main feeNwater following plant trip should be examined on a plant c specific basis. Isolation of main feedwater as well as operational emphasis and
~
, system suitability to post trip conditions need to be examined. - .[
i
- 18. - Refill _of dry steam generators af ter loss of feed events may be exceedingly . .!
-difficult at som'e plants. . Feasibility of this action should be examined thoroughly before allo ~ wing credit in the PP A models .
19.' Main / auxiliary feedwater commonalities may introduce potential failure modes for
- AFW, such as flow diversion into the condensate system.
20.; i 1 availability due to pre-existing block valve closure should be considered fo. ;th pressurizer PORVs and steam generator PORVs.
- 21. Overfill of steam generators resulting in water carry-over to the steam lines'must.
~
be considered as a potential failure mode 1for AFW turbine driven pumps during: scenarlos without normal SG level control.
- 22. Normal operating configuration may not represent the worst case for all 'system. <
availability. All potential configurations should be examined, o
- 23. Failure position of secured doors upon failure of the security systems or its power supply should be examined for potential accessability problems during station blackout events.
l 3 { .
, 1 4
L A 4 :
.4.73 H q
J[ i y'
s a
, 4 j y ,
.-i Table b.7-7
( > Applicability of Gene-ic Subtle Interactions to Sequoyah - >
.j
-ITIW NI)MPEP IN TABLE '
4.7 APPLir APILITY/U ESOLI'TIOM 9 1.- Each 6.9kV AC' shutdown board has _itsjown load shedding ~ , relays. -' One 'of two ' relays: must l operate to shedithe; 'oads' ,l from each 6.9kV ' Ar- shutdown beard. Each load is sequenced hack on by its own Agastat timer. Failure of one of the load '
]
shedding relays would keep the DC from being connected to.- r the board. ! Fowever, this'would affect only thi_s board, and . tbe relay failure rate is small compared with the?DCLiallure i rate. Therefore, this' potential interaction is not'important , and was not modeled.' '
?. - The turbine driven AFF pump isolation circuits are powered j by an uninterruptable power supply. Therefore, this potential: 4
~
interaction was not considered to be applicable.
- 3. Each 6.9 kV AC shutdown board at Sequoyah is supplied by a vital battery.iSwitchyard breaker l operation-is powered. by . ,
the station. batteries. ' in': addition, bus ;switchingi can be ~ l performed Lmanually. using manual transfer s' witches. There
- a fore, this potential interaction wasinot. considered to- be -
~
applicable and ivas not included in the analysis. -%
- 4. Potential interactions involving pump room ' cooling : were included in the-system fault 1 tree models. Developed ' events were used in front line J system models c to account- for dependencies.on common- portions of the ' service ' water and-electric power systems. .
3
~'
Plant personnel stated that when the pumps are being tested l during plant 1 shutdown,1 thei pumps are: operated for- a long - d period > so that the- pump room cooling systems;must work. . ; This provides 'a ~ periodic test of 7the" pump room cooling. sys tems. ; It. was noted that portable cooling fans are available on each ' level, and the operators would not hesitate to block the doors ' open if room cooling is failed.L The turbine driven AFW pump is automatically isolated on high temperature,: but room cooling is provided by diverse power trains (AC and DC) and-- 't would not be manually stopped during AFW operation. Pecovery of room cooling was allowed, but only when the operator would have indication =of high room temperature - l ' before pump failure. p , i, 4.7 4. g . J => '/ .t j
- e. 1.
m_-.,-__ _ , - _ _ _ _ _ . _ - _ _ _-_--_--- - - _ _ . , _ _ _ _ , _ _ , _ _ , _ _ - _ - _ _ - - ._ -
$# ll$40 4*d>4@9 , ..
IMAGE , -EVALUATlON gig +3, ,, /////,y.ff, r. l.0 En E@8 y IIE I.l [m W l A l.25 1.4 1.6 4 150mm >
< 6" >
4 ,, f+'/b
% 0
%>7/// ++4%y "" ' " S
"*""55sffS195ff"""*""
7 h4<f WEBSTER NE YORK 14580 (716) 265 1600
' Table 4.732l(Continued)
Applicability of Generic Subtle Interactions to_Sequoyah ITEM NUMBER IN TABLE' 4.7 1 APPLICABILITY / RESOLUTION
-5. This interaction derives. from an event at Indian Point.
Loss of offsite-power occurred in such a way that.there was a_"long" period of slowly declining voltage before - power was completely lost. The voltage drop caused ' increased ' current in inductive circuits. The -voltage - " droop" was sufficient to blow fuses. This- interaction was not incorporated into the Sequoyah= study, because sufficient data on'the magnitude-and: length of the previous voltage " drops" are not available.- It is-therefore not possible to predict the' probability of fuse failure and thus one can not incorporate this into system
-models.
- 6. Sequoyah uses terminal blocks in ' containment for motive power only. Control power junctions do not use terminal blocks. The only -' motive power for components in containment, required for this study would be - for the MOV .
block valves which-are powered by 480V MCCs. .There is only ) one sequence where the block valves'are required to operate
~
j in an adverse environment, that being isolation.of a-PORVL I during station blackout recovery. Failure to recover.from station blackout in time to . isolate the PORV is 0.19. Superposition of concerns about terminal blocks would not be expected to increase this unavailability a significant amount. This subtle interaction was ntherefore not treated further in this study. 1
- 7. The Sequoyah SG isolation system is designed to prohibit simultaneous isolation of.all steam generators. The motor- ~
driven AFW trains,are not isolated on' steam breaks or SIAS- y signals. q q 8, Alternate core cooling methods -were included. in the _f Sequoyah analysis. Use of MFW or condensate booster pumps, _j and feed and biced cooling using HPI and- the _ PORVs - were 4 considered in the event tree analysis. Use of the ' procedure to employ the firewater pumps with ready-made < spool pieces to supply the SGs was also considered but.not included in the analysis for two reasons; a) consideration of the other actions mentioned above brought the frequency of TML type sequences down to a minimal contributor, and.b) : t.he actual benefit of third and fourth alternative actions ! in loss of ' feed accidents is questionable, due to the j amount of time available prior to core uncovery af ter 1 previous alternatives have failed. 4.7-5
f 4 ).
. [-
2 Table 4.7 2 (continued)I Applicability of Generic Subtle interactions to Sequoyah ITEM NUMBER.
'IN TABLE .
4.7 AFFLIC ABILITY /R ESOLilTION
- 9. - Sequoyah has experienced backflow of MFW Into~ the. AFW lines ~,' as ~ evidenced by hot AFF discharge piping. However, .
no pump failures have ' occurred due to steam binding._ The AFW configuration at Sequoyah is such that each pump train is virtually separated from the others'with the. exception of the miniflow recirculation lines. Each pump discharges to a separate header which then supplies the steam: generators.s Fach supply line has a closed A0V in it. The miniflow lines -
, have one check valve - to prevent backward flow. The mlniflow lines also lead to -the CST, not to. the pump suction as at some other plants ~ that have had steam' hinding problems, in addition, operating procedures direct shif tly testing of the -
temperature of the pump casing and discharge piping. Also,- the check valvesn are rebuilt at ~ cach refueling. . These measure should reduce the potential for steam binding, , f However, -all of. the : AFF _ pumps have_ 'a common suction - -_ l header so the potential for common modeLiallure by steam- " binding ls still. considered to exist at Sequoyah, but at_a very - low rate: due to the design considerations and preventive measures noted above. = The AFW fault tree includes -this failure mode. The probability _ of this failure mode is calculated in Appendix D.' 10 The ERCW is an open water cooling system'which provides cooling water to ' the . 'five . station air compressors and. aftercoolers as well as the two ESF Auxillary Control Air Compressors. These are all downstream of the pumps with 1 or 2 check valves in the piping. TI.ese failures are deemed unimportant because:
- 1) The pumps are upstream of- tSe air : heat exchangers with check valves in between.
- 7) -It is an open system and the ~ERcW flow would tend to push the leaking air toward the discharge rather than the pumps.
4.7-6 _.
s
~ Table 4.7-2 (Continued)
Applicability of Generic Subtle Interactions to Sequoyah ! ITEM NUMBER IN TABLE ; 4.7 1 APPLICABILITY / RESOLUTION i
- 11. .- The steam supply to the turbine-driven AFW train is isolated
.on high AFW room temperature, or.high steam flow signals. .
DC powered fans, are provided in the TD' AFW pump room. . Therefore, this potential interaction was not considered to be applicable during station blackout. 4
~12.- Several areas were identified in which a single passive failure could result in the failure of multiple systems, including pipe breaks, flow blockages, and valve failures due.to stem / disc separation. These events'were.modeled as necessary in each of the applicable systems to assure that the commonality.
would be reflected in the accident sequence evaluation. 13 The pump success criteria ' and ' system fault ' trees were developed to include failure to perform necessary isolation or ' j realignment of nonessential cooling loads.
- 14. Probability for check- valve . fall to close - is' 1.0E-3/d.
Probability for pump fall.to start is 3.0E-3/d. The sequence ' of events where a check valve falls to close af ter the pump in '
~
+
that train falls to start.or run, thus ' causing-back flow from the other train and subsequent failure of the entire system is explicitly included in the -fault' trees of allivedundant pumps headered- together. .The problem of' pump casing rupture, which fails both trains, is not : explicitly included in the analysis.
- 15. Station blackout was modeled in significant detail. Special considerations- such as RCP seal failure,. battery depletion, loss of instrument air pressure, and non isolability of failed 4 valves were considered.
RCP seal LOCA due to loss of all~ seat cooling was included in-the station blackout models, Battery depletion time of four hours was used, based on NUREG/CR-3226.
- 16. Beta factors- based on EPRI-NP-3967 were included ;in the .
fault tree analysis for the diesel . generators, the MOVs, and the LPI, CSS, CCW, nnd motor driven AFW pumps. .
- 17. At Sequoyah, MFW regulating valves close and the turbine -
driven MF pumps trip on reactor trip or turbine trip. Plant operating procedure is to stabilize SG water level with AFW, but then restart MFW as soon as possible.
.4.7-7
s
. Table 4.7 2 (rontinued)'
Applicability of Generic. Subtle Interactions to Sequoyah ITEM NUMBEP IN TABLE 4.7-1 APPLIC ABILITY /R ESOLUTION
- 18. It was considered that the operators would initiate feed and bleed shortlyo before - SGs were dry.- . Further recovery <
i attempts for AFW were not modeled. Therefore refill of dry . ' steam generators did not come into the study. 19 No significant commonalities between the MFW and AFW-
. systems were identified. Therefore, this potential interaction' was not further addressed.-
- 20. Due~ to lack of' operating experience at Sequoyah since.1985,-
generic PWP estimates,for pressurizer PORV block time and - SG ADY block time ~were used. c
?!. Overfilling of the steam generators and the resultant carry-over of water. Into.the turbine driven AFW pump turbine was=
considered .to be a low probability: event .if instrumentation was available. Potential.-SG overfill was postulated in- the- -; station blackout analysis, 'in : the event. that DC power .was unavailable.
- 22. Normal operating configurations for systems were confirmed, but some sy' stems (such as CHP, SWS, and CCW) are variable.
- 23. Sequoyah has a~ separate DC that supplies power to-the door ~
- locking system when offsite power is unavailable. - Also, if all l power is lost, access is not compromised.
?
-i
.(
i l 1 l I s 3 l l L i 4.7-8 { l . - .
4.7.? Common rause Analysis ' Modeling of common cause' events was approached in two ways. First, a _ search of Sequoyah _ LEPs was ~made to identify previous occurrences of plant specific common cause failures. No common cause. failures or peculiar dependencies were found 'as a result of this LER search. Secondly, common cause failures were included through the systematic application of common cause events in the fault tree analysis of redundant components. The values used for the beta factors were derived from EPRI-NP-3967. %e common cause method- i ology and the beta factor guidelines ~are detailed in Reference 4. The groundrules'for application of beta factors are summarized below:
- 1. ITeta factors were only applied within systems,' not, across system -
l boundaries. l
- 2. Reta factors were only applied; within a system to _ redundant components and identical failure modes.
3.- Cut sets for random independent failure of multiple components were included in system models in addition to the cut sets containing the beta factors.
- 4. rommon cause failure of the following redundant components were postula ted:
Diesel genera tors Motor operated valves Si pumps and charging pumps, separately LPI pumps CSS pumps. Motor driven AFW pumps (No turbine driven pumps) SV'S pumps and CCV' pumps, separately i A description of the common cause events identified and used .in ' the Sequoyah quantification is provided in Table 4.7-3. I l l l-4.7-9 l l
.T;bloi4.7-3 Common 1C2uco_FailurGoi Event Identifier Description 'AFW-CCF-FS-1AABB Failure of-Auxiliary Feedwater (AFW) motor driven-pumps (MDPs) 1A-A and.1B-B.
to start.- AFW-CCF-FT-AOV Failure.of AFW air operated valves. (3-148, -156, -164,--171, -172,,-173,
-174,7-175)- to open.
CHP-CCF-CC-1356. Failure ofLmotor operated valves ~(MOVS)- a , 62-135 and 62-136 to open. j CHP-CCF-CC-2526 Failure of MOVs'63-25.and 63-26 to open. CHP-CCF-MOV-VCT Failure of Cha'rging Volume' Control' Tank)
. valves-(62-132, -133)=to close. ,
CSS-CCF-CC-392 Failure of'MOVs 72-2"and,72-39 to'open. CSS-CCF-FS-1AABB Failure of the Containment Spray (CSS) MDPs 1A-A and 1B-B to start. , DCP-CCF-LP-III Failure of the 125V DC batteries I and-II. HPI-CCF-FS-1AABB Failure of HPI MDPs 1A-A:and 1B-B^to~ start. } 4 HPR-CCF-CC-6367 Failure of.MOVs 63-6 Jand~63-7 to'open.- I c HPR-CCF-CC-V678 Failure of MOVs 63-6, -7, and>-8 to open. HPR-CCF-CC-V811 Failure of MOVs.63-8 and'63-11 to open.c ! l LPI-CCF-FS-1AABB Failure of LPI-MDPs 1A-A and 1B-B.to-start. LPR-CCF-CC-7273 . Failure.of!MOVs-63-72.and 63-73nto.open. l-MSS-CCF-FT-AOV Failure of-the turbine bypass valves to l; open. L
- OEP-CCF-FS-1AABB _ Failure of diesel. generators 1A-A~and 1B-B to start.
l l l
.PPS-CCF-FT-3233 Failure of RCS power operated relief- j L valve (PORV) blocking valves (MOVs 332, 333). H PPS-CCF-FT-PORV Failure of RCS PORVs to open.' j H i 4.7-10 <
l
' Tabibi 4. 7-3 E (Cantinu!d)1 Comm:n CruSO-Failurc3 Event Identif'ler- Descriotion-SWS-CCF-CC-2523' Failure of SWS CSS heat-exchanger inlet valves:(67-123, 67-125) to.open.
SWS-CCF-FS-KMNQ Failure of SWS HDPs K-A, M-B, . N-B, and Q-A to: start.. 1 SWS-CCF-FS-KQ Failure of SWS MDPs K-A and Q-A'to 1 start. SWS-CCF-FS-MN Failure of SWS MDPs M-B and-N-B to ' l start. l l SWS-CCF-FT-AOV Failure.of SWS air operated valves. 1 5 a l r r N-l t i L . I-1 q l l l t 4.7-11 .j i <
4.8 Human Reliability Analysis This section presents the results of the human reliability analysis (HRA) performed for this study. Included in this section is a discussion of the human actions which were identified. .the methods and assumptions used in their evaluation,'and the final human error probabilities used in the accident sequence quantification. Detailed calculations of the human reliability analysis are found in Appendix C of this report. Section 4.8.1 discusses the scope and references the methodology. Section 4.8.2 lists the human actions which wcre analyzed. Section 4.8.3 presents and discusses the important ! results of the pre-initiator human reliability analysis. Section 4.8.4 - presents and discusses the results of' the post-initiator human reliability analysis. Section 4.8.5 discusses the innovative recovery actions which were considered. 4.8.i- Summary of Methodology and Scope Human reliability analysis for this study was performed in accordance with References 24 and 26. The HR A was divided into two overall categories of actions; pre-initiator errors and post-initiator errors. Pre-initiator human error analysis was concerned with miscalibration errors and equipment restoration errors. : Human actions which lead to these . errors are done under normal plant operating conditions with stress -levels appropriate for everyday work environments. The calculation of error probabilities for these actions was concerned with the adequacy of the maintenance and inspection
. procedures, the dependence of related tasks, and- the administrative redundancy of restoration procedures.
The ~other category of- human errors was post-initiator errors. . Post-initiator error analysis was concerned with human errors made in response to the mitigation of an initiating event. The human actions from which these errors derive are procedure directed. Calculation of error probabilities for these actions was primarily concerned with the amount of time available to complete the task, the stress level under which the t task was performed, and the amount of redundant verification that was'possible within the allowable time period. l Modeling of human interactions with the-plant systems was done during the fault tree L analysis, the event tree analysis, and most importantly, the accident sequence recovery i analysis. Human actions can be directly defined at the fault tree level and the event tree level. But due to the way that fault trees and event trees were linked together to create failure expressions for an entire accident sequence, it'is not necessarily possible-to identify all human actions until the sequence level cut sets have been generated. When using the large fault tree-small event tree (LFT-SET) approach,.the most common place lor identification of human interactions was in the accident sequence recovery analysis which was done after the initial accident sequence Boolean reduction and quantification. In the LFT-SET process, this was the first time that minimal cut sets to-an entire core damage sequence could be viewed. Thus, all the information was available, within the context of a single cut set to determine the alternatives for function restoration and the allowable timing for restoration. Search for possible recovery actions was directed by the emergency operating procedures applicable to the particular sequence. These recovery actions involved restoration of system operability or initiation of an alternative system to provide or to mitigate the failed function. 4.8 1
'All human errors identified were errors of omission. These were defined as instances - where an operator was required to correctly perform a task in order to ensure the proper . functioning of a system.. If this task was not performed correctly in any way,' the system -looses its ability. to function. i - 4.8.2 Human Actions Analyzed
- As discussed in the previous section, identification of human interactions was done at the-
~
fault tree level, event tree level, and in the accidentEsequence recovery analysis. - -
- Operator actions were of two categories; pre-Initiator actions, which are: restoration andt miscalibration errors, and post-initiator actions, which involve diagnosis, operation and-
, manipulation of systems and components. Post-initiator errors were identified and collected at three levels of analysis. They wcre -
- all retained for quantification. Each operator action appearing in a specific sequence has timing considerations, . and other conditional circumstances which may make 4 the -
quantification - of- the error. probability tunique to that -. sequence. ;Thus, multiple . quantifications of one event were common. 4.8.3
- Analysis of Pre-Initiator Errors Events for mispositioned valves or. components were identified by the system fault tree' <
analysis. = These events were postulated to occur as a result of failure to restore valves after regular pump testing. or. maintenance, failure to restoreLvalves: during power-ascension that were closed for maintenance during cold shutdown, or: failure to remove the refueling canal drain plugs af ter refueling.- Some ~ valves do not require position ' 3 changes for pump testing.cValve misposition errors-for these valves were assessed to be' ' negligible compared to other causes of component failure and thus, were not included in the system models. The guidelines for quantification of component restoration errors are shown in Table 4.8-1. Based on the physical layout and location of the ~ECCS and containment spray; systems,. and the HRA pre-accident guidelines, which define the potential for common cause - mispositioning of valves in terms of valve locations, timing of valve test, maintenance, and monitoring practices, use of check lists and- use of verification procedures, no common cause misposition errors were identified. However, the possibility of failing to remove the two refueling canal drain plugs af ter refueling operation was analyzed as a common cause restoration error, and a time-based model was developed to include' the, quarterly checks required by Technical Specfication. This potential error,is described in the following subsection. Miscalibration errors were also postulated to occur for all actuation systems. Examination of the sequence cut sets indicated areas where failure of both trains of an actuation system could lead to core damage. in instances where a sequence had an actuation system double, a cut set-involving miscalibration of multiple sensors due .to-human error-was added to the sequence. .i l Quantification of these error probabilities addressed the number of sensors which must be miscalibrated and the indications from other instrumentation which would be-available to alert the operator to take manual ' action. Af ter a preliminary screening, one miscalibration error was significant. That being the miscalibration of the RWST water level sensors. The quantification of these events are discussed below.- 4.8-2
g ' i- } 1 Table 4.8-1 HRA fo'r Restoration Errors ! l
- 1. Valve misposition were errors of -omission only. Restoration errors (REs) were postulated for each pump test, for pump maintenance, and for valve maintenance. 1 F
- 2. . Restoration errors were assessed to be Insignificant if ve.tve position annunciated in '
control room.
- 3. Restoration errors were assessed to be insignificant lf valve receives automatic-
]
signal to open.
~
- 4. - Restoration error quantification was performed for each valve as follows (values :
.]
given are mean values): l
- a. BHEP'of 0.03 was assigned
- b. Any valve which is required to be flow tested immediately folloviing a system i maintenance act which requires closure of that valve is assigned an additional multiplier of 0.01 1 i
- c. Valves with Independent position verification (for Sequoyah,.all valves) were assigned an additional multiplier of 0.01
- d. . Valves with position checked on - shif tly basis .were assigned an additional 1" multiplier of 0.01; or, valves with position checked on weekly basis assigned-additional multiplier of 0.3' "
- e. If valve is flow tested, then only one multiplier in addition to BHEP may be assigned.
- 5. Based on the restoration times, valve locations, and pump testing, common mode-mispositioning of -valves in redundant trains of systems was assessed .to be ;
insignificant. 1 4.8-3
m. 7 4.8.3.1 - Drain Plug Removal Af ter RefuelinE WFC-XHE-DRNPLC)
~
During a plant refueling outage, two drain plugs are placed in the refueling canal so that_ . the canal can be flooded prior to refueling operations. .lf these valves are not removed '
~
d
- a. iter refueling, under accident conditions, the containment spray system would pump the water from the containment sump' into the. upper containment compartment with.no way; to pass back into the sump for recirculation.. This would lead to failure of the ECCS and containment' spray systems in the recirculation mode. : 1 Following refueling, Mi-1,2, App. C directs workers to remove the refueling ca'vity drain 1 plugs and install vortex eliminators. The cognizant engineer, SRO, QA supervisor, and
~
plant supervisor must all provide sign-of fs verifying:that the: plugs have been removed.-
'Only the cognizant engineer provides a sign-off- for other. steps unrelated tolthe drain; plugs. An additior.at checklist, FHI-8, is completed by the refueling' crew to _ verify that they have properly removed the plugs. a Before increasing TA above 2000 F, and af ter each personnel entry, data sheet SI-l'9 ;
must be filled out vebying that.the drain plugs are in storage. Sign offs are required
.,4 from the SRO, the worker who stores the plugs, the' STA, and the FQE staff. In addition, an SI-20 data sheet-must be completed which separately verifies that each drain plug is ,
removed and its respective vortex eliminator. is installed. Sign-offs are required from
.the worker who performs the task, the SRO, and the'QA staff. 51-20 is completed,-
verifying removal of the drain plugs, every 92 days. Based on the- pre-accident HR A: guidelines,(20 !a BHEP of .03 was applied. - The- BHEP? was modified by multipliers of 0.1 for the Mi-1.2 checklist,0.1 for the FHI-8 checklist, and 0.1 for the SI-19 and SI-20 checklists. In addition, to reflect the quarterly checks,s the value was modified by multipliers of 0.1 for the second quarter 51-20 check,0.5 for. the third , quarter SI-20 check, _ and 0.5 ' for the fourth ' quarteri SI-20, check. , Conservatively, no credit was given for any. 51-19 transit' entry checks which might be l performed. 'The four quarterly restoration failure probabilities were averaged to obtain the probabl!!ty that the refueling canal drain plugs would not be removed on demand. . The calculation is shown below: 3 First Quarter Failure Probability = .03 x 0.1 x 0.l fx 0.1 = 13.0E-5 q' Second Quarter Failure Probability = - 3.0E-3 x 0.1- = 3.0E-6 ' Third Quarter Failure Probability = 3.0E-6' x 0.5 = - 1.5E-6 Fourth Quarter Failure ~ Probability = 1.5E-6 x 0.5 - = 7.5E-7 Sum of Quarterly Failure Probabilities = 3.5E-5
?
3.5E-5 + 4 = 9.0E-6 = . Average probability of refueling drain plugs being in place at time of LOCA initiator.
- 4. 8.3.2 Miscalibration of Multiple RWST Water Level Sensors'(RWT-XHE-MSCAL) 3 Miscalibration of multiple RWST water level sensors was identified as a potentially i important event in this study. Switchover to recirculation af ter. a- LOCA occurs automatically, based on water level in the RWST and water level in the containment sump. When water level reaches 29% in the RWST and 10% in the sump, the ESFAS logic >
'is made up and the RHR pump _ suction will automatically switch -to the; sump.
~
1 L Miscalibration of the sump level sensors was not considered as critical as miscalibration I of the RWST sensors, based on their relative set points. The sump level indicators would j l have to experience a much larger miscalibration error than the RWST sensors, in order to delay automatic switchover. 4.8-4 l
The RWST level sensor calibration was considered to be a key issue because RWST ' water
-level is the central focus for switch to recirculation. The operators watch it and the ESFAS uses it. If the water level reads significantly above 29%, the operator will believe' het is safely in the injection phase. . Sump level indications would not be as definitive, because 1) RCS blowdown and melted ice contribute to sump level 2) sump level may bel slow to respond because of transit time from the'other containment compartments.
Water level calibration is also considered important because the . inventory remaining at the 29% water level will be injected in approximately ten minutes.- The ESFAS logic for recirculation is 2/4. Therefore 3 we.ter level ~ sensors must be-miscalibrated In order to fall the signal. Reference 24 was first consulted for HRA l
. guidance, but was found to be insufficient for these purposes. Reference 24 defines only-3 levels of dependence; zero dependence, high dependence, and complete dependence. If-' .
1 the criteria in Reference 24 are followed, this event would have zero dependencf76y'hich was not t.hought appropriate given the nature of the task. NUREG/CR-1278 was consulted to provide a finer level- of discrimination, for levels- of dependence. . In accordance with NUREG/CR-1278, calibration of the water level sensors was considered ~ to have a low level of dependence. Assuming a basic human error probability of .03 for 1 each sensor, and using a conditional HEP of success and failure from Table 10.3 of Reference- 26, for low dependence, and considering the possible success and failure ! combinations to miscalibrate 3 of 4 sensors,' the probability 'of miscalibration of three~ sensors is 5.0E-4. . 4.8.4 Analysis of Post-Initiator Operator Actions i Post-initiator operator actions can be cla'ssified as skill based actions or_ rule ' based actions. The two types of actions are quantified differently, as discussed below. 4.8.4.1 Quantification of Skill Based Actions Skill based actions are those that are performed from memory. They represent skills-acquired through training and practice. The performance of these tasks is not considered , to be 'significantly affected _by-stress level, previous events, or, timing. The HRA guide suggests that skill based actions have an error probability of 2.7E-3 each ; Reduction of -
- the overall error probability due to verification or' checking by a second person is not )
j I appropriate for skill based actions. The error probability of 2.7E-3 was assigned to all skill based' actions, independently of _ y the context in which .they appeared, stress level,' timing, or previously committed , operator errors. Rule based action; however, were quantified based on' the context'in which they appeared. . Stress level, timing, and adequacy of procedures!were factored - into 'the quantification. Error probabilities for rule based actions, were also shifted l l~ upward due to a previously committed error in the sequence of events. The amount the' HEP increased primarily dependent on the time between thefirst error and the.second - action. . 1 Classification of actions as skill based or rule based was based on the structure of the emergency procedures and operator training. y The Sequoyah system of emergency procedures follows the generic Westinghouse guidelines. There are three major sets of emergency pro' cedures. The emergency , procedures (EP), the emergency con tingency actions -(EC A), and the functional { restoration procedures (FRP). They are related as follows.
- 4.8-5 L
I
}i - The EPs are event oriented procedures, There ar'e four basic sets, with several subsets to ;
each set. .The four sets are: e reactor trip or safety injection p e loss of reactor or secondary coolant
.e : faulted steam generator isolation :
e- steam generator tube rupture : These procedures are the primary se't of procedures for mitigation of all transients and LOC As. . The operator is trained to make;a preliminary diagnosis of_ an event, and to , select one of these series of EPs. The FRPs are a series of six procedures.which provide. instructions'for restoration of a s
. critical safety function? The six series involve: -
e loss of subcriticality e loss of core cooling e loss of secondary heat removal-e~ potential pressurized thermal shock - e containment integrity + e ' reactor vessel inventory These~ functions are normally provided' during reactor operation and will. continue to b'e provided regardless of any single component failure. The shift technical advisor (STA) will monitor several parameters involved with the preservation of these functions. Should these - parameters range out of acceptable ~ limits, the STA will bei directedL to the appropriate functional restoration procedure. This procedure is ~ followed until the lost function is restored.
- The third set of procedures are the ECAs. These are- event oriented procedures for- :
severe cases of multiple equipment failures, which can be specifically diagnosed. There are four sets of ECAs: e Loss of all AC Power e Loss of Emergency Coolant Recirculation ~ or ' LOCA Outside Containment e Uncontrolled Depressurization of all Steam Generators- ' e SGTR with Loss of Reactor Coolant i The first 13 steps of E-0 represent'immediate actions after a scram. These will be done from memory without reference to a written procedure. They represent a universal set '; ! of actions necessary to tend to immediate concerns after a reactor trip and to form the L basis for a diagnosis. Some of these actions are repeated at the beginning of. other procedures. 1 j These steps involve verification of reactor trip, turbine trip, AC power,-SI flow if needed, AFW if needed, and containment isolation. . If the desired response is not , obtained, the operator is trained to perform immediate manual' activation of these l systems. With few exceptions, actions involved with the first 13 steps of E-0 were , consided skill based actions and assigned an error probability of 2.7E-3. Manual actuation errors were handled with one additional discrimination. For cases , where only 'one train of actuation failed, the actuation of the other train would be
-4.8-6
p p } l
. sufficient indication that the queestioned system was required. For these cases, the skill-based HEP applies. For. cases where both trains of actuation failed,:two types of indications were considered available to the operator: instrumentation from other 1 systems and whether or not previous safety system actuation had occurred. For cases !
when alternate. indication was present, the HEP was calculated from the upper joint i diagnosis error in Figure 7-1 of Reference 24, corresponding to the time available for . 5 action. If no. alternate indication was present, no secovery was allowed. The upper joint HEP was chosen because indirect indications'are available to the operator, rather than j the more direct indications in the previous case.
]
4.8.4.2 Quantification of Rule Based Actions ; The results of the HRA are summarized in Table 4.8-2. This table shows the important conditions pertaining to each operator action.. These are the type.of applicable error j probabilities (action, diagnosis, skill based), the stress level (moderate or high), and type ' of action (dynamic or step by step). The allowable time for diagnosis is also shown, along i with the diagnosis error. where applicable. The detailed work sheets supporting these calculations are shown in Appendix C of this report. The methodology is summarized - here. (1) Identification of the sequence failures and the accident conditions. (2) Based on the cut set (and sequence), the timing of the events (i.e, occurrences, f ailures, alarms, Indications, etc.) was established. (3) Based on the cut set (and sequence), the symptoms and therefore the possible recovery actions (and required activities) were-identified. ! (4) The time available to the operator to diagnose and perform the action (and activities) was established. ! (5) The probability of the operator- failing to properly diagnose the , accident was determined. This considered such things'as operator ; training, simulator exercise, etc. i i (6) The type of recovery action (whether ' dynamic' or ' step-by-step') was j determined considering such things as the plant using r,ymptom i oriented procedures, operator training, etc. (7) The stress-level of the operator was determined considering such i things as time available,- difficulty of the action, training, number and timing of equipment failures,' etc. (8) The probability of the operator falling to perform the recovery action was evaluated.- Some of the prominent sequences involving operator error are discussed individually in the following sections. I t 4.8-7 1
y
~
- ~
w .- yn W _ 3.g.
. y m ;w m ,
yyy ' P _y - -
;- ..,3 ;; :~ ,
w; n - 3@.+
-t.v.g -3 v.nava w ~ w~ y:y,. fS~ &,
Table.4.8-2 ' ' ' >
. , __ - .. l 1 . ,
- 'd M Human Reliability ' Analysis. Surunary
~ ~~
. a. <
M .a Stress ; Action : Action- V _ _~f ** g-Identifier Sequence. -Type ' Level' ; Type: Diagnosiss ' Error" _1Mean , , x
~ te#b i064i
'AFW-XHE-OPNVALVE
'SB0 A-(PD)- MOD 3SRS: :-;
- .064L A CCW-XHE-F02CCWCS- : ALL.- "A-(PD) . MOD .SBS' --i J320 .032 O : >
. ~.. .. -
; .032 ?
.032:
^
CCW-XHE-VF-SFPHX LOCA A-(PD)' M00' / SRS :. - -- c ,
. . . ,- +, . w
.032 *i.03?2-
~
CHP-XHE-EMERGBOR ATWS A-(PD). - MOD 1SBS: --- n001;
~
~ , ,
1[.04*.64];*3' ).077? m; f
-CSS-XHE-FO-CSRc LOCA -A-(PD)- TIME STR- SBS= --- 4 wS&
' CSS-XHE-SWSHXVLV - LOCA . A-(PD) :. MOD iSBSE '
-- f
- .02 .32S32*;2~ dl?4.1E-4?.
HPI-XHE-FO-FDBLD 1T2L ' A-( PD ) - : MOD ' :SBSL -- i[.032*.32]*2?
~
,# = -
a ~.0222
* % ,~ 4
,=.
HPR-XHE-FO-6311 A,52,S3'S1 A-(PD). fMODJ 4SBS J--n 502*.32*.323 . 12.05E3d . 1 , _1 j.02.* {32*i32f
~
y' HPR-XHE-F0-635- ;S2'S3'S1 A-(PD); MOD ' MSBS: .a , 2.05E-3( HPR-XHE-FO-CHISL: 'S 2'3 S ' 1, ;A-(PD): M00f lSBS ~ < - .:
. G02*.32s32i $ ?.05E-3_ I v ,
~
,.02*.32.*s325 .
HPR-XHE-FO-SIMIN #5 ,S AJ+: D: - MOD f ;SBS : ..,8E-44 . 1 85E-3r ~% 7 7: - :LB;f 20inIN. w
'~ ,
'L ' 4: }
^,
-HPR-XHE-FO-SIMN1. :S 3C9 00: LA . - M LSBS. -4 .02*.32*.32d- l2iO5E-3E HPR-XHE-FO-SIMN2 S0 3C JA D' M00' iSBS'
? 2E24(II:.
. LB 0--30 MIN-
'0b32*.32?
m. F2.51E-M ic% 4 ' "
; 1
, ? . -; .. ,s -
1 - HPR-XHE-F0iV6V7' 'S[,S*S3 1-(PQ MOD" 1 9-.. g 02*.32*.32P . ??}05E '3 ; ;y ," - p 2 m .. - .4SBSl "
& HPR-XHE-F0-V8V114 S 1,5 S
2 'S 3 ' -i A-(PD), 7PODi SBS;" M ;.02;*i32*.32( O05E-3[ u Q
.' c
>,- , ., _c .. , + .:. .
- LOWj -
~
-LPR-XHE-F0lHOTLl 1Sy,A 1A-(PD); jSBSj a-- .02*.02*111, ,- E4.0E-51 7. . ._1"Q,? n.n n ? . . . . -
w C LPR-XHE-FO-CHR 'LOCA' ; ' A (PD)? - 1 MOD; , - 1SBSj _ =-O -
. %" ; " [4;1E-4: -
;d22i~
h ( LRCSIXHE-DPRZCLDNS S= =A-(PD); : MOD ? * . KSBS.- nE--t - f i:-;-
~ ^
. 3. m
-+
, . _ - .- a RCS-XHE-DPRZ-TSGj g3g -
-AT+ A
. - fMOD?
fSBSE n 4-- _
- .022.(f. w -
f .029, RHR-XHE-SUCTNVLV.- TS3 ?A-(PD)M
. L0u l,
.15857 .
=c-- e -
,.02*.02J -
- 4.0E-4
m 9 (1)' f2E-4? aphliesito'a portio'n ofi0pdueTtollarge(theakjsize. : For?Og eve'nts[causpdlbyloperatorferror,Ydiagdosis/is }
- m
= ,' - .
second:eventiat-40' minutes =1.00266-. , - - f7 x+ a : ^ , ^q
~ : .;- -op
~
_ s #' - ; w~" '~ % g" 37 ,
'79.g ( Oy g g ^[
;q
, ., , ~ v . , %:; , 9, .
's , .' "
j L. a . ' x._ _,,- ' % 4 a ;2 , M $ k. h ~ & L:1MCw; " $L ^ d k .M M;-M [4,iQ;M (, . 6;.h ;gqg ;;a; .h g [ % b(g;;;, .u ;2,,u_ _ _ ?y n <
'~ . .- - :
q
~
a;-
- ?
~. ; :q;
, ' o;
= 2 -r
= .
- f. . .
'h2: 5
.:c_ -
-1
/- w-
-Table 4.8-2'(Continued)f '
"=
EHuman Reliab4ity Analysis Suma yf s . [ -: .
~
M@ 6 _ da
- Stress Action '
Action' - IdentifierkI} Sequence Type ' Level Type' Diagnosis ' Error ' ; Mean1 . V
*E > . .~
. gp RAl- . 53H,5 2H- A+DJ .
,M00 SBS Conditional? w f.0495: ~
~
on prev. - oper. error ~ 53H,S 2H
~
RA2 'A-(PD) MOD" : SBS ' - - - , l[.032*.32]*2s '.022f , . R A3 - TL : OVERRIDE SI L HIGH - SBS Y .. . 032 e .08 . 112 : RAS ALL A+D MOD ~SBS - . 027- 4 08 -.11: RA6 ALL SB -- --
-. --. 2.7E-3 d .
RA7 .SH: 'A.+'D
- HIGH SBSl . 266 . 064 ..337 v - MED @ 10 MIN
- t. .
? RA9 ALL i A+D MOD- SRS' . 267 . .032 ..30-UB @ 20 MIN RAll : T 39 '.
~A+D MOD SBS- CONDITIONAL 1 --
~014L ON PREV... c
.0PER.-ERROR c
,.-- R A13 --
.T 3g _- A+D . MOD- SBS" CONDITIONA[. .-- . 0034
'ON PREV.
OPER.:-ERROR' - RA14: .TSG; ;A+D. .. MOD ? SBS ? CONDITIONAL- --/ ..014;
.. ON PREV.
3 0PER.EERROR
. RA17f '
T DCX7 !A (PD)D
- MOD . SBS.. 1--c .032 - .032 -
RA19 . .
.~
.; SH ' ::A +SD: MODt :5BSr . 0266- : .032*.32 1037
~
'LB 0-10 MIN:
- m
~ '
. (1) .Identifieriindidates_.the recoveryLaction which[.the'humanferror is associated'with.: Some.;of these'. i -
recovery actions -
~also have hardware' failures 5 associated with"them. : tHasdware failures are.Ldiscussed in Section 4.10. _ .
r q
-s ,
~
g . v. ;
' s r - " - ,Y l,, L l %
- 7 , ~-
_935 + p.. '6---"' * * ^ ' ' * "
- 1'1'~'t M*'A '^
M'^T' "**"Yr " ' **T'i' "7^ J 'N 'Wf* "- - - v s"v"'eu y -d s* y y- *" ycr 1 g" "+'( q- V ' -
**t--*'O' '
*T I "T E rr e * " ' W *m1 ^-' -,i# m" *'"*# M'M' '"Y a
7 , 'qg g
, :j 4.8.4'.3-i Recirculati Switchover (Cold Leg) During LOCA'. ,
^
1
' Scenario j l
- Operator actions associated -with individual components,were identified in the' fault tree - "
- analysis.. . Some of the L actions' represent '. identical! procedures- done . to. redundant a components. . For the purpose of HRA modelling,1 many;of;these; types'of individual.
, actions: were considered coupled events (l'.ei, complete: dependence).i: The individual' -:'
events) were grouped into overall operator actions. representing; the major, operations '
- during recirculation'..
The grouping 'of events;is'shown below.a :The events .in parenthesis are thelindividual: j actions appearing in the fault l trees,- : .
-1. Switchover Lo! high pressure' emergency- core coolingfsystem (ECCS) L
- fro'm injection to recirculation.': s J
~t E
HPR-XHE-FO-SIMIN (HPR-~XHE-FO-634, HPR-XHE-FO-633,'- HPR-XHE-FO-63175) . . . HPR-XHE-FO-V6V7 (HPR-XHE-FO-636, HPR-XHE-FO-637)~ , HPR.-XHE-FO-V8Vil (HPR'-XHE-FO-638, HPR-XHE-FO-6311) 1 i,.
- 2. Isolation of ECCS from refueling water storage tank (RWST) suction. ;
' HPR-XH E-FO-631 -
HPR-X HE-FO-635 .. . .. l HPR-XHE-FO-CHISL (HPR-XHE-FO-62136, HPR-XHE-FO-62135) '
- 3. **itchover of core spray.' system (CSS) from injection to recirculation,' -
including ~ isolation of RWST suction. l
}
CSS-XH E-FO-CSR i 4.. Valving in . component ' cooling water (CCW) t6 the residual: heat
~
removal (RHR) heat 'exchangers (HXs). . CSS-XHE-SWSHXVLV .. LPR-XHE-FO-CHR (LPR-XHE-CCW1153, LPR-XHE-CCWil56) { Controls and Procedures y y All actions are performed in the main control room at one location. Many' valve controls ;
- are numbered on the panel to correspond to the step in the procedure (ES-1.2 and App. A and B) and their order of operation. y Procedures are step-by-step, and well practiced. 4 Time Considerations T=0 Start of LOCA (5 3 IS ? IS
- 20 min.
Lo.RWST level alarms (29%) I) 30 min. Lo-lo RWST level alarm (8%) , 35 min. RWST empty (if CSS not stopped or switched to sump)- y q l 4.8-10 i l-t-
Diagnosis Diagnosis error is applicable even though recirculation is procedure directed. The operator may. go to E-0 (Rx Trip or Safety Injection) in a LOCA, or may go directly to E-1 (loss of Rx coolant). Should the operator initially go to procedure E-0 in a LOCA, at step 19, they would be directed to E-1. E-1 in turn leads them E-1.2 (transfer to RHR containment sump). The time for diagnosis is relatively short (approximately 20_ minutes) to determine if this is a LOC A, and anticipate high pressure recirculation will be needed-when the Lo RWST level alarm is actuated. Even though there are compelling alarms and indications, and extensive training for these situations, diagnosis error (for. the need for - recirculation) was included. ( Post-Diagnosis Actions Recirculation switchover has been separated -into four independent events, based on the procedures and the f ault tree modeling and recovery analysis. These are:
- 1. Switchover of high pressure ECCS from injection to' recirculation. >
- 2. Isolation of ECCS from RWST suction.
- 3. Switchover of CSS from injection to recirculation, including isolation of RWST suction.
- 4. Valving in CCW to the PHR HXs and the CSS HXs.
Switchover to hot leg recirculation does not occur in the same time frame or procedure and is treated separately. Events 1,2, and 3 above must be performed in the 10 to 15 minute timeframe after the Lo RWST alarm is given and the low pressure (LP) trains' have been automatically switched to the sump for suction. Otherwise, the RWST will empty and the high pressure (HP) ECCS pumps and CSS pumps will quickly fait, unless they are manually stopped. L Function 4 can be delayed indefinitely, although it must be performed for LPR-CHR _to l~ be successful. Event 1, HP ECCS switchover, consists of three critical steps opening or closing nine valves, some of which are ~ interlocked with each other. As few as two, or as many as five valves are necessary for successful switchover, depending on which LPR and HPR trains are operating. As each. valve control is turned, the operator observes that the valve i position indicators turn on. Directly after switchover, valve alignment and ECCS flow is l verified by procedure. A second verification, with a checklist and a diagram is L performed after the recirculation switchover actions are performed. Also, flow rate is l required to be written down. The three S1 miniflow valves are not on the verification i list, but the interlock is specified in the procedure. Based on valve manipulation and closing times, about 1-2 minutes would be required for Function 1. - However, events 2 and 3 must also be performed in this 10-15 minutes, so time is l important and the operating crew is under moderately high stress. To quantify event 1, based on the human reliability procedures (HRA) procedures, an initial HEP of .02 was used to perform critical action, step-by-step, moderately high . stress. This was reduced from the suggested BHEP of .032 to account for numbered valve controls, extensive training, and control board graphics. Two independent 4.8-11 F
r ,$ i verifications were applied because .of the extensive training, required flow monitoring and required verification with a checklist. Event 2 is quantifled just like event 1. Isolation of ECCS suction from the RWST, is-
. performed af ter the first verification of event 1. .SI must be reset,-and three valves ' - closed, taking about one minute. A fourth. valve must have power restored (outside the - ;
control room), but-it is redundant to other valves which~ are automatically closed, and is I therefore not a critical action. Event 3, CSS switchover,1s performed when the RWST reaches.the lo lo level. The spray pumps are stopped, two valves are closed to isolate the RWST, and two valves are opened to the sump. There are some valve interlocks, which are modeled in the fault trees.! The CSS valve alignment Lis verified, andi the CSS pumps are restarted. , Spray flow is verified.- Then, t: e valve alignment is verified using a checklist with diagram, and the _, flow rate is written down.- These valve: controls .do not have. numbers beside them i representing the steps in the procedure. The sequences for which event 3 was of interest, all have a' failure of HpR or LPR. - : Event 3 was therefore quantified conditionally on' previous failure of ECCS. The r operators' attention would be diverted to restoration of the ECCS and would thus have less time to reconfigure sprays. For this reason, the HEPs for step-by-step. moderately . high stress actions .were multiplied by two to account for time stress. In additon, only-one verification was credited, considering that attention would be focused on restoration of ECCS.
~
Event 4, valving in CCW to the RHR 'HXs or SWS to the CSS HX's for decay hea't removal, consists of opening two valves ~and verifying- flow. The operator also is to monitor surge tank level and perhaps transfer CCW loads. It is not critical in terms of when it is performed, if the operator neglects this action . during . recirculation - switchover, and it is required later in the accident-sequence (i.e.,~ containment pressure - continues to rise af ter several hours) the mistake can be recovered.' For this reason an additional verification action was added to the HEP for events 1 and 2, this results in an. overall HEP of 4.lE-4. 4.8.4.4 Hot Leg Recirculation Switchover (LPR-XHE-FO-HOTL)- Scenario Switchin8 of one train of LPR from cold leg recirculation to hot leg recirculation will prevent boron blockage or buildup in the long-term. Controls and Procedures y All controls are in the main control room in one area, but the power to a critical valve I must be restored outside the control room at the emergency boards. The operator is , L guided from E-1 (Loss of Reactor Coolant) to ES-1.3 (Transfer to Hot Leg Recirculation)' af ter ' 15 hours. Hot leg reciretion and the procedure are also referred to in the Function Restoration Guidelines inadequate core cooling. L Time Consideration Hot leg recirculation switchover is specified in 15 hours. Other PRAs have used a time period of 25 hours. The diagnosis and action times are very long since boron blockage would occur gradually over hours or days,if at all. 4.8-12
4 4 E l
~
Diagnosis- - l L The; operator is already In;the Loss of Reactor Coolant procedure, because cold leg ' recirculation switchover' must have been successful. -If' inadequate' core cooling occurs i because the operator has forgotten hot leg recirculation, then the FRGs direct him to--
- check hot leg recirculation. Therefore, diagnosis error.was considered negligible.
Post-Diagnosis Actions The operator. sw. itches one train of RHR by restoring power ~ to ' one valve,: then j opening / closing- three val _ves. He:Is then instructed to verify hot leg flow with his 1 Instrumentation.L If 'one LPR train'does not work, he is instructed to use-the other LPR - a train. Then,' valve alignment is verified:with a checklist and diagram, and the flow rate: l is- written 'down~. .The entire process. was modeled as a single action. : An independent vertication at the same error rate was applied. - Even if these actions fall, recovery is. still possible for hours to days." Indication of ina'dequate core cooling directs the operator , to the FRGs, and hence to hot leg recirculation again, including checking the hot leg flow - instruments. : Since this is 'a recovery action,-after previous failures of ' actions and verifications, a HEP of .I was used for recovery.' 4.8.4.5 Feed and Bleed Cooling (HPI-XHE-FDBLD)- Scenarlo-q If all feedwater is unavailable, feed and bleed can be used to remove decay heat from the . l Core. Controls and Procedures' Operator is instructed by E-O (Rx trip or SI) to go to FRP-H.1 (Loss of Secondary Heat ! Sink) if there is no steam generator feed flow or all SG levels ars less than-33E This , function restoration guideline directs the operator.to stop all;RCPs.and go to feed and. bleed immediately if all SG levels are 'less than 25% Otherwise, heLis to' attempt to- t restore AFW,-MFW, or condensate flow-if levels are1 greater than 25% During these . L actions, the operator is immediately. to go to F&B if SG levels are .less than 25E He , verifies that one or more CHP or SI pumps are running, then opens both PORVs and both ! block valves. Procedures are clear and concise. - All controls are in the main control room in one area. ' Time Considerations T=0 Transient, no AFW, no MFW , T = 20 min. SG level =.25% T = 35 min. SG dryout (without RCP trip) > These times are from W generic analysis and hackground to FRP-H.1, which concluded F&B should be started at 30 minute after loss of feed flow in order to prevent core - uncovery.- The 1 generic analysis showed that later initiation of feed and bleed may not - prevent core uncovery. Two plant-specific ana(ygs are also available, but have variations in timing and available ! ECCS. EPRI NP-3835 performed RETRAN calculations which indicated one PORV'- 4.8-13 l {
+
J L would be. adequate to prevent substantial core voiding, but opened the PORY at 13 minutes,'much before SG dryout. SG dryout gurred about 1.5 hours, but the RCPs were tripped at 10 minutes. The IDCOR MAAP analysis indicated PORY opening at 42 minutes 'with all ECCS pumps running was successful.- For this case, SG dryout occurred in 57 minutes (no RCP trip). Another analysis (using MAAP) indicated that even . with the PORY cycling about its automatic setpoint (2335 psi), turning on all ECCS
- pumgt 50 minutes was. successful. SG dryout occurred in 62' minutes for the BMI 2104 analysis, which did not look at F&B..
Based on the above survey of analysis, a time limit of 45 minutes from reactor trip to establish feed and bleed, was used for purposes of calculating human error probabilities. 1 Diagnosis Because the operator is directed to feed and bleed in the FRGs, diagnosis was considere'd negligible. Post-Diagnosis Actions The operator is directed to trip the RCPs, insert a Phase A isolation signal, verify that . CHP and SI pumps are running, and open the PORVs and block valves. The actions will be. performed by an RO, and monitored by the SRO. To quantify there were considered to i be two critical actions, each step-by-step, with - moderately high stress. A single verification of .32 was used. 4.8.4.6 HRA of Operator Actions During ATWS Five operator actions could potentially be required during an ATWS sequence, depending on the particular course of the sequence. An HR A was done for ATWS.which evaluated these actions as a sequential series using a consistent set of diagnosis errors and cognitive assumptions. These five events are,in order: o Manual reactor scram o Turbine trip, if not done automatically l' o Start AFW, if not started automatically o Open block valve on PORV within two minutes, if PORV' isolated previous to initiator o Emergency borate, if manual scram failed' Scenario For the purposes of the HRA, the starting point for the ATWS event is defined to be the first indication in the control room that either a) one or more RPS trip parameters have been exceeded, b) one or more reactor trip breakers have been de-energized,' or c) at least one train of RPS logic has been tripped. This is- the first indication the operator would have that control rod insertion was supposed to have occurred, but did not. The possibility that an ATWS could occur without one of the above indications was not considered. These -indications would be accompanied by several . control board status changes, including many annunciators. These indications would direct the operator toward reactor scram. The operator must trip the turbine within one minute, if it does not trip automatically. The operator must also start AFW within one minute, if it does not-start automatically. The operator will also attempt to manually scram the reactor by 4.8-14 l j
V I-I activating the manual scram circuit which de-energizes the shunt trip and removes power
- from the control rod drive motor generator sets. Manual scram must be accomplished in the first two minutes in order to be effective in altering the course of the transient. At approximately two minu tes, the maximum pressure increase will occur, thereby demanding the pressure mitigation functions. The SRVs and PORVs will open automatically. j If manual scram is unsuccessful, the operator must shut the reactor down using emergency boration. This involves establishing a safety injection flow path from the .
R4ST through. the Boron injection Tank, and opening of a valve from the boric acid transfer (BAT) pumps to the CHP suction and switching the BAT pump.to fast speed. ] Procedures and Training All operator actions during ATWS are clearly. specified in individual steps in procedure FRP S.I. However, due to the fast acting nature of an ATWS, the operators would not !' have time to take a procedure from the file. All ATWS actions must be- performed from memory. The initial actions which may occur during all reactor trips are considered skill based actions. These are turbine trip, reactor trip, and AFW- start. Emergency boration and opening a block valve would only happen af ter an ATWS and are considered rule based actions.
. transient.
Operator training instructs the operators to immediately verify subcriticality on every Whenever an operator sees indication of scram or partial scram, the operator. j is instructed to look at the rod position indicators and if they are not all lit red, activate i manualscram. reactor scram, turbine trip, and then start AFW. These actions are a routine part of any - ; 1 Timing of Operator Actions i Manual reactor trip, manual turbine trip, and manual start of AFW would all be performed as soon as the operator could look at the rod position and reach the control l j panel. All three controls (scram, turbine trip, and AFW start) are close together. Timing i for these actions is considered to be within one minute. ;
)
Opening the block valve for the PORV will occur after the operator realizes manual scram has failed, it must occur within two minutes to be effective in mitigation of the initial pressure spike. Emergency boration will be attempted within 10 minutes, j Calculated HEPs The immediate operator actions during ATWS m e skilled based. Opening the block valve for the PORV and emergency boration, are consdered to be ruled based actions. HEP for the skill based actions were assigned a value of 2.7E-3 each. Opening of the PORV block valve within two minutes to help mitigate the pressure rise is-dominated by diagnosis error. The lower bound HEP for 2 minutes in Figure 7-1 of Reference 24 was used. l i i i 4.8-15
Fou'r actions are'actually necessary to initiate emergency borationr o Open BIT outlet valves og - Open BIT inlet valves-
~
4 o lsolate VCT. ' o Open suetion valves from RWST These actions were considered as a single' action'for purposes of quantification. .The-verification HEP used for this sequence is assigned the same value as the initial-HEP, that being 3.2E-2. This is unusual in that it represents a' completely; independent person performing the task. However, use of such a low number was considered justified ior' this : sequence because of the attention and training devoted to ATWS since the Salem AT.WS-incident. A basic error rate of .032 (item 3, Table 8-5, Reference 24) and a. verification ' error of .032 were used. The overall. HEP for_ failure to borate is lE-3. _ ; 4.8.4.7 L Operator Actions During Steam Generator Tube Rupture (SGTR) (RCS-XHE- f DpR2-TSG) The steam _ generator tube' rupture event requires operator actions , to cooldown .and.
~
depressurize the -RCS iri order to safely mitigate this' initiator. - Failure to . equalize primary and secondary pressure will' lead to continued influx of primary _ inventory to thei SG. The water will boll off to the condenser or blow- through the relief ; valve if'the) - MSIVs are closed. The scenario modeled in this study !ncludes_ closure of the _MSIV.MThus i
- failure to equalize primary and secondary pressures will lead to'a steam generator relief '
valve demand within an hour. Continued failure to depressurize 'and control safety ~ injection flow will cause continued relief valve demands,' possibly leading to the valve passing water. Should the valve fall to reclose - af ter passing . steam,f orf water, uncontrolled blowdown .would occur.. The faulted steam igenerator now Lrequires additional operator actions to safely mitigate the sequence. Depending o_n the particular failuras whlch lead to loss of secondary side integrity, operator actions to isolate the SG or depressurize the RCS to atmospheric are required. The other important SGTR-sequence involves failure of AFW.. For these sequences the 'i operator must restore main feedwater t in order to init~iate ard maintain cooldown which is ', required for depressurization. As the postulated tube rupture is large enough to cause an. Si signal, MFW will be isolated. Although the MSIVs can be expected to remain open,' the L Si signal must be overriden to restore MFW. . < Scenario Steam generator tube rupture sequences are considdred to begin 'with a simultaneous. i double ended rupture of a single _ steam generator tube. Very closely in time.thereaf ter, . , an 51 signal will occur on low pressure. The immediate' concern for the operator, after identifying the event as ~a steum generator tube rupture, is to identify the ruptured SG, ; isolate the ruptured SG and then initiate cooldown of the RCS and depressurization of. ; the RCS to equalize pressures in the RCS and ruptured SC. For the purposes of timing in this sequence, it was considered that cooldown of the RCS must begin by 15 minutes af ter the tube ruptur9 in order to have pressure qualized by 40 ' minutes and thus prevent pressurization of the ruptured SG, which would cause the relief - valve to lif t. In the extreme case of depressurization failure with no control of Si flow, the relief valve would continue to be demanded. At some point, the break flow would becort.e subcooled with respect to tie SG relief valve set point. Subsequent relief valve demands will likely result in the valve passing two phase flow. The valve was considered. , t 4.8-16
to fail open af ter passing two phase flow. Therefore, in the extreme, failure to depressurize within 40 minutes without subsequent action in the near term to correct the mistake, would lead directly to loss of SG integrity due to failure of safety or relief valves to reclose af ter passing water. Loss of SG integrity can also occur from failure of other lines to isolate. . Loss of SG integrity, however, does not lead directly to core damage. A time period of at least a) depressurize the reactor to atmospheric, b) depressurize the reactor to such a point that leakage is minimal and can be matched by - RWST refill, or c) provide isolation of 'the faulted paths, if possible, via closure of isolation valves. For sequence T3g-L (loss of AFW), the operator must recover MFW in sufficient time to i proceed with cooldown and depressurization. The residual SG inventory is sufficient to I start cooldown. The HR A model considered that alternate feed would need to be in place ,'
. within 20 minutes in order to continue cooldown.
Procedures and Training Operator actions for steam generator tube rupture are directed by the E-3 series. The operator may initiate E-3 based on diagnosis of a SGTR, or he may initailly respond with E-0 (Reactor Trip /SI). Step 18 of E-0 directs the operator to check for ruptured tubes and directs him to E-0. Recovery from a faulted SG is covered by E-2. Calculated HEPs Operator actions associated with cooldown and depressurization were considered to be-step by step actions under moderate stress. Although depressurization and cooldown are procedure directed, a diagnosis error was included for tube rupture sequences, because it , was considered that there is insufficient time for the operator to select E-0 and work through the procedure to cross reference to E-3 and initiate' depressurization within 15 - minutes. The operator must select the SGTR procedure af ter reactor trip in order to be ready to initate cooldown at 15 minutes, thus the need for a diagnosis error in the overall HEP. The HRA for the long term recovery actions in response to a faulted-ruptured' SG contained subjective decisions concerning how low the error probability should be.. The situation is that an initial operator error was committed, thus increasing the probability of-future operator errors, but the time period is long enough to justify a very low HEP. In the final decision, the ASEP HRA guidelines listed in Table 4.8-3 were followed. These resulted in the calculation of 1.4E-2 for operator recovery af ter an initial operator error. l 4.8.5 Innovative Recovery One possible innovative recovery action was identified, that being to gag a stuck open SG safety valve while the system was pressurized. For steam generator tube rupture sequences with a subsequent loss of steam generator integrity, the timing of the sequence allows approximately 10 hours to mitigate the inventory loss before depletion of the RWST. Mitigation is possible through two methods, a) depressurization to a low enough pressure that flow is minimal and tolerable or b) to reestablish SG integrity by closure of an isolation valve. A special case is presented when the loss .of integrity is due to a failed safety valve, because the safety valves are not isolable. For some sequences, such as those with tube l l 4.8-17 t ..
rupture:and' subsequent loss of instrument' air, depressurization is'not possible.::These sequences may be initially appear to be unrecoverable, but given the 10 hour time ptriod.. to RWST depletion, consideration.;. was given.Lto innovative: recovery ' actions. One in;--
- particular: was to gag' the relief . valve, while it .was blowing down. The questions int determining its probability were the physical limitations of the environment under which -
this Laction could ' be - done, ; rather t - suggestion. - Following- the guidelines (qgan for innovative the probability recovery probabilities,of t the genera a failure probability _of 3E-1 was used. 4.8.6 Assumptions Used During Sequoyah HRA .i General assumptions used for the Sequoyah IIR A are shown in Table 4.8-3. - i
~
( q a
' I
.r t
e I 1 F F 5 f
.E t
e I l ; l 4.8-18
, d
Table 4.8-3 Groundrules For Sequoyah HRA
,1. One SRO and one RO for Unit 1. assumed in the control room at all times. .
- 2. Either an RO or AO will be available'in five minutes, and the STA or another SRO in ten minutes.
- 3. Actions done outside the control room could be performed by any plant personnel except Unit 1 SRO, RO, STA.
4 SRO/RO will follow the E series procedures or the ECAs. 5 Upon brrival.of STA in CR, he will track'the progress of the event by monitoring critical safety functions in accordance 'with CSF status trees. Progression of- thee transient through .the CSF status trees may direct the operators' to enter a - functional restoration procedure. The emergency procedures may also direct the operators to a functional restoration procedure.-
- 6. All out of CR actions require at least 10 minutes transit time, and often more, based on the location.
- 7. Plant specific performance shaping factors were not used. Basic human error ~
probabilities as specified in References 24 and 26 were used.- ~
- 8. The HR A is based on procedure revisions current in April 1988..
t
- 9. Operator will read each step of each required proceduce.
- 10. Operator.will read all procedure steps correctly.
l 11. In the HRA models, if any single action is credited and postulated to fail three times, no further credit is given for that action.-
- 12. As a guideline, minimum diagnosis errors of IE-4 for the.short term (about 2 hours) N and IE-3 for the long term were imposed. Lower error probabilities were used only if convincing circumstances could justify their use.
- 13. As a guideline, overall error probabilities 'less than ' lE-4 were not used unless justified by convincing circumstances.
l l 1 l 4 I-4.8-19
.1
4.9 Data Base Development ' The follovring sections identify the sources used to establish the . data base for quantification of the Sequoyah sequences, list assumptions used in the data development, and provide a~ summary of the data used in the Sequoyah sequence quantification.- 4.9.1 Sources of Data Base Information. The probabilities for~ all basic events. in the Sequoyah data base were derived from generic data. Initiating event frequencies were derived from several- sources. The > frequency of loss of offsite data from NUR EG/CR-5032g erFrequencies and associated power recovery for initiating factorsT were event category based on
'(turbine 3
l (l s of MFW) were derived from data listed in l trip with MFW _NUREG/CR-3862 ). af PCS available) and T.loss Frequencies of a DC vitalfor h o s derived from generic data listed inD the-CX met (hodology document.gttery Initiating event board) we frequency for steam generator tube' rupture was derived from a survey of PWR operating-experience. - LOCA (A, Si , Sp) initiating event frequencies were developed based on a survey of frequencies used for~ similar. sizes of LOCAs in previous PWP PR As. Initiating event frequency for the S3 LOCA was based on a survey of PWR operating experience. This survey is documented in Appendix D. Error _ probabilities .for operator actions were evaluated using the l human reliability assessment methodology in Reference 24. Discussions .of the derivation of HEPs are E found in Section 4.8. Values for the beta factors used in the accident sequence quantification were derived from generic data found in Reference 4. Application and description of the beta factors is discussed in Section 4.10, 4.9.2 Data Base Description Tables 4.9-1 through 4.9-6 provide a summary of specific data used in the accident : sequence quantification. For each basic event in these tables, the event identifier, a L description of the identifier, the mean value, distribution type, error factor, and any I applicable comments are provided. Table 4.91 summarizes the initiating event data. Table 4.9-2 summarizes the human reliability analysis results. Table 4.?-3. summarizes the recovery action failure probabilities used in the accident sequence quantification. i. Table 4.9-4 summarizes the beta values applied in the accident sequence quantification. Table 4.9-5 summarizes the mean value, error factor, distribution type, and data sources ! for all the events used in the ccmprehensive Sequoyah plant model. l l , l 4.9-1
= _ - . Q
- m. ,
c' I , ' . h .
~ ' '
,g
.u- j_q
$'m , ,
y 7g : GO ' (Tablei4A ' ~~
.- [ Initiating (Event' Data _ ,
+ .-. :;.y i.
4
' Annu a'll 4 C
-Abbrevi ation ' Description Frequency '
EF: ' l J9.05E sa; ' LTg; :: Lossoff0ffsitePower > y ' s - Tp; . Loss,of. Main.FeedwaterI(PfW)[ , ; s. 7.22E.1' t
^
TurbNe'TrNlwNf1FHandPSwer~ [6.3: 12;
*T3 ~
- Conversi_on System I_nitiallyc Avai.lable?
~, _ . .
. F s.TDCX Non-Recoverable Loss ' ofJ125 V.' DC: Vitali 5.0E-34 110g Dir.
- Battery Board "X"i '
p , . 5 Steam" Generator Tube Rupture- 1.0E-2
~
LT3g ' 5: ,
. - ~ .
Large Loss of'. Coolant? Accident 1(LOCA),. 10;
- A? 5.0E-a c 6" < D_<'29" <
'S t = Medium-LOCA.:2"'<r.D'< 6"- L1_.0E-31 P : 10 ;-.
S 2 Small LOCA ' l'.0E-3 ' 101 s S13
.Very ^Small LOCA 1.3E.7J 10 b'
V Interfacing LOCA !6.5 E-7.J
?
3 a .' ' Distribution for this : probability 'is1shown in: Appendix D. -
'b. Based on expert elicitation documented inLReferenceL45. ~
Distribution shown)in . Appendix E.- a ;- 3 4.' 9-2 w x , w x1
11 Table 4.9-2
~
Human ReliabilityL Ana1Ysis Description
-Identifier .Descrintier) Mean L ATW-XilE-OPNVALVE - ' Operator must locally open SG 1evel 6.40E-2 o . control valves during-sBO, after instrument air header depressurizes.
CCW-XHE-FO-CCWCS Operatoryfailsito start standby CCW 3.20E-2' C-S pump.. CCW-XilE-VF-S TPHX ' Operator fails to. transfer, Spent Fuel- 3.20E-2 Pit cooling loads torother unit. CHP;XHE-EMERGBOR Operator falls to? initiate emergency' l1.00E-3' boration. 4 CSS-XHE-FO-CSR. Operator failsLto realign Containment- '7.70E-2' Spray-system.(CSS) for recirculation.. 3J CSS-XHE-SWSilXVLV . Operator fails to open Service Water 4.10E-4, system CSS. heat exchanger valves. HPI-XHE-FO-FDBLD Operator fails to initiate feed and 2.20E bleed. HPR-XHE-FO-631 Operator fails to close high-pressure 2.05E-3 recirculation (HPR) FCV163-1.
'HPR-XHE-FO-635 Operator fails to close llPREFCV 63-5. 2.05E HPR-XHE-FO-CHISL Operator failsfto clos'e Charging system 2.05E-3.
suction valves"from RWST.
~
IIPR-XHE-FO-SIHIN - Operator fails to=close Safet'y Injec- 2.85E-3 tion-(SI) miniflow to RWSTLduring S2* HPR-Xh 0-SIMN1 Operator: fails,to close SI maniflow1to '2'05E-3' RWST.during S 3 sequences.' HPR-XHE-FO-SIMN2 Operator failsito.close"SI miniflow'to 2 . 51 E- 3 -- RWST'during"S O3 D sequences..
- HPR-XHE-FO-V6V7 Operator fails to.open'HPR FCVsL63-6 :2.05E-3 and 63-7..
- HPR-XHE-FO-V8V11- Operator fails'to open.llPR FCVs 63-8 '2.05E-3 and~63-11.
LPR-XHE-FO-CHR Operator fails.to establish CCW'to RH'R' 4.10E p heat exchanger.- f 4.9-3 ,
\ ,
+
)
3 +
.g
- 1. , s
- V.
Table'4.9-2"(Continued). Human Reliability Analysis Description ,
' Identifler Descriotion Mean 'j i' -i
, ,, 1 LPR-XHE-TO-HOTL Operator.; fails to initiate hot leg ' 4 '. 0 0 E-5 l recirculation'..
Operator fails to cooldown:and depres-RCS-XHE-DPRZCLDN. - 2.20E-2 i surize the reactor. -) RCS-XHE-DPRZ-TSG Operator fails'to cooldown and depres- ' -2'.-90E-2
~
.surize the reactor.during-SGTR. .
operator; fails.to open Residual-Heat
- RHR-XME-SUCTNVLV 4.00E-4:
-Removal suction valves.(74-1, 74-2). 1
'4 a
e w o
- 1. f' u -
l
'l.
l: , -4.9-4 i-ll ' Q . ., .w_ ' -
-Table 4.9-3 Recovery Action Summary ~
TOTAL ERROR ~ x IDENTIFIER DESCRIPTION . UNAVAIIABILITY ~ FAC TOR ACP-DGN-RC-U2 ' Unit 1 shutdown boards supplied with 2.81E-1 MAX ENT a AC power via Unit 2 DGs through shutdown-utility bus. DCP-U2 Provision of DC power to Unit 1 Battery 5.50E-1: MAX ENTa-
' Boards ~I or II from Unit 2. Battery Boards III or IV during a station blackout-(SBO).
DG-REC DG failure recovery within-1 hour. 9.00E-1 MAX ENTa: DG-REC 2 DG failure recovery within 5 hours. 8.00E-1 MAXiEhra-
, DG-REC 3 DG' failure recovery within 7 hours. 6.00E-1 MAX ENTa e
$. 'RA1 Depressurization of the RCS via 4.95E-2 MAX-ENTa blowdown of the SGs, after loss-of-emergency ~ coolant recirculation.
Quantified after previous operator error. RA2 :Depressurization of the RCS'via 2.20E ' MAX-:ENTa blowdown of-the SGs, after loss ~of: emergency coolant. recirculation. RA3 Restoration of MFW aft'er loss of AFW
~
1.12E-1 MAX ENT a duringisteam generatorJtube rupture.. . RA4 ' Refill.RWST, in long; tern, with 1.00E-1 MAX Effra , sufficient water to provide continued makeup?for a'small break. ' RA5 Establish alternate ESF pump room 1. 60 E-1 -- -MAX ENT"- cooling using portable coolers and fans._.
~
~ ~
. s
~
K,> .'7 ' 4 3 .., Table 4.9-3 (Continued)
~'
Recovery Action Surmary TOTAL- ERROR-IDENTIFIER DESCRIPTION UNAVAILABILITY.~ FACTOR- ' RA6 Manually activate AFW, SI, or con- 2.70E-3 -10 tainment sprays in response to a' _ IDCA, after automatic actuation fails.
~
RA7 Manually activate recirculation 3.30E-1 MAX ENTa switchover, after automatic actuation fails. RA8 Locally open the SWS MOVs to CSS 2.40E-1 POINT ~ C . heat exchangers (H/Xs), or locally ESTIMATE. open the-CCW MOVs to the RHR H/Xs, after the MOVs-fail to automatically open. RA9 Stop and.' restart RHR pumps when the 3.00E-1 MAX ENT"
^ 6 RCS pressure falls below the shutoff a head. In response to the RHR minimum-flow bypass valves failing to open during a small: break.
RA10- Depressurization of the RCS via'SG^ 2.20E-1 MAX'ENTa -
-blowdown,_and subsequent refill of the RWST.-
RAll- Depressurize RCS to. limit flow from 1.40E-2 '10 a' stuck.open SG-ADV during a steam
. generator tube rupture (SGTR) . - .
RA12: Failure __to.use SI pumps for hot leg 1.00E 10 recirculation'.during a.large LOCA.-
~
RA13 Locally isolate a stuck open SG' blow- 3.40E-3 10 down line during a'SGTR. e -
.,"m*w_Wwr*s**_ rwa -h_'.-m_- ..a_ a_ma-..m. _mm....____m_.
~ . .
Tchle 4.9-3 (Continued)
- Recovery Action Summary.
TOTAL ERROR IDENTIFIER DESCRIPTION ' UNAVAIIABILITY' FACTOR RA14 Depressurize RCS to limit flow'from. 1.40E-2 10 a stuck open SG safety. valve during'a SGTR. RA15' Locally gag-SG safety valve. 3.00E-1 POINT
- ESTIMATE RA16- Isolate affected RHR train after an -3.00E-1 POINT interfacing IDCA. ESTIMATE.
RA17 Failure to supply an alternate DC L3.70E-2 MAX ENTa power supply. RA18 ' Failure of automatic actuation when 1.00E-2' 10 _ f. both trains are unavailable (S3 0"1Y)- T MAX ENTa RA19 Open RHR header cross' tie valves '4.30E-2 duringirecirculation to' allow cross feed of'the:RHR to SI and charging pumps.
. a. . Maximum entropy distributions'havea. lower bound of one-nth the mean value and an 1 upper bound of 1.0, or.n times the mean value whichever is~ lower, where'n is the ferror factor.
- i. .
c
-gg -
9-'y myrw., -
'si- qc' s q n, g, w 9ag as y .-.19 9@ m-. g wisr .; e,1 --e iv j f g gby=-F-+1-c e + w *e#yy y g i iay *-S-%- gey . 8 9 99-W N W- r.,@ gr, w y-$if &1g 'y iv-W 311--ge4g iidr pg vt<ai1. giggif4e. fr k. .,,. nm4_w- hi-- m-m. a.nmei.--a e-.m-
Table 4.9-4
-c Beta Factor Fault Summary ERROR
~ IDENTIFIER DESCRIPTION UNAVAI1 ABILITY FACTOR-BETA-BATT BETA FOR CCFAILURE OF BATTERIES 8.00E-3 3 i . BETA-2DG BETA FOR CCFAILURE OF DIESEL GENERATORS 3.80E-2 ,3 BETA-AFW -BETA FOR CCFAILURE OF_ AW MDPs- 5.60E-2= 3 BETA-CSS BETA FOR CCFAILURE OF GS MDPs 1.10E-1 MAX ENTROPYa-BETA-LPI BETA FOR CCFAILURE OF LPI MDPs 1.50E-1 MAX.ENTROPYa
-BETA-SI BETA FOR CCFAILURE OF HPI MDPs 2.10E-1 MAX ENTROPY8
-BETA-2SWS BETA . FOR CCFAILURE OF 2 SWS MDPs 2.60E-2 3 BETA-3SWS BETA FOR CCFAILURE OF 3 SWS MDPs ~ 1. 4 0 E-2 ' 3 BETA-4SWS BETA FOR CCFAILURE OF 4'SWS MDPs 9.60E-3 3
' BETA-2AOV BETA FOR CCFAILURE OF 2 AOVs -
1.00E-1 MAX ENTROPYa- , .# l BETA-3AOV BETA FOR CCFAILURE OF 3 AOVs 5.50E-2 3 i ; BETA-4AOV BETA FOR.. CCFAILURE OF 4 AOVs 4.26E-2 . 3
*- BETA-5AOV BETA FOR CCFAILURE OF-5 AOVs 3.80E-2 3
- BETA-6AOV: BETA FOR CCFAILURE OF 6 AOVs 3.57E-2 3 BETA-7AOV- BETA FOR CCFAILURE OF 7 AOVs 3.47E-2 :. 3 BETA-8AOV BETA FOR CCFAILURE OF 8 AOVs 3.42E-2 .3 BETA-2MOV BETA'FOR CCFAILURE'OF 2 MOVs __ 8.80E-2 3
~ BETA-3MOV - BETA FOR CCFAILURE OF 3 MOVs 5.37E-2 3 -
-BETA-SRV BETA.FOR CCFAILURE OF-PORVs 7.00E-2 3 x
~
- a. Maximum entropy distribution.with a' lower bound of one-third the. failure rate'and an-upper bound of 1.0, or three times the failure rate. whichever is lower. ,
~ . _ - .. . ._ _ , _ _ . - , ~ . . . , ... ,... . - . - _ . _ _ _ _ . . , _ . - - , , . - , . ~ . . . _ . . , . . . . _ _ . _ _ _ _ . _ _ _ . . . _ _ _ _ _ . .
Table 4.9 Sequoyah Data Table Rate per Demand or.. Event Identifier Event Description Hour T_ime Mean a Source / _EE Comments (NOTE: Abbreviations are included at the end of this table.)- A LARGE IDCA INITIATOR, D > 6" 5E-4/YR - 5.00E-4~10 ASEP GEN ACC-CKV-CC-63560 ACC CV 63-560 FAILS TO OPEN 1E-4/D - 1.00E-4 3:ASEP, GEN ACC-CKV-CC-63561 ACC CV 63-561 FAILS TO OPEN - 1E-4/D - 1.00E 3 ASEP GEN ACC-CKV-CC-63562 ACC CV 63-562 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN ACC-CKV-CC-63622 ACC CV 63-622 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEM-ACC-CKV-CC-63623 - ACC CV 63-623 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN ACC-CKV-CC-63624 ACC CV 63-624 FAILS TO OPEN 1E-4/D 1.00E-4 .3 ASEP GEN ACC-MOV-PG-63118 ACC FCV 63-118 PIEED 1E-7/HR 18mo 6.50E-4 3 ASEP' GEN ACC-MOV-PG-6380- ACC FCV 63-80 PIGED : = 1E-7/HR 18mo 6.50E-4 3 ASEP GEN ACC-MOV-PG-6398 ACC FCV 63-98 PIEED ' IE-7/HR 18mo 6.50E-4 3 ASEP GEN
- ACP-BAC-ST-1A1A 480V RX MOV BD 1Al-A.BUSWORK FAILURE T 1.3E-7/D - 1.30E-7 5 ASEP GEN
- ACP-BAC-ST-1A2A 480V'RX MOV BD 1A2-A BUSWORK FAILURE 1.3E-7/D - 1.30E-7 5 ASEP GEN ACP-BAC-ST-1AA 6.9kV S/D BD 1A-A BUSWORK FAILURE 3.1E-6/D - 3.10E-6 5 ASEP GEN
.ACP-BAC-ST-1B1B 480V RX MOV BD IB1-B BUSWORK FAILURE 1.3E-7/D- --1.30E-7 5 ASEP GEN ACP-BAC-ST-1B28. 480V RX MOV BD IB2-B BUSWORK FAILURE 1.3E-7/D - 1.30E-7 5 ASEP GEN ACP-BAC-ST-1BB 6.9kV S/D BD 1B-B BUSWORK . FAILURE 3.1E-6/D - 3.10E-6' 5 ASEP GEN
- ACP-BAC-ST-CIA 1A 480V CAB' VENT BD.1Al-A BUSWORK FAILURE 1.3E-7/D .1.30E-7 5 ASEP GEN ACP-BAC-ST-C1B1B 480V CAB VENT-BD 1B1-B BUSWORK FAILURE 1.3E-7/D - 1.30E-7 5 ASEP GEN-ACP-BAC-ST-SIA1A 480V S/D BD 1Al-A BUSWORK FAILURE 1.3E-7/D - 1.30E-7 5 ASEP GEN- '
ACP-BAC-ST-SIA2A . 480V S/D BD 1A2-A BUSWORK FAILURE 1.3E-7/D - 1.30E-7 5 ASEP GEN ACP-BAC-ST-S1B1B 480V S/D. BD 1B1-B BUSWORK FAILURE 1.3E-7/D - 1.30E 5 ASEP GEN ACP-BAC-ST-S1B2B 480V S/D.BD 1B2-B BUSWORK FAILURE 1.3E-7/D - 1.30E-7 5 ASEP GEN ACP-CRB-CO-1718 SPUR XFR. OF. NRML FDR BRKR TO 6.9kV S/D BD 2.9E-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-1726 SPUR XFR OP. NRML FDR BRKR TO 6.9kV S/D BD 2.9E-5/D - 2.90E-5 3 ASSP GEN ACP-CRB-CO-1A1AI SPUR ~ XFR OF XFMR INLET CKTBRK 2.9E-5/D - 2.90E-5 '3 ASEP GEN ACP-CRB-CO-1A1AO SPUR. XFR OF XFMR OUTLET CKTBRK - 2.9F-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-1A2AI. SPUR XFR OF XFMR' INLET CKTBRK 2.9E-5/D. - 2.90E 3 ASEP GEN N $- gy9-%-m. '% * . ~ - gMN ge1t-'T -f 7qvye-+ e5w- .q 1*g- y .r vP P gpW- -- W'd'e-MTP tr W-M P+ T w eP *N++ewdure"-- l e-? tow _ -a. .*=W=m.--4.< wia .--*---.h _ - - - - -
Table 4.9-5 (Continued) Sequoyah Data Table Rate per Demand or Source / Event Description Hour Time Mean XF_aComments Event Identifier (NOTE: Abbreviations are included at the end of this table.) 2.9E-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-1A2AO SPUR XFR OF XFMR OUTLET CKTBRK 2.9E-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-181BI SPUR XFR OF XFMR INLET CKTBRK 2.9E-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-1B1BO SPUR XFR OF XFMR OUTLET CKTBRK 3 ASEP GEN ACP-CRB-CO-1B2BI SPUR XFR OF XFMR INLET CKTBRK 2.9E-5/D - 2.90E-5 2.9E-5/D - 2.90E-5 3 ASEP GEN , ACP-CRB-CO-1B2BO SPUR XFR OF XFMR OUTLET CKTBRK 3 ASEP GEN ACP-CRB-CO-30 SPUR XFR OF FEEDER BREAKER. 2.9E-5/D - 2.90E-5 2.9E-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-31 SPUR XFR OF FEEDER BREAKER 3 ASEP GEN ACP-CRB-CO-32 SPUR XFR OF FEEDER BREAKER 2.9E-5/D - 2.90E-5 2.9E-5/D - 2.90E-5 3 ASEP GEN-ACP-CRB-CO-33 SPUR XFR OF FEEDER BREAKER 3 ASEP GEN ACP-CRB-CO-34 SPUR XFR OF FEEDER BREAKER 2.9E-5/D - 2.90E-5 2.9E-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-35 SPUR XFR OF FEEDER BREAKER - 2.90E-5 3 ASEP GEN ACP-CRB-CO-36 SPUR XFR OF FEEDER BREAKER 2.9E-5/D 2.9E-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-37 SPUR XFR OF FEEDER BREAKER 3 ASEP GEN 2.9E-5/D - 2.90E-5
;p ACP-CRB-CO-38 SPUR XFR OF FEEDER BREAKER 3 ASEP GEN L ACP-CRB-CO-39 SPUR XFR OF FEEDER' BREAKER 2.9E-5/D - 2.90E-5 2.9E-5/D - 2.90E-5 3 ASEP GEN ACP-CRB-CO-40 SPUR XFR OF FEEDER BREAKER 3 ASEP GEN ACP-CRB-CO-41 SPUR XFR OF FEEDER. BREAKER 2.9E-5/D - 2.90E-5
- 2. 81E-1/D - 2.81E-1 ME RECOVERY ACP-DGN-RC-U2 U-1 ACP VIA U-2 DGs THRU S/D UTIL BUS AC POWER UNAVAIL 6.9kV S/D BD 2A-A 1E-4/D - 1.00E-4 5 NOTE (1).
ACP-TAC-LP-2AA 5 NOTE.(1) ACP-TAC-LP-2BB AC POWER UNAVAIL 6.9kV S/D BD 2B-B IE-4/D - 1.00E-4 AC POWER UNAVAIL 480V SWS MCC 2A-A 1E-4/D - 1.00E-4 5 NOTE (1) ACP-TAC-LP-E2AA IE-4/D - 1.00E-4 5 NOTE (1) 3 ACP-TAC-LP-E2BB AC POWER UNAVAIL 480V SWS MCC 2B-B IE-4/D - 1.00E-4 5 NOTE (1) ACP-TAC-LP-S2B2B AC POWER UNAVAIL 480V S/D BD 2B2-B 1.7E-6/HR 24hr 4.00E-5 3 ZION FRA ACP-TFM-NO-1A1A TRANSFORMER 1Al-A FAILURE 3 ZION PRA ACP-TFM-NO-1A2A TRANSFORMER 1A2-A FAILURE 1.7E-6/HR 24hr 4.00E-5 1.7E-6/HR 24hr 4.00E-5 3 ZION PRA ACP-TFM-NO-1B1B TRANSFORMER 1B1-B FAILURE 3 ZION PRA-ACP-TFM-NO-1B2B TRANSFORMER 1B2-B FAILURE 1.7E-6/HR 24hr 4.00E-5 j ~ _ - - - - . _ _ _
Table 4.9-5 (Continued) Sequoyah Data Table Rate per Demand or Source / Event Identifier Event Description Hour Time _Mean EFaComments (NOTE: Abbreviations are included at the end of this table.) AFW-ACT-FA-ERCWA FCVs 3-116A, 3-116B NOT SGNL'D TO OPEN 1.6E-3/D - 1.60E-3' 5 ASEP GEN AFW-ACT-FA-ERCWB FCVs 3-126A, 3-126B NOT SGNL'D TO OPEN 1.6E-3/D - 1.60E-3 5 ASEP GEN AFW-ACT-FA-ERCWT- FCVs 3-136A, 3-179A,B NOT SGNL'D TO OPEN 1.6E-3/D - 1.60E-3 5 ASEP GEN AFW-ACT-FA-TRNA AFW TRAIN A ACTUATION SIGNAL FAILS 1.6E-3/D - 1.60E-3 5 ASEP GEN AFW-ACT-FA-TENB AFW TRAIN B ACTUATION SIGNAL FAILS 1.6E-3/D - 1.60E-3 5 ASEP GEN AFW-AOV-CC AFW AOV FAILS TO OPEN 1E-3/D - 1.00E-3 3 ASEP GEN AFW-AOV-CC-3148 AFW AOV 3-148 FAILS TO OPEN 1E-3/D. - 1.00E-3 3 ASEP GEN AFW-AOV-CC-3156 AFW AOV 3-156 FAILS.TO OPEN 1E-3/D - 1.00E-3 3 ASEP GEN AFW-AOV-CC-3164 AFW AOV 3-164 FAILS TO OPEN lE-3/D - 1.00E-3 '3 ASEP GEN AFW-AOV-CC-3171 AFW AOV 3-171 FAILS TO OPEN 1E-3/D - 1.00E-3 3 ASEP GEN AFW-AOV-CC-3172 AFW AOV 3-172 FAILS TO OPEN 1E-3/D --1.00E-3 3 ASEP GEN AFW-AOV-CC-3173 AFW AOV 3-173 FAILS TO OPEN 1E-3/D - 1.00E-3 3 ASEP GEN AFW-AOV-CC-3174 AFW AOV 3-174 FAILS TO OPEN 1E-3/D - 1.00E-3 3 ASEP GEN
." AFW-AOV-CC-3175 AFW AOV 3-175-FAILS TO OPEN 1E-3/D -
1.00E-3 3 ASEP GEN
?-
U AFW-CCF-FS-1AABB CCFAILURE OF AFW MDPs 1A-A and IB-B POINT EST - 1.70E-4 -- (AFW-MDP-FS) * (BETA-AFW) AFW-CCF-FT-AOV CCFAILURE OF AFW AOVs TO OPEN POINT EST - 3.42E-5 -- (AFW-AOV-CC) * (BETA-8AOV) AFW-CKV-CC-3805 AFW CV 3-805 FAILS TO OPEN IE-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3806 AFW CV 3-806 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3810 AFW CV 3-810 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3820 AFW CV 3-870 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3821 AFW CV 3-821 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3830 AFW CV 3-830 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3831 AFW CV 3-831 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3832 AFW CV 3-832 FAILS TO OPEN IE-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3833 AFW CV 3-833 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFN-CKV-CC-3861 AFW CV 3-861 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN
Table 4.9-5 (Continued) Sequoyah Data Table. Rate per Der.and or Source / Event Identifier Event Description Hour Time Mean EF a cenments (NOTE: Abbreviations are included at the end of this table.) AFW-CKV-CC-3862 AFW CV 3-862 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3864 AFW CV 3-864 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3871 AFW CV 3-871 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3872 AFW CV 3-872 FAILS TO OPEN 1E-4/D - 1.00E-4 3 ASEP GEN AFW-CKV-CC-3873 A W CV 3-873 FAILS TO OPEN 1E-4/D -}}