ML20054H428
| ML20054H428 | |
| Person / Time | |
|---|---|
| Site: | Calvert Cliffs  |
| Issue date: | 06/30/1982 |
| From: | Cybulskis, Cybulskis P, Hatch S, Kolb G, Wooton R Battelle Memorial Institute, COLUMBUS LABORATORIES, SANDIA NATIONAL LABORATORIES |
| To: | NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES) |
| References | |
| CON-FIN-A-1047 NUREG-CR-1659, NUREG-CR-1659-V03, NUREG-CR-1659-V3, SAND80-1897-V03, SAND80-1897-V3, NUDOCS 8206240048 | |
| Download: ML20054H428 (240) | |
Text
{{#Wiki_filter:_ _ _ _ _ _ _ _ _ NUREG/CR-1659/3 of 4 SAND 80-1897/3 of 4 AN Printed May 1982 Reactor Safety Study Methodology Applications Program: Calvert Cliffs #2 PWR Power Plant Steven W. Hatch, Gregory J. Kolb Sandia National Laboratories Peter Cybulskis, Roger O. Wooton Battelle Columbus Laboratories it; Nw e 8 85 a ermore Califomia 94550 under Contract DE AC04 76DP00789 1 1 l l l l h$065$o0$o!SOoSSs P PDR l Prepared for U. S. NUCLEAR REGULATORY COMMISSION l
NOTICE This report was prepared as an account of work sponsored by an agency of the United States Covernment. Neither the United States Government nor any agency thereof, or any of their employ. ees, makes any warranty, espressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus product or process disclosed in this report, or represents that its use by such third party would not infnnge privately owned rights. Available from GPO Sales Program Division of TechnicalInformation and Document Control U.S. Nuclear Regulatory Commission Washington, D.C. 2055$ and National Technica! Information Service Springfield, Virginia 22161
NUREG/CR-1659/3 of 4 SAND 80-1897/3 of 4 AN-REACTOR SAFETY STUDY METHODOLOGY APPLICATIONS PROGRAM: CALVERT CLIFFS #2 PWR POWER PLANT Steven W. Hatch Gregory J. Kolb Sandia National Laboratories Albuquerque, New Mexico 87185 Peter Cybulskis Roger O. Wooton Battelle Columbus Laboratories Columbus, Ohio 43201 i Printed May 1982 Sandia National Laboratories Albuquerque, New Mexico 87185 Sandia Corporation for the U. S. Department of Energy Prepared for Division of Risk Analysis Office of Nuclear Regulatory Research U. S. Nuclear Regulatory Commission Washington, D. C. 20555 NRC FIN No. A1047 i i
ACKNOWLEDGEMENTS A number of people have contributed to this program during its existence, in particular,
*Stuart V. Asselin Wallis R. Cramond Frederick T. Harper Jack W. Hickman Desmond Stack Sandia National Laboratories Mario A. Fedele Anthony J. Giacobbe Robert B. Klaiber Evaluation Associates, Inc.
I Mark Cunningham James J. Curry Gordon Edison Frederick M. Manning Merrill Taylor U. S. Nuclear Regulatory Commission Richard Denning Battelle Columbus Laboratories The authors would also like to thank -Emily Preston and June Christy for their help in typing and assembling this report.
- Presently employed by Technology for Energy Corporation ii
l FOREWORD This report is the third in a series of four reports which-present the results of the analyses performed in the Reactor Safety Study Methodology Applications Program (RSSMAP). This volume describes the analysis performed for Calvert Cliffs Unit 2; other volumes describe the analysis of Grand Gulf Unit 1, Sequoyah Unit 1, and Oconee Unit 3. The RSSMAP analyses were an attempt to use insights from the relatively detailed and elaborate Reactor Safety Study analysis to perform a meaningful plant risk analysis with minimum manpower and economic impacts. It was also desired that the study of plants with differing reactor and contain-ment designs would broaden the class of nuclear power plants explicitly analyzed in terms of risk. The reader should be cautioned to consider these results in their proper context. As was true of all the RSSMAP plants studied, the Calvert Cliffs analysis was conducted primarily with information available in the Final Safety Analysis Report (FSAR), Technical Specifications and selected plant procedures. This approach does imply some limitations in the depth of the analysis since as-built systems often differ from those depicted in FSAR drawings. Also, FSAR analysis and technical specifications generally indicate more conservative criteria and guidelines than are actually required for system success. It should also be noted that some developments in risk assessment methodology have been employed in the Calvert Cliffs analysis which were not used in the earlier Sequoyah analysis. Among the most important of these involve a more explicit modelling of stuck iii
open relief valves and the treatment of dominant accident sequences to include complement events. As a final point, it is acknowledged that, subsequent to the completion of the Calvert Cliffs analysis, come changes in plant hardware or procedures have been made or are being planned which may have an effect on the probabilities of dominant accident sequences. Ilowever, due to the development of major new efforts in plant reliability analysis by both the nuclear industry and the Nuclear Regulatory Commission, an attempt to analyze the effect of these changes was not undertaken in this study. Comments on this report and the RSSMAP methodology are invited. Comments should be sent to: Chief, Reactor Risk Branch Division of Risk Analysis Office of Nuclear _ Regulatory Research U. S. Nuclear Regulatory Commission Washington, DC 20555 iv y w w -= e m -
"-v
EXECUTIVE
SUMMARY
This volume represents the results of the analysis of the Calvert C?.iffs Unit 2 Nuclear Power Plant which was performed as part of the Reactor Safety Study Methodology Applications Program (RSSMAP). The RSSMAP was conducted to apply the method-ology developed in the Reactor Safety Study (RSS) to an additional group of plants with the following objectives in mind: (1) identi-fication of the risk dominating accident sequences for a broader group of reactor designs; (2) comparison of these accident sequences with those identified in the RSS; and (3) based on this comparison, identification of design differences which have a significant impact on risk. Significant use of RSS insights and results was made for the Calvert Cliffs analysis. Loss of coolant accidents (LOCAs) and transients were used as initiating events. The release categories, human error, and component failure data bases were the same as those used in the RSS. The transient and LOCA event trees for Calvert Cliffs differ somewhat from the RSS event trees. This is due to different systems and interactions among systems at Calvert Cliffs. In addition, the RSSMAP transient and LOCA trees are interrelated in recognition that transient initiating events may ultimately lead to LOCA conditions. Unlike the RSS, detailed fault trees were not used to identify all possible failure modes; rather, a " survey and analysis" technique was used to identify the most likely failure modes of a sy stem. The determination of which accident sequences result in core melt and the subsequent containment response and release was made by the MARCH and CORRAL v
codes which are significantly more developed than those available when the RSS was performed. No consequence analysis was performed. The most significant sequences contributing to'the core melt frequency and, by extension, the risk identified for Calvert Cliffs Unit 2 were transient initiated sequences with failure of all secondary cooling. Another class of accident sequences which was important involved losses of offsite power followed by a PORV sticking open and subsequent failure of all emergency coolant injection or recirculation. These two types of accident sequences contribute approximately - 90% of the total core melt frequency for Calvert Cliffs. The core melt frequency at Calvert Cliffs was calculated to be much higher than that calculated for the Surry reactor in the Reactor Safety Study . This is primarily due to the much less reliable Auxiliary Feedwater System at Calvert Cliffs. It should be noted that an Auxiliary Feedwater System upgrade is currently in progress which will increase the system reliability. Refer to Chapter 6.0 for a discussion of this upgrade and its possible effects on the core melt frequency.- vi
~. -- . - - - ,- -. ,-
CONTENTS CHAPTER PAGE 1.o I NT RO Du CT IO N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 2.2 METHODOLOGY........................................... 2-1 2.1 R ev i ew o f RS S Me th od o lo gy . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.2 RS S MAP M e thod o lo gy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 3 .0 GENERAL PLANT DESCRIPTION AND DIFFERENCES FROM RSS PLANT........................................ 3-1 3 .1 Calvert Cliffs ESP Systems Which Do Not Have Comparable Surry ESF Systems..................... 3-2 3.1.1 Containment Air Recirculation and Cooling System (CARCS).................... 3-2 3 .2 Calvert Cliffs ESF Systems Which Have Comparable S u r ry E S F Sy s t e ms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 3.2.1 Emergency AC Power System (EPS) . . . . . . . . . . 3-3 3.2.2 DC Power System (DCPS)................... 3-4 3.2.3 Reactor Protection System (RPS).......... 3-5 3.2.4 Containment Leakage (CL)................. 3-6 3.5.5 Cold Leg Injection Accumulator System (CLAS)................................... 3-7 3.2.6 Low Pressure Injection System (LPIS)..... 3-7 3.2.7 Low Pressure Recirculation System (LPRS)................................... 3-7 3.2.8 High Pressure Injection System (HPIS).... 3-8 3.2.9 High Pressure Recirculation System ( H P RS ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 3.2.10 Engineered Safety Features Actuation System (ESFAS)........................... 3-10 3.2.11 Containment Spray Injection System (CSIS)................................... 3-11 3.2.12 Containment Spray Recirculation e Sy s t em ( CS RS ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12 vii
CONTENTS (Cont'd) PAGE 3.2.13 Auxiliary Feedwater System (AFWS)........ 3-12 3.2.14 Cooling Water and Containment Heat Removal System (CHRS).................... 3-13 3.2.15 Power Conversion System (FCS)............ 3-14 4 .0 SYSTEMS ANALYSIS TASK................................. 4-1 4.1 Event Trees...................................... 4-1 4.1.1 Initiating Events......................... 4-2 4.1.2 LOCA Event Tree........................... 4-3 4.1.3 Transier.t Event Tree...................... 4-5 4.1.4 Interfacing Systems LOCA.................. 4-9 4.1.5 Comparison of Calvert Cliffs and Surry Event Trees......................... 4-10 4.2 Safety System Unavailability Mod els . . . . . . . . . . . . . . 4-12 4.3 Accident Sequence Analysis....................... 4-15 4.3.1 Generating and Quantifying Accident Sequence Cut Sets - An Example............ 4-16 4.3.2 Identification of the Dominant System Accident Sequences................. 4-22 5 .0 ACCIDENT PROCESS ANALYSIS TASK........................ 5-1 5.1 Scope............................................ 5-1 5.2 Containment Processes and Accident Sequence Selection............................... 5-3 5.2.1 Containment Event Tree.................... 5-3 5.2.2 Containment Failure Pressure.............. 5-3 5.2.3 Calvert Cliffs PWR Accident Sequences considered................................ 5-5 5 .3 Analy sis of Accident Proces ses . . . . . . . . . . . . . . . . . . . 5-7 5.3.1 Results................................... 5-8 5.3.2 Containment Failure Modes................. 5-10 5.4 Fission Product Release Evaluation............... 5-14 viii
CONTENTS (Cont'd) PAGE 5.4.1 CORRAL Code............................... 5-15 5.4.2 Results................................... 5-16 5.5 Summary and ' Discussion of Results . . . . . . . . . . . . . . . . 5-17 5.5.1 Assignment to Release Categories.......... 5-18 5.5.2 Quantification of Containment Failure Modes..................................... 5-20 5.5.3 Interface with Systems Analysis Task . . . . . . 5-23 6.0 R E S U LT S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.1 Calvert Clif fs Dominant Accident Sequences. . . . . . . 6-1 6.2 Comparison with the Dominant Accident Sequences in the Reactor Safety Study . . . . . . . . . . . . 6-28 6.3 Conclusions and Limitations...................... 6-32 6.3.1 Conclusions............................... 6-32 6.3.2 Limitations............................... 6-33 REFERENCES REF-1 j APPENDICES APPENDIX A EVENT TREES Al LOCA Event Tree.......................... Al-1 A2 Transient Event Tree..................... A2-1 A3 Interfacing Systems LOCA................. A3-1 APPENDIX B SYSTEM ANALYSIS B1 Emergency Power System (EPS)............. B1-1 B2 DC Power System (DCPS)................... B2-1 B3 Reactor Protection System (RPS).......... B3-1 B4 Containment Leakage (CL)................. B4-1 B5 Cold Leg Injection Accumulator System (CLAS)................................... B5-1 B6 Low Pressure Injection System (LPIS) . . . . . B6-1 ix
CONTENTS (Cont'd) PAGE. B7 Low Pressure Recirculation System (LPRS).................................. B7-1 B8 High Pressure Injection System (HPIS)... B8-1 B9 High Pressure Recirculation System ( H P RS ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B9-1 B10 Engineered Safety Features Actuation-System (ESFAS).......................... B10-1 Bll Containment Spray Injection System (CSIS).................................. Bil-1 B12 Containment Spray Recirculation Sy s t em ( CS RS ) . . . . . . . . . . . . . . . . . . . . . . . . . . . B12-1 B13 Auxiliary Feedwater System ( AFWS) . . . . . . . B13-1 B14 Cooling Water and Containment Heat Removal System (CHRS)................... B14-1 B15 Containment Air Recirculation and Cooling System (CARCS).................. B15-1 APPENDIX C MARCH ANALYSES OF KEY CALVERT CLIFFS CORE MELTDOWN ACCIDENT SEQUENCES................... C-1 X
1.0 INTRODUCTION
As a part of determining the public risk due to accidents in light water reactors (LWR), the Reactor Safety Study (RSS) (Refer-ence 1) developed a methodology for evaluating risks associated with potential accidents at nuclear power plants. A number of or-ganizations and individuals have recommended that the methodology ! developed in the RSS be used on a wider basis to analyze commercial power reactor systems and to assist in making informed decisions when public risk is a consideration. Further, it has also been stated by the Nuclear Pegulatory Commission (NRC)1 that ways should be examined in which the RSS methodology can be used to improve the regulatory process. In light of this, the Probabilistic Analysis Staff of the NRC initiated a program in October of 1975, entitled "The Reactor Safety Study Methodology Applications Program (RSSMAP)," to provide a broader foundation for applications of the RSS meth-odology and engineering insights to the regulatory safety review process. The RSS addressed two reactors, the Surry and Peach Bottom plants. For those two reactors, the accident sequences that dom-inated risk were identified. As a further application of the RSS methodology, the RSSMAP was conducted with the following objec-tives: (1) identify the risk dominating accident sequences for a broader spectrum of reactor designs, (2) compare these accident sequences with those identified for the reactors studied in the 1See NRC Annual Report to the President, 1975. 1-1
RSS, and (3) based on this comparison, identify design differences between the plants which have a significant impact on risk. The Reactor Safety Study Methodology Applications Program was divided into two principal tasks: systems analysis of engineered systems, and analysis of the accident processes. Sandia National Laboratories was asked to perform the systems analysis task. This task was performed with the aid of Evaluation Associates, Inc., of Bala Cynwyd, Pennsylvania, as a subcontractor. B' :telle Columbus Laboratories was asked to perform the analysis of accident processes. The RSSMAP study includes three PWR power plant designs and one BWR plant design. Thesedesignsaresignificantpydifferentfrom those studied in the RSS. Table 1-1 identifies the NSSMAP plants, the RSS plant used for comparison, and some key' design features.'.
~
^
!/' ~.
This volume documents the RSSMAP results for the Calvert Cliffs s.
#2 unit. It is a 850 MWe Combustion Engineering PWR w'ith a dry; con ,
j teinment and is located on the western shore of the Chesapeake Bay,', ,
~ ,-
} in Calvert County, Maryland. Calvert Cliffs, owned'and operated by the Baltimore Gas and Electric Company, obtained their construction - permit on July 7, 1969 and entered commercial operation in April 1977. Separate volumes describe the RSSMAP results for each l of the other plants studied. ,, f 4 n* f, b a ~ b Y
}
4 1-2 - w.
- -- - - - . , ~ .--.,,.,-- . - . -,m,- - - -
.,. , ,,y -, ,c.p.g- ,,, , , , . , , , . . - , , . - ,
Table 1-1. Major Characteristics of RSS and RSSMAP Studied Plants RSSHAP PLANT RSS PLANT USED FOR COMPARISON Sequoyah #1 PWR Surry PWR Reactor Vendor - Westinghouse
- Reactor Vendor - Westinghouse Architectural Engineer -
- Architectural Engineer - Stone Tennessee Valley Authority and Webster Engineering Corp.
Four Reactor Coolant Loops
- Three Reactor Coolant Loops a
1148 MWe - 775 MWE
- Dry Subatmospheric Containment Ice Condenser Containment i
- Now in low power testing
- Commercial Operation on 12/72 Oconee #3 PWR Reactor Vendor - Babcock and Wilcox Architectural Engineer - Duke Power Co. with Assistance from Bechtel Power Corp.
Two Hot Leg Reactor Coolant SURRY PWR Loops Four Cold Leg Reactor Coolant Loops 886 MWe Dry Containment
- Commercial Operation 12/74 Calvert Cliffs #2 PWR Reactor Vendor - Combustion Engineering
- Architectural Engineer -
Bechtel Power Corp Two Hot Leg Reactor Coolant SURRY PWR Loops Four Cold Leg Reactor Coolant Loops 850 MWe Dry Containment
- Commercial Operation 4/77
'< Grand Gulf $1 BWR Peach Bottom BWR Reactor Vendor - Gener al - Reactor Vendor - General Electric
,-' Electric Co. Co.
- Architectural Engineer -
- Architectural Engineer -
Bechtel Power Corp. Bechtel Power Corp. BWR/6 Design
- BWR/4 Design 1250 MWe
- 1065 MWe Mark III Containment a Mark I Containment Commercial' Operation scheduled -
Commercial Operation 7/74 for 1981
, 1-3/-4
2.0 METHODOLOGY As stated in Chapter 1, the RSS Methodology Applications Program consists of two principal tasks: systems analysis and accident process analysis. This chapter will discuss the basic methodology utilized in performing these tasks, differences from the methodology presented in the RSS, and important assumptions and restrictions used in performing the analyses. Details of how the methodology was applied to the analysis of the Calvert Cliffs
- 2 power plant can be found in Chapters 4 and 5.
2.1 Review of RSS Methodology Before discussing the RSSMAP methodology, a brief review of the RSS methodology may be useful in identifying similarities and defining differences between the two methodologies. In the RSS, the methodology consisted essentially of three basic tasks. These included: (1) a systems analysis task, (2) an accident process analysis task, and (3) a consequence analysis task. The first two correspond to RSSMAP tasks. The third task analyzed the accident sequences in terms of consequences to public health and property damage. This third task was not included in this study. The initial step in the RSS systems analysis task involved the construction of functional event trees. These trees dictated the functions which must he performed by plant systems to mitigate an accident initiated by various loss of coolant accidents (LOCAs) or transients. For LOCAs, these functions were reactor subcrit-icality, emergency core cooling, post accident radioactivity re-moval, containment heat removal, and containment integrity. For 2-1
i, a 2 i transients, the required functions were reactor suberiticality, i j core cooling, reactor coolant system overpressure protection, and
- i i maintenance of reactor coolant system inventory. Then system event l trees were constructed by identifying the plant systems needed to perform the required post-accident functions. After completing
! this, the system accident sequences were delineated and a detailed fault tree analysis was conducted on all the systems represented ; on the event tree to determine the failure modes and failure prob-ability of these systems. In some cases, detailed fault trees were not needed if actual plant failure probability data existed. The ; fault trees were quantified using a component and human failure j data base compiled as part of the RSS. The system failure proba-bility was expressed in terms of a median value with an associated
, tolerance bound. The error factor was due to uncertainties in the RSS data base. The final step of the RSS systems analysis task was the quan-tification of the accident sequences depicted on the system event ! trees. Any dependencies which existed among the systems in the sequence, which were not explicitly covered by the event tree structure, were identified (i.e., a shared system component) and incorporated into the quantification. System accident sequences with the highest frequencies were then analyzed in terms of acci-dent processes. The accident process analysis was conducted to determine (1) which of the dominant system accident sequences resulted in core l a melt, (2) the response of the containment following an accident, and (3) for those sequences predicted to result in containment 2-2
failure, the amount and types of radioactivity released to the environment. Containment event trees displaying potential con-tainment failure modes were created for each system accident sequence. Probabilities of these failure modes were then esti-mated. The complete accident sequences (defined as a system accident sequence with its appropriate containment failure mode) were then assigned to one of nine PWR radioactive material release categories. The categories were ordered in terms of severity with Category 1 representing the most severe radioactive material release. The accident sequence frequencies in each category were then summed in order to assess the release category frequency (per reactor year). It was recognized that there was an uncertainty associated with the release category placement of each sequence. To account for this, the RSS smoothing technique was used; that is, a probability of 0.1 was assigned to an accident sequence being in an adjacent release category, and a probability of .01 was assigned to an accident sequence being two release categories from the one in which it was placed, etc. After applying this technique, the final release category frequency was assessed. The final RSS task was to analyze the release categories in terms of consequences to public health and property damage. This was accomplished through the use of various models depicting items such as meteorology, population evacuation, and population dose. Through the use of these models, the consequences of each release category were determined. Multiplication of the frequency of the release category and its associated consequence resulted in a 2-3
i risk estimate of each category. Summing the risk of all the re-lease categories resulted in an estimate of the total power plant risk. 2.2 RSSMAP Methodology The RSSMAP methodology is based on that used in the RSS. To meet, in an efficient manner, the objectives of the program stated in the introduction, insights and results from the RSS were used when appropriate. However, certain departures frem the RSS meth-odology did occur and are summarized below. During the development of the RSSMAP event trees, it was found that the RSS functional event trees were basically appli-cable to the RSSMAP plants. A reiefinition of one of these func-tions was made, however, for purposes of clarification. Specif-ically, the RSS LOCA function, containment heat removal, was split in the RSSMAP into two functions, namely containment overpressure protection during the injection phase and containment overpressure protection during the recirculation phase. Each of these functions is needed to prevent a containment overpressure failure; however, using the RSSMAP representation, the analyst can more easily dis-tinguish containment overpressures which occur early in the acci-dent from those that occur late. This distinction is useful he-cause the time at which the containment fails is important to accident consequences. 2-4
In addition to the LOCA function redefinition, two additional transient functions, which were previously implied in the RSS re-sults, were defined. From the list of PWR transient sequences in Table V 3-7 of the RSS, it can be seen that containment systems (e.g., containment spray systems, events C and F) appear as part of the sequence even though they don't explicitly appear on the transient event tree. These containment systems provide the func-tions of containment overpressure protection and post accident radioactivity removal. In the RSSMAP, these functions have been explicitly added to the list of transient functions. The plant systems required to perform the LOCA and trancient functions were sometimes different in the RSSMAP plants. As an example, during a LOCA the containment heat removal function at Surry is performed with heat exchangers located in the contain-ment spray recirculation system. At Calvert Cliffs, this function is performed with the heat exchangers located in the containment spray recirculation lines and/or by the containment air recircu-lation and cooling system. Further, many dependencies hetween the RSSMAP event tree systems were found to be different from those found in the RSS, thus resulting in changes in the event tree structure. During the formulation of the event tree, it was decided that a single LOCA tree, rather than the three RSS LOCA trees, was an adequate representation of the plant response to a LOCA of any given break size. As a result of these differences in plant design and analysis, the RSSMAP system event trees for Calvert Cli ffs dif-fer significantly from the RSS trees. 2-5
One of the insights gained from the RSS was that system fail-ure probabilities are dominated by only a few failure modes such as sinnle, double and common mode hardware and human failures. Because of this insight, elaborate fault tree models to identify all possible system failure modes, as was done in the RSS, were not developed for the RSSMAP. Instead, a " survey and analysis" technique was used to determine system failure modes. This tech-nique was, in essence, a systematic approach by which the analyst searched for system failure modes. The search was done manually and was usually stopped when all double or triple failure modes were identified. A Boolean equation was then constructed for each system which represented these failure modes. These equa-tions were utilized in the accident sequence analysis described later. (For an example of the " survey and analysis" technique, see Appendix B.) It should be noted-that the failure mode search was based largely on systems information gained from the plant FSAR, a single visit to the plant, and some follow up conversa-tions with plant personnel. It is recognized that this limitation in the study does not provide assurance that all system failure modes have been identified. The RSSMAP system unavailabilities were quantified using the RSS hardware and human error data base, except for those systems where actual plant failure probability data existed. Throughout the course of this work, point estimate unavailabilities were-used in determining the system failure probabilities rather.than the median unavailability with its associated error factor as was used in the RSS. 'This departure from the,RSS methodology was 2-6
made because the additional effort of estimating error factors was not judged necessary for risk comparisons or the identification of dominant eccident contributors. The final step of the RSSMAP systems analysis task was a system accident sequence analysis to determine those core melt sequences with the highest frequency. This was done by combining the Boolean equations describing the succeeded and failed systems for each accident sequence, performing a Boolean reduction of the equations to produce sequence cut sets (i.e., the system failures which produce an accident sequence), and quantifying these cut sets using the data base. The cut sets for each accident sequence were summed to arrive at a total sequence frequency. The accident sequence Boolean reduction and cut set quantification was performed with the aid of the SETS and SEP computer codes (Reference 17). In the RSS, the accident sequence analysis was performed largely by hand calculatior.s. In some cases, this may have required some assumptions concerning interactions between system a sequence to make the calculations practicable. Such assumptions were unnecessary in the RSSMAP due to the increased analytical capability afforded by SETS and SEP. (For more details concerning the systems analysis task, see Chapter 4. ) System accident sequences identified with the highest fre-quencies were then analyzed in terms of accident processes. The accident process analysis task for the RSSMAP was conducted in a more detailed manner than was done in the RSS. Use was made of a new computer code known as MARCH, and an updated version of the CORRAL code (References 3 and 4). 2-7
.- - . . . _ . = . -.. .- - --- - -. .- . ..
The MARCH code, developed at Battelle Columbus Laboratories, performs P.0- and transient initiated accident calculations from the time-of the initiation of the accident through the stages of blowdown (LOCA only), core heat up, boiloff,' core meltdown, pres-sure vessel bottom head melting and failure, debris-water inter-action in the reactor cavity, and' interaction of the molten debris with the concrete containment base pad. The mass and energy ad-ditions into the containment building during these stages are continuously evaluated and the pressure-temperature response of the containment with or without the engineered safety features is i calculated. The MARCH simulation also accounts for metal water reactions, combustion of hydrogen, and heat losses to structures in the containment. By comparison, the accident process analysis
! conducted in the RSS was conducted largely with hand calculations, which required several simplifying assumptions (e.g., small LOCAs and transients were treated in a gross manner by comparing them to calculations done for large LOCAs).
The updated version of the CORRAL code uses the same basic analytical models as the RSS version, but has been made more ver-satile. The code can now model the transport of the radionuclides within the containment in more detail oecause of the increased capability of handling larger problems. For each of the dominant system accident sequences, the codes ! were used in determining possible containment failure modes, esti-7 mating the probabilities of each failure mode, and placing each sequence into the seven RSS PWR core melt release categories. The non-melt categories 8 and 9 were found to have a negligible impact 2-8
on risk in the RSS and were not included in the RSSMAP. (For more details concerning the accident process analysis task, see Chapter 5.) Upon completion of the accident process analysis, the complete accident sequences (defined as the combined system accident sequence and containment failure mode) were ranked and the dominant accident sequences identified. The final step in the RSSHAP was then to compare the expected risk of the Calvert Cliffs plant with the RSS PWR. This was done indirectly by comparing the probability (per reactor year) of the seven PWR core melt release categories, i.e., the RSSMAP methodology did not include a task to directly analyze the consequences of accident sequences. l 2-9/-10
-. _-- _ _ i
_ - . . _ _ - - _ _ - - _ = , ___ .__ . 3.0 GENERAL PLANT' DESCRIPTION AND DIFFERENCES FROM RSS PLANT j The likelihood of certain accident sequences and the factors 1 which cause an accident sequence to dominate the risk associated with a plant are clearly dependent on the plant design. In this i section, significant design differences between the.Calvert Cliffs and Surry units are summarized. Detailed system descriptions and reliability estimates are presented in Appendix B. 3 The Calvert Cliffs reactor units each have two steam gener-ators and two steam generator loops designed by Combustion Engineering; the Surry units have three steam generators and three loops designed by Westinghouse. Each Calvert Cliffs reactor unit - power is 850 MWe; the Surry units each develop 788 MWe. Both containments are the dry type. The Calvert Cliffs containment construction is a post-tensioned reinforced concrete cylinder and } dome with a steel liner. The design pressure is 50 psig. The Surry containment is of reinforced concrete design with a steel liner and has a design pressure of 45 psig. The Calvert Cliffs con-tainment free volume is 2 x 106 ft3 while Surry's is 1.8 x 106 ft3, There are several important differences in the safety systems between the plants which perform the LOCA and transient engineered safety functions (ESF). These differences are the result of dif-i ferent systems present at the Calvert Cliffs plant as well as many differences in piping and circuitry configurations, system success criteria, and test and maintenance intervals for systems which appear at both plants. Some of the more obvious dif ferences can be seen in Figures 3-1 and 3-2 which depict Calvert Cliffs and Surry l ESFs with related system components in a simplified manner. l 3-1 4
. . , . , . , _ . , _ _ - , _ .,-.__.____.,-..m._ _ , . , , _ . , , . . _ . , _ _ , - , . , . _ _ _ _ , _ . _ - . . ~ , _ _ , , , , , _ , . _ . m,
A word of caution should be made about comparing the system failure probabilities of both plants. The comparison given in the following descriptive summaries is based on an independent compar-ison of the systems. Interdependencies among the various systems at the plant are not considered at this point. Because of this fact, a statement such as "Calvert Cliffs System A has a failure probability five times greater than Surry System A," has no safety significance unless the systems being compared are truly indepen-dent of other systems at the plant and have an equivalent role in performing a post accident function. For purposes of comparing safety then, the appropriate place of comparison is the accident sequences since it is at this point where all system interdepen-dencies are considered. Accident sequences and system interde-
- pendencies are discussed in Chapters 4 and 6.
3.1 Calvert Cliffs ESF Systems Which Do Not Have Comparable Surry ESP Systems i There is one Calvert Cliffs ESF system which has no compar-able Surry ESF system. A brief description of the purpose and dom-inant failure modes of this system follows. 3.1.1 Containment Air Recirculation and Cooling System (CARCS) The function of the CARCS is to remove heat from the contain-ment atmosphere during normal plant operation and following a LOCA. The CARCS, along with the containment spray injection system, pro-vide alternate methods of depressurizing the containment following a LOCA. It is sized such that three of the four containment air coolers will limit the containment pressure to less than the con-tainment design pressure even if the containment spray system does 3-2
not operate. This success criteria has been found to be conser-vative by Battelle Columbus Laboratories. MARCH and CORRAL analyses for this program showed that one fan cooling unit will provide adequate pressure control. The dominant failure mode is a common mode failure of both CARCS actuation channels due to a possible miscalibration. 3.2 Calvert Cliffs ESF Systems Which Have Comparable Surry ESF Systems Brief descriptions of the differences between similar Surry and Calvert Cliffs systems are given below. 3.2.1 Emergency AC Power System (EPS) A comparison of the Calvert Cliffs and Surry designs pro-duces the following characteristics: (1) The Calvert Cliffs systems below the 4160-volt ESF buses do not differ significantly from the Surry systems. (2) The Calvert Cliffs design employs load sequencers to sequentially load its diesel generators over a 30 second period after startup. This results in a significantly lower inrush load-ing on the Calvert Cliffs diesel generators than that for Surry which does not sequentially load its generators after startup. (3) The Surry plant employs three diesel generators with one generator dedicated to each of two units and the third gener-ator serving as a backup generator shared by Units 1 and 2. Cal-vert Cliffs also employs three generators. However, in the event of a LOCA concurrent with loss of off-site power, any two of the 3-3
three generators may be connected to the unit having the LOCA and
- the remaining generator used to provide the necessary power for safe shutdown of the unaffected unit. This feature provides more flexibility for providing emergency AC power to both units in the.
event of failure of one of.the diesel generators since a single
]
j generator is capable of supplying all the emergency power require-i i ments for one unit. i (4) Surry's diesel generators do not require jacket cooling
- while Calvert Cliffs do.
! (5) The unavailability of the EPS at Calvert Cliffs has-been assessed to be a factor of two lower than that at Surry.
l 3.2.2 DC Power System (DCPS) Two major design differences between the Calvert Cliffs and Surry DC power systems were disclosed in this analysis. (1) Calvert Cliffs incorporates inter-unit load sharing in its design while Surry employs two separate and redundant service I channels for each unit. (2) Surry employs a separate and independent DC power supply-consisting of a battery charger, battery and distribution system for startup and control of the three emergency diesel generators. Cal-l vert Cliffs employs its vital DCPS for this function. Based on the technique used for estimating DC system unavail-ability in the RSS, the Calvert Cliffs and Surry DCPS have a similar unavailability estimate. However, a recent Sandia National Laboratory DC power system (Reference 13) study identified a DC common mode fail-ure not previously identified in the RSS. This failure could be 3-4
attributed to events such as the miscalibration of the battery charger charging rate which causes the batteries to degrade and fall upon demand following a loss of off-site power. This common mode was judged to be applicable to the Calvert Cliffs emergency on-site power control 125-volt DC subsystem. The unavailability estimate for this subsystem is greater than two orders of magnitude higher than would have been estimated using the RSS method. 3.2.3 Reactor Protection System (RPS) The RPS for both Surry and Calvert Cliffs are actuated by in-terrupting power to the control rod assemblies but the method for doing so is significantly different. The Surry RPS accomplishes the reactor trip by de-energizing combinations of one-out-of-two pri-mary circuit breakers via the logic channels. In the Calvert Cliffs RPS each measurement channel which can initiate protective action i operates a channel trip unit containing three sealed electromagnet-ically actuated reed relays. The Surry RPS logic employs three sensor logic channels feed-ing into two output trains which, in turn, input to the circuit i breakers. The Calvert Cliffs sensor logic is a two-out-of-four sys-tem whereas the Surry sensor logic is a two-out-of-three system; i.e., any two of the logic channels will trip the reactor when an abnormal condition occurs. , Calvert Cliffs RPS unavailability is lower than Surry's by a factor of two. This is due to the fact that a NRC report (Reference 14) has indicated that the Surry RPS failure due to three or more rods failing to drop into the core is overly conserva-tive and was assessed as insignificant for Calvert Cliffs. 3-5
3.2.4 Containment Leakage (CL) As discussed in the main report, insights from WASH-1400 were used wherever possible to evaluate the reliability of each part of the Calvert Cliffs design. Thus, on the basis of the WASH-1400 cnalysis, and in consideration of the leak tests required by tech-nical specifications; structural failure of the containment shell, failure of the blind flange on the refueling tube and major leakage through the equipment hatch were not judged to be dominant contri-butors to the CL probability. Further, the probability of a sig-nificant leakage path through the containment spray injection line was not judged significant because, unlike Surry, Calvert Cliffs uses the same line for containment spray recirculation as for in-jection. Back leakage through the LPIS lines was also judged not significant because of the numerous check valves in each line. Conversely, dominant contributors to the Calvert Cliffs CL probability, which were not present at Surry, developed from the difference between Surry's subatmospheric design and Calvert Cliffs atmospheric containment. Specifically, the probability of signif-icant open penetrations of the containment which go unnoticed for some time was precluded at Surry because normal operation requires internal containment pressure to be significantly below atmospheric pressure, i.e., the containment is ccnstantly leak tested. However, at Calvert Cliffs, where there is no constant leakage monitoring system and the containment is kept at atmospheric pressure, a sig-nificant unnoticed leakage path was judged to be more likely, re-culting in a CL probability estimated at approximately seven times that of Surry. This estimate was based on a review of LER data on PWR containments kept at atmospheric pressure. 3-6
3.2.5 Cold Leg Injection Accumulator System (CLAS) Two major design differences between the Calvert Cliffs and Surry CLAS were found in this survey. The Surry design employs three identical trains for delivery of borated water to the reactor coolant system whereas the Calvert Cliffs design uses four identical trains. Surry's accumulators are pressurized to 650 psig while Cal-vert Cliffs are pressurized to only 200 psig. The unavailabilities for the Calvert Cliffs and the Surry CLAS were found to be approximately equal. 3.2.6 Low Pressure Injection System (LPIS) Both Calvert Cliffs and Surry employ redundant LPIS trains to deliver borated water to the RCS following a LOCA. Surry's LPIS suction line contains a manually operated gate valve in series with a motor-operated valve and check valve before the branchoff point to the pumps. There is then a single manually operated valve in each flow line before the pump. The LPIS pump discharge lines at Surry. come together outside containment and then branch inside containment before connecting with the RCS. At Calvert Cliffs, separate supply lines provide water from the RWST to the pumps. The LPIS pumps then discharge to a common header. Water is then pumped into the core via four injection lines (which are shared with the HPIS). The unavailability of the LPIS at Calvert Cliffs was found to be lower than that at Surry by a factor of two. 3.2.7 Low Pressure Recirculation System (LPRS) i The Calvert Cliffs and Surry LPRS are similar in that they employ redundant trains to deliver water to the RCS from the sump 3-7
i a j following a LOCA. Both systems use the same pumps as in their LPIS and both require operator actions to start the system. The Surry system also requires operator action after 24 hours to realign LPRS I flow from RCS cold legs to the hot legs. This later realignment is not necessary for the Calvert Cliffs system. Failure to perform any of the above realignments constitutes a common mode failure of the system due to human error.
- Another difference in the systems is the piping configura- -
tions from the RWST to the pumps. Surry employs a single suction line to supply the LPRS pumps, while Calvert Cliffs has two inde-pendent lines. The unavailability of the LPRS at Calvert Cliffs was approx-imately ten times greater than that at Surry. The unavailability at i Surry was dominated by the above mentioned common mode failure while the Calvert Cliffs unavailability was dominated by the failure of i ! the operator to start the system and the common failure due to mis-calibrated RWST level sensors. 3.2.8 High Pressure Injection System (HPIS) The Calvert Cliffs and Surry high pressure injection systems differ significantly in design. Unlike Surry, the Calvert Cliffs HPIS has redundant headers in the high pressure pump lines on both the discharge and suction sides. During normal operation, one of three high pressure pumps of Surry runs continuously to control-the inventory of the reactor coolant system by supplying high pressure makeup from the volume control tank. During the safety injection mode of operation the suction of these pumps is realigned to the RWST whereby a set of parallel MOVs are opened automatically 3-8
by the Surry SICS (refer to Section 3.2.10). At Calvert Cliffs, the HPIS is not used during normal operation. There are no valves which are required to operate in the redundant RWST supply lines to the safety injection pumps of Calvert Cliffs. Another major difference between the two systems is that the Surry system has a boron injection tank (BIT) and a borated water supply, whereas Calvert Cliffs has only the borated water supply. Addition of the BIT results in additional failure modes not found at Calvert Cliffs. In response to a LOCA, the unavailability of the Surry HPIS is a factor of three higher than the Calvert Cliffs HPIS due to more single failures in the pump suction header and the BIT failure modes. 3.2.9 High Pressure Recirculation System (HPRS) Both systems use three high pressure pumps which discharge to redundant headers. The flow path in Calvert Cliffs is directly to the cold legs through a series of valves in redundant distribu-tion headers. In Surry, the flow is through the Boron Injection Tank (BIT) to the cold legs with a provision to bypass if the flow through the BIT is insufficient. After 24 hours of recirculation the Surry system is switched from cold leg to hot leg recirculation. The source of water for the Calvert Cliffs HPRS is the con-tainment sump through redundant lines and valves. In Surry the suction of the charging pumps is taken from the discharge of the low pressure pumps thereby requiring their operation during recir-culation. 3-9
Initiation of the HPRS is based on low level signals from the Refueling Water Storage Tank (RWST) in both systems. At Calvert Cliffs, a Recirculation Actuation Signal (RAS) is automatically generated upon a low RWST signal. The RAS aligns the valves and pumps required for high pressure recirculation. In Surry, the low RWST signal alerts the operator who then aligns the system for recirculation. The operator is also required to realign the system from cold to hot leg recirculation. The unavailability of the HPRS at Calvert Cliffs was as-sessed to be slightly lower than that at Surry. The dominant fail-ure contributor at Calvert Cliffs was the common mode failure of the RAS due to miscalibration of the RWST water level. .The domi-nant contributor at Surry was a common mode failure of the operator to open several MOVs required for operation of the HPRS. 3.2.10 Engineered Safety Features Actuation System (ESFAS) The emergency equipment actuation systems for the Calvert Cliffs and Surry plants are significantly different. One major de-sign difference results from the number of sensor channels and the coincident logic which combines the sensor signals for ESF subsystem initiation. The ESFAS at Calvert Cliffs uses two-out-of-four coin-cidence sensor logic whereas the Surry Safety Injection Control System (SICS) uses one-out-of-three and the Surry Consequence Limiting Control System (CLCS) uses three-out-of-four sensor logic. Another major design difference of the Calvert- Cliffs ESFAS is the subdivision of the actuation channels of safety injection, containment spray, and containment isolation into multiple actua-tion subchannels. The number of pieces of equipment initiated by a 3-10
4 i i single actuation subchannel has therefore been reduced, allowing convenience and flexibility of periodic actuation system and equip-ment tests. The Surry engineered safeguards instrumentation system has only two redundant actuation subchannels per engineered safe-guards subsystem (e.g., the seven SICS output slave relays which initiate components in one train of emergency core cooling are in series with one output flip flop relay). The Calvert Cliffs ESFAS was not modeled in its entirety; instead, failures were attributed to each subchannel and incorpor-ated into the other system models which require actuation. Common mode failures were also included where applicable. Because of this, the total ESFAS unavailability estimates for Surry and Calvert Cliffs cannot be compared. Common mode failures due to miscalibration of all the q sensors in a bank were found to be dominant in both the Surry and
- Calvert Cliffs ESFAS.
- 3.2.11 Containment Spray Injection System (CSIS) 4 An important difference between the Calvert Cliffs and Surry systems is the fact that the Surry CSIS is independent of the j CSRS. At Calvert Cliffs, the CSIS and CSRS share most of the same equipment. Also, the Calvert Cliffs CSIS includes heat exchangers I while the Surry CSIS does not.
Another difference is that the Surry CSIS takes water from the RWST via a dedicated line whereas each CSIS train at Calvert Cliffs receives RWST water from a header that is shared with the low and high pressure injection pumps. 3-11
The unavailability of Calvert Cliffs CSIS was calculated to be more than that of Surry by a factor of two. For both systems the dominant failure was a common mode failure of the CSIS actuating signals due to sensor miscalibration. 3.2.12 Containment Spray Recirculation System (CSRS) The CSRS systems for Calvert Cliffs and Surry are consider-ably different in both design and mode of operation. One important difference is that the Surry system is independent of its CSIS where-as the Calvert Cliffs CSRS uses much the same equipment as its CSIS. The success criteria for Surry is two of four pumps. The success criteria for Calvert Cliffs is one of two pumps. The dominant contributor to the Calvert Cliffs CSRS unavail-ability was a common mode failure of the RWST water level sensors which provide inputs to the automatic recirculation signal. This results in an unavailability two orders of magnitude greater than Surry's. The dominant failure contributors at Surry were maintenance faults of the pumps and valves. l 3.2.13 Auxiliary Feedwater System (AFWS) The auxiliary feedwater systems at Calvert Cliffs and Surry are considerably different although they perform the same function. Notable differences include:
- 1) Surry's AFWS is automatically initiated whereas Calvert Cliff's AFWS is remote manually initiated A delay auto-start circuit is currently installed but it is temporary and non-safety grade (no credit was given for this circuit in the analysis).
3-12
- 2) Calvert Cliffs has two turbine-driven pumps as opposed to two electric and one turbine-driven pump at Surry.
- 3) Several valves are shared by both pumps in the Calvert Cliffs pump suction lines as opposed to separate suction lines for each pump at Surry.
- 4) Calvert Cliffs delivers auxiliary feedwater to two steam generators; Surry delivers to three.
There are some similarities between the plants. Each AFWS has common headers which allow delivery of feedwater to any steam generator from any pump, though the piping configurations are dif-ferent. Also, successful operation requires the flow from one pump to one steam generator. In general, however, the systems are quite different. The unavailability of the AFWS at Calvert Cliffs is approx-imately 100 times larger than that of Surry when off-site power is available. With no off-site power, the unavailability of Calvert Cliffs is larger by a factor of twenty five. The dominant failure for the Calvert Cliffs AFWS was the failure of the operator to manually initiate the system. l 3.2.14 Cooling Water and Containment Heat Removal System (CHRS) The Calvert Cliffs and Surry CHRS are both capable of 200% heat removal capacity. The two systems are completely different in design and operation. The Calvert Cliffs CHRS uses the Chesapeake Bay for its heat sink. Three salt water pumps per unit take suction directly from 3-13
the bay and supply the component cooling and service water heat exchangers. The bay is considered a constant inexhaustible supply of cooling water. Surry, on the other hand, incorporates a 25,000,000 gallon intake canal for storage of cooling water in case of dam failure downstream from the plant. The cooling water flows under a 20-foot gravity head from the intake canal to the main condensers and heat exchangers. Water is pumped to the intake canal via four circulating water pumps which are powered by offsite power. Upon loss of offsite power or loss of downstream dam conditions, flow to the main condensers will be stopped to avoid draining the 25,000,000 gallon intake canal. Containment heat removal in Surry is accomplished with four spray trains (50% capacity each). Heat removal in Calvert Cliffs is performed with two spray trains and four building coolers. 3.2.15 Power Conversion System (PCS) One of the main functions of the PCS at both Calvert Cliffs and Surry is to provide feedwater to the steam generators during normal operation. Following a reactor trip, both systems are also capable of delivering feedwater at a lesser rate to provide the function of decay heat removal. One method of successful decay heat removal at Calvert Cliffs can be accomplished by delivering steam generator feedwater with one train of feedwater. One train is defined as one of three electrically driven condensate pumps feeding one of three electrically driven condensate booster pumps feeding one of two high pressure steam driven feedwater pumps. In this mode of 3-14
operation, the heat sink is either the condenser or the secondary steam system safety valves. At Surry, successful PCS decay heat removal can be accomplished by one of three low pressure elec-trically driven condensate pumps delivering to one of two high pressure electrically driven feedwater pumps. The heat sink at Surry is also the condenser or secondary safety valves. The power conversion systems are expected to have similar failure probabilities in response to reactor shutdowns not asso-ciated with loss of feedwater. For these transients, success requires the continued operation of the feedwater system. How-ever, in response to a loss of feedwater transient caused by a hardware problem or a loss of offsite power (LOP), successful feedwater operation requires the recovery of the system. PCS recovery following a LOP requires that offsite power be restored and several operator actions be performed. Information presented in Reference 15 indicates that it is reasonable to assume that the PCS would not be restored in most cases following a LOP within the short term. It is felt that this estimate also applies to the Calvert Cliffs PCS because of its similar design. The probability of not recovering the PCS following a LOP was therefore assumed to be 1.0. PCS recovery following a hardware problem requires assessment and correction of the problem. Reference 15 suggests that at least 90% of all feedwater problems were corrected within 30 minutes or did not involve total loss of the PCS. The Reference 15 data examined reflects situations where there were problems with the PCS and the Auxiliary Feedwater System (AFWS) was available. 3-15
The true situation, as modeled into the sequences, is one where there is a total loss of feedwater. In such a case, Reference 15 indicates that primary emphasis would be placed on restoring the AFWS, but that a somewhat parallel effort to restore the PCS would
> also be conducted. PCS nonrecovery after a hardware failure was roughly estimated to be 10-1 for Calvert Cliffs based on a 90%
recovery rate described in Reference 15. The RSS assumed a PCS nonrecovery probability following a LOP of .2. This value corresponds to the expected nonrecovery probabil-ity of offsite power. A value of 10-2 was used for PCS nonrecovery following a hardware problem at Surry (compared to the 10-1 value described above) and was derived from industry data. It is sus-ected that the 10-2 nonrecovery probability is based on data for cases where the AFWS is successfully operating. The true situation is one where all feedwater is lost. For this reason, and due to the fact that some data for a similar PCS existed, a different i PCS nonrecovery probability was used for Calvert Cliffs. 1 3-16 -
m
\e _ - _ , m _ _ _ .n v s -
,7 a a o o o _ . _ m . .. _ _ ,,, V E: .m,___,,, V U
PORV (2) PRESSURIZER c'c' ' o
- .omem couvr.sres s,s se g V mom h .r.wser SG 4 UN'= ) (2)
NS V (s RCP b 7 comou.a.:
'7 b
scrip , lT.A'.^3.n i Note: Number in parenthesis indicates number of redundant pumps or trains. Figure 3-1. Simplified Calvert Cliffs ESF Diagram
f S'Q .
--: _ r s .=
6 d m a f i e e N r s l s
, r s
t au
=
*8 D/ :sa _,g g a
i
. g D
_ j C i F S
". D _.
,*' E
- L
- m"' r y s
_.go e r e ?- r E u A__,"" " I. S d e
..l i f
. "Y. -
_". m 3 i a a l p m a t
.aD =
i m e e W
?__::::
n a ss e
, l S
._ u. ms n
e ,
", g
*, 6 I I m o " ,,, " '
s mg e e
=- *
*,,' u
- 2 A o , * \
yl 3
- (
e o a r u 7.,99
.B1
@y i g
4 F
.. 1
== E" - - -
a I i i c h 1 e J sD L C r i. r
4
~
1 , ib ,, 4.0 SYSTEMS ANALYSIS TASK 1 This chapter summarizes the work done as part of the RSSMAP
. Calvert Cliffs #2 systems analysis task. The work was done by i Sandia National Laboratories with the aid of Evaluation Associates,
-Inc. The objective of this task was to identify the dominant sys-tem accident sequences which are the major contributors to public 4
risk for the Calvert Cliffs plant. These sequences were identified - through the use of event tree and safety system unavailability models. (The system unavailability models are, in essence, a Boolean equation representation of a simplified fault tree.) The event tree and system unavailability models utilized are discussed in Sections 4.1
; and 4.2, respectively. The dominant system accident sequences, gen-erated through the use of these models, are presented in Section 4.3 along with an illustrative example showing how a typical accident sequence calculation was performed.
4 4.1 Event Trees Event trees are the structures from which accident sequences are derived. Two event tree types, used in succession, produce the complete accident sequences. The System Event Trees, the subject } of this section, interrelate the initiating events and the engineered safety feature failure events and result in system accident sequences such as "ACD." The Containment Event Trees, done as part of the accident process analysis, relate the possible responses of the con-tainment to the physical situations associated with each system acci-I dent sequence. The resulting containment failure modes, designated by terms such as a, S, 6 are added to the system accident sequences is 4-1
._ .. , . . , - , . . . - - _ _ , .__.,._..,m . . . _ , . _ , ,
7 ,
to form the complete accident sequences such as "ACD-6. " Details of the Containment Event Trees can be found in Chapter 5. 4.1.1 Initiating Events The type of initiating events considered were the same as in the RSS, i.e., LOCAs and transients. The RSS considered three LOCA size ranges. These were designated "S2" (1/2" <D< 2"), "S1" (2" <D < 6") and "A" (D > 6"). Three sizes were chosen since the requirements on the ECCS and other systems necessary to mitigate a LOCA were dif ferent for each LOCA range. The RSS also considered three types of transients. These were all designated "T" and included reactor shutdowns initiated by
- 1) a loss of off-site power,
- 2) a loss of the main feedwater system caused by other than a loss of off-site power, and
- 3) other causes in which the main feedwater system is initially available.
These transient initiators were assessed to adequately represent a spectrum of generic PWR transients (RSS, Table I 4-9) in terms of their effects on the mitigating systems. Based on the study of the FSAR, it was determined that the three LOCA sizes used in the RSS were adequate to describe the ECCS requirements at Calvert Cliffs. Therefore, the same LOCA designa-tions (A, Si, and S2) and the initiating event frequencies are used in the Calvert Cliffs analysis. 4-2
The same three transients chosen in the RSS and their estimated frequencies were also chosen to represent initiating transients at Calvert Cliffs. The loss of off-site power transient is designated T1 and has a frequency of 0.2/ year. The loss of main feedwater transient is designated T2 and has a frequency of 3/ year. Other transients with main feedwater initially available are designated T3 and have a frequency of 4/ year. 4.1.2 LOCA Event Tree The Calvert Cliffs LOCA event tree is displayed in Figure 4-1. A detailed discussion of this event tree is presented in Appendix A-1. This section will highlight the discussion given there. A single LOCA event tree was judged to be an adequate repre-sentation for the entire spectrum of break sizes. Except for the removal of the reactor protection system event (K) for the "A" LOCA analysis, the rest of the tree headings and structure are identical for all size breaks. The success / failure criteria of the event tree headings may change, however, depending on the break size. The systems depicted on the event tree perform seven plant functions. The combinations of plant systems which are required to successfully perform these functions for a variety of LOCA sizes is displayed in Table 4-1. These functions were chosen since they are either required to successfully mitigate a LOCA or they can affect the consequences of a core melt if mitigation of the LOCA is unsuccessful . The definitions of success for the event tree headings are given in Table 4-2. Some important dependencies incorporated into the LOCA event tree structure are given below: 4-3
- 1) If containment spray injection fails (event C) then containment spray recirculation fails, since the systems share most of the same equip-ment.
- 2) If the Containment Air Recirculation and Cooling System fails during the time interval correspond-ing to the ECCS injection phase (event Y), then it fails during the recirculation phase (event Z) since the equipment and the success criteria are exactly the same during both phases.
- 3) If the emergency coolant injection system fails (event D) it was assumed that emergency coolant recirculation (event H) is superfluous. This is due to 1) the ECCS injection and recirculation systems share many of the same components so that if event D occurs, then event H will occur with a i 1
high likelihood, and 2) the consequences for se-quences with injection failing and recirculation succeeding are the same as for sequences in which ECCS in both injection and recirculation modes fail.
- 4) Containment heat removal can succeed by either of two methods : Operation of one Containment Air Recirculation and Cooling System (CARCS) fan train or operation of one containment spray recirculation system (CSRS) train in conjunction with their asso-ciated secondary cooling water systems. Event G 4-4
represents failure of containment heat removal using the CSRS, the component cooling water system, and the salt water system. Therefore, if the CARCS succeeds during the recirculation phase (event Z), no success / failure choice is given for event G since the containment heat removal function has been met. Also, for sequences where the containment spray system (events C or F) fails, no success / failure choice is given for event G. It can be noted on the LOCA tree that no event tree structure was developed following failure of the reactor protection system, event K. This was done for purposes of simplification since the event tree structure following failure of the RPS would be identi-cal to the structure following the success of the RPS. An important assumption made in this analysis was-that the Containment Spray Recirculation System and the Containment Air Recirculation and Cooling System would be operable in a post core melt environment. Recent preliminary experiments performed at Sandia suggest that these systems could fail after a core melt due to plate out of fission products on or in critical components. 4.1.3 Transient Event Tree The Calvert Cliffs transient event tree is displayed in Fig-ure 4-2. A detailed discussion of this event tree is presented in Appendix A-2. This section will highlight the discussion given ; there. 4-5
A single transient event tree was judged to be an adequate model of the plant response following the three transient initiat-ing events considered. i The systems depicted on the tree perform six plant functions. 2 The combination of plant systems which are required to perform these functions fur all three transients is displayed in Table 4-3. These functions were chosen since they are either required to suc-cessfully mitigate a transient or they can affect the consequences of a core melt if mitigation of the transient is unsuccessful. The definitions of success for the event tree headings are given in Table 4-4. Transient sequences with failure of a safety / relief valve to reclose, event Q, can be treated as a small-small LOCA since the systems responding to these LOCAs are identical to those required for an S2 LO CA . These " transient induced LOCAs" are therefore transferred to the LOCA event tree upon occurrence of event Q. Dependencies incorporated into the transient event tree struc-ture are the followings l 1) If the power conversion system operates successfully (event E) then the operation of the auxiliary feed-I water system and the secondary steam relief is un-necessary.
- 2) A success / failure choice for event P1, the Safety /
Relief Valves Demand event, appears only on sequences where the RPS and AFWS both succeed. The probability that the valves will be demanded for this' case was 4-6
assessed to be 0.07 and was based on Combustion Engineering plant data (Reference 10). If either the RPS or AFWS fail, the relief valves are assumed to be demanded.- If the RPS and the PCS both succeed, it is assumed that the relief valves will not be demanded.
- 3) Success / failure choices for event P2, Safety / Relief Valves Open, appear in all sequences in which the pressurizer safety / relief valves are demanded.
- 4) Success / failure choices for event Q, Safety / Relief Valves Reclose appears in all sequences in which the pressurizer safety relief valves successfully open except for the accident sequence in which the RPS and all steam generator cooling fails (KML).
For this sequence it is assumed that the safety / relief valves will remain open through core melt-down due to high RCS pressure.
- 5) Success / failure of the CVCS is only included in the sequence where the Reactor Protection System and PCS fail and the AFWS has succeeded (TKM).
The CVCS is needed in this sequence to assure the reactor is in a shotdown condition by injecting concentrated boron solution into the core from the boric acid tanks. If boron injection fails, the reactor could remain at a power level above the 4-7
decay heat removal capability of the AFWS, eventually leading to core melt.
- 6) The CARCS (event O) and CSIS (event O') success /
failure choices appear only on transient sequences l leading to a core melt. This is because these sys-j tems have no role in preventing a transient initiated core melt; their operation will, however, affect.the consequences of certain core melt accidents. 4
- 7) If the RCS relief valves fail to reclose the sequence results in a LOCA, and.the sequence (and analysis) is continued in a LOCA event tree. This is justified by the fact that the rate of leakage of RCS inventory is sufficient to fit the defini-tion of a LOCA.
I An explanation is in order concerning the " note 1" on the transient tree. If too much cooling is provided_to the second-ary side of the steam generators by the power conversion system or emergency feedwater-systems, a rapid RCS cooldown transient would ensue. The effects of these types of. transients were not-explicitly modelled on the event tree in_this study. An important assumption made in this analysis was that the Containment Spray Recirculation System and the Containment Air- , Recirculation and Cooling System would be operable'in a post core melt environment. Preliminary results of experiments performed at SNL suggests that these systems might possibly fail after a 4 core melt due to plate out of fission products on or in critical l components. 4-8
4.1.4 Interfacing Systems LOCA The Calvert Cliffs interfacing system LOCA event tree is presented as Figure 4-3. A detailed discussion of the Calvert Cliffs interfacing system LOCA is presented in - Appendix A3. This section will highlight the discussion given there. The event tree shown in Figure 4-3 is' identical to the Surry (RSS) LPIS check valve rupture event tree. The initiating event of the tree, event V, assumes failure of a series of three check valves in one of the low pressure injection system lines and the opening of the normally closed isolation motor operated valve (MOV), which is also in series with the check valves, for MOV testing. This would allow high pressure coolant water to enter the low pressure piping outside containment and pipe rupture to occur. The containment engineered safety features would be relatively ineffective for this accident, and the low pressure injection system would also fail due to the LOCA. As a result, core melt would occur. Since the containment engineered safety features are relatively ineffective, the variations in consequences are so small among the sequences, which all include the initiating event, only the initiating event V Probability was used to quantify the accident sequence. The frequency of occurrence for this accident was calculated to have a negligible probability for Calvert Cliffs due to provisions for annual leak testing of critical valves, an increased number of valves in the cold leg injection lines, and the placement of relief valves which would limit the types of valve failures which could initiate an interfacing system LOCA. 4-9
4.1.5 Comparison of Calvert Cliffs and Surry Event Trees The Surry LOCA and Transient event trees are ' displayed in Fig-ures 4-3 through 4-6. A detailed discussion of the event tree dif-ferences is presented in Appendices A-1 and.A-2. Some of the more important differences are listed below. LOCA
- 1) Response to a LOCA was depicted by one event tree at Calvert Cliffs and three event trees at Surry.
- 2) Due to plant design or analyses differences, events Y and Z appear only on the Calvert Cliffs tree and events I and L appear only on the Surry trees.
- 3) For purposes of simplification and due to insights gained from the RSS, the Calvert Cliffs equivalent to the Surry events B (electric power) and E (emer-gency coolant functionability) were removed from the Calvert Cliffs LOCA tree. The emergency electric power systems were explicitly modelled as support systems in the Calvert Cliffs Boolean equation.
Emergency coolant functionability was not found to be important in the RSS and therefore not con-sidered in RSSMAP.
- 4) The event tree structure differs somewhat between the plants due to some different interdependencies between the systems represented on the event tree.
4-10
Transient
- 1) The Calvert Cliffs transient event tree explicitly includes systems related to containment response (events O and O'). The Surry transient tree did not include these systems. Success / failure of these systems were implied, however, in the Surry accident sequence results.
- 2) For purposes of simplification, the Calvert Cliffs equivalent to the Surry event W (Residual Heat Removal) was removed from the Calvert Cliffs tran-sient event tree. This system was required to bring the Surry plant from hot to cold shutdown and was included in the Surry analysis for completeness (Refer to Appendix V, page 38 of the RSS).
- 3) The Surry transient event tree treated transient induced LOCA sequences, i.e., those with stuck open relief valves, directly on the transient event-tree and assumed they were core melts. On the Cal-vert Cliffs tree, these sequences are transferred to the LOCA tree and treated in a similar manner.
l as other LOCAs.
- 4) The event tree structure differs somewhat between
! the plants due to some different interdependen-cies between the systems represented on the tree. l 4-11 2
4
- 5) The P1 event, which represents a probabilistic i
demand of the RCS relief valves, appears only on the Calvert Cliffs transient tree. The Surry event tree assumed that the relief valves either were or were not demanded. 4.2 Safety System Unavailability Models Each system represented on the event trees, except for those where plant and/or industry data existed, was reviewed and analyzed in order to determine system failure modes. An insight gained from the RSS was that system unavailabilities are usually dominated by single, double and common mode hardware and human failures. Because of this insight, elaborate fault tree models to identify all pos-sible system failure modes were not used. Instead, a." survey and analysis" technique was used to determine system' failure modes. This technique is in essence a systematic approach-by which an ana-lyst searches for system failure modes. The first step in conducting a typical. survey and analysis was to review all available information pertaining to the Calvert Cliffs system. Sources of information available for this study were the FSAR system description and drawings, the technical specifications and discussions with plant personnel. The next step was to review a similar system analyzed in the RSS. The purpose of this review was to gain insight concerning typical types of important system failure modes (e.g., singles, doubles, human error, test, maintenance, and common mode faults). Based on the Calvert Cliffs system information and RSS insight 4-12
the analyst manually conducted a failure mode search. Identifi-cation of single and common mode failures was made first fol-lowed by doubles, test and maintenance. Any interactions that the system being analyzed had with other systems on the event tree, such as a shared component or actuation system, were noted. The failure modes were then quantified using the RSS hardware and human error data base. In some instances, due to a lack of detailed subsystem information, subsystem unavailabilities were taken directly from the similar system analyzed in the RSS. This was done primarily in obtaining estimates of control circuit unavail-abilities for pumps and valves. During the course of the analysis it was generally found that most systems which appear on the event trees share a number of com-ponents and support systems. Because of this fact, Boolean equations equations describing the system failure modes were constructed so that these interdependencies could be properly treated during the accident sequence calculations. Some systems, however, were assessed to be independent or nearly independent of all other event tree systems. A Boolean equation describing failure modes for inde-pendent systems was not necessary since the system unavailability could be simply multiplied into the accident sequence calculation. A " survey and analysis" for each of 15 Calvert Cliffs safety systems can be found in Appendices B-1 through B-15. Most of these systems appear as events on the event trees. Some of these are support systems (e.g., emergency AC and DC power systems and the Engineered Safety Features Actuation System) which are common to several event tree systems. Each appendix includes a derivation i 4-13
,y-. , .~ - ~ --. ,y-
of the Boolean equation (s) describing system failure and an unavail-ability estimate assuming independence from all other Calvert Cliffs systems. In many instances more than one Boolean equation was derived for a particular system because some system failure modes were different depending on the event tree initiating event. Tables 4-5 and 4-6 can be used as a key to the contents of Appendix B. Across the top of each table is a list of the event tree initiating events. Listed in the first column are the systems which define the events on the LOCA and transient event trees. The three LO CAs A , Si, S2, and three transients, T1, T2, T3, have been discussed previously. The TQ initiators are transient induced LO CAs . The entries in the tables are either an unavailability estimate, an equation number, or not applicable (N/A). The numerical entries in the table are unavailability estimates for the system under consideration. The systems which have unavailabilities listed were considered to be independent of all other event tree systems. The equation numbers reference specific Boolean equations l in the appendices which were used in the calculation of a particular sequence. The letters "a" and "b" in parenthesis after some of the equation references indicate which form of the equation was used. Different initiators sometime require different equation forms, and are described in the appendices. A N/A entry means that the system is not used in response to the initiator. For example, HPIS failure is modeled by HPIS Boolean equation B8-1, form "a", for all small (S2) LOCAs and T2 and T3 transient induced LOCAs as described in Appendix B-8. Equation B8-1(b) was used in the analysis of large (A) and intermediate (SI) LOCAs and 4-14
-w. +-
finally, Equation B8-1 in its entirety was used to model T1 tran-sient induced LOCAs. These three HPIS equations can be identified in Appendix B-8. 4.3 Accident Sequence Analysis The final step of the Calvert Cliffs systems analysis task was the performance of a system accident sequence analysis to determine those core melt sequences with the highest frequency. This was done by combining the Boolean equations describing the succeeded and failed systems for each accident sequence, perform-ing a Boolean reduction to produce sequence cut sets (i.e., the minimum combination of system failures which produce an accident sequence), and quantifying these cut sets using the data base. The cut sets for each accident sequence were summed to arrive at a total sequence frequency. .The accident sequence Boolean reduc-tion and cut set quantification was performed by the SETS and SEP computer codes respectively. System accident sequences with a frequency greater than 10-8 per reactor year were identified. These sequences were then given to Battelle Columbus laboratories and were analyzed in terms of accident processes (see Chapter 5). An example which illustrates the procedure utilized in per-forming the system accident sequence analysis follows in Section I 4.3.1. Those sequences with a frequency greater than 10-7 p'er reactor year are presented in Section 4.3.2 as significant con-tributors to the core melt frequency at Calvert Cliffs. l l t 4-15 i
4.3.1 Generating and Quantifying Accident Sequence cut Sets - An Example The sequence chosen to illustrate the procedure is the tran-cient induced LOCA T MQ-FM. 2 It is a transient initiated by a loss of main feedwater (T 2M) followed by a failure of a RCS relief valve to.reclose (Q) and failure of the containment spray recirculation and emergency coolant recirculation systems (F and H respectively). This sequence is a combination of transient sequence 3 and LOCA sequence 8. The dash in the accident sequence T 2 MQ-FH indicates a transient induced LOCA and thus a transfer from the transient event tree to the LOCA event tree. The events to the left of the dash (T2 MQ) are events from the transient event tree. Those on the right (FH) are the sequence events that continue on the LOCA event tree. The sequence label T2 MQ-FH is a convenient identifier since it represents all the systems which failed in the sequence. This con-venient identifier, however, should not be confused with the Boolean representation of the same sequence. Besides the systems which failed in this sequence, several systems operated successfully or were recovered. These are the reactor protection system (Event K), the Auxiliary Feedwater System and/or the Power Conversion System ( L) , the probabilistic demand and the opening of the RCS relief valves (P1 and P2), the containment spray injection system (C), the Containment Air Recirculation and Cooling System (Y and Z), and the emergency coolant injection system (D). The Boolean representation of the sequence depicts both the succeeded and failed systems and would be T2 EMLP i P2 0-CYDFZH. Quantification of this accident sequence requires the use of the Boolean sequence representation. 4-16
A number of the systems / events in this sequence are indepen-dent from all other systems / events. These are T2, K , M, P 1, E, F2 ' l and O. Since they are independent their unavailabilities/availa-bilities can be simply multiplied together. The unavailabilities/ availabilities of these systems can be determined from Table 4-6 as: P(T 2 M) = 3 per reactor year P(K) = 1 - (2 x 10-5) a 1 L = 1.0 - 3.0 x 10-3 1 P(P1) = .07 P(P2) "1- ( C) "1 P(0) ~ 8.0 x 10-2 Multiplying these values together yields 1.7 x 10-2, The rest of the system / events in the sequence (C Y D F Z H) are dependent due to sharing of various components and subsystems. In order to properly treat these dependencies in the accident sequence calculation a Boolean equation was written for each of the remaining system / events. These Boolean equations were derived in Appendix B and Tables 4-5 and 4-6 can be used to determine the necessary equations to perform the sequence calculation. These equations are:
- 1) CSIS success (event C), complement of Equation Bll-1(b)
C = S I AS CM + CS AS CM + (B + 0 + CSA2 + SIAL) - (C + P + CSB2 + SIB 1) 4-17
- 2) CARCS success (event V), complement of Equation B15-1(a):
Y = (R + SW21 + CSA1) * (S + SW22 + CSB1) * (T + SW21 + CSA1) - (U + SW22 + CSB1) + CSAS CM j The terms SW21 and SW22 represent cooling water i failures which af fect the CARCS. These terms can be replaced with Equations B14-1 and B14-2.respectively. From Appendix B-14, SW21 = A2 + C2 + D2 + SIA5 + SIA7 + SIASCM + SIAL *SIBl and SW22 = E2 + F2 + G2 + SIB 9 + SIB 7 +' SIB 5 ' SIAS + CSA3 CSB3 + SIASCM + SIAL
- SIBl + SIA8' SIB 8 .
- 3) HPIS success (event D), complement of Equation B8-1(a)-
! 3 = (B + KT + SIA2 + HPLP21C) - - ! ( C + LT + S IB2 + HP23 LP2 2 C) + (MT + SIAL) (N + SIB 1)+ A + SIASCM + HPCM 4-18
-mc *e- - - - n+-3 art. w -r > . ,
9--r wyyw -=w-- -7 r-r .--m -mi-- w+- v-- vs -
--e -
The terms HPLP21C and HP23LP22C represent cooling water failures which affect the HPIS. These two terms can be replaced with Equations B14-3 and B14-4, respectively. From Appendix B14, HPLP21C = Kl+L1 - (Ml+ SIB 7) + H1 and HP23 LP22C = J1+L1 - (Ml+ SIB 7) + H1
- 4) CSRS failure (event F), Equation B12(a):
F= (B + 0 + CSA2 + SIAL + R21 COOL + O' + W + RASAl) - ( C + P + CSB2 + SIBl + R22 COOL + P' + V + RASB1) + RAS CM . The terms R21 COOL and R22 COOL represent pump room cooling failures of the HPRS, CSRS, and LPRS. These two terms can be replaced with Equations B14-7 and B14-8, respectively. From Appendix B-14, R21 COOL = A2 + R21 + SIAL SIBl and l R22OOOL = E2 + R22 + SIAL SIBl .
- 5) E CRS failure (event H):
For this sequence, ECRS is successful if the High Pressure Recirculation System (HPRS) operates. For this sequence, event H is represented by Equation B9-1, 4-19
H = HPRS = (B + K + SIA2 + HPLP21CR + R21 COOL + K' + W + RASAl) * ( C + LT + SIB 2 + i HP23LP22 CR + R22 COOL + L' +V+ RASBl) + RASCM . The terms HPLP21CR and HP23LP22CR represent cooling water failures which affect the HPRS. These terms can be replaced with Equations B14-5 and B14-6, respectively. From Appendix B-14, HPLP21CR = K1 + Ll* (M1 + SIB 7) + H1 + RAS CM + (E2 + N1 + RASB1)* (R1 + S1 + A2 + RASA1) and i HP23 LP22 CR = J1 + Ll* (M1 + SIB 7) + H1 + RAS CM + (E2 + N1 + RASB1)* (R1 + S1 + A2 + RASA1). The terms R21 COOL and R22 COOL are discussed above. No equations were given for event 5. This is due to the fact that successful CARCS operation during injection (event Y) implies successful CARCS operation during recirculation (event Z). In general, each term in the expanded equations for events C, Y, D, F and H represents a group of system components. These groups or modules were constructed in order to reduce the number of' terms 4-20
in the Boolean equations. This greatly simplifies the accident sequence calculation, i.e., reduces the computer time required to perform the Boolean reduction. A module was created when it was assessed that a group of components, such as a pump train or con-trol circuit actuation train, were independent from all other plant components or modules. The expanded Boolean equations for C, Y, D , F, and H are now "anded" together and Boolean reduced. This reduction was per-formed by the SETS computer code (Reference 17). Reduction in-volves the elimination of redundant terms by applying the Boolean identities P
- P = %, P + PQ = P, and P -
P = P. Applying these identities eliminated a large number of the redundant terms. How-ever, due to the addition of complement events in the Boolean equa-tion, several redundant terms still remain. These redundant terms were eliminated by removing all complemented events from the remain-ing terms and reapplying the second Boolean identity given above. For example, after applying the Boolean identities the first time, two terms in the reduced Boolean equation may be of the form ABC + ABD. Since we are interested in the minimum number of component / module failures, or minimal cut sets, which cause an accident sequence to occur, the events C and D, which represent component / module success, are not important in the final results. These two terms can be replaced with the term AB. Reducing the equation a second time yielded terms which represent the sequence minimal cut sets. After obtaining the sequence minimal cut sets, the next step was to quantify them. This was done by substituting the point esti-mate unavailabilities for each term into the cut sets and performing 4-21
the arithmetic. The arithmetic was performed by the SEP computer code (Reference 15). Those cut sets with the highest frequency were then identified. These cut sets are the dominant contributors to the sequence fr equency . The total sequence frequency was calcu-lated by summing all the sequence cut set frequencies. The results of reducing and quantifying the dependent events E D F 5 H gives a probability of 3.3 x 10-3 It should be noted that this frequency is higher than what would be obtained by multi-plying the " independent" E, 7, D , F, 5, and H frequencies together due to common mode failures between systems. Multiplying this frequency by the independent event frequencies gives the T 2 0M-FH sequence frequency without recovery : T2MQ-FH (no recovery ) = (1.7 x 10-2)( 3.3 x 10-3 )
= 5.5 x 10-5 ,
Credit for possible recovery actions was given on a sequence-by-sequence basis and incorporated by hand after the computer sequence reduction. For this sequence, a 0.1 nonrecovery factor was anded to each cut set to reflect the probability that the operator would not close the PORV block valve. Block valve closure would terminate the LOCA. Including the 0.1 nonrecovery factor gives the final T 2MO-FH sequence frequency : T2MQ-FH = (5.5x10-5)(.1) = 5.5x10-6 , 4.3.2 Identification of the Dominant System Accident Sequences Using the procedure described in the previous section, each potential core melt event tree sequence was quantified. Those sequences with a frequency greater than 10-7 per reactor year 4-22
t are listed in Tables 4-7, 4-8, and 4-9. These sequences were given to Battelle Columbus Laboratories and analyzed in terms of accident processes. Work at Battelle consisted of attaching an appropriate containment failure mode probability for those sequences which were found to lead to core melt and the placement of the sequences in their proper PWR release category. (Battelle's work-is described in detail in Chapter 5.) Based on the estimated sequence frequency and release category placement, those accidents sequences which are expected to domin-ate the risk at Calvert Cliffs were identified. These sequences and the most important system failures which cause the sequence to ( occur (i.e., sequence cut sets) are discussed in detail in Chap-ter 6. 4-23
Table 4-1. Alterna e Equipment Success Combinations for Functions Incorporated into the Calvert Cliffs LOCA Event Tree Injection Phase Recirculation LOCA Reactor Containment Containment Size Subcriticality Overpressure Post Accident Emergency Overpressure Post Accident Emergency protection Radioactivity Core Protection Radioactivity Core Due to Steam Removal Coolingl Due to Steam Removal Cooling Evolution Evolution Rbactor Protec- 1/2 Contain- 1/2 CSIS 1/3 High 1/2 Contain- 1/2 CSRS 1/3 High tion System ment Spray Pressure ment Spray Pressure (RPS) Required Injection Injection Recirculation Recircu-0-2" (CSIS) OR 1/4 (HPIS) (CSRS) with lation S2 ContainEnt AND 1/2 Shutdown (HPRS) LOCA Air Recurcu- Alixiliary Cooling fleat lation Pan Feedwater Exchanger OR Coolers (AFWS) 1/4 CARCS ~ (CARCS) b e $ 2-6" Si 1/3 IIPIS LOCA - b/
%/
3/4 Safety 1/3 HPRS Injection OR Tanks AND
>6" A
RPS 1/3 IIP W Not AND 1/2 Low LOCA Required 1/2 Tow Pressure Pressure Recurcu-Injection lation
*# V (LPIS) # N (LPRS) 1 It is assumed that for small (S2) LOCAs, natural circulation is established.
See discussion in Chapters 5 and 6.
Table 4-2. Event Definition for the LOCA Event Tree LOCA - A breach of the pressure boundary of.the reactor coolant system (RCS) which causes an uncontrollable loss of water inventory. There are three LOCA categories. A Large LOCA - A breach of the RCS with a flow area greater than .2 ft2(A> 6" diameter). S1 Small LOCA - A breach of the RCS with a flow area greater than .02 ft2 and less than or equal to .2 ft 2 (6" >S1 > 2" diameter). S2 Small-Small LOCA - A breach of the RCS with a flow area greater than .001 ft2 and less than or equal to .02 ft2 (2" >S2> .5" diameter). K Reactor Protection System (RPS) - Failure of automatic reactor scram system (Note: This event applies only to Si and S2 LOCAs. For the large "A" LOCA, success is assumed due to the effects of blowdown.) C Containment Spray Injection System (CSIS) - Failure to provide flow from at least 1 of 2 reactor building spray pumps, taking suction from the RWST, through its respec-tive spray header into the containment atmosphere. Y Containment Air Recirculation and Cooling System (CARCS) - Failure to remove steam (heat) from the containment atmos-phere with at least 1 of 4 containment air coolers. 4-25
Table 4-2. Event Definition for LOCA Event Tree (Cont.) D Emergency Coolant Injection System (ECIS) - Failure to provide sufficient water to the core to prevent melt during the injection phase. ECIS for Large 'A) LOCAs - Failure to provide flow to the RCS from at least 1 of 3 high pressure trains, 1 out of 2 low pressure trains (taking suction from the RWST), and 3 out of 4 safety injection tanks.
, ECIS for Small (SI) LOCAs - Failure to provide the flow to the RCS from at least 1 of 3 high pressure trains.
ECIS for Small-Small (S2) LOCAs - Failure to provide flow to the RCS from at least 1 out of 3 high pressure pumps injecting into the core and 1 out of 2 auxiliary feedwater trains providing secondary cooling. F Containment Spray Recirculation System (CSRS) - Failure to provide flow from at least 1 out of 2 reactor building spray pumps, taking suction from the reactor building sump, through its respective spray header into the containment atmosphere. Z Containment Air Recirculation and Cooling System (CARCS) (Recirculation Phase) - Failure to continue to remove steam (heat) from the containment atmosphere with at least 1 of 4 containment air coolers. 4-26
Table 4-2. -Event Definition for LOCA Event Tree (Cont.) H Emergency Coolant Recirculation System (ECRS) - Failure to provide sufficient water to the core to prevent core melt in the recirculation phase of a LOCA. ECRS for Large LOCAs - Failure to provide recirculation flow to the RCS from at least 1 out of 3 high pressure trains or 1 out of 2 low pressure trains (taking suction from the reactor building sump). ECRS for Si and S2 LOCAs - Failure to provide recirculation flow to the RCS from at least 1 out of 3 high pressure i trains. G Containment Heat Removal System (CHRS) - Failure to provide sufficient cooling of the containment atmosphere to prevent containment overpressure and a subsequent core melt during the late recirculation phase. Containment heat removal can be provided by one of the following methods: Operation of at least 1 of 4 CARCS fan cooling units and its associated service water and salt water cooling trains. Operation of 1 of 2 CSRS trains and its associated com-ponent cooling and salt water cooling trains. 4-27
i, Table 4-3. Alternate Equipment Success Combinations for Functions Incorporated into Calbert Cliffs Transient Event Tree Reactor Containment , Coolant Overp res su re System (RCS) Protection Post-Accident Core Overpressure RCS Due to Steam Radioactivity Subcriticality Cooling Protection Integrity Evolution Removal A Reactor Protec- Power' Conversion 1/4 Safety / All Safety / 1/4 Containment 1/2 Containment [- tion System System Relief Valves Relief Valves Air Recirculatit>n Spray Systent ' co Required g Open When Reseat Fan Coolers Trains (CSIS)
- Demanded or or 1 of 2. Auxiliary 1/2 Containeent Feedwater Trains Spray Systes
- t. , ' trains (CSIS)
I F e ,
d Table 4-4. Event Definitions for the Transient Event Tree T1, T2, T3 Transient - Any abnormal condition in the plant which requires that the plant be shut down, but does not directly breach RCS integrity.
*Tt - Shutdown initiated by a loss of offsite power .
*T2 - Shutdown initiated by a loss of main feedwater caused by other than a loss of offsite power.
*T3 - Shutdowns with main feedwater initially available.
K Heactor Protection System (RPS) - Failure of the RPS to insert the control rod groups into the core. M Uninterrupted Power Conversion System (PCS) - Failure of the PCS to remain in uninterrupted operation following a transient. Since the PCS will be interrupted by a T1 and T2, event M will always follow these initiators. s i L Auxiliary Feedwater System ( AFWS) or recovery of the PCS - Fail-ure to provide steam generator cooling by the use of at least one of the following methods: a) Recovery of the PCS b) Flow from at least one of the AFWS turbine driven pumps to at least one stean generator. 4 4-29
l Table 4-4. Event Definitions for Transient Event Tree (Cont.) Py RCS Safety / Relief Valve _ Demand (SR/ Demand) - The probability
- that the safety / relief valves are not demanded (i.e. - RCS pressure does not exceed relief setpoint) .
P2 Safety / Relief Valves Open (SR/VO) - Failure of sufficient S/RVs to open and relieve excess primary system pressure. O Safety / Relief Valves Close (SR/VR) - Failure of any S/RVs which opened to reseat. f U Chemical Volume and Control System (CVCS) - Failure of the CVCS to inject concentrated boron solution into the RCS after an anticipated transient without SCRAM and success of the AFWS. l O Containment Air Recirculation and Cooling System (CARCS) - Failure to prevent containment overpressure due to steam evolution by the use of at least one CARCS fan cooling unit. O' Containment Spray Injection System (CSIS) - Failure to prevent containment overpressure due to steam evolution or remove radioactive effluents from the containment atmosphere by the use of at least one CSIS' subsystem. 1 4-30
Table 4-5. System Equations and Unavailabilities Used in the Calvert Cliffs LOCA Sequence Analysis Systerns lOCA Initiator Incorpor-ated into IIXA Event Tree Events A Si S2 T01 T20 and T30 RPS (Event K) N/A 2.0x10-5 2.0xlO-5 N/A N/A GIS Eq. Bil-1(a) Eq. Bll-1(a) Eq. B11-1(b) Eq. Bil-1(c) Eq. Bil-1(b) (Event C) CARG Eq. B15-1(a) Eq. B15-1(a) Eq. B15-1(a) Eq. B15-1 Eq. B15-1(a) (Event Y) IIPIS Eq. B8-1(b) Eq. BB-1(b) Eq. BB-1(a) Eq. B8-1 Eq. B8-1(a) (Event D) (IAS 9.0x10-4 N/A N/A N/A N/A (Event D) AINS N/A N/A Eq. B13-1 Eq. B13-2 Eq. B13-1 (Event D) IPIS Eq. B6-1 N/A N/A N/A N/A (Event D) GRS Eq. B12-1(a) Eq. B12-1(a) Eq. B12-1(a) Eq. B12-1 Eq. B12-1(a) (Event F) CARG See Note 1 See Note 1 See Note 1 See Note 1 See Note 1 (Event Z) IIPRS Eq. B9-1(a) Eq. B9-1(a) Eq. B9-1(a) Eq. B9-1 Eq. B9-1(a) (Event II) IPRS Eq. B7-1 N/A N/A N/A N/A (Event II) OIRS Eq. B14-10 Eq. B14-10 Eq. B14-10 Eq. B14-10 Eq. B14-10 (Event G) Footnotes for Table 4-5 can be found on next page. 4-31
1 I l Footnotes for Table 4-5 ,' l. No equation was used for the CARCS during recirculation mode since it was assumed that Event Y impliee Event Z and similarly, Event 7 implies Event Z. ) 3
- 2. No equations are given for systems which are totally independent 1 of all others. Instead, the independent point estimate i unvailabilities of the independent systems are listed.
- 3. Some of the above equations may refer the reader to support j system equations in other appendices.
l I i 1 1 l I i a I I i i i I 4-32 I i
Table 4-6. System Equations and Unavailabilities Used in the Calvert Cliffs Transient Sequence Analysis Systems Transient Initiator Incorporporated into the Transient Event T1 T2 T3 Tree Events RPS e 2.0x10-5 2.0x10-5 (Event K) Uninterrupted PCS 1.0 1.0 1.0x10-2 (Event M) PCS Recovery 1.0 1.0x10-1 1.0 (Event L) AFWS Eq. B13-2 Eq. B13-1 Eq. B13-1 (Event L) Safety / Relief 1.0 7.0x10-2 7,ox10-2 Valve Demand (Event P1) Safety / Relief c c c Valves Open (Event P2) Safety Relief 8.0x10-2 8.0x10-2 8.0x10-2 Valves Reclose (Event Q) CVCS .1 .1 .1 (Event U) CARCS Eq. B15-1 Eq. B15-1(a) Eq. B15-1(a) (Event O) CSIS Eq. Bll-1(c) Eq. Bil-1(b) Eq. Bil-1(b) (Event O') If AC power is interrupted, failure of the RPS is negligible. Refer to Appendix B3. 4-33
Table 4-7. Dominant LOCA Sequences A Sy S 2
~
-6 -6 AD 5.1x10 SHy 1.5x10 3H 2
5.0x10
~ -6 AH 4.0x10 S y FH 1.0x10 S FH 3.3x10 2
~ ~
-6 AFH 3.2x10 SDy 4.8x10 S CY 2
1.0x10
~ ~7 ACY 1.0x10 SyCY 3.0x10 S 2 Yu 1.0x10
~
S CD 1.0x10 2 4-34
Table 4-8. Dominant Transient Induced IOCA Sequences Ti T9 T~3 T yMQ-D 2.9x10 -5 T2MO-II 8.5x10-6 T 3MQ -II 1.1x10-7
-5 TyMQ-li 2.4x10 T 2MO-FII 5.6x10-6 TyMQ-Fli 1.2x10 T 2MQ-D 3.2x10-6 T yMQ-CD 6.0x10 -6 T 2MO-CY 1.7x10-6 T yMQ-CYD 4.0x10 -6 T 2MO-YG 1.7x10-7 T yMO-CII 2.3x10-6 T 2MQ-CD 1.4x10-7 T IMO-CY 2.2x10-6 T 2MQ-C11 1.3x10-7 T iMO-YDG 1.3x10-6 T 2MQ-CYD 1.0x10-7 T IMO-YIIG 8.4x10-7 T IMO-YD 8.3x10-7 T IMO-DF 8.1x10-7 TyMQ-YFl! 5.7x10-7 T iMQ-YII 2.7x10-7 T tMO-YG 2.7x10-7 4-35
. _ = . _. ..
i 2 Table 4-9. Dominant Transient Sequences I T1 T2 T3 .i T t ML 7.2x10-4 T 2 ML 9.0x10-4 T 3 ML 1.2x10-4 T iMID0 ' 1.0x10-4 T 2 KML 6.0x10-5 T3MLO' 4.6x10-7 T y MLO 6.0x10-6 T2 Mw' 3.5x10-6 T 3 MID- 4.2x10-7 f TiMID' 4.2x10-6 T 2 MID 3.2x10-6 T3MIDO' 1.2x10-7 T 2MLOO' 9.3x10-7 a i r i i 1 i j 'l 4 1 h 4-36
-,.-...,_.-m,,,_.. - - . - , , . - _ _ . _ _ _ _ , _ _ , - . . _ , __.,_....,_-_,.m- . . , _
LOCA RPS CSIS ECIS CSRS ECRS CNRS RC) No. Sequence Result A,53,Sy K C Y D F Z H G Fey to Pesults S - Safe Condition g R 1 LOCA S CM - Core Melt < 2 H CM g , 3 Z S i G 4 ZG CM Z H N 5 i G a 6 ZHG CM E 7 F S Z i i H 8 FH CM F _ y H 9 FZ CM i H 10 FZH CM 2 11 D CM I E 12 DZ CM D l G 13 DZG CM g Z 14 DF CM i C i 2 15 DFZ CM 5 16 Y S n G 17 YG CM F sequence 3 5 18 YH CM _ H i for transaent D G 19 event tree _ YHG CM H 20 YF CM I I Y i H 21 YFH CM _ d 22 YD CM
" K F i p i G 23 YDG CM F 24 YDF CM Success y II 25 C S d i H 26 CH CM D
R 27 CZ CM V l H 28 CZH CM D , C i Z 30 CDZ CM t g E 3h CY CM Failure 5 from CM sequences 15ens and.2,ee y ! H 32 CYH s,.ns,. . e. D 33 CYD CM
,K 34-66 K's Figure 4-1. Calvert Cliffs LOCA Event Tree
SSR and lSSR and Uninter- AFWS or rupted PCS TE RPS PCS Recovery SR/ DEMAND SR/VO SR/VR CVCS CARCS CSIS NO. SEQUENCE RESULTS T g.7 2 3'Y R M L Pg P 2 O U O O' E 1 T S u_ F, ,
- 2 TM S En I . O - - - - - - - - - - - - - 3 TMQ- 14CA I E g P, 4 TM,2 S i
P' 5 TMP g S M I E u L. .See Note 1 p, m O' 7 TMLO' CM O i 8 "W G
' O* 9 TMI4O' CM L
g , d' 10 TMLP 2 U" SUCCESS O' p, - 11 TMLP O' CM O' 12 TMLP y 0 CM O ,
= 0 g3 9ygp oo. CM g 2 F2 ,
14 TR S 9 15 LOCA 1p
- - - - - - - - - - . - TRQ-M ge PAILURE g , 16 TRP 2
CN P, ' O' gy 7,p 0' 2 CM O* f 0 , 10 TRPy 0 CM W g 19 TRPyOO' CM W 20 TRM S O_ 5 , 21 TmU CM R U 2* 22 TRMUO' CM
' O 0* 23 TRMUO CM
' O' 24 TEMUOO' CM E O 25 TRMQ- LOCA 5 ,
6' 26 TRMP y CM Py O' 27 TEMP2 0' CM O l 0 , 28 TKMP2O CM M = O' 29 TEMP2OO' CM 5' 5 , 30 TRML CM E3 . O' 3g 9,,gg. cy O* REY TO RESU*.TS O , 32 TRMID CM S - Safe u*o ition
. 33 Tmt40' CM 5 4 Tmp U" CM - Core Melt Py a o. 2
_ 35 TRMLP2 O' CM LOCA - Goes to LOCA O' Event Tree O 36 TmW O 2 CM l O. Note 1. 37 TEMLP2 00' CM
*1ay lead to overcooling transient Figure 4-2. Calvert Cliffs Transient Event Tree
l 1 LPIS Check Valve EP RPS ECl # SEQ CORE Rupture V B K D 1 V M 2 VD M 3 VK M 4 VB M i Figure 4-3. LPIS Check Valve Rupture Event Tree 4-39
L *' F EP CSIS ECl ECF CSRS CHRS LPRS SHA LOCA SEQUENCE 4 R C D E F G H I
, 1. A
- 2. Al
, 3. AH I 4 AHI
, 5. AG.AHG
- 6. AGl. AHGI
, 7. AF AHF
- 8. AFl. AHFI
, 9. AE j 10. AEl
, 11. AEG
- 12. AEGI
, 13. AEF 14 AEFI
, 15. AD
' 16. ADI
, 17. ADG
- 18. ADGI
, 19. ADF
' 20. ADFl
, 21. AC
- 22. ACI
, , 23. ACH 24 ACHI
, 25. ACG ACHG Yn i 26. ACGl.
ACHGI
- 27. ACF. ACHF
, 28. ACE
- 29. - ACEI i 30. ACEG
- 31. ACEGI
- 32. ACEF
, 33. ACD 34 ACDI No , 35. ACDG
' 36. ACDGI
- 37. ACDF
- 38. As i
Figure 4-4. Surry Large LOCA Event Tree 4-40
-.--y, , , - - - - - - - . , - - - . - , , , - - . - - - , , . - , - ,. ..v- , , , - -,,,-n. - - - .,- ,. .-- , ---- -a
3'nal EP RPS CSIS ECl CSRS CHRS ECR SHA LOCA s SEQUENCES S t B K C D F G H I
. 1 51
' 2 Sit l i 3 51H 4 S1HI l . 5 StG,51HG 6 SIGI, 51HGl
, 7 51F,S1HF 8 S1F I, S1HFI i 9 S1D 10 S1DI i 11 SIDG
' 12 SIDGI i 13 SIDF
' 14 S1DFl i 15 SIC 16 SICI
, 17 SICH
' 18 51 CHI
, 19 51CG
' 20 S1CGI 21 S1CF
, 22 SICD
' 23 SICDI
, 24 SICDG 25 SICDGI 26 SICDF
- 27 S1K 28 S1KI i 29 S1KG 30 S1KGl i 31 S1KF 32 S1KFI 33 S1KC No 34 51KCG 35 S1KCF 36 stb 37 S1BK Figure 4-5. Surry small LOCA (S 1, 2" - 6" Diameter) h RCS 4-41
6 0C EP RPS Sp .jI CSIS ECl CSRS CHRS ECR SHA S2 a K L C D F G H I i 1 52 2 SI2 i 3 SH 2 4 S2HI i 5 S2G, S2HG 6 S2GI, S2HGI j 7 S2F, S 2H F 8 S2FI, S2HFI
, 9 SD 2
' 10 S201
, 11 52DG 12 S2DGI 13 S2DF 14 S2DFI 15 SC 2
16 S2CD 17 S' 2 18 S2LI
, '9 S2LG 1
20 S2LGI
, 21 S2LF Yes 22 S2LFI g 23 S2LC
, 24 SK2 25 S2K1
, 26 S2KG I 27 S2KGl
, 28 S2KF y I 29 S2KFi 30 S2KC No i 31 SB
' 2 32 S2 BK Figure 4-6. Surry Small LOCA (S2) Event Tree 4-42
~ , . - - _ . - . . - _ , . . - _ . _ ..
1' l i TI #4 586 Esos ser sat CvCS ##1 pcs asas yo va em SEQUtasCE T E M L P O U
- t 7 3 Tw I
3 TU 4 Tu u 3 TWw e Tuu
? TML l 3 TWLO
, ,. m to TMLP 19 TE I 12 TEW
- 13 TEU 14 TKO ll TE00 le TEP 17 TEM i i le TEWW E
10 TEMU 30 TEMO
- a 2 TauOW 23 7Eur 23 TEuL 34 TEMLP Figure 4-7. RSS Transient Event Tree, PWR 4-43/-44
! 5.0 ACCIDENT PROCESS ANALYSIS TASK This chapter summarizes the results of the accident processes and source term evaluation for core meltdown accidents in the Calvert Cliffs PWR. 5.1 Scope i The accident processes task is aimed at quantitatively describing the physical phenomena that are expected to occur dur-ing reactor meltdown accidents and at determining the nature and quantities of fission products that would be expected to be
! released from containment during the various accident sequences.
The principal physical processes and accident parameters of l concern are: i a) the time scale of the accident, particularly the I times for the start and completion of core melting, b) the time required for the molten core to fail the
" reactor vessel bottom head, c) possible energetic interactions when the core debri.s falls into water on the floor of the reactor cavity, including the likelihood of containment failure due to such interactions, d) long-term pressure-time history within the reactor containment, including the likelihood and time of containment failure due to overpressure, 5-1
e) the probability and consequences of hydrogen burning or detonation within the containment building , f) the interaction of the core debris with the concrete foundation, g) the magnitude and timing of fission product release from the fuel to the containment atmosphere, h) the transport and removal of the various fission product species within the containment building atmosphere, and i) time-dependent leak rate from the containment building, including the airborne fission products. The analyses were conducted with the MARCH (Reference 2) and CORRAL computer codes. MARCH performs a consistent analysis o2 the thermal-hydraulics associated with the successive stages of core meltdown and containment response. It represents a signifi-cant improvement over the nethods of meltdown analysis used in the RSS. CORRAL describes fission product transport and deposition wit:iin the containment and determines the leakage to the environ- .aent. Much of the input required by CORRAL is provided by MARCH. The current version of CORRAL is a modification and generalization of the CORRAL code developed during the Reactor Safety Study. The general features of the CORRAL code are described in References 2 and 3. 5-2
5.2 Containment Processes and Accident Sequence Selection 5.2.1 Containment Event Tree The containment event tree utilized for the Calvert Cliffs evaluation was identical to that developed in the Reactor Safety Study. This is shown in Figure 5-1, with the notation given in Table 5-1. 5.2.2 Containment Failure Pressure The Calvert Cliffs containment structure consists of a post-tensioned reinforced concrete cylinder and dome connected to and supported by a massive reinforced concrete foundation slab. The interior surface of the structure is lined with a 1/4-inch thick welded steel plate to assure a high degree of leak tightness. In the post-tensioned concept, the internal pressure load is balanced by the application of an opposing external pressure type load on the structure. Sufficient post-tensioning is used on the cylinder and dome to more than balance the internal pressure so that a mar-gin exists beyond that required to resist the design basis accident pressure. Bonded reinforced steel is also provided to distribute strains due to shrinkage and temperature changes. Additional bonded reinforced steel is included around penetrations and discontinuities to resist local moments and shears. The basic design criterion is that the integrity of the liner be maintained under all anticipated load conditions and the structure shall have an elastic, low-strain response under all design loadings. The post-tensioned tendons are stressed to 80 percent of ultimate strength during installation and perform at 50 to 60 percent during the lifetime of the containment. 5-3
Some of the principal design parameters for the containment building are as follows: Inside Diameter 130.0 ft Inside Height 181.7 ft Vertical Wall Thickness 3.75 ft Dome Thickness 3.25 ft Foundation Slab Thickness 10 ft Liner Thickness 0.25 in Free Volume 2,000,000 ft3 Design Pressure 50 psig Design Leak Rate 0.33 v/o per day ' In the absence of detailed information on the sizing and placement of reinforcing in the structure and given the limited scope of the study, it was not possible to perform a detailed anal-ysis of the structure to define an expected failure level. On the basis of available information on the details of the structure and limited analyses, it was initially estimated that the yield strength of the prestressing tendons, as defined by one percent deformation, would be reached at an internal pressure of about two times the design level. Relative little additional load bearing capacity would be gained in going to the ultimate strength of the tendons. A failure pressure of twice the design level, or 115 psia, was assumed in the initial analyses of this study. If consideration is given to the strength of the conventional reinforcing steel, that of the containment liner, effect of dead loads, etc., a somewhat higher nominal failure level can be derived. A failure pressure 5-4
of 135 psia was used, where applicable, for the derivation of the probabilities of the several containment failure modes. As utilized here, the failure pressure is not a single discrete value, but a continuous variable with a cumulative probability dis-tribution. This approach recognizes that the probability of struc-tural failure is small at loads slightly above design, but increases with increasing loading. By definition, the probability of failure at the nominal failure pressure is 0.5; it approaches unity as the stresses due to the loading approach the ultimate strength of the materials. Under this approach, a failure pressure of 135 + 10 psia has been used for the purpose of this study. 5.2.3 Calvert Cliffs PWR Accident Sequences Considered Accident event trees have been developed by the Systems Analysis Task for several LOCAs (A, Si, S2) as well as transients (T1, T2, T3). Based on the preliminary evaluation of the event trees and the potential consequences of the various sequences, a number of accident sequences were identified as being potentially important with regard to overall accident risk. This set of accident sequences, identified in Table 5-4, was examined in more detail; the results of these analyses formed the basis for the conclusions of this study. A number of these potentially important sequences were explicitly evaluated by means of MARCH and CORRAL calculations; others were evaluated on the basis of their similar-ity with sequences explicitly calculated; still others were con-sidered on the basis of insights developed as a result of related analyses on other reactor designs. 5-5 l
Those sequences for which explicit calculations were not performed were compared with sequences for which such calculations were available. The bases of such comparisons were phenomenological similarities, as discussed below. Sequences characterized by loss of containment heat removal will have similar ultimate consequences regardless of the initiating event; while the initiating event and other failures will influence the specific timing, the essential feature of such sequences is meltdown in a failed containment. The primary system response of transients with stuck open safety / relief valves has been found to be very similar to small LOCA sequences. In sequences with containment safety systems operating, the prin-cipal threats to containment integrity are hydrogen burning and/or rapid steam generation from debris quenching; if these are avoided then containment meltthrough would be the principal failure mode. In core melting sequences without any containment safety features operating, the containment atmosphere will tend to be steam rich I and hydrogen burning may not be possible. Phenomenological simi-larities such as the above can be used to effectively evaluate a large number of accident sequences on the basis of the results of a limited set of specific calculations. The sequences selected i for detailed evaluation are based on the probabilities as deter-mined by the Systems Analysis Task as well as by the need to cover a range of phenomena. Additionally, it may be noted that the Calvert Cliffs evaluation had the benefits of the insights developed in previous analyses on several other PWRs. i 5-6
- . .. - . . - . - - . . ~ .
5.3 Analyses of Accident Processes The MARCH (Meltdown Accident Response Characteristics) code provides the analysis of the various thermal-hydraulic processes during reactor meltdown accidents. MARCH contains a number of interrelated and coupled subroutines, each of which treats a par-ticular process or phase of the accident. The principal subrou-tines are noted below. PRIMP and BOIL evaluate the primary coolant system response including pressure history, coolant leakage, effect of secondary system heat transfer, and emergency core cooling sys-tem operation, if appropriate. These features are essential for the analysis of small break and transient accident sequences. BOIL is the only element of MARCH that was available at the time of the Reactor Safety Study. The initial versions of BOIL described the boiloff of water from the reactor vessel and the meltdown of the core up to the point of core support failure; they assumed a large LOCA as the initiating event. The current version of BOIL provides continuous transitions for core collapse, grid plate failure, and the dropping of the core debris into the lower head of the reactor vessel; a number of user-selected options are provided for these transitions. HEAD evaluates failure of the reactor vessel head considering meltthrough as well as the effects of pressure stress; the latter can have a significant effect in small break and tran-sient sequences. The HOTDROP subroutine describes the interaction of the core debris with water in the reactor cavity following vessel meltthrough, including such ef fects as debris fragmentation, heat transfer, and chemical reactions. The interaction of the core debris with concrete is described by the INTER code (Reference 5); 5-7
the latter was written at Sandia National Laboratories and has been adapted and integrated by BCL into MARCH. The FPLOSS routine describes the release of the radionuclides from the fuel and fol-lows the heat source associated with each group of fission products. The MACE routine describes the containment temperature and pressure history taking into account nuclear and chemical heat generation, heat losses to structures, effects of containment safeguards, intercompartment flows, leakage to the outside, etc. MACE is con-tinuously coupled to other subroutines in MARCH. It may be noted that the MACE subroutine in MARCH provides the essential contain-ment thermal-hydraulic input required in CORRAL, the fission 1, product transport code to be discussed later. 5.3.1 Results The input parameters to the MARCH code used to represent the Calvert Cliffs plant were derived largely from the FSAR; the data derived from the latter were supplemented somewhat by a site visit as well as limited input from other sources. For purposes of the l MARCH analyses the containment was modeled as a single volume. Following containment failure the containment sprays and/or coolers, if initially operating, were assumed to fail. Containment failure was represented as a 7 ft2 opening. The results of the MARCH analyses of the key accident sequences are summarized in Table 5-2. As can be seen, not all the accident sequence-containment failure mode combinations were eval-uated. However, a sufficient number of cases were evaluated in detail to develop an overall insight on expected phenomena in the 5-8
sequences of interest. Some general observations on the MARCH results are given below. Details of the Calvert Clif fs MARCH calculations are given in Appendix C. The accidents initiated by pipe ruptures were broken up in the Systems Analysis Task into three categories according to the size of the initiating primary system break. A classification of this type was required because the probability of occurrence varies with the size of the break and also because the specific-engineered safety features required to mitigate the LOCA are a function of the size of the break. In terms of the accident response as predicted by MARGI, the LOCAs initiated by greater than 2-inch diameter breaks (SI) are substantially similar to the large break (A) cases. While the depressurization and blowdown rates for the Si cases are different from the A cases, they are sufficiently rapid for these sets of cases so as to lead to very similar times for safety sys-tem actuation, core nelting , containment failure, etc. Thus, from the accident processes viewpoint, the A and Si sequences were treated as equivalent. For LOCAs initiated by breaks of < 2-inch diameter (S2), on the other hand, the predicted accident behavior was sonewhat dif ferent. In the evaluation of the accident pro-cesses, the S2 sequences were characterized by 2-inch diameter b re aks . For these small breaks the primary system depressuriza-tion is quite slow, with core melting in most cases taking place while the primary system was still at elevated pressure. The lat-ter situation has several implications, including: reducing the probability of the occurrence of reactor vessel steam explosions, shortening the incremental time required for reactor vessel failure 5-9
(meltthrough) due to the addition of significant pressure stress, and delaying the discharge of accumulator water until af ter sub-stantial core melting or even af ter reactor vessel failure. The transient (T) sequences with stuck open relief valves (Q) were typified by extended primary system depressurization times and, thus, were similar in many respects to the S2 sequences discussed above. In transient sequences with relief valves working properly, , coolant boilof f and subsequent core melting typically take place at very high pressures; with the potential for severe challanges to the containment following vessel f ailure. 5.3.2 Containment Failure Modes The containment event tree used for the present analysis is the same as that developed in the Reactor Safety Study for the PWR. Some further observations based on the MARCH analyses of a number of accident sequences will be given here. The consideration of the possibility of containment rupture due to steam explosions in the reactor vessel (a) is largely based on the analyses that were conducted for the Reactor Safet's Study, with some modifications to take into account subsequent experi-mental work. Based on fuel-coolant interaction work at Argonne National Laboratory (Reference 6 ), Sandia (Reference 7), and others, occurrence of steam explosions in the presence of a high ambient pressure is believed to be very unlikely. As was noted above, high primary system pressures during the core melting phase have been predicted for many of the small breaks (S2) and transient (T) sequences. In these situations, the probability 5-10
of a , the containment failure due to a steam explosion in the reactor vessel, is taken as 0.0001. In the absence of high pres-sure, the a probability is the same as that used in the Reactor safety Study, namely 0.01. There are indications that these prob-abilities are too conservative (References 6 and 7). Since they do not appear to have any appreciable impact on the predicted risk profile, these probabilities are retained for consistency with pre-vious analyses of the overall program. The differences in design between Calvert Cliffs and the Reactor Safety Study PWR are not expected to have any appreciable influence on the effects of a steam explosion if it does take place. Containment leakage (p) results from the failure to isolate, in the event of an accident, containment penetrations that are normally open. None of the sequences involving containment iso-lation failure were found to be among the dominant ones in the Reactor Safety Study and the same situation is expected to pre-vail for the Calvert Cliffs plant. This is a result of the combination of low probability of these sequences together with relatively modest consequences associated with them. As a result of these considerations, no containment leakage sequences were explicitly evaluated in this study. Two types of containment overpressure (6) scenarios were identified for the dominant Calvert Cliffs accident. sequences. In one type, loss of all containment heat removal with ECC systems operational leads to a slow pressure buildup and, in the absence of corrective action, certain overpressure failure occurs. The second type is associated with rapid boiloff of water from the reactor 5-11
cavity. For transients and some small LOCAs, accumulator injection may not. occur until after head failure. At head failure, the accumulator water as well as the molten core are injected into the reactor cavity. In some sequences, the Calvert Cliffs reactor cavity may also contain additional water draining from the con-tainment floor. Rapid quenching of the core debris by the water in the reactor cavity may lead to overpressure failure even with containment safeguards operational. ' The potential for containment rupture due to hydrogen burning (Y) depends on a number of factors, namely, composition of the atmosphere, availability of an ignition source, and incremental pressure rise associated with the burning. i MARC 11 analyses indicate that for the Calvert Cliffs core melt sequences initiated by large and intermediate LOCAs, with contain-7 ment safeguards operating , conditions favorable to hydrogen burn-
- ing will be achieved prior to the end of core meltdown and are generally maintained for the duration of the sequence. In corre-sponding sequences with no containnent safeguards, the high partial pressure of steam that typically results may preclude hydrogen burning. In small break (S2) and transient (T) sequences, all of the hydrogen is not released to the containment as it is generated ,
but may be retained partially in the primary system until reactor vessel failure. Thus the atmosphere may not be flammable prior to vessel head failure. The flammability of the atmosphere sub-seque nt to head failure and the release of all the hydrogen may again depend on the status of the containment safeguards. Com-binations and intermediate ' situations can also be observed in 5-12
specific cases, e.g., flammable atmosphere for limiced periods of time. The question of the availability of an ignition source for , hydrogen burning can have several ' aspects. The hydrogen generated during the core melting process will generally be at a very high temperature. If the path from the core to the containment atmo-sphere is short, e.g., for a hot l'eg break, t.he hydrogen may be above the spontaneous ignition temperature upon release to the containment and no other ignition source will be required to pro-duce burning. If, on the other hand, the hydrogen passes through asubstantiallengthofpipingbeforereachingthecontainmentfit - may be cooled to the point where an exte'rnal ignition source would be required to produce burning. In various studies of large scale melt-concrete interactions, hydrogen burning is a normal side effect. Thus, the time of reactor vessel meltthrough and dropping of the core debris on concrete may be the most likely point in the accident sequence for the ignition of hydrogen. For purposes of determining containment failure mode pr'obabilities, . ignition of hydrogen, at the time of vessel meltthrough, has baen assumed if the composition of the atmosphere is determined to lue in the Some points of qualification regardihg the flammable region. application of the experimental observations to the present anal- , yses should be noted. The experiments were conducted in a normal atmosphere with an essentially unlimited supply of cxygen (air); this is clearly not the case in a closed containment where the quantity of air is limited and where the partial pressure of steam may be considerable. Also, in many of the accident sequences of 5-13
interest, the dropping of the core debris is accompanied by large quantities of water; whether this water could cool the evolved hydrogen suf ficiently to avert ignition is unknown . Some further considerations with regard to the treatnent of the hydrogen burning cases are as follows. While hydrogen burn-ing could conceivably take place at widely varying times, as noted previously, the most likely time of hydrogen ignition was judged to be the time at which the core debris drops to the floor of the reactor cavity. At this time the hydrogen concentrations are generally well into the flammability range and the assumption of burning may lead to the prediction of a significant probability of containment f ailure even though the co.itainment sprays and/or coolers are ope rating . If it were assumed that the hydrogen burned as it was generated, or as soon as a flammable composition was achieved, the effective rate of energy input into the contain-ment would be lower, and the time of containment failure could be i later than under the present assumptions, i f it were predicted at all. This could, in turn, shif t the hydrogen burning cases to lower release categories for the cases with sprays operating. The latter set of assumptions would require the availability of an i ignition source other than the nelt-concrete interac' cion. The present assumptions regarding hydrogen burning are believed to lead to conservative predictions. - 5.4 Fission Product Release Evaluation The fission product release model used in the present analyses is the same as that used in the Reactor Safety Study. 5-14
-- -,s, - - e p y y4n p e -
-mv v
The model consists of four fission product release terms for each of seven classes of fission product species; additionally, a frac-tion of iodine, one of these species, can be specified as being converted to organic iodine. The release terms and classes of fission products are noted in the discussion below; the basis for and details of this model are given in Appendix VII of WASH-1400. 5.4.1 CORRAL Code The CORRAL (Containment of Radionuclides Released After LOCA) code describes fission product transport and deposition la contain-ment systems of water-cooled reactors. CORRAL II, the version used here, is a revised and generalized version of the program written for the Reactor Safety Study (see Reference 2 ). The containment is represented by up to fif teen individual compartments connected to each other in any combination of series or parallel arrangements. Radionuclide release into the containment by any of four release mechanisms for each of eight groups of fission products can be specified. The four mechanisms for fission product release from the core debris are: gap release ( cladding rupture), fuel melt-ing (core meltdown), fission product sparging during concrete decomposition (vaporization release ), and steam explosion release (oxidation). The eight groups of radionuclides considered are: noble gases, molecular iodine, organic iodine, ces in.a-rubid i um , tellurium, barium-strontium, ruthenium, and lanthanum. Radio-nuclides can be removed f ron the atmosphere by particle settling deposition, spray removal, pool scrubbing , filters, etc. Input requirements for CORRAL include: description of the containment 5-15
system, engineered safeguards parameters, timing of accident events, thermodynamic conditions as a function of time, inter-compartment flows, leakage rates, and fission product release component fractions. The code uses this input to continuously compute changing properties and fission product removal rates as a function of tine. These values are used in incremental solu-tions to the coupled set of differential equations to obtain the time-dependent fission product concentrations and accumulations in each compartment of the containment. The principal output consists of cumulative fractional releases from containment with time for each of the fission product groups. 5.4.2 Results The inputs on accident event times, containment thermal-hydraulics, etc., required by CORRAL are derived from MARCH calculations. As in the case of the MARCH runs, for the CORRAL calculations discussed here the containment was modeled as a single volume. Following containment failure the sprays and/or coolers, if initially operating, were assumed to fail. While the i latter is not necessary in all cases, certainly the ef fectiveness i of sprays or coolers in a con +minnent with a major failure would be greatly diminished. The results of the CORRAL calculations performed specifically for the Calvert Cliffs plant are summarized in Table 5-3. The
- results of the specific CORRAL cases presented here in addition to those from similar sequences for other RSSMAP plants were used to j
estimate the release fractions for sequences that were not evaluated 5-lb
in detail. The bases for estimating release fractions for sequences that were not explicitly evaluated are phenomenological similarities to sequences that have been evaluated, either under this specific effort or related programs. Some examples of such similarities are noted below. The fission product releases for meltdowns in initially failed containments have been found to be very similar, even with wide variations in initiating events and ! containment failure times. For accidents with core melting in the absence of containment safety features, leading to early contain-ment failures, the releases are typically large. If containment overpressurization is delayed a long time, or averted, the fission product releases will be small, even in the absence of active safety features. 5.5 Summary and Discussion of Results The combined results of the MARCH and CORRAL analyses of the Calvert Cliffs PWR key accident sequences are summarized in Table 5-4. Given here for each of the previously identified sequences are applicable containment failure modes and the estimated release category for each accident sequence-failure mode combination. Also shown are the estimated probabilities of the various containment failure modes for each sequence. The release categories assumed here are the same as those defined for the PWR in the Reactor Safety Study. It may be noted, however, that in many cases the specific fission product release calculated in the present study did not correspond very closely to the previously defined release 5-17
ca teg ories. This suggests a need to re-evaluate the definition of the Reactor Safety Study release categories and consider the establishment of alternate, perhaps more generally applicable categories. In assigning sequences to release categories, the
-attempt was made to find the most reasonable fit for a particular ,
- site of calculated releases to a corresponding category. Typi-
! cally, with the exception of the noble gases, all the fission product groups were considered in this assignment. - Since all the r noble gases are generally released, this group does not provide a very meaning ful basis for discrimination among categories. 5.5.1 Assignment to Release Categories From Table 5-4 it is seen that all the steam explosion cases for Calvert Clif fs are estimated to fall into Release Category 1, even those in which the sprays are initially operating. In the Reactor Safety Study, the latter were predicted to be- in Release Category 3. Examination of the details of the analyses indicates that the higher release fractions currently calculated for steam-explosion cases with sprays initially operating are a direct result of larger puf f releases associated with the steam explosion itself. The MARCH analyses take into account the vapor generated by the steam explosion and include this in the puff release. For steam explosions at low containment pressures, this results in larger , fractional releases than were previously predicted. The results for steam explosion with no containment sprays are consistent with previous results. 5-18 v - ~ g g w.rm---por i..r-.m-w> --.%. 1, . ,. -y9 -.n.g y- 9 -M 7-- P mT7-- -' e-m'----
r Based on previous results, sequences involving loss of containment isolation (p) were assigned Category 4 or Category 5 releases, without and with containment sprays, respectively. Containment f ailure' due to hydrogen burning (7) w'as found to lead to Category 2 and 3 releases. The Category 2 releases generally occur in the absence of containment sprays during core meltdown. The Category 3 releases are generally associated with sequences in which containment sprays are operational, but in which hydrogen burning is predicted to fail containment at about the time of vessel bottom head failure. Containment overpressurization (6) in the absence of containment heat removal, but with operational emergency core cool-ing systems, leads to meltdowns in a failed containment and has been found to result in Category 2 releases. Overpressurization due to rapid boilof f of water from the reactor cavity by quenching of the core debris leads to Category 2 or 3 releases, depending on the availability of the containment sprays up to the time of contain-ment failure. In the complete absence of containment safety fea-tures, the dif ference in tine between containment failure due to debris fragmentation and failure due to concrete attack without debris fragmentation is relatively short, and both types of over-pressure failure may lead to Category 2 releases. In the inter-mediate case where the core debris may be only partially quenched, either due to limited fragmentation or other factors, containment failure could possibly be delayed somewhat longer, with resultant Category 3 releases. 5-19
Containment meltthrough (c) may be the principal mode of containment failure if the other failure modes are avoided. Meltthrough sequences in which the containment sprays or coolers are operating have been found to result in Category 7 releases. If meltthrough takes place in the absence of containment s'afety features, Category 6 releases are predicted. 5.5.2 Quantification of Containment Failure Modes The quantification of the steam explosion probabilities was discussed previously. Basically, the reference steam explosion probabilities are unchanged from the results of the Reactor Safety Study. For core melting at high ambient (primary system) pressure, the probabilities of steam explosions are reduced on the basis of the results of more recent studies. The probability of containment isolation failure (p) was
-3 estimated in the Appendix B4 to be approximately 7x10 ,
It was expected that sequences involving containment isolation failure would not significantly contribute to the overall risk. This expectation was supported by the results of this study. A number of the more probable Calvert Cliffs accident sequences are characterized by all the safety functions except ultimate heat removal functioning. For these sequences in the absence of corrective action, containment overpressurization will be inevitable; hence, the probability of overpressure failure is unity ( 6 = 1) . The probability of succensful corrective action is included in the calculation of accident sequence probabilities. Also, since overpressurization occurs before core melting and 5-20
hydrogen generation, the probability of hydrogen burning is not of particular significance. A second type of accident sequence is characterized by failure of all active safety functions, e.g., transients with loss of elec-tric power. For these sequences, high containment steam partial pressures are predicted to coincide with the hydrogen release from the primary system. The high steam pressures generally preclude hydrogen burning. However, the rapid boiloff of water from the reactor cavity, which may occur in these sequences, is predicted by MARCH to produce peak containment pressures at or above the nominal failure level. Since the predicted pressure is high, the over-pressure probability depends substantially on the likelihood that an efficient debris-water interaction actually occurs. Our impres-sion of steam explosion experiments performed at Sandia (Reference
- 8) and by others is that there is a high probability of the inter-action occurring. However, the thermal efficiency, as calculated by MARCH, may be an overestimate due to simplifying assumptions and effects such as dispersion caused by the interaction itself.
If debris fragmentation and quenching do not take place, the attack of the concrete and boiloff of water from the cavity would be predicted to lead to containment failure in a relatively short time. Based on these considerations, containment overpressure failure due to rapid quenching of the core debris and/or attack of the concrete together with water boiloff for these types of sequences, is assigned a total value of unity, i.e., 6 = 1, the consequences, however, would be somewhat dependent on the timing of the failure. 5-21
In most of the accident sequences under consideration here, at least some of the containment safety features are operating. Thus, the steam partial pressures in these sequences will generally be low and the likelihood of flannable hydrogen-air mixtures will be high. For large and intermediate LOCA sequences, MARCH gener-ally predicts the attainment of flammable mixtures prior to com-plete core melting and the existence of such conditions for much of the sequence. For transients and small LOCAs, the MARCH model-ing predicts partial storage of hydrogen in the primary system until vessel head failure. The release of this hydrogen to the containment following head failure generally results in atmosphere compositions well into the flammable range. If ignition is assumed to take place at the time of head failure, containment pressures near the nominal failure level are predicted. In the absence of hydrogen burning, the quenching of the core debris by the water in the reactor cavity has been predicted to yield peak pressures above the failure level. The combination of hydrogen burning followed by debris quenching can result in pressures well above the failure level. If steam production due to debris quenching occurs first, it may tend to preclude hydrogen until much of the steam is con-densed. While the operation of the containment safety features, particularly that of the sprays, will act to fairly rapidly reduce these pressures, they will have little effect on the peak pressures that may be associated with these transients. In the derivation of the containment failure mode probabilities given in Table 5-4, con-sideration was given to the probabilities of failure due to hydrogen burning, debris quenching, as well as the combination of the two. 5-22
i The notation (Y+6) represents the sum of several individual probabilities. In the quantification, the probability of each of these processes taking place was assigned a 50 percent probability; the predicted containment failure probabilities take into account the existing pressure prior to the time of the occurrence of these processes. Thus, the large LOCA sequences show lower containment failure probabilities than do the transients and small LOCAs. Containment failure by basemat meltthrough (c ) was assumed to take place in all the meltdown sequences; however, only in the absence of any other f ailure mode would containment meltthrough be the dominant path of radioactivity release. These are the only cases reflected in Table 5-4. There are continuing questions as to the inevitability of containment meltthrough (Reference 9); it may be possible that the attack of the basemat will be arrested. The latter would be particularly plausible if the debris were to be widely dispersed throughout the containment, or if a coolable debris bed were to form af ter quenching in the reactor . cavity; the latter would assume, of course, a continuing supply of cooling water. 5.5.3 Interface With Systems Analysis Task The results shown in Table 5-4, when combined with the probabilities of the individual accident sequences as determined in the Systems Analysis Task, yield the risk profile as well as identifying the dominant accident sequences for the Calvert Clif fs PWR. This is discussed in the following chapter. i 5-23
CRVSE CL CR-B CR-OP CR-MT a 8 Y 6 e C i
' 6 Y
- 8 a
Figure 5-1. PWR Containment Event Tree Table 5-1. Containment Event Tree Notation Symbol Letter Meaning CRVSE a Containment rupture due to a ' reactor vessel steam explosion. CL 8 Containment leakage. CR-B y Containment rupture due to hydrogen burning. CR-0P 6 Containment rupture by over-pressurization. CR-MT c Containment failure by basemat meltthrough. 5-24
Table 5-2. Summary of-MARCH Calculated Event Times Start Start End Containment Core Start End Head Basepad Sequencre ECC ECC Failure (2I Uncovery Melt Melt Fails Melt Notes TML- y --- 238 186(3) 205 233 237 238 Hydrogen burn at vessel head failure. TML- 6 --- 149 97(4) 116 142 146 284 Core debris interaction with water in the reactor c uity. TMLOO'6 --- 319 186(3) 205 233 237 238 Containment failure due to steam and noncondensable generation from corium-concrete interaction. - S2FG-6 0 994(5) 994 1040 1087 1147 ECCS failure follows containment failure. l S2CG- 6 0 1099(5) 1099 1143 1191 1252 1253 1253 ECCS failure follows containment failure. I W ACG- 6 0 424(5) 424 424 476 --- ---- ECCS failure follows containment failure. , I AG-6 0 1127 1127 1127 1173 1210 1242 1242 ECCS failure follows containment failure. S2 ML 0 36 60 78 TMIC- Y --- 109 56 78 108 109 109 g (6) --- ---- 120 139 ---- ---- ---- With degraded steam generator heat transfer. ACY' 0 no melt No sprays, one building cooler works. AC'Y 0 no melt No building coolers, one spray, and one containment spray heat exchanger works. (1) All times in minutes from the start of the accident. (2) Times for containment failure at 115 psia. (3) Primary system coolant loss evaluated on the basis of steam blowdown. (4) Primary system coolant loss evaluated on the basis of liquid blowdown until hot leg voiding. (5) ECCRS failure assumed to follow containment failure. (6) No melt with good steam generator heat transfer.
l Table 5-3. Summary of CORRAL Results, Final Releases Fission Product Group Release Case Xe I Cs Te Ba Ru La Category Description TML-Y 1.0 0.75 0.72 0.69 0.079 0.056 0.0090 2 No spray scrubbing. 4 TML-Y 1.0 0.11 0.19 0.60 0.015 0.037 0.0071 3 Spray scrubbing of melt release. TMLOO'-6 1.0 0.30 0.40 0.50 0.039 0.037 0.0063 2 No containment safety features. I AG-6 1.0 0.57 0.78 0.77 0.085 0.062 0.010 2 Spray fails before melt. S CG-6 2 1.0 0.33 0.66 0.71 0.070 0.055 0.0092 2 Spray fails before melt.
Table 5-4. Calvert Cliffs PWR Key Accident Sequences
--- --- --- - -- -- - --- --------- -- - ---------- Re l e a s e Ca te go ry --- ----- -- ------ -- - - --- --- - -- - - --- -- - ---- -
Sequence 1 2 3 4 5 6 7 TML a = 0.0001 Y+6 = 0.7 p= 0.007 (= 0.3 a = 0.0001 Y+6 = 0.7 @ = 0.007 (= 0.3 TMQ-!! TMQ-FH a= 0.0001 Y+ 6 = 0.7 p= 0.007 (= 0.3 TMQ-D a = 0.0001 Y+6 = 0.7 p= 0.007 . f = 0. 3 TMQ-DF a = 0.0001 Y+6 = 0.7 p= 0.007 (= 0.3 TNQ-YG a= 0.01 6=1 p= 0.007 TMQ-YH- a= 0.0001 Y+6 = 0.7 D= 0.007 (= 0.3 f U TMQ-YHG a= 0.0001 Y +6 = 0.7 p= 0.007 6'= 0.3( 1) TMQ-YF a= 0.01 6=1 p= 0.007 TMQ-YPH a= 0.0001 Y+ 6 = 0.7 6'= 0.3Il) @= 0.007 TMQ-YD a= 0.0001 Y+6 = 0.7 p= 0.007 (= 0.3 TMQ-YDG a= 0.0001 Y+6 = 0.7 p= 0.007 6'= 0.3 ( 1 ) TMQ-YDF 'a= 0.0001 Y+6 = 0.7 6'= 0.3 ( l ) TMQ-CH a= 0.01 Y+6 = 0.7 = 0.007 (= 0.3 UMQ-CD a= 0.0001 Y+6 = 0.7 @= 0.007 (= 0.3 TMQ-CY a= 0.01 6=1 p= 0.007 TMQ-CYH a= 0.01 0 = 0.8 6 '= 0' . 2 ( 1 ) @= 0.007 TMQ-CYD a= 0.0001- 6 = 0.8 6'= 0.2(l) p= 0.007
Table 5-4. (Continued)
-- -- - -- -- -- --- --- - ----- --- -- ---- - --- ---- Re l e a s e Ca t e go ry - - -- - - -- ---- - ---- --- --- - ---- - --- --- -- -- -- -
Sequence 1 2 3 4 5 6 7 TMLO' a = 0.0001 Y+ 6 = 0.7 p= 0.007 E= 0.3 TMLo a - 0.0001 Y+ 6 = 0.7 p= 0.007 E= 0.3 TMLOo' a = 0.0001 6= 0.8 6'= 0.2(1) p= 0.007 TKML a= 0.0001 Y+ 6 = 0.7 p= 0.007 E= 0.3 (A,Sj)H a = 0.01 Y+ 6 = 0.3 p= 0.007 E= 0.7 SH 2 a = 0.0001 Y+ 6 = 0.7 p= 0.007 E= 0.3 (A,Sj)FH a = 0.01 Y+ 6 = 0.3 p = 0.007 E= 0.7 1 f S 2 ni a= 0.0001 Y+ 6 = 0.7 - p = 0.007 C= 0.3 l N 03 (A,S 1 )D a= 0.01 Y + 6 = 0.3 p= 0.007 (= 0.7 S2 YG a = 0.01 6=1 p= 0.007 ACD a = 0.01 Y+ 6 = 0.3 p = 0.007 E = 0.7 S 2 CD a = 0.0001 Y+ 6 = 0.7 p= 0.007 E= 0.3 (A,S1)CY a = 0.01 6=1 .p= 0.007 S2 CY -a = 0.01 6=1 p = 0.007 (1) For delayed overpressure failure relative to core melt. l l l i 1
6.0 RESULTS Two of the main objectives of this study were to determine which accident sequences are the most significant contributors to the risk associated with the operation of Calvert Cliffs Unit 2 and to compare the overall risk for this plant with the comparable RSS PWR. The most significant Calvert Cliffs accident sequences, or " dominant accident sequences," are discussed in detail in Section 6.1. These sequences were derived by considering both the results of the systems analysis task and accident process analysis task l presented in Chapters 4 and 5, respectively. The overall risk of Calvert Cliffs is indirectly compared with that of Surry. This is done by comparing the frequency assessed for the seven PWR core melt release categories. The comparison is presented in Section 6.2. In Section 6.3, appropriate conclusions and study limitations are given. 6.1 Calvert Cliffs Dominant Accident Sequences The dominant accident sequences identified for Calvert Cliffs Unit 2 are depicted in Figure 6-1. A key to the figure nomenclature is given in Table 6-1. The solid lines on the histogram represent the release category frequencies. These were found by summing, for each release category, the point estimate frequencies of the dominant accident sequences presented in Figure 6-1 as well as those non-dominant sequences not shown in Figure 6-1. The dominant accident sequences presented in Figure 6-1 represent greater than 90 percent of the total release 6-1
category frequency for Categories 3, 5 and 7, and approximately 80 percent for Categories 2 and 4. The dashed lines represent the release category frequencies after application of the RSS curve smoothing technique; that is, a probability of 0.1 was assigned to an accident sequence being in the adjacent release category, and a probability of 0.01 was assigned to an accident sequence being two release categories from the one in which it was placed, etc. The curve smoothing technique reflects the uncertainty associated with the categorization of each accident sequence. As can be noted from the figure, the effect of curve smoothing dominates the fre-quency estimates for release Categories 1, 4, and 6. The dominant accident sequences will now be discussed in the order they are displayed in Figure 6-1. For each sequence, several of the most probable cut sets are described. (The systems and cut set terms used to describe the accident sequences are discussed in Appendix B.) Potential containment failure modes associated with the sequences are indicated. The containment failure modes and their associated probabilities provide the basis for the frequency of the accident sequences as they appear in the various release categories in Figure 6-1. In many of the cut sets listed below, recovery terms appear to reflect various recovery possibilities. These recovery terms are summarized in Table 6-2. It should be noted that all recovery terms, except one, were added by hand and thus they do not appear 6-2
in the Boolean models presented in Appendix B. The exception is the term LOACRES (see Appendix B13). Sequence T2 ML a , Y , 6 , 0 , r : This sequence is initiated by a loss of the power conversion system (T2 M) followed by the failure to restore the power conversion system and f ailure of the Auxiliary Feedwater System (L) . Contain-ment failure is predicted to occur from an in-vessel steam explo-cion (a), overpressure due to hydrogen burning (Y), overpressure due-to gas generation (6), containment leakage ( ), or basemat meltthrough (c). This sequence depicts a loss of the systems which provide the normal (T2 M) and emergency (L) means of delivering feedwater to the steam generators. Because of this, secondary decay heat removal via the steam generators would be lost within ~15-30 minutes due to boilof f of their inventory. This would lead to boiloff of the RCS inventory via the safety / relief valves leading to core uncovery and melt. No credit was given for the use of primary system feed and bleed as an alternate decay heat removal mechanism due to information presented in references 12 and 16. Reference 12 concurs with analysis presented in Appendix C that it is questionable whether feed and bleed is possible at Calvert Cliffs. This is primarily due to the questionable capability of the PORVs to depressurize the RCS to the level at which the high-pressure injection pumps can cool the core (i.e., pump shutoff head is ~1250 psi) . Even if the PORVs could depressurize the RCS , it 6-3
is doubtful they could be opened in time to prevent a core melt. Reference 16 states that the PORVs must be opened within 10 minutes following a loss of all feedwater to establish feed and bleed. Also, to open the PORVs at Calbert Cliffs, the operator must go behind the main control panel and remove two control modules, i.e., the operator cannot open the PORV from the main control panel by flipping a switch. Reference 16 questions whether the operators have been properly trained to perform this maneuver within the 10-minute s interval. The frequency of this sequence is estimated to be: T2ML = 9.0 x 10-4* . The dominant contributor, or cut set, for this sequence is listed and described below. Cut Set Cut Set Frequency T 2*M *CONSTl *PCSNR 9.0 x 10-4 Cut Set Term Descriptions T2 -- Transient initiating event caused by a loss of feedwater. Offsite power is assumed to be available. F(T2) = 3 per reactor year. M -- Total interruption of the Power Conversion System. P(M) =-1.0 due to the initiating event. CONSTl -- Hardware and human faults causing failure of the huxiliary Feedwater System. P(CONST1) = 3.0 x 10-3,
- Modi fications to the AFWS design are proposed which will affect the frequency of this sequence. A new frequency, which includes the AFWS modifications, is roughly estimated in Section 6.3.2.
6-4
1 Cut Set Term Descriptions (Cont'd) PCSNR -- Failure to recover the Power Conversion System. P(PCSNR) = 1.0 x 10-1 (See Table 6-2. ) Sixty percent of the CONSTl Boolean term consists of hardware failures in the AFWS. The rest of the contribution is due to an operator failure to manually initiate the system. Refer to Appendix B13. The containment failure mode probabilities and release category placements for Sequence T 2 ML are assessed to be: P(a) = 0.0001; Category 1 P( y + 6 ) = 0.7; Category 3 P(p) = 0.007; Category 5 P(() = 0.3; Category 7 Multiplying the sequence frequency by the containment failure mode probabilities gives the values presented in Figure 6-1. S equence TI ML a , y , 6 , P , f : This sequence is initiated by a loss of offsite power with concomitant failure of the Power Conversion System (TIM) and the Auxiliary Feedwater System (L). Containment failure is predicted to occur from an in-vessel steam explosion (a), overpressure due to hydrogen burning (Y), overpressure due to gas generation (6), containment leakage (p), or basemat meltthrough (c). This sequence involves a loss of all secondary heat removal resulting in reactor coolant system inventory boiloff through the safety / relief valves leading to core uncovery and melt. No credit 6-5
was given for primary system feed and bleed core cooling. (Refer to the earlier discussion of sequence T 2ML.) No credit was also given for recovery of the power conversion system (PCS) for this sequence. In Reference 15 it was estimated that the PCS could not be restored in most cases following a loss of offsite power to prevent core damage. It is felt that this estimate also applies to the Calvert Cliffs PCS because of its similar design. The frequency of this sequence is estimated to be: T1 ML = 7.2 x 10-4* . The dominant contributors, or cut sets, of this sequence are listed I and described below. Cut Set Cut Set Frequency T 1*M *CONSTl 6.0 x 10-4 T 1*M *LOACRES*D21ST*D12ST 2.6 x 10-5 T 1*M*LOACRES*D12ST* F2 1.7 x 10-5 . Cut Set Term Descriptions T1 -- Transient initiaping event caused by a loss of offsite power. F(T1) = 2.0 x 10- per reactor year. M -- Total interruption of the Power Conversion System. P (M ) = 1. 0 due to the initiating event. l 4
*Modifica tions to the AFWS design are proposed which will affect the frequency of this sequence. A new frequency, which includes the AFWS modifications, is roughly estimated in Section 6.3.2 6-6
Cut Set Term Descriptions CONSTl -- Hardware and human faults causing failure of the Auxiliary Feedwater System. P(CONSTl) = 3.0 x 10-3, LOACRES -- Failure of possible recovery actions such as the operator opening the local manual bypass valves in the AFWS steam admission lines. P(LOACRES) = 1.0 x 10-1 (See Table 6-2.) D21ST -- Diesel #21 unavailability due to maintenance and start failure s . Diesel is needed to open one of two AFWS steam admission motor-operated valves after a loss of offsite power. P(D21ST) = 3.6 x 10-2, D12ST -- Diesel #12 unavailability due to maintenance and start failures. Diesel is needed to open one of two AFWS steam admission motor operated valves after a loss of offsite power. P(D12ST) = 3.6 x 10-2, F2 -- Failure of several control valves in Salt Water System train #22 which are needed to provide jacket cooling for diesel generator #21. The diesel will fail without jacket cooling. Diesel #21 is needed to open one of two AFWS steam admission valves after a loss of offsite power. P(F2) = 2.4 x 10-2, Sixty percent of the CONSTl Boolean term in the first cut set consists of hardware failures in the AFWS. The rest of the contri-bution is due to operator failure to manually initiate the system. The rest of the cut sets listed for this sequence are characterized by start failures or jacket cooling failures of both diesels which prevent the AFWS steam admission MOVs from opening and failure of possible recovery actions such as the operator opening local manual valves which bypass the MOVs. Refer to Appendix B13. The containment failure mode probabilities and release category placements for sequence T I ML are assessed to be: 6-7
i P(a) = 0.0001; Category 1 P ( 7 + 6 ) = 0. 7 ; Catego ry ; 3 P(p) = 0.007; Category 5 P(c) = 0.3; Category 7 Multiplying the sequence frequency by the containment failure mode probabilities gives the values presented in Figure 6-1. Sequence T ML 3 a , Y , 6 , p , e : This sequence is initiated by a transient in which the - Power Conversion System is initially available (T3) followed by a subse-quent failure of the Power Conversion System (M) and a failure of the Auxiliary Feedwater System (L). Containment failure is I predicted to occur from an in-vessel steam explosion (a), overpres-sure due to hydrogen burning (7), overpressure due to gas generation (6), containment leakage (p), or basemat meltthrough (c). This sequence involves a loss of all secondary heat removal resulting in reactor coolant system inventory bolloff through the safety / relief valves leading to core uncovery and melt. No credit was given for the use of primary system feed and bleed core cooling. (Refer to the earlier discussion of sequence T ML. 2 ) The frequency of this sequence is estimated to be: T3ML = 1. 2 x 10-4 * . 4 l l
- Modifications to the AFWS design are proposed which will affect the frequency of this sequence. A new frequency, which includes the AFWS modifications, is roughly estimated in Section 6.3.2.
6-8 i 1
The dominant contributor, or cut set, for this sequence is listed and described-below: Cut Set Cut Set Frequency T 3*M *CONSTl 1.2 x 10-4 Cut Set Term Descriptions T3 -- Transient initiating. event with the Power Conversion System initially available (e.g., Turbine Trip). F(T3) = 4 Per reactor year. M -- Failure of the Power Conversion System to continue operation following reactor trip. P(M) = .01. CONSTl -- Hardware and human faults causing failure of the Auxiliary Feedwater System. P(CONST1) = 3.0 x 10-3, Sixty percent of the CONSTl Boolean term consists of hardware failures in the AFWS. The rest of the contribution is due to an operator failure to manually initiate the system. The containment failure mode probabilities and release category placements for Sequence T 3ML are assessed to be: P(a) = 0.0001; Category 1 P( y + 6 ) = 0.7; Category 3 P(p) = 0.007; Category 5 P(c) = 0.3; Category 7 Multiplying the sequence frequency by the-containment failure mode probabilities gives.the values presented in Figure 6-1. Sequence T lMLOO ' a , D , 6 : This sequence is initiated by a loss of offsite power with concomitant failure of the Power Conversion-System (TI M), the 6-9
Auxiliary Feedwater System (L), the Containment Air Recirculation and Cooling System (O), and the Containment Spray Injection System (O'). Containment failure is predicted to occur from an in-vessel steam explosion (a), an overpressure due to gas generation (6), or containment leakage (p). This sequence involves a loss of all secondary heat removal resulting in reactor coolant system inventory boiloff through the cafety/ relief valves leading to core uncovery and melt. No credit was given for primary system feed and bleed core cooling. (Refer to the discussion of Sequence T ML. 2 ) The failure of all containment systems increases the consequences of this type of accident. The frequency of this sequence is estimated to be: 1 T1 MLOO' = 1.0 x 10-4* . The dominant contributors, or cut sets, of this sequence are listed and described below. Cut Set Cut Set Frequency T 1*M *BATCM 8.0 x 10-5 T y*M*D21ST*D12ST*LOPNR8HR*DGNR8HR 5.4 x 10-6 T y*M *D21ST*F2*LOPNR8HR*DGNR8HR 3.6 x 10-6 1 l
- Modifications to the AFWS design are proposed which will affect the frequency of this sequence. A new frequency which includes the AFWS modifications, is roughly estimated in Section 6.3.2.
6-10
-- n , - - - - . . - .-, - - , _ . - , .
T y*M *LOACRES*LOPNRL*D21ST*D12ST 2.6 x 10-6 T 1*M*LOACRES*LOPNRL*D12ST*F2 1.8 x 10-6 Cut Set Term Descriptions T1 -- Transient initiagingper event caused by a loss of offsite power. F(T1) = 2.0 x 10- reactor year. M -- Total interruption of the Power Conversion System. P (M ) = 1. 0 due to the initiating event. DATCM -- Common mode failure of all batteries. P(BATCM) = 4.0 x 10-4 D21ST -- Diesel #21 unavailability due to maintenance and. start failures. Diesel is needed to power approximately 1/2 of all safety systems following a loss of of fsite power. P(D21ST) = 3.6 x 10-2, D12ST -- Diesel #12 unavailability due to maintenance and start failures. Diesel is needed to power approximately 1/2 of all safety systems following a loss of offsite power. P(D12ST) = 3.6'x 10-2, LOPNR8HR -- Failure to recover offsite power in 8 hours. P(LOPNR8HR) = 3.0 x 10-2 (See Table 6-2.) DGNR8HR -- Fa.. lure to recover either diesel generator in 8 hours. P(DGNR8H1') = 7.0 x 10-1 (See Table 6-2. ) F2 -- Failure 3f several control valves in Salt Water System train #22 which are needed to provide jacket cooling for diesel ger.erator #21. The diesel will fail without jacket cooling. Diesel #21 is needed to power approximately 1/2 of all systemt following a loss of offsite power. P(F2) = 2.4 x 10-2, LOACRES -- Fatlure of possible recovery actions such as the operator opening local manual valves in the AFWS steam admission lines. P(LOACRES) = 1.0 x.10-1 (See Table 6-2.) LOPNRL -- Failure to recover offsite power in 3 hours. P(LOPNRL) = 1.0 x 10-1 (See Table 6-2. ) Many of the dominant cut sets for this sequence involve loss of all DC power. Loss of all DC power after an accident initiator 6-11
leads to core melt since all safety systems need DC power to insure cuccessful operation. The BATCM term represents immediate common mode failure of all station batteries. It was derived from the licensee event report study presented in Reference 13. (See also Appendix B2) . The cut sets which include the LOPNR8HR and DGNR8HR terms involve long-term DC power loss. In these cut sets the AFWS is initially operating and both diesels have failed. If offsite power is not recovered or a diesel generator restored in about 8 hours, it is expected _ that both batteries will fail due to long-term depletion. The containment failure mode probabilities and release category placements for sequence T IMEO0' are assessed to be: P(a ) = 0.0001; Category 1 P(6) = 0.8; Category 2 P( 6') = 0.2; Category 3 P(p) = 0.007; Category 4 For this sequence, the overpressure containment failure mode was split into 6 and 6'. The 6' represents delayed overpressure failure relative to core melt. Multiplying the sequence frequency by the containment failure mode probabilities gives the values presented in Figure 6-1. Sequence T2 KML Ge Ye 0e0,f This sequence is initiated by a loss of the Power Conversion System with offsite power available (T2 M) followed by a failure of the Reactor Protection System (K) and the Auxiliary Feedwater 6-12
System (L). Containment failure la predicted to occur from an in-vessel steam explosion (a), overpressure due to hydrogen burning (Y), overpressure due to gas generation (6), containment leakage ( p) , or basemat meltthrough (f ). In this sequence, RPS failure causes a reactor scram failure. This type of sequence is fast act.ing and little time would be available for operator action. he operator would first attempt to manually scram the reactor, howe'rer, the dominant RPS cut sets involve circuit breaker failures which cannot be recovered via pushing the control room scram b 2ttons (see Appendix B3). We assume the operators will be preoccupiel with attempting to scram the reactor and will, the re fore , not 3ctuate the AFWS, or recover the PCS (i.e., systems which may potentially mitigate bhe. scram failure) ' prior to core damage / melt. The frequency of this sequence is calculated to be:
/
T2 KML = 6.0 x 10-5* , The dominant contributor, or cut set, for this sequence l's lis t'ed and described below. Cut Fet Cut Set trequency T 2* K *M
- L 6.0 x 10-5
- Modifications to the AFWS design are proposed which will affect' the frequency of this sequence. A new frequency, which includes the AFWS modifications, id. roughly estimated in Section 6.3.'2. ,
6-13
Cut Set Term Descriptions T2 -- Transient initiating event caused by a loss of feedwater. Offsite power is assumed to be available. F(T2) = 3 per reactor year. K -- Failure of the Reactor Protection System to terminate the fission process. P(K) = 2.0 x 10-5, M -- Total interruption of the Power Conversion System. P (M ) = 1.0 due to the initiating event. L -- Failure of the Auxiliary Feedwater System. P(L) = 1.0 due to the short accident progression time. The dominant containment failure mode probabilities and release category placements for Sequence T2 KML are assessed to be P(a) = 0.0001; Category 1 P( Y + 6 ) = 0.7; Category 3 P(p) = 0.007; Category 5 P(r) = 0.3; Category 7 Multiplying the sequence frequency by the containment failure mode probabilities gives the values presented in Figure 6-1. Sequence TIMO-D a , Y , 6 , 0 , ( : This sequence is initiated by a loss of offsite power with concomitant failure of the Power Conversion System (T I M), a relief valve opening and then failing to close (Q), and a failure of high-pressure injection (D). Containment failure is predicted to occur from an in-vessel steam explosion (a), overpressure due to hydrogen burning ( Y), overpressure due to gas generation (6), containment leakage ( p) , or basemat meltthrough (t). 6-14
This sequence develops into a small LOCA when a relief valve fails to close. Reference 10 states that the PORVs could be demanded on every less of of fsite power regardless of whether or not secondary cooling is available. During the LOCA, core cooling via the high-pressure injection system fails, followed b'; core melt. The frequency of this sequence is estimated to be: T1 MO-D = 2.9 x 10-5 , The dominant contributors, or cut sets, of this sequence are listed and described below. Cut Set Cut Set Frequency T 1 *M *F1 *o *D21ST*D12ST*NREDF 4.1 x 10-6 T 1 *M *F1*o *D12ST* F2 *N REDF 2. 8 x 10-6 T 1 *M*P 1 *O *MT
- D 21 ST
- N R EDF 1.5 x 10-6 T 1*M *F *Q i
*HPCM *NRPORV 1.3 x 10-6 T 1*M *F 1*o *M1 *D12ST*NREDF 1.1 x 10-6 T 1 *M *F1 *Q *MT *F2 *NREDF 1.0 x 10-6 T 1*M*F *O*LT*D12ST*NREDF 1
9.8 x 10-7 T 1*M*F *Q*KT*D21ST*NREDF i
- 9. 8 x 10-7 T 1*M*F *Q*C*D12ST*NREDF 1
8.1 x 10-7 T g *M*P i *Q*B*D21ST*NREDF 8.1 x 10-7 T1*M*F *o*N*D12ST*NREDF 1
- 7. 9 x 10-7 I
6-15
Cut Set Cut Set Frequency T 1*M
- Pi*Q*KT*F2*NREDF 6.5 x 10-7 Ty*M*P i *O*LITl*D21ST*NREDF 4.3 x 10-7 T 1*M *F i*Q *F2 *LITl *NREDF 2.8 x 10-7 Cut Set Term Descriptions T1 -- Transient initiagingper ever.t caused by a loss of of fsite power.
F(T1 ) = 2. 0 x 10- reactor year. M -- Total interruption of the Power Conversion System. P(M ) = 1. 0 due to the initiating event. Pi -- Probability that the PORVs are demanded. P(E1 ) = 1.0. O -- Failure of a PORV to reclose given it opens. P(0) = 8.0 x 10-2, D21ST -- Diesel #21 unavailability due to maintenance and start failures. Diesel is needed to power various HPIS train #23 components, HPIS pump seal cooling systems, and a PORV block MOV after a loss of offsite power. P(D21ST) = 3. 6 x 10-2, D12ST -- Diesel #12 unavailability due to maintenance and start failures. Diesel is needed to power various HPIS train #21 components, HPIS pump seal cooling systems, and a PORV block MOV after a loss of offsite power. P(D12ST) = 3. 6 x 10-2, NREDF -- Failure to restore offsite power so that the HPIS can be utilized or the PORV block MOV closed given that one or both diesel generators have failed. P(NREDF) = 2.0 x 10-1 (See Table 6-2. ) NRPORV -- Failure of the operator to close the PORV block valve given that both diesel gene {ators have started. P (NRPORV) = 1.0 x 10- . (See Table 6-2.) F2 -- Failure of several control valves in Salt Water System train #22 which are needed to provide jacket cooling for diesel generator #21. The diesel will fail without jacket cooling. Diesel #21 is needed to power various HPIS components after a loss of offsite power (see above). P(F2 ) = 2. 4 x 10-2, MT -- Failure of a normally closed MOV in HPIS train #21 to open. P(MT ) = 1. 3 x 10-2, 6-16
. . . . , - - . . - - , , _ ..,_____--..----,.--y . -,...--,---,.____.mvw- -- _. , M
HPCM -- Common mode failure of the HPIS due to a flow diversion through a failed LPIS or accumulator check valve. P(HPCM) = 8.0 x 10-4 M1 -- Failure of several Component Cooling Water System train #22 components which affect HPIS pump seal cooling. P (M 1 ) = 9. 8 x 10-3 LITl -- Failure of several Component Cooling Water System train #21 components which affect HPIS pump seal cooling. P(LITl) = 3.7 x 10-3 LT -- Failure of several HPIS train #23 components. P(LT) = 8.5 x 10-3, KT -- Failure of several HPIS train #21 components. P(KT) = 8.5 x 10-3, C -- Failure of several HPIS train #23 components. P(C) = 7.0 x 10-3, B -- Failure of several HPIS train #21 components. P(B) = 7.0 x 10-3, N -- Failure of a normally open MOV in HPIS train #23. P(N) = 6.9 x 10-3, The first two cut sets listed above are characterized by double diesel generator hardware or jacket cooling faults which fail both HPIS trains when there is no recovery. Cut sets #3, 6, 7, 8, 9, 10, 11 and 12 are characterized by HPIS valve / pump and diesel faults. Cut sets #5, 13, and 14 are characterized by double HPIS pump seal cooling faults. The containment failure mode probabilities and release category placements for Sequence T I MQ-D are assessed to be: P(a) = 0.0001; Category 1 P( y + 6 ) = 0.7; Category 3 P(p) = 0.007; Category 5 P(c) = 0.3; Category 7 6-17 I
Multiplying the sequence frequency by the containment failure mode probabilities gives the values presented in Figure 6-1. Sequence T MQ-Hi a , Y , 6 , @ , ( : This sequence is initiated by a loss of offsite power with concomitant failure of the Power Conversion System (T IM), a relief valve opening and then failing to close (Q), and a failure of high-pressure recirculation (H). Containment failure is predicted to occur from an in-vessel steam explosion (a), overpressure due to hydrogen burning (Y), overpressure due to gas generation (6), containment leakage (p), or basemat meltthrough (c). This sequence develops into a small LOCA when a relief valve fails to close. Reference 10 states that the PORVs could be demar.ded on every loss of offsite power regardless of whether or not secondary cooling is available. During the LOCA, core cooling via the high-pressure recirculation system fails, followed by core melt. The frequency of this sequence is estimated to be: TIMO-H = 2. 4 x 10-5 , The dominant contributors, or cut sets, of this sequence are I listed and described below. i Cut Set Cut Set Frequency T 1*M*Pl*Q*Rl*D21ST*NRLDF 5.8 x 10-6 T 1*M*Pl *Q
- Rl *F 2 *N RL DF 3.8 x 10-6 T1*M*P i*Q*N1*Rl*NRLDF 3.8 x 10-6 f
l 6-18 l l
T 1*M
- Pi*Q*N1*D12ST*NRLDP 1.4 x 10-6 T i*M *Fi*Q*Sl*D21ST*NRLDF 1.4 x 10-6 T 1*M *F 1*Q*Sl *F2*NRLDF 9.2 x 10-7 T 1*M*F *Q*Sl*N1*NRPORV 1 9.2 x 10-7 T 1*M*F *Q*Rl*RASBl*NRPORV i 8.0 x 10-7 T y*M *Fi *Q* Rl *E2Tl *NRLDF 5.6 x 10-7 T 1*M *F 1 *Q* Rl *G2Tl*NRLDF 5.6 x 10-7 Cut Set Term Descriptions T1 -- Transient initiagingper event caused by a loss of offsite power.
F(T1) = 2.0 x 10- reactor year. M -- Total interruption of the Power Conversion System. P(M ) = 1.0 due to the initiating event. P1 -- Probability that the PORVs are demanded. P(P1) = 1.0. Q -- Failure of a PORV to reclose given it opens. P(Q) = 8.0 x 10-2, D21ST -- Diesel #21 unavailability due to start or maintenance faults. Diesel is needed to provide power to various HPRS train #23 components, HPRS pump seal cooling systems, and a PORV block MOV after a loss of offsite power. P(D21ST) = 3.6 x 10-2, D12ST -- Diesel #12 unavailability due to maintenance or start failures. Diesel is needed to power various HPRS train #21 components, HPRS pump seal cooling systems, and a PORV block MOV after a loss of offsite power. P(D12ST) = 3.6 x 10-2, NRPORV -- Failure of the operator to close the PORV block valve . given that both diesel generators are operating. P(NRPORV)
= 1.0 x 10-1 (See Table 6-2. )
NRLDF -- Failure to restore offsite power so that the HPRS can be utilized or the PORV block MOV closed given that one diesel has failed. P(NRLDF) = 1.0 x 10-1 (See Table 6-2.) 6-19
4 l 1 i i l l F2 -- Failure of several control valves in Salt Water System
; train #22 which are needed to provide jacket cooling for-diesel
- generator #21. The diesel will fail without jacket cooling.
; Diesel #21 is needed to power various components after a loss P(F2) = 2.4 x 10-2 of offsite power (see above).
SI- - Failure of several control valves in Salt Water System train
#21 which are needed for HPRS pump seal cooling. P(SI) =
. 2.4 x 10-2, I N1 -- Failure of several control valves in Salt Water System train
#22 which are needed for HPRS pump seal cooling. P(N1) = 2.4 x 10-2, R1 -- Failure of several control valves in the Component Cooling Water System which affect pump seal cooling for the HPRS pumps. P(Rl) = 1.0 x 10-1 RASBl -- Failure of recirculation actuation subchannel B1 which signals open the control valves in salt water train #22, which are needed for HPRS pump seal cooling. P(RASB1) = 5.0 x 10-3, E2Tl -- Failure of Salt Water System pump #22 to restart and continue running af ter a loss of offsite power. This pump provides jacket cooling to diesel generator #21. Diesel #21 is needed to p wer various components (see above). P(E2Tl) = 3.5 x 10 .
G2T1 -- Failure of Service Water System pump #22 to restart and continue running after a loss of offsite power. This pump is needed to provide jacket cooling for diesel #21. Diesel #21 is needed to power various components (see above). P(G2Tl)
= 3.5 x 10-3,
) Most of the cut sets listed above are characterized by double high-pressure recirculation pump seal cooling faults. Seal cooling failure is caused by diesel generator failures or cooling water hardware faults. The dominant containment failure mode probabilities and release category placements for Sequence T I MO-H are assessed to be: i 6-20
. , , - - . --n .
. - r , , , ,,. m,-,, .e , , - ~ . . , , - . , --....r-. -,.m.. - , - , - - , , . . -, --n.,,--,-...e- , . -
P(a) = 0.0001; Category 1 P( Y + 6 ) = 0.7; Category 3 P(p) = 0.007; Category 5 P(c) = 0.3: Category 7 Multiplying the sequence frequency by the containment failure mode probabilities gives the values presented in Figure 6-1. Sequence T IMO-FH a , Y , 6 , P , ( : This sequence is initiated by a loss of offsite power with concomitant failure of the power conversion system (Tl M), a relief valve opening and then failing to reclose (O), failure of the containment spray recirculation system (F), and failure of the high-pressure recirculation system (H). Containment failure is pre-dicted to occur from an in-vessel steam explosion (a), overpressure due to hydrogen burning (Y), overpressure due to gas generation (6), containment leakage ( D), or basemat meltthrough (r). This sequence develops into a small LOCA when a relief valve fails to close. Reference 10 states that the PORVs could be demanded on every loss of offsite power regardless of whether or not secondary cooling is available. During the LOCA, core cooling via the high-pressure recirculation system fails, followed by core melt. This sequence is quite similar to Sequence T MO-HI except in this case there are no containment sprays available during recir-culation to scrub radioactive material from the containment atmosphere. This causes the consequences from Y, 6 , 0 , and c c:ontainment failures to be worse than those for T IMO-H. 6-21
The frequency of this sequence is estimated to be: TiMQ-FH = 1. 2 x 10-5 The dominant contributors, or cut sets, for this sequence are listed and described below. Cut Set Cut Set Frequency T 1*M *F *Q*RASCM*NRPORV 1 1.6 x 10-6 T1*M*F *Q*R22*D12ST*NRLDF 1 1. 4 x 10-6 T 1M*F *Q*R21 i *D21ST*NRLDF 1.1 x 10-6 T 1*M *F *Q i *R21 *R2 2 *NRPORV 7.6 x 10-7 T 1*M*F *Q*W*D21ST*NRLDP l
- 7. 5 x 10-7 T 1*M
- Pl *Q*V*D12ST*NRLDF 7.5 x 10-7 T 1*M*F *Q*F2 1 *R21*NRLDF 7.3 x 10-7 T 1 *M *Fi *Q *W* R2 2 *NRPORV 5.2 x 10-7 T iM *F *Qi *W* F2 *NRLDF
- 5. 0 x 10-7 T 1*M
- F *Q 1
- V
- R 21 *N RLDF 4.0 x 10-7 T 1*M *F 1*Q *RASAl*D21ST*NRLDF 2. 9 x 10-7 T 1*M
- Pl *Q*RASBl*D12ST*NRLDP 2.9 x 10-7 T 1*M *F *Q i
- B *R2 2 *NRLDF
- 2. 8 x 10-7 T 1*M *F *Q i *W*V *NRPORV
- 2. 7 x 10-7 T 1*M *F *Q*C*R21 i
*NRPORV 2.1 x 10-7 T 1*M*Pi *Q
- R 2 2 *RASAl *NRPORV 2.0 x 10-7 T 1 *M *Fi *Q *F2 *RASAl *NRPORV 1.9 x 10-7 6-22
Cut Set Term Descriptions T 1--Transientinitiagingeventcausedbyalossofoffsitepower. per reactor year. F(T1) = 2.0 x 10-M -- Total interruption of the Power Conversion System. P(M ) = 1. 0. due to the initiating event. P1 -- Probability that the PORVs are demanded. P(P1) = 1.0. Q -- Failure of a PORV to reclose given it opens. P(0) = 8.0 x 10-2, D21ST -- Diesel #21 unavailability due to maintenance or start failures. Diesel is needed to provide power to various HPRS train #23 and CSRS train #22 components after a loss of of fsite power. P(D21ST) = 3.6 x 10-2, D12ST -- Diesel #12 unavailability due to maintenance or start failures. Diesel is needed to provide power to various HPRS train #21 and CSRS train #21 components after a loss of offsite power. P(D12ST) = 3.6 x 10-2, NRPORV -- Failure of the operator to close the PORV block valve given that both diesel generators are operating. P(NRPORV) = 1.0 x 10-1 (See Table 6-2 ) . NRLDF -- Failure to restore of fsite power so that the HPRS can be utilized or the PORV block MOV closed given that one diesel has failed. P(NRLDF) = 1.0 x 10-1 (See Table 6-2.) F2 -- Failure of several control valves in Salt Water System train #22 which are needed to provide jacket cooling for diesel generator #21. The diesel will fail without jacket cooling. Diesel #21 is needed to power various components after a loss of offsite power (see above). P(F2) = 2.4 x 10-2, R21 -- Failure of room cooler #21 which causes failure of one train of CSRS and HPRS. P(R21) = 1.9 x 10-2, R22 -- Failure of room cooler #22 which causes failure of one train of CSRS and HPRS. P(R22) = 2.5 x 10-2, W -- Failure of valves in one of the containment sump recirculation lines which fails one train of CSRS and HPRS. P(W) = 1.3 x 10-2, V -- Failure of valves in one of the containment sump recirculation lines which fails one train of CSRS and HPRS. P(V) = 1.3 x 10-2, 6-23
RASCM -- Failure of all CSRS and HPRS pumps caused by a common mode failure of their actuation system. The actuation system is required to realign the pump suction from the RWST to the containment sump. P(RASCM) = 1.0 x 10-3, RASAl -- Failure of recirculation actuation subchannel Al which realigns the llPRS pump 21 and CSRS pump 21 suction from the RWST to the containment sump. P(RASA1) = 5.0 x 10-3, RASBl -- Failure of recirculation actuation subchannel B1 which realigns the IIPRS pump 23 and CSRS pump 22 from the RWST to the containment sump. P(RASB1) = 5.0 x 10-3, B -- Failure of common RWST suction valves in one train of IIPIS and CSIS. P (B) = 7.0 x 10-3, C -- Failure of common RWST suction valves in one train of IIPIS and CSIS. P (C) = 7.0 x 10-3, The dominant cut sets listed above are characterized by failure of the CSRS and the llPRS due to combinations of room cooling, actua tio n , suction line, and diesel generator faults. The dominant containment failure mode probabilities and release category placements for Sequence T IMQ-FIl are assessed to be: P ( n) = 0. 0001 ; Catego ry 1 P( Y + 6 ) = 0.7; Category 2 P(p) = 0.007; Category 4 P(() = 0.3; Category 6 Multiplying the sequence frequency by the containment failure mode probabilities gives the values presented in Figure 6-1. Sequence T MQ-Il 9 a , y , 6 , p , e : This sequence is initiated by a loss of the power conversion system (T2 M) followed by a relief valve opening and then failing to reclose (Q), and a failure of the high-pressure 6-24
recirculation system (H). Containment failure is predicted to occur from an in-vessel steam explosion (a), overpressure due to hydrogen burning (Y), overpressure due to gas generation (6), containment leakage (p), or basemat meltthrough (c). This sequence develops into a small LOCA when a relief valve fails to close. For T2 initiating events involving success of the auxiliary feedwater system it was recognized that the PORVs may not be demanded. The probability that the PORVs are demanded during this sequence was assessed to be .07 based on information presented in Reference 10. During the LOCA, core cooling via the high pressure recirculation system fails, followed by core melt. The frequency of this sequence is estimated to be: T2MQ-H = 8. 5 x 10-6 , The dominant contributors, or cut sets, of this sequence are listed and described below. Cut Set Cut Set Frequency T 2*M*Py Q*N1*Rl*NRPORV 4.0 x 10-6 T 2 *M*P y *Q*N1*Sl*NRPORV 9.7 x 10-7 T 2*M*E l*Q*RASBl*Rl*NRPORV 8.4 x 10-7 T 2 *M *Ey *Q *KT *R2 2 *NRPORV 3.6 x 10-7 T 2*M
- Pl*Q*LT*R21*NRPORV 2.7 x 10-7 T 2*M*F *Qy *SIA2 *R2 2 *NRPORV 2.1 x 10-7 T 2*M *E *Q y *RASB l *S l *NRPORV 2.0 x 10-7 T 2 *M*P y *Q
- RASAl *N 1 *NRPORV 2. 0 x 10-7 6-25
T 2*M *F *Q i *KT *V *NRPORV 1.9 x 10-7 T 2*M
- Py *Q *LT*W*NRPORV 1.9 x.10-7 Cut Set Term Descriptions T2 -- Transient initiating event caused by a loss of feedwater.
Offsite power is assumed to be available. F(T2 ) = 3 per reactor year. M -- Total interruption of the Power Conversion System. P (M ) = 1. 0 due to the initiating event. Pi -- Probability that the PORVs are demanded. P(Py) = 7.0 x 10-2, Q -- Failure' of a PORV to reclose given it opens. P(Q) = 8.0 x 10-2, NRPORV -- Failure of the operator to close the PORV block valve. P(NRPORV) = 1.0 x 10-1 (See Table 6-2.) N1 -- Failure of the salt water inlet or outlet valves of component cooling water heat exchanger #22. This heat exchanger helps supply pump seal cooling during recirculation for the HPRS. P(N1) = 2.4 x 10-2, S1 -- Failure of the salt water inlet or outlet control valves of component cooling water heat exchanger _#21. This heat-exchanger helps-supply pump seal cooling during recirculation for the HPRS. P(S1) = 2.4 x 10-2, R1 -- Failure of several control _ valves in the Component Cooling Water System which affect pump seal cooling for the HPRS. P(Rl) = 1.0 x 10-1 R22 -- Failure of room cooler #22 which causes failure of HPRS train #23. P(R22) = 2.5 x 10-2, R21 -- Failu- e of room cooler #21 which causes failure of HPRS train #21. P (R21 ) = 1. 9 x 10-2, RASAl -- Failure of recirculation actuation subchannel Al which signals open the salt water inlet and outlet valves of com-ponent cooling water heat exchanger #21. The_ heat exchanger provides pump seal cooling for the HPRS during recirculation. P(RASA1) = 5.0 x 10-3, 6-26
RASBl -- Failure of recirculation actuation subchannel B1 which signals open the salt water inlet and outlet valves of com-ponent cooling water heat exchanger #22. The heat exchanger provides pump seal cooling for the HPRS during recirculation. P(RASB1) = 5.0 x 10-3, W -- Failure of valves in one of the containment sump recirculation lines which fails HPRS train #21. P(W) = 1.3 x 10-2, V -- Failure of valves in one of the containment sump recirculation lines which fails one train of HPRS train #23. P(V) = 1.3 x 10-2, LT -- Failure of several HPRS train #23 components. P(LT) = 8.5 x 10-3 KT -- Failure of several HPRS train #21 components. P(KT) = 8.5 x 10-3, SIA2 -- Failure of safety injection actuation subchannel A2 which initiates HPIS pump #21. P(SIA2) = 5.0 x 10-3, The dominant cut sets for this sequence are characterized by failures of the HPRS due to combinations of pump seal cooling, actuation, or other hardware faults. The containment failure mode probabilities and release category placements for Sequence T 2 MQ-H are assessed to be: P(a) = 0.0001; Category 1 P( Y + 6 ) = 0.7; Category 3 P(p) = 0.007; Category 5 P(r) = 0.3; Category 7 Multiplying the sequence frequency by the containment failure mode probabilities gives the values presented in Figure 6-1. 6-27
6.2 Comparison With the Dominant Accident Sequences in the Reactor Safety Study The Surry sequences which dominated the seven PWR core melt release categories in the RSS are presented in Figure 6-2. A short description of these are presented below: TM LB ' --6,Y,( : Failure of the feedwater delivery system (power conversion) (M ) and auxiliary feedwater systems (L) given the in%tiating transient event of loss of offsite AC power (T) with failure to recover either onsite or offsite AC power within about 3 hours, preventing containment ESF mitigation of accident (B') consequences. Containment failure due to overpressure, hydrogen burning, or meltthrough. V: Interfacing systems LOCA due to failure of the LPIS check valves. S 2C-6: Failure of the containment spray injection system (C) given a small LOCA (S2) (1/2"1D12"). Containment failure due to overpressure. AD-r: Failure of the emergency coolant injection system (D) given a large LOCA (A) ( D2,6 " ) . Containment failure due to meltthrough. AH-(: Failure of the emergency coolant recirculation system (H) given a large LOCA (A) (D16"). Containment failure due to meltthrough. S 1 D-(: Fai.l ure of the emergency coolant injection system (D) given a small LOC A ( 2 "1Df6 ") . Containment failure due to meltthrough. S 1 H-r: Failure of the emergency coolant recirculation system (H) given a small LOCA (2"1Df6"). Containment failure due to meltthrough.
-S2 D-c: Failure of the emergency coolant injection system (D) given a small LOCA (1/2"<D12"). Containment failure due to melt-through.
S 2 H-t: Failure of the emergency coolant recirculation system (H) given a small LOCA (1/2"<Df2") . Containment failure due to meltthrough. TM L- r : Failure of the feedwater delivery system (power conversion l (M) and auxiliary feedwater (L)) given a transient initiating event (T). Containment failure due to meltthrough. 6-28
I TKO-( Failure of the reactor protection system (K) to shutdown the reactor and failure of at least one pressurizer safety / relief valve to reclose (Q) given a transient initiating event (T). Containment failure due to meltthrough. i TK40- c : Failure of the reactor protection system (K) to shutdown the reactor- failure of power conversion system (M) and fail- ' ure of at least one pressurizer safety / relief valve to reclose (Q) given a transient initiating event (T). Containment > failure due to meltthrough. These Surry sequences dominate the seven PWR release categories after applying the RSS curve smoothing technique. The equivalent of the Surry TMLB' sequence is the Calvert Cliffs' T I MLOO' sequence. The core melt frequency calculated for the Calvert Clif fs ' sequence is about an order of magnitude higher. This is primarily due to a battery common mode failure and other battery depletion failures which were included in the Calvert C lif f s ' analysis and were not identified for Surry. (These failures may apply to Surry, however. ) The interfacing system LOCA (Event V) was important at Surry. It was not found to be a dominant accident sequence at Calvert Cliffs. This dif ference was due to an increased number of valves in the cold leg injection lines at Calvert Cliffs. Sequences involving loss of all secondary cooling after a transient initiating event (TML) were found to be important at both j plants. The Calvert Cliffs sequences have a total frequency esti-mate more than two orders of magnitude higher than the comparable Sur ry sequences. The reason for the higher frequency estimate for Calvert Cliffs is primarily due to the calculated unavailability of the Auxiliary Feedwater System. The Calvert Cliffs' AFWS was 6-29
enalyzed as a two train, manually initiated system with several cinale failure modes. Surry's AFWS is a three train, automatically initiated system. This AFWS dif ference caused all of the Calvert Cliffs' sequences involving Event L to have high sequence frequencies relative to Surry. Another important core melt sequence at Surry was S 2C. Failure of CSIS prevents the addition of large quantities of borated water to the containment. Since only a small portion of the reactor coolant system inventory leaks to the sump, sufficient elevation head is not available and the CSRS pumps will fail due to cavitation. Failure of the CSRS pumps causes failure of containment overpressure protection at Surry. Upon containment overpressure failure the LPRS fails due to pump cavitation followed by core melt. Due to the presence of the Calvert Cliffs' Containment Air Recirculation and Cooling System, which performs a redundant containment overpressure protection function to the containment spray system, the S2 C sequence does not result in core melt. The equivalent core melt sequence at Calvert Clif fs would be S 2CY. This sequence is not as significant a risk contributor for the Calvert Cliffs plant due to its much lower sequence frequency. Sequences involving a loss of offsite power and a stuck open PORV were found to be much more important at Calvert Clif fs than at Surry. This is due to the fact that in the RSS, given success of the AFWS, no demand of the PORVs was expected. 6-30
Information obtained in RSSMAP indicated that the PORVs could be demanded on every loss of offsite power regardless of whether or not secondary cooling is available. (Reference 10.) Several LOCA sequences which involved failure of the emergency core cooling system, either during the injection or recirculation phases were important at Surry (e.g., AD, AH, S 1H, S 2D, and S2H)- These LOCAs were caused by random rupture of the RCS piping. Several LOCA sequences were also important at Calvert Clif fs. At Calvert Cliffs, however, these LOCAs were due primarily to stuck open valves (i.e., transient induced LOCAs). Containment overpressure failure due to hydrogen burning was assessed to be more important at Calvert Cliffs. The reason for this is that the Surry accident sequences, which dominated the release category in which hydrogen burning is usually placed, failed the containment by overpressure due to steam prior to core mel tdown. Since the hydrogen is produced during the meltdown, this containment failure mode for these accident sequences is precluded. Sequences involving overpressure containment failures following a core meltdown were also found to be more important at Calvert Cliffs. Analysis presented in Appendix C indicates that for some sequences which have containment safety systems operating, overpressure containment failures can still occur. When the molten core drops into the reactor cavity, the steam spike which results could fail the containment regardless of whether or not the fans or sprays are operating. The reactor cavity is expected to be 6-31
filled with water from the accumulators which discharge upon failure of the bottom of the reactor vessel. 6.3 Conclusions and Limitations 6.3.1 Conclusions Several conclusions and observations can be made by comparing the Calvert Cliffs and Surry analyses: o Design differences between plants can have significant impact on the dominant accident sequences and public risk. Some of these differences include a less reliable AFWS at Calvert Cliffs and lack of a containment fan cooling system at Sur ry. o The methods used for determining the accident sequences for Surry in the RSS are equally applicable to a Combustion Engineering PWR. o The frequency of core melts due to LOCAs is approximately a factor of four greater at Calvert Cliffs. This is primarily due to the fact that transient induced LOCAs were assessed to be more important at Calvert Cliffs (See Section 6.2).
~
o The frequency of core melts due to transients is approximately two orders of magnitude greater at Calvert Cliffs.* This is primarily due to a less reliable AFWS assessed at Calvert
- Modi fications to the AFWS design are proposed which will affect this frequency estimate. A new estimate, which includes the AFWS modifications, is roughly estimated in Section 6.3.2.
1 6-32
Cliffs. Also of importance are differences in the analyses of the power conversion systems (PCS) at both plants. Current information suggests that the Surry PCS analysis may have been optimistic. (See Section 3.2.15 for details.) o The overall frequency of a core melt accident was assessed to be approximately a factor of 40 greater at Calvert Cliffs (2 x 10-3 for Calvert Cliffs vs. 5 x 10-5 for Surry).* 6.3.2 Limitations The following limitations were identified in this analysis: o The Calvert Cliffs Final Safety Analysis Report and limited discussions with plant personnel ws:;e the primary sources of information utilized in this study. A more rigorous analysis would require additional information. This upgraded information base should include as-built piping and instru-mentation diagrams, plant procedures, and direct contacts with the plant personnel and designers for purposes of answering technical questions. o The transient event tree initiating events chosen in this study were the same three chosen in the RSS. A more rigorous analysis should consider more transient initiators. o The majority of the data base utilized in this study was compiled as par't of the RSS. Parts of the RSS data base were developed from generic industry data now more than seven years old.
- Modifications to the AFWS design are proposed which will affect this frequency estimate. A new estimate, which includes the AFWS modifications, is roughly estimated in Section 6.3.2.
6-33
Several of the RSS numbers used directly affected the dominant accident sequence frequencies. If newer, plant specific data were utilized, a significant impact on the sequence frequency estimates may be realized. A more rigorous study should therefore review and update the RSS data and use plant specific data whenever possible. o In the Calvert Cliffs analyses, it has been assumed that primary system natural circulation will be established af ter S2 LOCAs or transients with stuck open relief valves. Sufficient steam generator heat transfer is also assumed throughout these types of accidents. If these conditions do not occur, then Battelle Columbus Laboratories has calculated that the primary system pressure will stabilize above the shutoff head of the HPIS pumps, and core melt- , 1 down may occur solely due to the initiating event (see Appendix C). Analytical results presented in Reference 10 indicates that two phase natural circulation will occur during these accidents. This was the basis for our assump-l tion. However, Reference 10 also indicates that inadequate l ! experimental research has been performed to verify two phase natural circulation. o This study attempted to identify huraan errors which could i degrade or lead to failure of the safety systems responding to a LOCA or transient. These human errors were of two basic types, (1) those errors occurring during routine i 6-34 l l
operation, such as inadvertently leaving valves in the wrong position, and (2) errors which occur during the course of an accident, such as an operator failing to manually initiate the Auxiliary Feedwater System when needed. In order to assess operator errors during the course of an accident, the analyst must be aware of the plant parameter indications which the operator is relying upon to make decisions in the control room (e.g., at TMI the operator terminated the high pressure injection system because of a high pressurizer level indication). To gain these types of insights, it is recommended that future, more complete analyses perform detailed calculations of plant system dynamics associated with each accident sequence and thoroughly review operating and emergency procedures. o This study was based upon an AFWS design which is scheduled to be upgraded. The AFWS modifications will be completed during the November 1982 outage of Unit #2 and the November 1983 outage of Unit #1. The upgrade will affect some of the frequency estimates of the accident sequences identified in this study. Five of the sequences affected-are included among the dominant ones described in Section 6.1. The AFWS upgrade will briefly be described here and a rough estimate will be made as to how the upgrade might affect these dominant accident sequences and the overall core melt ' frequency for Calvert Cliffs Unit #2. 6-35
The proposed system is depicted in Figure 6-3 (not shown is the turbine driven pump steam supply piping) . As can be seen, the new system has three trains utilizing two steam driven pumps and one electric driven pump. The system is designed to start automatically upon a variety of signals. An intertie will be included so that the electric driven pump at Unit #1 can provide auxiliary feed-water to Unit #2 and vice versa. To intertie the systems, the operator must perform some actions from the control room. Recent discussions with Baltimore Gas and Electric personnel indicate that one of the two steam driven pumps will have its steam supply normally blocked off with a manual valve. Use of this pump will therefore require operator actions away from the control room. The motor operated valves in the turbine steam supply piping will be changed to air operated valves which will fail safe. Some of the more important changes to the AFWS are summarizea below. AFWS Analyzed in Proposed AFWS Safety Significance This Study Change of Proposed Change (App B13) Two steam driven One steam driven Enhanced system pumps and one electric redundancy pump with two other pumps available given operator action. Manually initiated Automatically Less reliance on system initiated system. operator action. 6-36
AFWS Analyzed in Proposed AFWS Safety Significance This Study Change of Proposed Change (App B13) MOVs in steam Air operated System is immed-driven pump steam valves in steam iately available supply lines driven pump following a total which fail steam supply loss of AC power. closed. lines which Less reliance on fail open. operator action. The upgraded AFWS will be a two train system assuming no operator recovery actions. If these two pump trains fail, the operator has the option of valving in the electric pump from the other unit and/or the second turbine driven pump. It has been conservatively assumed that the operator would only have time to attempt one of these actions in the post accident period. It is also assumed that the appropriate recovery action depends on the type of initiating event, i.e., if the reactor trip is caused by a loss of offsite power (T y), the appropriate action will be to start the second turbine driven pump and if the trip is caused by something other than a loss of offsite power (T2 or T ), the electric pump will be utilized. Since both units 3 will most likely experience a loss of offsite power simultaneously and since both units will need their AFWS to respond to this transient, interunit sharing of the electric pumps may not be possible. For other transients it is likely that the other unit will not trip and thus the recovery option would probably entail use of the other unit's electric AFWS pump since it can be actuated from the control room (Units 1 and 2 share the same control room). Assuming these recovery options, a rough 6-37
estimate of the new AFWS unavailability will be calculated given a T 1 , T2, or T3 transient. The unavailability of the AFWS given a T1 transient is esti-mated to be approximately 4.8 x 10-4 This unavailability is dominated by the following terms: (8 x 10~4) (1 x 10-1) + 2 x 10 -4
+ (0.069) (0.029) (1 x 10~1) = 4.8 x 10 -4
- where, 8 x 10-4 = Approximate unavailability of two pump trains (Appendix B13),
2 x 10-4 = Failure probability of the suction valve which is common to the two turbine pumps and electric pump, 0.069 = Failure of the electric pump to start due to diesel generator service water or hardware faults (Appendix B1), 0.029 = Failure of the turbine driven pump ( Appendix B13), 1 x 10-1 = Failure to recover by starting the second turbine driven pump (Reference 11, high stress model assumed to apply to AFWS recovery actions outside the control room). It can be noted that no recovery is possible given failure of the suction valve since the second turbine pump is also dependent on it (Figure 6-3). The unavailability of the AFWS given a T2 or T3 transient is estimated to be approximately 3 x 10-5 This unavail-ability is dominated by the following two terms: 6-38
(8 x 10-4)(.03) + (2 x 10-4)(.03) = 3 x 10-5 where,
.03 = Failure to reco'rer by starting the other unit's electric pump (Reference 11, lower bound of high stress model assumed to apply to AFWS recovery actions inside the control room).
The other terms are the same as those described for T1 transients. As stated earlier, the proposed AFWS upgrade affects the frequency estimates of five dominant accident sequences. The updated frequency estimates for T IML, T 2ML, and T 3ML are:
~
Tl ML = ( .2) (4.8 x 10-4) = 9.6 x 10 per reactor year, T2 ML = (3)(.1)(3 x 10-5) = 9 x 10-6 per reactor year, and T3 ML = (4)(.01)(3 x 10-5) = 1.2 x 10 -6 per reactor year where, 0.2 = Frequency of T IM, 3.0 = Frequency of T2e 4.0 = Frequency of T3 4.8 x 10-4 = Unavailability of AFWS given T 1,
- 3 x 10-5 = Unavailability of AFWS given T2 or T3' O.1 = Failure to restore the PCS given T2, and
.01 = Failure of the PCS to continue operation given T3' The updated estimate for Tt MLOO' is 9 x 10-5 per reactor year. This is only a small decrease from the original number given in Section 6.1 since the dominant cut sets are due to DC power failures which are unaffected by the updated design.
6-39
The T2 KML frequency estimate drops below 1 x 10-7 since the updated design includes an auto-start which means an operator action is not required following the failure to scram (See the discussion of sequence T2KML in Section 6.1) . With the upgraded AFWS design, the most likely core melt sequence following scram failure would be T KMU 2 and the dominant cut set would her (3.0)(2 x 10-5)(0.1) = 6 x 10-6 where, 3.0 = Frequency of T2e 2 x 10-5 = RPS failure probability (Appendix B3), and 0.1 = Failure of the operator to manually initiate the chemical volume and control system (CVCS). The CVCS delivers boron to the RCS to insure sub-criticality (Reference 11, high stress model assumed to apply to recovery actions following failure to scram.) The proposed AFWS upgrade may have a significant impact on the overall core melt frequency calculated for Calvert Cliffs. Incorporating the recalculated sequence frequencies into the results causes the core melt frequency to be reduced from 2 x 10-3 per reactor year to approximately 4 x 10-4 per reactor year. It should be noted that this is only an estimate of how the AFWS upgrade would affect the results. To more accurately account for the new design, a more indepth analysis would be required. 6-40
h i s Table 6-1. Symbols Used in Figure 6-1 Initiating Events , t T1 - Loss of Offsite Power Transient "
.,4 s
!! n T2 - Loss of Power Converdion System Transient Caused by Other Than a Loss of Offsite Power ..s T3 - Transients with the Power Conversion System Initially hvail[able System Failures ,
,e D - Emergency Coolant Injection System, F - Containment Spray Recirculation System H - Emergency Coolant Recirculation System K - Reactor Protection System L - Auxiliary Feedwater System or Recovery of the Power Conversion System 5 M - Power Conversion System (Normal Operation)
Q - Reclosure of Pressurizer Safety / Relief Valves O'- Containment Spray Injection System (transient event tree)- O - Containment Air Recirculati'on and Cooling S'ystem (transient event tree) ' s Containment Failure Modes ,
)
a - Vessel Steam Explosion y p - Containment Leakage 6 - Overpressure Due to Gap Je-cretion 6'- Overpressure Due tc c e * - 3 ration with Containment Failure Delayed Relative to .. ore :r elt Y - Overpressure Due to Hydrogen Burning ( - Basemat Meltthrough 6-41
d Table 6-2. Recovery Terms Appearing in Dominant Accident Sequences s Non Recovery Tarm Description Probability Reference PCSNR Failure to restore the power .1 15, pg. A2-11 conversion system (PCS) within
~30 minutes following a reactor trip caused by a PCS interrup-tion.
LOACRES Failure to restore the auxiliary .1 11, High feedwater system (AFWS) given a Stress total loss of AC power (LOAC). Model The AFWS is restored by opening manual valves in the AFWS steam admission lines. LOPNRL Failure to restore offsite power .1 2 within 3 hours given LOAC. Restoration of offsite power would allow operation of contain-ment systems capable of mitigating the accident. LOPNR8HR Failure to restore of fsite power .03 2 within 8 hours given LOAC and success of AFWS. Restoration of offsite power or a diesel is required to prevent AFWS failure via depletion of the station batteries. DGNR8HR Failure to restore a diesel .7 2 generator within 8 hours given LOAC and success of AFWS. Restoration of a diesel or offsite power is required to prevent AFWS failure via deple-tion of the station batteries. It is assumed repair of only one diesel will be attempted within this time-frame. 6-42
Table 6-2. (Cont.) Non Recovery Term Description Probability Reference NRPORV Failure to recover a stuck .1 11, High open PCRV by closing its Stress block valve given AC Model power is available. This includes the operator failing to close the valve or hardware failure of the valve. NREDF Failure to recover failed .2 2 components within ~1 hour following a stuck open PORV LOCA and f ailure of one or both diesels to pre-vent core melt. Recovery actions consist of restor-ing offsite power so that high pressure injection can be utilized or so that the PORV block MOV can be closed. NRLDF Failure to recover failed .1 2 components within ~3 hours following a stuck open PORV LOCA and failure of a single diesel to prevent core melt. Recovery actions consist of restor-ing offsite power so that high pressure racirculation can be utilized or so that the PORV block MOV can be closed. 6-43
. ~~n Dot t wAffr Pwn CORE MELT RELEASE CATEGORIES ACCIDENT SEQUENCES 1 2 3 4 5 6 7 T2ML a9.0x10-8 (?+616.3x10'4 06.3x10-6 s2.7x10~4 TgML a7.2x10*8 (y+4)$.0x10*4 $5.0x10-6 e2.2x10-4 7 3ML al.2x10-8 (T+6)8.4x10-5 pg,4,go-7 <3.6x10-5 r TgMLoo' al.0x10-8 48.0x10-5 6' 2.0x10'S #7.0x10-7 T 2FM t. a6.0x10*9 g .'+ 4) 4. 2 x10-5 04.2x10~7 <1.8x10-5 T gMO-D a 2. 9 :10*9 (v+6)2.0x10-5 p2.0x10~7 e8.7s10-6 T gMQ-H a2.4x10~9 (y+4)1.7x10-5 pl.7x10-7 e7.2x10-6 T gMO-Fil al.2x10*9 (?+4)8.4x10-6 08.4x10-8 v3.6x10-6 7 2MO-tf aB.5x10-10 (T+d)6.0x10-6 06.0x10-8 e2.6x10-6 CATEGORYI TOTAL 3.3 10*7 1.2x10-4 1.3x10*3 1.1x10-6 g,3xto-5 1.3x10-5 5.7x10-4 1This le an unsmonthed total which includes the contribution from all of the nondominant sequences. 10~ 10 -3 . -------- _4 ,______ i 10 -- I i e _ _ _ _ _ _7
-5 10 --
10 - 6,, 10- '
-8 10 Cat 1 Cat 2 Cat 3 Cat 4 Cat 5 Cat 6 Cat 7 (The solid lines depict the category totals shown above.
The dotted lines depict the results after application of the RSS ' smoothing' technique.) Figure 6-1. Calvert Cliffs Dominant Core Melt Accident Sequences 6-44
22 LEA.st cATEGopf 1 2 3 4 S 4 7 I 19e La ' 42 10*0 t4s10*7 T7 10*7 Y V4s10-6 l 8C 2 42a10*' AD g2s10*6 As g2s10-6 S0 3 c1:10-4 ss 3 t1:10-6
$0 g9:10*6 3
5M 2 e6a10*0 WL e6:10*6 TE 0 s3:10*0 Tapio t1:10-6
-5 tw t fMo'I 8:20 boo d 5.je*7 ,g 3-7 ( C O' L a20 10-> .
10**_ 10*5_ 20**_ 10*I, 10*8 Note: The Probabilities for each release category are the sumations of values of the dominant accident sequences plus a 104 contribution from the adjacent release cate-gory probability. Categories 1, 4, and 5 are totally dominated by sequences in other categories due to this smoothing. Figure 6-2. Surry Dominant Accident Sequences 6-45
p uv.srs uvisn
-e3 r ., e. , ,, ., .... m i ,,,,,,, -*-
j w= s e e
.ucu uw.si, u..sre; l
^'
f '2' 1-__x u=isz
"*" M av4st l
l "I 7 I I l I
" *r?, ' 3, g nwens I
l
"*"' *s ve ns l V i I
1 a.w in w X ,=wi O arvoiss I m i e ! i uvooe4 MV Pt** I I From m .is *='= u ,.3si h --M-D Wv g. _. _ _j CST 12 g n== ! M , ,,,,,,s
-N i ,, X- i uv4 sir uwess uvasse I I
"*
- S 3 8 l l u vasss
' -N n voosa 5---M--U-u voost u vessa
$1ti N V
Notes _
- 1) Dotted lines depict the major changes to the AFWS.
- 2) One of the two turbine pumps will have its steam supply blocked with a closed manual valve (not shown).
Figure 6-3. Proposed Calvert Cliffs Auxiliary Feedwater System Upgrade
f References
- 1. Calvert Cliffs Final Safety Analysis Report, Baltimore Gas and Electric Company, nd., na.
- 2. U. S. Nuclear Regulatory Commission, " Reactor Safety Study -
An Assessment of Accident Risks in U. S. Commercial Nuclear Power Plants." WASH-1400 (NUREG-75/014), October 1975.
- 3. Wooton, R. O., and Avci, H., " MARCH (Meltdown Accident Response Characteristics) Code, Description and User's Manual,"
NUREG/CR-1711, Battelle Columbus Laboratories, October 1980.
- 4. Burian, R. J., and Cybulskis, F., " CORRAL-2 User's Manual,"
Battelle Columbus Laboratories, January 1977.
- 5. Murfin, W. B., "A Preliminary Model for Core / Concrete Interactions," SAND 77-0370, Sandia National Laboratories, August 1977.
- 6. Henry, R. E., and McUmber, L. M., " Vapor Explosion Potential Under LWR Hypothetical Accident Conditions," CONP-770708, Proceedings of the Topical Meeting on Thermal Reactor Safety, Sun Valley, Idaho, July 31 - August 4, 1977.
- 7. Corradini, M. L., Woodfin, R. L., and Voelker, L. E.,
" Preliminary Analysis of the Containment Failure Probability by Steam Explosions Following a Hypotehtical Core Meltdown in a LWR," NUREG/CR-1104, February 1980.
- 8. Corradini. M. L., " Analysis and Modeling of Steam Explosion Experiments," NUREG/CR-2072, April 1981.
- 9. Murfin, W. B., " Report of the Zion / Indian Point Study:
Volume 1," NUREG/CR-1410, August 1980.
- 10. U. S. Nuclear Regulatory Commission, " Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accidents in Combustion Engineering Designed Operating Plants,"
NUREG-0635, January 1980.
- 11. Swain, A. D., and Guttmann, H. E., " Handbook of Human Reliability Analysis With Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278 (draft report), April 1980.
- 12. U. S. Nuclear Regulatory Commission memorandum to Karl Kniel, Generic Issues Branch, DST, from Brian W. Sheron, Reactor Systems Branch, DSI, on the status of feed and bleed for emergency decay heat removal, March 31, 1981.
- 13. Baranowsky, P. W., Kolaczkowski, A. M., and Fedele, M. A.,
"A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants," Nuclear Regulatory Commission NUREG-0666, April 1981.
REF-1 l
- 14. U. S. Nuclear Regulatory Commission, " Anticipated Transients Without Scram for Light Water Reactors," NUREG-0460, April 1978.
- 15. G. J. Kolb, S. W. Hatch, P. Cybulskis, and R. O. . Wooton.
" Reactor Safety Study Methodology Applications Program:
Oconee #3 PWR Power Plant," NUREG/CR-1659, Volume 2, Sandia National Laboratories, Revised May 1981.
- 16. Memorandum from B. W. Sheron, NRC, to T. P. Spels, NRC, Subject, Feed and Bleed Capability in CE Plants Both With and Without PORVs, February 11, 1982.
- 17. R. B. Worrell, D. W. Stack, "A SETS User's Manual for the Fault Tree Analyst," SAND 77-2051, Sandia National Laboratories, November 1978.
9 i $ REF-2
APPENDIX Al LOCA EVENT TREE - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION F?.GE
1.0 INTRODUCTION
........................................ A&-3 2.0 CALVERT CLIFFS LOCA EVENT TREES ..................... Al-3 2.1 Event Tree Functions and Functional Success Criteria ............................... Al-3 2.1.1 Reactor Subcriticality Success Criteria . Al-4 2.1.2 Containment Overpressure Protection from Steam Evolution Success Criteria ........ Al-4 2.1.3 Post Accident Radioactivity Removal Success Criteria ........................ Al-5 2.1.5 Emergency Core Cooling Success Criteria . Al-5 2.2 Event Tree Definitions and Tree Development .... Al-6 2.2.1 Events A, S S - Breaks in the Reactor Coolant Sy ske,m k RCS ) . . . . . . . . . . . . . . . . . . . . . Al-6 2.2.2 Event K - Reactor Protection System (RPS) Al-7 2.2.3 Event C - Containment Spray Injection System (CSIS) ........................... Al-7 2.2.4 Event Y - Containment Air Recirculation and Cooling System (CARCS) During Injection Phase ......................... Al-7 2.2.5 Event D - Emergency Coolant Injection System (ECIS) ........................... Al-8 2.2.6 Event F - Containment Spray Recirculation System (CS RS) ........................... Al-9 2.2.7 Event Z - CARCS During Recirculation Phase ................................... Al-9 2.2.8 Event H - Emergency Coolant Recirculation System (ECRS) ........................... Al-10 Al-1
I i 4 TABLE OF. CONTENTS (Cont.) i ! SECTION PAGE
-2.2.9 Event G - Containment Heat Removal.
(CHR) ..................................'Al-ll 3.0 COMPARISON OF CALVERT CLIFFS AND SURRY LOCA
- EVENT TREES ........................................ Al-12 6
Y 4 d A i 4 1 4 ) I I s I 5 I 4 1 4 I 1 Al-2 1, n
1.0 INTRODUCTION
The Calvert Cliffs LOCA event tree is displayed in Figure Al-1. For comparison, the Surry LOCA event trees are shown in Figures Al-2, 3, and 4. A discussion of the functions the Calvert Cliffs plant systems perform following a LOCA and the criteria which define function success are discussed in Section 2.1. The Calvert Cliffs LOCA aystem event tree is explained in detail in Section 2.2. Following, in Section 3, a comparison of the Calvert Cliffs and Surry LOCA event trees is made. 2.0 CALVERT CLIFFS LOCA EVENT TREES 2.1 Event Tree Functions and Functional Success Criteria There are four basic functions which the Calvert Cliffs safety systems perform given a LOCA:
- 1) render reactor subcritical
- 2) provide emergency core cooling 31 prevent containment overpressure failure due to steam evolution
- 4) remove radioactive materials from containment atmosphere Except for the first function which must be performed immediately following a LOCA, each of the remaining functions can fail either during the injection phase (water drawn from RWST) or after the switch over to the recirculation (water drawn from containment sump) phase for a sustained protection. This results in seven functions involving the success or failure of various safety systems.
Al-3
l i The combinations of plant systems which are required to i successfully perform these functions for a variety of LOCA sizes will now be discussed. Refer to Table Al-1 for a summary of this discussion. 2.1.1 Reactor Subcriticality Success Criteria To halt the fission prescess and thus achieve reactor subcriticality following small LOCAs, the Reactor Protection System (RPS) is required to insert its control rods into the core. For LOCA sizes greater than about 6" in diameter, however, the reactor is automatically rendered subcritical due to core voiding caused by the LOCA and subsequent core reflood by borated water from the core flood tanks or emergency core cooling system. These larger LOCAs, therefore, do not require the RPS. 2.1.2 Containment Overpressure Protection From Steam Evolution Success Criteria The Calvert Cliffs FSAR states on page 6-17 that:
- . "Any of the following combinations of equipment will provide sufficient heat removal capability to maintain the post-incident containment temper-ature and pressure below their design value
- a. Two containment spray pumps will provide 100 percent cooling capacity, i
- b. One containment spray pump in con-junction with two containment air cooling units will provide more than 100 percent cooling capacity.
- c. Three containment air cooling units will provide 100 percent cooling capacity."
This criteria for success has been found in subsequent j research by Battelle Columbus Laboratories to be overly conservative. Al-4
Their research has shown that one spray subsystem or one fan cooling unit and their associated secondary cooling water systems will provide adequate pressure control during both the injection and recirculation phases. (During the recirculation phase, heat must also be extracted from the spray water via the CCW heat exchanger.) This more realistic criteria was used in this study. 2.1.3 Post Accident Radioactivity _ Removal Success Criteria In addition to its depressurization function, the containment spray system scrubs the containment atmosphere of radioactive materials. The operation of one spray subsystem is adequate to perform this function during both the injection and recircula-tion phases. 2.1.4 Emergency Core Cooling Success Criteria The Calvert Cliffs FSAR states: " Analysis of the loss-of-coolant incidents are performed assuming minimum engineered safety features which includes only one high pressure pump, one low pres-sure pump, and four safety injection tanks (one spilling through the break) . " This FSAR statement was used as the success criterion in the large (A) LOCA analysis and was used to deduce the other LOCA success criteria. Because of the slow pressure decay follow-ing S and S LOCAs, it is assumed that only the high pressure 1 2 system is applicable. For the small (Sy) LOCA, the flooding flow must also be supplemented by heat removal through the auxiliary feedwater system (AFWS). It is assumed, as in the RSS, that the PCS will be unavailable and core melt'will occur without AFWS operation for this size LOCA. Table Al-1 illustrates the combina-tions of system success needed for successful emergency core cooling for each LOCA break size. Al-5
2.2 Event Tree Definitions and Tree Development The Calvert Cliffs LOCA event tree is displayed in Figure Al-1. The systems which perform the eight functions make up the event tree headings. Dependencies among these systems dictate the event tree structure. A single LOCA event tree is an adequate representation for the entire spectrum of break sizes, since the tree structure and tree headings are identical for all breaks. However, some of the tree headings definitions do differ depending on the LOCA break size. A discussion of the heading definitions and tree structure follows. 2.2.1 Events A, S1, S7, - Breaks in the Reactor Coolant System (RCSt Based on a study of the FSAR, it was determined that the three LOCA sizes used in the RSS were adequate to describe the ECCS requirements at Calvert Cliffs. The LOCA initiating events are due to random ruptures of the RCS and fall in the following break size ranges: LOCA Equivalent Diameter (D) Probability Per Reactor Year A D> 6 inches 1.0x10-4 S 1 2" < D < 6" 3.0x10-4 S 2 D< 2 inches 1.0x10-3 In addition to random ruptures, LOCAs can be transient induced. This latter type is caused by the failure of an RCS relief valve to reclose after being demanded in response to a transient. This LOCA would fall in the S2 LOCA break size range. Al-6
2.2.2 Event K - Reactor Protection System (RPS) The definition is the same as the reactor subcriticality function given in Section 2.1.1. Sequences 34 through 66 on f ( the Calvert Cliffs transient event tree depict ATWS events and were not delineated explicitly on the tree. The event tree structure is the same for these sequences as for sequences 1 through 33. This was done to simplify the event tree. The RPS is required and therefore given a success / failure choice following Si and S2 LOCAs. For large (A) LOCAs, the RPS function is defined an succeeded. This is because the break quickly blows down the reactor and borated ECC water will prevent the fission process from restarting even if the RPS fails. 2.2.3 Event C - Containment Spray Injection System (CSIS) The function of the CSIS for this event is to reduce contain-ment pressure by quenching steam released by the LOCA. The CSIS delivers spray to the containment atmosphere through dual trains consisting of redundant spray headers and pumps. During the injection phase, water is drawn from the Refueling Water Storage Tank (RWST). Successful CSIS operation for event C requires flow from one of the two pump trains. The success or failure of the CSIS does not depend on the LOCA size or RPS and thus, a success / failure choice is always given. 2.2.4 Event Y - Containment Air Recirculation and Cooling System (CARCS) During Injection Phase Thic system draws the containment atmosphere past cooling coils which are cooled by service water and saltwater systems Al-7
(e.g., the coils are cooled by service water and the service water is cooled by saltwater) to remove heat from containment. It is thus a means of reducing containment pressure caused by released steam. The CARCS consists of four air fans and associated coolers. Successful operation requires cooling from one of the four fan units. The success or failure of the CARCS does not depend on any 1 events preceeding it so a success / failure choice is always given. 2.2.5 Event D - Emergency Coolant Injection System (ECIS) The ECIS is a group of four subsystems that operate in different combinations to prevent core damage for various LOCA break sizes. These subsystems are the safety injection tanks (CLAS), the high pressure injection system (HPIS), the low pressure injection system (LPIS), and the auxiliary feedwater system (AFWS). There are four safety injection tanks which automatically deliver j borated water to the reactor vessel when system pressure is below 200 psig. Borated water is also injected into the core by two s low-pressure and three high-pressure injection pumps taking suction
- from the Refueling Water Storage Tank. Steam generator cooling via the auxiliary feedwater system is required for S2 LOCAs to reduce the reactor coolant. system pressure to a level such that the HPIS can deliver water to the core (HPIS shutoff head is approximately 1200 psig).
Successful operation of the ECIS, given RPS success, as a l l function of break size requires the following combinations of subsystems: Al-8
LOCA Functional Success A 3 of 4 CLAS and 1 of 3 HPIS and 1 of 2 LPIS S1 1 of 3 HPIS S2 1 of 3 HPIS and 1 of 2 AFWS A success / failure choice for the ECIS is always given. 2.2.6 Event F - Containment Spray Recirculation System (CSRS) This event describes the early recirculation mode of the con-tainment spray system. The CSRS uses most of the same components as used in the injection mode. Two pump trains recirculate sump water to the containment spray headers to provide for containment overpressure protection and radioactivity removal. Successful CSRS operation requires flow from one of two pump trains. Since the CSIS and CSRS share most of the same equipment, failure of the CSIS precludes success of the CSRS. Therefore, no success / failure choice is given for event F, given the failure of event C. 2.2.7 Event Z - CARCS During Recirculation Phase The CARCS which depicts this event and requirements for success are identical to those for event Y. No change in the CARCS operating state is required, as is the case with the con-tainment spray and emergency core cooling systems, which must be realigned from the RWST to the sump at the start'of the recircu-lation phase. All that is required is the continued operation of Al-9
tho CARCS. Thic svcnt is includ2d in ordar to diccarn CARCS failure which occurs during the recirculation phase. Since the timing of this system's failure can affect the consequences of an cecident sequence, event Z was included. Since the CARCS is modeled by both events Y and Z, failure of the CARCS in the injection mode, event Y, precludes success of the CARCS in the recirculation mode, event Z. Therefore, no success / failure choice is given for event Z given the occurrence of event Y. 2.2.8 Event H - Emergency Coolant Recirculation System (ECRS) The High Pressure Recirculation System (HPRS) and Low Pressure Recirculation System (LPRS) provide for recirculation of water from the containment sump to the reactor core. For nmall LOCAs, emergency coolant recirculation (ECR) is accomplished by the HPRS since RCS pressure will be too high for LPRS operation. For large (A) LOCAs, the RCS pressure will be low enough so that either the HPRS or LPRS will successfully accomplish ECR. The HPRS and LPRS represent the recirculation modes of the HPIS and LPIS realigned to take coolant from the sump rather than from the RWST. Success of the ECRS -requires the following combinations of subsystems as a function of LOCA sites LOCA Functional Success A 1 of 3 HPRS or 1 of 2 LPRS Si 1 of 3 HPRS S2 1 of 3 HPRS Since the HPIS/HPRS and LPIS/LPRS share most of the same equipment, failure of the HPIS and LPIS precludes success of the Al-lO
HPRS and LPRS. Therefore, no choice is given for event H given the failure of ECI, event D. (It was assumed, though not exactly correct, that failure of ECI implies failure of ECR. It can be noted by referring to Section 2.2.5, for example, that for an A LOCA, ECI can fail due to failure of the safety injection tanks alcae. If this ECI failure mode occurs, event H would not be pre-cluded. This assumption was also made in the RSS.) 2.2.9 Event G - Containment Heat Removal (CHR) As discussed in Section 2.1.2, there are two methods of pro-viding containment overpressure protection during the recirculation phase of a LOCA. One means of providing successful containment heat removal (i.e., containment overpressure protection) is by the operation of 1 of 4 CARCS fan trains. No success / failure choice is therefore necessary for accident sequences in which the CARCS has succeeded, events Y or 5. Another method of providing CHR is the operation of one CSRS train with heat being removed from the containment via the shut-down cooling heat exchangers. Operation of the CSRS in events C and F did not require that cooling water be supplied to the secondary side of the shutdown cooling heat exchangers. Operation of the CSRS for event G requires that component cooling water flow is available to the heat exchangers and that the saltwater cooling system is available to cool the component cool'ing water. To summarize, success / failure choices representing tais method of CHR are given only if (i) event Z (or Y) occurs (CHR would already be defined as succeeded if event I occurs) and (ii) event E, the Al-11
CSRS succeeds. Also, since a containment spray train is required, if both fail, CHR by this method fails. Therefore, no success / failure choice is given if either occur. 1 3.0 COMPARISON OF CALVERT CLIFFS AND SURRY LOCA EVENT TREES 1 The RSS constructed three LOCA event trees representing plant response to three different break size ranges for the Surry reactor (see Figures Al-2, 3, 4). Due to substantial differences in event tree structure and the event tree headings, a single LOCA tree was not an adequate representation of the plant response and thus, three trees were created. For the Calvert Cliffs reactor, as dis-cussed previously, one tree was an adequate representation. Due to plant design differences, events Y and Z appear only on the Calvert Cliffs event tree. These events represent the CARCS which is a system not present at Surry. Likewise, the Surry event trees included an event I, the sodium hydroxide system; a corresponding system does not exist at Calvert Cliffs. The Surry event trees include an event depicting the loss of electric power, event B. Since the electric power systems do not, in themselves, perform a post accident mitigating function, it was decided to incorporate these systems into the fault trees. This serves to simplify the Calvert Cliffs event tree structure. The Surry A LOCA tree had an event called emergency cooling, functionability, event E. This event represented those occasions when ECIS operates, but the core was uncoolable (e.g., failure of core supports resulting in an uncoolable geometry, steam binding from excesnive secondary side steam leakage, etc.) This event Al-12
was based on conservative assumptions regarding lack of function-ability. It was not included on the Calvert Cliffs tree because it is a relatively small contributor to core cooling failure when compared with the unavailability of the ECIS itself. If it were included, the event tre4 structure subsequent to its success / failure would be identical to that already represented by the structure subsequent to event D. Eliminating event E, there-fore, simplifies the event tree structure and was removed on the Calvert Cliffs tree. The Surry S2 LOCA tree has an event L which is not present on the Calvert Cliffs tree. At Surry, for a small (S2) LOCA, the RCS must be depressurized by the Auxiliary Feedwater System (AFWS) so that the ECIS can operate. At Calvert Cliffs, for a small (S2) LOCA, the AFWS is also required so that the ECIS can operate. Since the AFWS is considered a part of the ECIS for S2 LOCAs, it was included as part of event D. Eliminating event L, therefore, simplifies the event tree structure and was removed on the Calvert Cliffs tree. And finally, the Surry event trees treated LOCAs initiated by transients (e.g., stuck open RCS relief valves) directly on the transients event tree and assumed they were core melts. The Calvert Cliffs transient event tree treats these sequences as a type of LOCA (see Appendix A20) . Once that it is determined that a transient has become a LOCA, th 9eauence is no longer continued on the transient tree, but is analyzed as an S2 LOCA on the LOCA tree. Al-13
Table Al-1. Alternate Equipment Success Combinations for Functions Incorporated into the Calvert Cliffs LOCA Event Tree Injection Phase Recirculation LOCA Reactor Containment Containment Size Suberiticality Overpressure Post Accident Emergency Overpressure Post Accident Emergency protection Radioactivity Core Protection Radioactivity Core Due to Steam Removal Coolingl Due to Steam Removal Cooling Evolution Evolution Reactor Protec- 1/2 Contain- 1/2 CSIS 1/3 High 1/2 Contain- 1/2 CSRS 1/3 High tion System ment Spray Pressure ment Spray Pressure (RPS) Required Injection Injection Recirculation Recircu-0-2" (CSIS) OR 1/4 (HPIS) (CSRS) with lation S2 ContainEnt AND 1/2 Shutdown (HPRS) LOCA Air Recurcu- Auxiliary Cooling Heat lation Fan Feedwater Exchanger OR > Coolers (AFWS) 1/4 CARCS ~ y (CARCS) 1d b 2-6" S1 1/3 HPIS LOCA l
%/
3/4 Safety 1/3 HPRS Injection OR Tanks AND
>6" RPS 1/3 HPT5'-
A Not AND 1/2 Low LOCA Required 1/2 ~ Low Pressure Pressure Recurcu-Injection lation
%# \'
(LPIS) \# N (LPRS) l It is assumed that for small (S2) LOCAs, natural circulation is established.
thCA RPS CSIS ECIS CSRS " ( C) No. Sequence Result F C Y D F 2 H G A.Sg,Sy Fey to Results S - Safe Condition g R 1 14CA S CM - Core Melt ' g H CM 2 E E g , 3 E S i G 4 EG CM 2 5 5 EH CM H 5 ! C 6 ZHG CM 5 1 F S l
! H 8 FH CM y E 9 FE CM i H 10 F1H CM I 11 D CM F g 12 DZ CM D l C 13 D2G CM Y 14 DF CM i g i 2 15 DF3 CM 6 16 Y S
_ i G 17 YG CM U 18 YH CM sequence 3 H i for trenaient 5 i G' 19 YHG CM event tree E YF G Y ! H' 21 YTH CM 5 22 YD CM
l C 23- YDG CM D
F 24 YDF CM H 25 C S Success y ,
, H 26 CH CM di D E 27 CZ CM Y l H 28 C2X CM i- D '
C s 2 30 CD2 CM l 1r H 31 CY CM g Failure sequences 35 and 25 f rom ! H 32 CYH CM i y transtant event tree 33 CYD CM
.D K 34-66 K's ,
Figure Al-1. Calvert Cliffs LOCA Event Tree ;
L *' F EP l CSIS ECl ECF CSRS CHRS LPRS SHA LOCA SEQUENCE A B l C D E F G H I
, 1. A
' 2. Al
, 3. AH
' 4. AHI
, 5.'AG AHG
- 6. AGl. AHGI
, 7. AF. AHF
- 8. AFl. AHFI
, 9. AE
' 10. AEl i 11. AEG
- 12. AEGI i 13. AEF
- 14. AEFI i 15. AD
' 16. ADI i 17. ADG
- 18. ADGI i 19. ADF
' 20. ADFl i 21. AC
' 22. ACI i 23. ACH
' 24. ACHI
, 25. ACG. ACHG yes i 26. ACGl.
ACHGI
- 27. ACF. ACHF
, 28. ACE
' 29. ACEI i 30. ACEG 31 ACEGI
- 32. ACEF i 33. ACD
' 34 ACDI No , 35. ACDG
' 30. ACDGl
- 37. ACDF
- 38. AB Figure Al-2. RSS PWR Large LOCA Event Tree Al-16
l b**'I l EP RPS CSIS ECI CSRS CHRS ECR SHA LOCA # SEQUENCES St ' B K C D F G H I
- 1 S1
' 2 Sil i 3 S1H 4 S1HI i 5 StG.S1HG 6 StGl. S1HGl 7 S1.51HF F
8 S1F l. S1H FI i 9 S1D
' 10 SIDI
, 11 SIDG
' 12 SIDGI i 13 SIDF
' 14 SIDFl i 15 SIC 16 S1Cl i 17 SICH 18 51 CHI
, 19 SICG
' 20 SICGI 21 SICF
- 22 SICD 23 S1CDI
, 24 SICDG 25 SICDGI 26 SICDF
- 27 S1K 28 SiKI i 29 SiKG 30 S1KGl i 31 S1KF
' 32 51KF1 33 51KC No 34 S1KCG 35 S1KCF 36 stb 37' StBK Figure Al-3. RSS FRR Small (Sy } LOCA Event Tree Al-17
l S GOC EP ' RPS p .jf CSIS ECl CSRS CHRS ECR SHA l , S 2 B lK L C D F G H I i 1 S 2 2 S I' 2 i 3 SH2 4 S2HI i 5 S2G, S2HG S S2GI, S 2HG1 j 7 S2F, S 2H F 8 S FI, S HFI 2 2
, 9 SD2
' 10 SyDI
, 11 S2DG
' 12 S2DGI 13 S2DF 14 SyDFl
, 15 SC 2
16 S2CD 17 S' 2 18 S 'I 2 i 19 S2LG 20 S2LGI i 21 S2LF
' 22 S2LFI Yes 23 S2LC
)L
, 24 SK2
"" 25 S2KI 26 SyKG 27 S2KGl
,- 28 S2KF i S2KFI y 29 30 S2KC No i 31 SB2 32 S2BK Figure Al-4. RSS PWR Small (S2) LOCA Event Tree Al-18
r APPENDIX A2 TRANSIENT EVENT TREE - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
........................................ A2-3 2.0 CALVERT CLIFFS TRANSIENT EVENT TREES................. A2-3 2.1 Event Tree Functions and Functional Success Criteria ............................... A2-3 2.1.1 Reactor Subcriticality Success Criteria ................................ A2-4 2.1.2 Core Cooling Success Criteria ........... A2-4 2.1.3 Reactor Coolant System Overpressure Protection Success Criteria ............. A2-5 2.1.4 RCS Integrity Success Criteria .......... A2-6 2.1.5 Containment Overpressure Protection Due to Steam Evolution Success Criteria ................................ A2-6 2.1.6 Post Accident Radioactivity Removal Success Criteria ........................ A2-7 2.2 Event Tree Definitions and Tree Development .... A2-7 2.2.1 Events T1, T2, T3 - Transients Requiring a Rapid Reactor Shutdown ...... A2-8 2.2.2 Event K - Reactor Protection System ..... A2-8 2.2.3 Event M - Secondary Steam Relief and Uninterrupted Operation of the Power Conversion System ................. A2-8 2.2.4 Event L - Secondary Steam Relief and Auxiliary Feedwater System or Recovery of the Power Conversion System .................................. A2-10 2.2.5 Event P1 - Safety / Relief Valves Demanded ............................... A2-ll A2-1
TABLE OF CONTENTS (Cont.) SECTION PAGE 2.2.6 Event P2 - Safety / Relief Valves Open . . . A2-12 2.2.7 Event O - Safety / Relief Valves Reclose ............................... A2-12 2.2.8 Event U - Chemical and Volume Control System ........................ A2-13 2.2.9 Event O - Containment Air Recirculation and Cooling System . . . . . . . A2-13 2.2.10 Event O' - Containment Spray Injection System ...................... A2-14 3.0 COMPARISON OF CALVERT CLIFFS AND SURRY TRANSIENT EVENT TREES ........................................ A2-14 A2-2
1.0 INTRODUCTION
The Calvert Clif fs transient event tree is display.ed in Figure A2-1. For comparison, the Surry transient event tree is shown in Figure A2-2. A discussion of the functions the Calvert Cliffs plant system perform following a transient and the criteria which defines function success is discussed in Section 2.1. The Calvert Cliffs transient system event tree is explained in detail in Section 2.2. In Section 3, a comparison of the Calvort Cliffs and Surry transient ovent trees is made. 2.0 CALVERT CLIFFS TRANSIENT EVENT TREES 2.1 Event Tree Functions and Functional Success Criteria In response to a transient, the Calvert Cliffs reactor systems perform the following functions during the early phase of reactor shutdown:
- 1) render reactor suberitical
- 2) prevent reactor coolant system (RCS) overpressure
- 3) provide RCS integrity ,
- 4) provide core cooling Reactor subcriticality must be achieved immediately following the transient. RCS overpressure protection is required following certain anticipated transients or if a delay is experienced in 4
achieving core cooling. RCS integrity is required to. prevent a small small (S2) LOCA af ter the successful performance of the RCS overpressure protection function. Core cooling must be provided within 30-60 minutes to prevent core damage. A2-3 ' P 9*
The functions stated above are required to bring the plant to a hot shutdown condition. Since Calvert Cliffs can be maintained in a hot shutdown condition without threatening a core melt for an extended period of time, the above functions are an adequate representation of the important Calvert Cliffs PWR transient functions. If successful mitigation of the transient cannot be achieved and a core melt ensues, the following plant functions can aid in lessening the consequences of the accident.
- 5) radioactivity removal from the containment atmosphere
- 6) containment overpressure protection due to steam evolution The combinations of plant systems which are required to successfully perform these functions for a variety of transients will now be discussed. Refer to Table A2-1 for a summary of this discussion.
2.1.1 Reactor Subcriticality Success Criteria To halt the fission process and thus achieve reactor sub-criticality following transients, the Reactor Protection System (RPS) is required to insert its control rods into the core. 2.1.2 Core Cooling Success criteria After achieving reactor subcriticalsty, post shutdown decay heat must be removed from the reactor coolant system. This is normally accomplished by delivering feedwater flow from the power conversion system to the steam generators and boiling off of this water to the condenser or to the atmosphere via the secondary safety / relief valves. If, however, the shutdown A2-4
involves a loss of the power conversion system, a backup decay heat removal system must be used. The backup system at Calvert Clif fs is the Auxiliary Feedwater System (AFWS). This system consists of two 100% capacity steam driven pumps. Successful auxiliary feedwater operation requires flow from one of the steam driven pumps to at least one steam generator. The two methods of core cooling discussed thus far have assumed that reactor suberiticality was achieved. If reactor subcriticality is not achieved, and a failure of the power con-version system also occurs, a RCS pressure of greater 4000 psi may occur (reference 4). If the RCS does not rupture, research at Battelle Columbus Laboratories has shown that the core can be maintained in a shutdown condition and successfully cooled with the operation of the chemical volume control system pumps and the auxiliary feedwater system. 2.1.3 Reactor Coolant System Overpressure Protection Success Criteria Reactor Coolant System (RCS) overpressure protection is required for certain anticipated transients and incidents where core cooling is delayed or the Reactor Protection System fails. For some transients, the surge capacity of the pressurizer would suf fice to accept the transient event with only a small surge in the pressure occurring. For more severe transients, such as those involving failure of the RPS to make the reactor subcritical, the operability of the pressurizer safety / relief valves would be required to prevent a potential rupture of the RCS. A2-5
Two RCS pressurizer safety valves and two power operated relief valves are provided for the Calvert Cliffs reactor. For those anticipated transients where the RPS operates, operation of two of the above valves would limit the RCS overpressure transient to less than 110 percent of the RCS design pressure. For those anticipated transients without scram (ATWS), all four valves are needed to limit RCS pressure to less than 150 percent of the design pressure (Reference 4). 2.1.4 RCS Integrity Success Criteria The RCS pressurizer safety / relief valves that open as a result of a transient event must all reclose to prevent a discharge of an excessive quantity of coolant from the RCS. Otherwise, a valve sticking open following the transient event of interest would result in a loss of coolant event covered in small small LOCA sequences. 2.1.5 Containment Overpressure Protection Due to Steam Evolution Success Criteria It is stated in 6.4.4 of the FSAR, Design Evaluation of the Spray System (p.6-17), that:
"Any of the following combinations of equipment will provide sufficient heat removal capability to maintain the post-incident containment temperature and pressure below their design values
- a. Two containment spray pumps will provide 100 percent cooling capacity.
- b. One containment spray pump in conjunction with two containment air cooling units will provide more than 100 percent cooling capacity.
- c. Three containment air cooling units will provide 100 percent cooling capacity. "
A2-6
This criterion for success has been found in subsequent research by Battelle Columbus Laboratories to be conservative. Their research has shown that one spray subsystem or one fan cooling unit will provide adequate pressure control if required following a transient initiating event. This more realistic criteria will therefore be used. 2.1.6 Post Accident Radioactivity Removal Success Criteria In addition to its depressurization function, the containment spray system scrubs the containment atmosphere of radioactive materials. The operation of one spray subsystem is adequate to perform this function if it should be required during a core meltdown. An additional system which is designed to remove radio-active material from the containment atmosphere is the Containment Iodine Removal System (CIRS) . The CIRS consists of three 50% fan units which pull the containment atmosphere through charcoal and high ef ficiency particulate filters. The CIRS was not modelled into the Calvert Cliffs accident sequences because of the negligible effects the system would have on the consequences of a core melt accident. 2.2. Event Tree Definitions and Tree Development The Calvert Cliffs transient event tree is displayed in Figure A2-1. The systems which perform the six functions make up the event tree headings. Dependencies among these systems dictate the event tree structure. A single transient event tree was deemed to be an adequate representation for all transient A2-7
initiating events considered. A discussion of the heading definitions cnd tree structure follows. 2.2.1 Events Tig_T23_Tj - Transients Requiring a Rapid Reactor Shutdown The same three transients chosen in the RSS were also chosen to represent a spectrum of transient initiators at Oconee. These were designated: T1 - Reactor shutdown initiated by a loss of offsite power ( .2 per reactor year) T2 - Reactor shutdown initiated by a loss of the power conversion system caused by other than a loss of offsite power (3 per reactor year) T3 - Reactor shutdown initiated by other causes in which the power conversion system is initially available (4 per reactor year) 2.2.2 Event K - Reactor Protection System (RPS) The definition is the same as the reactor suberiticality function given in Section 2.1.1. The RPS is given a success / failure choice following all three transients. 2.2.3 Event M - Secondary Steam Relief and Uninterrupted Operation of the Power Conversion System The functions of the secondary steam relief system and the power conversion system are to maintain the coolant inventory in the steam generators and to transfer core heat to the environ-ment. The power conversion system (PCS) consists of'the condensate-feedwater system and the turbine bypass system. Under normal operation, feedwater from the condenser hotwell is supplied to the steam generators by two electrically-driven A2-8
condensate pumps (another on standby ), two electrically-driven condensate booster pumps (another on standby), and two steam driven main feedwater pumps. The system is designed to operate in several different modes dependent on conditions resulting from the initiating transient event. Each mode also entails a different means of transferring heat to the environment. Following a transient which results in a reactor trip, PCS feedwater flow is throttled to 5% (i.e., decay heat level) and steam bypasses the main turbine via the turbine bypass valve and dumps directly into the condenser. At least one complete train of condensate and main feedwater piping must be intact to deliver water from the condenser hotwell to the steam generator. If the condenser should become unavailable, steam may be dumped to the atmosphere through the atmospheric dump valves. Successful PCS operation following a T3 transient initially requires the automatic throttling of the feedwater flow to approximately 5 percent. Once this has been accomplished, all that is required is the continued operation of the feedwater system. Continued operation is estimated to fail with a prob-ability of 10-2 based on RSS insight. In response to a loss of feedwater transient caused by a hardware problem (T2) or a loss of offsite power (TI), successful feedwater operation requires the recovery of the system. (Recovery of the PCS is modeled as part of event L, but will be described here.) In order to recover following a Tl initiator, offsite power must be restored followed by several A2-9
operator actions to regain the PCS. In order to recover follow-ing a T2 initiator, the problem must be assessed and corrected. Based on discussions with plant personnel, roughly 90% of the T2 type transients could be expected to be recovered within 30 minutes. No estimate was given following T1 transients and, thus, a conservative assumption of no credit was made for PCS recovery within 30 minutes. The PCS is given a success / failure choice following all three transients. However, since the PCS will be interrupted by T1 and T2 transients, event M will always be coupled with the T1 and T2 initiating events in the definitions of the accident sequences. 2.2.4 Event L - Secondary Steam Relief and Auxiliary Feedwater System or Recovery of the Power Conversion System In the event of an interruption of the PCS, decay heat is i removed from the RCS by the Auxiliary Feedwater System ( AFWS) and is transferred to the environment through the main steam atmospheric dump valves. Functioning of the AFWS prevents relief of primary coolant through the pressurizer safety valves and ultimate uncovering of the core. Successful AFWS operation requires the attainment of flow from one of the turbine driven pumps to at least one steam gen-erator. The AFWS is manually initiated upon loss of the PCS by the operator from the control room. Uninterrupted operation of the PCS makes operation of the AFWS or recovery of the PCS unnecessary. Thus, success / failure A2-10 m rw- , y - - y--y- --
---y --- ,iwg,=,y - y yg
choices for event L are given only on sequences involving inter-ruption of the PCS. If the AFWS is unavailable, the operator will attempt to restore the PCS (refer to discussion of PCS recovery in Section 2.2.3). 2.2.5 Event P1 - Safety / Relief Valves Demanded (SR/ Demand) Success of " safety / relief valve demand" (event P1) is defined as the probabilistic demand of the pressurizer safety / relief valves given a transient in which successful core cooling via the steam generators has been established. The probability that the safety / relief valves are demanded af ter loss of offsite power (T1) transients is 1.0. The probability that they will be demanded after T2 or T3 transients is estimated to be .07 for cases where the AFWS and RPS succeed. These proba-bilities were based on PWR operating experience reported in NUREG-0635 for Combustion Engineering reactors (reference 10). A success / failure choice appears only in sequences in which the RPS and AFWS both succeed. If either the RPS or AFWS fail, no choice is given since the relief valves will definitely be demanded. If the RPS and PCS both succeed, no choice is given because it is assumed the relief valves will not be demanded. 2.2.6 Event P2 - Safety / Relief Valves Open (SR/VO) Success of this event is defined as at least 2 S/R valves opening for transients in which the RPS succeeds and 4 opening for ATWS. A2-11
Success / failure choices appear in all sequences in which the pressurizer safety / relief valves are demanded open (refer to discussion of event Pi in Section 2.2.5). The probability used in the sequence analysis for this event was the same as that used in the Reactor Safety Study, 1.0x10-5 per valve. No sequences involving Event P2 were found to be significant contributors to risk at Calvert Cliffs. 2.2.7 Event 0 - Safety / Relief Valves Reclose (SR/VR) As discussed in Section 2.1.4, success of this event requires the closure of all S/R valves. Success / failure choices appear in all sequences in which the pressurizer safety / relief valves successfully opened. An exception to this is the accident sequence in which the reactor protection system and all steam generator cooling fails (KML). For this sequence it is assumed that the safety / relief valves will remain open through core meltdown due to the high RCS pressure. The failure of a single safety / relief valve to close is esti-mated to be 4x10-2 for Calvert Cliffs. Two valves, however, are expected to open for most transients since the setpoints are identical. Therefore, the event O probability can be estimated by : O = (4x10-2 closure failure)(2 valves) = 8.0x10-2, l Credit for possible recovery actions was incorporated by hand on a sequence-by-sequence basis. One possible recovery action considered was the operator closing the PORV block valve and terminating the LOCA. A2-12 __ _ _ _ J
2.2.8 Event U - Chemical and Volume Control System The chemical and volume control system is normally in use during all power operations to control the volume and chemistry of the RCS coolant. It provides for multiple functions to be carried out during plant operations and can be utilized during transients to inject emergency coolant and concentrated boron solution to the reactor core. Success / failure of the CVCS is only included in the sequence where the Reactor Protection System and PCS fail and the AFWS has succeeded (TKM). The CVCS is needed in this sequence to assure the reactor is in a shutdown condition by injecting con-centrated boron solution from the boric acid tanks. If boron injection fails, the reactor could remain at a power level above the decay heat removal capability of the AFWS and could eventually lead to core melt. A .1 probability was used in the sequence analysis for this event which represents failure of the operator to utilize this method of injection. l 2.2.9 Event 0 - Containment Air Recirculation and Cooling System The Containment Air Recirculation and Cooling System (CARCS) is designed to remove heat from the containment after an accident. The system consists of-four air fans and associated coolers. The service water system supplies water to the secondary side of the cooling coils. RBCS success / failure choices appear on all transient sequences leading to a core melt. Successful operation requires cooling from one of four fan cooler units. A2-13
2.2.10 Event O' - Containment Spray Injection System The Containment Spray Injection System (CSIS) supplies spray to the containment atmosphere which condenses steam released into the containment during a core meltdown. It can also have some effect on radioactive material release from the containment if a core melt occurs. It is assumed that the fan coils can operate during a core melt and will not clog up. The CSIS con-sists of redundant spray headers and pumps that deliver cool water to the containment atmosphere from the refueling water storage tank (RWST). Successful CSIS operation requires flow from one of two pump trains. CSIS success / failure choices appear on all transient sequences leading to a core melt. 3.0 COMPARISON OF CALVERT CLIFFS AND SURRY TRANSIENT EVENT TREES The RSS constructed a single transient event tree which represented the plant response to a variety of transients for
; the Surry reactor (see Figure A2-2). As discussed previously, a single transient event tree was also chosen to model a spectrum of Calvert Cliffs transients.
The Surry transient event tree included events U, depicting the operation of the chemical volume and control system, and event W, depicting the residual heat removal system. These systems were required to bring the plant from a hot shutdown to a cold shutdown condition. Since Surry can remain in a hot shutdown condition for an extended period of time without threaten-ing a core melt, these systems were not analyzed in detail and i A2-14 i
were included on the event tree for completeness. Calvert Cliffs can also remain at hot shutdown for an extended period. The equivalent Calvert Cliffs residual heat removal systems were not modeled on the Calvert Cliffs transient event tree for purposes of simplification. The CVCS is included since it is needed to assure the reactor is in a chutdown condition after an ATWS and PCS failure. The Calvert Cliffs transient event tree explicitly includes systems related to containment response (event O and O'). The Surry transient tree did not include these systems. Success / failure of these systems were implied, however, in the surry accident sequence results (refer to Table V3-7 of the RSS; events C and F are the containment spray injection system and containment spray recirculation system respectively) . The Calvert Clif fs P1 event, which represents a probabilistic demand of the pressurizer safety / relief valves, does not appear on the Surry tree. The Surry event tree assumed that the relief valves either were or were not demanded with 100 percent certainty. And finally, the Surry event trees treated LOCAs initiated by transients (i.e., stuck open RCS relief valves) directly on the transient event tree and assumed they were core melts. The Calvert Cliffs transient event tree treats these sequences as LO CAs . Once that it is determined that the transient has become a LOCA, the sequence is no longer continued on the transient tree, but is analyzed as an S2 LOCA on the LOCA tree. A2-15
Table A2-1. Alternate Equipment Success Combinations for Functions Incorporated into Calvert Cliffs Transient Event Tree i J Reactor Containment l Coolant Overpressu re System (RCS) Protection Post-Accident Core Overpressure RCS Due to Steam Radioactivity Subcriticality Cooling Protection Integrity Evolution Removal N I H
, en Reactor Protec- Power Conversion 1/4 Safety / All Safety / 1/4 Containment 1/2 Containment tion System System Relief Valves Relief Valves Air Recirculation Spray System
.j Required Open When Reseat Fan Coolers Trains (CSIS) , Demanded d or or 1 of 2 Auxiliary 1/2 containment < Feedwater Trains Spray System , Trains (CSIS)
SSR and :SSR and Uninter- 'AFWS or rupted PCS RPS PCS Recovery SR/ DEMAND SR/VO SR/VR CVCS CARCS CSIS NO. SEQUENCE RESULTS TE M L Pg Py Q U O O' 2 3T T g,7 K U 1 T S 0 2 TM s F, , F, i i O ______________ 3 TMo- 14CA E E g P' 4 TMP y S'
' #1 5 TMP S O' 6 TML CM 5 ,
" ' O' y yngge cg L. See Note 1 F, O' 8 TMLO CM o ,
0'
' 9 TM140' CM g
O' 10 TMLP 2 CM 5 , O' gg 7ggp 0' CM SUCCESS p, O' 2 O 12 TMLP O
! 0' 13 1MLP y b ' CM CM 14 TK S F, ,
= 0 . ____________ 15 TKO- IACA g.
If M 16 TKP 2 CM M FAILUBE P, O i
' O, 17 TKP2 0' CM 0 CM O , 18 TKP y 0 19 TKPyOO' CM
-4 g 20 TKM S b 5 , 21 Tmu CM O* U 22 TEMUO' CM K O' 23 TKMUO CM O , 0* CM 24 TKMUOO' O -..-- 25 TKMQ- LOCA E _ ------ . 0 26 TKMP. CM 5 , O' Py 27 TEMP2 0' CM O CM O , 28 TKMP2O
' O' 29 TEMPyOO' CM M
- 5 , 30 TKML CM Py 3' 31 TKMI4' CM 0' TKMLO CM O ,
32 KEY TO RESULTS " S - Safe Condition 5 34 TKMLP CM n CM - Core Melt p
- o. 35 m '
m LOCA - Goes to LOCA O' TKMLP O CM 36 2 o. Event Tree ' 37 TEMLP 2OO' CM Note 1. May lead to overcooling transient Figure A2-1. Calvert Cliffs Transient Event Tree
TE M ssp 6 158 L Set set CvCS naps pd a8*5 VO va ses st0VINCE y a u L P O U
- i T I
2 TW 3 fu 4 Tu 3 '
$ TWw n
a Tuu 7 TuL 1
' ' 3 TuLO s
e Tutou 10 f uLP 11 TE I ' 12 Taw I TKO 13 14 TKQ il TEQu 16 TAP 17 Tau le Tauw 3 19 Taug 20 TauO 21 Taucu 22 TauP 4
;3 TauL 24 Ta uLP Figure A2-2. RSS Transient Event Tree, PWR A2-18 i
1 r APPENDIX A3 SURVEY AND ANALYSIS INTERFACING SYSTEMS LOCA - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
...................................... A3-3 1
2.0 CALVERT CLIFFS INTERFACING SYSTEMS ................ A3-3 2.1 Description .................................. A3-3 2.2 System Operation ............................. A3-4 3.0 SURRY INTERFACING SYSTEMS ......................... A3-7 4.0 COMPARISON BETWEEN CALVERT CLIFFS AND SURRY INTERFACING SYSTEMS ............................... A3-7 5.0 CALVERT CLIFFS INTERFACING SYSTEMS EVALUATION ..... A3-8 5.1 Event Tree Interrelationships ................ A3-8 5.2 Determination of the Calvert Cliffs Interfacing Systems LOCA Probability ......... A3-9 t A3-1/-2
1.0 INTRODUCTION
The systems interfacing with the Reactor Coolant System (RCS) in the Calvert Cliffs Unit 2 plant which, if certain isolation failures occur, provide a flow path leading to an extra-containment LOCA, were reviewed and compared with the interf acing systems in the similar PWR design (Surry) evaluated in the Reactor Safety Study (RSS). The important interf acing systems for both Calvert Cliffs and Surry are described and compared in Sections 2 through
- 4. A point estimate probability of a Calvert Cliffs interfacing systems LOCA is given in Section 5.
2.0 CALVERT CLIFFS INTERFACING SYSTEMS 2.1 Description The systems interfacing with the reactor coolant system provide for emergency shutdown and core cooling in the event of an accident. They also provide temperature control for the coolant under normal operating conditions, and collect deaerated tritiated water inside the containment. The Safety Injection System and the Shutdown Cool-ing System provides emergency cooling at both low and high pressures and shutdown cooling at lov pressures. The Chemical Volume and Control System (CVCS) delivers borated water from the boron injection tanks to the core for emergency shutdown cooling. The Reactor Coolant Drain Tank collects deaerated tritiated water from the reactor coolant system. Of these systems, only the Residual Heat Removal System (low pressure safety injection system / shutdown cooling system) aligned in the low pressure injection (norn 1 operating) mode, provides the possibility for a pipe rupture outside A3-3
the containment and concurrent loss of vital emergency core cool-ing systems due to the RCS leakage. The residi'al heat removal system aligned for low pressure emergency coolant injection constitutes the low pressure safety injection system. A schematic diagram of the Calvert Clif fs ECCS is shown in Figure A3-1. The two low pressure safety injection (LPSI) pumps (LP21 and LP22) take th'eir suction from the refueling water tank, during the injection mode, and discharge to the cold legs of the RCS. In the shutdown cooling mode these pumps take suction from the hot leg of coolant loop number two. Two motor electric isolation valves (MOV-001 and MOV-002) and a relief valve in the shutdown cooling line separate the high pressure RCS from the LPIS. These valves and the associated piping are designed to withstand RCS pressures. The rest of the shutdown cooling system is designed for low pressure and subject to rupture if the high pressure RCS coolant inadvertantly enters the system. Three check valves and a motor operated valve separate each LPIS discharge line from the RCS cold legs. Test connections are provided after the first and thirdi check valves to test for leak-age. These valves and associated piping are designed to meet high pressure requirements while the remaining piping and valves in the LPIS discharge lines are designed for low pressure requirements. The check valve closest to the RCS in each line is shared with the line coming from the accumulator. 2.2 System Operation 1First check valve being the closest to the RCS. A3-4
During normal p . ant operation, there are no components of the shutdown cooling or low pressure injection system in operation. The systems are aligned for emergency injection with all components on standby. Two motor operated valves, with a relief valve between the two valves, isolate the suction of both low pressure safety injection pumps from the reactor coolant system hot leg. These MOVs and the valve between the shutdown cooling heat exchangers and the low pressure safety injection header are locked closed d". ring plant operation. The keys are kept under administrative control to ensure that the valves cannot be opened inadvertently during plant operation. An interlock is also provided to prevent the isolation valves from being opened when the upstream pressure exceeds the design pressure of the system. When a safety injection actuation signal is received, the low pressure safety injection pumps start and the discharge line isola-tion valves are opened. If the RCS pressure drops below approximately 200 psig, the LPSI system will start delivering flow, along with the safety injection tanks, through the series check valves into the RCS cold legs. Following reactor shutdown and cooldown the system is operated in the shutdown mode for further cooling of the reactor coolant system when the coolant temperature falls below 300*F and the cool-ant pressure falls below 300 psig. At this time, the system must be manually realigned for shutdown cooling. Prior to placing the system in operation, the boron concentration is verified at various points in the system. During the early stages of shutdown cooling, the cooldown rate is controled by limiting the flow through the A3-5
1 l tube side of the heat exchanger. Constant flow through the core is maintained by using valve SI 306 as a heat exchanger bypass valve. The system utilizes the LPSI pump, taking suction through the shutdown cooling line from the RCS hot leg number two l, to circu-late the reactor coolant through the two shutdown cooling heat exchangers, returning it to the reactor coolant system through the low pressure safety injection header. The entire system is flow tested at each refueling shutdown. There are test connections provided to check for leakage through the:
- 1) Check valve closest to RCS in LPSI discharge line
- 2) Check valve just prior to entering containment in LPSI discharge line
- 3) Motor operated valve within the containment in the shutdown cooling line There are also visual inspections of pump seals, valve packing, flange connections, and relief valves to detect any leakage prior to reactor start-up.
The position of all motor-operated valves are indicated on the 7 control board in the main control room with a visible signal. As stated previously, the shutdown cooling system valves are locked closed during plant operation, both locally and on the control board. The keys are kept under administrative control to ensure that the valves cannot be opened inadvertently. An interlock is 1See accented line in Figure A3-1. A3-6
I l l also provided to prevent the isolation valves from being opened f when the upstream pressure exceeds the design pressure of the system. In the event of main control room evacuation, the necessary control functions are transferable to the auxiliary control room. 3.0 SURRY INTERFACING SYSTEMS At Surry, only one of several interfacing systems includes a direct low pressure /high pressure RCS interconnection which would result in an isolation failure induced extra-containment LOCA. This is the Residual Heat Removal System ( RHRS) aligned for low pressure emergency coolant injection during reactor power operation. A schematic diagram of the Surry (LPIS) is shown in Figure A3-2. Six isolation protected pipelines interconnect the LPIS with the RCS. These lines interconnect with each of the three hot and three cold legs of the RCS. Based on the number of valves in series and their normal positions, the cold leg injection paths (two series check valves) are the greatest risk contributors. 4.0 COMPARISON BETWEEN CALVERT CLIFFS AND SURRY INTERFACING SYSTEM The residual heat removal system aligned in the low pressure injection mode is the significant interfacing system in terms of overall risk, in both the Calvert Cliffs and Surry plants. However, the dominant f ault contributor for Surry is the failure of the two check valves separating the RCS cold legs from the LPIS, while the dominant contributor for Calvert Cliffs is the failure of two motor operated valves in the shutdown cooling portion of the RHRS from the hot leg of the RCS. The reason for this shift in dominant f ault contributor is due to the f act that the Calvert Cliffs design A3-7
has three check valves and one motor operated valve, in series, separating the LPIS from the cold legs of the RCS. The design of the Calvert Cliffs plant is discussed in detail in Section 2.0. The failure probability is much less for Calvert Cliffs than for Surry due to provisions for annual leak testing of valves (Surry did not have such provisions), increased valve redundancies in the cold leg injection lines , and the placement of relief valves which limit the types of valve failures which would constitute an interfacing system failure. The point estimates for this type of sequence for Calvert Cliffs and Surry are: Q(Interfacing System, Calvert Cliffs) = 8.8 x 10-12 Q(Interfacing Sys tem, Surry) = 4.0 x 10-6 S.0 CALVERT CLIFFS INTERFACING SYSTEMS EVALUATION 5.1 Event Tree Interrelationships The event LPIS valve failure (event V) does not occur on the LOCA or Transient Event Trees. The event tree, shown in Figure A3-3 was developed in the RCS explicitly for this event and applies also to Calvert Cliffs. All four sequences result in core melt; valve rupture is assumed to result in core melt regardless of which other systems operate. The ef fect of the other three systems, electric power, reactor protection, and emergency cooling injection is merely to delay the melt. Electric power (event B) is necessary for the operation of the high pressure injection portion of the emergency coolant injection (event D). Operation of the ECI will delay core melt. A3-8
5.2 Determination of the Calvert Cliffs Interfacing Systems LOCA Failure Probability. Two failure modes have been identified for Calvert Cliffs which result in the sequence V (valve failure). extra-containment LOCA: a) Failure of two motor operated isolation valves in the Shutdown Cooling Line f rom the RCS primary loop hot leg. b) Failure of three check valves and one motor operated valvel in either of four LPSI/HPSI discharge lines. If failure mode "b" were to occur, it would cause a large extra-containment LOCA with the associated consequences. In order for this failure mode to occur, all four of the valves would have to rupture or leak grossly (a gross leak is only important for check valves which may fail to reseat after a flow test). Due to the number of valves in series, the probability of this failure mode occurring is insignificant. In order for failure mode "a" to occur, both of the MOVs in the shutdown cooling line must rupture. The inboard MOV (MOV-001) is assumed to fail first since it is experiencing the full RCS pressure differential. Once the inboard MOV fails, the high RCS pressure differential is transferred to the outboard MOV (MOV-002). If this valve then ruptures, an event V type LOCA would occur. However, if the inboard MOV fails, it is assumed that the operator would be alerted due to the subsequent RCS discharge through the 3/4-inch relief valve. When the operator is aware of the problem, it is assumed that shutdown procedures would commence in order to lit should be noted that the normally closed MOV is tested when the plant is shut down. A3-9
_ _ _ - _ = __ __. - .. i fix the failed inboard valve. The time required 50 shut down is approximated 10 hours. If the outboard valve fails in this time period af ter the first valve f ails, an extra-containment LOCA would occur. j The governing equation for this case is similar to that used in the RSS except for the restriction that the outboard MOV must fail within 10 hours. This equation is t t'+10 Q(event V, failure mode "a") = Al dt A2 d t" o 't '
= 10A12A t where Al and A2 are the rupture failure rates for the inboard and outboard MOVs, respectively (Al=A2 = 1.0 x 10-8/hr). The probability, therefore, for event V on a yearly basis is Q(event V) = 10*(1.0 x 10-8)2 *8760
= 8.8 x 10-12 ,
i A3-10
cue L f to
*" 9 CD3
'o o uo W TC) (OLD J.ooP J xyzyp Al,
's W '*?!,%
% 6%
V&f CD CL M ** - 6 t$ I h , Rl full 8 W&
'D" M'~ :,., ~~3, 6- g,n
'fBfCf" EW r
= m- , o
-24m '
C*l C5 k nov.egs ( HA 27 ] y"" C 36 Cs s W "
"g O
y l I ~* css - _ O mDa r, - H # y' C 3*7 % C65 C 64 e k..n ---
- a. ,
. ;,. ,, n ~~-*
* 'G m Csv At Q En -f><F--ta toop.s S137 Q
-6 W A3
-N-
~
J L go-..s,
" CH
-y C..
- _a,. a' p m
> <> C. 0-
,k, ,, t i >^ !M
"'" c '
Y Ct ak-As O* "PE3h j , y
" E a
~ ~ 2Z l ,,,- C.,
l
--n , y m (
M13 C 40 s s TJT7 mw-gyy gy C## C52% N 6 Ye Cf6
*M T ~
>4-N nw gg3 CSD Cl2 MOV 64% ,"" "' r X ._ k g CO * A' WME NT Af L g
b CV a b MIL 4f 5) CD4 Sting p k2 Co*T eeNmf Art-smer u,w,= , o ;> W4' MD** VISS CRO o l Mllff vnwE 05N
""~" ' ' '
SHuToosJA/ Cool:A/& FROM - S v' k r, PKiMRRY Loof & v'#*E NOV"M Z-HOT LE6 Figure A3-1. Calvert Cliffs Emergency Core Cooling System (shutdown cooling line highlighted)
** *
- SW
/ ts .m s, w'wei
' 6. cens ltces t*** ve - l [ - [$* '7 ./
.,.]
*m N l!I
,' IN ta
- v. e. , l g ;, y
- i**.a Orva vew
'd*7.,, ./ N ' N i //
- smnrsi
, LA t
/ C, N w.e. ow
* ** a 4 I / .
m, o ., lceL.,e riaa / . l 8 r - we p- _ I f* sap ea J'* cio,e _..... . - as as.e . i e8 e sneene.
. ,t lA N
t j.
' :*N fC '/
- w.w.
o gi; w
, , P,eee en,a,.no
.a
- v. p. e'
* '. l ,- F7 pY.es,. ' *
- ;'l I
e 4 ,/ >4- . ic n- /.
- -,,-p ,
/ tPis (Pas r e-re i}
i
,' /. /
,'g?/ 5 V j
,a n@J L r 4 %
' s, n,e m w.w.Se..,eTwe Figure A3-2. Surry LPIS Schematic Diagram LPlS Check Valve EP RPS ECl # SEQ CORE Rupture V B K D 1 V M 2 VD M 3 VK M 4 VB M Figure A3-3. Surry LPIS Valve Rupture Event Tree A3-12
APPENDIX B1 SURVEY AND ANALYSIS EMERGENCY POWER SYSTEM (EPS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
..................................... B1-3 2.0 CALVERT CLIFFS EPS DESCRIPTION . . . . . . . . . . . . . . . . . . . B1-3 2.1 Plant Distribution System Description ....... B1-4 2.2 Emergency Diesel Generator Description ...... B1-7 2.3 System Operation ............................ B1-9 3.0 SURRY EPS DESCRIPTION ............................ Bl-ll' 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY EPS ....... B1-17 5.0 CALVERT CLIFFS SYSTEM EVALUATION ................. B1-18 5.1 Event Tree Interrelationships ............... B1-18 5.2 EPS Model Description ....................... B1-18 5.2.1 EPS Boolean Equations ................ B1-18 5.2.2 EPS Unavailability ................... B1-20 B1-1/-2
I l . e s
1.0 INTRODUCTION
i The Calvert Cliffs Unit 2 Emergency Power System (EPS) was reviewedandcomparedwiththe'simi[arPWRdesign(Surry) e,valu-Oted in the WASH-1400 study. The EPS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report res- ' K .. ; ,; pectively. A comparison of the two emergency power systems;is
~
given in Section 4. EPS event tree interrelationships'are detailed in Section 5. Also included in Section 5 is a description of the , model used to incorporate EPS failures into the Calvert Cliffs
- f.
accident sequences and a point estimate of the EPS unavailability assuming independence from all other Calvert Cliffs systems. 2.0 CALVERT CLIFFS EPS DESCRIPTION The Calvert Cliffs plant electrical systems are designed to
/
provide a continuous supply of power to all essential plant equip- ; ment during normal plant,operStion and under accident conditions. During normal plant operat('o ns electrical power is supplied from the off-site 500 KV transmission systems and the main generators , of Units 1 and 2 via the on-site 500 KV substation. The plant has three emergency diesel generators, each of which is capable ( ).
/-
of supplying sufficient power for the operation of a Unit's- - neered safety features. The diesel generators start automatScally f
/
in the event of a LOCA or loss of auxiliary power to the buses which supply vital loads. nie Calvert Cliffs AC. power system is - t , shown in Figure B1-1. ,j
.e
/
jf , B1-3 'j
) .
'-. ~-,--w, -c .., - , .
2.1 Plant Distribution System Description 1 The Emergency AC Power System for Calvert Cliffs Unit 2 consists of (1) one dedicated diesel generator (DG21), (2) two 4160-volt buses (21, 24) and (3) four 480-volt buses (21A, 21B, 24A, and 24B). Buses 21A and 24A feed redundant engineered safety features as do buses 21B and 24B. The two remaining diesel generators (DG12, DGil) are available to supply emergency power to Unit 1 through interconnecting switchgear. Four unit load centers (21A, 21B, 24A, and 24B) and two motor control centers (MCC204R and MCC214R) which provide power to the Unit engineered safety features are supplied from separate diesel generators through 4160V/480V unit service transformers U-480-21A, U-480-21B, U-480-24A, and U-480-24B. When off-site power is avail-able, the 4160/ Volt ESP buses 21 and 24 are supplied through 13.8 KV/4160V unit service transformers U-4000-ll and U-4000-21 from the on-site 500 KV substation. The 500 KV substation is arranged in a breaker and one-half arrangement and is connected in a ring bus configuration with two main buses and-connections to both of the generators' main power transformers, two plant service transformers (U-13000-1, U-13000-2), and the off-site 500 KV transmission systems. During normal plant operation Units 1 and 2 supply 25 KV and 22 KV respectively to the on-site 500 KV substation through four half capacity transformers (U-25000-11, 12 for Unit 1 aad U-25000-21, 22 for Unit 2). The , 1Section 2.1 is included for completeness. Understanding the material in this section is not necessary to understand the EPS reliability model. The reader may wish to skip Section 2.2. B1-4
switchyard 500 KV power circuit breakers, the circuits from the cwitchyard to the generator main transformers and plant service transformers and the outgoing lines are provided with disconnect switches or isolating links to permit isolating any power circuit breaker or any circuit from the switchyard. Primary and backup zone relaying is provided for the circuit from the switchyard to the generator main power transformers and for the two switchyard main buses. The 125-volt DC and 120-volt vital AC systems for the plant are divided into four independent and isolated channels. Each channel consists of one battery, two battery chargers, one DC bus, multiple DC unit control panels, and two inverters. Each inverter has an associated vital AC distribution panelboard. Power to the DC bus, DC unit control panels, and inverters is supplied by the otation batteries and/or the battery chargers. Each battery charger can recharge a discharged battery while still supplying the steady state power requirements of the system. The 125-volt DC buses 11 and 22 are part of load group A and buses 12 and 21 are part of load group B. Buses 11 and 21 supply control power for equipment associated with load groups A and B, respectively, for Units 1 and 2. Buses 12 and 22 supply power to the computer inverters, diesel generator 12 control circuits, emergency light-ing, and two channels of the 120-volt vital AC system. The 120-volt vital AC system for each Unit has four separate distribution panelboards. These panelboards supply power to four reactor protection system channels and four engineered safety fea-tures actuation system channels. Each panelboard is supplied by B1-5
an inverter with its own DC feeder and each pair of inverters per channel is supplied by a separate battery. Each inverter can be manually bypassed and its distribution panelboard supplied from the 120-volt AC inverter backup bus which is fed from an engineered safety features motor control center through a regulating transformer. Each of the four 125 VDC emergency power sources is equipped with the following instrumentation in the control room to enable continual operator assessment of emergency power source condition.
- 1. DC bus undervoltage alarm
- 2. Battery current indication
- 3. Charger current indication
- 4. Charger malfunction alarm (including input AC undervoltage, output DC undervoltage and output DC overvoltage)
- 5. DC bus voltage indication
- 6. DC ground indication The 250 VDC systems are ungrounded and are equipped with ground detectors.
The 125V DC and 120V AC, shown in Figure B1-2, supplies power to various plant backup lube and seal oil emergency pumps in the event of loss of auxiliary AC power or failure of the normal AC pumps. No other engineered safety feature loads are supplied by this system. The system consists of one motor control center, two battery chargers and one battery. The battery chargers are sized such that in combination they are capable of supplying the continuous load of the largest motor. Each battery charger B1-6
is fed from separate engineered safety features 480-volt load centers (one from each Unit). The system is ungrounded and equipped with ground detectors. Charger current and bus voltage are displayed in the control room with annunciation for bus and charger undervoltage. This system supplies 120/208-volt power to all plant instru-mentation other than supplied from the DC and the vital AC systems. The system is divided into two separate panelboard sections. Each section is supplied by a single 3-phase transformer connected to an engineered safety features motor control center. In the event of loss of normal auxiliary power, the transformers are energized by the diesel generators. A manually operated bus tie switch is pro-vided between the two sections. 2.2 Emergency Diesel Generator Description Diesel generators supply emergency 4160-volt, 3-phase, 60 Hz power directly to the 4160-volt engineered safety features buses. The genertors are designed to reach rated speed and voltage and start to accept loads within 10 seconds after receipt of the start signal. Three diesel generators, designated as DGil, DG12, and DG21, are provided for the plant. Generators 11 and 21 normally supply power to Unit 1 and 2 ESF buses 11 and 24, respectively. Generator 12 normally supplies power to ESF buses 14 and 21. Provisions are included for automatic start and load sequencing. Each diesel generator is rated to deliver power as follows: 2500 KW - Annual 2700 KW - 2000 hours 3000 KW - w00 hours B1-7
The three diesel generators share a starting air supply system which includes two redundant subsystems. There are two redundant air supply headers to which the two redundant air receivers per diesel generator are connected. Each diesel gen-erator includes one electric motor drive air compressor and diesel generator 12 is additionally equipped with an engine driven compressor. Each diesel generator is also equipped with a standby warming system which automatically maintains the engine cooling water and lubricating oil temperature at satisfactory levels. The diesel generators receive cooling from the Service Water System. Each diesel generator is equipped with a 485-gallon day tank. Transfer of fuel oil from the storage tanks to the day tanks is accomplished by 10 gpm rated fuel transfer pumps, one each per diesel. At this rate, the day tank will allow 119 minutes of operation before transfer of fuel is necessary. The total capacity of the two storage tanks is 250,000-gallons allowing 18.3 days of operation for the three diesel generators at 3000 KW load each. The outdoor storage tanks (each of 125,000-gallon capacity) are redundant and independent. Redundant diesel supply headers interconnect the two tanks and manual valves are positioned such that normally each tank supplies a different header. Through manual valves located in the auxiliary building, each diesel generator has the capability to obtain fuel from either of the redundant tanks through the redundant headers. A failure of one tank will not result in failure of the redundant tank. B1-8
The 125-volt DC control power for diesel generator 11 is supplied by battery #11. Diesel generator #11 is a part of and supplies power to load group A. Battery #11 is also a component of load group A. Diesel generator 21 is supplied by battery 21 both of which are components of load group B. Diesel generator 12 obtains control power from either battery 12 or 22 by manual transfer. Equipment is provided in the control room for each gener-ator, for remote manual starting, remote stopping, remote synch-ronization, governor and voltage regulation, governor and voltage I droop selection and automatic or manual regulator selection. Equipment is provided locally at each diesel generator for re-stricted manual starting in case of control room emergency, man-l ual starting during routine diesel generator testing or mainte-I nance, manual stopping, governor and voltage regulation, automatic or manual regulator selection, exciter field removal and reset, and remote and automatic or local manual control selection. 2.3 System Operation During normal plant operation both plant service trans-formers are energized from the 500 KV substation and share the total auxiliary load with the bus tie between service buses 11 l and 21 open. The 4160-volt buses receive off-site power from the 13.8 KV system through the unit service transformers. The diesel generators are started by either loss of 4160-volt bus voltage or by the Safety Injection Actuation System (SIAS) . In the event of an SIAS signal, actual transfer to the bus is not made until the preferred source of power (off-site) is actually B1-9
lost. When a LOCA occurs, control logic identifies the 4160-volt ESF buses for the unit having the LOCA, sheds all sequenced loads and assigns two of the three diesel generators to supply these buses. During normal operation diesel generator 11 is preselected for connection to ESP bus 11 of Unit 1 and diesel generator 21 is assigned to ESF bus 21 of Unit 2. Diesel gen-erator 12 is setup for supplying either ESF bus 14 of Unit 1 or ESF bus 24 of Unit 2 and will be connected to the ESF bus of the Unit having the LOCA. During LOCA conditions accompanied by simultaneous loss of preferred power, the LOCA sequencers will start automatically to load sequentially the diesel generators. Similarly, the shut-down sequencer for the nonaccident unit will start automatically. The LOCA sequencers initially block the SIAS and the CSAS to the equipment to be sequenced and then unblock in programmed steps. Refer to Table B1-1 for a list of which components are powered from which emergency diesel. Each diesel generator is equipped with various local and con-trol room alarms. Electrical instruments are provided in the control room and at the diesel generator for surveillance of generator. volt-age, frequency, power and reactive volt-amperes. Reverse power, loss of field and underfrequency protection are provided but are made permissive to trip only upon diesel generator synchroniza-tion to the normal auxiliary power supply. Protective devices which function to shutdown the diesel generator and are retained during SIAS include the following: B1-10
O
- 1. Overspeed
- 2. Crankchse pressure high
- 3. Lube-oil pressure low
- 4. Generator differential overcurrent
- 5. Generator ground overcurrent These devices prevent a rapid destruction of the diesel generator and are therefore the only shutdown functions permitted during SIAS. Both pressure shutdown functions initiate upon coincidence of two out of three to provide additional reliability. Each de-vice when actuated initiates an annunciator in the control room.
The service water system removes the heat from the diesel generator heat exchangers. After operating at full load with a jacket temperature of 185*F, the diesel can continue to operate I for one minute without service water cooling before the jacket I temperature reaches 200-205*F and the diesel is automatically shut down. With an initial jacket temperature of 140-145'F, the diesel generator can operate three minutes before tripping. In order to ensure a source of AC power to the diesel generator auxiliaries, separate transferable motor control centers are pro-vided for each diesel generator. Each motor control center sup-plies the engine room ventilation fan, fuel oil transfer pump, engine standby warming systems, and air compressor. The position of diesel generator 4 KV isolating disconnect switches determines which supply feeds the motor control centers. 3.0 SURRY EPS DESCRIPTION The Surry EPS is configured to provide continuous AC power to the Engineered Safety Features (ESF) 4160-volt buses (lH and 1J) in the event of a LOCA. A simplified block diagram and B1-ll
single line diagram are shown on Figures B1-3, B1-4, and B1-5, I respectively. The ESF buses support 480-volt AC emergency buses providing power for a battery charger element of the battery / direct current and static AC inverter vital buses. Dual vital bus systems are cross connected (using regulating transformers) t to the 480-volt emergency buses. The DC and AC vital buses per-mit orderly control of the reactor during momentary 4160-volt AC interruptions. The source of emergency AC power for Surry consists of a dedicated diesel generator (one for each of two Surry Units) and a backup diesel generator shared by the two Surry Units. The dedicated and shared diesels go on line direct to the 4160-volt ESF buses of the affected unit in the event of a LOCA/ESF demand. The emergency power distribution system consists of two redundant, and basically independent trains, Trains A and B. Each train consists of a DC network and an AC network. Train A con-sists of AC buses which include the letter "H" in their designation and DC buses with the letter "A" in their designation. Train B consists of AC buses with the letter "J" in their designation and DC buses with the letter "B". The train alignment of the buses is as follows: Train A Train B 4160 V bus lH 4160 V bus lJ 480 V bus lH 480 V bus lJ 480 V MCC lH1-1 480 V MCC lJ1-1 480 V MCC lH1-2 480 V MCC lJ1-2 125 V DC Dist. 125 V DC Dist. Cabinet lA Cabinet 1B B1-12
(a) 4160V Buses - The 4160-volt buses lH and lJ are the sources of AC power for Train A and B respectively. Thus, if either of these buses is lost, all AC power to its as-sociated train is also lost. Because of the importance of continuity of service, both these buses are provided with two sources of power: the off-site power source (the pre-ferred source), and the on-site power source (the standby source provided by the diesel generator). In the event of trouble on the preferred source, the emergency source will start automatically and provide power to the affected 4160-volt bus. Each bus has a capacity of 3000 amperes.and serves directly the ESF motors that are rated above 300 HP, and distributes power to the lower rated ESF loads via a station s'ervice transformer. These 4160-volt buses are normally isolated from each other; however, this isolation can be violated at cubicle 15H1 on 4160-volt bus 1H. This violation occurs when a normally removed bus tie breaker is inserted in the empty cubicle 15H1 and the tie breaker is closed. Such deliberate actions occur only for special maintenance conditions and would not, in themselves, cause the loss of 4160-volt power; however, the inde-pendence of the-AC power distribution system would be compromised. (b) 480V Load Centers - The 480-volt emergency load center buses lH and lJ are fed from 4160-volt buses 1H and IJ via 4160-480-volt station service transform-ers lH and lJ, respectively. These buses are the main B1-13
sources of power for the 480-volt trains; therefore, if either of these buses is lost, all-ado-volt power to its associated train is also lost. These buses, like the 4160-volt buses, are equipped with drawout type circuit breakers, and serve directly several large ESF motors, and distribute power to the 480-volt motor control centers. (c) 480V Motor Control Centers (MCC) - Motor control centers MCC lH1-1 and MCC lJ1-1 are energized by 480-volt buses lH and lJ respectively. These MCCs provide power to motors much smaller than those served by 480-volt buses lH and lJ, including auxiliary components associated with the larger loads served by 4160 and 480-volt buses lH and lJ. Typical of the auxiliary loads served by these buses are cooling water pumps for the charging pumps and several valves associated with safety injection. In addition, each MCC distrib-utes primary power to a 125-volt DC cabinet via two feeders, which serve two battery chargers, and to a i 480-120-volt transformer to serve two 120-volt vital buses. Because the MCCs serve the relatively small 480-volt loads, they are equipped with combination starters (i.e., molded case breakers plus magnetic contractors) rather than with the larger drawout type l circuit breakers. The combination starters provide overload protection by the contractors and short cir-cuit protection by the circuit breakers. Motor control l B1-14 l l
centers MCC 1H1-2 and lJ1-2 are essentially similar to MCC lH1-1 and lJ1-1. That is, they are energized by 480-volt buses lH and lJ, respectively , and distribute power via combination starters to the remaining 480-volt . ESF loads. In other words, all the supporting 480-volt ESP loads are supplied by the combined distribution net-works of MCC IH1-1 and lH1-2 (Train A auxiliary loads), or lJ1-1 and lJ1-2 (Train B auxiliary loads) . (d) 125VDC System - The main power to the 125-volt DC Distribution Cabinets lA and 1B is normally supplied from the AC power source by four battery chargers, two for each cabinet. The alignment of service is such that the two battery chargers that supply Cabinet 1B are served by MCC lJ1-1 (Train B). Under normal con-ditions, the DC loads are actually served by the AC sy s tems , and the batteries which are connected to these buses are on floating charge. Upon the loss of AC power, these DC buses are energized from their respective batteries, lA or 1B. The DC buses provide control and primary power to several ESF loads, including control power to operate the circuit breakers on 4160 and 480-volt buses lH and lJ, and operating power for several solenoid valves and two 120-volt vital buses via inverters. These buses are normally isolated from each other; however, this isola-tion can be bypassed by the closing of a normally open bus tie breaker which places these two buses in parallel. B1-15
I I l I I l This bus. tie breaker can only be closed manually and is I f under administrative control to permit the sharing of l load between buses during certain maintenance conditions such as repair or replacement of a battery charger. (e) Protective Systems - The EPS is provided with (1) automatic protective devices including differential re-lays to protect major equipment such as the diesel gen-erator and transformers, (2) undervoltage relays to ensure continuity of service by tripping the preferred r source of power upon a low voltage condition, start the diesel generator, and transfer the load to the diesel generator, (3) instantaneous overcurrent relays to pro-tect against short circuits, (4) and time delay relays (actually inverse time elements wherein the time to trip is inversaly prcportional to the fault current) to protect against equipment malfunctions such as a locked rotor condition or excess friction. The trip settings of the overcurrent relays are coordinated to minimize the effect of any failure of the overall power system. In other words, the breaker that feeds a faulted circuit would be the'first to trip, thereby confining the loss of power to the affected feeder. Indicating devices in the form of alarms and annuncia-l tors are also provided. Thus, if the automatic devices should fail, the operator may be able to take approp-riate action via the manual control devices located at the control room or at the breaker panels. B1-16
4.0 COMPARISON OF CALVERT CLIFFS AND SURRY EPS A comparison of the Calvert Cliffs and Surry designs produces the following characteristics: (1) The Calvert Cliffs systems below the 4160-volt ESF buses do not differ significantly from the Surry systems. (2) The Calvert Cliffs design employs load sequencers to se-quentially load its diesel generators over a 30 second period after startup. This results in a significantly lower inrush loading on the Calvert Cliffs diesel generators than that for Surry which does not sequentially load its generators after startup. (3) The Surry plant employs three diesel generators with one generator dedicated to each of two units and the third generator serving as a backup generator shared by Units 1 and 2. Calvert Cliffs also employs three generators. However, in the event of a LOCA concurrent with loss of off-site power any two of the three generators may be connected to the unit having the LOCA and the remaining generator used to provide the necessary power for safe shutdown of the nonaccident affected unit. This feature provides more flexibility for providing emergency AC power to both units in the event of failure of one of the diesel generators since a single generator is capable of supplying all the emergency power requirements for one unit. (4) Surry 's diesel generators do not require jacket cooling while Calvert Cliffs do. (5) The median estimate of insufficient power at LOCA as determined by the RSS for Surry is 1.0 x 10-5 This number includes failure of Surry 's EPS and the probability of a loss of B1-17
l off-site power at the time of the LOCA. The similar value for Calvert Cliffs would be (4.7 x 10-3, failure of both emergency diesels) x (1.0 x 10-3, Lop at LOCA) = 4.7 x 10-6, a factor of two lower than Surry. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The Calvert Cliffs' EPS was not modeled as a single event tree event since it was explicitly included in the Boolean models developed for each power dependent system. Failure of an EPS division is defined as failure of the associated diesel to pro-vide power when off-site power is lost. Loss of off-site power is the initiating event for the T1 accident sequences. Offsite power is assumed available during T2 and T3 accident sequences. Offsite power is also assumed available after LOCAs since the initiating probability times the probability of an induced LOP was smaller than the 10-7 low probability sequence cutof f discussed in Chapter 4. 5.2 EPS Model Description 5.2.1 EPS Boolean Equations Two Boolean equations were developed to model the EPS; one for each diesel generator. These equations are: D12 = D12ST + BAT 12 BAT 22 + SW12DGTl* SW21DGT1 + BATCM D21 = D21ST + BAT 21 + SW22DGT1 + BATCM B1-18
The terms D12ST and D21ST represent diesel unavailability due to maintenance and start failures for diesels #12 and #21, respectively. An RSS value of 3.0 x 10-2 was used as the start failure probability. A typical mean outage time for diesels due to maintenance is 21 hours. The average maintenance frequency used in the RSS was .22 acts per month. Therefore, O diesel maintenance
= 21 x .22 =.6.4 x 10-3 720 Using this maintenance unavailability and the RSS start failure num-ber gives 3.6 x 10-2 as the D12ST and D21:'T term unavailabilities.
The terms BAT 12, BAT 22, and BAT 21 represent battery failure on demand of batteries 12, 22, and 21. The batteries are required for field flashing and control of the diesel generators. Battery 12 or 22 can supply diesel 12. An RSS value of 1.0 x 10-3 was used for this failure. The terms SW12DGT1, SW21DGT1, and SW22DGT1 represent failures of the cooling water trains which cool the diesel jackets. A diesel can operate for approximately three minutes without jacket cooling. Service water train #12 or #21 can sup-ply diesel #12. These terms are discussed in more detail in
-2 Appendix B14 and were assessed at 3.2 x 10 each.
One common mode failure was attributed to the Calvert Cliffs' EPS. The term BATCM represents a failure of batteries 12, 21, and 22, simultaneously, from degradation due to common mode failure (e.g., incorrect charging levels). Based on a recent DC power study (Reference 3) and assuming a strong coupling between batteries, this common mode failure was assessed at
~4 4.0 x 10 . (Refer to Appendix B2.)
B1-19
5.2.2 EPS Unavailability Adding the contributors listed in the last section yields
-2 D12 = 4.0 x 10 and D21 = 6.9 x 10-2 The Boolean equations and unavailabilities described above were inputed into the models for all power dependent sy stems . The reader should be cautioned that these are unavailabilities of Calvert Cliffs' EPS if it is considered independent of all other sy st ems . In general, the EPS (diesel) unavailabilities will depend on what other system successes or failures have occurred.
B1-20
Table B1-1. Emergency Diesel Generator Loads During a Loss of Offsite Power Components Powered Components Powered by Diesel #12 by Diesel #21 Motor Operated Valves Motor Operated Valves MOV-615 MOV-616 MOV-617 MOV-626 MOV-625 MOV-635 MOV-627 MOV-636 MOV-637 MOV-645 MOV-647 MOV-646 MOV-656 MOV-4071 MOV-4070 MOV-4145 MOV-4144 MOV-5251 MOV-5250 Pumps Pumps Low Pressure #21 (LP21) Low Pressure #22 (LP22) Containment Spray #21 (CS21) Containment Spray #22 (CS22) Iligh Pressure #21 (llP21) High Pressure #23 (HP23) Component Cooling Water #21 (CC21) Component Cooling Water #22 (CC22) Ssrvice Water #21 (SW21) Service Water #22 (SW22) Salt Water #21 (S21) Salt Water #22 (S22) Containment Coolers #21 and #22 Containment Coolers #23 and #24 B1-21
.. - _ _=._m- ._
l..=. ... .e .e ... ne v av en a l, .g' ::,, I e..ev ** saws -ar~~-* i N.3 . ro vaar teaos I i)' s 1 I ,,'p..- 3 L__ > Jo *Ms ered'* NO
]
,t I, y,44y,
- o. a > >. .. I
<. r* J .
s 4 . ,. - ,, ,,.. ,
~. au. eau.-j v m.
, , , , _ 1,t <: - . . . . . . . . a
'* s l ,* *!&.* 5* s en 3 J!
lj' ' - r> ~. . ous as,u .<-ara
~ -- t u a -r.< ,
g ','W**"** n
<=
- tl ...~..n
,,)), .,
,L~ -
t- e n - re-s*** easr*,a ~-~ L
,,,a- j l
.g
- r., s : , ,,, ,. . ,,
E L D G.o2 tu W ar au
\ N
. a, a ,<> e ,_ -. r. av u n.s, l ,s 3
e n-. N&O r *d.tt.
,",,.,,,.,,,,L
,/ \
s
=
';s ov <r >r. :.va.z,w y '"* 'l,"l,* \ j u 3 k,,,~, ,,j \t
'r .e e,.
usun . rser
.,2 r.< aov sn u e m ovs.,rg,
--i ,. .n .,a . ., ower2 u--
aseo ..m re o.-r era n.,e
)l os**/sona, Jane *a r
- -ra
.) !t - r,er a,s ,,.s< ****
g M. ,. n. av raas,'a u n
" **'** it s a., Q-
, ~ , . ~ , . - l a i-a
.. . a. ~ ,, f Figure B1-1. Calvert Cliffs AC Power System
.._r __..r
... ,.s a : == = e- .- =-- . = scw :. _ =-
1 1 1 _.-c .
-.. --= 1 1 1
, 1, w_ -
== - _
.--..= . = ez.. .n. . m.
m.: :=- ,e;_
-- 4, .a..-
cc
-- o ,ew. ,_- --
4. av.. A _- .- -- TTW
--TTT T s .s
>4 T 3 T -- T2T 3, 3 .! 3 dr
/
.==
4::
/.t.
4
/
,/ . .t . . /. .
~-
i.t..-l7.1y. i.l,i yid':2 i if,4 l i.l.
. A,, q. i.1 if i.
i..M. i.q[.,._ a it g1.h 7.. I .._. Ey
. h 27
.. y 1
w - 1 3.s. - , 3
= _ .:... y
.5 u...
n
= := -- -
g;:,g r ,_ l w..r:..=. m .=:. :.
. ~
k1
.... .. .: r_
=
. #y; k d, .g.g:, . u :
. 5.Er.h-
_ =.= . . rc3 . l!i.hJ i . . . ... _._, _. - _- ~ _ f f, = f 1 l. 1
.=. . . =. 1
._- . = . .= .f- .
. . . .. = .. .. .=... . =_ . = .
=
.:- L .1 ..
== . L ._ .. . . _ .,
E+.:- 2:E=- C ~- E :- [E=~ f] 5=- E+=- E.h-- 5=- w e i N - 4.4
' ..f . , .'f
'f . . .
'f
'f f ., . . - . . ' . .f 'f '.f ,.'.f 'f Iw m= L m Y ,.. e. N e. L s. -~
rl ,,4m i :P F ,~* F :r" 1 :.-- F C-. =
=_- - - ~
- = -. - :. : ==-- ::=~ = =:.--
Figure Bl-2. Calvert Cliffs Single Line Diagram, Vital 120V AC & 125V DC, Emergency 250V DC
. . ~ . .
Team O Tee n A 730 kV We4 B* 500 kV $.pcmyerd Boese Avte Tereisem 27 tv 27 t v Ts 80s 5,sie* * ' To Unes 1 g ,, BOP Evnem 34 6 4V But S 34 $ kV Sm & Me.n Co weeise aA .a Gews, Ums 1 Unos2 Reweve $uien Aewee $iesen f earsterwoe f eeWoemee R $$ A RSS C a160 V 4160 Vom 4160 Vem T eoWee T rewe See O son f i 1e Una 2 Syneen 41501JSm 41601M two TeVan -' 21rsion If jf Q Te se.e. e t ,- , Po-, sve== De=1Ger=rene DG3 Dews Cc=ses DG 1 Figure B1-3 Simplified Surry Emergency Power Block Diagram Bi-24 i
SCO SCO 2 2304 L202 aTM2 102 21 52 2A02 a302 S y3 a 20 k k MT2 #
.. u ?l .,gi 2 2Tqu22372 3 t ,. ......
GT172 E- 1[]G11240EE c,,02 f L L] E [] L E t_ E] ==2 g t2. 2t?.. 2c?.2Ar & 20,_ . ,2,. ~~ , , . , =
-. ,c...
.. - - c... ~ ~...
c~ .. v~ $ VV "" Mv 22 a12 uti Lt:2 uS5 u 54 m2? []t122 35 'S 16 _. . . . >- s.m. u.. . cin > g.. .mcum
. . . 31", . ~~ nia. .y . niac 11.., M V ' uu 2i **
- ia y .2 'c,,,. Q- )8
, ,,, ,, , ) i s 2 is
,o y
.isoi.)is.2 ss.yn.
i
,,,, ).t ium.2, *y)'5c2
.isoic 5!.=s ic cis.
n,',' r, =ci t_2
,, ; 23,,
i,I L_e_ , , ,
-. ' L_^ ,,., .
- 3. ,
'L L,^ m, !
~< I. ,,
~< l) a-. =
~<l na i. in ti en. , ne i. ie ri n c. . c 2, <r- c " a
... uisiv. .usi ns. )
.u ..0-n
.) .... -isiv. .usi l
') f isab l)b- ,$ d his , u,,'3) l I ')iwa f cis. )
I) { l Ifkf
"' en 5t ci. - l ""5 l ,r- cia <r c"^ at run e v *i60 1 mv 5$TRANSIJ q 9 , gggn,qsgg 0,"f's 'y - c2a o.
a'~'
O II C'p' iu, . . .
3IM 94 4 04J10 9.H,0
. ) 1.M6 l) l ca. u- <- c2 [
IL l NL ht SL t.s 1 6 <m C. A WCCtJ1? UCc 1 12 h6 SL EL NL A B (Sh 2) (Sh 2) Pigure B1 J . Surry Single Line EPS Diagram 4 B1-25
A 6 , 3 A C
,A A
8 C e 2 A
) ] y
) l
[ 4 t A y m)l ** A
)[
S m
- l 1
7 A A .
- A A A
) > - S C
- 1 7 C .
B C m- ) t n
)
I" 1' o c _ ( E 'E 1-1
"" ,A m
a H c r S t o g C C A 0 1 t A - I-a p s A i t s-s . D n i i i ') i ? ' i s-e. i.
- v. .
e i c. a L(s L S 6 i.- i 7 P v E A L s * )l- - , ! l
,5' A
)[') it u e
- 9 A m n
- l A
i g L e l e l A.
. g
., n 1
> i 8 ^ > S y
i r r C u 7 A O x9 8 S 6 9 , ? mC I 8
.L
- 8 ri i
l S
) >
iN L 5 yV e o t l i s i g t s -
, 1 8 B i . 1 s . ) ) s .
t B t 1 i k(s n s, .' l y v e 1 i
- r u
1 - l-J 1 g C s i C M i F rL 's c o
)
L " iN A 5 8
) ) .
e " 7 5 C 8 7 4 C .
- C t 8 - C l' - S f, p y
4
)[
)
3 B Nr , 7 S
)
l s
- i. m S
B . S 6 . C C m y
APPENDIX B2 SURVEY AND ANALYSIS DC POWER SYSTEM (DCPS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS PAGE SECTION
1.0 INTRODUCTION
..................................... B2-3 2.0 CALVERT CLIFFS DCPS DESCRIPTION .................. B2-3 2.1 System Description .......................... B2-3 2.2 System Operation ............................ B2-5 3.0 SURRY DCPS DESCRIPTION ........................... B2-6 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY DCPS....... B2-8 5.0 CALVERT CLIFFS SYSTEM EVALUATION ................. B2-9 5.1 Event Tree Interrelationships ............... B2-9 5.2 DCPS Unavailability.......................... B2-10 B2-1/-2
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 DC Power System (DCPS) was re-viewed and compared with the similar PWR design (Surry) evaluated in the WASit-1400 study. The system designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report, re-spectively._ A comparison of the two systems is given in Section
- 4. DCPS event tree interrelationships are detailed in Section
- 5. Also included in Section 5 is an estimate of the DCPS unavail-ability.
2.0 CALVERT CLIFFS DCPS DESCRIPTION The DCPS for the Calvert C]iffs' plant (Units 1 and 2) con-sists of a 125 VDC system and a 250 VDC system. The 125 VDC sys-tem supplies power to DC unit control panels and 120 VAC inverters. The 250 VDC system supplies power to plant backup lube oil and seal oil emergency pumps in case of loss of auxiliary AC power or fail-ure of the normal AC pumps. 2.1 System Description The 125 VDC system for the plant consists of four independent and isolated channels. Each channel includes one 125-volt battery, two battery chargers, one DC bus, multiple unit control panels, and two 120 VAC inverters (see Figure B2-1). Each battery charger is designed to be capable of recharging a discharged battery while at the same time supplying required steady state power requirements. The battery chargers are energized by 480-volt unit buses and, for each battery, one charger is fed from Unit 1 and the other charger is fed from Unit 2. B2-3
l I
'The plant is divided into two independent load groups; i.e.,
load group A and load group B. The 125 VDC buses for the plant include Unit 1 DC buses 11 and 12 and Unit 2 DC buses 21 and 22. The 125-volt DC bus 11 supplies equipment associated with load 4 group A for both Units and the 125-volt DC bus 21 supplies-equip-ment associated with load group B for both Units. .DC buses 12 i and 22 each supply power to the plant computer inverters, diesel generator 12 control circuits, emergency lighting, and two chan-nels of the 120-volt vital AC system. A single 120-volt vital AC system is provided for each Unit. This system includes four separate distribution panel boards which
- supply power to the four reactor protection system channels and the four engineered safety features actuation system channels.
Each panel board is supplied by an-inverter with its own DC feeder and each pair of inverters per channel is supplied by a separate battery. Each inverter can be manually bypassed and its distri-bution panel board supplied from the 120 VAC inverter backup bus which is fed from an engineered safety features motor control center through a regulating transformer. Both the 125-VDC system and the 120 VAC system are ungrounded and equipped with ground ! detectors. Each of the 125 VDC emergency power sources is equipped with the following instrumentation in the control room: (1) DC bus undervoltage alarm (2) Battery current indication (3) Charger current indication B2-4
( (4) Charger malfunction alarm (a) input AC undervoltage (b) output DC undervoltage (c) output DC overvoltage (5) DC bus voltage indication t (6) DC ground indication The 250 DC system is designed to supply power to plant back-up lube oil and seal oil emergency pumps in the event of loss of auxiliary AC power or failure of the normal AC pumps. There are no loads connected to this system that are related to the func-tioning of engineered safety features. The 250 VDC emergency pump system for the plant includes one motor control center, two battery chargers, and one 250-volt l battery. Each battery charger is fed from a separate 480-volt load center (one from Unit 1 and one from Unit 2). The 250 VDC system is ungrounded and equipped with ground detectors. DC bus undervoltage and battery charger undervoltage are annunciated in the control room. 2.2 System Operation During normal plant operation, all battery chargers are i energized by the 480-volt unit load centers. The chargers main-l tain a constant voltage to (1) supply the batteries with suffi-cient current to keep them fully charged and (2) maintain the-steady state loads of the DC instrumentation, control circuits and inverters. B2-5
l
,3 In the event of loss of auxiliary system power, the bat-teries will continue to supply the required DC and vital.AC equip-ment loads for up to eight hours without support from the battery chargers. When AC power is.available from the diesel generators, which obtain power for startup, monitoring, control and protection ,
f rom the 125-VDC systeg, the battery charg ars will be re-energized andresumenormaloheration. During normal operation, both ba't ery chargers are energized by the 480-volt unit load centers. The chargers maintain a con-stant voltage to keep the battery fully charged. In the event of loss of auxiliary system power or failure of a normal AC pump, the battery will supply the necessary power for backup pump operation. When AC power is available the battery chargers will be manually re-energized and resume normal operation. 3.0 SURRY DCPS DESCRIPTIONf. The Surry plant design incorporates two class lE safety re-I lated DC power supply systems plus a series of locally situated self containe'd battery-powered emergency lighting units for re-mote areas. A separate ' independent 125-volt DC power supply system, composed of a battery charger, battery and distribution system is associated with each of the three diesel generator emergency on-site power generation units. This critical system provides power for start-up, monitoring, protection, and control of the on-site emergency AC powcr system.
+
5 6 TB2-6
The second safety related system is the 125-volt DC vital power system, shown in Figure B2-2, which is composed of two iden-tical redundant service channels for each nuclear unit, each chan-nel containing a battery, two parallel static battery chargers, ungcounded distribution bus and cabling to the remote DC loads. Each channel supplies 125-volt DC power for high voltage switch-gear control, turbine bearing and seal oil pump motors, and sole-noid valve operating power during normal plant power operation. During loss of AC power emergency operation, the pump motor loads are shed and the system supplies uninterrupted battery power for the high voltage switchgear and solenoid valves and picks up emergency lighting for the reactor containment, turbine room and other selected building areas and provides power to the vital in-verters for supplying critical AC reactor protection and instru-mentation loads to the associated nuclear unit. The two vital DC channels for each nuclear unit are physi-cally and electrically independent from the battery to each of the remote AC and DC load points. Vital safety loads are redundant on each channel and a manually controlled tie breaker provides a load sharing capability between the DC buses. During normal operation the 125-volt DC load for each channel is fed from the battery chargers, powered by the 480-volt AC emergency buses, with the batteries floating on the system. Upon loss of off-site AC power, the batteries automatically pick up the connected load. The batteries are designed for two hour continuous operation and successful operation of any one of the two redundant vital 125-volt DC systems will insure safe shutdown of the associated B2-7
l l nuclear unit with no accompanying accident or auxiliary feed-water system failure. Because of the plant diesel generator sharing design, recovery of AC power by the emergency diesel generators requires successful operation of two of the three diesel generator 125-volt DC power supply systems for either single unit or total plant AC supply. Both safety related DC systems are fully monitored with voltmoters, ammeters, and ground detectors and protected by fuses and circuit breakers which are appropriately displayed and alarmed in the main control room. A program of regular inspection and test of all batteries is in effect and auto-matic starting and loading of the emergency generators is periodically tested which exercise the related DC power supply. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY DCPS Two major design differences between the Calvert Cliffs and Surry DC power systems were disclosed in this analysis. (1) Calvert Cliffs incorporates inter-unit load sharing in its design while Surry employs two separate and redundant service channels for each unit. (2) Surry employs a separate and independent DC power supply consisting of a battery charger, battery and distri-bution system for startup and control of each of the three emergency diesel generators. Calvert Cliffs employs its vital DCPS for this function. Based on the technique used for estimating DC system un-availability in the RSS, the Calvert Cliffs and Surry DCPS have B2-8
P a similar unavailability estimate. However, a recent San'dia '~ National Laboratory DC power system (Reference 3) study iden-tified DC common mode failures not previously identified in the RSS. For example, th9 miscalibration of the battery charger charging rates which causes the batteries to degrade and fail upon dsmand following a loss of offsite power was found to have common mode potential. This common mode was judged to be applicable to the Calvert Cliffs emergency on-site power control 125-volt DC cubsystem. The unavailability estimate for this subsystem is greater than two orders of magnitude higher than would have been estimated using the RSS method. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships From an accident viewpoint, the most important function of the DCPS is the startup and control of the diesel generators when off-site power has been lost. The DCPS is also needed for emergency instrumentation and control. Failure of a DCPS ESF division is defined as failure of the division to startup and control its associated diesel generator or failure to supply DC power to DC defendent systems. The DCPS does not appear as an explicit event on the event trees. Instead, the DCPS was incorporated into the Boolean equations developed for the emergency power system. The DCPS is, therefore, only required after loss of off-site power sequences. For all other cases, AC and DC power is assumed to be available. B2-9
5.2 DCPS Unavailability The dominant contributor to DCPS division failure was ESF battery failure on demand after a loss of off-site power. The Boolean terms BAT 12, BAT 21, and BAT 22 have been used to depict the demand failures of ESF batteries #12, #21, and #22, respec-tively. The RSS value of 1.0 x 10-3/ demand was used for this type of failure. One common mode failure of the DCPS was identified. A recent Sandia Laboratory study (Reference 13) identified a fail-ure of all batteries due to the miscalibration of the battery charger charging rate which causes the batteries to degrade and fail upon demand. This common mode was found to be applicable to Calvert Cliffs. The term used in Appendix Bl to depict this failure is BATCM and a 4.0 x 10-4 failure probability was used in the accident sequence analysis. B2-10
=c. :. :e :.= serr :. : = :-
1
- p= a -- -.
m 1 1 = 1..: J_
- 1. ._._.
4 -,=.--.1=c:.r=:: . s
= - .,
v,z.- _._ _ =_
=- = =- -
== == . r.. s_ _ ., - .
TTT d T T '~? sT _. s . 4
- _,a=
m Tr__i6 < <_. T < < ... < .
~T >6
- s. . ... s . ? s. s.
di AAi)AsTe A$h i- . AA T AA 1 s _. u.
, R-s i di
;_.=
#$l$lfd T=T=Im i
e l... T e W "." W .;
- .. P. W
. .. - - - - - = . -
- O*'.**.!*****~* . . . . . . .
*::' ' ** '. *. . .. . = ~ ;...' ;~ *: ~ ~ '
L I
- :.- :=..
ll .
" . . " *" "" ..*. .~. .~ . f, ,; a,
.. . b' 'f)f,"y N f{f". =,A,'.4=
t- .:;*"."."."'-.- 8 - -- - h lMml lu! il. g
-= .: :-
.;- .. , . - p .r..:.: - : .:-
I I 1 1 I I 1 - c - ___, =. 1i f = --_ tf b b 1J . =- 1J us ..M. . .-- - - --- to 1 0 . . . , E- L~- s_' . E_'.:-
~
= .:- LL i _~:- 7 jf] EM - EY - Eh- r_ - -
', 'f 'f 'f f } 'f ?(
. ' . .f 'f '.f , 'f 'f._ . . . .
Y xx Eu Y=x9 Y xx9 Y xx I::.. 4 gn [h ree
. :.~ :- > :.-- F :.~ - V ,:~ - > rr I ,I : ..=
i
- .: - - :::- -~ ==.-- :. ==-. :.:::.-- :. .: --
Figure B2-1. Calvert Cliffs Single Line Diagram (Vital 120V AC & 125V DC, Emergency 250V DC)
480 VAC (BUS J TRAIN B) 480 VAC (BUS H. TRAIN A) MCC 131-1 MCC 1H11
) 33 04
) 35 ) 96 A5 ) ) AS .4
) A3 l 1 5' ' l
~ < , < < <
C,, C100 N>
,, ~<C, ,
g7-= C10A 9* iRusA - -- Cat m > iti"~s . ?)* 7 v.e.1 1-8V l
.. A. )
l- Vet.e t III CsA m, a - CAA
,7- Cs. , .-
*)010 m __
') A10 i.. A
-- ;) en 3. . . i
- i. 2 s . . . . , i 2 Ai, ..-.. I1 iA2 7 c . .. _ _1. __ y _,__._1___ c . .. . s LJ m C- v. .i s -u
)
w >== ,) ..v...i i 4 _] E ._ i2oAC _l_ ia i N _
. ... e i2 soc --
C30 m, 47-C73 C7A 7p CAA
,- C.s C, ,, y-s< SL
)S2 )St )I A7 ) A1 ) A2 l [ oc.is oC.i A l l 1 l L >
^
LI L L ,:
.....,. e hi
( SL i NL 1. wt i (- SL {
.....A -~
Figure B2-2. Surry DC Power System
APPENDIX B3 SURVEY AND ANALYSIS REACTOR PROTECTION SYSTEM (RPS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
....................................... B3-3 2.0 CALVERT CLIFFS RPS DESCRIPTION ..................... B3-3 2.1 System Description ............................ B3-3 2.1.1 Control Element Assembly ............... B3-3 2.1.2 Trip Logic ............................. .B3-5 2.2 C;; stem Operation .............................. B3-7 3.0 SURRY RPS DESCRIPTION .............................. B3-8 4.0 COMPARISON OF CALVERT CLIFF AND SURRY RPS .......... B3-13 5.0 CALVERT CLIFFS SYSTEM EVALUATION ................... B3-15 5.1 Event Tree Interrelationships ................. B3-15 5.2 Determination of RPS Unavailability ........... B3-16 B3-1/-2
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 Reactor Protection System (RPS) was reviewed and compared with the similar PWR design (Surry) evaluated in the WASH-1400 study. The RPS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report, respectively. A comparison of the two reactor protection systems is given in Section 4. RPS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a description of the reduced RPS fault tree model and a point estimate of the system unavailability. 2.0 CALVERT CLIFFS RPS DESCRIPTION 2.1 System Description The RPS consists of sensors, amplifiers, logic and other equipment necessary to monitor selected nuclear steam supply system conditions and to ef fect reactor shutdown by de-energizing the control element drive mechanism (CEDM) coils allowing the control element assemblies (CEA) to drop into the core by gravity if any one or a combination of conditions deviates from a preselected operating range. An auxiliary signal is provided to trip the turbine coincident with reactor trip. 2.1.1 Control Element Assembly The Calvert Cliffs reactor core is composed of 217 fuel assemblies and 77 control element assemblies (CEA). The CEAs B3-3
consist of five inconel tubes 0.948 inch in outside diameter. Four tubes are assembled in a square array around the central fifth tube. The tubes are jointed by a spider at the upper end. The hub of the spider couples the CEA to the drive ' assembly. The CEAs are activated by magnetic jack control element drive mechanisms (CEDM) mounted on the reactor vessel head. The CEAs are divided into the following groups:
- a. Shutdown: three groups
- b. Regulating: five groups There are 37 single CEAs and 20 dual CEAs (the dual CEA is made up of 2 single CEAs connected to separate grippers and carried by an extension shaft) . The 20 dual CEAs are for shutdown; 37 single CEAs are for regulating. All CEAs are scrammable.
The Control Element Drive Mechanism (CEDM) is of the magnetic jack type drive. Each CEDM is capable of with-drawing, inserting, holding or tripping the CEA from any point within its 137-inch stroke. The CEDM drives the CEA within the reactor core and indicates the position of the CEA with respect to the core. For conditions requiring rapid shutdown of the reactor, the CEDM coils are de-energized, B3-4
allowing the CEA and the supporting CEDM components to drop into the core by gravity. There are 57 CEDMs. The CEDM coils are de-energized by opening a minimum of one pair of trip circuit breakers in each motor generator supply path. There are some basic differences between Calvert Clif fs and the RSS PWR. For example, the RSS PWR plant (Westinghouse) used a two-of-three trip logic whereas the Calvert Cliffs plant (Combustion Engineering) uses a two-of-four trip logic system. Also, the RSS PWR used only one power circuit to the control rods. That circuit had two CBs in series either of which could trip the reactor. The Calvert Cliffs plant has four paralleled power paths to the control rods, each path contains two CBs in series, either of which will open that power path. All four power parallel power paths must be opened to completely SCRAM the reactor. The first of these differences ( two-of-four logic for trip) would be expected to reduce unavailability while the second (four parallel power paths to the control rods) would be expected to increase unavailability. 2.1.2 Trip Logic The Calvert Cliffs RPS consists of four identical channels. Each measurement channel which can initiate protective action B3-5
operates a channel trip unit containing three sealed electro-magnetically actuated reed relays. Four trip units are actuated for each trip condition. The trip paths are designated A, B, C, and D. The trip paths are connected in six two-out-of-two logic matrixes which form a two-out-of-four coincidence logic with re-spect to the input channels. At the output of each logic matrix is a set of four sealed electromagnetically actuated relays (logic matrix relays). The contacts from six of the logic matrix relays (one from each logic matrix) are connected in series with the coil of a trip circuit breaker control relay. (This is repeated for each of the four trip circuit breaker control relays, K1, K2, K3, and K4.) Each of these four trip paths is the power supply line to a trip breaker control relay whose contacts provide actuation of under voltage (UV) and shunt trips (ST) on the trip circuit breakers thus interrupting the ac power to the CEDM power supplies. (Figure B3-1.) Manual trip may be accomplished from the control console. The actuation of two adjacent pushbutton switches on the control panel causes interruption of the ac power to the CEDM power sup-l plies. Two sets of manual trip pushbutton switches are provided. The manual trip is independent of the automatic trip system though both involve removing voltage (125 vde) from the under voltage coils and applying it to the shunt coils. When one of the four channels is taken out of service, the protective system logic can be changed from a two-out-of-four B3-6
to a two-out-of-three coincidence for a reactor trip by by-passing the removed channel. This is accomplished by the operation of a logic bypass switch. One key-operated switch is provided for each trip unit. Only one key is provided for the trips for any one variable to ensure that only one group of four can be bypassed at one time. 2.2 System Operation The Calvert Clif f s RPS has four independent measurement channels designated A, B, C, and D. These channels monitor plant parameters and initiate a trip when two-out-of-four indicate a condition for trip (see Table B3-1). Independent channel trips are combined in six two-out-of-two logic mat-rixes. Each two-out-of-two logic matrix provides signals to four one-out-of-six logic units, each of which causes a trip of the breakers in the ac supply to the CEDM power supply when power is removed from the CEDM's seventy-seven (77) shutdown and regulating CEAs drop into the core by gravity. The use of two-out-of-four logic between the four in-dependent measurement channels permits a channel to be tested on-line without initiating a reactor trip. Maintenance to the extent of removing and replacing modules within a protective measurement channel can also be accomplished on line without causing a reactor trip. The technical specifications for the B3-7
Calvert Cliffs Nuclear Power Plant delineates the minimum fre-quencies for checks, calibrations, and testing of the reactor protection system. Each logic channel is tested monthly. The RPS sensors are checked during each shift and are tested monthly. To prevent either the on-line testing or maintenance features from creating a means for unintentionally negating protective action, a system of interlocks initiates a protective channel trip whenever a module is placed in the test mode or is removed from the system. However, provisions are made in each protective channel to sup-ply an input signal which leaves the channel in a non-tripped condition for testing or maintenance. The test scheme for the reactor protective system is based upon the use of comparative measurements between like variables in the four protective chan-nels, and the substitution of externally introduced digital and analog signals as required, together with measurements of actual protective function trip points. 3.0 SURRY RPS DESCRIPTION The RPS is defined to consist of 48 CRAs, their magnetic jack assemblies, breakers and motor generator sets that provide power to the magnetic jacks and the electronic logic that con-trols the trip circuit breakers in response to the monitoring of certain reactor temperature. (The Surry RPS logic diagram is shown in Figure B3-2.) The RSS analysis did not consider the rod control system, which is used B3-8
to slowly raise or lower individual control rods for the
" shimming" of reactor power. Since the entire rod control =
l system gets its power from the reactor trip breakers, trip-ping the reactor by opening the breakers disables the rod controls and removes all power to the magnetic jacks. With-out power, all magnetic jacks wi'11 release their hold on the control rods and allow them to fall into the core unless mechanical damage restrains them. Thus the rod shim control system has no effect on the success of a trip. The rods and jacks thus will only be involved in the analysis as mechanical faults. The Reactor Protection System or Trip System rapidly drops the Control Rod Assemblies when conditions exist requiring re-actor shutdown. Control rods are normally held in position by the magnetic jacks. The Control Rod Assemblies are dropped during the trip by removal of power to the rod control system through the opening of either reactor trip breaker 52/RTA or reactor trip breaker 52/RTB. Breaker 52/RTA is controlled by RPS Train A and Breaker 52/RTB is controlled by RPS Train B. The two series connected trip breakers RTA and RTB con-trol power from two parallel connected motor generator sets. The two motor generators provide isolation from the 480-volt buses they are powered from and provide power to the magnetic jack controls with a three-phase non-synchronous voltage which would be difficult to sustain by shorting to any other source B3-9
of power remaining present due to shorts to other buses when the trip breakers open is very unlikely. Since the motor gen-erator sets receive power from two 480-volt buses, failure of power on both of these buses will result in an inadvertent trip. The two reactor trip breakers are each bypassed by a special test breaker of the same type as the trip breakers. These are called BYA-bypass A, connected across RTA, and BYB connected across RTB. Both bypass breakers are normally open. BYA is tripped by reactor Train B and BYB is tripped by Train A. A typical test use of these breakers would be to close BYA for a test of breaker RTA. Test signals are sent through Train A which will trip our RTA. Instruments monitoring RTA will indicate that it tripped properly. After testing, RTA is closed again and BYA is opened, and the system is left with only the original closed series connection of RTA and RTB. If during the test (when RTA, RTB, and BYA were closed) a trip condition would exist, all three breakers would open and a reactor trip would occur. The two bypass breakers are inter-locked electrically so that both may not be closed at the same time. The bypass breakers are also used for repairing of the trip breakers RTA and RTB. If RTA fails to trip in the test mode, BYA will be closed and RTA will be " racked out" and repaired without removing power or scramming the reactor. B3-10
The tripping signals which trip the various breakers come from two logic trains which are identical in design. Each is composed of relay logic and has the purpose of combining var-ious transducer bistable signals into a single command to trip the reactor. The initiating bistable signals are combined to-gether into eight functional signals called RTl thru RT7 and manual trip. Each of the eight is capable of initiating a trip by itself. This relay logic, called trip Trains A and B, consists of all logic between the bistable relays of the analog instrumentation and the trip breakers. The eight divisions of each train are:
- 1. RT Primary System,
- 2. RT Primary System and Nuclear Flux Differential,
- 3. RT Pressurizer System,
- 4. RT Steam Generator Low-Low Level,
- 5. RT Steam Generator Feed-Flow Mismatch,
- 6. RT Miscellaneous Trips,
- 7. RT Nuclear Flux Instrumentation, and
- 8. Manual Trip.
Although there are reactor trips from many sources, definition of failure to trip for the small liquid leak LOCA considers only three of those divisions as the initiating signals at-tempting to provide a trip. They are:
- 1. RT The pressurizer signals: low pressure;
- 2. RT The primary system: overtemperature at; and
- 3. RT Trips through SICS initiation: low pressurizer coincident with low pressurizer level.
B3-11
On each of these circuits, except for RT6, transducers provide analog signals which result in bistable relay signals for each out-of-tolerance parameter. Since there are usually three analog instrumentation channels for each parameter, the relay logic provides a two-out-of-three determination for each para-meter. This signal combined with others generates the RTl and RT3 trips. RT6 on the other hand is composed of the logical "or" of both output signals of the SICS. Since the analysis is only concerned with the small LOCA, it is assumed that the only initiating signals which will trigger the SICS are pres-surizer low pressure and level. It should be noted that the same six pressure and level transducers used in the RT3 trips are used for triggering the SICS; however, different compar-ators are used. In the above descriptions, combinations of separate instrument channel signals are accomplished by relay logic.
- Each separate instrument channel is an analog circuit using transducers, current loops and solid state circuitry. A typical instrument channel has a constant current type trans-ducer in series with a 40-volt DC power supply and several "I/V modules" (resistors), where a proportional voltage is created from the current loop. Across each "I/V module" two wires are attached which feed the input of a voltage comparator. The comparators sense the difference between that signal and a reference which can be a fixed l
B3-12
voltage or another transducer signal. The comparator is all solid state circuitry and provides an AC signal on its output which feeds a logic (bistable) relay to represent that the abnormal condition is present. More complex loops, such as the temperature channels, have additional analog modules such as summers, lead / lag controllers or multipliers which do further signal conditioning on the analog signal before it is fed into the final voltage comparator. These instrument channels are designated by a name such as instrument loop 459. That instru-ment loop (in this case a pressurizer level monitoring loop) has a transducer such as LT459, power supply LQ-1-459, I/V module LC-1-4 59/R, comparator LC-1-459A and bistable relay number LC459A. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY RPS The Calvert Cliffs RPS differs significantly from the Surry RPS in the method of interrupting power to the CEAs. The Surry RPS accomplishes the reactor trip by de-energizing combinations of one-out-of-two primary circuit breakers via the logic channels. In the Calvert Cliffs RPS each measure-ment channel which can initiate protective action operates a channel trip unit containing three sealed electromagnetically actuated reed relays. Four trip units are actuated for each trip condition, the trip paths are designated A, B, C, and D. B3-13
4 d The trip paths in the Calvert Cliffs RPS are connected in six two-out-of-two logic matrixes (AB, AC, AD, BC, BD, and CD) which form a two-out-of-four coincidence logic with respect to the input channels. At the output of each logic matrix is a set of four (24 in all) sealed electromagnetically actuated re-lays. These sets are designated AB1, AB2, AB3, AB4, ACl, ..., CD3, and CD4. The contacts from ABl, ACl, ADl, BCl, BDl, and l CD1 are placed in series with the coil of relay K1, a trip circuit breaker control relay. Similar sets of contacts AB2, i i AC2 ..., CD2; AB3, AC3, ..., CD3; and AB4, AC4, ..., CD4 are placed in series with the coils of- , relays K2, K3, and K4 re-i ) spectively. Each of these four trip paths is the power supply i i line to a trip breaker control relay whose contacts provide actuation of under voltage (uv) and shunt trips (ST) on the trip circuit breakers, thus interrupting the AC power to the CEDM's power supplies. The Calvert Clif fs CEDMs are separated into two groups. The CEDM's power supplies in each group are supplied in parallel with three-phase ac power from the motor-generator sets. Two full capacity motor-generated sets are provided so that the loss of either set does not cause a release of the CEAs. Each side of each branch line passes through two trip circuit breakers (each actuated by a separate trip path) in series so that, i although both sides of the branch lines must be de-energized to release the CEAs, there are two separate means of interrupting each side of the line. This arrangement provides means fee the t testing of the protective system. B3-14
The Surry RPS logic employs three sensor logic channels feeding into two output trains which in turn, input to the circuit breakers. The Calvert Cliffs sensor logic is a two-out-of-four system whereas the Surry sensor logic is a two-out-of-three system; i.e., any two of the logic channels will trip the reactor when an abnormal condition occurs. The point estimates for the Calvert Cliffs and Surry RPS failure probabilities are: Q(RPS, Calvert Cliffs) = 2.0 x 10-5 Q(RPS, Surry) = 3.6 x 10-5 Calvert Cliffs RPS unavailability is somewhat lower than Surry's. This is due to the f act that a recent NUREG report (Reference 14) has indicated that the Surry RPS failure due to three or more rods failing to drop into the core is overly con-servative and was assessed as insignificant for Calvert Cliffs. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships Failure of the RPS appears as event K on the Calvert Cliffs LOCA and transient event trees. For the analysis of large LOCAs, the RPS event is assumed to succeed since the vessel will quickly blow down and borated ECCS water will prevent the fission process from restarting even if the RPS fails. For all other accidents, operation of the RPS must be considered. B3-15
5.2 Determination of RPS Unavailability i j A simplified fault tree for the Calvert Cliffs RPS is shown in Figure B3-3. The major contributor was found to ^ be failure of the RPS trip circuit breakers to open. The RPS unavailability for Calvert Cliffs was assessed to be: Q(RPS) = 2.0 x 10-5 l I l ) B3-16 l
Table B3-1. Calvert Cliffs RPS Trip Parameters Trip Number of Condition for Variable Sensors Trip Comments High Rate of Four wide range start up Rate of change of Power Primarily F,quipment Change of Power channels exceeds 2.6 decades per Protection Trip Proportional counters minute trip is bypassed Core is adequately fission chambers below 10-4 percent and Protected without above 154 power. this trip. High Power Eight ion chambers 10% above measured Pre trip alarm 8% above Level power O. measured power O. 4 Pump Operation 106.5% Alarm 104.5% 3 Pump Operation 80 t Alarm 78 4 f3 2 Pump Operation P Opposite Inops 15.1% Alarm 49.1% 4 Same Loop 46.8% Alarm 44.8% Iow Reactor Cool- Four differential ant Flow pressure transmitters 4 Pump Operation 954 Alarm 974 3 Pump Operation 72% Alarm 744 2 Pump operation 50% Alarm 52% Opposite Loops 47% Alarm 49% Same Loop Low Steam Genera- Four sets of two 50 inches below normal Pre trip alarm at 32 tor Water Level (one on each steam water level. inches below normal generator) downcomer water level. level differential pressure transmitters Auctioneered Low of steam generators 1 and 2 used.
Table B3-1. Calvert Cliffs RPS Trip Parameters (Cont.) Trip Number of Condition for Variable Sensors Trip Comments Low Steam Genera- Ptur sets of two (one 500 PSIA Pre trip Alarm 628 psia tor Pressur e on each steam generator) downcomer level differ- Auctioneered Low of ential pressure trans- Steam Generators 1 & 2 mitters is used. Iligh Pressure Four narrow range pres- 2400 PSIA Pre trip Alarm 2350 Pressure sure transducers psia, w 1 H Thermal Margin / 4 Resistance Tempera- Variable Trip Set Point Pre trip Alarm 100 paia CD Iow Pressure ture Detectors (in the Minimum 1750 paia above the variable trip Trip hot and cold leg of Set Point (computed each steam generator) value). Ifigh Containment Four pressure trans- 4 PSIG Pre trip Alarm 3 PSIG Pressure mitters Loss of Load Ioss of Ioad above a Equipment Protection preset power level. Trip - Not required for reactor protection. Manual Trip 2 Sets of two push Operation Decision Testable during button switches reactor operation.
480VAC3h 430VAC3f Bus No 1 Bus No 2
)MainCircuit Breakers o)
Motor Generators 240 VAC 36
)4d5ynchronize )
Oc Bus Tie
* +125V dc Bus No 1 l
l 1 CB2A) (CB3A Manual o o C828 (B3B Trip g e n n
<- Trip Circuit Breakers o
. . CylA, _u) ,
CB4A B4B UV ST _______.__CBlh* d' J l Individual Individual
- CEDM Con.
- Note: There are 4125 de Buses 1, 2, 3, 4 CEDM Power trol System EDM Power with circuitry identical to that Sunolies Sucolies ,
shown for Bus 1. Bus 2 goes to CB2A and CB28, etc. Figure B3-1. Calvert Cliffs RPS Power Trip Circuit i B3-19 l l
~.m .-a , c,.,.,
,t.i Q --
7 _.) t m ., ,
-.,i,s o,. _
-- _O - ...
g
, ,,,... g = .....
m ,,,
...o
.._,., D .. .e
= . ..
..s,.
~ ..
.y .c. 7)
...,...=
j v. c
~t_,..
m d s '- - - 81 STABLE 9 *** m j OUTPUTS ) ORITY tm.( N ' "'"'" O tocrc or g INSTRUMENT lj CHANNELS ""7 D*""(, } I
. u ,.
s=c 7 ara ___./ ..........
..c n. .,
.sc_ _ s,csn-.i h id i.*T.'.
t-3. .... _b ,7
~ , . . . -
"a~-*
7 j g d) m l p .
"" "~ * *
,.i,-.-,.
__ / _ ,, .
. ,,, s m ..., ~ . . . .
; - . . . , a Figure B3-2. Surry Reactor Protection System Logic Diagram
FAILupE OF Tot IIPS T# T;tP 2 E-5 I I I I CINE DIssLFTitpl FAILumC (F nPS CIRCu!T Wlut FAttTS CIWWes 84EE IgeslSITS HCe SuFF ICIDef WWEAAlps Fall OF 1 RIP guS FA4LTE im 8006 TO ENIOP 10 OPDs TO OftEA Er lesTeupENTATilme ENTRY ( ( ( ( 2 E-e i 1 power sureLv 00umLE FAILUMES Tm!P Clacasti sEm fulnitsenscE j 4 E-S 3 8 E*O i CONTINUED OU i l NEXT PAGE MaA0wAAE F AILURE MMt0etAAC F AILulIE
- CorWIseATIONE (F ConstesAfl0MS OF i
g AyEAgEgg=g IEELAYS E3 AND E4 ta e 20 Asso CSE BA.M.4A i M 2 E-S. SAFC AS FOR H El AND E2 DELAYS 2 E-8 I i i i I CIRCulf AEA BA Ace leELAv El Ase CS IIELAYS El Ase Claculf ma la Ase mELAY A2 Ace C3 24 FAIL 10 (F OR 2A EMI 23 FAIL E2 FAIL 28 F AIL TO CPUs I A EN IS Fall I E-6 6 1.3 E-fl I E-6 6 7.2 E-S 7.2 E-S I I I I TRIP AELAY CIRCulf SER 2A CIIICu!T SER I A TRIP IELAY El FAILS OR 20 FAIL 10 GR IS F AIL TO R2 FAILS (PDs IFEN 5.8 E-S 3.6 E-6 4 2 E-3 2 E-3 I __ l l 1 CIIICuf f SER 2A Cilicuff SA B CINCuff S R BA CIRCulf 3 2 IS AM FAIL M MAftoWAaE FAIL 1SE MANhf M FAILI M N FAILIM I E-3 : E-3 E-i I E-s Figure B3-3. Calvert Cliffs Simplified RPS Fault Tree
CONTINUED FROM PREVIOUS PAGE r% I I l l TRIP Cincuff man TRIP CIRCUIT SER TRIP CIRCulf am TWIP Clatuff mut I A CLCEED tRJRIssG 2A CLOSED tXJRIssG BA CLOM O OURIssG 4A CLOSED thallac CS 2 El FAIL IP WELAY N E2 FAIL OR kip Av 4 E3 FAIL IP aELAY CS BA E4 FAIL h1P Y e E-8 SAFE AS FOR 2 E-8. SAft AS FINt 2 E-8. SAFE A$ Flut 2 E-6. SAFE AS Flut Cincult am M circuli 301 M Cinculi ma M Claculf am M t:3 I I I Y 1 RIP CIRCUIT SER TRIP CIRCuff ank TRIP CIRCuff anR TRIP CleCu!T Sat w Ie CLOSED DUR1 peg 28 CLDSED DLfl1IEG EB CLDSED OURIseG 48 CL13 BED DumIsec
$ El FAIL ! SEiAY C is E2 FAIL RIP REL AY S'4Y EE FAIL IP LAY $Yo IP AY E4 FAIL 2 E-8. SAFE AS FOR 2 E-8. Safe AS Ftpt 2 E-4. SAFE AS FM CIRCult EUt M ClpCUIT D'.R M CIRCuff OER M 3 E-S T
I I TRIP CINCuff DUt saammenar FAstisg M CLOSED 115tlIC EF CIRCuf f mit 40 MAINTDeMcCE int TRIP #ELAY E3 2 E-I I E-3 i . Concult = = 4e Lacit insP mELAY FAILE 10 tr os E5 FAJLS I t-s I.s E-e Figure B3-3. Calvert Cliffs Simplified RPS Fault Tree (continued) _- _ _-_ __ _ _ _ a
l 4
.,/
r' g\ t t , APPENDIT. B4 1, ,: , SURVEY AND ANALYSIS 5 - i CONTAINMENT LEAKAGE (CL) - CALVERT CLIFFS PLANT TABLE OF CONTENTS / k- PAGE SECTION ;
1.0 INTRODUCTION
....................................... B4-3
. I i 2.0 CALVERT CLIFFS CONTAINMENT INTEGRITY
SUMMARY
. . .. ... B4-3
,/ si <
2.1 Descriptio,n ................................... B4-3
~/
2.2 Operation ..................................... B4-6 l< . 3.0 SURRY CONTAINMENT LEAKAGE DESCRIPTION .............. B4-7 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CL , CONTRIBUTORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .,. . . B4b9 5.0 CALVERT CLIFFS CL EVALUATION . ... .. . . . .. . .. . ... . . ... B4-10 5.1 Event Tree Relationship ....................... B4-10 5.2 Es tima te of CL Pr obability . . . . . . . . . . . . . . . . . . . . B4-ll s-1 1 o N 4
/
J i k B4-1/-2 4 e _ _ _ _ + _ - - . - - - _ _ - - - - _ _ _ _ _ - . _ - - _ _ . _ - . . _ _
l
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 systems and components which are designed to contain the release of radioactivity from the primary system in the event of an accident were reviewed and compared with the analogous system and components of the Surry plant analyzed in WASH-1400. The probabilities of failure of these system or com-ponents define the containment leakage (CL) probability as was used in the containment event tree. As in WASH-1400, containment leakage was defined as that leakage which provides a flow path to the atmos-phere equivalent to a 4" diameter hole or greater. The designs to minimize containment leakage for Calvert Cliffs and Surry are described in Sections 2 and 3, respectively, of this Appendix. A comparison of the Calvert Cliffs and Surry design is given in Section 4. The use of the 'CL' probability in the contain-ment event tree is specified in Section 5. Also included in Section 5 is a point estimate of the Calvert Cliffs 'CL' probability. 2.0 CALVERT CLIFFS CONTAINMENT INTEGRITY
SUMMARY
2.1 Description The containment building is a post-tensioned reinforced con-crete cylinder and dome connected to and supported by a massive reinforced concrete foundation slab. The entire interior surface of the structure is lined with 1/4 inch thick welded ASTM A36 steel plate to assure a high degree of leak tightness. Numerous mechanical ( and electrical systems penetrate the containment structure wall through welded steel penetrations. The penetrations and access openings were designed, fabricated, inspected and installed in B4-3
accordance with Section III, Class B of the ASME Pressure Vessel Code. The general design basis governing isolation valve require-ments is that leakage through all fluid penetrations not serving engineered safety feature systema is~to be minimized by a double barrier so that no single,. credible failure or malfunction of an active canponent can result in loss-of-isolation or intolerable leakage. The installed double barriers take the form of closed piping systems, both inside and outside the containment structure, and various types of isolation valves. Isolation valves associated with containment penetrating lines not required for safety systems are closed in the event of a LOCA. These valves are closed by the redundant containment isolation signals generated by the Engineered Safety Feature Actuation System (see Appendix BlO). Other containment isolation valves have handswitches which are located in the main control room, for normal control and backup control during an emergency. All remotely operated containment isolation valves are provided with position indication (open or closed) in the control room. Figure B4-1 is a simplified schematic of the containment system showing safety system and other penetrations. All penetrations except the following are located in groups and a penetration room is located at each group.
- 1. Equipment Hatch
- 2. Personnel Access Lock
- 3. Emergency Personnel Access Lock
- 4. Refueling Tube
- 5. Purge Line Inlet and Outlet B4-4
s .Any leakage that might occur from these penetrations will be collected and exhausted through vents. In this manner, leakage which might occur from these groups of penetrations .will be isolated from leakage which might occur through the containment structure itself. Fluid penetrations which are required to be isolated after an accident are classified into.four categories: Type I. Each line connected directly to the reactor coolant system has two isolation valves. One valve is in-side and the other valve is outside the reactor building. These valves may be either a check valve and a remotely operated valve, or two remotely opera-ted valves, depending upon the, direction of normal flow. Type II. Each line connected directly to the reactor building atmosphere has two isolation valves. At least one valve is outside and the other may be inside or outside the reactor building. These valves may be either a check valve and a remotely operated valve or two remotely operated valves, depending upon the direction of normal flow. Type III. Each line not directly connected to the reactor cool-ant system or not open to the reactor building atmosphere has at least one valve, either a check valve or a remotely operated valve. This valve is located outside the reactor building. B4-5
Type IV. Lines which penetrate the reactor building and are connected to either the building or the reactor coolant system, but which are not normally open dur-ing reactor operation, may have manual valves with provisions for locking in a closed position. Each valve may be tested periodically either during normal opera-tion or during shutdown conditions to insure its operability when needed. 2.2 System Operation Containment isolation occurs on a signal of approximately 4 psig in the containment building. Valves which isolate penetra-tions that are directly open to the containment structure, such as the purge valves and sump drain valves, will also be automatically closed on an isolation signal. Fluid penetrations serving enginered safety features systems also meet the design basis double barrier criteria, but do not close upon a containment isolation signal. Isolation valves of other systems are sized and actuating times determined, depending on the amount of radioactivity these systems could release from the containment in the event of a loss-of-coolant incident. Auto-matic actuation of the isolation valves not required by the engineered safety features will insure a rapid closure independent of the reactor operator. Upon receiving the Containment Isolation Signal (CIS), all isolation valves required to isolate the containment from the B4-6
ourrounding environment and other systems within the plant, close cutomatically. The CIS is produced by either two-out-of-four containment pressure sensor channel trip signals or manual initiation from the Control room. Containment pressure is monitored by four independent pressure transmitters which are separate from those utilized for the safety injection actuation signal and the containment spray cctuation signal. Refer to Appendix B10. In addition to the capability for manual initiation of the actuation signals from the control room, each of the above-listed actions may be individually initiated by appropriate control switch operation. Upon loss of control air or loss of control circuit power, the engineered safety feature isolation valves automatically assume the operating position for the LOCA condition. Where two icolation control valves are provided for a single containment psnetration, each valve is controlled by a separate actuation sub-system initiates closure of the valve. 3.0 SURRY CONTAINMENT LEAKAGE DESCRIPTION The containment building is a steel-lined, reinforced concrete structure, including foundations, access openings, and penetrations designed to maintain an essentially leak-tight barrier against the release of fission products under conditions up to and including any design basis accident. Normally, the 60 psia design pressure containment operates at a subatmospheric pressure of 9 to 11 psia. The containment system is designed for a maximum leakage rate of less than 0.1 volume percent per day at design pressure. B4-7
Access to the containment structure is provided by a 7'0" ID personnel hatch penetration and a 14'6" ID equipment hatch pene- j tration. Other smaller containment structure penetrations include hot and cold pipes, main steam and feedwater pipes, fuel transfer tube, and electrical conductors and containment purge lines. Figure B4-2 is a cross-section of the containment structure. The Surry nuclear plant containment isolation is achieved by applying common criteria to penetrations (e.g., the two barrier criterion) in all the interfacing fluid systems and by using ESF signals to activate appropriate valves. Signals which activate the safety injection control system (SICS) and the consequence limiting control system (CLSC) are used to close these isolation valves. Depending on the specific application, the two barriers previously mentioned consist of one of the following valving arrangements:
- 1. Two automatic isolation valves, one on each side of the containment wall.
- 2. An automatic isolation valve and a membrane barrier.
- 3. An administratively controlled, manually operated valve outside, and a sealed system inside the con-tainment.
- 4. Two administratively controlled, manually operated valves, one on each side of the containment wall.
- 5. A sump recirculation pipe and valve arrangement, con-servatively designed and fabricated, and enclosed by a special valve pit.
B4-8
A membrane barrier consists of either pipe, tubing, component wall. An incoming line from a centrifugal pump or a surge tank 10 considered an open line and a check valve is used in incoming lines instead of an automatic isolation (auto-trip) valve. However, check valves, single or in pairs, are not used to provide the only means for isolating a penetrating line. There are about 50 major piping penetrations through the containment structure. These can be grouped in five functional classes according to the Lnplementation of the design bases. Class I piping is open to the outside atmosphere and is connected to the reactor coolant system, or a connecting system, or is open to the containment atmosphere. Class II piping is connected to a closed system outside the containment, and is connected to the reactor coolant system, or a connecting system, or is open to the containment abnosphere. Class III piping is connected to open systems outside the containment and is separated from the coolant system, or a connecting system, and the containment atmosphere by a closed valve under administrative control or a membrane barrier. Class IV piping must remain open after a loss-of-coolant accident. Class V piping is connected to normally closed systems outside the containment, and is separated from the reactor coolant system, and connecting systems, and the containment atmosphere by a closed valve and/or membrane barrier. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CL CONTRIBUTORS As discussed in the main report, insights from WASii-1400 were used wherever possible to evaluate the reliability of each part of the Calvert Cliffs design. Thus, on the basis of the WASII-1400 B4-9
analysis, and in consideration of the leak tests required by tech-nical specifications, structural failure of the containment shell, failure of the blind flange on the refueling tube and major leakage through the equipment hatch were not judged to be dominant con-tributors to the CL probability. Further, the probability of a significant leakage path through the containment spray injection line was not judged significant because, unlike Surry, Calvert Cliffs uses the same line for containment spray recircultion as for-injection. Back leakage through the LPIS lines was also judged not significant because of the numerous check valves in each line. Conversely, dominant contributors to the Calvert Cliffs CL probability, which were not present at Surry, developed from the difference between Surry's subatmospheric design and Calvert Cliffs atmospheric containment. Specifically, the probability of signi-ficant open penetrations of the containment which go unnoticed for some time was precluded at Surry because normal operation requires internal containment pressure to be significantly below atmospheric pressure, i.e., the containment is constantly leak tested. However, at Calvert Cliffs, where there is no constant leakage monitoring system and the containment is kept at atmospheric pressure, a sig-nificant unnoticed leakage path was judged to be more likely. 5.0 CALVERT CLIFFS CL EVALUATION 5.1 Event Tree Relationship Containment Leakage, CL, appears as event # on the containment l event tree. I B4-10
l l 5.2 Estimate of CL Probability As discussed in Section 4.0 of this Appendix, a significant contributor to the CL probability was judged to be the possibility of a significant violation of the containment integrity going unnoticed for some time. To estimate the probability of this failure mode, Licensee Event Reports (LERs) were surveyed for the period 1969 to mid-1980. During this period, approximately 184 years of PWR operation was amassed for plants with other than a subatmospheric containment design (average capacity factor of 74.6% assumed).1 The LERs were screened to yield incidents in which a containment penetration equivalent to a 4" diameter pipe was open at plant conditions other than shutdown. Many of the violations found involved leakage or opening of both airlock doors. However, because the airlocks were alarmed, these violations were generally of very short duration. Incidents in which unmonitored penetrations were open and penetrations caused by plant personnel inadvertently drilling holes in the steel liner did occur. However, the inadvertent drilling penetrations, some of which remained undiscovered until an integrated leak test was performed, were not included as failure contributors because they did not meet the 4" diameter equivalent hole criterion. Thus, the major component of the undetected open penetration contributor to CL was from an incident involving an unmonitored system pene-tration. This single incident was the largest contributor to containment leakage of atmospheric containments during the time period examined. Assuming such occurrences are equally likely 1 Nuclear Power Plant Operating Experience - 1978, NUREG-0618. B4-ll
at all plants, this failure mode, estimated at 7x10-3, was the dominant contributor to the Calvert Cliffs "CL' probability and was the value used in the sequence analysis. 1 i B4-12
}
.mm .m.
s.P'inJ 1ML5 I
;*s,as O e,,
4 eerms st 9 e yH I l Lo .c n a a va Co"W*e t 4, W
- to
.ANs' to .
s M**1 W M9
.. ..i - i ... - m 9 to stas s,asts
~
- u. iusn m. e# l'
+- --
uO
..... ,m, E.. M di - '*"5
"'f *n , y ... g s i %,
.n . .
. -- s 1 e.c --
=tes == I% **
t I
$_ ' "C y L =um -x e x
L,.- = qx@, [
...... .. . .-e -
I- = G .,
... . -g> .xg:
i
. .uie.
w,i .i a. 5 .u. ... m -
,,,=Jg;, g5' on 5
.{.Q x, , _( ,,,,,
c.c.
-> =,
- Im m
=, ses I' g mm ac no :u.um.um m %
C EE'~ I .. .;. *!'* ' (
. L ?" n U , ..
y
.. %...J , _ . -
.Xe
. m. ug ,g ,,
r. y {. + 1
=, - c
- v. n n- n 1,*
- I
..... I
,g.
i [ l
...g n .s _
q -
-4 .
' ";j, e y- '
= gr.4
~
..-..r... .....
1,- J. . .- _T
..9 -
< w:, ,, -
Y y t,.f- (M .'m ' s.utte,.a cmstro et I s coaeoata t i "' pou , s. f* g 04---
,etuant tie g- (. r. % . stas n.s cnottuc warsa not sto Q conIAI rtat w ,t%; we to tint st%1 **
. niu uutt n, rar ,
.w$
c-n n ( I a,txcrsat we e n___
-4Mt , I 'a'"""
. ,. 7,;,,
u,smn I 1mto . .Q N un te P"'#-- l
- a. . .' s
.... t:a N
j Figure B4-1. Simplified Calvert Cliffs Containment Leakage Schematic
Construction Vent j 8" Vent MOV Containment Spray
)
pov ( CSIS Header j CS101 A o injection System RWST VS 102 8" CSIS Header joig [ 1 A vsa ^ " h- O &
, ? r [,y -
P1A VS1000 p,n g, ifo*n' - CS24 g q 1010 MOV V V I O' Pen rto Cold
= &>- A ;2,, =e To h
-A 18000 N8 g- VS 100C g 1863A Hot h
VS101 To Airlock HPIS To {HPIS yg3g 21 18GOA 12" 4 . Sump
% P1A t,.
1r F 10 18608 Figure B4-2. Surry Containment Leakage Schematic
i APPENDIX B5 SURVEY AND ANALYSIS COLD LEG INJECTION ACCUMULATOR SYSTEM (CLAS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
.................................... B5-3 2.0 CALVERT CLIFFS CLAS DESCRIPTION ................. B5-3 2.0 System Description ......................... B5-3 2.2 System Operation ........................... B5-4 3.0 SURRY CLAS DESCRIPTION .......................... B5-4 4.O COMPARISON OF CALVERT CLIFFS AND SURRY CLAS ..... B5-6 5.O CALVERT CLIFFS SYSTEM EVALUATION ................ B5-6 5.1 Event Tree Interrelationships .............. B5-6 5.2 Evaluation of CLAS Unavailability .......... B5-6 B5-1/-2
l.0 INTRODUCTION The Calvert Cliffs Unit 2 Cold Leg Injection Accumulator Sys-tem (CLAS) was reviewed and compared with the similar PWR design (Surry) evaluated in the WASH-1400 study. The CLAS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this I report, respectively. A comparison of the two core flooding sys-I f tems is given in Section 4. CLAS event tree interrelationships I are detailed in Section 5. Also included in Section 5 is a point estimate of the CLAS unavailability. 2.0 CALVERT CLIFFS CLAS DESCRIPTION 2.1 System Description The CLAS along with the High Pressure Injection System, Low Pressure Injection System, and Auxiliary Feedwater System are designed to form collectively an overall Emergency Core Cooling System (ECCS), which is designed to prevent core damage over the entire spectrum of LOCA break sizes. Figure B5-1 shows the Calvert Cliffs Cold Leg Injection Accumulator System. The CLAS is a passive self-contained, self-actuating system. It is designed to flood the reactor core when the reactor coolant system pressure drops below 229 psig (tank pressure plus elevation head) in the event of a large LOCA. The system consists of four separate and independent trains. Each train consists of a nitrogen pressurized (safety injection) tank, containing borated water, two check valves and a normally open motor-operated isolation valve in series, and associated piping. The borated water is discharged into the four RCS cold legs under the driving force of the pressurized nitrogen in the tanks. B5-3
The accumulator tanks contain borated water at a minimum boron concentration of 1720 ppm and are pressurized with nitrogen at 200 psig. The tanks are constructed of carbon. steel and internally clad with stainless steel. Level and pressure instrumentation (audible and visual) is provided to monitor the availability of the tanks during plant operation. Provisions have been made for sampling, filling, draining, venting and correcting boron concentration. Two 12-inch check valves in series prevent high pressure cool-ant from entering each accumulator during normal plant operation (valves SI217, SI227, SI247, SI237, A1, A2, A3, and A4). The isolation valve which is in each line between the two check valves is fully open during normal plant operation and has its position indicated in the control room (MOV-614, 624, 634, and 644). The position of these valves is verified every 12 hours as required by technical specifications. 2.2 System Operation During normal operation the reactor coolant system is isolated from the tanks by two check valves in series thereby preventing re-actor coolant from entering the accumulators. When the reactor coolant system pressure drops below 229 psig, due to a LOCA, the stored borated water, driven by the pressurized nitrogen, opens the two series check valves and is injected into the four RCS cold legs to flood the core. 3.0 SURRY CLAS DESCRIPTION The Surry Cold Leg Injection Accumulator System (CLAS) pro-vides for core protection for intermediate and large reactor-B5-4
l coolant system pipe failures by automatically flooding the core with borated water. The system, which is passive and self-actuat-ing, includes three independent trains for injecting borated water into the cold legs of the reactor coolant system (Figure B5-2). Each train consists of a nitrogen pressurized tank, contain-ing borated water, two check valves and a normally open, motor-operated isolation valve in series, and the associated piping for interconnecting the tank with the cold leg. The tank is pressur-ized to 650 psig. When the pressure in the cold leg drops below 650 psig, the check valves "ill open and the borated water will be forced into the reactor coolant system. If the isolation valve is closed and a LOCA occurs, a safety injection control system (SICS) signal will apply power to the motor operator to open the valve. Water level and N2 pressure in each accumulator is monitored and alarmed by redundant level and pressure instrumentation. A relief valve provides overpressure protection for each accumulator. The accumulators are isolated from all other systems and accumula-tor suppport systems by closed valves. Successful operation of the CLAS in the event of an interme-diate or large LOCA requires that the contents of at least 2 of the 3 accumulators be injected into the reactor coolant system cold legs. If a LOCA occurs in a cold leg, the contents of the associ-ated accumulator will be lost out of the break thereby requiring both of the remaining 2 accumulators to successfully discharge their contents into the reactor coolant system. B5-5
4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CLAS Two major design differences between the Calvert Cliffs and Surry CLAS were found in this survey. The Surry design employs three identical trains for delivery of borated water to the reac-tor coolant system whereas the Calvert Cliffs design uses four identical trains. Surry's accumulators are pressurized to 650 psig while Calvert Cliffs are pressurized to only 200 psig. The RSS estimated a 9.5 x 10-4 unavailability for the Surry accumulator system. This is slightly higher than the 9 x 10-4 calculated for Calvert Cliffs' system. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The CLAS is one of a group of three systems which provide Emergency Coolant Injection (ECI) to prevent core damage for vari-ous break sizes. The remaining two systems include (1) the High Pressure Injection System and (2) the Low Pressure Injection System. Failure of the CLAS contributes to Event D (ECI) fcr large LOCA sequences. Failure of the CLAS to deliver the contents of three of the four safety injection tanks to the reactor core, in the event of a large LOCA, constitutes system failure. 5.2 Evaluation of CLAS Unavailability It is assumed that a large LOCA will disable one CLAS train (a worse-case cold leg break). The remaining 3 trains must then function properly in conjunction with the HPIS and LPIS to success-fully reflood the core. B5-6
A Boolean equation of the Calvert Cliffs' CLAS was not required since the system is nearly independent from all others. A single check valve in each injection line is shared with the HPIS and LPIS. However, since it takes only one check valve fail-ure in the CLAS to fail emergency coolant injection it was possible to neglect this interdependency. Refer to Figure B5-1. The CLAS can fail if any of the three remaining motor-opera-tcd valves plug (one train is assumed disabled by the LOCA). An RSS value of 1.0 x 10-4 was attributed to this type of failure. No operator error was considered since the position of each MOV is checked every 12 hours. It is also assumed that maintenance on the valves during power operation would violate technical specifica-tions. The CLAS can also fail if any of the check valves in the lines fail closed. This failure was assessed at 1.0 x 10-4 per valve. Possible CLAS flow diversion to the reactor coolant drain tanks (see Figure B5-1) was not considered in the failure analysis since the drain tank lines are small (one inch lines). The CLAS point estimate unavailability used in the sequence analysis was calculated to be: CLAS = (3 MOVs) - (1.0 x 10-4 unavailability /MOV) + (6 check valves) - (1.0 x 10-4 unavailability / check valve) CLAS = 9.0 x 10-4/ reactor year. B5-7
h "
@ " N ag hg *
@J ' h
.tb
&G - // - //- //-t: ,- g D '~$ '
'A &&m,4-l__ c j ,m s
_I
>< ::: -e4 y:,.fb,e q)?-Q t ,,
~_~ ,- 3, e .
9r 1 x A..U v L--y.--------- ( a_ g_ i .y i S* V >< c><~
"6 Jk'1t (M)-( -h q" M (C% '.L a)
TMT C*""E. N--N O cmTaiwstur PDitstr,Tsor4 l Figure B5-1. Calvert Cliffs Safety Injection Accumulator System (1 of 4 Typical)
Normally Open Valw Normatty Closed Valve i h s7 Ny Fill Va}ve Vent Vent 2$ CV 18758 v To HPIS 2k Pressure 10'* RH 16-1507 Accumulato, Flush g T e a nsmir.et Test Line l'a' 1925 RV 18588 Pl'I927 iL l l I 4 N s d' e g
+o+<a HCV HCV 1r w 650 PSB Ny
~
r; 18500 1850C o From - - Level RHR LT T e ensmitte, System 1924 LT 19M Accumulator 82 HCV 18518 158 TK-18 Fing N ,
=
N >'$ Cv 1875E MOV 18658 y
.a
! i~.s:44402 w2 m
, , w rm -
3/4 si-37407 L of,y,jy,2s e
, l gg;g_ w snicio ee Wall Figure B5-2. Surry Accumulator - Simplified System Diagram (one of three independent accumulators shown)
APPENDIX B6 SURVEY AND ANALYSIS LOW PRESSURE INJECTION SYSTEM (LPIS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
....................................... B6-3 2.0 CALVERT CLIFFS LPIS DESCRIPTION .................... B6-3 2.1 System Description ............................ B6-3 2.2 System Operation .............................. B6-4 3.0 SURRY LPIS DESCRIPTION ............................. B6-5 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY LPIS ........ B6-5 5.0 CALVERT CLIFFS SYSTEM EVALUATION ................... B6-7 5.1 Event Tree Interrelationships ................. B6-7 5.2 LPIS Model Description ........................ B6-7 5.2.1 LPIS Boolean Equation .................. B6-7 5.2.2 LPIS Unavailability .................... B6-10 B6-1/-2
i l l l
]
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 Low Pressure Injection System (LPIS) was reviewed and compared with the similar PWR design (Surry) evaluated in the WASH-1400 study. The LPIS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report, respectively. A comparison of the two low pres-sure injection systems is given in Section 4. LPIS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a description of the model used to incorporate LPIS failures into the Calvert Cliffs accident sequences and a point estimate of the LPIS unavailability assuming independence from all other Calvert Cliffs systems. 2.0 CALVERT CLIFFS LPIS DESCRIPTION 2.1 System Description The Emergency Core Cooling System (ECCS), which is designed to prevent core damage over the entire spectrum of RCS break sizes, is combined of the LPIS, the High Pressure Injection System (HPIS), the Auxiliary Feedwater System (AFWS), and the Safety Injection Tanks (SIT). Figure B6-1 shows the ECCS for one reactor unit. As highlighted in Figure B6-1, the LPIS is a system which pro-vides two flow paths for delivering borated water to the RCS follow-ing a LOCA. The LPIS utilizes two low pressure safety injection pumps each of which is connected to one of the two independent suction headers which also serve the high pressure and containment spray pumps. B6-3
l 1 l The low pressure pumps discharge to a common header from which four ' lines branch off to supply each cold leg. Each pump delivers the borated water to the reactor vessel at a flow rate of 3000 gpm at an RCS pressure of approximately 150 psi. The low pressure pumps are horizontal, single-stage centrifu-gol units provided with minimum flow protection to prevent damage when starting against a closed system. The design basis and system requirements are met with the operation of one low pressure safety injection pump, delivering rated flow and assuming 25 percent spillage through the break. All valves not required to operate on initiation of safety in-jaction are either isolated from the safety injection flow path or locked in the safety injection position during operation. Adminis-trative controls ensure that the locked valves are in the correct positions. The LPIS pumps receive seal cooling water from the com-ponent cooling water system. Refer to Appendix B14. 2.2 System Operation Automatic initiation of the LPIS is initiated by the Engineered Safety Features Actuation System (ESFAS). Safety injection is initiated either when the pressurizer pressure drops below 1600 psia or when the containment pressure raises above 4 psig. Upon initiation of safety injection, the two low pressure pumps are started and the four safety injection isolation valves in the supply headers to each cold leg open, letting water from the Refue'ing Water Storage Tank (RWST) into the RCS. The injection mode is terminated and recirculation begun when a low level in the RWST is sensed, at B6-4
which time the low pressure safety injection pumps are automatically shut down and both sump recirculation valves are automatically opened upon the Recirculation Actuation Signal (RAS). A recirculation line is provided on the discharge of each pump for testing and dead head protection. Testing can be accomplished by recirculating water back to the refueling water storate tank. 3.0 SURRY LPIS DESCRIPTION The LPIS in the Surry Plant (Figure B6-2) consists of i) Two pumps (3000 gpm, 600 psig each), each driven by an electric motor. Each pump shares a common suction header and discharge header. ii) Refueling Water Storage Tank (RWST) (350000 gal, of borated water, with 1900 PPM boric acid concentration, chilled to 45 F). iii) 3 discharge lines, one to each of 3 cold legs of RCS.. iv) 2 check valves in each of the 3 discharge lines, 1 nor-mally open motor operated valve in the common feeder to the 3 discharge lines and 2 normally open motor operated valves, one each in the pump discharge line. v) Piping, isolation valves and instrumentation. All stop valves between the RWST and the RCS are local and/or remote controlled manual valves and would normally be open. The check valves are installed to preclude backflow from the high pres-sure (2000 psig) RCS to the LPIS (600 psig). Pump start-up is initiated by a signal from the Safety Injec-tion Control System (SICS) when the pressure in the RCS falls to B6-5
600 psig. Borated water is drawn from the RWST and discharged into each of the 3 RCS cold legs. When the RWST is approximately 93 per-cent empty, as indicated by low RWST level alarm, the operator must realign the system to recirculate water from the containment sump to the RCS cold legs. The LPIS is designed on the following basis: a) Either pump will provide sufficient flow to the RCS cold legs. b) Acceptable system performance can be achieved with only one of three cold leg flow paths providing flow into the RCS. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY LPIS Both Calvert Cliffs and Surry employ redundant LPIS trains to deliver borated water to the RCS following a LOCA. Surry's LPIS suction line contains a manually operated gate valve in series with a motor-operated valve and check valve before the branchoff point to the pumps. There is then a single manually operated valve in each flow line before the pump. The LPIS pump discharge lines at Surry come together outside containment and then branch inside containment before connecting with the RCS. At Calvert Cliffs, separate supply lines provide water from the RWST to the pumps. The LPIS pumps then discharge to a common header. Water is then pumped into the core via four injection lines (which are shared with the HPIS). The RSS calculated value of 4.7 x 10-3 for LPIS failure at Surry compared with a 3.0 x 10-3 unavailability for Calvert Cliffs. The dominant failure for the Calvert Cliffs B6-6
cystem was flow diversion through some inadvertently opened valves. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The LPIS is one of a group of four systems which provide Emergency Coolant Injection (ECI) to prevent core damage for vari-ous break sizes. The other three systems are (1) the High Pressure
~
Injection System (HPIS), and (2) the Auxiliury Feedwater> System (AFWS), and (3) the Safety Injection Tanks (SIT). The probability of LPIS failure contributes to Event D, Emergency Coolant Injection, for large (A) LOCA's. Failure of the LPIS is defined as failure to deliver borated water to the'RCS at s a flow rate equal to or greater than the design output of one LPIS pump. , 5.2 Calvert Cliffs LPIS Model Description 5.2.1 LPIS Boolean Equations One Boolean Equation was developed to model the LPIS. This equation was used in the large LOCA sequence analysis. LPIS (2 of 2 trains fail) = A + Q + F + SIASCM -
+ SIAL
- SIBl + (C + E + SIB 3 + HP23LP22C) *
(Eq. B6-1) 4 s (B + D + SIA3 + HPLP21C)
- Table B6-1 relates each term in the above equation to the com-ponents shown in Figure B6-1. Table B6-2 lists total component unavailabilities and each of the contributors to the component B6-7
unavailability. Component unavailabilities were comprised of hard-ware, human, and maintenance faults where applicable. No electric power contributions were included into the LPIS model. The LPIS is only required after large LOCAs, a case in which offsite power will be available. Technical Specifications for Calvert Cliffs state that compo-nents shall not be removed from service so that the affected LPIS train is inoperable for more than 72 consecutive hours. If one LPIS train is inoperable for more than 72 hours, the reactor must be shut down. The average maintenance interval used in the Reac-tor Safety Study is 4.5 months, which corresponds to a frequency of 0.22 per month. From tha Reactor Safety Study (Table III 5-3) the log normal maintenanc . duration for components whose range is limited to 72 hours is a mean time of 19 hours. Therefore, the unavailability of one component due to maintenance is estimated to be: 19(.22) = 5.8 x 10
-3 720 l No downtime for testing was included in the LPIS pump unavail-cbility, since the recirculation lines will permit testing without taking the pumps out of service.
l One common mode failure was identified with the LPIS. The term t' SIASCM represents the failure of all LPIS initiating channels due to j possible miscalibration of the sensor / compositors. This failure was assessed at 3.2 x 10~ per reactor year and also affects the HPIS. Refer to Appendix B10. B6-8
The terms, SIAL, SIA3, SIB 1, and SIB 3 represent individual subchannel actuation faults. Channels SIA3 and SIB 3 initiate the pumps LP21 and LP22, respectively. Channels SIAL and SIBl open the MOVs in the injection lines. The terms HPLP21C nd HP23LP22C represent failures in the cooling water systems which provide water to the LPIS pump seals and bearings. It is assumed that without proper cooling, the pumps will fail. Refer to Appendix Bl4, Cooling Water and Con-tainment Heat Removal Systems, The only human errors included in the LPIS model were inad-vertent closure of manual valves M28, M42, M43, M34, M54, and M55, control valve CV-657 and motor-operated valves MOV-658, MOV-4143, and MOV-4142. The "A" failure mode represents a loss of pump recirculation to the RWST. The recirculation line is normally open and func-tions to prevent the safety injection pumps from pumping against high pressure. After a large LOCA, RCS pressure will remain higher than LPIS delivery pressure (approximately 200 psig) for a short , period of time. During this time, the pumps will fail if the re-circulation path is not open. J The "F" failure mode depicts the failure of control valve CV-306 due to plugging. Failure of this valve will block LPIS flow from both trains. The "Q" failure mode represents the inadvertent opening of valves CV-657 or MOV-658. If either of these valves is opened, LPIS flow could be diverted away from the LPIS headers (i.e., delivered to the containment spray headers). B6-9
5.2.2 LPIS Unavailability Using the Boolean equation given in the last section and the term unavailabilities given in Table B6-1, an independent LPIS point estimate unavailability can be calculated. This is found to be: LPIS = 3.0 x 10-3 , Double maintenance contributions, i.e., components of both trains being deliberately removed from service for maintenance, were removed from these unavailabilities since this condition is not allowed by Technical Specifications. A quantitative ranking of the Boolean terms for the LPIS is given in Table B6-3. As can be noted, approximately 67 percent of the system unavailability is due to the single failures repre-sented by Q. The reader should be cautioned that these are unavailabili-ties for Calvert Cliffs LPIS if the system is considered inde-
- f pendent of all others. In general, the LPIS unavailability will l depend on what other system successes or failures have occurred.
l l B6-10
t Table B6-1. Boolean Equation Term Descriptions Boolean Term Term Definition Term Unavailability A MOV-659 + MOV-660 2.0 x 10-4 B MOV-4143 + C65 7.0 x 10-3 C MOV-4142 + C66 7.0 x 10-3 D M28 + M42 + M43 + C35 + 9.4 x 10-3 C56 + LP21 E M34 + M54 + M55 + C41 + 9.4 x 10-3 C63 + LP22 0 CV-657 + MOV-658 2.0 x 10-3 F CV-306 1.0 x 10-4 ISIAl SIAS Subchannel Al 5.0 x 10-3 ISIBl SIAS Subchannel B1 5.0 x 10-3 ISIA3 SIAS Subchannel A3 5.0 x 10-3 I SIB 3 SIAS Subchannel B3 5.0 x 10-3 I SIASCM SIAS Common Mode Failure 3.2 x 10-5 2 HPLP21C Cooling Water for Pump LP21 1.0 x 10-3 2 4.1 x 10-4 HP23LP22C Cooling Water for Pump LP22 1 Refer to Appendix G10. 2 Refer to Appendix B14. B6-ll
Table B6-2. Component Unavailabilities i Component Fault Failure Description Identifiers Contributors Q/ Component Check Valve C65, C66, C35, C56, C41, C63 Hardware 1.0 x 10-4 Q Total 1.0 x 10-4 LPIS Pump LP21, LP22 Hardware 1.0 x 10-33 Control Circuit 1.8 Maintenance 5.8 xx 10 10-3 Q Total 8.6 x 10-3 3 Motor MOV-4142 Operator Error Operated MOV-4143 Pluggged 1.0 1.0 xx 10 10-4 Valve Maintenance 5.8 x 10-3 (Normally Open) Q Total 6.9 x 10-3 Manual Valve M28, M42, M43, Operator Error 1.0 x 10-4 (Normally M34, M54, M55 Plugged 1.0 x 10-4 Open) Q Total 2.0 x 10-4 1 Recirculation MOV-659 0perator Error Line MOV MOV-660 Plugged 1.0 x 10-4 2 Maintenance (Normally Open) Q Total 1.0 x 10-4 Control Valve CV-657 (Normally MOV-658 Operator Error 1.0 x 10-3 Closed) Q Total 1.0 x 10-3 I Control Valve CV-306 Operator Error (Normally Plugged 1.0 x 10-4 2 Maintenance Open) Q Total 1.0 x 10-4 The position of these valves is checked every 12 hours. 2 It is assumed that unavailability due to maintenance of' these valves would violate Technical Specifications. B6-12
Table B6-3. Quantitative Ranking of Boolean Terms 3 Q
*HPLP21C HP23LP21C 2.0 2.1 x x 10 10-4 A 2.0 x 10-4 F 1.0 x 10-4 E*D 8.8 x 10-55 C'D E*B 6.6 x 10 5 C'B 6.6 4.9 x x 10 10-5 E*SIA3 4.7 x 10-5 D* SIB 3 4.7 x 10-5 B* SIB 3 3.5 x 10-5 C*SIA3 3.5 x 10-5 SIASCM 3.2 x 10-55 SIAL
- SIB 1 SIA3* SIB 3 2.5 2.5 x x 10 10-5 E*HPLP21C 9.4 x 10-6 C*HPLP21C 7.0 x 10-6 SIB 3*HPLP21C 5.0 x 10-6 D'HP23LP22C 3.9 x 10-6 B'HP23LP22C 2.9 x 10-6 SIA3*HP23LP22C 2.1 x 10-6 Point Unavailability = 3.0 x 10-3 OInterdependencies between these two cooling water loops have been considered.
B6-13
[77, 4 Acum O b 6 "3 ,f,7,o ces
'9l?*
- e. cop 1 11 2:1
,,, % "'"?! & _ _
,,y egs sso sw WV, co e
;QA
~*- e ss 1 - ""z c5s Ru riott eve wette Mc3 ->o4 s
,, "8' c35 , , , 'VJY u g, mv sos y,q ae e
~
_h. ..,
,m q5:rzy g,
l
,-. , .- s
* . , , 2
(,,u,_ zu [,,y es o x,, s , e,r,
;Q y,,
es cs ~v eus & , , . , , ,
-k"}--h - ess
-h N am
'A ess c a.
' pp c4
' l cn ' ' ><}-
- m. _Q ^%'[.,s,Vp. ..ss i
~ _.....,
9 s
, x-w -
f ""' Wh
~b'T
~
1h.s. T ,,,,*h_ , , hid NM cv cs -b.4
= . _. g ( l g .j I aso eso
,,. g,2,, o "" '"
'"G-QsTh+- "
O,<,
- -Q
-.. .. , ~Cni *zx h [] ( xas) .ac-
"~"*
I W-
~ -
e.cor y sm ~<svr #f' Yo o. , , y, 88 Ox csu "53
, x.-N --
e c v76vs +M "" '" Ada consandatarr wad enz g , cey C ' " " ' sy y ,""" P
~~ "'
($-% SP84Y Hidor R I y9 I y
- m. nss esa b4'
~ - ~~r can Figure B6-1. Calvert Cliffs ECCS Schematic (LPIS Highlighted)
l 1 l 1 I \1 l
; I Ie" l"
%%N g. E $i , .
= =
NNN N N ) n
/ i o
t
- a r
- e N wNNN+,
p
<C : o S
I MN s i = s I l c I i a m r M m = m m . x o
- jl.s-n
( I l ,' lj}.3 c A O i O t a m e h c s kc S s r e L y r A J, r k> N rA r, u s
'h 2
- = . -
- =
, Lr s
a e G M.iNAA r u
, =
=
> t l
g n
= ,,
A, " 625 y?* I l)l
APPENDIX B7 SURVEY AND ANALYSIS LOW PRESSURE RECIRCULATION SYSTEM (LPRS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
......................................... B7-3 2.0 CALVERT CLIFFS LPRS DESCRIPTTON ..................... B7-3 2.1 System Description .............................. B7-3 2.2 System Operation ................................ B7-4 3.0 SURRY LPRS DESCRIPTION ............................... B7-5 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY LPRS .......... B7-5 5.0 CALVERT CLIFFS SYSTEM EVALUATION ..................... B7-6 5.1 Event Tree Interrelationships ................... B7-6 5.2 LPRS Model Description .......................... B7-6 5.2.1 LPRS Boolean Equation . . . . . . . . . . . . . . . . . . . . B7-6 i
5.2.2 LPRS Unavailability ...................... B7-8 B7-1/-2
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 Low Pressure Recirculation System (LPRS) was reviewed and compared with the similar PWR design (Surry ) evaluated in the WASH-1400 study. The LPRS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report, r espectively . A comparison of the two low pressure recirculation systems is given in Section 4. LPRS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a descrip-tion of the model used to incorporate LPRS failures into the Calvert Cliffs accident sequences and a point estimate of the LPRS unavail-ability assuming independence from all other Calvert Cliffs sy s tems . 2.0 CALVERT CLIFFS LPRS DESCRIPTION 2.1 System Description The LPRS utilizes two pumps designed for a 3000 gpm capacity at a discharge head of 150 ft. Each pump has a separate supply line from the containment sump which it shares with the containment spray and high pressure injection pump (s) of the same train. The two sump supply lines each contain a motor operated valve and a check valve which must open. The two low-pressure pumps discharge to a common header from which each RCS cold leg is supplied. The four RCS cold leg supply lines interface with the high pressure and accumulator discharge lines. Comparison of Figure B6-1 and B7-1 reveals that the LPRS pumps and many valves are shared with the Low Pressure Injection System. Passive miniflow by-pass lines are employed to prevent pump overheating and loss of suction. B7-3
I 2.2 System Operation The safety injection pumps initially draw borated water from the refueling storage water tank. This tank has sufficient water volume to supply safety injection flow for up to 36 minutes follow-ing a large LOCA assuming three high-pressure and two low-pressure l cafety injection pumps and two containment spray pumps are running. When the refueling water tank is 10 percent full, a recirculation actuation signal (RAS), opens the isolation valves in the two lines from the containment sump and shuts down the low-pressure safety injection pumps. The refueling water tank suction valves remain open initially during the switch to the recirculation mode to preclude the loss of supply to a high-pressure safety injection pump in the unlikely event the isolation valve in the containment sump line should experience delay in opening. Back flow through either refuel-- ing water tank suction line is prevented by check valves. In addi-- tion, the operator will manually close the RWST suction valves after verifying the opening of the containment sump lines' valves. The earliest automatic recirculation would occur is 36 minutes' assuming all engineered safety features pumps are running. The recirculation mode can also be accomplished manually by the operator. The High Pressure Recirculation System (HPRS) would normally be used to recirculate water from the sump. If the HPRS is unavailable, the LPRS would be used. The LPRS would be manually initiated since the low-pressure pumps are turned off by the recirculation actuation signal. B7-4
3.0 SURRY LPRS DESCRIPTION The LPRS in the Surry plant shown in Figure B7-2 includes the containment sump, two pumps in parallel (each capable of delivering 3000 gpm at a 225 foot head), and associated valves and piping. There are three discharge lines, one to each of three cold legs of the RCS. Each discharge line has two check valves. There is one normally open motor operated valve in the common I feeder line to the three discharge lines and two normally open motor operated valves in each pump discharge line. When the RWST is approximately 86% empty, as indicated by a low RWST level alarm, l the operator must realign the LPIS to recirculate water from the l containment sump to the RCS cold legs. After 24 hours for large pipe break accidents, the operator must realign the LPRS to recircu-late water to the three RCS hot legs. Individual headers provide water from the containment sump to each LP pump. Either pump will provide sufficient flow into the RCS. Flow through any one cold leg or any one hot leg (after 24 hours) is sufficient. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY LPRS The Calvert Cliffs and Surry LPRS are similar in that they employ redundant trains to deliver water to the RCS from the sump following a LOCA. Both systems use the same pumps as in their LPIS and both require operator actions to start the system. The Surry system also requires operator action after 24 hours to realign LPRS flow from RCS cold legs to the hot legs. This later realignment is not necessary for the Calvert Cliffs system. Failure to perform any of the above realignments constitutes a common mode failure of the system due to human error. B7-5
Another difference in the systems is the piping configura-tions from the RWST to the pumps. Surry employs a single suction line to supply the LPr.S pumps, while Calvert Cliffs has two inde-pendent lines. Surry 's LPRS unavailability was dominated by the common mode failures listed above and was assessed to be 1.3 x 10-2, Calvert Cliffs LPRS unavailability was also dominated by common mode failures. Failure of the operator to start the system and failure due to miscalibrated RWST level sensors summed to over 95% of the assessed 1.1 x 10-1 unavailability. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The LPRS is one of two systems providing Emergency Coolant Recirculation (ECR), event ~H on the LOCA event trees, to prevent core damage for various break sizes. The other rystem is the High-Pressure Recirculation System (HPRS) . Successful ECR requires the operation of one of two HPRS trains for Si and S2 LOCAs. For large (A) LOCAs, ECR requires one of two HPRS trains or one of two LPRS trains. 5.2 LPRS Model Description 5.2.1 LPRS Boolean Equation The following Boolean equation was developed to model LPRS failure: LPRS = (B + D + SIA3 + HPLP21C = R21 COOL + D' + RASAl + W) o (C + E + SIB 3 + HP23LP22C + (B7-1) R22 COOL + E' + RASBl + V) + RASCM + LPRSCM . B7-6
Each term in the above equation, except for R21 COOL, R22 COOL, D', E', W, V, RASA1, RASB1, RASCM, and LPRSCM, are discussed in Appendix B6. Tables B7-1 and B7-2 list descriptions of these terms and component unavailability estimates. These unavailabilities are comprised of hardware, human, and maintenance faults. Testing of the LPRS valves was found to negligibly add to the valve unavail-ability when compared to other contributions and was therefore not included. It should be noted that the primed events E' and D' represent failure of the low pressure pumps during the recirculation phase. The Calvert Cliffs' technical specifications state that main-tenance is allowed during power operation on any component which will not remove more than one train (flow path) of a system from service. The component shall not be removed from service so that the affected train is inoperable for more than 72 consecutive hours. The average maintenance interval usad in the RSS is 4.5 months, which corresponds to a frequency of 0.22 per month. From the Reactor Safety Study (Table III T-3), the log normal maintenance act duration for components whose range is limited to 72 hours is 19 hours. The unavailability of valves LP-19 and LP-20 due to a maintenance outage - is therefore estimated to be: 19 .22) = 5.8 x 10-3 l It is assumed that during the recirculation phase the LPRS pumps will require room cooling. The terms R21 COOL and R22 COOL l represent failut e of the cooling water systems to cool the rooms containing LPRS pumps #21 and #22, respectively. It is~also B7-7 L
assumed that the pump seals and bearings need cooling. The terms HPLP21CR and HP23LP22CR represent pump seal and bearing cooling failures during recirculation. Refer to Appendix B14 for more details. The terms RASAl and RASBl represent individual subchannel actuation faults. Subchannels RASAl and RASBl open the recircula-tion line MOVs when the RWST water level gets low. The term RASCM represents a common mode failure of both RAS subchannels due to miscalibration of the RWST water level sensors. Since the pumps are turned off by the recirculation signal, the LPRS must be manually initiated. A common mode failure of the operator failing to start the LPRS is depicted by the term LPRSCM. ' Since the LPRS is demanded only after a failure of the HPRS, it is assumed the operator would be under a moderate to high stress level. This failure was conservatively assessed to be 1.0 x 10-1 (reference 6). 5.2.2 LPRS Unavailability Using the Boolecn equation given in the last section and the term unavailabilities given in Table B7-1, an independent LPRS point estimate unavailability can be calculated. This is found to be: LPRS = 1.1 x lO-1/ reactor year .
" Double" test and maintenance contributions, i.e., a deliberate action specifying both trains to be tested or maintenanced oimultaneously, were not included in this unavailability estimate because such an action would violate technical specifications.
Further, it can be seen that reduction of the Boolean equation B7-8
describing the LPRS results in 66 terms. Examination of these terms shows that 9 (16 for T1) depict " double injection" failures o f the LPRS, i.e., LPRS failure due to failure of both trains during low-pressure inject on. These failures were not included in the calculations of the independent LPRS unavailability above since the LPIS must have succeeded (at least one train) to demand LPRS. For calculation of the unavailability as used in the accident sequence analysis, double injection failures and other physically inconsistent failure contributors were eliminated according to the Boolean reduction process where the equations describing each of the systems involved in the sequence were condensed together. It can be noted that two terms in the LPRS equation dominate. The two common mode failures LPRSCM and RASCM contribute over 95% to the total LPRS unavailability. The reader should be cautioned that these are unavailabilities for Calvert Cliffs' LPRS if the system is considered independent of all others. In general, the LPRS unavailability will depend on what other system successes or failures have occurred, i.e., the unavailability used for the LPRS in the sequence analysis calcula-tion must be a conditional unavailability. l B7-9
Table B7-1. Boolean Equation Term Descriptions Boolean Term Term Definition Tern Unavailability 4B MOV-4143 + C65 7.0 x 10-3 4C MOV-4142 + C66 7.0 x 10-3 l 4D M28 + M42 + M43 + C35 + 9.4 x 10-3 C56 + LP21 4D M34 + M54 + M55 + C41 + 9.4 x 10-3 C63 + LP22 l 1S IA3 SIAS Subchannel A3 5.0 x 10-3 5 0 x 10-3 1 SIB 3 SIAS Subchannel B3 . 2HPLP21CR Cooling Water for Pump LP21 5.9 x 10-3* During Recirculation (1.4 x 10-2)** 2HP23LP22CR Cooling Water for Pump LP22 5.3 x 10-3* (1.3 x 10-2)** 1RASAl RAS Subchannel A1 5.0 x 10-3 1RASBl RAS Subchannel B1 5.0 x 10-3 1RASCM RAS Common Mode Failure 1.0 x 10-3 2R21 COOL Room Cooling for Pump LP21 1.9 x 10-2* During Recirculation (2.8 x 10-2)** 2R22 COOL Room Cooling for Pump LP22 2.6 x 10-2* During Recirculation (3.5 x 10-2)** D' LP21 3.5 x 10-3 E' LP22 3.5 x 10-3 3V C20 + MOV-4145 1.3 x 10-2 3W C21 + MOV-4144 1.3 x 10-2 LPRSCM Operator Falle to 1.0 x 10-1 Restart LPRS I Refer to Appendix BlO. 2 Refer to Appendix B14. 3 Refer to Appendix B9. 4 Refer to Appendix B6.
- Applies to all initiators except T1
** Applies to T1 initiators.
B7-10 1
l j Table B7-2. Component Unavailabilities Component Fault Failure Description Identifier Contributors O/ Component Pump LP21 Hardware LP22 (Fails to restart) 1 x 10-3 Control Circuitry 1.8 x 10-3 Fails to operate 24 hrs (3 x 10-5/hr) 7.2 x 10-4 O Total 3.5 x 10-3 Note: Refer to Appendices B10, B14, B6 and B9 for other component unavailability descriptions. 1 B7-ll
to Actf** 0 D b 79fpo t.oeP J Rttp7 qq,gy,g * (E3 M d,y
;Q Cyg s% gy CE VCL M *v- 6 ts i @^4Li C56 O Rt filftlVO gMH 1 i
adAF(t
- 1. css syny up C3 m ov- do s q & 0 V .-' w
'"*'%Tfi!M ,y geseaf wa#
( CT CT u-44 C4
^5j
Aer-625
* ** a 2d
-A "Y"h
[ y,g
- >c c,d a-QW X< * @ =
gc., g. C,. mo aff A 30 c 39 % - mse Q aee<-d 55 ,A M A4 0 F- dI7 J*
- , _n..._,,
m is - -v.<,: /c,, s* p'" v SI 37 a**V-d 'y mor-658 7 <*' w q (O
-O ,,g ,, e-653 r ff P 2 X-N p
(7 Mor an
.0 ,
h p
~<- * $Ja i x g/
' ' ' ""3
*k CM 1
to c, s <-s ss y wO' "'* c an aru h 22 l #
"s=
t.oDP Y M O '8 g, MM l Cu Ce
'ITY *AW N cgg ' y,y syg "
) h summ Csal
- c. c,. -.....s ,
~
2,,
' ConrTnt stMckT '
'! A x ;
Copinsarmentr SPS4Y JIE4DE'It E J t a ! mod vss5 C2o l ;O,
~ ~ - , - cs N, l
Figure B7-1. Calvert Cliffs ECCS Schematic (LPRS Highlighted)
'I f. ?, II g
} i - f. ]}:,1 I[1 sI E25 125 I25 W 143 A ?. a i25 i iI25I i25 125 !25
- 3
; ; - ,i r s
'ilsn{'?!
5: . ni 25 i 525 252
\
j 5 5 25 2 s25 g.5
$ I
, , y . -
up 12 vi:33 vi:D .h ,XD t' e
=
i- * . 525 S 25 7 vi))(vi b D c i 3 vi:3 vi:DJ is pr ist " r,X
=:
- m. ,.
,j elj s
ir Xs T - B7-13/-14
APPENDIX B8 SURVEY AND ANALYSIS HIGH PRESSURE INJECTION SYSTEM (HPIS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
................................... B8-3 2.0 CALVERT CLIFFS HPIS DESCRIPTION ................ B8-3 2.1 System Description ........................ B8-3 2.2 Sy s tem Ope ra t io n . . . . . . . . . . . . . . . . . . . . . . . . . . B8-4 3.0 SURRY HPIS DESCRIPTION ......................... B8-5 4.0 COM*ARISON OF CALVERT CLIFFS AND SURRY HPIS .... B8-8 5.0 CALVERT CLIFFS SYSTEM EVALUATION ............... B8-9 5.1 Event Tree Interrelationships ............. B8-9 5.2 HPIS Model Description .................... B8-9 5.2.1 HPIS Boolean Equations ............. B8-9 5.2.2 HPIS Unavailability ................ B8-12 B8-l/-2
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 High Pressure Injection System (HPIS) was reviewed and compared with the similar PWR design (Surry) evaluated in the WASH-1400 study. The HPIS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report, respectively. A comparison of the two high pressure injec-tion systems is given in Section 4. HPIS event tree interrelation-ships are detailed in Section 5. Also included in Section 5 is a description of the model used to incorporate HPIS failures into the Calvert Cliffs accident sequences and a point estimate of the HPIS unavailability assuming independence from all other Calvert Cliffs systems. 2.0 CALVERT CLIFFS HPIS DESCRIPTION 2.1 System Description The High Pressure Injection System along with the Low Pressure Injection System (LPIS) and the Safety Injection Tanks (SIT) form collectively the overall Emergency Core Cooling System (ECCS), which is designed to prevent core damage over the entire spectrum of RCS LOCA sizes (the Auxiliary Feedwater System is required for S2 LOCAs only). Figure B8-1 shows the ECCS for one reactor unit. High pressure injection is necessary to prevent uncovering of the core for small LOCA's, where high system pressure is maintained, and to delay uncovering of the core for intermediate-sized LOCA's. The HPIS is capable of delivering emergency coolant at discharge pressures up to 1275 psia. Three high pressure safety injection pumps take suction from two independent suction headers (see Figure B8-3
B8-1). These headers are initially supplied with borated water from the Refueling Water Storage Tank. When that tank is emptied to 10 percent, borated water is recirculated from the sump of the containment. Redundant flow paths are provided from the discharge of the injection pumps by two independent headers. These headers, in turn, supply four individual safety injection lines, one leading to each cold leg of the reactor coolant system. With offsite power available, the safety injection actuation signal (SIAS) starts two of the three high-pressure pumps. If offsite power is not available, two pumps and the motor operated valves will be powered by the emergency diesel generators. Normal plant operating procedures include routine testing to ensure the operability of the pumps. The HPIS pumps are tested using a normully open minimum flow recirculation line which allows water to be recircu-lated back to the RWST. The recirculation line also provides head protection for the pumps when RCS pressure is high. The high pressure safety injection valves are designed for 2485 psig. The motor-operated injection isolation valves are located outside of the containment and are thus not subjected to the environmental conditions existing in the containment following a LOCA. One header supply valve is normally open. The other header supply valve and the eight safety injection valves are normally closed and are opened by the SIAS. It is assumed that seal cooling is required during operation of the pumps. Seal cooling is provided by the component cooling water system. Refer to Appendix B14. B8-4
2.2 System Operation Safety injection is initiated either when the pressurizer pressure drops below 1600 psia + 22 psi or when the containment pressure rises above 4 psig. Upon initiation of safety injection, two or the three high pressure and two low pressure safety injec-tion pumps start and thirteen safety injection line isolation valves open, letting water from the refueling water tank into the reactor coolant system. After sufficient water has been transferred from the tank, a continuous source of borated water is provided by recirculating containment sump water directly to the pump suction. Recirculation is automatically initiated by low water level in the refueling water tank. Transfer to the recirculation mode may also be manually initiated. The SIAS occurs as a result of either two-out-of-four contain-ment pressure sensor channel trip signals, two-out-of-four pressurizer pressure sensor channel trip signals, or manual initiation from the control room. The two independent safety injection actuation signals from the two redundant actuation subsystems initiates the following: a) Open 8 high pressure injection MOVs. b) Open one high pressure header MOV. The other redundant valve is locked open. c) Start two of three high-pressure injection pumps. d) Close 4 air operated safety injection leak test valves. No credit was given for a feed and bleed mode of decay heat removal using the llPIS due to the high RCS pressure expected on loss of all secondary cooling. B8-5
1 3.0 SURRY HPIS DESCRIPTION The Surry High Pressure Injection System provides a high pressure source of emergency cooling water to the RCS in the event of a LOCA. Figure B8-2 is a simplified system diagram of the HPIS. The HPIS uses the high pressure charging pumps to draw water through a single auction header from the Refueling Water Storage-Tank (RWST) and injects the water through a single discharge header into the cold legs. Another function of the HPIS is to push the 12 weight percent boric acid solution in the 900 gallon Boron Injection Tank (BIT) into the RCS in order to provide fast injection of boron to the reactor core for reactivity suppression. The injection of the 12 weight percent boron from the BIT was concluded not to be a critical requirement for HPIS success in response to a LOCA. During normal plant operation, one operating charging pump draws water from the Volume Control Tank (VCT) and discharges it as makeup to the normal charging line and seal coolant to the pump seal injection line. Actuation of the Safety Injection Control System (SICS) wills
- a. Open parallel RWST supply valves 1115B and D to provide the RWST emergency water for HPIS pump (charging pump) suction;
- b. Start the standby charging pumps;
- c. Close the VCT isolation valves LCV-1115C and E (in series) to prevent draining the VCT;
- d. Close the normal charging line isolation valves 1289A and B (in series);
B8-6
1
- e. Open the parallel BIT isolation valves 1867A and B, at the BIT inlet, and 1867C and D at the BIT outlet;
- f. Close the boric acid recirculation line trip valves 1884A, B and C, to terminate low pressure recirculation of 12 weight percent boric acid solution between the Boric Acid Tanks (BAT) and the BIT;
- g. Close the charging system mini-flow valves.
After the SICS changes the HPIS valve positions, all operable charging pumps will pump water from the RWST to the discharge header CH-80, through HPIS line SI-57 through the BIT, and to the RCS cold legs through lines common with the LPIS. The actuation of the HPIS for injection is entirely automatic. The 12 weight percent boric acid solution is normally recircu-lated between the Boric Acid Tank (BAT) and the BIT by one of two redundant boric acid transfer pumps. The boric acid recircula-tion serves to assure that the BIT is full and to help prevent boron precipitation by keeping the solution mixed. Baron precipitation in the 12 weight percent boric acid solu-tion will occur at a temperature below 130*F. The contents of the BIT and those sections of HPIS piping isolated by the BIT isolation valves are maintained above the precipitation temperature by strip heaters on the BIT and heat tracing on the piping and valves, including the boric acid recirculation piping. Temperature alarms and backup heaters are provided should any of the heaters or heat tracing circuits fail. Transfer to the backup heaters for heat tracing is manual. Undetected heat tracing failure will result in B8-7
precipitation of boric acid solution within 4 to 5 hours and will fail the HPIS. Successful long-term operation of the charging pumps requires lubrication oil cooling and pump seal cooling. Plant personnel estimate that the charging pumps can operate for 30 to 45 minutes without lubricating oil or seal cooling. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY HPIS The Calvert Cliffs and Surry high pressure injection systems differ significantly in design. Unlike Surry, the Calvert Cliffs HPIS has redundant headers in the high pressure pump lines, both discharge and suction sides. During normal operation, one of three high pressure pumps of Surry runs continuously to control the inventory of the reactor coolant system by supplying high pressure makeup from the volume control tank. During the safety injection mode of operation the suction of these pumps is realigned to the RWST whereby a set of parallel MOVs are opened automatically by the Surry SICS. Calvert Cliffs' HPIS is not used during normal operation. Also, there are no valves which are required to operate in the redundant RWST supply lines to the safety injection pumps of Calvert Cliffs. The RSS assessed an 8.6 x 10-3 unavailability for the HPIS at l Surry. The dominant failures of the system included failures of the RWST supply valves, Boron Injection Tank (BIT) isolation valves, and BIT heaters. There is no comparable system to the BIT in Calvert Cliffs. Injection of high concentrated boron solution when required for transients is accomplished by the charging pumps of the Chemical B8-8
and Volume Control System. On a SIAS signal, these pumps are aligned to take suction from the Boric Acid Tanks and inject to the ( RCS through headers which are independent from other safety injection systems. The HPIS unavailability for Calvert Cliffs is calculated in Section 5.2.2 to be 1.9 x 10-3 for S 2 LOCAs, 1.7 x 10-3 for A and S 1 LOCAs, and 1.9 x 10-2 for T 1 induced LOCAs. The dominant failure mode for random LOCAs was HPIS flow diversion through a failed check valve in the LPIS system. For T1 induced LOCAs, failure of both pump seal cooling water loops after the LOP was dominant. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The HPIS is one of the three subsystems of the ECCS which provide injection of coolant to the core to prevent damage for , various break sizes. The remaining two subsystems are the LPIS and the Cold Leg Accumulator System (CLAS). Failure of the HPIS contributes to event D (ECI) for all LOCA and transient induced LOCA sequences. For St LOCAs, successful operation of one HPIS train will adequately provide core cooling. For the other LOCA sizes, a combination of one HPIS train with other systems is required. 5.2 HPIS Model Description 5.2.1 HPIS Boolean Equations The general form of the HPIS Boolean equation representing failure of the HPIS system considering one of the trains is re-quired for success is: B8-9
HPIS = (B + KT + SIA2 + HPLP21C + D12) * (C + LT + SIB 2 + HP23LP22C + D21) + (Eq. B8-1) (MT + SIAL + D12) = (N + SIB 1 + D21) + A + SIASCM + HPCM. The above equation, except for the terms D12 and D21, was used in the analysis of small (S2) LOCAs and T2 and T3 transient j induced LOCAs and is referred to as Equation B8-1(a) in the main l report. Equation B8-1, without the terms A, D12, and D21, was used in the analysis of large (A) and intermediate (S 1) LOCAs and is referred to as Equation B8-1(b). Equation B8-1 in its entirety was used to analyze T1 transient induced LOCAd. The "A" failure mode represents a loss of pump recirculation to the RWST and applies only for S2 and transient induced LOCAs. The recirculation line is normally open and prevents the safety injection pumps from pumping against high pressures. For small LOCAs, RCS pressure will remain higher than HPIS delivery pressure (~1200 psi) for an extended period so that inadvertant closure of the recirculation line will cause the pumps to fail. Terms D12 and D21 represent failure of diesel #12 and #21, respectively. Descriptions of these failures can be found in Appendix B1, the Emergency Power System. Credit for recovery of offsite power was incorporated by hand in the sequence analysis. The terms SIAL, SIB 1, SIA2, and SIB 2 represent individual channel actuation faults. Channels SIA2 and SIB 2 initiate pumps HP21 and HP23, respectively. Channels SIAL and SIB 1 open the MOVs in the injection lines. Refer to Appendix B10, Engineered Safety Features Actuation Systems, for more details. B8-10
The terms HPLP21C and HP23LP22C represent failures in the cooling water systems which provide water to the HPIS pump seals and bearings. It is assumed that without proper cooling, the pumps will fail. Refer to Appendix B14, Cooling Water and Containment Heat Removal Systems. Table B8-1 relates the terms in Equation B8-1 to the components shown in Figure B8-1. Table B8-2 lists total component unavailabil-ities and each of the contributors to the component unavailability. The unavailabilities listed in Table B8-2 are comprised of hardware, h'uman and maintenance faults. Technical Specifications for Calvert Cliffs state that compo-nents shall not be removed from service so that the affected HPIS train is inoperable for more than 72 consecutive hours. If one HPIS train is inoperable for more than 72 hours, the reactor must be shut down. The average maintenance interval used in the Reactor Safety Study is 4.5 months, which corresponds to a frequency of 0.22 per month. From the Reactor Safety Study, (Table III 5-3) the log normal maintenance act duration for components whose range is limited to 72 hours is a mean time of 19 hours. Therefore, the unavailability of one component due to maintenance is estimated to be: 19(.22) = 5.8 x 10-3 720 Calvert Cliffs Technical Specifications also state that only two pumps are required for extended operation; one of the three pumps can be out indefinitely. Because of this, pump HP22 is assumed to be unavailable. B8-ll s
l No test contributions were included in the pump unavailability. It is assumed that the minimum flow recirculation line allows pump testing without taking the pump out of service. Several common mode failures were identified in the HPIS. The term SIASCM represents the failure of all HPIS initiating channels due to possible miscalibration of the sensor /comparitors. This failure was assessed at 3.2 x 10-5 per reactor year. (Refer to Appendix BlO.) For each LOCA, successful HPIS operation requires the equivalent flow of at least one pump. This assumes 25 percent spillage out a cold leg break. It is assumed that an additional flow diversion would be possible through a failed open check valve in the accumu-lator or LPIS lines. A leak or rupture of any of these valves would cause HPIS flow to be diverted from the core. It is unknown how much HPIS flow would be diverted. To be conservative, it is assumed that if any of the eight check valves fail, the HPIS will fail. This common mode failure is represented by the term HPCM. The only human errors included in the HPIS model were inadver-tent closure of manual valves M30, M47, M32, and M51 and motor-operated valves 654, 4142, and 4143. 5.2.2 HPIS Unavailability Using the Boolean equations given in the last section and the term unavailabilities given in Table B8-1, independent HPIS point estimate unavailabilities can be calculated. These are found to be: B8-12
HPIS = 1.9 x 10-3 (for S 2 LOCAs and T2 and T3 induced LOCAs HPIS = 1.7 x 10-3 (for S1 and A LOCAs) HPIS = 1.9 x 10-2 (for T i induced LOCAs) Double maintenance contributions were removed from these unavailabilities since both trains being out for maintenance at the game time is not allowed by Technical Specifications. A quantitative ranking of the Boolean terms for the HPIS in response to S2 LOCAs and T2 and T3 transient induced LOCAs is given in Table B8-3. As can be noted, over 50 percent of the system unavailability is due to the terms "HPLP21C'HP23LP22C" and "HPCM." A quantitative ranking of the terms for the model used for A and S1 LOCAs is given in Table B8-4. The term HPCM again dominates. The ranking for loss of offsite power (TI) induced LOCA sequences is given in Table B8-5. In this case, the term HPLP21C*HP23LP22C, which depicts failure of both pump seal cooling loops, dominates. The reader should be cautioned that these are unavailabilities for Calvert Cliff's HPIS if the system is considered independent of all others. In general, the HPIS unavailability will depend on what other system successes or failures have occurred. B8-13
Table B8-1. Boolean Equation Term Descriptions Boolean Term Term Definitions Term Unavailability A MOV-659 + MOV-660 2.0 x 10-4 B MOV-4143 + C65 7.0 x 10-3 C MOV-4142 + C66 7.0 x 10-3 Kr M30 + M47 + C37 + 8.5 x 10-3 C64 + HP21 LT M32 + M51 + C39 + 8.5 x 10-3 C61 + HP23 MT MOV-656 1.3 x 10-2 N MOV-654 6.9 x 10-3 ISIAl SIAS Subchannel A1 5.0 x 10-3 ISIBl SIAS Subchannel B1 5.0 x 10-3 ISIA2 SIAS Subchannel A2 5.0 x 10-3 ISIB2 SIAS Subchannel B2 5.0 x 10-3 ISIASCM ESFAS SIAS Common 3.2 x 10-5 Mode Failure H PCM Al + A2 + A3 + A4 + 8.0 x 10-4 C2 + C5 + C9 + Cl2 2H PLP21C Cooling water for pump 1.0 x 10-3 HP21 during injection (7.5x10-3)** 2HP23LP22C Cooling water for pump 4.1 x 10-4 HP23 during injection (6.9 x 10-3)** 3D12 Diesel #12 failure 6.8 x 10-2 3D21 Diesel #21 failure 6.9 x 10-2
- 1. Refer to Appendix B10.
- 2. Refer to Appendix B14.
- 3. Refer to Appendix Bl.
- Applies for all initiators except T1
** Applies for T1 initiators.
B8-14
Table B8-2. Component Unavailabilities Component Fault Failure l Description Identifiers Contributors Q/ Component Check Valve C37, C64, C39, C61, A1, A2, A3, A4, C2, l C5, C9, C12, C65, C66 Hardware 1 x 10-4 i l 0 Total 1 x 10-4 l l Pump HP21 Hardware 1 x 10-3 l HP23 Control Circuitry 1.1 x 10-3 l Maintenance 5.8 x 10-3 Q Total 7.9 x 10-3 i Motor MOV-656 Hardware 1 x 10-3 Operated Plugged 1 x 10-4 Valve Control Circuitry 6.4 x 10-3 (Normally Closed) Maintenance 5.8 x 10-3 l 0 Total 1.3 x 10-2 Manual Valve M30, M47 Pluggged 1 x 10-4 (Normally M32, M51 Operator Error 1 x 10-4 Open) Q Total 2 x 10-4 Motor MOV-654 Operator Error 1 x 10-3 Operated MOV-4142 Plugged 1 x 10-4 Valve MOV-4143 Maintenance 5.8 x 10-3 l (Normally Open) Q Total 6.9 x 10-3 Recirculation MOV-659 l Operator Error Line MOV MOV-660 Plugged 1 x 10-4 (Normally 2 Maintenance i Open) Q Total 1 x 10-4
- 1. The position of these valves is checked every 12 hours.
- 2. It was assumed that unavailability due to maintenance of these valves would violate technical specifications.
B8-15
Table B8-3. Quantitative Ranking of Boolean Equation Terms for the HPIS Following Small (S2) LOCAs and T2 and T3 Induced LOCAs HPCM 8.0 x 10-4
*HPLP21C HP23LP22C 2.1 x 10-4 l
A 2.0 x 10-4 MT*N 9.0 x 10-5 K*LT 7.3 x 10-5 MT* SIB 1 6.5 x 10-5 KT*C 6.0 x 10-5 B*LT 6.0 x 10-5 B*C 4.9 x 10-5 FT SIB 2 4.3 x 10-5 LT*SIA2 4.3 x 10-5 C*SIA2 3.5 x 10-5 B* SIB 2 3.5 x 10-5 N SIAL 3.5 x 10-5 SIASCM 3.2 x 10-5 SIAL SIB 1 2.5 x 10-5 S IA2
- SIB 2 2.5 x 10-5 LT
- HPLP21C 8.5 x 10-6 C
- HPLP21C 7.0 x 10-6 SIB 2*HPLP21C 5.0 x 10-6 Kr
- HP23 LP22C 3.5 x 10-6 B HP23LP22C 2.9 x 10-6 SIA2
- HP23LP22C 2.1 x 10;6 Point unavailability = 1.9 x 10-3
- Dependencies between the two cooling water loops have been considered.
B8-16
Table B8-4. Quantitative Ranking of Boolean Equation Terms for the HPTS Following Large and Intermediate Size LOCAs HPCM t 8.0 x 10-4
*HPLP21C*HP23LP22C 2.1 x 10-4 MT*N 9.0 x 10-5 KP LT 7.3 x 10-5 MT SIB 1 6.5 x 10-5 KP C 6.0 x 10-5 B*L,T 6.0 x 10-5 B*C 4.9 x 10-5 KT
- S IB2 4.3 x 10-5 UP SIA2 4.3 x 10-5 C*SIA2 3.5 x 10-5 B
- S IB2 3.5 x 10-5 N SIAL 3.5 x 10-5 SIASCM 3.2 x 10-5 SIAL
- SIB 1 2.5 x 10-5 SIA2* SIB 2 2.5 x 10-5 Ur HPLP21C 8.5 x 10-6 C HPLP21C 7.0 x 10-6 SIB 2*HPLP21C 5.0 x 10-6 Kr
- HP23 LP22C 3.5 x 10-6 B HP23LP22C 2.9 x 10-0 3
SIA2*HP23LP22C 2.1 x 1026 Point unavailability = 1.7 x 10-3
- Dependencies between the two cooling water loops have been considered.
B8-17
- _ _ _ _ _ _ _ _ _ .__ -. - 1
Table B8-5. Quantitative Ranking of Dominant Boolean Equation Terms for the HPIS Following T1 Induced LOCAs
*HPLP21C HP23LP21C 6.7 x 10-3 D12*D21 4.7 x 10-3 D21*MT 9.0 x 10-4 HPCM 8.0 x 10-4 D21 FT 5.9 x 10-4 D12*LT 5.8 x 10-4 Total P'o int Estimate 1.9 x 10-2
- Dependencies between the two cooling water loops have been considered.
=
B8-18
$le Y
#cun b b NE y', (t3 Q
'9l?*:
AooP of
'/
472i7 g,y g 11*'U:' lo% Cl5 _~ _ 6deo e st CD CZ M **' !$ t RE ftsft lV6 m o. M Cd G, >g afu
=
C,- pA ..,...
't-s
[
.=., ,sm,,
.-,ow % /, , - -
'Y n 2 4yz?%
S
,02'
**4 t< __
, . ( MX 20 S '"'
Cat CT A cr-e 2 5 A A I ' %\.l f w i -- Cs go Cs'ls.au O' Av 2.s l Y asst egg
~ so aa.v-d55 Cd
# +8 W' -
Af& p o'v.'g n y A ' ' "
- ,o. u a;
/ m~ v \
tn
-> 9U37t y"
W z... . ., Q^ ants no2? i3 hev.653
- Cn 9-- -e p NF 2 WW CD C7 (9 mov 4 a a h l m5o C6o l O VN
> h M ** M3L C 21 Nr23
- n. m Q'
~% :.1 m
M2 Cd2 Atu y",y7, ,7 ' if MY , Om '8 MB Ce ? bm' 7 # wov sys
~ C S 2 2.
Cl! g '
/
cn c,; O k x ./ I
~~ ~
M,2-O A co m , er d 8 CONTE lNME.!T C m, Csy p SPR4Y lif 40E R l t m od- Yis$ C2o
~ ~ - vivs IN C2s Figure B8-1. Calvert Cliffs ECCS Schematic (HPIS Highlighted)
If ' mm S E N I L N 0 1 T A L t yC ) 1 R n l o i D t I C A a C r e
-. RI A
_ C 7 6
. 3 7 p -. S 11' a O
_ 8 3 S 1 F V H
) y U l H fl )
P M I C a
- _ W m
}/
, I C r o
l R A H N 7 w 1 R O C ( c 1
- E i
[ 3W ~ _ t a 1, J m e 3 0
- V3 3 h
)
)1 N11
~ ,
1 1 L c 2 S D V O H 9 >' 1
- 1 1
4 2 S I 1 5 P H
% y l 1 i! *!3I i1l r
r l815plt6l 2 4 2
- r u 1
S 2' i r n S C a o I L i 3u 1 yLuFC G 3 r . t LN 2
- s o AIE O 2 n MCN S C
3 o R RI OAL - Te - T NH 1 u r 8 M C r B 1 i s e S e r I T s u 1 F L M O S V R u a v i i g R F l 1 F l t r 8 e i V. ' r r r r r
/
4 4 DS o,O LCE CL gglwO lf I , l\I l! l l
APPENDIX B9 SURVEY AND ANALYSIS HIGH PRESSURE RECIRCULATION SYSTEM (HPRS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
....................................... B9-3 2.0 CALVERT CLIFFS HPRS DESCRIPTION .................... B9-3 2.1 Sy s tem De s cription . . . . . . . . . . . . . . . . . . . . . . . . . . . . B9-3 2.2 System Operation .............................. B9-4 3.0 SURRY HPRS DESCRIPTION ............................. B9-5 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY HPRS ........ B9-7 5.0 CALVERT CLIFFS SYSTEM EVALUATION ................... B9-8 5.1 Event Tree Interrelationships ................. B9-8 5.2 HPRS Model Descriptions ....................... B9-8 5.2.1 HPRS Boolean Equations ................. B9-8 5.2.2 HPRS Unavailability .................... B9-10 B9-1/-2
- 1. INTRODUCTION The Calvert Cliffs Unit 2 High Pressure Recirculation System (HPRS) was reviewed and compared with the similar PWR design
( Surry ) evaluated in the WASH-1400 study . The HPRS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report, respectively. A comparison of the two high pressure recirculation systems is given in Section 4. HPRS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a description of the model used to incorporate HPRS f ailures into the Calvert Cliffs accident sequences and a point estimate of the HPRS availability assuming independence from all 1 other Calvert Cliffs systems. 2.0 CALVERT CLIFFS HPRS DESCRIPTION 2.1 System Description The HPRS is one of two systems designed for long-term core cooling following a LOCA. The other system is the Low Pressure Recirculation System (LPRS) . After exhaustion of the RWST, the LPRS and HPRS are used to recirculate water from the containment sump to the RCS. If the LOCA is large enough, the RCS will be at a low enough pressure so that only the LPRS would be required. If the LOCA is small, however, the RCS will be at a pressure above the shutoff head of the LPRS pumps and the HPRS, which is capable of delivering emergency coolant at discharge pressures of up to 1275 paia, would be required. The HPRS, highlighted in Figure B9-1, consists of three pumps and associated pipes all designed for high pressure opera-tion. A comparison of Figure B9-1 and B8-1 reveals that the B9-3
HPRS shares most of its components with the HPIS. The HPRS draws water from the containment sump through two redundant lines. One line feeds high pressure pumps HP21 and HP22 and the other line supplies pump HP23. The pumps discharge to a common header which then branches into two lines which, in turn, connect to the four RCS cold legs. 2.2 System Operation The safety injection pumps initially draw borated water from the refueling water storage tank (RWST). This tank has sufficient water volume to supply safety injection flow for up to 36 minutes i assuming three high pressure and two low pressure safety injection pumps and two containment spray pumps are running. When the refueling water tank is 10 percent fu ll, a recirculation actuation system (RAS) signal opens the isolation valves in the two lines from the containment sump and shuts down the low pressure safety injection pumps. The RWST suction valves remain open initially during the switch to the recirculation mode to preclude the loss of supply to a high pressure safety injection pump in the unlikely event the isolation valve in the containment sump line should experience a delay in opening. The operator will manually close the RWST suction valves after verifying the opening of the containment sump line valves. In addition, back flow to the RWST suction line is prevented by check valves. The earliest automatic recirculation would occur is 36 minutes assuming all engineered safety features pumps are running. The recirculation mode can also be accomplished, manually, by the operator. B9-4
The safety injection flow spilling from the break in the RCS is cooled by mixing in the containment sump with the cooler containment spray water. At the discretion of the operator, a Portion of the cooled water from the containment spray system may be diverted to the suction of the high pressure pumps. 3.0 SURRY HPRS DESCRIPTION The primary function of the Surry HPRS serves basically the The HPRS is required same functions as the Calvert Cliffs HPRS. to supply high pressure water to the RCS following a small LOCA where there is no rapid depressurization of the RCS. The Surry HPRS can also serve as an alternate discharge path for the LPRS at low pressures (see Figure B9-2). The HPRS consists of three charging pumps, each with a 150 gpm capacity at a 2750 psig discharge pressure. The required flow for successful HPRS operation is 150 gpm at full head or the flow of one charging pump. This includes consideration for the loss of flow of a rupture in the flow path to a cold leg. The source of water for the HPRS pumps comes from the discharge of the LPRS pumps through motor operated valves 1863A-B. The LPRS draws flow from the containment sump. Initially , when in the HPIS mode, the systen is aligned to draw water from the Refueling Water Storage Tank (RWST) and deliver it to the cold legs of the RCS. The HPRS mode is manually initiated when the level of the RWST reaches 87% empty by the operator who opens the suction valves from the LPRS discharge, It MOV 1863A and MOV 1863B, and closes the RWST supply valve. B9-5
is assumed that the charging pumps are already operating from the HPIS mode and that the LPRS and sump systems are operable. The discharge of the HPRS is directed to either the RCS cold legs or hot. legs with initial recirculation-passing through the Boron Injection Tank (BIT) to the cold legs. An alternate path to the cold legs which bypasses the BIT is available if flow is found to be deficient. This is done by opening MOV-1842.- During the first day of operation recirculation is injected to the cold legs. If necessary, flow is'then directed to the hot legs to prevent the accumulation of boron, residue, and debris in the core which would result from continuous boiling. It should be noted that all valve manipulations required for emergency recirculation are directed or remotely operator con-trolled. Thus, a valve in the wrong position will not be activa-ted to the proper position automatically.
- Successful charging pump cooling depends on a closed charging pump cooling water system to provide cooling water for the pump seals and a once through charging pump service water system to cool the lubrication oil coolers and to remove heat from the charging pump cooling water system through intermediate seal heat exchangers. The 600 HP charging pump motors'also require cooling by air drawn into the hoods over the motors into the auxiliary j building central air ventilation system. Failure of pump lubri-
!' cating oil or seal cooling or failure of air flow through the l l auxiliary building central area ventilation system, which prevents 4 ! overheating of the pump motors during HPRS operation, is assumed l to fail the charging pumps.
- B9-6
4.0 COMPARISON OF CALVERT CLIFFS AND SURRY HPRS Both systems use three high pressure pumps which discharge to redundant headers. The flow path in Calvert Cliffs is directly to the cold legs through a series of valves in redundant distri-bution headers. In Surry, the flow is through the Boron Injection Tank (BIT) to the cold legs with a provision to bypass if the flow through the BIT is insu f ficient. After 24 hours of recircu-lation the Surry system is switched from cold leg to hot leg recirculation. The source of water for the Calvert Cliffs HPRS is the contain-ment sump through redundant lines and valves. In Surry the suction of the charging pumps is taken from the discharge of the low pressure pumps thereby requiring their operation during recirculation. Initiation of the HPRS is based on low level signals from the Retueling Water Storage Tank in both systems. In Calvert Clif fs a Recirculation Actuation Signal (RAS) is automatically generated upon e low RWST signal. The RAS aligns the valves and pumps required for high pressure recirculation. In Surry, the low RWST signal alerts the operator who then aligns the system for recirculation. The operator is also required to realign the system from cold to hot leg recirculation. An unavailability of the Surry HPRS was assessed to be 9.0 x 10-3 in the Reactor Safety Study. The dominant failure contributor was a common mode failure of the operator to open several MOVs required for HPRS operation. B9-7
The dominant contributor to the HPRS unavailability at Calvert Cliffs was the common mode failure of the recirculation actuation signal due to miscalibration of the RWST water level sensors. The unavailability of Calvert Cliffs' HPRS was assesssed I in Section 5.2.2 to range from 4.9 x 10-3 to 8.1 x 10"3 depend-ing on the accident initiator. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships Failure of the HPRS contributes to the Emergency Coolant Recir-culation (ECR) event, Event H, for all LOCAs. Success of the HPRS requires that one of the two pump trains deliver water from the sump to the reactor vessel. i 5.2 HPRS Model Description 5.2.1 HPRS Boolean Equations The following Boolean equation was developed to model HPRS failure considering one high pressure pump is required for success: HPRS = (B + K + SIA2 + HPLP21CR + R21 COOL + D12
+ L' + W + RASAl) -
(C + LT + SIB 2 (B9-1)
+ HP23LP22CR + R22 COOL + D21 + L' + V + RASBl)
+ RASCM.
All of the terms in the above equation except K', L', V, W, RASAl, R21 COOL, R12 COOL, RASB1, and RASCM, depict failures of the HPIS and are defined in Appendix B8. It is assumed that during the recirculation phase the HPRS pumps will require room cooling. The terms R21 COOL and R22 COOL B9-8
r:present failure of the cooling water systems to cool the rooms containing HPRS pumps #21 and 22, respectively. The pump seals and bearings must also be kept cool. Terms HPLP21CR and HP23LP22CR represent pump seal and bearing cooling failures. Refer to Appendix B14 for more details. The terms D12 and D21 represent diesel generator failures. These terms were only included in the analysis of T1 sequences where offsite power is lost. Equation B9-1, without these two terms, is referred to as Equation B9-1 (a) in the main report. The K' and L' failure modes represent failure of the high pressure pumps to continue operating during the recirculation mode. The terms RASAl and RASBl represent individual subchannel actuation faults. Subchannels RASAl and RASBl open the recircu-letion line MOVs. The term RASCM represents a common mode failure of both RAS subchannels due to miscalibration of the RWST level sensors. Table B9-1 relates the terms in Equation B8-1 to the components chown in Figure B9-1. Table B8-2 and D9-2 list total component unavailabilities and each of the contributors to the component unavailability. The unavailabilities listed in these tables are comprised of hardware, human and maintenance faults, where applicable. Technical Specifications for Calvert Cliffs state that compo-ncnts shall not be removed from service so that the affected HPRS train is inoperable for more than 72 consecutive hours. If one HPRS train is inoperable for more than 72 hours, the reactor must bo shut down. The average maintenance interval used in the Reactor i B9-9
Safety Study is 4.5 months, which corresponds to a frequency of l 0.22 per month. From the Reactor Safety Study, (Table III 5-3) the log normal maintenance act duration for components whose range is limited to 72 hours is a mean time of 19 hours. Therefore, the unavailability of one component due to maintenance is estimated to be: 19(.22) = 5.8 x 10-3 720 Calvert Cliffs Technical Specifications also state that only two pumps are required for extended operation; one of the-three pumps can be out indefinitely. Because of this, pump HP22 is conservatively assumed to be unavailable. 5.2.2 HPRS Unavailability Using the Boolean equation given in the last section and the term unavailabilities given in Table B9-1, independent HPRS point estimate unavailabilities can be calculated. Two HPRS unavail-abilities were calculated, one for Tl initiators and one for all other cases. These are: HPRS = 4.9 x 10-3 (applies for all initiators except T1 transients) HPRS = 8.1 x 10-3 (applies for T1, transients)
" Double" test and maintenance contributions, i.e, a deliber-ate action specifying both trains to be tested or maintainced simultaneously, were not included in this unavailability estimate because such an action would violate technical specifications. ,
l B9-10 ,'
Further, it can be seen that reduction of the Boolean equation describing the HPRS results in 65 terms (82 for T1). Examination of these terms shows that 9 (16 for T1) depict " double injection" l failures of the HPRS, i.e., HPRS failure due to failure of redundant components during high pressure injection which describe the high pressure injection system. These failures were not included in the calculations of the independent HPRS unavailability above since the HPIS must have succeeded (at least one train) to demand II PRS . For calculation of the unavailability as used in the acci-dent sequence analysis, double injection failures and other phy sically inconsistent failure contributors were eliminated according to the Boolean reduction process where the equations describing each of the systems involved in the sequence were condensed together. A quantitative ranking of the dominant Boolean terms is given in Table B9-3. As can be noted approximately 20% of the system unavailability is due to the common mode failure RASCM. The reader should be cautioned that these are unavailabili-ties for Calvert Cliffs' HPRS if the system is considered indepen-deat of all others. In general, the HPRS unavailability will depend on what other system successes or failures have occurred, i.e., the unavailability used for the HPRS in the sequence analysis calculation must be a conditional unavailability. B9-ll
l I i Table B9-1. Boolean Equation Term Descriptions Boolean Term Term Definitions Term Unavailability 4B MOV-4143 + C65 7.0 x 10-3 4C MOV-4142 + C66 7.0 x 10-3 4 KT M30 + M47 + C37 + 8.5 x 10-3 C64 + HP21 4 LT M32 + M51 + C39 + 8.5 x 10-3 C61 + HP23 IS IAl SIAS Subchannel Al 5.0 x 10-3 IS IB1 SIAS Subchannel B1 5.0 x 10-3 1RASCM RAS common 1.0 x 10-3 mode failure 2HPLP21CR Cooling water for 5.9 x 10-3* pump LP21 during (1.4 x 10-2)** recirculation 2HP23LP22CR Cooling water for 5.3 x 10-3* pump LP22 during (1.3 x 10-2)** recirculation 2R21 COOL Room cooling for 1.9 x 10-2* pump LP21 during (2.8 x 10-2)** recirculation 2R22 COOL Room cooling for 2.6 x 10-2* punp LP22 during (3.5 x 10-2)** recirculation 3D12 Diesel #12 failure 6.8 x 10-2 3D21 Diesel 421 failure 6.9 x 10-2 K' HP21 fails to run 7.2 x 10-4 L' HP23 fails to run 7.2 x 10-4 V C20 + MOV-4145 1.3 x 10-2 W C21 + MOV-4144 1.3 x 10-2 1RASAl RAS Subchannel Al 5.0 x 10-3 1RASBl RAS Subchannel B1 5.0 x 10-3
- 1. Refer to Appendix BlO.
- 2. Refer to Appendix B14.
- 3. Refer to Appendix Bl.
- 4. Refer to Appendix B8.
- Applies to all initiators except T1
** Applies to T1 initiators.
B9-12
Table B9-2. Component Unavailabilities Component Fault Failure Description Identifiers Contributors O Component HPRS pump HP21, HP23 Fails to operate for 24 hours (3.0 x 10d/hr) 7.2 x 10~A Q Total 7.2 x 10-4 Check C20, C21 Hardware 1.0 x 10Z$ valve Q Total 1.0 x 10-4 Motor operated MOV-4145, Hardware 1.0 x 10-3 valve (nor- MOV-4144 Plugged 1.0 x 10-4 mally closed) Control circuit 6.4 x 10-3 Maintenance 5.8 x 10;3 O Total 1.3 x 10-2 2 6 1 B9-13 i
~ , , ,, , - - . , - , _ . - , - - . - ~ ~ - - - - - - - .
l l Table B9-3. Quantitative Ranking of Dominant Boolean Terms for the HPRS For non-T1 initiators: RASCM 1.0 x 10-3 R21 COOL
- R22 COOL 4.9 x 10-4 We R22 COOL 3.4 x 10-4 Ve R21 COOL 2.5 x 10-4 K e R22 COOL 2.2 x 10-4 Re R22 COOL 1.9 x 10-4 WeV 1.7 x 10-4 Le R21 COOL 1.6 x 10-4 Total point estimate = 4.9 x 10-3 For T y initiators:
D21 e R22 COOL 2.4 x 10[3 RASCM 1.0 x 10_4 R21 COOL e R22 COOL 9.8 x 10_ R22 COOL e HPLP21C 4.9 x 10_44 We R22 COOL 4.6 x 10 R21 COOL e HP23LP22C R21 COOL
- V 3.6x10j 3.6 x 10
~
Ke R22 COOL 3.0 x 10[ Be R22 COOL 2.5 x 10_4 Le R21 COOL 2.4 x 10 -4 Ce R21 COOL 2.0 x 10 Total point estimate = 1.0 x 10 -2 r [ B9-14
to(a L2O b b# 'W 7?ff" LocP J Rf Zg7 W ,$,yN hiu-5%TM'L*4%
- Ct3 M by dy Q Ctg N
Vco /z e V4
~<- a rs y' __-vi css se rugs,n N(,. ,) X ,y,p',f,-
;,, ,33 y' cs l :'O.
h y'
' ~~
cy: . . . . "',, ' ua u .O. ._. ' j "z%qh%4 r
~;
A- + (~3~; Q - a L3 x, - Ka@:
"K* * ' p, W '
-- a s l Rf "
c65 C 66 rT F /4 T I C6 6 r 7 M o* * > 6 MeV-456 l i MM CD &'# - - cxo ' att sta m.v- d 55 ,h A!O m o v- s t ? A l tCoe3
%m @ ' Q-
[.,;, _[~~.
'E _.m
-,,X>'o-~s>
., "d hha,g ~
4 xw m w cv 0;
~*...
g l 1 -w c.o 4 ce . x ,f, w wk- C9 A** - e si w ~ - ~ .;, , M _ 1; pn v cn ,an W ln ee j 6 h 22 l w +4 2 q I "" c6'
*w Z.,%, y 7,e' ua y e-v 0 o. -n C C [>c : s-l
! 7 #N 9 c sp ' y,y. gg X<e
~7 CS22 LA H O
T' y f X4.,' n c
, ,i q,,, g em cs: ~. 6*s , , , ,,,
N co samaa
,3, c.=_ .r 9 I ' y SPfiler WE4DE R mod-sr$$ Cto O4
~ ~ -sm Nces Figure B9-1 Calvert Cliffs ECCS Schematic (HPRS Highlighted)
CV300 54 73S
/ IY j Cvi20 Y I'om LPRS F4 <
s.724 g ta6FC 1867A FT
'k"% ( 2 c
F rom LPAS
><F-
~
k ,,, k .. F3 , CV300 58237 p 18670 t8673 Cv120 From LPRS Cv400 $3 238 Dew H s r CHas h Cv420 ss 776 C4 i M From LPR$ I8ad7 , % cuao ya 12963 1 bc l From LPRS F6, 58240 ' lGM m o-m so-186EA 1287A 25 32878 a 1297C 2s J NG HG gg AWSt~ - 1267A A 1269A 7 gy m imas iare iae. :: Foe
~"'
B D<} 7,,",*1! .Taci F - LPas w o==-i g Hra:nr.C. =, , iss2A Figure B9-2. Surry HPRS Simplified System Diagram (shown in Cold Leg Recirculation Mode)
l APPENDIX B10 SURVEY AND ANALYSIS ENGINEERED SAFETY FEATURES ACTUATION SYSTEM (ESPAS) CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
......................................... B10-3 2.0 CALVERT CLIFFS ESPAS DESCRIPTION ..................... B10-3 2.1 System Description ............................. B10-3 2.2 System Operation ............................... B10-5 3.0 SURRY ESPAS DESCRIPTION .................. 4.......... B10-10 3.1 Surry CLCS Description ......................... B10-10 3.2 Surry SIAS Description ......................... B10-ll 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY ESPAS ......... B10-12 5.0 CALVERT CLIFFS SYSTEM EVALUATION ..................... B10-13 5.1 Event Tree Interrelationships .................. B10-13 5.2 ESFAS Model Description ........................ B10-14 B10-1/-2
)
1.0 JN100 DUCTION The Calvert Cliffs Unit 2 Engineered Safety Features Actuation System (ESPAS) was reviewed and compared with the similar PWR design (Surry) evaluated in the WASH-1400 study. The ESFAS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report respectively. A comparison of the two actuation systems is given in Section 4. ESFAS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a description of the model and point estimate unavailabilities used to incorporate ESFAS failures into the Calvert Cliffs accident sequences. 2.0 CALVERT CLIFFS ESFAS DESCRIPTION 2.1 System Description The ESPAS monitors reactor building pressure and RCS pressure to detect the failure of the RCS. The ESPAS provides initiation signals to the high and low pressure injection systems, containment isolation systems, the containment air recirculation and cooling system, the recirculation systems, and the building spray system. In addition, an ESPAS signal is used to start the emergency power system and initiate a transfer to that system. The conditions that will actuate engineered safety features are a containment pressuie of 4 psig or larger or a reactor coolant pressure of 1600 psia or lower. The Calvert Cliffs ESFAS includes four redundant sensor channels and two redundant actuation trains. The power for the protective system is supplied from four separate and independant vital 120 volt AC buses. Each vital bus is supplied from a separate battery system through an inverter. The system has been designed such that B10-3
i testing, routine servicing, and preventative maintenance can be performed without interference to normal plant operation or with-l cut loss of system function availability (e.g., performance of these operations does not result in a simultaneous unavailability of both actuation subsystems). The actuation system is divided into four sensor channels, two actuation trains, and two logic channels for sequential loading of the diesel generators. Each of the sensor channels consists of a sensor for monitor-ing each of the following process variables:
- a. Containment Pressure - one each for Safety Injection Actuation Signal, Containment Spray Actuation Signal, and Containment Isolation Signal.
- b. Pressurizer Pressure
- c. Containment Radiation
- d. Refueling Water Storage Tank Level
- e. Steam Generator Pressure Particular sensor and actuation channels are arranged to produce f signals to initiate equipment consistent with the type of protec-tive action required. These signals are designated:
l
- a. Safety Injection Actuation Signal (SIAS)
- b. Containment Spray Actuation Signal (CSAS)
- c. Containment Isolation Signal (CIS)
- d. Containment Radiation Signal (CRS)
- e. Recirculation Actuation Signal (RAS)
- f. Steam Generator Isolation Signal (SGIS) 9 Undervoltage (UV)
- h. Chemical and Volume Control System Isolation Signal (CVCSIS)
B10-4
Emergency diesel generators are provided for supplying power to engineered safety features in case of loss of the normal auxil-iary system power. Undervoltage, blocking and sequencing are required for sequential loading of the diesel generator and are part of the ESPAS. An independent, loss of offsite power signal will also actuate the diesel generators. The Auto-Test feature of the Engineered Safety Features Actuation System provides a continuous test of the logic circuitry f rom bistable input to relay driver output. This includes testing of the engineered safety features signal initiation, blocking, automatic block removal, load shedding and load sequencing. The operability of the Auto-Tester may be demonstrated in several ways. Frequent visual inspections are made to verify no alarms in the system and to verify that the Auto-Test lights are scanning. Periodically manual test signals are inserted in the system logic to demonstrate that the Auto-Tester will detect and annunciate a fault in the system. The ESFAS initiating logic is shown in Figure B10-1 and con-sists of bistables, bistable output relays, matrix relays, initi-ation channel output relays, manual testing controls, indicating lights, power supplies, and interconnecting wiring. 2.2 System Operation Providing signal inputs to the safety injection actuation signal (SIAS) are four independent pressurizer pressure transmitters and four independent containment pressure transmitters. The containment pressure transmitters are separate from those used for initiation B10-5
of the containment spray actuation signal and the containment isola-tion actuation signal. Actuation occurs as a result of either two-out-of-four pressurizer pressure sensor channel trip signals, two-out-of-four containment pressure sensor channel trip signals, or manual initiation from the control room. Each of the two indepen-dent safety injection actuation signals from the two redundant actuation subsystems initiates the following: SIAS Actuation Subchannel Nos. Action SIAL / SIB 1 a) Open one containment spray valve b) Open four high pressure injection valves c) Open two low pressure injection valves d) Open one high pressure header valve, the redundant valve is locked open e) Start one salt water system air compressor SIA2/ SIB 2 a) Start one or two high pressure safety injection pumps ) SIA3/ SIB 3 a) Start one low pressure safety injection pump j SIAS/SIAS a) Closes two service water isolation valves l SIA7/ SIB 7 a) Start one or two component cooling water pumps I b) Start one or two service water pumps ! c) Close one or two component cooling l heat exchanger salt water outlet valve. d) Open one component cooling shutdown heat exchanger component cooling outlet valve B10-6 l
e) Close one component cooling heat exchanger salt water inlet valve f) Opens a service water hegt exchanger salt water outlet valve. a) Start one or two salt water pumps SIA8/ SIB 8 b) Close one salt water isolation valve SIA9/ SIB 9 a) Send signals to emergency diesel generators b) Close diesel gen 12 feeder breaker c) Opens a service water hegt exchanger salt water outlet valve, SIA10/ SIB 10 a) Opens 2 CLAS tank isolation valves In addition to the capability for manual initiation of the actuation signal f rom the control room, each of the above-listed actions may be individually initiated in the control room by appropriate control switch operation. A safety injection block is provided to permit shutdown depressurization of the reactor coolant system without initiating safety injection. Block is accomplished manually. This process w211 be under strict administrative control with block indicated by a local light and annunciated on the station annunciator system. It will not be possible to block above a preset pressure and, if the system is blocked and pressure rises above this point, the block is automatically removed. The block circuit is designed to conform to the single failure criterion. Wide range pressure and level transmitters are also provided to furnish pressurizer pressure and level measurements during reactor warmup, when the reactor is shutdown, or following a loss-1 Actuated by subchannel SIA7 only. 2 Actuated by subchannel SIB 9 only. B10-7
i l of coolant incident. These measurements will permit knowledgeable manual control of the safety injection pumps and valves. To provide the containment spray actuation signal (CSAS), four independent containment pressure transmitters are utilized. The pressure transmitters are separate from those used for initi-ation of the safety injection actuation signal and the containment isolation actuation signal. Actuation occurs as a result of either two-out-of-four containment pressure sensor channel trip signals or manual initiation from the control room. Each of the two independent containment spray actuation signals from the two redundant actuation subsystems initiates the following: CSAS Actuation Subchannel No. Action CSA1/CSBl a) Switch two containment coolers to low speed b) Open two containment cooler service water valves CSA2/CSB2 a) Start one containment spray pump CSA3/CSB3 a) Close one service water isolation valve In addition to the capability for manual initiation of the actuation signal from the control room each of the above-listed actions may be individually initiated in the control room by appropriate control switch operation. To prevent an inadvertent containment spray system actuation in the case of an undesired trip of the containment spray actuation signal, the containment spray valves are opened only by safety injection actuation signal. These valves are fail-safe, i.e., B10-8
upon loss of power, the valves open. While the containment spray volves are open, containment isolation is maintained by backup check valves in the spray system piping. Four independent refueling water tank level switches provide digital inputs to the recirculation actuation signal (RAS). Upon coincidence of two-out-of-four low water tank level trip signals, or manual initiatior from the control room, the recirculation actuation signal is generated. Each of the two independent signals from the two redundant actuation subsystems initiates the following: RAS Actuation Subchannel No. Action RASAl/RASBl a) Open one containment sump discharge valve b) Stop one low pressure safety injec-tion pump c) Close one minimum flow recirculation valve to the refueling water storage tank d) Open one component cooling heat exchanger salt water inlet valve e) Open one or two component cooling heat exchanger salt water outlet valve f) Throttle one service water heat exchanger salt water outlet valve. In addition to the capability for manual initiation of the actuation signal from the control room, each of the above actions may be individually initiated in the control room by appropriate control switch operation. The refueling water tank discharge valve is normally open and upon loss of control power the valve remains in the open position. Valve failure in the open position during the recirculation mode B10-9
of operation does not affect pump suction since check valves are provided to maintain containment integrity and prevent reverse flow during the recirculation mode. The containment sump discharge valve is normally closed and upon loss of control power the valve remains in a closed position. The devices and components actuated by the ESPAS are summarized in Table B10-1. 3.0 SURRY ESFAS DESCRIPTION The Surry ESPAS as described in WASH-1400 was split into two systems; namely, the Consequence Limiting Control System (CLCS) and the Safety Injection Control System (SICS). 3.1 Surry CLCS Description The Surry CLCS is designed to detect out-of-tolerance conditions within the containment, by measuring containment pressure, and to initiate operation of equipment and systems designed to limit and counteract these conditions (see Figure B10-2). The devices which are activated by the CLCS are initiated at one of two pressure levels. A containment pressure rise to 1.5 psig initiates the "HI" containment pressure phase of the CLCS. In this phase, the containment vacuum pumps are tripped, certain containment isolation valves are closed and back-up signals are sent to the Safety Injection Control System (SICS) which monitors RCS pressurizer pressure to activate core cooling systems. A further rise in containment pressure to 10.3 psig initiates the "HI-HI" containment pressure phase of the CLCS. In this phase, the CSIS and the Containment Spray Recirculation System (CSRS) are B10-10
i l initiated, the remaining containment isolation valves are closed, the emergency diesel generators (No. 1 and No. 3) are started, and service water is diverted to the containment spcay heat exchangers by energizing the appropriate motor operated valves. The CLCS consists of four independent measurement channels and two logic trains for each pressure level. Each logic train l trips when 3 of the 4 measurement channels sense a trip pressure. The logic trains and measurement channels are designed to trip on loss of power for HI actuation but are prevented from tripping HI-HI on loss of power (redundant power precludes disabling HI-HI by one failure). Manual initiation of the HI trains is accomplished by depressing one push button while manual initiation of the HI-HI trains is accomplished by simultaneously depressing two push buttons. Placing a measurement in the test mode causes it to send a trip signal to all four logic trains. Thus, only two of the three remaining channels must trip to initiate the logic trains. A logic train, which is in test, will be automatically pulled out of test if the train not being tested trips. 3.2 Surry SICS Description The Surry actuation system, the Safety Injection Control System (SICS), provides initiating signals to other systems such as the LPIS, HPIS, and the Reactor Protection System (RPS). The SICS consists of two redundant trains, each of which includes analog instrumentation to energize seven output relay coils which trovide for electrical control of the HPIS, LPIS, accumulators and containment valves. The circuitry in both trains is identical B10-ll
and redundant. Each train is fed by a separate DC bus and is located in a separate cabinet. Both trains are fed from different bistable relays which in turn are fed by the same comparators, i.e., relay PC 455 in train A and relay PC 455 in train B are both fed by comparator 455. Thus, train redundancy is lost but is replaced by channel redundancy at this point. The SICS is automatically activated when any of the following conditions exists: a) Low pressurizer pressure coincident with low pressurizer water level. b) High containment pressure. c) High differential pressure between any two steam lines. d) High steam line flow coincident with low steam line pressure or low Tgyg across the core. The logic diagram for one channel of the dual channel SICS appears in Figure-B10-3. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY ESFAS The emergency equipment actuation systems for the Calvert Cliffs and Surry plants are significantly different. One major design difference results from the number of sensor channels and the coincident logic which combines the sensor signals for ESF subsystem initiation. The ESFAS at Calvert Cliffs uses two-out-of-four coincidence sensor logic whereas the Surry SICS uses one-out-of-three and the Surry CLCS uses three-out-of-four sensor logic. Another major design difference of the Calvert Cliffs ESFAS is the subdivision of the actuation channels of safety injection, containment spray, and containment isolation into multiple actu-B10-12
otion subchannels. The number of pieces of equipment initiated by a single actuation subchannel has therefore been reduced, allowing convenience and flexibility of periodic actuation system and equipment tests. The Surry engineered safeguards instrumentation system has only two redundant actuation subchannels per engineered safeguards subsystem (e.g., the seven SICS output slave relays which initiate components in one train of emergency core cooling are in series with one output flip flop relay.) The Calvert Cliffs ESFAS was not modeled in its entirety; instead, failures were attributed to each subchannel.and incorp-orated into the other system models which require actuation. Common mode failures were also included where applicable. Because of this, the total ESPAS unavailability estimates for Surry and Calvert Cliffs cannot be compared. Common mode failures due to miscalibrations of all the sensors in a bank were found to be dominant in both the Surry and Calvert Cliffs ESFAS. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The ESPAS does not appear as an explicit event on the event trees. The ESPAS, however, does contribute to several events since it actuates many of the plant ESP systems. A list of the systems the ESPAS actuates and the corresponding event tree events is given below. B10-13
System Event
- 1) HPIS ............................ LOCA event D
- 2) LPIS ............................ LOCA event D
- 3) LPRS ....................... LOCA event H
- 4) HPRS ............................ LOCA event H
- 5) CSIS ............................ LOCA event C Transient event O'
- 6) CSRS ............................ LOCA event F
- 7) CARCS ........................... LOCA event Y, event Z, Transient event O System Event
- 8) Containment Heat Removal Systems (CHRS)........... LOCA event O 5.2 ESFAS Model Description A comparison was made of the Surry SIAS and CLCS and the Calvert Cliffs ESFAS which identified actuation logic trains (or channels) and sensor groups that perform similar functions. The unavailability of a Calvert Cliffs channel or sensor group was then assumed to be the same as the equivalent Surry channel or sensor group. Common mode failures which applied to the Surry actuation system were also assumed to apply to the Calvert Cliffs system. Results of this comparison are given in Table B10-2.
The faults depicted in Table B10-2 were substituted into the LPIS, LPRS, HPIS, HPRS, CSIS, CSRS, CHRS, and CARCS Boolean equations as appropriate (see Appendices B6, B7, B8, 89, Bll, B12, B14 and B15). These faults appear in these equations according to the Boolean identifier given in Table B10-2. B10-14
The common modes listed in Table B10-2 are all due to sensor / comparitor miscalibrations. For instance, the Surry CLCS HI common j mode error assessment was based on the possibility of repetitive human errors during the containment pressure sensor comparator cali-bration and test procedures. This fault could occur on all compar-itors for which similar actions are called for. If this human error were to occur, both logic trains of CLCS HI would fail. In the Surry CLCS analysis it was assumed to be a tightly coupled event where miscalibration of all comparitors was assigned the value of 1 x 10-3, The similar sensor-comparitor group at Calvert Cliffs is the Contain-ment Spray Actuation Signal (CSAS) sensor group. The probability of a CSAS common mode failure due to sensor miscalibration was also assessed at 1.0 x 10-3, At Calvert Cliffs, a Recirculation Actuation Signal (RAS) is generated when the RWST level gets low. This signal automatically realigns the ESF's to the recirculation mode. At Surry, recircula-tion is initiated manually from the control room. Since there is no comparable RAS signal at Surry, it was assumed that the Calvert Cliffs RAS was similar to the SIAS signal at Surry. B10-15
Table B10-1 Engineered Safeguards Actuated Devices Subchannel Actuated Devices SIAL CV-4150 MOV-615 MOV-617 MOV-625 MOV-62 7 MOV-637 MOV-64 7 MOV-656 SWC21 SIBl CV-4151 MOV-616 MOV-626 MOV-645 MOV-64 6 MOV-635 MOV-63 6 MOV-654 SWC22 SIA2 HP21 HP23 SIB 2 HP22 HP23 SIA3 LP21 SIB 3 LP22 SIAS CV-1600 CV-1637 SIBS CV-1638 CV-1639 i SIA7 CC21 1 CC23 SW21 SW23 CV-5160 CV-5206 CV-3828 l l B10-16
Table B10-1 (Continued) Subchannel Actuated Devices SIB 7 CC22 CC23 SW22 SW23 CV-208 CV-5163 CV-5162 CV-3830 SIA8 SAW21 SAW23 MOV-5250 SIB 8 SAW22 SAW23 MOV-5251 SIA9 Dll, CV-5210 D12 SIB 9 D21 D12 CV-5212 SIA10 MOV-614 MOV-624 SIB 10 MOV-634 MOV-644 CSAl CV-1582, Containment Cooler 21 CV-1585, Containment Cooler 22 CSBl CV-1593, Containment Cooler 23 CV-1590, Containment Cooler 24 CSA2 CS21 CSB2 CS22 CSA3 CV-1598 CSB3 CV-1599 CV-5210 CV-5160 CV-5206 LP21 MOV-4144 MOV-659 B10-17
Table B10-1 (Continued) Subchannel Actuated Devices RASBl CV-5208 CV-5163 CV-5162 LP22 MOV-4145 MOV-660 CV-5212 B10-18
Table B10-2 Comparison of Surry and Calvert Cliffs Actuation Faults Surry Fault Similar Calvert Cliffs Surry Failure Description Fault Description Contributors Q/ Component CLCS III ESPAS Containment Containment Pressure Pressure Channels Logic Train (CSAl, CSB1, CSA2, CSB2, CSA3, CSB3)* Singles, Doubles 2 x 10-2 Test, Maintenance 2.1 x 10-3 Q Total 2.2 x 10-2 SICS SIAS Subchannels Logic Train (SIAL, SIB 1, SIA2, SIB 2 SIA3, SIB 3, SIAS, SIB 5, SIA7, SIB 7, SIA8, SIB 8, SIA9, SIB 9) or ESFAS RWST Low Water Level Channels Singles, Doubles 3 (RASAl, RASB1)* 2.9 x 10 Test, Maintenance 2.1 x 10- 3 0 Total 5 x 10-3 CLCS HI Containment Pressure ESPAS Containment Sensor Group Pressure Sensor Common Mode Group Common Mode (CSASCM)* 1.0 x 10-3 CLCS HI ESPAS RWST Containment Pressure Sensor Group Sensor Group Common Mode Common Mode (RASCM)* 1.0 x 10-3 SICS ESFAS SIAS Common Mode Sensor Group Common Mode (SIASCM)* 3.2 x 10-5 GTerm in parenthesis is the Boolean identifier of this fault. B10-19
.. . .. - e .-, - - . ~
~'
.,4 v . ~ . . .
$$ ee i
s@ @@ @A se I a =
==- ==- .: .,
.m. -- .=.,
W $ 1&, p .
@1 .v a!& -,
4, t!Pr a ter -, 1
-t # __.
.L L a
= -
s H n O I L s..... . 1. . _ , , . , , .... .u . o r , -y,- m .a.e sy g., F,,,, ny- - - ' - y _ au 7 l- - l
~ .-
.~.
l 8""' b arrn l6 66 A & sh sk s1: l l l,}fa.. & 2, ,j:e;.y , ru,i me
'l s,,,,4 saa. . s ,,,, .;<. s ee. , I
,,, ,,, ,,; ,, ,p 4 svo.>6 sre. 4 !"'~'. , T ,"~'",, ... . .
J ta ua t"I "**' l LJ ,,,,
.t:'.* ~ ' ::':~' I p
.s., ., l l
9:s sqs T '9 'If S%' 'N 9:s *y? * ;'.' ?l' ci 'O % *R l" ' l __.___ w. . =i...,,,=,m,,.,,, _ . . e . __
+. : g .
__ J Figure B10-1. Calbert Cliffs - Engineered Safety Features Actuation System (ESFAS)
L ogic l Train ( ChannelA A B CtCS g Inj,y
,Contain H Hi PRESS DetKleon j1 A / Hi \ Equipment ment (3 of 4 Channels H RESS E O'1"I'0" \ inii at (1of2P'En ush nottons Contain-ChannelB ESS IH AHI ,
C et t C CS i ment Hl\ go,t;,g, HI B [g"[ c Channel B g - B 3 O' 4 HI PRESS Hi Channels ' Detntion For Trip) Hi \ Channel C ) l HB HI PRESS l CD Contaen- Deintion HlH ment lH logic o I C d' - Channel C HIPRESS C B L initiaw to g, . ,gyh gg Hg H Deintion HIHIA A Equipment (3 of 4 ChannelD Channels Hi Hi PRESS D For Trip) gyh PER Contain- Detntion sn,tiatida ment 2 DI 2 Push utton [e[so'r ChannelD E 095 D - Hi PRE SS D Train Denntion Hl C g g 0 3 g4 Equipment Channels For Tript fHh Figure B10-2. Surry CLCS Simplified Diagram l
. :.':~.n m 1- n -J C i== i -
- = , e r.i L :- .m.
C i-- i - .. . be e. . ., l
,C i== '
_)-
'n v
it. 1*.=l
- - i 1
l
) --< q .. - .
L*".:::= i=._.<
. C lE3 - -> *-
.C -
.~= -.
~ . :-y to j
s % ,_. i r: :.
*a ,
f~ o N i
- . ~.,,,i 7 1
/_ /
--c q
-- /
!=. -
/m
,i
<m ow a -
==
N o
.O L.as .4
--J .
- = ...
P~~~~'l__ . f ,
=.
- '* * :=- ~ ~ I."1.-
= ..
.. m = \,m, 'C':.
c.---.- 3= bi n= D-
- au .~
Figure B10-3. Surry Safety Injection Control System
APPENDIX Bll SURVEY AND ANALYSIS CONTAINMENT SPRAY INJECTION SYSTEM (CSIS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
....................................... Bil-3 2.0 CALVERT CLIFFS CSIS DESCRIPTION .................... Bil-3 2.1 System Description ............................ Bil-3 2.2 System Operation .............................. Bll-4 3.0 SURRY CSIS DESCRIPTION ............................. Bll-5 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CSIS ........ Bll-6 5.0 CALVERT CLIFFS SYSTEM EVALUATION ................... Bll-6 5.1 Event Tree Interrelationships ................. Bil-6 5.2 CSIS Model Description ........................ Bil-7 5.2.1 CSIS Boolean Equations ................. Bll-7 5'.2.2 CSIS Unavailability .................... Bil-9 Bll-1/-2
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 Containment Spray Injection System (CSIS) was reviewed and compared with the similar PWR design (Surry) cycluated in the WASH-1400 study. The CSIS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report, respectively. A comparison of the two containment spray injection systems is given in Section 4. CSIS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a descrip-tion of the model used to incorporate CSIS failures into the Calvert Cliffs accident sequences and a point estimate of the CSIS unavail-cbility assuming independence from all other Calvert Cliffs systems. 2.0 CALVERT CLIFFS CSIS DESCRIPTION 2.1 System Description The CSIS along with the Containment Air Recirculation and Cooling System (see Appendix B15) provide alternative methods of depressurizing the containment following a LOCA. In addition, the CSIS sprays provide removal of released radioactivity from the post cccident containment atmosphere. The Calvert Cliffs CSIS consists of two electric-motor-driven pump trains which draw water from the Refueling Water Storage Tank, via separate header, and discharge to the spray headers located in the upper area of the containment. A simplified schematic of the system is shcwn in Figure B11-1. Operation of either train is sufficient to keep the post-accident containment pressure excursion within acceptable limits. As stated above, the operation of the Bil-3
CSIS sprays also provide removal of core released radioactivity from the containment atmosphere. 2.2 System Operation The CSIS is automatically initiated by the Engineered Safety Feature Actuation System (ESFAS) in the event of a loss-of-coolant accident. Both containment spray trains are activated automatically along with the fourth containment air cooling unit. Three contain-ment air cooling units operating at high speed under normal plant operation are switched to their lower speed. The Safety Injection Actuation Signal (SIAS) opens the air operated containment spray discharge valves for the pumps. The Containment Spray Actuation Signal (CSAS) starts the corresponding pumps. In addition to the capability for normal initiation of either of these signals from the control room, each pump or valve can also be individually initiated manually by the appropriate control switch operation. Inadvertent operation of the system will be alarmed when the spray pumps are operated. Flow indication and valve position indication are also provided for the operator, so the situation would be quickly observed and remedial action taken. To prevent one inadvertent containment spray system actuation in the case of an undesired trip of the CSAS, the containment spray valves are. opened only by the SIAS. The spray pumps and heat exchangers are located outside the containment to permit access for periodic testing and maintenance during normal plant operation. A recirculation line is provided on the discharge of each spray pump for testing, which can be accomplished Bll-4
I by recirculating water back to the refueling water tank. The re-circulation line is sized to pass the minimum allowable pump flow of 50 gpm. 3.0 SURRY CSIS DESCRIPTION The Surry CSIS, shown in Figure Bll-2, consists of two inde-pendent spray subsystems, each containing a pump, filter, spray nozzles, isolation valves and associated piping, plumbing instrumen-tation and controls for delivery of 3200 gpm par subsystem of chilled, alkalized borated water from the Refueling Water Storage Tank (RWST) to the containment atmosphere. Each pump is driven by a steam turbine - electric motor dual drive. A mechanical clutch assembly allows only one drive to be effective at a time. The system is automatically placed in emergency service by a 10 psig reactor building pressure signal from the consequence limiting control system which starts the pumps and opens the isolation valves to the containment. Each spray train is designed to deliver suffi-cient heat removal capacity to provide for successful initial containment response (depressurization of initial pressure excursion and return to sub-atmospheric conditions) until depletion of the RWST. The addition of sodium hydroxide solution to the containment spray serves to improve spray removal of radioactive iodine from the containment atmosphere. The Surry CSIS operates in conjunction with the Containment Spray Recirculation System (CSRS) during the initial containment response period. Since CSIS water is required for the CSRS suction supply, the systems are dependent. The criterion for containment Bil-5
spray success therefore requires the successful operation of either CSIS train plus successful operation of two of the four CSRS trains. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CSIS An important difference between the Calvert Cliffs and Surry systems is the fact that the Surry CSIS is independent of the CSRS. At Calvert Cliffs, the CSIS and CSRS share most of the same equipment. Thus, the Calvert Cliffs CSIS includes heat exchangers while the Surry CSIS does not. Another difference is that the Surry CSIS takes water from the RWST via a dedicated line whereas each CSIS train at Calvert Cliffs receives RWST water from a header that is shared with the low and high pressure injection pumps. In the Reactor Safety Study, a 2.4 x 10-3 unavailability was estimated for Surry's CSIS. The dominant failure was a possible common mode where the actuation sensors are all miscalibrated. The unavailability of Calvert Cliffs' CSIS was calculated to range from 5 x 10-3 to 6 x 10-3 depending on the initiating event. The dominant CSIS failure for all initiators was a common mode failure of the CSIS actuating signals due to sensor miscalibration. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The Calvert Cliffs CSIS is one of two systems designed to pro-vide immediate cooling of the reactor building atmosphere to limit the post-accident containment pressure excursion and return the containment to atmospheric pressure. The other system is the CARCS Bll-6
which is automatically placed in its emergency operating mode at a reactor building pressure of 4 psig. The CSIS also provides the function of post-accident radioactivity removal. Failure of the CSIS is represented by event C on the LOCA event trees and event O' on the transient event trees. For all cases, failure of the CSIS is defined as failure to deliver flow to a spray nozzle from at least one pump. This criteria for success differs somewhat from the FSAR definition and its basis is discussed more fully in Section 5.1 of Appendix B15. 5.2 CSIS Model Description 5.2.1 CSIS Boolean Equations The general form of the Boolean equation used to model the CSIS is given below: CSIS = (B + 0 + CSA2 + SIAL + D12) - (Bll-1) (C + P + CSB2 + SIBl + D21 + Q)
+ SIASCM + CSASCM.
The above equation, except for the D12 and D21 terms, was used to model CSIS failure for large and intermediate size LOCAs (A and S1), and is referred to as equation Bll-1(a) in the main report. The-equation used to model small (S2) LOCAs and T2 and T3 transients is referred to as Equation Bll-1(b) and is the same as Equation Bll-l(a) except that the Q term is dropped. Finally, the T1 transient model is identical to Equation Bll-1, except for the omission of the 'O' term. This form of the CSIS equation is referred to as Equation Bll-1(c) in the main report. Bll-7
i The terms D12 and D21 in the above equation depict the failure of emergency diesel generator #12 or #21. These terms were only included in the analysis of loss of offsite power transients (T y). The term 'O' depicts failure of CSIS train 22, due to a pos-sible flow diversion. If either valves CV-657 or MOV-658 are inadvertently opened, CSIS train 22 flow might be diverted into the LPIS injection lines. This failure mode is only applicable for large and intermediate LOCA (A and S1) sequences since RCS pressure will be low. This term was not used in small (S2) LOCA or transient sequences since RCS pressure will be high, preventing a flow diversion (i.e., the LPIS will not be injected into the core when RCS pressure is high). The terms SIB 1, SIAL, CSA2, and CSB2 represent inidividual CSIS actuation failures. CSIS injection valves CV-4150 and CV-4151 are opened by the Engineered Safety Feature Actuation System (ESFAS) channels SIAL and SIB 1, respectively. Channels CSA2 and CSB2 initiate the containment spray pumps. Two common mode failures were identified with the CSIS. The term CSASCM represents a miscalibration of the sensors which signal ESPAS channels CSA2 and CSB2. Term ~SIASCM represents a miscalibration of sensors which signal ESFAS channels SIAL and SIBl. (See Appendix B10 for details.) The only human errors included were inadvertent closure of the manual valves in the CSIS lines and inadvertent opening of several motor-operated valves. Bll-8
Technical Specifications for Calvert Cliffs state that components shall not be removed from service so that the af fected CSIS train is inoperable for more than 72 consecutive hours. If one CSIS train is inoperable for more than 72 hours, the reactor must be shut down. The average maintenance interval used in the Reactor Safety Study is 4.5 months, which corresponds to a frequency of 0.22 per month. From the Reactor Safety Study, (Table III 5-3) the log normal maintenance act duration for components whose range is limited to 72 hours is a mean time of 19 hours. Therefore, the unavailability of one component due to maintenance is estimated to be: 19(.22) -3 720 = 5.8 x 10 No test down time was included in the analysis since a normally open recirculation line is provided for testing 5.2.2 CSIS Unavailability Using the Boolean equations given in the last section and the term unavailabilities given in Table Bll-1, independent CSIS point estimate unavailabilities can be calculated. These are found to be: CSIS = 5.1 x 10-3 (Applies for A and S1 LOCAs) CSIS = 6.3 x 10-3 (Applies to T1 transients) CSIS = 5.0 x 10-3 (Applies to S 2 LOCAs and T2 and T3 transients). Double maintenance contributions, i.e., components of both trains being deliberately removed from service for maintenance, Bll-9
were removed from these unavailabilities since this condition is not allowed by Technical Specifications. A quantitative ranking of the Boolean terms for the CSIS is given in Table Bll-3. For the A and Si LOCA case, CSIS failure is dominated by the CSASCM failure mode which contributes approximately 20 percent to the total unavailability. The term CSASCM also domin-ates the other cases. The reader should be cautioned that these are uravailabilities for Calvert Cliffs' CSIS if the system is considel:ed : independent of all others. In general, the CSIS unavailability will depend on what other system successes or failures have occurred, i.e., the unavailability for the CSIS used in the sequence calculation must be a conditional unavailability. . Bll-10
Table Bil-1. Boolean Equation Term Descriptions l Boolean Term Term Definition Term Unavailability B MOV-4143 + C65 7.0 x 10-3 C MOV-4142 + C66 7.0 x 10-3 Q CV-657 + MOV-658 2.0 x 10-3 D12 Failure of diesel #12 6.8 x 10-2 D21 Failure of diesel #21 6.9 x 10-2 SIASCM Safety injection signal 3.2 x 10-5 Common mode failure CSASCM CSIS pump initiating signal 1.0 x 10-3 Common mode failure O M45 + M29 + M22 + M17 + M3 + C36 + CIS + C13 + 2.9 x 10-2 MOV-663 + CV-4150 + CS21 P M53 + M33 + M23 + M18 + M12 + C40 + C16 + C14 + 2.9 x 10-2 MOV-662 + CV-4151 + CS22 SIAL Safety injection channel Al 5.0 x 10-3 failure SInl Safety injection channel B1 5.0 x 10-3 failure CSA2 CSIS initiation channel A2 2.2 x 10-2 failure CSB2 CSIS initiation channel B2 2.2 x 10-2 failure P Bll-ll
Table B11-2. Component Unavailabilities Component Pault Failure Description Identifier Contributors O/ Component Manual Valve M45, M29, M22, M17, (Normally M3, M53, M33, M23, Operator Error 1 x 10-4 Open) M13, M12 Plugged 1 x 10-4 O Total 2 x 10-4 Check Valve C36, C15, Cl3, C40, C16, C14 Ilardwa re 1 x 10-4 0 Total 1 x 10-4 Pump CS21, CS22 liardware 1 x 10-3 Control Circuit 1 x 10-3 Maintenance 5.8 x 10-3 0 Total 7.8 x 10-3 Motor Operated MOV-663 Operator Error 1 x 10-3 Valve MOV-662 Maintenance 5.8 x 10-3 (Normally closed) Q Total 6.8 x 10-3 Control Valves CV-4150 Hardware 3 x 10-4 (Normally CV-4151 Control Circuit 6.4 x 10-3 Closed) Plugged 1 x 10-4 Maintenance 5.8 x 10-3 O Total 1.3 x 10-2 t i Bll-12
l Table Bll-3. Quantitative Ranking of Dominant Terms l l in CSIS Boolean Equation For A and St LOCAs: i CSASCM 1 x 10-3 l O*P 8.4 x 10-4 i 0 CSB2 6.4 x 10-4 l CSA2+P 6.4 x 10-4 CSA2 CSB2 4.8 x 10-4
-3 Total Point Estimate = 5.1 x 10 For T y Transients:
-3 D12*D21 4.7 x 10 CSASCM 1 x 10~-4 0P 8.4 x 10 -4 O*CSB2 6.4 x 10 ~4 CSA2 P 6.4 x 10 ~4 CSA2.CSB2 4.8 x 10
-2 Total Point Estimate = 1 x 10 For Sy LOCAs and T2 and T3 Transients:
CSASCM 1 x 10-3 ! OP 8.4 x 10-4 O'CS92 6.4 x 10-4 CSA2+P 6.4 x 10-4 CSA2 CSB2 4.8 x 10-4 Total Point Estimate = 5.0 x 10-3 Bll-13
h 1*,0 Arcum g jf % Cl3 Q ED V #8 4 N 4.OCP f 17 217 J - gay Q cgs G60 SM A CD A CL V4
* * * * . 9% tf ! W"EN Cba REYhftlWO O are y I (- T 4./ # F F t
, gr-N C3 m ou- 4s 4 C 35 LP o
,y 5 7) *f y,q twPz n _Q~ ev vvu ,.e 7
s
~
-- Cs, j , ~
n n -Q .nng.~ Q W, ( }{'~,7 f3 Mz ci r* s'Ni C4 CS Mov et$ p,g i g
,,_ 3
~
r C6S C66 C6 Mer .2d f MM C 37 % - a (ot D soff asad- d 55 -*8 w,
-- m3d < -
- u 9 ,a,. ,7 a _x .a i
- z. C g
e* P3 : lM--C M37 #4M4-{(1 Q
# # 8II ser% Asa?
a mev-65 3 C3a NP 2 Q -Vi , e :
--lM--1 cv ce "1--~H.a <-
3 M.o - pp,, > l - so C 7 __[ p,g of g > ~ ~- ' '1, , an Cn sen2@gy > t
=
Arru 4,,,.,,7 m a n ' u- % . E n8854 Cdf Y ~
.y, ,
C i . CM Cl2 Mer 6V5 i M0L C Ct1 p COW 1&sNatnW
$ffL4Y HE4DE R l f
)
m od sr$1 Cto
~ ** - sm Csu N
Figure B11-1 Calvert Cliffs ECCS Schematic (CSIS Highlighted)
l g s
) > Fj >>
^ v y _
1 _ H ^ (< y t
} < < <v n
e 0 ea dt in s i m n V g N# 1 n o iC
,l I,8 ,I I I I g I i 1 I I II ' l I ' il l t
n e e c m m _ _ a en r - di g
;s a e t n t
C s C 6C n 8 a _ uo N V N v N i OC D l w v i
- l o
F
\ - d
/ 2 1 i e
V f i
\ ' l p
m i 1 p2 S (" S I S C y r , e y r e 1 i g F r ti i r r ; p u 2 S kB 2 O N y O N v' l i B e r u f l g 4 i
~
~
F 8 s o y v i N v T S I W R
$Y (?
APPENDIX B12 SURVEY AND ANALYSIS CONTAINMENT SPRAY RECIRCULATION SYSTEM (CSRS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
.......................................... B12-3 2.0 CALVERT CLIFFS CSRS DESCRIPTION ....................... B12-3 2.1 System Description ............................... B12-3 2.2 System Operation ................................. B12-4 3.0 SURRY CSRS DESCRIPTION ................................ B12-4 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CSRS ........... B12-5 5.0 CALVERT CLIFFS SYSTEM EVALUATION ...................... B12-6 5.1 Event Tree Interrelationships .................... B12-6 5.2 CS RS Model Description . . . . . . . . . . . . . . . . . . . . . . . . . . . B12-7 5.2.1 Boolean Equation .......................... B12-7 5.2.2 CSRS Unavailability ....................... B12-8 1
I i B12-1/-2
l.0 INTRODUCTION The Calvert Cliffs' Unit 2 Containment Spray Recirculation System (CSRS) was reviewed and compared with the similar PWR design (Surry) evaluated in the WASH-1400 study. The CSRS designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report , respectively. A comparison of the two containment spray recirculation systems is given in Section 4. CSRS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a description of the model used to incorporate CSRS failures into the Calvert Cliffs accident sequences and a point estimate of the CSRS unavailability assuming independence from all other Calvert Cliffs systems. 2.0 CALVERT CLIFFS CSRS DESCRIPTION 2.1 System Description The CSRS provides for long-term cooling of the reactor building atmosphere to limit the containment system pressure to below the design limit. It also provides for long-term scrubbing of the atmosphere to remove radioactive materials. Each of two spray paths includes an electric pump, one heat exchanger, a spray header containing 90 nozzles, and associated piping and valves (see Figure B12-1). The pumps, which are located outside the containment, can deliver water at 1630 gpm during the recirculation mode. This system is initially aligned to draw water from the refueling water storage tank. During the recirculation mode, water is drawn from the containment sump. The sump water is cooled by the shutdown cooling heat exchangers. B12-3
It should be noted that no credit was given for alternate > CSRS flow paths. It is possible, using cross-tie connections, to supply the spray headers with the LPRS. 2.2 System Operation
-nitially, following a LOCA, the containment spray system is alignea to deliver water from the refueling water storage tank to the reactor building. When the low liquid level is reached in the RWST, continuation of containment spray is accomplished by automatic transfer of the pump suction to the containment sump. The switchover is initiated on coincident low-level signals from level switches located in the refueling water tank. Four independent refueling water tank level switches provide digital inputs to the recircula-tion actuation signal (RAS). Upon coincidence of two-out-of-four low water tank level trip signals the RAS is generated.
3.0 SURRY CSRS DESCRIPTION The CSRS provides for recirculation of the containment sump water through the heat exchangers of the Containment Heat Removal System (CHRS) to spray headers inside the containment for pressure control, fission product removal and long-term energy removal in the event of a LOCA. The CSRS, which is independent of the CSIS, consists of four trains, each of which includes a pump, heat exchanger, spray header and associated piping and valves (see Figure B12-2). Each pump has a rated flow of 3500 gpm. Two of the pumps are located inside the containment and have a rated head of 230 feet. The remaining B12-4
two pumps, which are located outstde the containment, have a rated heed of 249 feet. All stop valves in the flow path from the containment sump to the spray headers are normally open. Therefore, initiation of flow is accomplished by turning on the four pumps (PlA, PlB, P2A and P2B) via a signal from the Consequence Limiting Control Syster. (CLCS) when a LOCA occurs. Start-up of the pumps located inside the containment (PlA and PlB) is delayed for two minutes and start-up of the pumps located outside the containment (P2A and P2B) is delayed for five minutes after receipt of the CLCS HI-HI signals by the associated pump control circuits. The motor operated valves V1, V 2r V3 and V4 are automatically opened by the CLCS signals if they are inadvertently left closed. Pumps 2h and 2B can be manually stopped by the operator action at any time while pumps lA and 1B cannot be stopped until the CLCS is reset following a return of containment pressure to subatmospheric. The CRS is designed on the following basis: Pumping by two of the four trains during the-first twenty-four hours following a large pipe break accident and by one of the four pump trains after twenty-four hours will provide sufficient flow for system success. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CSRS The CSRS systems for Calvert Cliffs and Surry are considerably different in both design and mode of operation. One important difference is that the Surry system is independent of its CSIS whereas the Calvert Cliffs CSRS uses much the same equipment as its CSIS. The success criteria for Surry is two of four pumps. The B12-5
i i success criteria for Calvert Cliffs is one of two pumps. l The dominant contributors to the Surry CSRS unavailability were maintenance faults of the pumps and valves. The RSS assessed
-4 a 1.0 x 10 unavailability for the Surry CSRS.
The dominant contributor to the Calvert Cliffs CSRS unavail-ability was a common mode failure of the RWST water level sensors which provide inputs to the automatic recirculation signal. The CSRS unavailability for Calvert Cliffs is calculated in Section 5.2.2 to range from 7.7 x 10-3 to 1.1 x 10-2 depending on the initiator. I 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships 1 The CSRS is one of two systems designed to provide long-term cooling of the reactor building atmosphere to limit containment pressure. The other system is the containment air recirculation and cooling system (see Appendix B15) which includes four separate cooling units. Either of these systems provides sufficient cooling i i to limit and maintain containment pressure within acceptable limits. The CSRS also provides for long-term scrubbing of the containment atmosphere to remove radioactive materials. The CSRS contributes to event F on the LOCA event tree. Success of the CSRS requires that at least one of the two spray trains is operating. This success criterion was obtained through research at Battelle Columbus Laboratories and does not match the criterion set forth in the Calvert Cliffs FSAR. B12-6
,. ...w---.,n. - - - - , , . , ., , -- - - - , , . - - - , , ,, -, ,~ , - , - . -en
5.2 CSRS Model Description 5.2.1 Boolean Equation The following Boolean equation was developed to model CSRS fcilure: CSRS = (B + 0 + CSA2 + SIAL + D12 + R21 COOL + 0' + W + RASAl) - (B12-1) (C + P + CSB2 + SIBl + D21 + R22 COOL + P' + V + RASBl) + RASCM . The above equation, except for the D12 and D21 terms, was used to model CSRS f ailure for all initiators except T1 transients and is referred to as Equation B12-1(a) in the main report. Equation B12-1 in its entirety was used to model T1 ccquences. The terms D12 and D21 in the above equation depict the failure of emergency diesel generator #12 or #21. These terms were only included in the analysis of loss of offsite power transients (T y). A more detailed description of the terms B, O, C, P,W, and V is given in Appendix Bll, the Containment Spray Injection System. It should be noted that the primed terms, O' and P', represent failure of the CSRS pumps to operate during the recirculation phase. The terms SIB 1, SIAL, CSA2 and CSB2 represent individual CSIS actuation failures. CSIS injection valves MOV-4150 and MOV-4151 cro opened by the Engineered Safety Feature Actuation System (ESFAS) chtnnels SIAL and SIB 1, respectively. Channels CSA2 and CSB2 initiate the containment spray pumps. Failures of this kind, which B12-7
occur during the injection phase, will disable parts of the CSRS. The terms RASAl and RASBl represent individual recirculation signal I actuation faults. Subchannels RASAl and RASBl open the recircu-lation line MOVs when the RWST water level gets low. The term RASCM represents a common mode failure of both subchannels due to a miscalibration of the RWST water level sensors. Refer to Appendix B10. It is assumed that the containment spray pumps will fail in the long term without room cooling. This assumption is based on discussions with plant personnel. The terms R21 COOL and R22 COOL a < represent room cooling failures for pumps CS21 and CS22, respectively. 5.2.2 CSRS Unavailability i I Using the Boolean equation given in the last section and the term unavailabilities given in B12-1, independent CSRS point estimate unavailabilities can be calculated. These are found to be: CSRS = 7.7 x 10-3 (Applies to all initiators except T1 transients). ! CSRS = 1.1 x 10-2 (Applies for T1 transients).
" Double test and maintenance contributions, i.e., a deliberate I
action specifying both trains to be tested or maintenanced simulta-neously, were not included in this unavailability estimate because such an action would violate technical specifications. Further, it can be seen that reduction of the Boolean equation describing the CSRS results in 65 (82 for T y) terms. Examination of these terms shows t that 16 (25 for T y) depict " double injection" failures of the CSRS, i.e., CSRS failure due to failure of redundant components during con-B12-8
tainment spray injection. These failures were not included in the cal-culations of the independent CSRS unavailability above, since the CSIS must have succeeded (at least one train) to demand CSRS. For calcula-tion of the CSRS unavailability as used in the accident sequence ana-lysis, double injection failures and other physically inconsistent ! failure contributors were eliminated according to the Boolean reduction process where the equations describing each of the systems involved in the sequence were condensed together. I A quantitative ranking of the dominant Boolean terms is given in Table B12-3. As can be noted, approximately 10% of the system unavailability is due to the common mode failure RASCM. The reader should be cautioned that these are unavailabilities for Calvert Cliffs' CSRS if the system is considered independent of all others. In general, the CSRS unavailability will depend on what other system successes or failures have occurred; i.e., the unavailability used for the CSRS in the sequence analysis calcula-tion must be a conditional unavailability. B12-9
B12-1. Boolean Equation Term Descriptions Boolean Term Term Definition Term Unavailability IB MOV-4143 + C65 7.0 x 10-3 1C MOV-4142 + C66 7.0 x 10-3 10 M45 + M29 + M22 + M17 + M3 + C36 + C15 + C13 + 2.9 x 10-2 MOV-663 + CV-4150 + CS21 1p M53 + M33 + M23 + M18 + M12 + C40 + C16 + C14 + 2.9 x 10-2 MOV-662 + CV-4151 + CS22 2SIA1 Safety injection channel Al 5.0 x 10-3 failure 2 SIB 1 Safety injection channel B1 5.0 x 10-3 failure 2CSA2 CSIS initiation channel A2 2.2 x 10-2 failure 2CSB2 CSIS initiation channel B2 2.2 x 10-2 failure 3D12 Failure of diesel #12 6.8 x 10-2 3D21 Failure of diesel #21 6.9 x 10-2 O' CS21 7.2 x 10-4 P' CS22 7.2 x 10-4 V C20 + MOV-4145 1.3 x 10-2 W C21 + MOV-4144 1.3 x 10-2 2RASAl RAS Subchannel Al 5.0 x 10-3 2RASBl RAS Subchannel B1 5.0 x 10-3 2RASCM RAS common mode ' 1.0 x 10-3 failure 4R21 COOL Room cooling for pump CS21 1.9 x 10-2* during recirculation (2.8 x 10-2)** 4R22 COOL Room cooling for pump CS22 2.6 x 10-2* during recirculation (3.5 x 10-2)** 1 Refer to Appendix Bll. 2 Refer to Appe'ndix B10. 3 Refer to Appendix Bl. 4 Refer to Appendix B14.
- Applies for all initiators except T1 transients.
- Applies for T1 transients.
B12-10
Table B12-2. Component Unavailabilities Component Fault Failure Description Identifier Contributors Q Component CSRS Pump CS21 Fails to Operate CS22 24 hrs (3 x 10-5 hr) 7.2 x 10-4 Q Total 7.2 x 10-4 Motor Operated MOV-4145 Hardware 1 x 10-3 Valve (Nor- MOV-4144 Plugged 1 x 10-4 mally Closed) Control Curcuitry 6.4 x 10-3 Maintenance 5.8 x 10-3 Q Total 1.3 x 10-2 Check Valve C20 Hardware 1.0 x 10-4 Q Total 1.0 x 10-4 B12-11 ,
Table B12-3. Quantitative Ranking of Dominant Terms in the CSRS Boolean Equation For non-T1 initiators: RASCM' 1.0 x 10-3 0 e R22 COOL 7.3 x 10-4 CSA2.e R22 COOL 5.7 x 10-4 P e R21 COOL 5.3 x 10-4 R21 COOL e R22 COOL 4.9 x 10-4 CSB2 e R21 COOL 4.2 x 10-4 Total point estimate = 7.7 x 10-3 For T1 initiators: RASCM 1.0 x 10-3 R21 COOL e R22 COOL 9.8 x 10 4 O e R22 COOL 9.8 x 10-4 P e R21 COOL 7.8 x 10-4 CSA2 e R22 COOL 7.7 x 10-4 CSB2 e R21 COOL 6.2 x 10-4 W e R22 COOL 4.6 x 10-4 V e R21 COOL 3.6 x 10-4 Total point estimate = 1.1 x 10 . 4 i l i I B12-12 i
~, , . - . . . - - , . - . - - . . _ , -
, - - - , - , - . - . - - . . , . , , , , , - - - - , . , , , , . - - . _ . - ,--- -.. -n.
raa e $2 l'<1. MU Ev' ca
'9::"<-vv-Og Loop 2 SE2I7 d'Y wa' :a "'"
cl5 , M w 6e o new 6" CD CL M *V' 4 ?S y l 24% CS6 gg fugg pq conD V~ $,4 $ if b C3 "**b p gq LP I
-n - . . . ~ . , , %'-C r "
4 4! gg7 "0V' 6 tY AE , 2 C4 CS Movet$ s f % _A f
-- cs,
_t,op _ Q C4 M ar aid f L f xm)o ij . c 39 I NfZ t (M D
- m. M o...., p A_ att n26 n nese!* d 55 w
J.ccP3 ( /Qf
~; -
% y N3 ) as2% 27 mv-653 NP 2 w 'A-- -V+- -~<.=
cv V(4 >Q-N 4 Ce f _ g ,j l - so Cao LaJ J >
# g#^ 0 d23 _
g "N CU Nfl3 ) I s v , OL D ,J L ifb - 21 l
&Y 10
- w Col Mov- s ys CS2%
V ca '/ c,; M.., 4 > x -
/ l ~~ ~
a '* H mz g (y C0 ATT aft WME vr c-Q,L M af I Co#TAINmfarr SPlt Af HE*Dd R E L 2 , k m od St$$ 'C2o
.O.
..!- vb c Figure B12-1 Calvert Cliffs ECCS Schematic (CSRS Highlighted)
f I c l < S I g-I_l
@ !:=_ D5 -
5 i I > > I > > I > > I g > > l > > g l l l l .l l .. .. l I n i Urie OO I n n, i U. 2 v l Pa i rie l I I c -, Figure B12-2. Surry Containment Spray Recirculation System i B12-14 4
- -- ,. .- -,-.,-.,,,_.____,my_.__7,_.-_ _ _ . . _ . _ - - - - _,m_,, , _ , _ , - - ,m,,,,-,,..m., _-
u_,,.y, , - -..,_ ,,,% , , ,-,,
APPENDIX B13 SURVEY AND ANALYSIS AUXILIARY FEEDWATER SYSTEM (AFWS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
..................................... B13-3 1
2.0 CALVERT CLIFFS AFWS DESCRIPTION .................. B13-3 i 2.1 AFWS Description ............................ B13-3 l 2.2 Sy s t em Ope ra t i on . . . . . . . . . . . . . . . . . . . . . . . . . . . . B13-4 3.0 SURRY AUXILIARY FEEDWATER SYSTEM . . . . . . . . . . . . . . . . . B13-5 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY AFWS ...... B13-6 5.0 CALVERT CLIFFS SYSTEM EVALUATION ................. B13-7 5.1 Event Tree Interrelationships ............... B13-7 5.2 AFWS Model Description ...................... B13-8 5.2.1 AFWS Boolean Equations ............... B13-8 5.2.2 AFWS Unavailability .................. B13-9 B13-1/-2
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 Auxiliary Feedwater System (AFWS) , was reviewed and compared with the similar PWR Auxiliary Feedwater l System (AFWS) design (Surry) evaluated in the WASH-1400 study. The system designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report respectively. A comparison of the l two systems is given in Section 4. AFWS event tree interrelation-l l ships are detailed in Section 5. Also included in Section 5 is a description of the model used to incorporate AFWS failures into the Calvert Cliffs accident sequences and a point estimate of the ! AFWS unavailability assuming independence from all other Calvert j Cliffs systems. 2.0 CALVERT CLIFFS AFWS DESCRIPTION 2.1 AFWS Description The purpose of the Calvert Cliffs Unit 2 Auxiliary Feedwater System is to remove primary coolant system stored energy and resid-ual core energy when main feedwater is unavailable. Without the AFWS, primary coolant will be lost out through the pressurizer safety valves and the core may ultimately be uncovered. The AFWS consists of two turbine driven pumps along with associated piping valves, and controls. A simplified flow diagram of Calvert Cliffs AFWS for Unit 2 is shown in Figure B13-1. The normal water supply to each pump is from Condensate Stor-age Tank No. 12 (CST No. 12), via a common line feeding a branch line to each pump. Flow from each pump discharges into a branch line feeding a common line which in turn branches to each of two B13-3
steam generators (SG). AFWS flow is controlled by controlling pump speed and by regulating flow through a normally closed (NC) air-operated control valve in the feed line to each SG. Each NC air-operated control valve fails open on loss of air, and each can be bypassed by a loop that includes a normally closed manually operated valve. AFWS water can also be obtained from CST No. 11 and 21. No credit was given to these water sources in the short term since flange connections must be fitted into the supply lines before water would be available. Steam to drive the AFWS turbine-driven pumps is obtained from the steam generators. Each steam generator can supply steam to either or both steam turbine-driven pumps from its main steam line through a normally closed motor operated valve which fails as-is or a normally closed manual bypass valve into a common header. Each AFW pump takes steam from the common header through a normally open manual valve, a check valve, a DC operated normally open stop valve, and an air operated normally closed throttle valve. An alternate source of steam can be obtained from the steam generators of the other unit or from steam generated by the auxiliary steam generator, which uses an oil fired boiler. No credit was given for either of these alternate steam supplies. 2.2 System Operation During normal power plant operation, the.AFWS pumps are idle and the air operated flow control valves between the pumps and steam generators are closed. Given an initiating event, the AFWS is set into operation manually. Manual AFW initiation is by a semi-dedicated B13-4
operator in the control room follcwing any reactor trip. The semi-dedicated operator means that the operator has other duties in the control room until that time when the AFWS is needed, then he is dedicated 100% to operate, control, and monitor the system. A delayed, auto-start circuit is currently installed, however, no credit was given to it since it is temporary and non-safety class. 3.0 SURRY AUXILIARY FEEDWATER SYSTEM A simplified flow diagrath for the Surry APWS is shown in Figure B13-2 (reference WASII-1400 II 5-11). The AFWS consists of two 350 gpm electric-driven pumps and one 700 gpm turbine-driven pump along with associated piping, valves, and controls. All pumps can be started either automatically or manually. The system de-livers feedwater via separate suction lines from a 110,000-gallon condensate storage tank to the secondary side of three steam gen-erators through two headers. Each steam generator can draw f rom either header. The electric pumps are started automatically when: 1) a Safety Injection Control System (SICS) signal is present; 2) loss of off-site power is detected; 3) main feedwater pumps shut off; or 4) low water level is detected in a steam generator. The turbine pump is automatically started for detection of low water in a steam generator or loss of off-site power. Af ter about eight hours the condensate storage tank is ex-hausted and water must be drawn from the fire main (400,000-gallons with 400 gpm replacement) or from another condensate storage tank (300,000-gallons). Switching to these water supplies requires B13-5
1
)
manual valve operation. Successful operation requires flow of the equivalent of one electric-driven pump to any one steam generator. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY AFWS The two auxiliary feedwater systems are considerably dif-ferent although they perform the same function. Notable differences include:
- 1) Surry's AFWS is automatically initiated whereas Calvert Cliffs' AFWS is remote manually initiated.1
- 2) Several valves are shared by both pumps in the Calvert Cliffs pump suction lines as opposed to separate suction lines for each pump at Surry.
- 3) Calvert Cliffs delivers auxiliary feedwater to two steam generators; Surry delivers to three.
- 4) Calvert Cliffs has two turbine-driven pumps as op-posed to two electric and one turbine-driven pump at Surry.
There are some similarities between the plants. Each AFWS has common headers which allow delivery of feedwater to any steam generator from any pump, though the piping configurations are dif-ferent. Also, successful operation requires the flow from one pump to or.e steam generator. In general, however, the systems are quite different. l A delay auto-start circuit is currently installed, but it is temporary and non-safety class. B13-6
WAS!!-1400 assessed a 3.7 x 10-5 unavailability for Surry's AFWS for the case where off-site power is available. The dominant l failure for this case was a common mode failure where the discharge l valves for all three pumps are inadvertantly left closed after tests of the pumps. For the case where there is a loss of off-site power (LOP), an AFWS unavailability of 1.5 x 10-4 was assessed. The dom-l inant contributor for this case was failure of the diesels which provide emergency power to the electric pumps in conjunction with l test or maintenance failure of the turbine-driven pump. l l In Section 5.2.2, Calvert Cliffs #AFWS unavailabilities of 3.0 x 10-3 for T2 or T3 transients or S2 LOCAs and 3.9 x 10-3 for T 1 transients are calculated. The dominant failure in both cases was the failure of the operator to manually initiate the system. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event free Interrelationships The AFWS provides the function of emergency secondary heat removal and appears as part of Event L on the transient tree and Event D on the LOCA tree. For transients, core cooling can be achieved by the Power Conversion System or one of two AFWS trains operating. For S 2 LOCAs, core cooling is achieved with one of three High Pressure Injection System trains and one of two AFWS trains. B13-7
5.2 AFWS Model Description 5.2.1 AFWS Boolean Equations Two Boolean equations were developed to model AFWS failure. The first depicts system failure following T2 and T3 transients and S 2 LOCAs. The second depicts system failure following a loss of off-site power (T1 transient). AFWS = CONSTl (Applies to T2 or T3 transients or S 2 LOCAs) (Eq. B13-1) where CONSTl = Al + Bl*Cl + Dl'El + Fl*Gl + Fl*D1 + El*G1 + APWSCM. AFWS = CONSTl + D12*LOACRES*(F1 + El) + D21*LOACRES*(Gl + Dl)
+ D21*D12*LOACRES.
(Applies to T1 transients) (Eq. B13-2) Terms D21 and D12 in the above equation represent failures of emergency diesel generators #21 and #12 respectively and are described in Appendix B1, the Emergency Power System. Table B13-1 relates the rest of the terms with the components shown in Figure B13-1. Table B13-2 lists total component unavailabilities and each of the contributors to the component unavailability. These unavailabilities are comprised of hardware, human, test, and main-tenance faults where applicable. Technical Specifications for Calvert Cliffs state that com-ponents shall not be removed from service so that the affected AFWS train is inoperable for more than 72 consecutive hours. If one AFWS t B13-8
train is inoperable for more than 72 hours, the reactor must be shut i down. The average maintenance interval used in the Reactor Safety Study is 4.5 months, which corresponds to a frequency of 0.22 per i month. From the Reactor Safety Study, (Table III 5-3) the log , normal maintenance act duration for components whose range is lim-ited to 72 hours is a mean time of 19 hours. Therefore, the un- + i availability of one component due to maintenance is estimated to 1
, be 19(.22) = 5.8 x 10-3 720 i
1 1 One common mode failure was identified for the AFWS. The term AFWSCM represents the failure of the operator to manually initiate the AFWS. This failure mode was assessed to have a pro-l
~
bability of 1.0 x 10 . The Handbook of Human Reliability (refer- , ence 11) was used to generate this number and was based on a case study presented in Chapter 21. After a loss of offsite power and failure of a diesel generator, the turbine steam supply valves MOV-4071 and MOV-4070 will fail as is (they are normally closed). In this circumstance, the operator must open the local manual bypass valves Sy of S 2 The term LOACRES in the T y equation represents failure of the operator to open one of these valves. , 5.2.2 AFWS Unavailability i Using the Boolean equations given in the last section and the term unavailabilities given in Table B13-1, independent AFWS point estimate unavailabilities per reactor year can be calculated. i These are found to be: B13-9
For T2 or T3 transients or S 2 LOCAs, AFWS = 3.0 x 10-3, Por T 1 transients, APWS =13.9 x 10-3, Double test or maintenance contributions, i.e., components of both trains being deliberately removed from service for mainte-nance, were removed from these unavailabilities since this condition is not allowed by Techni~ cal Specifications. A quantitative ranking-of the Boolean terms for the AFWS J equation applicable to T2 rT 3 transients or S 2 LOCAs is given in Table B13-3. As can be noted, approximately 30% of the system un-availability is due to the common mode term AFWSCM. A quantitative ranking of the Boolean terms for the AFWS applicable to T1 tran-sients is given in Table B13-4. Again, the term AFWSCM is dominant, contributing approximately 25% to the total unavailability. The reader should be cautioned that these are unavailabil-ities for Calvert Cliffs' AFWS if the system is considered independent of all others. In general, the AFWS unavailability will depend on what other system successes or failures have occurred. l l l l l [ B13-10 l
Table B13-1. Boolean Equation Term Descriptions Term Boolean Term Term Definition Una'tailability Al C3 + C4 4.0 x 10-4 Bl P1 + P4 + S6 +' P3 + SS + TP21 2.9 x 10-2 s - Cl P2 + P6 + S8 + P5 + S7 + TP22 2.9 x 10-2 D1 H1 + HS + CV-4511 1.3 x 10-2 , f El H2 + H6 + CV-4512 1.3 x 10-2 Fl S3 + MOV-4071 1.3 x 10-2 , Gl S4 + MOV-4070 1.3.x 10-2 AFWSCM Operator fails to manually initiate the 1.0 x 10-3 ' system -- LOACRES Operator fails to res are ,, AFWS by opening manuig 13.0 x 10-1 bypass valves S or S (T y transients)
*D12 Diesel Generator 6.6 x 10 $12 fails
*D21 Diesel Generator 8.0 x 10-2
#21 fails CRefers to Appendix B1 J
B13-ll _ , ,
-^ - ___ _ _ _ _ . _ _ _ _
Table B13-2. Component Unavailabilities Component Pault Failure Description Identifiers Contributors Q/ Component P3, P5 Check Valve S3, S4, S5 S7, H5, H6 Hardware 1.0 x 10-4 Q Total 1.0 x 10-4 C3, C4, Pl Manual Valve P2, P4, P6 (Normally Open) S6, S8, H1 Operator Error 1.0 x 10-4 H3 Plugged 1.0 x 10-4 0 Total 2.0 x 10-4 Turbine Pump TP21 Hardware l 2.0 x 10-2 TP22 Control Circiit 1.8 x 10-3 Fails to operate 24 hrs. (3.0 x 10-5/hr) 7.2 x 10-4 Maintenance 5.8 x 10-3 Q Total 2.8 x 10-2 Control Valve CV-4511 Hardware 3.0 x 10-4 CV-4512 Control Circuit 6.4 x 10-3 Plugged 1.0 x 10-4 Maintenance 5.8 x 10-3 Q Total 1.3 x 10-2 Motor Operated MOV-4071 Hardware 1.0 x 10-3 Valve MOV-4070 Plugged 1.0 x 10-4 Control Circuit 6.4 x 10-3 Maintenance 5.8 x 10-3 0 Total 1.3 x 10-2 l ! 1 Turbine pump data taken from " Boston Edison Co. Pilgrim Station Unit 2 Station Blackout and Emergency Feedwater System Reliability," Bechtel Power Corp., Sept. 1978. I B13-12 f -_~
Table B13-3. Quantitative Ranking of Terms for the AFWS Boolean Equation for T2 or T3 Transients or S 2 LOCAs AFWSCM 1.0 x 10-3) Bl*Cl 8.4.x 10-4 Al 5.0 x 10-4 Dl'El 1.7 x 10-4 CONSTl Fl*G1 1.7 x 10-4 Fl*D1 1.7 x 10-4 El G1 1.7 x 10-4 Point Unavailability 3.0 x 10-3 B13-13
Table B13-4. Quantitative Ranking of Terms for the AFWS Boolean Equation for T1 Transients APWSCM 1.0 x 10-3 Bl*C1 8.4 x 10-4 D12*D21*LOACRES 5.4 x 10-4 Al 5.0 x 10-4 Dl'El 1.7 x 10-4 F1 G1 1.7 x 10-4 Fl*D1 1.7 x 10-4 El*G1 1.7 x 10-4 D21*LOACRES*G1 1.0 x 10-4 D21*LOACRES*D1 1.0 x 10-4 D12*LOACRES*F1 8.8 x 10-5 D12*LOACRES*El 8.8 x 10-5 Point Unavailability 3.9 x 10-3 1 1 B13-14 l
M M /- %'7o Y PT PI y , g , g gqg i n' 'sc NO. it C V-e/Sil l l 5.5 k Ass nZ tt
% %$ fan s;
YO UC sy, , DMPVW '/09) Y hp, p FO r0 a '- l 9 g- 't> , M9 8.tNE v U u ' =
'/ '#
Ao [HI PV PJ P' hTM Alfx iN si
^
GFN PENE stM M TP2.8 CitF M L y p,
.~.~ -3 h STOP P PI OOX i
MOOM r*. "*LVE y
._.i L
- Q^$'" " " b- f5
^UA rr C*** 0"i b sia A
CD w CV stssz - Y'tc nOOM w u. 41 -* y *. YADD ] TANK % PWT Sggg g Aux g NO.12 _ A c csriz oW un Ms , r, . s s1M GEN s. i P c3 (- ty i TO P6 n / C e O's s' ' K E NC t '""' AD AO T 2 A P2 T , , s ,u T 4 ,,
@~ -@ 'J TO uM8T NO. /
s TK O. PT LEGEND AO - Alli OPFnATED VALVE l .I H - NORMALLY CLOSED FO - F All OPEN . Aux b. YAno FA - FAIL AS IS FP nOOM NOTES
- NOnMALLY OPFN DC - D/C OPERATED VALVE SINGLE UNIT SHOWN - OTilER UNIT M
MOTOR OPERATED VALVE DMT - OEMINERAll2ED WATER TANK PWT -PnElf1EATED WATER TANK DW - WELL SYSTEM Figure B13-1. Calvert Cliffs Auxiliary Feedwater System
' li ljJIll ,l lljl lll X
= . X s x vA' t 4 C. ,a .a c I s O'c . r' e m c c c a r g U **oD a l i
' D c w o
' ' 'r '
l l F
' m e
o, t l s
- e M x y - S
_, III iI Il u lII
=
'c' ni v
' ',j, r e
- c ,
t _ rll j a ig l
- s,m ill l g n
'- dw i' ' , ;l, v ~"v c;cie.n 4 , : :
_ e . + *
. l c
- - e
. * " e e
v,, - F _ m
=,
y
'" li a - y
# m
_ .. ,v w
, - r
, n r
T'= - a l c e
"x a " -
i l w, l f
, / -. - ix is c, 7- - u
_ l c n r usu u nX , .
.- A y
_ - e ",
" - r r
_ - i
%, f
'" - u c C u , e
- S
_ n c, . c u ,no _ r J r e i ., :
- 2
_ e i e n: - t - _ 3 r e n,e - 1 J'U nt l l l il : I l
- B l : I11 il;l [,l' g l !I ll L e o
- r
$' u h,n"o" o E, g l
,P' i
~ - .' F r
- l!'
i- '
- rel
- 1,-
- ~e=
e r s'** w oCie* t
APPENDIX B14 SURVEY AND ANALYSIS COOLING WATER AND CONTAINMENT HEAT REMOVAL SYSTEMS (CHRS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE' l.0 INTRODUCTION ................................... B14-3 2.0 CALVERT CLIFFS CHRS DESCRIPTION ................ B14-3 2.1 System Description ........................ B14-3 2.2 System Operation .......................... B14-5 3.0 SURRY CHRS DESCRIPTION ......................... B14-6 4.0 COMPARISON OF CALBERT CLIFFS AND SURRY CHRS .... B14-8 5.0 CALVERT CLIFFS SYSTEM EVALUATION ............... B14-9 5.1 Event Tree Interrelationships ............. B14-9 5.2 CHRS Model Description .................... B14-10 5.2.1 CHRS Boolean Equations ............. B14-10 5.2.2 CHRS Unavailability ................ B14-22 B14-1/-2
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 cooling water and containment heat removal systems (CHRS) were reviewed and compared with the similar PWR Containment Heat Removal System (CHRS) design (Surry ) evalua-ted in the WASH-1400 study. The system designs for Calvert Cliffs and Surry are described in Sections 2 and 3 of this report, respec-tively. A comparison of the two systems is given in Section 4. CHRS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a description of the model used to incor- t porate CHRS failures into the Calvert Cliffs accident sequences and a point estimate of the CHPS unavailability assuming independence from all other Calvert Cliffs sy stems . 2.0 CALVERT CLIFFS CHRS DESCRIPTION The function of the CHRS is to provide cooling water to com-ponents in the turbine, auxiliary, and containment buildings for normal and emergency operation. Engineered Safety Feature compo-nents cooled by the CHRS include the high and low pressure injec-tion pumps and room coolers. Following a LOCA, the CHRS removes heat by providing water to cool the containment atmosphere and sump via the containment air and recirculation cooling system fan units and the shutdown cooling heat exchangers. 2.1 System Description The CHRS is comprised of three subsystems. These are the Component Cooling Water System (CCS), the Service Water System (SWS), and the Salt Water System. The CSS and SWS are designed to remove heat from the plant 's various auxiliary systems. The Salt B14-3
i Water System provides the cooling medium between the CCS and SWS heat exchangers and the ultimate heat sink, the Chesapeake Bay. Systems which remove heat from the containment during accident conditions are the Containment Spray Recirculation System (CSRS) and the Containment Air Recirculation and Cooling System (CARCS) which are cooled by the CCS and SWS, respectively. Figure B14-1 shows the simplified schematic of the Component Cooling System, Service Water System, and the Salt Water System. Each system contains three motor driven pumps, heat exchangers, and piping and instrumentation. All remotely operated valves are either air operated or hydraulically operated and fail safe in the emergency containment heat removal mode. The CCS is a closed loop system with the following components:
- 1) 3 component cooling pumps (5000 gpm each);
- 2) 2 component cooling heat exchangers which provide cooling for the high and low pressure safety in-jection pumps and the shutdown cooling heat ex-changers;
- 3) 2 shutdown cooling heat exchangers which provide cooling for spray water to remove heat from the containment following injection (see Appendix B12).
The SWS is a closed system with the following components:
- 1) 3 service water pumps (7000 gpm each);
- 2) 2 service water heat exchangers which provide cool-ing for turbine auxiliaries, fuel pool heat exchang-ers, containment coolers, and diesel generators; B14-4
- 3) 4 containment coolers (CARCS) which cool the con-tainment (see Appendix B15).
The Salt Water System is an open system which circulates bay water to cool the CCS and SWS. The Salt Water System consists of the following components:
- 1) 3 salt water pumps (15,500 gpm each);
- 2) 2 SWS and 2 CCS heat exchangers.
2.2 System Cperation The Salt Water System is a two train system. During normal opsration, both salt water trains will be in operation. Each train cupplies one service water heat exchanger, one component cooling water heat exchanger, one ECCS pump room cooler and several non-vital loads. After a LOCA, Engineered Safety Features Actuation System (ESFAS) signals will (1) start the salt water air compres-sors which provide control air to the salt water air operated valves, (2) close valves to stop flow to the circulating water pump room coolers, (3) open the service water heat exchanger dis-charge valve, and (4) close the component cooling water heat ex-changer inlet valve (heat exchanger is not needed during injection). The component Cooling System is also a two train system which functions to cool the shutdown cooling heat exchangers, the HPIS cnd LPIS pump seal coolers, and several non-vital loads. One CCS pump is running during normal operation to supply the non-vital i loads. It is assumed that pump CC21 is the one running. Upon re-ceiving an ESFAS signal, the other CCS pumps will start and the shutdown cooling heat exchanger discharge valves will open. l l B14-5 l
The Service Water System (SWS) is also a two train system. The SWS provides cooling water to the Containment Air Recircula-tion and Cooling System (CARCS) fan units, the diesel generator jacket coolers, and several other non-vital loads. Both SWS trains run during normal operation. Upon receiving an ESFAS signal, valves will be closed to prevent flow to the service water turbine area and the spent fuel coolers, and the inlet valves to the CARCS fan units will open. 3.0 SURRY CHRS DESCRIPTION The function of the Containment Heat Removal System (CHRS) is to cool the containment sump water being recirculated through the Containment Spray Recirculation System (CSRS). The system includes the cooling water source, the secondary side of four heat exchang-ers and associated piping and valves (see Figure B14-2). River water is the source of water for the heat exchangers. The service water is directed through the secondary side of the heat exchangers for heat removal and is discharged into the dis-charge canal. The water is supplied from the Circulating Water System by gravity flow between the high level intake canal and dis-charge canal seal pit. Intake canal water flows under the influence of a 20-foot grav-ity head thrcM;h the heat exchangers when the MOV-SW-103 valves are opened via the Consequence Limiting Control System (CLCS) HI-HI sig-nals. The water flows from the common header through normally open valves (MOV-SW-104), through the heat exchangers, and then through another set of normally open valves (MOV-SW-lOS) into the discharge B14-6
canal. The containment sump water is recirculated at a higher pres-sure than service water; therefore, leakage would be of sump water to the discharge cooling water. A sample of discharge water from ! cach heat exchanger is passed through radiation monitors (RM-SW-114, -155, -116, and -117) which are automatically started by the CLCS III-llI signals. If activity is detected in one of the dis-l charge lines, the plant procedures require the operator to close the appropriate isolation valves (MOV-SW-105 valves and MOV-SW-104 valves) to isolate the leaking heat exchanger. Air vents are located at the high point in each of the service water supply and discharge lines (eight in total). Each line is two inches in diameter and includes a (normally open) manual valve and a check valve. The purpose of these vents is to allow air in the heat exchanger system to escape, in order not to impede the start of service water flow. The level in the intake canal is maintained by eight circula-ting water pumps which supply water from the river. These pumps are powered by offsite power. If offsite power is lost, water flow into the intake canal from these pumps is stopped and flow from the canal to the two condensers in each unit must be stopped to avoid draining the 25,000,000 gallon intake canal. Upon receipt of a
" loss of electric power" signal coincident with a CLCS HI-III signal in Unit 1, the condenser inlet and outlet valves (MOV-SW-106 and -100) are automatically closed on the Unit 1 condensers. At the same time one valve in each circulating water line to the Unit 2 condenser is closed (MOV-SW-200B, -200D, -206A, -206C). Since the accident has directed the swing diesel (No. 3) to Unit 1, only the B14-7
No. 2 diesel is available for Unit 2, and hence only four of the eight valves on Unit 2 have power. The operators have the capa-bility of switching the No. 3 diesel generator to Unit 2, from the control room, should such a condition exist. There are three diesel-driven emergency service water pumps of 15,000 gpm each, which can supply water to the intake canal from the river and which start upon loss of station power, these are only intended to supply the necessary service water under the assumption that all condenser main coolant lines are closed.
- a. The CHRS is designed on the following basis:
- 1. Two of the four heat exchangers are required for the first 24 hours following an accident, and only one after this period.
- 2. Sufficient cooling water flow to all four heat exchangers can be obtained through either of two lines from the intake canal and through any one of the four MOV-SW-103 valves pro-vided that normally open valves MOV-SW-106A and SW-106B are open.
4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CHRS The Calvert Cliffs and Surry CHRS are both capable of 200% heat removal capacity. The two systems are completely dif ferent in design and operation. The Calvert Cliffs CHRS uses the Chesapeake Bay for its heat sink. Three salt water pumps per unit take suction directly from the bay and supply the component cooling and service water heat B14-8
cxchangers. The bay is considered a constant inexhaustible sup-ply of cooling water. Surry, on the other hand, must incorporate a 25,000,000 gal-lon intake canal for storage of cooling water in case of dam failure downstream from the plant. The cooling water flows under a 20 foot gravity head from the intake canal to the main condensers cnd heat exchangers. Water is pumped to the intake canal via four circulating water pumps which are powered by offsite power. Upon loss of offsite power or loss of downstream dam conditions, flow to the main condensers will be stopped to avoid draining tho 25004000 gallon intake canal. Containment heat removal at Surry is accomplished with four spray trains (50% capacity each) . Heat removal at Calvert Cliffs le performed with two spray trains and four building coolers. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The CCS, SWS, and Salt Water System collectively form the con-tainment heat removal system at Calvert Cliffs. The CCS and SWS remove heat from ESF components and the containment atmosphere and transfer it to the Salt Water System. The Salt Water System then transfers the heat to the ultimate heat sink, the Chesapeake Bay. The following list illustrates which systems contribute to which event tree events: I l B14-9
Sy stem Event SWS LOCA events Y and Z Transient event O CCS LOCA events D, H, and G Salt Water System LOCA events F, Y, Z, D, H, G Transient event O The SWS is required to cool the CARCS fan units during both the injection and recirculation after a LOCA. After a loss of offsite power, the SWS is needed to provide diesel jacket cooling so that emergency power can be generated. The CCS is required to cool the high and low pressure pump seals during LOCA injection and recirculation phases. The CCS is also needed to cool the shutdown cooling heat exchangers for long term containment heat removal. The Salt Water System is required for most events in which the CCS or SWS is needed and also supplies room cooling for the ESF pumps during recirculation. Secondary cooling of the CCS is not required during injection. i i 5.2 CHRS Model Description 5.2.1 CHRS Boolean Equations Ten Boolean Equations were developed to model CHRS fail-ures. In general, these equations are combinations of SWS, CCS, and Salt Water System component or actuation failures which model particular cooling water failures of the ESFs. The first two equations depict the cooling water failures j that were input into the CARCS Boolean equations for all initia-l tors except Tl transients.
- B14-10
_ - - ~- -, .__ __ , . _ . - _ _ _ . . _ _ _ _ _ _ _ .. .
SW21 = A2 + C2 + D2 + SIA5 + SIA7 + SIASCM + SIAL SIBI
+ SIA9 (Eq. B14-1)
SW22 = E2 + F2 + G2 + SIB 9 + SIB 7 + SIA8' SIB 8 + SIB 5 'SIA5 + CSA3 *CSB3 + SIAL SIB 1 + SIASCM . (Eq. B14-2) j Equation B14-1 represents cooling water failures for CARCS l fan units 21 and 22. Equation B14-2 represents cooling water fail-uros for CARCS fan units 23 and 24. The terms A2, C2, E2, and F2 t I depict Salt Water System component failures while terms D2 and G2 depict SWS component failures. Prior to a LOCA or transient, both salt water and service water loops will be operating. It is therefore assumed that the normal flowpaths are verified. This implies: l a) Manual valves 84, 86, 76, and 78 and check valves l 85 and 87 in the Salt Water System are open and t i providing flow; b) Control valves 5149, 5160, and 5162 in Salt Water System are closed; c) Valves 5150, 5210, 5250, 5251, 5152, 5212, and 5153 in the Salt Water System are open and pro-viding flow; d) Manual valves 2, 8, 10, 10a, 57, 59, 60, 56, 58, 65, 68, 7, and 9 and check v.alves 1 and 67 in the SWS are open and providing flow; e) Valves 1600, 1638, 1599, 1637, 1639, and 1598 in the SWS are open and providing flow. B14-ll
The rest of the terms in the above equations represent Engineered Safety Features Actuation System (ESFAS) failures which affect the SWS or Salt Water System. ESFAS subchannel SIA5 closes valves CV-1637 and CV-1600 and subchannel SIB 5 closes CV-1638 (CV-1639 is not signalled closed). If both of these subchannels fail, it is assumed that SWS flow will be diverted to the turbine area. ESFAS subchannels SIAL or SIB 1 are required to start the Salt Water System air compressors which provide control air to the air operated valves. The system is assumed to fail without con-trol air. The subchannels SIA7 and SIB 9 open the Salt Water Sys-tem discharge valves on the SWS heat exchangers (CV-5210 and CV-5212). Subchannels SIA7 and SIB 7 close the component cooling water heat exchanger inlet valves (CV-5160 and CV-5162). These valves are closed so that full saltwater flow is diverted to the service water heat exchangers during the injection phase of a LOCA. ESFAS subchannels SIA8 or SIB 8 are required to close valves MOV-5250 or MOV-5251. Closure of one of these valves prevents salt water flow from being diverted to the circulating water pump room coolers. This failure is applicable only for salt water train 22. Subchannels CSA3 or CSB3 are required to close valves CV-1598 or CV-1599 to prevent SWS flow from being diverted to the spent fuel coolers. This failure mode is also only applicable to salt water train 22. Finally, the term SIASCM represents a common mode fail-ure of the SI ESFAS subchannels due to sensor miscalibrations. Equations B14-1 and B14-2 represent cooling water failures for the CARCS for all initiators except T1 transients. For T1 transients, slightly different forms were used. The terms A2, D2, B14-12
l E2, and G2 represent failures of the salt water and service water pumps to continue operating for 24 hours (they are normally in operation). For T1 transients, these terms were replaced with A2T1, D2T1, E2T1, and G2T1 which depict not only failure of con-tinued operation of the pumps, but also pump start failures and control circuit malfunctions (the pumps must be restarted follow-ing a loss of offsite power) . Equation B14-1, with A2 and D2 replaced with A2T1 and D2T1, is referred to as Equation B14-1(a) in the main report. The modified form of Equation B14-2 is referred to as Equation B14-2(a). The following equations represent the cooling water fail-ures that were input into the HPIS and LPIS Boolean equations for all initiators except loss of offsite power transients. HPLP21C = K1 + Ll*(M1 + SIB 7) + H1 . (Eq. B14-3) HP23LP22C = J1 + Ll* (M1 + SIB 7) + H1 .- (Eq. B14-4) Equation B14-3 represents pump seal cooling failure during injection for LPIS pump 21 and HPIS pump 21. Equation B14-4 repre-sents pump seal cooling failure during injection for LPIS pump 22 and HPIS pump 23. (HPIS pump 22 is assumed unavailable, see Appen-dix B8.) The terms K1, J1, L 1, M1 and H1 represent Component Cooling System component failures. Salt water cooling of the CCS heat exchangers is not required for pump seal cooling during the injection phase. One CCS pump is running during normal operation (it is as-sumed to be pump CC21) which implies that certain valves in train B14-13
l 21 have flow path verification. Valves C101, M102, M103, CV-3826, M104, and Mll2 are assumed to be in the correct operating configura-tion. The term SIB 7 represents an ESFAS actuation failure. Sub-channel SIB 7 actuates CCS pump #22. Equations B14-3 and B14-4 represent HPIS and LPIS pump seal cooling failures for all initiators except Tl transients. For T1 transients, slightly different forms were used. The term L1 de-picts failure of CCS pump 21 to continue running. For T1 tran-sients, the term L1 in Equations B14-3 and B14-4 was replaced with the two terms LlT1 + D12 which represents not only failure of con-tinued operation of the pump, but also pump start failures and con-trol circuit failures. The term D12 represents failure of diesel generator #12 to provide emergency power to pump CC21. Another change made to Equations B14-3 and B14-4 was to add the term D21 into the parentheses containing M1 and SIB 7. The term D21 represents the failure of diesel generator #21 to provide emer-gency power to pump CC22. The described changes were made to Equations B14-3 and B14-4 for T1 transients. These new forms are referred to as Equations B14-3(a) and B14-4(a) in the main report. For example, HPLP21C (used for T1 transients) = K1 + (LlT1 + D12)*(M1 + D21 + SIB 7) + H1 . (Eq. B14-3(a)) The next four equations represent cooling water failures that were input into the HPRS, LPRS, and CSRS Boolean models. B14-14
HPLP21CR = HPLP21C + RASCM + (E2 + N1 + RASB1)*(R1 + S1 + A2 + RASA1) . (Eq. B14-5) HP23LP22CR = HP23LP22C + RASCM + (E2 + N1 + RASBl)*(R1 + S1 + RASAl + A2) (Eq. B14-6) R21 COOL = A2 + R21 + S IAl
- SIB 1 (Eq. B14-7)
R22 COOL = E2 + R22 + SIAL
- SIB 1 (Eq. B14-8)
Equation B14-5 represents pump seal cooling failure during recirculation for LPRS pump 21 and HPRS pump 21. Equation B14-6 represents pump seal cooling failure during recirculation for LPRS pump 22 and HPRS pump 23. Equations B14-7 and B14-8 depict pump room cooling failures during recirculation for the HPRS, LPRS, and CSRS pumps. It is assumed that without room cooling during recirculation the pumps will eventually fail. The terms HPLP21C and HP23LP22C represent pump seal cooling failures during the injection phase and are in turn represented by Equations B14-3 and B14-4. The terms RASA1, RASB1, and RASCM depict Recirculation Actu-ation Signal (RAS) failures. RAS subchannels RASAl and RASBl send signals to open the salt water inlet and outlet valves on the com-ponent cooling water heat exchangers. The term RASCM represents a common mode failure of subchannels RASAl and RASBl due to miscali-bration of the RAS sensors. Refer to Appendix B10. B14-15
Salt water cooling is required for successful pump seal cool-ing during recirculation. The terns E2, N1, A2, and S1 represent component failure in the salt water trains. The term R1 represents component failure in component cooling water loop 22. The ECCS room coolers are assumed to be required during re-circulation for the HPRS, LPRS, and the CSRS. Equations B14-7 and B14-8 were input into the Boolean m6dels of these systems. The Salt Water System directly supplies two ECCS room coolers. Each cooler cools a high pressure, low pressure, and containment spray pump. The terms A2, E2, R21, and R22 depict component failure of the Salt Water System and room coolers. The terms SIAL and SIBl represent actuation failures of the Salt Water System. Engineered Safety Features Actuation System (ESFAS) subchannel SIAL or SIBl is required to start the Salt Water System air compressors which supply the air operated valves. Equations B14-5 through B14-8 were used for all initiators except loss of offsite power transients (TI). For T1 transients, slightly different forms were used. For Equations B14-5 and B14-6, the T1 transient forms of terms HPLP21C and HP23LP22C were used. In addition to this, the terms E2 and A2 were replaced with the terms E2T1 and A2T1. Refer to the discussion of Equations B14-1 and B14-2. Finally, two terms were included to describe failures of the diesel generators. The terms D12 and D21 depict failure of emergency diesel generators
#12 and #21.
B14-16
Incorporating.these changes gives: HPLP21CR (T1 transients) = HPLP21C (T1 transients) + RASCM + (E2T1 + RASBl + N1 + D21) - ( A2T1 + RASAl + S1 + R1 + D12) , (Eq. B14-5(a)) Ond HP23LP22CR (T1 transients) = HP23LP22C (T1 transients) + RASCM + (E2T1 + RASBl + N1 + D21) (A2T1 + RASAl + S1 + R1 + D12) . (Eq. B14-6(a)) The T1 transient forms of Equations B14-5 and B14-6 are re-ferred to as Equations B14-5(a) and B14-6(a) in the main report. Equations B14-7 and B14-8 also have different forms for T1 transients. The A2 and E2 terms again become A2T1 and E2T1, and the LOPNRL terms are added. The T1 forms of Equations B14-7 and B14-8 are given below and referred to as Equations B14-7(a) and B14-8(a) in the main report.
=
R21 COOL (used for T1 transients) A2T1 + R21 + SIAL *SIBl + D12, (Eq. B14-7(a)) and B14-17
R22 COOL (used for T1 transients) = E2T1 + R22 + SIAL - SIBI + D21 . (Eq. B14-8(a)) The next equation depicts a cooling water failure of the emergency diesel generator jacket cooler #21. It is assumed that without jacket cooling the emergency diesels will fail. This equation was input into the Boolean equation used to model emergency diesel #21. See Appendix Bl. SW22DGT1 = E2T1 + G2Tl + F2 (Eq. B14-9) Diesel generator #21 receives cooling water from SWS train 22 which, in turn, is cooled by salt water train 22 via the SWS heat exchanger. Term E2Tl and F2 represent pump and compo-nent failures of salt water train 22. Term G2T1 represents pump and component failures of SWS train 22. Diesel generator #12 normally receives cooling water from Unit l's SWS train #12. Since Unit l's cooling water systems are independent from Unit 2's, a point estimate of 3.2 x 10-2 was used for SWS train #12. This value, referred to as SW12DGT1 in the model for diesel #12, is the same as that calculated for Equation B14-9. Diesel #12 may also receive cooling from SWS train #21 in the event of SWS #12 failure. The Boolean equation for SWS train #21 is: SW21DGT1 = A2T1 + C2 + D2T1. The last equation describes the Containment Heat Removal Sys-tem (CHRS) which contributes to the LOCA event G. The CHRS is re-quired when all four containment air recirculation and cooling system fan units are unavailable. B14-18
CHRS = [B + O + CSA2 + SIAL + R21 COOL + O' + W + RASAl + P1 + SIA7 + (E2 + N1 + RASB1)*(R1 + S1 + A2 + RASA1) + Ll*Ml]*[C + P + CSB2 + SIBl + R22 COOL + P' + V + RASBl + Ol + SIB 7 + (E2 + N1 + RASB1)* (R1 + S1 + A2 + RASA1) + Ll Ml] . (Eq. B14-lO) Three fluid systems are needed to remove containment heat. The Containment Spray Recirculation System (CSRS) delivers water from the sump, through the shutdown cooling heat exchangers, to the containment spray headers. The CCS supplies water to the sec-ondary side of the shutdown cooling heat exchangers, and the Salt Water System cools the CCS water via the CCS heat exchangers. Equation B14-10 depicts failure of both CSRS trains to re-move containment heat and includes all combinations of CSRS, CCS, and Salt Water System component failures (i.e., the above equation simply stated is CHRS = [ failure of CHRS via containment spray / chutdown heat exchanger loop 21]*[ failure of CHRS via containment apray/ shutdown heat exchanger loop 22]) . The terms B through RASAl and C through RASBl represent failures of the CSRS and are described in Appendix B12 and in earlier parts of this Appendix. The terms (E2 + N1 + RASB1)*(R1 + S1 + A2 + RASA1) depict failures in the Salt Water System (except Rl) and were described earlier in this Appendix. The terms SIA7 and SIB 7 are CHRS actuation failures. En-gineered Safety Features Actuation System subchannels SIA7 and B14-19 1
SIB 7 are required to signal the shutdown cooling heat exchanger outlet valves open. If these valves are left closed, containment heat removal will fail. The terms P1, 01, L1, R1, and M1 represent component failures in the Component Cooling System. Equation B14-lO was used to model the CHRS for all initia-tors except loss of offsite power transients (T1). For T1 tran-sients a slightly different form was used. For T1 transients, Equation B14-10(a) was used to model the CHRS. CHRS (T y transients) = [C + P + CSB2 + SIB 1 + R22 COOL + D12
+ P' + V + RASBl + Ol + SIB 7 + (E2Tl + RASBl + D21
+ N1) -
(R1 + S1 + A2T1 + RASAl + D12) + (LlT1 + D12) (M1 + D21)] - [ B + 0 + CSA2 + SIAL + R21 COOL + W
+ RASAl + P1 + SIA7 + O' + D12 + (E2T1 + RASBl
+ D21 + N1) -
(R1 + S1 + A2T1 + RASAl + D12) 4 (LlT1 + D12) - (M1 + D21)] . (Eq. B14-10(a)) As in previous equations, the terms E2, A2, L1, and M1 have been replaced with E2T1, A2T1, LlT1, and MlT1. Also the diesel terms have been added. Finally, the T y forms of R21 COOL and R22 COOL were used (Equations B14-7 (a) and B14-8(a)). Table B14-1 relates the terms in Equations B14-1 through B14-10 with the components in Figure B14-1 and lists the term unavailabilities. Table B14-2 lists the contributors used in the B14-20
component unavailabilities. These unavailabilities are composed of hardware, maintenance, and human faults where applicable. Technical Specifications for Calvert Cliffs state that com-ponents shall not be removed from service so that the affected cool-ing water train is inoperable for more than 72 consecutive hours. If one train is inoperable for more than 72 hours, the reactor must be shut down. The average maintenance interval used in the Reac-tor Safety Study is 4.5 months, which corresponds to a frequency of 0.22 per month. From the Reactor Safety Study, (Table III 5-3) the log normal maintenance act duration for components whose range is limited to 72 hours is a mean time of 19 hours. Therefore, the un-availability of one motor operated valve due to maintenance is es-timated to be: 19(.22) -3 720 = 5.8 x 10 Calvert Cliffs Technical Specifications also state that only two system pumps are required for extended operation of the CCS, SWS, and Salt Water System; one of the three pumps in each system can be out indefinitely. Therefore, pumps CC23, SW23, and S23 are assumed to be unavailable. Credit was given to these pumps in that no test or maintenance contributions were attributed to the other pump unavailabilities. It is assumed that the third _ system pump will be operable if the other pumps need to be tested or taken out for maintenance. B14-21
5.2.2 CHRS Unavailability Using the Boolean equations given in the last section and 1 the term unavailabilities given in Table B14-1, independent point i I' estimate unavailabilities can be calculated. These are found to be: i SW21 = 3.7 x 10-2 (3.6 x 10-2)* SW22 = 3.7 x 10-2 (4.3 x 10-2)* I HPLP21C = 1.0 x 10-3 (7.5 x 10-3)* HP23LP22C = 4.1 x 10-4 (6.9 x 10-3)* HPLP21CR = 5.9 x 10-3 (1.4 x 10-2)* HP23LP22CR = 5.3 x 10-3 (1.3 x 10-2)* R21 COOL = 1.9 x 10-2 (2.8 x 10-2)* R22 COOL = 2.6 x 10-3 (3.5 x 10-2)* SW22DGT1 = 3.2 x 10-2 SW12DGT1 = 3.2 x 10-2
-2 SW21DGT1 = 2.6 x 10 1
The reader should be cautioned that these are unavailabil-ities for Calvert Cliff's CHRS and cooling water systems if the systems are considered independent of all others. In general, the unavailabilities will depend on what other system successes or failures have occurred. Value applies for T 1 transient case. B14-22
Table B14-1. Boolean Equation Term Descriptions Boolean Term Tarm Term Definitions Unavailability A2 S21 7.2 x 10-4 C2 CV-5210 + CV-5150 1.9 x 10-2 D2 SW21 + CV-1637 7.4 x 10-3 E2 MOV-5250 MOV-5251 + S22 7.2 x 10-4 F2 CV-5152 + CV-5153 + CV-5212 2.4 x 10-2 G2 SW22 + CV-1598 CV-1599 + CV-1638 7.2 x 10-4
- CV-1600 K1 M105 + M106 + M107 + M108 + M109 8.0 x 10-4 til Mill 2.0 x 10-4 ,
J1 M110 2.0 x 10-4 L1 CC21 + Mll3 9.2 x 10-4 M1 CC22 + Mll4 + M116 + C115 9.8 x 10 R21 Room cooler 21 1.9 x 10-2 R22 Room cooler 22 2.5 x 10-2 P1 Mll7 + CV-3828 1.2 x 10-4 Ol Mll8 + CV-3830 1.2 x 10-4 N1 CV-5162 + CV-5208 2.4 x 10-2 S1 CV-5160 + CV-5206 2.4 x 10-2 R1 CV-3824 + M9A + M28A 1.0 x 10-1 LlT1 CC21-Tl + M113 3.7 x 10-A2T1 S21-Tl 3.5 x 10-3 E2T1 S22-Tl 3.5 x 10-3
-3 G2T1 SW22-Tl 3.5 x 10
-3 D2T1 SW21-Tl 3.5 x 10 B14-23
~ - .. .-
/ m 3 <
1 Table B14-1. (continued) ' i l Boolean , Term Term Term Definitions ___- Unavailability i 1S IAl SIAS subchannel Al < 5.0 x 10-3 1S IB1 SIAS subchannel B1 "
< ;e ,, - :
IS IA5 SIAS subchannel A5 - is IB5 SIAS subchannel B5 i~ IS IA7 SIAS subchannel A7 " 1S IB7 SIAS subchannel B7 ' IS IA8 SIAS subchannel A8 p" - a,- ISIB8 SIAS subchannel B8 i i - . 1S IB9 SIAS subchannel B9 . J - " 1CSA2 CSAS subchannel A2 # (2I2
., i ' .c' x 10S '
1CSB2 CSAS subchannel B2 ' i ."'
,e .
ICSA3 CSAS subchannel A3 , , i
.;/,.>
ICSB3 "- CSAS subchannel B3 ,
, i t
1RASAl RAS subchannel Al ',. 3 5.'O.x 10-3 3, I .J ' 1RASBl RAS subchannel B1 ,, j h" i IS IASCM SIAS common mode f ailure . 3.2'$ 10-5 i m 1RASCM RAS common mode failure -
' . ;I! 1.0 } x' 10-3' ~
.. ' i 2D12 Diesel #12 -
6.8'x 10~.2' ' 2D21 Diesel #21 -
' ,6.9 x 10~2 -
E '. - s
+ w
-t ,
~
1 Refer to Appendix B10. 2 Refer to Appendix Bl. , B14-24 '
*A t
- - - , , - , , ,- - . ,- - r
l- . , l . Table B14-1. (continued) Boolean Term Torm' Term Definitions Unavailability a
, 4-B s
. Refer to Appendi x 12 7.0 x 10-3 C Refer to Appendix 12 7.0 x 10-3 O Refer to Appendix 12 2.9 x 10-2 P .
Refer to Appendix 12 2.9 x 10-2 O' Refer to Appendix 12 7.2 x 10-4
. P' Refer to Appendix 12 7.2 x 10-4 'O V Refer to. Appendix 12 1.3 x 10-2 l
H.J
/' N '< Refer to Appendix 12 1.3 x 10-2 D
l. e
/
\
s B14-25 l
\
. = _ _ . . _. . .. - -- . _ . . . - _ - - _ - - - - . - . - .. .- - _ .- . - - . .. . _ . ..
1 , r Table B14-2. Component Unavailabilities i Component Description Fault Identifiers , Failure Contributors O/ Component i Check Valve Cll5 Hardware 1x 10-4 O Total 1 x 10-4 r i 4 1 t Manual Valve M105s M106, M107, (Normally open) M108, Mill, M110, . j M113, M114, Mll6, ! i M117, Mll8 Plugged 1 x 10-4 ! Operator Error 1 x 10-4 O Total 2 x 10-4 l fo a I
! I Control Valve CV-5210, CV-5212 Hardware 6.0 x 10-4 1 $ Control Circuit 6.4 x 10-3 Maintenance 5.8 x 10-3 g Plugged 1.0 x 10-4 Q Total 1.3 x 10-3 ft Control Valve CV-5152, CV-5153, i CV-5150. Maintenance 5.8 x 10-3 j 1
Q Total 5.8 x 10-3 ' Control Valve CV-3828, CV-3830, Hardware 3.0 x 10-4 CV-5162, CV-5208, CV-5160, CV-5206 Control Circuit 6.4 x 10-3 . 4 Maintenance 5.8 x 10-3 , O Total 1.2 x 10-3 '
- , , ,= --n v v w . y
Table B14-2. (continued) i
- j. Component i Description Fault Identifiers Failure Contributors O/ Component Control Valve CV-1637 Hardware 3.0 x 10-4 .
i Control Circuit 6.4 x 10-3 ' 4 O Total 6.7 x 10-3 i i i Control Valve CV-3824 Operator fails to ! open valve given failure of CCS loop 22 1.0 x 10-1
! O Total 1.0 x 10-1 m
H Pump (Normally SW21, S21, Fails to continue 1 f N operating) SW22, S22, operating 24 hours l CC21 (3 x 10:2/hr) 7.2 x 10-4 I O Total 7.2 x 10-4 Pump (Must Start) CC22 Hardware 1.0 x 10-3 . Control Circuit 1.8 x 10-3 Maintenance 5.8 x 10-3
- Fails to operate t 24 hours l (3 x 10-5/hr) 7.2 x 10-4 0 Total 9.3 x 10-3 I
l i i
Table B14-2. (continued) Component Description Fault Identifiers Failure Contributors O/ Component Pump (Restart CC21-T1, SW22-T1, Hardware 1.0 x 10-3 af ter T 1 transients) S21-T1, SW21-T1, Control Circuit 1.8 x 10-3 S22-Tl Fails to operate 24 hours (3.0 x 10-5/hr) 7.2 x 10-4 Q Total 3.5 x 10-3 Room Cooler 21 Pan fails 8.4 x 10-4 Control Circuit 6.0 x 10-3 Hardware 1.3 x 10-2 N y Q Total 1.9 x 10-2 Room Cooler 22 Pan fails 8.4 x 10-4 Control Circuit 6.0 x 10-3 Hardware 1.9 x 10-2 O Total 2.5 x 10-2
1 r
,,,,, , . Wrf; ma u .,
w .we .1 f. . ~J. rilei;;!;d0:M; t gast J3 - - I,44
- j .i ibr )
.j b Ifih i[*k IEcg/ jif2IiE_a 1*' b E=.
Lt .,j ::: @a*
- e. E q !=
g
< i -4
- au .
eu{ ,g -" I 8 e 6g
! ald -=! ,
dzzlll1I.fl4 , = I
. 5eu. ~
~ d ,~ . n l.e ~q ti h ~ [ ,r .
O
, f:* ,
j 1 a wy gs u g h $* i a : It I I 3r.I o e-I -
~
~p 0 tde--< . a
;e x; * :i:. /
p~.--}l } . 1 2 t r-o-/ 1
,. t--2.I c }2'Emam N -I~ _-4Isi:T ;y.,ye Ia i .
I,_
' &_E E '}V[1._ 7-g{
f' "' ' j,'
&X{ J -ip. g [ , , i i i s ")
> 1 1 me 6 $
~
J" j = l l 0- -- g>
+
T eo -* T* 1, 1 1r il- TT se 4o
=
./ /= / /- // gl=igi
- oo h ] __I 'I !!5jj!! O" D[) ~ a -
AL
~
a
- 32. I
/*
.W. #.:::
- w
- .:_T 'I 3
! k: ! 5I!!: k~ -
o
+
x 3 :xi :: e, I
. l l u s!
9c
.N
~
C - - l
*= , an a- ..'i.'ha d-- by f' jl,l Hr l F- v
' . J, eo
..? + ..$ 4k
~ J= +i s Ey N
~h D " 1.
~a ,q
- o-7 g .Mg. .*h l D gh
- U n 55 $$t
" E
$5% 1 o2 6 O
,5 EEE 5 Z
- y. . : -.x m k
,T I d .
h v
-4 l F -
2 a 3 I t
. I C
u p
, /l' 'e,-t {t (I
/ -( m
- /og ./ -
m
-1 e z u 1 5
= -e a-faal ( ~t Q
!!:=-
ft -
- 6p.:
hi ivi o it s , 53 a = = sf ::: a at
$ I E B14-29
)
\
t i le la
*} W 24
\
t d , !' il j ( m y i ' h itt itI w T ls l lla 4 isl n &
-% M 'l I! I' I!
__ s m .
!! I!
I 6 S a I f) .$ o l
!! ,'j I!
4 g - / A l
= s i i
} E Ic J;. .i , le > e 9 . .
5 u M,L
--- , M y I\ [g , r-g ,
3!! I
, )' l 6
,, IS g
I
,. I I 14 m
- .'l i l i i ,
u
.. si = t% 8
!-e l g8 f J l l O li .! la E' 'y D 4
- g. ,
*I i lN.,i . ii s 4 m
!_!.kn
- s" ..!
l
- fr .fat e
,/
i Ti gli l l 17 s lI *
;m 8 e
i -r., i i*
- n ? i a aj o l
n m
"e s , e i I I
c - . n i i 8 I , 5 Oe - @m ',a l
- 18a n i 'I u :: ,.
t l ci i , m sf i' " . g*g
.v. 1 .
) j
,; r . a i I op- J - : i l
r-. i Id'd i q i::t i i t n!/j a 2- i : :f , i {q p i j it", i t I"l I-r i I _.AI. l I I i
-- d l
, !I /..a !i i "
.f M,
,i a
i la L, _ _ _ _ _ _ _ i v ' f C B14-30
APPENDIX B15 SURVEY AND ANALYSIS CONTAINMENT AIR RECIRCULATION AND COOLING SYSTEM (CARCS) - CALVERT CLIFFS PLANT TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
........................................ B15-3 2.0 CALVERT CLIFFS CARCS DESCRIPTION .................... B15-3 2.1 System Description ............................. B15-3 2.2 System Operation ............................... B15-4 3.0 SURRY CARCS DESCRIPTION ............................. B15-5 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CARCS ........ B15-5 5.0 CALVERT CLIFFS SYSTEM EVALUATION .................... B15-5 5.1 Event Tree Interrelationships .................. B15-5 5.2 CARCS Model Description ........................ B15-7 5.2.1 CARCS Boolean Equations ................. B15-7 5.2.2 CARCS Unavailability .................... B15-9 l
l i l B15-1/-2 l
1
1.0 INTRODUCTION
The Calvert Cliffs Unit 2 Containment Air Recirculation and Cooling System (CARCS) was reviewed. Since the WASH-1400 Surry PWR does not have a similar system, a comparison could not be made. The CARCS design for Calvert Cliffs is described in Section 2 of this report. CARCS event tree interrelationships are detailed in Section 5. Also included in Section 5 is a description of the model used to incorporate CARCS failures into the Calvert Cliffs accident sequences and a point estimate of the CARCS unavailability assuming independence from all other Calvert Cliffs systems. 2.0 CALVERT CLIFFS CARCS DESCRIPTION 2.1 System Description The function of the CARCS is to remove heat from the contain-ment atmosphere during normal plant operation, and following a LOCA, the CARCS along with the containment spray injection system, provides alternate methods of depressurizing the containment following a LOCA. ! It is sized such that three of the four containment air coolers will limit the containment pressure to less than the containment design pressure even if the containment spray system does not operate. The containment air recirculation and cooling system includes four two-speed cooling units located within the containment. Heat in extracted via the service water system (Appendix B14) which is circulated through the air cooling coils. Refer to Figure B15-1. B15-3
The service water return line for each cooler has two air-operated stop valves and one local, manually operated valve, all in parallel. The air-operated control valves can be operated from the control room. One control valve is used for normal cooling require-ments and the other control valve, which opens automatically upon 4 receipt of a Containment Spray Actuation Signal, is used following a LOCA. The third parallel, local manually operated valve is provided to permit passage of sufficient service water in case the full flow CSAS actuated valve should malfunction. 2.2 System Operation During normal reactor power operation, the CARCS provides for removal of normal heat losses from equipment and piping in the reactor building. This is accomplished by operation of three of the four fan-cooler units at full speed with their coolant flow throttled. The equipment, piping, valves and instrumentation, except for distribution ducting, are located either outside the secondary shield within the' reactor building or outside the reactor building itself. Thus the equipment can be regularly inspected, tested and maintained during reactor power operation. Cooler performance is individually monitored by inlet and outlet flow meters, thermocouples, and outlet radiation monitors; all of which are displayed in the main control room and annunciated in the case of flow leakage or high radioactivity. Operator control of inlet and outlet flow valves is provided for flow throttling and isolation. B15-4
l Following a LOCA, a 4 psig containment pressure will generate a CSAS signal causing the system to automatically reconfigure as follows: o The service water control valves in the cooler discharge are fully opened to increase the coolant flow (CV-1585, CV-1593, CV-1582, CV-1590). o The fourth fan-cooling unit is started and the speed of all four fans is set at half speed to reduce the power requirements generated by the denser building atmosphere. The continuous circulation of the post-accident reactor building airstream mixture through the four coolers in this emergency mode is designed for heat removal which is in excess of that required to depressurize the containment for LOCAs with successful emergency core coolant injection. It is assumed that the cooler coils will not clog up during a core melt. 3.0 SURRY CARCS DESCRIPTION The Surry plant does not have the equivalent to a CARCS. 4.0 COMPARISON OF CALVERT CLIFFS AND SURRY CARCS Since the Surry reactor does not have the equivalent of a CARCS, a description and comparison is not possible. 5.0 CALVERT CLIFFS SYSTEM EVALUATION 5.1 Event Tree Interrelationships The CARCS operating in its emergency cooling mode, is one of two independent systems designed to provide immediate and long-term B15-5
cooling of the reactor building atmosphere to depressurize and maintain the containment below rupture pressure following the post-accident pressure excursion. The second system is the Containment Spray Injection System (CSIS) which is automatically initiated at a reactor building pressure of 4 psig and is also designed to provide 100 percent of the design cooling capability. According to the definition of containment overpressure protection given in the FSAR, either the CSIS operating alone, at full capacity, or two of the four cooling units in conjunction with the spray system at one-half capacity, or operation of three of the four cooling units will provide suf ficient post-accident heat removal for successful containment pressure control. These criteria for success have been found in subsequent research conducted by Battelle Columbus Laboratories to be conservative. Their research has shown that the operation of one spray sub-system or one fan cooling unit will provide adequate pressure control. These more realistic criteria have been used in this study. Operation of the CARCS appears as event Y on the Clavert Cliffs LOCA event tree. This event depicts CARCS operation during the injection phase. Continued operation of the CARCS during the time interval corresponding to the recirculation phase is modeled by event Z. The CARCS is also part of the containment pressure reduc-tion event (event O) on the transient event tree. In all three events (Y, Z, and O) successful operation of the CARCS requires the operation or continued operation of one of four fan cooler units. B15-6 4 - - . -
5.2 CARCS Model Description 5.2.1 CARCS Boolean Equations The general form of the CARCS Boolean equation used in the cccident sequence analysis is depicted below for one of four CARCS units required for success: (R + SW21 + CSAl + D12) (S + SW22 + CSBl + D21) (T + SW21, + CSAl + D12) (B15-1) (U + SW22 + CSBl + D21) l
+ CSASCM .
l The above equation, except for the D12 and D21 terms, was used in the analysis of all LOCAs and transients except loss of of fsite power transients and is referred to as Equation B15-1(a) in the main report. For T1 transients, Equation B15-1 was used in its entirety. The terms D12 and D21 represent failure of diesel #12 cnd #21 to provide emergency power when needed. Refer to Appendix B1, the Emergency Power System, for more details. The terms SW21 and SW22 represent service water failures. S rvice water is required to cool the CARCS fan cooler units. (Refer to Appendix B14, Cooling Water and Containment Heat R moval Systems.) The terms CSAl and CSBl represent individual CARCS actuation cubchannel failures. Each channel actuates two CARCS trains. B15-7
- _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ 1
The term CSASCM represents a common mode failure of both CSAl and CSBl channels. A 1 x 10-3 unavailability was attributed to this common mode due to a possible miscalibration of sensors which are common to both channels. (Refer to Appendix B10, Engineered Safety Features Actuation System.) Table B15-1 relates the rest of the terms in the previous equa-tion to the components shown in Figure B15-1. Table B15-2 lists com-ponent unavailabilities and each of the contributors to the component unavailability. The unavailabilities listed in Table B15-2 are com-prised of hardware, human and maintenance faults. Technical Specifications for Calvert Cliffs state that compon-ents shall not be removed from service so that the affected CARCS train is unavailable for more than 72 consecutive hours. If one CARCS train is unavailable for more than 72 hours, the reactor must be shut down. The average maintenance interval used in the Reactor Safety Study is 4.5 months, which corresponds to a frequency of 0.22 per month. From the Reactor Safety Study, (Table III 5-3) the log normal maintenance act duration for components whose range is limited to 72 hours is a mean time of 19 hours. Therefore, the unavailability of one component due to maintenance is estimated to be: 19(.22) -3 720 = 5.8 x 10 , Testing of the CARCS components was found to negligibly add to the component unavailability when compared to other contributions and was therefore not included. B15-8
5.2.2 CARCS Unavailability Using the Boolean equations given in the last section and the term unavailabilities given in Table B15-1, independent CARCS point estimate unavailabilities can be calculated. These are found to be CARCS = 4.6 x 10-3 (Applies to cases with AC power available) and CARCS = 6.2 x 10-3 (Applies to cases with AC power not initially available) . It should be noted that the CARCS is unavailable if all AC is lost. Double maintenance contributions, i.e., components of both trains being in maintenance, were removed from these unavailabilities since this condition was not allowed by technical specifications. A quantitative ranking of the dominant Boolean terms for the one of four CARCS case for cases with AC power available is given in Table B15-3. As can be noted, 30 percent of the system unavail-ability is due to the failure of both service water trains. A quantitative ranking of the dominant Boolean terms for this case is given in Table B15-4.
~
The reader should be cautioned that these are unavailabilities for Clavert Cliffs' CARCS if the system is considered independent of all others. In general, the CARCS unavailability will depend on what other system successes or failures have occurred, i.e., the unavailability used in the sequence calculations must be a condi-tional unavailability. B15-9 l
l Table B15-1: Boolean Equation Term Definitions Boolean Term Term Definition Term Unavailability R M32 + M13 + C20 + CV-1584 + 2'.8 x 10-2 CV-1585 + FC22 S M38 + MIS + C23 + CV-1592 + 2.8 x 10-2 CV-1593 + FC24 T M44 + M17 + C26 + CV-1581 + 2.8 x 10-2 CV-1582 + FC21 U M50 + M19 + C24 + CV-1589 + 2.8 x 10-2 CV-1590 + FC23 CSAl Channel Al Actuation Failure 2.2 x 10-2 CSBl Channel B1 Actuation Failure 2.2 x 10-2 CSASCM Channel Al and B1 Common Mode 1.0 x 10-3 Failure 1D12 Diesel #12 Failure 6.8 x 10-2 1D21 Diesel #21 Failure 6.9 x 10-2 2SW21 Service Water Loop 21 Failure 3.6 x 10-2
-T1 Transients 2SW22 Service Water Loop 22 Failure 4.3 x 10-2
- T1 Transients 2SW21 Service Water Loop 21 Failure 3.7 x 10-2
- LOCAs and non-T1 Transients 2SW22 Service Water Loop 22 Failure 3.7 x 10-2
- LOCAs and non-T1 Transients 1 Refer to Appendix Bl.
2 Refer to Appendix B14. B15-10 l l - ..
Table B15-2. Component Unavailabilities i l Component Fault Failure Dascription Identifiers Contributors O/ Component Mcnual Valve M32, M13, M38, M15, Operator Error 1.0 x 10-4 (Normally M44, M17, M50, M19 Plugged 1.0 x 10-4 Open) Q Total 2.0 x 10-4 Check Valve C20, C23, C26, C24 Hardware 1.0 x 10-4 Q Total 1.0 x 10-4 Control Valve CV-1584, CV-1592, Operator Error 1.0 x 10-3 (Normally CV-1581, CV-1589 Plugged 1.0 x 10-4 Open) Maintenance 5.8 x 10-3 Q Total 6.9 x 10-3 Control Valve CV-1585, CV-1593, Hardware 3.0 x 10-4 (Normally CV-1582, CV-1590 Plugged 1.0 x 10-4 Closed) Control Circuit 6.4 x 10-3 Maintenance 5.8 x 10-3 Q Total 1.3 x 10-2 Fan Cooler FC21, FC22, FC23, Fails to run FC24 24 hrs. (1x10-5/hr) 2.4 x 10-4 Fails to change speed 3.0 x 10-4 Control Circuit 1.0 x 10-3 Maintenance 5.8 x 10-3 0 Total 7.3 x 10-3 B15-ll
i r t l Table B15-3. Quantitative Ranking of Boolean Terms for the CARCS Following LOCAs and T2 and T3 Transients i SW21 SW22 1.4 x 10-3 CSASCM 1.0 x 10-3 CSAl SW22 8.1 x 10-4 CSB1 SW21 8.1 x 10-4 } CSAl CSBl 4.8 x 10-4 S U SW21 2.9 x 10-5 R T SW22 2.9 x 1-5 CSAl S U l.7 x 10-5 R CSBl T 1.7 x 10-5 - i RSTU 6.2 x 10-7 .i } Total Point Estimate = 4.6 x 10-3 1 t B15-12
Table B15-4. Quantitative Ranking of Boolean Terms for the CARCS Following T1 Transients SW21T1
- SW22T1 1.6 x 10-3 CSASCM 1.0 x 10-3 CSA1
- SW22T1 9.5 x 10-4 SW21T1
- CSBl 7.9 x 10-4 CSAl
- CSBl 4.8 x 10-4
~
D12
- D21 4.7 x 10
-3 D12
- SW22T1 2.9 x 10
-3 D21
- SW21T1 2.5 x 10
-3 D21
- CSAl 1.5 x 10
-3 D12
- CSBl 1.5 x 10 R
- SW22T1
- T 3.4 x 10-5 SW21T1
- S
- U 2.8 x 10-5 R
- CSB1
- T 1.7 x 10-5 CSAl
- S
- U l.7 x 10-5
-5' D21
- R
- T 5.4 x 10
~
D12
- S
- U 5.3 x 10 R*S*T*U 6.2 x 10-7 Total Point Estimate = 6.2 x 10-3 B15-13
F14W ELEMENT
~~
t C$AS & 644 J4 r getfYY
, *n 32 u Jrr '*5 g "'3-lMF.O.f h -l ,
I SERY1CE WAftR F.O. . SLTFLT LINE H h i n x f.0. CIS STARTS 1%I FAN & I *[ S'.1TCF.!S CPERATING TANS TO FI2UCID 5FIED l Cum, untn 4S P To m e M1ADEn
*The four inch line is used for normal operation. The eight inch line is used for emergencies.
Figure B15-1. Typical CARCS Train (refer to Fig. B14-1 for the complete schematic) 1 B15-14
APPENDIX C MARCH ANALYSES OF KEY CALVERT CLIFFS CORE MELTDOWN ACCIDENT SEQUENCES TABLE OF CONTENTS SECTION PAGE
1.0 INTRODUCTION
.......................................... C-3 2 .0 CALVERT CLIFFS CALCULAT IONS . . . . . . . . . . . . . . . . . . . . . . . . . . C-3 2.1 Loss-of-Feedwater Transients..................... C-3 2.2 Safety Valve Reclosure Failures.................. C-8 2.3 LOCA Sequences................................... C-ll 2 .4 Minimum Containment Sa feguards . . . . . . . . . . . . . . . . . . . C-13 2.5 Primary Depressurization Procedure............... C-14 REFERENCES C-18 C-1/2
1.0 INTRODUCTION
The dominant Calvert Cliffs core melt accident sequences involve two types of initiating transients. One type of transient 10 initiated by failure to provide feedwater makeup to the steam ganerator secondary. In the second, a primary system safety relief valve opens on demand but fails to reclose. Eventual core uncovery occurs in both cases due to failure to provide primary system make-up. These initiating events are also accompanied by failures in the containment safeguards. MARCH calculations were performed for the dominant transient sequences as well as a number of LOCA ccquences. These calculations are discussed below. Other MARCH analyses, performed to define the minimum containment safeguards, are also discussed. 2.0 CALVERT CLIFFS _ CALCULATIONS 2.1 Loss-of-Feedwater Transients The Systems Analysis Task has identified a number of loss-of-feedwater transient sequences as being potentially risk significant for the Calvert Clif fs plant. Among these are the TML, TMLOO', and TKML transient sequences. Several of these sequences were eval-uated by means of the MARCH code. The MARCH calculations indicate significant probabilities of containment failure following reactor vessel meltthrough in such sequences. Given such early containment failure, corresponding CORRAL calculations indicate PWR Release Category 2 or 3 releases, depending on the availability of containment sprays prior to containment failure. Figures C-1 through C-19 present some of the principal MARCH results for the TML sequence. Figure C-1 shows the total mass of C-3
water in the two steam generators. The two steam generators initially contain 278,200 pounds of water. About a third of the water is vaporized before reactor shutdown at 28.5 seconds. The reactor shutdown signal was taken to be low steam generator water level, as described in the Calvert Cliffs SAR. Following reactor shutdown, the steam generator secondary side bolloff rate of about 4000 lb/ min is controlled by the core decay heat. Complete dryout of the steam generators is predicted by MARCH to take about one hour.* Figure C-2 shows the mass of water in the primary system. The coolant leak rate is shown in Figure C-3. MARCH predicts little primary system leakage until about 30 minutes. At this time, the primary system water begins to heat up and expand due to degrada-tion in the steam generator heat transfer. The primary system pressure (Figure C-4) increases to the relief valve set point, and water is forced through the valves. At about 80 minutes, the primary water temperature increases to the saturation temperature at the relief valve set point. The resulting steam generation in the core forces an increased volume of water through the safety valves. The coolant leak rate (Figure C-3) increases to nearly 15,000 lb/ min for about 15 minutes. At about 93 minutes, the hot legs become void (Figure C-5) and steam venting at a lower rate follows. At 98 minutes (Figure C-5 ), the core begins to uncover.
- The Calvert Cliffs SAR states that the auxiliary feedwater must be initiated by 13 minutes to avoid emptying the steam gener-ators. Apparently, the 13 minute time refers to the start of tube uncovery rather than complete dryout.
C-4
l l l Core temperatures increase rapidly (Figure C-6) and melting (at 4130*F) begins at 115 minutes (Figure C-7 ) . The fraction cladding reacted reaches 0.31 prior to core clumping into the bottom head at 139 minutes for the particular modeling assumptions utilized. Calculations have been performed to examine the sensitivity of the predicted cladding reaction to vari-ations in the input options in the meltdown and cladding reaction models in MARCH (Reference C-1) . These calculations indicate the likelihood of nearly complete cladding reaction for the range of parameters studied. Based on these indications, the cladding reaction was taken to completion for the present calculations. Thus, Figure C-7 shows complete cladding reaction by the end of the core meltdown at 142 minutes. Figures C-8 and C-9 show the masses of hydrogen in the primary cystem and in the containment building. The MARCH modeling for this calculation compressed much of the hydrogen generation into the last few core-meltdown (subroutine BOIL) timesteps. Further, a signifi-cant fraction of the total hydrogen generated is predicted to be retained in the reactor vessel until head failure. Thus, about 1100 pounds of hydrogen are released to the containment during the last stages of core meltdown, and an additional 1250 pounds are released several minutes later when the head fails at 146 minutes. After about 500 minutes, as seen in Figure C-9, the hydrogen mass in the containment increases from 2300 pounds to about 3500 pounds due primarily to oxidation of the chromium in the core debris during the concrete penetration phase of the accident. The hydrogen was not assumed to burn in this particular MARCH calculation. C-5
l Figure C-lO shows the containment pressure (PTOT) for the TML transient assuming containment integrity is maintained. The pre- l dicted pressures are seen to exceed the nominal failure levels. Building coolers were started at 6 minutes. Containment sprays l were assumed not to be turned on.* Figure C-lO also ekows the adiabatic hydrogen burn pressure (PBURN). PBURN is the contain-ment pressure which would occur und r adiabatic conditions if all the hydrogen in the containment at that time were rapidly burned. When flammability conditions are not satisfied, PBURN is plotted as PTOT. Thus, flammable conditions occur for a few minutes after the end of core meltdown at 142 minutes and again after 214 min-utes. Between 146 and 214 minutes, flammable mixtures do not occur because of the high steam concentrations (Figure C-ll) . Dur-ing this interval, high steam concentrations are produced by the boiloff of water from the reactor cavity following reactor vessel head failure. The containment coolers cannot condense the steam as rapidly as it is generated by the quenching of the core debris. It may be noted that spray operation would decrease the atmosphere steam concentration and thus increase the flammability in this time period. The results shown in Figure C-10 indicate containment fail-ure could be produced by either hydrogen burning or high steam pressure for the TML sequence. The building coolers maintain low pressure except during the period of rapid boiloff from the reactor cavity.
*The 4 psig spray actuation signal would be reached at about 90 minutes during the period of high primary system leak rate (see Figures 3 and 10); it is not clear if the spray would be kept operating, however.
C-6
l l The mass of water in the reactor cavity is shown in Figure C-12. During the blowdown phase of the accident, 1000 ft3 (61,000 lbs) of water collect in the reactor cavity. After head failure at 146 minutes, the accumulators dump an additional 247,000 pounds of water into the reactor cavity. The quenching of the hot core debris in the reactor cavity rapidly vaporizes much of the water. At 160 minutes, the debris is quenched and the boiling process is stopped. About 40,000 pounds of water remain in the reactor cavity after dabris quenching. Additional water may flow into the reactor cavity due to continued operation of the containment coolers. Dur-ing the INTER calculation of concrete penetration, starting at 284 minutes, the core debris is assumed to be water covered; implicit in this is the assumption of debris remelting as opposed to the formation of a coolable particle bed. Containment atmosphere and heat sin ~k (walls and structure) temperatures are shown in Figures C-13 and C-14. The structure surface temperatures (designated by FE, FE-Interface, Concrete Inter-Face, and Concrete) generally closely follow the gas temperatures. Little temperature change is seen at the center line of the 1.5-foot thick concrete (CON C.L.) wall heated from one side. The CORRAL fission product rel ease calculations (Table 5.3) for the TML-y sequence are based on a MARCH calculation in which containment failure was assumed to be produced by hydrogen burning at the time of reactor vessel head failure. MARCH results for this calculation are shown in Figures C-15 through C-19. The accident tim-ing for this case (see Table 5.2) is somewhat different than for the case discussed above due to different (input) assumptions made C-7
relative to the coolant leakage from the pressurizer safety valve. For the TML-6 hydrogen burning case, a steam blowdown was assumed; while for the TML y case discussed above, significant liquid blow-down occurred. The time to core uncovery is more rapid for the i case of liquid leakage; subsequent behavior is very similar for the two cases. Containment pressures and temperatures for the TMLOO'-6 case
! are shown in Figures C-20 and C-21. This sequence is similar to TML except no containment safeguards are available. In addition, in the specific calculation shown, rapid boiloff of the accumulator water from the reactor cavity due to debris fragmentation was not assumed to occur. Boiloff from the top of the debris during the INTER concrete penetration phase was considered, however. Without rapid debris quenching the' nominal failure pressure is reached about 1.4 hours after the start of concrete penetration or 5.5 hours into the accident; with debris quenching, containment' failure would be predicted shortly after reactor vessel failure.
2.2 Safety Valve Reclosure Failures Several sequences involving the failure of safety / relief valves to reclose have been considered. The calculated response i i of the Calvert Cliffs primary system for such transients is sen-sitive to the modeling of the steam generator heat transfer and the availability of high pressure ECC makeup. MARCH calculations i indicate both good steam generator heat transfer and the operation of high pressure ECC injection are required to prevent core uncov-l ery. If either is sufficiently degraded, core uncovery results. C-8
The MARCH calculations of steam generator heat transfer are dependent on a number of modeling and accident sequence assumptions. These include the steam generator heat transfer coefficients, the availability of auxiliary feedwater, and the degradation of heat transfer due to loss of both primary and secondary side water inventories. The primary system pressure further depends on the shutdown power trace, the valve leak rate, and the water / steam content of the leakage through the open safety valve. Depending on the above, MARCH calculations predict primary system pressures after the first 10 minutes of the accident will equilibrate at levels between 1050 and 1350 psia. Since the high pressure ECC pumps for this plant have a shutoff head of about 1280 psia, these considerations have a significant impact on the ability to provide primary system makeup. The Systems Analysis Task has identified several sequences, of the type being considered here,.which involve ECC hardware fail-ures. For these accidents, core meltdown will occur regardless of steam generator heat transfer considerations. For sequences in which both high pressure 'ECC and steam generator auxiliary feed-water are available, the MARCH analyses indicate core uncovery is unlikely. For sequences in which all steam generator feedwater is lost and one safety valve remains open, MARCH calculations indicate core uncovery and meltdown are likely.*
- Sequences in which two valves are opened by operating procedure are discussed in Section C.5.
C-9
MARCH calculations involving failure of a safety valve to reclose, the TMQ sequence, are discussed below. Figures C-22 to C-27 compare the results of two MARCH calculations for this seguenc'e. In the calculations, one power-operated relief valve-(area ~O.0199 ft2) was assumed to remain open. Both high pressure ECC and steam generator auxiliary feedwater were available. 'Th~e modeling assump-tions for the two MARCH calculations wore identical, except in the second calculation, steam generator heat transfer was assumed to degrade at about 90 minutes as the liquid level in the reactor vessel fell below the hot leg elevation. In reality, it should be possible to maintain good heat transfer from the primary to the secondary even with a steam environment on the primary ~ side. Steam condensation on the steam generator tubes would be expected to provide good heat transfer in this mode of operation provided the secondary side water inventory is maintained at an adequate level. In order to obtain good condensation heat transfer, the secondary water level must cover the primary side steam voids. Since auxiliary feedwater is available for the TMQ transient, adequate inventory can be maintained by the operators.* Figure C-22 shows that with good steam generator heat transfer, the primary system pressure closely follows the secondary side after about 20 minutes. The secondary is assumed to be vaporiz,ing at a constant pressure of 1000 psia, corresponding to the relief
*For much of the Three Mile Island transient, low secondary-side ,
steam generator water levels were maintained even though feedwater { was available after the first minutes. Good steam generator' hoat l transfer was not maintained during the core uncovery period after 2.3 hours.C-2 C-lO !
,1
valve set point. Since the high pressure shutoff head is 1280 poia, ECC injection is maintained. Figures C-23 and C-24 show a constant mixture level and coolant inventory, indicating that tha core is covered and cooled. For the TMQ calculation in Figures C-25 through C-27, the steam gancrator heat transfer was assumed to degrade at about 90 minutes ao the primary side liquid level fell below the hot leg elevations. The primary system pressure increases above the ECC shutoff heat ct'about 110 minutes. With no ECC injection, Figures C-26 and C-27 show core uncovery starting at about 2 hours. The calculation was terminated at this time, but core melting would be expected to follow. 2.3 LOCA Sequences Several of the more probable LOCA sequences, as identified by the Systems Analysis Task, were analyzed by the MARCH code. These e are discussed below. Figures C-26 through C-29 show MARCH results for the S 2 ML 3 ccquence, a small break loss-of-coolant with failure of normal and auxiliary feedwater systems. The analysis for this case differs from that for the TMQ sequence discussed above in two ways: first, the leak area is 0.0218 ft2, corresponding to a 2-inch diameter break, and second, auxiliary feedwater is defined to be unavailable in this sequence. Comparision of Figures C-24 and C-28 illustrates the sensitivity of the predicted results to these changes. With no auxiliary feedwater, the calculated primary system pressure remains above 1300 psia for about 50 minutes. With no auxiliary C-ll t . _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . -
feedwater, MARCH predicts the steam generator heat transfer is reduced,to about 75 percent of the core decay heat at 20 minutes due to the lowered s.scondary side water level. For the TMQ sequence at the same time, secondary water levels are not lowered, and the calculated heat transfer to the steam generator is approximately equal to the core decay heat. Consequently, higher pressures occur for the S 2ML sequence. The core uncovers at 36 minutes (Figure C-30) and the core melting starts at 60 minutes (Figure C-31) . At about 50 minutes-the primary system pressure falls below the ECC shutoff head, and ECC injection begins with only the bottom 2 feet of the core remain-ing covered. By 67 minutes, the coolant mixture level increases to a level of about 7 feet recovering regions of the core containing molten fuel. The increased steam generation rates accompanying the rising water levels result in a higher system pressure. The ECC injection stops again, and the core water level again falls to 2 feet at 80 minutes. This cycling behavior would be expected to continue. (The calculation was stopped at 80 minutes.) Since MARCH does not explicitly model core geometry changes associated with melting, it is not possible to be very definitive about the eventual outcome of this sequence. Since a significant fraction of the core was predicted to melt during periods of core incovery, this sequence is assumed to result in eventual meltdown. It is possible that this sequence could be terminated short of complete core melting. The complete loss of containment heat removal was found to be a relatively probable occurrence for this plant design. Sequences C-12
S2 FG, S2 CG, ACG, and AG, in addition to the previously noted TMLOO', waro specifically evaluated by MARCH. Inssequence AG, all systems, except heat removal from the containment, function; the core is cooled but the containment pressure increases continuously as all the water in the system is heated by decay heat. At about 19 hours the containment pressure reaches the nominal failure level; the ECC systems are assumed to fail during the rapid depressurization asso-ciated with containment failure. Core uncovery and melting thus take place in a f ailed containment. In sequence ACG, the contain-ment sprays a- well as containment heat removal are failed. In the absence of containment sprays all the heat capacity of the water within the system is not utilized and containment failure is predicted sooner, at about 7 hours, than in the previous sequence. In sequences S2 FG and 2S CG, containment heat removal failure is accompanied by spray recirculation and spray injection failure, respectively. In these small LOCA sequences, the primary system blowdown and the emptying of the refueling water storage tank are significantly extended in comparison with the large LOCA sequences discussed previously. The essential features of the overall l sequence are still the same, i.e., slow pressurization of the con-tainment to its f ailure level, followed by emergency core cooling system failure and subsequent core melting. 2.4 Minimum Containment Safeguards Two MARCH calculations were performed to determine the minimun containment heat removal requirements for LOCAs. The initiating accident was taken as a large LOCA. The decay heat boiloff rate was ! maximized by assuming only sufficient ECC injection to the vessel to C-13
just keep the core covered and provide for makeup to compensate for boilof f; excess ECC injection was assumed to spill to the sump. In one MARCH calculation, containment heat removal was provided by one i 1 spray pump and one spray heat exchanger. For the other calculation, heat removal was provided by one building cooler. For the case with the containment spray working, the calculated containment pressure peaked at about 47 psia at the end of blowdown and decreased monotonically to 27 psia after 10 hours. The building sump temperature decreased from 310
- F at the end of blowdown to a
166*F at the time ECC and containment recirculation flow started at 84 minutes. Following the start of recirculation, the sump temper-ature slowly increases and peaked at 197*F at 6.7 hours. At 10 hours, the sump temperature has decreased to 196*F. Since all temperatures are trending downward, it is concluded one containment spray and heat exchanger provide an adequate containment heat sink. For the case with only one building cooler working, containment pressures are similar to those discussed above. Sump temperatures are generally lower. It is concluded that one building cooler pro-vides an adequate containment heat sink for the purposes of the present study. 2.5 Primary Depressurization Procedure Combustion Engineering (CE) has proposed a procedure for depressurizing the primary system in the event of loss of feed-water transients. In the procedure, two power operated relief valves (POVs) would be manually opened at 10 minutes. The results of the Combustion Engineering calculations, as described in NUREG-0635 ( Reference C-3 ), are quoted below. C-14
m u r ,
" Operator action proposed by CE to avoid core uncovery for this accident consists of opening the two PORVs prior to 600 seconds in the accident.
System pressure reduction obtained by this action is calculated to provide HPSI activation early in the transient, and a considerably slower dryout of the steam generators. Vessel mixture level devel-ops considerably earlier in the transient but stabilizes near the hot leg elevation for about 1-1/2 hours due to nearly balanced volumetric flows between the break and HPSI. At about 3000 seconds, dryout occurs in the steam generators resulting in a slow increase in primary system pressure up to the l HPSI shutoff pressure, and where HPSI water from the cold leg serves to reduce the core boiloff rate and terminate the system pressure rise near 1400 psia at just over 8000 seconds into the transient. Ves-sel mixture level continues to decrease, however, and core uncovery begins at 11,250 seconds (approximately 187 mins), or about 6650 seconds (11 mins) later than in the case with no operator action. Following the start of core uncovery, the boiloff rate is reduced, and relief through the open PORVs result in a system depressurization which eventually reactivates the HPSI system and starts core recovery. Uncovery to a depth of 8.3 feet is calculated to C-15
occur at 12,000 seconds (3 hrs, 20 min). The peak cladding temperature experienced during the uncov-ery was computed to be 2040'F. System response for this case was not analyzed beyond when this peak cladding temperature occurred, so that the final stable operating condition was not predicted. Because the HPSI refill of the vessel will result in a recovery of the core boiloff rate, primary system repressurization can be expected, and may be sufficient to again shutoff HPSI flow. Addi-1 tional cycling of vessel mixture level and clad-ding temperature can be expected, but would be attenuated as a result of the decaying core power generation rate. Based on these considerations, the analysis of this accident is not considered complete, and further analysis will be required..." We have not examined the details of the CE analyses; we have, , however, performed several MARCH calculations to examine the pos-sible effectiveness of such an approach. Figures C-32 through C-37 show the results of three MARCH calculations in whicht (1) one valve is opened at time zero, (2) two valves are opened at time zero, and (3) two valves are opened at 10 minutes. The flow area for two opened POVs was 0.0238 ft 2 in the MARCH calculations. Por the case in which one valve is opened, MARCH predicts the primary system pressure remains above the ECC shutoff head and core uncovery (meltdown) results (Figures C-32 and C-33 ) . If two C-16
valves are opened at time zero, MARCH predicts no core uncovery (Figures C-34 and C-35). If the opening of the valves is delayed until 10 minutes, MARCH predicts uncovery of the top 1.0 foot of the core between 45 and 60 minutes (Figures C-36 and C-37). For both of the last two cases, leakage through the two open POVs results in primary system depressurization so that ECC injection is maintained and core uncovery results. Comparison with the results of the procedure described above has two implications: (1) based on the predicted lower pressures, the CE calculation, as dsocribed in Reference C-3, implies better steam generator heat transfer during the initial part of the dryout transient than the MARCH calculation. For the case illustrated in Figures C-36 and C-37, MARCH predicts the steam generator has absorbed 92 percent of the total core decay heat; thus, essentially all the decay heat-must be taken out by the steam generators in the above referenced analysis; and (2) based on the CE prediction of core uncovery after 60 minutes, MARCH apparently predicts somewhat greater leakage through the two open POVs than the CE calculation. Because of these differences and tne apparent sensitivity of the results to ! input and modeling assumptions, neither of the above analyses can ! bn considered definitive; thus, the possible effects of the proposed I primary system depressurization procedure have not been factored into the present study. 1 l i C-17 i i
References for Appendix C C-1. Cybulskis, P., " MARCH Predictions of Hydrogen Behavior in LWR. Meltdown Accidents,'" Workshop on the Impact of Hydrogen on LWR Safety, January 25-28, 1981, Albuquerque, NM. C-2. Wooton, R. O., Denning, R. S., and Cybulskis, P., " Analysis l of the Three-Mile Island Accident and Alternative Sequences,"
. NUREG/CR-1219 (January 1980).
C-3. " Generic Evaluation of Feedwater Transients and Small LOCAs in CE Designed Plants," NUREG-0635 (January 1980). 1 4 J l I i 5 C-18
l lll11II 0o
$G & h 5 5 $lE5 O5. w&=E 1 1 2 2 3 0 5 0 5 0 5 0 0 0 0 0 0 0 0 0
0 F i g u r e 2, C 0
- 0 l
S e t C a m 4, 0 0 A G L e n V e r a E t o T06, R r I 0 T I n M v e E C n t - L I o ( 8, y r M0 0 F v e I F r N S s u U s T E1 T Ti ) 00. m e 0 M L S - q e u 1 H e n 2, 0 O c e 0 T T M L 1 4, 0 0 1 6 0 0
l CALVERT CLIFFS TML-HOT
! b p 5.0 Z 4.0-2 C4 A4 30-
- Z.
o f4 i M
$ E-*
i
$ 3D-
! Eza i O I
- < 1.0-
} 2 i O.0 . . i i 0.0 20.0 40.0 60.0 80.0 100.0 120.0 140s 180.0 TIME - (MINUTE) Figure C-2. Primary Water Inventory versus Time - Sequence TML
'l I Un EQ hEg*
4 <l E bN<N <M MNM pd 1 1 2 2 3 0 5 0 5 0 5 0 0 0 0 0 0 0 0 0 0 2, 0 F 0 i g u r e C C 3
- 4, 0 A f
0 L T o V t a E l T0 6, _ R L e a I 0 1 T k M R E C a t e -
~ L I
( 0, v e M0 0 j F r s u I N F s U S T T i m e )E1 0, 0 T
- 0 M S
e L q u e n c 1 2, H e 0 0 O T M T L 1 4, 0 / 0 1 6 0 0
CALVERT CLIFFS TML-HOT
, 3000.0 1
i j Ed 2500.0- - ' i l D I $ i 4 2000.0-i I 2 N i o E-* 1500.0 - i 0 M l w > in i j g 1000.0 - i h M ! M ! 4 500.0-l 1 i o.0 i i i i ! o.0 20.0 40.0 80.0 80.0 i i i 100.0 120.0 140.0 160.0 TIME - (MINUTE) Figure C-4. Primary System Pressure versus Time - Sequence TML i k
l ,l 0
,0 6
1 0
,0 4
1 L M T e c T 0 n e O ,2 0 u q H 1 e S L 0 e m M 0
,0 )E i
T T 1 T us s S Ur N ev F I F ,008 (M vel I e
- L L e C E r u
Mt
- 0. I x T ,0 T i 6 M R m E a e
V L / t S 0 r A ,0 4 t e a C W 5 0 C
,0 2 e r
u g i F 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 8 6 4 2 2 1
- 4 *
- A p. w hE:>eM N<NEW - I b E-n'rw 1 l'
CALVERT CLIFFS TML-HOT 7000.0 CORE MAX
........... CORE ME 7
----- U.P. G AS
! 6000.0- ~L N l l Es4
? l
$y1 cg 5000.0-D E-4 ,
4 " i h 4000.0- [ / si / M i
$2 E-4 3000.0- /
w
- l>4 /
'A /
y 2000.0 -
/
H . cd *
.i (14 ,-
1000.0 - .
-g , .. *L.a ~~ w.W >
0.0 . . . . . . . 0.0 20.0 40.0 60.0 80.0 100.0 120.0 140.0 160.0 TIME - (MINUTE) Figure C-6. Primary Temperature versus Time - Sequence TML
. CALVERT CLIFFS TML-HOT A N 1.0 N M , , .... . ...... rc. i 5 : i ! M :
- M 02- .
1 O ! ! U ! ! A ! ! Z ! 'l 4 !
- 0.8- :
I A m i i O b [ i O O ! ! w < !
- N
m 0.4 - A ! 4 4 i 1 A ! U l in 02- l Z / O l , e- e : l Em 0 . l 4 # g 0.0 i i i i i i i N 0.0 20.0 40.0 60.0 80.0 100.0 120.0 140.0 160.0 TIME - (MINUTE) Figure C-7. Fraction Clad Reacted and Core Melted versus Time - Sequence TML ) l a
CALVERT CLIFFS TML-HOT 2000.0 , 1 M Ez.1 Ed Cf) k
> 1500.0 -
M 2 w M Q4 ? 2; 1000.0 - M ~ 500.0 - O o M A Z 0.0 , , , , , , , 0.0 20.0 40.0 60.0 80.0 100.0 120.0 140.0 160.0 TIME - (MINUTE) Figure C-8. Ilydrogen Mass in Primary versus Time - Sequence TML
0 0 0 0 0
,00 8
0 T ,0 0 7 O L H M T e
- ,0 0
c L 0 6 n e u M )E q e T S 0. 0 U T - S ,05 N e m F I M i T F ( s u I s 0 0 - L ,0 r e C 4E v M s I s T T M a R ,0 0 0 n E 3 e g o V L d r y A l 0 I 0 C ,0 2 9 C e 0 r u
,0 g 0 i 1
F 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 s 0 5 0 5 0 5 a 3 2 2 1 1 {0OMA>% E j
?
CALVERT CLIFFS TML-HOT 180.0 Prot
........... y g n n
~....'
1604 - - 4 ' '..
- .s (n
% 140A ~ lr\:
n
- 1 i \.
1 Iz] i : : :, A 180.0 - ! i p ; ; .! ........................ l i 100.0 - i! l O b l l W-N E-* m I. :I 1: 5 M 80.0-Z s 40.0-Z ^ O U __ 20.0-O.0 , , , , , , , , 0.0 100.0 200.0 300.0 400.0 500.0 000.0 700.0 8004 900.0 TIME - (MINUTE) Figure C-10. Containment Pressure versus Time - Sequence TML
CALVERT CLIFFS TML-HOT 10 SN
.......... Im)
----- OIY 02-U2 Z
o
~
l 04-1 E-* O 4 o Z 1 I N N e M 0.4 - A O A 02~ . -~~. ....
..... ..................... ~ ........
s ......,"**. **...........
', ,, . . ~~
. . . . . .,~~.~............
r.- lb rS'
~
O.0 1 , , , , , 0.0 100.0 200.0 300.0 400.0 500.0 6004 7004 8004 900.0 TIME - (MINUTE) Figure C-ll. Mole Fractions versus Time - Sequence TML
CALVERT CLIFFS TML-HOT
*O
- 35.0
!
- 1 i
Ed I " 30.0-
- 4 O
M o H 25.0-1 0 1 4 , ExJ j g 20.0-o Z 0> o 15.0 - i Es i 10.0 -
\ %
l O 5.0- L
\
0.0 . . . . i i 0.0 100.0 200.0 300.0 400.0 500.0 i 600.0 700.0 850.0 900.0 l TIME - (MINUTE) Figure C-12. Water Mass in Reactor Cavity versus Time - Sequence TML 1
l [ \ O S s_ D O _ 8 L _ M _ T 0 _
- o. e T
d c 7 n O e u H _ q e S L - M e m M dT i T T s U u S gN s r e F I M v F ( e r u I t L i a r C E e p m e T T R ,W t n e E m V L t r a p A 0 C m o C 3 1 D C O e 1 r u g i F 0 0
- - ~ - - -
D 0 0 0 0 0 0 0 0 0 0 0 0 5 5 3 0 3 5 2 M 5 1 1
%Dk Q4 g Eg2 d 9OO ni"
CALVERT CLIFFS TML-HOT 350.0 n FE H,
....... . yg gy.
' ----- CON IF.
! 300.0 - - CON CL l CON i A 250.0-I b C4
- D y 200.0- -
? 6 M
j g 150.0-Ew )
- 100.0 -
5 50.0-4 3 3 I I I I y
! 0.0 100.0 200.0 300.0 400.0 500.0 I
000.0 700.0 800.0 900.0 I TIME - (MINUTE) Figure C-14. Wall Temperature versus Time - Sequence TML 1 1 1
- CALVERT CLIFFS TML-H2 BURN 140.0 Tot 1L
.......... SrM NYD 120.0 -
i 100.0 -
>-4 l g 80.0-Z ? D w " 00.0-1 ErJ
! M l 4 40.0-i l l 20.0-Ii.
. ~ ~ ~ , , , , , , , ,j , 1 ~........................,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,, ........ ..........
'.....:(^ ______--------____......-----------~~~~~~~
- 0. i i h[ ^ 0 250.0 b.0 450.0 550.0 edo.0 N.0 80 #8 TIME - (MINUTE)
Figure C-15. Pressure versus Time - Sequence TML
i l CALVERT CLIFFS TML-H2 BURN I 2500.0 i i Dig id 2000.0-M
- D i E-4 N
j m 1500.0-2 N E-*
- o
! 6
^
E-* ! $ 1000.0- !' x E-* I Z i
; fl.
l 2 500.0-
- O U N l m p d O.0 0.0 1d0.0 2d0.0 3d0.0 4d0.0 5d0.0 6d0.0 7d0.0 8$0.0 900.0 TIME - (MINUTE)
Figure C-16. Compartment Temperature versus Time - Sequence TML
ll!l l so 0ZEMZ2 e > < j E* m 2 a. ( N D C gmg 1 1 2 2 3 3 5 0 5 0 5 0 5 O 0 0 0 0 0 0 0 n 0 0 0 0 0 0 0 0 0 F i g u r 1 e 0. C 0 .
- 0 1
7 C 2
- A C 0 L
p o m 0 0
. V a
r E t m . f ' [ R e n t 3 0 T 0 - 0 W a T C l l I M L I T E40 F e - m 0 p e 0 F r a ( . S t u M r e I N00 5
. T v
e U0 T M r s ) E . L u s - T i 6 0 . H m e 0 2 S y nN oo B e q u 7 d 0
,<q) U e
n 0 . R c e N T . M 8 _ L 5 _ 0 _ 0 _ 9 0 _ 0 _ 0
, l\ 1 ! l1
l i i CALVERT CLIFFS TML-H2 BURX a 12.0 1 4 Q N M 10.0 - i i M j A M 8.0-g ' m i l O I N 6.0 - { O ! ? M i U % 1 p \ ' A 4.0 - O l > l A 1 4
- H 2.0 -
i O l b l 0.0 , i 0.0 100.0 200.0 300.0 400.0 500.0 800.0 700.0 800.0 900.0 TIME - (MINUTE) Figure C-18. Total Gas Leakage versus Time - Sequence TML 1 1
CALVERT CLIFFS TML-H2 BURX 100.0 VERTICAL
........... RADI AL N 80.0- ......'..
O. z ..........- o
~
Ea 4 M 80.0- .'....... E-* M z ... a M ...- s % ..- w .- N 40.0- - E* / M .- M l 0 l Z e' O 20.0-
,f' i
0.0 , , i i i i i i 0.0 100.0 200.0 300.0 400.0 500.0 600.0 700.0 800.0 900.0 TIME - (MINUTE) Figure C-19. Concrete Penetration versus Time - Sequence TML
?
o.
-m-o s a -4 . 3 I
o.
-n- .
- o. O
-n~
x Ed
- o. al
** u
' C i O a
- R w m
-a.- m ,
I e:
- C
- e. a
- =e4 8 m Ed .
a ,, oM " E'
~
m
-g r s.
m =.
,g y , ,_
I r e OE .a > t o d
' ,8
*'M b p H
. v- u a
- i o 4 o = x
,,. to, a e -
e o eM
~ N m
1 o
.j' , ,
,.* =} o
. +
n g O U (
/
-4 ,
u c o . tn e4
- n w -
e o
-a o-
,- ,i
( O
, , , o i i"
. . o -
,,,, o.ogg o.oo o os , 0 ot 0 0t 0'0 WISd '380SS'384 ' :/
/
Y l I i C-38 l
.. ..7, p .d ,
_ _ - _ . - - . , _ . , -. . - - . _ . - , + , . . , ,, _. , ,
o
- v; o
n _; o
-r; o .
-d O
~
l -. o
$e
-i y a
0 \ l o. D , -o** er O m
'o o i 3 = o z u> 5
- om e m -e I m
= - 8 a u d _
s E-*
.r e b-m .
s
= o o b
-5 %
U u 0 o G
-;u o e
l o .
-; a s i N
1 O U o
-i r
o o en d
- o. N
.N o
l : o d 0 oos 0 005 o oot o oot 0 001 00 J '3801983dW31. C-39 '
CALVERT CLIFFS TMQ,WAFW=5810,TLEG=0 3000.0 2500.0 - e -e CO 2000.0-0 DQ M 1500.0- ?> aM - 1000.0-M l 500.0-0.0 . , , , i , , , . . . . 0.0 10.0 20.0 30.0 40.0 50.0 60.0 70.0 80.0 90.0 100.0 110.0 12 0.0 130.0 TIME - (MINUTE) Figure C-22. Primary Pressure versus Time - Sequence TMQ with Good Steam Generator Heat Transfer
'llI lll lll l Il i
0 0 3 1 0 0 ,0 2
= s 1 G _
0 E
,1 0
L - __ 1 T, _ 0
-- ,0 Q 0 -
0 1 M T 1 r-8 0 e c 5 0 n
,9 er = ue qf es W 0.
0 ) Sn a F ,8 E T r T A U e mt W ,
,00. N 7I ia Tc I I
Q M ( s ur so M ,0 0 - rt ea T 6 - vr en e E re S ,0 I
- 0. M t uG xm F 5T ia Me F mS t
I 0 a
,0 L 4 ed to C So
/G r
0 eh T ,0 3 tt ai R Ww E ,0 0 3 V L 2 2 C A ,0 0 e r C 1 i u g F 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 8 6 4 2 1 E%J.N>Nl- NnDE*X.2 ,<NEinIO
. g
?:
CALVERT CLIFFS TMQ,WAFW=5810,TLEG=0
~ 5.0
- SGSEC
........... PRIMARY l
4.0 - '. tn
.-1 g .... .
N 3.0- .,.. n k L o ..... 2 m.0- ........
. . . . . . ~......
5 1.0-0.0 , , , , , , , , , , , , 0.0 10.0 20.0 30.0 40.0 50.0 60.0 70.0 80.0 90.0 100.0 11 0.0 120.0 130.0 TIME - (MINUTE) Figure C-24. Water Mass versus Time - Sequence TMQ with Good Steam Generator IIeat Transfer
9 8
-$ e e
o 3
*, 8' o ~ .
l CO -8, 1 O o x I A h N a
-g o 4 5 CS -g g "i M
P .g2 .; Cf)
-R nea n % "mn as 4 -8, I no H M s2 OMo "N E-* $ o H , at Z -g "g M tv a 25 >A -g AB mm 4
O , ;
-2 ?
U Q N
-o g, t
8
& Q $ & S
~
I i i I I a ISd'3Hf1SS3Hd AHVNIHd C-43
0 0 3 1 0
,2 u
1 D
,01
- 1 h t
0 - i w 1 - D 8 -
. ,0 0 Q M
5 - 1 T
= - e D c F -
_ ,0 9 n e ur A, - qe ef Q D) 0 s Ss n a M ,8n eTr T Umit
,0DNTa c 7 I S 'Mu sli F ( sr ro D
F ,0 8 - et va r I ee L Ern C D Mue
,0 I x tG 5 TimMa T mt e
R D
,40 aS e
E td Se
/d V
L 0 ra er tg 0
,3 ae A WD C D 6
,0 2 2 C
D e
,0 r
1 u g i F D O D D D D D D 0 0 0 0 0 C 0 1 8 a 4 2
.i ) *:.
sIz M>M1-. M:a:E>
. - ,_ 2 ,:< MEc*nIoN
?:
1 l
D 0 3 1 D 0 2 1
~
- D 0
1 1 0 1 8 =g r j D 0 0 5
=g -
1 h t
= .
. ~
D i w F
~ 0 r 9 Qe A, .
,~
- Mf Ts n
Q '
~
D
- 0) cr ea M 8EnT e
~ Tut T
U qa ee
~ 0NSH
.0 7 I S - '
Mo r F '
' ( et ma F
I L ~- - D 0 0 - D E uG Mrm ir Te se s n C 0I ea y.~ 5Tve t T sS s R D
.0 ad Me E 4 d
+
ra er V L
,s D
tg ae WD
- .0 A .- 3 C .-
D 7 2
~ 0 -
2 C e
. r
~ u D g
- 0 1
i
- F
..- D O
o s D g o n D 4 z 1 O b* nAgNE<p nvO g<2 g e a,0 t 111
CALVERT CLIFFS S2ML,MEL=-1 2500.0 1 1 2000.0-CO I4 Z l3 1500.0 - I l Z I l o -
;; > 1000.0- l N
4 500.0-0.0 , , , , , , , , 20.0 30.0 40.0 50.0 00.0 70.0 80.0 90.0 0.0 10.0 TIME - (MINUTE) Figure C-28. Primary Pressure versus Time - Sequence S ML 2
't l
,- r ; j ,- , _
, ) .; ,, s a _ - ..
, - . t
_ _ ~ S . ,, _d _+,,.
'- j,' ~
- w. ,
" ' . , y.
- g. ' .,
I CALVERT CLIFFS S2ML,MEL=-1 100.0 800-a Ci N 4 60.0-1 N Z D Ed a X M 40.0-i C M M 4 20.0-N E-En O N 0.0-Z
-20.0 . , , , . . . .
0.0 10.0 20.0 30.0 40.0 50.0 60.0 70.0 80.0 90.0 TIME - (MINUTE) Figure C-29. Water / Steam Mixture Level versus Time - Sequence S 2ML l x
;,,_ _ 4 .
. ~~. .-
4 s .. t -
-..~..
+ -
1
.-- .: 4 . .
. , . 3 , .
., ~. : c .
g -
'c
-+
. s -.
4
.;, 7 . . .
,y, ,_
e., -,
CALVERT CLIFFS S2ML,MEL=-1 a 5.0
. MW
.......... PRIMARY 4.0- '.
l . 1 5 . a: . w 10 . H . g . o . l %
- s O i.,
20- . 8 . t0- ...... 0.0 , , , , , , . . 0.0 10.0 20.0 30.0 40.0 50.0 00.0 70.0 80.0 90.0 TIME - (MINUTE) Figure C-30. Water Mass versus Time - Sequence S2 Nb
*a?
NM$ .OZ UJ %MAOENa
- 4ZQ UOZM m jEmQ d 0 0 0 0 0 0 O 0 0 1 2
3 4 5 n- 7 0 0 F . i 1, . g 0 . u 0 . r CC e DL RA C ED C 3 1 2 0 i A 0 L TF V ir ma ec E t i 3 R Sn o 0 0 i T e qC T ul ea I C nd c M L eR E40 i I e Sa 2 c 0 F Mt Le ( F d M I S a n d N50 i S U0 C o T 2 r e )E M M e 6 0 i
,L l
t e 0
- !:':iI M E
d ?
!r v
e d! i L r 7 !li s u 0i = A !./ s .
.*"'.' 1
'i..
8 i I;
- 0
- 0 .
9 0 0
0 0 2 1 0
,0 1
1 0 0
,0 V 1 O
P ,0 0 9 e m 1 i T
- 0 0 s L ,8 u s)
M ) ee
- 0. E v p rn 2 ,0 T e O
S 7Ureuv N sl S I sa F ,006 (M P1reV F ( m
- eL I tM L ,00. E y S s 2 C 5MSI e yc Trnae T ,0 0 mu R 4 iq re PS E
V L ,0 0 3 2 3 A C C ,0 0 e r u 2 g i F 0
,0
= 1
\ \ %. 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 0 5 0 5 0 5 3 3 2 2 1 1 MZD$ $% MNE
* $> mZA o
l
l 1 I 1 11 I I1l fl l ll 0 0 2 1 l 0
. 0 1
1 0 0 0 V 1 O 0 P . 0 9 e m i 1 T 0
- . 0 s u
L 8 s r M 0.
)
E e) vn e 2 . 0 T lp S 7U veO N I Lv l ee S 0.M ea F . 0( rV 6 u F - t1 i x( I L 0. 0 E ML M C 5M m2 aS I e T te Sc T 0 0
/n re R
4 eu tq ae E WS V L . 0 0 3 3 A 3 C C . 0 0 e s, 2 r u g i F 0
. 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 8 8 4 2 2
>M1-. 7EMNM d M N EM n I 5EY H
?0 i
CALVERT CLIFFS S2ML-2 POV 2500.0 l M N 2000.0-l D co in N 1500.0 - 2 N E*
? >En U 1000.0 -
N k
= .-e Z 500.0-A 0.0 ' '
0.0 lb.0 d.0 h.0 d.0 50.0 6b.0 N.0 N.0 d.0 100.0 110.0 120.0 TIME - (MINUTE) Figure C-34. Primary System Pressure versus Time - Sequence S2 ML (2 Valves Open)
ll l l
/
;[
0 *.,t
- 0 2
gp,^ - 1 w- - 0 3'
- ,01
- 1 , ,
e r-0 r: 0
,0 V
1 ; . _ g* O 0 P
- 0 -
- ,9 ,d, 4, e
= .
=. m ,
2 = . 0 i T ; k
,0 8
s u , L : s r) M
^
) en -
*::- Eve p .
2 ;
^
,00. T lO .
4 S :- . 7Ue n. Nvs ee - 3
? I Lv ,
S ^
,D 0 M ea l
F 0( rVu , . *
~-
4 F I M+
?'
^
i t2 x( 1 y 0 E M L
,0.
L 5Mm2 M
-3
,,e C
I aS e TteSc : 0 T
/n R
,0 4
re eu tq 7 ,- E V L
,3 0
0 WS ae r 5 , 3 A C
- 'e.
C ,0 0 e r ;% 2 - - u ,~ g , i F 0
,0 '
1
~ .
0 0
- u. .
0 0 0 0 0 0 0 0 0 . 7 0 0 0 0 0 0 0 0 . 9 m 7 6 5 4 3 2 1 1,. {; e, g>d MMDEMMN M4 NEE *n i Eh
, e l l I 1ll
ll W a l CALVERT CLIFFS TMLQ10 3000.0 N 2500A - - D 2000.0 - De 1500.0-
~ cn >* l 1000.0 -
w M 44 500A-l 0.0 , , , , , , , , , , , 0.0 10.0 20.0 30.0 40.0 50.0 80.0 '70.0 80.0 90.0 100A 110.0 120A TIME - (MINUTE) Figure C-36. Primary System Pressure versus Time - Sequence TMLQ l l
CALVERT CLIFFS TMLQ10 90.0 l (> 80A - V 10A - Qp 80.0-M. o 50.0-T N m B 40.0-
* (n 1
30.0-20.0 -
;. =- =: : ::s!!n!
~
l 10.0 , i i i i i i i i i l i 20.0 30.0 40.0 50A 80A 70.0 80A 90A 100.0 110.0 1204 0.0 10.0 TIME - (MINUTE) Figure C-37. Water / Steam Mixture Level versus Time - Sequence TMLQ
DISTRIBUTION: US NRC Distribution Contractor (CDSI) (155) 7300 Pearl Street Bethesda, MD 20014 130 copies for AN 25 copies for NTIS T. C. McCreless, Chief (4) Project Review Branch #2 Advisory Committee on Reactor Safeguards US Nuclear Regulatory Commission Washington, DC 20555 Atomic Safety and Licensing Board Panel (2) US Nuclear Regulatory Commission Washington, DC 20555 Attn: J. R. Yore, Chairman Technical Advisor A. S. Rosenthal, Chairman Atomic Safety and Licensing Appeal Panel US Nuclear Regulatory Commission Washington, DC 20555 W. J. Dircks Executive Director for Operations US Nuclear Regulatory Commission Washington, DC 20555 Director (2) Office for Analysis and Evaluation of Operational Data US Nuclear Regulatory Commission Washington, DC 20555 Office of Nuclear Reactor Regulation (8) US Nuclear Regulatory Commission Washington, DC 20555 Attn: H. R. Denton, Director R. H. Vollmer, Dir., Div. of Engineering R. J. Mattson, Dir., Div. Systems Integration S. S. Hanauer, Dir., Div. Human Factors Safety T. E. Murley, Dir., Div. Safety Technology D. G. Eisenhut, Dir., Div. of Licensing G. W. Knighton, Chief, Research Coord. Branch (2) W. J. Besaw, Director (10) Division of Technical Information & Document Control US Nuclear Regulatory Commission Washington, DC 20555 DIST-1
Distribution (cont. ) : V. Stello, Jr. Deputy Executive Director for Regional Operations US Nuclear Regulatory Commission Washington, DC 20555 Director Regional Operations and Generic Requirements Staff US Nuclear Regulatory Commission Washington, DC 20555 M. A. Taylor MNBB 6606 US Nuclear Regulatory Commission Washington, DC 20555 Office of Nuclear Regulatory Research (30) US Nuclear Regulatory Commission Washington, DC 20555 Attn: R. B. Minogue, Director G. Arlotto, Dir., Div. of Engineering Technology O. E. Bassett, Dir., Div. of Accident Evaluation R. Bernero, Dir., Div. of Risk Analysis (25) K. Goller, Dir., Div. of Facility Operations F. Arsenault, Dir., Div. of Health, Siting & Environment R. C. DeYoung, Director (4) Office of Inspection & Enforcement US Nuclear Regulatory Commission Washington, DC 20555 B. H. Grier, Regional Administrator (4) US Nuclear Regulatory Commission, Region I Office of Inspection & Enforcement 631 Park Avenue King of Prussia, PA 19406 J. P. O'Reilly, Regional Administrator (2) US Nuclear Regulatory Commission, Region II Office of Inspection & Enforcement 101 Marietta Street, Suite 3100 Atlanta, GA 30303 J. G. Keppler, Regional Administratcr (2) US Nuclear Regulatory Commission, Region III Office of Inspection & Enforcement 799 Roosevelt Road Glan Ellyn, IL 60137 DIST-2
Distribution (cont. ) : J. T. Collins, Regional Administrator (2) M US Nuclear Regulatory Commission, Region IV - Office of Inspection & Enforcement _ 611 Ryan Plaza Drive, Suite 1000 Arlington, TX 76012 R. H. Engelken, Regional Administrator (2) .g US Nuclear Regulatory Commission, Region V _ i Office of Inspection & Enforcement -- 1990 N. California Boulevard, Suite 202 Walnut Creek, CA 94596 -
=
W. Wagner, Deputy Assistant Director d Naval Reactors Division - US Department of Energy Washington, DC 20545 R. Brodsky, Assistant Director (2) Reactor Safety & Computation r Naval Reactors Division US Department of Energy Washington, DC 20545 m J. Crawford, Director __- Reactor Research & Technology Division US Department of Energy - Washington, DC 20545 Chief - Safety Assessment Branch Office of Reactor Research & Technology - US Department of Energy Washington, DC 20545 Deputy Assistant Administrator C for Radiation Programs (2) US Environmental Protection Agency _ 401 M. Street, S.W. 7 Washington, DC 20460 C US Library of Congress
.2 Federal Documents Section 10 First Street, S.E. --
Washington, DC 20540 n > Library National Bureau of Standards - Washington, DC 20234
]
Advanced Research & Applications Corporation = 1223 E. Argues Avenue - Sunnyvale, CA 94086
=
DIST-3 E
N Distribution (cont.): _ C Aerospace Corporation P. O. Box 92957 Los Angeles, CA 90009 _ Assistant Vice President -- American Electric Power Service Corporation 2 Broadway R - New York, NY 10004 R. Christie Nuclear Engineering Branch Tennessee Valley Authority W10C126 Jm 400 Commerce Ave. ' Knoxville, TN 37902 D. Johnson c/o R. Christie Nuclear Engineering Branch Tennessee Valley Authority W5D207C-K 400 Commerce Ave. - Knoxville, TN 37902 - Babcock & Wilcox Company Product Development Division J-- P. O. Box 1260 Lynchburg, VA 24505 = Chief Librarian ' Bechtel Power Corporation P. O. Box 3965 - San Francisco, CA 94119 Bechtel Power Corporation (2) 15740 Shady Grove Rd. Gaithersburg, MD 20760 Attn: D. H. Ashton m Chief Nuclear Engineer Bell Laboratories 600 Mountain Avenue Murry Hill, NJ 07974 - Center for Environmental Studies Princeton University Princeton, NJ 08540 - Henry Piper CRBRP Project Office y P. O. Box U Oak Ridge, TN 37830 DIST-4
-i-.---
Distribution (cont. ) : William Parker, Jr., Vice President Duke Power Company Steam Production, Power Building 422 South Church Street Charlotte, NC 28242 Engineering Technical Library Duke Power Company P. O. Box 2178 Charlotte, NC 28242 Director E. I. DuPont de Nemours and Company Savannah River Laboratory Aiken, SC 29801 Vice President Nuclear Ebasco Services, Inc. 2 Reactor Street New York, NY 10006 EG&G Idaho, Inc. (2) P. O. Box 1625 Idaho Falls, ID 83401 Attn: President Jim A. Hunter Nuclear Division Director Nuclear Safety & Analysis Center Electric Power Research Institute 3412 Hillview Avenue Palo Alto, CA 94304 Larry Conradi Energy, Inc. Suite 220 515 W. Harrison Kent, WA 98301 General Electric Company P. O. Box 81608 Jan Diego, CA 92102 Manager of Power Plant Reliability Utilities Division Gilbert Associates, Inc. 525 Lancaster Avenue Reading, PA 19603 IBM Thomas J. Watson Research Center P. O. Box 218 Yorktown Heights, NY 10548 DIST-5
Distribution (cont.) : N. C. Rasmussen Dept. of Nuclear Engineering Massachusetts Institute of Technology 77 Massachusetts Avenue Cambridge, MA 02139 MPR Associates 1140 Connecticut Avenue, N.W. Washington, DC 20036 Inter Mountain Technologies P. O. Box 2108 Idaho Falls, ID 83401 Attn: President Northeast Utilities 174 Brush Hill Avenue W. Springfield, MA 01089 President, Nuclear & Systems Sciences Holmes & Narver, Inc. 999 Town & Country Road Orange, CA 92668 Director Nuclear Safety Analysis Center P. O. Box 10412 Palo Alto, CA 94303 Nuclear Services Corporation 1700 Dell Avenue Campbell, CA 95008 NUS Corporation (2)
#4 Research Place Rockville, MD 20858 Attn: E. R. Schmidt J. J. Curry Pacific Gas & Electric Company Beale Street San Francisco, CA 94105 Pickard, Lowe and Associates, Inc.
Suite 612 1200 18th Street, N.W. Washington, DC 20036 John D. Richardson Manager of Safety and Licensing Mississippi Power & Light Co. Jackson, MS 39205 DIST-6
M _ M Distribution (cont.t: Dept. of Mechanical Engineering - Rensselaer Polytechnic Institute Troy, NY 12181 Science Applications - Suite 200 . 5 Palo Alto Square Palo Alto, CA 94304 = -- Science Applications Suite 1200 W x 7315 Wisconsin Ave. Bethesda, MD 20014 5 Vice President Southern California Edison Company T - P. O. Box 800 - 2244 Walnut Grove Avenue - Rosemead, CA 91770 Director _, Southwest Research Institute SanEn o 8284 _ Stanford Linear Accelerator Center - Stanford University P. O. Box 4349 7 Stanford, CA 94305 Westinghouse Electric Corporation (2) - P. O. Box 355 Pittsburgh, PA 15230 Attn: Manager, Nuclear Safety Library, Nuclear Energy Systems Stone & Webster Engineering Corp. P. O. Box 2325
]
Boston, MA 02107 -- Chief Power Research & Development " Tennessee Valley Authority - Chattanooga, TN 37401 2 m United Engineers & Constructors, Inc. Advanced Power Engineering _- 1401 Arch Street -- Philadelphia, PA 19102 - Department of Statistics University of Missouri - Columbia, MO 65211 DIST-7 2
===
Distribution (cont. ) : Library Battelle Pacific Northwest Laboratory P. O. Box 999 Richland, WA 99352 Argonne National Laboratory (4) 9700 S. Cass Avenue Argonne, IL 60439 Attn: Technical Library Report Section 203-CR 125 Director, Engineering Research Division Director, Reactor Analysis & Safety Division Brookhaven National Laboratory (2) Upton, NY 11973 Attn: Dept. Applied Science, Bldg. 197 Associated Chairman for Reactor Safety R. Olson (5) Baltimore Gas & Electric Co. Room 922 G&E Building P. O. Box 1475 Baltimora, MD 21203 E. Normand Northwest Energy Services Co. P. O. Box 1090 Kirkland, WA 98033 Technical Library Idaho Nuclear Engineering Laboratory 550 Second Street Idaho Falls, ID 83401 Frank Gillman Nuclear Safety, L-140 Lawrence Livermore Laboratory P. O. Box 818 Livermore, CA 94550 Los Alamos Scientific Laboratory (2) Los Alamos , NM 87544 Attn: Q-6 Division A-Division Oak Ridge National Laboratory (4) Oak Ridge, TN 37830 Attn: Library Director, Reactor Division Library Records, Bldg. 4500 N., Rm. H205, P. O. Box X David Yue, Bldg. 9104-1, P. O. Box Y DIST-8
Distribution (cont'd) : Battelle Columbus Laboratories (3) 505 King Avenue Columbus, Oh 43201 Attn: Roger Wooton Peter gybuskis Librarian Technology for Energy Corporation (2) 10770 Dutchtown Road Knoxville, TN 37922 Attn: Stuart V. Asselin Gary Boyd Evaluation Associates, Inc. GSB Building 1 Belmont Avenue Bala Cynwyd, PA 19004 Dept. of Nuclear Engineering University of Virginia Charlottesville, VA 22904 L. F. Dale Manager of Nuclear Services Mississippi Power and Light Co. P. O. Box 1640 Jackson, MS 39205 US Nuclear Regulatory Commission (200 copies for Licensee Dist.) Division of Document Control Distribution Services Branch Washington, DC 20555 Attn: P. Larkins DIST-9
Distribution (cont . ) : 4400 A. W. Snyder (2) 4410 D. J. McCloskey 4412 J. W. Hickman (25) 4412 N. L. Brisbin 4412 D. D. Carlson 4412 W. R. Cramond 4412 F. Harper 4412 S. W. Hatch (6) 4412 A. Kolaczkowski 4412 G. J. Kolb (6) 4412 A.C. Payne 4412 D. D. Drayer 4412 R. G. Spulak 4412 T. A. Wheeler 4413 N. R. Ortiz 4414 G. B. Varnado 4416 L. D. Chapman 4445 L. O. Cropp 4420 J. V. Walker 4440 G. R. Otey 4450 J. A. Reuscher 8214 M. A. Pound 3141 L. J. Erickson (5) 3151 W. L. Garner (3) DIST-10 h u.s. Gov E nMh0 E NT PRIN T8NG OF FIC Es l 9 8 2-0-6 76-02 9 /551 l . . . _ .
~
[ !F d
.4 h
+,.
e ), 3 , l' f a
)z_-*, w ,
s o--
-d _ s.
- g{' '!.-
' % , h:
..nM 'Y ' "
-f l' . c , *
.- t ) _
? l,s.
> l f' , / e 1 AN '
1 g gs013B17 MGI BR
$h, 01V , of)g%AIIONS p p t i.1 L Y a egpy po a NU,R E(>
v gt 20555,_ " t t.a 21< ' c.:
-" +
w n id i r4G 10. 4 e
,e --& .v' e
' ~~
s h~ p. r / . p y:. - i, / - ,3 ?> ,.
,.e 're
# 4., d .
9 a f 8 sd" %,
/ . i .* -
s ,- s a f e l'
- r
' r$
k W e Eg.rg Yauy 6 .. fi* * /
+
,p e' s
5 n' ./ gs, , f ** ,g
./ _
r (
.t ,J'[ ?
i x .x/ 's
,, ,,,v g ; -
;,f.f g ,
yQ x, .
'r .
} ; A ' ~~ ._&.
, [* %
4.> .,/.<
. :. ,y.
_.e
. r- j,
- a f- .
t
' * ?f
.g
. a4 w
./ .,
.) <
6
/ '94 1, -#
s!
,.4
'Y ' 4 !q t
,g-
+ ..+
f 5 s*.-
.{
y ,
,c
) -}}