ML20058F108

RHR Autoclosure Interlock Removal at Millstone Unit 3
ML20058F108
Person / Time
Site: Millstone
Issue date: 04/30/1990
From: Dube D, Owens D, Weerakoddy S
NORTHEAST UTILITIES
To:
Shared Package
ML20058F093 List:
References
NUSCO-170, NUDOCS 9011080093
Download: ML20058F108 (60)


Text

{{#Wiki_filter:NUSCO 170

RHR Autoclosure Interlock Removal at Millstone Unit 3

PREPARED BY Probabilistic Risk Assessment Section, Northeast Utilities Service Co.

April 1990

DISCLAIMER

The information contained in this topical report was prepared for the specific requirements of Northeast Utilities Service Company (NUSCO) and its affiliated companies, and may contain materials subject to privately owned rights. Any use of all or any portion of the information, analyses, methodology or data contained in this topical report by third parties shall be undertaken at such party's sole risk. NUSCO and its affiliated companies hereby disclaim any liability (including but not limited to tort, contract, statute, or course of dealing) or warranty (whether express or implied) for the accuracy, completeness, suitability for a particular purpose or merchantability of the information.

Prepared by: Sunil Weerakoddy, PRA Section, NUSCo Reactor Engineering

Reviewed by: David Owens, PRA Section, NUSCo Reactor Engineering

Approved by: Donald A. Dube, PRA Section, NUSCo Reactor Engineering

TABLE OF CONTENTS

1 INTRODUCTION
2 BACKGROUND
3 SCOPE
4 PRA ANALYSIS
4.1 Interfacing System LOCA (Event V) Analysis
4.1.1 Base Case Analysis
4.1.2 Comparison with Callaway
4.1.3 Sensitivity Analysis
4.2 RHR Unavailability Analysis
4.2.1 RHR Initiation
4.2.2 RHR Short Term Cooling Unavailability
4.2.3 RHR Long Term Cooling Unavailability
4.3 Overpressure Transient Analysis
4.3.1 Initiating Events
4.3.2 Heat Input Transients
4.3.2.1 Premature Opening of the RHRS
4.3.2.2 Rod Withdrawal
4.3.2.3 Failure to Isolate RHRS During Startup
4.3.2.4 Pressurizer Heaters Actuation
4.3.2.5 Startup of an Inactive Loop
4.3.2.6 Loss of RHRS Cooling Train
4.3.3 Mass Input Transients
4.3.3.1 Opening of Accumulator Discharge Valves
4.3.3.2 Letdown Isolation; RHRS Operable
4.3.3.3 Inadvertent SI Actuations
4.3.3.3.1 Review of Past Events at MP3
4.3.3.3.2 Discussion with Operators
4.3.3.3.3 Review of Operating Procedures
4.3.3.3.4 Relief Valve Capacity
5 SUMMARY AND CONCLUSIONS
5.1 Interfacing Systems LOCA Frequency
5.2 RHR Unavailability
5.3 Overpressure Transients
5.3.1 Heat Input Transients
5.3.2 Mass Input Transients
6 RECOMMENDATIONS
7 REFERENCES

LIST OF FIGURES

1. Simplified P&ID of RHR Suction Isolation Valves
2. Event V Scenarios: RHR Suction Path (With ACI)
3. Event V Scenarios: RHR Suction Path (Without ACI)
4. Comparison of RHR Design Between Group 2 (WCAP-11736) Plants and Millstone Unit 3
5. Letdown Isolation/RHR Operable Event Tree (With ACI)
6. Letdown Isolation/RHR Operable Event Tree (Without ACI)

LIST OF TABLES

1. Probability of Failures of Components With and Without ACI
2. Event V Frequency Through RHR Suction Paths
3. RHR Short Term Unavailability
4. RHR Long Term Unavailability
5. Frequency of Consequence Categories for Letdown Isolation/RHR Operable Event

1 INTRODUCTION

The purpose of this analysis is to investigate the risk impact of removing the autoclosure interlock (ACI) from the residual heat removal system (RHRS) suction valves 3RHS*MV8701A&B and 3RHS*MV8702A&B at Millstone Unit 3 (MP3). In place of this automatic feature, an alarm will be added to indicate to the operators that the valve is open while the reactor coolant system pressure is high. This report summarizes the probabilistic risk assessment (PRA) performed in support of the RHR ACI removal. The detailed supporting analysis is found in Reference 1.

The RHRS is aligned to the reactor coolant system (RCS) for shutdown cooling after RCS temperature is lowered to less than 350°F and the RCS pressure is less than 390 psia.(2) After the RHRS is aligned, the RCS pressure should be maintained below this pressure. If the RCS pressure exceeds 765 psia while the RHRS is in service, then the ACI will send a signal to close the RHR suction valves 8701A&B and 8702A&B.(3) The purpose of the ACI is to prevent the RHRS, whose design pressure is approximately 600 psi, from being exposed to high pressures.

The proposed project, when implemented, will delete this ACI feature. Instead, an alarm will be added in the control room to warn the operators if the isolation MOVs are open while the RCS pressure is high.

2 BACKGROUND

Loss of RHR during shutdown operations has been a concern to the regulators and the industry for a considerable period of time. These events have continued to occur at a rate of several per year, in spite of the increased attention given. A major contributor to the loss of RHR events has been the spurious actuation of the ACI. Spurious closure of the RHR suction valves, attributed to the failure of the ACI circuitry, not only causes a loss of RHR and an overpressure transient, but also isolates the RHR relief valve, which can mitigate overpressure transients. In its backfit analysis in support of the Generic Letter 88-17, "Loss of Decay Heat Removal," under programmed enhancements, the NRC stated the following:

"...We are asking licensees to consider evaluation of the ACI for the DHR system, and we encourage its removal. Experience shows that spurious closure of these valves (RHR suction path isolation valves) has caused approximately 60% of the loss of DHR events. Since the ACI aids in preventing LOCAs outside containment (Event V), this should be evaluated on a plant specific basis."

Removal of the ACI has several impacts on risk. As pointed out in the previous section, removal of the ACI affects the frequency of interfacing systems LOCAs which may occur when the RHRS is subjected to pressures exceeding its design pressure. Removal of the automatic isolation feature is expected to increase the Event V frequency. However, the installation of the new alarms which would warn the operators of already open RHR suction motor operated valves (MOVs) is expected to counter the risk increase due to ACI removal. When the ACI is removed, a high percentage of loss of DHR events will be prevented. That is, the risk attributed to the loss of RHR during shutdown is reduced. Finally, the response of the plant to overpressure transients during non power operation will also be affected. This report provides a summary of the PRA analysis performed using the method established by WCAP-11736-A to address the above mentioned issue.

3 SCOPE

This PRA analysis will address the following three concerns:

- Means Available to Minimize Event V Concerns: The PRA analysis will examine the change in Event V frequency through the RHR suction path due to removal of RHR ACI and replacing it with the new alarm "RX PRESSURE HIGH, RHR SUCTION ISOLATION MOV OPEN."
- The RHRS Relief Capacity: As a part of examining the success criteria for mitigating inadvertent safety injection (SI) events, the RHR suction path relief valve capacity will be investigated.
- The RHRS Reliability as well as Low Temperature Overpressure (LTOP) Concerns: The effect of RHR ACI removal on the RHRS unavailability will be examined. Further, the effect of RHR ACI removal on the capability to mitigate or initiate LTOP transients will be examined.

4 PRA ANALYSIS

4.1 Interfacing System LOCA (Event V) Analysis

An interfacing systems LOCA outside the containment is a breach of the RCS when the RCS is at high pressure at an interface with the low pressure piping system. Such a breach has the potential to cause a LOCA outside the containment in which radionuclides are transported directly from the RCS to the environment. This section provides the summary of calculations of the interfacing systems LOCA frequency for the RHRS-RCS system interface for the two cases:

1) with the present autoclosure interlock (ACI) feature, and
2) without the ACI feature and with the proposed alarm to be installed.

Reference 7 (WCAP-11736-A) performed the Event V analysis for four reference plants. None of these analyses are directly applicable to Millstone Unit 3 due to the following key differences:

- There are three RHR suction path isolation valves in MP3 compared to two valves in Callaway.
- The relative positioning of the relief valve in Callaway with respect to isolation MOVs is different from MP3.
- In MP3, power is removed from MOV8701C and MOV8702C only, during power operation. In Callaway, power is removed from all four RHR isolation valves.

Figure 1 is a simplified diagram for RHR suction valves illustrating parameters and components significant for the Event V analysis. For each of the three valves, MV8701A, MV8701B, and MV8701C in RHR train A, the following failure modes were considered. Since the two RHR trains are identical, the discussion and the analysis are applicable to the motor operated valves in RHR train B as well.

- Left open during startup.
- Spurious opening during normal operation.
- Catastrophic rupture.

Treating valve stem separation failure was also considered. However, it was determined that it is unnecessary to treat this as a separate failure mode.

The combinations of failure modes of the valves that could lead to an Event V were examined. Credible failure modes of valve MV8701A depend upon the failure mode of MV8701C. For example, if MV8701C was left open during startup, then rupture is a credible failure mode for MV8701A since this gate valve is exposed to the high reactor pressure. However, if MV8701C was not left open, then rupture of MOV8701A is not a credible initiator since it is not exposed to a high pressure. However, if MOV8701C ruptures, then MOV8701A gets exposed to the reactor pressure for a maximum duration of 1.5 years.

[Figure 1: Simplified P&ID of RHR Suction Isolation Valves. Legend: (ACI) autoclosure interlock; (PRT) discharge to pressurizer relief tank; (O) powered from Bus 34C; (P) powered from Bus 34D. Notes: control power for the MOVs is stepped down via transformers from the 480V power supplies to each valve; the RHRS is shown with valves in normal position during plant operation.]

4.1.1 Base Case Analysis

In order to model the dependency of failure modes among RHR suction valves that may lead to interfacing system LOCAs and consider all potential Event V scenarios, two event trees were constructed. Figures 2 and 3 are the event trees for the two cases "with ACI" and "without ACI." It is important to note that MOV8701B is not included in the event tree. Credit was not taken for MOV8701B (and MOV8702A) for Event V analysis. These two valves are 12" 600# class RHR valves. The two valves installed at MP3 have a maximum allowable working pressure as per ANSI standard of 1235 psig and a ceiling pressure of 1795 for the RCS operating temperature. Therefore, these valves were assumed to fail as soon as they get exposed to the high RCS pressure. However, given the design margins provided in the ANSI standard, this valve will have a moderate likelihood of surviving a one time, short duration application of RCS pressure.

The failure mode in which both MV8701C and 8701A are left open during startup is not considered due to a) leak rate testing requirements of these valves, and b) lifting of relief valves that will be noticed in the control room. At MP3, when the relief valves lift, the RCS coolant discharges to the pressurizer relief tank (PRT) which alarms.

The probabilities of some failure modes change when the RHR ACI feature is deleted. Therefore, the frequency of an interfacing systems LOCA event through the RHR suction path changes. Table 1 summarizes failure probabilities of different failure modes of the two valves MV8701C and MV8701A, with and without the RHR ACI feature. The fault trees and the other supporting calculations used to compute the failure probabilities are found in Reference 1.

Table 1: Probabilities of Failure of Components With and Without ACI

| Component and failure mode | Failure probability with ACI | Failure probability without ACI |
|---|---|---|
| MOV8701C: Rupture | 8.76E-04 | 8.76E-04 |
| MOV8701C: Left Open During Startup | 3.25E-03 | 3.25E-03 |
| MOV8701C: Spuriously Opens | 3.84E-10 | 3.84E-10 |
| MOV8701A: Rupture (Given 8701C Left Open) | 8.76E-04 | 8.76E-04 |
| MOV8701A: Rupture (Given 8701C Ruptures) | 6.57E-04 | 6.57E-04 |
| MOV8701A: Left Open During Startup | 9.83E-05 | 2.02E-06 |
| MOV8701A: Spurious Opening | 2.40E-07 | 2.40E-07 |

These probabilities were calculated using fault trees which are based on the elementary diagrams of RHR system inlet isolation valves 3RHS*MV8701A and 3RHS*MV8701C. Component failure rate data used in the fault tree analysis were derived primarily from two documents (NUREG/CR-2815 Rev. 1 and IEEE 500) and appear in Table 7-1 of WCAP-11736-A. The basic event probabilities used for the fault trees were derived from Table B-5 of WCAP-11736-A.

The following boundary conditions and assumptions were applied in the fault tree construction and analysis. Some of these assumptions were derived from WCAP-11736-A and are applicable to MP3 for comparing merits/demerits of RHR ACI removal.

- Plant is in mode 1, 2, or 3.
- Valve MV8701A will be exposed to RCS pressure if and only if MV8701C is open or ruptures.
- Valve MV8701B ruptures if exposed to the RCS pressure.
- No common cause rupture of valves is considered.
- The failure rate is the same for MV8701A and MV8701C valves given that the valve is exposed to RCS pressure.
- All electric power to the control circuitry is assumed to be available.

- A refueling outage occurs every 18 months.
- The rupture rate for valves is $1 \times 10^{-7}$/hr.
- The term "valve rupture" is defined as catastrophic internal leakage. Leakage past the valve does not lead to failure since the time frame of events allows appropriate remedial action.

At MP3, per plant operating procedure OP3310A(8), the MCC breakers that supply power to valves 3RHS*8701C and 8702C are open (i.e., MOV de-energized) when the RHRS is aligned during plant heat up. Therefore, spurious opening of MOV8701C during modes 1, 2, or 3 can occur if and only if the operator omits to perform this step. Therefore,

Prob (MOV8701C Spuriously Opens) = $2.40 \times 10^{-7} \times 1.6 \times 10^{-3} = 3.84 \times 10^{-10}$

Here, $1.6 \times 10^{-3}$ is the probability of operator failure to de-energize power to MOV8701C with the valve in the closed position. This probability is derived from WCAP-11736-A. The probability $2.40 \times 10^{-7}$ is the probability of spurious opening of MOV8701A (or MOV8701C) given that power was available at the circuit breaker and is derived by solving a fault tree.(1)

The probability of operator failing to close valve 8701A during startup changes from 9.83E-05 (with ACI) to 2.02E-06 (without ACI). The key factor that lowers the probability when ACI is removed is the relatively low probability of failure to detect an open MOV using an alarm annunciation (P (failure to detect via annunciator) = 2.66E-04) compared to failure to detect an open MOV via mainboard light (P (failure to detect via MB light) = 0.98). These human error probabilities were derived from WCAP-11736-A. Reference 3 was reviewed to examine the applicability of these failure probabilities to MP3. The sensitivity of the probability 0.98 (human error) on the results was examined. When this probability is lowered, the difference between Prob (valve left open) between the "with ACI" and the "without ACI" cases is reduced. Therefore, lower values for this human error probability result in a reduction of the impact of ACI deletion on the V sequence frequency.

A fault tree (Figure C-3, Reference 1) was used to quantify the probability of leaving valve MV8701C in the open position during startup as 3.25E-03. This probability is higher than the corresponding value for MV8701A since the ACI feature is not associated with the valve MV8701C and since the new alarms will not be installed on it. This probability is unaffected by the proposed change.

WCAP-11736-A uses a valve rupture rate of $1 \times 10^{-7}$ per hour. Although the industry experience indicates a lower rupture rate (between $10^{-7}$ and 10-e), this conservative rupture rate ($10^{-7}$ per hour) was used to calculate valve rupture probabilities. For valve MV8701C and for valve MV8701A when MV8701C is left open during startup, the probability of a rupture in a year (8760 hours), based upon a rupture rate of $1 \times 10^{-7}$ per hour, is $8.76 \times 10^{-4}$ ($10^{-7} \times 8760$).

For valve MV8701A, if MV8701C ruptures, the probability of a rupture is the product of the rupture rate and the average exposure time. Based upon an average exposure time of half of a refuel cycle (nine months), the probability of rupture of MV8701A, given that MV8701C fails due to rupture, is $6.57 \times 10^{-4}$ ($10^{-7} \times 8760 \times 0.75$).

Figures 2 and 3, event trees for the case "with ACI" and "without ACI," illustrate the V-sequences through the RHR suction paths and the frequency of each path. By summation of the sequences, the following frequencies result:

Event V frequency (with ACI) = $3.51 \times 10^{-6}$ per year/RHR A Train

Event V frequency (without ACI) = $3.43 \times 10^{-6}$ per year/RHR A Train

Since two RHR suction paths exist, these frequencies become $7.02 \times 10^{-6}$ and $6.86 \times 10^{-6}$ per year for the with ACI and the without ACI cases, respectively.

Therefore, removal of the ACI and installation of the alarms lower the Event V frequency by approximately 2.3%.

4.1.2 Comparison with Callaway

Table 2 summarizes the Event V frequency results for Callaway as reported in WCAP-11736-A and Millstone Unit 3. The results indicate a significant reduction (24%) in Event V frequency for Callaway as compared to a small reduction (2.3%) for Millstone Unit 3. This difference is accounted for as follows:

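Figure 2: Event V Scenarios: RHR Suction Path: With ACI (event tree; initiating event "plant in operation" = 1.00E+00)

| MOV 8701C failure probability | MOV 8701A failure probability | Sequence frequency | Release mode |
|---|---|---|---|
| - | - | 9.96E-01 | OK |
| 8.76E-04 | - | 8.75E-04 | OK |
| 8.76E-04 | 6.57E-04 | 5.76E-07 | V |
| 8.76E-04 | 9.83E-05 | 8.61E-08 | V |
| 8.76E-04 | 2.40E-07 | 2.10E-10 | V |
| 3.25E-03 | - | 3.25E-03 | OK |
| 3.25E-03 | 8.76E-04 | 2.85E-06 | V |
| 3.25E-03 | 2.40E-07 | 7.80E-10 | V |
| 3.84E-10 | - | 3.84E-10 | OK |
| 3.84E-10 | 9.83E-05 | 3.77E-14 | V |
| 3.84E-10 | 8.76E-04 | 3.36E-13 | V |
| 3.84E-10 | 2.40E-07 | 9.22E-17 | V |

Figure 3: Event V Scenarios: RHR Suction Path: Without ACI (event tree; initiating event "plant in operation" = 1.00E+00)

| MOV 8701C failure probability | MOV 8701A failure probability | Sequence frequency | Release mode |
|---|---|---|---|
| - | - | 9.96E-01 | OK |
| 8.76E-04 | - | 8.75E-04 | OK |
| 8.76E-04 | 6.57E-04 | 5.76E-07 | V |
| 8.76E-04 | 2.02E-06 | 1.77E-09 | V |
| 8.76E-04 | 2.40E-07 | 2.10E-10 | V |
| 3.25E-03 | - | 3.25E-03 | OK |
| 3.25E-03 | 8.76E-04 | 2.85E-06 | V |
| 3.25E-03 | 2.40E-07 | 7.80E-10 | V |
| 3.84E-10 | - | 3.84E-10 | OK |
| 3.84E-10 | 2.02E-06 | 7.76E-16 | V |
| 3.84E-10 | 2.63E-04 | 1.01E-13 | V |
| 3.84E-10 | 2.40E-07 | 9.22E-17 | V |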
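The event trees of Figures 2 and 3 can be re-quantified directly from the Table 1 probabilities. The following is an added example, not code from the report or from WCAP-11736-A; the function and key names are illustrative, and the branches in which MOV8701C opens spuriously (3.84E-10) are left out because they contribute less than 1E-12 per year.

```python
"""Re-quantify the Event V event trees (Figures 2 and 3) from Table 1 inputs.

Added illustration. All names are hypothetical; all numbers are the
report's own Table 1 values or the stated rupture-rate assumptions.
"""

HOURS_PER_YEAR = 8760
RUPTURE_RATE_PER_HOUR = 1e-7            # conservative rate used in the report
EXPOSURE_YEARS_AFTER_C_RUPTURE = 0.75   # average: half of an 18-month refuel cycle


def event_v_sequences(with_aci):
    """Return {(8701C failure, 8701A failure): frequency per year per train}."""
    rupture_one_year = RUPTURE_RATE_PER_HOUR * HOURS_PER_YEAR         # 8.76E-04
    a_rupture_after_c_rupture = rupture_one_year * EXPOSURE_YEARS_AFTER_C_RUPTURE
    c_left_open = 3.25e-3                # no ACI and no new alarm on 8701C
    a_left_open = 9.83e-5 if with_aci else 2.02e-6   # alarm replaces ACI on 8701A
    a_spurious = 2.40e-7

    # "Both valves left open" is excluded, as in the report (leak rate
    # testing and relief valve lift would reveal it). The 8701C
    # spurious-opening branches are omitted as negligible.
    return {
        ("8701C rupture", "8701A rupture"): rupture_one_year * a_rupture_after_c_rupture,
        ("8701C rupture", "8701A left open"): rupture_one_year * a_left_open,
        ("8701C rupture", "8701A spurious open"): rupture_one_year * a_spurious,
        ("8701C left open", "8701A rupture"): c_left_open * rupture_one_year,
        ("8701C left open", "8701A spurious open"): c_left_open * a_spurious,
    }


def event_v_frequency(with_aci, trains=1):
    """Sum the V sequences; multiply by the number of identical suction paths."""
    return trains * sum(event_v_sequences(with_aci).values())


def percent_reduction():
    """Relative drop in Event V frequency when the ACI is replaced by the alarm."""
    before = event_v_frequency(True)
    after = event_v_frequency(False)
    return 100.0 * (before - after) / before


def dominant_sequence(with_aci):
    """Return the largest V sequence and its share of the total frequency."""
    sequences = event_v_sequences(with_aci)
    name = max(sequences, key=sequences.get)
    return name, sequences[name] / sum(sequences.values())


if __name__ == "__main__":
    for with_aci in (True, False):
        label = "with ACI" if with_aci else "without ACI"
        print(f"Event V frequency, {label}: "
              f"{event_v_frequency(with_aci):.2e}/yr per train, "
              f"{event_v_frequency(with_aci, trains=2):.2e}/yr both trains")
        for name, freq in sorted(event_v_sequences(with_aci).items(),
                                 key=lambda item: -item[1]):
            print(f"    {name[0]:16s} + {name[1]:20s} {freq:.2e}")
    name, share = dominant_sequence(True)
    print(f"Dominant sequence: {name[0]} + {name[1]} ({share:.0%} of total)")
    # Unrounded inputs give about 2.4%; the report's 2.3% comes from the
    # rounded totals 7.02E-06 and 6.86E-06.
    print(f"Reduction from ACI removal: {percent_reduction():.1f}%")
```

The sequence that dominates both trees, MOV8701C left open followed by rupture of MOV8701A, involves no ACI or alarm at all, which is why swapping the interlock for an alarm moves the total so little.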

Table 2: Event V Frequency Through RHR Suction Paths

| | Callaway* | Millstone Point 3 |
|---|---|---|
| With ACI | 1.52E-06/year | 7.02E-06/year |
| Without ACI | 1.16E-06/year | 6.86E-06/year |
| Percent Change | 24% | 2.3% |

* Source: Reference 7

- As illustrated in Figure 4, which compares the RHR suction path designs between Callaway and Millstone 3, MP3 has three isolation valves per RHR train compared to only two for Callaway. However, since MV8701B (and 8702A) are assumed to withstand only 1800 psi, it was not credited in the Event V analysis. Therefore, out of the two valves MV8701A and MV8701B in which the ACI feature is replaced by an alarm, only one is credited in the MP3 analysis.
- Probability of leaving MV8701C open is $3.25 \times 10^{-3}$ since this valve has no ACI interlock (before the modification) or alarm (after the modification). For Callaway, the corresponding probability is 1.04 X 10-'. This accounts for the higher Event V frequency for MP3 compared to Callaway in spite of having three suction valves in series.

4.1.3 Sensitivity Analysis

The Event V frequency via the RHR suction path of MP3 at present is estimated at 7.02E-06. While the above Event V frequency calculations are adequate to compare the impact of ACI removal and alarm installation, they are considered overly conservative due to the following:

- MOVs 8701B and 8702A in the RHR suction paths are not credited.
- Rupture rate of $10^{-7}$ is high and is inconsistent with industry experience.

[Figure 4: Comparison of RHR Design Between Group 2 (WCAP-11736) Plants and Millstone Unit 3. Panels: WCAP-11736 Group 2 plants (Callaway) RHR design; Millstone Unit 3 RHR design. Figure note: two of the MP3 valves are not credited in the MP3 Event V analysis since the maximum pressure these valves can withstand is assumed to be 1800 psi (Ref. 13).]

Although MV8701B has an assumed maximum allowable pressure of 1800 psi, when exposed to 2200 psi RCS pressure, it most probably will not undergo catastrophic failure. If the P (MV8701B rupture when exposed to RCS pressure) is assumed to be 0.1, and a rupture rate of 3 X 10 / hour is assumed, then the Event V frequency reduces to $1.86 \times 10^{-7}$ per year for the "with ACI" case and to $1.81 \times 10^{-7}$ for the "without ACI" case. These values are better approximations of the Event V frequency through RHR suction paths at MP3.

Discussions with operators at MP3 on the leak testing procedure of the RHR suction isolation valves emphasize why the relatively high Event V frequencies computed in this analysis may not be indicative of actual Event V frequency at MP3, although they may be adequate for comparing merits/demerits of RHR ACI removal. The analysis in this report, following WCAP-11736-A, uses:

P(Valve Left Open) = 9.83E-5 (for 8701A)

P(Valve Left Open) = 3.25E-3 (for 8701C)

However, the valve leak test procedures and the operator awareness indicate that these unavailabilities may be lower. If these probabilities are lowered, then Event V frequency reduces further.

4.2 RHR Unavailability Analysis

The availability of the RHRS for shutdown cooling is an issue of significant concern in the nuclear industry. Many events have occurred in which the RHR function has been lost. Spurious actuation of the ACI while the reactor is shutdown has caused a large fraction of the loss of RHR events. This section determines the impact of removing the ACI feature on the unavailability of RHR. To achieve this objective, RHR unavailability is calculated with and without the ACI feature.

4.2.1 RHR Initiation

The actions taken to initiate RHR are not affected by the removal of the ACI feature or installation of an alarm on 3RHS*8701A and 3RHS*8701B. Therefore, it was determined that failure probability does not change due to the proposed ACI circuitry removal and installation of an alarm.

4.2.2 RHR Short Term Cooling Unavailability

Fault trees were constructed to quantify RHR short term cooling unavailability with and without the ACI feature. Appendix D to Reference 1 contains these fault trees. The following boundary conditions and the assumptions used in the WCAP-11736-A analysis were reviewed for their applicability to MP3:

- Two trains of RHR are required for 72 hours following initiation of the RHRS.
- Injection into two cold legs is required for the initial RHR cooldown phase.
- No testing or maintenance operations are assumed to occur during the initial RHR cooldown phase.
- During the RHR initiation, both RHR pumps are started successfully.
- All electric power is assumed to be available.
- No common cause failure of components is considered.

These boundary conditions and assumptions were found to be applicable for determining the merits/demerits of RHR ACI removal on RHR short term unavailability.

The fault trees for MP3 were constructed using the fault trees already developed for Callaway in WCAP-11736-A. The following major differences between Callaway and MP3 were identified:

- MP3 has three suction isolation valves per suction path compared to only two in Callaway.
- MP3 has an additional check valve 8847A/B/C/D in each injection path.

The piping and instrumentation diagrams (P&IDs) and the elementary electrical diagrams which served as the basis for the fault trees are listed in Reference 1. The basic event probabilities were derived from Table C-10 of WCAP-11736-A. The cut sets obtained by solving the fault trees are also given in Appendix D of Reference 1.

The short term RHR unavailability (first 72 hours after the RHR cooling begins) for MP3 is listed and compared with the corresponding unavailabilities of Callaway in Table 3. The ACI removal reduces the short term RHR unavailability at MP3 by approximately 12%, from $1.64 \times 10^{-2}$ to $1.45 \times 10^{-2}$. As illustrated by Table 3, the unavailabilities of Callaway and Millstone Point 3 compare well in spite of the additional isolation valve MV8701C (8702C in train B) in MP3. This is due to the RHR unavailability being dominated by the "RHR pumps failing to run" and "spurious actuation of ACI signal." These two failure modes are independent of the number of suction valves.

For the case "with ACI," approximately 88% of the total unavailability is attributed to RHR pumps failing to run for 72 hours. Approximately 12% of the total unavailability is attributed to the spurious ACI signal that isolates the RHR trains. This 12% is eliminated when the RHR ACI is deleted. For the case "without ACI," approximately 99% of the RHR unavailability is attributed to RHR pump failures.

Table 3: RHR Short Term Unavailability

| | Callaway* | Millstone Point 3 |
|---|---|---|
| With ACI | 1.64E-02 | 1.64E-02 |
| Without ACI | 1.44E-02 | 1.45E-02 |
| Percent Change | 12 | 12 |

* Source: Reference 7

4.2.3 RHR Long Term Cooling Unavailability

RHR is required to cool the RCS throughout the shutdown. However, decay heat load continues to decrease during shutdown. MP3 plant operating procedure OP3208 notes the following:

"As the reactor coolant system heat load is reduced, adequate cooling may be obtained using only one RHR train. If desired and when possible, the RHR system should be shifted from two train operation to one train operation in accordance with the plant operating procedure OP3310A."

Based on the above, the success criteria for RHR cooling in the long term is the successful operation of a single RHR train. The mission time of six weeks (1008 hours) used in the WCAP-11736-A is applicable to MP3. Therefore, basic event data provided in Table C-10 of WCAP-11736-A was determined to be applicable to MP3. This basic event data was used to quantify the fault trees.

The assumptions and boundary conditions used in the fault tree analysis to determine RHR long term cooling unavailability are as follows:

- One train of RHR is required for six weeks. Six weeks is representative of the time of a refueling outage.
- Injection into two cold legs is required for long term RHR.
- Train A pump is operating, and the train B pump is in standby.
- No switching of trains is assumed.
- Human error contribution to RHR unavailability is not considered since the effect is independent of the ACI feature.

These assumptions are in addition to the six boundary conditions listed under RHR short term cooling. When the applicability of the above assumptions to MP3 was investigated, it was found that the RHR trains are typically switched during shutdown to accommodate refuel work activities. Since the probability of losing RHR due to RHR train switching is independent of the ACI feature, this assumption does not affect the comparison of results between the two cases.

The fault trees for Callaway for long term RHR unavailability were examined to determine their applicability to MP3. Some changes to the Callaway trees were made to account for the following differences between the MP3 and Callaway RHR designs:

- MP3 has three isolation valves (MOVs) per suction path.
- MP3 has an additional check valve (8847A, B, C, and D) in each injection path to the cold legs.

The MP3 fault trees and the cut sets for RHR long term cooling for the cases "with ACI" and "without ACI" are included in the Appendix D of the analysis file.(1)

The long term RHR unavailability for MP3 is listed and compared with the corresponding unavailabilities of Callaway in Table 4. The ACI removal reduces the long term RHR unavailability at MP3 by approximately 70%, from $3.94 \times 10^{-2}$ to $1.19 \times 10^{-2}$. As illustrated by Table 4, the unavailabilities of Callaway and MP3 compare well in spite of the additional isolation valves 3RHS*8701C and 3RHS*8702C at MP3. This is attributed to the RHR unavailability being dominated by spurious ACI signal (for the case of "with ACI" only) and the RHR pump failures.

Table 4: RHR Long Term Unavailability

| | Callaway* | Millstone Point 3 |
|---|---|---|
| With ACI | 3.91E-02 | 3.94E-02 |
| Without ACI | 1.17E-02 | 1.19E-02 |
| Percent Change | 70 | 70 |

* Source: Reference 7

4.3 Overpressure Transient Analysis

Equipment malfunctions, procedural deficiencies, and incorrect operator actions during startup or shutdown conditions can lead to pressure transients in the RCS while the RHRS is in operation. These pressure transients are of concern because the RHRS may be subjected to pressures exceeding its design pressure. This section identifies events that would initiate overpressure transients and analyzes the effect of ACI removal on those transients.

4.3.1 Initiating Events

Reference 7, having surveyed past reports that characterize different types of transients possible at cold shutdown, lists the following overpressure transients:

- Premature opening of the RHRS.
- Rod withdrawal.
- Failure to isolate RHRS during startup.
- Pressurizer heaters actuation.
- Startup of inactive loop (startup of an RCP).
- Loss of RHRS cooling train.
- Opening of accumulator discharge isolation valves.
- Letdown isolation. RHRS operable, RHRS isolated.
- Charging/safety injection pump actuation.

In addition to the above generic events, the potential for plant specific overpressure transients was examined by screening the plant incident reports (PIRs) at MP3. This screen did not reveal any potential initiators outside of those listed above. The single significant observation made as a result of screening the PIRs is that MP3 has had several inadvertent safety injection actuation events during its relatively short operating history.

The RCS pressure can go up due to a) events that affect the heat input/heat removal balance (heat input transients), and b) events that affect the mass balance (mass input transients). The following sections address these two types of transients and the change in response to these transients due to ACI removal.

4.3.2 Heat Input Transients

4.3.2.1 Premature Opening of the RHRS

This type of event was not considered plausible and was not analyzed in detail, due to the following:

  • The "prevent-open" interlock of the RHRS prevents the opening of the interlock valves MV8701A/B and MV8702A/B unless the RCS hot leg pressure is less than 375 psig.(8)
  • This type of event has not occurred to date.

4.3.2.2 Rod Withdrawal

The Westinghouse analysis(7) determined that the rod withdrawal accident produced one of the least severe transients of those analyzed and would not overpressurize the RHRS. It has been determined that pressure would not exceed 110% of the RHRS design pressure. Based upon the 600 psi RHRS design pressure, 660 psig is not exceeded. This is well below the ACI set point of 765 psig. Further, RHRS relief valves would also be available to mitigate this transient. Therefore, removal of ACI has negligible, if any, impact on this transient.

4.3.2.3 Failure to Isolate RHRS During Startup

Failure to close all three MOVs during startup is not considered a credible transient, since this condition would become apparent when the RHR relief valves lift and discharge to the pressurizer relief tank (PRT). The unusually low pressure increase rate and the PRT alarms will warn operators that the RHR isolation valves are open.

If one or two of the three suction valves are left open, the RCS pressure may rise without exposing the RHRS to the high pressure, and the relief valves may not lift. A loss of coolant accident can occur if the closed valve opens or ruptures. Removal of the ACI has an impact on the frequency of this interfacing systems LOCA scenario. This impact was assessed in Section 4.1 under the Event V analysis.

4.3.2.4 Pressurizer Heaters Actuation

At MP3, according to the plant operating procedure OP3208, group A, B, D, and E pressurizer backup heaters are de-energized prior to aligning RHRS. If the operator decides to cool down with a bubble in the pressurizer to 140°F, the desired heaters are manually energized. Further, according to OP3201(10), during plant heatup (transition from Mode 5 cold shutdown to No Load operating conditions), the heaters are energized prior to isolating RHRS. Therefore, a likelihood exists for overpressure transients due to pressurizer heater actuation while the RHRS is lined up with the RCS. Removal of the ACI will remove one mitigating feature for this type of transient. In spite of the above, after discussions with MP3 operators, it was decided that this initiator does not warrant detailed analysis, due to the following:

  • Since this transient is very slow, the operator should recognize and terminate the transient.

  • RHRS relief valve limits the pressure increase.
  • To date, Westinghouse plants have not experienced this type of transient.

4.3.2.5 Startup of an Inactive Loop

When the reactor coolant pumps (RCPs) have been stopped, the steam generator water may remain at a relatively constant temperature greater than the RCS temperature. At MP3, the operators are instructed to have at least one RCP running when the RCS temperature is above 160°F. Therefore, the non-uniform temperature condition will prevail only when the RCS temperature is below 160°F. When there is a temperature difference between SG and RCS, if an RCS pump is inadvertently started, the sudden heat input will result in a rapid increase in RCS temperature. Westinghouse analysis estimates that the pressure change is approximately 1500 psi and occurs in roughly 90 seconds with no relief valve actuation.

The following reasons explain why ACI removal has a negligible impact upon the frequency of, or the response to, this transient:

  • The plant operating procedure OP3208 instructs the operator to stop all reactor coolant pumps and rack down and tag out all the RCP power supply breakers when the pressurizer temperature is 160-170°F and the RCS temperature is 130-140°F. Therefore, the likelihood of an inadvertent actuation of an RCP is extremely low.

  • In the event of an inadvertent actuation of an RCP, the rate of pressure rise is relatively rapid (1500 psi in 90 seconds) compared to the timeframe associated with closing of MOVs. Therefore, it is very likely that the RHRS will see the increased pressure for long enough in spite of the ACI feature. Hence, removal of the ACI has less of an impact.
  • Two mitigating features, a) the RHR relief valves and b) the cold overpressure protection system (COPPS), will reduce the impact of this accident on the RHRS. Note that, according to OP3208, COPPS is placed in service when the RCS temperature has been lowered to 425°F, before the RHRS is aligned to RCS.

4.3.2.6 Loss of RHRS Cooling Train

The continuous addition of decay heat into the reactor coolant with no heat removal by the RHRS cooling will result in a gradual rise in the RCS temperature and the RCS pressure. This overpressure transient does not warrant detailed analysis, due to the following:

  • The rate of pressure increase due to continuous addition of decay heat is relatively slow compared to the timeframe in which mitigating actions and RHR isolation actions can be taken, with or without the ACI feature.
  • With the ACI feature, if the pressure reaches the set point of 765 psia, the suction isolation MOVs will isolate the RHR within approximately two minutes. Without the ACI, however, with the new alarms to be added, the operators will be warned of the increasing pressure while the RHRs are lined up with RCS when the pressure reaches 440 psig (the set point of the new alarm). This pressure is low compared to the ACI set point of 765 psi. Therefore, the operators have more time available to them to close the suction isolation MOVs than in the case with ACI.
  • The operators can limit the RCS pressure by venting the pressurizer.

4.3.3 Mass Input Transients

4.3.3.1 Opening of Accumulator Discharge Valves

According to the plant heatup and cooldown procedures(2,10) at MP3, the following actions are implemented.

During plant cooldown, when the RCS pressure is lowered to 1015 psia, safety injection accumulator tanks are isolated by closing the valves 3SIL*MV8808A, MV8808B, MV8808C, and MV8808D. After these valves are closed, the valve power supply breakers are locked open.

During the plant heatup, the above supply breakers are energized, valves MV8808A/B/C/D are opened, and power supplies are locked out, before RCS pressure reaches 1000 psia. However, the above is performed after isolating RHRS. Therefore, MV8808A/B/C/D, the safety injection accumulator tank outlet isolation valves, are kept closed with power off of the supply breaker during the whole duration when RHRS is aligned to RCS.

Following the above sequence of events, the likelihood of SI accumulator discharge to RCS while RHRS is aligned is considered a low probability event.

In the event the above transient occurs, the pressure rise in RCS is limited by the pressure of the accumulators. At MP3, the accumulators are maintained at 650 psig under normal operation. Further, overpressure protection is provided to the accumulator by relief valves whose set pressure is 700 psig. Therefore, in the event the accumulator discharges to the RCS, the maximum pressure achieved will be less than 650 psig. Since the set point of ACI is 765 psia, the ACIs will not actuate during the above transient. That is, removal of ACI will have no impact on this transient.

4.3.3.2 Letdown Isolation; RHRS Operable

At MP3, the plant cooldown procedure (OP3208) instructs the operator to establish a letdown path using RHRS by opening the 3CHS-HC128 letdown flow control valve. If a failure occurs in the letdown path, a mass input transient can result with the RHRS operable. The following mitigating features may be challenged during this transient:

  • RHRS relief valves.
  • COPPS (PORVs and the Logic Circuits).
  • ACI (or manual isolation of RHRS).

Figures 5 and 6 show the event tree used to analyze this transient for the two cases, with and without ACI.

[Figure 5: Event tree for the Letdown Isolation; RHRS Operable transient, with ACI]

[Figure 6: Event tree for the Letdown Isolation; RHRS Operable transient, without ACI]

Initiating Event

Based upon operating experience, the frequency of the initiating event is estimated at 1.25E-01.

Event RV

The relief valve set point of the RHRS is 440 psig. The actual capacity of the two valves is 1060.9 gpm/valve. The maximum flowrate of a charging pump at MP3 is 560 gpm. Therefore, if one of two RHR RVs opens, the pressure rise due to letdown isolation can be arrested. Using the failure probability of 3.00E-4 for failure of an RV to open upon demand, the nodal probabilities are:

  P (1/2 RHR relief valves fails to open) = 3.00E-4 + 3.00E-4 = 6.00E-4
  P (2/2 RHR relief valves fail to open) = (3.00E-4)^2 = 9.00E-8

In the event both RVs fail to lift, the pressure surge will continue until the COPP system is challenged.

Event COP

COPPS (cold overpressure protection system) at MP3 consists of two pressurizer power operated relief valves (PORVs), and actuation logic to continuously monitor RCS temperature and pressure conditions when armed by the operator.

According to OP3208, the operator should arm COPPS when the RCS temperature has been lowered to 425°F. That is, COPPS is armed prior to aligning the RHRS with RCS.

The probabilities of failure to open one or both PORVs were calculated using fault trees. These fault trees are included in Reference 1.

Event RSV

If one or both of the RHRS RVs open, the relief capacity is more than adequate to relieve mass input from the charging pump. However, if both PORVs fail to open, then the pressure will rise until the ACI is actuated and the RHRS is isolated. This occurs when the pressure reaches the ACI set point of 765 psia.

MOVs 3RHS*8701A/B and 3RHS*8702A/B have the ACI feature. If the RCS pressure exceeds 765 psia, the ACI feature will automatically initiate the closing of these valves.

The probability of failure to close RHR suction valves with ACI is 2.23 × 10^-7. This number was derived from WCAP 11736-A after ensuring that the fault tree constructed for Callaway (Figure D-12, Reference 7) is applicable to MP3. The minor differences that exist between the Callaway and MP3 circuitry do not affect the above probability.

When the ACI feature is removed and replaced by an overpressure alarm, the nodal probabilities at event RSV will be different. Failure to close at least one MOV on each RHR train with the overpressure alarm is modeled using a fault tree in Figure D-13 of WCAP 11736-A. The failure probability at node RSV is dominated by the probability of operator error and is determined to be:

  = 1.11E-05 (if a previously demanded mitigating system is successful)
  = 9.42E-04 (if none of the previously demanded mitigating systems are successful)

The basis for these probabilities was examined, and it was determined that these probabilities are applicable to the MP3 analysis.

Events OA1, OA2, RVR

The basis for the nodal probabilities of these events was investigated. It was determined that the nodal probabilities used in the Westinghouse analysis for Callaway are applicable to MP3, as well.

Event POR

The probabilities of PORVs failing to re-seat were determined by quantifying a fault tree (Figure 11, Reference 1). These probabilities are:

  6.94E-4   P (1/1 PORV fails to re-seat)
  1.39E-3   P (1/2 PORV fails to re-seat)

Figures 5 and 6 show the event tree for the Letdown Isolation; RHRS Operable transient with and without the ACI feature, respectively. Table 5 summarizes the frequency of consequence categories. These consequence categories are as defined in Table D-5 of WCAP 11736-A.

The only consequence category that is affected significantly is HOPV. The frequency of this category increases from 3.86E-18 to 1.63E-14. Although this is an increase by a factor of approximately 4200, the significance of the impact is considered trivial due to the absolute magnitude of the frequencies. It is concluded that ACI removal has no significant impact on the Letdown Isolation/RHR operable transients, based on the low probability of failing to open both RHR RVs (9.00E-8) and the COPP system (1.54E-3).

Letdown Isolation - RHR Isolated

During a transient in which letdown and RHR isolate, the RHR ACIs are not available as a mitigating feature. Therefore, removal of the RHR ACI has no impact on the response to this transient. However, the frequency of the transient is significantly affected by the deletion of the ACI feature.

Table 5: Frequencies of Consequence Categories for Letdown Isolation - RHR Operable Event

  Consequence Category (1)    With ACI     Without ACI
  OK                          8.62E-02     8.62E-02
  LLFO                        5.49E-03     5.49E-03
  LLCO                        3.34E-02     3.34E-02
  LSFO                        1.65E-06     1.65E-06
  LSCO                        2.00E-05     2.00E-05
  LSFI                        6.96E-15     6.96E-15
  MOPI                        2.67E-12     2.66E-12
  LSCI                        2.96E-12     2.96E-12
  HOPI                        1.67E-12     1.66E-12
  HOPV (2)                    3.86E-18     1.63E-14

  (1) See Table D-5 of WCAP 11736-A for explanation of categories.
  (2) Only category that changes frequency to any measure. The consequence category is an interfacing systems LOCA without opening of any relief valves.

Table D-2 of WCAP 11736 lists 50 loss of RHR events due to spurious closure of isolation MOVs at Westinghouse plants. Based on total shutdown years of 112.4, the frequency of this transient is 0.445 per shutdown year. Based upon past experience, it can be conservatively assumed that 50% of these overpressure transients would be avoided by removing the ACI feature. Elimination of inadvertent isolation of RHRs is the major motivation to remove the ACI. Naturally, a 50% reduction in the initiator frequency with no other changes to nodal probabilities brings down the frequency of each consequence category by 50%.

4.3.3.3 Inadvertent SI Actuations

This overpressure transient was analyzed in detail since MP3 has had ten inadvertent SI events during its relatively short operating history. The detailed analysis included:

  • Examination of the ten SI events. Only three out of ten were found to have occurred during mode 5 and one event in mode 4. Therefore, six of the events were irrelevant to the RHR ACI removal study.
  • Discussions with operators on the past SI events and on the general response of the plant at mode 5 to inadvertent SI events.
  • Examination of pump flow rates and the capacities of the relief valves and the PORVs.
  • Examination of racking down and racking in procedures of the HPSI and charging pump motor breakers.

4.3.3.3.1 Review of Past Events at MP3

Since Millstone Unit 3 began operation, ten SI actuation events have occurred. Only four of these events occurred when the plant was in either operating mode 4 or mode 5. In one of these events, no injection to the reactor pressure vessel (RPV) took place. During the other events, the charging pump injected into the core. In all the events the plant was stabilized by resetting the SI signal and stopping the pump prior to progression of the overpressure transient.

4.3.3.3.2 Discussion with Operators

The purpose of the discussion was to a) confirm the operating procedures that require racking down of SI and inoperable charging pump breakers, b) obtain insights of the operators, and c) examine plant-specific vulnerabilities. During the discussions, the capability of RVs, PORVs, and the availability of COPPS were discussed. As a response to the numerous inadvertent SI events, a new procedure that requires the operator to install safety tags to close on 3SIH*MV8801A and 8801B, so that these valves will stay closed upon an SI signal, has been implemented. Therefore, injection into the RPV through the cold legs from the operable charging pump cannot occur during an inadvertent SI at MP3 (OP3208). Instead, an inadvertent SI signal will cause the operable charging pump to inject into the RWST.

4.3.3.3.3 Review of Operating Procedures

According to the plant cooldown procedure OP3208, the following actions are performed on the SI pump breakers prior to aligning RCS with RHRS:

  • Rack down the A and B SI pump breakers.
  • Rack down the inoperable charging pump breakers.

According to the plant heatup procedure, OP3201, the following actions are performed after aligning the RHR system to safety injection mode:

  • Rack in the other charging pump motor breaker.
  • Line up the high pressure safety injection for automatic operation.

The sequence of these steps indicates that when the procedures are followed, only one charging pump is powered with the RHRS aligned. Therefore, an inadvertent SI signal can cause only one pump (charging) to inject.

4.3.3.3.4 Relief Valve Capacity

The relief valves 3RHS*RV8708A and 3RHS*RV8708B are located inside the containment structure between the valves MV8701A and MV8701B for RHR train A and between the valves MV8702A and MV8702B for RHR train B. These relief valves lift when the RHR pressure exceeds the set point of 440 psi.(12)

As a part of the PRA analysis and in order to address an NRC concern, the relief valve capacities were examined in detail. Review of technical data sheets and calculation files revealed the actual capacity of each valve is rated at 1060.9 gpm at a back pressure of 3 psi. Since the maximum charging pump flow rates are 560 gpm for single pump operation and 740 gpm for two pump operation, it is concluded that the relief valves at MP3 are adequately sized to mitigate most overpressure transients.

WCAP 11736-A estimates the annual frequency of inadvertent SIs as 1.25E-1 based upon 112.4 shutdown years and 14 occurrences at Westinghouse plants. Based upon MP3 experience, four SI events have occurred in approximately 165 shutdown days, i.e., 165/365 shutdown years. Therefore, the MP3-specific inadvertent SI occurrence frequency is 8.85 occurrences per shutdown year, assuming the frequency remains the same in the future.

Any one of the two relief valves is capable of mitigating an inadvertent SI. However, assuming conservatively that only one RHR is aligned to RCS, 1/1 relief valves is needed to mitigate the accident. The failure probability of this event is 3.00E-4 according to WCAP-11736-A.

In the event the RVs fail, the subsequent pressure increase will demand the COPP system to mitigate the transient. The MP3-specific COPPS failure probability is 7.16E-02 for one out of 2 PORVs failing and 1.54E-03 for both PORVs failing. These probabilities were calculated using fault trees.(1) Opening of one out of two PORVs is considered adequate to mitigate an overpressure transient due to an inadvertent SI, since the water flow capacity through a single PORV exceeds 1000 gpm. Therefore, COPPS is considered failed only if both PORVs fail to open. The probability of this event is 1.54E-03. This probability was calculated using fault trees constructed for the MP3 PORVs.(1)

Based upon the above discussion, the frequency of an inadvertent SI leading to a demand of the ACI is:

  (8.85) × (3.00E-4) × (1.54E-3) = 4.09 × 10^-6

Given the probability of RHR ACI failure as 1.24E-7 (WCAP-11736-A), and the probability of operator error to isolate RHR when the ACI is removed as 9.42E-4 (WCAP-11736-A), the frequency of the undesirable consequence category resulting from an inadvertent SI increases from 5.07 × 10^-13 (4.09 × 10^-6 × 1.24 × 10^-7) to 3.85 × 10^-9 (4.09 × 10^-6 × 9.42 × 10^-4).

Although the frequency of the consequence category HOPV increases by a factor of approximately 7500, the impact of ACI removal is considered insignificant due to the extremely low absolute frequencies. This frequency will be even lower since a new operating procedure requires the two motor operated valves in the injection path to RCS from the charging pumps to be de-energized in the closed position. If the operator error probability to implement this step of the procedure is assumed to be 1.00E-2, the frequency of the inadvertent SI initiated sequence drops from 3.85 × 10^-9 to 3.85 × 10^-11.
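The sequence quantification of Section 4.3.3.3, as an added example that is not part of the original report: it walks a simplified three-heading event tree (RHR relief valve, COPPS, RHR isolation) for both cases and checks that the sequence frequencies sum back to the initiator frequency. The function names and sequence labels are this example's own, and the tagging credit is applied to the initiator frequency as an assumption matching the report's final step.

```python
"""Added example: inadvertent-SI sequence quantification, Section 4.3.3.3."""

# Values quoted in Section 4.3.3.3 of the report.
SI_EVENTS = 4                 # inadvertent SI events in mode 4 or 5 at MP3
SHUTDOWN_DAYS = 165           # approximate shutdown exposure
P_RV_FAILS = 3.00e-4          # 1/1 RHR relief valve fails to open
P_COPPS_FAILS = 1.54e-3       # both PORVs fail to open
P_ISOLATION_FAILS = {
    "with ACI": 1.24e-7,      # ACI fails to close the suction MOVs
    "without ACI": 9.42e-4,   # operator fails to isolate RHR on the alarm
}
P_TAG_ERROR = 1.00e-2         # assumed operator error on the valve-tagging step


def initiator_frequency(events=SI_EVENTS, days=SHUTDOWN_DAYS):
    """Events per shutdown year, rounded to the two decimals the report uses."""
    return round(events / (days / 365.0), 2)


def quantify(init_freq, top_events):
    """Walk a fail-through event tree.

    top_events is an ordered list of (name, p_fail). Each system is demanded
    only if every earlier one failed, so each node splits the carried
    frequency into a success sequence (which ends there) and a failure branch.
    Returns a list of (sequence label, frequency per shutdown year).
    """
    sequences = []
    carried = init_freq
    failed = []
    for name, p_fail in top_events:
        label = " / ".join(failed + [name + " succeeds"])
        sequences.append((label, carried * (1.0 - p_fail)))
        carried *= p_fail
        failed.append(name + " fails")
    sequences.append((" / ".join(failed), carried))
    return sequences


def inadvertent_si_tree(case, credit_tagging=False):
    """Sequences for 'with ACI' or 'without ACI'."""
    init = initiator_frequency()
    if credit_tagging:
        # Injection reaches the RCS only if the tagging step was missed.
        init *= P_TAG_ERROR
    return quantify(init, [
        ("RHR RV", P_RV_FAILS),
        ("COPPS", P_COPPS_FAILS),
        ("RHR isolation", P_ISOLATION_FAILS[case]),
    ])


def isolation_demand_frequency():
    """Frequency at which RHR isolation is demanded (same in both cases)."""
    seqs = inadvertent_si_tree("with ACI")
    return seqs[-2][1] + seqs[-1][1]


def unmitigated_frequency(case, credit_tagging=False):
    """Frequency of the sequence in which all three headings fail."""
    return inadvertent_si_tree(case, credit_tagging)[-1][1]


if __name__ == "__main__":
    for case in P_ISOLATION_FAILS:
        print(case)
        for label, freq in inadvertent_si_tree(case):
            print("  %-55s %.2e" % (label, freq))
    ratio = unmitigated_frequency("without ACI") / unmitigated_frequency("with ACI")
    print("increase factor: %.0f" % ratio)
    print("without ACI, tagging credited: %.2e"
          % unmitigated_frequency("without ACI", credit_tagging=True))
```

Only the last sequence differs between the two cases; every sequence in which a relief valve or COPPS succeeds is unchanged by ACI removal.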

5 SUMMARY AND CONCLUSIONS

5.1 Interfacing Systems LOCA Frequency

As illustrated in Table 1, the removal of the ACI feature and replacing it with an alarm that occurs when the reactor pressure exceeds a set point of 440 psig while RHR suction MOVs are open reduces the Event V frequency at Millstone Point 3 by approximately 2.3%. The lowering of the Event V frequency is driven by the reduced probability of operator error to recognize that an RHR suction MOV is open via the new alarm to be installed.

The reduction in Event V frequency was subjected to a sensitivity analysis after:

  a) reducing the valve rupture rate from 1.00E-07 to 3.00E-08, and
  b) the change in (a) above combined with a reduction of the valve left open probability by a factor of 10.

For these two cases (a) and (b), the differences in Event V frequencies (with and without ACI) were 2.2% and 1.4%, respectively.

Based upon the above analysis, it is concluded that replacing the RHR ACI with the proposed alarm has no undesirable impact on the Event V frequency at MP3.

5.2 RHR Unavailability

According to Tables 3 and 4, the removal of ACI will reduce the RHR short-term unavailability by 12%, from 1.64E-2 to 1.45E-2. Further, removal of the ACI feature significantly reduces the long-term RHR unavailability (approximately 70%), from 3.94E-2 to 1.19E-2. These results clearly convey the major advantage of removing the ACI feature.

5.3 Overpressure Transients

5.3.1 Heat Input Transients

Six initiators leading to overpressure transients during shutdown were examined. The removal of the RHR ACI does not affect risk attributed to heat input transients.

In general, except for the inadvertent start of an RCP, the pressure transients attributed to the other heat input transients develop relatively slowly. Therefore, the function of the RHR ACI can easily be accomplished by the new alarm to be installed. The new alarm warns the operator of the high pressure condition in RCS when the pressure exceeds 440 psig. The set point for the ACI which the alarm replaces is 765 psia. Therefore, the new alarm will increase the time available to respond to the high pressure condition. This additional time will compensate for the delay of several minutes which the operator needs to close the RHR suction isolation valves after the alarm sounds.

The inadvertent RCP startup frequency is low due to precautions taken, such as racking down and tagging out all the RCP power supply breakers.

Furthermore, in the unlikely event of an inadvertent RCP startup, the pressure transient is too rapid for either the ACI feature or the alarm (to be installed) to accommodate. In addition, the RHR relief valves and the PORVs provide a relief path to mitigate this transient.

5.3.2 Mass Input Transients

Three different mass input transients were examined. The frequency of transients attributed to the opening of accumulator discharge valves is extremely low since the isolation MOVs are closed and power is removed from the breakers. Further, since the accumulators are maintained at 700 psi, the maximum pressure attributed to this transient is well within the capabilities of RHR RVs, and the RHR ACIs will not be challenged due to their 765 psia set point.

The "Letdown isolation; RHRS operable" transient analysis illustrates a major advantage of removing the RHR ACI. Specifically, when the ACI is removed the frequency of this transient will reduce significantly.

The inadvertent SI actuation transient was examined in detail since four events have occurred during the relatively short duration of the MP3 history. None of the above events progressed to an extent where the RHR ACI was demanded. It is concluded that the removal of the RHR ACI has no significant impact on this overpressure transient due to a) adequate capacity of RHR RVs, b) adequate capacity of PORVs, and c) modification to the plant procedure that would direct the inadvertent SI actuated charging flow to the refueling water storage tank (RWST), rather than to the RCS.

6 RECOMMENDATIONS

At MP3, the RHR ACIs are associated with valves MV8701A and MV8701B in RHR Train A and valves MV8702A and MV8702B in RHR Train B. Therefore, when the RHR ACI is deleted, the new alarms will be associated with these valves, too. However, the pressure isolation valves (PIVs) of the two RHR suction paths are MV8701C and MV8701A for RHR Train A and MV8702C and MV8702B for RHR Train B. That is, two of the overpressure alarms will be associated with two non-PIVs, MV8701B and MV8702A. These two valves are not designed to withstand the RCS pressure for extended durations.

If the new alarms are installed on the valves MV8701C and MV8702C instead of MV8701B and MV8702A, the interfacing systems LOCA frequency can be lowered. However, such a design change is not recommended due to the following:

  • A cost benefit analysis performed using the MP3 ISAP procedure(13) indicates a relatively low benefit.
  • Existence of alternative actions, such as procedural changes, that would compensate for not having the ACIs or the new alarms on two PIVs.
  • The probability of leaving MV8701C and MV8702C in the open position is already very low due to the existence of a leak rate test.(14) The sequence of activities performed during the leak rate test can be summarized as follows:

    i. Close MOVs MV8701A and MV8701C.
    ii. Leak test MV8701A (gradually opening MV8701C).
    iii. Close MV8701C.
    iv. Remove power from MV8701C.
    v. Leak test MV8701C.

Since power is removed from the valves MV8701C and MV8702C, the probability of spurious opening is extremely low for these valves. Therefore, the probability of the "valve left open" event is dominated by the product of the probabilities of operator errors to close MV8701C and failure to leak test MV8701C. While the product of the two operator errors will be low, it can be further reduced by checking the valve position from the control room after the leak test is completed, prior to entering mode 1. Such an action, and/or periodic checking of the valve position indication of MV8701C and MV8702C, will compensate for not having the new alarm on valves MV8701C and MV8702C.

7 REFERENCES

1. S. D. Weerakkody, "RHR ACI Removal," Analysis File W3-517-940-RE, Revision 0, April 1990.
2. OP3208, Millstone Unit 3 Procedure, "Plant Cooldown," Revision 4.
3. OP3310A, Millstone Unit 3 Procedure, "Residual Heat Removal," Revision 3.
4. Generic Letter 87-12, "Loss of RHR while the RCS is Partially Filled," USNRC, July 9, 1987.
5. Generic Letter 88-17, "Loss of Decay Heat Removal," USNRC, October 17, 1988.
6. USNRC, Backfit Analysis in Support of the Proposed Generic Letter, "Loss of Decay Heat Removal," September 20, 1988.
7. WCAP 11736-A, "Residual Heat Removal System Autoclosure Interlock Removal Report for the Westinghouse Owners Group," Revision 0.0, October 1989.
8. S&W Dwg. No. 12179-ESK-6QT, Elementary Diagram 480 VAC Residual Heat Removal System Inlet Isolation Valve (3RHS*MV8701A), Revision 10, May 8, 1988.
9. S&W Dwg. No. 12179-ESK-6QR, Elementary Diagram 480 VAC Residual Heat Removal System Inlet Isolation Valve (3RHS*MV8701C), Revision 9, May 4, 1988.
10. OP3201, Millstone Unit 3 Operating Procedure, "Plant Heatup," Revision 4.
11. Final Safety Analysis Report, Millstone Nuclear Power Station Unit 3, September 1988 Revision.
12. S&W Dwg. No. 12179-EM-112A-11, "P&ID; Low Pressure Safety Injection," Revision 11, November 9, 1989.
13. E. A. Oswald, MP3 Public Safety Impact Model, Revision 0, February 2, 1988.
14. SP3601F.4 (Steps 7.3 and 7.10), Millstone 3 Leak Test of the RCS Loop 1 and 4 Suction Valves of the RHR Train A and Train B.
}}