ML20069N883
ML20069N883 | |
Person / Time | |
---|---|
Site: | Shoreham |
Issue date: | 12/02/1982 |
From: | James Smith LONG ISLAND LIGHTING CO. |
To: | Harold Denton Office of Nuclear Reactor Regulation |
References | |
SNRC-805, NUDOCS 8212070219 | |
Download: ML20069N883 (99) | |
Text
LONG ISLAND LIGHTING COMPANY
SHOREHAM NUCLEAR POWER STATION
P.O. BOX 618, NORTH COUNTRY ROAD, WADING RIVER, N.Y. 11792

December 2, 1982
SNRC-805

Mr. Harold R. Denton, Director
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Evaluation on Internal Flooding
Shoreham Nuclear Power Station - Unit 1
Docket No. 50-322
Dear Mr. Denton:
The purpose of this letter is to respond to an NRC letter dated September 29, 1982 for a LILCO evaluation of concerns expressed by Future Resources Associates (FRA), regarding reactor building internal flooding sequences due to inadvertent valve operation during maintenance. The following enclosures (forty copies) are provided:
Enclosure 1 - Response to the FRA estimate of core vulnerable condition¹ due to postulated internal flooding sequences.
Enclosure 2 - A detailed re-analysis by our PRA consultant, Science Applications, Inc. (SAI), of postulated flooding sequences that lead to a core vulnerable condition. Flow rates, water sources, equipment vulnerability levels, and response times are addressed in an appendix to this report.

¹ The term "core vulnerable" as utilized in the draft Shoreham PRA refers to a time-dependent loss of core cooling function. No credit is taken in this calculation for systems such as condensate transfer, ultimate cooling or fire pump which are also available to the operator. These systems were evaluated in the containment event tree portion of the Shoreham draft PRA in the calculation of core melt probability.

The basic conclusions of the re-analysis are:
- 1. The internal flooding initiator is a highly improbable event which requires gross violations of power plant administrative controls on maintenance not accounted for in the FRA analysis.
- 2. Internal flooding sequences due to maintenance leading to core vulnerable states are not dominant accident sequences for Shoreham when compared with other accident sequences evaluated in the draft Shoreham PRA. A conservative estimate of the core vulnerable frequency contribution is 1.5 x 10^-6/year.
- 3. An as-built survey of electrical equipment was performed and confirms that the reactor building floor area is sufficiently large to accommodate very large quantities of water prior to inundating safety equipment.
- 4. Both non-safety and safety-grade level instrumentation alarms in the control room provide the reactor operator an early warning of potential flooding hazards.
- 5. The operator can isolate the flood source from the control room.
- 6. Given a flooding condition, safe shutdown can be achieved with the power conversion system per emergency procedures which is not degraded by the flooding condition due to its location.
The condensate system provides a highly reliable source of water in all scenarios. In addition, the availability of feedwater pumps was treated conservatively in this analysis taking into account flooding scenarios which potentially lead to reactor isolation.
The above conclusions are consistent with those of the draft Shoreham PRA.
In response to your request for a LILCO position on design changes, the following information is provided:
The Shoreham PRA was performed as a continuing risk management tool for use by LILCO over the life of the plant. The Shoreham PRA addresses the sources of risk associated with postulated accident sequences in comparable detail to a "level 3" PRA. In addition, the Shoreham PRA includes a detailed state-of-the-art technology evaluation of both in-plant and ex-plant consequences associated with the identified low probability accident sequences.
In addition to the above scope of work, LILCO identified that a specific probabilistic analysis should be performed on the impact of the release of excessive water onto the elevation 8'0" floor of the reactor building.
The results of the updated probabilistic analysis of the internal flood sequences due to maintenance indicate that the calculated frequency of these postulated events taken together represent a small fraction of the best estimate core vulnerable frequency.
Based upon this finding, the sequences involving postulated large internal floods do not represent risk "outliers" at Shoreham.
This small contribution should be evaluated along with the other identified contributors to risk to determine if there are any cost-effective methods to minimize the frequency of identified risk contributors. Plant or procedural changes should be assessed in the context of a cost/benefit evaluation recognizing that residual risks will persist despite the changes in a single group of sequences.
Based upon LILCO's cost/benefit considerations, coupled with the fact that the frequency of the postulated sequences is very low, there does not exist sufficient justification for plant modifications to further reduce the frequency of these postulated sequences.
However, LILCO's review of the SAI re-analysis indicates that although the overall risk due to internal flooding events is very low, the opportunity does exist for prudent positive actions that provide additional cost-effective risk reduction in both the areas of prevention and mitigation of postulated flooding events. In this light, the following actions will be taken by LILCO:
- 1. Tagging procedures will be enhanced to provide additional appropriate cautionary information to maintenance personnel on specific boundary valves which have been shown to be important to flooding sequences, and
- 2. LILCO will continue efforts with the BWR Owners Group to arrive at a meaningful Secondary Containment Control Procedure which will provide additional specific guidance to the operator for dealing with postulated flooding events.
In the course of finalizing the preparation of this submittal, a letter from the NRC (A. Schwencer) to LILCO (M. S. Pollock), dated November 24, 1982, was received which requested additional information. LILCO has reviewed this letter and has concluded that the SAI re-analysis enclosed, in conjunction with additional information forwarded by letters SNRC-794, SNRC-792, and SNRC-783, is responsive to this request.
It should be noted that FRA did not, in its analysis, account for the fundamental fact that boundary valves of concern to flooding sequences are required both by LILCO procedure and standard power plant operating practice to be de-energized during maintenance acts.
This omission in the FRA analysis in large part accounts for the discrepancy in the calculation. The enclosed SAI analysis resolves this discrepancy and others.
This submittal concludes LILCO's review of the FRA concerns and should, in LILCO's judgement, close this issue on the Shoreham docket.
Should you have any questions, please contact this office.

Very truly yours,

J. L. Smith
Manager, Special Projects
Shoreham Nuclear Power Station

RJT:jm
c.c.: J. Higgins
All Parties
ENCLOSURE 1
RESPONSE TO FUTURE RESOURCES COMMENTS CONCERNING INTERNAL FLOODING DUE TO MAINTENANCE ACTS

In response to the Future Resources Analysis (FRA) comments concerning the internal flood analysis appearing in the Shoreham draft PRA, a complete reanalysis has been performed. This conservative analysis estimates that there are maintenance induced internal flooding sequences involving Elevation 8 of the reactor building having a core vulnerable frequency value of 1.5E-6. This result indicates that these flooding scenarios have a small contribution to risk on the order of 3%. The following discussion compares the results of this reanalysis reconstructed to the form of the sequence mentioned in the FRA draft report.
The FRA report presents the following approximation for a maintenance-induced-flood core vulnerable accident.

$$E[N_A(\text{one year})] \times P(B/A) \times P(C/A) \times P(D/A \cap B \cap C) \times P(E/A \cap B \cap C)$$

where:
- E[N_A(one year)]: expected no. of on-line maintenances per year
- P(B/A): probability that the system is disassembled given maintenance
- P(C/A): probability that the operator opens the isolation valve during maintenance
- P(D/A∩B∩C): probability operator fails to reclose the isolation valve
- P(E/A∩B∩C): probability that the operator erroneously isolates the power conversion system during flooding
The following discussion compares the SAI reanalysis of this expression with the analysis appearing in the FRA submittal for a human error during HPCI maintenance event.

E[N_A(one year)] x P(B/A)

The FRA analysis for this combination of events was done by assuming the number of maintenance acts per year is 1.08, and the probability that a maintenance act will cause a system to be disassembled is 0.1. This yields a probability for the combination of the frequency of E[N_A(one year)] x P(B/A) to be 0.108 per reactor year. In a more detailed analysis, SAI has used the LER data base for turbine driven pumps used in BWRs, to determine the expected number of failures per year for the pump. While all the reported failures do not require the system to be opened for maintenance, use of this number will, to some extent, account for unreported maintenance acts that cause the system to be opened. This calculation is described in the revised Appendix A of the submittal, and estimates the value for E[N_A(one year)] x P(B/A) of 0.079. Although this number is not significantly different from the FRA value, the estimate derived from the LER data base is judged to be more realistic.
P(C/A)

The FRA analysis uses the upper bound of 2.0E-2/maintenance outage as the value for P(C/A). This value was taken from Swain and Guttmann as an upper bound due to an assumed 3.5 day maintenance outage. This value is for a simple valving error during a maintenance act. SAI has performed a detailed human reliability analysis of the maintenance procedure requiring isolation of the pump, the associated valves and their controls. This analysis indicates that the maintenance procedures call for power to be removed from the valve operators. When power is removed, remote operation of the valves is not possible. In addition, the location of the valves, close to the location where water would be released, makes it highly unlikely that local manual operation of the valves could take place without the operator noticing the water flow and reclosing the valve. Therefore, if power is removed from the isolation valves, it is highly unlikely that the system will become unisolated. The probability of an inadvertent opening of an isolation valve is the product of two parts: 1) the probability that power is not removed from the valve and 2) the operator inadvertently operates the valve. The conservative estimate for the first event is 0.01, while the estimate used for the second event is 0.02. This yields a probability for P(C/A) of 2x10^-4 (0.01 x 0.02).

P(D/A∩B∩C)

The FRA analysis used the curve estimating human performance after a large LOCA to estimate the probability. The estimate used for this event by FRA is 0.25 due to the assumed highly stressful conditions. SAI has performed a detailed analysis of this event including a procedural and control room review. This analysis used new information concerning cognitive behavior, and simulator data to derive a time-dependent model of operator actions subsequent to a flood event. For the event analyzed here the estimated time available for operator action is 13-17 minutes, depending on the source of water. Using this, the estimated probability for event P(D/A∩B∩C) is 0.1 since it is likely that the flood would be the only "off normal" event going on in the control room for an operator error induced flood during major maintenance.

P(E/A∩B∩C)

The FRA analysis of this event concludes that due to the stressful situation a value of 0.25 or higher is appropriate. In the detailed analysis, SAI has evaluated all possible dependencies that would preclude the use of the PCS (feedwater, and condensate) to become unavailable during a flood event occurring while the reactor is at power. The availability of feedwater pumps was found to be dependent on operator actions following a flood event. The condensate system was found to be a highly reliable source of water in all sequences. The SAI analysis estimates the conditional probability that, given a flood, the probability of core vulnerable sequence is approximately 0.038.

Evaluation of the Resulting Expressions

Evaluation of the expression for flood frequency is shown below:

FRA analysis
0.108 x 0.02 x 0.25 x 0.25 = 1.35 x 10^-4/reactor year

SAI detailed reanalysis
0.079 x 2x10^-4 x 0.1 x 0.038 = 6.6 x 10^-8/reactor year

SAI believes that the detailed analysis performed shows that the core vulnerable frequency of flooding scenarios involving HPCI maintenance is conservative. A more realistic analysis estimates a frequency 3 orders of magnitude lower than the FRA approximation found in their draft report.
SAI-336-82-PA

ENCLOSURE 2
Event Tree Evaluation of Sequences Following a Release of Excessive Water In Elevation 8 of the Shoreham Reactor Building Due to Postulated Errors During Maintenance.

November 1982

Prepared For: Long Island Lighting Company
Prepared By: Science Applications Inc., 5 Palo Alto Square, Suite 200, Palo Alto, California 94303
1. Event Tree Evaluation of Sequences Following a Release of Excessive Water in Elevation 8 of the Shoreham Reactor Building Due to Postulated Errors During Maintenance

The SNPS Reactor Building surrounds the Mark II containment structure. The majority of safety-related equipment is located throughout the Reactor Building, with the largest concentrations located on elevation 8, the lowest level. All of the ECCS pumps are located in the Shoreham Reactor Building at elevation 8 in a large cylindrical compartment. Such an arrangement provides the benefits of good maintenance access and the capability for natural circulation compartment ventilation; however, there is also a remote possibility of a common mode event disabling all the equipment in the elevation 8 compartment. Therefore, in addition to the initiators considered for a Level 3 PRA (1), the SNPS PRA also includes an evaluation of the potential for public risk due to possible common mode events such as a high water level in the elevation 8 compartment which may disable the ECCS equipment.

A typical scenario involving the release of water into the elevation 8 compartment consists of the following items:
- Leakage in the reactor building would drain to elevation 8' (lowest level) via openings and stairwells
- The reactor building sump indication would give early indication in the control room that water was collecting in the sump
- The ECCS Instrumentation would assist in determining leakage from any safety train for immediate operator isolation
- Redundant, safety related water level detectors located on elevation 8' would alarm in control room at approximately flood level (approximately 2000 gallons)
- Pumpback system is operated to continuously control postulated leakage by returning leakage to the suppression pool
- The operator takes action to terminate the leak and safely shutdown the plant using normal makeup systems or available ECCS equipment.

Based upon the available indication to the operator, and the capability of the available sump and pump back systems, it is judged that small to medium leaks in the Reactor Building are adequately mitigated by the existing systems and produce a negligible contribution to potential core vulnerable states. However, large postulated leaks may compromise the availability of several systems, therefore this section presents an evaluation of the frequency of core vulnerable conditions resulting from a large release of water within the Reactor Building.

In order to place these postulated flooding sequences in perspective, it should be recognized that:
- The large release of water in elevation 8 is an unlikely event.
- Elevation 8 safety grade water level instrumentation alarms are located in the control room to alert the operator to the potential hazard.
- Safe shutdown can be performed with equipment which is not affected by the postulated flood.

This section provides the logic models used in the evaluation of postulated accident scenarios associated with the release of excessive water into the elevation 8 compartment. Figure 1 is a flow chart of the steps and information flow developed for the evaluation of large releases of water in the Reactor Building. The discussion to follow includes:
- Initiating sources and the potential paths which would lead to sufficient water in the Reactor Building to disable the equipment in elevation 8
- Vulnerability of the equipment if a quantity of water collects in elevation 8 as a function of the height of the postulated flooding.
- Potential alternative sources of coolant makeup and containment heat removal if a disabling release of water into elevation 8 should occur
- Quantification of the event trees describing the frequency of unacceptable conditions for each unique water source and pathway to elevation 8 accounting for both automatic and operator action in response to the postulated flood.

Appendix A provides additional details on the elevation 8 evaluation.

1.1 Initiating Sources

The likelihood of an initiator can be derived by examining the potential water sources involved and the possible paths available to lead to the release of water into elevation 8. Table 1 lists the sources and quantity of water each contains. Of these sources only the CST, suppression pool, and the service water system can supply water for maintenance induced floods.
Table 1
SUMMARY OF POTENTIAL WATER SOURCES WHICH MAY RELEASE EXCESSIVE WATER IN REACTOR BUILDING

SOURCE | QUANTITY (Gallons) |
---|---|
Suppression Pool | 160,000* |
Condensate Storage | 550,000 |
Reactor Primary System** | a) 42,928 b) 152,928 |
Screenwell (Long Island Sound) | Unlimited |

* Total water volume in the suppression pool at the high water level mark is 608,500 gallons.
** Figure "a" includes water from the bottom of the core to the normal water level in the RPV. Figure "b" includes "a" plus condenser hotwell water.
1.2 Vulnerability of Equipment

If large quantities of water are introduced into elevation 8, important equipment may become inoperable. Some of the principal equipment in the elevation 8 compartment includes the following:
- HPCI Pump and Electrical Panels
- RCIC Pump and Electrical Panels
- Core Spray Pumps and Electrical Panels
- LPCI Pumps and Electrical Panels
- RHR Heat Exchangers
- Recirc Pump MG-Set Fluid Coupler Cooling Water Pump Motor Control Centers

Each piece of equipment has different vulnerability aspects. Some equipment such as heat exchangers and tanks are not judged to be adversely affected under any water-related condition. However, most pumps, turbines, and electrical panels are assumed to be disabled if water comes in contact with any electrical feature on the equipment. No credit is assumed for low conductivity water sources such as CST in which electrical shorting is less likely to occur.

The combined capacity of the elevation 8 sump pumps is 640 gpm. The quantity of water and related flow rates given in Appendix A indicate that the sump pumps are not adequate to prevent excessive water collection in elevation 8 for certain unlikely sequences of events.

The calculated height of water collection in elevation 8 is found to be higher than the above principal equipment in some scenarios; therefore, resulting in disabling the ECCS equipment cited above (see Table 2).
Table 2
SUMMARY OF VITAL EQUIPMENT ASSOCIATED WITH SAFETY SYSTEMS LOCATED IN THE ELEVATION 8 COMPARTMENT AND THE POSTULATED HEIGHT AT WHICH VITAL EQUIPMENT COULD BE DISABLED

SYSTEM | ASSOCIATED SYSTEM VITAL EQUIPMENT | MINIMUM POSTULATED DISABLED HEIGHT (NOTE 2) | FAILURE MODE |
---|---|---|---|
HPCI | HPCI INST. (1E41*PS023A-D) | 1' - 10" | HPCI ISOLATION |
RCIC | RCIC INST. (1E51*PS026A, B) | 2' - 0" | RCIC ISOLATION |
LPCI | RHR INST. RACK A, B (1E11*PDS001A, B) | 3' - 10" | RHR LOGIC DISABLED |
CORE SPRAY | CORE SPRAY INST. RACK A, B (1E21*PDS033A, B) | 3' - 10" | INJECTION VALVE CLOSURE |
RECIRC PUMPS (MG-Set) | MOTOR CONTROL CENTERS (11D1, 12D1) | 1' - 6" | COOLING WATER PUMP TRIP FOR FLUID COUPLER (NOTE 1) |
CONDENSATE | NONE | NONE | NONE |

NOTE 1: Due to oil heatup, trip of recirculation pump MG-SET is calculated to occur in approximately 7.5 minutes following loss of MCC. Emergency procedures require initiation of Emergency Shutdown on loss of cooling water indication in control room.
NOTE 2: Based on physical survey of electric component position and postulated electrical shorting effects.

The following pumps or systems are available to provide coolant injection to the reactor vessel in the event that the ECCS equipment on elevation 8 are disabled:
- 1. High pressure
  - Feedwater
  - Control Rod drive
  - Stand by Liquid Control
- 2. Low Pressure
  - Condensate
  - Condensate Transfer Pumps
  - Service Water Pumps
  - Diesel Fire Pump*

* Treated in the Containment Event Trees

Each of these pumps is considered in the evaluation of the coolant injection function; however, some of the cited alternatives have a relatively small effect on the calculated reliability of coolant injection.
For postulated floods during normal or accident conditions, Shoreham has a redundant level alarm system, powered by emergency supplies, at elevation 8 in the reactor building secondary containment. The main purpose of this alarm system is to provide indication in the main control room of any unacceptable water buildup at elevation 8. This alarm system is not the only means to provide a warning of a potential flood problem since alternate instrumentation and continuous running of the sump pumps (indicated by a light in the control room) would also provide indication of excessive leakage. The sump pumps and their associated alarm system are powered from normal power buses.

1.4 Quantification of Event Tree Sequences Following A Release of Excessive Water into the Reactor Building

This section provides the event trees used to quantify the frequency of events leading to core vulnerable states resulting from a release of water into elevation 8. The event trees portray the sequences of events following a major maintenance action on a safety system requiring system disassembly while the plant is at power.

Two sets of event trees are constructed to reflect the pathways to postulated core vulnerable conditions from each of the above. The two sets of event trees referred to here and the role that each of these two play in the assessment process is as follows:
- Initiator event trees: Using a major maintenance act as the starting point, subsequent operator actions are accounted for in the determination of the potential course of the accident. These initiator event trees are used to sort out similar plant conditions, entry condition states (regardless of how the plant reached that state), so that these entry states can be used to enter the systemic event trees.
- Systemic event trees: Using the entry condition states and frequencies determined from the initiator event trees, the systemic event trees are then used to determine the likelihood of particular plant response paths for similar entry condition states. The quantification of successful core cooling and containment heat removal is performed for each initiator type using the same event tree structure repeated for each of the entry states.

In summary, the quantification of the postulated flooding sequences which could result in core vulnerable conditions takes place in two steps: (1) the initiator event trees are used to sort out operator action and plant state, and the results summarized by collecting similar plant conditions together for entry into the second groups of event trees; (2) the system event trees are then used to quantify the plant response for the predisposed entry states determined in the initiator event trees.
1.3.1 Initiator Event Trees

The initiator considered in the structuring of the event trees is a major maintenance act which requires exposing safety system to the Reactor Building atmosphere. These initiator event trees are each addressed separately with a short discussion of the considerations used in quantifying the functional events in each event tree type. The initiator event trees are formulated to discretize the continuum of potential end states possible in postulated flooding events. These discrete states are then lumped together in manageable groupings based upon similar effects on plant systems.

Following the discussion and quantification of individual initiator event trees, the results are summarized in a matrix format. The calculated frequencies from the initiator event trees are collected together into similar bins within the matrix which are then used as entry condition states for the systemic event trees.

It should be noted that within the initiator event trees are a number of automatic and manual actions. The characterization of operator response under the postulated flooding conditions is crucial to the quantification. As has been noted elsewhere in this PRA and in the open literature, the quantification of operator action is subject to relatively large uncertainties. The operator response model used to quantify operator action following postulated internal flood sequences assumes that the Shoreham operators and shift supervisors are thoroughly trained in the procedure to be used in the event of a high water level alarm in the Reactor Building.

The end points of the initiator event trees are the entry condition states for the systemic event trees. The critical height used in this analysis is 3'-10"; all ECCS systems are assumed to be disabled if the flood is not isolated before this height is reached. There are four principal entry condition states derived from the potential flood initiators; these are the following:

The four principal reactor plant states are determined by the source of water, either the CST (C), or other (O) (suppression pool, service water); and by the reactor status, either a manually initiated controlled shutdown (T), or an automatic trip from high power resulting in an MSIV closure (S). The four events are designated as follows:
- T-C: A flood resulting in the loss of inventory from the CST, combined with a controlled shutdown (turbine trip) of the reactor according to emergency procedures.
- T-O: A flood resulting from loss of inventory from other sources (suppression pool, service water), combined with a controlled shutdown (turbine trip) of the reactor according to emergency procedures.
- S-C: A flood resulting in the loss of inventory from the CST, combined with an MSIV closure that results in loss of feedwater.
- S-O: A flood resulting from loss of inventory from other sources, combined with an MSIV closure that results in loss of feedwater.

The following discussion focuses on the description and quantification of the initiator event trees.

INITIATOR EVENT TREE: Major Maintenance Actions

One mechanism for the release of water into the Reactor Building is due to a combination of major maintenance on a system in the Reactor Building, coupled with an event that provides a flow path to the Reactor Building from a large water source. This subsection provides the event tree quantification for the following maintenance initiator event tree types:

(1) RCIC
(2) HPCI
(3) Core Spray
(4) LPCI
(5) Service Water

The maintenance initiator event trees for these systems are presented in Figures 2 through 6. The following brief discussion of the functional events is provided for the understanding of the postulated sequences and their quantification. Additional details are presented in Appendix A.

INITIATING FREQUENCY Major Maintenance (TFL1 - TFL5): Cases occur during reactor power operation when a safety system may require major maintenance. Here, major maintenance refers to those actions which would require disassembly of system components eliminating one barrier between large sources of water and the Reactor Building. The calculation of the frequency of such major maintenance actions is done for each system and is presented in Appendix A.

PROCEDURE (P): According to Shoreham procedures during maintenance actions the operator is required to remove power from the valves which isolate the maintenance items from potential water sources. Failure to remove power from the isolation valves could result in either automatic opening on an accident challenge (D) or accidental manual opening from the control room (E C
Local opening of the isolation valves (from the motor control center (MCC) or local manual) is judged to be negligible since there is no convenient way for the operator to de-isolate the system.

DEMAND (D): In the unlikely event that the operator fails to follow the maintenance procedure and remove power from the isolation valves, there is a possibility that a transient challenge for safe shutdown may occur during the major maintenance outage which also results in an automatic challenge to opening the system valves. The probability of the demand includes the automatic or manual action to open the isolation valves.

SOURCE (S): For some systems there is a possibility that suction can be taken from either the CST or the suppression pool. This branch point is an artifice used to distinguish these features for use in sorting the potential sequences.

OPERATOR MAINTAINS ISOLATION (E C L challenge for the safety system there is some small probability that an operator error may occur during major on-line maintenance which would result in inadvertent opening of the isolation valves.

FLOOD ANNUNCIATION (I): Control room annunciation of the fact that excessive water is present in the Reactor Building is based strictly on the estimated reliability of the water level instrumentation system.

OPERATION ACTION (A): The operator's ability to isolate the source of the water release into the elevation 8 is based upon an operator response model discussed in detail in Appendix A. This is a time-dependent function and is evaluated at the time for which operator response would prevent extensive environmental stress on the safety system operation, a flooding to a 3'-10" depth.

PLANT/REACTOR STATUS (R): Since the primary method of coolant injection and containment heat removal is the use of the power conversion system, the status of the power conversion system is a key parameter in assessing the mitigating capability of the plant given a flood induced in elevation 8. As described in Appendix A a value of 0.3 conservatively bounds the possibility of the flood inducing a transient condition in the reactor which results in a MSIV closure event (S).

INITIATOR EVENT TREE: Summary

One of the principal functions of the initiator event trees is to sort out similar sequences, collect them together, and then be able to evaluate the system response to these similar preconditioned events in the systemic event trees. As discussed above, "Entry Condition States" developed by examining the various types of potential flood initiators result in a matrix of plant states which are then combined and used as initiators in the systemic event trees in order to define the probability and distribution of potential core vulnerable states.

The five initiator event trees presented here have been quantified using the data and models of the event functions developed in Appendix A. The results are compiled in Table 3 according to the 4 possible discrete entry states discussed earlier.
Table 3

INITIATOR EVENT TREE SUMMARY FOR MAINTENANCE-INDUCED POSTULATED ACCIDENT SEQUENCES INVOLVING REACTOR BUILDING FLOODING

(SEQUENCE TYPE, PER REACTOR YEAR)

| INITIATOR | DESIGNATOR | T-C | T-0 | S-C | S-0 | CLASS I | CLASS II |
|---|---|---|---|---|---|---|---|
| RCIC in major maintenance | TFL1 | 1.8E-8 | 1.8E-8 | 4.3E-8 | 7.7E-9 | 6.5E-9 | 9.5E-10 |
| HPCI in major maintenance | TFL2 | 5.5E-6 | 7.1E-7 | 5.4E-6 | 3.0E-7 | 7.5E-7 | 1.2E-7 |
| CS in major maintenance | TFL3 | --- | 2.9E-8 | --- | 1.2E-6 | 1.3E-7 | 1.8E-8 |
| LPCI in major maintenance | TFL4 | --- | 5.6E-7 | --- | 4.0E-6 | 4.4E-7 | 6.0E-8 |
| RHR Heat Exchanger in major maintenance | TFL5 | --- | 3.6E-9 | --- | 6.8E-9 | 7.6E-10 | 1.2E-10 |
| Σ | -- | 5.5E-6 | 1.4E-6 | 5.4E-6 | 5.6E-6 | 1.3E-6 | 2.0E-7 |
Next, the processing of these frequencies through the Shoreham specific systemic event trees is performed.

1.3.2 Systemic Event Trees

Given the entry conditions derived from the above discussion, the systemic event trees are formulated to assess the likelihood of the progression of flooding accident sequence to core vulnerable conditions. The system event tree format is the same as that used in Section 3 of the Shoreham draft PRA.

Figures 7 through 10 are the systemic event trees which summarize the quantification of end states (frequency of core vulnerable Classes) resulting from manual turbine trips or MSIV closures.

The quantification of the conditional probabilities of system availability takes into account the plant status, the system environmental stress, the availability of water sources, and the systems involved in the initiator.

The functional event descriptions are similar to those presented earlier in Section 3. This section discusses any significant differences from the previous description emphasizing functional, spatial, and environmental dependencies induced by the postulated accident sequences.
INITIATOR (S,T): Table 3 summarizes the initiating frequencies which are determined via the initiator event trees and which are used to enter the systemic event trees.

SCRAM (C): See discussion for manual shutdown, turbine trip, and MSIV closure presented in Sections 3.4.1, 3.4.2, and 3.4.3 of the PRA. The principal difference in the system event trees presented here is that all failures to insert the control rods are treated as leading directly to a Class IV core vulnerable event. No credit is given for ATWS mitigation using the feedwater system and SLC. Note that the benefit from ARI and RPT in reducing common mode electrical failures has been accounted for in the choice of the conditional probabilities of scram system failure; that is, the reactor scram function is approximated for these cases to be only those mechanical common mode failures which may inhibit control rod insertion, since electrical common mode failures are approximately two orders of magnitude less likely due to the implementation of ARI and RPT design changes at Shoreham.

PRESSURE CONTROL (M,P): See the discussion of these events in Sections 3.4.1, 3.4.2, and 3.4.3.

FEEDWATER (Q): The availability of feedwater is preconditioned on the status of the plant. For MSIV closure events, virtually no credit is given for feedwater as a useful coolant injection source within 30 minutes*. For operator induced turbine trip events, feedwater unavailability is calculated to be relatively low; this is based upon licensing basis analysis which indicates a small potential for feedwater trip and subsequent MSIV closure. Shoreham startup tests may show that this characterization is overly conservative and needs to be modified to more accurately assess the plant response under these conditions.
HIGH PRESSURE COOLANT INJECTION RCIC (U') and HPCI (U"): The response of HPCI and RCIC is directly affected by the postulated conditions of excessive water in the reactor building. Since control instrumentation for both systems is located at approximately the 2 foot level, it is found that the postulated flooding sequences could compromise HPCI operability. Therefore, for unisolated floods HPCI is assigned a failure probability of 1.0. Similarly, RCIC has components which could be disabled if the postulated massive flooding reached the 2 foot height.

*Time available for feedwater to be restored may actually be longer for some identified flooding sequences, but no credit is taken for this additional time for operator action to reopen the MSIVs. This is judged to be a conservatism in the analysis. Shoreham emergency procedures provide instructions for re-opening MSIV's.
LOW PRESSURE COOLANT INJECTION (V): The release of excessive water into the reactor building results in two effects which can adversely impact the LPCI and CS pumps:

(1) The water can create unacceptable environmental stress on the electrical connections for the pumps at the 3' 10" level.

(2) The water source could be the suppression pool, in which case the CS and LPCI pumps would cavitate due to loss of suction at approximately the same level as item (1).

In all of the low probability flooding accident sequences analyzed, the LPCI and CS pumps were assumed to be disabled due to one of the above causes. The remaining low pressure system is the condensate system, which is normally operating.

Event X Timely Reactor Depressurization: In the instance when the operator loses feedwater, depressurization is required. The primary contributor to the probability of Event X is the probability of the recognition by the operations team that they require the condensate system. This recognition is considered to be a cognitive task which has been conservatively assumed to be required within 30 minutes minus the time required for depressurization. Since the depressurization time can be considered negligible, the probability of this event would be given by Table A-10 as 0.01. Since this table provides the probability of operator response to a secondary event, it could be argued that this is too conservative because the occurrence of the flood event would make the operations team aware of the necessity to depressurize if feedwater is unavailable. However, it could also be argued that with alarms present the decision-making may be made in a stressful atmosphere. Since the effects of stress differ depending on the level of training, to be conservative it is assumed that the event occurs within the first six months of operation and so the operators would be considered to be novices. Since extremely high stress is reserved for life-threatening emergency situations (which is not the case here), moderately high stress is assumed in the performance of a dynamic task. In this case, the assigned probability should be increased by an order of magnitude as required by Table 20-23, Section 2, Item 3B on page 20-32 of NUREG/CR-1278. This would place the assigned probability at 10 x .01 = 0.1. This number would correspond to the extreme of the conservative error bounds assigned to the response of a cognitive task within 30 minutes from NUREG/CR-2815(G-14), and so is very conservative.
CONDENSATE: As for the case of CS and LPCI, the condensate pumps can be used for low pressure coolant makeup given that the reactor can be depressurized. The condensate system has a separate water source, i.e., the condenser hotwell, which affords sufficient water supply to maintain reactor coolant inventory and adequate core cooling. Since the condensate system does not depend on equipment in the elevation 8 compartment of the reactor building, the release of water into the reactor building will not adversely affect the use of the condensate system to initially supply coolant makeup to the reactor. Also, since the condensate system is running during operation, there is a high probability that it will continue to run for the duration of the postulated transient. If feedwater becomes unavailable (e.g., due to MSIV closure), then the condensate system will continue to operate on recirculation to the condenser hotwell. When the reactor primary system pressure is lowered sufficiently, the discharge check valves in the FW/condensate system will open and inject coolant directly into the primary system automatically. Operator action is required only for the following:
- 1. Control water level in the reactor.
- 2. Control flow to the reactor.
- 3. Minimize flow into the containment.
Under the isolation conditions there would not be coolant makeup from the reactor to the hotwell and makeup must come from the following within approximately 4 to 6 hours at decay heat levels:

(1) Condensate transfer pumps from the CST to the hotwell. Since this is a normal operation it is judged to have a relatively high success rate.

(2) Reopening the MSIVs or aligning alternate makeup paths to the condenser hotwell. In the event of the unavailability of water from the CST, operator action under stress may be required. For cases where hardware availability may also be in question, a low success rate is assigned to the operator response.

It is judged that the condensate system has a high conditional probability of success under these circumstances. A conservative estimate has been made to characterize the condensate system availability over short term and the extended period of recovery.*
CONTAINMENT HEAT REMOVAL: This event function is the same as discussed in Sections 3.4.1, 3.4.2 and 3.4.3 of the draft PRA. The availability to remove decay heat from containment needs to be established in order to ensure long term containment integrity. The principal means of removing heat from the containment and their limitations are as follows:

- RHR and RCIC in the Steam Condensing Mode: Essential components of these systems are located in elevation 8 of the reactor building. Therefore, adverse environmental stress in elevation 8 is assumed to compromise the long term heat removal capability of these systems.
- Power Conversion System: The normal heat removal path through the main condenser is not affected by the environmental effects in elevation 8 as long as the MSIVs can be maintained open. In any event, if the water level in the core can be restored, the MSIVs can be reopened per emergency operating procedure.

*The draft Shoreham PRA fault tree had assumed that use of the condensate system for injection to the reactor required a manual alignment of the system utilizing the startup bypass line around the feed pumps. A re-evaluation indicated that injection directly through the feed pumps was feasible without re-alignment.
1.4 Summary of the Probabilistic Evaluation of the Frequency of Core Vulnerable Conditions Due to Internal Flooding

Table 4 summarizes the results of the systemic event tree quantification for internal flood related sequences. The results are presented as a summation of the frequencies of various similar end states (i.e., core vulnerable) from the system event trees by accident class. The two classes to which internal floods contribute are summarized by the entry condition derived from the initiator event trees, i.e., turbine trips, or isolation events. An examination of the dominant contributors to core vulnerable frequency from postulated internal flooding sequences indicates that isolation events involving releases of water to the reactor building through the HPCI, LPCI or CS are the primary contributors.
Table 4

SUMMARY OF RESULTS OF EVENT TREE QUANTIFICATION FOR MAINTENANCE-INDUCED INTERNAL FLOOD RELATED SEQUENCES IN TERMS OF CORE VULNERABLE FREQUENCY

| Initiator Event Tree States | Class I: Loss of Coolant Makeup | Class II: Loss of Containment Heat Removal |
|---|---|---|
| Turbine Trips: T-C | 1.4E-8 | 2.9E-8 |
| Turbine Trips: T-0 | 3.1E-9 | 7.4E-9 |
| MSIV Closures: S-C | 7.0E-7 | 8.1E-8 |
| MSIV Closures: S-0 | 6.2E-7 | 8.4E-8 |
| TOTAL | 1.3E-6 | 2.0E-7 |
| % of Total Core Vulnerable | 2.6% | .4% |
In order to place the postulated flooding sequences in perspective, it should be recognized that:

- Large internal floods are unlikely.
- Safety grade level instrumentation alarms in the control room alert the operator to the potential hazard.
- The operator can isolate the identified flood sequences from the control room.
- Safe shutdown can be performed with equipment which is not affected by the postulated flood and which is the principal equipment virtually always used by the operator to reach safe shutdown.
The principal contributors of the identified sequences to risk are in the lower core melt consequence classes (i.e., Class I and Class II). Therefore, the potential public risk does not increase proportionally to the increase in frequency of these accident classes. The results of the probabilistic analysis of the maintenance-induced internal flood sequences indicate that the calculated frequency of these postulated events taken together represents approximately 3.0% of the best estimate core vulnerable frequency. Based upon this finding, the sequences involving postulated large internal floods due to maintenance do not represent risk outliers at Shoreham.
Figure 3: TFL2: Initiator Event Tree for Postulated Flooding Sequences Initiated by an Error During HPCI Major Maintenance.

*Treated in existing event trees.
Figure 4: TFL3: Initiator Event Tree for Postulated Flooding Sequences Initiated by an Error During Core Spray Major Maintenance.

*Treated in existing event trees.

**Includes both CS pumps.

Manual valve from CST is treated in human error probability section and found to contribute a negligible conditional probability to the potential for unmitigated flooding.
Figure 5: TFL4: Initiator Event Tree for Postulated Flooding Sequences Initiated by an Error During LPCI Major Maintenance.

*Treated in existing event trees.

**Includes four LPCI pumps.
Figure 6: TFL5 - Initiator Event Tree for Postulated Flooding Sequences Initiated by an Error During Service Water Major Maintenance (i.e., Heat Exchangers).

*Included in existing event trees.

**Includes both service water loops.
Figure 7: System Event Tree for Turbine Trips with Greater Than 3' 10" of Water in the Reactor Building (Source = CST).

*Includes contribution due to control rod withdrawal.
Figure 8: System Event Tree For Turbine Trip Cases With an Accumulation of Approximately Five Feet of Water in the Reactor Building (Source = Sources Other Than CST).

*Includes contribution due to control rod withdrawal.
Figure 9: System Event Trees for MSIV Closure Cases with an Accumulation of Greater Than 3' 10" of Water in the Reactor Building (Source = CST via HPCI or RCIC).
Figure 10: System Event Tree for MSIV Closure Cases with an Accumulation of Greater Than 3' 10" of Water in the Reactor Building (Source = other than CST).

Requires supply of makeup to the hotwell within approximately 5 hours by opening MSIV's or insertion from alternate source (i.e., CST is unavailable).
APPENDIX A

RELEASE OF WATER INTO ELEVATION 8 OF THE REACTOR BUILDING

The Shoreham Reactor Building surrounds the Mark II containment structure. At its lowest elevation (referred to here as elevation 8), the building is an open cylindrical compartment; i.e., there are no barriers in the elevation 8 compartment which would interfere with personnel access or room ventilation. However, this open area presents the possibility of adversely affecting the equipment in elevation 8, if excessive water were released into the compartment. A release of water into elevation 8 of the Reactor Building, greater than the sump capacity, is not anticipated to occur during the life of the Shoreham plant. Nevertheless, sources of water exist which have the potential to overflow the sump capacity, if nor er noro
(defined as initiator types) are examined that have this potential, regardless of how small the probability of a release. The frequency of these potential initiator types is developed in this appendix. This frequency is used in Section 1.4 as the initiator for a set of the event trees which are used to evaluate the potential accident sequence outcomes from these initiators. Further, the following aspects of the evaluation of elevation 8 regarding the potential release of water into the Reactor Building are discussed:
- Sources of water and available sump pump capacity (Section A.1)
- Pathways of water into elevation 8 and corresponding flow rates (Section A.2)
- Vital system equipment in elevation 8 and vulnerability to high water level (Section A.3)
- Functional event quantification (Section A.4)

The spectrum of event sequences postulated to lead to the release of water into the elevation 8 compartment is evaluated by considering the largest releases possible and conservatively characterizing flow rates and operator response for these large releases.

A.1 SOURCES OF WATER AND AVAILABLE SUMP CAPACITY

As a starting point for determining the likelihood of various reactor building (RB) internal flooding scenarios, the sources and volume of water required to flood the critical RB locations, as well as the capacity of various drainage systems, must be considered. These data make it possible to identify water inventories which, if diverted into these regions such as the RB elevation 8 compartment, could result in a flood.
The volume of water for each foot of depth required to flood the reactor building elevation 8 compartment with all equipment and piping installed has been conservatively estimated at 41600 gallons. Drainage systems which would receive the initial volume of flood water include:

- Reactor Building Floor Sumps
- Reactor Building Equipment Sumps
- Reactor Building Porous Concrete Sumps

These systems have sump capacities of 2490 gallons, 1660 gallons, and 500 gallons, respectively, for a total sump capacity of 4650 gallons. The sump pump capacities for these systems are 400 gpm (which includes the excess leakage return pump with a capacity of approximately 100 gpm), 200 gpm, and 40 gpm, respectively, for a total sump pump capacity of 640 gpm.

These reactor building sump pumps are available, on the normal AC power buses, to successfully drain and control water leakage within the elevation 8 compartment. If the floor drain sump tank indicators register radioactive materials, the sump pumps will not be activated (pumping water out through the radioactive waste system). In this case, the leak detection pump can be activated manually, to pump leakage into the suppression pool.
A second case for using the leakage return system would be in the event of a loss-of-offsite power. All floor drain sump pumps would become inoperable. The leakage return pump is designed to remain operable under this condition.

For the purposes of this study, failures which produce leakage within the capability of the sump pumps are found to be negligible contributors to the overall frequency of unacceptable releases of water into the elevation 8 compartment. This is due to the relatively high reliability of the sump pump system to effectively mitigate small leaks. Therefore, those failures which will be quantified in this analysis are the spectrum of failures which are large enough to inundate the sump capacity. Since the PRA, of necessity, is an evaluation of discretized accidents rather than a continuum, it is necessary to treat these spectra together. Therefore, a set of conservative assumptions are made to discretize the continuum of possible leaks. These assumptions place all the potential leaks greater than the sump pump capacity in one group, characterizing it with the probability of a large release and the flow rate associated with a large release.

The capacity of these drainage systems and the volume of the elevation 8 compartment require that potential flooding initiators have a large water inventory and a flow path capable of delivering water at a rate greater than 640 gpm. Water sources of this size are summarized in Table A-1. Flow paths are considered in Section A.2.
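The compartment and sump figures in Section A.1 are enough to estimate how long a release takes to reach the 2 foot and 3'-10" levels that the report treats as equipment thresholds. The sketch below is an added example, not the report's own calculation; its function names are hypothetical, it assumes a constant inflow, sumps that fill before the floor floods and sump pumps running at rated capacity, and it uses the 8000 gpm RHR heat exchanger design flow from Section A.2.3 as sample input.

```python
"""Time for a release into the elevation 8 compartment to reach a given depth.

Added example: a constant-flow simplification, not the report's calculation.
"""
from typing import Dict, Optional

# Figures quoted in Section A.1 of the report.
GAL_PER_FOOT = 41_600                    # gallons per foot of depth in elevation 8
SUMP_VOLUME_GAL = 2_490 + 1_660 + 500    # floor + equipment + porous concrete sumps
SUMP_PUMP_GPM = 400 + 200 + 40           # matching sump pump capacities

# Water levels the report treats as equipment thresholds.
LEVELS_FT = {
    "HPCI/RCIC control instrumentation (2 ft)": 2.0,
    "LPCI/CS pump electrical connections (3 ft 10 in)": 3 + 10 / 12,
}


def minutes_to_depth(inflow_gpm: float, depth_ft: float,
                     inventory_gal: Optional[float] = None,
                     pumps_running: bool = True) -> Optional[float]:
    """Return minutes until depth_ft is reached, or None if it never is.

    Assumptions of this sketch: inflow is constant, the sumps fill before
    the floor floods, and the sump pumps (if credited) run at rated capacity.
    inventory_gal is the drainable volume of the source; None means unlimited.
    """
    if inflow_gpm <= 0 or depth_ft < 0:
        raise ValueError("inflow must be positive and depth non-negative")

    net_gpm = inflow_gpm - (SUMP_PUMP_GPM if pumps_running else 0)
    if net_gpm <= 0:
        return None  # leak is within sump pump capability; level never rises

    volume_needed = SUMP_VOLUME_GAL + depth_ft * GAL_PER_FOOT
    minutes = volume_needed / net_gpm

    # A finite source may empty before the level is reached.
    if inventory_gal is not None and inflow_gpm * minutes > inventory_gal:
        return None
    return minutes


def flood_timeline(inflow_gpm: float,
                   inventory_gal: Optional[float] = None,
                   pumps_running: bool = True) -> Dict[str, Optional[float]]:
    """Minutes to each equipment threshold for one postulated release."""
    return {
        name: minutes_to_depth(inflow_gpm, depth, inventory_gal, pumps_running)
        for name, depth in LEVELS_FT.items()
    }


if __name__ == "__main__":
    # 8000 gpm: RHR heat exchanger design flow (Section A.2.3), unlimited source.
    for label, pumps in (("sump pumps running", True),
                         ("sump pumps unavailable", False)):
        print(label)
        for name, minutes in flood_timeline(8_000, pumps_running=pumps).items():
            print(f"  {name}: {minutes:.1f} min")
```

Crediting the sump pumps changes the 8000 gpm result by under two minutes, which is consistent with the report grouping every leak above 640 gpm as a single large release.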
A.2 INITIATOR TYPES

Based upon information found in Table A-1 defining the sources of water, a pathway investigation has been performed to define the potential failure modes (due to maintenance acts) from these water sources which may lead to the release of water into elevation 8.

Table A-2 summarizes the initiator water sources (as evaluated for the Shoreham PRA).
Table A-1

SUMMARY OF POTENTIAL WATER SOURCES WHICH MAY RELEASE EXCESSIVE WATER IN ELEVATION 8

| SOURCE | QUANTITY (GAL.) |
|---|---|
| SUPPRESSION POOL | 160,000* |
| CST | 550,000 |
| SCREEN WELL (Long Island Sound) | UNLIMITED |
| REACTOR PRIMARY SYSTEM** | a) 42,928; b) 152,928 |

*Total water volume in suppression pool is 608,500 gallons. However, only a portion of it can be drained through ECCS pump suction piping.

**Figure "a" includes water from the bottom of the core to normal water level in the reactor pressure vessel. Figure "b" includes "a" plus condenser hotwell water.

Table A-2

TYPES OF INITIATORS WHICH MAY LEAD TO THE RELEASE OF WATER INTO THE ELEVATION 8 COMPARTMENT

| Water Source | No. of Lines | Systems Involved | Characterization |
|---|---|---|---|
| SUPPRESSION POOL | 8 | CS, LPCI, RCIC, HPCI | NON-PRESSURIZED |
| CST | 4 | CS, HPCI, RCIC | NON-PRESSURIZED |
| SCREENWELL/LONG ISLAND SOUND (Service Water Discharge) | 4 | SERVICE WATER | PRESSURIZED |
This section provides estimates of the time available between the initial release of water into the reactor building and when a water level of 3 feet and 10 inches is reached, for each initiator water source identified in Table A-2. These estimates then form the basis for determining the impact on equipment availability and operator response. Each initiator has an associated flow rate which, together with the data supplied in Section A.1, determines the time frame for various flood levels.
A.2.1 Suppression Pool Source Initiator
Inadvertent opening of a flow path from the suppression pool to a pump in either the HPCI, RCIC, LPCI or Core Spray systems undergoing major maintenance could allow a portion of the contents of the suppression pool to drain into the reactor building. The calculations of flow rate were conservatively performed to estimate the flow rate from the suppression pool to the reactor building under these postulated conditions. These flow rates were based on the suppression pool water level being maintained at the high water level setpoint. This conservative assumption was made because the rate at which coolant makeup is discharged to the suppression pool cannot be determined for the general case. If there is no coolant discharge to the suppression pool, the suppression pool water level will drop, eventually uncovering the pump suction strainers which are located approximately 5 feet below the high water level mark.
A.2.2 CST Initiator Source
When major maintenance occurs on the pump in either of the HPCI, RCIC, or Core Spray systems, there is a possibility that a flow path to the pump from the condensate storage tank (CST) may be inadvertently opened, allowing the contents of the CST to drain into the reactor building. Calculations were performed in order to estimate the flow rate from the CST into the reactor building under these postulated conditions.
A.2.3 Service Water Initiator Source
The RHR and RBCLCW heat exchangers are supplied by service water at flow rates that are high enough to be considered as possible flooding initiators. A maintenance act was assumed to result in design flow rates for each heat exchanger (8000 gpm for the RHR heat exchanger, e. 4 0 ,. gpm for the RBCLCW heat exchanger) leaking into the reactor building.
A.2.4 Summary of Initiator Sources: Flow Rates and Estimated Times to Reach 3'-10" Depth
The data from Section A.1 implies that the time frame for a flood will be extended as long as drainage systems remain operable. In this analysis it is assumed that sump pump operation continues until the flood reaches a depth of 1 foot, after which the pumps are inundated. Therefore the calculations of flood timing were carried out in two steps: below and above 1 foot of depth. The volume of water required to flood the reactor building, then, is 46250 gallons for the first foot of depth and 41600 gallons/foot above that level. The net flow rate into the reactor building is initially 640 gpm lower than the flow rate due to the initiator to account for sump pump operation. The results of this analysis for each initiator source and system are summarized in Table A-3.
Table A-3 SUMMARY OF INTERNAL FLOODING INITIATOR TYPES: FLOW RATES AND FLOOD TIMING

INITIATOR SOURCE | LOCATION | FLOW RATE (gpm) | ELEVATION 8 FLOODING TIME, MINUTES* (3'-10" Depth)
---|---|---|---
Suppression Pool | HPCI Pump Suction | 9,600 | 17
Suppression Pool | RCIC Pump Suction | 1,500 | 110
Suppression Pool | LPCI Pump Suction | 17,000 | 9.4
Suppression Pool | Core Spray Pump Suction | 13,000 | 12
CST | HPCI Pump Suction | 12,000 | 13
CST | RCIC Pump Suction | 2,100 | 76
CST | Core Spray Pump Suction | 12,000 | 13
Service Water | RHR Heat Exchanger | 8,000 | 25

* These flood times were calculated based on a failure of the sump pumps to successfully operate, and 41,600 gallons per foot of depth in the reactor building.
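The flood-timing arithmetic of Section A.2.4 and the Table A-3 footnote, as an added example that is not part of the SAI report. It computes the time to a given depth both ways (no sump pumps at 41,600 gal/ft, and the two-step method with 640 gpm of sump capacity below 1 foot) and orders the Table A-6 disabling heights into a loss timeline. Function names and the linear fill of the first foot are assumptions of this example.

```python
import math

GAL_FIRST_FOOT = 46_250          # gallons to fill the first foot (Section A.2.4)
GAL_PER_FOOT = 41_600            # gallons per foot above that (Table A-4, conservative)
SUMP_CAPACITY_GPM = 640          # sump pump capacity, lost once the water is 1 foot deep
CRITICAL_DEPTH_FT = 3 + 10 / 12  # 3'-10"

# (flow rate in gpm, flooding time in minutes) from the pump-suction rows of Table A-3.
# The 8,000 gpm service water row (25 min) is not reproduced by the footnote
# formula and is left out of this example.
TABLE_A3 = {
    ("Suppression Pool", "HPCI"): (9_600, 17),
    ("Suppression Pool", "RCIC"): (1_500, 110),
    ("Suppression Pool", "LPCI"): (17_000, 9.4),
    ("Suppression Pool", "Core Spray"): (13_000, 12),
    ("CST", "HPCI"): (12_000, 13),
    ("CST", "RCIC"): (2_100, 76),
    ("CST", "Core Spray"): (12_000, 13),
}

# Minimum postulated disabling heights (feet, inches) from Table A-6.
DISABLING_HEIGHTS = {
    "Recirc MG-set cooling (MCC)": (1, 6),
    "HPCI": (1, 10),
    "RCIC": (2, 0),
    "LPCI": (3, 10),
    "Core Spray": (3, 10),
}


def simple_time(flow_gpm, depth_ft=CRITICAL_DEPTH_FT):
    """Table A-3 footnote method: sump pumps failed, 41,600 gal per foot throughout."""
    return depth_ft * GAL_PER_FOOT / flow_gpm


def two_step_time(flow_gpm, depth_ft=CRITICAL_DEPTH_FT):
    """Section A.2.4 method: sump pumps remove 640 gpm until the water is 1 foot deep."""
    net_gpm = flow_gpm - SUMP_CAPACITY_GPM
    if net_gpm <= 0:
        return math.inf  # leak is within sump capacity; the compartment does not fill
    if depth_ft <= 1:
        # Assumption of this example: the first foot fills linearly with volume.
        return depth_ft * GAL_FIRST_FOOT / net_gpm
    return GAL_FIRST_FOOT / net_gpm + (depth_ft - 1) * GAL_PER_FOOT / flow_gpm


def two_sig_figs(value):
    """Round to two significant figures, the precision used in Table A-3."""
    return float(f"{value:.2g}")


def loss_timeline(flow_gpm, timing=two_step_time):
    """Minutes until each Table A-6 system reaches its disabling height, earliest first."""
    rows = [
        (timing(flow_gpm, feet + inches / 12), name)
        for name, (feet, inches) in DISABLING_HEIGHTS.items()
    ]
    return [(name, round(minutes, 1)) for minutes, name in sorted(rows)]


if __name__ == "__main__":
    for (source, system), (flow, tabulated) in TABLE_A3.items():
        print(f"{source:17s}{system:11s}{flow:7d} gpm  "
              f"simple {simple_time(flow):6.1f}  two-step {two_step_time(flow):6.1f}  "
              f"Table A-3 {tabulated}")
    print(loss_timeline(17_000))
```
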
A.3 VULNERABILITY OF EQUIPMENT
The vulnerability of vital equipment with a potential to be disabled by contact with water is assumed to be correlated to the height of potential flood level in the Elevation 8 compartment. The quantity of water required to flood the elevation 8 compartment to various heights is tabulated in Table A-4 for a bare compartment, and for the compartment with all identified equipment and piping installed. Note that a 25% margin in equipment volume has been added to ensure that unidentified additional equipment will not invalidate this evaluation. The conclusions are relatively insensitive to the assumption including a 25% equipment margin.

Table A-4 HEIGHT OF WATER IN THE ELEVATION 8 COMPARTMENT VERSUS THE QUANTITY OF WATER REQUIRED TO ATTAIN THAT LEVEL

Water Height (Ft) | Calculated Quantity of Water (Gal) w/o Equipment | Conservative Estimate* (Gal)
---|---|---
1 | 52,843 | 41,600
5 | 264,215 | 208,000
10 | 528,430 | 416,000

* Assumes 25% equipment volume.
Table A-5 lists the equipment in Elevation 8 and identifies the ECCS equipment. Each piece of equipment has different vulnerability aspects. Some equipment, such as heat exchangers and tanks, are not judged to be adversely affected under the postulated high water level conditions. However, most pumps, turbines, electrical panels, and terminal box connections are assumed to be disabled if water comes in contact with any electrical features on the equipment. For each piece of equipment the water level height at which equipment may be subjected to adverse environmental stress is an essential factor. The last column of Table A-5 gives the estimated height at which each individual piece is assumed to be disabled with a high probability, due to water coming in contact with essential controls or electrical components.
The importance of the equipment's vulnerability is only a factor as it relates to the particular system it supports. The primary systems affected by water released into elevation 8 are the ECCS systems: HPCI, RCIC, LPCI and Core Spray (all of which have vital equipment at elevation 8). Table A-6 identifies the vital equipment which, if disabled, will disable the system it supports. Also listed in the last column are the heights of water that disable the equipment.
In the Shoreham analysis the critical flood level which is considered for reliable operation of ECCS equipment in the elevation 8 compartment is 3'-10". This level is chosen based upon the vulnerability of all ECCS equipment at this level; lower flood levels have been evaluated and shown not to be significant contributors.
A.4 FUNCTIONAL EVENT QUANTIFICATION
The use of initiator event trees to sort out and bin similar plant states is the same as the concept used in WASH-1400 to limit the number of in-plant consequence calculations that were required. For the Shoreham analysis the initiator event trees are composed of five types. These types of event trees are derived directly from a knowledge of the initiator sources, the systems involved, and the type of postulated failure (i.e., maintenance coupled with an operator error).
Quantification of the functional events appearing in the event trees is performed in this section. Events that have identical derivations are grouped together. This section has been divided into subsections that correspond to similar portions of the initiator event trees as follows:
Section / Functional Events
A.4.1 Initiators due to Loss of System Integrity resulting from maintenance actions
Table A-5 MAJOR ELEVATION 8 EQUIPMENT LIST

EQUIP. TYPE | EQUIPMENT DESCRIPTION | PART NO. | POSTULATED DISABLED HEIGHT 1/
---|---|---|---
PUMPS | FLOOR DRAIN SUMP PUMPS | 1G11*P-035A-D, 1G11*P-036A-F | 1' - 0"
PUMPS | DRY FLOOR DRAIN TANK PUMPS | 1G11*P-161A,B | 1' - 0"
PUMPS | RADWASTE EQPT DRAIN SUMP & PUMP TO POROUS | 1G11*P-224A,B | 1' - 1"
PUMPS | ** HPCI PUMP | 1E41*P-016 | -----
PUMPS | HPCI VAC PUMP | 1E41*P-075 | 1' - 0"
PUMPS | HPCI CON. PUMP | 1E41*P-076 | 1' - 0"
PUMPS | ** RCIC PUMP | 1E51*P-015 | -----
PUMPS | RCIC VAC PUMP | 1E51*P-076 | 1' - 0"
PUMPS | RCIC CON. PUMP | 1E51*P-077 | 1' - 0"
PUMPS | ** RHR PUMP MOTORS | 1E11*P-014A-D | 5' - 4"
PUMPS | LEAKAGE RETURN PUMP | G11*P-270 | 3' - 9"
PUMPS | ** CORE SPRAY LOOP LEVEL PUMPS | 1E21*P-049A,B | 1' - 3"
PUMPS | ** CORE SPRAY PUMP MOTORS | 1E21*P-013A,B | 4' - 9"
PUMPS | DRYWELL EQUIP. DRAIN TANK PUMPS | 1G11*P-0332A,B | 1' - 2"
PUMPS | RCIC LOOP LEVEL PUMP | 1E51*P-051 | 1' - 4"
PUMPS | ** HPCI OIL PUMP | 1E41*P-127 | 2' - 2"
PUMPS | HPCI LOOP LEVEL PUMP | 1E41*P-050 | 2' - 3"
TURBINES | ** HPCI TURBINE | 1E41*-TU-002 | 6' - 0"
TURBINES | ** RCIC TURBINE | 1E41*-TU-005 | 4' - 0"
MOTOR CONTROL CENTERS | SUMP PUMPS AND COOLING WATER PUMPS TO RECIRC PUMP MG-SET FLUID COUPLER | 1R24-11D1, 1R24-12D1 | 1' - 6", 1' - 6"
TANKS | FLOOR DRAIN SUMP TANK | 1G11*TK-050A,B, 1G11*TK-056A-C | -----
TANKS | DRYWELL FLOOR DRAIN RECEIVER | 1G11*TK-057 | -----
TANKS | SALT WATER DRAIN TANK | 1G11*TK-190 | -----
TANKS | DRYWELL EQUIP. DRAIN RECEIVER | 1G11*TK-049 | -----
HEAT EXCHANGER | HPCI BAROMETRIC CON. VACUUM TANK | 1E41*E-036 | -----
HEAT EXCHANGER | RCIC BAROMETRIC CON. TANK | 1E51*E-038 | -----
HEAT EXCHANGER | RHR HEAT EXCHANGER | 1E114*E-034A,B | -----
HEAT EXCHANGER | RBCLCW HEAT EXCHANGERS | 1P42*E-011A,B | -----
HEAT EXCHANGER | DRYWELL EQUIP. DRAIN COOLER | 1G11*E-094 | -----
ELEC. PANELS | ** RCIC INSTR. RACK | 1H21*PNL-017 | 2' - 0"
ELEC. PANELS | ** RCIC INSTR. RACK | 1H21*PNL-037 | 2' - 0"
ELEC. PANELS | ** CORE SPRAY RACK | 1H21*PNL-01 | 3' - 10"
ELEC. PANELS | ** CORE SPRAY RACK | 1H21*PNL-019 | 3' - 10"
ELEC. PANELS | ** RHR INST. RACK A | 1H21*PNL-018 | 3' - 10"
ELEC. PANELS | ** RHR INST. RACK B | 1H21*PNL-021 | 3' - 10"
ELEC. PANELS | ** HPCI INST. RACK A | 1H21*PNL-036 | 1' - 10"
ELEC. PANELS | ** HPCI INST. RACK B | 1H21*PNL-14 | 1' - 10"

** Vital Equipment required for system operation.
1/ Heights are taken from a physical survey measurement taken from bottom of component to floor level.
----- Non-electrical component
Table A-6 SUMMARY OF VITAL EQUIPMENT ASSOCIATED WITH SAFETY SYSTEMS LOCATED IN THE ELEVATION 8 COMPARTMENT AND THE POSTULATED HEIGHT AT WHICH VITAL EQUIPMENT COULD BE DISABLED

SYSTEM | ASSOCIATED VITAL EQUIPMENT | MINIMUM POSTULATED DISABLED HEIGHT (NOTE 2) | SYSTEM FAILURE MODE
---|---|---|---
HPCI | HPCI INST. (1E41*PS023A-D) | 1' - 10" | HPCI ISOLATION
RCIC | RCIC INST. (1E51*PS026A, B) | 2' - 0" | RCIC ISOLATION
LPCI | RHR INST. RACK A, B (1E11*PDS001A, B) | 3' - 10" | RHR LOGIC DISABLED
CORE SPRAY | CORE SPRAY INST. RACK A, B (1E21*PDS033A, B) | 3' - 10" | INJECTION VALVE CLOSURE
RECIRC PUMPS (MG-SET) | MOTOR CONTROL CENTERS (11D1, 12D1) FOR FLUID COUPLER (NOTE 1) | 1' - 6" | COOLING WATER PUMP TRIP
CONDENSATE | NONE | NONE | NONE

NOTE 1: Due to fluid (oil) heatup, trip of recirculation pump MG-SET is calculated to occur in 7.5 minutes following loss of MCC. Emergency procedures require initiation of Emergency Shutdown on loss of cooling water.
NOTE 2: Based on physical survey of electric component position and associated electrical shorting effects.
A.4.2 Human Error Probabilities
A.4.3 Other Initiator Event Tree Functions
A.4.1 Quantification of System Maintenance Which May Lead to the Release of Excessive Water Into the Elevation 8 Compartment
There is also the possibility that portions of a system could be disassembled to perform maintenance (e.g., pump impeller replacement). If during this maintenance an error or set of errors occurs which de-isolates the component undergoing maintenance, then the release of water through the opened system may occur. Therefore, on-line maintenance of systems located in the reactor building which could result in the release of water into the reactor building when coupled with additional operator or maintenance errors is evaluated as a potential source of internal flood initiators.
The method used in the quantification of the initiating frequency (i.e., the frequency of major on-line maintenance of the systems in the reactor building) is addressed here. The conditional probability of the system being opened is based upon the following considerations:
- BWR operating experience data (A-1 to A-3) indicates that the unavailability of safety systems due to on-line maintenance is limited as shown in Appendix A.4 of the PRA. Table A-7 reproduces these best estimates.
- The unavailability of a system associated with major, on-line maintenance is judged to be significantly less than the overall system unavailability.
- Only a small fraction of the maintenance operations involve opening of the system to the Elevation 8 atmosphere; therefore, for most system maintenance operations, the system is not subjected to the failure mode of interest, i.e., internal flooding of the Elevation 8 compartment.
- A portion of the maintenance operation is assumed to be involved in disassembling and assembling the components; therefore, the system is not opened to Elevation 8 during this time and also does not contribute to the potential for water release.
Table A-7 MAINTENANCE UNAVAILABILITY

SYSTEM | TOTAL SYSTEM UNAVAILABILITY (APPENDIX A.4)
---|---
Core Spray Loop A | $2 \times 10^{-3}$
Core Spray Loop B | 2 x 10~
LPCI Pump Leg A, Pump Leg C | 4 x 10~
LPCI Pump Leg B, Pump Leg D | 4 x 10~
HPCI | 10~
RCIC | 1.1 x 10~
RBCLCW | 2 x 10~ (est)
In order to identify the frequency of maintenance operations which could result in disassembling and opening the systems in elevation 8, a conservative approach is adopted. Specifically, the LER data base is reviewed to identify the frequency of turbine driven and motor driven pump failures. Using these failure frequencies, the approach used here is to identify each of these failures as a source of major maintenance which could, when coupled with an operator error, result in the release of water into elevation 8.
There are four failure modes for pumps in Reference A-4, i.e., leakage/rupture, does not start, loss of function, and does not continue to run. Table A-11 below shows the data used in the evaluation of the BWR standby pumps: motor driven and turbine driven. The hourly LER failure rates characterize the first failure mode, while demand failure rates are used for the other failure modes.
Table A-8 LER DATA* FOR BWR STANDBY PUMPS OVER THE PERIOD: JANUARY 1972 THROUGH APRIL 1978

STANDBY PUMPS | POPULATION (DEMANDS) | POPULATION (STANDBY HOURS) | FAILURE EVENTS: LEAKAGE/RUPTURE | FAILURE EVENTS: DOES NOT START | FAILURE EVENTS: LOSS OF FUNCTION | FAILURE EVENTS: DOES NOT CONTINUE TO RUN
---|---|---|---|---|---|---
MOTOR DRIVEN | 13,644 | 6,777,627 | 6 | 5 | 4 | 6
TURBINE DRIVEN | 1,820 | 868,033 | 0 | 1 | 6 | 5

*Taken from Table 18 of Reference A-4.
Motor Driven Pumps
For motor driven standby pumps, the following LER rates are found for the four failure modes:
- Leakage/Rupture: 6 events / 6,777,627 hrs = $8.0 \times 10^{-7}$/hr.
- Does not start, loss of function, and does not continue to run: (5+4+6) events / 13,644 demands = $1.1 \times 10^{-3}$/demand.
It is assumed that these pumps are in standby status nearly all of the time during a year and there are twelve demands* on the average per year. The annual maintenance frequency is then calculated directly from these LER rates:
$$(8 \times 10^{-7}/\text{hr}) \times (8760\ \text{hr/year}) + (1.1 \times 10^{-3}/\text{demand}) \times (12\ \text{demands/year}) = 2.0 \times 10^{-2}/\text{yr}$$
In other words, the maintenance frequency is $2.0 \times 10^{-2}$ per year for motor driven standby pumps.
Turbine Driven Pumps
Similarly, the annual maintenance frequency for turbine driven standby pumps can be calculated as follows:
$$(0/868{,}033\ \text{hr}) \times (8760\ \text{hr/yr}) + ((1+6+5)\ \text{failures}/1820\ \text{demands}) \times (12\ \text{demands/yr}) = 7.9 \times 10^{-2}/\text{yr}$$
The maintenance frequency is $7.9 \times 10^{-2}$ per year for turbine driven standby pumps.
Table A-9 summarizes the frequency associated with major maintenance operations based upon the above evaluation and a conservative estimate of heat exchanger on-line maintenance.
*The number of demands per year is conservatively estimated here to be four scheduled tests plus eight other occurrences.
Table A-9 FREQUENCY OF ON-LINE MAJOR MAINTENANCE OF SYSTEMS IN THE REACTOR BUILDING

SYSTEM | | FREQUENCY (PER YEAR) | INITIATOR EVENT TREE
---|---|---|---
Core Spray | T | 0.04 | FL3
LPCI | T | 0.08 | FL4
HPCI | T | 0.079 | FL2
RCIC | T | 0.079 | FL1
Service Water | T | 0.04 | FL5
In addition to the maintenance frequency, another item required in assessing the length of plant vulnerability is the length of time that the major maintenance may require. This length of time is necessary to evaluate the likelihood of potential plant challenges (MSIV closure) during the major maintenance occurrence.
In WASH-1400 (A-3), maintenance summary reports from Millstone 1 and Dresden 1, 2, and 3 for 1972 were the data sources for the maintenance duration evaluation. The pump maintenance act duration ranges from 2 to 400 hours, with sample mean (based on raw data) 37 hours. It should be noted that these calculations included both on-line and off-line maintenance.
Taking into account the plant technical specifications which restrict the maintenance duration during the plant operation, bounds of 1/2 hour and 72 hours are proposed for the log-normal distribution model for on-line maintenance by EG&G in Reference A-4. The mean maintenance duration can be calculated by using these bounds as 5% and 95% percentile values. The calculated mean duration is 19 hours for the assumed bounds suggested by EG&G.
For the Shoreham Nuclear Generating Station, the plant technical specifications allow the turbine driven standby pumps to be unavailable for a maximum of 14 days* before the plant is placed in a "shutdown" configuration to complete the maintenance. Therefore, the maintenance duration evaluation for SNPS can be derived by increasing the 95% percentile value to 336 hours (14 days). The median and mean of the log-normal model can be calculated as follows:
Median: $\sqrt{1/2 \times 336} = 13$ hrs
Mean: $13 \times \exp\left[\frac{1}{2}\left(\frac{\ln 26}{1.64}\right)^{2}\right] = 93$ hrs.
* HPCI and RCIC have technical specification allowable outage times of 14 days.
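The frequency and duration arithmetic of this section, as an added example that is not part of the SAI report: it recomputes the annual maintenance frequencies from the LER rates and the log-normal median and mean from 5% and 95% bounds, for the 72-hour, 14-day and 7-day upper bounds. The 1/2-hour lower bound and the factor 1.64 are taken from the formulas on the page; the function names are this example's own.

```python
import math

Z_95 = 1.64             # standard normal 95th percentile, as rounded in the report
HOURS_PER_YEAR = 8760
DEMANDS_PER_YEAR = 12   # four scheduled tests plus eight other occurrences


def annual_maintenance_frequency(hourly_rate, demand_rate,
                                 demands_per_year=DEMANDS_PER_YEAR):
    """Standby (hourly) failures plus demand failures, each counted as one
    major maintenance act per year of standby service."""
    return hourly_rate * HOURS_PER_YEAR + demand_rate * demands_per_year


def motor_driven_frequency():
    # Rates as rounded in the report (8.0e-7 /hr and 1.1e-3 /demand).
    # The unrounded counts 6/6,777,627 and 15/13,644 give 0.021 per year.
    return annual_maintenance_frequency(8.0e-7, 1.1e-3)


def turbine_driven_frequency():
    # Straight from the counts: 0 leakage events, 1 + 6 + 5 demand failures.
    return annual_maintenance_frequency(0 / 868_033, (1 + 6 + 5) / 1_820)


def lognormal_from_bounds(p05_hours, p95_hours, z=Z_95):
    """Log-normal parameters from the 5th and 95th percentile durations.

    median       = sqrt(p05 * p95)
    error factor = sqrt(p95 / p05)   (= p95 / median)
    sigma        = ln(error factor) / z
    mean         = median * exp(sigma**2 / 2)
    """
    if not 0 < p05_hours < p95_hours:
        raise ValueError("bounds must satisfy 0 < p05 < p95")
    median = math.sqrt(p05_hours * p95_hours)
    error_factor = math.sqrt(p95_hours / p05_hours)
    sigma = math.log(error_factor) / z
    mean = median * math.exp(sigma ** 2 / 2)
    return {"median": median, "error_factor": error_factor,
            "sigma": sigma, "mean": mean}


# Upper bounds discussed in the text; the lower bound is 1/2 hour in every case.
CASES = {
    "EG&G on-line bounds (72 h)": 72,
    "turbine driven, 14 days": 336,
    "motor driven, 7 days": 168,
}


def duration_table(lower_hours=0.5):
    """Median and mean maintenance duration for each case in CASES."""
    return {name: lognormal_from_bounds(lower_hours, upper)
            for name, upper in CASES.items()}


if __name__ == "__main__":
    print(f"motor driven:   {motor_driven_frequency():.3f} per year")
    print(f"turbine driven: {turbine_driven_frequency():.3f} per year")
    for name, row in duration_table().items():
        print(f"{name:28s} median {row['median']:5.1f} h   mean {row['mean']:5.1f} h")
```
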
For motor driven standby pumps, the technical specification limit is 7 days instead of 14 days. By assigning a 95% percentile value of 168 hours (7 days) the median and mean are calculated as:
Median: $\sqrt{1/2 \times 168} = 9.2$ hrs
Mean: $9.2 \times \exp\left[\frac{1}{2}\left(\frac{\ln 18.4}{1.64}\right)^{2}\right] = 44$ hrs
A.4.2 Operator Action Interface Events Involved in Reactor Building Flood Sequences
A.4.2.1 Introduction
The systematic review of the operator interface with the sequences of the SNPS PRA which could potentially lead to Reactor Building flooding and consequent core vulnerable sequences has revealed operator related human error events which contribute to these sequences. The events of interest are:
1. Event P - Operator Removes Power from Boundary Valves
2. Event E - Operator Maintains motor control center (MCC) isolation of the Boundary Valves.
3. Event E_C - Operator Maintains Control Room Isolation of the Boundary Valves.
4. Event A - Operator Diagnoses and Isolates Flood in X minutes.
The actual contribution of these events to a particular sequence is determined by the frequency and duration of other events such as maintenance on one of the systems which would be a potential initiator, the frequency of automatic initiation commands and other events which are discussed in other sections. This section discusses the probability of individual events based upon a review of the design and procedures related material that has been acquired from LILCO and/or collected as a result of a walk-through inspection of both the SNPS control room, the Reactor Building Elevation 8 area, and interviews with SNPS operations and maintenance staff. Since this review was accomplished from a human reliability perspective, many of the function distinctions important from other perspectives did not contribute to the human error probability, whereas other distinctions which might not be functionally significant were of importance from a human reliability standpoint. For example, from a recovery standpoint the important consideration is whether the operating team is made aware of the flood, how long he has to respond to detect and isolate the flood, and whether or not his attention is totally available for this discovery and isolation problem. The individual valve which initiates the flood is of no consequence except as it affects these parameters.
A.4.2 Event P - Operator Removes Power from Boundary Valves
Event Background
The removal of power from equipment being maintained or inspected during a maintenance operation is a routine procedure followed in most industrial facilities. This procedure is common practice in both fossil and nuclear stations and has become standard practice from a personnel safety standpoint. The removal of power is clearly called out in the LILCO "Rules of Safe Operation" dated 1 January 1980. The relevant paragraph states:
1.04.4 "Hold-off" type of "Equipment Clearance Permit" SHALL be used wherever it is necessary to perform maintenance on or inspect equipment. This type of "Equipment Clearance Permit" certifies to the persons to whom it is issued that the equipment specified is isolated from all sources of voltage, temperature, and pressure so that the work indicated on the "Equipment Clearance Request" form can be performed. This type of "Equipment Clearance Permit" can be issued to an unlimited number of authorized personnel at the same time.
Although the procedure refers to the maintained equipment alone and not the boundary equipment, it is also common practice that power is removed from all boundary equipment as well (again to protect plant maintenance personnel). Interviews with LILCO personnel verified that this is in fact the LILCO practice, and a review of a sample SECP* for a relevant system (HPCI) indicated that the associated "Tagging Order" required isolation and then the electrical disablement of all boundary equipment. These valves are electrically disconnected from their associated 480 V supply by pulling and tagging the appropriate breaker at the motor control center (MCC). The probability of missing an individual breaker is further reduced by the fact that each step in the tag sequence must be initialed by the individual performing the work. Also, routinely the sequence and its implementation are verified for safety related equipment. This is also indicated on Page 9 of SPR.12.011.01 Rev. 5, 2/12/82, "Station Clearance Permits"; the relevant section reads:
8.3.10 Step 16, 17 - If deemed necessary by the Watch Engineer, a secondary qualified person shall verify the correct implementation of the SECP tagging order and placement of the clearance tags. Note: When a safety related system is affected independent verification should be provided to the extent necessary to assure that the proper system was removed from service. This may be accomplished by checking appropriate equipment and controls or indirectly by observation of indicators and status lights. Where significant radiation exposure could result, this equipment may be waived.
*SECP - Station Equipment Clearance Permit
Event Human Error Probability (HEP) Alternatives:
This particular type of event could be assigned the HEP nominal values given in NUREG/CR-1278 for four recorded events. The recorded events and their corresponding probabilities are:

NUREG/CR-1278 Events | Probability | Reference
---|---|---
1. Failure to carry out plant policy when there is no check or person. | 0.01 (0.005 to 0.05) | p 20-31, Table 20-22, Item 1
2. Error of Omission in Use of Written Procedures in Non-passive Tasks with check-off. Long list 10 items. | 0.003 (0.001 to 0.01) | p 20-29, Table 20-22, Item 2
3. Failure to follow established procedures or policies in valve changes or restoration | 0.01 (0.005 to 0.01) | p 20-23, Table 20-15, Item 5
4. Change or restore wrong 110V switch or circuit breakers in a group of similar appearing items. | 0.003 (0.001 to 0.01) | p 20-21, Table 20-14, Item 7
Event 1 is clearly conservative when compared to the Event P defined here in the SNPS PRA since LILCO procedures call for a check and verification of the implementation of the tagging order. Event 3 is related to changes in the valves themselves rather than the restoration of power to the valve at the MCC. For these reasons it would appear that Event 2 or Event 4 is more analogous to Event P. Since each has the same HEP nominal value and range, a distinction need not be made between them.
Event Human Error Probability Selection and Justification:
The associated probability and bounds are then 0.003 (0.001 to 0.01) as given in NUREG/CR-1278. The extreme high value is known to be conservative since 0.01 is the nominal value to be assigned with no check, and LILCO procedures do call for a check. However total credit cannot be taken for the procedures as written because:
1. The tagging order requirement for checking is left to the discretion of the Watch Engineer, and he clearly has the option of not requiring verification, and
2. Even for safety systems the requirement is optional.
For these reasons the selected probability is judged to be between the nominal and high value (i.e., 0.003 to 0.01), and to be conservative 0.01 is selected. If the procedures are amended so that a check is required for the boundary valves of concern, and if operating personnel are trained accordingly, then the probability could be reduced to 0.003. This value is consistent with the nominal probability of inadvertently not racking out a valve breaker. In a second meeting the operational staff agreed to consider changes to maintenance procedures.
Probability (Event P) = 0.01 per vulnerable maintenance occurrence is judged to be conservative.
A.4.2.3 Event E_C - Operator Maintains Isolation of the Boundary Valves
Event Background
The operator could fail to maintain the isolation of these valves either by manually opening one or more of them locally, or by remote opening. Of course remote opening is not possible for manual valves. Valves can be opened remotely either at the motor control center or in the control room. Due to the location of the manually operated isolation valves near the area where the flood would occur, it is judged to be very unlikely that an operator would open an isolation valve locally and fail to notice the flood and reclose the valve.
Operation of the valve at the MCC requires the presence of two things: power and command. Power at the MCC requires the failure of Event P. Command at the MCC requires the valve operation to be "jumped". Jumping of these valve controls is not likely to occur at Shoreham. Due to the low probability of this event, it is not considered in further calculations.
Inadvertent Operation of Panel Switch:
The other possibility is that the valve is opened from the control room. This operation would require that the valve auto function would be available and that the appropriate panel switch is activated. The auto function would be active if the operator failed to remove power from the valve (Event P). The panel switch could be activated if the operator mistakenly operates the tagged out switch. A 0.001 (NUREG/CR-1278, p 20-21, Table 20-14, Item 4) high value is used to include the possibility for failure to tag and the use of multiple tags in the area. Two other considerations were evaluated: a command fault to the valve (less than 10~ in the maintenance period), or if the operator inadvertently operates the panel switch. This final event requires further discussion.
Here a distinction is made between mistaken operation of a switch (i.e., the operator turns the wrong one) and inadvertent operation of the switch (i.e., the operator turns the switch without knowing it). This second event is more probable in some instances due to design specific considerations of the SNPS control board. Two general types of switches are used in the control of the systems of interest on the SNPS control board: round thumb knob two position switches and "L" handle switches. The thumb knob switches and "L" handle switches with key locks are not susceptible to inadvertent operation since they require an overt action directed specifically at their operation for actuation. The "L" handle switches without keys which are more than 6 inches from the edge of the panel are also not susceptible since the operators would have to actually sit on the panel to inadvertently actuate them. This is an unlikely occurrence for a trained operational staff. However, there are several "L" handle switches within one or two inches from the edge of the panel. Since the panel is approximately at hip height the potential for inadvertent actuation exists.
This possibility exists for the valve operator switches of interest for this sequence since many of them are on the edge of the panel and since they are of the momentary-contact spring-return-to-auto type which may be susceptible to inadvertent operation. The initiating mechanism is that of an operator walking by the panel and catching a belt loop, a flashlight, a wallet or anything else at hip height on the valve handle and activating the valve without his knowledge.
l In the time required for some of the maintenance actions of interest and, probability that someone inadvertently actuates a switch is estimated at 50% to be conservative. Assuming there cre 50 valves switches on the edge and at most only one contributes to this sequence during a particular maintenance act the probability for each valve is estimated at 0.01 per vulnerable act. (HPCI and RCIC have two valves each associated with switches on the edge of the control panel) and 0.001 per vulnerable act for all others (LPCI, CS, SW). A.4.2.4 Event A - Operator Diagnoses and Isolates Flood in X Minutes 1 The Operator Recovery Model Used for the SNPS PRA Flood Sequence The evaluation of the erobability of recovery (i.e., the operator isolating a flood which has occurred) is based upon the use of a response time versus humar. error prcbability relation. Tho suggestion that such a relatior is the proper approach for recovery probability assignment has a long history. The work of W. Hannamar. is also acknowledged in this area. Early work (A-5) provided experimental evidence for the validity of such a correlation for basic stimulus / response tasks in a NPP control room environment. l Later work (A-6) suggested that the approach could have validity across a broad range of tasks. More recent work (A-7, A-8, A-9) .. provides correlational research to substantiate the suggestion, and provides quantitative indication of what conservative bounds for the ra'ation would be when applied to operator responses to risk A34
significant cognitive tasks, as well as providing a more comprehensive reference set. The particular relation used in this analysis to assign Human Error Probabilities to the operator response to a singular flood occurrence will be contained in Chapter 12 of the 1982 revision of Reference A-12, and haa been recently been published in Reference A-10. For multiple transients the singular occurrence value is assigned to the first transient diagnosed in and the more conservative screening values for the joint HEPs given in Reference A-ll are applied f or all subsequent problems using the approach suggested in Referente A-10. In this analysis it has been assumed (for conservatism) that when multiple transients are present the flood will not be the first one diagnosed and so the more conservative values have been applied. Event Background Tbt tint available f .> r flood response depend.s on the discharge rate from the flooding source through the active pathway. Since the times may change as a result of more definitive analysis the failure of this event has been developed parametrically using time of response as a parameter. The event A provides for recovery from all potential flood initiator sequences; automatic initiated opening of a boundary valve, or manually initiation of a valve. Although,from a systems ,, analysis standpoint each of these must be treated separately the human interface similarities allow the last two to be treated in a similar fashion. For the case of automatic initialad opening of a i A35
boundary valve, it is assumed that multiple alarms of the same or higher priority will be occurring in the control room at the same time as the flood alarm, and the operator's job will be to address multiple alarms until he gets to the flood alarm, and then he must proceed to identify the source of the flood, determine the isolation approach required, and implement it. In the case of a manually initiated opening of a boundary valve only the flood related alarms will be occurring and the operator need only address the isolation of the flooding source. For this reason the following two events are identified and discussed below:
- 1. Event A_A - Operator Isolates within X minutes after auto occurrence.
- 2. Event A_M - Operator Isolates Flood within X minutes after manual occurrence.
Event A_A

The operator can fail in Event A_A by either not being prompted to act to isolate the flood, or by acting but not being able to identify and isolate the flood in X minutes. The operator may not be prompted to act to isolate the flood either because the flood alarm does not activate, or because even though it activates he must deal with other alarms as well and may not be able to address and isolate the source of flooding in X minutes. The failure of the flood alarm is a component failure event and its probability is addressed in Event I. To be conservative, alternative means of being alerted to the flood are not considered although they are available. When multiple
problems occur simultaneously the nominal response function needs to be modified to take into account the expected degradation in the function due to stress of multiple alarm occurrences. Recent research in this area has led to the development of the multiple occurrence time response table given below. The table is included in Chapter 12 of the 1982 Edition of NUREG/CR-1278. For the case when the flood is the second event the expected response probability performance reported is shown in Table A-10.

Table A-10 RESPONSE TIME PROBABILITY - 2ND EVENT

X (minutes) | Px (Probability of not successfully responding to the 2nd event, in this case the flood, by X minutes)
---|---
1.0 | 1.0
10 | 0.5
20 | 0.1
30 | 0.01
60 | 0.001
1500 | 10

It should be noted that the times given here are times between the prompt (i.e., flood alarm) and the time a response is initiated. This does not include the operator action intervention time (i.e., time required to activate the relevant controls) but does include the time required to identify the source of flooding and to determine what isolation response is required. The times listed here (and also the times with other Table A-10) are based upon the response of Control Room Operators who are trained in the specific flood alarm
response procedures, and recognize the time priorities required to be considered for isolation; that is, what are the primary sources of water and the most probable pathways, and which require the quickest action. This training is considered to include work on this specific sequence response, and it is assumed that the training is renewed on a regular basis.

If the operator is prompted to act immediately upon the occurrence of the flood alarm he might still be unable to identify and isolate the source of the flood. The time response situation is similar to the previous situation except that the flood is now his primary concern, and therefore the first event numbers from Chapter 12 of NUREG/CR-1278 are used, as shown in Table A-11.
Table A-11 RESPONSE TIME PROBABILITY - 1ST EVENT

X (minutes) | Px (Probability of not successfully responding to the 2nd event, in this case the flood, by X minutes)
---|---
1.0 | 1.0
10 | 0.1
20 | 0.01
30 | 0.001
60 | 10
1500 | 10-

Event A_A Probability: Operator Error Within X Minutes Following An Automatic Plant Action

The probability for failure to isolate the flood that occurs due to an isolation event is the sum of the values in the previous two tables. These results are displayed in Table A-12.

Table A-12 PROBABILITY THAT FLOOD REMAINS UNISOLATED FOR X MINUTES AFTER AUTOMATIC PLANT ACTION; e.g., MSIV CLOSURE INITIATES FLOOD

X | P_A_A
---|---
1 | 1
10 | 0.6
20 | 0.11
30 | 0.011
60 | 0.0011
1500 | 1.1x10^-4
Event A_M

The operator can fail Event A_M by either not being prompted to act to isolate the flood, or by acting but not being able to identify and isolate the flood in X minutes. The operator may not be prompted to act to isolate the flood either because the flood alarm does not activate, or because he does not respond to it properly. In the case of manual initiation the failure to respond properly is just the probability that he fails to respond to an annunciated alarm light. The probability is given in NUREG/CR-1278 (P20-9 Table 20-3, Item 1) as 10 per occurrence. The nominal value has been used since in this instance the flood is a singular occurrence. The failure of the alarm to activate is a hardware failure probability, which is again not addressed here. If the operator is prompted to the flood, then the probability that he fails to respond to isolate it in X minutes is the same as the probabilities given in Table A-13.

Event A_M Probability

Based upon the above analyses the event A_M probability can be given (again neglecting the alarm failure probability) by Table A-13.
Table A-13 PROBABILITY THAT FLOOD REMAINS UNISOLATED FOR X MINUTES DURING CONTROLLED MANUAL SHUTDOWN

X | P_A_M(X)
---|---
1 | 1
10 | 0.1
20 | 0.01
30 | 1.1x10^-3
60 | 2.0x10
1500 | 1.1x10^-4

In summary, the values used in the SNPS PRA for HEP are compiled in Table A-14 along with the initiator branch point, the source of the water, the time available, and the human error probability.
A.4.4 Other Initiator Event Tree Functions

There are two remaining categories of event tree functions which are discussed below:
(1) Plant status which includes predisposition to the availability of the feedwater system.
(2) The control room annunciation given that a flood is in progress.
A.4.4.1 Plant Status

First, consider the characterization of plant status. For the flood initiator trees associated with major maintenance the plant status is sorted based upon the use of two event functions, D and R.

System not demanded by operational condition (D): This event function sorts out those cases for which an MSIV closure occurs coincident with a potential flood initiator due to major maintenance.
Table A-14 SUMMARY OF THE HEP QUANTIFICATION FOR EVENT A

SYSTEM | INITIATOR | BRANCH POINT | REACTOR STATUS | SOURCE / TIME AVAILABLE** | HUMAN ERROR PROBABILITY (HEP)
---|---|---|---|---|---
Maintenance RCIC (suction) | T_FL1 | A_1 | P | Supp/110 | 2.0E-4
 | | A_2 | P | Supp/110 | 2.0E-4
 | | A_3 | | | 2.E-4
 | | A_4 | P | CST/76 | 2.0E-4
 | | A_5 | S | CST/76 | 0.0011 (1 hr)
Maintenance HPCI (suction) | T_FL2 | A_1 | P | Supp/17 | 0.1
 | | A_2 | P | Supp/17 | 0.1
 | | A_3 | P | CST/13 | 0.1
 | | A_4 | P | CST/13 | 0.1
 | | A_5 | S | CST/13 | 0.6
Maintenance CS (suction) | T_FL3 | A_1 | P | Supp/12 | 0.1
 | | A_2 | P | Supp/12 | 0.1
 | | A_3 | S | Supp/12 | 0.6
Maintenance LPCI (suction) | T_FL4 | A_1 | P | Supp/9.4 | 1.0
 | | A_2 | P | Supp/9.4 | 1.0
 | | A_3 | S | Supp/9.4 | 1.0
Service Water | T_FL5 | A_1 | P | SW/28 | 0.1
The hourly probability of an MSIV closure event is derived from an estimated 1 event per year divided by the number of hours in a year (8760) to give

1/8760 = 1.1 x 10^-4/hr.

The probability of an MSIV closure during maintenance of RCIC or HPCI is

P(D/T_FL1, T_FL2) = 93 x 1.1 x 10^-4 = 0.011

An MSIV closure during maintenance of either LPCI or CS pumps is conservatively assumed to automatically activate this system; its probability is

P(D/T_FL3, T_FL4) = 43 x 1.1 x 10^-4 = 0.0048

Reactor Status (R): This event function distinguishes between the possibility of a controlled operator response that preserves feedwater (T), and a response that results in an MSIV closure and loss of feedwater (S). The LILCO Emergency Procedures, such as that related to loss of reactor building closed loop cooling water to recirculation pump MG-Set (SP#29.017.01 Revision 2 - 9/24/82), clearly require that the reactor operator immediately reduce Recirc pump speed to minimum, trip Recirc MG-Set, and initiate the emergency shutdown procedure (SP#29.010.01). If this is accomplished, the feedwater system will continue to operate. On the other hand, if the
operator allows the reactor to remain at full power, a delayed recirculation pump trip (approximately 7.5 minutes from the time at which the flood reaches Motor Control Centers at the 18" level) will occur. A recirc pump trip is caused by a postulated flood-induced failure of cooling water pumps to the recirc pump MG-set fluid coupler, which is annunciated in the control room. If both recirc pumps trip simultaneously at full reactor power, it is possible that the feedwater system will not be capable of a runback to prevent a reactor water level 8 feedwater trip, which is followed by an MSIV closure. It is conservatively assumed that an MSIV closure will also occur even for events that do not occur with the reactor at full power.

Since LILCO procedures (such as that referenced above) establish an operational requirement for manual shutdown via the emergency shutdown procedure, it is judged that a substantial majority of events will occur without loss of feedwater. It is also conceivable that the operator has initiated shutdown prior to the loss of MCC 11D1 and 12D1 at 18". If this is the case, the trip of the recirculation pumps will have no effect on reactor status. A proposed LILCO secondary containment control procedure will address this. However, the probability of failure of the operator to manually shut down the reactor is estimated to be .3. This upper bound is assigned to take into account the possibility of operator error due to a large number of alarms occurring at the time necessary for this decision to be made. This value is consistent with the .25
value given by NUREG/CR 1278 for human error probability assigned to an error on the part of novice operators carrying out a task under extremely high (life-threatening) stress conditions, and is therefore very conservative when applied to experienced operators or to the stress conditions which are to be expected.

A.4.3.2 Control Room Annunciation (I):

The probability that the flooding condition is not annunciated or recognized is dominated by two events: failure to recognize a flood event given that it is annunciated, and failure of the annunciators. The flood annunciator is a safety grade system with an alarm appearing on the dedicated panel in the control room. The alarm is served by an acknowledge switch on the panel so that it is very likely that this alarm will be noticed. Failure to recognize the flood alarm is assessed to be 0.001. Failure of the flood annunciator is dominated by a common-mode miscalibration error assessed to be 2x10^-3. Therefore, the event I is assessed at 3x10^-3 per challenge.
REFERENCES

A-1 Limerick Generating Station Probabilistic Risk Assessment, Docket Nos. 50-352, 50-353, September 1982.

A-2 "Probabilistic Analysis of the Reliability of BWR-4 Systems for Small LOCA Events", General Electric, NEDO 24809, April 1980.

A-3 WASH-1400, "Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants", U.S. Nuclear Regulatory Commission, October 1975.

A-4 NUREG/CR 1205, "Data Summaries of Licensee Event Reports of Pumps at U.S. Commercial Nuclear Power Plants: January 1, 1977 to April 30, 1978", U.S. Nuclear Regulatory Commission, January 1980.

A-5 A.E. Green, "Safety Assessment of Automatic and Manual Protective Systems for Reactors", AHSB(s), R-172, Authority Health and Safety Branch, UK, Risley, England, 1979.

A-6 R.R. Fullwood and A.A. Hussiemy, "Human Performance Response Time", 1979 ANS Winter Meeting.

A-7 J.R. Fragola, "Human Error Probability for the Cognitive Mode of Behavior", SAI/NY R82-7-3 (3), July 27, 1982.

A-8 J. Wreathall, "Operation Action Trees. An Approach to Quantifying Operator Error Probability During Accident Sequences", NUS Report 4655 NPS, July 1982.

A-9 R.E. Hall, J.R. Fragola, and J. Wreathall, "Post Event Decision Errors: Operation Action Tree / Trim-Reliability Correlation", NUREG/CR 1605, BNL, August 1982.

A-10 A.D. Swain, "Modeling of Response to Nuclear Power Plant Transients for Probabilistic Risk Assessment", in K. Noro (ed.), Proceedings of the 8th Congress of the International Economics Association, August 23-27, 1982, Tokyo, Japan.

A-11 R.A. Bari, et al., "National Reliability Evaluation Program (NREP) Procedures Guide", NUREG/CR 2815, Final Draft, September 9, 1982.

A-12 A.D. Swain and H.E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR 1278, pg. 13-4, April 1980.
}}