ML20081A121

Rev 1 to Suppl 3 of Probabilistic Risk Assessment of Effects of PORVs on Depressurization & Dhr
Person / Time
Site: Palo Verde, Arizona Public Service
Issue date: 09/30/1983
From:
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To:
Shared Package
ML17298A607 List:
References
CEN-239-S03, CEN-239-S03-R01, CEN-239-S3, CEN-239-S3-R1, NUDOCS 8310260160


Text

{{#Wiki_filter:CEN-239 Supplement 3 Revision 01

PROBABILISTIC RISK ASSESSMENT OF THE EFFECTS OF PORVs ON DEPRESSURIZATION AND DECAY HEAT REMOVAL

PALO VERDE NUCLEAR GENERATING STATION UNITS 1, 2 AND 3

Prepared for the C-E Owners Group

Nuclear Power Systems Division

September, 1983


8310260160 831013 PDR ADOCK 05000528 PM A - V

LEGAL NOTICE

This report was prepared as an account of work sponsored by Combustion Engineering, Inc. Neither Combustion Engineering nor any person acting on its behalf:

a. Makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or

b. Assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.


REVISION 01

Revision 01 to the Probabilistic Risk Assessment of the Effect of PORVs on Depressurization and Decay Heat Removal for Palo Verde Nuclear Generating Station Units 1, 2, and 3 provides changes to Supplement 3 text to amplify or update the present analysis results. These changes are the result of a more detailed treatment of the Automatic PORV cases, and a more complete analysis of the Auxiliary Feedwater restoration. The changes are indicated by a change bar in the right margin. This revision supersedes the existing Supplement 3.

SUMMARY OF SUPPLEMENT 3

The NRC has requested that utilities owning C-E supplied NSSS plants without power operated relief valves provide a plant specific evaluation of the "rapid depressurization and decay heat removal capabilities" of their plants and respond to a series of questions (Appendix A). The following questions extracted from the list in Appendix A request a probabilistic evaluation of the potential change in risk that would result from adding power operated relief valves to these plants. This change in risk can be incorporated into a value-impact evaluation. The brief responses presented for these questions provide a synopsis of the analyses that are contained within this document. These results are specific to the Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2 and 3. Responses to questions 1 thru 7, 8e and 12 thru 14 are provided in CEN-239 (28).

Question 8: For extended loss of main and auxiliary feedwater case where feed/bleed would be a potential backup:

a. What is the frequency of loss of main feedwater events; break down initiators that affect more than MFW, e.g., DC power?
b. What is the probability of recovering main feedwater? Provide your bases such as availability of procedures and the human error rates?
c. What is the probability of losing all auxiliary feedwater (given Item a)? Include considerations of recovering auxiliary feedwater as well as common cause failures (including those which could affect main feedwater availability and support system dependencies) and failures that could be hidden from detection via tests?

d. What is the uncertainty in the estimates provided for a), b) and c)?
e. How long would it take for core melt to initiate?
f. Were core to melt under these conditions, what is the likelihood of steam generator tube rupture(s) due to steam pressure from slumping core?
g. Characterize the consequences from core melt events of e) and f).

Response to Question 8:

A review of the operating experience of the nuclear industry and a fault tree analysis of the PVNGS MFW design were performed to determine the frequency of loss of MFW events. The results of the analysis are quantified by a statistical distribution which represents the frequency of loss of MFW. For PVNGS, the initiating event frequency can be expressed in terms of a median value of 1.18 events per year with an associated error factor of 3. The error factor is defined as the ratio of the 95th to 50th percentile. The median value represents the estimate that, considering uncertainty, would be expected to be higher than the true value with 50% confidence. The associated error factor is a ratio, as defined above, which when multiplied with the median estimate, yields an upper bound estimate which would be expected to be higher than the true value with 95% confidence.

These results were further incorporated into an extensive evaluation of the core damage frequency due to loss of the secondary heat sink. The analysis included an investigation of the potential for recovering feedwater. The core damage frequency contribution resulting from a loss of the secondary heat sink was evaluated for the current plant design which includes low pressure pumps (condensate pumps) for secondary heat removal following SG depressurization but has no PORVs, and for an alternative plant design which does not credit the alternate secondary heat removal capability but includes PORV depressurization and decay heat removal capability. The resulting core damage frequencies for PVNGS are 7.3E-6 per year with an associated error factor of 11 without PORVs and 1.0E-5 per year with an associated error factor of 12 with PORVs (manual design). (The resulting core damage frequency for PVNGS assuming an automatic PORV design is 5.0E-6 per year with an associated error factor of 13).

The core damage frequency for loss of heat sink events was also evaluated assuming no alternate secondary heat removal capability and no PORV depressurization and decay heat removal capability. The resulting core damage frequency was estimated to be 1.1E-5 per year with an associated error factor of 13. The complete analysis is presented in this report.

Question 9: What is the risk from steam generator(s) tube failures? As a minimum, consider the following:

a. Scenarios leading to core melt from one or more steam generator tubes failing in one steam generator. Include paths which consider failure of relief or safety valve in the faulted steam generator, capability of (or loss thereof) to depressurize the secondary side, the role of the ECCS including inventory and Boron availability.

b. What is the frequency of steam generator tube ruptures in two steam generators? This estimate should include consideration of common cause failures such as design errors, events resulting in extremely high ΔP across the tubes, aging, etc. If tubes were to fail in both steam generators, what is the probability of core melt and generally characterize the consequences.
c. For a) and b) above, discuss the likelihood of steamlines filling with subcooled water and any consequential failures.
d. For a) and b), discuss uncertainties including human error rates (carefully considering the clarity and unambiguity of procedures).

Response to Question 9:

The frequencies of the SGTR accident sequences which could potentially lead to core damage were statistically combined into two categories: 1) scenarios resulting from SGTR in one or two steam generators assuming offsite power was available and 2) scenarios resulting from SGTR in one or two steam generators with a coincident loss of offsite power. The complete analysis (which includes a detailed evaluation of each accident sequence) is presented in this report. The core damage frequency contribution due to SGTR in one or two steam generators for PVNGS assuming offsite power is available can be expressed in terms of a median value of 1.7E-5 per year with an associated error factor of 5. The error factor is defined as the ratio of the 95th to 50th percentile. The core damage frequency contribution due to SGTR in one or two steam generators with coincident loss of offsite power is estimated to be 1.5E-s per year with an associated error factor of 10. The decrease in core damage frequency due to the added depressurization capability of PORVs was determined to be negligible compared to the core damage frequency contribution from all other SGTR accident sequences.

The likelihood of steam lines filling with subcooled water during a SGTR was also investigated. The total frequency of sequences that could possibly lead to SG overfill conditions was determined to be approximately 2.5E-4 per year (median value) with an associated error factor of 5 (ratio of 95th to 50th percentile).

Question 10: What is the core melt frequency from PORV initiated LOCA? Characterize the consequences?

Response to Question 10:

The core damage frequency due to PORV initiated LOCA was evaluated based on two plant designs (manual PORV design and automatic PORV design) which would be assumed to provide increased RCS decay heat removal and depressurization capability. For the manual PORV design, the PORVs are manually opened and the plant is assumed to operate with the PORV block valves closed which tends to minimize the risk associated with PORV LOCA. The results of the analysis are quantified by a statistical distribution representing the core damage frequency of PORV LOCA. The core damage frequency contribution due to PORV LOCA can be expressed in terms of a median value of 8.4E-8 per year with an associated error factor of 11. The error factor is defined as the ratio of the 95th to 50th percentile.

If automatic actuation of the PORVs were to be assumed and if the plant were to operate with the block valves open, the core damage frequency contribution due to PORV LOCA would become 3.9E-6 per year with an associated error factor of 17.

Question 11: What is the net gain (or loss) in safety considering 8, 9, and 10 above if PORVs were to be installed? Are there any additional benefits (or drawbacks) achieved by installing PORVs? Examples of potential benefits are mitigation of ATWS and pressurized thermal shock, and reduced risk associated with depressurized primary system during a core melt.

Response to Question 11:

The overall change in core damage frequency (net gain or loss in safety) due to the installation of PORVs was determined by examining only those events which were considered to significantly contribute to an increase or decrease in the total core damage frequency. The core damage frequency contribution due to LOHS events and PORV LOCA is impacted by the presence of PORVs while the change in SGTR core damage frequencies does not contribute to a net gain or loss in safety. The calculation was performed with the SAMPLE code at the sequence level to account for dependencies between the sequences. The result indicates a net increase in total core damage frequency due to the installation of manually actuated PORVs of 1.2E-6 per year (median value). If automatic actuation of the PORVs were to be assumed and if the plant were to operate with the block valves open, the result would indicate a net increase in total core damage frequency of 2.6E-6 per year (median value). It should be noted that the above values are very small compared to the proposed NRC safety guideline of 10^-4 core melts per year.
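The responses above quote every frequency as a median with an error factor (95th over 50th percentile). The following is an added example, not code from the report and not the SAMPLE code: it converts a (median, error factor) pair into percentiles and a mean, and shows by Monte Carlo sampling that the median of a sum is not the sum of the medians. It assumes each quantity is lognormal and that the terms are independent; the report states neither, and the printed total is an illustration, not a report result.

```python
"""Median / error-factor arithmetic for PRA frequencies (added illustration).

Assumption: each quantity is lognormal. The page only defines the error
factor (EF) as the ratio of the 95th to the 50th percentile.
"""
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal


def lognormal_params(median, error_factor):
    """Return (mu, sigma) of ln X for a lognormal X with this median and EF."""
    if median <= 0 or error_factor <= 1:
        raise ValueError("median must be > 0 and error factor > 1")
    return math.log(median), math.log(error_factor) / Z95


def describe(median, error_factor):
    """Percentiles and mean implied by (median, EF) under the lognormal assumption."""
    _, sigma = lognormal_params(median, error_factor)
    return {
        "p05": median / error_factor,
        "median": median,
        "p95": median * error_factor,
        "mean": median * math.exp(sigma ** 2 / 2),
    }


def percentile(sorted_values, q):
    """Nearest-rank percentile of an already sorted sample."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


def combine_independent(terms, trials=100_000, seed=1983):
    """Monte Carlo sum of independent lognormal terms given as (median, EF) pairs.

    Returns (median, EF) of the total. Independence is an assumption of this
    sketch; it does not model dependencies between accident sequences.
    """
    rng = random.Random(seed)
    params = [lognormal_params(m, ef) for m, ef in terms]
    totals = sorted(
        sum(rng.lognormvariate(mu, sigma) for mu, sigma in params)
        for _ in range(trials)
    )
    median = percentile(totals, 0.50)
    return median, percentile(totals, 0.95) / median


if __name__ == "__main__":
    # Quoted on the page: loss-of-MFW initiating event frequency (per year).
    print(describe(1.18, 3))
    # Quoted on the page for the automatic PORV design (per year), used here
    # only as sample inputs: loss of heat sink and PORV LOCA contributions.
    terms = [(5.0e-6, 13), (3.9e-6, 17)]
    total_median, total_ef = combine_independent(terms)
    print(f"sum of medians: {sum(m for m, _ in terms):.2e}")
    print(f"median of sum : {total_median:.2e} (EF {total_ef:.1f})")
```

With wide error factors the mean sits well above the median (nearly a factor of 3 at an error factor of 11), which matters when a median is compared against a guideline expressed as a single number.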

LIST OF ACRONYMS

ADHR  Alternate decay heat removal
ADV  Atmospheric dump valve
ADS  Atmospheric dump system
AFW  Auxiliary feedwater
AFWS  Auxiliary feedwater system
ATWS  Anticipated transient without scram
BPS  Blowdown processing system
CCAS  Containment cooling actuation system
CCW  Component cooling water
CCWS  Component cooling water system
CEA  Control element assembly
CEDM  Control element drive mechanism
CEOG  Combustion Engineering Owners Group
CIAS  Containment isolation actuation signal
CSAS  Containment spray actuation signal
CS  Containment spray
CSS  Containment spray system
CVCS  Chemical and volume control system
DG  Diesel generator
ECCS  Emergency core cooling system
EDS  Electrical distribution system
EFAS  Emergency feedwater actuation system
EFW  Emergency feedwater
EFWS  Emergency feedwater system
ESF  Engineering safety features
ESFAS  Engineering safety features actuation signal
FSAR  Final Safety Analysis Report
FWCS  Feedwater control system
HEP  Human error probability
HP  High pressure
HPSI  High pressure safety injection
HX  Heat exchanger
LOCA  Loss of coolant accident
LOHS  Loss of secondary heat sink
LOOP  Loss of offsite power
MCC  Motor control center
MFW  Main feedwater
MSIS  Main steam isolation signal
MSIV  Main steam isolation valve
MSSV  Main steam safety valve
NRC  Nuclear Regulatory Commission
NREP  National Reliability Evaluation Program
NSSS  Nuclear steam supply system
PLCS  Pressurizer level control system
PORV  Power operated relief valve
PPCS  Pressurizer pressure control system
PPS  Plant protective system
psia  Pounds per square inch, absolute
psig  Pounds per square inch, gage
PTS  Pressurized thermal shock
PVNGS  Palo Verde Nuclear Generating Station
RAS  Recirculation actuation signal
RCP  Reactor coolant pump
RCS  Reactor coolant system
RPS  Reactor protective system
RWT  Refueling water tank
SBCS  Steam bypass control system
SBLOCA  Small break loss of coolant accident
SCS  Shutdown cooling system
SG  Steam generator
SGTR  Steam generator tube rupture
SIAS  Safety injection actuation signal
SONGS  San Onofre Nuclear Generating Stations
TBV  Turbine bypass valve
TBS  Turbine bypass system
TCV  Turbine control valve
TT  Turbine trip
T HOT  Reactor coolant system hot leg temperature
VCT  Volume control tank
kD  Core damage frequency

TABLE OF CONTENTS

SUMMARY OF SUPPLEMENT 3
LIST OF ACRONYMS
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES

1.0 INTRODUCTION
1.1 Purpose
1.2 Approach
1.3 Background
1.4 Report Outline

2.0 METHODOLOGY
2.1 Information Sources
2.1.1 Plant Design and Procedural Information
2.1.2 Reliability Data
2.2 Analysis
2.2.1 Event Tree Analysis
2.2.1.1 Function Level Event Trees
2.2.1.2 System/Action Level Event Trees
2.2.1.3 Description of the CEETAR Code
2.2.2 Fault Tree Analysis
2.2.2.1 Fault Tree Construction
2.2.2.2 Fault Tree Evaluation
2.2.2.3 Human Failures
2.2.2.4 Description of the CEREC Code
2.2.3 Fault Tree/Event Tree Interfacing
2.2.3.1 Calculation of the Total Core Damage Frequency
2.2.3.2 Dependent Failures
2.2.3.3 Description of the CEDAR Code
2.2.3.4 Uncertainty Analysis
2.2.3.5 Description of the SAMPLE Code

3.0 PLANT DESIGN
3.1 Plant Description
3.2 Plant Systems
3.3 System Interdependencies
3.3.1 Mitigating vs. Support Systems
3.3.2 Support vs. Support Systems

4.0 INITIATING EVENTS
4.1 Event Selection
4.2 All Other Events
4.3 Initiating Event Frequencies
4.3.1 Loss of Secondary Heat Sink
4.3.2 Steam Generator Tube Rupture
4.3.3 PORV LOCA

5.0 ACCIDENT SEQUENCE DETERMINATION
5.1 Loss of Secondary Heat Sink
5.1.1 Initiating Event
5.1.2 Normal Sequence of Events
5.1.3 Functional Event Tree
5.1.4 Systemic Event Trees
5.1.4.1 Loss of Secondary Heat Sink Event Tree
5.1.4.2 Loss of Secondary Heat Sink with Feed and Bleed Operation Event Tree
5.2 Steam Generator Tube Rupture
5.2.1 Initiating Events
5.2.2 Normal Sequence of Events
5.2.3 Functional Event Tree
5.2.4 Systemic Event Trees
5.2.4.1 SGTR in One SG Event Tree
5.2.4.2 SGTR in One SG with Coincident LOOP Event Tree
5.2.4.3 SGTR in Two SG Event Tree
5.2.4.4 SGTR in Two SG with Coincident LOOP Event Tree
5.3 PORV LOCA
5.3.1 Initiating Event
5.3.2 Normal Sequence of Events
5.3.3 Functional Event Trees
5.3.3.1 PORV LOCA Following Loss of Secondary Heat Sink Functional Event Tree
5.3.3.2 PORV LOCA Following Steam Generator Tube Rupture Functional Event Tree
5.3.3.3 Spurious or Transient Induced PORV LOCA Functional Event Tree
5.3.4 Systemic Event Trees
5.3.4.1 PORV LOCA Following Loss of Secondary Heat Sink Event Tree
5.3.4.2 PORV LOCA Following Steam Generator Tube Rupture Event Tree
5.3.4.3 Spurious or Transient Induced PORV LOCA Event Tree
5.4 Other Core Damage Sequences

6.0 SYSTEM ANALYSES
6.1 High Pressure Safety Injection
6.1.1 System Description
6.1.2 Assumptions
6.1.3 Results
6.2 Auxiliary Spray System
6.2.1 System Description
6.2.2 Assumptions
6.2.3 Results
6.3 Containment Spray System
6.3.1 System Description
6.3.2 Assumptions
6.3.3 Results
6.4 Power Operated Relief Valves
6.4.1 System Description
6.4.2 Assumptions
6.4.3 Results
6.5 Primary Feed and Bleed System
6.5.1 System Description
6.5.2 Assumptions
6.5.3 Results
6.6 Turbine Bypass System and Turbine Trip
6.6.1 System Description
6.6.2 Assumptions
6.6.3 Results
6.6.4 Turbine Trip
6.7 Main Steam Isolation
6.7.1 System Description
6.7.2 Assumptions
6.7.3 Results
6.8 Atmospheric Dump System
6.8.1 System Description
6.8.2 Assumptions
6.8.3 Results
6.9 Main Steam Safety Valves
6.9.1 System Description
6.9.2 Assumptions
6.9.3 Results
6.10 Main Feedwater System
6.10.1 System Description
6.10.2 Assumptions
6.10.3 Results
6.11 Auxiliary Feedwater System
6.11.1 System Description
6.11.2 Assumptions
6.11.3 Results
6.12 Steam Generator Blowdown System
6.12.1 System Description
6.12.2 Assumptions
6.12.3 Results
6.13 Alternate Secondary Heat Removal Capability
6.13.1 System Description
6.13.2 Assumptions
6.13.3 Results
6.14 Electrical Distribution System
6.14.1 System Description
6.14.2 Assumptions
6.14.3 Results
6.15 Cooling Water Systems
6.15.1 System Description
6.15.2 Assumptions
6.15.3 Results
6.16 Instrument Air System
6.16.1 System Description
6.16.2 Assumptions
6.16.3 Results
6.17 Restoration of Feed Flow Analysis
6.17.1 Restoration Methodology
6.17.2 Restoration Analysis and Assumptions
6.17.3 Restoration Results
6.17.4 Non-essential AFW Pump Operation
6.17.5 Non-essential AFW Pump Analysis Assumptions
6.17.6 Results

7.0 ACCIDENT SEQUENCE ANALYSIS
7.1 Loss of Secondary Heat Sink Sequence Analysis
7.1.1 Loss of Heat Sink Core Damage Scenarios
7.1.2 Loss of Heat Sink with Feed and Bleed Core Damage Scenarios
7.2 Steam Generator Tube Rupture Sequence Analysis
7.2.1 SGTR in One Steam Generator Core Damage Scenarios
7.2.2 SGTR in One Steam Generator with Coincident Loss of Offsite Power Core Damage Scenarios
7.2.3 SGTR in Two Steam Generators Core Damage Scenarios
7.2.4 SGTR in Two Steam Generators with Coincident Loss of Offsite Power Core Damage Scenarios
7.2.5 The Effect of PORVs on SGTR Core Damage Frequencies
7.2.6 Steam Generator Overfill Scenarios
7.3 PORV LOCA Sequence Analysis
7.3.1 PORV LOCA Following Loss of Heat Sink Core Damage Scenarios
7.3.2 PORV LOCA Following SGTR in One Steam Generator Core Damage Scenarios
7.3.3 Spurious or Transient Induced PORV LOCA Core Damage Scenarios
7.4 Other Core Damage Sequences

8.0 STEAM GENERATOR TUBE STRENGTH MODEL

9.0 RESULTS
9.1 Core Damage Frequency Contributions
9.2 Change in Core Damage Frequency due to Improved Decay Heat Removal Capability
9.2.1 Change in Core Damage Frequency due to Added Alternate Secondary Heat Removal Capability
9.2.2 Change in Core Damage Frequency due to Installation of PORVS

10.0 REFERENCES

Appendix A  NRC Staff Request for Additional Information
Appendix B  Probabilistic Tube Strength Model

LIST OF FIGURES

1.4-1  Report Flowchart
2.0-1  Study Methodology
2.2.2.1-1  Fault Tree Symbology
5.1.3-1  Loss of Secondary Heat Sink Functional Event Tree
5.1.4.1-1  Loss of Secondary Heat Sink Systemic Event Tree
5.1.4.2-1  Loss of Secondary Heat Sink with Feed and Bleed Operation Systemic Event Tree
5.2.3-1  SGTR Functional Event Tree
5.2.4.1-1  SGTR in One SG Systemic Event Tree
5.2.4.2-1  SGTR in One SG with Coincident LOOP Systemic Event Tree
5.2.4.3-1  SGTR in Two SGs Systemic Event Tree
5.2.4.4-1  SGTR in Two SGs with Coincident LOOP Systemic Event Tree
5.3.3.1-1  PORV LOCA Following Loss of Secondary Heat Sink Functional Event Tree
5.3.3.2-1  PORV LOCA Following Steam Generator Tube Rupture Functional Event Tree
5.3.3.3-1  Spurious or Transient Induced PORV LOCA Functional Event Tree
5.3.4.1-1  PORV LOCA Following Loss of Secondary Heat Sink Systemic Event Tree
5.3.4.2-1  PORV LOCA Following SGTR Systemic Event Tree
5.3.4.3-1  Spurious or Transient Induced PORV LOCA Systemic Event Tree
6.1.1-1  High Pressure Safety Injection System (Injection Mode)
6.1.1-2  High Pressure Safety Injection System (Recirculation Mode)
6.1.1-3  High Pressure Safety Injection/Recirculation Support System Dependency Diagram
6.2.1-1  Auxiliary Spray System
6.2.1-2  Charging Supply to Auxiliary Spray System
6.2.1-3  Pressurizer Auxiliary Spray Support System Dependency Diagram
6.3.1-1  Containment Spray System Schematic
6.3.1-2  Containment Spray Support System Dependency Diagram
6.4.1-1  Power Operated Relief Valves (PORVs)
6.4.1-2  Power Operated Relief Valves Support System Dependency Diagram
6.5.1-1  High Pressure Safety Injection System (Injection Mode)
6.5.1-2  Power Operated Relief Valves
6.5.1-3  Charging System
6.5.1-4  Primary Feed and Bleed Support System Dependency Diagram
6.6.1-1  Turbine Bypass System
6.6.1-2  Schematic of a Typical TBV
6.6.1-3  Turbine Bypass Support System Dependency Diagram
6.7.1-1  Main Steam Isolation Valves
6.7.1-2  Main Steam Isolation Support System Dependency Diagram
6.8.1-1  Atmospheric Dump System on Steam Generator 1
6.8.1-2  Atmospheric Dump System on Steam Generator 2
6.8.1-3  Atmospheric Dump Support System Dependency Diagram
6.9.1-1  Main Steam Safety Valves
6.10.1-1  Main Feedwater System
6.10.1-2  Main Feedwater Support System Dependency Diagram
6.11.1-1  Auxiliary Feedwater System
6.11.1-2  Auxiliary Feedwater Support System Dependency Diagram
6.12.1-1  Steam Generator Blowdown System
6.12.1-2  Steam Generator Blowdown System (continued)
6.12.1-3  Blowdown Support System Dependency Diagram
6.13.1-1  Alternate Secondary Heat Removal Capability (Condensate System)
6.13.1-2  Condensate Support System Dependency Diagram
6.14.1-1  Typical 13.8 KV Intermediate Bus Schematic
6.14.1-2  Typical 13.8 KV Bus Schematic
6.14.1-3  Typical Non-Class 1E 4.16 KV Bus Schematic
6.14.1-4  Typical Class 1E 4.16 KV Bus Schematic
6.14.1-5  Typical Non-Class 1E 480 V Load Center Schematic
6.14.1-6  Typical Class 1E 480 V Load Center Schematic
6.14.1-7  Typical 480 V MCC Schematic
6.14.1-8  Typical Class 1E 125 VDC Load Center Schematic
6.14.1-9  Typical Class 1E 125 VDC Distribution Panel Schematic
6.14.1-10  Typical Class 1E 120 VAC Distribution Panel Schematic
6.15.1-1  Essential Cooling Water System
6.15.1-2  Essential Spray Pond System
6.16.1-1  Instrument Air System
6.17.4-1  Non-essential AFW Pumps
8.0-1  Frequency of Tube Ruptures for an Affected Steam Generator

LIST OF TABLES

2.2.1.1-1  Anti-Core Melt Safety Functions
3.2-1  Plant Systems
3.3.1-1  Mitigating Versus Support Systems
3.3.2-1  Support System Versus Support System
4.3.1-1  Loss of Main Feedwater Initiating Event Frequency
4.3.2-1  SGTR Initiating Event Frequencies
4.3.3-1  PORV Initiating Event Frequencies
5.1.2-1  Normal Sequence of Events for Loss of Feedwater
5.1.3-1  Loss of Secondary Heat Sink Functional Event Tree Considerations
5.1.4-1  Loss of Secondary Heat Sink Event Tree Branch Definitions
5.2.2-1  Normal Sequence of Events for SGTR
5.2.2-2  Normal Sequence of Events for SGTR with Coincident LOOP
5.2.3-1  SGTR Functional Event Tree Considerations
5.2.4-1  SGTR Event Tree Branch Definitions
5.3.2-1  Normal Sequence of Events for PORV LOCA
5.3.3.1-1  PORV LOCA Following Loss of Secondary Heat Sink Functional Event Tree Considerations
5.3.3.2-1  PORV LOCA Following SGTR Functional Event Tree Considerations
5.3.3.3-1  Spurious or Transient Induced PORV LOCA Functional Event Tree Considerations
5.3.4-1  PORV LOCA Event Tree Branch Definitions
6.1.3-1  Failure Probabilities for PVNGS HPSI System
6.1.3-2  Dominant Cutsets for PVNGS HPSI System
6.2.3-1  Failure Probabilities for PVNGS Auxiliary Spray System
6.2.3-2  Dominant Cutsets for PVNGS Auxiliary Spray System
6.3.3-1  Failure Probabilities for PVNGS Containment Spray System
6.3.3-2  Dominant Cutsets for PVNGS Containment Spray System
6.4.3-1  Initiating Event Frequencies and Failure Probabilities for PVNGS PORVs
6.4.3-2  Dominant Cutsets for PVNGS PORVs
6.5.3-1  Failure Probabilities for PVNGS Primary Feed and Bleed System
6.5.3-2  Dominant Cutsets for PVNGS Feed and Bleed System
6.6.3-1  Failure Probabilities for PVNGS Turbine Bypass System
6.6.3-2  Dominant Cutsets for PVNGS Turbine Bypass System
6.7.3-1  Failure Probabilities for PVNGS MSIVs
6.7.3-2  Dominant Cutsets for PVNGS MSIVs
6.8.3-1  Failure Probabilities for PVNGS Atmospheric Dump System
6.8.3-2  Dominant Cutsets for PVNGS Atmospheric Dump System
6.9.3-1  Failure Probabilities for PVNGS MSSVs
6.10-1  Loss of Main Feedwater Plant Trip Events
6.10-2  Plant Trip Events Excluded from Loss of Main Feedwater Analysis
6.10.3-1  Initiating Event Frequency and Failure Probabilities for PVNGS Main Feedwater System
6.10.3-2  Dominant Cutsets for PVNGS Main Feedwater System
6.11.3-1  Failure Probabilities for PVNGS Auxiliary Feedwater System
6.11.3-2  Dominant Cutsets for PVNGS Auxiliary Feedwater System
6.12.3-1  Failure Probabilities for PVNGS Steam Generator Blowdown System
6.12.3-2  Dominant Cutsets for PVNGS Steam Generator Blowdown System
6.13.3-1  Failure Probabilities for PVNGS Alternate Secondary Heat Removal Capability
6.13.3-2  Dominant Cutsets for PVNGS Alternate Secondary Heat Removal Capability
6.16.3-1  Failure Probabilities for PVNGS Instrument Air System
6.16.3-2  Dominant Cutsets for PVNGS Instrument Air System
6.17.2-1  Initial Operator Actions for Total Loss of Feedwater
6.17.3-1  HEP for Combined Tasks
6.17.3-2  HEPs for Restoration of Auxiliary Feedwater for Specific Events
6.17.3-3  Error Bounds for AFW-HEP Calculations given in Table 6.17.3-2
6.17.6-1  Failure Probabilities for PVNGS Restoration Analysis
6.17.6-2  Dominant Cutsets for PVNGS Non-essential AFW Pump
7.1.1-1  Loss of Secondary Heat Sink Core Damage Sequences
7.1.2-1  Loss of Secondary Heat Sink with Feed and Bleed Operation Core Damage Sequences
7.2.1-1  SGTR in One SG Core Damage Sequences
7.2.2-1  SGTR in One SG with Coincident LOOP Core Damage Sequences
7.2.3-1  SGTR in Two SGs Core Damage Sequences
7.2.4-1  SGTR in Two SGs with Coincident LOOP Core Damage Sequences
7.2.5-1  Minimal Core Damage Sequences Including Auxiliary Spray System Failure
7.2.5-2  Change in Core Damage Frequency due to Added Depressurization Capability of PORVs
7.2.6-1  Steam Generator Overfill Scenarios
7.2.6-2  Frequency of Steam Generator Overfill
7.3.1-1  PORV LOCA Following Loss of Secondary Heat Sink Core Damage Sequences
7.3.2-1  PORV LOCA Following SGTR Core Damage Sequences
7.3.3-1  Spurious or Transient Induced PORV LOCA Core Damage Sequences
7.4-1  Summary of Dominant Sequences (No Feed and Bleed)
7.4-2  Key to Accident Sequence Symbols
7.4-3  Dominant Sequence Categories
8.0-1  Events Considered in Tube Strength Model
9.1-1  Core Damage Frequency Contributions due to LOHS, SGTR and PORV LOCA
9.2.2-1  Change in Total Core Damage Frequency due to PORVs

PROBABILISTIC RISK ASSESSMENT OF THE EFFECT OF PORVs ON DEPRESSURIZATION AND DECAY HEAT REMOVAL

1.0 INTRODUCTION

1.1 PURPOSE

The NRC has requested that utilities owning C-E supplied NSSS plants without power operated relief valves provide a plant specific evaluation of the "rapid depressurization and decay heat removal capabilities" of their plants and respond to a series of questions originally forwarded to C-E (1) (Appendix A).

The objective of the work reported herein is to develop responses to the NRC questions for Palo Verde Nuclear Generating Station (PVNGS), Units 1, 2 and 3.

1.2 APPROACH

The NRC questions cover a wide range of topics, not all directly related to the subject of depressurization and decay heat removal. The work reported herein provides responses to questions 8 through 11 (Appendix A). Responses to the other questions are being addressed separately. Questions 8 through 11 request information regarding the probability of core melt due to loss of heat sink, PORV LOCA, and steam generator tube rupture. This report provides this probabilistic information. In addition, the questions include numerous requests for information concerning physical phenomena associated with core damage or "degraded core" conditions. C-E believes it is appropriate to fully answer these questions only after 1) the probability of C-E plants experiencing such degraded core conditions has been quantified (including appropriate evaluation of capabilities of existing equipment to function beyond their design bases to prevent or minimize core damage) and, 2) this probability has been shown to be higher than a commonly accepted standard or goal.

1.3 BACKGROUND

The early C-E NSSS designs used Power Operated Relief Valves (PORVs) as non-safety grade equipment to limit overpressure transients to pressures below the ASME Code safety valve setpoint. This function was intended to reduce challenges to the safety valves, thereby minimizing weepage and avoiding potential leakage following actuation. The PORVs were not intended to prevent a high pressure reactor trip, but rather, were to be used in conjunction with the trip to mitigate the pressure transient.

As each of the early plants became operational, the effectiveness of the pressurizer spray system to limit pressure transients was demonstrated. Consequently, C-E was unable to substantiate any advantages to opening PORVs during transients to protect the safety valves from leakage. PORVs were also considered to be counterproductive in light of the PORV leakage problems that had been experienced. Furthermore, best estimate transient analysis had demonstrated the pressure overshoot above the high pressure trip to be so minimal that, when PORV operation was not credited, the safety valves were still not challenged. Accordingly, the PORV function during power operation was not considered necessary, and was eliminated from subsequent C-E designs.

Recently, a contingency method of core cooling employing once-through flow in the RCS has been advanced by the NRC as an alternate decay heat removal system. This method would use PORVs in conjunction with the High Pressure Safety Injection (HPSI) pumps and has been referred to as "feed and bleed". In this regard, the Advisory Committee on Reactor Safeguards (ACRS), following its review of C-E's System 80, stated:

         "In recent years, the availability of reliable shutdown heat removal capability for a wide range of transients has been recognized to be of great importance to safety. The System 80 design does not include capability for rapid, direct depressurization of the primary system or for any method of heat removal immediately after shutdown which does not require use of the steam generators. In the present design, the steam generators must be operated for heat removal after shutdown when the primary system is at high pressure and temperature. This places extra importance on the reliability of the auxiliary feedwater system used in connection with System 80 steam generators and extra requirements on the integrity of the steam generators. The ACRS believes that special attention should be given to these matters in connection with any plant employing the System 80 design. The Committee also believes that it may be useful to give consideration to the potential for adding valves of a size to facilitate rapid depressurization of the System 80 primary coolant system to allow more direct methods of decay heat removal. The Committee wishes to review this matter further with the cooperation of Combustion Engineering and the NRC Staff." (3)

In meetings with the ACRS and NRC Staff, C-E has presented its position and the bases for designs which do not employ PORVs. The NRC has raised a series of concerns regarding this issue and provided a list of questions to C-E and applicant utilities. In recognition of the scope of these questions the NRC has requested justification for operation during the period of time the questions are being addressed.

Justifications for continued operation have been submitted on both the SONGS 2 and 3 and CESSAR-System 80 dockets (4, 5). These justifications are based on the following.

1. The NSSS is coupled with a highly reliable, safety grade Auxiliary Feedwater (AFW) System.

2. The plant is capable of achieving cold shutdown conditions using only safety grade systems, even without offsite power and with an additional single failure.

3. The steam generator design includes many features which will enhance tube integrity, minimizing concerns associated with operating reactors. Additionally, careful attention to the plant water chemistry program will ensure that the magnitude of the impurity ingress into the steam generators is maintained at a low level.
4. Even if all auxiliary feedwater supply were somehow lost, the potential exists for a contingency heat removal scheme by depressurizing the steam generators to allow the use of low head pumps.
5. Review of probabilistic analyses does not appear to show any justification for the addition of Reactor Coolant System (RCS) valves for decay heat removal purposes.

1.4 REPORT OUTLINE

The purpose of this section is to provide a brief summary of the information contained in subsequent sections and to convey to the reader the manner in which the report format was developed with respect to the input required to generate and complete each consecutive section.

Section 1.0 presents an introduction to the report by stating the work objective, the approach taken, and by providing a report background.

The purpose of Section 2.0 is to provide a discussion of the procedures used in the various analyses that were required to generate responses to the NRC questions. The methodology employed in these analyses is described in terms of information sources for the reliability data, analytical procedures and computer codes used in the analyses.

[FIGURE 1.4-1 REPORT FLOWCHART. Boxes: Section 1.0 Introduction; Section 2.0 Methodology; Section 3.0 Plant Design; Section 4.0 Initiating Events; Section 5.0 Accident Sequence Determination; Section 6.0 System Analyses; Section 7.0 Accident Sequence Analysis; Section 8.0 SG Tube Strength Model; Section 9.0 Results; Section 10.0 References.]

Section 3.0 provides a brief synopsis of the plant design and a list of design highlights for the plant systems addressed in the report. Also included is an overview of the interdependencies that exist between the various systems used to mitigate an event (i.e. LOHS, SGTR or PORV LOCA). The information in Section 3.0 is used to support event tree construction in Section 5.0 and fault tree development in Section 6.0.

The purpose of Section 4.0 is to identify and define the three initiating events considered to be most relevant to the PORV issue, i.e., Loss of Main Feedwater, SGTR and PORV LOCA. Also included is a brief description of each initiating event type and a presentation of the initiating event frequency associated with each event. These frequencies are used as input to the event tree analyses in Section 5.0 and the accident sequence analyses in Section 7.0.

Section 5.0 utilizes plant design data, transient analysis, and plant emergency procedures to develop event trees for each of the initiating events. The branches that are used to construct the event trees define the systems or actions that will require fault tree analysis. The quantitative fault tree results (presented in Section 6.0) are then input to the event trees in order to provide a basis for filtering out the low probability scenarios. The results of Section 5.0 include a list of accident sequences for each event tree. Each sequence is qualitatively evaluated to determine if it may or may not lead to core damage.

Section 6.0 contains the results of all fault tree analyses and probabilistic evaluations that are used as input to the event trees in Section 5.0. Plant design data and operating procedures were used to support development and construction of the fault tree logic diagrams. Each subsection includes a system description and schematic, a support system dependency diagram, a list of assumptions and quantitative results. The results are used as input to the event trees in Section 5.0 to provide a basis for filtering out the low probability scenarios. The results are also used as input to the accident sequence analyses in Section 7.0 in order to statistically quantify core damage scenario frequencies.

The purpose of Section 7.0 is to identify and describe the minimal core damage scenarios that were selected from the lists of event tree output sequences in Section 5.0. The scenarios are statistically quantified using input failure data obtained from Sections 4.0 and 6.0.

Section 8.0 (in conjunction with Appendix B) provides an empirical SG tube strength model which is used to analyze the consequences of a group of events which provide excess primary/secondary pressure differences. The probability of SGTR is determined as a function of the number of tubes ruptured for an aged SG.

Section 9.0 summarizes the quantitative results of the study and provides the core damage frequency contribution due to each initiating event. The overall change in total core damage frequency associated with the installation of PORVs is evaluated and discussed.

2.0 METHODOLOGY

The four NRC questions, regarding the risk associated with the addition of PORVs to plants which do not initially have them, have all been addressed using standard risk assessment methodology (6). The underlying approach used in answering these questions consists of an estimation of the core damage frequency with and without PORVs and the determination of the net change. The NRC questions have limited the core damage frequency calculation to the consideration of three types of events for which the PORV is expected to play a major role, either as the initiator of the event or within some sequence of mitigating actions. The events are loss of secondary heat sink, steam generator tube ruptures in one or both steam generators and small break LOCA through an inadvertently open PORV.

The procedure for determining the core damage frequency used in this task is the same employed in all of the major PRA studies that have been performed to date, namely, to identify the event sequences which lead to core damage and to quantify the probability that any of these sequences occurs during a reactor-year of operation. Figure 2.0-1 contains a flowchart which illustrates the major elements of this procedure. The identification of the event sequences is accomplished using event tree analysis, incorporating design and reliability data, and input from any required human reliability analysis. The quantification of the sequence frequencies is a somewhat more complex operation involving fault tree analysis, interfacing of the fault tree results with the output of the event trees and uncertainty analysis.

This section describes the plant design and reliability data utilized in the various analyses and describes the methodology employed to perform the analyses referred to in Figure 2.0-1.

[FIGURE 2.0-1 STUDY METHODOLOGY. Flowchart elements: Plant Design Data; Reliability Data; Event Tree Analysis; Human Reliability Analysis; Fault Tree Analysis; Fault Tree / Event Tree Interfacing; Interpretation of Results.]

2.1 INFORMATION SOURCES

Two general categories of information are used in performing risk assessment analyses, i.e., plant design and procedural information and reliability data. The various types of data within these categories and their sources are described in the following sections.

2.1.1 Plant Design and Procedural Information

Plant design and procedural information is used both in defining the event sequences and in determining the sequence occurrence frequencies. The enumeration of the event sequences first requires the definition of the nominal sequence of events, from the initiating event to stabilization of the plant parameters. The following data sources are used to obtain this:

• The plant FSAR (7) which provides
    - System descriptions
    - Descriptions of licensing transients
• Plant System Descriptions (8)
• CEN-152, C-E Emergency Procedure Guidelines (9)
• CEN-128, Responses of C-E NSSSs to Transients and Accidents (10)

Once the nominal sequence of events has been defined an event tree is assembled to identify off-nominal sequences. The event tree structure is defined by the physically logical sequences of events that can occur during the transient resulting from the initiating event and various combinations of additional failures. References (7) and (10) provided some insight into the behavior of the plant for several initiating events. Additional transient analyses, performed specifically to respond to the NRC questions, were used to obtain further insight into plant behavior with the addition of several concurrent failures to the initiating event.

The quantification of the sequence occurrence frequencies requires the assembly and quantitative evaluation of fault tree and human failure models. The assembly of the fault tree model requires detailed information on system design and operation. The following data sources were used to obtain these:

• The plant FSAR (7) which provides
    - System descriptions
    - Piping and Instrumentation Diagrams (P&IDs)
• The plant system operating instructions (H)
• The plant electrical wiring diagrams (12)

The assembly of the human failure models requires the following data sources:

• The plant FSAR (7) which provides
    - Partial instrumentation lists
    - Equipment locations
• Plant System Descriptions (8)
• Plant system operating instructions (H)
• CEN-152, C-E Emergency Procedure Guidelines (9)
• Control board layout drawings and equipment lists (13)

In addition to these sources, interviews with reactor operators and training personnel from the C-E simulator were conducted and the information obtained was factored into the models.

2.1.2 Reliability Data

The determination of the sequence occurrence frequencies involves two steps, i.e., the quantification of the individual elements of the sequence and the combination of these results to obtain a total frequency. The following types of numerical reliability data are necessary to perform these steps:

1. Initiating event frequencies
2. Component failure data, including
    - Demand failure rates for standby components
    - Operating failure rates for operating components
    - Repair times
    - Human failure probabilities
    - Error factors for all of the above to be used in uncertainty calculations

A wide range of sources was used to assemble the data base used in these studies. The human failure data, including both human failure probabilities and associated error factors, were obtained from the Handbook of Human Reliability Analysis (H). Data for mechanical and electrical components and for initiating events were obtained from the following sources:

• The National Reliability Evaluation Program (NREP) Data Base (15)
• The Reactor Safety Study (16)
• IEEE Standard 500 (E)
• C-E Reliability Data System (H)
• C-E Interim Data Base (19)
• Several specialized reports on
    - Pumps (3)
    - Loss of Offsite Power (21)
    - Feedwater Transients and Small Break LOCAs (22)
    - DC Power Supplies (23)

The majority of the data was obtained from References (15) and (16).

2.2 ANALYSIS

As stated previously, the calculation of the core damage probability involves two major steps, each of which is accomplished through the use of one or more types of analyses. The following list specifies the elements of each step:

1. Definition of Core Damage Sequences
    a. Event Tree Analysis
2. Quantification of Sequence Probabilities
    a. Fault Tree Analysis
    b. Fault Tree / Event Tree Interfacing
    c. Human Reliability Analysis

Each of these elements appears in Figure 2.0-1 and will be described in detail in the following sections. A discussion of the methodology used in performing the human reliability analysis is contained in Section 6.17.

2.2.1 Event Tree Analysis

The objective of event tree analysis is to delineate the combinations of additional failures which can realistically occur following an initiating event. The types of additional failures considered in the analysis are limited to those which alone or in combination lead to the occurrence of core damage. Event trees were constructed for the three types of initiating events addressed in the NRC questions. These are as follows:

1. Loss of Secondary Heat Sink
2. Steam Generator Tube Rupture
    - Single generator
    - Double generator
3. Small Loss of Coolant Accident through a PORV

The event trees were constructed in two steps. The first involved the construction of a "functional" event tree in which the failures considered in conjunction with the initiating event were failures to perform safety functions. The second step was the expansion of the functional event tree into a system / action level event tree in which the additional failures were system failures or failures to perform a particular action. These steps and the computer code used to assemble the system / action level event trees are discussed below.

2.2.1.1 Function Level Event Trees

The function level event tree is an event tree in which the branch headings are defined as the failure to maintain safety functions required to protect the core. Table 2.2.1.1-1 contains a list of the five "anti-core melt" safety functions and their definitions (32). In the event tree analyses described in this report the safety function Reactivity Control was included only for illustrative purposes. Since ATWS scenarios were not considered to be within the scope of this study but have been addressed in previous studies (33,34) no detailed analysis was performed for the loss of this safety function.

TABLE 2.2.1.1-1
ANTI-CORE MELT SAFETY FUNCTIONS

Safety Function                             Purpose
Reactivity Control                          Shut Reactor Down to Reduce Heat Production
Reactor Coolant System Inventory Control    Maintain a Coolant Medium around Core
Reactor Coolant System Pressure Control     Maintain the Coolant in the Proper State
Core Heat Removal                           Transfer Heat from Core to a Coolant
Reactor Coolant System Heat Removal         Transfer Heat from the Core Coolant

Function level event trees are not quantified but represent an intermediate, qualitative step towards the assembly of the detailed system / action level event tree. The function level event tree serves as a guide for the analyst and helps ensure that all safety functions have been addressed. The assembly of the system / action level event tree proceeds directly from the function event tree through the expansion of each safety function heading into the one or more systems or actions required to maintain the safety function.

2.2.1.2 System / Action Level Event Trees

The system / action level event tree is an event tree in which the branch headings are defined as the failure of various systems or human operators to perform their required functions. The specific selection of system failures and operator actions is obtained through expansion of the function event tree. The system / action level event tree is the final step in the event tree analysis and yields the list of event sequences (combinations of initiating event and additional failures) which will be quantified to obtain a core damage frequency. The quantification is discussed in Section 2.2.3.

One of the major considerations in the assembly of the system event tree is the treatment of the various support systems within the plant, e.g., offsite and emergency power, instrument air and component cooling water. Support systems have the potential for affecting the reliability of several systems which appear on the event trees. For example, the loss of offsite power affects all systems which rely on offsite power and which must switch to diesel generators or station batteries in its absence. There are two methods for treating support systems in the assembly of event trees. They are as follows:

1. Event tree boundary conditions
2. Fault tree linking

The use of event tree boundary conditions refers to the explicit incorporation of support system failures in the event tree, either as branch headings within the tree or as part of the specification of the initiating event. For example, loss of offsite power could be treated by defining the initiating event as "initiating event - with coincident loss of offsite power or - with no coincident loss of offsite power" and constructing two event trees, one for each situation. In this instance, the branch probabilities for those systems or actions which rely on offsite power would be different for the two trees.

Alternatively, the loss of offsite power could appear as one of the branch headings within the tree. This would require the construction of a single tree but would increase its length and require any analysis codes to be capable of handling conditional branch probabilities for sequences in which the loss of offsite power appeared. The event trees constructed for the steam generator tube rupture analyses, in this report, treated loss of offsite power in the initiating event definition. Other support systems in the steam generator tube rupture trees as well as the event trees for loss of secondary heat sink and PORV LOCA employed the fault tree linking approach.

In the fault tree linking approach the support systems are treated within the fault tree models, for each system or action appearing in the event tree. This approach has the effect of minimizing the size of the event tree; however, it increases the size of the individual fault trees and the complexity of the quantification procedure. This approach has been employed, to some degree, in all of the event trees presented in this report.

2.2.1.3 Description of the CEETAR Code

The construction of the event trees presented in this report was aided by the use of the computer code CEETAR (C-E Event Tree Analysis Routine). CEETAR requires the input of branch titles and logic rules, which are used to eliminate illogical sequences. Using this input, CEETAR produces a complete event tree which can be drafted automatically on an X-Y plotter or output on a line printer (if fewer than 15 branch headings are required). In addition, CEETAR will produce a listing of the output sequences using the literal descriptions of the branch headings.

If the initiating event frequency and branch probabilities are also provided as input, CEETAR will calculate the sequence frequencies. In addition, CEETAR can filter out sequences with frequencies below a specified cut-off value.

CEETAR is written in FORTRAN IV for use on the CDC 7600 computer.

2.2.2 Fault Tree Analysis

The quantification of the event tree sequences requires knowledge of the failure probabilities for each branch of the tree. When a branch represents a specific failure of a single component the failure probability can typically be obtained directly from one of the data sources described in Section 2.1.2. However, when a branch represents a specific failure mode of a system or subsystem it is necessary to construct a fault tree model of the system and to perform a quantitative evaluation of the model. Below is a discussion of the construction and evaluation of the fault trees and a description of the computer code used to perform the analysis.

2.2.2.1 Fault Tree Construction

Each event tree branch which represents the failure of a system or subsystem requires the construction of a fault tree. The construction of the fault tree requires a complete definition of the functional requirements of the system, given the initiating event to which it is responding. The inability to meet these requirements defines the "top event" of the fault tree. The fault tree itself is a graphic model of the various parallel and sequential combinations of failures that will result in the top event. The symbols used in constructing the fault tree are illustrated and defined in Figure 2.2.2.1-1.

2.2.2.2 Fault Tree Evaluation

The evaluation of each fault tree yields both qualitative and quantitative information. The qualitative information consists of the "cutsets" of the model. The cutsets are the various combinations of component failures that result in the top event, i.e., the failure of the system. The cutsets form the basis of the quantitative evaluation which yields the failure probabilities required for the quantification of the event sequence frequencies.

FIGURE 2.2.2.1-1 FAULT TREE SYMBOLOGY

OR GATE: Output event occurs if one or more of the input events occurs.
AND GATE: Output event occurs if and only if all input events occur.
BASIC EVENT: Basic fault event requiring no further development.
EXTERNAL INPUT: An event which is described by a fault tree model developed independently - typically a support system failure.
TRANSFER IN / TRANSFER OUT: Used as method of conveniently segmenting the tree for drafting purposes and to avoid duplication of portions of the tree. Indicates continuation to other portions of the tree.

The quantitative evaluation of the fault trees yields several numerical measures of a system's failure probability, two of which are typically employed in the event tree quantification, i.e., the unavailability and unreliability. The unavailability is the probability that a system will not respond when demanded. This value is used when the event tree branch represents a system function or action which is performed quickly, such as the reseating of a previously opened safety valve, or if the branch represents a particular condition, such as offsite power unavailable at turbine trip. The unreliability is the probability that a system will fail (at least once) during a given required operating period. This value is typically used when the event tree branch specifies a required operating period for a system, such as auxiliary feedwater system fails to deliver feedwater for four hours. The unreliability is usually added to the unavailability when the event tree branch represents the failure of a standby system to actuate and then run for a specified period of time.

2.2.2.3 Human Failures

Two types of human failures are included in the fault tree analyses performed in this study. They are "pre-existing maintenance errors" and failures of the operator to respond to various demands. Pre-existing maintenance errors are undetected errors committed since the last periodic test of a standby system. An example of this type of error is the failure to reopen a mini-flow valve which was closed for maintenance. A failure of the operator to respond includes the failure of the operator to perform a required function at all or to perform it correctly. An example of this type of error is the failure of the operator to back-up the automatic actuation of a safety system. The probabilities for these types of human failures were obtained from Reference (H).

2.2.2.4 Description of the CEREC Code

The evaluation of the fault trees constructed for this study was aided by the use of the computer code CEREC (C-E Reliability Evaluation Code). CEREC is an extensively modified version of the PREP and KITT codes ( 4). The PREP portion of the code, which generates the cutsets, has several modifications to its output format. The KITT portion of the code, which performs the quantitative evaluations, has several major additions to the original KITT capabilities. They are as follows:

1. The capability of calculating the unavailability for a periodically tested standby system using either the demand failure rate (inhibit condition) or the standby failure rate, test interval and allowable downtime.
2. The capability of filtering out cutsets based on cutoff values for any of five calculated reliability parameters.
3. The capability of automatically performing sensitivity analyses on any parameter.
4. The capability of determining the uncertainty of any of the output reliability parameters based on the uncertainty of the component failure data.

CEREC is written in FORTRAN IV for use on the CDC 7600 computer.

2.2.3 Fault Tree / Event Tree Interfacing

The goal of the event tree and fault tree modeling is the determination of a core damage frequency for initiating events. The previous sections discussed the development of the event trees to delineate the relevant failure sequences and the performance of the fault tree analyses to obtain the failure probabilities for the elements of the sequences. This section will describe the procedure used to combine these results to obtain a total core damage frequency for each initiating event.

The two primary concerns in this calculation are the effect of dependencies between the elements of a sequence and the uncertainty in the total core damage frequency due to uncertainties in the basic component failure data.

2.2.3.1 Calculation of Total Core Damage Frequency

Consider the following event tree:

[Example event tree: initiating event I.E. followed by branch headings A, B, C and D; each output sequence is labeled on the right as core damage (C/D) or no core damage (NO C/D).]

The first step in calculating the total core damage frequency, $\lambda_{CD}$, is the identification of the event tree sequences that lead to core damage. In the calculations performed for this study the core damage sequences were identified using several representative transient analyses and the definition of a peak cladding temperature of 2200°F as the onset of core damage. In the example above, the core damage sequences are identified as such by the label on the right. For this example, the total core damage frequency can be expressed as

$$\lambda_{CD} = \lambda_{I.E.} \times P[\bar{A}\bar{B}CD \cup \bar{A}BC\bar{D} \cup \bar{A}BCD \cup A\bar{B}\bar{C}\bar{D}] \qquad [1]$$

where $\lambda_{I.E.}$ = the occurrence frequency of the initiating event, $\cup$ signifies the union of the specified elements, and the $A$, $\bar{A}$ notation indicates branch taken (failure) and branch not taken (success), respectively.

If no credit is taken for the probability of successful operation of a system, the "non-minimal" sequence, i.e., BCD, can be eliminated. A non-minimal sequence is one which contains additional failures beyond those necessary to obtain core damage. Since BC alone results in core damage, BCD is a non-minimal sequence. Equation 1 can be rewritten as

$$\lambda_{CD} = \lambda_{I.E.} \times P[CD \cup BC \cup A] \qquad [2]$$

This can be rewritten as

$$\lambda_{CD} = \lambda_{I.E.} \times [P_{CD} + P_{BC} + P_{A} \pm (\text{higher order terms})] \qquad [3]$$

In the calculations performed in this report, the higher order terms, which are quite small, have been ignored. If dependencies exist between the elements, Equation 3 can be written as

$$\lambda_{CD} = \lambda_{I.E.} \times [P_{C|I.E.} \times P_{D|I.E.,C} + P_{B|I.E.} \times P_{C|I.E.,B} + P_{A|I.E.}]$$

where $P_{X|I.E.}$ = the conditional probability of X given that the initiating event has occurred.

2.2.3.2 Dependent Failures

The existence of dependencies between the elements of the sequences gives rise to the need for conditional probabilities, as illustrated in the example in the previous section. The dependencies result from the sharing of components or support systems between the elements. The conditional probabilities resulting from the shared components are calculated as follows:

1. The particular components and/or support systems shared between two systems are identified.


2. The probability that each shared component is failed, given that the first system is failed, is calculated.

3. These conditional component failure probabilities are used in calculating the failure probability of the second system.

2.2.3.3 Description of the CEDAR Code

The CEDAR code (C-E Dependency Analysis Routine) is a utility code designed to automate the identification of shared components and the calculation of their conditional failure probabilities. The PREP portion of the CEREC code produces and stores a file containing the cutsets of a system fault tree model. CEDAR identifies common components within these files and calculates their conditional failure probability as the ratio of the sum of the probabilities of the cutsets containing the shared components to the total system failure probability. If the calculated conditional failure probability is less than the normal random failure probability, the random failure probability is used. CEDAR is written in FORTRAN IV for use on the CDC 7600 computer.

2.2.3.4 Uncertainty Analysis

As described in Section 2.2.2.4, the CEREC code has the capability of performing uncertainty analysis on the failure probability calculations for a fault tree. The uncertainty analysis uses Monte Carlo sampling of the component failure rates, which are assumed to be represented by log-normal distributions. The output of the uncertainty analysis consists of a median and error factor for the fault tree model. Note that the use of error factors implies that the system failure probabilities are also represented by log-normal distributions. Analytical results in this report are generally in terms of a median value with an error factor which, when multiplied by the median value, yields an upper bound estimate at 95% confidence. The median value, rather than the mean value, was chosen in order to be consistent with WASH-1400, the IREP studies and most other PRAs and also in order to be consistent with the methodology recommended in the NRC's July 1982 draft Action Plan for Implementing the Commission's Proposed Safety Goal Policy Statement.

Given the equation for the total core damage frequency (e.g. Equation 4), based on the event tree core damage sequences, and given the CEREC Monte Carlo outcome data for each element in the equation, the representative distributions for each element are determined and sampled to yield a distribution for the total frequency. This operation is performed by the SAMPLE code.

2.2.3.5 Description of the SAMPLE Code

The SAMPLE code, which was used in the Reactor Safety Study, is designed to perform uncertainty analysis on any generalized equation. The required input consists of a FORTRAN function subroutine to describe the function of interest, specification of the type of distributions to be used in modeling the variables of the function and the parameters used to define the distributions for each variable. Monte Carlo simulation is performed by sampling the variable distributions and evaluating the function numerous times. These trials then define the distribution of the total function values and SAMPLE provides various descriptions of this distribution.

In the analyses performed for this task, the generalized equations consisted of individual sequence and total core damage frequency equations analogous to Equation 4. The probabilities of the sequence elements were represented by log-normal distributions. The parameters of the distributions were obtained from the CEREC runs for each element.

SAMPLE is written in FORTRAN IV for the CDC 7600.
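The shared-component calculation of Sections 2.2.3.2 and 2.2.3.3, worked as an added Python example (this is not CEDAR itself and not code from the report). The two systems, their cutsets, the component names and all failure probabilities are constructed for illustration, and system failure probability is taken as the sum of cutset probabilities (rare-event approximation), which is an assumption.

```python
from math import prod

# Constructed component failure probabilities (illustrative, not from the report).
RANDOM_P = {
    "BUS": 1.0e-4,        # shared electrical bus
    "CW_PUMP": 2.0e-3,    # shared cooling water pump
    "AIR": 5.0e-2,        # shared instrument air supply
    "S1_PUMP_A": 5.0e-3,
    "S1_PUMP_B": 5.0e-3,
    "S1_VALVE": 1.0e-3,
    "S2_PUMP": 1.0e-2,
    "S2_VALVE": 1.0e-3,
}

# Constructed minimal cutsets for two hypothetical systems.
SYSTEM_1 = [
    {"BUS"},
    {"CW_PUMP", "S1_PUMP_B"},
    {"S1_PUMP_A", "S1_PUMP_B"},
    {"AIR", "S1_PUMP_A", "S1_VALVE"},
]
SYSTEM_2 = [
    {"BUS"},
    {"CW_PUMP", "S2_VALVE"},
    {"AIR", "S2_PUMP"},
]


def cutset_probability(cutset, p):
    """Probability that every component in one cutset is failed."""
    return prod(p[c] for c in cutset)


def system_probability(cutsets, p):
    """Assumed rare-event approximation: sum of cutset probabilities, capped at 1."""
    return min(1.0, sum(cutset_probability(cs, p) for cs in cutsets))


def shared_components(cutsets_1, cutsets_2):
    """Step 1: components that appear in the cutsets of both systems."""
    return set().union(*cutsets_1) & set().union(*cutsets_2)


def conditional_probabilities(cutsets_1, cutsets_2, p):
    """Step 2: P(shared component failed | system 1 failed).

    Ratio of the summed probability of the system 1 cutsets containing the
    component to the total system 1 failure probability, never taken lower
    than the component's random failure probability.
    """
    total = system_probability(cutsets_1, p)
    conditional = {}
    for comp in shared_components(cutsets_1, cutsets_2):
        containing = sum(cutset_probability(cs, p)
                         for cs in cutsets_1 if comp in cs)
        conditional[comp] = max(containing / total, p[comp])
    return conditional


def second_system_given_first(cutsets_1, cutsets_2, p):
    """Step 3: system 2 failure probability using the conditional values."""
    adjusted = dict(p)
    adjusted.update(conditional_probabilities(cutsets_1, cutsets_2, p))
    return system_probability(cutsets_2, adjusted)


if __name__ == "__main__":
    p1 = system_probability(SYSTEM_1, RANDOM_P)
    p2_independent = system_probability(SYSTEM_2, RANDOM_P)
    p2_dependent = second_system_given_first(SYSTEM_1, SYSTEM_2, RANDOM_P)
    for name, value in sorted(
            conditional_probabilities(SYSTEM_1, SYSTEM_2, RANDOM_P).items()):
        print(f"P({name} failed | system 1 failed) = {value:.3e}")
    print(f"P(sys1) x P(sys2), treated as independent = {p1 * p2_independent:.2e}")
    print(f"P(sys1) x P(sys2 | sys1), with sharing    = {p1 * p2_dependent:.2e}")
```

With these constructed inputs the shared bus dominates system 1 failure, so ignoring the dependency understates the joint failure probability by about three orders of magnitude.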

3.0 PLANT DESIGN

3.1 PLANT DESCRIPTION

Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2 and 3, operated by the Arizona Public Service (APS) Company, is located approximately 36 miles west of the city of Phoenix in Maricopa County, Arizona. The nuclear steam supply systems (NSSSs) are designed and supplied by Combustion Engineering. Each unit employs a pressurized water reactor. Major components of each NSSS include a reactor vessel and internals, control element assemblies, two steam generators, a pressurizer, four reactor coolant pumps and various control systems and instrumentation. The balance of the plants, including prestressed concrete reactor containment buildings in which each NSSS is located, are designed and constructed by the Los Angeles Power Division of Bechtel Power Corporation. The Palo Verde station features separate containments, auxiliary buildings, turbine buildings, diesel generator buildings, control buildings and fuel handling buildings for Units 1, 2 and 3.

One ultimate heat sink is provided for each generating unit. The ultimate heat sink consists of two Seismic Category I essential spray ponds. The ultimate heat sink is utilized for normal and emergency shutdown. The ultimate heat sink has a storage capacity that enables the associated essential spray pond system to operate continuously for 30 days without any makeup water supply.

The NSSS generates approximately 3800 MWt, producing saturated main steam. Each of the three NSSS units contains two primary coolant loops, each of which has two reactor coolant pumps, a reactor vessel outlet (hot) pipe and two inlet (cold) pipes.

There are separate safety systems for each of the units. The ECCS consists of redundant high pressure injection trains and redundant low pressure injection trains. Hot leg as well as cold leg injection capability exists. The Auxiliary Feedwater System, serving the secondary side of the steam generators, is also separate for each unit. Each unit has 3 AFW pumping trains, each capable of supplying 100% flow to either steam generator.

The containment systems for each unit include the containment structure, the containment spray system, the containment air purification and cleanup systems, the containment building purge system, and the containment hydrogen control system. The containment design basis is to limit releases of radioactive materials subsequent to postulated accidents, such that resulting calculated offsite doses are less than the guideline values of 10CFR100.

Electrical power is supplied to plant equipment through multiple power sources. The main turbine-generator supplies the auxiliary loads during normal plant operation. Three startup transformers can be supplied by any one of the four circuits from the Southern California Edison - Arizona - New Mexico - West Texas power grid to the PVNGS switchyard. Each unit has 2 backup diesel generators available for safety related loads in the event offsite power is lost. Batteries are available for supplying the necessary DC power.

The power conversion system, with the appropriate controls, converts the thermal energy generated in the reactor into electrical energy. This system consists of a turbine-generator, condenser, condensate pumps, feedwater heaters, and main feedwater pumps. Two identical U-tube steam generators produce saturated steam. Two steam generator outlets are on each steam generator. A header connects all main steam lines and each main steam line is routed to the main turbine.

The turbine is an 1800 r/min, tandem-compound, 6-flow, 43-inch last stage bucket reheat unit. It consists of one double-flow, high-pressure (HP) turbine, three double-flow, low pressure (LP) turbines and four moisture separator-reheaters with two stages of reheating. The direct-driven generator is a General Electric Corporation three-phase, 60 Hz, four-pole, cylindrical rotor, conductor cooled, directly coupled to the last low-pressure stage of the turbine.

Electrical power from the generator is conducted from the generator terminals by an isolated-phase bus to the 24-KV side of the main step-up transformer. The other side of the main transformer is connected to 525-KV lines which carry the power to the switchyard to be fed into the 525-KV transmission system.

The reactor power levels and corresponding net electrical output are as follows:

• Core thermal power level - 3817 MWt
• Net electrical power output at generator terminal - 1304 MWe
• Electrical power output consumed onsite - 34 MWe
• Net electrical power output consumed offsite - 1270 MWe

3.2 PLANT SYSTEMS

Table 3.2-1 presents a list of plant systems that were evaluated for this task. System design highlights are also included. A more detailed description of each system is provided in Section 6.0.


TABLE 3.2-1 PLANT SYSTEMS

| SYSTEM | DESIGN HIGHLIGHTS |
|---|---|
| High Pressure Safety Injection System | Two Train Safety System; One Motor Driven Pump in Each Train |
| Auxiliary Spray System | Safety System; Flow Provided by any One of Three Charging Pumps |
| Containment Spray System | Two Train Containment Spray System |
| Power Operated Relief Valves | Two Flow Paths; Block Valve and Coded Relief Valve in each Path |
| Primary Feed and Bleed System | Feed Flow Required From One HPSI and One Charging Pump or From Two HPSI Pumps; Two of Two Flow Paths required for Bleed Portion |
| Turbine Bypass System | Control System; 55% Turbine Bypass Capacity |
| Main Steam Isolation | Safety System with Redundancy; Safety Coded Valve in Each Steam Line |
| Atmospheric Dump System | Safety System; Two Safety Coded Valves per Steam Generator |
| Main Steam Safety Valves | Banks of Coded Safety Valves with Redundancy |
| Main Feedwater System | Three Motor Driven Condensate Pumps; Two Turbine Driven Feed Pumps |
| Auxiliary Feedwater System | Safety System with Redundancy; Two Motor Driven Pumps; One Turbine Driven Pump |
| Steam Generator Blowdown System | Non-Safety System |
| Alternate Secondary Heat Removal Capability (Condensate System) | Non-Safety System |

1. Assuming PORVs are installed.


TABLE 3.2-1 (continued) PLANT SYSTEMS

| SYSTEM | DESIGN HIGHLIGHTS |
|---|---|
| Electrical Distribution System | Two Redundant Power Divisions; One Diesel Generator in Each Class 1E Power Division |
| Cooling Water Systems | Two Safety Systems with Redundancy; Two Motor Driven Pumps in Each Train |
| Instrument Air System | Non-Safety System |

3.3 SYSTEM INTERDEPENDENCIES

3.3.1 Mitigating versus Support Systems

The successful operation of front line safety systems may require the operability of one or more support systems. An understanding of front line versus support systems interdependencies is fundamental to the study of accident scenarios. Also, nuclear industry operating experience has indicated that some of the more severe accidents have originated from failures originating in support systems. A matrix of front line vs. support systems can be a useful tool for readily evaluating the extent of system interdependencies in a power plant. Table 3.3.1-1 provides a list of the mitigating systems addressed in this study vs. support systems. It should be understood that any interdependence identified in the matrix does not necessarily indicate that the loss of a particular support system is sufficient to cause failure of the associated mitigating systems.

3.3.2 Support versus Support Systems

In many instances, successful operation of support systems requires the operability of other support systems. Table 3.3.2-1 depicts the PVNGS support system interdependencies. It should be understood that any interdependence identified in the matrix does not necessarily indicate that the loss of a particular support system is sufficient to cause failure of the associated support system.


TABLE 3.3.1-1 MITIGATING VERSUS SUPPORT SYSTEMS

SUPPORT SYSTEMS

MITIGATING SYSTEMS

High Pressure Safety Injection: X X X X
Auxiliary Spray System: X X X X
Containment Spray System: X X X X X
PORV: X X X
Primary Feed and Bleed: X X X X
Turbine Bypass System: X X X
Main Steam Isolation: X X
Atmospheric Dump System: X X
Main Steam Safety Valves:
Main Feedwater System: X X X X
Auxiliary Feedwater System: X X X X X
Steam Generator Blowdown System: X X X
Alternate Secondary Heat Removal Capability: X X

1 Any interdependency identified in the matrix does not necessarily indicate that the loss of a particular support system is sufficient to cause failure of the associated mitigating systems.
2 System boundaries are assumed to include the charging pumps.
3 Assuming PORVs are installed.

[Support system interdependency matrix; legible support system labels: Onsite AC Non-1E, Offsite AC, Onsite AC Class 1E, 125V DC Class 1E, Cooling Water Systems, ESFAS, Instrument Air.]

4.0 INITIATING EVENTS

4.1 EVENT SELECTION

The NRC questions focused on those initiating events which the staff considered to be most relevant to the PORV issue. These events are Loss of Main Feedwater, Steam Generator Tube(s) Rupture in one or two steam generators, and PORV LOCA. In addition, a survey was made of other potential core damage scenarios to identify those which could be mitigated by improved methods of depressurization or decay heat removal.

4.2 OTHER EVENTS

The most comprehensive PRA performed to date on a plant with a C-E supplied NSSS is the Calvert Cliffs 1 Interim Reliability Evaluation Program (IREP) (H). The IREP Final Report has not yet been issued. However, a draft final report was issued in January of 1982. This draft was reviewed to identify dominant accident sequences. Table 7.4-1 lists the Calvert Cliffs Unit 1 dominant sequences. Each sequence was studied to determine which ones are relevant to the PORV issue. Results of the survey are presented in Section 7.4.

4.3 INITIATING EVENT FREQUENCIES

4.3.1 Loss of Secondary Heat Sink

The Main Feedwater System provides a continuous supply of feedwater to the steam generators for full load to zero load operations during normal plant operation. The PPS provides protection against the reduction or loss of normal feedwater by the steam generator low water level trip. The MFW system is designed to automatically provide 5% flow to meet RCS decay heat removal requirements following a reactor trip event.

The initiating event for the loss of heat sink analysis will be defined as plant/reactor trip events causing a loss of full-load operating main feedwater flow and subsequent loss of the post-trip 5% bypass main feed flow. Included in this definition are plant trips that are a result of perturbations in the main feedwater system or its support systems as well as malfunctions in other plant systems. System perturbations or malfunctions that result in automatic plant/reactor trips were determined based on operating experience (H) and information in References (15) and (16).

Among the potential root causes of a Loss of Main Feedwater event is a Feedwater Line Break. This event is significant in that, along with possibly resulting in a loss of Main Feedwater to both steam generators, it also has the potential for degrading the reliability of the Auxiliary Feedwater System. This root cause was considered but was not included in accident sequences for evaluating the change in core damage frequency associated with adding PORVs. This root cause was omitted because the frequency of core damage due to loss of heat sink following Feedwater Line Break is low compared with the sequence cut-off frequencies discussed in Section 7.1.1.

The frequency of Feedwater Line Break in the specific lengths of pipe that could affect AFW reliability has been evaluated at 4.5E-5 per year (30). The conditional unreliability of AFW (given FWLB) is 3.1E-3 (see Section 6.11). The ADHR function unreliability (from Section 6.13) is 5.8E-2. Therefore, the point estimate of the frequency of core damage due to LOHS following a FWLB is 8.1E-9.

The frequency and causes of Loss of Normal Feedwater were determined by fault tree analysis in Section 6.10. The initiating event frequency of Loss of Main Feedwater is presented in Table 4.3.1-1. To account for the PVNGS specific feedwater system design, the MFW system and its support systems were modelled at the component level in the analysis. Breakdown initiators that affect more than the MFW system were also modelled directly in the analysis. (Refer to Section 6.10).

TABLE 4.3.1-1 LOSS OF MAIN FEEDWATER INITIATING EVENT FREQUENCY

| Frequency (Median Value per year) | Error Factor |
|---|---|
| 1.18 | 3 |

Note: The above frequency is used as input to the Loss of Secondary Heat Sink Event Trees discussed in Section 5.1. The initiating event frequency is combined with mitigating system failure probabilities to evaluate accident sequences.

4.3.2 Steam Generator Tube Rupture

A SGTR is usually defined as a tube leak or rupture whose maximum leak flow rate exceeds the capacity of the charging system. Four distinct initiating events were defined for input to the SGTR analyses:

• Initiating event 1 is defined as one or more tube ruptures occurring in one steam generator. Offsite power is assumed to be available at the time of the initiating event.
• Initiating event 2 is defined as one or more tube ruptures occurring in one steam generator with a coincident loss of offsite power.
• Initiating event 3 is defined as one or more tube ruptures occurring in both steam generators. Offsite power is assumed to be available at the time of the initiating event.
• Initiating event 4 is defined as one or more tube ruptures occurring in both steam generators with a coincident loss of offsite power.

A survey of operating history was conducted to provide a basis for estimating the above initiating event frequencies. A SGTR was further defined as a tube leak or rupture whose maximum flow rate was equal to or greater than 125 gpm. The following events were interpreted as SGTRs (25).

| Plant | Date | Maximum Flow Rate (gpm) |
|---|---|---|
| Point Beach 1 | 2/26/75 | 125 |
| Prairie Island 1 | 10/2/79 | 390 |
| R. E. Ginna 1 | 1/25/82 | 630 |
| Surry 2 | 9/25/76 | 330 |

These four events are assumed to be the only recognized SGTRs in US PWR commercial experience to date. The total number of reactor years of experience was evaluated to be 361.0 years as of December, 1982 (18). The distribution of time to occurrence of SGTR in one SG was assumed to be exponential. The probability of SGTR in one SG by time t is expressed mathematically as

$F(t) = 1 - e^{-\theta t}, \quad t > 0$   [1]

where $\theta$ is the occurrence rate for SGTR. Confidence bounds on the occurrence rate are obtained from percentiles of the $\chi^2$ distribution since the distribution of the sample mean $\hat{\theta}$, an estimate of $\theta$, is distributed as $\chi^2$ (26). The confidence bounds are obtained by solving the following equations for $\theta_l$ and $\theta_u$ from tables provided in Reference (26).

$\int_0^{l} g(x)\,dx = \alpha/2$   [2]

$\int_u^{\infty} g(x)\,dx = \alpha/2$   [3]

where $g(x)$ is the $\chi^2$ probability density function with $\nu = 2n$ degrees of freedom for the lower bound and $\nu = 2(n+1)$ degrees of freedom for the upper bound. The $100(1-\alpha)\%$ confidence interval for $\theta$ is then

$\hat{\theta}\,\frac{\chi^2_{\alpha/2,\,2n}}{2n} < \theta < \hat{\theta}\,\frac{\chi^2_{1-\alpha/2,\,2n+2}}{2n}$   [4]

For the SGTR in one SG events which have been experienced, $n = 4$ and

$\hat{\theta} = 4/T = 4/361\ \text{years} = 1.108 \times 10^{-2}/\text{year}$

where $T$ = total number of reactor years.

The table values of the $\chi^2$ distribution are

$\chi^2_{.05,8} = 2.733 \qquad \chi^2_{.95,10} = 18.307$

The 90% confidence interval for $\theta$ is then

$\frac{1.108 \times 10^{-2}}{8}(2.733) < \theta < \frac{1.108 \times 10^{-2}}{8}(18.307)$

$3.8 \times 10^{-3} \le \theta \le 2.5 \times 10^{-2}$

The median value of $\theta$ is determined by using the following expression

$\theta_{.5} = \frac{\chi^2_{.5,10}}{2n}\,\hat{\theta} = \frac{9.342}{8}(1.108 \times 10^{-2}) = 1.3 \times 10^{-2}/\text{year}$

The distribution of $\theta$ was approximated by a lognormal when initiating event probability distributions were simulated by combining distributions with a Monte Carlo (stochastic sampling) computer code. In this case, the 5th and 95th percentiles of the $\chi^2$ distribution were matched to the 5th and 95th percentiles of a lognormal distribution. The median of the lognormal distribution is estimated by

$\theta_{.5} = [(3.8 \times 10^{-3})(2.5 \times 10^{-2})]^{1/2} = 9.7\text{E-3 per year}$

The error factor for the lognormal distribution approximation was calculated to be

$EF = \frac{\theta_{.95}}{\theta_{.5}} = \frac{2.5 \times 10^{-2}}{9.7 \times 10^{-3}} = 2.6$

A value of EF = 3 was used in the analysis.

To determine the frequency of the initiating event SGTR in One SG with Coincident Loss of Offsite Power, the above results were combined with a loss of offsite power median failure probability of $10^{-3}$ assuming a lognormal distribution and an error factor of 10 (H). Monte Carlo uncertainty analysis was used to determine the median value and approximate error factor for the combined probabilities. The resulting initiating event frequency is 9.8E-6 per year with an associated error factor of 13.

There have been no known SGTRs in two SGs in the history of PWR commercial operation. An event frequency for SGTRs in two SGs can be estimated given that T = 361.0 years and n = 0. The median occurrence rate is approximated by

$\frac{\chi^2_{.50,\,2n+2}}{2T} = \frac{1.39}{2(361)} = 1.9\text{E-3 / year}$

The error factor was estimated by taking the ratio of the 95 to 50 percentile.

$\frac{\chi^2_{.95,\,2n+2}}{2T} = \frac{5.99}{2(361)} = 8.3\text{E-3 / year}$

$\frac{8.3\text{E-3}}{1.9\text{E-3}} = 4.4 \approx 5$

To determine the frequency of the initiating event SGTR in Two SGs with Coincident Loss of Offsite Power, the above results were combined with a loss of offsite power median failure probability of $10^{-3}$ (assuming a lognormal distribution and an error factor of 10) (16). Monte Carlo uncertainty analysis was used to determine the median value and error factor for the combined probabilities. The resulting initiating event frequency is 1.9E-6 per year with an associated error factor of 13.

SGTR initiating event frequencies are summarized in Table 4.3.2-1. Section 8.0 presents a discussion of a steam generator tube strength model for aged steam generators.

TABLE 4.3.2-1 SGTR INITIATING EVENT FREQUENCIES

| Event Description | Frequency (Median Value per Year) | Error Factor |
|---|---|---|
| SGTR in One SG | 9.7E-3 | 3 |
| SGTR in One SG with Coincident LOOP | 9.8E-6 | 13 |
| SGTR in Two SGs | 1.9E-3 | 5 |
| SGTR in Two SGs with Coincident LOOP | 1.9E-6 | 13 |

Note: The above frequencies are used as input to the SGTR event trees discussed in Section 5.2. The initiating event frequencies are combined with mitigating system failure probabilities to evaluate accident sequences.
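The Section 4.3.2 estimate for SGTR in one SG, carried through as an added Python example (not the SAMPLE or CEREC code and not part of the report). The chi-square percentiles for 8 and 10 degrees of freedom are the table values quoted above; the closed-form 2-degree-of-freedom quantile, the closed-form error factor for a product of two lognormals, the seed and the trial count are additions used here to cross-check the Monte Carlo step.

```python
import math
import random
from statistics import NormalDist

Z95 = NormalDist().inv_cdf(0.95)   # 1.645; error factor = exp(Z95 * sigma)

# Chi-square percentiles quoted in Section 4.3.2.
CHI2_05_8 = 2.733
CHI2_95_10 = 18.307


def rate_interval(n, t_years, chi2_low, chi2_high):
    """Equation 4: bounds on the occurrence rate from n events in t_years."""
    theta_hat = n / t_years
    return (theta_hat * chi2_low / (2 * n),
            theta_hat * chi2_high / (2 * n))


def zero_event_rate(t_years, p):
    """n = 0 case: chi-square with 2 degrees of freedom has the closed-form
    quantile -2 ln(1 - p), so no table lookup is needed."""
    return -2.0 * math.log(1.0 - p) / (2.0 * t_years)


def lognormal_from_bounds(p05, p95):
    """Match a lognormal to 5th/95th percentiles: (median, error factor)."""
    median = math.sqrt(p05 * p95)
    return median, p95 / median


def product_analytic(m1, ef1, m2, ef2):
    """Product of independent lognormals is lognormal: medians multiply and
    the log-variances add, so ln(EF)^2 = ln(EF1)^2 + ln(EF2)^2."""
    return m1 * m2, math.exp(math.hypot(math.log(ef1), math.log(ef2)))


def product_monte_carlo(m1, ef1, m2, ef2, trials=100_000, seed=1983):
    """Sample both lognormals and report the median and the error factor
    (95th percentile divided by median) of the product."""
    rng = random.Random(seed)
    s1 = math.log(ef1) / Z95
    s2 = math.log(ef2) / Z95
    samples = sorted(
        rng.lognormvariate(math.log(m1), s1) *
        rng.lognormvariate(math.log(m2), s2)
        for _ in range(trials))
    median = samples[trials // 2]
    return median, samples[int(0.95 * trials)] / median


if __name__ == "__main__":
    low, high = rate_interval(4, 361.0, CHI2_05_8, CHI2_95_10)
    print(f"90% interval, one SG: {low:.2e} to {high:.2e} per year")
    median, ef = lognormal_from_bounds(3.8e-3, 2.5e-2)
    print(f"lognormal fit: median {median:.2e} per year, EF {ef:.1f}")
    print(f"two SGs, n = 0: median {zero_event_rate(361.0, 0.50):.2e}, "
          f"95th percentile {zero_event_rate(361.0, 0.95):.2e} per year")
    # SGTR in one SG (median 9.7E-3, EF 3) combined with LOOP (1E-3, EF 10).
    print("analytic    median, EF:", product_analytic(9.7e-3, 3.0, 1.0e-3, 10.0))
    print("Monte Carlo median, EF:", product_monte_carlo(9.7e-3, 3.0, 1.0e-3, 10.0))
```

The analytic error factor for the combined one-SG and LOOP distributions is about 12.8, in line with the value of 13 in Table 4.3.2-1.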

4.3.3 PORV LOCA

PORV LOCA was identified as one of the three types of events to be considered in the core damage frequency calculations. In order to address PORV LOCA impact on core damage frequency, a manual PORV design and an automatic PORV design were considered. Both assumed PORV designs allow for the valves to be opened manually to reduce RCS pressure following a steam generator tube rupture event or a loss of secondary heat sink. For the manual PORV design, the PORVs are assumed not to be designed to minimize challenges to the primary safety valves. However, for the automatic PORV design, the PORVs are assumed to be designed to minimize challenges to the primary safety valves.

A PORV LOCA is a breach of the RCS pressure boundary that results in an initial rapid uncontrolled depressurization of the RCS. Therefore, mitigation of this transient requires makeup of the lost RCS inventory as well as removal of heat from the reactor core and RCS. The success criteria for RCS inventory makeup and heat removal were determined by transient analyses (30 36). Success for RCS inventory makeup requires at least one HPSI pump to inject borated water into the RCS loops. Successful removal of RCS heat can be accomplished by the steam generators or the containment heat removal systems. Success for RCS heat removal by the steam generators requires at least one steam generator with feedwater available to maintain the steam generator water level. Success for RCS heat removal by the containment heat removal systems requires at least two emergency containment fan coolers and at least one containment spray train to remove thermal energy discharged into the containment from the RCS.

Based on the assumed PORV design, three types of PORV LOCAs were considered. The three types are as follows:

1. PORV LOCA Following Loss of Secondary Heat Sink. This type of PORV LOCA refers to manually opening the PORV flowpaths following a loss of secondary heat sink. The steam generators are unavailable to remove RCS heat.

2. PORV LOCA Following SGTR. This type of PORV LOCA refers to manually opening of either PORV flowpath following a tube rupture in one steam generator. The unaffected steam generator is available to remove RCS heat.

3. Spurious or Transient Induced PORV LOCA. This type of PORV LOCA refers to the opening of either or both PORV flowpaths. For the manual PORV design, this type of PORV LOCA includes error (test, maintenance, or operator) induced openings. For the automatic PORV design, this type of PORV LOCA includes high RCS pressure transient induced openings. Both steam generators are available to remove RCS heat.

For each type of PORV LOCA considered, a fault tree analysis was performed (see Section 6.4) to quantify the occurrence frequency. The occurrence frequencies for loss of secondary heat sink and tube rupture in one steam generator were incorporated into the fault trees to evaluate the occurrence frequencies for these types of PORV LOCA. Nuclear operating experience information (E) was used along with an assumed valve testing frequency that varies from two weeks to quarterly to evaluate the Spurious PORV LOCA (manual design) occurrence frequency. These frequencies are presented in Table 4.3.3-1.

TABLE 4.3.3-1 PORV LOCA INITIATING EVENT FREQUENCIES Frequency 1 Error Event Description (Median Value per Year) Factor PORV LOCA 1.8E-5 16 Following LOHS PORV LOCA 1.3E-4 7 Following SGTR Spurious or Transient Induced PORY LOCA (a) Manual Design 3.2E-5 16 (b) Automatic Design 5.0E-32 13 ! A U i Note: 1. The above frequencies are used as input to the PORV LOCA event trees discussed in Section 5.3. The initiating event frequencies are combined with mitigating system failure probabilities to evaluate ! accident sequences. -

2. This value excludes challenges to the PORVs due to malfunction of the turbine runback feature. Operating experience shows that C-E NSSS supplied plants with turbine runback feature experience more challenges to the PORVs. Therefore, the affected plants are currently operating with the turbine runback feature overridden. If challenges to the PORVs due to malfunction of the turbine runback feature were included, the PORV LOCA initiating event frequency would increase by approximately 15%.


5.0 ACCIDENT SEQUENCE DETERMINATION

The sequences of malfunctions or failures of systems that lead to core damage conditions for each initiating event considered were determined by developing functional and systemic event trees. The functional event tree interrelates an initiating event (Loss of Main Feedwater, SG tube rupture or PORV induced LOCA) with plant safety function failures and yields functional accident sequences. The systemic event tree interrelates each initiating event with system failure events and yields system accident sequences. Section 2 provides a more detailed description of the methodology used in the development of the event trees and fault trees and the treatment of system interactions and support system dependencies.

The accident sequences for the loss of secondary heat sink, PORV induced LOCA, and steam generator tube rupture were determined using event tree/fault tree methodology. In order to provide consistency in identifying the accident sequences for these transients, the following general rules were followed:

• Event tree models, both functional and systemic, are developed from the initiating event to a state representing either shutdown cooling entry conditions or core damage conditions.

• Core damage conditions are defined as peak cladding temperatures of 2200°F.

• All systems are in the normal, automatic mode of operation at the time of the initiating event.

• Reactor trip will occur when plant protection system setpoints are reached.

• The event tree/fault tree analyses are based on the PVNGS Unit 1 design. The results are considered to be applicable to Units 2 and 3.

5.1 LOSS OF HEAT SINK

A loss of secondary heat sink refers to the inability to remove RCS and core heat via the steam generators as a result of losing main feedwater and auxiliary feedwater flow. During normal plant operations, the MFW system provides a continuous supply of feedwater to the steam generators at required pressure and temperature for full load to zero load operations. Following the loss of main feedwater, the AFW system automatically supplies feedwater to the steam generators for reactor decay heat removal and to cooldown the RCS to shutdown cooling entry conditions. A loss of main and auxiliary feedwater flow and failure to re-establish a secondary heat sink will cause RCS temperature and pressure to increase and eventually threaten core integrity.

During a loss of secondary heat sink event, RCS temperature is controlled at a value slightly above that corresponding to steam generator saturation conditions until a substantial portion of the tube bundle in each steam generator is uncovered. At this point, RCS temperature will begin to increase. When the steam generators boil dry, RCS temperature and pressure will rise rapidly. If conditions in the RCS reach the setpoints for the primary safety valves, RCS inventory will begin to discharge out the safety valves. If a secondary heat sink is not re-established and loss of RCS inventory continues at high pressure, core uncovery will occur. Core damage conditions, defined for this study as peak cladding temperatures of 2200°F, will be reached in approximately 70 minutes following a reactor trip signal based on low steam generator level (28, Section 2.8).

5.1.1 Initiating Event

A loss of normal operating feedwater is defined as a reduction in feedwater flow to the steam generators, when operating at power, without a corresponding reduction in steam flow from the steam generators. The result of this flow mismatch leads to reduction in steam generator water inventory and a subsequent heatup of the primary coolant. The PPS provides protection against the loss of normal feedwater by the steam generator low water level trip.

The Main Feedwater System is designed to automatically provide 5% flow to meet RCS decay heat removal requirements following a reactor trip event. The initiating event for the loss of heat sink analysis will be defined as the loss of normal operating main feedwater flow resulting from automatic plant/reactor trip events and the loss of the post-trip 5% flow. Included in this definition are plant trips that are a result of perturbations in the main feedwater system or its support systems. The frequency of loss of main feedwater was evaluated by fault tree analysis (See Section 6.10).

5.1.2 Normal Sequence of Events

The normal sequence of events following a loss of operating MFW flow and post-trip 5% bypass flow, is a continued decrease in steam generator water level and the automatic initiation of the Auxiliary Feedwater System. The Auxiliary Feedwater System, consisting of one seismic Category I motor-driven and one turbine-driven feedwater pumps and one non-seismic Category I motor-driven pump, is employed to effectuate core cooldown. Following a reactor trip, the TBVs are normally used to control steam generator pressure. If the TBVs are unavailable, steam pressure may be controlled by the ADVs or the MSSVs. The pressurizer auxiliary sprays provide RCS pressure control and are used to reduce primary pressure. Table 5.1.2-1 presents the normal sequence of events following loss of main feedwater from the initiating event until event termination at shutdown cooling entry conditions.

TABLE 5.1.2-1
NORMAL SEQUENCE OF EVENTS FOR LOSS OF FEEDWATER

1. Termination of main feedwater flow
2. SBCS Quick Open of TBVs
3. Reactor/Turbine Trip on low steam generator water level
4. MSSVs open
5. AFW flow actuated and delivered
6. MSSVs close
7. Cooldown controlled using AFW, SBCS and Pressurizer Auxiliary Spray
8. When condenser vacuum becomes unavailable, continue cooldown with ADVs
9. Shutdown cooling entry conditions reached

5.1.3 Functional Event Tree

FIGURE 5.1.3-1 LOSS OF SECONDARY HEAT SINK FUNCTIONAL EVENT TREE
Branch headings: Initiating Event (Loss of Main Feedwater); Reactivity Control (Reactor Trip); RCS Inventory Control (Inventory Makeup); RCS Pressure Control (Depressurization); Core Heat Removal (Forced Circulation); RCS Heat Removal (Secondary Heat Sink). Sequences 1 through 10.

The Loss of Secondary Heat Sink functional event tree, presented in Figure 5.1.3-1, was developed to determine the functional accident sequences that could lead to potential core damage. The functional event tree was
developed for the current plant design and for the plant design assuming feed and bleed capability is provided. As depicted in Table 5.1.3-1, each safety function can be defined in terms of functional elements which are used as intermediaries to correlate the five anti-core melt safety functions (32) to the specific plant systems or actions required to mitigate a loss of secondary heat sink. The list of associated systems/actions provides the logical groundwork for constructing a system/action level event tree which can be used to generate more detailed accident scenarios.

TABLE 5.1.3-1
LOSS OF SECONDARY HEAT SINK FUNCTIONAL EVENT TREE CONSIDERATIONS

Safety Function | Functional Elements | Associated Systems/Actions
Reactivity Control | Reactor Trip | Reactor Trip (1)
RCS Inventory Control | Inventory Makeup | There are no specific systems/actions required for RCS Inventory control except through RCS Pressure Control and RCS Heat Removal.
RCS Pressure Control | Depressurization | Auxiliary Sprays; Feed and Bleed Operation (2)
Core Heat Removal | Forced Circulation | RCP Operation
RCS Heat Removal | Secondary Heat Sink | Auxiliary Feedwater System; Restoration of Feed Flow; Alt. Sec. Heat Removal Capability; Removal of Secondary Steam; Feed and Bleed Operation (2); Containment Sprays (2); HP Recirculation (2)

1 ATWS will not be considered in the scope of this evaluation.
2 Associated systems/actions assuming feed and bleed capability is provided.

The functional accident sequences for the loss of heat sink event are discussed as follows:

Sequence 1: Sequence 1 is the transient when all safety functions are satisfied following the initiating event. In this sequence, the core is cooled, secondary system and core integrity are maintained and shutdown cooling entry conditions are reached.

Sequence 2: Sequence 2 is the transient when the safety function, RCS Heat Removal, is not maintained. This sequence results in core damage conditions.

Sequence 3: Sequence 3 represents the transient when Core Heat Removal by forced circulation, RCP operation, is not maintained. In this sequence, the secondary system and core integrity are maintained and shutdown cooling entry conditions are reached with natural circulation conditions existing in the RCS.

Sequence 4: Sequence 4 results in core damage conditions due to failure to provide RCS Heat Removal and failure of the Core Heat Removal safety function.

Sequence 5: Sequence 5 represents the transient when RCS Pressure Control, depressurization of the primary system, fails. In this sequence, the core and RCS are cooled, but the primary
pressure criteria for shutdown cooling entry conditions is not achieved. This results in a stable core configuration with a long term demand on the safety function, RCS Heat Removal.

Sequence 6: Sequence 6 results in core damage conditions due to failure to provide the RCS Heat Removal and RCS Pressure Control safety functions.

Sequence 7: In Sequence 7, RCS Heat Removal is provided but safety functions RCS Pressure Control and Core Heat Removal have failed. Sequence 7 results in a stable core state but impacts the actions associated with RCS Heat Removal. See Sequences 3 and 5.

Sequence 8: Sequence 8 results in core damage conditions due to failure to provide RCS Heat Removal and failure of Core Heat Removal and RCS Pressure Control.

Sequence 9: The safety function, RCS Inventory Control, is satisfied by RCS Pressure Control and RCS Heat Removal.

Sequence 10: As discussed in Section 2.2.1.1, ATWS is not considered in the scope of this program.

5.1.4 Systemic Event Tree

The systemic event trees were developed by determining the systems/actions which perform in response to the loss of secondary heat sink transient for each of the safety functions identified in Table 5.1.3-1. The systems/actions define the systemic event tree branch headings. The systems/actions were then placed in approximately the chronological order that they will be called upon following the transient. The initiating event, Loss of Main Feedwater, and transient analysis determine the success criteria for those systems or actions. These criteria dictate the top failure logic for the system fault trees. In addition to the system success, accident mitigation also requires the successful operation of support systems upon which the systems depend. Section 3.3 details the mitigating system/support system dependencies for the systems required in the loss of secondary heat sink transient.

Two systemic event trees were developed for loss of Secondary Heat Sink. The Loss of Secondary Heat Sink Event Tree discussed in Section 5.1.4.1 determines the core damage scenarios for the current plant design including alternate secondary heat removal capability. The event tree in Section 5.1.4.2, Loss of Secondary Heat Sink with Feed and Bleed Operation Event Tree, determines the core damage scenarios assuming primary feed and bleed capability is provided. Table 5.1.4-1 defines the event tree branches and associated failure criteria that are used as input to both event trees. The fault tree results for the systems specified in the systemic event trees are presented in Section 6.0.

5.1.4.1 The Loss of Secondary Heat Sink Event Tree

The Loss of Secondary Heat Sink Event Tree is presented in Figure 5.1.4.1-1. The safety function, RCS Heat Removal, is provided by the Auxiliary Feedwater System, Restoration of Feed Flow, Alternate Decay Heat Removal (low pressure secondary heat sink) and Secondary Steam Removal (Refer to Table 5.1.3-1). The safety function, Core Heat Removal, refers to termination of RCP Operation and the safety function, RCS Pressure Control, refers to operation of auxiliary sprays.

The event tree accident sequences were filtered using a frequency cutoff of 10^-8 per year. The sequences that lead to core damage conditions are discussed in detail in Section 7.1.1. The branch headings are briefly discussed below:

TABLE 5.1.4-1
LOSS OF SECONDARY HEAT SINK EVENT TREE BRANCH DEFINITIONS

Branch Designation | Branch Title | Failure Criteria
LF | Initiating Event | Loss of Main Feedwater Flow, Plant/Reactor Trip Events and Failure to Deliver 5% MFW Flow from 1 of 2 MFW Pumps to 1 SG
G1 | Fail to Deliver AFW Flow | Failure to Automatically Deliver AFW Flow from 1 of 2 AFW Pumps to One SG
U1 | Failure to Restore Feed Flow | Failure to Manually Restore AFW Flow from 1 of 2 AFW Pumps to 1 SG and Failure to Establish Flow from 1 of 1 Non-essential AFW Pump in 60 Minutes Following a Loss of Main and Auxiliary Feed Flow
U2 (1) | Failure to Restore Feed Flow | Failure to Manually Restore AFW Flow from 1 of 2 AFW Pumps to 1 SG and Failure to Establish Flow from 1 of 1 Non-essential AFW Pump in 25 Minutes Following a Loss of Main and Auxiliary Feed Flow
V | Failure of Alt. Sec. Capability | Failure to Manually Establish Feed Flow from a Low Pressure Secondary Heat Sink (Flow from 1 of 3 Condensate Pumps delivered to 1 SG) in 60 minutes
W | Failure to Remove Secondary Steam | Failure to Remove Steam from SG by Opening 1 of 8 TBVs, 1 of 4 ADVs or 1 of 20 MSSVs
X | Failure to Terminate RCP Operation | Failure to Manually Terminate RCP Operation Upon Indication of Total Loss of Feed Flow
N | Failure to Initiate Auxiliary Spray Flow | Failure to Deliver Auxiliary Spray Flow from 1 of 3 Charging Pumps to the Pressurizer
Y (1) | Failure of Feed and Bleed Operation | Failure to Establish Flow through 2 of 2 PORV Trains and to Deliver Makeup Flow from 1 of 2 HPSI Pumps and 1 of 3 Charging Pumps or 2 of 2 HPSI Pumps
S2 (1) | Failure of Containment Sprays | Failure of 2 of 2 Containment Spray Trains to Deliver Flow to Containment
R (1) | Failure to Achieve HP Recirculation | Failure to Provide Flow to the RCS from 1 of 2 HP Pumps Taking Suction from the Containment Sump

1 These branches are applicable assuming feed and bleed capability is provided.

LF: The initiating event is defined as the frequency of loss of operating main feedwater flow from plant/reactor trip events and the probability of loss of the 5% MFW flow. The frequency of the initiating event was determined by fault tree analysis in Section 6.10.

G1: The failure probability of the Auxiliary Feedwater System was also determined by fault tree analysis presented in Section 6.11. The analysis models the failure to automatically deliver AFW flow. No operator action to restore AFW flow or start the non-essential AFW pump is included in the model. Recovery actions are addressed in a separate analysis (Section 6.17) and are based on the dominant AFW system cutsets.

U1: Following the initiating event and loss of AFW flow, operator action will be directed towards restoration of AFW system. The operator has approximately 60 minutes to re-establish AFW flow before core damage conditions are unavoidable (28, Section 2.8). An analysis was performed to determine the human error probability for failure to restore AFW and align the non-essential AFW pump in the 60 minute time period in Section 6.17.

V: At 60 minutes following reactor trip, operating procedures will guide the operator to depressurize the secondary system and feed the steam generators directly with a condensate pump. This secondary heat sink is referred to as the Alternate Secondary Heat Removal Capability. The fault tree analysis is presented in Section 6.13. Note that the Alternate Secondary Heat Removal Capability (condensate system) is dependent upon offsite power. Use of this system will be implemented only after restoration of AFW fails.

FIGURE 5.1.4.1-1 LOSS OF SECONDARY HEAT SINK EVENT TREE
Branch headings: Fail to Deliver AFW Flow; Failure to Restore Feed Flow; Failure of Alt. Sec. Removal Capability; Failure to Remove Secondary Steam; Failure to Terminate RCP Operation; Failure to Initiate Auxiliary Spray Flow.
W: Failure to remove secondary steam refers to the inability to release steam energy through the steam generators. Following a loss of feedwater event, steam generated in the steam generators may be conveyed directly to the condenser via the TBVs or directly released to the atmosphere by the ADVs or MSSVs. Failure to remove secondary steam is equivalent to a loss of heat sink in this analysis (See Section 6.9).

X: Per Combustion Engineering Emergency Procedure Guidelines (9), RCP operation is to be terminated upon indication of a total loss of feed flow event. Termination of pump operation results in natural circulation in the core and minimizes the heat added to the primary coolant by the pump operation.

N: The pressurizer auxiliary sprays are used to depressurize the primary side. Due to failure of the auxiliary sprays, the primary pressure criteria for shutdown cooling entry conditions is not achieved. This results in a stable core configuration with a long term demand on the safety function, RCS Heat Removal. The fault tree analysis for Fail to Initiate Auxiliary Spray Flow is presented in Section 6.2.

5.1.4.2 Loss of Secondary Heat Sink with Feed and Bleed Operation Event Tree

The Loss of Secondary Heat Sink with Feed and Bleed Operation Event Tree is presented in Figure 5.1.4.2-1. The safety function, RCS Heat Removal, is provided by the Auxiliary Feedwater System, Restoration of Feed Flow, Secondary Steam Removal and direct RCS heat removal by primary Feed and Bleed Operation. The safety function Core Heat Removal refers to termination of RCP operation. The safety function, RCS Pressure Control, is provided directly by PORV operation (Refer to Table 5.1.3-1).

Feed and Bleed Operation, in addition to establishing flow through PORVs and providing the associated makeup flow, requires the establishment of High Pressure (HP) Recirculation flow. The discharge of primary coolant into containment via the PORVs is conservatively assumed to result in the automatic initiation of the containment sprays. Containment spray pumps and the HPSI System initially utilize the same source of water, the Refueling Water Tank (RWT). Upon depletion of RWT inventory, HP pump suction will automatically switch to the containment sump and enter the recirculation mode of operation. It is assumed that shutdown cooling entry conditions will be achieved following successful feed and bleed operation.

The event tree accident sequences were filtered using a cutoff frequency of 10^-9 per year in order to add visibility to certain sequences. The core damage sequences are discussed in Section 7.1.2. The branch headings are defined in Table 5.1.3-1 and are discussed below:

LF: Initiating Event - same as Section 5.1.4.1.

G1: Failure to Deliver Auxiliary Feed Flow - See discussion for Branch G1 in Section 5.1.4.1.

U2: Following the initiating event and loss of auxiliary feed flow, operator action will be directed towards restoration of Auxiliary Feedwater System. However, at 25 minutes following the reactor trip event, the operator is assumed to commence primary feed and bleed operation by opening the power-operated relief valves (PORVs) (28, Section 2.8). Once feed and bleed operation is initiated, the operator will terminate restoration actions and use the direct RCS heat removal system. The restoration task analysis presented in Section 6.17 therefore allowed only 25 minutes for restoration actions.

FIGURE 5.1.4.2-1 LOSS OF SECONDARY HEAT SINK WITH FEED AND BLEED OPERATION EVENT TREE

W: Failure to Remove Secondary Steam - See discussion for Branch W in Section 5.1.4.1.

X: Failure to Terminate RCP Operation - See discussion for Branch X in Section 5.1.4.1.

Y: The failure probability for the primary Feed and Bleed System was determined by fault tree analysis in Section 6.5. The successful initiation of Feed and Bleed flow at 25 minutes, opening of both PORV trains and providing the required primary inventory makeup, results in acceptable core conditions, i.e. peak cladding temperatures less than 2200°F (28, Section 2.8). Note that the Feed and Bleed System design employed in the analysis is not redundant; both PORV trains are required for successful operation.

S2: Failure of the containment sprays to deliver flow to containment results in a larger RWT inventory for feed and bleed operation. If containment sprays are not actuated, the RWT inventory is sufficient for continued Feed and Bleed Operation until shutdown cooling entry conditions are reached. If containment sprays are actuated, Feed and Bleed Operation requires operation of the HP recirculation mode. Failure of containment cooling (containment sprays) is investigated in the event tree analysis on PORV induced LOCA (See Section 5.3).

R: Failure to achieve high pressure recirculation refers to inability to provide flow to the RCS loops by at least one of two high pressure pumps that take suction from the containment sump. Additional information on high pressure recirculation and the fault tree results are provided in Section 6.1.
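The sequence numbering and end states of the functional event tree in Section 5.1.3 can be reproduced mechanically. The Python sketch below is an added example, not part of the C-E report; it assumes the branch order of Figure 5.1.3-1 and, as inferred from Sequences 9 and 10, that failures of Reactivity Control and RCS Inventory Control are not developed further. All class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Heading:
    safety_function: str        # column heading in Figure 5.1.3-1
    element: str                # functional element from Table 5.1.3-1
    developed_on_failure: bool  # False: a failure here ends the sequence


# Branch headings in the left-to-right order of Figure 5.1.3-1.
# Assumption: the failure branches of the first two headings are not
# developed, which is inferred from the text for Sequences 9 and 10.
LOHS_HEADINGS = (
    Heading("Reactivity Control", "Reactor Trip", False),
    Heading("RCS Inventory Control", "Inventory Makeup", False),
    Heading("RCS Pressure Control", "Depressurization", True),
    Heading("Core Heat Removal", "Forced Circulation", True),
    Heading("RCS Heat Removal", "Secondary Heat Sink", True),
)


def enumerate_sequences(headings):
    """Return the failed safety functions of each sequence, top to bottom.

    The walk takes the success (upper) branch before the failure (lower)
    branch at every heading, which reproduces the numbering of Section 5.1.3.
    """
    sequences = []

    def walk(index, failed):
        if index == len(headings):
            sequences.append(tuple(failed))
            return
        heading = headings[index]
        walk(index + 1, failed)  # success branch
        now_failed = failed + [heading.safety_function]
        if heading.developed_on_failure:
            walk(index + 1, now_failed)  # failure branch, developed further
        else:
            sequences.append(tuple(now_failed))  # undeveloped failure branch

    walk(0, [])
    return sequences


def classify(failed):
    """End state of a sequence, following the Section 5.1.3 descriptions."""
    failed = set(failed)
    if "Reactivity Control" in failed:
        return "not evaluated (ATWS is outside the scope)"
    if "RCS Inventory Control" in failed:
        return "not developed (met through RCS Pressure Control and RCS Heat Removal)"
    if "RCS Heat Removal" in failed:
        return "core damage"
    if "RCS Pressure Control" in failed:
        return "stable core, long term demand on RCS Heat Removal"
    return "shutdown cooling entry conditions reached"


def sequence_table(headings=LOHS_HEADINGS):
    """Map sequence number -> (failed safety functions, end state)."""
    return {
        number: (failed, classify(failed))
        for number, failed in enumerate(enumerate_sequences(headings), start=1)
    }


def core_damage_sequences(headings=LOHS_HEADINGS):
    """Sequence numbers whose end state is core damage."""
    return [number for number, (_, state) in sequence_table(headings).items()
            if state == "core damage"]


if __name__ == "__main__":
    for number, (failed, state) in sequence_table().items():
        print(f"Sequence {number:2d}: failed = {', '.join(failed) or 'none'} -> {state}")
```

Every core damage sequence in this tree includes failure of RCS Heat Removal, which is why the systemic event trees of Section 5.1.4 concentrate on the systems that provide that function.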

5.2 STEAM GENERATOR TUBE RUPTURE

5.2.1 Initiating Events

For this evaluation, a SGTR is defined as a tube leak or rupture whose maximum leak flowrate exceeds the capacity of the charging system. Four distinct initiating events focusing on SGTR were defined for input to the SGTR analysis. Each initiating event addresses a slightly different aspect of tube rupture and challenges the plant in a slightly different fashion. The four initiating events are defined as follows:

• Initiating event 1 is defined as one or more tube ruptures occurring in one steam generator. Offsite power is assumed to be available at the time of the initiating event.

• Initiating event 2 is defined as one or more tube ruptures occurring in one steam generator with a coincident loss of offsite power.

• Initiating event 3 is defined as one or more tube ruptures occurring in both steam generators. Offsite power is assumed to be available at the time of the initiating event.

• Initiating event 4 is defined as one or more tube ruptures occurring in both steam generators with a coincident loss of offsite power.

The procedure for determining SGTR initiating event frequencies and the calculated results are presented in Section 4.3.2.

5.2.2 Normal Sequence of Events

The normal sequence of events following a SGTR is similar for tube ruptures in one or two steam generators. For a SGTR in one steam generator, the affected SG is isolated and secondary cooldown is initiated and maintained from the unaffected steam generator. For tube ruptures in both steam generators the most affected SG is isolated and cooldown is accomplished using the least affected SG. Table 5.2.2-1 presents the normal sequence of events for SGTR assuming offsite power is available at the time of the initiating event.

The normal sequence of events varies for the cases where offsite power is unavailable at the time of the initiating event. In this instance the initiating event will be defined as tube rupture(s) in one or two SGs with a coincident loss of offsite power. The normal sequence of events is presented in Table 5.2.2-2.

5.2.3 Functional Event Tree

The SGTR functional event tree, presented in Figure 5.2.3-1, was developed to determine the functional accident sequences that could lead to potential core damage. The functional event tree was developed for the current plant design and for the plant design assuming PORVs were installed. As depicted in Table 5.2.3-1, each safety function can be defined in terms of functional elements which are used as intermediaries to correlate the five anti-core melt safety functions (32) to the specific plant systems or actions required to mitigate a SGTR. The list of associated actions provides the logical groundwork for constructing a system/action level event tree which can be used to generate more detailed accident scenarios.

The following functional accident sequences were obtained from the SGTR functional event tree:

Sequence 1: Sequence 1 represents the initiating event, steam generator tube rupture. For this case, all safety functions are maintained and the core is protected.

TABLE 5.2.2-1
NORMAL SEQUENCE OF EVENTS FOR SGTR

1. Reactor/Turbine Trip.
2. SBCS Quick Open of TBVs - TBVs reclose.
3. SIAS on Low Pressurizer Pressure.
4. Operator initiates cooldown by manually operating the Turbine Bypass System in conjunction with either Main Feedwater or Auxiliary Feedwater.
5. At T < 535°F the operator isolates the affected or most affected steam generator and continues cooling with the unaffected or least affected SG.
6. Auxiliary Spray is initiated to commence RCS depressurization (1). (PORVs could be used if the Auxiliary Spray System was unavailable).
7. Throttle HPSI Flow to prevent repressurization.
8. If necessary, blowdown can be initiated from the isolated SG to prevent overfilling.
9. When condenser vacuum can no longer be maintained, cooldown continues by establishing flow from at least one ADV on the unaffected or least affected SG.
10. Shutdown cooling entry conditions achieved.

1 PORVs are not included in the current plant design.

TABLE 5.2.2-2
NORMAL SEQUENCE OF EVENTS FOR SGTR WITH COINCIDENT LOOP

1. Reactor/Turbine Trip.
2. MSSVs automatically open and reclose.
3. SIAS is generated on Low Pressurizer Pressure.
4. Cooldown is initiated by operation of the Atmospheric Dump System in conjunction with the Auxiliary Feedwater System.
5. At T < 535°F the operator isolates the affected or most affected SG and continues cooling with the unaffected or least affected SG.
6. Auxiliary Spray is initiated to commence RCS depressurization (1). (PORVs could be used if the Auxiliary Spray System was unavailable).
7. Throttle HPSI flow to prevent repressurization.
8. Continue cooling using at least one ADV on the unaffected or least affected SG.
9. Shutdown cooling entry conditions achieved.

1 PORVs are not included in the current plant design.

FIGURE 5.2.3-1 SGTR FUNCTIONAL EVENT TREE
Branch headings: Initiating Event (SGTR); Reactivity Control (Reactor Trip); RCS Inventory Control (Inventory Make-Up, Maintain SG Press, Limit RCS Pressure); RCS Pressure Control (Depressurization); Core Heat Removal (None); RCS Heat Removal (Maintain Secondary Heat Sink). Sequences 1 through 6.

TABLE 5.2.3-1
SGTR FUNCTIONAL EVENT TREE CONSIDERATIONS

Safety Function | Functional Elements | Associated Systems/Actions
Reactivity Control | Reactor Trip | Reactor Trip (1)
RCS Inventory Control | Inventory Makeup | High Pressure Safety Injection
RCS Inventory Control | Maintain SG Pressure | Trip Turbine; Reclose Normally Opening Secondary Steam Valves; Prevent Unnecessary Opening of Secondary Steam Valves
RCS Inventory Control | Limit RCS Pressure | Throttle HPSI
RCS Pressure Control | Depressurization | Auxiliary Sprays; PORVs
Core Heat Removal | None | There are no specific systems/actions required for Core Heat Removal except through RCS Inventory Control
RCS Heat Removal | Maintain Secondary Heat Sink | Loss of Secondary Heat Sink is addressed in Section 5.1

1 ATWS will not be considered in the scope of this evaluation.


Sequence 2

Sequence 2 consists of a SGTR with a coincident loss of secondary heat sink (LOHS). Since the transient and long term effects of a loss of secondary heat sink are rigorously addressed in Section 5.1, it was felt that evaluating the consequences of a SGTR with a coincident LOHS would not yield any new information. Therefore, LOHS is considered to be outside the scope of this evaluation.

Sequence 3

Failure to depressurize the RCS could lead to a large integrated leak flow. If all other safety functions are maintained, shutdown cooling entry conditions should still be achieved.

Sequence 4

Sequence 4 is best discussed in terms of the SGTR functional elements that define RCS inventory control.

• Inventory Make-Up: If depleting RCS inventory is not replenished, the core will eventually uncover.

• Maintain SG Pressure: If SG pressure is not maintained, the pressure differential between the primary and secondary side can lead to a high integrated leak flow. Core damage will result if the total volume of the leak flow exceeds the long term capacity of the RWT.

• Limit RCS Pressure: HPSI flow should be throttled during RCS cooldown to limit RCS pressure and prevent a large integrated leak flow. Failure to throttle HPSI can lead to SG overfill provided the blowdown system is unavailable for draining. SG overfill can result in unnecessary openings of the ADVs or MSSVs.

Sequence 5

Failure to depressurize the RCS combined with any of the functional elements in sequence 4 will increase the leak flow rate and, if applicable, hasten the time to core uncovery.

Sequence 6

As discussed in Section 2.2.1.1, ATWS is not considered in the scope of this program.

5.2.4 Systemic Event Trees

The system / action level event trees for SGTR were developed by expanding the associated systems / actions list presented in Table 5.2.3-1 to include the various secondary valves and the failure mechanisms that could lead to unnecessary valve openings. A separate event tree was constructed for each of the four SGTR initiating events defined in Section 5.2.1. It was felt that a complete re-evaluation of each SGTR event tree, assuming PORVs were installed (i.e. including an extra branch in each event tree to model the PORVs), would not provide any new information for the following reasons:

• PORV LOCA following SGTR is addressed in Section 5.3.4.2.

• The assumed role of PORVs in SGTR events is to provide backup RCS depressurization capability should the Auxiliary Spray System be unavailable. (It should be noted that the Auxiliary Spray System provides a safety related capability for depressurization.) The results of the SGTR event tree analyses (assuming no PORVs are installed) do not indicate the Auxiliary Spray System to be a significant contributor to the SGTR core damage frequencies, therefore, the impact of PORVs on SGTR core damage frequency is determined to be negligible. This assumption is supported by a quantitative discussion of the use of PORVs as a backup to the Auxiliary Spray System in Section 7.2.5.

• Re-evaluating each SGTR event tree with an extra branch to model PORV depressurization capability would unnecessarily increase the sizes of the event trees (and therefore the required computer time) without generating any new core damage sequences, i.e. any core damage sequence including the PORVs would be filtered out on low frequency.
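The filtering argument in the last bullet can be made concrete with a small sequence enumerator, given here as an added example that is not part of the original report. The initiating frequency and branch failure probabilities are constructed for illustration (they are not the report's Section 4 or Section 6 values), the designator X for a PORV backup branch is hypothetical, and 10⁻⁸ per year is the cutoff the report applies to the SGTR in One SG tree.

```python
from itertools import product

# Constructed values for illustration only; NOT the report's results.
INITIATOR_FREQ = 5e-3            # initiating event frequency, per year
BRANCHES = [                     # (designator, failure probability per demand)
    ("A", 1e-3),                 # fail to deliver sufficient HPSI flow
    ("N", 1e-4),                 # fail to initiate auxiliary spray flow
    ("O", 5e-2),                 # fail to throttle HPSI
]
PORV_BACKUP = ("X", 1e-2)        # hypothetical backup branch, asked only if N fails


def enumerate_sequences(init_freq, branches, backup=None, backup_for=None):
    """Walk every success/failure path and return {failed branches: freq/yr}.

    If `backup` is given, each path on which `backup_for` has failed is split
    into a backup-success path and a backup-failure path.
    """
    sequences = {}
    for outcome in product((False, True), repeat=len(branches)):
        freq = init_freq
        failed = []
        for (name, p_fail), is_failed in zip(branches, outcome):
            freq *= p_fail if is_failed else (1.0 - p_fail)
            if is_failed:
                failed.append(name)
        if backup is not None and backup_for in failed:
            b_name, b_fail = backup
            pos = failed.index(backup_for) + 1
            with_backup_failed = failed[:pos] + [b_name] + failed[pos:]
            sequences[tuple(failed)] = freq * (1.0 - b_fail)
            sequences[tuple(with_backup_failed)] = freq * b_fail
        else:
            sequences[tuple(failed)] = freq
    return sequences


def apply_cutoff(sequences, cutoff):
    """Keep only the sequences whose frequency is at or above the cutoff."""
    return {seq: f for seq, f in sequences.items() if f >= cutoff}


def compare(cutoff):
    """Return (tree size, retained sequences) without and with the backup branch."""
    base = enumerate_sequences(INITIATOR_FREQ, BRANCHES)
    extended = enumerate_sequences(INITIATOR_FREQ, BRANCHES,
                                   backup=PORV_BACKUP, backup_for="N")
    return ((len(base), apply_cutoff(base, cutoff)),
            (len(extended), apply_cutoff(extended, cutoff)))


if __name__ == "__main__":
    for cutoff in (1e-8, 1e-10):
        (n_base, kept_base), (n_ext, kept_ext) = compare(cutoff)
        print(f"cutoff {cutoff:g}/yr: {n_base} -> {n_ext} paths, "
              f"{len(kept_base)} -> {len(kept_ext)} retained")
        for seq, f in sorted(kept_ext.items(), key=lambda kv: -kv[1]):
            label = "T1" + "".join(seq)
            print(f"  {label:<8} {f:.3e}")
```

With these constructed inputs the extended tree grows from 8 to 12 paths, yet no sequence containing X survives the 10⁻⁸ cutoff; sequences containing X are only retained once the cutoff is lowered to 10⁻¹⁰.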


Table 5.2.4-1 defines the event tree branches and associated failure criteria that are used as input to the four event trees. Fault tree results for each branch are presented in Section 6.0.

5.2.4.1 SGTR in One SG Event Tree

The SGTR in One SG Event Tree is presented in Figure 5.2.4.1-1. The safety function, RCS Inventory Control, is provided by the following actions:

• Delivery of High Pressure Safety Injection
• Turbine Trip
• Successful Operation of Normally Opening Secondary Steam Valves
• Prevention of Unnecessary Openings of Secondary Steam Valves
• Throttling of High Pressure Safety Injection

The safety function, RCS Pressure Control, is provided by the Auxiliary Spray System. If the Auxiliary Spray System was unavailable PORVs could provide back-up depressurization capability. (See Section 7.2.5.) PORVs are not included in the current plant design.

For this event tree the accident sequences were filtered using a frequency cutoff of 10⁻⁸ per year. The scenarios that lead to potential core damage are presented in Section 7.2.1. The event tree branches used to construct the event tree, SGTR in One SG, are discussed below.

T1  The initiating event is defined as one or more tube ruptures in steam generator SG-2 with offsite power available at the time of the initiating event. The initiating event frequency is calculated in Section 4.3.2.

TABLE 5.2.4-1 SGTR EVENT TREE BRANCH DEFINITIONS

| Branch Designation | Branch Title | Failure Criteria |
|---|---|---|
| T1 | Initiating Event | SGTR in one SG |
| T2 | | SGTR in one SG with coincident LOOP |
| T3 | | SGTR in two SGs |
| T4 | | SGTR in two SGs with coincident LOOP |
| A | Fail to Deliver Sufficient HPSI Flow | Failure to deliver flow from 1 of 2 HPSI pumps to the RCS on SIAS and failure to maintain sufficient HPSI flow (A'). |
| B | Turbine Fails to Trip on Reactor Trip | Failure to completely terminate steam flow to the high pressure turbine on reactor trip. |
| C1 | Turbine Bypass Valves Fail to Quick Open | 8 of 8 TBVs fail to quick open following turbine trip. |
| D | Turbine Bypass Valve Fails to Reclose | 1 of 8 TBVs fails to reclose following quick open or during cooldown. |
| E1 | MSIV on Affected (or Most Affected) SG Fails to Close | One of two MSIVs on the affected SG fails to close on MSIS. |
| F1 | Loss of TBV Flow Prior to Isolation of the Affected (or Most Affected) SG | Termination of TBV flow prior to isolation of the affected SG |
| F2 | Loss of TBV Flow After Isolation of the Affected (or Most Affected) SG | Termination of TBV flow after isolation of the affected SG |
| H | ADV on Unaffected (or Least Affected) SG Fails to Close | Failure to terminate ADV flow from both ADVs on the unaffected SG |
| I1 | MSSV on Unaffected (or Least Affected) SG Fails to Reclose | One MSSV on the unaffected SG fails to reseat or reclose |
| J | ADV on Unaffected (or Least Affected) SG Unavailable | Failure to initiate steam flow through at least one of two ADVs on the unaffected SG. |
| K | ADV on Affected (or Most Affected) SG Unavailable | Failure to initiate steam flow through at least one of two ADVs on the affected SG. |
| L | ADV on Affected (or Most Affected) SG Fails to Close | Failure to terminate ADV flow from both ADVs on the affected SG |
| M1 | MSSV on Affected (or Most Affected) SG Fails to Reclose | One MSSV on the affected SG fails to reseat or reclose. |
| N | Fail to Initiate Auxiliary Spray Flow¹ | Failure to deliver auxiliary spray flow from 1 of 3 charging pumps to the pressurizer. |
| O | Fail to Throttle HPSI | The operator fails to throttle HPSI flow. |
| P1 | Excess Feedwater to Affected (or Most Affected) SG | Excess AFW flow to the affected or most affected SG. |
| Q1 | Fail to Initiate Blowdown from the Affected SG | Fail to initiate blowdown from the affected SG. |
| I2 | MSSV on Least Affected SG Fails to Close on Turbine Trip | One MSSV on the least affected SG fails to reclose following turbine trip. |
| M2 | MSSV on Most Affected SG Fails to Close on Turbine Trip | One MSSV on the most affected SG fails to reclose following turbine trip. |
| E2 | MSIV on Least Affected SG Fails to Close | One of two MSIVs on the least affected SG fails to close on MSIS |
| Q2 | No Blowdown from Most Affected SG | Blowdown isolation valve on most affected SG fails to open. |
| Q3 | No Blowdown from Least Affected SG | Blowdown isolation valve on least affected SG fails to open. |
| Q4 | Fail to Initiate Blowdown | Failure to initiate blowdown from both steam generators. |
| P2 | Excess Feedwater to Least Affected SG | Excess AFW flow to the least affected SG. |
| P3 | Excess Feedwater to Least Affected SG | Excess MFW or AFW flow to least affected SG. |

¹ The use of PORVs as a backup to the Auxiliary Spray System will be addressed in Section 7.2.5.

A  Failure to Deliver Sufficient HPSI flow refers to the delivery of one pump flow to two RCS loops. The fault tree analysis for Failure to Deliver Sufficient HPSI flow (assuming offsite power is available at the time of the initiating event) is presented in Section 6.1.

B  Failure of the Turbine to Trip on reactor trip refers to one flowpath through the turbine remaining open long enough to generate a MSIS on low SG pressure. If one MSIV on the affected SG fails to close, uncontrolled SG blowdown will occur through the turbine. If both MSIVs close successfully, the sudden termination in steam flow will result in a challenge to one MSSV on the affected SG. The probability for Failure to Trip the Turbine is presented in Section 6.6.4.

C1  The TBVs normally quick open following turbine trip to prevent unnecessary opening of the MSSVs. Should the TBVs fail to quick open, a combination of MSSVs with steam flow capacity equal to that of the TBVs will open to relieve SG pressure. The fault tree analysis for TBVs Fail to Quick Open is presented in Section 6.6.

D  Failure of one TBV to reclose following quick open or during cooldown prior to isolation of the affected SG will result in generation of a MSIS. Should one MSIV on the affected SG fail to close, uncontrolled SG blowdown will occur through the Turbine Bypass System. If both MSIVs close successfully, the sudden termination in steam flow will result in a challenge to one MSSV on the affected SG. The fault tree analysis for One TBV Fails to Reclose is presented in Section 6.6.

E1  MSIV on Affected SG Fails to Close refers to one of two MSIVs on SG-2 failing to close on MSIS. The fault tree analysis for MSIV on SG-2 Fails to Close is presented in Section 6.7.

FIGURE 5.2.4.1-1 SGTR IN ONE SG SYSTEMIC EVENT TREE
[Event tree diagram]

*The above minimal core damage sequences are evaluated and discussed in Section 7.2.

Note: Any branches excluded from the above event tree have been eliminated due to logic rules or the frequency cut-off as discussed in Section 2.2.1.

F1  Loss of turbine bypass flow prior to isolation of the affected SG will result in a challenge to one MSSV associated with the affected SG. The fault tree analysis is presented in Section 6.6.

F2  Loss of turbine bypass flow after isolation of the affected SG will eventually result in a challenge to one MSSV associated with the unaffected SG. This is based on the assumption that the isolated SG is in a relatively steady state condition while the sudden termination of steam flow from the unaffected SG results in an upward pressure transient. If the ADVs on the unaffected SG are unavailable (e.g. the operator fails to open at least one ADV), one MSSV on the unaffected SG will open. The fault tree analysis for Loss of TBV Flow After Isolation of the Affected SG is presented in Section 6.6.

H  ADV on Unaffected SG Fails to Close refers to one of the two ADVs associated with SG-1 failing to close after being challenged by a turbine bypass system failure after isolation of the affected SG. The failed open ADV results in a MSIS, however, the MSIS would have no impact on the isolated SG. The fault tree analysis for ADV on SG-1 Fails to Close is presented in Section 6.8.

I1  MSSV on Unaffected SG Fails to Reclose refers to one MSSV on SG-1 failing to close after being challenged on turbine trip (following a TBS failure) or following a failure of the associated ADVs to open. Six MSSVs are assumed to open on SG-1 if the TBVs fail to quick open. If the ADVs are unavailable when required, one MSSV will open. The fault tree analysis is presented in Section 6.9.

J  ADV on Unaffected SG Unavailable refers to failing to open at least one of two ADVs associated with SG-1 in response to a TBS failure following isolation of the affected SG. The fault tree analysis is presented in Section 6.8.

K  ADV on Affected SG Unavailable refers to failing to open at least one of the two ADVs on SG-2 in response to SG overfill conditions. The fault tree analysis is presented in Section 6.8.

L  ADV on Affected SG Fails to Close refers to one of two ADVs on SG-2 failing to close after being challenged by a SG overfill. A failed open ADV on the affected SG results in a direct flowpath for RCS inventory from the primary system to the atmosphere (outside containment LOCA). The fault tree analysis for ADV on SG-2 Fails to Close is presented in Section 6.8.

M1  MSSV on Affected SG Fails to Reclose refers to one MSSV on SG-2 failing to close after being challenged by a failure of the TBVs to quick open or a failure of one ADV on the affected SG to open. Six MSSVs are assumed to open on SG-2 if the TBVs fail to quick open. If the ADVs are unavailable when required, one MSSV will open. A failed open MSSV on the affected SG results in an outside containment LOCA. The fault tree analysis is presented in Section 6.9.

N  Failure to Initiate Auxiliary Spray Flow results in a high primary to secondary pressure ratio which leads to a large integrated leak flow. The failure to deliver auxiliary spray in conjunction with the failure to initiate blowdown from the affected SG results in SG overfill and a challenge to the ADVs. The fault tree analysis for Fail to Initiate Auxiliary Spray Flow (assuming offsite power is available at the time of the initiating event) is presented in Section 6.2.

O  Fail to Throttle HPSI refers to maintaining a relatively high RCS pressure through continued delivery of safety injection near the shutoff head. Failure to Throttle HPSI in conjunction with the failure to initiate blowdown from the affected SG results in SG overfill and a challenge to the ADVs. The probability for Fail to Throttle HPSI is presented in Section 6.1.

P1  Excess feedwater refers to uncontrolled delivery of auxiliary feedwater to SG-2. Excess feedwater in conjunction with failure to initiate blowdown from the affected SG results in SG overfill and a challenge to the ADVs. The fault tree analysis is presented in Section 6.11.

Q1  Fail to Initiate Blowdown from the Affected SG refers to failing to initiate blowdown flow from SG-2. The fault tree analysis is presented in Section 6.12.

5.2.4.2 SGTR in One SG with Coincident LOOP Event Tree

The SGTR in One SG with Coincident Loss of Offsite Power event tree is presented in Figure 5.2.4.2-1. The safety functions are provided by the systems / actions listed in Section 5.2.4.1. For this event tree the accident sequences were filtered using a frequency cutoff of 10⁻¹⁰ per year. Because the initiating event frequency includes the probability of loss of offsite power, it was felt that a cutoff frequency of 10⁻¹⁰ per year rather than 10⁻⁸ per year would provide increased visibility of the significance of the output scenarios obtained from the event tree. The scenarios that lead to potential core damage are presented in Section 7.2.2. The event tree branches used to construct the event tree, SGTR in One SG with Coincident LOOP, are discussed below.

T2  The initiating event is defined as one or more tube ruptures in SG-2 with a coincident loss of offsite power on turbine trip. The initiating event frequency is calculated in Section 4.3.2. It should be noted that for PVNGS a loss of offsite power results in loss of the Turbine Bypass System and loss of the Steam Generator Blowdown System.

A  Failure to Deliver Sufficient HPSI Flow refers to the delivery of one pump flow to two RCS loops. When offsite power is unavailable, the unreliability of the HPSI system becomes a significant contributor (>10%) to the overall system failure probability. Branch A can actually be separated into two distinct failure modes; failure of the system to supply sufficient flow on SIAS and failure of the system to maintain flow. Although the event tree only includes one input branch for the HPSI system, separate uncertainty analyses were performed on the unavailability and the unreliability. Failure of the HPSI system to maintain flow is defined by branch A' in the scenarios presented in Section 7.2.2. The fault tree analysis for Failure to Deliver Sufficient HPSI flow (assuming offsite power is unavailable) is presented in Section 6.1.

FIGURE 5.2.4.2-1 SGTR IN ONE SG WITH COINCIDENT LOOP SYSTEMIC EVENT TREE
[Event tree diagram]

*The above minimal core damage sequences are evaluated and discussed in Section 7.2.

Note: Any branches excluded from the above event tree have been eliminated due to logic rules or the frequency cut-off as discussed in Section 2.2.1.

B  Turbine Fails to Trip on Reactor Trip. See discussion for branch B in Section 5.2.4.1.

E1  MSIV on Affected SG Fails to Close. See discussion for branch E1 in Section 5.2.4.1.

H  ADV on Unaffected SG Fails to Close. For this event tree, the ADVs are opened by the operator to initiate cooldown. A failed open ADV on SG-1 results in a MSIS. The fault tree analysis for ADV on SG-1 Fails to Close is presented in Section 6.8.

I2  MSSV on Unaffected SG Fails to Close on Turbine Trip refers to one MSSV on SG-1 failing to close on turbine trip. Six MSSVs are assumed to open on SG-1 following turbine trip. A subsequently failed open MSSV results in a MSIS. The fault tree analysis is presented in Section 6.9.

J  ADV on Unaffected SG Unavailable refers to failing to open at least one of two ADVs associated with SG-1 when required (initiation of cooldown, following an MSIS to prevent a MSSV from opening). The fault tree analysis for ADV on SG-1 Fails to Open is presented in Section 6.8.

K  ADV on Affected SG Unavailable refers to failing to open at least one of two ADVs on SG-2 in response to a challenge (initiation of cooldown, MSIS, or SG overfill). The fault tree analysis is presented in Section 6.8.

L  ADV on Affected SG Fails to Close refers to one ADV on SG-2 failing to close after being challenged. A failed open ADV on the affected SG results in a direct flowpath for RCS inventory from the primary system to the atmosphere (outside containment LOCA). The fault tree analysis is presented in Section 6.8.

M2  MSSV on Affected SG Fails to Close on Turbine Trip refers to one MSSV on SG-2 failing to close on turbine trip. Six MSSVs are assumed to open on SG-2. For this event tree, branch M1, as defined in Section 5.2.4.1, is separated into branches M1 and M2. The separation of these branches simplifies the logical construction of the event tree, i.e. branch M2 represents the case where the MSSVs open on turbine trip and branch M1 represents all other cases where one MSSV opens only if the associated ADVs are unavailable. The fault tree analysis is presented in Section 6.9.

M1  MSSV on Affected SG Fails to Reclose refers to one MSSV associated with SG-2 failing to close after being challenged by a failure of the ADVs associated with SG-2 to open due to initiation of cooldown, MSIS or SG overfill. A failed open MSSV on the affected SG results in an outside containment LOCA. The fault tree analysis is presented in Section 6.9.

N  Fail to Initiate Auxiliary Spray Flow. See discussion for branch N in Section 5.2.4.1. Since the blowdown system is unavailable, failure to initiate auxiliary spray will result in SG overfill. The fault tree analysis for Fail to Initiate Auxiliary Spray Flow (assuming offsite power is unavailable) is presented in Section 6.2.

O  Fail to Throttle HPSI. See discussion for branch O in Section 5.2.4.1. Since the blowdown system is unavailable, failure to throttle HPSI will result in SG overfill.

P1  Excess Feedwater. See discussion for branch P1 in Section 5.2.4.1. Since the blowdown system is unavailable, excess feedwater will result in SG overfill.

5.2.4.3 SGTR in Two Steam Generators Event Tree

The SGTR in Two Steam Generators Event Tree is presented in Figure 5.2.4.3-1. The safety functions are provided by the systems / actions listed in Section 5.2.4.1. For this event tree the accident sequences were filtered using a frequency cutoff of 10⁻⁸ per year. The scenarios that lead to potential core damage are presented in Section 7.2.3. The event tree model includes the assumption that the operator will be able to define a most affected and a least affected SG. He will isolate the most affected SG and cooldown the plant with the least affected SG. The event tree branches used to construct the event tree, SGTR in Two Steam Generators, are discussed below.

T3  The initiating event is defined as one or more tube ruptures in both steam generators with offsite power available at the time of the initiating event. The initiating event frequency is calculated in Section 4.3.2.

A  Fail to Deliver Sufficient HPSI. See discussion for branch A in Section 5.2.4.1.

B  Failure of the turbine to trip on reactor trip refers to one flowpath through the turbine remaining open long enough to generate a MSIS on low SG pressure. If one MSIV on either the most affected or least affected SG fails to close, uncontrolled SG blowdown will occur through the turbine. If all four MSIVs close successfully, the sudden termination in steam flow will


l 5 *_ FC 23 _af 20 *a_ W n%d

           *The above minimal core damage sequences are evaluated and discussed in 4

Section 7.2. Note: Any branches excluded from the above event tree have been eliminated ! due to logic rules or the frequency cut-off as discussed in Section 2.2.1.

                                                                                         '9 SGTR IN TWO SGs SYSTEMIC EVENT'TRE'E l

l FIGURE 5.2.4.3-1 0 4 5-39 WEWh Td s '_ W. .f D ju i Z O 4 1 8 O e

result in a challenge to one MSSV on the most and least affected steam generators. The probability for Failure to Trip the Turbine is presented in Section 6.6.4.

C1: TBVs Fail to Quick Open. See discussion for branch C1 in Section 5.2.4.1.

D: Failure of One TBV to reclose following quick open or during cooldown prior to isolation of the most affected SG will result in generation of a MSIS. Should one MSIV fail to close, uncontrolled SG blowdown will occur through the Turbine Bypass System. If all four MSIVs close successfully, the sudden termination in steam flow will result in a challenge to one MSSV on each SG. The fault tree analysis is presented in Section 6.6.

E1: MSIV on Most Affected SG Fails to Close. See discussion for branch E3 in Section 5.2.4.1.

E2: MSIV on Least Affected SG Fails to Close refers to one of two MSIVs on SG-1 failing to close on MSIS. The fault tree analysis is presented in Section 6.7.

F1: Loss of turbine bypass flow prior to isolation of the most affected SG will result in a challenge to one MSSV on each SG. The fault tree analysis is presented in Section 6.6.

F2: Loss of turbine bypass flow after isolation of the most affected SG will eventually result in a challenge to one MSSV associated with the least affected SG. This is based on the assumption that the isolated SG is in a relatively steady state condition while the sudden termination in steam flow from the least affected SG results in an upward pressure transient. One ADV on the least affected SG could be opened by the operator (to prevent the MSSV from opening) and fail to close, or if the ADVs were unavailable, one MSSV on the least affected SG would open. The fault tree analysis is presented in Section 6.6.

H: ADV on Least Affected SG Fails to Close refers to one of two ADVs associated with SG-1 failing to close after being challenged by a TBS failure or SG overfill. A failed open ADV on the least affected SG results in a direct flowpath for RCS inventory from the primary system to the atmosphere (outside containment LOCA). The fault tree analysis is presented in Section 6.8.

I1: MSSV on Least Affected SG Fails to Reclose refers to one MSSV on SG-1 failing to close after being challenged by a failure of the TBVs to quick open or a failure of the ADVs on the least affected SG to open. A failed open MSSV on the least affected SG results in an outside containment LOCA. The fault tree analysis is presented in Section 6.9.

J: ADV on Least Affected SG Unavailable. See discussion for branch J in Section 5.2.4.1.

K: ADV on Most Affected SG Unavailable. See discussion for branch K in Section 5.2.4.1.

L: ADV on Most Affected SG Fails to Close. See discussion for branch L in Section 5.2.4.1.

M1: MSSV on Most Affected SG Fails to Reclose. See discussion for branch M1 in Section 5.2.4.1.

N: Failure to Initiate Auxiliary Spray Flow results in a high primary to secondary pressure ratio which leads to a large integrated leak flow to both SGs. The failure to deliver auxiliary spray in conjunction with the failure to initiate blowdown from either or both SGs results in SG overfill and challenges to the ADVs. The fault tree analysis for Fail to Initiate Auxiliary Spray Flow (assuming offsite power is available at the time of the initiating event) is presented in Section 6.2.

O: Fail to Throttle HPSI refers to maintaining a relatively high RCS pressure through continued delivery of safety injection near the shutoff head. Failure to throttle HPSI in conjunction with failure to initiate blowdown from either or both SGs results in SG overfill and challenges to the ADVs. The probability for Fail to Throttle HPSI is presented in Section 6.1.

P1: Excess Feedwater to the Most Affected SG. See discussion for branch P1 in Section 5.2.4.1.

P3: Excess Feedwater to the Least Affected SG refers to uncontrolled delivery of main feedwater or auxiliary feedwater to SG-1. Excess feedwater in conjunction with failure to initiate blowdown from SG-1 results in SG overfill and a challenge to the ADVs on that SG. The fault tree analysis is presented in Section 6.11.

Q2: No Blowdown from Most Affected SG refers to a loss of blowdown flow only from SG-2. (Blowdown can still be initiated from SG-1). This branch includes failure to open the blowdown isolation valve on SG-2. The fault tree analysis is presented in Section 6.12.

Q3: No Blowdown from Least Affected SG refers to a loss of blowdown flow only from SG-1. (Blowdown can still be initiated from SG-2). This branch includes failure to open the blowdown isolation valve on SG-1. The fault tree analysis is presented in Section 6.12.

Q4: Fail to Initiate Blowdown refers to the failure to initiate blowdown from both steam generators. This branch includes only the blowdown system failures which will result in a loss of the entire blowdown system. The fault tree analysis is presented in Section 6.12.

5.2.4.4 SGTR in Two SG with Coincident LOOP Event Tree

The SGTR in Two SG with Coincident Loss of Offsite Power Event Tree is presented in Figure 5.2.4.4-1. The safety functions are provided by the systems/actions listed in Section 5.2.4.1. For this event tree the accident sequences were filtered using a frequency cutoff of 10^-10 per year. Because the initiating event frequency includes the probability of loss of offsite power, it was felt that a cutoff frequency of 10^-10 per year rather than 10^-8 per year would provide increased visibility of the significance of the output scenarios obtained from the event tree. The scenarios that lead to potential core damage are presented in Section 7.2.4. The event tree branches used to construct the event tree, SGTR in Two SG with Coincident LOOP, are discussed below.

T4: The initiating event is defined as one or more tube ruptures in both steam generators with a coincident loss of offsite power on turbine trip. The initiating event frequency is calculated in Section 4.3.2. It should be noted that for PVNGS a loss of offsite power results in loss of the Turbine Bypass System and loss of the Steam Generator Blowdown System.

A: Failure to Deliver Sufficient HPSI. See discussion for branch A in Section 5.2.4.2. Failure of the HPSI system to maintain flow is defined by branch A' in the scenarios presented in Section 7.2.4.

B: Turbine Fails to Trip on Reactor Trip. See discussion for branch B in Section 5.2.4.1.

[Figure 5.2.4.4-1: SGTR in Two SGs with Coincident LOOP Systemic Event Tree]

*The above minimal core damage sequences are evaluated and discussed in Section 7.2.

Note: Any branches excluded from the above event tree have been eliminated due to logic rules or the frequency cut-off as discussed in Section 2.2.1.

E1: MSIV on Most Affected SG Fails to Close. See discussion for branch E in Section 5.2.4.1.

E2: MSIV on Least Affected SG Fails to Close refers to one of the two MSIVs on SG-1 failing to close on MSIS. The fault tree analysis is presented in Section 6.7.

H: ADV on Least Affected SG Fails to Close refers to one ADV associated with SG-1 failing to close after being opened by the operator to initiate cooldown or to prevent a MSSV from opening. A failed open ADV on the least affected SG results in a direct flowpath for RCS inventory from the primary system to the atmosphere (outside containment LOCA). The fault tree analysis is presented in Section 6.8.

I2: MSSV on Least Affected SG Fails to Close on Turbine Trip refers to one MSSV on SG-1 failing to close on turbine trip. Six MSSVs are assumed to open on SG-1. For the event tree, branch I1, as defined in Section 5.2.4.1, is separated into branches I1 and I2. The separation of these branches simplifies the logical construction of the event tree, i.e. branch I2 represents the case where the MSSVs open on turbine trip and branch I1 represents all other cases where one MSSV opens only if the associated ADVs are unavailable. The fault tree analysis is presented in Section 6.9.

I1: MSSV on Least Affected SG Fails to Reclose refers to one MSSV associated with SG-1 failing to close after being challenged by a failure of the ADVs on SG-1 to open due to initiation of cooldown, MSIS or SG overfill. A failed open MSSV on the least affected SG results in an outside containment LOCA. The fault tree analysis is presented in Section 6.9.

J: ADV on Least Affected SG Unavailable. See discussion for branch J in Section 5.2.4.1.

K: ADV on Most Affected SG Unavailable. See discussion for branch K in Section 5.2.4.1.

L: ADV on Most Affected SG Fails to Close. See discussion for branch L in Section 5.2.4.2.

M2: MSSV on Most Affected SG Fails to Close on Turbine Trip. See discussion for branch M2 in Section 5.2.4.2.

M1: MSSV on Most Affected SG Fails to Reclose. See discussion for branch M1 in Section 5.2.4.2.

N: Fail to Initiate Auxiliary Spray Flow. See discussion for branch N in Section 5.2.4.3. The fault tree analysis for Fail to Initiate Auxiliary Spray Flow (assuming offsite power is unavailable) is presented in Section 6.2.

O: Fail to Throttle HPSI. See discussion for branch O in Section 5.2.4.3. Since the blowdown system is unavailable, failure to throttle HPSI will result in SG overfill.

P1: Excess Feedwater to the Most Affected SG. See discussion for branch P1 in Section 5.2.4.1. Since the blowdown system is unavailable, excess feedwater will result in SG overfill.

P2: Excess Feedwater to the Least Affected SG refers to uncontrolled delivery of auxiliary feedwater to SG-1. Since the blowdown system is unavailable, excess feedwater will result in SG overfill. The fault tree analysis is presented in Section 6.11.

5.3 PORV LOCA

Power Operated Relief Valve (PORV) Loss of Coolant Accident (LOCA) as described in this section refers to the uncontrolled release of RCS mass through the PORV. In order for a PORV LOCA to occur and have significant impact on the reactor core integrity the following conditions have to be met:

  • Continuous flow through the PORV
  • Failure of PORV LOCA mitigating systems

During a PORV LOCA, RCS mass is released into the containment through the PORV. This condition results in RCS pressure and inventory decrease in conjunction with simultaneous containment pressure and temperature increase. Failure to terminate RCS mass flow through the PORV and failure to restore or maintain RCS inventory eventually leads to core uncovery and core damage.

5.3.1 Initiating Event

Both the manual and the automatic PORV designs considered feature two 50% capacity PORV flow paths. Each path consists of a motor operated block valve and a PORV. For the manual PORV design, the motor operated block valves and PORVs are closed during power operation. These valves are designed to be opened manually to reduce RCS pressure following a steam generator tube rupture event. These valves are also opened manually to establish a means for alternate decay heat removal following the loss of the preferred heat sink. For the manual PORV design, the PORVs are not designed to minimize challenges to the primary safety valves.

The automatic PORV design features normally opened motor operated block valves and closed PORVs during power operation. In the event of a high RCS pressure transient, the PORVs open automatically to prevent or minimize challenges to the primary safety valves.

The assumed PORV design allows for the valves to be manually opened following a steam generator tube rupture event or loss of the preferred secondary heat sink event. In addition to procedural and automatic opening of the valves, there is also the possibility that the valves can open inadvertently. Therefore, the PORV LOCA initiating event refers to the opening of either or both PORV flow paths and the inability to terminate flow through the path(s) when required. Included in this definition are the operator actions necessary to close either the block valve or the PORV in each path. Based on the assumed designs of the PORV and the definition for PORV LOCA, a fault tree was developed and evaluated to determine the occurrence frequency for each condition that can cause the PORV flow path to be open. The fault tree analysis is presented in Section 6.4.

5.3.2 Normal Sequence of Events

PORV LOCA is characterized by depressurization of the RCS which leads to a reactor trip, if the reactor has not been tripped by other parameters. Continued depressurization of the RCS causes the HPSI pumps to actuate, take suction from the refueling water tank and discharge to the RCS loops. When containment pressure reaches the high-high setpoint, the containment spray pumps start and also take suction from the refueling water tank and discharge to the containment atmosphere. Upon depletion of the refueling water tank inventory, the suctions of the HPSI and containment spray pumps are realigned to the containment sump to continue cooldown of the primary system.

Immediately after the reactor and turbine trip, the turbine bypass valves open to relieve secondary steam and cool the steam generator. If the turbine bypass valves are not available, steam generator cooling can be accomplished by utilizing the atmospheric dump valves or the main steam safety valves. Feedwater to the steam generator is maintained by the MFW System which ramps back to 5% of its flow capacity upon reactor trip. Should 5% main feedwater become unavailable, the AFW System is actuated to maintain feedwater delivery to the steam generators.

Table 5.3.2-1 presents a summary of the normal sequence of events for PORV LOCA from the initiating event until shutdown cooling entry conditions are reached.

TABLE 5.3.2-1 NORMAL SEQUENCE OF EVENTS FOR PORV LOCA

1. PORV LOCA
2. Reactor / Turbine Trip on Low Pressurizer Pressure
3. Steam Bypass Control System opens the TBVs, if the steam generators are available
4. Actuation of the HPSI System by the SIAS
5. Actuation and delivery of AFW flow, if the steam generators are available
6. Actuation of the Containment Spray System by the CSAS
7. Realign suction of the HPSI and containment spray pumps to containment sump to initiate and maintain recirculation
8. When the TBVs become unavailable, continue secondary side cooldown with the ADVs, if the steam generators are available
9. Shutdown cooling entry conditions reached.


5.3.3 Functional Event Trees

There are three events which cause or result in the opening of the PORVs and their associated block valves. These events are inadvertent or transient induced opening of the PORV flow path, manual opening of the PORV flow paths following a loss of the preferred secondary heat sink, and manual opening of either PORV flow path following a steam generator tube rupture event. Each type of PORV LOCA initiating event requires that functional elements be satisfied or maintained in order to preclude core uncovery and damage. Certain functional elements are common to all PORV LOCA initiating events while others are unique to a particular PORV LOCA initiating event. Therefore, three functional event trees were developed to reflect the three different types of PORV LOCA initiating events.

PORV LOCA is characterized by depressurization of the RCS. Therefore, by nature of a PORV LOCA the RCS Pressure Control Safety Function is not challenged or threatened. The other four anti-core melt safety functions are required to be satisfied or maintained following a PORV LOCA in order to preclude core uncovery and damage.

5.3.3.1 PORV LOCA Following Loss of Secondary Heat Sink Functional Event Tree

The functional event tree for PORV LOCA following loss of the preferred secondary heat sink is presented in Figure 5.3.3.1-1. Table 5.3.3.1-1 identifies the functional elements which are used as intermediaries to correlate the five anti-core melt safety functions (32) to specific plant systems or actions required to mitigate a PORV LOCA following the loss of secondary heat sink. In this functional event tree both steam generators are unavailable.

System interactions and system availability provide the bases for the general assumptions that were used to develop the functional event tree. The general assumptions used are as follows:

FIGURE 5.3.3.1-1 PORV LOCA FOLLOWING LOSS OF SECONDARY HEAT SINK FUNCTIONAL EVENT TREE

[Event tree headings: Initiating Event (PORV LOCA w/LOHS); Reactivity Control (Reactor Trip); RCS Inventory Control (Inventory Makeup); RCS Pressure Control (None); Core Heat Removal (Forced Circulation); RCS Heat Removal (Containment Heat Removal). Sequences numbered 1 through 7.]

TABLE 5.3.3.1-1 PORV LOCA FOLLOWING LOSS OF SECONDARY HEAT SINK FUNCTIONAL EVENT TREE CONSIDERATIONS

SAFETY FUNCTION          FUNCTIONAL ELEMENTS         ASSOCIATED SYSTEMS/ACTIONS
Reactivity Control       Reactor Trip                Reactor Trip (1)
RCS Inventory Control    Inventory Make-up           High Pressure Safety Injection
RCS Pressure Control     None                        PORV LOCA is characterized by depressurization of the RCS. Therefore, RCS Pressure Control is not challenged.
Core Heat Removal        Forced Circulation          High Pressure Recirculation
RCS Heat Removal         Containment Heat Removal    Containment Sprays

(1) ATWS is not considered in the scope of this evaluation

1. PORVs open to their full position, fail to close when required and result in uncontrolled bleeding of the primary system.
2. Partial opening of either PORV in response to LOHS leads to core damage. This sequence is addressed in Section 5.1.4.2.
3. Successful operation of high pressure recirculation is conditional on successful operation of high pressure injection.

Based on the above assumptions, the functional accident sequences for PORV LOCA following loss of secondary heat sink (Refer to Figure 5.3.3.1-1) are as follows:

Sequence 1: The core is protected. All anti-core melt safety functions are satisfied or maintained; therefore core uncovery and damage do not occur.

Sequence 2: In this sequence, high pressure injection and recirculation are maintained prior to containment cooling failure. Loss of containment cooling results in containment temperature and pressure increases but the increases are not severe enough to cause containment failure. Therefore, the core is not threatened.

Sequence 3: In this sequence, high pressure injection and containment cooling are accomplished but high pressure recirculation is not accomplished. The inability to accomplish high pressure recirculation prevents circulation of reactor coolant flow through the core to remove core heat. Therefore, this accident sequence will result in core uncovery and damage.

Sequence 4: In this sequence high pressure injection is maintained. However, high pressure recirculation and containment cooling are unavailable. The inability to accomplish high pressure recirculation inhibits removal of core heat. Therefore this sequence will result in core uncovery and damage.

Sequence 5: In this sequence containment cooling is maintained but high pressure injection is unavailable. Because high pressure recirculation is conditional on successful high pressure injection, high pressure recirculation will also be lost. Failure to provide high pressure injection leads to core uncovery and damage.

Sequence 6: In this sequence high pressure injection and containment cooling are not maintained. High pressure recirculation will also be lost because of the conditionality on successful high pressure injection. This sequence leads to core uncovery and damage.

Sequence 7: As discussed in Section 2.2.1.1, ATWS is not considered in this program.

5.3.3.2 PORV LOCA Following Steam Generator Tube Rupture - Functional Event Tree

The functional event tree for PORV LOCA following steam generator tube rupture is presented in Figure 5.3.3.2-1. Table 5.3.3.2-1 identifies the functional elements which are used as intermediaries to correlate the five anti-core melt safety functions (32) to specific plant systems or actions required to mitigate a PORV LOCA following steam generator tube rupture. In this functional event tree the intact steam generator is available to remove heat from the RCS.

[Figure 5.3.3.2-1: PORV LOCA Following Steam Generator Tube Rupture Functional Event Tree; sequences numbered 1 through 7]

TABLE 5.3.3.2-1 PORV LOCA FOLLOWING SGTR FUNCTIONAL EVENT TREE CONSIDERATIONS

SAFETY FUNCTION          FUNCTIONAL ELEMENTS         ASSOCIATED SYSTEMS/ACTIONS
Reactivity Control       Reactor Trip                Reactor Trip (1)
RCS Inventory Control    Inventory Make-up           High Pressure Safety Injection
RCS Pressure Control     None                        PORV LOCA is characterized by depressurization of the RCS. Therefore, RCS Pressure Control is not challenged.
Core Heat Removal        Forced Circulation          High Pressure Recirculation
RCS Heat Removal         Containment Heat Removal    Containment Sprays
                         SG (Intact) Inventory       5% Main Feedwater; Auxiliary Feedwater
                         SG (Intact) Pressure        This functional element is addressed in Section 5.2.

(1) ATWS is not considered in the scope of this evaluation

System interactions and system availability provide the bases for the general assumptions that were used to develop the functional event tree. The general assumptions used are as follows:

1. Successful operation of high pressure recirculation is conditional on successful operation of high pressure injection.
2. Uncontrolled secondary pressure decrease leads to core uncovery and damage. This sequence is discussed in Section 5.2.3.

Based on the above assumptions, the functional accident sequences for PORV LOCA following steam generator tube rupture are as follows:

Sequence 1: The core is protected. All anti-core melt safety functions are satisfied or maintained; therefore, core uncovery and damage do not occur.

Sequence 2: In this sequence, high pressure injection and recirculation are maintained. The intact steam generator inventory is not maintained in addition to containment cooling. The combined failures result in containment temperature and pressure increases in addition to a large pressure differential between the RCS and the affected steam generator that supports continued leak flow. The continued leak flow will eventually cause the core to uncover and subsequently core damage will occur.

Sequence 3: In this sequence high pressure injection, containment cooling, and delivery of inventory to the intact steam generator are accomplished; however, high pressure recirculation is unavailable. The inability to accomplish high pressure recirculation prevents circulation of reactor coolant flow through the core to remove core heat. Therefore, this accident sequence will result in core uncovery and damage.

Sequence 4: In this sequence high pressure injection is maintained. However, inventory to the intact steam generator, containment cooling, and high pressure recirculation are unavailable. The inability to accomplish high pressure recirculation inhibits removal of core heat. The inability to provide inventory to the intact steam generator inhibits rapid RCS cooldown which causes a large pressure differential between the RCS and the affected steam generator. This condition will continue to support loss of RCS inventory outside the containment and will eventually cause the core to become uncovered and subsequent core damage will occur.

Sequence 5: In this sequence containment cooling and delivery of inventory to the intact steam generator are maintained; however, high pressure injection is unavailable. Because high pressure recirculation is conditional on successful high pressure injection, high pressure recirculation will also be lost. Failure to provide high pressure injection leads to core uncovery and damage.

Sequence 6: In this sequence high pressure injection, containment cooling, and delivery of inventory to the intact steam generator are not maintained. High pressure recirculation will also be lost because of the conditionality on successful high pressure injection. This sequence leads to core uncovery and damage.

Sequence 7: As discussed in Section 2.2.1.1, ATWS is not considered in the scope of this program.
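The seven functional sequences listed for the LOHS and SGTR cases follow mechanically from the tree headings and the conditionality assumption on high pressure recirculation. The sketch below is an added example, not code or data from the report: it enumerates the sequences in figure order, classifies each outcome, and applies a frequency cutoff. The heading names, the `build_tree` helper and every probability value are assumptions constructed for illustration.

```python
"""Functional event tree for a PORV LOCA: enumerate, classify, quantify."""
from dataclasses import dataclass

# Headings in the left-to-right order of the functional event tree figures.
# RCS pressure control is omitted: it is not challenged by a PORV LOCA.
HEADINGS = ("reactor_trip", "hp_injection", "hp_recirculation", "rcs_heat_removal")

# Constructed values for illustration only; none are taken from the report.
INIT_FREQ = 1e-2  # initiating events per year
FAIL_PROB = {"reactor_trip": 1e-7, "hp_injection": 1e-4,
             "hp_recirculation": 2e-3, "rcs_heat_removal": 1e-3}


@dataclass(frozen=True)
class Sequence:
    number: int       # numbered top to bottom, as in the figures
    failed: tuple     # headings failed or lost on this path
    outcome: str
    frequency: float  # per year


def _paths(idx=0, state=()):
    """Yield branch paths as tuples of (heading, status), success branch first."""
    if idx == len(HEADINGS):
        yield state
        return
    heading = HEADINGS[idx]
    if heading == "hp_recirculation" and dict(state)["hp_injection"] == "failed":
        # Conditionality assumption: no branch point, recirculation is lost.
        yield from _paths(idx + 1, state + ((heading, "lost"),))
        return
    for status in ("ok", "failed"):
        path = state + ((heading, status),)
        if heading == "reactor_trip" and status == "failed":
            yield path  # ATWS: out of scope, so the path is not developed
        else:
            yield from _paths(idx + 1, path)


def _outcome(status, heat_loss_damages_core):
    if status["reactor_trip"] == "failed":
        return "ATWS (not considered)"
    if status["hp_injection"] != "ok" or status["hp_recirculation"] != "ok":
        return "core damage"
    if status["rcs_heat_removal"] == "failed" and heat_loss_damages_core:
        return "core damage"
    return "core protected"


def build_tree(init_freq, fail_prob, heat_loss_damages_core, cutoff=0.0):
    """Return the sequences whose frequency is at or above the cutoff.

    heat_loss_damages_core is False for the LOHS tree (Sequence 2 leaves the
    core unthreatened) and True for the SGTR tree (continued leak flow).
    """
    kept = []
    for number, path in enumerate(_paths(), start=1):
        freq = init_freq
        for heading, status in path:
            if status == "failed":
                freq *= fail_prob[heading]
            elif status == "ok":
                freq *= 1.0 - fail_prob[heading]
            # "lost" is a certain consequence, so it contributes no factor
        if freq >= cutoff:
            failed = tuple(h for h, s in path if s != "ok")
            kept.append(Sequence(number, failed,
                                 _outcome(dict(path), heat_loss_damages_core), freq))
    return kept


def core_damage_sequences(tree):
    return [seq.number for seq in tree if seq.outcome == "core damage"]


if __name__ == "__main__":
    for label, flag in (("LOHS", False), ("SGTR", True)):
        print(label)
        for seq in build_tree(INIT_FREQ, FAIL_PROB, flag):
            print(f"  {seq.number}: {seq.outcome:22s} {seq.frequency:.3e}/yr {seq.failed}")
```

With these constructed inputs a cutoff of 1e-8 per year screens out Sequences 6 and 7, while 1e-10 per year keeps all seven, which is the visibility trade-off behind the lower cutoff chosen for the coincident LOOP tree.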

5.3.3.3 Spurious or Transient Induced PORV LOCA Functional Event Tree

The functional event tree for inadvertent PORV LOCA is presented in Figure 5.3.3.3-1. Table 5.3.3.3-1 identifies the functional elements which are used as intermediaries to correlate the five anti-core melt safety functions (32) to specific plant systems or actions required to mitigate a spurious or a transient induced PORV LOCA. In this functional event tree, both steam generators are available to remove heat from the RCS.

Successful operation of high pressure recirculation is conditional on successful operation of high pressure injection.

Based on the above assumptions, the functional accident sequences for spurious or transient induced PORV LOCA are as follows:

Sequence 1: The core is protected. All anti-core melt safety functions are satisfied or maintained; therefore core uncovery and damage do not occur.

Sequence 2: In this sequence, high pressure injection and recirculation are maintained. Steam generator inventory is not maintained and steam generator pressure is not controlled in addition to containment cooling failure. The combined failures result in containment temperature and pressure increases but the increases are not severe enough to cause containment failure.

Sequence 3: In this sequence high pressure injection, containment cooling, delivery of inventory to the steam generators and steam generator pressure control are accomplished; however, high pressure recirculation is unavailable. The inability to accomplish high pressure recirculation prevents circulation of reactor coolant flow through the core to remove core heat. Therefore, this accident sequence will result in core uncovery and damage.

FIGURE 5.3.3.3-1 SPURIOUS OR TRANSIENT INDUCED PORV LOCA FUNCTIONAL EVENT TREE

[Event tree headings: Initiating Event (Spurious PORV LOCA); Reactivity Control (Reactor Trip); RCS Inventory Control (Inventory Makeup); RCS Pressure Control (None); Core Heat Removal (Forced Circulation); RCS Heat Removal (including SG Inventory and SG Pressure). Sequences numbered 1 through 7.]

TABLE 5.3.3.3-1
SPURIOUS OR TRANSIENT INDUCED PORV LOCA FUNCTIONAL EVENT TREE CONSIDERATIONS

SAFETY FUNCTION | FUNCTIONAL ELEMENTS | ASSOCIATED SYSTEMS/ACTIONS
Reactivity Control | Reactor Trip | Reactor Trip
RCS Inventory Control | Inventory Makeup | High Pressure Safety Injection
RCS Pressure Control | None | PORV LOCA is characterized by depressurization of the RCS. Therefore, RCS Pressure Control is not challenged.
Core Heat Removal | Forced Circulation | High Pressure Recirculation
RCS Heat Removal | Containment Heat Removal | Containment Sprays
RCS Heat Removal | SG Inventory | 5% Main Feedwater; Auxiliary Feedwater
RCS Heat Removal | SG Pressure | Bypass Steam to Main Condenser; Dump Steam to Atmosphere

(1) ATWS is not considered in the scope of this evaluation.

Sequence 4

In this sequence high pressure injection is maintained. However, steam generator inventory, steam generator pressure, high pressure recirculation, and containment cooling are unavailable. The inability to accomplish high pressure recirculation inhibits removal of core heat. Therefore, this sequence will result in core uncovery and damage.

Sequence 5

In this sequence containment cooling, delivery of inventory to the steam generators and steam generator pressure control are accomplished; however, high pressure injection is unavailable. Because high pressure recirculation is conditional on successful high pressure injection, high pressure recirculation will also be lost. Failure to provide high pressure injection leads to core uncovery and damage.

Sequence 6

In this sequence high pressure injection, containment cooling, steam generator inventory, and steam generator pressure are not maintained. High pressure recirculation will also be lost because of the conditionality on successful high pressure injection. This sequence leads to core uncovery and damage.

Sequence 7

As discussed in Section 2.2.1.1, ATWS is not considered in the scope of this program.

5.3.4 Systemic Event Trees

Three PORV LOCA systemic event trees were developed and constructed to represent the specific plant system response to the different types of PORV LOCA defined in Section 5.3.1. Each event tree was constructed by incorporating, as event tree branch headings, the systems/actions required to mitigate PORV LOCA. Event tree branch headings are placed in the approximate chronological order that they will be called upon following a PORV LOCA, and interdependencies between event tree branches are logically incorporated. Table 5.3.4-1 defines the event tree branches and associated failure criteria that are used as input to the event trees. Fault tree results for each branch are presented in Section 6.0.

5.3.4.1 PORV LOCA Following Loss of Secondary Heat Sink Event Tree

The event tree for PORV LOCA Following Loss of Secondary Heat Sink is presented in Figure 5.3.4.1-1. As shown in Table 5.3.3.1-1, the system/action associated with RCS Inventory Control is high pressure safety injection; with Core Heat Removal is high pressure recirculation; and with RCS Heat Removal are containment sprays. These systems are used as the branch headings for the event tree.

The event tree branch headings are discussed as follows:

P1  The initiating event is defined as the frequency of manually opening both PORV flow paths following a loss of secondary heat sink times the probability that the flow paths are not isolated to prevent uncontrolled depressurization of the RCS. The frequency of the initiating event was determined by fault tree analysis which is presented in Section 6.4.

A  Failure to deliver sufficient HPSI flow is defined as failure to provide flow to the RCS loops by at least one of three high pressure pumps that take suction from the refueling water tank. Additional description of the HPSI System and the fault tree results are given in Section 6.1.

TABLE 5.3.4-1
PORV LOCA EVENT TREE BRANCH DEFINITIONS

Branch Designation | Branch Title | Failure Criteria
P1 | Initiating Event | PORV LOCA following loss of secondary heat sink
P2 | Initiating Event | PORV LOCA following steam generator tube rupture in one steam generator
P3 | Initiating Event | Spurious opening of either PORV flowpath
P4 | Initiating Event | Transient induced opening of both PORV flowpaths
A | Failure to Deliver Sufficient HPSI Flow | Failure to provide flow to the RCS from at least 1 of 3 high pressure pumps, taking suction from the RWT
S1 | Failure to Provide Containment Cooling | Failure to provide flow from at least 1 of 2 containment spray pumps into the containment atmosphere
R | Failure to Achieve High Pressure Recirculation | Failure to provide flow to the RCS from at least 1 of 2 high pressure pumps, taking suction from the containment sump
Z1 | Failure to Deliver 5% Main Feedwater to 1 Steam Generator | Failure to provide cooling to the intact steam generator via 5% main feedwater
Z2 | Failure to Deliver 5% Main Feedwater | Failure to provide cooling to either steam generator via 5% main feedwater
G1 | Failure to Deliver Auxiliary Feedwater Flow | Failure to automatically deliver AFW flow from at least one AFW pump to either steam generator
G2 | Failure to Deliver Auxiliary Feedwater to 1 Steam Generator | Failure to provide cooling to the intact steam generator by at least 1 of 2 auxiliary feedwater pumps
C2 | Failure to Open TBVs | Failure to control steam generator pressure by not opening at least 1 of 8 turbine bypass valves
W2 | Failure to Open MSSVs | Failure to control steam generator pressure by not opening at least 1 of 10 MSSVs associated with each steam generator
T | Failure to Open ADVs | Failure to control steam generator pressure by not opening at least 1 of 4 ADVs

[FIGURE 5.3.4.1-1: PORV LOCA FOLLOWING LOSS OF SECONDARY HEAT SINK SYSTEMIC EVENT TREE. Initiating event P1; branch headings A, S1, R; six sequences, each with a sequence combination code.]

The above minimal core damage sequences are evaluated and discussed in Section 7.3.

Note: Any branches excluded from the above event tree have been eliminated due to logic rules or the frequency cut-off as discussed in Section 2.2.1.

S1  Failure to provide containment cooling refers to the inability to provide containment spray and to remove thermal energy from the containment atmosphere. Containment spray is provided by the Containment Spray System. Additional information on the Containment Spray System along with the fault tree results are given in Section 6.3.

R  Failure to achieve high pressure recirculation refers to inability to provide flow to the RCS loops by at least one of two high pressure pumps that take suction from the containment sump. Additional information on high pressure recirculation and the fault tree results are given in Section 6.1.

5.3.4.2 PORV LOCA Following Steam Generator Tube Rupture Event Tree

The event tree for PORV LOCA Following Steam Generator Tube Rupture is presented in Figure 5.3.4.2-1. As shown in Table 5.3.3.2-1, the system/action associated with RCS Inventory Control is high pressure safety injection; with Core Heat Removal is high pressure recirculation; and with RCS Heat Removal are containment sprays and feedwater to the intact steam generator. These systems are used as the branch headings for the event tree.

The event tree branch headings are discussed as follows:

P2  The initiating event is defined as the frequency of manually opening either PORV flow path following a tube rupture in one steam generator times the probability that the flow path is not isolated to prevent uncontrolled depressurization of the RCS. The frequency of the initiating event was determined by fault tree analysis which is presented in Section 6.4.

[FIGURE 5.3.4.2-1: PORV LOCA FOLLOWING SGTR SYSTEMIC EVENT TREE. Initiating event P2; branch headings A, Z1, G2, S1, R; sixteen sequences, each with a sequence combination code.]

The above minimal core damage sequences are evaluated and discussed in Section 7.3.

Note: Any branches excluded from the above event tree have been eliminated due to logic rules or the frequency cut-off as discussed in Section 2.2.1.

A  Failure to deliver sufficient HPSI flow. See discussion for branch heading A given in Section 5.3.4.1.

Z1  Failure to deliver 5% main feedwater to the intact steam generator is defined as the inability of the Main Feedwater System to ramp back to provide 5% flow to the steam generator with no tube rupture. Additional information on the Main Feedwater System is presented in Section 6.10.

G2  Failure to deliver auxiliary feedwater to the intact steam generator refers to the inability of the auxiliary feedwater system to provide flow for cooling the steam generator with no tube rupture. Once 5% main feedwater becomes unavailable, feedwater for cooling the intact steam generator is provided by the auxiliary feedwater system. The delivery of auxiliary feedwater continues until shutdown cooling entry conditions are met. The auxiliary feedwater system failure probability was determined by fault tree analysis. The fault tree model includes the unavailability of the steam generator with the tube rupture and only the automatic actions needed to deliver auxiliary feedwater to the intact steam generator. Additional information on the Auxiliary Feedwater System and the fault tree results are given in Section 6.11.

S1  Failure to provide containment cooling. See discussion for branch heading S1 given in Section 5.3.4.1.

R  Failure to achieve high pressure recirculation. See discussion for branch heading R given in Section 5.3.4.1.

5.3.4.3 Spurious or Transient Induced PORV LOCA Event Tree

The event tree for Spurious or Transient Induced PORV LOCA is presented in Figure 5.3.4.3-1. As shown in Table 5.3.3.3-1, the system/action associated with RCS Inventory Control is high pressure safety injection; with Core Heat Removal is high pressure recirculation; and with RCS Heat Removal are containment sprays, 5% main and auxiliary feedwater and dumping steam to the condenser or to the atmosphere. These systems/actions are used as the branch headings for the event tree.

[FIGURE 5.3.4.3-1: SPURIOUS OR TRANSIENT INDUCED PORV LOCA SYSTEMIC EVENT TREE. Initiating event P3; branch headings A, Z2, G1, C2, W2, T, S1, R; twenty-nine sequences, each with a sequence combination code.]

The above minimal core damage sequences are identical for Spurious PORV LOCA and Transient Induced PORV LOCA. These sequences are evaluated and discussed in Section 7.3.

Note: Any branches excluded from the above event tree have been eliminated due to logic rules or the frequency cut-off as discussed in Section 2.2.1.

The event tree branch headings are discussed as follows:

P3  The initiating event is defined as the frequency of error induced or spurious openings of either PORV flow path times the probability that the affected flow path is not isolated to prevent uncontrolled depressurization of the RCS. The frequency of the initiating event was determined by fault tree analysis which is presented in Section 6.4.

P4  The initiating event is defined as the frequency of high RCS pressure transient induced openings of the PORV flowpaths times the probability that the flowpaths are not isolated to prevent uncontrolled depressurization of the RCS. The frequency of the initiating event was determined by fault tree analysis which is presented in Section 6.4.

A  Failure to deliver sufficient HPSI flow. See discussion for branch heading A given in Section 5.3.4.1.

Z2  Failure to deliver 5% main feedwater is defined as the inability of the MFW System to ramp back to provide 5% flow to either steam generator. Additional information on the Main Feedwater System is presented in Section 6.10.

G1  Failure to deliver auxiliary feedwater refers to the inability of the AFW System to provide flow for cooling either steam generator. Once 5% main feedwater, the preferred source, becomes unavailable, the Auxiliary Feedwater System provides feedwater for cooling either steam generator so that shutdown cooling entry conditions can be achieved. The AFW System failure probability was determined by fault tree analysis. The fault tree model includes only the automatic actions needed to deliver auxiliary feedwater. Additional information on the AFW System and the fault tree results are given in Section 6.11.

C2  Failure to open the turbine bypass valves refers to not opening at least one of the turbine bypass valves to relieve secondary steam. This system is used as the preferred system for removing secondary steam to enhance RCS cooldown. The system failure probability was determined by fault tree analysis. Additional system information and fault tree results are given in Section 6.6.

W2  Failure to open the main steam safety valves refers to not opening at least one of the ten safety valves associated with each steam generator. If the turbine bypass valves are unavailable, the main steam safety valves would open and reclose to relieve secondary steam but prevent overcooling of the RCS. The failure probability for opening one of nine valves in each bank is presented in Section 6.9.

T  Failure to open the atmospheric dump valves refers to not opening at least one of the four atmospheric dump valve flow paths to relieve secondary steam to the atmosphere. The atmospheric dump valves are used to dump secondary steam to the atmosphere when the turbine bypass valves are unavailable. The system failure probability was determined by fault tree analysis with the results and additional system information presented in Section 6.8.

S1  Failure to provide containment cooling. See discussion for branch heading S1 given in Section 5.3.4.1.

R  Failure to achieve high pressure recirculation. See discussion for branch heading R given in Section 5.3.4.1.
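The seven functional sequences of Section 5.3.3.3 follow mechanically from the heading order and the rule that high pressure recirculation is conditional on high pressure injection. The Python sketch below is an added example, not part of the report; the heading keys, the end-state labels and the treatment of Sequence 2 as "no core damage" are assumptions of the example.

```python
"""Regenerate the functional event tree of Section 5.3.3.3 from its headings.

Added illustration: heading keys, rule encoding and end-state labels are
names chosen for this example, not identifiers taken from the report.
"""
from dataclasses import dataclass

# Headings in the order the tree resolves them. RCS Pressure Control is
# omitted because the report lists no functional element for it ("None").
# "rcs_heat_removal" lumps containment cooling, SG inventory and SG pressure,
# which succeed or fail together in the functional sequence descriptions.
HEADINGS = ["reactor_trip", "hp_injection", "hp_recirculation", "rcs_heat_removal"]


@dataclass(frozen=True)
class Sequence:
    number: int
    failed: tuple    # every failed heading, whether asked or implied
    implied: tuple   # failures forced by a dependency rule, never asked
    end_state: str


def branch_options(heading, failed):
    """Outcomes (True = success) developed at a heading; None stops the tree."""
    if "reactor_trip" in failed:
        return None          # ATWS is outside the scope of the study
    if heading == "hp_recirculation" and "hp_injection" in failed:
        return [False]       # recirculation is conditional on injection
    return [True, False]     # success branch first, as in the figure


def end_state(failed):
    if "reactor_trip" in failed:
        return "ATWS (not considered)"
    if "hp_injection" in failed or "hp_recirculation" in failed:
        return "core uncovery and damage"
    # Sequence 2 (heat removal lost, containment not failed) is treated as
    # no core damage here; that reading is an assumption of this example.
    return "no core damage"


def enumerate_sequences():
    """Walk the tree depth-first and number the sequences top to bottom."""
    sequences = []

    def walk(index, failed, implied):
        options = None
        if index < len(HEADINGS):
            options = branch_options(HEADINGS[index], failed)
        if options is None:
            sequences.append(Sequence(len(sequences) + 1, tuple(failed),
                                      tuple(implied), end_state(failed)))
            return
        forced = len(options) == 1
        for ok in options:
            heading = HEADINGS[index]
            walk(index + 1,
                 failed if ok else failed + [heading],
                 implied + [heading] if forced else implied)

    walk(0, [], [])
    return sequences


if __name__ == "__main__":
    for seq in enumerate_sequences():
        failed = ", ".join(seq.failed) or "none"
        print(f"Sequence {seq.number}: failed = {failed}; {seq.end_state}")
```
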


5.4 OTHER CORE MELT SEQUENCES

The NRC questions (see Appendix A) focused on the initiating events and subsequent event sequences that the staff considered to be most relevant to the PORV issue. These events are loss of heat sink, steam generator tube rupture and PORV LOCA. The questions additionally request that consideration be given to ATWS, PTS and other accident sequences for which PORVs may provide a benefit. A qualitative discussion of ATWS and PTS appears in the main body of this report (28).

In order to investigate the other accident sequences for which PORVs may provide a benefit, a survey method was used. Specifically, the preliminary results of the Calvert Cliffs Unit 1 IREP Study (H) were reviewed with the intention of identifying core melt sequences that could be mitigated or prevented by incorporating feed and bleed capability, and that are not covered in the event trees of Sections 5.1, 5.2, and 5.3.

The conclusion of the IREP review is that of the eleven dominant sequences identified by IREP, seven are not relevant to the PORV issue (these involve large and small LOCA and small-small LOCA with failure to trip) and four are relevant to the PORV issue and are covered by the event trees of Sections 5.1, 5.2, and 5.3. No relevant dominant sequences were found to have been overlooked. Section 7.4 contains the detailed sequence descriptions.

1089b(83G13)bt-1

6.0 SYSTEM ANALYSIS

The following sections contain the results of all fault tree analyses and probabilistic evaluations that were used as input to the systemic event trees for Loss of Secondary Heat Sink, Steam Generator Tube Rupture and PORV LOCA.

Efforts were made to maintain consistent levels of detail in the fault tree models. There was an attempt to keep failures modelled at the component level; however, occasionally it was required to expand the fault trees to sufficient levels of detail to include distinct failure modes for major components (e.g. HPSI pump fails to start and HPSI pump fails to operate) and to include auxiliary system failures. Specifically, the Electrical Distribution System, the Instrument Air System, and the Cooling Water Systems were addressed and included in a uniform manner throughout the system fault tree analyses.

In performing the fault tree analyses, a number of general groundrules were formulated to further standardize the models. The analyses did not consider the following:

1. Failures resulting from the environment created by the initiating events.
2. Common cause failures of more than one piece of equipment based on common location.
3. Failures caused by external events such as floods, lightning, tornadoes or earthquakes.
4. Spurious closure of normally open valves, unless they are fail-closed valves.
5. Spurious opening of normally closed valves, unless they are fail-open valves.
6. Sabotage.

Whenever possible, plant specific operating procedures were used to support development and construction of the fault tree logic diagrams.

All analyses are categorized by system for organizational efficiency; however, when applicable the sections include multiple fault trees developed at the system functional level for various modes of system operation. Also included in each systemic section is a system description and schematic, a support system dependency diagram, a list of assumptions specific to the fault tree models developed for the particular system, a table of results and a table of dominant cutsets for each fault tree model.

The quantitative results of the fault tree analyses are presented as confidence distributions in terms of median values and error factors. Typically, the dominant mode of system failure was the unavailability (the probability that a system will not respond on demand). The unreliability of a system required to operate for a period of time following a transient is included in the results only if the unreliability was found to be a significant (>10%) contributor to the overall system failure probability.

It should be noted that the support system dependency diagrams presented in Sections 6.1 - 6.16 include onsite and offsite sources of non-class 1E AC power as separate support systems in order to provide increased visibility of the support systems available for operation of both safety and normally operating plant systems. An arrow drawn from one source of AC power to the next represents the logical sequence of AC power available to the system. The arrow could also be interpreted as a logical AND gate, i.e., the power supplies connected by an arrow provide normal and backup AC power to the system and both sources must be unavailable to cause system failure.

A terminated line drawn from a support system indicates that the particular support system is not a valid requirement of any of the operating modes of the specific plant system being addressed.
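Added example, not part of the report: median and error-factor arithmetic for a sequence read as an initiating event times its failed branches (for example P1-S1R). It assumes independent lognormal distributions and a success probability of about 1 on the remaining branches, takes the error factor as the 95th to 50th percentile ratio defined in Section 6.1.3, and uses constructed input values only.

```python
"""Median / error-factor arithmetic for one event tree sequence.

Added illustration. Lognormal distributions and independence between terms
are assumptions of this example; every number below is constructed and is
not a result from the report.
"""
import math

Z95 = 1.6448536269514722  # 95th percentile of the standard normal


def sigma(error_factor):
    """Log-space standard deviation implied by EF = 95th / 50th percentile."""
    if error_factor < 1.0:
        raise ValueError("error factor must be >= 1")
    return math.log(error_factor) / Z95


def summary(median, error_factor):
    """5th percentile, median, 95th percentile and mean of one quantity."""
    s = sigma(error_factor)
    return {
        "p05": median / error_factor,
        "median": median,
        "p95": median * error_factor,
        # The mean of a lognormal always sits above its median.
        "mean": median * math.exp(s * s / 2.0),
    }


def sequence_product(terms):
    """Combine (median, error_factor) pairs for a product of terms.

    For independent lognormals the medians multiply and the log-space
    variances add, so the product is again lognormal.
    """
    log_median = 0.0
    variance = 0.0
    for median, error_factor in terms:
        if median <= 0.0:
            raise ValueError("median must be positive")
        log_median += math.log(median)
        variance += sigma(error_factor) ** 2
    return math.exp(log_median), math.exp(Z95 * math.sqrt(variance))


# Constructed inputs for a sequence of the form P1-S1R:
# initiating event frequency, then the two failed branches.
EXAMPLE_TERMS = [
    (1.0e-4, 10.0),  # P1, per year (constructed)
    (1.0e-3, 3.0),   # S1 failure probability (constructed)
    (1.0e-2, 3.0),   # R failure probability (constructed)
]


def example_sequence():
    """Median, error factor and percentile summary of the constructed case."""
    median, error_factor = sequence_product(EXAMPLE_TERMS)
    return median, error_factor, summary(median, error_factor)


if __name__ == "__main__":
    median, error_factor, stats = example_sequence()
    print(f"median = {median:.2e} /yr, error factor = {error_factor:.1f}")
    print(f"5th = {stats['p05']:.2e}, 95th = {stats['p95']:.2e}, "
          f"mean = {stats['mean']:.2e}")
```

The combined error factor is smaller than the product of the individual error factors because the log-space variances add, not the standard deviations.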

6.1 HIGH PRESSURE SAFETY INJECTION SYSTEM

Three distinct operating modes of the HPSI system were evaluated for input to one or more of the systemic/action level event trees discussed in Sections 5.1-5.3. The functions addressed were Fail to Deliver Sufficient HPSI Flow (injection mode), Failure to Achieve High Pressure Recirculation and Fail to Throttle HPSI. The HPSI system also plays an important role in feed and bleed operation; however, the functional aspects of the HPSI system in relation to feed and bleed operation are addressed in Section 6.5, "Primary Feed and Bleed System".

Fault tree logic diagrams were used to evaluate Fail to Deliver Sufficient HPSI Flow and Failure to Achieve HP Recirculation. A probability calculation based on operating experience was used to calculate the probability of failing to throttle HPSI flow. The results of the analyses are presented in Section 6.1.3.

6.1.1 System Description

Schematics of the PVNGS HPSI System (Injection Mode and Recirculation Mode) are presented in Figures 6.1.1-1 and 6.1.1-2.

The injection mode of operation is initiated upon receipt of a safety injection actuation signal (SIAS). A SIAS is produced upon any two coincident low pressurizer pressure (<1700 psia) or high containment pressure signals. The SIAS may also be initiated manually in the control room. Upon a SIAS, the HPSI pumps automatically start and the HPSI header isolation valves open. During injection mode, the minimum flow lines downstream of each pump are kept open to prevent possible dead head operation. The pumps take suction from the Refueling Water Tank (RWT) and discharge through the eight HPSI header isolation valves via two redundant HPSI headers. The safety injection water then flows to the reactor vessel through a safety injection nozzle on each of the four RCS cold leg pipes. If offsite power (normal AC) is unavailable, the ESF buses are connected to the diesel generators and safeguard loads (the HPSI System) are then started in a preprogrammed time sequence.

[Figure 6.1.1-1: PVNGS High Pressure Safety Injection System schematic, injection mode.]

[Figure 6.1.1-2: PVNGS High Pressure Safety Injection System schematic, recirculation mode.]

The recirculation mode is automatically initiated by the Recirculation Actuation Signal (RAS) upon low RWT level. The RAS opens the containment sump outlet valves and closes the HPSI pump mini-flow line recirculation valves.

The High Pressure Safety Injection/Recirculation support system dependency diagram is provided in Figure 6.1.1-3.

6.1.2 Assumptions

The following assumptions were made in performing the fault tree analysis for Fail to Deliver Sufficient HPSI Flow:

1. System failure is defined as the inability to deliver sufficient HPSI flow to the reactor core. Sufficient HPSI flow is defined as one pump flow to two RCS loops. (Two flowpaths are required to deliver the flow from one pump.)
2. Isolation of the pump mini-flow lines could result in dead head operation and damage to the pumps.
3. The only operator action considered was manual backup of SIAS from the control room. The operator is allowed 20 minutes to back up the SIAS.
4. The containment sump isolation valves are closed.
5. The HPSI system is tested at start-up and once each eighteen months.

If pump maintenance is required, manual valves SI-470, SI-476, SI-402 or SI-478 may be closed and inadvertently left in the wrong position. The probability of this maintenance error is included in the analysis. However, all other normally open valves are required to remain open during plant operation. Therefore, the only failure mode considered for these valves is plugging.

[FIGURE 6.1.1-3: HIGH PRESSURE SAFETY INJECTION / RECIRCULATION SYSTEM SUPPORT SYSTEM DEPENDENCY DIAGRAM. Front-line trains: HPSI Train A (pump SIA-P02) and HPSI Train B (pump SIB-P02). Support systems shown: Onsite AC Non-1E; Offsite AC; Onsite AC Class 1E (Division A, Division B); 125V DC Class 1E (Division A, Division B); Instrument Air; Cooling Water (Loop A, Loop B); ESFAS (Channel A, Channel B).]

1089b(83G13)bt-5

6. It is assumed that components on train A receive SIAS-A and $

components on train B receive SIAS-B.

7. Cooling Water Systems are not required for successful HPSI pump operation.
8. Since maintenance can only be performed on one HPSI pump during plant operation, unavailability contributions due to pump maintenance are included only for HPSI pump SIA-P02.
9. Motor operated valves CH-530 CH-531 SI-666 SI-667 SI-698 SI-699 are all FAI (fail as is) and are normally open, therefore, loss of power to these components is not considered in the fault tree model.

The following assumptions were made in performing the fault tree analysis g for Failure to Achieve HP Recirculation:

1. System failure is defined as the inability to recirculate sufficient coolant through the reactor core via the high pressure safety _

injection system. l 2. Sufficient coolant is defined as the successful operation of one high l pressure safety injection pump. l 3. Successful operation of the HPSI system in the injection mode has l been achieved. Both HPSI pumps are assumed to be operating.

4. The generation of the RAS closes the mini-flow line series isolation valves. Failure of these valves to close does not significantly impact HP recirculation flow; therefore, failure to isolate the miniflow lines is not considered in the fault tree model.

5. The RWT isolation valves are manually closed from the control room. Failure to close these valves does not impede recirculation flow; therefore, these valves are not included in the fault tree model.

6. If loss of offsite power occurs as an initiating event or as a result of turbine trip, power is restored prior to realignment for high pressure recirculation.

The following assumptions were made for the probability calculation for Fail to Throttle HPSI:

1. This failure mode is applicable only to the SGTR event trees. Fail to Throttle HPSI refers to maintaining a high RCS pressure through continued delivery of safety injection near the shut off head. System failure is defined as the operator failing to take the appropriate actions to throttle HPSI flow.
2. There have been four events to date classified as SGTRs (see Section 4.3.2). In one of the four events, the operator failed to adequately throttle HPSI flow.

6.1.3 Results

The quantitative results of the analyses are presented in Table 6.1.3-1. The confidence distributions of the failure probabilities are presented in terms of median values and error factors. The error factor is defined as the ratio of the 95th to the 50th percentile.

For Fail to Deliver Sufficient HPSI Flow, a fault tree logic diagram was used to evaluate the specific cases required as input to various event trees. For the SGTR event trees where offsite power is available at the time of the initiating event, the fault tree model does not include grid collapse following turbine trip as a component failure, i.e., the probability of grid collapse on turbine trip is 0.0. For the SGTR with Coincident LOOP event trees, the fault tree model assumes the grid is lost on turbine trip, i.e., the probability of grid collapse on turbine trip is 1.0. For the PORV LOCA event trees, grid collapse following turbine trip is included as a valid failure mode with a probability of 10^-3 (16). It was noted that the unreliability of the HPSI system became a significant contributor to the total system failure probability for the case where offsite power was given as unavailable. Therefore, a separate analysis was performed to determine the probability of failing to maintain HPSI flow for 8 hours following a SGTR with Coincident LOOP. These results are presented as Cases One through Five respectively in Table 6.1.3-1.

For Failure to Achieve HP Recirculation, a fault tree logic diagram was used to provide input to the Loss of Secondary Heat Sink (LOHS) and PORV LOCA event trees. For the PORV LOCA event trees, the probability of failing to achieve HP recirculation is provided as Case Six in Table 6.1.3-1.

The probability for Fail to Throttle HPSI is used only in the SGTR event trees. Operating experience was used to calculate a failure probability of 0.25 (1 failure in 4 SGTR events). An error factor of three was assumed.

Table 6.1.3-2 contains a list of the dominant cutsets for each case presented in Table 6.1.3-1. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.1.3-1
FAILURE PROBABILITIES FOR PVNGS HPSI SYSTEM

| Case Number | Description | Failure Probability (Median Value) | Error Factor |
|---|---|---|---|
| One | Fail to Deliver Sufficient HPSI Flow - System Unavailability given offsite power is available at the time of the initiating event | 5.4E-5 | 10 |
| Two | Fail to Deliver Sufficient HPSI Flow - System Unavailability given offsite power is unavailable at the time of the initiating event | 2.3E-3 | 6 |
| Three | Failure to Deliver Sufficient HPSI Flow - System Unavailability given PORV LOCA | 2.4E-4 | 6 |
| Four | Fail to Deliver Sufficient HPSI Flow - System Unavailability | 5.9E-5 | 8 |
| Five | Fail to Maintain Sufficient HPSI Flow - System Unreliability at 8 hours given offsite power is unavailable at the time of the initiating event | 9.2E-4 | 16 |
| Six | Failure to Achieve HP Recirculation - System Unavailability | 7.1E-5 | 23 |
| Seven | Fail to Throttle HPSI | 2.5E-1 | 3 |
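The median and error-factor pairs reported for the HPSI system can be expanded into percentiles and means once a distribution shape is chosen. The following is an added example, not part of the original report: it assumes the confidence distributions are lognormal (the report states only the median and the 95th/50th percentile ratio), and the function names and the subset of table rows embedded in it are chosen here for illustration.

```python
import math
from statistics import NormalDist

# Standard normal 95th-percentile quantile (about 1.645).
Z95 = NormalDist().inv_cdf(0.95)

# (median, error factor) pairs copied from Table 6.1.3-1 for four cases.
HPSI_CASES = {
    "Two": (2.3e-3, 6),
    "Five": (9.2e-4, 16),
    "Six": (7.1e-5, 23),
    "Seven": (2.5e-1, 3),
}


def lognormal_params(median, error_factor):
    """Return (mu, sigma) of ln(X), ASSUMING X is lognormal.

    The error factor is the ratio of the 95th to the 50th percentile,
    so ln(EF) = Z95 * sigma and mu = ln(median).
    """
    if median <= 0 or error_factor <= 1:
        raise ValueError("need median > 0 and error factor > 1")
    return math.log(median), math.log(error_factor) / Z95


def percentile(median, error_factor, q):
    """q-th quantile (0 < q < 1) of the assumed lognormal."""
    mu, sigma = lognormal_params(median, error_factor)
    return math.exp(mu + sigma * NormalDist().inv_cdf(q))


def mean(median, error_factor):
    """Mean of the assumed lognormal; always above the median."""
    mu, sigma = lognormal_params(median, error_factor)
    return math.exp(mu + sigma ** 2 / 2)


def prob_exceeds(median, error_factor, threshold):
    """Weight the assumed lognormal places above `threshold`.

    With threshold=1.0 this shows how much of the distribution lies
    above the largest value a probability can take, a known limitation
    of the lognormal form for large medians.
    """
    mu, sigma = lognormal_params(median, error_factor)
    return 1.0 - NormalDist(mu, sigma).cdf(math.log(threshold))


def summarize(cases):
    """Build one summary row per case: 5th/95th percentiles, mean, tail above 1."""
    rows = {}
    for name, (med, ef) in cases.items():
        rows[name] = {
            "p05": percentile(med, ef, 0.05),
            "p95": percentile(med, ef, 0.95),
            "mean": mean(med, ef),
            "mean_over_median": mean(med, ef) / med,
            "p_above_1": prob_exceeds(med, ef, 1.0),
        }
    return rows


if __name__ == "__main__":
    for case, row in summarize(HPSI_CASES).items():
        print(case, {k: f"{v:.3g}" for k, v in row.items()})
```

Under this assumption a large error factor pulls the mean well above the median (about a factor of six for Case Six), and Case Seven places a small fraction of its weight above 1.0.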

TABLE 6.1.3-2
DOMINANT CUTSETS FOR PVNGS HPSI SYSTEM

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| One | 1 | FSSR2003 SIAS A not generated and FSSR2004 SIAS B not generated and FSS02005 Operator fails to generate SIAS | 15% |
| One | 2 | HBCB2093 HPSI Pump 1 Breaker fails to close and HBCB2100 HPSI Pump 2 Breaker fails to close | 4.8% |
| One | 3 | HBCB2093 HPSI Pump 1 Breaker fails to close and HPMJ2101 HPSI Pump 2 fails to start | 4.8% |
| One | 4 | HPMJ2094 HPSI Pump 1 fails to start and HBCB2100 HPSI Pump 2 Breaker fails to close | 4.8% |
| One | 5 | HPMJ2094 HPSI Pump 1 fails to start and HPMJ2101 HPSI Pump 2 fails to start | 4.8% |
| Two | 1 | EDDJ2816 DG E-PEA-G01 fails to start and EDDJ2817 DG E-PEB-G02 fails to start | 65% |
| Two | 2 | EBTB2820 DG E-PEA-G01 Breaker fails to close and EDDJ2817 DG E-PEB-G02 fails to start | 2.2% |
| Two | 3 | EDDJ2816 DG E-PEA-G01 fails to start and EBTB2821 DG E-PEB-G02 Breaker fails to close | 2.2% |
| Three | 1 | EBGP2680 Spurious grid collapse and EDDJ2816 DG E-PEA-G01 fails to start and EDDJ2817 DG E-PEB-G02 fails to start | 34% |
| Three | 2 | EBGP2680 Spurious grid collapse and EDDJ2816 DG E-PEA-G01 fails to start and EDDK2819 DG E-PEB-G02 fails to operate | 9% |
| Three | 3 | EBGP2680 Spurious grid collapse and EDDJ2817 DG E-PEB-G02 fails to start and EDDK2818 DG E-PEA-G01 fails to operate | 9% |

TABLE 6.1.3-2 (Continued)
DOMINANT CUTSETS FOR PVNGS HPSI SYSTEM

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| Four | 1 | FSSR2003 SIAS A not generated and FSSR2004 SIAS B not generated and FSS02005 Operator fails to generate SIAS | 14% |
| Four | 2 | HBCB2093 HPSI Pump 1 Breaker fails to close and HBCB2100 HPSI Pump 2 Breaker fails to close | 4.3% |
| Four | 3 | HBCB2093 HPSI Pump 1 Breaker fails to close and HPMJ2101 HPSI Pump 2 fails to start | 4.3% |
| Four | 4 | HPMJ2094 HPSI Pump 1 fails to start and HBCB2100 HPSI Pump 2 Breaker fails to close | 4.3% |
| Four | 5 | HPMJ2094 HPSI Pump 1 fails to start and HPMJ2101 HPSI Pump 2 fails to start | 4.3% |
| Five | 1 | EDDJ2816 DG E-PEA-G01 fails to start and EDDK2819 DG E-PEB-G02 fails to operate | 21% |
| Five | 2 | EDDJ2817 DG E-PEB-G02 fails to start and EDDK2818 DG E-PEA-G01 fails to operate | 21% |
| Five | 3 | EDDK2818 DG E-PEA-G01 fails to operate and EDDK2819 DG E-PEB-G02 fails to operate | 11% |
| Six | 1 | FSRR2015 RAS A not generated and FSRR2016 RAS B not generated and FSR02017 Operator fails to generate RAS | 11% |
| Six | 2 | HVMA2324 Containment Sump Valve SI-673 FTO and HVMA2328 Containment Sump Valve SI-676 FTO | 4.0% |
| Six | 3 | HVMA2324 Containment Sump Valve SI-673 FTO and HVMA2330 Containment Sump Valve SI-675 FTO | 4.0% |

TABLE 6.1.3-2 (Continued)
DOMINANT CUTSETS FOR PVNGS HPSI SYSTEM

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| Six (continued) | 4 | HVMA2326 Containment Sump Valve SI-674 FTO and HVMA2328 Containment Sump Valve SI-676 FTO | 4.0% |
| Six (continued) | 5 | HVMA2326 Containment Sump Valve SI-674 FTO and HVMA2330 Containment Sump Valve SI-675 FTO | 4.0% |
| Seven | 1 | HZZO2338 Operator fails to throttle HPSI | 100% |

6.2 AUXILIARY SPRAY SYSTEM

6.2.1 System Description

Figure 6.2.1-1 provides a schematic of the Auxiliary Spray System. To initiate auxiliary spray, the spray valves HV-203 and HV-205 are manually opened from the control room. The charging line valve PVD-240 is then closed to divert flow to the pressurizer. Figure 6.2.1-2 provides a schematic of the charging supply modelled in the fault tree. Figure 6.2.1-3 provides the Auxiliary Spray Support System dependency diagram.

6.2.2 Assumptions

The following assumptions were made in performing the fault tree analysis:

1. System failure is defined as the inability to deliver sufficient auxiliary spray to the pressurizer. Sufficient flow is defined as the flow from at least one charging pump.

2. The operator is allowed 30 min. to establish auxiliary spray flow from the time auxiliary spray flow is first desired. The operator action to initiate the spray flow is defined as opening of the two auxiliary spray valves (HV-205 and HV-203) and closing of the charging line valve (PVD-240).

3. It is assumed that none of the auxiliary spray flow is diverted back through the main spray valves to the RCS cold legs. This is because the check valve (V244) in the main spray line will prevent any back flow. Also, the main spray valves provide a back-up to the check valves as they are normally closed and are of fail-closed (FC) design.


FIGURE 6.2.1-3: Pressurizer Auxiliary Spray Support System Dependency Diagram. [Diagram not reproduced. It relates the Auxiliary Spray System (auxiliary spray valves HV-205 and HV-203) and the Charging System (charging train pump 1 and charging train pump 2) to the support systems: onsite AC non-1E, offsite AC, onsite AC Class 1E (Divisions A and B), 125V DC Class 1E (Divisions A and B), instrument air, cooling water (Loops A and B) and ESFAS (Channels A and B). Figure note: Charging pump 3 is assumed to be down for maintenance.]

4. The operational status of the charging pumps is assumed to be as follows:

a. Charging pumps 1 and 2 are operating at the time of transient.
b. Charging pump 3 is down for maintenance.
5. Only one auxiliary spray valve (HV-205 or HV-203) is needed to provide sufficient spray flow.
6. Spring loaded check valve V435 is not in the failed open position at the time the auxiliary flow is initiated. It is also assumed that after the auxiliary spray is initiated, the pressure drop across the check valve remains less than the setpoint (to open the check valve).
7. The spray valves HV-205 and HV-203 and the charging line valve POV-240 fail close on loss of power. The normally open motor operated charging line valve HV-524 will remain open on loss of power.
8. On loss of offsite power, the charging pumps require operator action to load them on the diesel generators.

6.2.3 Results

The fault tree logic diagram for Fail to Deliver Auxiliary Spray Flow was used to evaluate the specific cases required as input to various event trees. For the SGTR event trees where offsite power is available at the time of the initiating event, the fault tree model does not include grid collapse following turbine trip as a component failure, i.e., the probability of grid collapse on turbine trip is 0.0. For the SGTR with Coincident LOOP event trees, the fault tree model assumes the grid is lost on turbine trip, i.e., the probability of grid collapse on turbine trip is 1.0. For the Loss of Secondary Heat Sink event tree the probability of failing to deliver auxiliary spray flow is conditional on the loss of MFW and AFW. The dependencies which exist between these three systems have been incorporated into the Auxiliary Spray System failure probability.

The quantitative results of the analyses are presented as Case One through Three respectively in Table 6.2.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and error factors. The error factor is defined as the ratio of the 95th to the 50th percentile.

Table 6.2.3-2 contains a list of the dominant cutsets for each case. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.2.3-1
FAILURE PROBABILITIES FOR PVNGS AUXILIARY SPRAY SYSTEM

| Case Number | Description | Failure Probability (Median Value) | Error Factor |
|---|---|---|---|
| One | Fail to Deliver Auxiliary Spray Flow - System Unavailability given offsite power is available at the time of the initiating event | 3.8E-3 | 4 |
| Two | Fail to Deliver Auxiliary Spray Flow - System Unavailability given offsite power is unavailable at the time of the initiating event | 1.1E-2 | 3 |
| Three | Fail to Deliver Auxiliary Spray Flow - System Unavailability given loss of MFW and AFW | 4.2E-3 | 3 |

TABLE 6.2.3-2
DOMINANT CUTSETS FOR PVNGS AUXILIARY SPRAY SYSTEM

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| One | 1 | PVS02470 Operator fails to initiate aux. sprays | 62% |
| One | 2 | UVDB2477 Charging line valve PDV-240 fails to close (Mechanical Malfunction) | 35% |
| One | 3 | PVCA2474 Aux. spray line check valve V431 fails to open (Mechanical Malfunction) | 3% |
| Two | 1 | PVS02471 Operator fails to load charging pumps on Diesel Generator. | 37% |
| Two | 2 | PVS02470 Operator fails to initiate aux. sprays | 27% |
| Two | 3 | UVDB2477 Charging line valve PDV-240 fails to close (Mechanical Malfunction) | 15% |
| Two | 4 | EDDJ2816 Diesel Generator E-PEA-G01 fails to start and EDDJ2817 Diesel Generator E-PEB-G02 fails to start | 13% |
| Three | 1 | PVS02470 Operator fails to initiate aux. sprays. | 58% |
| Three | 2 | UVDB2477 Charging line valve PDV-240 fails to close (Mechanical Malfunction) | 32% |
| Three | 3 | EBGP2680 Spurious grid collapse and PVS02471 Operator fails to load charging pumps on diesel generators and | 4% |

6.3 CONTAINMENT SPRAY SYSTEM

6.3.1 System Description

The objectives of the Containment Spray System are to reduce the containment temperature and pressure following a Loss of Coolant Accident or Main Steam Line Break by removing thermal energy from the containment. This cooling system also serves to limit offsite radiation levels by reducing the pressure differential between the containment atmosphere and the external environment.

The Containment Spray System consists of two 100% capacity trains. The Containment Spray System utilizes the refueling water tank, the containment sump, two containment spray pumps, two shutdown cooling heat exchangers, two independent spray headers, and associated valves, piping, and instrumentation as shown in Figure 6.3.1-1.

The spray system is actuated by the Containment Spray Actuation Signal (CSAS) on high containment pressure. The CSAS starts the containment spray pumps and opens the spray control valves to the containment. The Essential Cooling Water System (ECWS) and the Essential Spray Pond System (ESPS) are required to provide coolant to the shutdown heat exchangers and are actuated by the Safety Injection Actuation Signal (SIAS) on high containment pressure. The SIAS starts the ECW pumps and the ESP pumps.

During the injection mode the actuated spray pumps take suction from the refueling water tank and discharge through the shutdown heat exchangers to the containment headers. These headers contain spray nozzles that break the flow into small droplets which are then dispersed into the containment atmosphere to absorb heat. When the water droplets reach the containment floor, they drain to the containment sump where they remain until the recirculation mode begins.

When the refueling water tank inventory decreases to 10% of its minimum allowed volume, a recirculation actuation signal (RAS) is generated. Generation of RAS opens the containment sump isolation valves to allow automatic transfer of the containment spray pumps suction from the refueling water tank to the containment sump. Transfer of pump suction ensures that containment cooling is maintained. The RAS also closes the containment spray pumps miniflow isolation lines.

The containment heat removal support system dependency diagram is provided in Figure 6.3.1-2.

6.3.2 Assumptions

The following assumptions were made in performing the fault tree analysis:

1. System failure is defined as the inability to remove sufficient containment heat. Sufficient Containment heat removal is provided by one 100% capacity CSS train.
2. Isolation of the spray pump mini-flow lines during injection mode could result in dead headed operation and damage to the pumps.
3. The only operator actions considered were manual backup of the CSAS, SIAS and RAS from the control room.
4. The RAS closes the containment spray pumps mini-flow line series isolation valves at 10% level in the RWT. Failure of these valves to close does not significantly impact the containment spray recirculation mode; therefore, failure to isolate the mini-flow lines is not considered in the fault tree model.
5. Since maintenance can only be performed on one CS pump during plant operation, unavailability contributions due to pump maintenance are included only for CS pump SIA-P03.

FIGURE 6.3.1-2: Containment Spray System Support System Dependency Diagram. [Diagram not reproduced. It relates Containment Spray Train A and Train B to the support systems: onsite AC non-1E, offsite AC, onsite AC Class 1E (Divisions A and B), 125V DC Class 1E (Divisions A and B), instrument air, cooling water (Loops A and B) and ESFAS (Channels A and B).]

6.3.3 Results

The fault tree logic diagram for Failure of Containment Sprays was used to evaluate the probability of failing to provide sufficient containment heat removal for the PORV LOCA event trees. The result is presented as Case One in Table 6.3.3-1.

For the LOHS with Feed and Bleed Operation event tree, the Containment Spray System logic diagram was also used to generate a failure probability for Failure of Containment Sprays. As discussed in Section 5.1.4.2, failure of the Containment Spray System has an effect on the volume of RWT inventory available for feed and bleed operation. For this event tree, the probability of failing to actuate the containment sprays is conditional on the loss of MFW and the loss of AFW, and the dependencies which exist between these three systems have been incorporated into the Containment Spray System failure probability. These results are presented as Case Two in Table 6.3.3-1.

For each case, the confidence distribution of the failure probabilities is presented in terms of the median values and error factors. The error factor is defined as the ratio of the 95th to the 50th percentile.

Table 6.3.3-2 contains a list of the dominant cutsets for each case presented in Table 6.3.3-1. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.3.3-1
FAILURE PROBABILITIES FOR PVNGS CONTAINMENT SPRAY SYSTEM

| Case Number | Description | Failure Probability (Median Value) | Error Factor |
|---|---|---|---|
| One | Failure of Containment Sprays - System Unavailability | 1.5E-3 | 18 |
| Two | Failure of Containment Sprays - System Unavailability given loss of MFW and loss of AFW | 2.7E-3 | 14 |

TABLE 6.3.3-2
DOMINANT CUTSETS FOR PVNGS CONTAINMENT SPRAY SYSTEM

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| One | 1 | FSSR2003 SIAS A not generated and FSSR2004 SIAS B not generated and FSS02005 Operator fails to generate SIAS | .88% |
| One | 2 | FSAR2009 CSAS A not generated and FSAR2010 CSAS B not generated and FSA02011 Operator fails to generate CSAS | .88% |
| One | 3 | FSRR2015 RAS A not generated and FSRR2016 RAS B not generated and FSR02017 Operator fails to generate RAS | .88% |
| Two | 1 | EBGP2680 Spurious Grid collapse and EDDJ2816 DG E-PEA-G01 fails to start and EDDJ2817 DG E-PEB-G02 fails to start | 6.8% |
| Two | 2 | EBGP2680 Spurious Grid collapse and EDDJ2816 DG E-PEA-G01 fails to start and EDDK2819 DG E-PEB-G02 fails to operate | 5.5% |
| Two | 3 | EBGP2680 Spurious Grid collapse and EDDJ2817 DG E-PEB-G02 fails to start and EDDK2818 DG E-PEA-G01 fails to operate | 5.5% |
| Two | 4 | EBGP2680 Spurious Grid collapse and EDDK2818 DG E-PEA-G01 fails to operate and EDDK2819 DG E-PEB-G02 fails to operate | 4.4% |

6.4 POWER OPERATED RELIEF VALVES (PORVs)

For the PORV LOCA event trees, fault tree analyses were performed to determine the occurrence frequencies of the following PORV LOCA initiating events:

o PORV LOCA Following Loss of Secondary Heat Sink. This type of PORV LOCA refers to manually opening the PORV flow paths. The steam generators are unavailable to remove RCS heat.

o PORV LOCA Following SGTR. This type of PORV LOCA refers to manually opening either PORV flowpath following a tube rupture in one steam generator. The unaffected steam generator is available to remove RCS heat.

o Spurious or Transient Induced PORV LOCA. This type of PORV LOCA refers to the opening of either or both PORV flowpaths. For the manual PORV design, this type of PORV LOCA includes error (test, maintenance, or operator) induced openings. For the automatic PORV design, this type of PORV LOCA includes high RCS pressure transient induced openings. Both steam generators are available to remove RCS heat.

The frequencies for loss of secondary heat sink and tube rupture in one steam generator were incorporated into the fault trees to evaluate the occurrence frequencies for these types of PORV LOCA. Nuclear operating experience data was used along with an assumed valve testing frequency that varies from two weeks to quarterly to evaluate the Spurious PORV LOCA (manual design) occurrence frequency.

In order to evaluate the unavailability of the PORVs for back-up RCS depressurization capability should the Auxiliary Spray System be unavailable, a fault tree logic diagram was used to determine the probability of failing to establish flow through one PORV.

6.4.1 System Description

An assumed Power Operated Relief Valve (PORV) design for PVNGS is presented in Figure 6.4.1-1. Both the manual and the automatic PORV designs considered feature two 50% capacity flow paths. Each path contains a motor operated block valve and a PORV.

For the manual PORV design, the motor operated block valves and the PORVs are closed during power operation. These valves are designed to be opened manually to reduce RCS pressure following a steam generator tube rupture event. The role of PORVs following a SGTR is discussed in Section 7.2.5. These valves are also opened manually to establish a means of alternate decay heat removal following a loss of the secondary heat sink. The role of PORVs following a loss of secondary heat sink is further discussed in Section 6.5, "Primary Feed and Bleed System". For the manual PORV design, the PORVs are not opened by signals that are generated automatically; therefore, they do not prevent or minimize challenges to the primary safety valves.

For the automatic PORV design, the motor operated block valves are opened and the PORVs are closed during power operation. In the event of a high RCS pressure transient the PORVs open automatically to prevent or minimize challenges to the primary safety valves.

The PORV support system dependency diagram is provided in Figure 6.4.1-2.

6.4.2 Assumptions

The following assumptions were made in performing the frequency evaluations for PORV LOCA:

1. Both PORV flowpaths are required following a loss of secondary heat sink event.
2. At least one PORV flowpath is required following a SGTR.
3. Spurious PORV LOCA refers to error induced opening of either PORV flowpath.
4. The frequency for testing the valves varies from two weeks to quarterly.
5. Operator action may be required to establish or terminate flow through the PORVs.


FIGURE 6.4.1-2: Power Operated Relief Valves Support System Dependency Diagram. [Diagram not reproduced. It relates PORV Path I and Path II to the support systems: onsite AC non-1E, offsite AC, onsite AC Class 1E (Divisions A and B), 125V DC Class 1E (Divisions A and B), instrument air, cooling water (Loops A and B) and ESFAS (Channels A and B).]

The following assumptions were made in performing the fault tree analysis for Failure to Establish Flow Through One PORV:

1. Failure to establish flow through the PORVs is defined as the inability to fully open one block valve and the associated PORV.
2. Motor operated block valves RC-130 and RC-131 are loaded on 480 VAC motor control centers E-PHA-M33 and E-PHB-M34 respectively.
3. PORVs RC-132 and RC-133 are loaded on 125 VDC buses E-PKA-M41 and E-PKV-M42 respectively.
4. Operator action is required to establish flow through the PORVs.

6.4.3 Results

For the PORV LOCA event trees, fault tree analysis was used to determine the following initiating event frequencies:

o PORV LOCA following loss of secondary heat sink.
o PORV LOCA following SGTR.
o Spurious or Transient Induced PORV LOCA.

In order to determine the unavailability of the PORVs, a fault tree logic diagram was used to evaluate the probability of failing to establish flow through one PORV. The model was used to evaluate the following cases:

o offsite power is assumed to be available at the time of the initiating event.
o offsite power is included as a component with a failure probability of 10^-3 (16).
o offsite power is assumed to be unavailable at the time of the initiating event.

The quantitative results of the analyses are presented as Cases One through Six respectively in Table 6.4.3-1. The confidence distributions of the initiating event frequencies and failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th to the 50th percentile.

Table 6.4.3-2 contains a list of the dominant cutsets for each case presented in Table 6.4.3-1. Included in the table is a brief description of each cutset as well as the percent contribution to the total frequency or failure probability. The percentage is based on a best estimate ratio.

TABLE 6.4.3-1
INITIATING EVENT FREQUENCIES AND FAILURE PROBABILITIES FOR PVNGS PORVs

| Case Number | Description | Failure Probability (Median Value) | Error Factor |
|---|---|---|---|
| One | PORV LOCA Following LOHS - Initiating Event Frequency | 1.8E-5 | 16 |
| Two | PORV LOCA Following SGTR - Initiating Event Frequency | 1.3E-4 | 7 |
| Three | Spurious or Transient Induced PORV LOCA - Initiating Event Frequency: (a) Manual Design | 3.2E-5 | 16 |
| Three | Spurious or Transient Induced PORV LOCA - Initiating Event Frequency: (b) Automatic Design (see Note 1) | 5.0E-3 | 13 |
| Four | Failure to Establish Flow through One PORV - System Unavailability given offsite power is available at the time of the initiating event | 1.1E-3 | 4 |
| Five | Failure to Establish Flow through One PORV - System Unavailability | 1.1E-3 | 4 |
| Six | Failure to Establish Flow through One PORV - System Unavailability given offsite power is unavailable at the time of the initiating event | 3.5E-3 | 4 |

Note 1. This value excludes challenges to the PORVs due to malfunction of the turbine runback feature. Operating experience shows that C-E NSSS supplied plants with the turbine runback feature experience more challenges to the PORVs. Therefore, the affected plants are currently operating with the turbine runback feature overridden. If challenges to the PORVs due to malfunction of the turbine runback feature were included, the PORV LOCA initiating event frequency would increase by approximately 15%.

TABLE 6.4.3-2
DOMINANT CUTSETS FOR PVNGS PORVs

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| One | 1 | ZZZZ2928, ZZZZ2927, VVX02937: Loss of MFW and Loss of AFW and Operator fails to isolate the PORV flow paths | 99% |
| Two | 1 | ZZZZ2926 Tube rupture in one SG and VVX02937 Operator fails to isolate the PORV flow paths | 99% |
| Three (a) Manual Design | 1 | VVMV2945 Pre-existing error on valve RC-133 and ZZZZ2936 Valve RC-131 opens for testing and VVX02938 Operator fails to isolate the PORV flow path | 23% |
| Three (a) Manual Design | 2 | VVMV2944 Pre-existing error on valve RC-131 and ZZZZ2934 Valve RC-133 opens for testing and VVX02938 Operator fails to isolate the PORV flow path | 23% |
| Three (a) Manual Design | 3 | VVMV2940 Pre-existing error on valve RC-132 and ZZZZ2932 Valve RC-130 opens for testing and VVX02938 Operator fails to isolate the PORV flow path | 23% |
| Three (a) Manual Design | 4 | VVMV2939 Pre-existing error on valve RC-130 and ZZZZ2930 Valve RC-132 opens for testing and VVX02938 Operator fails to isolate the PORV flow path | 23% |
| Three (b) Automatic Design | 1 | ZZZZ2979 Valve RC-133 opens spuriously and VVMS2948 Valve RC-131 electrical malfunction | 43% |
| Three (b) Automatic Design | 2 | ZZZZ2978 Valve RC-132 opens spuriously and VVMS2943 Valve RC-130 electrical malfunction | 43% |

TABLE 6.4.3-2 (continued)
DOMINANT CUTSETS FOR PVNGS PORVs

Case Number | Cutset | Description | % of Total Failure Probability
Four | 1. VVZ02550 | Operator fails to open one PORV and the associated block valve | >99%
Five | 1. VVZ02550 | Operator fails to open one PORV and the associated block valve | >99%
Six | 1. VVZ02550 | Operator fails to open one PORV and the associated block valve | 43%
Six | 2. EDDJ2816, EDDJ2817 | DG E-PEA-G01 fails to start and DG E-PEB-G02 fails to start | 39%
Six | 3. VVMA2552, EDDJ2816 | Valve RC-131 fails to open or the associated breaker fails to close and DG E-PEA-G01 fails to start | 2.6%
Six | 4. VVMA2551, EDDJ2817 | Valve RC-130 fails to open or the associated breaker fails to close and DG E-PEB-G02 fails to start | 2.6%


6.5 PRIMARY FEED AND BLEED SYSTEM

6.5.1 System Description

A conceptual Primary Feed and Bleed System for PVNGS consists of Power Operated Relief Valves (PORVs), the High Pressure Safety Injection System and the Charging System.

A schematic of the PORVs is presented in Figure 6.5.1-2. It consists of two trains, each with a power-operated relief valve and a motor-operated block valve in series. The PORVs are located off the pressurizer and exhaust to the pressurizer quench tank.

A schematic of the PVNGS HPSI System (Injection Mode) is presented in Figure 6.5.1-1. During the injection mode, the minimum flowlines downstream of each pump are kept open to prevent possible dead head operation. The pumps take suction from the Refueling Water Tank (RWT) and discharge through the eight HPSI header isolation valves via two HPSI headers. The safety injection water then flows to the reactor vessel through a safety injection nozzle on each of the four RCS cold leg pipes. The HPSI System is connected to the diesel generator power system in the event of a loss of normal offsite power.

A schematic of charging flow to the RCS loops is presented in Figure 6.5.1-3. The charging pumps take suction from the volume control tank and inject into the RCS during plant steady state operations. Normally two pumps are operating.

The Primary Feed and Bleed System is a manually actuated system. Following a loss of secondary heat sink (loss of main and auxiliary feedwater flow) the operator initiates feed and bleed by opening the PORVs for an automatic design or PORVs and associated block valves for a manual design system (1). The injection mode of operation of the HPSI system is either manually initiated or automatically initiated following a SIAS. A SIAS is produced upon any two coincident low pressurizer pressure or high containment pressure signals. If the charging pumps are not already running, the operator also starts them. Primary pressure control and heat removal is accomplished by releasing

1. For a manual design, plant operates with block valves closed and for an automatic design, plant operates with block valves open. For both designs, Feed and Bleed is manually initiated.

[Figure 6.5.1-1: Schematic of the PVNGS HPSI System (Injection Mode). Figure not reproduced.]

[Figure 6.5.1-2: Schematic of the PORVs. Figure not reproduced.]

[Figure 6.5.1-3: Schematic of charging flow to the RCS loops. Figure not reproduced.]

steam through the PORVs and by providing primary inventory makeup from one HPSI pump and one charging pump or two HPSI pumps until shutdown cooling entry conditions are achieved.

The Primary Feed and Bleed support system dependency diagram is provided in Figure 6.5.1-4.

6.5.2 Assumptions

The following assumptions were made in performing the fault tree analysis:

1. Failure of Feed and Bleed Operation is defined as the inability to establish flow through the PORVs and deliver sufficient HPSI and charging flow to the reactor core.
2. Operation of both PORV trains is required for successful Feed and Bleed operation.
3. Sufficient flow is defined as flow from at least one HPSI and one charging pump or flow from two HPSI pumps. For HPSI, at least two flow paths (i.e., injection into two cold legs) are required to deliver full flow.
4. Isolation of the HPSI pumps mini-flow lines could result in dead head operation and damage to the pumps.
5. Both HPSI pumps are available to start on SIAS.
6. The following operator actions were considered:
   - Opening of the PORVs (and block valves for manual design) from the control room,
   - Manual generation or backup of SIAS from the control room.

[Figure 6.5.1-4: Primary Feed and Bleed support system dependency diagram. Figure not reproduced.]

   - If the charging pumps are not running, manual initiation of charging flow from the control room.

   The operator is allowed 25 minutes following a loss of heat sink to complete these three actions.

7. The containment sump isolation valves are closed.
8. Since maintenance can only be performed on one HPSI Pump during plant operation, unavailability contributions due to pump maintenance are included only for one of the pumps.
9. Two charging pumps (1 and 2) are operating at the time of the initiating event and charging pump 3 is in maintenance.
10. The availability of charging flow is modelled by including CVCS components from the charging lines to the RCS loops, to the suction side of the charging pumps. Suction flow is assumed available to the pumps because modelling the redundant sources of CVCS inventory would unnecessarily complicate the fault tree without significantly contributing to the overall failure probability of the Feed and Bleed System.

6.5.4 Results

The fault tree logic diagram for Failure of Feed and Bleed Operation was used to determine the probability of failing to achieve feed and bleed operation for the Loss of Secondary Heat Sink with Feed and Bleed Operation event tree. The model was used to evaluate the following cases:

- Failure of feed and bleed operation (manual design)
- (a) Failure of feed and bleed operation (manual design) given loss of MFW and loss of AFW.
  (b) Failure of feed and bleed operation (automatic design) given loss of MFW and loss of AFW.

For Case Two the dependencies which exist between the three systems (Feed and Bleed, MFW and AFW) have been incorporated into the Feed and Bleed System failure probability. (In addition, the probability of restoration of AC power following the loss of AFW is incorporated into the Feed and Bleed System failure probability for Case Two.)

The quantitative results of the analyses are presented in Table 6.5.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95 to 50 percentile.

Table 6.5.3-2 contains a list of the dominant cutsets for the two cases. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.5.3-1
FAILURE PROBABILITIES FOR PVNGS PRIMARY FEED AND BLEED SYSTEM

Case Number | Description | Failure Probability (Median Value) | Error Factor
One | Failure of Feed and Bleed Operation (manual design) - System Unavailability | 3.3E-2 | 4
Two (a) | Failure of Feed and Bleed Operation (manual design) - System Unavailability given loss of MFW and loss of AFW | 4.0E-1 | 1.9
Two (b) | Failure of Feed and Bleed Operation (automatic design) - System Unavailability given loss of MFW and loss of AFW | 2.0E-1 | 2.4

1. For the manual design, plant operates with block valves closed and for the automatic design, plant operates with block valves open. For both designs, Feed and Bleed is manually initiated.

TABLE 6.5.3-2
DOMINANT CUTSETS FOR PVNGS FEED AND BLEED SYSTEM

Case Number | Cutset | Description | % of Total Failure Probability
One | 1. VVZ02550 | Operator fails to open valves | 86%
One | 2. VVMA2552 | Block valve RC-131 fails to open | 3.4%
One | 3. VVMA2551 | Block valve RC-130 fails to open | 3.4%
One | 4. VVSA2555 | PORV RC-133 fails to open | 3.4%
One | 5. VVSA2553 | PORV RC-132 fails to open | 3.4%
Two (a) Manual Design | 1. EBGP2680, EDDJ2817 | Spurious grid collapse and DG E-PEB-G02 fails to start | 37%
Two (a) Manual Design | 2. EBGP2680, ECBV2852 | Spurious grid collapse and Battery E-PKA-F11 Unavailable | 29%
Two (a) Manual Design | 3. EBGP2680, EDDJ2816 | Spurious grid collapse and DG E-PEA-G01 fails to start | 25%
Two (b) Automatic Design | 1. EBGP2680, ECBV2852 | Spurious grid collapse and Battery E-PKA-F11 Unavailable | 61%
Two (b) Automatic Design | 2. VVS02550 | Operator fails to open valves | 17%
Two (b) Automatic Design | 3. EBGP2680, EDDJ2816, EDDJ2817 | Spurious grid collapse and DG E-PEA-G01 fails to start and DG E-PEB-G02 fails to start | 15%
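The success criteria in assumptions 1 to 3 of Section 6.5.2 and the quantification described in the Results paragraph (median, error factor, point estimate percentages) can be traced end to end in a short script. This is an added example, not code or data from the report: the basic-event names and probabilities are constructed, the lognormal distribution is an assumption the section does not state, and the HPSI flow-path requirement and operator actions are left out to keep the tree small.

```python
import itertools
import math
import random
from statistics import NormalDist

# Constructed basic events: name -> (median failure probability, error factor).
# The numbers are illustrative assumptions, not values from the report.
BASIC_EVENTS = {
    "PORV_TRAIN_A": (1.0e-2, 3.0),
    "PORV_TRAIN_B": (1.0e-2, 3.0),
    "HPSI_PUMP_A": (2.0e-2, 3.0),
    "HPSI_PUMP_B": (2.0e-2, 3.0),
    "CHG_PUMP_1": (5.0e-2, 3.0),
    "CHG_PUMP_2": (5.0e-2, 3.0),
}


def feed_and_bleed_fails(failed):
    """Top event per assumptions 1-3: True when feed and bleed is not achieved."""
    # Assumption 2: both PORV trains must operate.
    porvs_ok = not ({"PORV_TRAIN_A", "PORV_TRAIN_B"} & set(failed))
    hpsi = sum(p not in failed for p in ("HPSI_PUMP_A", "HPSI_PUMP_B"))
    chg = sum(p not in failed for p in ("CHG_PUMP_1", "CHG_PUMP_2"))
    # Assumption 3: two HPSI pumps, or one HPSI pump plus one charging pump.
    makeup_ok = hpsi == 2 or (hpsi >= 1 and chg >= 1)
    return not (porvs_ok and makeup_ok)


def minimal_cutsets(events, top_fails):
    """Brute force, smallest sets first; supersets of a found cutset are skipped.

    Valid because the tree is coherent: failing more components never
    restores the system.
    """
    found = []
    for size in range(1, len(events) + 1):
        for combo in itertools.combinations(sorted(events), size):
            candidate = frozenset(combo)
            if any(cs <= candidate for cs in found):
                continue
            if top_fails(candidate):
                found.append(candidate)
    return found


def point_estimate(cutsets, probs):
    """Rare-event approximation: top event ~= sum of cutset products.

    Returns (total, {cutset: fraction of total}), i.e. the point estimate
    ratio used for the percentage column of the cutset tables.
    """
    values = {cs: math.prod(probs[e] for e in cs) for cs in cutsets}
    total = sum(values.values())
    return total, {cs: v / total for cs, v in values.items()}


def lognormal_sigma(error_factor):
    """EF = 95th / 50th percentile, so sigma = ln(EF) / z_0.95 for a lognormal."""
    return math.log(error_factor) / NormalDist().inv_cdf(0.95)


def propagate(cutsets, events, trials=20000, seed=1983):
    """Monte Carlo over lognormal basic events; returns (median, error factor)."""
    rng = random.Random(seed)
    params = {n: (math.log(med), lognormal_sigma(ef)) for n, (med, ef) in events.items()}
    samples = []
    for _ in range(trials):
        draw = {n: min(1.0, rng.lognormvariate(mu, s)) for n, (mu, s) in params.items()}
        samples.append(min(1.0, point_estimate(cutsets, draw)[0]))
    samples.sort()
    median = samples[trials // 2]
    return median, samples[int(0.95 * trials)] / median


if __name__ == "__main__":
    cutsets = minimal_cutsets(BASIC_EVENTS, feed_and_bleed_fails)
    medians = {name: med for name, (med, _) in BASIC_EVENTS.items()}
    total, shares = point_estimate(cutsets, medians)
    print(f"point estimate of top event: {total:.3e}")
    for cs, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"  {share:6.1%}  {' and '.join(sorted(cs))}")
    median, ef = propagate(cutsets, BASIC_EVENTS)
    print(f"top event median {median:.3e}, error factor {ef:.2f}")
```

The top-event error factor comes out smaller than the error factor of 3 assigned to each basic event, because summing independent contributors narrows the relative spread.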

6.6 TURBINE BYPASS SYSTEM AND TURBINE TRIP

Various functional modes of the Turbine Bypass System were evaluated for input to the systemic/action level event trees. For the SGTR event trees, fault tree logic diagrams were used to evaluate the following TBS functions:

- Quick Open of TBVs following Turbine Trip
- Close all TBVs after Quick Open or during cooldown
- Maintain TBV flow prior to isolation of the affected (or most affected) SG
- Maintain TBV flow after isolation of the affected (or most affected) SG

For the Spurious PORV LOCA event tree, a fault tree model was used to evaluate Failure to Open the TBVs.

The probability of failing to trip the turbine was used in the SGTR event trees and is discussed in Section 6.4.

6.6.1 System Description

Figure 6.6.1-1 provides a schematic of the Turbine Bypass System. The turbine bypass system (TBS) consists of eight air-operated globe valves and associated instruments and controls. These valves branch from each main steam line downstream of the Main Steam Isolation Valves. Six of these valves direct steam to the condenser and the remaining two vent directly to the atmosphere. The TBS provides a maximum steam dump capacity of 55% rated main steam flow.

The valves are designed to fully open or close within 1 second or to modulate full open or closed in a minimum of 15 seconds and a maximum of 20 seconds. The valves are equipped with remote-operated handwheels to permit manual operation at the valve location.

[Figure 6.6.1-1: Schematic of the Turbine Bypass System. Figure not reproduced.]

The two valves which exhaust to the atmosphere are the last to open and the first to close during load rejections, thus minimizing the quantity of steam discharged to the environment. The valves and piping for the system are located in the turbine building.

During normal operation, the TBVs are under the control of the Steam Bypass Control System. The main function of the TBVs is to limit the pressure rise in the steam generator, following a reactor trip, to a level which prevents opening of the main steam line safety valves. The bypass valves also open to the condenser to remove decay heat following a reactor shutdown or during hot standby conditions.

During plant shutdown, one turbine bypass valve is remotely or manually positioned to remove Reactor Coolant System sensible heat to reduce the reactor coolant temperature. Since steam pressure decreases as the system temperature is reduced, bypass valve flow capacity becomes limited at low pressures and other bypass valves are opened to complete the cooldown at the design rate until shutdown cooling is initiated.

All turbine bypass valves can be remotely operated from the main control room. These valves are pneumatically operated. The valves in the turbine bypass system are designed to fail closed to prevent uncontrolled bypass of system.

A simplified schematic of a turbine bypass valve is presented in Figure 6.6.1-2. An excess of energy in the NSSS caused by a load reduction transient or other conditions will result in an increase in the main steam header pressure. If that pressure increases above a programmed setpoint value, the SBCS will sequentially modulate the turbine bypass valves open to limit the main steam header pressure to the setpoint value (modulating mode). However, the rate of change of excess NSSS energy that may be dissipated by the modulating mode is limited due to the 15-20 second stroke time required for the valves.

[Figure 6.6.1-2: Simplified schematic of a turbine bypass valve. Figure not reproduced.]

When a decrease in load is detected so large that it cannot be accommodated by the Modulation control of the valves, a "Valve Quick Opening" signal is generated which overrides the Modulation control and opens the valves in one second or less.

To prevent a single component failure from opening more than one valve, the coincidence of two independently generated demand signals is necessary for the quick opening of any one valve. For this, two parallel circuits (Channel 1 and Channel 2) are used to generate redundant "Quick Opening" signals. From these redundant signals a "Main Quick Opening Demand" and a "Permissive Quick Opening Demand" signal for each valve is derived and sent to the valves through independent channels. To carry the redundancy as far down as possible, as in the Modulation control case, the coincidence of these two signals is made to occur at the valves themselves.

The Turbine Bypass support system dependency diagram is provided in Figure 6.6.1-3.

6.6.2 Assumptions

The following assumptions were made in performing the fault tree analyses:

1. TBVs are designed to fail closed on loss of instrument air or loss of offsite power. TBVs PV1001 through PV1006 also require a condenser available signal for them to open.
2. Two redundant Quick Open Signals (Channel 1 and Channel 2) are required to open a bypass valve in the Quick Open mode of operation.
3. The SBCS receives power from 120V AC Instrument and Control Panel E-NNN-D11.
4. The fault tree "TBVs Fail to Quick Open" refers only to the Quick Open mode of operation. Given that instrument air and condenser vacuum are available at the time of the initiating event, the

[FIGURE 6.6.1-3: TURBINE BYPASS SYSTEM SUPPORT SYSTEM DEPENDENCY DIAGRAM. Support systems listed: Onsite AC Non-1E; Offsite AC; Onsite AC Class 1E (Division A, Division B); 125V DC Class 1E (Division A, Division B); Instrument Air; Cooling Water (Loop A, Loop B); ESFAS (Channel A, Channel B). Figure not reproduced.]

probability of losing them before the TBV Quick Open Signal is generated is negligible. Therefore, instrument air and condenser vacuum are not modelled in the fault tree "TBVs Fail to Quick Open".

5. During plant cooldown, only one TBV is initially used to reduce the RCS temperature. At low pressure, when the valve flow capacity becomes limiting, the second valve is opened. Therefore, the fault tree 'Failure to close all TBVs after Quick Open or during Cooldown' is defined as follows: one out of eight valves fails to close after Quick Open or one out of two valves fails to close during cooldown.

6.6.3 Results

For the SGTR event trees where offsite power is available at the time of the initiating event, fault tree logic diagrams were used to evaluate the following TBS failure modes:

- TBVs Fail to Quick Open
- One TBV Fails to Reclose after Quick Open or During Cooldown
- Termination or Loss of TBV Flow prior to Isolation of the Affected SG
- Termination or Loss of TBV Flow after Isolation of the Affected SG

The quantitative results of the analyses are presented as Cases One through Four respectively in Table 6.6.3-1. It should be noted that for SGTR with coincident LOOP, the TBS is not available.

For the Spurious PORV LOCA event tree, a fault tree model was used to determine the probability of failing to open the TBVs during cooldown. The results are presented as Case Five in Table 6.6.3-1.

The confidence distributions of the above failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95 to 50 percentile.

Table 6.6.3-2 contains a list of the dominant cutsets for each case. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.6.3-1
FAILURE PROBABILITIES FOR PVNGS TURBINE BYPASS SYSTEM

Case Number | Description | Failure Probability (Median Value) | Error Factor
One | TBVs Fail to Quick Open - System Unavailability | 3.5E-3 | 7
Two | One TBV Fails to Reclose after Quick Open or During Cooldown - System Unavailability | 2.1E-2 | 4
Three | Loss of TBV Flow Prior to Isolation of the Affected (or Most Affected) SG - System Unavailability | 1.1E-2 | 4
Four | Loss of TBV Flow After Isolation of the Affected (or Most Affected) SG - System Unavailability | 2.1E-2 | 3
Five | Fail to Open TBVs - System Unavailability | 1.7E-2 | 3

TABLE 6.6.3-2
DOMINANT CUTSETS FOR PVNGS TURBINE BYPASS SYSTEM

Case Number | Cutset | Description | % of Total Failure Probability
One | 1. EBFB2699 | 13.8 KV Bus E-NAN-S01 Fast Transfer Breaker Fails to Close | 32%
One | 2. EBFA2697 | Unit Auxiliary Transformer (13.8 KV Bus E-NAN-S01) Fast Transfer Breaker Fails to Open | 32%
One | 3. ECBV2810 | Battery E-NKN-F17 Unavailable | 32%
Two | 1. TVP02291 | Operator Fails to Close TBV During Cooldown | 17%
Two | 2. TVPB2263 | TBV Mechanical Malfunction | 13%
Two | 3. TVPB2264 | TBV Mechanical Malfunction | 13%
Three | 1. THS02292 | Early SG Isolation by Operator | 100%
Four | 1. TSM02293 | Operator Fails to Lower MSIS Setpoint | 50%
Four | 2. IZZX2063 | Loss of Instrument Air - Demand Failure | 45%
Four | 3. TVSA2295 | Permissive Solenoid Malfunction | 5%
Five | 1. IZZX2063 | Loss of Instrument Air - Demand Failure | 66%
Five | 2. ECBV2810 | Battery E-NKN-F17 Unavailable | 8%
Five | 3. EBGP2682 | Grid collapse on Turbine Trip | 8%
Five | 4. EBFA2697 | UAT (13.8KV Bus E-NAN-S01) Fast Transfer Breaker Fails to open | 8%
Five | 5. EBFB2699 | 13.8KV Bus E-NAN-S01 Fast Transfer Breaker Fails to close | 8%

6.6.4 Turbine Trip

The probability of failing to trip the turbine was determined based on an earlier analysis performed for St. Lucie 2. Both St. Lucie 2 and PVNGS turbines have four steam inlet paths to the high pressure (HP) turbine; each path contains in series a stop valve and a governing control valve. Each valve has an individual actuator, controlled by the E/H governing system. The dominant contributors to the failure to trip the turbine are the mechanical malfunction of the stop and governing control valves or their actuators. Because of the similarity of the inlet valve arrangements and their actuators, the results of the St. Lucie 2 analysis are concluded to be applicable to this analysis.

The following assumptions are applicable to the SGTR event tree branch heading "Turbine Fails to Trip on Reactor Trip":

1. Failure to trip the turbine is defined as the inability to completely terminate steam flow to the high pressure turbine.
2. The stop, intercept, and governing control valves are initially fully open.
3. The reactor trip signal is generated.
4. An operator action from the control room is included as a back-up in case the turbine fails to trip automatically.
5. The turbine valves are tested bi-monthly.

The median failure probability for "Turbine Fails to Trip on Reactor Trip" used in the event tree analysis is 7.1E-6 with an associated error factor of 11.

6.7 MAIN STEAM ISOLATION

6.7.1 System Description

Each of the Main Steam lines is equipped with one quick acting Main Steam Isolation Valve (MSIV). Figure 6.7.1-1 provides a schematic of these valves. Each valve has an actuation time of 5 seconds or less and operates automatically in the event of rupture in the main steam piping or associated components either upstream or downstream of the MSIV. They prevent blowdown of more than one steam generator (assuming a single active failure). The valves are designed to close upon loss of electric power. Once isolation is initiated, in response to a main steam isolation signal, the valves continue to close and cannot be opened until manually reset. Each valve has two physically separate and electrically independent solenoid actuators in order to provide redundant means of valve operation.

The Main Steam Isolation support system dependency diagram is provided in Figure 6.7.1-2.

6.7.2 Assumptions

The following assumptions were made in performing the fault tree analyses:

1. Each MSIV receives both MSIS signals (MSISA and MSISB); however, only one signal is required to close the valve.
2. The MSIVs fail closed on loss of power.
3. The only operator action addressed in the model is a manual backup of the MSIS from the control room. Manual closure of an MSIV with a handwheel is not considered.

[Figure 6.7.1-1: Schematic of the Main Steam Isolation Valves. Figure not reproduced.]

FIGURE 6.7.1-2 MAIN STEAM ISOLATION SYSTEM SUPPORT SYSTEM DEPENDENCY DIAGRAM

[Dependency matrix. Columns: MSIV on SG-1 (UV-170/UV-180); MSIV on SG-2 (UV-171/UV-181). Rows: Onsite AC Non-1E; Offsite AC; Onsite AC Class 1E (Division A, Division B); 125V DC Class 1E (Division A, Division B); Instrument Air; Cooling Water (Loop A, Loop B); ESFAS (Channel A, Channel B).]

4. The MSIV bypass valves remain closed. This is because the bypass valves are normally closed and they fail closed on loss of power.

6.7.3 Results

Fault tree logic diagrams were used to evaluate the probability of failing to close both MSIVs on a steam generator. It should be noted that the unavailability of the MSIVs is not a function of the availability of offsite power.

The quantitative results of the analyses for the two steam generators are presented as Cases One and Two in Table 6.7.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th to the 50th percentile.

Table 6.7.3-2 contains a list of the dominant cutsets for the two cases. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.


TABLE 6.7.3-1 FAILURE PROBABILITIES FOR PVNGS MSIVs

| Case Number | Description | Failure Probability (Median Value) | Error Factor |
|---|---|---|---|
| One | Fail to close MSIVs UV-170 and UV-180 on SG. System Unavailability | 1.8E-3 | 3 |
| Two | Fail to close MSIVs UV-171 and UV-181 on SG. System Unavailability | 1.8E-3 | 3 |
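The results in this section are quoted as a median with an error factor (95th percentile divided by the median). The following added example, which is not part of the report, reads such a pair as a lognormal distribution, an assumption customary in WASH-1400-style analyses, and shows the percentiles and mean it implies; the class name and the product of two branch probabilities are illustrative only.

```python
"""Read a 'median + error factor' entry as a lognormal distribution.

Added illustration; the lognormal shape is an assumption, and the product of
two branch probabilities below is not a sequence quantified in the report.
"""
import math
from dataclasses import dataclass
from statistics import NormalDist

_STD_NORMAL = NormalDist()
Z95 = _STD_NORMAL.inv_cdf(0.95)  # about 1.645


@dataclass(frozen=True)
class Lognormal:
    median: float
    error_factor: float  # EF = 95th percentile / 50th percentile

    def __post_init__(self):
        if self.median <= 0:
            raise ValueError("median must be positive")
        if self.error_factor < 1:
            raise ValueError("error factor must be at least 1")

    @property
    def sigma(self) -> float:
        """Standard deviation of ln(X); follows from EF = exp(Z95 * sigma)."""
        return math.log(self.error_factor) / Z95

    @property
    def mean(self) -> float:
        """Arithmetic mean; always at or above the median for a lognormal."""
        return self.median * math.exp(self.sigma ** 2 / 2)

    def percentile(self, q: float) -> float:
        if not 0 < q < 1:
            raise ValueError("q must be strictly between 0 and 1")
        return self.median * math.exp(self.sigma * _STD_NORMAL.inv_cdf(q))

    def times(self, other: "Lognormal") -> "Lognormal":
        """Product of two independent lognormals (an AND of two events).

        Medians multiply and the log-variances add, so the result is again
        lognormal with a wider error factor than either input.
        """
        sigma = math.hypot(self.sigma, other.sigma)
        return Lognormal(self.median * other.median, math.exp(Z95 * sigma))


# Median / error factor pairs quoted in this section of the report.
MSIV_FAIL_TO_CLOSE = Lognormal(1.8e-3, 3)
TURBINE_FAILS_TO_TRIP = Lognormal(7.1e-6, 11)


def summarize(dist: Lognormal) -> dict:
    """5th percentile, median, mean and 95th percentile of one entry."""
    return {
        "p05": dist.percentile(0.05),
        "median": dist.median,
        "mean": dist.mean,
        "p95": dist.percentile(0.95),
    }


if __name__ == "__main__":
    for label, dist in [("MSIVs fail to close", MSIV_FAIL_TO_CLOSE),
                        ("Turbine fails to trip", TURBINE_FAILS_TO_TRIP)]:
        row = summarize(dist)
        print(label, {k: f"{v:.2e}" for k, v in row.items()})
    both = MSIV_FAIL_TO_CLOSE.times(TURBINE_FAILS_TO_TRIP)
    print("illustrative product:", f"{both.median:.2e}",
          "EF", round(both.error_factor, 1))
```

With an error factor of 11 the mean is almost three times the median, so a point estimate built from medians understates the expected value.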

TABLE 6.7.3-2 DOMINANT CUTSETS FOR PVNGS MSIVs

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| One | 1. DVEB2065A | MSIV UV-170 Mechanical Malfunction | 49.5% |
| One | 2. DVEB2066A | MSIV UV-180 Mechanical Malfunction | 49.5% |
| One | 3. FSMR2000, FSMR2001, FSM02002 | MSIS A not generated and MSIS B not generated and Operator fails to generate MSIS | 0.2% |
| Two | 1. DVEB2065 | MSIV UV-171 Mechanical Malfunction | 49.5% |
| Two | 2. DVEB2066 | MSIV UV-181 Mechanical Malfunction | 49.5% |
| Two | 3. FSMR2000, FSMR2001, FSM02002 | MSIS A not generated and MSIS B not generated and Operator fails to generate MSIS | 0.2% |

6.8 ATMOSPHERIC DUMP SYSTEM

Various functional modes of the Atmospheric Dump System were evaluated for input to the systemic/action level event trees. For the SGTR event trees, fault tree logic diagrams were used to evaluate the following ADS functions:

  • Open ADV HV184 or ADV HV178 on SG-1
  • Open ADV HV185 or ADV HV179 on SG-2
  • Terminate flow through ADV HV184 and ADV HV178 on SG-1
  • Terminate flow through ADV HV185 and ADV HV179 on SG-2

For the spurious PORV LOCA event tree, a fault tree model was used to evaluate Failure to Open One of Four ADVs.

6.8.1 System Description

The PVNGS Atmospheric Dump System consists of four Atmospheric Dump Valves (ADVs) and eight solenoid valves. Two redundant ADVs are provided for each steam generator, one per main steam line. The ADVs are pneumatically operated and can be controlled from the main control room. A handwheel is also provided with the atmospheric dump valve for local hand operation. Schematics of the ADS are presented in Figures 6.8.1-1 and 6.8.1-2.

In the "open" mode, two solenoid valves (per ADV) open and align to supply air to the underside of the actuator piston. The air pressure under the actuator piston opposes the spring tension above the piston. An increased air pressure under the piston allows the actuator piston to move upward, raising the plug, and increasing flow through the valve dump.

In the "close" mode, the solenoid valves close and align to vent the air from the ADV to the atmosphere. The spring tension above the piston provides the driving force to close the valve.

[Figures 6.8.1-1 and 6.8.1-2: schematics of the Atmospheric Dump System]

The Class 1E 125 VDC Power System provides power to the solenoid valves that control the ADVs. The solenoid valves are designed to fail "open" in the exhaust position; therefore, the ADVs fail closed on loss of electrical power.

Air supply to the ADVs is provided by the turbine building instrument air header. Should instrument air be lost, a nitrogen accumulator supplies backup pressure automatically. The ADVs are designed to fail closed on a loss of air pressure.

Cooldown can also be accomplished through manual operation of the atmospheric dump valves. Each valve has a handwheel that can be operated locally to override the actuator spring.

The Atmospheric Dump support system dependency diagram is provided in Figure 6.8.1-3.

6.8.2 Assumptions

The following assumptions were made in performing the fault tree analyses:

1. The operator is required to open or close the ADVs from the control room. (No automatic signal is assumed.) The ADVs can also be manually opened or closed with a handwheel.
2. The solenoid valves receive the following power supplies:

   HY184A and HY179A: 125 VDC Bus E-PKA-M41
   HY178A and HY185A: 125 VDC Bus E-PKB-M42
   HY184B and HY179B: 125 VDC Bus E-PKB-M43
   HY178B and HY185B: 125 VDC Bus E-PKD-M44

3. Air pressure to the ADVs can be supplied by either the Instrument Air System or a nitrogen accumulator if Instrument Air is unavailable.
4. The ADVs fail closed on loss of power or loss of instrument air.

FIGURE 6.8.1-3 ATMOSPHERIC DUMP SYSTEM SUPPORT SYSTEM DEPENDENCY DIAGRAM

[Dependency matrix. Columns: ADV HV184 on SG-1; ADV HV178 on SG-1; ADV HV179 on SG-2; ADV HV185 on SG-2. Rows: Onsite AC Non-1E; Offsite AC; 125V DC Class 1E (Division A, Division B); 120V AC Class 1E (Division A, Division B); Instrument Air; Cooling Water (Loop A, Loop B); ESFAS (Channel A, Channel B).]

Note: For this system Instrument Air has a nitrogen backup.

5. The eight solenoid valves HY184A and B, HY178A and B, HY185A and B, and HY179A and B fail open in the exhaust position on loss of power, thereby preventing air and nitrogen from opening the ADVs.
6. Nitrogen accumulator isolation valves PV313B, PV306A, PV306B and PV313A open on loss of Instrument Air and fail open on loss of Offsite Power.
7. The following operator actions were considered:

  • manually opening the solenoid valves from the control room,
  • manually closing the solenoid valves from the control room,
  • manually closing the ADVs with a handwheel.

6.8.3 Results

For the SGTR event trees where offsite power is available at the time of the initiating event, fault tree logic diagrams were used to evaluate the following ADS failure modes:

  • Failure to open one of two ADVs on SG-1
  • Failure to open one of two ADVs on SG-2
  • Failure to close both ADVs on SG-1
  • Failure to close both ADVs on SG-2

For the SGTR event trees where offsite power is unavailable at the time of the initiating event, the above failure modes were re-evaluated. For the Spurious PORV LOCA event tree, a fault tree model was used to determine the probability of failing to open one of four ADVs.

The quantitative results of the analyses are presented as Cases One through Seven respectively in Table 6.8.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th to the 50th percentile. The results of Cases Two and Four indicate that loss of offsite power is not a significant contributor to the unavailability of the ADVs.

Table 6.8.3-2 contains a list of the dominant cutsets for each case presented in Table 6.8.3-1. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.8.3-1 FAILURE PROBABILITIES FOR PVNGS ATMOSPHERIC DUMP SYSTEM

| Case Number | Description | Failure Probability (Median Value) | Error Factor |
|---|---|---|---|
| One | Failure to open ADV HV184 or ADV HV178 on SG-1. System Unavailability given offsite power available | 1.6E-2 | 4 |
| Two | Failure to open ADV HV184 or ADV HV178 on SG-1. System Unavailability given offsite power unavailable | 1.6E-2 | 4 |
| Three | Failure to open ADV HV185 or ADV HV179 on SG-2. System Unavailability given offsite power is available | 1.6E-2 | 4 |
| Four | Failure to open ADV HV185 or ADV HV179 on SG-2. System Unavailability given offsite power is unavailable | 1.6E-2 | 4 |
| Five | Failure to close ADV HV184 and ADV HV178 on SG-1. System Unavailability | 3.4E-3 | 6 |
| Six | Failure to close ADV HV185 and ADV HV179 on SG-2. System Unavailability | 3.4E-3 | 6 |
| Seven | Failure to open one of four ADVs. System Unavailability | 1.6E-2 | 4 |

TABLE 6.8.3-2 DOMINANT CUTSETS FOR PVNGS ATMOSPHERIC DUMP SYSTEM

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| One | 1. DVS02173 | Operator fails to generate open signal | >99% |
| Two | 1. DVS02173 | Operator fails to generate open signal | >99% |
| Three | 1. DVS02196 | Operator fails to generate open signal | >99% |
| Four | 1. DVS02196 | Operator fails to generate open signal | >99% |
| Five | 1. DVS02155 | Operator fails to generate close signal | 33% |
| Five | 2. DVPB2160 | ADV HV178 mechanical malfunction (FTC) | 33% |
| Five | 3. DVPB2156 | ADV HV184 mechanical malfunction (FTC) | 33% |
| Six | 1. DVS02164 | Operator fails to generate close signal | 33% |
| Six | 2. DVPB2169 | ADV HV179 mechanical malfunction (FTC) | 33% |
| Six | 3. DVPB2165 | ADV HV185 mechanical malfunction (FTC) | 33% |
| Seven | 1. DVS02173 | Operator fails to generate open signal | >99% |

6.9 MAIN STEAM SAFETY VALVES

The MSSVs are included in various manners as branches in the systemic/action level event trees. For the Loss of Heat Sink event trees, the probability of failing to provide sufficient heat removal with the MSSVs is included in the branch titled "Failure to Remove Secondary Steam". Following a reactor/turbine trip, RCS heat is removed from the steam generators by operation of the TBVs, ADVs or MSSVs respectively. Cooldown can be initiated using one SG. Failure of the TBVs and ADVs to remove secondary steam results in a demand for the MSSVs to open. The probability of failing to remove secondary steam is conservatively defined as the probability of failing to remove secondary steam with the MSSVs.

The MSSVs are modelled in the Spurious PORV LOCA event tree as the branch "Failure to Open MSSVs".

For the SGTR event trees, fault tree logic diagrams were used to evaluate the probability of failing to reclose one MSSV given:

  • one MSSV opens on the affected (or most or least affected) SG
  • six MSSVs open on the affected (or most or least affected) SG

6.9.1 System Description

A schematic of the PVNGS MSSVs is presented in Figure 6.9.1-1. The spring-loaded MSSVs provide overpressure protection for the secondary side of the steam generator and the main steam piping. Each main steam line is provided with five safety valves (ten valves per steam generator). The total relieving capacity of the safety valves is 11.13 x 10^6 lb/hr per steam generator. The valve setpoints are as follows:

[Figure 6.9.1-1: schematic of the PVNGS Main Steam Safety Valves]

Lift Settings

   1250 psig
   1290 psig
   1315 psig
   1315 psig
   1315 psig

Note: Two valves per SG at each setpoint.

Successful operation of a MSSV requires the valve to open at the proper pressure setpoint and to reclose upon decreased pressure.

6.9.2 Assumptions

For the Loss of Secondary Heat Sink event trees and the spurious PORV LOCA event tree the following assumptions were made in performing the reliability analyses:

1. Failure to Remove Secondary Steam and Failure to Open MSSVs are defined as the failure to open one of ten MSSVs on either steam generator.
2. The ten main steam safety valves on one steam generator are independent of the main steam safety valves on the other steam generator.

3. Failure of a MSSV is defined as failure to open when the pressure in the associated steam generator equals or exceeds the setpoint pressure of the valve.

For the SGTR event trees, the following assumptions were made in performing the fault tree analyses:

1. One MSSV Fails to Reclose is defined as one MSSV failing to terminate steam flow after secondary pressure has decreased below the valve lift setting.

2. If the TBS is unavailable following turbine trip, six MSSVs per SG will open.

6.9.3 Results

For the Loss of Secondary Heat Sink event trees and Spurious PORV LOCA event tree, the probability of failing to open 1 of 10 MSSVs on either SG was determined to be 10^-9. Therefore, a probability of 10^-9 with an associated error factor of 10 was assumed.

For the SGTR event trees, fault tree logic diagrams were used to evaluate the following failure probabilities:

  • One MSSV on the affected or most affected SG fails to reclose (MSSV PSV-692 on SG-1)
  • One MSSV on the unaffected or least affected SG fails to reclose (MSSV PSV-695 on SG-2)
  • One MSSV on the affected or most affected SG fails to reclose given the TBS is unavailable following turbine trip. (Six valves on SG-1 are assumed to open.)
  • One MSSV on the unaffected or least affected SG fails to reclose given the TBS is unavailable following turbine trip. (Six valves on SG-2 are assumed to open.)

The quantitative results of the analyses are presented as Cases One through Six respectively in Table 6.9.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th to the 50th percentile.

TABLE 6.9.3-1 FAILURE PROBABILITIES FOR PVNGS MSSVs

| Case Number | Description | Failure Probability (Median Value) | Error Factor |
|---|---|---|---|
| One | Failure to Remove Secondary Steam - System Unavailability | 1.0E-9 | 10 |
| Two | Fail to Open MSSVs - System Unavailability | 1.0E-9 | 10 |
| Three | One MSSV on SG-2 fails to reclose - System Unavailability | 1.0E-2 | 3 |
| Four | One MSSV on SG-1 fails to reclose - System Unavailability | 1.0E-2 | 3 |
| Five | One MSSV on SG-1 fails to reclose given TBS is unavailable following turbine trip - System Unavailability | 6.1E-2 | 3 |
| Six | One MSSV on SG-2 fails to reclose given TBS is unavailable following turbine trip - System Unavailability | 6.1E-2 | 3 |


6.10 MAIN FEEDWATER SYSTEM

For the Loss of Secondary Heat Sink event trees, an analysis was performed to determine the frequency of loss of main feedwater events. The analysis includes a review of initiating events which result in a reactor/plant trip condition and a fault tree analysis to determine the probability of loss of the post-trip 5% MFW flow.

The frequency of Loss of Main Feedwater Events is defined as the frequency of automatic plant/reactor trip events and the probability of loss of post-trip 5% Main Feedwater Flow. Included in this definition are plant trips that are a result of perturbations in the main feedwater system or its support systems as well as malfunctions in other plant systems. The resulting frequency represents the frequency of total loss of Main Feedwater events.

System perturbations or malfunctions that result in reactor/plant trip events were determined based on Reference (15) and operating experience. Reference (15) provides a list of PWR initiating events, their frequency of occurrence and the associated error factors. These initiating events were divided into three categories based on their subsequent impact on main feedwater system operation (Table 6.10-1).

Initiating events which have a direct impact on the probability of the main feedwater system providing post-trip 5% flow comprise Category 1 initiating events. This includes failures within the main feedwater system, electrical power distribution system, condenser and circulating water system. To account for the PVNGS-specific feedwater system design, the main feedwater system and electrical power distribution have been modeled at the component level in the fault tree logic diagram. Therefore, system/component failures which result in a trip condition and impact the operation of post-trip 5% flow are treated directly in the fault tree logic diagram.

TABLE 6.10-1 LOSS OF MAIN FEEDWATER PLANT TRIP EVENTS

Category 1:

  • Loss or reduction of feedwater flow (1 loop)
  • Total loss of feedwater flow (all loops)
  • Loss of condensate pump (1 loop)
  • Loss of condensate pumps (all loops)
  • Loss of condenser vacuum
  • Loss of power to necessary plant systems
  • Increase in feedwater flow (1 loop)
  • Increase in feedwater flow (all loops)
  • Feedwater flow instability, misc. mechanical causes
  • Loss of circulating water
  • Loss of offsite power

Category 2:

  • Generator trip or generator caused faults
  • Loss of 125 VDC Class 1E Bus
  • Full or partial closure of MSIV (1 loop)
  • Closure of all MSIV
  • Sudden opening of steam relief valves
  • Loss of component cooling
  • Loss of service water system
  • Turbine trip, throttle valve closure, EHC problems
  • Partial loss of RCS flow
  • Total loss of RCS flow

Category 3:

  • Spurious trip, cause unknown
  • Auto trip, no transient condition
  • Pressurizer spray failure
  • CEDM problems / rod drop
  • Leakage from control rods
  • Low pressurizer pressure
  • High pressurizer pressure
  • Inadvertent safety injection signal
  • Containment pressure problems
  • Pressure / temperature / power imbalance - rod position error
  • Pressurizer leakage
  • Misc. leakage in secondary system

Category 2 initiating events include those events which have a potential interaction with systems modeled in the Loss of Secondary Heat Sink event trees. This category of events includes failures of secondary or primary systems that influence the establishment of a secondary heat sink. Category 2 events are modeled as separate events in the fault tree logic diagram.

The initiating events in Category 3 are those events which do not have a direct impact on the main feedwater system or the Loss of Secondary Heat Sink event trees. These events do, however, result in a reactor trip and require a secondary heat sink to prevent core damage. Category 3 events have been combined and are represented in the fault tree logic diagram as "Additional Trip Events."

Several initiating events are outside the scope of this analysis and are not addressed (Table 6.10-2). Steam Generator Tube Rupture is addressed in a separate analysis. The plant is assumed to be operating in the automatic mode at the time of the initiating event. Therefore, manual trips and operator error feedwater instability are not addressed.

TABLE 6.10-2 INITIATORS EXCLUDED FROM LOSS OF MAIN FEEDWATER ANALYSIS

  • Loss of coolant accidents
  • Uncontrolled rod withdrawal
  • Leakage in primary system
  • CVCS malfunction - boron dilution
  • Startup of inactive coolant pump
  • Feedwater flow instability - operator error
  • Steam generator leakage
  • Manual trip - no transient condition

For the Spurious or Transient Induced PORV LOCA event tree, a fault tree logic diagram was used to evaluate the probability of failing to deliver 5% MFW flow to both steam generators. For the PORV LOCA following SGTR event tree, a fault tree model was used to determine the probability of failing to deliver 5% MFW flow to the unaffected steam generator.

6.10.1 System Description

A schematic of the PVNGS Condensate and Main Feedwater System is presented in Figure 6.10.1-1. The condensate and feedwater system consists of motor driven condensate pumps, low pressure feedwater heaters, heater drain tanks and pumps, feedwater pumps and drive turbines, and high pressure feedwater heaters.

Three 50% capacity condensate pumps are provided, taking suction from the main condenser hotwells. The condensate pumps discharge into the low-pressure feedwater heaters. During abnormal condensate water chemistry the condensate is passed through the polishing demineralizers before going to the feedwater heaters. The system is designed to permit continued full-load operation of the plant with one of three condensate pumps unavailable. The low-pressure feedwater heaters are mounted in the condenser neck.

From the intermediate-pressure heaters the feedwater is pumped, by two 65% capacity turbine-driven main feedwater pumps, to the high pressure feedwater heaters. The main feedwater pumps are single-stage, horizontal, centrifugal pumps capable of variable speed and parallel operation. The feedwater pump speed is controlled by the three-element control system that regulates the feedwater flow to each steam generator.

The feedwater pumps discharge into a common header which branches into two lines. The outlets of the heaters merge into a common line where the two feedwater streams are mixed to provide the SGs with feedwater of equal temperature. The feedwater flow again branches into two parallel lines which conduct feed flow to the SG system. The flow is then split into two streams with the greater amount entering the steam generator economizer section. The smaller amount of feedwater enters the downcomer section. The feedwater economizer and downcomer control valves and containment isolation valves are located outside the containment.

[Figure 6.10.1-1: schematic of the PVNGS Condensate and Main Feedwater System]

The Main Feedwater support system dependency diagram is provided in Figure 6.10.1-2.

6.10.2 Assumptions

The following assumptions were made in performing the frequency evaluation for the Loss of Secondary Heat Sink event trees and the fault tree analysis for the PORV LOCA event trees:

1. For the Loss of Secondary Heat Sink event trees, Loss of Main Feedwater is defined as the occurrence of an automatic plant/reactor trip or load rejection event with the subsequent loss of post-trip 5% main feedwater flow to both steam generators.
2. For the Spurious or Transient Induced PORV LOCA event tree, Failure to Deliver 5% MFW is defined as failing to deliver 5% MFW flow to at least one steam generator.
3. For the PORV LOCA following SGTR event tree, Failure to Deliver 5% MFW to One SG is defined as failing to deliver 5% MFW flow to the unaffected SG.
4. The minimum equipment required to maintain main feedwater operating flow for 50 - 100% power operation includes:

   2 Main Feedwater Pumps
   2 Heater Drain Pumps
   2 Condensate Pumps
   Circulating Water System
   Condenser

FIGURE 6.10.1-2 MAIN FEEDWATER SYSTEM SUPPORT SYSTEM DEPENDENCY DIAGRAM

[Dependency matrix. Rows: Onsite AC Non-1E; Offsite AC; Onsite AC Class 1E (Division A, Division B); 125V DC Class 1E (Division A, Division B); Instrument Air; Cooling Water (Loop A, Loop B); ESFAS (Channel A, Channel B).]

Notes:
1. For this system Instrument Air has a nitrogen backup.
2. The MFIVs are assumed to close on spurious MSIS or CIAS.

5. The minimum equipment required to provide 5% MFW flow to 1 SG includes:

   1 Main Feedwater Pump
   1 Condensate Pump
   1 Downcomer Bypass Feed Control Valve
   Condensate Hotwell

6. The Feedwater System and support systems are in the normal, automatic mode of operation at the time of the initiating event.
7. The plant is operating at 50 - 100% power at the time of the initiating event.
8. One condensate pump (Pump C) is unavailable due to maintenance.
9. No operator action to restore main feedwater system is taken.
10. Main Feedwater Pumps trip on:

   High pump discharge pressure
   Low net positive suction head
   Low pump lube oil pressure
   Pump turbine driver overspeed
   Turbine driver exhaust low vacuum
   Turbine thrust-bearing wear excessive
   Low turbine lube oil pressure
   Turbine vibration high

11. Class Non-1E DC Power is available before and after reactor-turbine trip.
12. Condensate pumps will trip on low hotwell level.

13. Failure of the feedwater heaters does not prevent delivery of feedwater flow.

6.10.3 Results

For the Loss of Secondary Heat Sink event trees, a fault tree logic diagram was used to determine the frequency of Loss of Main Feedwater. For the PORV LOCA event trees, fault tree logic diagrams were used to evaluate the probability of failing to deliver 5% MFW flow to a single SG and to one of two steam generators.

The quantitative results of the analyses are presented as Cases One through Three respectively in Table 6.10.3-1. The confidence distributions of the initiating event frequency and failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th to the 50th percentile.

Table 6.10.3-2 contains a list of the dominant cutsets for each case presented in Table 6.10.3-1. Included in the table is a brief description of each cutset as well as the percent contribution to the total frequency or failure probability. The percentage is based on a point estimate ratio.

TABLE 6.10.3-1 INITIATING EVENT FREQUENCY AND FAILURE PROBABILITIES FOR PVNGS MAIN FEEDWATER SYSTEM

| Case Number | Description | Failure Probability (Median Value) | Error Factor |
|---|---|---|---|
| One | Loss of Main Feedwater Initiating Event Frequency | 1.12 per year | 3 |
| Two | Fail to deliver 5% MFW to the unaffected SG given PORV LOCA following SGTR - System Unavailability | 1.4E-2 | 4 |
| Three (a) | Fail to deliver 5% MFW to at least one of two SGs given spurious or Transient Induced PORV LOCA - System Unavailability: Manual PORV Design | 1.4E-2 | 4 |
| Three (b) | Fail to deliver 5% MFW to at least one of two SGs given spurious or Transient Induced PORV LOCA - System Unavailability: Automatic PORV Design | 5.2E-2 | 2 |

TABLE 6.10.3-2 DOMINANT CUTSETS FOR PVNGS MAIN FEEDWATER SYSTEM

| Case Number | Cutset | Description | % of Total Failure Probability |
|---|---|---|---|
| One | 1. MPMC2365 | Loss of Condenser Vacuum Pumps | 33% |
| One | 2. FSMQ2351 | Spurious MSIS | 7.4% |
| One | 3. MZZZ2368 | Loss of Circulating Water System | 7.4% |
| Two | 1. EBGP2682 | Grid Collapse Following TT | 9.7% |
| Two | 2. EBFA2697 | Unit Auxiliary Transformer for E-NAN-S01 Transfer Breaker Fails to Open | 9.7% |
| Three (a) Manual PORV Design | 1. EBGP2682 | Grid Collapse Following TT | 9.9% |
| Three (a) Manual PORV Design | 2. EBFA2697 | Unit Auxiliary Transformer Transfer Breaker Fails to Open | 9.9% |
| Three (a) Manual PORV Design | 3. EBFB2699 | Bus E-NAN-S01 Fast Transfer Breaker Fails to Close | 9.9% |
| Three (b) Automatic PORV Design | 1. EBGP2680 | Spurious Grid Collapse | 81% |
| Three (b) Automatic PORV Design | 2. ECBV2810 | Battery E-NKN-F17 Unavailable | 2% |

1089b(83G13)bt-67 6.11 AUXILIARY FEEDWATER SYSTEM h Various functional modes of the Auxiliary Feedwater System were evaluated for input to the system / action level event trees. For the Loss of Secondary Heat Sink and PORV LOCA event trees, a fault tree logic diagram was used to determine the following failure probabilities: e Failure to deliver AFW to at least one SG e Failure to deliver AFW to at least one SG given loss of MFW as the initiating event e Failure to deliver AFW to at least one SG given a spurious or transient induced PORV LOCA as the initiating event and condi-tional on loss of 5% MFW flow to both SGs e Failure to deliver AFW to the unaffected SG given a PORV LOCA following SGTR as the initiating event and conditional on loss g of 5% MFW flow to the unaffected SG. For the SGTR event trees, fault tree logic diagrams were used to determine the following probabilities: , o Excess AFW flow to the affected or most affected SG e Excess AFW or MFW flow to the least affected SG given offsite power is available at the time of the initiating event e Excess AFW flow to the least affected SG given offsite power is unavailable at the time of the initiating event The fault tree logic diagram for Failure to Deliver AFW models the AFW System from the condensate water sources to the steam generators including pumps, valves, the electrical power distribution system, the turbine O 6-92

,                         1089b(83G13)bt-68 O                  driver and control systems. Not modeled are drain lines, drain valves, piping, miniflow lines, and connection lines which are small in size.

Failure of these components has little impact on the total system failure probability. The fault tree logic diagram incorporates the contribution to system failure from random system failures, test and maintenance, human error and common cause failures. Random system failures reflect the system malfunctions that occur as a result of random component failures. The contribution to system failure from test and maintenance is addressed by considering the associated system unavailability. The plant technical specifications limit the amount of time an auxiliary feedwater pump or associated train may be out of service to 72 hours while at power operations. All system components were reviewed for possible contribution to maintenance unavailability.

AFW motor-operated regulating and isolation valves are maintained only during plant shutdown (per technical specifications). These valves do not contribute to the maintenance unavailability of the AFWS.

Pump maintenance consists of a range of actions from major disassembly to packing adjustment. For the AFW pumps, most maintenance performed requires isolation of the pump from the system and, therefore, contributes to the maintenance unavailability of the pump train. Because of the lack of operating history for PVNGS, the maintenance unavailability of the different pump trains was determined based on generic values from WASH-1400 (16). From WASH-1400, the expected frequency of pump maintenance is one act every 4.5 months. This maintenance is assumed to include the pump, the driver (turbine or motor), and associated control circuits. The maintenance duration is limited to 72 hours by technical specifications. The lognormal mean maintenance duration is 19 hours. Based upon these assumptions, maintenance unavailability contributions for the AFW pump trains were determined.

Testing of the AFW System consists of surveillance and flow testing to satisfy the plant technical specifications and ASME requirements. Monthly testing is performed on each AFW pump. For each test, the pump is manually started and tested for a minimum flow and differential pressure on the bypass recirculation flow line. If the AFWS is required to operate, local operator action is required to align the train to provide AFW flow. The unavailability due to testing was determined by assuming an average test duration of 1.4 hours (7) and 12 tests per year. Failure to close the bypass recirculation flowline after pump testing was also considered.

The Auxiliary Feedwater motor-operated regulating and isolation valves are tested every 18 months. The test involves the operator verifying that each automatic valve actuates to its correct position upon receipt of an AFAS. The valves are also verified to be in the correct position every 30 days. Testing of the motor-operated valves does not contribute to AFW System unavailability since the valve is capable of responding to an AFAS or providing AFW flow to the SGs.

Monthly testing is also assumed to be performed separately on the AFAS. For each train, the actuation or control logic matrix and circuitry are tested. This testing does not impact the availability of the AFW System.

Human interaction with the AFW System that results in system unavailability has also been considered. Human error resulting in the misalignment of the AFW pump manual valves (suction, discharge and bypass recirculation line) is included directly in the fault tree analysis. The AFW manual suction and discharge valves are normally open valves. The AFW pump bypass recirculation line valves are normally closed and are opened for pump flow testing. It should be noted that the monthly flow test on the AFW pumps provides indication of the suction manual valves position.

Operator action to restore the Auxiliary Feedwater System as a response to system failure on demand is not included. Restoration of auxiliary feedwater is addressed in a separate task analysis. The restoration analysis is presented in Section 6.17.

The method used to perform the common cause failure analysis is based on the system logic model. The fault tree logic diagram was used to determine the failure characteristics of the system. A search was then performed to identify potential common failure causes for the dominant failure characteristics of the system. Common cause contribution to system unavailability was found to be primarily due to common human failures. Human failure resulting in misalignment of manual valves has been addressed in the maintenance contribution. In addition, there is a potential for common miscalibration errors to be applied to all instruments of a particular set. The AFAS and was reviewed for possible miscalibration errors. During periodic calibrations, a single technician or group of technicians performs the tests necessary to ensure instrument accuracy. These tests are usually performed sequentially among identical channels. This leads to a close coupling between acts. However, most calibration errors do not result in an instrument that fails to provide the proper signal due to system diversity and redundancy. The PVNGS AFAS is a two train system with multiple channels.

6.11.1 System Description

A schematic of the PVNGS Auxiliary Feedwater System is presented in Figure 6.11.1-1. The AFW System is designed to supply an assured source of water to the steam generators during normal plant startup and shutdown in the event of loss of main feedwater supply. The AFW System will start automatically on actuation of an auxiliary feedwater actuation signal (AFAS). The AFW System maintains flow control during system operation.

[FIGURE 6.11.1-1: AUXILIARY FEEDWATER SYSTEM. Schematic not reproduced. Figure note: Pump train intersects Main Feedwater line upstream of the MFW isolation and control valves. Refer to Figure 6.17.4-1.]

The AFWS consists of one Seismic Category I motor-driven pump, one Seismic Category I steam turbine-driven pump, one non-Seismic Category I motor-driven pump, associated valves, piping, controls, and instrumentation. The primary source of auxiliary feedwater is the condensate storage tank. The Seismic Category I motor-driven pump and all motor-operated valves receive power from both onsite and offsite power sources. In the event of a loss of offsite power, power to the motor-driven pump is supplied by a standby diesel generator. The turbine-driven pump is supplied with steam from the main steam lines of either steam generator upstream of the MSIVs.

Signals from the AFAS start the Seismic Category I motor-driven and turbine-driven pumps, shut all isolation valves, and open the associated isolation valves to the downcomer nozzles of the steam generators. The non-Seismic Category I motor-driven pump is started manually. Its associated valves are powered from Class 1E sources and are opened manually from the control room. Operation of the non-Seismic Category I, non-essential pump is considered in the AFW Restoration Analysis, Section 6.17. The AFWS unavailability analysis includes only the Seismic Category I essential pumps and associated valves.

The Auxiliary Feedwater support system dependency diagram is provided in Figure 6.11.1-2.

6.11.2 Assumptions

The following assumptions were made in performing the fault tree analyses for the Loss of Secondary Heat Sink event trees and the PORV LOCA event trees:

1. Operation of the non-essential motor-driven AFW pump is not included in the AFW unavailability analysis but is addressed in the AFW Restoration Analysis in Section 6.17. In addition, the AFW analysis does not credit the capability to transfer AFW flow from Units 2 or 3 to Unit 1.

2. For the Loss of Secondary Heat Sink and Spurious or Transient Induced PORV LOCA event trees, Failure to Deliver AFW is defined as failing to deliver sufficient AFW flow to at least one SG.

[FIGURE 6.11.1-2: AUXILIARY FEEDWATER SUPPORT SYSTEM DEPENDENCY DIAGRAM. Diagram not reproduced. Components shown: non-essential AFW pump, AFW pump AFA-P01, AFW pump AFB-P01. Support systems shown: Onsite AC Non-1E; Offsite AC; Onsite AC Class 1E, Divisions A and B; 125V DC Class 1E, Divisions A and B; Instrument Air; Cooling Water, Loops A and B; ESFAS, Channels A and B. Figure notes: (1) MFW Downcomer Isolation and Control Valves. For this system Instrument Air has a nitrogen backup. (2) The AFAS closes valves UV4 and UV1.]

3. For the PORV LOCA following SGTR event tree, Failure to Deliver AFW to One SG is defined as failing to deliver sufficient AFW flow to the unaffected SG.
4. Sufficient AFW flow is defined as flow from one AFW pump delivered to at least one SG.
5. Passive failures (breach of pressure boundary events) of the AFW system are not considered. Pipe rupture and missile evaluations are not within the scope of work.
6. Operator action to manually actuate the AFW system or to re-establish AFW flow is not considered. Recovery of the AFW system is addressed in a separate analysis (Section 6.17).
7. The startup suction strainers located in the suction line of each AFW pump have been removed.

8. System boundaries are defined to be the SG inlet nozzles to the condensate water storage tank.

9. For the SGTR event trees, Excess Feedwater flow is defined as continued undesired feedwater delivery to the affected (or most or least affected) SG.

6.11.3 Results

The fault tree logic diagram for Failure to Deliver AFW was used to determine the probability of failing to deliver sufficient AFW flow to at least one SG. For the Loss of Secondary Heat Sink event trees, the probability of failing to deliver AFW is conditional on the initiating event, Loss of Main Feedwater, i.e., the dependencies which exist between the MFW System and AFW System have been incorporated into the AFW System failure probability. For the Spurious or Transient Induced PORV LOCA event tree, the probability of failing to deliver AFW is conditional on the loss of 5% MFW flow to both steam generators. For the PORV LOCA following SGTR event tree, only the portion of the logic diagram including flow to one SG was used to generate a failure probability for Failure to Deliver AFW to the unaffected SG. For this event tree, the probability of failing to deliver AFW to the unaffected SG is conditional on the loss of 5% MFW flow to the unaffected SG and the dependencies which exist between the two systems have been incorporated into the AFW System failure probability. It should be noted that the results of the above analyses do not include operator action to initiate or restore Auxiliary Feedwater flow or operation of the non-essential auxiliary feedwater pump.

For the SGTR event trees, fault tree logic diagrams were used to determine the following probabilities:

• Excess AFW flow to the affected or most affected SG
• Excess AFW or MFW flow to the least affected SG given offsite power is available at the time of the initiating event
• Excess AFW flow to the least affected SG given offsite power is unavailable at the time of the initiating event.

The quantitative results of the analyses are presented as Cases One through Seven respectively in Table 6.11.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th percentile to the 50th percentile.

Table 6.11.3-2 contains a list of the dominant cutsets for each case presented in Table 6.11.3-1. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.11.3-1
FAILURE PROBABILITIES FOR PVNGS AUXILIARY FEEDWATER SYSTEM

Case Number | Description | Failure Probability (Median Value) | Error Factor
One | Failure to deliver AFW to at least one SG - System Unavailability | 1.3E-3 | 7
Two | Failure to deliver AFW to at least one SG given loss of MFW - System Unavailability | 1.6E-3 | 7
Three | Failure to deliver AFW to at least one SG given loss of 5% MFW to both SGs - System Unavailability | |
Three (a) | Manual PORV Design | 2.1E-3 | 3 7
Three (b) | Automatic PORV Design | 2.4E-3 | 6
Four | Failure to deliver AFW to the unaffected SG given PORV LOCA following SGTR and Loss of 5% MFW to the unaffected SG - System Unavailability | 2.9E-3 | 6
Five | Excess AFW to the affected or most affected SG given a SGTR - System Unavailability | 2.8E-4 | 14
Six | Excess AFW or MFW to the least affected SG given offsite power is available at the time of the initiating event (SGTR) - System Unavailability | 3.0E-4 | 16
Seven | Excess AFW to the least affected SG given offsite power is unavailable at the time of the initiating event (SGTR) - System Unavailability | 2.8E-4 | 14

Note 1: These values do not include operator action to initiate or restore AFW flow or operation of the non-essential AFW pump. See Section 6.17 for restoration analysis.

TABLE 6.11.3-2
DOMINANT CUTSETS FOR PVNGS AUXILIARY FEEDWATER SYSTEM

Case Number | Cutset | Description | % of Total Failure Probability
One | 1. APTA2414 and APMV2399 | Turbine pump fails to start and Motor pump in maintenance | 12.4%
One | 2. FSER2029 and FSER2417 | AFAS-2 failure and AFAS-1 failure | 10.5%
One | 3. APTV2398 and AVNZ2427 | Turbine pump in maintenance and Motor pump suction valve closed | 6.5%
One | 4. APMV2399 and AVNS2410 | Motor pump in maintenance and Turbine pump suction valve closed | 6.5%
Two | 1. APTA2414 and APMV2399 | Turbine pump fails to start and Motor pump in maintenance | 9.7%
Two | 2. FSER2029 and FSER2417 | AFAS-2 failure and AFAS-1 failure | 8.2%
Two | 3. APTV2398 and AVNZ2427 | Turbine pump in maintenance and Motor pump suction valve closed | 5.0%
Two | 4. APMV2399 and AVNZ2410 | Motor pump in maintenance and Turbine pump suction valve closed | 5.0%
Three (a) Manual PORV Design | 1. APTA2414 and APMV2399 | Turbine pump fails to start and Motor pump in maintenance | 6.6%
Three (a) Manual PORV Design | 2. FSER2029 and FSER2417 | AFAS-2 failure and AFAS-1 failure | 5.6%
Three (a) Manual PORV Design | 3. APTA2414 and EDDJ2817 and EBGP2682 | Turbine pump fails to start and DG E-PEB-G002 fails to start and Grid collapse on turbine trip | 4.2%
Three (b) Automatic PORV Design | 1. APTA2414 and APMV2399 | Turbine pump fails to start and Motor Pump in Maintenance | 8%
Three (b) Automatic PORV Design | 2. FSER2029 and FSER2417 | AFAS-2 Failure and AFAS-1 Failure | 6%
Four | 1. AVCA2397 | Check valve V079 fails to open | 8.8%
Four | 2. APTA2414 and APMV2399 | Turbine pump fails to start and Motor pump in maintenance | 5.1%
Four | 3. FSER2029 and FSER2417 | AFAS-2 failure and AFAS-1 failure | 4.3%
Five | 1. AICP2970, AZZ02971 | AFW flow control system malfunction; Operator fails to take action | 100%
Six | 1. AICP2972, AZZO2973 | AFW flow control system malfunction; Operator fails to take action | 97%
Six | 2. MICP2974, MZZ02975 | Feedwater control system malfunction; Operator fails to take action | 3%
Seven | 1. AICP2972, AZZ02973 | AFW flow control system malfunction; Operator fails to take action | 100%
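The quantification steps this section describes (maintenance and test unavailability from the stated inputs, cutset percentages from a point estimate ratio, and a median with an error factor) can be traced in a short calculation. This is an added example, not code or data from the report: the lognormal form of the uncertainty distributions, the 720-hour month, the use of each point value as a median, and every basic event value other than the maintenance unavailability are assumptions, so its percentages are not those of Table 6.11.3-2.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution


def maintenance_unavailability(interval_months, mean_duration_h):
    """Mean outage hours per maintenance interval (720 h per 30-day month)."""
    return mean_duration_h / (interval_months * 720.0)


def surveillance_unavailability(tests_per_year, duration_h):
    """Fraction of the year a pump train is aligned for its flow test."""
    return tests_per_year * duration_h / 8760.0


def lognormal_mean(median, error_factor):
    """Mean of a lognormal whose error factor is its 95th / 50th percentile."""
    sigma = math.log(error_factor) / Z95
    return median * math.exp(sigma ** 2 / 2.0)


# Page inputs: one maintenance act every 4.5 months, 19 h mean duration.
Q_MAINT = maintenance_unavailability(4.5, 19.0)

# Basic event -> (median, error factor). Event IDs are from Table 6.11.3-2;
# every number except Q_MAINT is constructed for illustration.
BASIC_EVENTS = {
    "APTA2414": (3.0e-2, 3.0),   # turbine pump fails to start
    "APMV2399": (Q_MAINT, 3.0),  # motor pump in maintenance
    "APTV2398": (Q_MAINT, 3.0),  # turbine pump in maintenance
    "FSER2029": (1.2e-2, 3.0),   # AFAS-2 failure
    "FSER2417": (1.2e-2, 3.0),   # AFAS-1 failure
    "AVNZ2427": (1.0e-2, 3.0),   # motor pump suction valve closed
    "AVNS2410": (1.0e-2, 3.0),   # turbine pump suction valve closed
}

# The four Case One cutsets listed in Table 6.11.3-2 (the full model has more).
CUTSETS = [
    ("APTA2414", "APMV2399"),
    ("FSER2029", "FSER2417"),
    ("APTV2398", "AVNZ2427"),
    ("APMV2399", "AVNS2410"),
]


def cutset_probability(cutset, values):
    """Product of the basic event probabilities in one minimal cutset."""
    return math.prod(values[event] for event in cutset)


def top_event(values):
    """Rare-event approximation: sum of the minimal cutset probabilities."""
    return sum(cutset_probability(c, values) for c in CUTSETS)


def contributions():
    """Percent of the point-estimate total carried by each cutset."""
    point = {event: median for event, (median, _) in BASIC_EVENTS.items()}
    total = top_event(point)
    return [100.0 * cutset_probability(c, point) / total for c in CUTSETS]


def propagate(trials=20000, seed=1983):
    """Monte Carlo median and error factor (95th / 50th) of the top event."""
    rng = random.Random(seed)
    params = {e: (math.log(m), math.log(ef) / Z95)
              for e, (m, ef) in BASIC_EVENTS.items()}
    tops = []
    for _ in range(trials):
        # One draw per basic event per trial, so APMV2399 takes the same value
        # in both cutsets that contain it.
        sample = {e: min(1.0, rng.lognormvariate(mu, sigma))
                  for e, (mu, sigma) in params.items()}
        tops.append(top_event(sample))
    tops.sort()
    p50 = tops[trials // 2]
    p95 = tops[int(0.95 * trials)]
    return p50, p95 / p50


if __name__ == "__main__":
    print(f"maintenance unavailability per pump train: {Q_MAINT:.2e}")
    print(f"test unavailability per pump: {surveillance_unavailability(12, 1.4):.2e}")
    print(f"mean for median 1.3E-3, EF 7: {lognormal_mean(1.3e-3, 7):.2e}")
    for cutset, pct in zip(CUTSETS, contributions()):
        print(" AND ".join(cutset), f"{pct:.1f}%")
    median, ef = propagate()
    print(f"top event median {median:.2e}, error factor {ef:.1f}")
```

The two maintenance-and-closed-suction-valve cutsets come out with equal shares because both use the same maintenance unavailability, which matches the pattern of the paired 6.5% and 5.0% entries in the table.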

6.12 STEAM GENERATOR BLOWDOWN SYSTEM

Fault tree logic diagrams were used to calculate various Steam Generator Blowdown System (SGBS) failure probabilities that were used as input to the SGTR event trees. The following fault tree models were developed for evaluation:

• Failure to Initiate Blowdown from the Affected SG (SG-2)
• Failure to Open Blowdown Isolation Valves on SG-2 (most affected SG)
• Failure to Open Blowdown Isolation Valves on SG-1 (least affected SG)
• Failure to Initiate Blowdown from Both Steam Generators (least affected and most affected SGs)

It should be noted that for SGTR with coincident LOOP, the SGBS is unavailable.

6.12.1 System Description

A schematic of the PVNGS Steam Generator Blowdown System (SGBS) is presented in Figures 6.12.1-1 and 6.12.1-2. The SGBS processes water from the tube bundle area of the steam generators. The blowdown water is filtered and purified to remove any impurities. Then, if meeting appropriate specifications, it is returned to the Condensate System for reuse. The SBCS is an integral part of the Secondary Chemistry Control System (SCCS).

Each SG is equipped with its own blowdown processing line with the capability of blowing down either the primary inlet or primary outlet regions of the SG shell side. Each blowdown line leaves the containment through its own penetration and discharges into the steam generator blowdown flash tank. The liquid portion flows through the blowdown heat exchanger to the blowdown filter where the major portion of suspended particles are removed. After filtration, the blowdown fluid is processed by the blowdown demineralizer.

[FIGURES 6.12.1-1 and 6.12.1-2: STEAM GENERATOR BLOWDOWN SYSTEM. Schematics not reproduced.]

The containment isolation valves are normally open and can be remotely operated from the main control room. These valves automatically close upon receipt of a Main Steam Isolation Signal (MSIS), an Auxiliary Feedwater Actuation Signal (AFAS) or a Safety Injection Actuation Signal (SIAS). Any of these signals will close the valves. The valves fail closed on loss of air.

The blowdown is measured for radioactivity in order to detect primary to secondary leakage. If significant steam generator tube leaks exist, blowdown flow from the demineralizer is routed to the Blowdown High Total Dissolved Solids (TDS) Sump and to the Chemical Waste Neutralizer Tank. From there, the liquid is processed by the Liquid Radwaste System (LRS) via the High TDS holdup tank.

The Blowdown support system dependency diagram is provided in Figure 6.12.1-3.

6.12.2 Assumptions

The following assumptions were made in performing the fault tree analyses:

1. System failure is defined as the inability to initiate and maintain blowdown flow from the affected (or most or least affected) steam generator following a SGTR.
2. In the event of SGTR, blowdown system boundaries are assumed to include flow to the Chemical Waste Neutralizer Tank. Flow from the tank to the Liquid Radwaste System is not modelled in the fault tree. The LRS is assumed to have sufficient capacity to store the desired quantity of blowdown inventory for subsequent processing.

[FIGURE 6.12.1-3: BLOWDOWN SYSTEM SUPPORT SYSTEM DEPENDENCY DIAGRAM. Diagram not reproduced. Support systems shown: Onsite AC Non-1E; Offsite AC; Onsite AC Class 1E, Divisions A and B; 125V DC Class 1E, Divisions A and B; Instrument Air; Cooling Water, Loops A and B; ESFAS, Channels A and B.]

3. Since blowdown flow from the affected SG will include relatively low temperature safety injection inventory, the blowdown heat exchanger is not considered to be a required component for successful SGBS operation.
4. The blowdown flowpath shown in Figures 6.12.1-1 and 6.12.1-2 is inferred from information available in Reference (7).
5. The flowpaths to the condenser have been isolated prior to initiation of flow to the Liquid Radwaste System, i.e., there will be no flow diversion to this area.
6. Flow to the Blowdown Flash Tank is aligned for the "normal rate".
7. Motor valves HV-41, HV-42, HV-43 and HV-44 are fail as is. HV-43 and HV-44 are assumed to be closed; HV-41 and HV-42 are assumed to be open.


8. One of the two BD High TDS sump pumps is sufficient to provide adequate flow to the Chemical Waste Neutralizer Tank.

6.12.3 Results

Fault tree logic diagrams were used to evaluate the following probabilities for input to the SGTR event trees where offsite power is available at the time of the initiating event:

• The probability of failing to initiate and maintain blowdown flow from Steam Generator 2. This model is applicable for tube rupture(s) in one SG (assumed to be SG-2).
• The probability of failing to initiate blowdown flow from Steam Generator 2. This fault tree refers only to opening the blowdown isolation valves on the most affected SG (SG-2) assuming tube ruptures have occurred in two steam generators.
• The probability of failing to initiate blowdown flow from Steam Generator 1. This fault tree refers only to opening the blowdown isolation valves on the least affected SG (SG-1) assuming tube ruptures have occurred in two steam generators.
• The probability of failing to initiate and maintain blowdown flow from both steam generators. This model includes failures which would simultaneously prevent blowdown initiation from both steam generators assuming tube ruptures have occurred in both steam generators.

The quantitative results of the analyses are presented as Cases One through Four respectively in Table 6.12.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th percentile to the 50th percentile.

Table 6.12.3-2 contains a list of the dominant cutsets for each case presented in Table 6.12.3-1. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.12.3-1
FAILURE PROBABILITIES FOR PVNGS STEAM GENERATOR BLOWDOWN SYSTEM

Case Number | Description | Failure Probability (Median Value) | Error Factor
One | Failure to Initiate Blowdown from SG System Unavailability | 7.2E-2 | 3
Two | Failure to Open Blowdown Isolation Valve on SG System Unavailability | 1.7E-2 | 3
Three | Failure to Open Blowdown Isolation Valve on SG System Unavailability | 1.7E-2 | 3
Four | Failure to initiate Blowdown from Both Steam Generators - System Unavailability | 5.1E-2 | 3

TABLE 6.12.3-2
DOMINANT CUTSETS FOR PVNGS STEAM GENERATOR BLOWDOWN SYSTEM

Case Number | Cutset | Description | % of Total Failure Probability
One | 1. BVN02907 | Operator fails to open manual valve KV-920 | 56%
One | 2. BVZ02902 | Operator fails to open blowdown containment isolation valves | 17%
Two | 1. BVZ02902 | Operator fails to open blowdown containment isolation valves on SG-2 | 69%
Two | 2. BVDA2901 | UV-500R fails to open | 7.7%
Two | 3. BVDA2904 | UV-5005 fails to open | 7.7%
Three | 1. BVZ02920 | Operator fails to open blowdown containment isolation valves on SG-1 | 69%
Three | 2. BVDA2918 | UV-500P fails to open | 7.7%
Three | 3. BVDA2921 | UV-500Q fails to open | 7.7%
Four | 1. BVN02907 | Operator fails to open manual valve KV-920 | 73%

6.13 ALTERNATE SECONDARY HEAT REMOVAL CAPABILITY

6.13.1 System Description

In the event of a total loss of all feedwater, an alternate method for decay heat removal involves the rapid depressurization of the steam generators and the use of low head pumps for cooling. The preferred source of low pressure feedwater is the condensate system. The condensate pumps (differential head of 1030 feet) can use water from the condenser hotwell and, through the use of the feed pump bypass line, deliver makeup directly to each steam generator. The Alternate Secondary Heat Removal Capability will refer to the use of the Condensate System to provide feed flow following a loss of main and auxiliary feedwater. (The analysis does not consider the capability to transfer condensate flow from Units 2 or 3 to Unit 1.)

The Condensate System is composed of a surface condenser, three 50% capacity pumps, low pressure feedwater heaters and the required piping and valves. A simplified flow diagram of the condensate feedwater system is given in Figure 6.13.1-1. The condensate system can supply water directly to each steam generator via the condensate pumps following depressurization of the secondary system to below the pump shutoff head. The condensate flow bypasses the feedwater pumps and the high pressure feedwater heaters and delivers flow to the downcomer MFW lines.

The Alternate Secondary Heat Removal support system dependency diagram is provided in Figure 6.13.1-2.

6.13.2 Assumptions

The following assumptions were made in performing the fault tree analysis:

1. System failure is defined as failure to achieve sufficient secondary flow using the condensate pumps.
2. Sufficient flow is defined as the flow from one condensate pump delivered to one steam generator.

[FIGURE 6.13.1-1: Simplified flow diagram of the condensate feedwater system. Diagram not reproduced.]

[FIGURE 6.13.1-2: CONDENSATE SYSTEM SUPPORT SYSTEM DEPENDENCY DIAGRAM. Diagram not reproduced. Support systems shown: Onsite AC Non-1E; Offsite AC; Onsite AC Class 1E, Divisions A and B; 125V DC Class 1E, Divisions A and B; Instrument Air; Cooling Water, Loops A and B; ESFAS, Channels A and B. Figure note: (1) Downcomer MFW Isolation and Control Valves include Nitrogen backup to Instrument Air.]

3. Both steam generators are intact for secondary flow delivery.
4. Pressure on the secondary side will be reduced using the atmospheric dump system.
5. The operator has a written procedure detailing the necessary actions to establish the alternate flow from the condensate pumps.
6. One condensate pump (CDN-POIC) is unavailable due to maintenance.
7. Failure of the condensate pump recirculation line will result in condensate pump failure.
8. Failure to bypass the main feedwater pumps and high pressure feedwater heaters and close the line to the blowdown heat exchanger results in failure to deliver sufficient condensate flow.
9. The following operator actions to align the condensate system to deliver flow directly to the steam generators are considered:

• Operator action to bypass the main feedwater pumps and feedwater heaters:
  Open Motor Valves HV-103
  Open Manual Valves V018, V013
  Close Manual Valve V096
  The motor-operated valve may be operated from the control room.
• Operator action to assure correct positioning of the feedwater economizer and downcomer control valves and isolation valves.

The operator will have approximately 60 minutes to align the system.

6.13.3 Results

The fault tree logic diagram for Failure of the Alternate Secondary Heat Removal Capability was used to determine the probability of failing to achieve sufficient alternate secondary flow for the Loss of Secondary Heat Sink event tree. The model was used to evaluate the following cases:

• Failure of the alternate secondary capability - condensate pump alignment
• Failure of the alternate secondary system - condensate pump alignment given loss of MFW and AFW

For the latter case the dependencies which exist between the MFW, AFW, and condensate system have been incorporated into the Alternate Secondary Heat Removal Capability failure probability. In addition, the probability of restoration of AC power following the loss of AFW is incorporated into the system failure probability.

The quantitative results of the analyses are presented as Cases One and Two respectively in Table 6.13.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th percentile to the 50th percentile.

Table 6.13.3-2 contains a list of the dominant cutsets for each case presented in Table 6.13.3-1. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.13.3-1
FAILURE PROBABILITIES FOR PVNGS ALTERNATE SECONDARY HEAT REMOVAL CAPABILITY

Case Number | Description | Failure Probability (Median Value) | Error Factor
One | Failure of Alternate Secondary Capability - System Unavailability | 5.8E-2 | 3
Two | Failure of Alternate Secondary Capability given loss of MFW and AFW - System Unavailability | 5.5E-1 | 1.56

TABLE 6.13.3-2
DOMINANT CUTSETS FOR PVNGS ALTERNATE SECONDARY HEAT REMOVAL CAPABILITY

Case                                                          % of Total Failure
Number   Cutset          Description                          Probability

One      1. MPZ02953     Operator Fails to Align              84.9%
                         Condensate System
         2. EBGP2682     Grid Collapse turbine trip           2.1%
         3. ECBV2810     Battery E-NKN-F17 Unavailable        2.1%

Two      1. EBGP2680     Spurious Grid Collapse               85%
         2. MPZ02953     Operator Fails to Align the          8.1%
                         Condensate System
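The median and error factor pairs of Table 6.13.3-1 can be turned into percentiles and a mean, and propagated through AND and OR logic, as in the following added example (not part of the original report). It assumes the lognormal form that is conventional for PRA uncertainty distributions, which the report does not name; the function names and the two basic events used for the gates are constructed for illustration.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution

# Median and error factor as listed in Table 6.13.3-1.
TABLE_6_13_3_1 = {"One": (5.8e-2, 3.0), "Two": (5.5e-1, 1.56)}


def lognormal_params(median, error_factor):
    """Return (mu, sigma) of ln X for a lognormal X with EF = X95 / X50."""
    if median <= 0 or error_factor < 1:
        raise ValueError("median must be > 0 and error factor >= 1")
    return math.log(median), math.log(error_factor) / Z95


def summarize(median, error_factor):
    """5th/50th/95th percentiles and mean implied by a median and error factor."""
    mu, sigma = lognormal_params(median, error_factor)
    return {
        "p05": median / error_factor,
        "p50": median,
        "p95": median * error_factor,
        "mean": math.exp(mu + 0.5 * sigma ** 2),
    }


def and_gate(events):
    """Median and EF of a product of independent lognormal events (exact)."""
    params = [lognormal_params(m, ef) for m, ef in events]
    mu = sum(p[0] for p in params)
    sigma = math.sqrt(sum(p[1] ** 2 for p in params))
    return math.exp(mu), math.exp(Z95 * sigma)


def or_gate(events, samples=20000, seed=1):
    """Median and EF of 1 - prod(1 - p_i), estimated by seeded Monte Carlo."""
    rng = random.Random(seed)
    params = [lognormal_params(m, ef) for m, ef in events]
    tops = []
    for _ in range(samples):
        survive = 1.0
        for mu, sigma in params:
            p = min(1.0, rng.lognormvariate(mu, sigma))  # a probability cannot exceed 1
            survive *= 1.0 - p
        tops.append(1.0 - survive)
    tops.sort()
    median = tops[samples // 2]
    return median, tops[int(0.95 * samples)] / median


if __name__ == "__main__":
    for case, (median, ef) in TABLE_6_13_3_1.items():
        s = summarize(median, ef)
        print(f"Case {case}: p05={s['p05']:.3g} p50={s['p50']:.3g} "
              f"mean={s['mean']:.3g} p95={s['p95']:.3g}")
    pair = [(1.0e-2, 3.0), (1.0e-2, 3.0)]  # constructed basic events, not from the report
    print("AND of two constructed events:", and_gate(pair))
    print("OR of two constructed events: ", or_gate(pair))
```

Under this assumption the mean always lies above the median, an AND of uncertain events has a wider error factor than its inputs, and an OR has a narrower one.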

6.14 ELECTRICAL DISTRIBUTION SYSTEM

The Electrical Distribution System (EDS) fault tree logic diagrams were constructed to support development of the system level fault trees used as input to the systemic event trees. Utilization of the EDS logic diagrams as support branches to other fault trees provides a consistent method of modelling the EDS interactions between mitigating systems. The EDS fault tree logic diagrams were not independently evaluated; therefore, no quantitative results are provided in this section.

It should be noted that the fault tree models include system faults that lead to reactor trip as well as failures that may occur after the reactor has tripped. In some cases the EDS logic diagrams were modified to suit the particular system being evaluated. For example, the HPSI System is actuated post reactor trip; therefore, EDS failures that lead to reactor trip (e.g., a generator fault) would not be applicable as input to the fault tree "Fail to Deliver Sufficient HPSI Flow". Or, if offsite power was given as unavailable, spurious grid collapse would not be included as a valid failure mode in the HPSI fault tree.

6.14.1 System Description

Schematics of the PVNGS EDS are provided in Figures 6.14.1-1 to 6.14.1-10.

The electrical distribution system is divided into two categories, the non-class 1E power system and the class 1E power system. Both the non-class 1E and class 1E power systems are further divided into AC and DC systems.

The non-class 1E AC system distributes power at the 13.8KV, 4.16KV, 480V, and 208/120V levels for all non-safety related loads. The non-class 1E AC buses normally are supplied through the unit auxiliary transformers from the main generator. However, during plant startup or shutdown, power is supplied from the switchyard through the secondary windings of the start up transformers. In the event of failure of the unit auxiliary

[FIGURE 6.14.1-1: TYPICAL 13.8 KV INTERMEDIATE BUS SCHEMATIC]


[FIGURE 6.14.1-3: TYPICAL NON-CLASS 1E 4.16 KV BUS SCHEMATIC]


[FIGURE 6.14.1-6: TYPICAL CLASS 1E 480 V LOAD CENTER SCHEMATIC]

[FIGURE 6.14.1-7: TYPICAL 480 V MCC SCHEMATIC. Note 1: MCC trips on SIAS.]

[FIGURE 6.14.1-8: TYPICAL CLASS 1E 125 VDC LOAD CENTER SCHEMATIC. Note 1: The standby battery charger output switches are mechanically interlocked to offer the possibility of either both open or one open and one closed at any time.]

[FIGURE 6.14.1-9: TYPICAL CLASS 1E 125 VDC DISTRIBUTION PANEL SCHEMATIC]

[FIGURE 6.14.1-10: TYPICAL CLASS 1E 120 VAC DISTRIBUTION PANEL SCHEMATIC]

transformer, a generator trip, or backup protective trip, fast transfer to offsite power (switchyard) maintains continuity of power to the 13.8KV and 4.16KV non-class 1E buses.

The class 1E AC system distributes power at the 4.16KV, 480V, and 120V levels to safety-related loads. The class 1E AC buses normally are powered from non-class 1E 13.8 KV AC buses E-NAN-S03 and E-NAN-S04. In the event of loss of the preferred power source, the class 1E AC system is powered from the standby diesel generators.

6.14.2 Assumptions

The following assumptions were made in constructing EDS fault tree logic diagrams:

1. The 13.8KV intermediate buses E-NAN-S05 and E-NAN-S06 are normally powered from the switchyard via start up transformers E-NAN-X03 and E-NAN-X02 respectively.
2. No credit was taken for powering the class 1E 4.16KV buses E-PBA-S03 and E-PBB-S04 from the same preferred power source, i.e., 13.8KV bus E-NAN-S03.
3. No credit was taken for cross connecting the non-class 1E 4.16KV buses E-NBN-S01 and E-NBN-S02.
4. Spurious opening of normally closed circuit breakers is not considered.
5. The 125 VDC non-class 1E control power for normally operating loads is available.
6. Battery charger E-PKA-H15 and E-PKB-H16 output switches are mechanically interlocked; therefore, battery chargers E-PKA-H15 and E-PKB-H16 back up battery chargers E-PKA-H11 and E-PKB-H12 respectively.
7. Operator action is required to realign class 1E 120 VAC power supply to the 480 VAC source.
8. Operator action is required to realign the 13.8KV intermediate buses to their backup sources.

6.14.3 Results

The results of this evaluation are in terms of fault tree logic diagrams. EDS interactions can be modelled by utilizing these logic diagrams as support branches to other fault trees.

6.15 COOLING WATER SYSTEMS

The Cooling Water Systems fault tree logic diagrams were constructed to support development of the system level fault trees used as input to the systemic event trees. Utilization of these logic diagrams as support branches to other fault trees provides a consistent method of modelling these interactions between mitigating systems. The Cooling Water Systems fault tree logic diagrams were not independently evaluated; therefore, no quantitative results are provided in this section.

6.15.1 System Description

The Cooling Water Systems for the safety related and normal shutdown components, as shown in Figures 6.15.1-1 and 6.15.1-2, are the Essential Cooling Water System (ECWS) and the Essential Spray Pond System (ESPS). All heat absorbed by the systems through the nuclear components of the station is dissipated to the atmosphere via the essential spray ponds.

The ECWS consists of two independent, closed loop, safety-related trains. Either train of the ECWS is capable of supporting 100% of the cooling functions required for a safe reactor shutdown or required following an accident. Each train of the ECWS includes a 100 percent heat dissipation capacity heat exchanger (shell side), a 100 percent capacity pump, a surge tank and a chemical addition tank. The cooling water is pumped by the ECW pumps through the shell side of the ECWS heat exchangers, to the components being cooled and back to the pumps. The tube side of the heat exchangers is furnished with cooling water from the ESPS at a higher operating pressure than the shell side in order to prevent leakage into the ESPS from the ECWS.

[FIGURE 6.15.1-1: ESSENTIAL COOLING WATER SYSTEM]

Each train of the ECWS provides cooling for the following safety related components:

- Shutdown Cooling Heat Exchangers
- Essential Chillers

However, the ECWS can provide cooling water to the safety related Fuel Pool Heat Exchangers and to the following non-safety related components:

- Reactor Coolant Pumps
- CEDM Coolers
- Normal Chillers
- Nuclear Sample Coolers

in the event the Nuclear Cooling Water System (NCWS), which normally cools these components, becomes inoperable. In this case the operator can align ECWS train A from the control room or locally align ECWS train B if ECWS train A fails.

During normal plant operation the ECWS is not operating.

The ESPS provides cooling water needed for those components that must operate following a loss-of-coolant accident (LOCA) and that are essential to a safe reactor shutdown:

- Standby diesel generator cooling systems
- Essential Cooling Water System (ECWS) Heat Exchangers

The system consists of two redundant, safety-related ESPS trains. Each ESPS train in conjunction with the associated ECWS train is capable of supporting 100 percent of the cooling functions required for a safe shutdown or required following an accident. Each train includes a 100 percent capacity ESPS pump and a 100 percent heat dissipation capacity spray pond (ultimate heat sink). The water is pumped through the components being cooled, to the spray nozzles and back to the pump.

The ultimate heat sink consists of two Essential Spray Ponds (ESP) that are adjacent to each other. The two ESP are interconnected with redundant valves installed in their common wall in order to permit equalization of the water levels between ESPs of the same unit. Discharge from the spray pond system is directed through the spray nozzles during operation of the sprays. During the time that the sprays are operating, the thermal load is dissipated to the air by the sprays and the surface heat exchange of the unsprayed area. During the time when the sprays are not operating, a part of the thermal load is dissipated to the atmosphere by the surface heat exchange of the total pond area, whereas the remainder goes into raising the spray pond temperature.

During normal plant operation, the ESPS is not operating.

The motors of one ECWS pump and the related ESPS pump are connected to a Class 1E bus in one division and the motors of the other pumps to the other division. Loss of offsite power results in the shutdown and restarting of the ECWS and ESPS in accordance with the direct generator load sequencing.

Both trains of the ECWS and ESPS are actuated by any single or any combination of the following signals or operations:

- Safety injection actuation signal (SIAS)
- Control room ventilation and isolation actuation signal (CRVIAS)
- Control room essential filtration actuation signal (CREFAS)
- Diesel generator start signal (DGSS)
- Loss of offsite power signal (LOP)
- Manual start by control room

6.15.2 Analysis Assumptions

The following assumptions were made in performing the reliability analysis.

1. System failure is defined as the inability to deliver Essential Cooling Water to the required components. One 100 percent capacity train including an ECWS pump, an ECWS heat exchanger, an ESPS pump and an essential spray pond is assumed to provide sufficient cooling.
2. The only operator action considered is manual backup of the SIAS from the control room.
3. The ECWS and ESPS are not normally operating.
4. The motor valves HV49A and HV50A are FAI (fail as is) and are manually open.
5. It is assumed that components in train A receive SIAS-A and components in train B receive SIAS-B.
6. Since maintenance can only be performed on one ECW pump or on one ESP pump during plant operation, unavailability contributions due to pump maintenance are included only for ECW pump EWA-P01 and ESP pump SPA-P01 respectively.

6.15.3 Results

The results of this evaluation consist of fault tree logic diagrams. Cooling Water Systems interactions can be modelled by utilizing these logic diagrams as support branches to other fault trees.

6.16 INSTRUMENT AIR SYSTEM

This analysis includes construction and evaluation of a fault tree logic diagram for Loss of Instrument Air. The results are used as input to the system level fault trees.

6.16.1 System Description

Figure 6.16.1-1 presents a schematic of the PVNGS Instrument Air System. The Instrument Air System has three parallel trains, each consisting of an intake air filter, a compressor, an after-cooler with moisture separator, an air receiver and interconnecting piping and valving. The three air receivers are connected in parallel by a common header. The instrument air then passes through two parallel drying/filter lines. Each line has a prefilter, an instrument air dryer and an afterfilter. Downstream of the afterfilter, the two lines join into a header from which all instrument air requirements are supplied.

The compressors are reciprocating type with water cooled cylinders. Each compressor is capable of delivering 100% of the instrument air requirement or 50% of the total (i.e., instrument air and service air) requirements. The two drying/filter trains are each of 100% capacity. Each dryer has dual towers loaded with activated alumina, a desiccant. An automatic control system reverses the chambers' operation every five minutes to provide continuous drying of the air.

The instrument air system is required for normal operation and startup of the plant. One air compressing train is in service during normal operation with the other two in standby. A pressure switch installed in the instrument air supply main header provides an actuation signal for the standby air compressors and the backup nitrogen system. The instrument air system is not essential for safe shutdown of the plant.

[FIGURE 6.16.1-1: INSTRUMENT AIR SYSTEM]

6.16.2 Assumptions

The following assumptions were made in performing the fault tree analysis.

1. System failure is defined as the inability to maintain sufficient compressed air supply in the instrument air lines. Sufficient compressed air is defined as the air supplied from one compressor train.
2. System boundaries are defined to be from the air intake filters to the instrument air header.
3. Compressing Unit C01A is in service during normal operation. Compressing Units C01B and C01C are in standby.
4. Following a turbine trip, the Instrument Air System components are transferred to the offsite power source.
5. Operator action to establish a compressed air supply is not included. The Instrument Air dryer M01A is in service. The air dryer M01B is isolated and requires an operator action (open valves V013 and V018) to bring it into service. Since operator actions to establish air supply are not included, air dryer M01B is not modelled. Similarly, nitrogen back-up is also not modelled as it requires an operator action to open valve V052.

6.16.3 Results

A fault tree logic diagram was used to evaluate the following failure probabilities:

- Loss of instrument air prior to reactor trip. This value was used as input to the Loss of Main Feedwater frequency evaluation.
- Loss of instrument air following reactor trip.
- Loss of instrument air following reactor trip given offsite power is available at the time of the initiating event. This value was used as input to fault trees in the SGTR event trees.

It should be noted that the Instrument Air System is assumed to be unavailable following loss of offsite power.

The quantitative results of the analyses are presented as Cases One through Three respectively in Table 6.16.3-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th to the 50th percentile.

Table 6.16.3-2 contains a list of the dominant cutsets for the three cases. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio.

TABLE 6.16.3-1
FAILURE PROBABILITIES FOR PVNGS INSTRUMENT AIR

Case                                             Failure Probability   Failure Rate
Number   Description                             (Median Value)        (Median Value)

One      Loss of Instrument Air before           N/A                   2.23E-5/hr
         Turbine Trip
           Error Factor                                                4

Two      Loss of Instrument Air following        1.1E-2                1.64E-5/hr
         reactor trip
           Error Factor                          4                     2

Three    Loss of Instrument Air Given            8.1E-3                1.64E-5/hr
         offsite power is available
           Error Factor                          5                     2

TABLE 6.16.3-2
DOMINANT CUTSETS FOR PVNGS INSTRUMENT AIR

Case                                                              % of Total Failure
Number   Cutset          Description                              Probability*

One      1. IARC2062     IA Dryer Fails                           56%
         2. IFAT2061     Pre/After filters of the dryer           19%
                         fails
         3. ECRP2791     Voltage regulator for 120VDP             10%
                         E-NHN-D11 fails
         4. EXLP2758     480VLC E-NGN-L25 transformer             7%
                         fails

Two      1. IARC2062     IA Dryer fails                           33%
         2. ECBV2810     Battery E-NKN-F17 for 125VDC             16%
                         Bus not available
         3. EBGP2682     Grid collapse on turbine trip            16%
         4. EBFA2697     UAT Fast Transfer breaker                16%
                         fails to open
         5. EBFB2699     13.8KV Bus E-NAN-S01 Fast                16%
                         Transfer Breaker fails to close

Three    1. IARC2062     IA Dryer fails                           39%
         2. ECBV2810     Battery E-NKN-F17 for 125VDC             20%
                         Bus not available
         3. EBFA2692     UAT Fast Transfer breaker                20%
                         fails to open
         4. EBFB2699     13.8KV Bus E-NAN-S01 Fast                20%
                         Transfer Breaker fails to close

* Percentage of failure rate for Case 1 and unavailability for Cases 2 and 3.

1089c(83I13)bt-13 3 (0 6.17 RESTORATION OF FEED FLOW ANALYSIS The restoration of feed flow analysis for PVNGS includes an analysis of l the human error probability of the operator manually restoring the Seismic Category I auxiliary feedwater pumps and an unavailability analysis on the non-essential motor-driven auxiliary feedwater pump. (The non-essential AFW pump is manually actuated and aligned from the control room,) The restoration analysis assumes a loss of MFW flow and the failure of the Seismic Category I motor and turbine-driven AFW pumps to automatically daliver flow to at least one steam generator. Operator actions to manually establish flow from the Seismic Category I AFW pumps are analyzed in Section 6.17.1-6.17.3. Operation of the non-essential AFW pump is addressed in Sections 6.17.4 and 6.17.5. The results of the combined restoration of feed flow actions are presented in Section 6.17.6. 6.17.1 Restoration Methodology O An analysis of the Human Error Probability (HEP) of the operator manually restoring secondary feedwater flow following a loss of heat sink was performed. The analysis was based on the methodology developed by Swain and Guttmann (14,). A model of operators' actions was developed based on plant system descriptions, operating procedures and instructions, and , interviews with an operator and an operator instructor. A human error probability event tree was then developed. The event tree models the operators actions as discrete events performed sequentially. Recovery factors were also considered in the analysis. Recovery, physical indications, such as meters or status lights, provide indication that previous actions were done incorrectly. This gives the operator an opportunity to correct himself. Each discrete action is analyzed and a total error probability for each activity is calculated. The discrete actions are then combined to give operator error probabilities. 
The methodology used in this analysis is described in the PRA Procedures Guide (6) and in a specific procedural guide for human reliability analysis (14). O 6-145

1089c(83I13)bt-14 The first step in developing the HEP event tree was to become familiar h with the loss of heat sink event and secondary systems. The MFW and AFW systems were reviewed. For the purposes of this study, total loss of feedwater flow was the initiating event and restarting any one of the two AFW pumps and associated valve train constituted successful recovery of feed flow. SGTR was not considered. The review of the AFW system design, and previous interviews with operators were used to determine how the operator would attack the problem and in what order he would attempt to restore auxiliary feedwater equipment. A HEP event tree was developed which graphically displays operator actions as a series of single discrete action which the operator either successfully completes or fails to complete. The actions are ordered sequentially in time. The HEP event tree was reviewed with the instructor and an operator. The HEP event tree was generated for the most general case, failure of the AFW actuation signal (AFAS). In this case, both AFW trains are available. g For more specific cases, such as having one pump out of service for maintenance or testing at the start of the transient, the general HEP event tree was modified by eliminating non-existing branches. A task analysis table was generated for the total restoration activity. Each specific task was listed and human error probabilities including dependencies and modifications were assigned. A HEP for each specific action was calculated. The full HEP event tree was then evaluated for the failure of the AFAS. For other failure modes, specific parts of the total event tree were used. Success was obtained if the operator started any one of the two auxiliary feedwater trains. 6.17.2 Restoration Analysis and Assumptions The analysis for restoration of auxiliary feedwater was divided into two parts: 1) detecting no feedwater flow and 2) starting one of the two auxiliary feedwater trains. O 6-146

1089c(83I13)bt-15 g U The initial actions of the operator following a reactor scram are shown in Table 6.17.2-1. These actions are automatic and occur with every reactor scram (about 7 times /RY). The operator first checks that the reactor scrams. He then checks for AC power and ESF actuation. These actions include checking the displays from his present location and take only a few seconds. Next, the operator checks the feedwater panel to verify delivery of 5% MFW fl% or auxiliary feedwater flow. The operator spends little or no time trying to restore main feedwater. His primary concern after reactor trip is to stabilize the plant and he will rely on the auxiliary feedwater system since this system is simpler and designed as a redundant backup. The operators scan the engineering safeguards panel NP-10 or feedwater panel NP-5 to recognize the total loss of feedwater condition (Step 8 of Table 6.17.2-1). The operator will check feedwater flow and steam generator level. These meters are located in a prominent locations on the panels and are used constantly during normal operation (NP-5). If the O operator misreads these meters, he will assume that the automatic control (MFW or AFW) is operating and will not spend any more time on the feedwater panel. He may recover from this error by reading the AFW status on the ESF panel or by noting alarms. He could later recover by noticing primary coolant pressure and temperature are increasing. Approximately 25 _ minutes after reactor trip, the primary safety valves lift and additional alarms go off indicating to the operator that there is a RCS heat generated / heat removed mismatch. The operator has about thirty-five minutes after the safety valves lift (60 minutes after reactor trip) to recognize that there is no feedwater flow before core damage conditions cannot be prevented (2_8, 8 Section 2.8). 
The operators are assumed to be at a normal stress level for the initial SG status readings and at a moderately high stress level for subsequent actions. One operator is assigned to the primary side and the second operator is assigned to the secondary side and operates the AFW controls. It is assumed there is a high dependency between the two operators. The control room supervisor assists the two operators after twenty minutes but i l 6-147 t

1089c(83I13)bt-16 also has a high dependency on the actions of the secondary side operator 9 (model suggested by Swain and Gattmann). Contributions by the shift supervisor, the shift technical advisor, and the nuclear auxiliary operator (NAO) are neglected although they would also be present. Dependencies of specific actions on the execution of the previous action are also considered in the analysis. The probability of the operators not recognizing total loss of feedwater in the allotted time is less than 10-4 . Operator action includes three basic activities in restoring the AFW, He first attempts to start AFW by manually activating the AFAS (assuming no signal was generated). If he fails at this activity, he will manu611y start the pumps and open the AFW valves. Only one recovery activity at each step is considered. For manual override of the AFAS, the operator has two push buttons he can activate on NP-6. He can omit this step or make a commission error (wrong pushbuttons). Complete dependency between the two switches is assumed, g i.e., if he fails to activate the first switch, he will fail to activate the other switch. If he fails to start the pumps, he may correct himself by noticing the pump status indicators. If the operator fails to initiate AFW by activating the AFAS (or the AFAS fails) he can manually start the pumps from the control room. Again complete dependency between the operator starting the first pump and starting the other pump was assumed. The operator starts both pumps as a single activity. The HEPs for failure to start one pump and for failure to start both is therefore identical. If he fails to start one of the pumps, only one chance to recover was considered. He can notice there is no pump discharge pressure (with high dependencies on starting the pump). If he fails to start the pump, he does not recover during the valve alignment step and AFW is not restored. This is a conservative assumption. O 6-148

b) The next general task required of the operator is to open AFW control and isolation valves. For the loss of feedwater cases, he can open any one of the valve trains to each of the two steam generators. The two pumps feed each of the two steam generators through two motor-operated valves in series. All valve controls on each train are located together on the panel with status lights. Because of the grouping of the valves, omission errors dominate and commission errors were neglected. A single recovery factor was considered and manually activating the valves from the Auxiliary Building was neglected.

When combining major activities, a mild dependency was assumed between tasks. For example, for an AFAS failure, the operator can either activate the AFAS override or manually start the pumps. If he failed to activate the AFAS override (HEP = 0.008), then the HEP for manually activating the pumps was 0.15. The independent failure probability for starting the pumps was 0.003.

One of the failure modes considered in this study is station blackout. Recovery is defined as restoration of offsite AC power or restoration of the diesel generator. The restoration of offsite power was taken from an EPRI study (21) for the Western Systems Coordination Council (WSCC) region. Failure probabilities for restoration of offsite AC are 0.23 (60 min.) and 0.30 (25 min.). The failure probability of restoration of the diesel generator was taken from Reference (42) and is 0.77 (60 min.) and 0.92 (25 min., linear interpolation). The combined failure to restore any AC power is 0.2 (60 min.) and 0.27 (25 min.). It was also assumed that for station blackout, manual correction of valves was not possible in Case 1 because the operator would concentrate on restoring power (Step 3, Table 6.17.2-1).
6.17.3 Restoration Results

The Human Error Probabilities (HEPs) for specific actions and combined actions (Table 6.17.3-1) were used to calculate the probability of failing to restore auxiliary feedwater for specific failure modes. An earlier fault tree analysis of the AFW system identified the dominant failure modes. For the most probable failure modes, restoration failure probabilities were calculated and are given in Table 6.17.3-2. Results for both the sixty minute period and twenty-five minute period are given. Case 1 represents the best estimate case where the operator has 60 minutes to restore feedwater before fuel damage is unavoidable. Case 2 represents the case where the operator has 25 minutes to restore feedwater before he must commit to use of feed and bleed operation (28, Section 2.8).

The results are based on a three operator model with high dependency between the three operators. However, other people (shift supervisor, shift technical advisor and NAO) could assist the operators. This would reduce the HEPs since the additional personnel could identify errors. Also, additional instrumentation and manual operation from the auxiliary building were neglected. These effects have not been considered in this study and therefore the results are very conservative.

The error bounds for HEPs listed in Table 6.17.3-2 are given in Table 6.17.3-3. These values are taken from Tables 20 - 26 of Reference (14).

TABLE 6.17.2-1

INITIAL OPERATOR ACTIONS FOR TOTAL LOSS OF FEEDWATER

1) Reactor scrams. Lights and alarms alert operator.
2) Operator scans reactivity control panel to see if rods entered and if power is decreasing.
3) Operator verifies turbine trip.
4) Operator scans power panel to see if transfer from auxiliary to startup transformer has occurred.
5) Operator verifies unit output breakers are open and turbine speed is decreasing.
6) Operator scans ESF panel for power and actuation.
7) Operator verifies SG pressure is at 1000 psia.
8) Operator scans feedwater panel for 5% runback (MFW flow).

TABLE 6.17.3-1

HEP FOR COMBINED TASKS

Task                                          HEP
Actuate AFAS Train                            1.0E-3
Manually Turn On Pump                         3.0E-3
Change Valve Position from Control Room       4.0E-3
2nd Operator Backup 1st Operator              .5
3rd Operator Backup (50 Minute Only)          .5

Single Operator at Moderately High Stress with One Recovery Activity

TABLE 6.17.3-2

HEPs FOR RESTORATION OF AUXILIARY FEEDWATER FOR SPECIFIC EVENTS

Failure Mode                                                      (60 Min.)   (25 Min.)
TDP Fails to Start, MDP in Maintenance                            8.0E-4      1.5E-3
AFAS Failure                                                      2.5E-4      5.0E-4
TDP in Maintenance, MDP Suction Line Closed                       1.0         1.0
MDP in Maintenance, TDP Suction Line Closed                       1.0         1.0
TDP in Maintenance, MDP Discharge Line Closed                     8.0E-2      1.0
MDP in Maintenance, TDP Discharge Line Closed                     8.0E-2      1.0
TDP in Maintenance, MDP Recirc. Bypass Open                       8.0E-2      1.0
MDP in Maintenance, TDP Steam Line Closed                         1.0E-3      2.0E-3
MDP in Maintenance, TDP Recirc. Bypass Open                       8.0E-2      1.0
TDP Fails to Start, MDP in Test                                   4.0E-4      8.0E-4
TDP Fails to Start, Grid Collapse, DG02 Fails to Start            4.0E-4      8.0E-4
TDP in Test, MDP Suction Line Closed                              2.0E-2      4.0E-2
MDP in Test, TDP Suction Line Closed                              2.0E-2      4.0E-2
TDP in Test, MDP Discharge Line Closed                            1.0E-2      2.0E-2
MDP in Test, TDP Discharge Line Closed                            1.0E-2      2.0E-2
TDP in Test, MDP Recirc. Bypass Open                              1.0E-2      2.0E-2
MDP in Test, TDP Steam Line Closed                                5.0E-4      1.0E-3
MDP in Test, TDP Recirc. Bypass Open                              1.0E-2      2.0E-2
TDP in Maint., Grid Collapse, DG02 Fails to Start                 2.0E-1      2.7E-1
TDP Fails to Start, Grid Collapse, DG02 Fails to Operate          4.0E-4      8.0E-4
TDP Discharge Line Closed, Grid Collapse, DG02 Fails to Start     1.0E-2      2.0E-2
TDP Steam Line Closed, Grid Collapse, DG02 Fails to Start         5.0E-4      1.0E-3
TDP Recirc. Bypass Open, Grid Collapse, DG02 Fails to Start       4.0E-2      2.7E-1
TDP Suction Line Closed, Grid Collapse, DG02 Fails to Start       2.0E-1      2.7E-1
TDP Maintenance, MDP Fails to Start                               8.0E-4      1.5E-3

TABLE 6.17.3-3

ERROR BOUNDS FOR AFW-HEP CALCULATIONS GIVEN IN TABLE 6.17.3-2

Basic Value                       Error Bounds
HEP Task Probability < 10^-1      X + 10
HEP Task Probability > 10^-1      X * [1/(HEP + e)]

e = Small Number
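The arithmetic behind the dependency example in Section 6.17.2 and Tables 6.17.3-1 and 6.17.3-2, as an added Python example that is not part of the original report. It assumes the THERP handbook conditional-HEP equations (the report names only the Swain and Guttmann model), independence of the two AC recoveries, and one backup operator credited in the 25-minute case and two in the 60-minute case; all function and variable names are the example's own.

```python
import math

# THERP handbook (Swain and Guttmann) equations for the conditional HEP of a
# task given failure of the task (or operator) it depends on; n is the task's
# independent HEP. Using these equations here is an assumption of the example.
DEPENDENCE_EQUATIONS = {
    "zero": lambda n: n,
    "low": lambda n: (1 + 19 * n) / 20,
    "moderate": lambda n: (1 + 6 * n) / 7,
    "high": lambda n: (1 + n) / 2,
    "complete": lambda n: 1.0,
}


def conditional_hep(independent_hep, level):
    """HEP of a task given that the preceding, dependent task failed."""
    if not 0.0 <= independent_hep <= 1.0:
        raise ValueError("HEP must be a probability")
    if level not in DEPENDENCE_EQUATIONS:
        raise ValueError(f"unknown dependence level: {level!r}")
    return DEPENDENCE_EQUATIONS[level](independent_hep)


# Single-operator HEPs and the backup factor as printed in Table 6.17.3-1.
BASIC_HEP = {"actuate_afas": 1.0e-3, "start_pump": 3.0e-3, "align_valve": 4.0e-3}
BACKUP_FACTOR = 0.5

# Assumption of this example: one backup operator is credited in the 25-minute
# case and two (second operator plus supervisor) in the 60-minute case.
BACKUPS_CREDITED = {25: 1, 60: 2}


def restoration_hep(task, minutes):
    """Failure probability of one restoration task after operator backups."""
    return BASIC_HEP[task] * BACKUP_FACTOR ** BACKUPS_CREDITED[minutes]


# Section 6.17.2 probabilities of NOT restoring each AC source in time.
OFFSITE_NOT_RESTORED = {60: 0.23, 25: 0.30}
DIESEL_NOT_RESTORED = {60: 0.77, 25: 0.92}


def no_ac_power(minutes):
    """Probability that neither offsite power nor the diesel generator is
    restored, treating the two recoveries as independent (assumption)."""
    return OFFSITE_NOT_RESTORED[minutes] * DIESEL_NOT_RESTORED[minutes]


def afas_then_pumps():
    """Joint failure of the AFAS override (0.008) followed by the manual pump
    start (independent HEP 0.003) under moderate dependence."""
    return 0.008 * conditional_hep(0.003, "moderate")


if __name__ == "__main__":
    # The moderate-dependence equation gives the 0.15 quoted in Section 6.17.2.
    print("pump start | AFAS override failed:",
          round(conditional_hep(0.003, "moderate"), 2))
    # High dependence gives the .5 backup factor of Table 6.17.3-1.
    print("backup operator | first operator failed:",
          round(conditional_hep(0.003, "high"), 1))
    for task in BASIC_HEP:
        for minutes in (60, 25):
            print(f"{task:13s} {minutes} min: {restoration_hep(task, minutes):.1e}")
    for minutes in (60, 25):
        print(f"no AC power restored in {minutes} min: {no_ac_power(minutes):.3f}")
    print(f"AFAS override and pump start both fail: {afas_then_pumps():.2e}")
```

The pump-start and AFAS results line up with the "TDP Fails to Start, MDP in Maintenance" and "AFAS Failure" rows of Table 6.17.3-2 (the 60-minute pump value, 7.5E-4, is tabulated as 8.0E-4), and the valve results with the "MDP in Maintenance, TDP Steam Line Closed" row.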

6.17.4 Non-Essential AFW Pump Operation

A schematic of the non-essential, non-seismic Category I AFW pump is presented in Figure 6.17.4-1. The non-essential pump (AFN-P01) is normally used for startup, hot standby and normal shutdown plant operation. The motor-driven pump can be manually started and its associated valves manually aligned from the control room. The pump takes suction through a separate line from the condensate storage tank. The pump supply lines join the main feedwater supply upstream of the main feedwater control and isolation valves. The pump and associated valves receive power from offsite and onsite power sources. The support system dependency diagram for the non-essential AFW pump is provided in Figure 6.11.1-2 of Section 6.11, Auxiliary Feedwater System.

6.17.5 Non-Essential AFW Pump Analysis Assumptions

The following assumptions were made in performing the fault tree analysis for the Loss of Secondary Heat Sink Analysis:

1. For the Loss of Secondary Heat Sink analysis, failure of the non-essential AFW pump is defined as failing to deliver non-essential AFW pump flow to at least one SG.

2. The motor-operated isolation valves from condensate storage tank have closed on AFAS.

6.17.6 Results

A fault tree logic diagram was used to evaluate the probability of failing to deliver non-essential AFW pump flow to at least one SG. A human error probability task analysis was used to evaluate the probability of failing to restore automatic AFW pump flow to at least one SG. Both analyses were performed assuming a 60 and 25 minute time period for operator actions for the current plant design and the plant design assuming feed and bleed operation, respectively.

The HEPs developed for the various failure modes of Table 6.17.3-2 were combined to determine the total failure probability for restoration of the Seismic Category I AFW pumps. To determine the total failure probability, the restoration failure probability for each failure mode was multiplied by the fraction of AFW unavailability contributed by that failure mode. Failure modes not addressed in detail by the analysis were conservatively considered to be non-restorable and therefore have a HEP of 1.0. The failure modes specifically analyzed comprise approximately 85.7% of the total AFW unavailability. The sum of the products of the HEP and fraction of system unavailability yields the probability of failing to restore feedwater flow given a loss of MFW and AFW flow.

The restoration of secondary feedwater flow analyses was used to determine the following probabilities:

• Probability of failure to deliver non-essential AFW pump flow to at least one SG.
• Probability of failure to deliver non-essential AFW pump flow to at least one SG given a loss of MFW and AFW.
• Probability of failure to restore AFW flow, failure to restore Seismic Category I AFW pumps and failure to deliver non-essential AFW flow.
• Probability of failure to restore AFW flow, failure to restore Seismic Category I AFW pumps and failure to deliver non-essential AFW pump flow given a loss of MFW and AFW.

The quantitative results of the analyses are presented as Cases One through Four respectively for the 60 and 25 minute time periods in Table 6.17.6-1. The confidence distributions of the failure probabilities are presented in terms of the median values and associated error factors. The error factor is defined as the ratio of the 95th to the 50th percentile. For Cases Two and Four, the dependencies that exist between the MFW, AFW and the non-essential AFW pump have been incorporated into the non-essential AFW pump failure probability.

Table 6.17.6-2 contains a list of the qualitative results for Cases 1 and 2 in terms of the dominant cutsets for those cases. Included in the table is a brief description of each cutset as well as the percent contribution to the total failure probability. The percentage is based on a point estimate ratio. The qualitative results of the restoration analysis of the Seismic Category I AFW pumps are presented in Table 6.17.3-2 in terms of the restoration actions considered.

TABLE 6.17.6-1

FAILURE PROBABILITIES FOR PVNGS RESTORATION ANALYSIS

                                                              Failure Probability
                                                              Median Value            Error Factor
Case Number   Description                                     (60 Min)   (25 Min)     (60 Min)   (25 Min)

One           Failure to deliver non-essential AFW pump       8.6E-3     1.1E-2       3.5        3.0
              to at least 1 SG - System Unavailability

Two           Failure to deliver non-essential AFW pump       1.5E-2     1.7E-2       3.0        2.8
              to at least 1 SG given loss of MFW and
              AFW - System Unavailability

Three         Failure to restore AFW flow, failure to         4.0E-3     8.4E-3       3.5        3.4
              manually restore Seismic Category I AFW
              pumps and failure to deliver non-essential
              AFW pump flow to at least 1 SG

Four          Failure to restore AFW flow, failure to         6.9E-3     1.3E-2       3.1        2.9
              manually restore Seismic Category I AFW
              pumps and failure to deliver non-essential
              AFW pump to at least 1 SG given loss of
              MFW and AFW

TABLE 6.17.6-2

DOMINANT CUTSETS FOR PVNGS NON-ESSENTIAL AFW PUMP

                                                                            % of Total Failure Probability
Case Number   Cutset          Description                                   (60 Min)   (25 Min)

One           1. AVM02448     Operator Fails to Open Pump Suction Valves    16.8%      26.9%
              2. APM02447     Operator Fails to Start Pump                  16.8%      20.2%
              3. AVMA2452     Pump Suction Valve UV1 Fails to Open          16.8%      13.4%
              4. AVMA2451     Pump Suction Valve UV4 Fails to Open          16.8%      13.4%

Two           1. EBGP2680     Spurious Grid Collapse and DG G01 Fails       17.4%      14.6%
                 EDDJ2816     to Start
              2. EBGP2680     Spurious Grid Collapse and DG G01 Fails       14.6%      11.7%
                 EDDK2818     to Operate
              3. AVM02448     Operator Fails to Open Pump Suction Valves    11.1%      18.6%
              4. AVM02447     Operator Fails to Start Pump                  8.9%       13.9%

7.0 ACCIDENT SEQUENCE ANALYSIS

7.1 LOSS OF SECONDARY HEAT SINK SEQUENCE ANALYSIS

The core damage scenarios resulting from loss of secondary heat sink were determined based on the systemic event trees developed in Section 5.1. (See Figure 5.1.4.1-1 and Figure 5.1.4.2-1.) The loss of heat sink analysis was performed with and without primary feed and bleed capability. Section 7.1.1 will discuss the minimal core damage scenarios for the current plant design including the use of a low pressure secondary alternate decay heat removal capability. Section 7.1.2 will discuss the minimal core damage scenarios assuming primary feed and bleed operation is provided.

7.1.1 Loss of Heat Sink Core Damage Scenarios

The loss of heat sink core damage scenarios are presented in Table 7.1.1-1. One minimal core damage scenario was identified. The total frequency was filtered using a cutoff frequency of 10^-8 per year. The result is presented in terms of the median frequency and associated error factor. The scenario can be described as failure of the safety function, RCS Heat Removal. The magnitude and impact of the core damage frequency are discussed in Section 9.0. The accident sequence is discussed below:

Scenario 1. LF-Gi1 UV

This sequence is defined by Loss of Main Feedwater, Failure to Deliver AFW Flow, Failure to Restore Feed Flow and Failure of the Alternate Secondary Heat Removal Capability. In this sequence, core damage conditions are a result of failure to provide a secondary heat sink. This loss of heat sink involves the failure of the AFW System, and a failure to manually establish the low-pressure alternate heat sink. The preferred course of action following a loss of main and auxiliary feed flow is the restoration of the Seismic Category I AFW pumps or operation of the non-essential AFW pump with the condensate system being employed after restoration actions have failed. The analysis assumed a 60 minute time period following reactor trip on low steam generator level for operator action (28, Section 2.8). (Introduction of feed flow after the 60 minute time period, while resulting in core damage conditions as set forth in this study, would aid in the accident mitigation.)

TABLE 7.1.1-1

LOSS OF SECONDARY HEAT SINK CORE DAMAGE SEQUENCES

                                                                    Frequency
Path             Description                                        (Median value per year)   Error Factor

1. LF-GuV ig     • Initiating Event                                 7.27E-06                  11
                 • Fail to Deliver AFW Flow
                 • Failure to Restore Feed Flow
                 • Failure of Alt. Sec. Heat Removal Capability

Total Core Damage Frequency                                         7.3E-06                   11

The loss of secondary heat sink analysis determined a core damage frequency of 7.3E-6 per year. Factors that contributed to this loss of heat sink core damage frequency are:

• AFW System Design. There are no major single component cutset contributors to the PVNGS AFWS system unavailability. In addition, the major contributors to system unavailability are restorable by operator action within the 60 minute time period employed in the analysis.

• Electric Distribution System Design. Electrical power is supplied to plant equipment through multiple power sources. Four class 1E 125 VDC power subsystems are provided for each unit. Each subsystem is independent and consists of one 125V battery, one battery charger, one distribution panel and is supplied with 480 VAC power from a different MCC. Each unit has 2 backup diesel generators available in the event of loss of offsite power.

• Operator Action. The operator has approximately 60 minutes following reactor trip to restore the AFW system or establish flow from the non-essential AFW pump to prevent core damage conditions. The time period allowed consideration of local manual actions.

• Alternate Secondary Heat Removal Capability. The analysis also considered the use of a low-pressure source of secondary feedwater flow (condensate pumps).

7.1.2 Loss of Secondary Heat Sink with Feed and Bleed Operation Core Damage Scenarios

The loss of secondary heat sink with feed and bleed capability core damage scenarios for the manual and automatic design feed and bleed system are presented in Table 7.1.2-1.¹ Two minimal core damage scenarios were identified for each design. The scenarios were filtered using a cutoff frequency of 10^-9 per year. The scenarios can be described as failure of the safety function RCS Heat Removal by the primary feed and bleed system. Also listed in Table 7.1.2-1 is the total core damage frequency contribution for the Loss of Secondary Heat Sink event assuming feed and bleed operation is provided. The total core damage frequency represents a statistical combination (using the SAMPLE code described in Section 2.2.3.5) of the two core damage sequences identified in Table 7.1.2-1. The magnitude and impact of the core damage frequency contribution due to loss of heat sink assuming feed and bleed capability is provided are discussed in Section 9.0. The accident sequences for the manual and automatic designs are identical and are discussed below:

Scenario 1. LF-GUY 12

This sequence is defined by Loss of Main Feedwater, Failure to Deliver AFW Flow, Failure to Restore Feed Flow, and Failure of Feed Bleed Operation. In this sequence, main and auxiliary feed flow are unavailable and primary feed and bleed operation, primary depressurization by the PORVs and injection by Charging System and/or HPSI System, has failed. The analysis assumed that the operator initiated feed and bleed operation at 25 minutes into the transient for both the manual and automatic designs (28, Section 2.8). For the 25 minute time period following reactor trip, plant personnel will be directed towards restoration of AFW. Restoration of AFW following the initiation of feed and bleed operation is not considered. Due to the time limitations, use of low-pressure alternate secondary capability is also not considered. A separate task analysis was performed to determine the probability of restoring AFW in a 25 minute time period. Note also that the Feed and Bleed System design employed is not redundant. Both trains of PORVs located off the pressurizer are required for successful depressurization. (See Section 6.5.)

Scenario 2. LF-GUR 12

This sequence is defined by Loss of Main Feedwater, Failure to Deliver AFW Flow, Failure to Restore Feed Flow, and Failure to Achieve HP Recirculation Flow. In this scenario, the normal secondary heat sink, main and auxiliary feedwater flow, is unavailable. The primary Feed and Bleed System is successful in depressurizing the primary system and providing makeup flow. However, to reach Shutdown Cooling entry conditions, Feed and Bleed Operation is assumed to require the HP recirculation flow. Failure to achieve recirculation flow will result in depletion of the RWT inventory and subsequent HPSI pump failure and core damage conditions.

TABLE 7.1.2-1

LOSS OF SECONDARY HEAT SINK WITH FEED AND BLEED OPERATION CORE DAMAGE SEQUENCES

                                                         Frequency
Path             Description                             (median value)   Error Factor

(a) Manual Feed and Bleed Design¹

1. LF-GUY 12     • Initiating Event                      9.87E-06         12
                 • Fail to Deliver AFW Flow
                 • Failure to Restore Feed Flow
                 • Failure of Feed Bleed Operation

2. LF-GUR 12     • Initiating Event                      1.60E-09         57
                 • Fail to Deliver AFW Flow
                 • Failure to Restore Feed Flow
                 • Failure to Achieve HP Recirc.

Total Core Damage Frequency                              1.0E-05          12

(b) Automatic Feed and Bleed Design¹

1. LF-GUY 12     • Initiating Event                      4.93E-06         13
                 • Fail to Deliver AFW Flow
                 • Failure to Restore Feed Flow
                 • Failure of Feed Bleed Operation

2. LF-GUR 12     • Initiating Event                      1.60E-09         57
                 • Fail to Deliver AFW Flow
                 • Failure to Restore Feed Flow
                 • Failure to Achieve HP Recirc.

Total Core Damage Frequency                              5.0E-06          13

¹ For the manual design, plant operates with block valves closed and for the automatic design, plant operates with block valves open. For both designs, feed and bleed is manually initiated.

7.2 STEAM GENERATOR TUBE RUPTURE SEQUENCE ANALYSIS

The core damage scenarios resulting from SGTR were selected from the list of event tree output sequences provided in Figures 5.2.4.1-1, 5.2.4.2-1, 5.2.4.3-1 and 5.2.4.4-1. Any sequence including a failed open secondary valve or a failure to deliver sufficient HPSI flow was assumed to lead to core damage. Only the minimal core damage scenarios were used to calculate the total core damage frequency. The accident sequences associated with each SGTR initiating event are discussed in detail in the following sections.

Only one of the minimal core damage scenarios obtained from the four SGTR event trees contained the branch Fail to Initiate Auxiliary Spray Flow due to the cutoff frequencies used to filter the accident sequences. Therefore, the use of PORVs as a backup to the Auxiliary Spray System is expected to have a negligible impact on the total core damage frequency derived for each of the four SGTR initiating events. The effect of PORVs on SGTR core damage frequency is quantitatively discussed in Section 7.2.5.

7.2.1 SGTR in One Steam Generator Core Damage Scenarios

The SGTR in one SG core damage scenarios are presented in Table 7.2.1-1. Eight minimal core damage scenarios were identified. The total frequency of scenarios eliminated by the cutoff frequency of 10^-8 per year is approximately 2.9E-7 per year. The results are presented in terms of the median frequencies and associated error factors. Also listed in Table 7.2.1-1 is the total core damage frequency contribution for SGTR in One SG. The total core damage frequency represents a statistical combination (using the SAMPLE code described in Section 2.2.3.5) of the eight core damage sequences identified in Table 7.2.1-1. The magnitude and impact of the core damage frequency contribution due to SGTR are discussed in Section 9.0. The core damage scenarios are discussed below.

TABLE 7.2.1-1

SGTR IN ONE SG CORE DAMAGE SEQUENCES

                                                                         Frequency
Path               Description                                           (Median Value per Year)   Error Factor

1. T1-0QiL         • Initiating Event                                    6.08E-7                   13
                   • Fail to Throttle HPSI
                   • Fail to Initiate Blowdown
                   • ADV on Affected SG Fails to Reclose

2. T1-0Q KM1 i     • Initiating Event                                    2.76E-8                   12
                   • Fail to Throttle HPSI
                   • Fail to Initiate Blowdown
                   • ADV on Affected SG Unavailable
                   • 1 MSSV on Affected SG Fails to Reclose

3. T1-0NL          • Initiating Event                                    3.06E-8                   13
                   • Fail to Throttle HPSI
                   • Fail to Initiate Auxiliary Spray Flow
                   • ADV on Affected SG Fails to Reclose

4. T1-F M11        • Initiating Event                                    1.02E-6                   8
                   • Loss of TBV Flow Prior to Iso of Affected SG
                   • 1 MSSV on Affected SG Fails to Reclose

5. T1-DM 1         • Initiating Event                                    1.97E-6                   7
                   • TBV Fails to Reclose
                   • 1 MSSV on Affected SG Fails to Reclose

6. T1-DE 1         • Initiating Event                                    3.66E-7                   7
                   • TBV Fails to Reclose
                   • MSIV on Affected SG Fails to Close

7. T1-C 11 M       • Initiating Event                                    2.11E-6                   10
                   • TBVs Fail to Quick Open
                   • 1 MSSV on Affected SG Fails to Reclose

8. T1-A            • Initiating Event                                    5.14E-7                   15
                   • Fail to Deliver Sufficient HPSI Flow

Total Core Damage Frequency:                                             1.1E-5                    5
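The "statistical combination" of sequence frequencies described in Section 7.2.1, as an added Python example that is neither the SAMPLE code nor part of the original report: a seeded Monte Carlo sum of the eight Table 7.2.1-1 sequences, which shows why the tabulated total (1.1E-5) is larger than the plain sum of the eight medians (about 6.6E-6). It assumes each sequence frequency is lognormal with the tabulated median and error factor (95th/50th percentile, as defined in Section 6.17.6) and that the sequences are independent; function names, trial count and seed are the example's own.

```python
import math
import random

Z95 = 1.645  # standard-normal 95th percentile

# (scenario number, median frequency per year, error factor) from Table 7.2.1-1.
SGTR_ONE_SG = [
    (1, 6.08e-7, 13), (2, 2.76e-8, 12), (3, 3.06e-8, 13), (4, 1.02e-6, 8),
    (5, 1.97e-6, 7), (6, 3.66e-7, 7), (7, 2.11e-6, 10), (8, 5.14e-7, 15),
]


def lognormal_params(median, error_factor):
    """(mu, sigma) of ln X for a lognormal with this median and EF = P95/P50."""
    if median <= 0 or error_factor < 1:
        raise ValueError("median must be > 0 and error factor >= 1")
    return math.log(median), math.log(error_factor) / Z95


def sum_of_medians(sequences):
    """Naive total: adds medians, which understates the combined median."""
    return sum(median for _, median, _ in sequences)


def sum_of_means(sequences):
    """Means do add; lognormal mean = median * exp(sigma^2 / 2)."""
    total = 0.0
    for _, median, error_factor in sequences:
        _, sigma = lognormal_params(median, error_factor)
        total += median * math.exp(sigma ** 2 / 2)
    return total


def combine(sequences, trials=20000, seed=1983):
    """Monte Carlo median and error factor of the summed sequence frequencies."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    params = [lognormal_params(m, ef) for _, m, ef in sequences]
    totals = sorted(
        sum(rng.lognormvariate(mu, sigma) for mu, sigma in params)
        for _ in range(trials)
    )
    median = totals[trials // 2]
    p95 = totals[int(0.95 * trials)]
    return median, p95 / median


if __name__ == "__main__":
    median, error_factor = combine(SGTR_ONE_SG)
    print(f"sum of medians      : {sum_of_medians(SGTR_ONE_SG):.2e} per year")
    print(f"sum of means        : {sum_of_means(SGTR_ONE_SG):.2e} per year")
    print(f"Monte Carlo median  : {median:.2e} per year")
    print(f"Monte Carlo EF      : {error_factor:.1f}")
```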

Scenario 1. T1-0Q1L

Following a tube rupture in one SG, the affected SG is isolated and RCS cooldown is initiated using the intact SG. However, the operator maintains RCS pressure by failing to throttle HPSI which results in a large integrated leak flow through the tube rupture. If blowdown is not initiated from the affected SG, the SG is assumed to fill with subcooled water. The ADVs on the affected SG are opened by the operator (to prevent a MSSV from opening) and begin to discharge primary inventory. When one of the two ADVs fails to close (outside containment LOCA) a large pressure differential develops between the RCS and the SG which supports a continued leak flow. Eventually, RWT inventory is assumed to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

Scenario 2. T1-0Q KM1 i

Following a tube rupture in one SG, the affected SG is isolated and RCS cooldown is initiated using the intact SG. However, the operator maintains RCS pressure by failing to throttle HPSI which results in a large integrated leak flow through the tube rupture. Blowdown flow from the affected SG is not initiated and the SG is assumed to fill with subcooled water. The operator fails to open the ADVs from the control room which results in a challenge to the MSSV with the lowest open setpoint (2PSV-8401). The MSSV opens and begins to discharge primary inventory. When the MSSV fails to reclose (outside containment LOCA) a large pressure differential develops between the RCS and the SG which supports a continued leak flow. Eventually, RWT inventory is assumed to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

Scenario 3. T1-0NL

Following a tube rupture in one SG, the affected SG is isolated and RCS cooldown is initiated using the intact SG. However, the operator maintains RCS pressure by failing to throttle HPSI and failing to initiate auxiliary spray flow which results in a large integrated leak flow through the tube rupture. Although the SGBS is available, the SG is assumed to fill with subcooled water. The ADVs on the affected SG are opened by the operator (to prevent a MSSV from opening) and begin to discharge primary inventory. When one of the two ADVs fails to close (outside containment LOCA) a large pressure differential develops between the RCS and the SG which supports a continued leak flow. Eventually, RWT inventory is assumed to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

Scenario 4. T1-F M11

In this scenario, turbine bypass flow is lost prior to isolation of the affected SG. The resulting upward pressure transient in the steam generators causes one MSSV on each SG to open. The MSSV on the affected SG fails to close (outside containment LOCA) and a large pressure differential develops between the RCS and the SG which supports continued leak flow. Eventually RWT inventory is assumed to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

O Sceaerio s. 11-oM 1 Foiiewine e tube rupture in ene SG. the 18vs ouick Open following Turbine Trip to prevent the MSSVs from being challenged. In this scenario, one TBV fails to reclose which leads to low SG pressure and a subsequent MSIS. The resulting upward pressure transient in the steam generators eventually causes one MSSV on each SG to open. The MSSV on the affected SG fails to close (outside containment LOCA) and a large pressure differential develops between the RCS and the SG which supports continued leak flow. Eventually RWT inventory is assumed to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage. Scenario 6. T1-DE g Following a tube rupture in one SG, the TBVs Quick Open following Turbine Trip to prevent the MSSVs from being challenged. In this scenario, one TBV fails to reclose which leads to low SG pressure and a subsequent MSIS. One of the two MSIVs on the affected SG fails to close which results in uncontrolled blowdown through the TBS. The large _ pressure differential between the RCS and the affected SG supports a continued leak flow. Eventually, RWT inventory is assumed to reach the RAS setpoint and the potential lack of inventory l leads to subsequent core damage. l Scenario 7. T1 C M y1 In this scenario, the TBVs fail to quick open

following turbine trip. The resulting pressure spike opens 6 MSSVs on each SG. (The steam flow j through 12 MSSVs is estimated to be equivalent to l the steam flow capacity of the TBS). One MSSV on the affected SG fails to reclose (outside containment LOCA) and a large pressure l

l 7-11 l

differential is assumed to develop between the RCS h and the affected SG. The continued leak flow eventually causes RWT inventory to reach the RAS setpoint and the potential lack of inventory leads i to subsequent core damage. Scenario 8. T1-A Following a tube rupture in one SG, the HPSI system fails to deliver sufficient HPSI flow. Decreasing RCS inventory combined with the lack of inventory makeup is assumed to lead to core uncovery and subsequent core damage. 7.2.2 SGTR in One Steam Generator with Coincident Loss of Offsite Power ) Core Damage Scenarios The SGTR in one SG with coincident LOOP core damage scenarios are presented i n Table 7.2.2-1. Six minimal core damage scenarios were identified. The total frequency of scenarios eliminated by the cutoff frequency of 10-10 gl per year is approximately 1.4E-9 per year. The results are presented in terms of the median frequencies and associated error factors. Also listed in Table 7.2.2-1 is the total core damage frequency contribution for SGTR in One SG with Coincident LOOP. The total core damage frequency represents _ , a statistical combination (using the SAMPLE code described in Section 1 2.2.3.5) of the six core damage sequences identified in Table 7.2.2-1. The magnitude and impact of the core damage frequency contribution due to SGTR are discussed in Section 9.0. The core damage scenarios are discussed below. Scenario 1. T2-M 2 F llowing a tube rupture in one SG with coincident LOOP, the TBS is unavailable on turbine trip. The secondary pressure spike following turbine trip causes 6 MSSVs to open on each SG. In this scenario, one MSSV on the affected SG fails to reclose following turbine trip (outside contain-ment LOCA) and a large pressure differential is g 7-12

TABLE 7.2.2-1
SGTR IN ONE SG WITH COINCIDENT LOOP CORE DAMAGE SEQUENCES

                                                                    Frequency
                                                                    (Median Value   Error
Path          Description                                           per Year)       Factor

1. T2-M2      • Initiating Event                                    6.23E-7         15
              • MSSV on Affected SG Fails to Close Following TT
2. T2-L       • Initiating Event                                    3.23E-8         24
              • ADV on Affected SG Fails to Close
3. T2-KM1     • Initiating Event                                    1.39E-9         25
              • ADV on Affected SG Unavailable
              • MSSV on Affected SG Fails to Reclose
4. T2-OKM1    • Initiating Event                                    3.74E-10        33
              • Fail to Throttle HPSI
              • ADV on Affected SG Unavailable
              • MSSV on Affected SG Fails to Reclose
5. T2-A       • Initiating Event                                    2.26E-8         23
              • Fail to Deliver Sufficient HPSI Flow
6. T2-A'      • Initiating Event                                    9.52E-9         54
              • Fail to Maintain HPSI Flow

Total Core Damage Frequency                                         8.0E-7          14

assumed to develop between the RCS and the affected SG. The continued leak flow eventually causes RWT inventory to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

Scenario 2. T2-L
Following a tube rupture in one SG with coincident LOOP, the TBS is unavailable. The operator is required to open the ADVs to initiate cooldown. In this scenario, one ADV on the affected SG fails to close (outside containment LOCA) and a large pressure differential is assumed to develop between the RCS and the affected SG. The continued leak flow eventually causes RWT inventory to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

Scenario 3. T2-KM1
Following a tube rupture in one SG with coincident LOOP, the operator is required to open the ADVs to initiate cooldown. In this scenario, both ADVs on the affected SG fail to open (e.g., the operator fails to open the ADVs from the control room) which causes one MSSV on the affected SG to open. The MSSV fails to reclose and a large pressure differential is assumed to develop between the RCS and the affected SG. The continued leak flow eventually causes RWT inventory to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

Scenario 4. T2-OKM1
Following a tube rupture in one SG with coincident LOOP, the affected SG is isolated and RCS cooldown is initiated using the intact SG. However, the operator maintains RCS pressure by failing to

throttle HPSI which results in a large integrated leak flow through the tube rupture. Since the blowdown system is unavailable the SG is assumed to fill with subcooled water. The operator fails to open one of the two ADVs on the affected SG from the control room and one MSSV on the affected SG opens and fails to reclose. The resulting pressure differential between the RCS and the affected SG supports a continued leak flow until RWT inventory reaches the RAS setpoint. The potential lack of inventory is assumed to lead to subsequent core damage.

Scenario 5. T2-A
Following a tube rupture in one SG with coincident LOOP, the HPSI system fails to deliver sufficient HPSI flow. Decreasing RCS inventory combined with the lack of inventory makeup is assumed to lead to core uncovery and subsequent core damage.

Scenario 6. T2-A'
In this scenario, 480V AC power is being supplied to the HPSI system from the diesel generators. The HPSI system is unable to maintain sufficient flow for eight hours following the SGTR with coincident LOOP. Decreasing RCS inventory combined with insufficient inventory makeup is assumed to lead to core uncovery and subsequent core damage.

7.2.3 SGTR in Two Steam Generators Core Damage Scenarios

The SGTR in both SG core damage scenarios are presented in Table 7.2.3-1. Fourteen minimal core damage scenarios were identified. The total frequency of scenarios eliminated by the cutoff frequency of 10^-8 per year is approximately 5.8E-7 per year. The results are presented in terms

TABLE 7.2.3-1
SGTR IN TWO SG CORE DAMAGE SEQUENCES

                                                                    Frequency
                                                                    (Median Value   Error
Path          Description                                           per Year)       Factor

1. T3-DE2     • Initiating Event                                    6.69E-8         11
              • TBV Fails to Reclose
              • MSIV on Least Affected SG Fails to Close
2. T3-DE1     • Initiating Event                                    6.93E-8         11
              • TBV Fails to Reclose
              • MSIV on Most Affected SG Fails to Close
3. T3-C1M1    • Initiating Event                                    3.65E-7         15
              • TBVs Fail to Quick Open
              • MSSV on Most Affected SG Fails to Reclose
4. T3-C1I1    • Initiating Event                                    3.98E-7         17
              • TBVs Fail to Quick Open
              • MSSV on Least Affected SG Fails to Reclose
5. T3-F1M1    • Initiating Event                                    1.93E-7         10
              • Loss of TBV Flow Prior to Iso of Affected SG
              • MSSV on Most Affected SG Fails to Reclose
6. T3-F1I1    • Initiating Event                                    1.97E-7         12
              • Loss of TBV Flow Prior to Iso of Affected SG
              • MSSV on Least Affected SG Fails to Reclose
7. T3-DM1     • Initiating Event                                    3.90E-7         10
              • TBV Fails to Reclose
              • MSSV on Most Affected SG Fails to Reclose
8. T3-DI1     • Initiating Event                                    4.23E-7         9
              • TBV Fails to Reclose
              • MSSV on Least Affected SG Fails to Reclose
9. T3-OQ4L    • Initiating Event                                    8.83E-8         19
              • Fail to Throttle HPSI
              • Fail to Initiate Blowdown
              • ADV on Most Affected SG Fails to Reclose
10. T3-OQ4H   • Initiating Event                                    8.36E-8         18
              • Fail to Throttle HPSI
              • Fail to Initiate Blowdown
              • ADV on Least Affected SG Fails to Reclose
11. T3-OQ2L   • Initiating Event                                    2.61E-8         16
              • Fail to Throttle HPSI
              • No Blowdown from Most Affected SG
              • ADV on Most Affected SG Fails to Reclose
12. T3-OQ3H   • Initiating Event                                    2.90E-8         16
              • Fail to Throttle HPSI
              • No Blowdown from Least Affected SG
              • ADV on Least Affected SG Fails to Reclose
13. T3-F2H    • Initiating Event                                    1.37E-7         13
              • Loss of TBV Flow After Iso of Affected SG
              • ADV on Least Affected SG Fails to Reclose
14. T3-A      • Initiating Event                                    1.12E-7         15
              • Fail to Deliver Sufficient HPSI Flow

Total Core Damage Frequency                                         4.2E-6          8

of the median frequencies and associated error factors. Also listed in Table 7.2.3-1 is the total core damage frequency contribution for SGTR in Two SGs. The total core damage frequency represents a statistical combination (using the SAMPLE code described in Section 2.2.3.5) of the fourteen core damage sequences identified in Table 7.2.3-1. The magnitude and impact of the core damage frequency contribution due to SGTR are discussed in Section 9.0. The core damage scenarios are discussed below.

Scenario 1. T3-DE2
Following tube ruptures in both SGs, the TBVs quick open following turbine trip to prevent the MSSVs from being challenged. In this scenario, one TBV fails to reclose which leads to low SG pressure and a subsequent MSIS. One MSIV on the least affected SG fails to close which results in uncontrolled SG blowdown through the TBS. The large pressure differential between the RCS and the least affected SG supports a continued leak flow to the least affected SG. Eventually, RWT inventory is assumed to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

Scenario 2. T3-DE1
This scenario is similar to T3-DE2 except that the MSIV on the most affected SG fails to close on MSIS.

Scenario 3. T3-C1M1
This scenario is similar to T1-C1M1 except that the MSSV on the "affected" SG becomes the MSSV on the "most affected" SG.

Scenario 4. T3-C1I1
This scenario is similar to T3-C1M1 except that the MSSV on the least affected SG fails to reclose following failure of the TBVs to quick open.

Scenario 5. T3-F1M1
This scenario is similar to T1-F1M1 except that the MSSV on the "affected" SG becomes the MSSV on the "most affected" SG.

Scenario 6. T3-F1I1
This scenario is similar to T3-F1M1 except that the MSSV on the least affected SG fails to reclose following loss of TBV flow prior to isolation of the most affected SG.

Scenario 7. T3-DM1
This scenario is similar to T1-DM1 except that the MSSV on the "affected" SG becomes the MSSV on the "most affected" SG.

Scenario 8. T3-DI1
This scenario is similar to T3-DM1 except that the MSSV on the least affected SG fails to reclose.

Scenario 9. T3-OQ4L
This scenario is similar to T1-OQ1L except that blowdown flow is not initiated from either SG and the ADV on the "affected" SG becomes the ADV on the "most affected" SG.

Scenario 10. T3-OQ4H
This scenario is similar to T3-OQ4L except that one ADV on the least affected SG fails to reclose following SG overfill.

Scenario 11. T3-OQ2L
This scenario is similar to T1-OQ1L except that the ADV on the "affected" SG becomes the ADV on the "most affected" SG.

Scenario 12. T3-OQ3H
This scenario is similar to T1-OQ1L except that blowdown flow is not initiated from the least affected SG and one ADV on the least affected SG fails to reclose following SG overfill.

Scenario 13. T3-F2H
Following tube ruptures in both SGs, the most affected SG is isolated and RCS cooldown is initiated using the TBS in conjunction with the least affected SG. In this scenario, turbine bypass flow is lost after isolation of the most affected SG. The operator is assumed to continue cooling using the ADVs on the least affected SG. One of the two ADVs fails to close (outside containment LOCA) and a pressure differential is assumed to develop between the RCS and the least affected SG which supports a continued leak flow. Eventually, RWT inventory is assumed to reach the RAS setpoint and the potential lack of inventory leads to subsequent core damage.

Scenario 14. T3-A
This scenario is similar to T1-A. Only the initiating events differ.

7.2.4 SGTR in Two Steam Generators with Coincident Loss of Offsite Power Core Damage Scenarios

The SGTR in two SGs with coincident LOOP core damage scenarios are presented in Table 7.2.4-1. Eight minimal core damage scenarios were identified. The total frequency of scenarios eliminated by the cutoff frequency of 10^-10 per year is approximately 1.4E-9 per year. The results are presented in terms of the median frequencies and associated error factors. Also listed in Table 7.2.4-1 is the total core damage frequency contribution for SGTR in Two SGs with Coincident LOOP. The total core damage frequency represents a statistical combination (using the SAMPLE code described in Section 2.2.3.5) of the eight core damage sequences identified in Table 7.2.4-1. The magnitude and impact of the core damage frequency contribution due to SGTR are discussed in Section 9.0. The core damage scenarios are discussed below.

TABLE 7.2.4-1
SGTR IN TWO SG WITH COINCIDENT LOOP CORE DAMAGE SEQUENCES

                                                                    Frequency
                                                                    (Median Value   Error
Path          Description                                           per Year)       Factor

1. T4-M2      • Initiating Event                                    1.12E-7         18
              • MSSV on Most Affected SG Fails to Close Following TT
2. T4-I2      • Initiating Event                                    1.13E-7         17
              • MSSV on Least Affected SG Fails to Close Following TT
3. T4-L       • Initiating Event                                    7.00E-9         21
              • ADV on Most Affected SG Fails to Close
4. T4-H       • Initiating Event                                    5.99E-9         26
              • ADV on Least Affected SG Fails to Close
5. T4-KM1     • Initiating Event                                    3.14E-10        24
              • ADV on Most Affected SG Unavailable
              • MSSV on Most Affected SG Fails to Close
6. T4-JI1     • Initiating Event                                    3.13E-10        21
              • ADV on Least Affected SG Unavailable
              • MSSV on Least Affected SG Fails to Close
7. T4-A       • Initiating Event                                    3.77E-9         28
              • Fail to Deliver Sufficient HPSI Flow
8. T4-A'      • Initiating Event                                    1.71E-9         50
              • Fail to Maintain HPSI Flow

Total Core Damage Frequency                                         3.1E-7          13

Scenario 1. T4-M2
This scenario is similar to T2-M2 except that the MSSV on the "affected" SG becomes the MSSV on the "most affected" SG.

Scenario 2. T4-I2
This scenario is similar to T4-M2 except that the MSSV on the least affected SG fails to reclose following turbine trip.

Scenario 3. T4-L
This scenario is similar to T2-L except that the ADV on the "affected" SG becomes the ADV on the "most affected" SG.

Scenario 4. T4-H
This scenario is similar to T4-L except that the ADV on the least affected SG fails to close.

Scenario 5. T4-KM1
This scenario is similar to T2-KM1 except that the MSSV on the "affected" SG becomes the MSSV on the "most affected" SG.

Scenario 6. T4-JI1
This scenario is similar to T4-KM1 except that the ADV on the least affected SG fails to open and the MSSV on the least affected SG fails to reclose.

Scenario 7. T4-A
This scenario is similar to T2-A. Only the initiating events differ.

Scenario 8. T4-A'
This scenario is similar to T2-A'. Only the initiating events differ.
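The statistical combination of sequence frequencies referred to throughout this section can be illustrated with a small Monte Carlo calculation over the eight rows of Table 7.2.4-1; this is an added example, not the SAMPLE code and not part of the report. It assumes each sequence frequency is lognormal with error factor equal to the 95th percentile divided by the median, and that the sequences are independent, so it shows why the median of a total exceeds the sum of the medians rather than reproducing the tabulated total of 3.1E-7.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution

# (path, median frequency per year, error factor) as listed in Table 7.2.4-1.
TABLE_7_2_4_1 = [
    ("T4-M2", 1.12e-7, 18),
    ("T4-I2", 1.13e-7, 17),
    ("T4-L", 7.00e-9, 21),
    ("T4-H", 5.99e-9, 26),
    ("T4-KM1", 3.14e-10, 24),
    ("T4-JI1", 3.13e-10, 21),
    ("T4-A", 3.77e-9, 28),
    ("T4-A'", 1.71e-9, 50),
]


def lognormal_params(median, error_factor):
    """Return (mu, sigma) of ln(X), assuming EF = 95th percentile / median."""
    if median <= 0 or error_factor < 1:
        raise ValueError("median must be > 0 and error factor >= 1")
    return math.log(median), math.log(error_factor) / Z95


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list (0 < p < 1)."""
    index = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[index]


def combine_sequences(sequences, trials=100_000, seed=1983):
    """Monte Carlo distribution of the summed sequence frequencies.

    Each sequence is sampled independently. That is an assumption of this
    example: sequences in one event tree share the initiating event, so a
    branch-level calculation would see correlated sequence frequencies.
    """
    rng = random.Random(seed)  # fixed seed keeps the run repeatable
    params = [lognormal_params(m, ef) for _, m, ef in sequences]
    totals = sorted(
        sum(rng.lognormvariate(mu, sigma) for mu, sigma in params)
        for _ in range(trials)
    )
    median = percentile(totals, 0.50)
    return {
        "sum_of_medians": sum(m for _, m, _ in sequences),
        "median_of_sum": median,
        "error_factor": percentile(totals, 0.95) / median,
        "mean_of_sum": sum(totals) / trials,
    }


if __name__ == "__main__":
    result = combine_sequences(TABLE_7_2_4_1)
    for key, value in result.items():
        print(f"{key:>15}: {value:.3g}")
```

Because the distributions are strongly right-skewed, the two dominant sequences alone push the median of the total well above the simple sum of the tabulated medians.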

7.2.5 The Effect of PORVs on SGTR Core Damage Frequencies

The consequences of a SGTR and PORV LOCA are addressed in Section 7.3.2. For this discussion, the role of PORVs in SGTR events will focus on the backup RCS depressurization capability provided by PORVs should the Auxiliary Spray System be unavailable.

In order to quantify the effect of PORV depressurization capability on SGTR core damage frequencies, all minimal core damage scenarios containing the branch Fail to Initiate Auxiliary Spray Flow were selected from the list of potential core damage sequences including those that fell below the cut-off frequency for each event tree and the one scenario that appeared above the cut-off frequency (T1-ONL). The accident sequences were quantified using the branch median failure probabilities to determine the core damage frequency for each scenario. The results are presented in Table 7.2.5-1. (See Section 5.2.4 for branch descriptions.) Table 7.2.5-2 provides the total core damage frequency of all minimal sequences that include failure of the Auxiliary Spray System for each event tree with and without the added depressurization capability of PORVs. As shown in Table 7.2.5-2, the decrease in core damage frequency due to the added depressurization capability of PORVs is negligible compared to the core damage frequency contribution from all other SGTR accident sequences.

7.2.6 Steam Generator Overfill Scenarios

One of the NRC questions concerning SGTR focused on the likelihood of steam lines filling with subcooled water following a SGTR event. Potential SG overfill scenarios were selected from the list of event tree output sequences provided in Figures 5.2.4.1-1, 5.2.4.2-1, 5.2.4.3-1 and 5.2.4.4-1. SG overfill was assumed to occur if one of the following failure combinations appeared in an accident scenario:

• Excess feedwater to the affected (or most or least affected) SG

TABLE 7.2.5-1
MINIMAL CORE DAMAGE SEQUENCES INCLUDING AUXILIARY SPRAY SYSTEM FAILURE

Core Damage Sequence    Frequency (Per Year)

T1-ONL                  3.1E-8
T1-ONKM1                1.5E-9
T1-NQ1L                 9.0E-9
T1-NQ1KM1               4.2E-10
T2-NL                   3.6E-10
T2-NKM1                 1.7E-11
T3-ONL                  6.1E-9
T3-ONKM1                2.9E-10
T3-ONH                  6.1E-9
T3-ONJI1                2.9E-10
T3-NQ2L                 4.2E-10
T3-NQ2KM1               2.0E-11
T3-NQ3H                 4.2E-10
T3-NQ3JI1               2.0E-11
T3-NQ4L                 1.2E-9
T3-NQ4KM1               5.9E-11
T3-NQ4H                 1.2E-9
T3-NQ4JI1               5.9E-11
T4-NL                   7.1E-11
T4-NKM1                 3.3E-12
T4-NH                   7.1E-11
T4-NJI1                 3.3E-12

TABLE 7.2.5-2
CHANGE IN CORE DAMAGE FREQUENCY (ACD) DUE TO ADDED DEPRESSURIZATION CAPABILITY OF PORVs

                                      ED (per yr.)          ACD (per yr.)                      ACD (per yr.)
                                      Accident              Aux. Spray        AACD             From All Other
Event Tree Description                Scenarios             with PORVs        (per yr.)        Scenarios

SGTR in One SG                        4.2E-8                4.6E-11           4.2E-8           1.1E-5
SGTR in One SG with Coincident LOOP   3.8E-10               1.3E-12           3.8E-10          8.0E-7
SGTR in Two SG                        1.6E-8                1.8E-11           1.6E-8           4.2E-6
SGTR in Two SG with Coincident LOOP   1.5E-10               5.3E-13           1.5E-10          3.1E-7

Column one provides the total core damage frequency of all minimal sequences that include failure of the Auxiliary Spray System for each SGTR event tree. Column two is similar to column one except that each core damage frequency includes the additional failure of backup PORV depressurization capability. The change in core damage frequency presented in column three is obtained by subtracting column two from column one. This value can be considered negligible when compared to the core damage frequency contribution from all other SGTR accident sequences. The core damage frequency contribution from all other SGTR accident sequences is provided in column four. (These values are the results of Sections 7.2.1-7.2.4.)

• Failure to throttle HPSI and failure to initiate auxiliary spray flow. The high primary to secondary pressure differential would result in a high integrated leak flow to the affected (or most affected and least affected) SG.

• Failure to throttle HPSI and failure to initiate blowdown from the affected (or most or least affected SG). Failure to throttle HPSI leads to a large integrated leak flow. If the blowdown system was unavailable, SG overfill could occur. For SGTR with coincident LOOP the blowdown system is unavailable, therefore, failure to throttle HPSI flow would result in SG overfill.

• Failure to initiate auxiliary spray flow and failure to initiate blowdown from the affected (or most or least affected) SG. The failure to initiate auxiliary spray flow results in a high primary to secondary pressure differential and therefore a large integrated leak flow. If the blowdown system was unavailable, SG overfill could occur. For SGTR with coincident LOOP the blowdown system is unavailable, therefore, failure to initiate spray flow would result in SG overfill.

The accident sequences presented in Table 7.2.6-1 are assumed to represent the minimal sequences that lead to SG overfill for each of the four SGTR initiating events. The results are presented in terms of the median frequencies and associated error factors. (See Section 5.2.4 for branch descriptions.) Table 7.2.6-2 provides the total SG overfill frequency for each initiating event.

TABLE 7.2.6-1
STEAM GENERATOR OVERFILL SCENARIOS

              Frequency
Sequence      (Median Value per Year)   Error Factor

T1-P g        2.6E-6                    16
T1-ON         9.5E-6                    9
T1-OQ1        1.8E-4                    6
T1-NQ1        2.7E-6                    8
T2-P1         2.6E-9                    48
T2-O          2.9E-6                    13
T2-N          1.1E-7                    16
T3-P g        5.4E-7                    24
T3-P3         5.7E-7                    25
T3-ON         1.9E-6                    9
T3-OQ2        8.0E-6                    9
T3-OQ3        8.1E-6                    8
T3-OQ4        2.4E-5                    8
T3-NQ2        1.2E-7                    12
T3-NQ3        1.3E-7                    10
T3-NQ4        3.6E-7                    13
T4-P1         4.9E-10                   49
T4-P2         5.3E-10                   41
T4-Q          4.6E-7                    18
T4-N          2.1E-8                    15

TABLE 7.2.6-2
FREQUENCY OF STEAM GENERATOR OVERFILL

                                      Frequency of SG Overfill
Event Tree Description                (Median value per year)    Error Factor

SGTR in One SG                        2.0E-4                     5
SGTR in One SG with Coincident LOOP   2.8E-6                     16
SGTR in Two SG                        4.8E-5                     8
SGTR in Two SG with Coincident LOOP   5.3E-7                     16

7.3 PORV LOCA SEQUENCE ANALYSIS

The core damage scenarios resulting from PORV LOCA were selected from the systemic event tree sequences provided in Figures 5.3.4.1-1, 5.3.4.2-1, and 5.3.4.3-1. Only the minimal core damage scenarios were selected to calculate the core damage frequency for each of the three types of PORV LOCA. The accident sequences associated with the different types of PORV LOCA are discussed in Sections 7.3.1, 7.3.2, and 7.3.3.

7.3.1 PORV LOCA Following Loss of Secondary Heat Sink Core Damage Scenarios

Two minimal core damage scenarios for PORV LOCA following loss of secondary heat sink were identified in Figure 5.3.4.1-1. These scenarios are presented in Table 7.3.1-1 along with the median frequencies and the associated error factors. Also listed in the table is the total core damage frequency which represents a statistical combination (using the SAMPLE code described in Section 2.2.3.5) of the individual core damage scenario frequencies for this type of PORV LOCA. These scenario frequencies are then statistically combined with the other types of PORV LOCA scenario frequencies to represent the total core damage frequency for the three types of PORV LOCA considered. The magnitude and impact of the core damage frequency contribution due to PORV LOCA are discussed in Section 9.0. For this type of PORV LOCA, no scenario was eliminated by the cutoff frequency of 1.0E-15 per year. The core damage scenarios are described as follows:

Scenario 1. P1-R
This scenario refers to a PORV LOCA following loss of secondary heat sink and the inability to achieve high pressure recirculation. Following the initiation of PORV LOCA the HPSI System provides makeup to the RCS until the RWT inventory is depleted. Normal operating procedures require that the HPSI System be realigned to the

TABLE 7.3.1-1
PORV LOCA FOLLOWING LOSS OF SECONDARY HEAT SINK CORE DAMAGE SEQUENCES

                                                                    Frequency
                                                                    (Median Value   Error
Path          Description                                           per Year)       Factor

1. P1-R       • Initiating Event                                    1.22E-9         70
              • Failure to Achieve High Pressure Recirculation
2. P1-A       • Initiating Event                                    1.06E-9         29
              • Failure to Deliver Sufficient HPSI Flow

Total Core Damage Frequency                                         3.7E-9          46

containment sump when the RWT inventory is depleted so that high pressure recirculation through the reactor core can be achieved. The failure to achieve high pressure recirculation leads to increased core temperature, core uncovery, and subsequent core damage.

Scenario 2. P1-A
This scenario refers to a PORV LOCA following loss of secondary heat sink and failure to deliver sufficient high pressure injection. Failure to deliver sufficient high pressure injection flow following the initiation of a LOCA results in continued loss of RCS inventory which leads to core uncovery and subsequent core damage.

7.3.2 PORV LOCA Following SGTR Core Damage Scenarios

Three minimal core damage scenarios for PORV LOCA following SGTR were identified in Figure 5.3.4.2-1. These scenarios are presented in Table 7.3.2-1 along with the median frequencies and the associated error factors. Also listed in the table is the total core damage frequency which represents a statistical combination (using the SAMPLE code described in Section 2.2.3.5) of the individual core damage scenario frequencies for this type of PORV LOCA. These scenario frequencies are then statistically combined with the other types of PORV LOCA scenario frequencies to represent the total core damage frequency for the three types of PORV LOCA considered. The magnitude and impact of the core damage frequency contribution due to PORV LOCA are discussed in Section 9.0. Two scenarios were eliminated by the cutoff frequency of 1.0E-15 per year. The total frequency of scenarios eliminated by the cutoff frequency is 9.9E-16 per year. The core damage scenarios are described as follows:

Scenario 1. P2-R
This scenario refers to a PORV LOCA following SGTR and the inability to achieve high pressure recirculation. Following the initiation of PORV LOCA the HPSI System provides makeup to the RCS

TABLE 7.3.2-1
PORV LOCA FOLLOWING SGTR CORE DAMAGE SEQUENCES

                                                                    Frequency
                                                                    (Median Value   Error
Path          Description                                           per Year)       Factor

1. P2-R       • Initiating Event                                    8.98E-9         51
              • Failure to Achieve High Pressure Recirculation
2. P2-Z12G    • Initiating Event                                    5.43E-9         20
              • Failure to Deliver 5% MFW to One Steam Generator
              • Failure to Deliver AFW to One Steam Generator
3. P2-A       • Initiating Event                                    7.85E-9         17
              • Failure to Deliver Sufficient HPSI Flow

Total Core Damage Frequency                                         3.9E-8          15

until the RWT inventory is depleted. Normal operating procedures require that the HPSI System be realigned to the containment sump when the RWT inventory is depleted so that high pressure recirculation through the reactor core can be achieved. The failure to achieve high pressure recirculation leads to increased core temperature, core uncovery, and subsequent core damage.

Scenario 2. P2-Z12G
This scenario refers to a PORV LOCA following SGTR, failure to deliver 5% MFW to the intact steam generator, and failure to deliver AFW to the intact steam generator. For this type of PORV LOCA the intact steam generator becomes unavailable due to loss of both 5% MFW and AFW flow. This condition will inhibit the rapid RCS cooldown which will cause a large pressure differential between the RCS and the affected steam generator that supports continued leak flow. Eventually, the continued leak flow will cause the core to become uncovered and subsequently core damage will occur.

Scenario 3. P2-A
This scenario refers to a PORV LOCA following SGTR and failure to deliver sufficient high pressure injection. Failure to deliver sufficient high pressure injection flow following the initiation of a LOCA results in continued loss of RCS inventory which leads to core uncovery and subsequent core damage.

7.3.3 Spurious or Transient Induced PORV LOCA Core Damage Scenarios

Three minimal core damage scenarios for Spurious or Transient Induced PORV LOCA were identified in Figure 5.3.4.3-1. These scenarios are presented in Table 7.3.3-1 along with the median frequencies and the associated error factors for both PORV designs that were considered. Also listed in the table is the total core damage frequency which represents a statistical combination (using the SAMPLE code described in Section 2.2.3.5) of the individual core damage scenario frequencies for this type of PORV LOCA. These scenario frequencies are then statistically combined with the other types of PORV LOCA scenario frequencies to represent the total core damage frequency for the three types of PORV LOCA considered. The magnitude and impact of the core damage frequency contribution due to PORV LOCA are discussed in Section 9.0. The core damage scenarios are described as follows:

Scenario 1. P3-R or P4-R
This scenario refers to a Spurious or Transient Induced PORV LOCA and the inability to achieve high pressure recirculation. Following the initiation of PORV LOCA the HPSI System provides makeup to the RCS until the RWT inventory is depleted. Normal operating procedures require that the HPSI System be realigned to the containment sump when the RWT inventory is depleted so that high pressure recirculation through the reactor core can be achieved. The failure to achieve high pressure recirculation leads to increased core temperature, core uncovery, and subsequent core damage.

Scenario 2. P3-Z21G or P4-Z21G
This scenario refers to a Spurious or Transient Induced PORV LOCA, failure to deliver 5% MFW, and failure to deliver AFW. For this type of PORV LOCA, the steam generators become unavailable due to the loss of both 5% MFW and AFW flow. This condition will cause the RCS temperature and

TABLE 7.3.3-1
SPURIOUS OR TRANSIENT INDUCED PORV LOCA CORE DAMAGE SEQUENCES

                                                                    Frequency
                                                                    (Median Value   Error
Path          Description                                           per Year)       Factor

(a) Manual PORV Design

1. P3-R       • Initiating Event                                    2.14E-9         78
              • Failure to Achieve High Pressure Recirculation
2. P3-Z21G    • Initiating Event                                    9.17E-10        49
              • Failure to Deliver 5% MFW
              • Failure to Deliver AFW
3. P3-A       • Initiating Event                                    2.03E-9         30
              • Failure to Deliver Sufficient HPSI Flow

Total Core Damage Frequency                                         9.7E-9          21

(b) Automatic PORV Design

1. P4-R       • Initiating Event                                    3.91E-7         51
              • Failure to Achieve High Pressure Recirculation
2. P4-Z21G    • Initiating Event                                    6.57E-7         24
              • Failure to Deliver 5% MFW
              • Failure to Deliver AFW
3. P4-A       • Initiating Event                                    1.14E-6         20
              • Failure to Deliver Sufficient HPSI Flow

Total Core Damage Frequency                                         3.1E-6          21

pressure to increase thus inhibiting makeup. Eventually, the core will become uncovered and subsequently core damage will occur.

Scenario 3. P3-A or P4-A
This scenario refers to Spurious PORV LOCA and failure to deliver sufficient high pressure injection. Failure to deliver sufficient high pressure injection flow following the initiation of a LOCA results in continued loss of RCS inventory which leads to core uncovery and subsequently core damage.

7.4 OTHER CORE MELT SEQUENCES

The NRC questions focused on those particular initiating events which the staff considered to be most relevant with respect to the PORV issue. The purpose of this section is to survey other potential core damage scenarios and to identify those which could be mitigated via improved methods of depressurization or decay heat removal. For the purpose of this survey, the results of the draft Calvert Cliffs IREP(g) are referenced.

The survey method used was to identify those IREP sequences which contributed more than 1% of the total core damage probability, and to determine which of those sequences have not been covered in the models presented in Section 5.0, and of these identify the ones that could be prevented or mitigated through improved means of depressurization or decay heat removal.

Table 7.4-1 contains a list of the dominant sequences from Reference (n>. Table 7.4-2 defines the terms used in Table 7.4-1.

Table 7.4-3 categorizes each of the dominant sequences as covered in Section 5, not covered in Section 5 and not PORV related, or not covered by Section 5 and PORV related. As shown in the table, no sequences were identified as PORV related which have not been covered in the event trees of Section 5.0.

TABLE 7.4-1
SUMMARY OF DOMINANT SEQUENCES (No Feed and Bleed) (1)

Sequence   Event                   Sequence Description   Fraction Core Melt
Number     Tree                    Shorthand              (w/ recovery)        Status

S3         Large LOCA              AHH'
S13        Large LOCA              AD'                    0.3%                 Less Dominant
S17        Large LOCA              AD                     2.5%                 Dominant
S36        Small LOCA              S1H
S39        Small LOCA              S1D"
S43        Small LOCA              S1K
S48'       Small-small LOCA        S'2H                   2.4%                 Less Dominant
S67'       Small-small LOCA        S'2K
S91-1'     Loss of Offsite Power   T1'L                   50%                  Dominant
S93-1'     Loss of Offsite Power   T1'LCC'                2%                   Less Dominant
S91-2'     Loss of Offsite Power   T2'L                   45.6%                Dominant

(1) This information was obtained from the draft Calvert Cliffs IREP Study and is not necessarily applicable to PVNGS.

TABLE 7.4-2
KEY TO ACCIDENT SEQUENCE SYMBOLS

EVENT TREE
SYMBOL       FRONT LINE SYSTEM FAILURE

C            Containment Air Recirculation and Cooling System (CARCS)
C'           Containment Spray System - Injection Phase (CSSI)
D            Safety Injection Tanks (SIT)
D'           Low Pressure Safety Injection - Injection Phase (LPSI)
D"           High Pressure Safety Injection - Injection Phase (HPSI)
F            Containment Spray System - Recirculation Phase (CSSR)
H            High Pressure Safety Injection - Recirculation Phase (HPSR)
H'           Low Pressure Safety Injection - Recirculation Phase (LPSR)
K            Reactor Protection System (RPS)
L            Secondary Steam Relief and Auxiliary Feedwater System (SSR & AFWS)
M            Secondary Steam Relief and Power Conversion System (SSR & PCS)
O            Primary Safety Relief Valve Demand (SRV Demand)
P            Primary Safety Relief Valve Open (SRV Open)
P'           Power Operated Relief Valves Blocked Open (PORVs Blocked Open)
Q            Primary Safety Relief Valve Reclose (SRV Reclose)
U            Chemical, Volume, and Control System - Emergency Boration (CVCS)

INITIATION

A            Large Break LOCA
S1           Small LOCA
S2           Small-Small LOCA
T1           Loss of Offsite Power
T2           Loss of Power Conversion System
T3           Transient requiring reactor coolant system pressure relief
T4           All other transients not included in T1, T2, or T3

TABLE 7.4-3
DOMINANT SEQUENCE CATEGORIES

Disposition columns: Covered in Section 5.0; Not Covered in Section 5.0, Irrelevant to PORV Issue; Not Covered in Section 5.0, PORVs could Prevent or Mitigate

SEQUENCE
Number     Description    DISPOSITION

S3         AHH'           X
S13        AD'            X
S17        AD             X
S36        S1H            X
S39        S1D"           X
S43        S1K            X
S48'       S'2H           X (PORV incr. freq.)
S67'       S'2K           X
S91-1'     T1'L           X
S93-1'     T1'LCC'        X
S91-2'     T2'L           X

8.0 STEAM GENERATOR TUBE STRENGTH MODEL

The empirical tube strength model and simulator described in Appendix B were used to analyze the consequences of a group of events which provide excess primary/secondary pressure differences. The events, frequencies, and primary/secondary pressure differences are given in Table 8.0-1 (10, 15).

The simulation consisted of many trials for each of the listed events. With the exception of the Steam Line Break, no event resulted in more than 2 ruptured tubes, in one steam generator, for any trial. The event-specific tube failure probabilities (0, 1, 2, etc.) obtained from each simulation were weighted by the event frequencies to obtain the results shown in Figure 8.0-1 for the affected steam generator (the steam generator exposed to the higher primary/secondary pressure difference).

Examination of Figure 8.0-1 shows an increase in frequency between 3 and 4 ruptured tubes. This is a consequence of the Steam Line Break for which the most probable number of tube failures is four. It should be noted, however, that no tube failures were observed for the less affected steam generator.

A second simulation was performed to evaluate the probability of concurrent ruptures in both steam generators. The Steam Line Break event was excluded from this study because of the low level of insult to the unaffected steam generator. The simulation was performed with a 1420 PSID insult to both steam generators. Simultaneous tube ruptures in both steam generators (i.e. one tube rupture in each SG) were observed in only 9 of the 10^4 trials (P(E1) = 9 x 10^-4). The cumulative frequency of events with similar symmetric insult is approximately 1.56/yr, yielding a frequency of tube ruptures in both steam generators of 1.4E-3/year. In all the observed cases, no more than 1 tube rupture was encountered in any steam generator.

TABLE 8.0-1

EVENTS CONSIDERED IN TUBE STRENGTH MODEL

Event                       Frequency      SG-1 ΔP    SG-2 ΔP
                            (per year)     (PSID)     (PSID)
Turbine Trip                1.0            1190       1190
Loss of Offsite Power       4.0E-2         1200       1200
Loss of Condenser Vacuum    2.0E-1         1085       1085
Loss of MFW                 1.0E-1         1320       1320
Increased MFW               7.2E-1         1320       1320
Steam Line Break            3.4E-4 ¹       2060       1090
Open TCVs                   1.7E-2         1400       1400
Loss of One RCP             4.3E-1         1158       1158
CEA Withdrawal              2.0E-2         1420       1420
CEA Drop                    7.0E-1         1420       1420
Let-Down Line Break         1.0E-3         1340       1340

¹ Obtained from Reference (2)

FIGURE 8.2-1

FREQUENCY OF TUBE RUPTURES FOR AFFECTED STEAM GENERATOR

[Plot not reproduced. Horizontal axis: NUMBER OF RUPTURED TUBES. Vertical axis: logarithmic scale with decades marked x10-2 through x10-5.]

An alternative computation of frequencies of tube ruptures in multiple steam generators was performed using tube rupture frequencies for individual steam generators. In the second simulation a single tube rupture in one steam generator was observed in 302 of the trials ($P(E_2) = 0.0302$) and double tube ruptures in one steam generator were found in 12 of the trials ($P(E_3) = 0.0012$). Combining event probabilities gives:

$$P(E_1) = P(E_2 \cap E_2) = P(E_2)^2 = \text{9.1E-4}$$

$$P(E_4) = P(E_2 \cap E_3) = P(E_2) \cdot P(E_3) = \text{3.6E-5}$$

$$P(E_5) = P(E_3 \cap E_3) = P(E_3)^2 = \text{1.4E-6}$$

where:

$P(E_n)$ = probability of the nth event
$E_1$ = occurrence of a tube rupture in each steam generator
$E_2$ = occurrence of one tube rupture in one steam generator
$E_3$ = occurrence of two tube ruptures in one steam generator
$E_4$ = occurrence of two tube ruptures in one steam generator and simultaneous occurrence of one tube rupture in the remaining steam generator
$E_5$ = simultaneous occurrence of two tube ruptures in each steam generator

The value computed in this manner for $P(E_1)$ agrees well with the results of the second simulation. Confirmation of the remaining probabilities ($P(E_4)$, $P(E_5)$) would require an extensive modification of the second simulation procedure.

The following conclusions may be made from the present work. The frequency of a multiple steam generator tube rupture with more than one tube rupture in either steam generator is therefore less than 1.0E-4/year. The frequency of an event involving multiple ruptures in both steam generators is much less than 1.0E-4/year. When the probability of loss of offsite power is included, the frequency of a multiple SGTR in both SGs with coincident LOOP is much less than 1.0E-7/year.
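The arithmetic of this section can be re-derived from the quoted trial counts and Table 8.0-1. The Python below is an added example, not part of the original report and not the simulator of Appendix B. It assumes 10^4 trials (the count implied by the quoted probabilities) and, as a guess at what "similar symmetric insult" means, sums the events whose pressure difference is equal in both steam generators and at least 1320 PSID.

```python
"""Re-derivation of the Section 8.0 multiple-SGTR arithmetic (added example)."""
from math import sqrt

# Table 8.0-1: (event, frequency per year, SG-1 dP, SG-2 dP); dP in PSID.
TABLE_8_0_1 = [
    ("Turbine Trip", 1.0, 1190, 1190),
    ("Loss of Offsite Power", 4.0e-2, 1200, 1200),
    ("Loss of Condenser Vacuum", 2.0e-1, 1085, 1085),
    ("Loss of MFW", 1.0e-1, 1320, 1320),
    ("Increased MFW", 7.2e-1, 1320, 1320),
    ("Steam Line Break", 3.4e-4, 2060, 1090),
    ("Open TCVs", 1.7e-2, 1400, 1400),
    ("Loss of One RCP", 4.3e-1, 1158, 1158),
    ("CEA Withdrawal", 2.0e-2, 1420, 1420),
    ("CEA Drop", 7.0e-1, 1420, 1420),
    ("Let-Down Line Break", 1.0e-3, 1340, 1340),
]

# Counts quoted for the second simulation (1420 PSID insult to both SGs).
TRIALS = 10_000            # assumption: implied by 9 hits <-> 9 x 10^-4
HITS_ONE_IN_EACH_SG = 9    # E1, observed directly
HITS_ONE_IN_ONE_SG = 302   # E2
HITS_TWO_IN_ONE_SG = 12    # E3

# Assumption, not stated in the report: "similar symmetric insult" is taken
# to mean equal dP in both SGs of at least this value.
ASSUMED_MIN_DP_PSID = 1320


def symmetric_insult_frequency(table, min_dp):
    """Sum the frequencies of events with equal dP >= min_dp in both SGs."""
    return sum(f for _, f, dp1, dp2 in table if dp1 == dp2 and dp1 >= min_dp)


def combine_independent(p_one, p_two):
    """Joint probabilities, treating the two SGs as failing independently."""
    return {"E1": p_one * p_one, "E4": p_one * p_two, "E5": p_two * p_two}


def z_score(hits, trials, predicted):
    """Gap between a predicted probability and the simulated estimate,
    measured in binomial standard errors of that estimate."""
    p_hat = hits / trials
    std_err = sqrt(p_hat * (1.0 - p_hat) / trials)
    return (predicted - p_hat) / std_err


def analyze():
    """Reproduce the section's probabilities and annual frequencies."""
    p_e2 = HITS_ONE_IN_ONE_SG / TRIALS
    p_e3 = HITS_TWO_IN_ONE_SG / TRIALS
    joint = combine_independent(p_e2, p_e3)
    freq = symmetric_insult_frequency(TABLE_8_0_1, ASSUMED_MIN_DP_PSID)
    return {
        "symmetric_frequency": freq,
        "p": joint,
        # How far the independence estimate of E1 is from the 9 observed hits.
        "z_score_E1": z_score(HITS_ONE_IN_EACH_SG, TRIALS, joint["E1"]),
        # Hits one would expect to see in a simulation of TRIALS trials.
        "expected_hits": {k: v * TRIALS for k, v in joint.items()},
        # Per-year frequency of each combined event.
        "annual": {k: v * freq for k, v in joint.items()},
    }


if __name__ == "__main__":
    result = analyze()
    print(f"symmetric insult frequency: {result['symmetric_frequency']:.3f}/yr")
    for name in ("E1", "E4", "E5"):
        print(f"{name}: P={result['p'][name]:.2e}  "
              f"expected hits={result['expected_hits'][name]:.3f}  "
              f"annual={result['annual'][name]:.2e}/yr")
    print(f"E1 prediction vs simulation: {result['z_score_E1']:.2f} std. errors")
```

The independence estimate of P(E1) lies well within one standard error of the simulated 9 hits, while the expected hit counts for E4 and E5 in 10^4 trials are below one, so a run of that size cannot confirm them.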

9.0 RESULTS

9.1 CORE DAMAGE FREQUENCY CONTRIBUTIONS

The core damage frequencies determined in Section 7.0 are further combined and summarized in Table 9.1-1. The 90% confidence distributions of the core damage frequencies are presented in terms of the median values and associated error factors. The error factors are defined by the ratio of the 95th percentile to the 50th percentile.

The frequency of the accident sequences involving SGTR have been statistically combined (using the SAMPLE code described in Section 2.2.3.5) into two categories: 1) scenarios resulting from SGTR in one or two steam generators assuming offsite power is available and 2) scenarios resulting from SGTR in one or two steam generators with a coincident loss of offsite power. As noted in Section 2.2.1.2, the purpose for evaluating SGTR with the unavailability of offsite power incorporated into the initiating event frequency was to minimize the size of the extensive SGTR event trees. The LOHS and PORV LOCA event trees employed the fault tree linking approach (see Section 2.2.1.2) to model the availability of offsite power.

It should be noted that there is substantial conservatism in the calculated base values of core damage due to SGTR. The emphasis of the analyses was to estimate the change in core damage frequency rather than develop an accurate estimate of the absolute values. The following major assumptions were made for the SGTR analyses which may have resulted in an overestimate of the base value of core damage frequency of as much as an order of magnitude.

Assumption 1. HPSI is needed to prevent core uncovery and subsequent core damage following SGTR.

This assumption is conservative in that, if faced with a SGTR with no HPSI available, the operator could initiate an aggressive cooldown and thereby minimize leakage to the secondary system and bring the primary system pressure down to where the safety injection tanks could prevent or mitigate

TABLE 9.1-1

CORE DAMAGE FREQUENCY CONTRIBUTIONS DUE TO LOHS, SGTR AND PORV LOCA

INITIATING EVENTS           LOHS      SGTR WITH        SGTR WITH     PORV LOCA
                                      OFFSITE POWER    COINCIDENT
                                      AVAILABLE        LOOP

Case One: without PORVs, with ASHR* capability
  Median ACD (per year)     7.3E-6    1.7E-5           1.5E-6        N/A
  Error Factor              11        5                10

Case Two: with manually actuated PORVs, without ASHR* capability
  Median ACD (per year)     1.0E-5    1.7E-5           1.5E-6        8.4E-8
  Error Factor              12        5                10            11

Case Three: with automatically actuated PORVs, without ASHR* capability
  Median ACD (per year)     5.0E-6    1.7E-5           1.5E-6        3.9E-6
  Error Factor              13        5                10            17

Case Four: with no PORVs or ASHR* capability
  Median ACD (per year)     1.1E-5    1.7E-5           1.5E-6        N/A
  Error Factor              13        5                10

* Alternate Secondary Heat Removal

core uncovery and prevent core damage. Additional transient analysis would be required to verify the effectiveness of this action. Current emergency procedures do not suggest this action.

Assumption 2. A SGTR followed by a stuck open secondary valve is assumed to lead to core damage.

This assumption is conservative in that no credit was taken for the operator recognizing early in the transient that there is a danger of running out of borated water in the long term. This event is essentially an outside containment LOCA. Therefore, when the Refueling Water Tank (RWT) is drained and the Recirculation Actuation Signal (RAS) is generated, the Safety Injection System will switch over to a dry (or insufficiently filled) containment sump. This switch-over would occur at approximately 15 to 30 hours after the SGTR. The leak will persist until the primary coolant system is cooled to 212°F. For SGTR events that have occurred (e.g. Ginna) it has taken approximately 24 hours to get to shutdown cooling entry conditions. It could take an additional 10 to 20 hours to cool to 212°F.

Emergency procedures provide no guidance on the need to make do with the limited supply of borated water in the RWT, or to supplement it. Therefore, no credit was taken for other sources of water, including borated water in the spent fuel pool. No credit was taken for early recognition of the problem followed by an aggressive cooldown. Also, no penalty was assigned to the PORVs for their potential for aggravating the problem, i.e., use of the PORVs (and possible subsequent containment spray) would tend to drain the RWT sooner and lead to an RAS and a switch-over to an inadequately filled containment sump.

The frequency of the accident sequences involving PORV LOCA were also statistically combined into a single distribution representing the total core damage frequency of PORV LOCA. The result provides an estimate of the magnitude of the core damage frequency contribution due to PORV LOCA.

The core damage frequencies were evaluated for the currently planned plant design, which includes alternate secondary heat removal capability but has no PORVs (presented as case one), and the alternate plant design, which does not credit alternate secondary heat removal capability but includes PORV depressurization and decay heat removal capability (presented as case two). In this design, the PORVs are manually opened and the plant is assumed to operate with the PORV block valves closed, which minimizes the risk associated with PORV LOCA. It should be noted that the use of PORVs as a backup to the safety related Auxiliary Spray System was determined to have an insignificant impact on the total core damage frequency derived for each of the SGTR initiating events, as discussed in Sections 5.2.4 and 7.2.5. Therefore, the decrease in core damage frequency due to the added depressurization capability of PORVs is considered to be negligible.

If automatic actuation of the PORVs were to be assumed and if the plant were to operate with the block valves open, the core damage frequencies for case two (with PORVs) could be re-evaluated assuming an automatic PORV design. The results are presented as case three (automatic PORVs) in Table 9.1-1.

The event tree model for the loss of secondary heat sink evaluation which included alternate secondary heat removal capability was re-evaluated to determine a core damage frequency due to loss of heat sink assuming no alternate secondary heat removal capability and no PORV depressurization and decay heat removal capability. The results are presented as case four of Table 9.1-1.

9.2 CHANGE IN CORE DAMAGE FREQUENCY DUE TO IMPROVED DECAY HEAT REMOVAL CAPABILITY

9.2.1 Change in Core Damage Frequency due to Added Alternate Secondary Heat Removal Capability

As shown for case four in Table 9.1-1, core damage frequencies were determined for the plant configuration prior to the APS agreement to provide ADHR capability via the condensate pumps and associated procedures. Core damage frequencies were also calculated for the currently planned plant configuration, which includes ADHR capability via the condensate pumps. The results are presented as case one in Table 9.1-1.

In order to determine the reduction in total core damage frequency associated with utilizing alternate secondary heat removal capability, the LOHS core damage frequency which included alternate secondary heat removal capability (case one) was statistically subtracted from the LOHS core damage frequency presented as case four (no alternate secondary heat removal capability and no PORVs). The calculation was performed with the SAMPLE code at the sequence level to account for dependencies between the sequences, using branch median failure probabilities and associated error factors as input. The result indicates a net decrease in core damage frequency due to alternate secondary heat removal capability of 5.0E-6 per year (median value) with an associated error factor of 16.

9.2.2 Change in Core Damage Frequency due to Installation of PORVs

As shown in cases one and two of Table 9.1-1, core damage frequencies were determined for the proposed plant configuration, which includes alternate secondary heat removal capability but has no PORVs (case one), and the alternate plant design, which excludes alternate secondary heat removal capability but includes PORV depressurization and decay heat removal capability (case two). In this design, the PORVs are manually opened and the plant is assumed to operate with the PORV block valves closed.

The overall change in core damage frequency (net gain or loss in safety) due to the installation of PORVs was determined by examining only those events which were considered to significantly contribute to an increase or decrease in the total core damage frequency, i.e. core damage frequency due to LOHS events and PORV LOCA is impacted by the presence of PORVs, while the change in SGTR core damage frequencies does not contribute appreciably to a net gain or loss in safety.

The calculation was performed with the SAMPLE code at the sequence level to account for dependencies between the sequences, using branch median failure probabilities and associated error factors as input. For Case Two in Table 9.1-1, the core damage scenario frequencies which contribute to the LOHS (with manually actuated PORVs) core damage frequency and the PORV LOCA core damage frequency were statistically subtracted from the scenario frequency which comprises the LOHS without PORVs core damage frequency (Case One). In equation form:

Change = LOHS without PORVs - [LOHS with PORVs + PORV LOCA (manually actuated)]

or

(LF-Gi1u V) - [(LF-G y2 V Y) + (LF-G y2 V R) + (P1-R) + (P1-A) + (P2-R) + (P2-Z12 G ) + (P2-A) + (P3-R) + (P3-Z21 G)+ (P3-A)]

The quantitative solution to the above equation (see Section 5.0 for branch definitions) is presented in Table 9.2.2-1 in terms of a median value and 5% upper and 5% lower limits. The negative median value indicates a net increase in core damage frequency due to PORVs of 1.2E-6 per year if PORVs were added.

Recalculating the above equation, assuming an automatically actuated PORV design (where the plant operates with the block valves open), i.e.:

Change = LOHS without PORVs - [LOHS with PORVs + PORV LOCA (automatically actuated)]

the resulting negative median value would indicate a net increase in core damage frequency due to PORVs of 2.6E-6 per year. The quantitative solution is presented in Table 9.2.2-1.

It should be noted that the above values are very small compared to the proposed NRC safety guideline of $10^{-4}$ core melts/year (E).

TABLE 9.2.2-1

CHANGE IN TOTAL CORE DAMAGE FREQUENCY DUE TO PORVs ¹

                      Manually Actuated PORVs    Automatically Actuated PORVs
                      (ACD per year)             (ACD per year)
Median                -1.2E-6                    -2.6E-6
5% Upper Limit ²      2.7E-5                     4.4E-5
5% Lower Limit ³      -6.7E-5                    -1.0E-4

¹ A positive value indicates a net decrease in total core damage frequency while a negative value indicates a net increase in total core damage frequency.
² Based on data uncertainty the reduction in core damage risk due to PORVs is less than the 5% Upper Limit, with 95% probability.
³ Based on data uncertainty the increase in core damage risk due to PORVs is less than the 5% Lower Limit, with 95% probability.

10.0 REFERENCES

1. NRC Letter, R. L. Tedesco to A. E. Scherer, dated March 26, 1982, Subject: Depressurization and Decay Heat Removal Capability of the CESSAR Design.
2. Zion Probabilistic Safety Study, Commonwealth Edison
3. ACRS Letter, J. Carlson Mark to Nunzio J. Palladino, dated December 15, 1981, Subject: ACRS Report on Final Design Approval for Combustion Engineering, Inc. Standard Nuclear Steam Supply System.
4. SCE Letter, K. P. Baskin to Frank Maraglia, Branch Chief, dated April 30, 1982.
5. CE Letter, A. E. Scherer to D. G. Eisenhut, dated May 26, 1982, Subject: Rapid Depressurization and Decay Heat Removal Capability.
6. PRA Procedures Guide, NUREG/CR-2300, January 1983.
7. Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2 and 3 Final Safety Analysis Report.
8. Palo Verde Nuclear Generating Station Units 1, 2 and 3 System Descriptions (various systems).
9. C-E Emergency Procedure Guidelines, CEN-152, Revision 1, November, 1982.
10. Responses of C-E NSSSs to Transients and Accidents, CEN-128, April, 1980.
11. Palo Verde Nuclear Generating Station Units 1, 2 and 3 Operating Instructions (various systems).
12. Palo Verde Nuclear Generating Station Units 1, 2 and 3 Single-Line Diagrams (various electrical buses).
13. Palo Verde Nuclear Generating Station Units 1, 2 and 3 Main Control Board Layout Drawings and Equipment Lists.
14. Swain, A. D. and Guttman, H. E., Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Operations, NUREG/CR-1278, October, 1980.
15. Generic Data Base for Data and Models Chapter of the National Reliability Evaluation Program Guide, EGG-EA-5887, June, 1982.
16. Reactor Safety Study, An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH 1400/NUREG-75/014, October, 1975.
17. IEEE Guide to the Collection and Presentation of Electrical, Electronic, and Sensing Component Reliability for Nuclear Power Generating Stations, IEEE-STD500-1977.
18. Design and Application of Combustion Engineering's Reliability Data System for Nuclear Steam Supply Systems, TIS-6736, April, 1981.
19. Combustion Engineering Interim Data Base, "Failure Rates for Nuclear Plant Components", 207010, February, 1976.
20. PWR Power Plant Pump Reliability Data, EPRI-NP-2592, September, 1982.
21. Loss of Offsite Power at Nuclear Power Plants: Data and Analysis, EPRI-NP-2301, March, 1982.
22. General Evaluation of Feedwater Transients and Small Break Loss of Coolant, NUREG-0635, January, 1980.
23. A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants, NUREG-0666, April, 1981.
24. Vesely, W. E. and R. E. Narum, PREP and KITT: Computer Codes for the Automatic Evaluation of a Fault Tree, IN-1349, August, 1970.
25. Analysis of Steam Generator Tube Rupture Events at Oconee and Ginna, INPO 82-030, November, 1982.
26. Bourne, A. J. and Green, A. E., Reliability Technology, 1972.
27. Nuclear Power Experience: Reactor Coolant System, Relief and Safety Valves, Vol. PWR-2.
28. Depressurization and Decay Heat Removal, CEN-239 Main Report.
29. Interim Reliability Evaluation Program: Calvert Cliffs Unit 1, SAI-001-82-BE, January 15, 1982.
30. Combustion Engineering Standard System Analysis Report.
31. Kolb, G. J., S. W. Hatch, P. Cybulskis, and R. O. Wooton, Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant, NUREG/CR-1659, January 1981.
32. W. R. Corcoran, et al., "The Operator's Role and Safety Functions", Presented at Workshop on Licensing and Technical Issues - Post TMI, March 1980, TIS-6555A.
33. ATWS Analysis, Analysis of Anticipated Transients Without Scram in Combustion Engineering NSSSs, CENPD-158, Revision 1, May, 1976.
34. ATWS Early Verification, Response to NRC Letter on February 15, 1979 for Combustion Engineering NSSSs, CENPD-263, November 1979.
35. NRC, "Data Summaries of Licensee Event Reports for Diesel Generators at U.S. Commercial Nuclear Power Plants", NUREG/CR-1362, March 1980.
36. Review of Small Break Transients in Combustion Engineering Nuclear Steam Supply System, CEN-114-P, Amendment 1-P, July, 1979.
37. Safety Goals for Nuclear Power Plants: A Discussion Paper, NUREG-0880 (Draft), February, 1982.

APPENDIX A

NRC STAFF REQUEST FOR ADDITIONAL INFORMATION

CAPABILITIES FOR THE DEPRESSURIZATION AND DECAY HEAT REMOVAL WITHOUT PORVs

REQUEST FOR ADDITIONAL INFORMATION

1. CE has not demonstrated that the auxiliary spray system can satisfactorily depressurize the reactor coolant system during events where depressurization must be accomplished and the normal spray is unavailable. In addition, for some scenarios, containment isolation results in a loss of preheating to the auxiliary spray, which can result in a thermal transient to the spray nozzle piping and pressurizer spray. Please address the capability of the spray system to accommodate such thermal transients.

Please address the following aspects of auxiliary spray system:

a. A full description of the system.
b. The means to control the depressurization rate.
c. The maximum depressurization rate available.
d. The consequences of a failed open spray valve.
e. An evaluation of the ability to depressurize using the technique in the event of void formation in the vessel upper head. In such an eventuality, continued auxiliary spray operation could collapse the pressurizer steam bubble and result in a rapid insurge producing water solid pressurizer. It is not readily apparent that the auxiliary spray would be effective in such a situation.
f. The sources of reactor coolant grade borated water for auxiliary spray.
g. The time available for manual loading of the charging pump onto the emergency diesel generator.
h. The stresses induced in the pressurizer and nozzle must be shown to be acceptable, considering the worst combination of flows, temperatures, and pressures.

2. In general, it is desirable to limit the number of challenges to the reactor protection system to minimize the probability of ATWS. Moreover, it is desirable to minimize the number of reactor trips during the lifetime of the plant for the following reasons: First, a ramp down in the reactor power will reduce the likelihood of a turbine trip. A turbine trip has the potential to cause a loss of condenser system and lift the secondary safety valves, increasing releases to the environment. Second, a controlled power reduction will increase the availability of the reactor coolant pumps. Third, a crud burst is less likely during a controlled reactor shutdown, reducing the possibility of increasing coolant activity levels. Based on these considerations, as well as the lessons learned from the TMI accident, how is the overall plant safety affected by the absence of PORVs.

3. Even though the Commission has not approved a final ATWS rule, the ability to limit RCS pressure rise in an ATWS event is being contemplated for most LWR designs. Address the advantages and disadvantages of PORVs from the ATWS standpoint.

4. A PORV or other direct depressurization methods may be a viable technique for mitigating pressurized thermal shock (PTS). Address the exclusion of the PORV from the CESSAR-80 design considering PTS.

5. While the PORV may not be required based on classical safety analyses, there are a number of relatively low probability scenarios in which the ability to directly depressurize the RCS or to initiate primary feed and bleed may be essential for plant safety. For example, should tube ruptures occur in both steam generators to the extent that offsite releases would be excessive if the secondary systems were used, a PORV may be the only means of removing core decay heat without excessive offsite releases or running out of ECCS water. Small break LOCAs could be dealt with by depressurizing the RCS down to the pressure where low head safety injection pumps replenish fluid volume. Show how a variety of multiple failure events, including the above, are satisfactorily handled without the PORV.
6. CE has proposed the use of a low pressure system to supplement the auxiliary feed system. The submittal did not specify which low pressure system, so an evaluation of its capabilities or uses could not be performed. Provide the following specific information:

a. Describe the system and its use, including water supplies (and their capacity), flow paths, pumps, power supplies to components, control equipment and procedures.
b. Describe the water chemistry interface requirements for the proposed low pressure system in order to assure its use will not cause unacceptable steam generator integrity degradation or heat transfer capability. (see item 7)
c. Show that blowdown of the steam generator is a viable technique without adverse core cooling consequences. Show that a concurrent rapid primary system cooldown and potential primary system contraction does not result in inadequate core cooling or a return to power.
d. Show that there are no adverse consequences while feeding a dry steam generator with the low pressure system.
e. If steam generator pressure rises above the shutoff head of the low pressure pumps intended to be used, describe the method of regaining feed flow without compromising core cooling.
7. Provide information .and test data which will dem:nstrate that st'ea'm generator structural . integrity and heat transfer ca;3bilities will he maintained under secondary water chamistry conditions that deviate
                                                  . from the rec'ommended CE water chemistry program. Specifically, the following
       .Q.

i.

       .%.)        .

considerations should be addressed for the spectrum of CESSAR plant sites:

a. Provide data to demonstrate that excessive corrosion of the primary pressure boundary will not occur which could result in primary to secondary leakage complicating the accident condition. (Data pertaining to synthetic cooling water is not considered appropriate, due to the inability to include all potentially corrosive species in their exact chemical conditions).

b. Provide an assessment of the total corrosive damage anticipated in the steam generators as a consequence of main condenser cooling water injection. Relate the anticipated corrosion damage to the steps which will be necessary to ensure structural integrity prior to a restart.

c. For your proposed shutdown method, provide calculations and/or test data which will demonstrate that excessive heat transfer surface fouling will not occur and impede the ability of the steam generators to perform their cooldown function.

d. Describe the steam generator design features which will reduce their susceptibility to excessive corrosion during the proposed injection of main condenser cooling water.

8. For extended loss of main and auxiliary feedwater case where feed/bleed would be a potential backup:
a. What is the frequency of loss of main feedwater events; break down initiators that affect more than MFW e.g., DC power?

b. What is the probability of recovering main feedwater. Provide your bases such as availability of procedures and the human error rates?

c. What is the probability of losing all auxiliary feedwater (given Item a)? Include considerations of recovering auxiliary feedwater as well as common cause failures (including those which could affect main feedwater availability and support system dependencies) and failures that could be hidden from detection via tests?

d. What is the uncertainty in the estimates provided for a), b) and c)?

e. How long would it take for core melt to initiate?

f. Were core to melt under these conditions, what is the likelihood of steam generator tube rupture(s) due to steam pressure from slumping core?

g. Characterize the consequences from core melt events of e) and f).

9. What is the risk from steam generator(s) tube failures? As a minimum, consider the following:

a. Scenarios leading to core melt from one or more steam generator tubes failing in one steam generator. Include paths which consider failure of relief or safety valve in the faulted steam generator, capability of (or loss thereof) to depressurize the secondary side, the role of the ECCS including inventory and boron availability.

b. What is the frequency of steam generator tube ruptures in two steam generators? This estimate should include consideration of common cause failures such as design errors, events resulting in extremely high ΔP across the tubes, aging, etc. If tubes were to fail in both steam generators, what is the probability of core melt and generally characterize the consequences.

c. For a) and b) above, discuss the likelihood of steamlines filling with subcooled water and any consequential failures.

d. For a) and b), discuss uncertainties including human error rates (carefully considering the clarity and unambiguity of procedures).
10. What is the core melt frequency from PORV initiated LOCA? Characterize the consequences?

11. What is the net gain (or loss) in safety considering 8, 9 and 10 above if PORVs were to be installed? Are there any additional benefits (or drawbacks) achieved by installing PORVs? Examples of potential benefits are mitigation of ATWS and pressurized thermal shock, and reduced risk associated with depressurized primary system during a core melt.

12. If the results in 11 yield appreciable gain in safety, what could be the cost of installing PORVs?

13. One of the main reasons CE has concluded that PORVs are not needed for emergency decay heat removal is that alternative water sources could be made available to the steam generators for decay heat removal purposes. An inherent assumption in this approach is that steam generator integrity will be maintained throughout the life of the plant. One method of assuring combined steam generator integrity is by inservice inspection and plugging of tubes excessively degraded. Please discuss the following:

a. What is the minimum allowable wall thinning that could exist in the steam generator tubes without plugging?

b. What is the probability that ISI will not detect a degraded tube? Provide the margin of error in eddy current measurements at various depths of degradation.

c. Given a steam generator with the maximum allowed tube thinning and degradation, confirm that those tubes will maintain their integrity by demonstrating they have been analyzed and shown to remain intact for all design basis loadings used for the steam generator design including seismic loads.

d. Describe the analytical and experimental justification for establishing a minimum acceptable steam generator tube wall thickness for the CE System 80 steam generators in accordance with guidelines in Regulatory Guide 1.121, "Bases for Plugging Degraded PWR Steam Generator Tubes". The justification should include the analyses to calculate the hydraulically induced loading on the steam generator and the thermal response of its tubes and shell to an assumed LOCA, MSLB and an WLS.

14. Fretting wear type damage of steam generator tubes in the vicinity of the feedwater inlet has been observed in certain preheat type steam generators of design similar to the CE System 80 steam generators. This damage is attributed to flow induced vibrations originating in the economizer of the steam generator. Provide a description of vibration analyses and model flow testing performed during the design of the CE System 80 steam generators to assure that no damaging flow induced vibrations would occur in these steam generators.

APPENDIX B

PROBABILISTIC TUBE STRENGTH MODEL

I. INTRODUCTION

An empirical tube-strength model has been developed to evaluate steam-generator tube rupture probabilities. The failure mechanism assumed in the model was tube rupture caused by overpressurization. A sequence of transient events resulting in increased primary/secondary pressure differences was included in the analysis. The failure probabilities for individual steam-generator tubes were derived from bursting experiments using undefected and mechanically defected steam-generator tubing. In order to model the mechanical state of an aging steam generator, a defect inventory distribution was included in the model. The defect distribution was inferred from current steam generator inspection procedures. In practice, a measured defect inventory can be used.

The model uses Monte-Carlo simulation to compute tube rupture probabilities on an event-specific basis for each of two steam generators. For a given event, the probabilities of 1 to 30 tube ruptures are computed. These probabilities are convoluted with the event probabilities to compute an overall frequency distribution (Figure 8.0-1).

At present, the model does not include provisions for non-mechanical degradation of tube performance or loose-part impact induced failure. For the purposes of the PORV risk impact study the question that this model is designed to answer is "What is the expected frequency and character of events involving simultaneous tube ruptures in both steam generators?" Therefore, failure modes involving loose-parts or jet impingement were not considered.

II. PROBABILITY DISTRIBUTIONS FOR TUBE BURST PRESSURE

In a PWR steam generator, tubes are pressurized from the interior by primary coolant. The primary/secondary pressure difference under normal operation can range from 1000-1350 psid. Experimental evidence has suggested that the pressure required to burst steam generator tubes is a random variable and can be described by an appropriate probability density function. Since this model was concerned with computing the probabilities of 1 to 30 tube failures out of a population exceeding 10^4 tubes, an adequate treatment of extremal phenomena was required. For this reason an extreme value distribution was chosen to model the probabilistic behavior of burst pressure.

Trankel (Reference 1) and Kao (Reference 2) have used Type I and Type III (Weibull) extreme value distributions to describe tube bursting phenomena. In the present model, the Weibull distribution, which has been widely applied for the analysis of fatigue data, is used. This distribution has the distinct advantage of possessing a finite lower bound. Since the present model does not analyze the steam generator tube rupture as an initiating event, but as a consequence of an event resulting in an increased primary/secondary pressure difference, the Weibull distribution, with a lower threshold burst pressure, was particularly appropriate.

The cumulative distribution function (CDF) of a Weibull variate is given by:

F(X; N, σ, μ) = 1 - EXP -( - -") J 0

for X > μ, where

X = burst pressure
N, σ = location and scale parameters
μ = lower limit value
F(X) = probability of burst pressure < X

For undefected tubing, the data of Kao (Reference 2) was used. This data set agreed well with later investigations of tube bursting documented in Reference 3. The fit obtained for the data is given by:

F(X) = 1 - EXP -(h)17.13- X > 1.0 ksi

Based on this expression the following results were obtained for undefected tubing:

Prob (B.P. [Burst Pressure] ≤ 3 KSI) = 5.78 x 10^-11
Prob (B.P. ≤ 3.5 KSI) = 2.64 x 10^-10
Prob (B.P. ≤ 4 KSI) = 6.0 x 10^-8
Prob (B.P. ≤ 7 KSI) = 8.6 x 10^-4
Prob (B.P. ≤ 11 KSI) = 0.995

An extensive examination of the effects of various types of mechanical defects on steam generator tube performance was presented in Reference 3. Burst pressure performance was seen to be a complex function of defect geometry and length as well as wall thickness degradation. Because present tube plugging criteria are based primarily on defect depth expressed as a percentage of wall thickness, asymptotic behavior with regard to defect length and geometry was conservatively assumed. Burst pressure then could be expressed as a linear function of percent remaining wall with an intercept at the origin:

BPd = BPu x PRW/100

where:

BPd = Burst pressure of defected tubing
BPu = Burst pressure of undefected tubing
PRW = Percent remaining wall

The data of Reference 2 was adjusted using the above equation to allow the fitting of Weibull distributions for various levels of damage. The probability density functions (PDF) obtained using this procedure are shown in Figure B-1 for various damage levels. These burst pressure probability density functions were incorporated into the tube strength model.
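The burst-pressure model of this section, as an added Python example (not code from the report). It assumes a CDF of the form 1 - exp(-((X - 1.0)/s)^17.13), with the denominator s back-calculated from the 7 ksi probability (8.6 x 10^-4) quoted above because the fitted expression is not legible on the page; the pressure differentials and defect inventory are constructed sample inputs, and the function names are hypothetical.

```python
import math
import random

# Values quoted in the report for undefected tubing.
N = 17.13              # exponent of the fitted Weibull CDF
MU = 1.0               # lower-limit burst pressure, ksi
P_AT_7_KSI = 8.6e-4    # quoted Prob(burst pressure <= 7 ksi)


def calibrate_scale(x_ksi=7.0, p=P_AT_7_KSI):
    """Solve 1 - exp(-((x - MU)/s)**N) = p for the denominator s.

    ASSUMPTION: s is back-calculated here; it is not a value printed in the report.
    """
    z = -math.log1p(-p)
    return (x_ksi - MU) / z ** (1.0 / N)


SCALE = calibrate_scale()


def cdf_undefected(x_ksi):
    """P(burst pressure of an undefected tube <= x_ksi)."""
    if x_ksi <= MU:
        return 0.0            # nothing bursts below the lower limit
    z = ((x_ksi - MU) / SCALE) ** N
    return -math.expm1(-z)    # stays accurate for very small probabilities


def burst_prob(dp_ksi, prw):
    """P(a tube with prw percent remaining wall bursts at differential dp_ksi).

    BPd = BPu * PRW/100, so P(BPd <= dp) = F_undefected(dp * 100 / PRW).
    """
    if not 0.0 < prw <= 100.0:
        raise ValueError("percent remaining wall must be in (0, 100]")
    return cdf_undefected(dp_ksi * 100.0 / prw)


def sample_burst_pressure(prw, rng):
    """Draw one burst pressure (ksi) by inverting the CDF, then scaling by PRW."""
    u = rng.random()
    bpu = MU + SCALE * (-math.log1p(-u)) ** (1.0 / N)
    return bpu * prw / 100.0


def rupture_summary(dp_ksi, inventory):
    """inventory maps percent remaining wall -> number of tubes.

    Returns (expected number of ruptures, probability of at least one).
    """
    expected, log_none = 0.0, 0.0
    for prw, count in inventory.items():
        p = burst_prob(dp_ksi, prw)
        expected += count * p
        if count > 0:
            # p can round to exactly 1.0 for heavily thinned tubes
            log_none += count * math.log1p(-p) if p < 1.0 else float("-inf")
    return expected, -math.expm1(log_none)


def simulate_rupture_counts(dp_ksi, inventory, trials, seed=1):
    """Monte Carlo: number of ruptured tubes in each trial."""
    rng = random.Random(seed)
    counts = []
    for _ in range(trials):
        ruptured = 0
        for prw, count in inventory.items():
            for _ in range(count):
                if sample_burst_pressure(prw, rng) <= dp_ksi:
                    ruptured += 1
        counts.append(ruptured)
    return counts


if __name__ == "__main__":
    # Constructed defect inventory: percent remaining wall -> tube count.
    inventory = {100: 10000, 60: 200, 40: 20}
    print(f"calibrated scale s = {SCALE:.3f} ksi")
    for dp in (1.35, 2.5, 4.0):   # constructed pressure differentials, ksi
        exp_n, p_any = rupture_summary(dp, inventory)
        print(f"dp={dp} ksi  expected ruptures={exp_n:.3e}  P(>=1)={p_any:.3e}")
    counts = simulate_rupture_counts(4.0, {40: 20}, trials=2000)
    print("Monte Carlo mean ruptures (20 tubes at 40% wall, 4 ksi):",
          sum(counts) / len(counts))
```

Under these assumptions the code reproduces the quoted 3.5 ksi and 11 ksi probabilities; for 3 ksi and 4 ksi it gives values ten times smaller than the figures printed above.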

[Figure B-1. Burst pressure probability density functions for various damage levels (percent remaining wall).]
                                                                                                                                                                                                                                                                                                                           .. , P1 = 4@                                                                                .g.

5_. =__ =._r - c p.  : ._ .==,=.. -_.- _3.._ .=.

                                                                     .                                          =. .g u .               p                         .                                                   _                                                             .     ...      =.+..                                  .-                   _=#-                                  ,                       _m.
                   .g                        . ..                                    __            _        . . _ .

4

                                                                                                                                                                                                        .. . p .             .
                                                                                                                                                                                                                                                                                 ._.p.                                                   .j 4                                                                                        i r                        f                                                  t=.                    ;_                                                          .]                      p                                     / f_ (

t . _. . . _ .. q i pp4 l +. -. n . . u. . u_.. j_ p; j

                                                                                                                                                                               =ag . , 3 . ..                              .._                                                         - p -.      _  . .

h: g

   ;_ p .                     .                         : . u.._             .                    .
j. -g _q..._. _3_, _. -
7. g. p._ j [ ._ [ j. H l . ._ .a a .
                                                                                                                                    .3n                                      .._. . ii . . _.n                      ;      . p_ . u..                                n-          u_q .4 _a._.                            i

[- ;_ . .(7 ._ l ,

                                             .- !                                                                                                                                       i                      e i                                                                                       in                                                              .

I ! == p- a- = 4- ~ = = 1: 1&n w m 16 -.

                                                                                                                                                                                                                                                                                                                                                                                      +                       =-

h := l m;; tn -

                                                                                                                                       !                          .                                         E               [- :i:                                         - l-r4                                         f;.                        _                                   p

_ .m p p =. #_ s!. 1_ = ,.. . _ .: = =r= y .E= =.y mp=. i_ a= p.. . 4_u.a =_ .#

        . s h.2                                _q                                                     .                             . i=                                                e                      .:       p=r                                             =

4 cf=1=y L p = 3 ii -; }; _. - - i -- - -*~

                                                                                                                                                                                                               !l --"i                                                                    .

l l l

 .=,                                             . ;=.               .p                                    e                 up..                                 =                  4                         ./.                   =                       .                      .=m
f. = 3 i i ._

l a = a=w g:2 7 : p-- p jg u-p j;-

                                                                                                                                                                                                             /.p3;                                      =
g c

_. ; j g  ; i i (  ; j J. . l + y n,y =i

                                                                                                                                                                                                                                                                         \ y                                                        +
        #                  +                   j f.
                                                                          #w#                                                                                          u.a .p. m. p.+ ..                                             s                            y n: i
                                                                                                                                                                                                                                                                                                                                                                             !y; i                         O l             t          . _.._ y ; p., p m.t_...                                                                                                    t, ,,                                                                                             g_ ~                                                . . .
                                                                                                                                                                                                                                                                                                                           - _. w                                                                 i ii Rait -in                                                                                          : r i                                3 -l BURhT PR555URE (K$ID)                                                                                                                                 ~L                           !                    l                       !

B-5

III. DEFECT INVENTORY

A second important element in the probabilistic tube strength model is the defect inventory, that is, the distribution of damage level among the more than 11000 tubes in a steam generator. Preliminary computations showed that only tubes degraded more than the assumed plugging limit of 60% contributed significantly to the risk of tube rupture. Since current inspection plans called for sampling at least 3% of the steam generator tubes (more if any tubes are degraded beyond the plugging limit), an estimate of the percentage of the remaining population degraded beyond the plugging limit could be made from the Binomial distribution. The "best" estimate made at a 50% cumulative probability was approximately 1/4% or 28 tubes degraded beyond the 60% level.

The model used in this report assumes that the damage distribution can be represented by a continuous analytical probability density function (PDF). Of the analytical PDF's, the Beta distribution most adequately models the physical limits of damage (0-100%) and provides sufficient flexibility in shape to model both relatively new and aging steam generator damage distributions. The Beta distribution has four parameters; two of which define the limits and two which can be adjusted to obtain a wide variety of shapes. The second pair of parameters were obtained by determining the parameter sets which satisfied the 1/4% tail criterion. Of these sets, the values leading to the most extreme distribution in the tail were chosen. The Beta distribution used in the model is shown in Figure B-2 for damage levels beyond the 60% plugging limit.

B-6
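The parameter selection described above can be sketched as follows. This is an added example, not code or values from the report: for each trial first shape parameter it solves for the second one so that 1/4% of a Beta distribution on 0-100% damage lies beyond the 60% plugging limit, then picks the set with the heaviest deep tail. Assumptions: the grid of trial values, the 80% damage level used to rank "most extreme", and a population of exactly 11000 tubes; the report does not state its fitted parameters.

```python
import math

PLUGGING_LIMIT = 0.60   # from the report: 60% plugging limit
TAIL_FRACTION = 0.0025  # from the report: about 1/4% of tubes beyond the limit
N_TUBES = 11000         # assumption: the report says "more than 11000 tubes"


def beta_tail(a, b, x, steps=2000):
    """P(damage > x) for Beta(a, b) on [0, 1], by Simpson's rule (requires b >= 1)."""
    h = (1.0 - x) / steps

    def density_kernel(t):
        return t ** (a - 1.0) * (1.0 - t) ** (b - 1.0)

    total = density_kernel(x) + density_kernel(1.0)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * density_kernel(x + i * h)
    # Normalise by the Beta function B(a, b), computed in log space.
    log_norm = math.lgamma(a) + math.lgamma(b) - math.lgamma(a + b)
    return total * h / 3.0 * math.exp(-log_norm)


def solve_b(a, x=PLUGGING_LIMIT, target=TAIL_FRACTION, lo=1.0, hi=200.0):
    """Second shape parameter b that puts exactly `target` of the mass beyond x.

    For fixed a the tail beyond x shrinks as b grows, so bisection applies.
    """
    for _ in range(50):
        mid = 0.5 * (lo + hi)
        if beta_tail(a, mid, x) > target:
            lo = mid  # tail still too heavy: b must be larger
        else:
            hi = mid
    return 0.5 * (lo + hi)


def candidate_sets(a_grid=(1.0, 2.0, 3.0, 5.0), deep_level=0.80):
    """Shape-parameter sets that all satisfy the 1/4% tail criterion.

    a_grid and deep_level are illustrative assumptions, not report values.
    """
    rows = []
    for a in a_grid:
        b = solve_b(a)
        rows.append({
            "a": a,
            "b": b,
            "tubes_beyond_limit": N_TUBES * beta_tail(a, b, PLUGGING_LIMIT),
            "tubes_beyond_deep": N_TUBES * beta_tail(a, b, deep_level),
        })
    return rows


def most_extreme(rows):
    """The set that leaves the most tubes at very deep damage levels."""
    return max(rows, key=lambda r: r["tubes_beyond_deep"])


if __name__ == "__main__":
    rows = candidate_sets()
    for r in rows:
        print("a=%.1f  b=%.3f  tubes >60%%: %.1f  tubes >80%%: %.3f"
              % (r["a"], r["b"], r["tubes_beyond_limit"], r["tubes_beyond_deep"]))
    print("most extreme tail: a=%.1f" % most_extreme(rows)["a"])
```

Every candidate set meets the same 60% tail criterion, yet the expected number of tubes beyond 80% differs several-fold between sets, which is why the choice among them matters for the rupture estimate.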

[Figure: plot not recoverable from the scan. Surviving title: DISTRIBUTION OF TUBES DEGRADED BEYOND PLUGGING LIMIT]
      . . . i . 4.J - . .                       ...a.._.                 . . _: __.J ' -                                                        -

j _ __n__L __K4_1{.1, ]_ _' ? _ .

                                                                                                                                                                                                                                                                                                 . __;.._jg.; ;_4}; ___. .                                                    ._}.                 . _ .
                                  . , -              . . g. _                        ,.
                                                                                                                                                                                                                                                                                                                           ._..._i..
                                                                                                                                                                                                                                                                                                           . , . . . ......g;                                                        i.,.

y , }

     . . _ q_ n                 .                 . -m=                                        xEj _il:.;:.a .                         1.      ; .2 :           .=_E{i_il= ";- '% : .u.4
                                                                                                                                                                                                                                                                                                    ._p_;                    - ---j i . :_.-                                        4,n_;.
=
=-p=_{;. _i_.; xhjiL. 'E 92rj .yj ' 4 n_. j.
         - r                       .p.               ; j : --                     .i'n          p r.u.              :.fr?p i-i                    JS                 ci                          tr               A                   .1                       -

M w: p 1 - iX t  !-  ! l 1 O

.p , .i . l !..

{i- * :i[:_ : N .. { l i '}

               .                    a, -              -j         .              .,                                       j
                                                                                                                                           ,. w y .
                                                                                                                                                                                         .+.
                                                                                                                                                                                                                  ,.                                                                                           p                                                                     6
                                                                   .n.g..
                                                                      .u          u v.-
                                                                                                                                                                                                                  .                                    , n m

s.a

                                                           !                         -                  i                ;.                                                             . ,! ;
                                                                                '!~                ~l         I i F; ELATIVE DEFECT DEPYf D/D i 1 I"                                                                                                                                                     -

I- I i

                                                                                                                                                                                                                .p                                             m                                                                                                                     j
           .[                                           ~!.                                             !                                                              .                 .t                                                                                                                    .-l                                                                                            ,

nj; . .m 2. ; ' - . .n j. . ... i L. . 4_

                                                                                                                                                                                       .jn             . _.;. .                   . _xp.                . ._4          c       . u.4_               .      .:   . j. _.h..F '
iF: "i -~i 4
                                                                                                                                                                                         .' l -                   ,                      - -i"                                              .

i- l , B-7

IV. SIMULATOR STRUCTURE

Monte-Carlo simulation is used to compute tube failure probabilities on an event-specific basis. The general structure of the simulator used for these computations is shown in Figure B-3. The overall computation is a repetition of the computation shown in Figure B-3 for J events (x 2 steam generators per event).

The first step in the simulation is the computation of tube rupture probabilities for a set of four damage levels. These are computed using the distribution functions shown in Figure B-1. The probabilities thus computed represent the expected failure proportion for tubes at each damage level given the specific overpressurization characteristic of the event.

The second step in the computation is to obtain sample values for the number of tubes in each of four damage intervals. This is accomplished by randomly sampling from the distribution shown in Figure B-2. The expected failure proportions computed in the first step are then combined with their respective interval subpopulations to compute Hypergeometric cumulative distribution functions for the number of ruptured tubes in each interval. Uniformly distributed random variates are then used to obtain the number of ruptured tubes. The entire second step is repeated for the required number of trials to obtain the probabilities of N tube ruptures (N = 1,30) for the steam generator.

The output of the simulator is a [2J x N] matrix of probabilities (P(j,n)). Each row contains the probabilities of n or less tube failures for a specific event / steam generator. The odd numbered rows contain the results for the more severely affected steam generator. The even numbered rows contain the results of the less affected steam generator. The frequency of tube ruptures for the spectrum of J events is computed from:

    F(n) = Σ P(j,n) E(j)     (sum over j)

        j = 1,3,5,... affected S.G.
        j = 2,4,6,... unaffected S.G.

FIGURE B-3 SIMULATOR STRUCTURE

Flowchart, in order of execution (inputs to each step in parentheses):

1. COMPUTE FAILURE PROPORTIONS (inputs: ΔP, the event primary/secondary pressure difference; burst pressure CDF's for L damage levels, L = 1,4)
   FP(L) = expected failure proportion at given ΔP for Lth damage level
2. OBTAIN SAMPLE POPULATIONS FOR EACH DAMAGE LEVEL (input: Beta PDF)
   N(L) = population of Lth damage level
3. COMPUTE HYPERGEOMETRIC CDF's FOR EACH DAMAGE LEVEL
   Pr(N(L) ≤ M) = F(FP(L), N(L)), M = 0,1,2,3,...
4. COMPUTE NUMBER OF RUPTURES AT EACH DAMAGE LEVEL, N(L) (input: uniform random variates)
5. SUM RUPTURES
   NS = Σ N(L)
6. Decision: T = T ? (YES / NO)
7. DO NEXT STEAM GENERATOR OR EVENT

    L    DAMAGE RANGE
    1    60% < D ≤ 70%
    2    70% < D ≤ 80%
    3    80% < D ≤ 85%
    4    85% < D ≤ 90%

where:

    n = number of ruptured tubes
    E(j) = frequency of jth event
    P(j,n) = probability of n tube ruptures given jth event
    F(n) = overall frequency of n ruptured tubes

A special feature of the simulator is the ability to check for multiple generator tube ruptures. This is accomplished by storing and comparing numbers of ruptured tubes for both the affected and unaffected steam generators on a trial-by-trial basis.
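The simulator structure described in this section, sketched as an added example (not code from the report). The distributions of Figures B-1 and B-2 are not reproduced here, so the failure proportions FP(L), the Beta parameters, the maximum subpopulation, the event frequencies E(j) and the hypergeometric parametrization (N(L) tubes drawn from a notional lot in which a fraction FP(L) would burst) are all constructed assumptions. P(j,n) is taken as the probability of exactly n ruptures.

```python
import math
import random
from functools import lru_cache

@lru_cache(maxsize=None)
def hypergeom_cdf(lot, bad, draws):
    """Return (Pr(X <= m), ...) for X ~ Hypergeometric(lot, bad, draws)."""
    total, acc, cdf = math.comb(lot, draws), 0.0, []
    for m in range(min(bad, draws) + 1):
        acc += math.comb(bad, m) * math.comb(lot - bad, draws - m) / total
        cdf.append(acc)
    return tuple(cdf)

def inverse_cdf(cdf, u):
    """Inverse-transform sampling: smallest m with u <= Pr(X <= m)."""
    for m, c in enumerate(cdf):
        if u <= c:
            return m
    return len(cdf) - 1  # guards against floating-point shortfall in cdf[-1]

def one_trial(fp, rng, lot=1000, max_pop=20, beta=(2.0, 5.0)):
    """Ruptures NS in one steam generator for one trial, summed over damage levels."""
    ns = 0
    for p in fp:
        n_l = round(max_pop * rng.betavariate(*beta))  # sampled subpopulation N(L)
        ns += inverse_cdf(hypergeom_cdf(lot, round(p * lot), n_l), rng.random())
    return ns

def simulate_event(fp_affected, fp_unaffected, trials, n_max, seed):
    """Return (P row affected S.G., P row unaffected S.G., Pr(both rupture))."""
    rng = random.Random(seed)
    rows, both = [[0.0] * (n_max + 1) for _ in range(2)], 0
    for _ in range(trials):
        ns = [one_trial(fp, rng) for fp in (fp_affected, fp_unaffected)]
        for row, k in zip(rows, ns):
            row[min(k, n_max)] += 1.0 / trials  # last bin holds n_max or more
        both += ns[0] > 0 and ns[1] > 0  # trial-by-trial comparison of both S.G.s
    return rows[0], rows[1], both / trials

def frequency(p_rows, e):
    """F(n) = sum over j of P(j,n) * E(j) for one class of steam generator."""
    return [sum(p[n] * ej for p, ej in zip(p_rows, e)) for n in range(len(p_rows[0]))]

# Constructed inputs: FP(L), L = 1..4, for each S.G., and event frequency E(j).
EVENTS = [([0.01, 0.03, 0.08, 0.20], [0.001, 0.003, 0.01, 0.03], 1e-3),
          ([0.05, 0.10, 0.25, 0.50], [0.005, 0.01, 0.03, 0.08], 1e-5)]
def run(trials=2000, n_max=30):
    sims = [simulate_event(a, u, trials, n_max, seed=i) for i, (a, u, _) in enumerate(EVENTS)]
    e = [ev[2] for ev in EVENTS]
    return frequency([s[0] for s in sims], e), frequency([s[1] for s in sims], e), [s[2] for s in sims]
```

`run()` returns F(n) for the affected generators, F(n) for the unaffected generators, and the per-event probability that both generators rupture in the same trial.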

APPENDIX B REFERENCES

1. Frankel, J., "Burst Pressure Statistics for Non-Degraded Tubing", BNL20368 [Appendix II], 1975.
2. Kao, C. S., "The Distribution of Burst Pressure for Tubes", BNL21917, 1976.
3. Alzheimer, J. M. et al., "Steam Generator Tube Integrity Program Phase I Report", NUREG/CR-0718 PNL2937, September 1979.

}}