Review of Millstone 3 Probabilistic Safety Study, Incomplete Preliminary Draft
ML20086L913
Site: Millstone
Issue date: 01/25/1984
From: LAWRENCE LIVERMORE NATIONAL LABORATORY
To:
Shared Package: ML20086L910
References: NUDOCS 8402150392
Download: ML20086L913


Text

INCOMPLETE PRELIMINARY DRAFT

A Review of the Millstone-3 Probabilistic Safety Study

January 25, 1984

INCOMPLETE PRELIMINARY DRAFT

8402150392 840203 PDR ADOCK 05000423 PDR

TABLE OF CONTENTS

NOTE: Only sections marked with asterisks are included in this draft

1. Executive Summary
2. Introduction
   2.1 Background
   2.2 Scope
   2.3 Assumptions
3. Internal Events Analysis
   * 3.3 Success Criteria
   * 3.4 Systems Descriptions and Fault Tree Models
   * 3.5 Human Factors
   * 3.6 Failure Data
   3.7 Operating Experience Analysis
   3.8 Analysis Codes
   * 3.9 Accident Sequences
   * 3.10 Dependencies
   3.11 Quantification
4. External Event Analysis
   4.1 Seismic
   4.2 Fire
   4.3 Industrial Accidents
   4.4 Other
5. Summary and Conclusions
   * 5.1 Dominant Sequences Corresponding to Each Plant Damage State
   5.2 Important Problems and Omissions
   5.3 Treatment of Uncertainties
   5.4 Overall Evaluation of Millstone-3 Risk Assessment
6. Appendices (as required)

3.1 INITIATING EVENTS

The MP-3 PSS evaluated more than sixty individual initiators in the process of defining a set of twenty-two classes of initiating events for the study. This section presents the results of a review of the completeness of the set of initiators considered and of the frequency estimates assigned to each.

3.1.1 Completeness of Initiating Events Considered

The PSS considered two general classes of initiating events, LOCAs and transients, in keeping with the traditional classifications established in previous PRAs. The LOCA classes were defined by examining those in WASH-1400 (the Reactor Safety Study) and from an evaluation of the Millstone plant design to determine if any special LOCA evaluations were required. The transients were developed primarily from the PWR transient list contained in EPRI NP-2230, ATWS: A Reappraisal, Part 3: Frequency of Anticipated Transients. This list was augmented by the development of plant specific initiators which were selected because they had unique effects on the plant response following the occurrence of the initiator. The list of initiators considered is consistent with those from previous PRAs, and the methodology used is consistent with that espoused in NUREG/CR-2728 (the IREP Procedures Guide) and NUREG/CR-2815 (the draft NREP Procedures Guide). No significant internal initiators were identified as having been omitted from the evaluation.

Table 3.1.1 lists the 21 specific initiator classes which were used in the PSS. These classes were developed to represent differences in plant response to each initiator class. Most of the classes are reasonable and consistent with previous PRAs except for the division of the majority of the anticipated transients into event classes 7 through 12. Although these groupings represent differences in the initial phenomenology of transients, they do not represent differences in the plant response or in their effects on mitigating systems. Further, these groupings do not account for the possibility of the power conversion system (PCS) being available (see Section 3.2.1.3). For these reasons, the events in these classes were regrouped for this review into two classes, one for loss of PCS and one for PCS available. These new classes are shown in Tables 3.1.2a and 3.1.2b, and it is noted that some transients appear on both lists. These transients, while not automatically failing PCS, result in significant, asymmetric perturbations which are more likely to fail the PCS than other transients. The probability assignments for these transients were made on the basis that 50% of the time these transients occurred the PCS would definitely fail and the other 50% of the time it would be available.

3.1.2 Frequency of Initiating Events

A list of the final initiating event classes used in the PSS and their mean and median frequencies is shown in Table 3.1.3. These values are compared with point (or best) estimate values from either NUREG/CR-2787 (the ANO-1 IREP study) or from other sources recommended in the NREP Procedures Guide and presently available. The ANO-1 IREP study was used since it is the most recently completed and approved NRC sponsored PRA for a PWR. The point estimate values are used in the reevaluation of the dominant core melt sequences for each plant damage state. The source of the point estimate values is also shown in the table. The remainder of this section discusses the methods used by the PSS to establish some of the values used in the study, and explains the source of some of the point estimate values used in the requantification where the source of the values is not obvious and straightforward.

3.1.2.1 Quantification Methods

The PSS used very sophisticated calculational methods to develop frequencies for some of the initiating events. For the events involving pipe breaks, they took the 5th and 95th percentile frequencies from WASH-1400 and used them as the 20th and 80th percentiles of prior distributions for a Bayesian estimation of pipe failure rate distributions. Bayesian techniques were also utilized in the PSS for loss of offsite power, using the history of LOSP over the entire U.S. as the prior and the Millstone site specific data as the posterior. In the quantification of interfacing systems LOCA, the utilization of the loguniform distribution and discrete probability distribution (DPD) technique results in an unrealistically skewed distribution, with the mean value being more than two orders of magnitude higher than the median, and even slightly higher than the 90% confidence bound. This example demonstrates that the use of Bayesian techniques to incorporate "plant specificity" may not be meaningful in data bases this small. The deviations which are credited to plant specific differences could also be caused by random distributions of occurrences within the general population.

3.1.2.2 Steam Generator Tube Rupture

The point estimate for steam generator tube rupture (SGTR) was developed from actual operating data for Westinghouse reactors in the U.S. A review of available data on steam generator tube leaks found three SGTR events through early 1982. This represented a total of 212 reactor-years of operating experience. The point estimate value is essentially identical to the median value used in the PSS.

3.1.2.3 Steamline Breaks

The PSS apparently made an error in its selection of data for the steamline break events. The PSS states that one of the causes of steamline break inside containment is "...steam generator relief valve failures...". This is a reasonable statement since "inside containment" here refers to cases where the break path originates upstream of the main steam isolation valves, regardless of where the break ultimately discharges the steam. The concern is whether or not MSIV closure will terminate break flow, as opposed to where the steam actually goes. However, in the quantification of steamline break events, event #29 from EPRI NP-2330 (sudden opening of steam relief valves) was added to the steamline break outside containment category. This event logically belongs in the inside containment category, and it is the dominant contributor to the frequency of steamline breaks inside containment. The case of steamline break outside containment is dominated by large pipe breaks and would have a frequency identical to large LOCAs, which is consistent with assumptions made in previous PRAs.


3.1.2.4 Anticipated Transients

The discussion in Section 3.1.1 describes the regrouping of transient classes 7 through 12 into two classes representing the condition of the PCS following the initiator. Tables 3.1.2a and 3.1.2b show the point estimate frequency calculations for these two classes. The frequencies for the individual transient types were taken directly from EPRI NP-2330. The frequency of events which appear in both classes was split equally between the classes.

There is no significant difference between the total frequency of classes 7 through 12 from the PSS and the frequency of the two new classes developed here since the same basic data source was utilized for both.

3.1.2.5 Loss of Offsite Power

The Bayesian treatment of this event in the PSS is judged to be reasonable.

The historical frequency of LOSP events at the Millstone site (one event in thirteen years) cannot be statistically demonstrated to be significantly different from other sites in the region. On the other hand, there is sufficient evidence to suggest that the regional grid is a contributor to differences in LOSP frequency across the country. That is, statistical evidence shows that plant location (in a regional sense) does have an effect on LOSP frequency. Although it is by no means the only effect, it is one which has easily accessible data. The point estimate for the historical LOSP frequency for the nuclear sites in the Northeast Power Coordinating Council (from NUREG/CR-2815, the NREP Procedures Guide) is 0.3 LOSP events per year.

The value for LOSP used in the PSS is 0.11, substantially lower but not unreasonably so, and there appears to be evidence to support this number. The PSS, however, did not provide adequate justification for the use of this lower number.

The recovery of offsite power values developed in the PSS were also reviewed. This analysis utilized data specifically pertaining to facilities in the Northeast Power Coordinating Council. The PSS, however, did not include the 1976 event at Millstone Point which resulted in an extended loss of offsite power. They removed this event from the data base because they felt that improvements in switchyard design completely eliminated this specific failure mode. In addition, the length of the outage reported for this event is noted to be conservative, because offsite power was recovered earlier but the operators chose to stay on emergency power since it was available. The PSS values were compared with the recovery values developed for the same site during the Millstone 1 IREP study, which were taken directly from EPRI NP-2301, "Loss of Offsite Power in Nuclear Power Plants: Data and Analysis." Although the PSS values are somewhat more optimistic than the IREP values, they are surprisingly close, especially in the early time frame (less than a factor of two, reaching about a factor of 2 at two hours and about a factor of 5 at eight hours). Thus, the offsite power recovery values developed in the PSS were judged to be acceptable, with recognition of the fact that use of the EPRI/IREP values would affect the values of extended total station blackout sequences by factors of two to five.

3.1.2.6 Incore Instrument Tube Rupture

It is unclear how the PSS came up with its values for this event, other than a statement that the values are based on WASH-1400 and utilize the Bayesian techniques previously discussed. We performed a simple bounding calculation based on the assumption that each tube is a single pipe segment of less than 3-inch diameter and thus has a failure rate of 1E-9/hr (from WASH-1400). We estimated that there are approximately 40 such tubes. This results in a frequency for the tube rupture event of approximately 4E-4/year, which we will use as our point estimate value. This is the same as the PSS median value for this event.


3.1.2.7 Interfacing Systems LOCA (Event V)

The PSS determined that the frequency of event V is dominated by the RHR suction line valve failure and that injection line valve failure is not significant. This is logical since the injection lines contain three valves and the suction line only two. Both NUREG/CR-2787 (ANO-1 IREP) and NUREG/CR-2515 (Crystal River-3 Safety Study) concluded that these frequencies were small. The Crystal River study estimated that the frequency of event V was approximately 1E-9 per injection path for paths containing two check valves and a normally open motor operated valve which could be closed following initial blowdown. Using the same method as used in the Crystal River study, we performed a simple bounding calculation of a point estimate of event V in the RHR suction line at Millstone. Using a failure rate of 1E-7/hr for catastrophic internal leakage in a motor operated valve (from the NREP Procedures Guide), and assuming that the inboard valve must fail first before the outboard valve is exposed to high pressure, the frequency of event V is estimated to be:

(1E-7/hr * 8760 hr/yr) * (1E-7/hr * 1/2 yr * 8760 hr/yr) = 4E-7/year

As previously stated, the presence of an additional valve in the injection paths would make the contribution to event V from these other paths negligible. Thus our point estimate is based only on the RHR suction path.
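The two bounding calculations of Sections 3.1.2.6 and 3.1.2.7, as an added worked example in Python; this is not code from the original review. The function names are assumed, reading the "1/2 yr" term as half of a one-year test interval is an assumption of the example, and the extension of the valve argument to n valves in series is the example's own generalisation rather than a statement of the report.

```python
"""Bounding point estimates from Sections 3.1.2.6 and 3.1.2.7 of the review.

Added example, not code from the original report.  Assumptions: the
review's "1/2 yr" is read as the mean undetected exposure time of the
outboard valve under a one-year test interval, and the n-valve form is an
extension of the same sequential-failure argument, not something the
report states.
"""
import math

HOURS_PER_YEAR = 8760.0


def instrument_tube_rupture_frequency(n_tubes: int = 40,
                                      lambda_per_hr: float = 1e-9) -> float:
    """Section 3.1.2.6: each incore instrument tube is treated as one pipe
    segment of less than 3-inch diameter failing at 1E-9/hr (WASH-1400);
    about 40 such tubes give the per-year rupture frequency (about 4E-4)."""
    return n_tubes * lambda_per_hr * HOURS_PER_YEAR


def event_v_frequency(lambda_per_hr: float = 1e-7,
                      n_valves: int = 2,
                      test_interval_yr: float = 1.0) -> float:
    """Section 3.1.2.7: frequency (per reactor-year) that every isolation
    valve in series has failed, exposing the low-pressure RHR piping to
    RCS pressure.

    The inboard valve fails at rate lambda (catastrophic internal leakage,
    1E-7/hr from the NREP Procedures Guide).  Each further valve is only
    exposed once every valve inboard of it has failed, and that failure is
    assumed to stay undetected for half the test interval on average (the
    review's 1/2 yr).  The probability that the next valve fails inside
    that window is lambda * window.
    """
    if n_valves < 1:
        raise ValueError("at least one isolation valve is required")
    inboard_rate_per_yr = lambda_per_hr * HOURS_PER_YEAR
    exposure_window_hr = 0.5 * test_interval_yr * HOURS_PER_YEAR
    p_next_valve_fails = lambda_per_hr * exposure_window_hr
    # Two valves (RHR suction line) reproduce the review's 4E-7/yr; three
    # valves (injection lines) are smaller by another factor of
    # p_next_valve_fails, which is why the review calls them negligible.
    return inboard_rate_per_yr * p_next_valve_fails ** (n_valves - 1)


def orders_of_magnitude(mean: float, median: float) -> float:
    """log10 of the mean/median ratio.  The review objects that the PSS
    event V distribution (mean 1.9E-6, median 7.4E-9 in Table 3.1.3) has a
    ratio of more than two orders of magnitude."""
    return math.log10(mean / median)


if __name__ == "__main__":
    print(f"instrument tube rupture: {instrument_tube_rupture_frequency():.2e}/yr")
    print(f"event V, RHR suction (2 valves): {event_v_frequency():.2e}/yr")
    print(f"event V, injection path (3 valves): {event_v_frequency(n_valves=3):.2e}/yr")
    print(f"PSS event V mean/median: {orders_of_magnitude(1.9e-6, 7.4e-9):.2f} orders")
```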

The sophisticated treatment of this event in the PSS by the use of DPD arithmetic is not considered justified since it results in a remarkably skewed distribution for this event, as discussed in Section 3.1.2.1. Although this result is a consequence of the consistent application of the techniques utilized throughout the study, which were based on the NREP Procedures Guide, the result should have been recognized by the PSS study team as being unrealistic. This particular case is clearly an exception to the general rule governing the use of a loguniform distribution, and a distribution should have been found which had a lower mean/median ratio and which did not place the mean near the 90% confidence bound. This problem is particularly meaningful in this case since this event is the dominant contributor to the final risk results for internal events, so that the final risk curves for early fatalities have the same distribution as this event. Thus, the conclusions drawn from the risk curves are driven solely by the statistical technique utilized rather than the plant model itself; this fact alone argues for the rejection of the PSS distribution. It was replaced with the above calculated best estimate in our requantification.

3.1.3 Issues of Importance to the NRC

In their instructions for this review, the NRC listed certain issues which were of concern to them. They wanted to know in what way these issues were treated in the PSS. Some of those issues were either treated or should have been treated in the initiating event analysis. This section discusses those issues.

3.1.3.1 Issues Directly Included as Initiating Events

A number of the issues of concern were directly included in the analysis as initiating events. This was done in one of two ways. Some of the events became specific initiator classes. Other events were subsets of other initiator classes and were therefore included as contributors to those classes. Whenever a comment in parentheses refers to "now...", it means that the event in question has been regrouped into one of the two new initiator classes discussed in Section 3.1.1. The events which became initiator classes are:

Loss of DC Power
Loss of Instrument and Control Power
Steam Generator Tube Rupture
Loss of Service Water
Turbine Trip (now divided between Loss of PCS and PCS available)
Loss of Main Feed (now part of Loss of PCS)


The events which were subsets of another initiator class (and which class) are:

Loss of Component Cooling Water (Loss of Main Feed)
Reactor Coolant Pump Seal Failure (Small LOCA)
Boron Dilution (Core Power Excursion, now PCS available)
Excess Feedwater Flow (Primary/Secondary Power Mismatch, now Loss of PCS)
Loss of Instrument or Control Air (Turbine Trip, now Loss of PCS)

3.1.3.2 Loss of Component Cooling Water (CCW)

Although this event was treated as part of another initiator class, further discussion is warranted. The CCW system has been shown to be a significant dependency in previous PRAs because it usually serves to provide cooling to many key components and systems. At Millstone, however, the design is very different: first, Millstone has two CCW systems, one for the turbine plant (TPCCW) and one for the reactor plant (RPCCW); second, neither CCW system provides cooling to any safety related equipment. Unlike other designs, essential cooling to the safety related equipment is provided directly by the service water system without the use of an intermediate loop. The TPCCW cools a number of components in the secondary cycle, but no safety related equipment would fail due to loss of this system, so that this event has no effect worse than any loss of PCS event. The RPCCW likewise cools a number of components in the primary system, but also likewise, no safety related equipment would fail due to loss of this system. Therefore, this event has no effect worse than any PCS available event.

3.1.3.3 Multiple Instrument Tube LOCA Below Core Level

The PSS does not treat this event. It does treat the single tube LOCA as a special class of small LOCA. Since the small LOCA category ranges up to a two-inch equivalent diameter break, multiple breaks would still fall generally into the small LOCA class. However, no specific analysis was performed to determine if the behavior of multiple tube rupture events was essentially identical to the single tube events. This event has not been modeled in previous PRAs, and it is beyond the scope of this review to perform a detailed analysis of these types of events.

3.1.3.4 Pipe Breaks in the Auxiliary Building

This class of events, as well as pipe breaks in all other plant areas, was evaluated in the external events portion of the PSS in the analysis of internal flooding mechanisms. Our review of these events is discussed in Section 4 of this report.

3.1.3.5 Loss of Ventilation in the Auxiliary Building

Loss of ventilation events are not treated as initiators in the PSS. In general, previous PRAs have not considered these events as initiators. This approach is considered to be reasonable since ventilation losses to specific plant areas are not likely to result in plant trip and degradation of mitigating systems in ways not foreseen by other initiators. It is our judgement that the omission of this event as an initiator does not affect the study results.


Table 3.1.1 Internal Initiating Events for Millstone Unit 3

Event Class   Event Name
1             Large LOCA
2             Medium LOCA
3             Small LOCA
4             Steam Generator Tube Rupture
5             Steam Line Break Inside Containment
6             Steam Line Break Outside Containment
7             Loss of RCS Flow
8             Loss of Main Feedwater Flow
9             Primary to Secondary Power Mismatch
10            Turbine Trip
11            Reactor Trip
12            Core Power Excursion
13            Spurious Safety Injection
14            Loss of Offsite Power
15            Incore Instrument Tube Rupture
16            Special Large LOCA Initiators
              a. Interfacing Systems LOCA
              b. Catastrophic Reactor Vessel Rupture
17            Loss of a Single Service Water Train
18            Loss of a Single Vital DC Bus
19            Total Loss of Vital DC Power
20            Loss of Vital AC Bus 120-VAC-1 or 120-VAC-2
21            Loss of Vital AC Bus 120-VAC-3 or 120-VAC-4


Table 3.1.2a PCS Available Transients for Millstone Unit 3

EPRI NP-2330   Transient Name                                        Frequency
Event No.                                                            (per year)
1              Loss of RCS Flow                                      .39
2              Uncontrolled Rod Withdrawal                           .02
3              CRDM Problems and/or Rod Drop                         .65
4              Leakage From Control Rods                             .02
5              Leakage in Primary System                             .08
6              Low Pressurizer Pressure                              .03
7              Pressurizer Leakage                                   .01
8              High Pressurizer Pressure                             .03
11             CVCS Malfunction - Boron Dilution                     .04
12             Pressure/Temperature/Power Imbalance                  .16
13             Startup of Inactive Coolant Pump                      .00
14             Total Loss of RCS Flow                                .03
15             Loss or Reduction in Feedwater Flow (1 loop) (50%)    .94
17             Full or Partial Closure of MSIV (1 loop) (50%)        .12
19             Increase in Feedwater Flow (1 loop) (50%)             .35
23             Loss of Condensate Pump (1 loop) (50%)                .04
26             Steam Generator Leakage                               .04
27             Condenser Leakage                                     .05
28             Miscellaneous Leakage in Secondary Systems            .08
33             Turbine Trip, Throttle Valve Closure, EHC Problems    1.38
34             Generator Trip or Generator Caused Faults             .38
36             Pressurizer Spray Failure                             .04
37             Loss of Power to Necessary Plant Systems (50%)        .05
38             Spurious Trips - Cause Unknown                        .14
39             Automatic Trip - No Transient Condition               1.55
40             Manual Trip - No Transient Condition                  .62
               Total - PCS Available Transients                      7.24

Table 3.1.2b Loss of PCS Transients for Millstone Unit 3

EPRI NP-2330   Transient Name                                        Frequency
Event No.                                                            (per year)
10             Containment Pressure Problems                         .01
15             Loss or Reduction in Feedwater Flow (1 loop) (50%)    .94
16             Total Loss of Feedwater Flow (all loops)              .15
17             Full or Partial Closure of MSIV (1 loop) (50%)        .12
18             Closure of all MSIV                                   .03
19             Increase in Feedwater Flow (1 loop) (50%)             .35
20             Increase in Feedwater Flow (all loops)                .01
21             Feedwater Flow Instability - Operator Error           .15
22             Feedwater Flow Instability - Misc. Mechanical Causes  .21
23             Loss of Condensate Pump (1 loop) (50%)                .04
24             Loss of Condensate Pumps (all loops)                  .00
25             Loss of Condenser Vacuum                              .20
30             Loss of Circulating Water                             .06
31             Loss of Component Cooling                             .00
37             Loss of Power to Necessary Plant Systems              .05
               Total - Loss of PCS Transients                        2.32

Table 3.1.3 Internal Initiating Event Frequencies for Millstone Unit 3
(Frequencies in Events Per Reactor Year)

Event                                                PSS       PSS       Point        Point Est.
Class  Event Name                                    Mean      Median    Est.         Source
1      Large LOCA                                    3.88E-4   1.4E-4    1E-4         ANO-1 IREP
2      Medium LOCA                                   6.11E-4   2.56E-4   3E-4         ANO-1 IREP
3      Small LOCA                                    9.07E-3   2.33E-3   2E-2         ANO-1 IREP
4      Steam Generator Tube Rupture                  3.92E-2   1.33E-2   1.4E-2       Section 3.1.2.2
5      Steam Line Break Inside Containment           3.88E-4   1.4E-4    4E-2         Section 3.1.2.3
6      Steam Line Break Outside Containment          3.78E-2   1.4E-2    1E-4         EPRI NP-2330
7      Loss of RCS Flow                              4.91E-1   3.26E-1   (a)          Section 3.1.2.4
8      Loss of Main Feedwater Flow                   7.29E-1   4.77E-1   (a)          Section 3.1.2.4
9      Primary to Secondary Power Mismatch           3.83      2.53      (a)          Section 3.1.2.4
10     Turbine Trip                                  2.33      1.99      (a)          Section 3.1.2.4
11     Reactor Trip                                  3.03      2.32      (a)          Section 3.1.2.4
12     Core Power Excursion                          7.18E-2   3.17E-2   (a)          Section 3.1.2.4
13     Spurious Safety Injection                     4.99E-2   1.83E-2   6E-3         EPRI NP-2330
14     Loss of Offsite Power                         1.1E-1    9.23E-2   3E-1         Section 3.1.2.5
15     Incore Instrument Tube Rupture                9.2E-4    4.37E-4   4E-4         Section 3.1.2.6
16     Special Large LOCA Initiators
       a. Interfacing Systems LOCA                   1.9E-6    7.4E-9    4E-7         Section 3.1.2.7
       b. Catastrophic Reactor Vessel Rupture        3E-7      (illegible) 1E-7       WASH-1400
17     Loss of a Single Service Water Train          1.27E-2   7.23E-3   1E-2         EPRI NP-2330
18     Loss of a Single Vital DC Bus                 3.91E-3   2.79E-3   1.8E-2       ANO-1 IREP
19     Total Loss of Vital DC Power                  1.4E-8    9.91E-9   (illegible)  ANO-1 IREP
20     Loss of Vital AC Bus 120-VAC-1 or 120-VAC-2   6.15E-2   1.72E-2   3.5E-2       ANO-1 IREP
21     Loss of Vital AC Bus 120-VAC-3 or 120-VAC-4   6.15E-2   1.72E-2   3.5E-2       ANO-1 IREP

(a) Classes 7 through 12 are regrouped for this review into PCS Available Transients (point estimate 7.24, Table 3.1.2a) and Loss of PCS Transients (point estimate 2.32, Table 3.1.2b).

3.2 EVENT TREES

The MP3 PSS constructed 22 event trees to represent plant response to the initiators discussed in Section 3.1. We have reviewed these trees to determine if they are a reasonable representation of that response. The assumptions which went into the tree construction were compared to assumptions used in previously performed PRAs. Where there were notable differences, these differences were evaluated to determine if they were reasonable. Each of these differences is discussed in this section. Additionally, a number of issues of specific interest to the NRC were also examined.

3.2.1 General Event Tree Findings

This section presents the results of our evaluation for items which pertain to more than one event tree.

3.2.1.1 Treatment of Operator Action

The event trees were constructed by including major operator actions as events on the trees. The inclusion of these actions for the purpose of crediting successful operator response to the mitigation of accident conditions was performed in a consistent and correct manner. However, the possibility of erroneous operator action due to incorrect interpretation of plant conditions was not treated. In particular, this pertains to the operator performing one of the major actions modeled during a sequence of events when the operator action is not required. Since these actions are called for in procedures, it certainly seems to be possible for this type of error to occur. For most of the operator actions modeled, this is not a problem since they involve backup methods of performing safety functions. Performing these actions when they are not required would not degrade performance of the function. However, there are two actions which involve shutting down or reducing flow from safety systems. Performing these actions at the improper time could result in a situation where there is insufficient core cooling. Thus, it was considered necessary to include two additional actions on the event trees.


o Operator Action OA-2-E, Improper Throttling of HPI: The operator has determined that he can conserve RWST inventory by reducing HPI flow. In performing this action he does not correctly determine how far he can throttle HPI, and he throttles it back too far, resulting in insufficient injection flow. He fails to notice this in time and thus does not recover his error, resulting in core melt. He also overrides quench spray actuation to further conserve RWST inventory, resulting in the sprays being unavailable. This error is applicable to Small LOCA and Incore Instrument Tube Rupture events. The event trees have been modified to incorporate this new event. Figures 3.2-1 and 3.2-2 show the original trees from the PSS, and Figures 3.2-3 and 3.2-4 show the revised trees.

o Operator Action OA-6-E, Erroneous Shutdown of HPI: The operator believes that a Spurious Safety Injection event has occurred and that auxiliary feedwater is operating. Following procedure, he shuts down the HPI system. He fails to notice his error in time and a core melt results. This event applies to the Spurious SI and Steamline Break (inside or outside containment) events when auxiliary feedwater has failed, and also to a misdiagnosis of Small LOCA, Incore Instrument Tube Rupture, and Steam Generator Tube Rupture events. The event trees for these five initiators have been modified to incorporate this new event. These are shown, respectively, in Figures 3.2-10, 3.2-6, 3.2-3, 3.2-4 and 3.2-5.


3.2.1.2 Use of Secondary Depressurization

The Millstone 3 PSS assumes that it is possible to provide safety injection during small and medium sized LOCA events when HPI is unavailable by depressurizing the secondary and using Low Pressure Injection (Event OA-1).

The phenomenology assumed is that by opening the secondary atmospheric relief valves, the increased heat removal rate will depressurize the primary sufficiently to allow the accumulators to inject, which will reduce pressure further until it is below the RHR pump discharge shutoff head. This method has not been credited in previous PRAs. However, calculations by Westinghouse published in WCAP-9754 have shown that this method will work, and they have included instructions on performing it in the Emergency Procedure Guidelines for this type of plant. This technique is considered viable, and we have no reason to believe that the Westinghouse calculations are incorrect. Thus, credit for this scenario is assumed to be justified.

3.2.1.3 Availability of the Power Conversion System

No credit is taken in the PSS for cooldown following plant trip using the Power Conversion System (PCS)*. The assumption made is that whenever a plant trip occurs, the PCS will be caused to trip. Previous PRAs have determined that for some transients, the PCS will be available to provide the necessary cooling. Discussions with Millstone 3 operations personnel have verified that the PCS will often be available following plant trip. Not taking credit for this capability is a conservative assumption which will result in an overestimation of risk for those transients which do not affect secondary systems operation. A revised transient event tree is shown in Figure 3.2-7 to represent plant response to transients where the PCS remains available. The transients which fall into this class were discussed in Section 3.1.

The loss of feedwater event tree from the PSS shown in Figure 3.2-8 can be used to evaluate the loss of PCS events. This tree would be used not only to evaluate the event class referred to as loss of PCS, but also all other transient event classes which result in loss of PCS. In this case, these would be all of the other transient events included in the study (e.g., loss of offsite power, loss of service water, loss of an electrical bus, etc.).

* The power conversion system is defined as the main steam, turbine or turbine bypass, main condenser, condensate, and feedwater systems operating at sufficient capacity to remove primary heat.

3.2.1.4 Containment Spray Recirculation

The PSS does not consider that core melt may result from the failure to provide containment cooling during recirculation. Previous PRAs have assumed that even when core recirculation cooling is provided, in many cases it is still necessary to provide containment spray recirculation (CSR) in order to prevent containment overpressure failure. The failure of the containment in this way would result in recirculation sump steam flashing with associated cavitation and failure of all recirculation pumps, resulting in core melt.

The PSS assumes that core recirculation alone is sufficient to prevent the addition of heat (i.e., steam) to the containment in amounts significant enough to cause containment rupture. This assumption was initially considered unjustified for sequences where all the heat is dumped to the containment prior to being transferred to the ultimate heat sink. However, NUSCO provided the reviewers with additional MARCH 1.1 calculations in response to questions about this scenario. These calculations showed that containment pressure would not exceed design for at least 30 hours for both large and small LOCAs with core recirculation and no sprays at all. The calculations were considered to provide adequate justification for the assumption, and no changes were made to the event trees.

3.2.1.5 Primary Bleed and Feed (Once Through) Cooling

In scenarios where auxiliary feedwater is needed for heat removal but is unavailable, the PSS considers providing the necessary cooling by opening the primary power operated relief valves (PORVs) and using high pressure injection pumps to supply sufficient cooling flow to the core. This technique, referred to as bleed and feed, or once through cooling, has been determined to be a reasonable cooling method for certain PWRs. It has been shown not to apply in every case. In the case of Millstone 3 class plants, Westinghouse has performed analysis which shows this method to be viable. The analysis has been published in WCAP-9744. Westinghouse has included bleed and feed in the Emergency Procedure Guidelines for implementation in the plant procedures. It is concluded that the credit taken in the Millstone 3 event trees for this cooling method (OA-3 for small LOCAs and steamline breaks, OA-7 for transients) is appropriate.


3.2.1.6 Conservation of RWST Inventory

For small LOCAs and incore instrument tube rupture initiators, the PSS takes credit for the operator taking action to conserve RWST inventory when both high pressure injection and auxiliary feedwater are available, thus extending the injection phase of the accident. This action, referred to as Controlled Primary Depressurization (OA-2), has the operator throttling back HPI in conjunction with depressurizing the secondary, which will reduce break flow and therefore the need for HPI flow. Further, the operator will act to shut down quench spray to further conserve RWST inventory. The combination of these two actions is assumed in the PSS to allow the cooldown of the core without the need for recirculation.

This action has not been credited in previous PRAs, and appears to be a somewhat optimistic view of the scenario. While the break flow is reduced, it is not apparent that the break flow can be terminated by this means. Therefore, although the injection phase can be extended, the need for recirculation is not completely eliminated. This is especially true of the instrument tube rupture event, which would logically be expected to be below the core level so that it would be impossible to stop the break flow. At some point, the RWST will be depleted and recirculation will be required to replenish the continued leakage from the break. The utility supplied additional information regarding this scenario, but it is insufficient to justify the sequence. The only information provided is an emergency procedure guideline (EPG) which instructs the operator on how to perform this action.

The procedure by which this action is performed is very complex, and the EPG contains a number of caveats which indicate that there is no guarantee that recirculation can be avoided. Specifically, the EPG instructs the operator to abandon this procedure and switch immediately to recirculation if the RWST level reaches a certain point. It also instructs the operator to return to the LOCA procedure if certain conditions are not met. No calculations were referenced which support the time frames specified by the utility regarding the extension of the injection phase beyond 24 hours. Thus, it is considered that the only credit which is justified for this action is an extension of the time available for other operator actions and recovery actions. Therefore, the applicable trees, which are shown in Figures 3.2-3 and 3.2-4, have been modified to reflect the eventual need for recirculation during these event sequences.

3.2.2 Specific Event Tree Findings

This section presents review results applicable only to specific event trees.

3.2.2.1 Steamline Breaks (Inside or Outside Containment)

For steamline breaks, the PSS assumes that the failure of main steam isolation (MSI) results in the failure of auxiliary feedwater. The basis for this assumption is unclear, and there seems to be no reasonable explanation for it. In most previous PRAs, main steam isolation has not been assumed to have any effect on the availability of safety systems and was considered only as a key part of the containment isolation system. In the case of auxiliary feedwater, the worst one could assume is that the failure of MSI could affect the availability of the steam turbine-driven AFW pump due to steam diversion, although this would be unlikely since very little steam is required to operate this pump. Specifically, for the most likely break, a stuck open secondary steam relief valve, the flow diversion would be small enough that the steam supply to the turbine would still be sufficient to provide the required feedwater flow regardless of the state of MSI. For the less likely case of a major rupture in the steam line, the turbine-driven pump would definitely fail if none of the steam generators were isolated from the break. In either case, the ability of the motor-driven pumps to supply water to the steam generators would not reasonably be expected to be affected at all. As long as water is supplied in sufficient amounts, cooling will be established regardless of main steam isolation. This assumption is conservative and unjustified. The steamline break trees shown in Figure 3.2-6 have been modified to reflect this judgement.


3.2.2.2 Steam Generator Tube Rupture (SGTR)

The PSS gives credit for three alternate methods of cooling following SGTR if either high pressure injection or auxiliary feedwater is unavailable. Each of these methods requires operator action. When auxiliary feedwater is unavailable, the necessary cooling is provided by initiating bleed and feed cooling as discussed in Section 3.2.1.5. When HPI is unavailable, it is necessary to find alternate means of maintaining primary inventory while AFW is utilized for heat removal. One way to do this is to prevent inventory loss, as opposed to replenishing lost inventory. The PSS assumed this could be accomplished in one of two ways. The preferred method is to use secondary depressurization to reduce the primary pressure to below that of the secondary in order to terminate the break flow (OA-4). Failing that, the primary could be depressurized directly by opening a PORV (OA-5), with the same overall effect. The key to the use of these methods is performing the action quickly enough so that the break flow is terminated prior to core uncovery, thus eliminating the need to replenish inventory. If this is accomplished, cooling can be performed by auxiliary feedwater through the unaffected steam generators. These methods have been analyzed by Westinghouse and found to be viable, and they have been included in the Emergency Procedure Guidelines. The credit given to these procedures in the event tree is considered to be reasonable and justified.

Another assumption the PSS makes is that if HPI and AFW are both available following a SGTR event, the event is terminated successfully without further action. This does not seem reasonable, since the primary would be kept at high pressure by the HPI pumps, and water would continuously be pumped out of the RCS and into the steam generator. Eventually, the RWST would empty with the RCS still at high pressure and no recirculation available. It seems that some additional operator action is required to gain control of the scenario following the start of HPI and AFW. Discussions with plant personnel indicated their agreement that some operator action is required. The emergency procedure guideline for this event instructs the operator to reduce pressure and terminate HPI flow. It does not imply that this is required to prevent core melt, but is intended rather to reduce the release of primary coolant (and thus radioactivity) through the secondary. The reviewers, however, consider this action to be ultimately required to prevent core melt due to pumping the entire contents of the RWST out of the containment. A new operator action has been defined to cover this case as described below.

o Operator Action OA-10, SGTR - Control HP Flow: The operator takes manual control of the HPI flow, throttling it down to reduce the primary pressure to below the secondary pressure. When primary pressure is below secondary pressure, he terminates HPI. Note: This action is similar to OA-2, and therefore it is similarly accompanied by OA-10-E, where the operator overthrottles HPI, resulting in insufficient inventory.

The SGTR tree shown in Figure 3.2-5 has been modified to include this action.

3.2.2.3 Large LOCA

The PSS assumes that high pressure injection (HPI) is sufficient to provide coolant injection for the large LOCA event. Previous PRAs have usually assumed that the HPI system is not capable of supplying this function for large breaks. Part of the reason is that these systems are usually not sized to provide the amounts of flow required to replenish the coolant lost during large LOCAs. This, however, is only a secondary concern. The major concern is that the HPI pumps are designed to provide flow against relatively high pressure. They utilize a lot of power to produce the required head. When a pump of this type pumps against minimal or no head, as is the case for a large LOCA, the power which usually goes to overcoming the pressure at the pump discharge is converted to greatly increased flow. The tendency in this case is for the pump speed to increase, due to the decreased resistance, beyond the point at which the pump is still capable of drawing sufficient amounts of water through the suction lines. At this point, pump cavitation would occur and the pump would trip on low suction pressure or overspeed. If pump trips are not provided, the pumps would be destroyed. In either case, the pumps would not be able to provide coolant to the RCS. There is no reason to believe that the Millstone pumps are immune to this phenomenon, and the assumption that HPI could supply injection during large LOCAs is not justified. The event tree shown in Figure 3.2-1 has been modified to reflect this judgement.

In addition, the original event tree showed a decision point for event R-1, low pressure recirculation cooling, in sequences where no injection cooling was available. Due to the design of this plant, it is possible for this to occur. However, this does not change the outcome of the event, as can be seen on the tree. Regardless of the state of R-1, an early core melt still occurs. Although the presence of this decision point on the tree does not impact the results of the study, it has been removed from our modified tree because it is meaningless.

3.2.2.4 Spurious Safety Injection

The use of operator action OA-7, primary bleed and feed, is incorrect on this tree. While bleed and feed cooling is valid for this event, OA-7 includes the unavailability of HPI in its unavailability value. The initiating event itself implies that HPI is already operating. Further, the other events on the tree, such as OA-6, assume that HPI is already operating. Thus, the proper event to use on the tree would be operator action OA-3, primary bleed. This would serve to establish bleed and feed cooling. The modified event tree is shown in Figure 3.2-10.

3.2.2.5 Anticipated Transients Without Scram (ATWS)

In the sequences where the initial power level is less than 25%, or the moderator temperature coefficient is more negative than -5 pcm/°F, and auxiliary feedwater is unavailable, the PSS assumes that it is possible to effect reactor shutdown and cooling by using emergency boration with PORVs locked open. This action would provide boration to shut down the reactor simultaneously with bleed and feed cooling. This method has not been considered in other PRAs, and appears questionable. Neither the amount of coolant that can be pumped in under the conditions which would be present nor the amount of time required to effect the shutdown is defined. This assumption takes an inordinately large amount of credit for the ability of HPI to provide flow at reactor pressure. It would seem that only the charging pumps would be capable of pumping anything at all, as the pressure should be too high for the safety injection pumps. Also, there would be much greater amounts of heat to be removed through the PORVs with makeup flow than for a normal bleed and feed scenario. It is not clear just how this heat can be removed and the reactor shut down under these conditions without assistance from the auxiliary feedwater system. Due to these considerations, the assumption made in the PSS is judged to be optimistic and the credit unjustified. Accordingly, the ATWS event tree shown in Figure 3.2-11 has been modified to remove credit for this scenario.

3.2.3 Issues of Importance to the NRC

In their instructions for this review, the NRC listed certain issues which were of concern to them. They wanted to know how these issues were treated in the PSS. This section discusses those issues which affect the event tree analysis.

3.2.3.1 Recirculation Pump Seal Failure During Station Blackout

This event is explicitly considered on the loss of offsite power event tree for support state 7. It is included in the frequency of consequential S2 LOCA, and the failure probability has different values related to the length of the blackout: for less than one hour P(S2) = .0858, from one to two hours P(S2) = .164, and for greater than two hours P(S2) = 1.0.* In the PSS section on recovery, credit is taken for the capability of the seals to hold out even longer, such that the probability of core uncovery in under 8.5 hours is only 2 percent (P(S2) = .02). The method of treating this event is considered satisfactory; however, the review of the quantification indicates that the values used are optimistic. The PSS obtained the initial values by applying the standard exponential failure rate equation, using a failure rate obtained from a Westinghouse internal letter. This information was not available to us, but the results obtained contradict the present NRC position on RCP seal failures, which is that Westinghouse tests performed through June 1983 have failed to confirm the ability of the seals to survive, although they agree that there is insufficient information for a final judgement. The method utilized in the PSS to justify the 6.5 hour number appears inappropriate and arbitrary. It is stated in the PSS that 8 incidents of loss of seal cooling ranging in duration from 2 minutes to 65 minutes have occurred at operating nuclear plants without a seal failure. This is said to represent 66 O-ring hours without a failure. They also include tests on main loop stop valve O-rings, which they say are sufficiently similar, to bring the total to 186 O-ring hours without failure.

* The PSS calculated other numbers in addition to these, including a probability for the time period out to four hours. However, the values shown here were actually used in the initial quantification.

This treatment is considered to be completely unjustified. First, the inclusion of the stop valve O-ring experience is unfounded. These O-rings and their application are similar only in that they see the same temperature and pressure and are nominally of the same material. This is insufficient justification for including them in the data base. Second, describing the RCP O-ring data as "66 hours without a failure" is simply wrong. This implies that data for three O-rings without cooling for one hour each is the same as data for one O-ring without cooling for three hours. This treatment is then used to justify a distribution which will be used to quantify failure of O-rings due to continuous loss of cooling. Since the whole problem of seal failure is based on continued exposure to heat and pressure without cooling, this type of analysis cannot be used. The fact is, no seal has survived such exposure for longer than 65 minutes without failure, and there is no reason to believe that it is possible for a seal to survive for as long as 2 hours without failure.

The probability of seal failure in the 1 to 2 hour time frame should be considered as certainty (P(S2) = 1.0). Thus, a LOCA will occur if offsite power is not recovered after one hour without cooling. However, it is believed justified that core melt can be averted if power is recovered and HPI restored within two hours. This essentially eliminates sequence #11 on the Loss of Offsite Power (Support State 7) event tree (see Figure 3.2-9) since its probability goes to zero. This leaves the problem of determining a value to use for the probability of seal failure in the first hour. Utilizing the Chi-squared zero failure technique used in IREP (see e.g., Millstone 1 IREP, NUREG/CR-3085, Chapter 4), it can be stated that the value lies somewhere between the zero failure value based on 8 trials (the number of loss of cooling events) and the value based on 1 trial (the number of events actually lasting 1 hour). These values are:

P(S2(8)) = ((1/8)*1.386)/2 = .09 and
P(S2(1)) = ((1/1)*1.386)/2 = .7

For the purpose of the simplified requantification contained in this review, a simple average of these two numbers is taken to represent a reasonable approximation of the probability of seal failure in the first hour of loss of cooling, i.e., P(S2) = .4.
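The three quantitative points made in this section (the PSS exponential fit for seal failure, the reviewers' chi-squared zero-failure bounds, and the objection to pooling "O-ring hours" across seals) can be checked numerically. The following script is an added worked example prepared for this edited summary; it is not part of the PSS, the LLNL review, or any NRC code. It uses only the Python standard library. The observation that the PSS two-hour value follows from its one-hour value under a constant failure rate is computed, not stated in the review. The Weibull scale (10 h) and shape (2) used to illustrate the pooling objection are arbitrary assumptions chosen to show the effect, not seal data.

```python
"""Worked check of the RCP seal-failure numbers discussed in Section 3.2.3.1.

Added example, not part of the PSS or the review. Standard library only.
The Weibull parameters used for the pooling illustration are assumptions.
"""
import math

# --- PSS treatment: constant hazard (exponential failure-rate equation) ----

def failure_prob(rate_per_hour: float, hours: float) -> float:
    """P(failure within t) for a constant failure rate: 1 - exp(-lambda t)."""
    return 1.0 - math.exp(-rate_per_hour * hours)


def rate_from_prob(prob: float, hours: float) -> float:
    """Invert failure_prob: lambda = -ln(1 - P) / t."""
    return -math.log(1.0 - prob) / hours


PSS_P_UNDER_1H = 0.0858   # PSS value, blackout shorter than one hour
PSS_P_UNDER_2H = 0.164    # PSS value, blackout of one to two hours


def pss_implied_rate() -> float:
    """Constant rate implied by the PSS one-hour value (about 0.09 per hour).

    Feeding this rate back into failure_prob for two hours reproduces the PSS
    two-hour value, which confirms the PSS used the exponential model.
    """
    return rate_from_prob(PSS_P_UNDER_1H, 1.0)


# --- Review treatment: chi-squared zero-failure estimate (IREP method) -------
# With zero failures in n trials the estimate is chi2(50%, 2 dof) / (2 n).
# A chi-squared variable with 2 degrees of freedom is exponential with mean 2,
# so its median is exactly 2 ln 2 = 1.386, the constant used in the review.
CHI2_50_2DOF = 2.0 * math.log(2.0)


def zero_failure_estimate(trials: int) -> float:
    """Zero-failure probability estimate for the given number of trials."""
    return CHI2_50_2DOF / (2.0 * trials)


def review_first_hour_estimate() -> float:
    """Simple average of the 8-trial and 1-trial estimates, as the review does."""
    return 0.5 * (zero_failure_estimate(8) + zero_failure_estimate(1))


# --- Why pooled "O-ring hours" are not a valid survival argument ---------------
# Adding up exposure hours across seals is equivalent to one long exposure only
# when the hazard rate is constant (Weibull shape 1). With a wear-out hazard
# (shape > 1), three seals surviving one hour each is weaker evidence than one
# seal surviving three hours, which is the review's point.

def weibull_survival(hours: float, scale: float, shape: float) -> float:
    """Weibull survival S(t) = exp(-(t/eta)^beta); beta > 1 models wear-out."""
    return math.exp(-((hours / scale) ** shape))


def pooled_vs_continuous(seals: int, hours_each: float,
                         scale: float, shape: float):
    """Return (P all seals survive hours_each, P one seal survives the total)."""
    pooled = weibull_survival(hours_each, scale, shape) ** seals
    continuous = weibull_survival(seals * hours_each, scale, shape)
    return pooled, continuous


if __name__ == "__main__":
    lam = pss_implied_rate()
    print(f"PSS implied seal failure rate: {lam:.4f} /h")
    print(f"  P(<2h) from that rate: {failure_prob(lam, 2.0):.3f}"
          f" (PSS used {PSS_P_UNDER_2H})")
    print(f"Zero-failure estimate, 8 trials: {zero_failure_estimate(8):.2f}")
    print(f"Zero-failure estimate, 1 trial:  {zero_failure_estimate(1):.2f}")
    print(f"Review first-hour estimate:      {review_first_hour_estimate():.1f}")
    for beta in (1.0, 2.0):   # assumed shapes; scale 10 h is also assumed
        pooled, cont = pooled_vs_continuous(3, 1.0, 10.0, beta)
        print(f"Weibull shape {beta}: 3 seals x 1 h -> {pooled:.4f}, "
              f"1 seal x 3 h -> {cont:.4f}")
```

Running the script reproduces the review's .09, .7 and .4, shows that the PSS .0858 and .164 are the one- and two-hour points of a single exponential with a rate near 0.09 per hour, and shows that the pooled and continuous survival probabilities coincide only for the constant-hazard case.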

3.2.3.2 Depletion of DC Batteries During Station Blackout

This event is included implicitly in the loss of offsite power event tree for support state 7. For events where the blackout lasts longer than two hours, a core melt is assumed. However, recovery of quench spray is considered as a means of reducing consequences. This recovery is limited to the time period from two to eight hours, which corresponds to the estimated eight hour lifetime of DC batteries. Limiting the recovery of quench spray to eight hours therefore implicitly deals with the depletion of DC batteries in that time frame.

3.2.3.3 Pressurized Thermal Shock

The PSS does not deal explicitly with the issue of pressurized thermal shock, although sequences resulting in this event are included in the event trees. For example, sequence #2 on the spurious safety injection and steamline break (inside and outside containment) trees, where the operator fails to control HPI (OA-6), is a pressurized thermal shock event. The PSS considers these sequences to be "success" and does not carry the analysis any further. Since the sequences exist, it is possible to calculate the frequency of PTS from these trees. However, the probability of core melt given PTS is not straightforward, and is not described in the PSS. It is beyond the scope of this review to attempt to determine this probability, so that only the frequency of PTS events can be determined from the PSS and not the frequency of PTS induced core melt.

3.2.3.4 Steam Generator Tube Rupture (SGTR) With Stuck Open Secondary Steam Relief Valves (SRVs)

This event is modeled directly on the SGTR event tree as the steam leak event. It explicitly models instances where the occurrence of a steam leak precludes preventing core melt. Also, in sequences where a core melt would occur regardless of the presence of a steam leak, the tree differentiates in the plant damage state. A core melt in conjunction with a steam leak will always result in an interfacing systems LOCA plant damage state, whereas without a steam leak the result will be either a transient or small LOCA plant damage state.

3.2.3.5 Anticipated Transients Without Scram (ATWS)

The analysis of ATWS is handled explicitly on its own event tree as a consequential event following each of the initiator classes. Each of the event trees for the various initiators has a branch for failure to scram which transfers to the ATWS tree.

3.2.3.6 Stuck Open Primary Safety/Relief Valve (S/RV)

The stuck open S/RV is dealt with explicitly on each non-LOCA event tree. It is included in the frequency calculation of consequential S2 LOCA and results in a transfer to the small LOCA event tree whenever this branch occurs. The PSS uses a value of 3E-5 for the occurrence of this event. This value is based on three factors: (a) that the valves are demanded, (b) that at least one valve sticks open, and (c) that the operator fails to recover by closing the appropriate PORV block valve. The values used for these parameters have been reviewed and found to be reasonable, thus the ultimate value used is valid except for ATWS and total loss of all feedwater. In those situations, the only way to prevent core melt is to utilize bleed and feed, which would require the PORVs to be open anyway. The treatment of ATWS pressure relief on the ATWS tree, while being somewhat out of sequence, adequately represents the overall scenario of concern, and thus no overall improvement in the answer would be attained through further modifications to the tree.

[Figures 3.2-1 through 3.2-11 are event tree diagrams that did not survive text extraction; only their titles are recoverable. Titles identified from the residue and from the references in Section 3.2:]

Figure 3.2-1 Large LOCA Event Tree
Figure 3.2-2 Medium LOCA Event Tree
Figure 3.2-3 Small LOCA Event Tree
Figure 3.2-4 Incore Instrument Tube Rupture Event Tree
Figure 3.2-5 Steam Generator Tube Rupture Event Tree
Figure 3.2-6 Steamline Break Event Trees (Inside and Outside Containment)
Figure 3.2-7 (title not legible)
Figure 3.2-8 Loss of Offsite Power Event Tree (support state not legible)
Figure 3.2-9 Loss of Offsite Power (Support State 7) Event Tree (sequence end states legible in the residue: SUCCESS, SL, SLC, SE, SEC, TE, TEC, IE, IEC)
Figure 3.2-10 Spurious Safety Injection Event Tree
Figure 3.2-11 Anticipated Transients Without Scram Event Tree

3.3 SUCCESS CRITERIA

The success criteria used in the PSS for the functions of Emergency Core Cooling Early, Emergency Core Cooling Late, and Containment Heat Removal are shown in Table 3.3.1. Review of these criteria determined that they are for the most part reasonable. Where criteria used differed from criteria used in the past for similar reactors, examination of the bases of the criteria was undertaken to determine if they were valid. Some of these were discussed in the section on event trees (Section 3.2). A summary of our findings for each function evaluated is given below.

3.3.1 Emergency Core Cooling Early

3.3.1.1 High Pressure Injection During Large LOCA

The PSS assumes that HPI can be utilized for this function during large LOCA events. This is not consistent with previous PRAs and it is not considered justified for the reasons discussed in Section 3.2.2.3.

3.3.1.2 High Pressure Injection During Medium LOCAs

The PSS assumes that any one-out-of-four HPSI pumps is capable of providing this function during medium LOCA events. Previous PRAs for plants of this type have assumed that one-out-of-two charging pumps AND one-out-of-two safety injection pumps are required for this function, based on analysis provided in plant FSARs. Plant specific calculations performed by Westinghouse and documented in calculation number CN-PRA-83-022 determined that any one-out-of-four pumps is sufficient. The calculation appears to be reasonable in removing excess conservatisms in the analysis codes used for FSAR calculations. The PSS assumption is therefore considered reasonable and acceptable.


3.3.1.3 High Pressure Injection During Small LOCAs

The PSS assumes that any one-out-of-four HPSI pumps is capable of providing this function during small LOCA events. Based on the discussion above, it seems reasonable on the surface that if this is true of the medium break, it should also be true of the small break. However, this does not account for the slower pressure drop for these breaks, which may keep the RCS pressure above the safety injection pump shutoff head. The PSS alludes to this by mentioning that for some small breaks the operator may have to depressurize using a PORV if only a safety injection pump is available. However, the PSS does not deal with this problem. In order to remove this optimistic assumption, it has been assumed that one-out-of-two charging pumps is sufficient but that one-out-of-two safety injection pumps is valid only in combination with one-out-of-two PORVs.

3.3.1.4 Secondary Depressurization and Low Pressure Injection

On Table 3.3.1 for medium LOCA, small LOCA, and incore instrument tube rupture events, success criteria (b), (c), and (c) respectively refer to the use of secondary depressurization to reduce primary pressure. This is intended to allow the use of low pressure injection cooling in sequences that would otherwise require high pressure injection. Although inconsistent with previous PRAs, these criteria are based on improved analysis and appear to be reasonable. Our reasoning is discussed in Section 3.2.1.2.

3.3.1.5 Bleed and Feed Cooling

The PSS assumes that bleed and feed cooling can be utilized for small LOCAs, incore instrument tube rupture, steam generator tube rupture, steamline breaks, and transients. This is represented by criterion (b) on Table 3.3.1 for each of these initiators. The success criteria presented appear to be reasonable. Our reasoning is discussed in Section 3.2.1.5.


3.3.1.6 Primary Depressurization for Steam Generator Tube Rupture

Success criteria (c) and (a) on Table 3.3.1 for the SGTR initiator represent the PSS assumption that it is possible to depressurize the primary rapidly enough during this event to terminate break flow prior to core uncovery. This allows the use of auxiliary feedwater alone to provide the required core cooling. This scenario has not been credited in previous PRAs, but there is sufficient justification to accept the success criteria presented. Our reasoning is discussed in Section 3.2.2.2.

3.3.1.7 Main Steam Isolation During Steamline Breaks

The PSS assumes that main steam isolation is required during steamline break events in order for auxiliary feedwater to function. This assumption is conservative for the reasons discussed in Section 3.2.2.1. Isolation is not required.

3.3.1.8 Power Conversion System During Transients

The PSS assumes that the power conversion system is never available to provide cooling during transients. This assumption is conservative for the reasons discussed in Section 3.2.1.3. The PCS should be included as a valid success criterion.

3.3.2 Emergency Core Cooling Late

The success criteria for this function are reasonable and consistent with the plant FSAR and the corresponding early cooling success criteria, with one exception. The PSS assumes that it is possible to avoid recirculation for small LOCAs and incore instrument tube ruptures by conserving RWST inventory. This is represented on Table 3.3.2 by late success criteria (a) and (c), respectively. These criteria allow late cooling to be provided by injection in the same manner as early cooling. These criteria are considered unjustified for the reasons discussed in Section 3.2.1.6.

3.3.3 Containment Heat Removal

The success criteria for this function are reasonably consistent with the plant FSAR and previous PRAs.

3.3.4 Revised Success Criteria

The revised success criteria shown in Table 3.3.2 are based on the discussions above. These criteria are used for the requantification of the dominant core melt sequences.


[Table 3.3.1: Millstone 3 PSS success criteria by initiator (large, medium and small LOCA; steam generator tube rupture; incore instrument tube rupture; steamline breaks; transients) for each safety function (early core cooling, late core cooling, containment heat removal). The table is handwritten in the source and its entries are not recoverable from the scan.]

[Table 3.3.2: Revised success criteria, same initiators and safety functions as Table 3.3.1. The table is handwritten in the source and its entries are not recoverable from the scan.]

3.4 Systems

This section provides the results of our review of system descriptions and system fault trees in the Millstone 3 PSS. The system descriptions were reviewed with regard to whether the information provided enabled us to verify the fault tree analysis and system success criteria. The fault trees were reviewed with regard to their accuracy, validity and completeness in quantifying accident sequences.

There are 16 systems for which fault trees were used in the Millstone 3 PSS. These systems and the system failure probabilities for the total system and redundant trains within the system under Support State 1 are provided in Table 3.4-1. The fault trees and descriptions of associated systems were provided in Volumes 4 and 5 (Section 2.3) of the PSS. The fault tree for the vital dc system was included in Appendix 1-E of Volume 1.

Our review concentrates on those systems that provide important support functions and those systems that were involved in high risk accident sequences. In this regard, the following systems were found to be of particular importance:

  Main Electrical
  Vital AC
  ESF Actuation
  Emergency Generator Load Sequencer
  Auxiliary Feedwater
  Quench Spray
  Service Water

A system-specific review is provided in each of the 16 subsections below. These subsections are divided into three parts. The first part provides a system description based on the system descriptions in the PSS and the Millstone 3 FSAR. The second part discusses the system fault tree in light of the system description. Particular attention is given to the treatment of test and maintenance, human errors and common cause failures.


Table 3.4-1 RESULTS OF THE SYSTEM FAULT TREE ANALYSIS

    System                               Unavailability (1)
 1. Main Electrical                      4.56 x 10^-4
 2. 120V AC                              8.43 x 10^-5 (per bus)
 3. ESF Actuation                        1.17 x 10^-3 (per signal/train)
 4. Loading Sequencer                    1.59 x 10^-5 (per signal, both trains)
 5. Auxiliary Feedwater                  6.8 x 10^-5
 6. High Pressure Injection              5.87 x 10^-5 (for small and medium LOCAs)
 7. Low Pressure Injection               1.74 x 10^-4
 8. Main Steam Isolation                 8.197 x 10^-4 (2), 1.5 x 10^-5 (3)
 9. Quench Spray                         3.2 x 10^-4
10. Safety Injection Pump Cooling        7.32 x 10^-3 (per train)
11. Charging Pump Cooling                5.32 x 10^-4
12. Low Pressure Recirculation           3.0 x 10^-3
13. High Pressure Recirculation          5.85 x 10^-3
14. Containment Recirculation Spray      2 x 10^-3
15. Service Water                        7.44 x 10^-6 (4)
16. Vital DC                             1.4 x 10^-8/yr (4)

(1) All values are failure on demand (except 16).
(2) For steam line breaks inside containment.
(3) For steam line breaks outside containment.
(4) For a 24 hr period.

Our evaluation in this part also considers consistency among the fault tree components, the top event and the system success criteria. The last part of each subsection provides our conclusions and comments on the system fault tree with regard to accuracy, validity and completeness.

In general, we found the system fault trees in the Millstone 3 PSS to be accurate, valid and complete. There was consistency between the system success criteria and the top event of each tree. The effects of test and maintenance, human error and common cause were included in almost all of the fault trees. Nevertheless, there were several minor and a few potentially significant exceptions regarding accuracy, validity and completeness. Most would not contribute more than a few percent error to the overall frequency of core melt, so the reader is referred to the individual subsections for a discussion of the minor problems. The potentially significant errors are taken up in the paragraph below.

An important dependence of the vital ac, main electrical system, and emergency generator load sequencer on the vital dc system was not included in the corresponding fault trees. In the event of a loss of offsite power, the vital ac system would initially be dependent upon the batteries in the vital dc system. This is an apparently critical dependence, because the emergency diesels cannot transmit power to the emergency bus unless the load sequencer is operating, but the sequencer requires vital ac to function. The real difficulty occurs in the individual fault trees for the vital ac and vital dc systems. The unavailability of each system is calculated assuming that ac power is available on the emergency bus. This makes the results invalid for those cases when no power is available on the emergency bus. Thus, the PSS provides no estimate of the unavailability of the vital ac and vital dc systems, on demand, for those cases in which offsite power is unavailable. Yet such a case is precisely when the unavailability of these systems is extremely important. The significance of this problem increases in light of the fact that loss-of-offsite-power-initiated sequences are responsible for almost 20% of the latent cancer risk. This issue is taken up in more detail in subsections 3.4.1, 3.4.2, 3.4.4 and 3.4.16 below.

Quantification of system failure with fault trees depends directly on the use and application of component failure data. However, the review of the validity of the Millstone 3 PSS failure data is discussed in Section 3.5.


3.4.1 Main Electrical System

System Description

The main electrical system is designed to provide a reliable source of power to the normal and emergency AC power systems. The normal AC power system supplies power to non-safety related equipment that is necessary to support power operation of the plant under normal conditions. During off-normal conditions the emergency power system is designed to provide power to safety systems that are required for plant shutdown and mitigation of postulated accidents.

The PSS indicates that, during normal plant operation, the main generator provides power to the electrical system through the normal station service transformer (NSST). However, the information we received at the plant tour indicates that the offsite grid provides electrical system power to the NSST during normal operation, a procedure that is typical of other plants. The NSST supplies power to the 4160 V emergency buses via the normal buses 34A and 34B. If the preferred source of offsite power is lost, the system makes an automatic transfer to the reserve station service transformer (RSST). The RSST provides power directly to the emergency buses 34C and 34D from an alternate offsite source.

If both sources of offsite power are unavailable, the emergency AC power system is designed to provide power directly to both emergency buses 34C and 34D. This system consists of two diesel generators, each of which is dedicated to one emergency bus and is capable of supplying all engineered safety feature equipment and essential shutdown loads on that bus.

A diagram of the main electrical system showing the link between the offsite and onsite portions of the emergency AC system is provided in Figure 3.4.1-1.

[Figure 3.4.1-1: Diagram of the main electrical system. The drawing is not recoverable from the scan.]

System Fault Tree

The fault tree for the main electrical system was used to model the unavailability of power on emergency buses 34C and 34D. The structure of event trees and support states in the Millstone PSS requires that the unavailability of the main electrical system be modeled for three cases.

Case 1 models the unavailability of power on both buses (34C and 34D) given loss of offsite power. Case 2 models random failures on a single bus that could lead to its failure. The Case 2 model forms part of the input to the Case 1 model. Also, the Case 2 model is used to calculate the unavailability of the emergency bus in other fault trees and in the support state model.

Case 3 is used to model unavailability of all ac power for an initiating event other than loss of offsite power. The probability of no power on buses 34C and 34D is calculated using both the probability of bus failures and the probability of losing offsite power within 24 hours of a postulated accident.

Figure 3.4.1-2, which is taken directly from the Millstone PSS, was used to calculate the unavailability of offsite power. Figure 3.4.1-3 shows a substantially reduced form of the Millstone PSS fault tree used to calculate the unavailability of ac power on a single ac emergency bus. The circuit breaker referred to in this tree is the large breaker between the emergency generator and the emergency bus. The PSS fault tree for this component is extremely detailed. Figure 3.4.1-4 provides a simplified fault tree for the main electrical system and shows the relative positions of each of the three cases in the system logic.

Table 3.4.1-1 provides a summary of the system unavailability that was obtained in the PSS for each case and the dominant cut sets in each case. For Case 1, common cause failure of both emergency diesel generators is the dominant contributor, contributing 53 percent to total unavailability. The remainder of the unavailability is contributed by combinations of random failures in the emergency electrical equipment. However, none of these cut sets contributes more than 1 percent each. The dominant cut set for Case 2 is the failure of a diesel generator to start and run, contributing 16 percent to the total. The next most significant cut set for this case involves mechanical failure of the circuit breaker and contributes about 2.4 percent. Remaining cut sets contribute no more than 1 percent each. The dominant contribution to unavailability for Case 3 is loss of offsite power combined with common cause failure of both diesel generators. This cut set contributes 57 percent of the total unavailability. No other cut set contributes more than 1 percent.

[Figure 3.4.1-2: Fault tree, taken from the Millstone PSS, used to calculate the probability of loss of offsite power during a 24 hr period. The top event is loss of offsite power on bus 34C, with branches for switchyard faults and for faults on the NSST and RSST feeds; the probability values are not legible in the scan.]

[Figure 3.4.1-3: Reduced fault tree for loss of emergency power on one of the two emergency buses (Case 2), with branches for diesel generator failure, circuit breaker failure to operate, and bus faults; values not legible in the scan.]

[Figure 3.4.1-4: Simplified fault tree for the main electrical system. Top event: loss of all ac power on buses 34C and 34D, 1.37 x 10^-7 (Case 3), which requires loss of offsite power AND loss of emergency power on both buses (Case 1); the latter is common cause failure of the diesel generators (2.6 x 10^-4) OR independent loss of emergency bus 34C and of emergency bus 34D (Case 2, 1.4 x 10^-2 each).]

Table 3.4.1-1 Dominant Cut Sets for Failure of the Main Electrical System

Dominant Cut Set                                                   Unavailability

Case 1 Both Emergency Buses Unavailable*
  Common cause                                                     2.6 x 10^-4
  Random failures                                                  1.96 x 10^-4
  Total                                                            4.56 x 10^-4

Case 2 One Emergency Bus Unavailable
  Diesel generator failure                                         2.33 x 10^-3
  Circuit breaker mechanical failure                               3.40 x 10^-4
  Other failures                                                   1.13 x 10^-2
  Total                                                            1.4 x 10^-2

Case 3 No AC Power Available on Either Emergency Bus
  Loss of offsite power combined with common cause failure
    of both diesel generators                                      7.80 x 10^-8
  Other failures                                                   5.90 x 10^-8
  Total                                                            1.37 x 10^-7

* With loss of offsite power as an initiating event

According to the Millstone PSS, the only significant common cause contribution to electrical system failure is that associated with the diesel generators. All other components, such as wiring, circuit breakers, protective relays, etc., were determined to have common cause failure rates that were negligible when compared to their random failure rates. This was determined by examining common cause failures for components with and without aggregate control circuit failures. Common cause calculations for diesel generators assume a binomial failure rate model.
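As an added worked example (not the PSS's or this review's own computation), the Python below reproduces the structure of Table 3.4.1-1 above from its own entries with the rare-event approximation: Case 2 is the sum of the single-bus cut sets, the random part of Case 1 is the product of two independent Case 2 results, and Case 3 is Case 1 multiplied by the probability of losing offsite power within the 24 hour mission time, which the table's dominant Case 3 cut set implies. It also shows how a binomial failure rate common cause term enters; the table values are the page's, while the shock rate and conditional failure probability passed to the BFR function are illustrative assumptions, not PSS data.

```python
"""Added example: rare-event reconstruction of Table 3.4.1-1 plus a binomial
failure rate (BFR) common cause term. Not code from the Millstone PSS or the
LLNL review; BFR parameters used below are illustrative assumptions."""
from math import comb, exp

# Case 2 contributors for one emergency bus (entries of Table 3.4.1-1).
CASE2_CUT_SETS = {
    "diesel generator fails to start or run": 2.33e-3,
    "output breaker mechanical failure": 3.40e-4,
    "other random failures": 1.13e-2,
}
DG_COMMON_CAUSE = 2.6e-4     # Case 1 common cause entry
CASE3_LOOP_AND_CCF = 7.80e-8 # Case 3 dominant cut set: LOOP within 24 h AND diesel CCF


def rare_event_sum(cut_sets):
    """Rare-event approximation: P(OR of cut sets) ~ sum of the cut set probabilities."""
    return sum(cut_sets.values())


def case2_one_bus():
    """Random loss of a single emergency bus."""
    return rare_event_sum(CASE2_CUT_SETS)


def case1_both_buses(q_bus=None, q_ccf=DG_COMMON_CAUSE):
    """Both buses lost given loss of offsite power: diesel common cause failure
    plus independent random loss of each bus (product of two Case 2 results)."""
    q_bus = case2_one_bus() if q_bus is None else q_bus
    return q_ccf + q_bus * q_bus


def implied_p_loop_24h():
    """P(loss of offsite power within the 24 h mission time) implied by the table,
    since its dominant Case 3 cut set is LOOP AND diesel common cause failure."""
    return CASE3_LOOP_AND_CCF / DG_COMMON_CAUSE


def case3_no_ac_power(p_loop=None):
    """Case 3 (initiator other than LOOP): offsite power must also be lost within 24 h."""
    p_loop = implied_p_loop_24h() if p_loop is None else p_loop
    return p_loop * case1_both_buses()


def contribution(cut_set_prob, total):
    """Fraction of a total unavailability carried by one cut set."""
    return cut_set_prob / total


def bfr_common_cause(n, k, shock_rate, p_fail_given_shock, lethal_rate, t_hours):
    """Binomial failure rate model (assumed form): nonlethal shocks at `shock_rate`
    fail each of n units independently with probability p; lethal shocks at
    `lethal_rate` fail all units. Returns P(at least k of n fail within t_hours)."""
    p_k_or_more = sum(comb(n, j) * p_fail_given_shock ** j * (1 - p_fail_given_shock) ** (n - j)
                      for j in range(k, n + 1))
    rate = shock_rate * p_k_or_more + lethal_rate
    return 1.0 - exp(-rate * t_hours)


if __name__ == "__main__":
    print(f"Case 2, one bus:          {case2_one_bus():.3e}")
    print(f"Case 1, both buses:       {case1_both_buses():.3e}")
    print(f"implied P(LOOP in 24 h):  {implied_p_loop_24h():.2e}")
    print(f"Case 3, no ac power:      {case3_no_ac_power():.3e}")
    print(f"CCF share of Case 3:      {contribution(CASE3_LOOP_AND_CCF, case3_no_ac_power()):.0%}")
    # Illustrative BFR inputs (assumed, not PSS data): one nonlethal shock per
    # 10,000 h failing each of two diesels with p = 0.1, no lethal shocks, 24 h.
    print(f"BFR both-diesel CCF:      {bfr_common_cause(2, 2, 1e-4, 0.1, 0.0, 24):.2e}")
```

The reconstruction lands on the table's totals to the stated precision (1.4 x 10^-2, 4.56 x 10^-4 and 1.37 x 10^-7), and the implied 24 hour loss-of-offsite-power probability of 3.0 x 10^-4 is the number to compare against Figure 3.4.1-2 when checking that the three cases were quantified consistently.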

The Millstone PSS found no credible human errors which could lead to component unavailability in the main electrical system. Aside from the emergency generators, the electrical system is in continuous use and thus not subjected to any formal tests. Each diesel generator and its associated control circuitry is tested monthly on a staggered basis. Operational tests are performed during refueling shutdown. No maintenance is scheduled for the electrical system during normal operation. Nonetheless, unscheduled maintenance on the diesel generators as a result of periodic testing is included in the calculation of their unavailability.

Comments on the Main Electrical System Fault Trees

The fault trees for the main electrical system are, for the most part, accurate, complete and valid. However, several notable exceptions require discussion.

One item of interest involves the circuit breaker between the diesel generator and the corresponding emergency bus. Closure of this breaker requires that a trip coil be energized. This coil is energized by a trip contact that must be closed either manually or automatically. According to the fault tree for this system (Figure 2.3.2.1-3 of the PSS), failure of this trip contact requires failure of both the automatic and the manual mode. The automatic trip contact requires a signal from the emergency generator load sequencer (EGLS) for operation. However, the EGLS is modeled as failed when there is no power on the 120V ac vital bus from the corresponding power train. But this train is modeled as failed when there is no power on the corresponding emergency ac bus (34C or 34D). The problem is that, if there is power available to operate the automatic trip coil, then the circuit breaker will not be called upon and, if the circuit breaker is called upon, there will be no power on the corresponding emergency bus with which to operate it.

There appears to be an inconsistency in the fault tree in this case which could be remedied either by changing the fault tree for the 120V vital ac system or by deleting the trip coil from the electrical system fault tree. We estimate that if these errors were corrected it would increase the unavailability of ac power on bus 34C for Case 2 by 14 percent.

Another item of concern involves the difference in resolution for subsystems in the electrical system fault tree. Diesel generator failure is modeled as a basic event, but the circuit breaker between the generator and emergency bus is modeled in significant detail. No explanation is given for the large difference in resolution. If data were available on the overall failure rate for these breakers, they should have been used in preference to such modelling detail. Additionally, the fault tree reveals that the circuit breaker relies in part on the Emergency Generator Load Sequencer, which is powered by the vital ac. There is thus a dependence of the electrical system on itself via the load sequencer that is buried within a rather large fault tree.
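The self-dependence just described, written out as an added example (not code from the PSS or from this review) so that the loop and the role of the batteries can be checked mechanically. The edges follow the review's description of the PSS models; node names such as EGLS_A, VIAC_3 and BATTERY_A are labels chosen for the example, and the battery path is the dependence the review says the PSS left out:

```python
"""Added example: the support-system dependency loop as a directed graph.
Not code from the Millstone PSS or the LLNL review; edges follow the review's
description and node names are labels chosen for this example."""

# node -> list of alternative supplies (OR); each alternative is a set whose
# members must ALL be available (AND). Nodes absent from the dict are sources.
DEPENDS = {
    "BUS_34C":        [{"OFFSITE_POWER"}, {"DIESEL_34C", "DG_BREAKER_34C"}],
    "DG_BREAKER_34C": [{"EGLS_A"}],                  # automatic closure needs the sequencer
    "EGLS_A":         [{"VIAC_3"}],                  # sequencer cabinet fed from vital ac
    "VIAC_3":         [{"BUS_34C"}, {"BATTERY_A"}],  # rectifier path, or the dc battery path
    "VIAC_1":         [{"BUS_34C"}, {"BATTERY_A"}],
    "ESF_A":          [{"VIAC_1"}],
}


def find_cycles(depends):
    """Depth-first search; returns each dependency cycle as a list of node names
    that starts and ends on the same node."""
    cycles, state, stack = [], {}, []

    def visit(node):
        state[node] = "active"
        stack.append(node)
        for alternative in depends.get(node, []):
            for dep in sorted(alternative):
                if state.get(dep) == "active":
                    cycles.append(stack[stack.index(dep):] + [dep])
                elif dep not in state:
                    visit(dep)
        stack.pop()
        state[node] = "done"

    for node in depends:
        if node not in state:
            visit(node)
    return cycles


def available(depends, sources):
    """Least fixpoint: a node becomes available only when some alternative has all
    its members available. Nothing inside a cycle is credited unless a source
    outside the cycle starts it; assuming ac power on the emergency bus while
    evaluating the vital ac tree amounts to assuming the opposite."""
    avail = set(sources)
    changed = True
    while changed:
        changed = False
        for node, alternatives in depends.items():
            if node not in avail and any(alt <= avail for alt in alternatives):
                avail.add(node)
                changed = True
    return avail


def bootstrapping_sources(depends, target, sources, candidates):
    """Which single extra source, added to `sources`, makes `target` available."""
    return {c for c in candidates if target in available(depends, set(sources) | {c})}


if __name__ == "__main__":
    for cycle in find_cycles(DEPENDS):
        print("cycle:", " -> ".join(cycle))
    loop_batteries_ok = {"DIESEL_34C", "BATTERY_A"}
    loop_batteries_failed = {"DIESEL_34C"}
    print("LOOP, batteries ok:    ", sorted(available(DEPENDS, loop_batteries_ok)))
    print("LOOP, batteries failed:", sorted(available(DEPENDS, loop_batteries_failed)))
    print("what restarts 34C:", bootstrapping_sources(
        DEPENDS, "BUS_34C", loop_batteries_failed, {"BATTERY_A", "OFFSITE_POWER", "VIAC_1"}))
```

find_cycles reports the loop 34C -> breaker -> sequencer -> vital ac -> 34C. Because available computes a least fixpoint, a node inside that loop is credited only when a source outside the loop can start it: with offsite power gone, the diesel alone restores nothing, and only the battery (or offsite power) bootstraps the bus. That is the unavailability the review says the PSS never estimated for the loss-of-offsite-power case.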

3.4.2 120V AC Vital Bus

System Description

The 120V ac vital bus system is a safety related, voltage-regulated support system. It supplies control and instrument power to the plant protection systems. The 120V ac vital bus is divided into four separate channels. Each vital bus or channel provides a unique source of power to a corresponding ESF or EGLS cabinet. Vital buses VIAC-1 and VIAC-2 supply power to ESF cabinets (trains A and B), respectively. Similarly, vital buses VIAC-3 and VIAC-4 provide power to EGLS cabinets (trains A and B). These four vital buses appear as basic events in the ESF actuation system and emergency generator load sequencer system fault trees.

In each channel, the 120V ac vital bus normally receives power from a solid state inverter through a high speed static transfer switch. The primary source of power to the inverter comes through a rectifier from a 480V ac bus (one for each channel). If rectifier output is lost, a secondary dc supply is available from the associated 125V dc battery charger and/or battery. In the event of inverter loss, a third source of 120V ac vital power is provided through a 480V to 120V stepdown and regulating transformer from the 480V emergency bus. A simple schematic for the VIAC-1 channel is provided in Figure 3.4.2-1.

Voltage on each 120V ac vital bus is continuously monitored and displayed in the control room. It is stated that an alarm is sounded in the control room on change of state in the static transfer switch due to loss of inverter output. However, it is not clear exactly what is sensed by this alarm (i.e., voltage or current).

System Fault Tree

The system fault tree for the 120V ac vital bus was used to determine the unavailability of 120V ac power on each channel. Because all four channels are assumed identical, only one fault tree was developed.

The unavailability of the VIAC-1 vital bus was calculated to be 8.4 x 10^-5. Almost 99% of the unavailability is contributed by 9 cut sets (4 singles, 4 doubles, and 1 triple). Two singles contribute 66%. These are failure of either the bypass switch or the static transfer switch. The third single cut set (which contributes 14%) comes from a fuse failure, but this fuse was not identified in the schematic for this system. A fourth single involves bus faults on the 120V ac bus and contributes about 2% unavailability. The four double cut sets involve failure of the regulating transformer and some other component. These contribute about 16%. The final cut set is a triple that includes loss of offsite power, loss of onsite power and loss of the 480/120V transformer. Because loss of power would not require unavailability of the transformer for system failure, this cut set points up an error in the structure of this fault tree. This error is discussed below. Table 3.4.2-1 lists the dominant cut sets that contribute to the unavailability of the vital ac on one channel.

Test and maintenance, common cause and human error are not modeled in the vital 120V ac fault tree. The system is in continuous use and there are no tests requiring any of its components to be taken out of service. All maintenance is performed during refueling outages. Unscheduled maintenance is supposed to be performed only with continuous power maintained to the vital bus through an alternate source. The PSS report states that no common cause failures were postulated for the vital ac because they were accounted for by command faults that are included in pump and MOV start logic. It is also stated that there are no credible human errors that could contribute to system unavailability.

Comments

Our review of the vital 120V ac fault tree found several inaccuracies. These errors result in a major problem in the representation of the system logic. Nonetheless, we estimate that these errors do not contribute more than a 10% error in the calculation of system unavailability. The two major problems are 1) the failure to model the contribution of the batteries to system success and 2) the treatment of the single failure, loss of power on bus 34C, as two separate failures on either side of an AND gate.

Figure 3.4.2-2 provides a reduced form of the Millstone PSS 120V vital ac fault tree in order to illustrate these inaccuracies. This figure reveals that loss of offsite power in combination with loss of power on the emergency bus 34C occurs on two branches of the top AND gate. In addition, these events are given different labels and, in the case of loss of offsite power, different probabilities. This error results in the generation of a logically inconsistent cut set which requires loss of offsite power, loss of power to bus 34C and failure of the transfer between 34C and 32R for system failure. Also shown in this tree is the model of battery failures as passing through an OR gate with power failures on bus 32T. Thus, whenever there is no power passing from bus 34C to buses 32T or 32R, the system is modeled as failed and no credit is given to the batteries.

Our analysis of the fault tree reveals that, because the system failure is dominated by switch, fuse, and transformer failures, these errors do not contribute significantly to the unavailability estimate of this system. Nonetheless, the problems that we noted could become significant for cases in which the probability of basic events changes. Thus, the usefulness of this fault tree for uncertainty and sensitivity analyses may be limited until these problems are corrected.
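The two modeling errors just described can be reproduced with a small minimal cut set engine. The following is an added example, not code from the PSS or from this review; the reduced tree it builds is this example's own reading of the review's description (basic event names such as XFMR_34C_32R_FAILS are labels invented here), not the PSS fault tree itself:

```python
"""Added example: minimal cut sets of a reduced 120V vital ac fault tree.
Not code from the Millstone PSS or the LLNL review; the tree is this example's
rendering of the review's description and the event names are invented."""

# A gate is ("AND", child, ...) or ("OR", child, ...); a leaf is a basic event name.


def minimal_cut_sets(gate):
    """Expand a gate into its minimal cut sets (frozensets of basic event names)."""
    if isinstance(gate, str):
        return {frozenset([gate])}
    kind, *children = gate
    child_sets = [minimal_cut_sets(child) for child in children]
    if kind == "OR":
        result = set().union(*child_sets)
    elif kind == "AND":
        result = {frozenset()}
        for sets in child_sets:
            result = {a | b for a in result for b in sets}
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return absorb(result)


def absorb(cut_sets):
    """Absorption law: drop any cut set that is a proper superset of another."""
    return {c for c in cut_sets if not any(o < c for o in cut_sets)}


def vital_ac_tree(shared_labels, battery_credit):
    """Reduced VIAC-1 tree. Loss of bus 34C (offsite AND onsite power lost) feeds
    both the inverter side (via bus 32T) and the regulating transformer side (via
    bus 32R). shared_labels=False reproduces the practice the review describes of
    giving the second occurrence different labels; battery_credit=False reproduces
    the OR gate under which a battery failure alone removes the inverter input."""
    loss_34c = ("AND", "LOOP", "ONSITE_POWER_FAILS")
    loss_34c_again = (loss_34c if shared_labels
                      else ("AND", "LOOP_copy", "ONSITE_POWER_FAILS_copy"))
    no_power_32t = ("OR", loss_34c, "XFMR_34C_32T_FAILS")
    inverter_input_lost = (("AND", no_power_32t, "BATTERY_FAILS") if battery_credit
                           else ("OR", no_power_32t, "BATTERY_FAILS"))
    inverter_side = ("OR", inverter_input_lost, "INVERTER_FAILS")
    transformer_side = ("OR", loss_34c_again, "XFMR_34C_32R_FAILS", "REG_XFMR_FAILS")
    return ("OR", "STATIC_SWITCH_FAILS", "FUSE_OPENS",
            ("AND", inverter_side, transformer_side))


def duplicate_label_cut_sets(cut_sets):
    """Cut sets containing a differently-labelled copy of a basic event: these
    count one physical failure as two and are artifacts of the labelling."""
    return {c for c in cut_sets if any(e.endswith("_copy") for e in c)}


def cut_sets_removed_by_fix(before, after):
    """Cut sets of the flawed tree that disappear once the labels are shared."""
    return before - after


if __name__ == "__main__":
    flawed = minimal_cut_sets(vital_ac_tree(shared_labels=False, battery_credit=False))
    fixed = minimal_cut_sets(vital_ac_tree(shared_labels=True, battery_credit=True))
    for name, sets in (("as described in the review", flawed),
                       ("labels shared, batteries credited", fixed)):
        print(name)
        for cs in sorted(sets, key=lambda s: (len(s), sorted(s))):
            print("   ", " AND ".join(sorted(cs)))
    print("artifacts of duplicate labelling:", len(duplicate_label_cut_sets(flawed)))
```

With the two occurrences of loss of 34C labelled differently, the engine produces the triple the review objects to (LOOP, onsite power fails, 34C-to-32R transfer fails) alongside a cut set that requires both copies of the same event. Sharing the labels makes loss of 34C a cut set on its own and the triple is absorbed; crediting the batteries turns it into loss of 34C AND battery failure, which is the physical situation.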

[Figure 3.4.2-1: Schematic of the VIAC-1 channel: 4.16 kV emergency bus 34C feeding, through a 4.16 kV/480 V transformer, the 480 V emergency buses; rectifier, 125 V dc battery charger and battery, inverter and static transfer switch on the normal path to the VIAC-1 120 V ac vital bus; 480/120 V regulating transformer and bypass switch on the alternate path. The drawing itself is not recoverable from the scan.]

Table 3.4.2-1 Dominant Cut Sets for the Unavailability of the 120V Vital AC on One Channel

Component failures                                                            Cut set probability (failure/demand)
Static transfer switch fails open                                             2.8 x 10^-5
Rotary bypass switch transfers open                                           2.18 x 10^-5
Fuse opens prematurely                                                        1.2 x 10^-5
Power transformer fails and inverter fails                                    1.13 x 10^-5
Bus faults on the vital 120V ac bus                                           2.0 x 10^-6
Power transformer (480/120V) fails and power transformer (4.16kV/480V) fails  1.3 x 10^-6

[Figure 3.4.2-2 (two pages): Reduced 120V vital ac fault tree. Top event: loss of 120V ac vital power on bus VIAC-1, an OR of vital bus faults, static transfer switch and bypass switch failures, and an AND of no power from the inverter side with no power from the regulating transformer side; each side of the AND traces back to no power on bus 34C (loss of onsite power AND loss of offsite power), with different labels and values on the two sides. The values are not reliably legible in the scan.]

.]C 3.4.3 Engineered Safety Features Actuation System -

.'._1~

System Description

The Engineered Safety Features (ESF) actuation system examines selected plant parameters and determines whether predetermined protection limits are being exceeded. The ESF actuation system consist of two separate sets 'of electronic circuitry.- The first set is an analog portion consisting of three to four redundant channels per system parameter. The second set is made up of two redundant logic trains which process the analog inputs and actuate ESF equipment as required.

Each channel of the analog portion is connected to a separate and redundant sensor for the parameter of interest. This channel is made up of four major components: 1) the channel test switch, 2) the loop power supply,

3) the comparator and 4) the comparator trip switch. With the exception of the containment spray system, the comparator trip switch operates on the "de-energize to actuate principle" so that the analog portion of the ESF actuation system cannot be disabled during test.

The output signals from the analog channels are transmitted to two separi;e and redundant logic trains corresponding to the separate sa'fety system trains (Train A and Train B). The logic trains pass the channel output through input relays to the logic cabinet. The logic cabinet uses 2/3 or 2/4 logic to trip a relay driver which actuates the corresponding safety system.

-Each logic train is independently capable of actuating the required ESF equipment.

l System Fault Tree The ESF actuation system was modeled to determine the unavailability of I

actuation signals on the final outputs. The Millstone team determined that a model for the safety injection (SI) signal would adequately represent all other signals.

The results of the fault tree quantificati.on for the SI signal yield an unavailability of 1.17 x 10-3/ demand per signak per train with a variance of 1.53 x 10-6 The calculated unavailability for both trains (including common cause 3.4 1

-. ~ , _ - . . . -, , . .. -. _

I

~

failures) is 1.60 x 10 per signal' for both trains. Almost 99 percent.of) ..:

.: =

T **

the unavilability for a single train is contributed by five dominant 7c ut=;- .' - --

sets. These single member cut sets are sumarized in Table 3.4.3-1.

The dominant pontributor to system unavailability is a bimonthly logic test which temporarily disables the system and a up 29 per cent of the total. This is followed by failure of two cifferera ersal logic cards which respectively make up 14 and 27 per cent of the tvu Failure of vital ac power supply and a relay driver comprise a respective 7 and 5 percen't of the remaining contributions.

Even though testing of the digital portion of the system makes a significant contribution to unavailability, testing on the analog portion does not. This is because the channel being testing is energized and thus in

" actuate" mode. The exception to this is the quench spray actuation which has a separate model for unavailability that is discussed in Section 3.4.9.

System unavailability due to maintenance is included in random hardware faults.

The comon cause failure analysis is limited to command faults within the ESF sensors. According to the PSS this limita' tion is due to the diversity within the ESF which makes other common cause failures noncredible. Failure of the main electrical system and the emergency ac buses is treated as resulting in a dependent failure of both the ESF and ESF actuation system.

The authors of the Millstone PSS judged that the common cause failures of both trains of the ESF actuation system occur at the rate of 1.5 x 10-5 per demand. This value is obtained from the overall reliability of the electrical portion of the Reactor Protection System as cited in NUREG-0460.

The Millstone PSS considers two sources of human errors that contribute to ESF actuation system unavailability. One source is associated with periodic testing of the analog portion of the system, the other with periodic testing on the digital portion. In the analog portion, the quench spray sensor channels, because they are the only set of channels that do not operate on the "de-energize to actuate" principle, can contribute to unavailability from failure to restore the channels after testing. This source of human error is unique to the quench spray system and is included in its fault tree.

For the digital portion of the ESF actuation system, test unavailability due to human error is insignificant compared to that contributed by the test itself.


Table 3.4.3-1 Dominant Cut Sets for the Unavailability of an Actuation Signal on One Train of the ESF Actuation System

Component Failure                                         Probability (failure/demand)
Unavailability due to test of the digital circuitry       3.4 x 10-4
Improper operation of universal logic card                3.2 x 10-4
Improper output from the universal logic card             1.6 x 10-4
Relay contacts fail to transfer                           1.0 x 10-4
Unavailability of 120V vital ac                           8.4 x 10-5
Relay driver receives improper output from one gate       5.3 x 10-5
Total                                                     1.17 x 10-3

Comments

Our review of the fault tree for the ESF actuation system found it complete, accurate, and valid. However, a few items require some further consideration. Unavailability of a single train is dominated by tests on the digital portion of the system. Thus, any errors in estimating the amount of time necessary for the test procedure could be important. In addition, the calculated unavailability of both trains is dominated by common cause failure. But common cause failure is estimated from a value derived from NUREG-0460 which considers a different system. There is limited consideration given to the validity of this value. Finally, the calculation of variance in system unavailability for both systems is not provided.
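The following Python is an added worked check, not part of the LLNL review or the Millstone PSS: it recomputes the cut set shares quoted above from Table 3.4.3-1 and shows why, once the NUREG-0460 common cause value of 1.5 x 10-5 is combined with the squared single-train unavailability, the two-train result is dominated by common cause. The rare-event approximation and the independence of the trains apart from the explicit common cause term are assumptions of the example, not statements of the PSS.

```python
"""Worked check of the ESF actuation signal figures in Section 3.4.3.

Added example; not code from the LLNL review or the Millstone PSS.
Assumptions not stated on the page: single-member cut sets are combined
with the rare-event approximation (sum of probabilities), and the two
trains fail together either independently (product of the single-train
values) or through the common cause term the PSS took from NUREG-0460.
"""
from dataclasses import dataclass

# Single-member cut sets for one train, from Table 3.4.3-1 (failure/demand).
SINGLE_TRAIN_CUT_SETS = {
    "test of digital circuitry": 3.4e-4,
    "universal logic card, improper operation": 3.2e-4,
    "universal logic card, improper output": 1.6e-4,
    "relay contacts fail to transfer": 1.0e-4,
    "120V vital ac unavailable": 8.4e-5,
    "relay driver receives improper gate output": 5.3e-5,
}
SINGLE_TRAIN_TOTAL = 1.17e-3        # table total, includes non-dominant cut sets
COMMON_CAUSE_BOTH_TRAINS = 1.5e-5   # per demand; PSS value taken from NUREG-0460


def rare_event_sum(cut_sets):
    """Rare-event approximation: P(top) ~ sum over minimal cut sets."""
    return sum(cut_sets.values())


def exact_union(cut_sets):
    """Exact OR of independent single-member cut sets: 1 - prod(1 - p_i)."""
    survive = 1.0
    for p in cut_sets.values():
        survive *= 1.0 - p
    return 1.0 - survive


def percent_contributions(cut_sets, total):
    """Each cut set's share of the reported total, rounded to whole percent.

    Reproduces the 29 / 27 / 14 / 7 / 5 percent figures quoted in the text.
    """
    return {name: round(100.0 * p / total) for name, p in cut_sets.items()}


@dataclass(frozen=True)
class TwoTrainResult:
    """Decomposition of both-trains unavailability into its two terms."""
    independent: float   # both trains fail for unrelated reasons
    common_cause: float  # a single shared cause disables both

    @property
    def total(self):
        return self.independent + self.common_cause

    @property
    def common_cause_fraction(self):
        return self.common_cause / self.total


def two_train_unavailability(single_train, ccf):
    """Both trains unavailable: independent coincidence plus common cause.

    Squaring the single-train value assumes the trains are independent apart
    from the explicit common cause term (an assumption of this example).
    """
    return TwoTrainResult(independent=single_train ** 2, common_cause=ccf)


if __name__ == "__main__":
    shares = percent_contributions(SINGLE_TRAIN_CUT_SETS, SINGLE_TRAIN_TOTAL)
    for name, pct in shares.items():
        print(f"{pct:3d}%  {name}")
    listed = rare_event_sum(SINGLE_TRAIN_CUT_SETS)
    print(f"listed cut sets sum to {listed:.3e} of reported {SINGLE_TRAIN_TOTAL:.2e}")
    print(f"exact union of listed cut sets: {exact_union(SINGLE_TRAIN_CUT_SETS):.4e}")
    both = two_train_unavailability(SINGLE_TRAIN_TOTAL, COMMON_CAUSE_BOTH_TRAINS)
    print(f"both trains: independent {both.independent:.2e} + common cause "
          f"{both.common_cause:.1e} = {both.total:.2e} "
          f"({100 * both.common_cause_fraction:.0f}% common cause)")
```

The listed cut sets account for roughly 90 percent of the 1.17 x 10-3 total, so the remaining share comes from cut sets the table does not print; the independent two-train term is about an order of magnitude below the common cause value.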

3.4.4 Emergency Generator Loading Sequencer (EGLS) System

System Description

The EGLS is a solid state digital system that is designed to sequence the reloading of ESF systems in order to prevent electrical system instability caused by motor starts when power from the diesels is transferred to the emergency bus. The system provides actuation signals to shed loads, temporarily block manual equipment starts, and sequentially load ESF equipment on buses 34C and 34D during emergency conditions. The overall sequencing system is comprised of two identical EGLS cabinets, Trains A and B, which are powered from separate 120V ac vital buses, VIAC-3 and VIAC-4.

The EGLS receives signals of bus undervoltage due to loss of power (LOP), safety injection (SIS), containment pressure change (CDA), recirculation (RECIRC), reserve breaker (AR BKR), and diesel generator breaker (DG BKR) status. The EGLS automatically performs the functions of load shedding, load blocking, and sequential load application under conditions of LOP, SIS with LOP, and CDA with LOP. Under the conditions of SIS without LOP and CDA without LOP, the EGLS does not introduce load shedding, load blocking or sequential load application into any of the control circuits of the engineered safety features (with the exception of the containment recirculation pumps which are always time delayed). An EGLS is provided for each emergency generator.

During the first 40 seconds, the EGLS sequences initial damage mitigating loads automatically. After the first 40 seconds, the manual start block signal is removed and additional emergency bus loads may be started manually. Typical loads manually started are the pressurizer heaters, the fuel pool cooling pumps, and turbine protection equipment.

The EGLS has seven operating modes. Five of these modes are for plant emergency conditions which involve LOP. The other two are for plant emergency conditions which do not involve a loss of offsite power. The modes are:

1. SIS only
2. CDA only or SIS and CDA
3. LOP only
4. SIS and LOP
5. (CDA and LOP) or (SIS and CDA and LOP)
6. SIS, RECIRC, and LOP
7. CDA or SIS with CDA, RECIRC, and LOP

The modes are prioritized such that a CDA mode will always take precedence over an SIS mode when both inputs are present. A LOP mode will always take precedence over a non-LOP mode.

In each of the LOP operating modes, the EGLS first recognizes a loss of power on the plant safety buses and immediately generates LOP and Manual Start Block (MSB) output signals to plant safety equipment. These signals effectively strip the bus and temporarily inhibit the operator from restarting any loads. This allows each diesel generator time to start, achieve proper voltage and frequency, and be connected to its dedicated safety bus without incurring adverse loading conditions. Upon receiving a signal confirming that the DG BKR has closed, the EGLS will begin generating time sequenced "Safeguard Sequencer Start" (SSS) and Manual Trip Block (MTB) signals to plant equipment. The SSS and MTB signals, once initiated, are maintained until the EGLS is reset or a change in operating mode occurs. Should a SIS or CDA input occur without a LOP, the appropriate SSS and MTB signals are generated immediately without time sequencing. The MTB signal inhibits the operator from tripping loads once they have been automatically started.

System Fault Tree

The sequencer system fault tree was used to determine the unavailability of one or both EGLS systems. This information was employed in the support states model as the unavailability of EGLS trains. It is also used as the unavailability of the EGLS signal for the diesel generator breaker in the main electrical system fault tree. Two fault trees are used to represent the seven sequencer modes. These two are the SIS signal only mode and the SIS with LOP mode. The quantified output of these fault trees is used to represent the operating mode unavailability of the sequencers.

In the "SIS only" operating mode, four dominant cut sets are reported to contribute 80 percent of the total unavailability of 8.2 x 10-4. The remaining cut sets contribute less than 1 percent each. The dominant contributor is stated to be failure of ac power which makes up 30 percent of the total. Failure of sequencer input relays to energize reportedly contributes 25 percent. Failure of the sequencer output relay and failure of an input signal from the diesel generator auxiliary breaker contacts reportedly contribute 12.5 percent each.

In the "SIS with LOP" operating mode, approximately 94 percent of the total unavailability of 9.3 x 10-4 is stated to be due to four cut sets. The remaining sets contribute less than 1 percent each. For this mode the dominant contributor is input relay failure, which contributes 37.5 percent. Another 30 percent is said to be due to failure of the ac power supply. Failures of the output relay and diesel generator auxiliary breaker contacts contribute 12.5 percent each. Both operating mode failures are summarized in Table 3.4.4-1.

There are no test and maintenance procedures that are credited as contributors to system unavailability. The EGLS has two manual test modes and one automatic test mode. One of the manual tests, which is performed monthly, does not prevent the sequencer from responding to accident signals. The other manual test is performed only during refueling outages. The automatic test sequence is performed at 30 second intervals and also does not inhibit accident signals. There is no scheduled maintenance on the sequencer. Unavailability due to unscheduled maintenance is not included in the fault tree.

Two sources of common cause failure are considered for the sequencer. One source is a dependent failure due to the loss of vital ac. The other is failures within the sequencer hardware. The common cause failure rate between both trains of EGLS actuation is judged to be 1.5 x 10-5 per demand. The justification for this value is the same as is used for the ESF actuation system. The justification is that the reactor protection system (RPS) used in NUREG-0460 has an equal or greater diversity than the EGLS and thus deserves the same common cause failure probability.

Comments on the EGLS Fault Trees

Our review of the EGLS fault tree reveals that to some extent it is invalid, inaccurate and incomplete. Several major problems were identified which make it difficult to assess the final top event unavailability without more information and a restructuring of the fault tree logic. Our concerns are enumerated below.

The major problem involves the failure to accurately model the dependence of a single sequencer on the corresponding vital ac and vital dc systems. A major difficulty comes from the use of the output from the vital 120 ac fault tree as a substitute for the vital dc failure. The fault tree model does not deal with the fact that, following a loss of power accident, the EGLS would be the primary initial support system and that for the first 10 to 40 seconds following this event, it would be functioning with ac power unavailable on buses 34C and 34D.

The unavailability of both EGLS cabinets is apparently dominated by common cause failures. However, the common cause failure is based on the electrical portion of the reactor protection system (RPS) in NUREG-0460. This system was used to represent the EGLS because the RPS has an equal or greater diversity. This basis for sequencer common cause failure appears weak and optimistic.

There are many aspects of the load sequencer operations which are not addressed in the PSS. In particular the loading sequencer performs functions which raise questions relative to the possibility of exacerbating accident conditions. The sequencer strips loads on plant safety buses when it receives a loss of offsite power signal. During subsequent diesel generator startup, it blocks manual starts of safety equipment. When the diesel generator breaker closes, the sequencer begins to load the safety buses with safety equipment in a timed sequence, and initiates manual trip blocks so that the equipment cannot be tripped. The system fault tree does not address the following concerns:

o Can the load sequencer fail after stripping and blocking manual starts to safety equipment? This could lead to serious consequences.

o If the diesels fail to start (after the sequencer strips and blocks loads), how does the operator reload safety buses if offsite power is recovered? Can the sequencer fail in a manner that would prevent this?

o It may become desirable for the operator to trip safety equipment to optimize the configuration or to shut off partially failed equipment. Can he override the sequencer manual trip block?

As a final point, we note that the dominant cutsets described in the text do not correspond to those provided in the computer-output listing. However, the same total unavailability is reported in both places.


3.4.5 Auxiliary Feedwater System

System Description

The Auxiliary Feedwater System (AFWS) is an engineered safeguards system which is designed to provide a supply of high-pressure feedwater to the secondary side of the steam generators, for reactor coolant system (RCS) heat removal following a loss of normal feedwater. The AFWS also provides this cooling function in the event of a main steam line break, feedwater line break, small break loss of coolant accident (LOCA), loss of power, or low-low steam generator water level conditions. In addition, the AFWS is designed to respond to all of the above conditions whether or not all ac power is available.

The AFWS consists of two motor-driven auxiliary feedwater pumps, one turbine-driven auxiliary feedwater pump, and the associated controls, piping and valves necessary to perform the RCS heat removal function. Each auxiliary feedwater pump normally takes suction from the demineralized water storage tank (DWST). The DWST, which is sized at 340,000 usable gallons, has sufficient capacity to provide the short term safety grade source of auxiliary feedwater for the steam generators. An additional source of 200,000 gallons of water is provided to the auxiliary feedwater pumps by the condensate storage tank. This non-safety grade source of water is connected to each pump suction line through normally closed air-operated valves. The long term safety grade source of auxiliary feedwater is provided by the service water system.

The AFWS is normally lined up to all four steam generators through normally-open motor-operated control valves. In the event of an AFWS demand the minimum success criterion stated in the PSS is that one of the three auxiliary feedwater pumps start and run. Redundant piping flow paths from the pumps to the steam generators provide at least two of the steam generators with the required flow even if only one pump is available for service. Each of the two motor-driven pumps is capable of feeding two steam generators while the turbine-driven pump is capable of feeding all four steam generators.


System Fault Tree

The auxiliary feedwater system fault tree was used to assess the failure of the system to meet its success criteria for a period of twenty-four hours following any postulated accident or transient. System success is defined as delivering 235 GPM of auxiliary feedwater to at least three of four steam generators following all accident transients.

The auxiliary feedwater system fault trees (with and without a faulted steam generator) were quantified for six cases in order to represent the effects of the plant support states:

Case A: Both Trains of AC Power Available - No Faulted Steam Generator (Addresses support states 1 and 5)

Case B: One Train of AC Power Available or Equivalent - No Faulted Steam Generator (Addresses support states 2, 3 and 6)

Case C: No AC Power Available - No Faulted Steam Generator (Addresses support state 7)

Case D: Turbine-Driven AFWS Pump Train Not Available and Both Trains of AC Power Recovered - No Faulted Steam Generator (Addresses support state 7 for loss of offsite power as the initiating event)

Case E: Both Trains of AC Power Available or Equivalent - One Faulted Steam Generator (Addresses support states 2, 3, 6 and 7)

Table 3.4.5-1 summarizes the unavailabilities of the auxiliary feedwater system for each support state with/without a faulted steam generator. For support state 8, both ESF actuation Trains A and B are assumed to be unavailable. Thus, AFWS unavailability is 1.0 by definition. Table 3.4.5-2 lists the dominant contributors for each of the six cases A through F.


Table 3.4.5-1 Summary of Unavailability Results for the Auxiliary Feedwater System

Support State   Status of Steam Generators      System Unavailability   Case
01              None Isolated                   6.8 x 10-5              A
01              Steam Generator "A" Isolated    4.94 x 10-4             E
02              None Isolated                   5.9 x 10-4              B
02              Steam Generator "A" Isolated    4.53 x 10-2             F
03              None Isolated                   5.9 x 10-4              B
03              Steam Generator "A" Isolated    4.53 x 10-2             F
04              None Isolated                   1.0                     -
04              Steam Generator "A" Isolated    1.0                     -
05              None Isolated                   6.8 x 10-5              A
05              Steam Generator "A" Isolated    4.94 x 10-4             E
06              None Isolated                   5.9 x 10-4              B
06              Steam Generator "A" Isolated    4.53 x 10-2             F
07              None Isolated                   4.52 x 10-2             C
07              None Isolated                   *2.77 x 10-4            D
07              Steam Generator "A" Isolated    4.53 x 10-2             F
08              None Isolated                   1.0                     -
08              Steam Generator "A" Isolated    1.0                     -

* For support state 07 with loss of offsite power as the initiating event and recovery of offsite power occurring within one hour.


Table 3.4.5-2 Dominant Contributors to Unavailability for Cases A-F

Case   Dominant Contributors                                       Contribution
A      Common cause                                                96%
B      Motor driven pump "A" and turbine driven pump both fail     37%
       Pump "A" actuation logic and turbine pump fail              16%
       Common cause                                                10%
C      Turbine driven pump failure                                 90%
D      Common cause                                                14%
       Random failures in the motor driven pumps                   46%
E      Failure of Pump "B" and steam pump                          64%
       Common cause                                                13%
F      Turbine driven pump failure                                 90%


The common cause failure analysis for the AFWS used a binomial failure rate model. The analysis treated the turbine-driven auxiliary feedwater pump as a diverse system with respect to the motor-driven auxiliary feedwater pump trains. Analyses were performed for both those accidents and transients that do not require a steam generator to be isolated and those that do require isolation. A total of seven common cause analyses were performed. Those are:

1) No faulted steam generator, both emergency ac buses available.
2) No faulted steam generator, one emergency ac bus available.
3) No faulted steam generator, no emergency buses available.
4) No faulted steam generator, loss of turbine-driven auxiliary pump.
5) One faulted steam generator, both emergency ac buses available.
6) One faulted steam generator, one emergency ac bus available.
7) One faulted steam generator, no emergency bus available.

Comments on the AFWS Fault Tree

In general, we found the fault trees for this system to be accurate, complete and valid. Nonetheless, we noted issues of concern regarding success criteria and the overall unavailability of the system. One issue is whether the trains can meet the success criteria when pumping against the steam generator relief valve set pressure (a condition which exists for some important accident sequences). A second issue is that the auxiliary feedwater unavailability probability (6.8 x 10-5/demand) appears optimistic. Other assessments have derived values 5 to 10 times greater for similar systems, and even higher failure rates may be expected early in life. A further discussion of this matter is provided in Section 3.6.


TABLE 3.4.6-1 HIGH PRESSURE SAFETY INJECTION SYSTEM UNAVAILABILITY RESULTS

System Unavailability (Mean Values)

Support State   Large LOCA (HP-1)   Medium and Small LOCA (HP-2)
                per demand          per demand
1               1.12 x 10-4         5.87 x 10-5
2               5.19 x 10-2         7.01 x 10-4
3               1.0                 1.0
4               1.0                 1.0
5               1.38 x 10-4         5.88 x 10-5
6               5.19 x 10-2         7.01 x 10-4
7               1.0                 1.0
8               1.0                 1.0


TABLE 3.4.6-2 HIGH PRESSURE SAFETY INJECTION SYSTEM DOMINANT CONTRIBUTORS

Hypothetical Accident          System Unavailability (Mean)   Dominant Contributor    Contribution (Mean)   Percent Contribution
Large LOCA (HP-1)
  a-c power available          1.12 x 10-4                    Common Cause Failure    7.47 x 10-5           67
  loss of one bus              5.19 x 10-2                    SI and Chg Cooling      2.38 x 10-2           46
  loss of offsite a-c power    1.38 x 10-4                    Common Cause Failure    8.27 x 10-5           60
Medium and Small LOCA (HP-2)
  a-c power available          5.87 x 10-5                    Common Cause Failure    5.87 x 10-5           ~100
  loss of one bus              7.01 x 10-4                    SI and Chg Cooling      1.42 x 10-4           20
  loss of offsite a-c power    5.88 x 10-5                    Common Cause Failure    5.56 x 10-5           ~100


The effects of common cause failures, test and maintenance unavailability, and human errors were all included in the HPSI fault tree. Common cause failure was modeled using a binomial failure rate model. The only human error that was included was failure to restore equipment after test and maintenance. These failures were included along with random equipment failures.

Comments on the HPSI Fault Tree

Our review of the HPSI fault tree indicates no major problems with regard to validity, accuracy and completeness. The HPSI fault trees indicate that, for small, medium and large LOCA, the unavailability in support states 1 and 5 is dominated by common cause failures. Unavailability in support states 2 and 6 is dominated by the unavailability of the oil cooling system for the charging and SI pumps. In support states 3, 4, 7, and 8 the HPSI system unavailability is 1 due to dependent failures.

One item of concern is the vague description of success criteria. It is stated that 2 of 4 charging or HPSI pumps are required for a large LOCA and 1 of 4 charging or HPSI pumps are required for a medium LOCA. It is not clear, under this criterion, whether 2 charging pumps or 1 charging pump and 1 HPSI pump are the minimum requirement for system success in a large LOCA.

Similarly, it is equally unclear whether the success criteria imply that 1 charging pump is sufficient to mitigate a medium LOCA. Also, there is no consideration given to pump "run-out."

3.4.7 Low Pressure Safety Injection System

System Description

The low pressure safety injection (LPSI) system is designed to provide a large volume of water to the cold legs of the reactor coolant system in the event of a loss of coolant accident (LOCA). In the first phase of emergency core cooling (ECC), borated water from the RWST and the accumulators is delivered to the RCS cold legs. When the water level in the RWST reaches the low-low level limit, the LPSI system terminates injection and the second phase of ECC begins. This phase involves the recirculation of borated water from the containment sump to the RCS cold legs by the residual heat removal (RHR) pumps.

The LPSI system consists of the accumulators, the RHR pumps, and the associated valves, orifices, piping and supporting circuitry. There are four independent accumulator trains each of which is dedicated to one of the four reactor coolant system loops. The two RHR pumps are included in two redundant and independent trains. Each train delivers water to all four RCS loops.

System Fault Tree

The LPSI system fault tree was used to calculate the probability of system failure based on two system success criteria. The first criterion is associated with the large LOCA, vessel rupture, or interfacing systems LOCA initiating events. Water must be delivered from three accumulators and at least one full capacity RHR pump. System failure occurs when either one accumulator fails to discharge into an unbroken loop or when both RHR pumps fail to deliver water to three intact RCS loops. The second criterion is associated with the medium LOCA initiating event and requires that one out of two full capacity RHR pumps deliver to two intact cold legs.

Compatibility with the support states model required that the LPSI system fault tree be quantified for two cases. Case 1 addresses situations in which both trains of ac power are available and corresponds to support states 1 and 5. Case 2 addresses situations in which only one train of ac power is available and corresponds to support states 2 and 6. The LPSI system is unavailable in support states 3, 4, 7, and 8.

The LPSI system unavailability and dominant cut set contributions for cases 1 and 2 are summarized in Table 3.4.7-1. When both trains of ac power are available (case 1), unavailability of the accumulators is the dominant cut set, contributing 92 percent of the overall system unavailability.


Table 3.4.7-1 Dominant Contributors to LPSI System Unavailability

Components                                  Failure Probability (per demand)

Case 1: Both AC Trains Available
Accumulator check valves                    1.9 x 10-3 (92%)
Common cause                                1.6 x 10-4 (7%)
Total system                                2.1 x 10-3

Case 2: One AC Train Available
Circuit breaker on pump fails to close      2.1 x 10-3 (31%)
Accumulator check valves                    1.9 x 10-3 (29%)
Accumulator check valves                    1.4 x 10-3 (21%)
Other check valves                          6.4 x 10-4 (10%)
Total system                                6.7 x 10-3

When only one train of ac power is available (Case 2), 32 percent of the system failure probability is attributed to spurious closure of the actuation circuit of the motor-operated valve in the pump miniflow line. Failure of accumulator check valves contributes approximately 29 percent. Hardware faults of the RHR pump contribute 21 percent. Failure of the check valves in the suction and discharge lines of the RHR pump account for 10 percent of the failure probability.

Test and maintenance unavailability, common cause failures and human error are all included in the system fault tree. A test unavailability analysis is not included in the LPSI fault tree, because it is stated that tests do not make the system unavailable. Components outside of containment that can be isolated and tested for failure are maintained on an unscheduled basis. Thus, maintenance unavailability calculations have been done for check valves, air-operated valves, motor-operated valves and the RHR pumps. A common cause failure analysis was performed for the two RHR pumps and the motor-operated isolation valves in the pumps' miniflow lines. The common cause failure calculations were based on a binomial failure rate model. Human errors that were given credit for system failure involve failures to restore the RHR pumps and vital motor-operated and air-operated valves following test and maintenance.

Comments on the LPSI System Fault Tree

In general, the LPSI system fault tree appears to be accurate, complete and valid. Nonetheless, with regard to the long and short-term system success criteria there are issues that may require additional analysis.

The LPSI system is defined as including the RHR pumps and the accumulators. The success criterion is stated to be three accumulators and one RHR pump for the large LOCA, a vessel rupture or an interfacing systems LOCA (Event V). According to this criterion, the system is modeled as failed when one of three accumulators fails even when two RHR pumps are available.

It is not likely that failure of a single accumulator would result in a core melt when one or more RHR pumps is operating. The fact that accumulator failure appears to dominate LPSI failure could make this criterion an important conservatism. However, the LPSI is not a contributor to any risk at Millstone 3. Thus, this conservatism is not likely to be significant. Nonetheless, it should be recognized that for Event V the accumulators are of little use and the operation of the RHR system is not sufficient for success against this sequence. Finally, it is also speculative whether one RHR pump could prevent core melt for a rupture low in the reactor vessel.

The requirement for long-term operation of the RHR is not considered in the fault tree analysis. For long-term decay heat removal, the RHR may have to operate for several weeks. However, this would be the case only if the plant were not restarted. Additionally, the active components of the RHR are outside the containment where maintenance and repair could be readily performed. Thus, failure of the RHR in extended cooling mode is probably not a significant risk contributor.

3.4.8 Main Steam Isolation System

System Description

The main steam isolation (MSI) system is designed to prevent uncontrolled blowdown of the steam generators in the event of a steamline break. The system consists of one 30 inch steam-operated "Y" pattern globe valve per loop, for a total of four valves. The valves are located in the main steam piping downstream of the main steam safety and relief valves, in the main steam valve building.

The main steam isolation trip valves are designed to close within 5 seconds of receipt of a steamline isolation signal for all values of pressure differential across the valve. They are designed to fail in the closed position upon loss of electrical power or steam header pressure and are spring loaded in the closed direction. Main steamline header pressure acts as the operating medium for both the opening and closing operations of the valves. An external nitrogen supply is used for operation and testing of the valves when steamline header pressure is below approximately 185 psig.


Each main steam isolation trip valve is controlled by redundant pairs of solenoid valves (a set of train A and train B solenoid valves). Opening and closing sets of solenoid valves pressurize and vent the bottom and top of the valve operating piston compartment.

System Fault Tree

The MSI system fault tree was used to determine the probability of failing to achieve the system success criteria following a postulated steamline break. Two types of steamline break are considered, a steamline break inside containment and a steamline break outside of containment. For a steamline break inside containment the success criterion is closure of the MSI valve on the faulted steam generator/steamline or the closure of 3 out of 3 MSI valves on the unfaulted steam generator/steamlines. For a steamline break outside of containment the success criterion is closure of any 3 out of 4 MSI valves. Because the MSI system fails safe upon loss of power and does not depend on service water, the support states that relate to ESF electric power and service water supply are not addressed in the MSI failure analysis.

The calculated unavailability for the MSI system is:

Case                                  Mean System Unavailability   Variance
Steamline break inside containment    8.2 x 10-4                   7.1 x 10-7
Steamline break outside containment   1.5 x 10-3                   4.9 x 10-6

The dominant contributor to total unavailability in both cases is common cause failures. Common cause contributes 92 percent of the total mean unavailability for steamline breaks inside containment and 91 percent for steamline break outside containment.

Comments on the MSI System Fault Tree

No problems in terms of accuracy, completeness and validity were found with the MSI system fault tree. System failure is dominated by common cause contributions. The common cause failure analysis employs the binomial failure rate model, which is described in Appendix 2-C of the PSS and reviewed in Section 3.10 of this report. A separate common cause analysis was performed for each success criterion.

3.4.9 Quench Spray System

System Description

The quench spray system is designed to provide rapid short-term quenching of steam released from pipe breaks within containment. The system consists of two identical trains each of which contains a quench spray pump. These pumps feed two ring headers near the containment dome. The quench spray pumps take suction from the refueling water storage tank (RWST).

The quench spray system is initiated by a containment depressurization actuation (CDA) signal that results from coincident high containment pressure signals. The quench spray system is automatically terminated by a low level switch in the RWST. NaOH is added to the spray water in order to maintain a minimum pH and thus prevent long-term corrosion of stainless steel inside the containment once quench spray has been actuated.

The quench spray system in conjunction with the containment recirculation system is used to maintain the integrity of the containment structure.

Following a major primary or secondary pipe rupture inside containment, the system returns the containment to subatmospheric pressure by removing heat from the containment atmosphere. Figure 3.4.9-1 provides a schematic view of the quench spray system.

[Figure 3.4.9-1 Quench Spray System schematic: not reproduced in this text]

System Fault Tree

The quench spray fault tree models the capability of the two pumps to start and run and the availability of various valves to open on demand. In preparing the system fault tree the Millstone team gave consideration to the impact of independent component failures, test and maintenance, common cause failure and human errors. We have reviewed the fault tree and found it to be accurate, complete and valid with minor exceptions discussed below.

The quench spray system fault tree was quantified for two cases in order to represent the effects of the eight plant support states. These cases are:

Case A: Two trains of ac power available, corresponding to support states 1 and 5.

Case B: One train of ac power available, corresponding to support states 2 and 6.

For support states 3, 4, 7 and 8 the quench spray system is unavailable (Q=1). For Case A the unavailability of the quench spray is 3.2 x 10-4 with a variance of 1.0 x 10-7, and for Case B the calculated unavailability is 8.2 x 10-3 with a variance of 5.6 x 10-5.

When both trains of ac power are available, the dominant contributor to quench spray unavailability is common cause failure. Common cause makes up 70 percent of the system unavailability. Most of this is associated with common mode failures of both pumps to start and includes factors such as common design errors, common actuating logic and common test and maintenance procedures. Much of the remaining common cause unavailability comes from the two motor-operated discharge valves (MOV34A and MOV34B). Other contributors to overall unavailability are ESF logic (9%), pump faults (3%), and failures in the motor-operated discharge valves (2%). The residual unavailability comes from cross-train component failures.

When only one train of the Quench Spray System is available the major contributors to unavailability are pump failure to start (28%), pump hardware faults (17%), motor-operated discharge valve failure to open (26%), motor-operated discharge valve failure to remain open (12%) and check valve failures (12%). Table 3.4.9-1 summarizes the major contributors to quench spray system unavailability for Cases A and B.

Table 3.4.9-1 Quench Spray Unavailability

Dominant Contributors                                             Unavailability
                                                                  (failure/demand)
CASE A
  Common Cause                                                    2.24 x 10-4
  ESF Actuation Logic                                             3.00 x 10-5
  Pump Faults                                                     9.60 x 10-6
  Faults in one of the motor-operated valves MOV34A/MOV34B
    and in one pump in the opposite train                         9.8 x 10-6
  Faults in MOV34A and MOV34B                                     6.4 x 10-6
  Other Faults                                                    4.0 x 10-5
  Total                                                           3.2 x 10-4

CASE B
  Pump failure to start                                           2.3 x 10-3
  Failure of motor-operated valve MOV34A to open                  3.13 x 10-3
  Pump hardware faults                                            1.40 x 10-3
  Failure of motor-operated valve to remain open                  9.84 x 10-4
  Check valve faults                                              9.84 x 10-4
  Other faults                                                    4.02 x 10-4
  Total                                                           8.2 x 10-3
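The quantification step described above, written out as an added example (not code from the PSS or from this review): it sums the Case A contributors of Table 3.4.9-1 under the rare-event approximation, compares that with the exact union of the same contributors, recovers the percentage shares quoted in the text, and expands the two quantified cases onto the eight plant support states. Two assumptions of the example: the contributors are treated as independent events for the exact-union comparison, and the "Other Faults" entry is taken as 4.0 x 10-5, the value that makes the column sum to the stated total.

```python
"""Fault-tree system unavailability from dominant contributors, and the
two-case to eight-support-state expansion used for the quench spray system.
Added example; values are transcribed from Table 3.4.9-1, Case A."""

# Table 3.4.9-1, Case A: (contributor, unavailability per demand).
# "Other faults" assumed to be 4.0e-5 (makes the column sum to 3.2e-4).
CASE_A = [
    ("Common cause", 2.24e-4),
    ("ESF actuation logic", 3.00e-5),
    ("Pump faults", 9.60e-6),
    ("One MOV34A/B fault with one opposite-train pump fault", 9.8e-6),
    ("Faults in MOV34A and MOV34B", 6.4e-6),
    ("Other faults", 4.0e-5),
]


def rare_event_total(contributors):
    """Rare-event approximation: system unavailability is the plain sum of
    the cut-set probabilities. This is how PRA tables like 3.4.9-1 total."""
    return sum(p for _, p in contributors)


def exact_union(contributors):
    """Unavailability if the contributors were independent events:
    1 - prod(1 - p). Differs from the sum only by second-order terms,
    which is why the rare-event sum is acceptable at these magnitudes."""
    survive = 1.0
    for _, p in contributors:
        survive *= 1.0 - p
    return 1.0 - survive


def shares(contributors):
    """Percent share of each contributor in the rare-event total, rounded
    to whole percent as the review quotes them (70%, 9%, 3%, 2%)."""
    total = rare_event_total(contributors)
    return {name: round(100.0 * p / total) for name, p in contributors}


def support_state_table(case_a, case_b):
    """Expand the two quantified cases onto the eight support states as the
    review describes: Case A (two ac trains) covers states 1 and 5, Case B
    (one ac train) covers states 2 and 6, and the system is unavailable
    (Q = 1) in states 3, 4, 7 and 8."""
    table = {}
    for state in range(1, 9):
        if state in (1, 5):
            table[state] = case_a
        elif state in (2, 6):
            table[state] = case_b
        else:
            table[state] = 1.0
    return table


if __name__ == "__main__":
    total = rare_event_total(CASE_A)
    print(f"Case A rare-event total: {total:.3e}")
    print(f"Case A exact union:      {exact_union(CASE_A):.3e}")
    for name, pct in shares(CASE_A).items():
        print(f"  {pct:3d}%  {name}")
    for state, q in support_state_table(total, 8.2e-3).items():
        print(f"support state {state}: Q = {q:.2e}")
```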

Four sets of common cause failure are used to calculate the common cause unavailability of the quench spray system. These are:

1) Failure of the quench spray pumps in the A and B trains to start.
2) Failure of the quench spray pumps in the A and B trains to run.
3) Failure of the motor-operated valves in the A and B trains to open and allow spray discharge through the ring headers.
4) Failure of the motor-operated valves in the A and B trains to remain open.

Common cause calculations for the quench spray system assume a binomial failure rate model. This failure rate model is described in Appendix 2-C of the Millstone PSS and reviewed in Section 3.10 of this report. Contributions to each failure mode from actuation logic are included in the individual binomial failure rates for the components.

Two additional common cause failures were considered, but judged by the PSS authors to be insignificant contributors to unavailability. These are

1) freezing of the RWST and quench spray lines and 2) common cause failures of pairs of check valves.

There are three human errors which are included in the quench spray system fault tree as contributors to system unavailability. These are 1) failure to properly close the gate valves (valves 36 and 37 on Figure 3.4.9-1) in the pump test line following test or maintenance, 2) failure to restore the locked open gate valves (28 and 29) following tests of the motor-operated discharge valves (40 and 41), and 3) failure to restore the quench spray actuation of the ESF logic following its test.

Comments on the Quench Spray Fault Tree

Our review of the quench spray system fault tree indicates that it is accurate, complete and valid with only minor reservations. One question is why the effect of test and maintenance on the motor-operated discharge valves MOV34A and MOV34B (valves 40 and 41 on the P&ID) was not modeled in the fault tree. Another concern involves the exclusion of freezing of the RWST and quench spray lines and of common cause failures of pairs of check valves from the list of categories. Our concern is not that these could be major contributors but that the authors judged these modes to be insignificant contributors to unavailability without demonstrating this quantitatively. Finally, it is of interest that failure of RWST water cooling is not modeled. It seems clear that, although this system is not necessary for proper functioning of the RWST, its failure would affect containment performance during LOCA accidents. We feel that some estimate of chilled water system availability would be useful in making an accurate assessment of damage states or accident recovery.

3.4.10 Safety Injection Pump Cooling System

System Description

The purpose of the safety injection pump cooling system is to cool the bearing oil of the safety injection pumps. It is a safety related system and a critical support system for the High Pressure Safety Injection System. The system is made up of two safety injection pump cooling pumps, two safety injection pump oil coolers, two heat exchangers, and a shared cooling surge tank. Each safety injection pump has a dedicated cooling pump, heat exchanger and oil cooler. The heat exchanger interfaces with the service water system. The surge tank is supplied by the reactor plant component cooling water.

Normally, the safety injection pump cooling system is not in operation. It is designed to start automatically when the associated safety injection pump starts.

System Fault Tree

The system fault tree was used to model the unavailability of safety injection pump cooling in a single train. The calculated unavailability of each train is 7.32 x 10-3 per demand. Pump faults contribute 96 percent of the overall system unavailability. Of this, actuation system faults are associated with 36 percent of the unavailability, loss of control power to the pump circuit breaker contributes 32 percent and hardware faults contribute 20 percent. Residual unavailability for each train is due to piping faults, heat exchanger faults and check valve faults. Table 3.4.10-1 summarizes the dominant cut sets that contribute to overall unavailability of the safety injection pump cooling system.

Unavailability of both pump cooling systems is only a consideration when ac power and service water are available to both trains. In this case common cause failure dominates the calculated unavailability of both systems. The common cause unavailability contribution from the safety injection pump cooling system to the high pressure safety injection system is calculated to be 1.43 x 10-4.

The safety injection pump cooling pumps are tested monthly on a staggered basis. However, the system is not unavailable during tests. All components that can be isolated and are outside containment are maintained as necessary on an unscheduled basis. Maintenance unavailability estimates for the high pressure injection system include contributions from maintenance on the safety injection pump cooling system.

Consideration of human errors resulted in the conclusion that no human errors are credible for the safety injection pump cooling system.

Comments

Our review of the safety injection pump cooling system revealed no significant omissions or problems. Nonetheless, the fault tree was remiss in some general areas. Pump capacities, water source requirements and power requirements were not fully described. The system success criteria were not fully described. Table 2.23.2.10.3-1 lists the mission time for the motor operated pump as 3 hours. However, the basis for this value is not presented. It should be noted that failure of this system when both trains are available is dominated by common cause failures.

Table 3.4.10-1 Dominant Cut Sets for the Safety Injection Pump Cooling System

Component Cut Set                                         Probability
                                                          (failure/demand)
Motor driven pump actuation circuit fault                 2.6 x 10-3
Loss of control power to circuit breaker or pump          2.34 x 10-3
Failure of motor driven pump to start and run             1.49 x 10-3
Failures of bus circuit breaker                           2.43 x 10-4
Check valve failure                                       3.2 x 10-4
Motor driven pump trip circuit faults                     2.34 x 10-4
Other faults                                              1.3 x 10-5
Mean Value                                                7.32 x 10-3

3.4.11 Charging Pump Cooling

System Description

The charging pump cooling system is a safety-related system that cools the gear and bearing oil of the charging pumps. This system is essential for the operation of the charging pumps and thus necessary to mitigate the consequences of a loss of coolant accident. The system consists of two charging pump cooling pumps, two heat exchangers which transfer heat from the cooling system to the service water, three charging pump oil coolers, and a shared surge tank. One of the cooling pumps is normally running while the other is on standby. In the event of a safety injection signal or loss of power signal, the standby pump automatically starts. In addition, when the standby pump is running, the isolation valves are aligned so that each cooling pump and heat exchanger is dedicated to one charging pump.

System Fault Tree

The system fault tree was used to model the effect of charging pump cooling system unavailability on the unavailability of the high pressure safety injection system (HPSI). One fault tree was used for both trains of the charging pump cooling system. However, different calculations were used for component unavailabilities in the train of charging pump cooling in which the cooling pump is operating (train A) and the standby train (train B). For loss of offsite power events (Support State 5) both trains were modeled in standby.

The unavailability for the operating train was calculated to be 5.3 x 10-4. The dominant cut sets for this train are listed in Table 3.4.11-1. Check valve faults contribute 60 percent to unavailability and failures of the motor-driven pump to run contribute 28 percent.

Unavailability of the standby train was determined to be 1.2 x 10-2. The dominant cut sets for this train are also listed in Table 3.4.11-1.

Ninety-eight percent of the unavailability is due to faults in the motor-driven pump. These are further composed of a 41 percent contribution from trip circuit faults, 22 percent from actuation system faults, 20 percent from loss of control power to the pump circuit breaker, 13 percent from pump hardware faults and 2 percent from circuit breaker hardware faults.

Common cause failures are determined for Support States 1 and 5 (ac power and service water available to both trains). For all other Support States only one train of charging pump cooling is available. The common cause calculations for the charging pump cooling system assume a Binomial Failure Rate Model.

For Support State 1 (all systems available) the calculated unavailability of both cooling trains is 3.6 x 10-6. The unavailability for Support State 4 (loss of offsite power) is 5.4 x 10-5.

The charging pump cooling pumps are tested monthly on a staggered basis.

All isolable components outside of containment are assumed to be maintained as necessary on an unscheduled basis. The cooling system unavailability as a result of maintenance has been incorporated into the maintenance unavailability of the charging pumps.

No human errors were judged to be credible for the charging pump cooling system.

Comments

Our review of the charging pump cooling system fault tree identified some items of note. There is an inconsistency between the failure probability listed in the input table and the value listed for the same component in the list of cut sets. The pump trip circuit for both the operating and standby pumps is calculated to have a component failure probability of 2.34 x 10-4. Nonetheless, the cut sets for this component list its failure probability as 4.01 x 10-5 for the operating train and 4.83 x 10-3 for the standby train. The reason for the difference is not discussed.

Table 3.4.11-1 Dominant Cut Sets for the Charging Pump Cooling System

Component                                                     Failure Probability
                                                              (failure/demand)
Operating Train
  Check valve failure to operate                              3.2 x 10-4
  Motor driven pump failure to run                            1.46 x 10-4
  Trip circuit faults on motor driven pump                    4.01 x 10-5
  Loss of control power to circuit breaker
    on motor-driven pump                                      1.95 x 10-5
  First moment                                                5.3 x 10-4

Standby Train
  Trip circuit faults on motor-driven pump                    4.83 x 10-3
  Actuation system faults for motor-driven pump               2.6 x 10-3
  Loss of control power to circuit breaker
    on motor-driven pump                                      2.34 x 10-3
  Motor driven pump failure to start and run                  1.49 x 10-3
  Bus circuit breaker failure to close                        3.38 x 10-4
  Check valve failure                                         3.4 x 10-4
  Mean Value                                                  1.19 x 10-2

It should be noted that for the charging pump cooling system the unavailability of both trains due to random failures is greater than that due to common cause. For Support State 5 (no offsite power), the unavailability of both trains of the charging pump cooling system due to random failures is 1.42 x 10-4, which is roughly a factor of two larger than the common cause unavailability (5.40 x 10-5). When offsite power is available (Support State 1) the unavailability of both trains due to random failures is 6.3 x 10-6 and that due to common cause is 3.6 x 10-6.
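To see where the both-train random figures come from, an added example (not code from the PSS or from this review) that multiplies the per-train unavailabilities of Table 3.4.11-1 and compares the result with the common cause values quoted above. Treating the random failures of the two trains as independent is this example's assumption, not a statement on the page; the match with the quoted 1.42 x 10-4 and 6.3 x 10-6 is what suggests the PSS did the same.

```python
"""Random-failure versus common cause unavailability of both charging pump
cooling trains. Added example; per-train values are from Table 3.4.11-1
and the common cause values from the review text."""

OPERATING_TRAIN = 5.3e-4   # Table 3.4.11-1, first moment, operating train
STANDBY_TRAIN = 1.19e-2    # Table 3.4.11-1, mean value, standby train

# Both-train common cause unavailability quoted in the review, by support
# state: State 1 (offsite power available) and State 5 (no offsite power).
COMMON_CAUSE = {1: 3.6e-6, 5: 5.40e-5}


def both_trains_random(support_state):
    """Both-train unavailability from random failures, assuming the two
    trains fail independently (this example's assumption). In Support
    State 5 the PSS models both trains in standby, so the standby value is
    used twice; in State 1 one train is operating and one is in standby."""
    if support_state == 5:
        return STANDBY_TRAIN * STANDBY_TRAIN
    if support_state == 1:
        return OPERATING_TRAIN * STANDBY_TRAIN
    raise ValueError("both trains are available only in Support States 1 and 5")


def random_to_common_cause_ratio(support_state):
    """How much larger the random both-train term is than common cause."""
    return both_trains_random(support_state) / COMMON_CAUSE[support_state]


def both_trains_total(support_state):
    """Random plus common cause contributions, rare-event sum."""
    return both_trains_random(support_state) + COMMON_CAUSE[support_state]


if __name__ == "__main__":
    for state in (5, 1):
        print(f"Support State {state}: random {both_trains_random(state):.2e}, "
              f"common cause {COMMON_CAUSE[state]:.2e}, "
              f"ratio {random_to_common_cause_ratio(state):.2f}, "
              f"total {both_trains_total(state):.2e}")
```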

3.4.12 Low Pressure Recirculation System

System Description

The low pressure recirculation system is an engineered safeguards system which is designed to provide long-term core coverage and decay heat removal following a medium or large LOCA.

The low pressure recirculation system becomes functional in the latter phase of a LOCA. The system is designed to operate in two modes, spray mode and safety injection mode. The system takes suction from the containment sump and pumps it through coolers (cooled by service water) to the containment recirculation headers (spray mode) and/or to the reactor coolant system (safety injection mode). The spray mode of operation is actuated automatically on high-high containment pressure. The safety injection mode of operation is actuated manually from the main control board. The system then remains in long-term operation after an accident until terminated by administrative control.

System Fault Tree

The fault tree was developed in accordance with the system success criteria, which require delivery of coolant flow from one containment recirculation pump to at least one intact reactor coolant loop following a large or medium LOCA.

Operator action is required to isolate flow to the spray headers, secure the refueling water storage tank (RWST), and align valves for injection to the reactor coolant system (RCS). These operator actions have been explicitly modeled in the fault tree.

The low pressure recirculation system fault tree was quantified for two cases in order to represent the effects of the eight support states. Case 1 addresses situations in which both trains of ac power are available and corresponds to support states 1 and 5. Case 2 addresses situations in which only one train of ac power is available and corresponds to support states 2 and 6. For cases corresponding to support states 3, 4, 7 and 8 the low pressure recirculation system is unavailable. Table 3.4.12-1 summarizes the calculated unavailability of this system for each of the eight support states.

The calculated system unavailability for Case 1 is 3.0 x 10-3. Common cause failure is the dominant contributor and accounts for 18 percent of the total unavailability. The dominant random failure contributor was found to be plugging of the service water motor-operated butterfly valves. Coincident failure of these valves accounts for 6 percent of the total system unavailability. The remaining unavailability is made up of hundreds of two-element cut sets.

The calculated system unavailability for Case 2 is 4.9 x 10-2. Of this, approximately 26 percent is due to the single failure of a motor-operated service water isolation valve on one of the containment cooling heat exchangers. The unavailability of this valve is the result of flow tests during refueling. Local faults of other valves account for an additional 33 percent of system unavailability.

Contributions from test and maintenance, common cause failure and human error were included in the system fault tree.

Comments

No significant problems were found regarding the accuracy, completeness and validity of the fault tree analysis for the low pressure recirculation system.

Table 3.4.12-1 Low Pressure Recirculation System Unavailability Results

Support State      System Unavailability (failure/demand)
1                  3.0 x 10-3
2                  4.9 x 10-2
3                  1.0
4                  1.0
5                  3.0 x 10-3
6                  4.9 x 10-2
7                  1.0
8                  1.0

3.4.13 High Pressure Recirculation System

System Description

High pressure recirculation is an operational mode in which the charging and safety injection pumps are aligned in series, or "piggy-back operation", with the containment recirculation system (CRS) pumps. These engineered safeguards systems act to maintain long-term reactor coolant system inventory while removing decay heat during recovery from a small or medium sized LOCA.

The recirculation pumps take suction from water in the containment sump and pump it through heat exchangers to the suction of the high pressure pumps, which inject to the RCS. Alignment of valves and starting of the low pressure pumps is performed manually at the main control board when indications of low-low RWST level and automatic shutoff of the RHR pumps are received.

System Fault Tree

The fault tree for the high pressure recirculation system (HPRS) was used to calculate its unavailability in terms of the system success criterion. This criterion specifies that coolant flow be delivered to two of three intact reactor coolant loops from one of four pumps (two charging pumps and two HPSI pumps) by taking suction from one of two recirculation pumps. Component unavailability for system operation was analyzed for the initial phase of coolant recirculation following a LOCA. The analysis assumed a total run time of twenty-four hours just prior to recirculation switch-over to the hot legs of the reactor coolant system. The analysis also assumed successful operation of the HPSI pump during the injection phase of emergency core cooling.

Operator action is required to initiate high pressure injection recirculation flow. The operator has to isolate flow to the spray headers from the two recirculation pumps and align the discharge of these pumps to the suction of the charging and safety injection pumps. This is accomplished by opening isolation valves in the cross-connect lines that link the suction lines of the charging pumps with those of the safety injection pumps. At the same time, the operator must close isolation valves that tie the suction of these pumps to the refueling water storage tank (RWST). The closing and opening of the isolation valves by the operator was modeled in the system fault trees.

The HPRS system fault tree was quantified for two cases in order to represent the effects of the eight support states. Case 1 addresses situations in which both trains of ESF ac power and both trains of service water are available and corresponds to support states 1 and 5. Case 2 addresses situations in which only one train of ESF ac power is available and corresponds to support states 2 and 6. The HPRS is unavailable in support states 3, 4, and 8. Table 3.4.13-1 summarizes the calculated unavailability of the HPRS for each of the eight support states.

The calculated system unavailability for Case 1 is 5.85 x 10-3 per demand. Common cause is the dominant contributor, making up approximately 30 percent of the total. Random failures of motorized valves in the service water system are the next most dominant contributor. At least one of these valves must open to admit service water into its associated containment recirculation cooler. Coincident failure of both valves (failing closed) accounts for 3 percent of total system unavailability. Mechanical failure of either valve coincident with failure of some other HPRS component accounts for an additional 10 percent of total system unavailability. The remaining unavailability is made up of hundreds of two-element cut sets.

The calculated system unavailability for Case 2 is 5.84 x 10-2 per demand. Approximately 19 percent of the total is due to the single failure of a motor-operated service water isolation valve on one of the containment cooling heat exchangers. An additional 32 percent of system unavailability is due to failure of any one of seven motorized valves in the system to change state to its required accident position. The residual system unavailability is made up of other single component random failures, including failure of the containment spray pump to start and run and failure of an operator to open two motorized valves.

Table 3.4.13-1 High Pressure Recirculation System Unavailability Results

Support State      System Unavailability (failure/demand)
1                  5.85 x 10-3
2                  5.84 x 10-2
3                  1.0
4                  1.0
5                  5.85 x 10-3
6                  5.84 x 10-2
7                  1.0
8                  1.0

Comments on the HPRS System Fault Tree

In general, the fault tree for the HPRS system was accurate, complete and valid. Nonetheless, there are some potential problems concerning the assumptions made in the common cause calculations. These assumptions require scrutiny since common cause is a major contributor to system unavailability.

The common cause failure analysis for the HPRS system required an understanding of which permutations of components (or trains) are common and which are diverse. In order to carry out the analysis the PSS makes the following assumptions regarding the commonality of components:

1. The HPSI pump trains are diverse from the charging pump trains because the charging pumps are operating type pumps whereas the HPSI pumps are standby type pumps.
2. Motor-operated gate valves (MOGV) are assumed to be common.
3. Motor-operated globe valves (MOGLV) are assumed to be common.
4. Motor-operated butterfly valves (MOBV) are assumed to be common.
5. Motor-operated gate, globe and butterfly valves are diverse from each other.
6. No common cause potential exists between containment recirculation pumps and either HPSI or charging pumps because of the significant differences in the pump design.
7. No common cause potential exists for redundant pairs of check valves failing to open in high pressure systems.
8. The contribution to common cause failure due to plugging of the sump screens was assumed to be negligible when compared to other common cause contributors.

In general no supporting basis was given for these assumptions. While most of the assumptions appear reasonable, item 7 does not. We suggest that consideration be given to common cause failures in check valves. The most likely cause for such failures would appear to be corrosion effects or design defects, both of which are potentially common cause effects. Such a problem has been found on at least one occasion.

3.4.14 Containment Recirculation Spray System

System Description

The containment recirculation spray system is designed to provide long term removal of heat from the containment atmosphere following a LOCA or steam line break inside containment. This system operates in conjunction with the quench spray system to restore the containment to subatmospheric pressure.

The containment recirculation spray system consists of two 100-percent capacity trains which are each connected to both of the ring spray headers inside containment. Each train has two of each of the following items: a normally open containment sump suction isolation valve, a recirculation pump, a heat exchanger, and a normally open spray header isolation valve. Pump operation and valve opening are automatically actuated on high-3 containment pressure after a five minute time delay. This delay is provided to ensure an adequate supply of water in the sump for pump operation.

System Fault Tree

The system fault tree was used to calculate the failure to achieve the system success criterion, which is to deliver sufficient recirculation flow to 1 of 2 containment spray headers.

The effects of test and maintenance and common cause are considered in the fault tree model. The analysis assumes that testing will not contribute to system unavailability of the containment recirculation spray. This is based on the observation that sufficient time will be available, between the onset of an accident and the time when the system is actually needed, for an operator to remove a component from test and place it in the required operating mode. The only maintenance included in the system fault tree is that of the recirculation pumps. Common cause failures are modeled using the Binomial Failure Rate Model.

The system fault tree was quantified for two cases in order to represent the effects of the eight plant support states. Case 1 addresses situations in which both trains of ac power are available and corresponds to support states 1 and 5. Case 2 addresses situations in which only one train of ac power is available and corresponds to support states 2 and 6. The containment recirculation spray system is unavailable in Support States 3, 4, 7 and 8. Table 3.4.14-1 summarizes the calculated unavailabilities of the recirculation spray system for each support state.

In Case 1 the dominant contributor to system unavailability is common cause, accounting for 28 percent of the total. The dominant random failure contributor to system unavailability was found to be local faults resulting in plugging of service water motor-operated valves. Coincident failure of these valves accounts for 8 percent of the total system unavailability. The residual unavailability is made up of hundreds of two-element cut sets, such as failure of a pump in one train while a motor-operated valve in the opposite train fails to open.

In Case 2 the dominant contributor to system unavailability is failure of the service water containment cooler isolation valve, accounting for 34 percent of the total system unavailability. The large unavailability associated with this valve results from the length of the interval between flow tests. The valve is only tested during refueling outages.

Comments on the System Fault Tree

For the most part, the containment recirculation spray system fault tree was found to be accurate, complete and valid. Failure of this system when both trains are available is dominated by common cause failures. However, in the fault tree model, the plugging failure of containment sprays was identified as a noncredible event and thus not included in the analysis. No qualitative or quantitative justification was given for this exclusion.

Table 3.4.14-1 Containment Recirculation Spray System Unavailability Results

Support State      System Unavailability (failure/demand)
1                  2.0 x 10-3
2                  3.8 x 10-2
3                  1.0
4                  1.0
5                  2.0 x 10-3
6                  3.8 x 10-2
7                  1.0
8                  1.0

3.4.15 Service Water System

System Description

The Service Water System (SWS) is a major plant support system. It cools a number of important emergency and normal system heat loads. The systems relying on the service water system for cooling include:

Auxiliary Feedwater Emergency Makeup
Charging Pump Cooling System
Containment Recirculation Coolers
Containment Recirculation Pump Vent Units
Control Building Chillwater Backup
Control Building Air Conditioning Water Chillers
Emergency Diesel Generator Coolers
Emergency Spent Fuel Pool Makeup
Lube Water to Circulating Water Pumps
MCC and Rod Control Area Air Conditioning Units
Post Accident Liquid Sample Cooler
RHR Pump Vent Units
RPCC Heat Exchangers
Safety Injection Pump Cooling
Service Water Pumps Lubricating Water
TPCC Heat Exchangers

The Service Water System consists of two trains, each of which contains an inservice pump and a standby pump. The standby pumps are blocked on the discharge side by normally closed motor operated valves. Each pump is used in the service mode 50 percent of the time and in the standby mode the remainder of the time. If an inservice pump fails, the drop in pressure downstream of the pump is sensed and the corresponding standby pump is automatically started. The MOV downstream of the standby pump receives an opening signal as well.

System Fault Tree

The Service Water System fault tree was used to calculate the probability that the system fails to feed emergency loads. The fault tree model includes the effects of maintenance and common cause failures on system unavailability.

Test unavailability was not modeled because there are no formal tests on the system. Common cause failures are modeled using the Binomial Failure Rate Model. The study identified no human errors that could significantly compromise system availability.

The service water fault tree was quantified for four cases. These four cases and the calculated unavailability for each case are summarized in Table 3.4.15-1.

For cases 1 and 3 the dominant contributor to system unavailability is strainer plugging due to common cause. This failure is responsible for essentially 100% of the system unavailability in these two cases.

The dominant contributor to system unavailability for Case 2 is also strainer plugging, responsible for 30 percent of the unavailability. The remainder of the unavailability is attributable to a number of random failure cut sets, none of which contributes more than 81 percent to the total unavailability.

The dominant cut set for Case 3 is the random failure loss of dc control power to the pumps' circuit breakers, which prevents both pumps from starting.

This contributes 67 percent of the total unavailability. The residual unavailability is made up of many cut sets each of which contributes no more than four percent. Common cause failure due to strainer plugging is responsible for four percent of the unavailability.

Comments on the Service Water System Fault Tree

Our review of the service water system fault tree identified a number of concerns regarding the accuracy, completeness and validity of the analysis. These concerns are enumerated in the paragraphs below.


Table 3.4.15-1 System Unavailabilities for Service Water System

Case                                                  Unavailability (failure/demand)
Case 1: AC Power Available to Both Buses              7.44 x 10-6
        Offsite Power Available to Both Buses
Case 2: AC Power Available to Both Buses              2.47 x 10-5
        Offsite Power Available to Both Buses
        One Train of Service Water Available
Case 3: AC Power Available to Both Buses              7.44 x 10-6
        No Offsite Power Available
Case 4: AC Power Available to One Bus                 1.80 x 10-4
        No Offsite Power Available
        One Train of Service Water Available


On Page 2.3.3.15-2, it is stated that the "potential diversion paths" to turbine plant and reactor plant component cooling heat exchangers are not considered in the SWS fault tree. They are stated to be included in the "recirculation cooling system fault tree". It is not clear what "diversion flow" means, or its consequence. Further, there is no fault tree analysis provided for any system entitled "recirculation cooling".

It is stated on Page 2.3.3.15-2 that "significant potential for blockage of the (SWS) strainers exists upstream of the service water pumps". Indeed, strainer plugging was subsequently found to be the major contributor to SWS failure for Cases 1, 2 and 3. However, on Pg. 1-D-4 (App. 1-D, Vol. 2), the common cause strainer plugging failure was ruled out, apparently based on (1) automatic backwash capability, (2) high pressure differential alarms in the control room, and (3) greatly reduced intake water flow should one train fail. The probability of total loss of the service water system was subsequently determined to be 8.68 x 10-12/hr in Appendix 1-D (Pg. 1-D-5). However, the results in Table 2.4.15-1 indicate that the failure rate is 3.1 x 10-7/hr (assuming a 24 hour mission time).

The SWS failure considered in Section 2.3.3.15 was only for the case where SWS is required after an accident has been initiated by other means. A 24-hour mission time was assumed, yielding a failure rate of (3.1 x 10-7/hr)(24 hr) = 7.44 x 10-6. Actually, the mission time required could be much longer since core cooling is needed for several weeks if the plant remains in a shut down condition following sustained power operation.
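The mission-time sensitivity raised in the preceding paragraph can be made concrete. The following Python is added here as a worked illustration; it is not part of the LLNL review or of the Millstone PSS. It takes the Section 2.3.3.15 rate of 3.1 x 10-7/hr and evaluates the SWS failure probability over the assumed 24-hour mission and over multi-week periods (the week-based mission lengths are assumed for illustration), using the constant-rate relation P = 1 - exp(-λt), of which the (λ)(t) product quoted in the text is the small-λt approximation. It also forms the core melt product from the review's own annual SWS and AFS figures under the independence assumption the review states.

```python
import math

# Failure rate for the service water system quoted in the review from
# Section 2.3.3.15 of the PSS (per hour).
LAMBDA_SWS_PER_HR = 3.1e-7

# Mission lengths to compare (hours). The 24-hour value is the PSS assumption;
# the longer periods are assumed here to illustrate the review's point that
# core cooling may be needed for several weeks after shutdown.
MISSION_HOURS = {
    "24 hours": 24,
    "1 week": 24 * 7,
    "3 weeks": 24 * 21,
    "6 weeks": 24 * 42,
}


def failure_probability(rate_per_hr, mission_hr):
    """Probability that a component with a constant failure rate fails
    within the mission: P = 1 - exp(-lambda * t)."""
    return 1.0 - math.exp(-rate_per_hr * mission_hr)


def linear_approximation(rate_per_hr, mission_hr):
    """The lambda*t product used in the text; valid while lambda*t << 1."""
    return rate_per_hr * mission_hr


def mission_time_table(rate_per_hr=LAMBDA_SWS_PER_HR, missions=MISSION_HOURS):
    """Map each mission label to (exact probability, ratio to the 24-hour value)."""
    p24 = failure_probability(rate_per_hr, 24)
    table = {}
    for label, hours in missions.items():
        p = failure_probability(rate_per_hr, hours)
        table[label] = (p, p / p24)
    return table


def core_melt_frequency(p_sws_per_year, p_afs_given_sws):
    """Product the review forms under the assumption that the AFS is
    independent of the SWS (both inputs are the review's own figures)."""
    return p_sws_per_year * p_afs_given_sws


if __name__ == "__main__":
    for label, (p, ratio) in mission_time_table().items():
        print(f"{label:>9}: P(fail) = {p:.2e}  ({ratio:.0f}x the 24-hour value)")
    print(f"core melt frequency: {core_melt_frequency(2.71e-2, 6.8e-5):.2e}/yr")
```

The 24-hour result reproduces the 7.44 x 10-6 in the text; a three-week mission raises the unavailability by the same factor of 21 as the mission length, which is the effect the review is pointing at.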

Another concern regards the failure to treat SWS failure as an initiating event in light of the fault tree results. If SWS fails, the plant would trip, and it appears the only available core heat removal system is auxiliary feedwater if there are no dependencies between SWS and AFS (see also Pg. 1-D-5). While there appear to be no direct dependencies, this should be clearly demonstrated. For example, the SWS provides cooling for the component cooling system (per Fig. 2.3.3.15.2-1) which may provide cooling to AFS pumps, lubricating oil, or pump rooms.

In any event, the possibility of SWS failure was considered in Appendix 1-D and dismissed due to the extremely low probability (based on the 9.68 x 10-12/hr failure rate) and independence from the AFS. If the Section 2.3.3.15 failure rate of 3.1 x 10-7/hr is used, the annual failure probability is 2.72 x 10-2/hr. If the AFS is assumed to be independent of the SWS, the core melt probability would be:


(2.71 x 10-2)(6.8 x 10-5) = 1.8 x 10-6 /yr.

This result would not be a dominant contributor to the core melt probability (total = 4.5 x 10-5), but it could be to latent fatality risk, although it is doubtful if the number of latent fatalities could approach the number computed for the V-sequence with a probability of 1.9 x 10-6/yr. This assumes, of course, that there are no SWS-AFS dependencies, and that the AFS failure probability is correctly assessed in Section 2.3.3.5. As indicated previously, the AFS failure probability appears optimistic, especially early in the plant operating life.

Also at issue in this assessment is the choice of a realistic value for service water failure given the substantial difference between the results in Appendix 1-D and the result in Section 2.3.15. In attempting to resolve this issue we reviewed a recent ORNL report on service water system events (2).

In the ORNL report, 16 events involving service water systems were found, including two events involving strainer plugging, during the January 1979 through June 1981 time period. In one case, total loss of service water did occur, but the function was eventually restored by use of other systems. The ORNL report concludes that screens and filters in SWS are susceptible to clogging whether or not self-cleaning mechanisms are used. These results would tend to indicate a failure rate closer to the Section 2.3.3.15 value than Appendix 1-D.

3.4.16 Vital DC System

The fault tree was not formally included in the main text of the Millstone PSS. However, a fault tree for this system was developed in Appendix 1-E for input to the initiating events analysis. We are reviewing this system here because it is an important support system for the loss of offsite power and because the results of the vital dc fault tree are used in other fault trees as a basic event.

System Description

The vital dc buses provide essential dc loads to normal and safety related equipment. The dc power system has 6 separate systems -- two normal dc power systems serving nonsafety related loads and four Class 1E dc power systems serving safety related loads.

The Class 1E dc power is divided into four separate channels. Two channels are devoted exclusively to supplying power to an associated 120V ac vital bus, VIAC-3 and VIAC-4, in the event of a loss of power on these buses. The other two channels, in addition to being able to supply vital 120V ac buses VIAC-1 and VIAC-2, also supply other safety related dc loads. The redundancy of the system is such that modeling the failure of the two dc buses supplying VIAC-1 and VIAC-2 essentially corresponds to a model of the failure of all dc power.

The Class 1E 125V dc power system equipment for each channel consists of one operating battery charger, one spare battery charger shared by two channels of the same train, one 125V dc battery, and one distribution switchboard. On each of the two channels that also supply other safety related dc loads, additional distribution panels are included. Figure 3.4.16-1 provides a simplified line drawing of the vital dc bus 125-VDC-1 that was used for the system fault tree.

The source of power to each of the four Class 1E 125V dc bus channels is supplied from either its associated battery charger or battery. The battery charger is powered by the emergency 480V bus corresponding to that train. Each set of two 125V dc buses has one spare battery charger to serve as a backup for the two operating battery chargers. This spare battery charger is connected to both buses of the set through normally opened circuit breakers, which are key-interlocked to prevent inadvertent interconnection of both emergency 125V dc buses. The spare battery charger is powered from the associated train emergency 480V ac bus.

System Fault Tree

The system fault tree model was used to quantify the frequency of failure of a single dc bus and the frequency of total dc power failure. The fault tree model including the 24 hour mission failure rates is shown in Figure 3.4.16-2. The fault tree calculation provided a failure probability of 5.36 x 10-6/day for losing a single bus. The frequency of losing any one of the two most critical DC buses (125-VDC-1 and 125-VDC-2) was quantified by doubling the failure probability of a single bus. This gives a failure frequency of 3.91 x 10-3/yr for losing one of the two critical buses.

The frequency of losing the entire vital dc power system was defined in the Millstone PSS as the frequency of losing a second vital dc source given that the other vital dc source is already in an unavailable state. This failure rate is calculated using a time-dependent reliability model which includes a time-dependent recovery model. This model treated the two channels as completely independent. No allowance was made for common cause failures. The recovery model assumes there is a 0.34 probability that a single channel will be recovered within 20 minutes and a probability of 1.0 that a single channel will be recovered within 24 hours. The calculated frequency for losing all dc power is 1.4 x 10-8/yr.

The system fault tree for vital dc does not account for unavailability due to test and maintenance or human error.

Comments on the Vital DC Fault Tree

Our review of the dc fault tree revealed potentially significant problems regarding the accuracy, completeness and validity of the system fault tree.

These concerns are enumerated in the paragraphs below.

Our major concern involves the failure of the fault tree to model the unavailability on demand, given that there has been a loss of offsite power.

The fault tree (Figure 3.4.16-2) models the availability of dc power given that ac power is available in the vital ac. The structure of the tree does not allow the determination of dc unavailability given loss of offsite power.

During the first few seconds of this event the portion of the vital dc system that includes the batteries and the components that transmit power from the dc bus to the vital ac bus and the EGLS is a crucial subsystem whose failure could rapidly lead to potentially serious damage states (see Section 3.4.4).

Another issue is the optimistic treatment of the failure rate for both dc channels. Two rather speculative assumptions lead to a result of 1.4 x 10-8/yr, which is quite low for the frequency of losing the entire dc system. One assumption is that there is no allowance made for common cause failures in the dc system. The second involves a rather optimistic value for the recovery of a single channel once it has failed. It is our opinion that a more realistic value for the failure rate of both dc channels would be of the order of 10-5.

Figure 3.4.16-1 Simplified Diagram of Vital DC Bus 125-VDC-1
(Figure not reproduced. Legible elements: 125 V dc bus 125-VDC-1 fed by a battery charger and a battery; an inverter to vital ac bus 120-VAC-1; a 125V distribution panel feeding the RPS and dc distribution panels; loads including switchgear control power, RHR, SI and an MCC.)

Figure 3.4.16-2 Fault Tree Model of Loss of Vital DC Bus
(Figure not reproduced. Legible events and 24-hour mission values, in the tree order of the scan:)
Top event GDCRPS: loss of dc power to control circuit for RPS
  CDOBRKOP: distribution panel breaker opens prematurely, 9.1 x 10-7
  CBUSPNLF: dc distribution panel bus faults, 1.75 x 10-6
  GMSUSDCF: loss of dc power from main bus
    CTBKROP: tie breaker from main bus opens prematurely, 9.1 x 10-7
    CMDCBUSF: main dc bus faults, 1.75 x 10-6
    CDCMBUSF: loss of dc power on main bus
      CBATCHRF: battery charger fails, 7.7 x 10-4
      CBATTRYF: battery fails, 2.4 x 10-5
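The single-bus fault tree of Figure 3.4.16-2 can be quantified directly from the basic-event values that are legible on the figure. The following Python is added here as a worked example; it is not part of the LLNL review or of the Millstone PSS. It assumes every gate is an OR gate except the battery charger/battery pair, which is taken as an AND gate (main-bus dc power is lost only if both sources fail; the gate types are inferred from the legible values rather than printed on the page). It evaluates the top event for the 24-hour mission, scales to the per-year frequency of losing either critical bus by the doubling the PSS used, and lists the minimal cut sets with their fractional contributions in the manner of the service water discussion above. With the legible values it reproduces the 5.36 x 10-6/day and 3.91 x 10-3/yr figures to within about half a percent.

```python
import math

# Basic-event probabilities for the 24-hour mission, as legible in
# Figure 3.4.16-2 (event code: probability).
BASIC_EVENTS = {
    "CDOBRKOP": 9.1e-7,   # dist. panel breaker opens prematurely
    "CBUSPNLF": 1.75e-6,  # dc dist. panel bus faults
    "CTBKROP": 9.1e-7,    # tie breaker from main bus opens prematurely
    "CMDCBUSF": 1.75e-6,  # main dc bus faults
    "CBATCHRF": 7.7e-4,   # battery charger fails
    "CBATTRYF": 2.4e-5,   # battery fails
}

# Gate structure. Assumption: every gate is an OR gate except the charger/
# battery pair, which is an AND gate (main-bus dc power is lost only if both
# sources fail). The gate types are inferred from the figure, not printed on it.
TREE = ("OR", ["CDOBRKOP", "CBUSPNLF",
               ("OR", ["CTBKROP", "CMDCBUSF",
                       ("AND", ["CBATCHRF", "CBATTRYF"])])])


def evaluate(node, probs=BASIC_EVENTS):
    """Exact top-event probability for independent basic events."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    ps = [evaluate(child, probs) for child in children]
    if gate == "AND":
        return math.prod(ps)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate}")


def minimal_cut_sets(node):
    """Boolean expansion of the tree into minimal cut sets (frozensets)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    expanded = [minimal_cut_sets(child) for child in children]
    if gate == "OR":
        sets = [cs for group in expanded for cs in group]
    else:  # AND: every combination of one cut set per child
        sets = [frozenset()]
        for group in expanded:
            sets = [a | b for a in sets for b in group]
    sets = list(set(sets))
    # drop any cut set that strictly contains another (non-minimal)
    return [cs for cs in sets if not any(other < cs for other in sets)]


def cut_set_contributions(probs=BASIC_EVENTS):
    """Rare-event sum of cut-set probabilities and each set's share of it."""
    cuts = minimal_cut_sets(TREE)
    values = {cs: math.prod(probs[e] for e in cs) for cs in cuts}
    total = sum(values.values())
    return {cs: v / total for cs, v in values.items()}


def single_bus_per_day(probs=BASIC_EVENTS):
    """Failure probability of one vital dc bus over the 24-hour mission."""
    return evaluate(TREE, probs)


def either_critical_bus_per_year(probs=BASIC_EVENTS):
    """PSS treatment: double the single-bus value and scale to a year."""
    return 2.0 * single_bus_per_day(probs) * 365.0


if __name__ == "__main__":
    print(f"single bus, 24 h: {single_bus_per_day():.2e}")
    print(f"either critical bus, per year: {either_critical_bus_per_year():.2e}")
    for cs, share in sorted(cut_set_contributions().items(), key=lambda kv: -kv[1]):
        print(f"{'+'.join(sorted(cs)):>20}: {share:5.1%}")
```

The cut-set listing shows why the charger/battery pair barely matters in this model: the two bus-fault events and the two breaker events are single-event cut sets that together carry essentially all of the single-bus unavailability, while the battery/charger AND gate contributes well under one percent. None of this speaks to the common cause or loss-of-offsite-power concerns raised above, which the tree does not represent.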

3.4.17 General Comments Regarding the Millstone 3 System Fault Trees

In the preceding subsections, we have provided a review of the systems descriptions and system fault trees from the Millstone 3 PSS. In general we have found the fault trees to be accurate, complete and valid. Nevertheless, as was stated at the outset, there are some notable exceptions and these have been identified and discussed system by system. In addition to our system specific comments we have also developed a number of general comments that apply to the system analysis in general. These comments are taken up in the paragraphs below.

In general, we found system hardware and operational mode descriptions to be inadequate. Pump capacities, water source capacities, and power requirements are generally not provided. System success criteria are not always complete and nomenclature is sometimes inconsistent.

The report gives almost no consideration to time-dependent failures. The problem of higher system failure rates that are experienced early in the plant life ("wear-in" failures) is not addressed in the report. An example of particular relevance in this regard is the auxiliary feedwater (AF) system.

The NRC has determined that well-designed, mature AF systems may have failure rates as low as 10-5 per year, while newer systems may have failure rates as high as 10-3 per year.

A mission time of 24 hours was assumed in the determination of system success. This value appears to be adequate for many systems. Nevertheless, it should be recognized that forced convection cooling may be required for several weeks after shutdown to remove decay heat. This means that some systems, such as the RHR system and the Service Water System, may be needed for extended periods. Appendix 1-A briefly considers accidents initiated from shutdown, but failure of heat removal systems is not included. The neglect of this issue deserves note as potentially limiting the completeness of the analysis.

Finally, many conservative assumptions were included in the systems analysis. Several of these are described on pages 2.3-3 and 4 of the Millstone PSS. We have not focused on these assumptions in our review nor have we attempted to quantify their impact on the results. Nevertheless, it is important that we acknowledge their existence.

References for Section 3.4

(1) Wear in Swing Check Valves, Power Reactor Events, USNRC, Vol. 4, No. 1, May 1982.

(2) Evaluation of Events Involving Service Water Systems in Nuclear Power Plants, NUREG/CR-2797, J. A. Haried, ORNL, November 1982.


3.5 HUMAN FACTORS

The PSS considered a number of human actions in the analysis of Millstone Unit 3. These can be generally categorized into two types: actions in response to accident conditions and actions related to the unavailability of an individual component. Actions of the first type were included in the event trees. There are several different kinds. The major actions were direct operator response in accordance with procedures to diagnose the plant conditions and perform the necessary actions to assure the performance of each safety function. Such actions were modeled as individual events on the trees. Other actions included manual backup actuation of systems as required, which was included in the quantification of the top event to which it applied, and recovery of failed systems where possible, which was added to the event sequence analysis in a special additional step following the initial quantification.

Human actions of the second type are actions related to the unavailability of an individual component, due either to a failure to restore a component to service following test or maintenance, or to an error of omission or commission in the operation of a component in response to an accident. These actions were modeled directly in each system fault tree and were thus part of the system unavailability. We have reviewed the human factors analysis and have concluded that it was generally performed in a reasonable and consistent manner in keeping with the methods suggested in the NREP Procedures Guide, NUREG/CR-2815. A few things which should have been analyzed differently are discussed later in this section. In addition, it was necessary to add three operator actions to the analysis. The need for these actions is discussed in Sections 3.2.1.1 and 3.2.2.2, and their quantification, when not obvious, is discussed in this section. The review results are shown in Tables 3.5.1 and 3.5.2. Where there is a number in the "Review Assessment" column of the tables, that number was used in any sequence requantification subsequently performed.


3.5.1 Operator Actions Modeled on the Event Trees

The PSS assumed that essentially all of these actions are dominated by cognitive error as opposed to procedural error. That is, the failure of the operator to make the correct diagnosis of the plant conditions and determine which actions to take is dominant over his failure to perform the action correctly given that the diagnosis is made. In general, this appears to be a sound assumption. Although there are no specific procedures for this plant, the Westinghouse Emergency Procedure Guidelines which pertain to these actions were reviewed, and run-throughs of selected operator actions were performed with plant operators in the control room. Almost without exception, the manipulative actions which the operator is required to make are simple, few in number (usually from 1 to 4), and are performed on no more than two control panels, using indicators which are also on those panels. These observations support the assumption that cognitive errors are dominant. The PSS generally utilized the cognitive error model in the NREP procedures guide for quantifying these errors, although there are some exceptions. The following sections discuss these differences. The time frames allocated to perform the various operator actions were also reviewed, since these form the basis for obtaining the quantitative values from the cognitive error model. These time frames are in keeping with those used in previous PRAs, which have shown that most operator responses are required in the 20-30 minute time frame. Those events in the PSS with shorter or longer time frames appear to be reasonable. The PSS and review values for these events are shown in Table 3.5.1.

3.5.1.1 Operator Action OA-1

The correct value for this event from the NREP guide is 1E-1. The PSS value used appears to be simply a data transposition error.

3.5.1.2 Operator Action OA-8

The PSS value for OA-8 is not consistent with the value from the NREP guide. The NREP value of 1E-3 should be used instead, because this event is independent of other events on the tree and there is ample time (> 60 min.) to perform the action. No review is required for associated action OA-8' because it was rejected in the event tree review in Section 3.2.2.5.

3.5.1.3 Operator Action OA-9

The PSS modified the NREP value because the operator has only minutes to diagnose the location of the LOCA, even though he only has ten minutes from the time quench spray fails until he must override the recirculation signal. This modification is considered to be unjustified since the cognitive error model is not based on the time from the start of the event. It is based on the amount of time the operator has to diagnose a situation from the onset of conditions which would tend to lead him to the diagnosis. In this case, review of the Emergency Procedure Guideline shows that the diagnosis of, and response to, this situation begins with the occurrence of the CDA signal followed by the continued increase in pressure resulting from the failure of quench spray. The unmodified NREP value of 5E-1 should be used for this event.

3.5.1.4 Operator Action OA-2-E

This new action (see Section 3.2.1.1) is assumed to be procedural in nature as opposed to cognitive, because it results not from misdiagnosing the situation, but rather from the improper performance of the procedure. This procedure is the exception to the rule that operator actions are simple. Review of the guideline for this procedure indicated that it could be quite complex. This error is considered recoverable, however, based on the feedback provided to the operator through the procedures. The NREP screening value of 1E-3 for procedural errors with recovery possible has been assigned to this error.

3.5.1.5 Operator Action OA-6-E

This new action (see Section 3.2.1.1) is somewhat unique in that it actually consists of two separate but related cognitive errors. The first error consists of the operator misdiagnosing the initial plant condition and initiating operator action OA-6. The second cognitive error consists of the operator failing to diagnose his first error and reversing his action. This action has been evaluated using the NREP model for cognitive errors as applied to both of the errors involved in OA-6-E. The first error is evaluated to be equal to the probability of failing to perform OA-6 in 30 minutes. That is, the error of failing to perform OA-6 is nominally equivalent to the error of performing OA-6 when not required. The 30 minute time frame is chosen because it represents the best estimate of operator response time for the OA-6 actions, which gives a failure probability of 1E-2. The actual time frame the operator will believe he has will depend on exactly what he misdiagnoses the plant conditions to be. Once he has performed this action the cognitive error "clock" starts again, and the operator has a certain amount of time to interpret the information feedback from the control room instruments. The review estimate of this time is on the order of 30 minutes. This was chosen because 30 minutes was used for other similar actions, that is, actions which represent the actuation of systems to restore the core cooling function, e.g., OA-1, OA-3, OA-4, and OA-7. The NREP cognitive error value for failure to act within 30 minutes is 1E-2. Thus, the total probability of error becomes the probability of misdiagnosing the situation and performing OA-6 times the probability of failing to recognize the error, or:

P(OA-6-E) = P(OA-6) x P(FTR/OA-6) = .01 x .01 = 1E-4

3.5.1.6 Operator Actions in RT-3 and RT-4

The PSS used a value of 1E-2 for the failure of the operator to act to manually scram the reactor within the first minute of an initiator. This value is substantially lower than the NREP value, which assumes no action is possible within the first minute. However, the use of this value for this particular action is judged to be reasonable. As stated in the PSS, the operator is highly sensitized to the need to hit the manual scram button following a trip signal. Additionally, we note that the cognitive error model is a tool for estimating the probability of proper diagnosis of a situation in a given time frame. In this case, no diagnosis takes place. The operator merely automatically responds to an annunciation of a trip condition without any attempt to determine the whys and wherefores. The action is instinctive as opposed to cognitive. Thus, the estimate of one failure in 100 demands is judged to be a reasonable, if not conservative, estimate of failure to perform this action.

3.5.2 Operator Actions Modeled on the Fault Trees

The PSS included two generic types of operator errors in the fault tree analysis, errors in response to accidents and errors in failing to restore components after test or maintenance acts. These errors are shown in Table 3.5.2 with the human error probabilities used in the PSS and the results of our review of these values.

3.5.2.1 Failure to Restore Following Test or Maintenance

The PSS evaluated these errors using the THERP methodology from NUREG/CR-1278. The use of this methodology is considered inappropriate for this analysis. The THERP system quantifies procedural errors by a detailed analysis of the procedural and decision-making steps the operator must follow in the course of performing a specific act. It was not possible to do this for the PSS since there are no actual procedures available for Millstone. Therefore, the PSS designed its trees based on their perception of what the procedures would be like. In doing so, they did not rigorously model all of the steps the operator has to deal with. Even if it had been possible to do this, a simpler screening calculation is more easily justified. A reevaluation of these errors was performed using the IREP methodology explained in the Millstone 1 IREP study (NUREG/CR-3085). A full discussion is not necessary here, but the expression for unavailability reduces to:

P(Error) = P(error per act) x (fraction of time error exists)
         = (0.01) x (time between status checks / time between manipulations)


The calculation for errors numbered 2 and 3, which pertain to monitored components checked each shift (every 8 hours), is straightforward and is performed for components manipulated monthly and quarterly, which should suffice for most ESF components. The results are:

P(monthly) = (0.01) x (8 hrs / 720 hrs) = 1E-4
P(quarterly) = (0.01) x (8 hrs / 2160 hrs) = 3E-6

The calculation for error number 1, which is for unmonitored components, must be made on a per component basis using reasonable assumptions regarding the ratio of checks to manipulations. The conservative screening value of 0.01 could be used as a scoping value.
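The IREP screening expression above, together with the compound OA-6-E error of Section 3.5.1.5, as a worked example in Python. This is added here for illustration and is not part of the LLNL review or the Millstone PSS. Interval lengths are those the text uses (an 8-hour shift, a 720-hour month, a 2160-hour quarter) and the 0.01 per-act probability is the text's screening value; the cap of the time fraction at 1 for components checked less often than they are manipulated is an added assumption, made so that the unmonitored case falls back to the 0.01 scoping value the text recommends. Evaluated as written, the expression gives 1.1E-4 for monthly and 3.7E-5 for quarterly manipulation, i.e. the order-of-magnitude values carried in Table 3.5.2.

```python
# Screening value for a restoration error per test or maintenance act
# (the 0.01 used in the IREP expression quoted in the text).
PER_ACT_ERROR = 0.01

HOURS_PER_SHIFT = 8          # monitored components are checked every shift
HOURS_PER_MONTH = 720        # as used in the text
HOURS_PER_QUARTER = 2160     # as used in the text


def restore_error_unavailability(check_interval_hr, manipulation_interval_hr,
                                 per_act=PER_ACT_ERROR):
    """Unavailability from failing to restore a component after test/maintenance.

    P(error) = P(error per act) x (fraction of time the error exists), where the
    fraction is the time between status checks divided by the time between
    manipulations. Added assumption: if checks are rarer than manipulations the
    error persists until the next manipulation, so the fraction is capped at 1.
    """
    if check_interval_hr <= 0 or manipulation_interval_hr <= 0:
        raise ValueError("intervals must be positive")
    fraction = min(1.0, check_interval_hr / manipulation_interval_hr)
    return per_act * fraction


def unmonitored_screening_value(per_act=PER_ACT_ERROR):
    """Unmonitored component: no status check before the next manipulation,
    so the conservative scoping value is the full per-act probability."""
    return restore_error_unavailability(1.0, 1.0, per_act)


def compound_cognitive_error(p_misdiagnose, p_fail_to_recognize):
    """OA-6-E style error: misdiagnose and act, then fail to recognise the
    error from control-room feedback (two successive cognitive errors,
    each taken from the NREP model for the applicable time frame)."""
    return p_misdiagnose * p_fail_to_recognize


def review_values():
    """Shift-checked components manipulated monthly and quarterly, plus the
    unmonitored scoping value."""
    return {
        "monthly": restore_error_unavailability(HOURS_PER_SHIFT, HOURS_PER_MONTH),
        "quarterly": restore_error_unavailability(HOURS_PER_SHIFT, HOURS_PER_QUARTER),
        "unmonitored": unmonitored_screening_value(),
    }


if __name__ == "__main__":
    for label, value in review_values().items():
        print(f"{label:>12}: {value:.1e}")
    # OA-6-E: 1E-2 to perform OA-6 when not required, 1E-2 to miss the feedback
    print(f"     OA-6-E: {compound_cognitive_error(1e-2, 1e-2):.0e}")
```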

3.5.2.2 Errors in Response to Accident Conditions

The PSS used the screening value for procedural errors with recovery potential from the NREP guide (1E-3). This value is reasonable, but it is noted that there may be errors which fall into this class for which there is no recovery potential. For example, failing to open a pump suction valve prior to starting a pump may result in irreparable damage to the pump in a very short time period, resulting in no chance for recovery. Each error so modeled in the fault trees must be evaluated individually to determine if recovery is viable. If recovery is not possible, the NREP screening value of 1E-2 should be used.


TABLE 3.5.1 HUMAN ERROR PROBABILITIES FOR OPERATOR ACTIONS IN EVENT TREES

(Time Available in minutes; Dominant Failure: C = cognitive, P = procedural)

Operator Action | Applicable Event Trees or Analysis | Time Available | Dominant Failure | Human Error Probability | Review Assessment
OA-1   | ET03, ET15                          | 30  | C | 1 x 10-2 | OK
OA-1'  | ET02                                | 20  | C | 2 x 10-1 | 1E-1 (see Sec. 3.5.1.1)
OA-2   | ET03, ET15                          | 30  | C | 1 x 10-2 | OK
OA-3   | ET03, ET06, ET15                    | 30  | C | 1 x 10-2 | OK
OA-4   | ET04                                | 30  | C | 1 x 10-2 | OK
OA-5   | ET04                                | 10  | C | 5 x 10-1 | OK
OA-6   | ET05, Support States 1, 5           | 30  | C | 1 x 10-2 | OK
       | ET05, Support States 2, 3, 4, 6     | 60  | C | 1 x 10-3 | OK
OA-6'  | ET06, ET13, Support States 1, 5     | 20  | C | 1 x 10-1 | OK
       | ET06, ET13, Support States 2, 3, 4, 6 | 30 | C | 1 x 10-2 | OK
OA-7   | ET07 - ET21 (ET14A)                 | 30  | C | 1 x 10-2 | OK
OA-7'  | ET14B                               | 30  | C | 1 x 10-2 | OK
OA-8   | ET22                                | >60 | C | 1 x 10-2 | 1E-3 (see Sec. 3.5.1.2)
OA-8'  | ET22                                | 10  | C | 1 x 10-1 | NA (see Sec. 3.5.1.2)
OA-9   | ET15                                | 10  | C | 1 x 10-1 | 5E-1 (see Sec. 3.5.1.3)
OA-10  |                                     | >60 | C | NA       | 1E-3 (NREP)
OA-2-E |                                     | NA  | P | NA       | 1E-3 (see Sec. 3.5.1.4)
OA-6-E |                                     | 30  | C | NA       | 1E-4 (see Sec. 3.5.1.5)
RT-3   | ET22                                | 1   | C | 1 x 10-2 | OK
RT-4   | ET22                                | 1   | C | 1 x 10-2 | OK
R-1    | ET01 - ET04                         | 60  | C | 1 x 10-3 | OK
R-2    | ET02 - ET15, ET22                   | 60  | C | 1 x 10-3 | OK
QS'    | ET14B                               | 60  | C | 1 x 10-3 | OK
ESF    | ESF Recovery, Section 2.2.6         | 30  | C | 1 x 10-2 | OK
SI     | SI Recovery, Section 2.2.3.4        | NA  | C | 1 x 10-1 | OK
SBI    | Consequential SBI, Section 2.2.3.5  | 30  | C | 1 x 10-2 | OK
SBO    | Consequential SBO, Section 2.2.3.5  | 30  | C | 1 x 10-2 | OK
S2     | Consequential S2, Section 2.2.3.5   | 10  | C | 5 x 10-1 | OK
SEQ    | Fire Analysis, Section 2.5          | NA  | P | 1 x 10-3 | ___
HP-2   | Recovery Analysis, Section 3.0      | NA  | C | 1 x 10-2 | OK
OA-3   | Recovery Analysis, Section 3.0      | NA  | C | 1 x 10-2 | OK
AFR    | Recovery Analysis, Section 3.0      | 60  | C | 1 x 10-3 | OK

TABLE 3.5.2 HUMAN ERROR PROBABILITIES FOR FAULT TREE ANALYSIS

Type of Error | Operator Error | ESF System | HEP per Demand | Review Assessment*
1. Omission | Failure to restore a manual valve to normal position after test or maintenance act. | All ESF Systems | 1 x 10-4 | 0.01 x (time between checks / time between manipulations)
2. Omission | Failure to restore a motor-driven pump or an air or motor operated valve to normal position after test or maintenance act. | All ESF Systems | 1 x 10-5 | 1E-4 (monthly), 3E-5 (quarterly)
3. Omission | Failure to restore an alarmed motor-driven pump or an air or motor operated valve to normal position after test or maintenance act. | All ESF Systems | 1 x 10-5 | 1E-4 (monthly), 3E-4 (quarterly)
4. Procedural Error / With Recovery | Error of omission/commission in operation of air- or motor-operated valve required for accident mitigation. | All ESF Systems | **1 x 10-3 | OK (see Sec. 3.5.2.2)
5. Procedural Error / With Recovery | Error of omission/commission in operation of motor- or turbine-driven pump required for accident mitigation. | All ESF Systems | **1 x 10-3 | OK (see Sec. 3.5.2.2)

* See Section 3.5.2.1 (errors 1-3) and Section 3.5.2.2 (errors 4-5)
** Data Source NREP - U.S. Nuclear Regulatory Commission, "National Reliability Evaluation Program (NREP) Procedures Guide," NUREG/CR-2815, BNL-NUREG-51559, Review Draft, June 21, 1982.

3.6 FAILURE DATA

This section presents the results of a review of the failure (and unavailability) rates used in the MP-3 PSS. The review consisted of: (1) a comparison of the individual random component failure rates with similar rates from other sources, (2) a review of the system failure probabilities and unavailabilities, and (3) a review of the common cause failure assessment. These subjects are considered in separate subsections following.

3.6.1 Random Component Failure Rates

It should be noted that most of the MP-3 PSS component failure rates were, according to the MP-3 report, derived from a data base for Millstone-3 which was developed by Westinghouse Nuclear Technology Division (WNTD). This data base is described as proprietary, was not provided as part of the MP-3 PSS documentation, and was not included in this review. The data are stated (pg. 2-A-2) to be based extensively on Westinghouse nuclear plant experience which covers the time period of 1972 through 1981 and contains over "200 years" (we assume this should be 200 reactor-years) of plant operation.

The use of a data base derived extensively from Westinghouse operating plants can provide valid component failure rates for the Millstone-3 plant. However, use of such data does not necessarily assure that the derived rates are applicable to MP-3, nor can it be concluded that this data base is the most applicable of the available data. Most safety system components are procured by the architect-engineer and are not the direct responsibility of the vendor. Thus, Westinghouse plants can have a variety of components supplied by different manufacturers with different procurement specifications and different failure rates. One of the most significant parameters influencing component failure rates is the manufacturer of the component.

The MP-3 PSS random component failure rates are given in Appendix 2-A, Section 2, Volume 6. This Appendix also provides the assumptions which were used in deriving the rates. These assumptions were reviewed, and the following comments were developed. Each comment includes an assessment of the influence of the discrepancy, when appropriate.

3.6-1

1. Pg. 2-A Under subsection A.2.1, it is stated that, for the purpose of deriving a failure rate for motor-driven auxiliary feedwater pumps, "It was assumed that the 'fails-to-operate' failure rate would be similar to that for pumps classified as alternating pumps; i.e., component cooling and service water pumps. These alternating pumps are assumed to operate 50 percent of the plant operation time." This statement implies that one of the motor-driven auxiliary feedwater pumps was assumed to be operating at all times that the plant was in operation. However, auxiliary feedwater pumps are actually used only during plant startup and shutdown, and on those relatively rare occasions when main feedwater is lost, and when tested. Thus, this assumption is invalid and would produce an optimistic failure rate when used in conjunction with Equation 2-A-3, Pg. 2-A-3.

The influence of this assumption is not expected to be great, since auxiliary feedwater failures are typically dominated by failure to start of multiple pumps. A further discussion of auxiliary feedwater failure is provided in Section 3.6.2 following.

2. Pg. 2-A The turbine-driven auxiliary feedwater pump, according to item 3.1, was assumed to operate 10% of the total plant operating time. This seems excessively long (876 hrs per year) for reasons stated in 1 above (and also since the turbine-driven pump cannot be used for startup) and would produce an optimistic failure rate.

For reasons stated in 1 preceding, this assumption is not expected to have a significant influence on the overall results of the PSS.


3. Pg. 2-A The containment spray pump failure rate (item 4.1) "...is derived from the 'fails during operation' mode of the service water and component cooling water pumps." The meaning of this statement is not clear.

3.6-2

The remainder of the review of random component failures consisted of comparing the rates provided in Tables 2-A-2 (fluid system components) and 2-A-3 (electrical/electronic system components) contained in Appendix 2-A, Vol. 6, with other rates. The MP-3 PSS values in these tables were compared with the NRC-developed values as contained in the NREP(1) and IREP(2) procedure guides, and with values contained in the Zion PRA(3), a recent industry-sponsored PRA for a Westinghouse plant similar to MP-3.

Table 3.6-1 provides the quantitative comparison for fluid systems and Table 3.6-2 for electrical/electronic systems. The first column lists all the component types which were included in Table 2-A-2 of the MP-3 PSS, in the same order. The second column gives the system(s) for which the corresponding component failure rates were used, and the third column is the failure mode(s) for the component. The next three columns provide the values used for the MP-3 PSS, NREP/IREP, and Zion PRA. The NREP and IREP values were combined since they are essentially identical. In a few cases, only IREP values (taken from Appendix C of the Millstone Unit 1 IREP study(4)) were available. These cases are identified in the comments (last) column.

All values in Tables 3.6-1 and -2 are mean values. The IREP data, which are given as median values in Reference 4, were converted to mean values by using the conversion relationship in Appendix C of the NREP Guide(1) for loguniform distributions. The NREP/IREP values are also essentially identical to corresponding values used in WASH-1400. The NREP values are all given as hourly rates, while many MP-3 PSS values are on a demand basis. The NREP hourly rates were converted to demand rates assuming a monthly test interval.

Table 3.6-3 provides a listing of the MP-3 PSS values which were significantly different from the NREP/IREP values. The measure of significance was somewhat arbitrarily selected as a factor of 5. In other words, any MP-3 PSS value which was a factor of 5 greater or less

3.6-3

Table 3.6-1
COMPARISON OF COMPONENT FAILURE RATE DATA - FLUID SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

Transfers 2.15E 6/hr 2E-7/nr 5.2EE-8/hr Manual Yalve All ELF Systems a. ~

1. Closed e '
b. T r ansf ers 4.9?E-7/pr IE-7/hr t:0(l)

Open All E5F iyster.s a. Failure to 3.20E 4/D 7E-5/D(H) 4.32C-E/D

?. Ebeck Va1.e Operate on Derand Failure to 1.5tE-5/hr IF-6/hr B.3BE-7/nr

b. ,

seat 1.65E-6/hr Zion value

a. Premature 1.90E-6/hr NG includes leakage
3. Spring toaded All ESF systens Opening Safety Valve Failure to 2.98E-3/D NG NG b.

Reclose

a. Failure to 2.63E-3/D 4E-3/D(M) 1.55E-3/D 4 Motor Operated All [5F Systems except Cont. Spray Operate on Yalve and CVC5 Demand Zion value includes
b. Transfers 4.57E 6/hr IE.7/hr 3.14E-8/hr excessive leakage Open
c. Transfers 2.15E-6/hr 2E-7/hr NC Closed
a. Failure to 9.54E-4/D 4E-3/ DIM) 2.26E-5/D(M) motor 7 ton operated value for all
5. Motor Operated Containment Spray Operate on valves Yalve Demand 1E-7/hr NG MP-3 values assumed
b. Transfers 4.57E-6/hr the same as item 4 Open Same as above
c. Transfers 2.15E-6/hr 2E-7/hr NG W

Closed

3.6-4

Table 3.6-1 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - FLUID SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

a. Failure to 4.53E-3/D 4E-3/D(M) 1.44E-3 -
6. Air C;tra v.d all ELF listems '

Operate en ,

Vain Demand *

b. Transfers 4.3CE C/tr 1E-7/tr

' Dpen 1.IIE-7/tr

c. Transfers 1.37E-6/nr 2E-7/hr Closed Failure to 5.cCE 3/D 4E-3/D(M) NG 1 sal 11ery a.
7. P.c et D r i . L .. Start en Funp Feecm.ter Demand Falls During 1.69E-5/hr 1E-4/hr 9.87E-5/hr
b. .

Run 0;eration

a. Failure to 1.34E-3/D 4E 3/D(M) 7.21E-4/D
8. Motor Driven Safety injection Pump Start on Demand 1.55E-5/hr
b. Fatis During 4.86E 5/hr 1E-4/hr Run Operation
a. Failure 1.34E-3/D 4E-3/D(M) 7.21E-4/D
9. Motcr Driven Residual Heat Pump Removal. Start on <

Demand 2.53E-6/hr

b. Fails During 6.SDE-5/hr IE-4/hr Run Operation
a. Failure to 1.34E-3/D 4E-3/D(M) 7.21E-4/D
10. Motor Driven Service Water Pump 5 tart on Demand Falls During 2.47E-5/hr 1E-4/br 1/32[-6/hr b.

Run Operation i

3.6-5

Table 3.6-1 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - FLUID SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

Tyse .,)I Containment Spray a. Failure to 1.34E-3/D 4E-3/D(M) 7.21E-4/D 3 .

11. Hotor Driven Start i,r, .

Fu ap De-and .

1E-4/hr 1.5E-5/hr

b. Fails 0 rtr.9 1.E9!-5/hr t

,. Run c.seration Fell';rt t: 2.?!I-2/D 4 E- 2 /D! *.) 2.291-2/D

12. lurt,trie A.uxiliary 4. .

Driven fucp Feed ater Start en Dc .e ..

Fails During 6.15E 4/hr 2E-S/hr 7.63E-c/nr b.

Run 0;.eration 4E-3/D(M) WG MP-3 PS$ value 13, Isolati:n Main $ team a. Failure to 4.63E-3/D assumed the same Valve C;trate on as item 6 Demand Same as above

b. Transfer 1.37E-6/hr 1E-7/hr NG Closed 3E-6/hr 7.13E-7/hr HP-3 PSS value
14. Heat Ex: hanger All E5F Eystems a. External 1.00E 6/hr stated to be from Leakage  :

NREP *

b. Tube side 8.50E-9/hr 4E.9/hr c(2)

Plugged (IREP)

HP-3 PS$ value

c. Shell Side 8.0DE-10/hr 4E-10/hr stated to be from '

Plugged (IREP) WASH-1400

a. Failure to 5.74E-4/D 4E-3/D(M) 3.72E-3/D '
15. Fotor-E;erated Chemical and Operate on valve Volume Control syste:n De:nand Zion PRA value
b. Transfers 1.58E-5/hr IE-7/hr 3.14E-8/hr includes excessive Open leakage 2E-7/hr NG MP-3 PSS value
c. Transfers 2.15E-6/hr assumed to be Closed the same as item 4

3.6-6

Table 3.6-1 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - FLUID SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

Compor.ent F#-J P55 CEEP/JsEP Zion FRA System ftode Type HP-3 P55 value stated 8.50E-9/hr 4E-9/br 8.6E-9/t.r All E5F Systems e. Euptures/ to be from *15H-1400 pe..

16. Fire Sectica Plugget l

<3" 1r diareter Same as above 6.CCE-10/hr 4!-10/hr 8.EE-10/hr A1; E'T Syt le**. a. Raptures /

1/. Pipe Station Flugged

>3" in '

dia:eter MF-3 PSS value

a. tupture5 3 00E-10/hr <!-10/hr MG assurec the same
18. Stos.3e Tera All ESF Systers as item 17

~E-S/hr NG

a. Ruptures 2.70E-8/hr
19. F10w/lietering All E5F Syster.s Orffice b. Plugged 3.70E-4/D E 4/D(M) WG NG MP-3 PSS value
a. Plugged 1.00E-5/hr 3C-5/hr stated to be from All ESF Systems
20. Strainer NEEP MP-3 PSS value Failure to 4.63C-3/D 4 -3/D(M) NG assumed the same
21. Air Operated All E5F Systens a.

Operate on as item 6 Chect Yalve Demand Same as above

b. Failure to 1.55E-5/hr 2E-6/hr NG Seat 4E-3/D(M) NG Same as above All ESF Systems a. Failure to 4.63E-3/hr
22. Air Operated Bypass on Three Way Demand Sare as above Bypass Valve b. Transfers 1.37E-6/hr EC-7/hr NG Closed Same as above
c. Transfers 4.30E 6/hr IE-7/hr NG Open 3

3.6-7

Table 3.6-1 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - FLUID SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

System Mode J Type MP-3 P55 va Failure to , 2.64E-3/D 4E-3/D(M) NO All EST Systems a. Jessumed to

23. Putterfly Opgrate on same as it Valve Dtr.and I:: Same as at 2.15E-6/hr 2E-7/hr

b. T ransfers Closec 1[-7/pr NG
1. Sit-5/p-

, c. Tree <.ftrs bpera MP-3 P55 va 1.00E-4/D 2E-3/D(4) NG All (5T Systems a. T411ure to stated to b 24 Yalve Licit 0perate from AREP 5=(tch Froperly NG 17-3 PSS v0 2.70.'- 8/hr 2E-8/hr stated to U

b. Ccr. tacts (1 REP) VASH-1400 St. ort MP-3 PSS va 7E 5/D(H) NG stated to k All E5F Systems a. Failure to 1.00E-4/D
25. Valve Torque 0;erate from NREF Switch F reperly NG MP-3 P55 vs 2.7DE-8/hr 2E 8/hr stated to t
b. Contacts (IREP) from WASH-1 Short NOTES and footnotes:

These cases are 1,

2.

Sc-e Iion heurly rates were converted to demand rate idertified by /D(M).

3.

Iich FRA values are from u;tated, plant s;ecific values given in Table 1 I (1) IlG = not give (2) s = negligible

3.6-8

Table 3.6-2
COMPARISON OF COMPONENT FAILURE RATE DATA - ELECTRICAL/ELECTRONIC SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

2E-7/D(ri) 1.E?E-2/D Er.wreency AC a. falh.re to 2. 33E -3 -

9. Dfestl Staet on Generators Electrical Power t,e::.a r,4 3I-3/br  ! 57I-3/hr j b. E.ii: Nrir 3 i;G j ,

Run L*;er.ttin y

3.2EE-4/D 4E-3/DOO 1.C3E-3/D 4

AC Electrital a. Failure to

2. Bus Teed Close en Fc.cr Ler a d .

4 4E-3/DPA) 5,31E.4/D

b. Failure to 1.58E-4/D Open on Demand 3E-5/hr 2.22,.*-7/hr 4
c. Transfers 1.52E-6/hr Open Fails During 2.80E-6/hr 6E-7/hr 1.73E-6/hr AC Electrical a.

! 3. Main and Operation Ausiliary Power Transfomer Falls During 2.80E-6/hr 6E-7/hr 1.72E-6/hr 1 a.

! 4. ESF Auxiliary AC Electrical Operation Power Trans. Power former Falls During 2.39E-5/hr 1.09E-5/hr AC Electrical a.

5. DC to AC Operation Power Power ^

Inverters MP-3 P55 values Falls During 1.00E-6/hr 2[-6/hr 7.01E-P/hr stated to be from 5torage DC Electrical s.

i' 6. Operation NREP Battery Power (Wet Cell)

Falls During 3.16E-5/hr 6E-7/hr 5.54E 7/hr DC Electrical a.

7. Battery Operation Chargers Power l

3.6-9

Table 3.6-2 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - ELECTRICAL/ELECTRONIC SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

. Type 3E 8/hr NGII)

a. Open Circuit 1.6BE-8/hr 3E-8/hr NG *'
b. bus-to- 5.60E-8/br -
8. Petal-Encicsedfc.er DC El(ctrical (,rofnd Short MP-3 PSS valv 3E-8/hr 1.91E 8/hr Open Circuit 1. tee-8/hr assumed the E
a. as item F
5. Pets 1. Enclosed AC I1(ctrical F o.er l';-3 PLS solo bus 3E-C/hr NG o 5.fCI-B/hr a.suned tha
b. Bus-to- as item B Ground ihert 1; REP /lREP va' a.03E 6/D 1E-3/D(H) 6.28E 6/D based on 5o1'
a. ratis to state cevice!
10. Underyc1tage AC Electrical Trep cn Relay rever Demand Same as abov 4.03E-6/D 1[-3/D(H) 6.2BE-6/D
a. Fails to At Electrical Trip on
11. Overcurrent rower Relay Demand Same as abov 4.03E-6/D 1E 3/D(H) 6.2BI-6/D
a. Falls to
12. Underfrequency AC Electrical Trip on Relay Pcwer Demand 3.3SE-4/D 4E-3/D(M) 9.79E-3/D Falls to
13. Trip /eypass Reactor Protection a. Open on System Breaker Demand MP-3 P55 vc 1.00E-4/D 1E-3/D(M) NG stated to b Failure to tcactor Protection a. Operate on from liREP
14. DC Master MP-3 PSS v.

and E5r Actuation Relay Dt and 1.2CE-7/hr it-7/hr 2.43E-7/hr stated to t

b. Contacts (IREP) f rom k'A$H-1 Transfer Same as abt Dpen 2.70E.8/hr 2E-8/hr NG
c. Contacts Transfer Cicsed f.

3.6-10

Table 3.6-2 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - ELECTRICAL/ELECTRONIC SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

3yte Eystem MP-3 P55 value 1E-3/D(t!) Nb -

EST Actuation a. Frilure to 1.00E-4/D assumed the same -

?'"

15. DC Slave Operate on es item 14 .
  • Re'ay Lt:.and
b. Centacts 1.20E-7/nr II-7/hr fl0 1rrnsfer (IREP) f Open
c. Coritec ts 2.70E-8/hr 2f-6/hr fG 1rentfer (IEEP) .

Clot ec 3.22E-6/hr HP-3 P55 value Line-to.line 2.70E-8/hr 3E-8/hr stated to be

16. Centrol Cable / Reactor Protection a. Short from WASH-14DO Viring and ESF Actuation Same as above Line-to. 8.00E-7/br 1E-6/hr 7.52-6/hr b.

Ground Short Same as above c, Open Circuit 3.70E-6/hr 1E-5/hr NG .

MP-3 P55 value 1[-3/D(M) NG

17. AC Output ESF Actuation s. Failure to 1.00E-5/D assumed the same Operate on as item 14 Rtley Demand Same as above *
b. Contacts 1.20E-?/hr 1E-7/hr 2.43E-7/hr .

(! REP)

Transfer Open Same as above 2.70E-8/hr 2E-8/hr NG (

c. Contacts (IREP)

Transfer Closed Same as above TE-3/D(H) NG E5F Actuation a. Failure to 1.00E-4/D IC. AC Outpet Operate on latching Ocmand Eelay 1

3.6-11

Table 3.6-2 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - ELECTRICAL/ELECTRONIC SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

Ccoponu t Mode Type System 2.43-7/hr 1-.P-3 P55 value Contacts 1.20E-7/hr IE-7/hr assuned the same ,

b. (IREP) -

18.(Cor.tinued) Transfer , as item 14 Open Same as above

/

Contacts 2.70E-8/hr 2[-2/hr NG

c. flREP) j f Transfer .

Close c NG HP-3 F55 value All R des 1.00E-6/hr EE-7/hr stated to be EST Actuation A. '

! 19. Control f rom !: REP Transformer l ',

6.52E-5/hr 6E-5/hr I:G

20. Pressure Reactor Protection a. Fails to (IREP) and Efr Actuation Provide Transmitter Preper Dutput 4.29E-5/hr 6E-5/hr 1.00E-6/br
21. Water tevel Reactor Protection a. Fails to (IREP) and E5' Actuation Provide ,

Transmitter Proper Output .

4.83E-6/hr 6E-5/hr NG Reactor Protection a. Falls to

22. Temperature Provide (IREP)

T ransmitter and EST Actuation Preper Dutput C 3.86E-5/hr 6E-5/hr NG

23. Flow Reactor Protection a. Falls to (IREP) a q

and EST Actuation Provide Transmitter Proper Output 8.33E-6/hr 6E 5/hr NG f 24. Temperature Feactor Protection a. Falls Frevide to (IREP)

Element (RTO) and EST Actuation Proper Output

3.6-12

Table 3.6-2 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - ELECTRICAL/ELECTRONIC SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

'*C - ELEC e ', hht} / 3 ht P dion t hA Iallure IV-3 Fn fiode Eponent Svttem 6E-5/hr NG 6.52E-5/hr (IREP)

Tyke Falls to w..

Peactor Protection a. Provide

25. Dif f erential and 15F Actuation Proper Catpat Freswre 3E 6/hr NG irans:ai* ter 7.75I-7/hr Fails te Frovide 26.ingAr?;;,ales  ::le i*oand :s EM Octor Protution Actu*.cn Prcper a.Cut; t NG Falls high 2.40E-6/hr LG Reactor Protation a. Output 1.6EE-6/hr
27. Cooperstor and E5F Actuation Falls io.,

(Bistable) b.

Output Zion PRA value 2E-8/hr c(2) (negligible) based (IREP) on engineering Short Acrcss 4.04E-7/hr judgment Reactor Protection a. Cont 4 cts

28. Manual $ witch and EST Actuation (Pushbutton) $ame as above e

2E 8/hr Short Across 1.70E-6/hr (IREP)

P.eactor Protection a. Contacts IE-7/hr NG

29. P.anual $ witch and E5F Actuation b. 1.70E-6/hr (IREP)

(Rotary) Contacts s'all (pen 8.32C-7/hr 2 ion PRA value 3E-6/hr stated to be Open prs- 4.37E-7/hr for ESF DC power a.

All Electrical maturely fuse

30. Fuse Systems NREP/IREP value 6E 7/hr HG transforrners Falls to E.97E 6/hr Reactor Protection a. Provide l
31. Loop Power ar.d ESF Actuation Proper Output supply

3.6-13

Table 3.6-2 (Continued)
COMPARISON OF COMPONENT FAILURE RATE DATA - ELECTRICAL/ELECTRONIC SYSTEM COMPONENTS
Failures per Hour or Demand
Component Type | System | Failure Mode | MP-3 PSS | NREP/IREP | Zion PRA | Comments

Failures per hour or Demand Component failure kode 1. -s v n tantvi in y non vnA - Coments Type System Reactor Protection a. Fails to 1.06E-5/hr 6E-5/hr NG T--*

32. Radiation Frovice . (IREP)

Monitor and ELF Actuation Froper Output '

NOTES and footnotes:

1. All NREP/IREP demand values were computed from hourly rates assuming monthly testing. These cases are identified by /D(M).
2. Some Zion hourly rates were converted to demand rates assuming monthly testing.
3. Zion PRA values are from updated, plant specific values given in Table 1.5.15 (Vol. 3).

(1) NG = not given
(2) ε = negligible

3.6-14

than the NREP/IREP value appears in Table 3.6-3. It is considered that differences less than a factor of 5 are probably not significant in most, if not all, cases. The first column in Table 3.6-3 lists the component and failure mode, and the second column provides the factor of difference in terms of the ratio (NREP Value)/(MP-3 PSS Value). In other words, a column 2 value of 5 means that the failure rate used in NREP/IREP is 5 times greater than the corresponding rate in the MP-3 PSS. A total of 23 component failure modes in the PSS were found to vary by more than a factor of 5 from the NREP/IREP values. This represents 23% of the total component failure modes in Table 3.6-1. Numbers in the second column less than 0.2 (or 1/5) indicate that the MP-3 PSS values are greater than (or conservative with respect to) the NREP/IREP values. Numbers greater than 5 indicate that the MP-3 values are less than (or unconservative with respect to) the NREP/IREP values.

As Table 3.6-3 indicates for fluid system components, four MP-3 PSS values were more than a factor of 5 greater than the NREP/IREP values, while four rates were less (by >5) than the NREP/IREP values. For electrical/electronic system components, the majority (12 of 16) of the MP-3 PSS values are lower than the NREP/IREP values, indicating a nonconservative bias with respect to the NREP/IREP values.

Table 3.6-4 provides a similar comparison between the MP-3 PSS values and values used in the Zion PRA. (It should be noted that the Zion PRA did not provide values for a number of the MP-3 PSS entries in Tables 3.6-1 and -2.) The majority of the MP-3 PSS values, as shown in Table 3.6-4, are conservative (higher) than the equivalent values used in Zion. Of the 20 entries, Zion failure rates are lower than the PSS values in 13 cases.

It is difficult to draw conclusions regarding the validity of the MP-3 PSS failure rates based on these comparisons. Since the data base used for the MP-3 was not available for review, the validity and robustness of the data could not be ascertained. It was considered significant that so many of the MP-3 rates varied by large amounts from the NREP/IREP values. These variations did show a trend to be on the nonconservative side, but the trend was not strong.
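The screening described above, as an added worked example that is not part of the original review: it applies the factor-of-5 criterion to a handful of rate pairs copied from Tables 3.6-1 and 3.6-2, classifies each difference as conservative or nonconservative exactly as the text defines those terms, and applies the Table 3.6-5 both-references test to ratios already tabulated on the page. The λT/2 conversion from an hourly rate to a per-demand unavailability is a standard approximation assumed here; the page states only that a monthly test interval was used.

```python
"""Factor-of-5 screening of component failure rates against reference data,
mirroring the comparison the review describes for Tables 3.6-3 to 3.6-5.
Added worked example, not part of the original review. Numeric values are
copied from the page's tables; the threshold of 5 is the review's; the
lambda*T/2 demand conversion is a standard approximation assumed here."""

MONTHLY_TEST_HOURS = 730.0   # assumption: one month of standby time, in hours
FACTOR = 5.0                 # significance threshold selected in the review


def hourly_to_demand(rate_per_hour, test_interval_hours=MONTHLY_TEST_HOURS):
    """Mean unavailability per demand of a periodically tested standby
    component, q ~= lambda * T / 2 (assumed approximation)."""
    return rate_per_hour * test_interval_hours / 2.0


def verdict(reference_over_mp3, factor=FACTOR):
    """Classify a ratio reference/MP-3 as the review does: above `factor`
    the MP-3 value is lower (nonconservative); below 1/factor it is higher
    (conservative); anything in between is not flagged."""
    if reference_over_mp3 > factor:
        return "nonconservative"
    if reference_over_mp3 < 1.0 / factor:
        return "conservative"
    return None


def screen(entries, factor=FACTOR):
    """entries: (name, mp3_value, reference_value), both values in the same
    unit. Returns {name: (ratio, verdict)} for the significant differences."""
    flagged = {}
    for name, mp3, reference in entries:
        r = reference / mp3
        v = verdict(r, factor)
        if v is not None:
            flagged[name] = (r, v)
    return flagged


def same_direction(nrep_flags, zion_flags):
    """Names flagged in the same direction against both reference sets,
    which is the Table 3.6-5 criterion."""
    return sorted(n for n in nrep_flags
                  if n in zion_flags and nrep_flags[n][1] == zion_flags[n][1])


# (component / failure mode, MP-3 PSS, NREP/IREP), read from Tables 3.6-1/-2.
NREP_ENTRIES = [
    ("Manual valve transfers closed (/hr)",       2.15e-6, 2e-7),
    ("MOV fails to operate on demand (/D)",       2.63e-3, 4e-3),
    ("Motor-driven AF pump fails to run (/hr)",   1.69e-5, 1e-4),
    ("Turbine-driven AF pump fails to run (/hr)", 6.15e-4, 2e-5),
    ("Diesel generator fails to start (/D)",      2.33e-3, 2e-2),
    ("Undervoltage relay fails to trip (/D)",     4.03e-6, 1e-3),
]

# Ratios already tabulated on the page (Tables 3.6-3 and 3.6-4), used to
# exercise the both-references criterion without re-deriving every row.
NREP_RATIOS = {"Manual valve transfers closed": 0.1,
               "Check valve fails to seat": 0.1,
               "Diesel generator fails to start": 8.5,
               "Battery charger fails to operate": 0.02,
               "Bus feed breaker transfers open": 20.0}
ZION_RATIOS = {"Manual valve transfers closed": 0.03,
               "Check valve fails to seat": 5.34,
               "Diesel generator fails to start": 7.8,
               "Battery charger fails to operate": 0.018,
               "Bus feed breaker transfers open": 0.153}


def flags_from_ratios(ratios):
    """Apply the verdict rule to ratios that are already computed."""
    return {n: (r, verdict(r)) for n, r in ratios.items() if verdict(r)}


if __name__ == "__main__":
    for name, (r, v) in screen(NREP_ENTRIES).items():
        print(f"{name:45s} NREP/MP-3 = {r:8.3g}  {v}")
    print("Outliers in the same direction vs. both NREP and Zion:",
          same_direction(flags_from_ratios(NREP_RATIOS),
                         flags_from_ratios(ZION_RATIOS)))
```

Running it flags five of the six NREP pairs (the all-ESF MOV fail-to-operate ratio of about 1.5 is below the threshold and drops out) and returns the battery charger, diesel generator and manual valve entries as the same-direction outliers, which are items 1, 6 and 7 of Table 3.6-5; the check valve and bus feed breaker entries are excluded because the two references disagree on direction.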

3.6-15

Table 3.6-3
COMPARISON OF MP-3 PSS AND NREP COMPONENT FAILURE RATES(1)

Component and Failure Mode | Ratio: NREP Value(2) / MP-3 PSS Value

Fluid System Components
1. Manual valve transfers closed 0.1
2. Check valve fails to seat 0.1
3. MOV transfers open 0.02
4. Motor driven AF pump fails to run 5.92
5. Motor driven CS pump fails to run 5.92
6. Turbine driven AF pump fails to run 0.03
7. MOV (CVCS) fails to operate 7.
8. Valve limit switch fails to operate 20.

Electrical / Electronic System Components
9. Diesel generator fails to start 8.5
10. Bus feed breaker fails to close 11.8
11. Bus feed breaker fails to open 25.
12. Bus feed breaker transfers open 20.
13. Battery charger fails to operate 0.02
14. Undervoltage relay fails to trip 250.
15. Overcurrent relay fails to trip 250.
16. Underfrequency relay fails to trip 250.
17. Trip breaker fails to open 10.
18. Relay fails to operate 10.
19. Temperature transmitter fails 12.
20. Temperature element fails 7.
21. Manual pushbutton short 0.05
22. Manual rotary switch short 0.012
23. Manual rotary switch contacts fail open 0.067
24. Fuse opens prematurely 7.
25. Radiation monitor fails 6.

(1) Millstone-3 PSS value is conservative if ratio is less than 1.
(2) NREP values are essentially identical to IREP values. Where only the NREP value was available, or both values were available, the NREP value was used. Where only the IREP value was available it was used.

3.6-16

Table 3.6-4
COMPARISON OF MP-3 PSS AND ZION PRA COMPONENT FAILURE RATES(1)

Component and Failure Mode | Ratio: Zion Value / MP-3 PSS Value

Fluid System Components
1. Manual valve transfers closed 0.03
2. Check valve fails to operate 0.14
3. Check valve fails to seat 5.34
4. MOV transfers open 0.007
5. MOV (containment spray) fails to operate 0.023
6. Air-operated valve transfers closed 0.033
7. Motor-driven AF pump fails to run 5.84
8. Motor-driven RHR pump fails to run 0.037
9. Motor-driven SWS pump fails to run 0.053
10. Turbine-driven AF pump fails to run 0.012
11. MOV (CVCS) fails to operate 6.5
12. MOV (CVCS) transfers open 0.002

Electrical / Electronic System Components
13. Diesel generator fails to start 7.8
14. Bus feed breaker transfers open 0.153
15. Storage battery fails to operate 0.076
16. Battery charger fails to operate 0.018
17. Trip / bypass breaker (RPS) fails to open 28.9
18. Control cable / wiring short (line to line) 119.
19. Control cable / wiring short (line to ground) 9.4
20. Water level transmitter output failure 0.039

(1) Millstone-3 PSS value is conservative if ratio is less than 1.

3.6-17

A further extension of the comparisons was undertaken to determine which MP-3 variations were significantly different in the same direction with respect to both the Zion PRA and NREP/IREP data. Table 3.6-5 provides the results of this comparison. As shown in the table, a total of eight component failure rates were found. One-half of the MP-3 rates are non-conservative with respect to the other failure rates, and one-half are conservative.

Generally, system failures are dominated by active components which are required to change state when the system receives a command to operate. Passive component failures (check valves, etc.), active components which fail by incorrect transfer (MO valves, etc.), and active components which start (pumps, motors, etc.) but fail to sustain operation, usually are not dominant contributors. In Table 3.6-5 the only components which meet these general criteria as potentially significant component failures are CVCS MOV fails to operate, diesel generators (fail to start), and trip/bypass breaker (RPS) fails to open. The battery chargers are normally operating and no change of state is required. Furthermore, battery chargers do not appear as risk dominant components (see Section ). Thus, lowering their failure rate to be consistent with NREP/IREP and Zion PRA values would make their already negligible contribution to risk even lower. The CVCS MOV failures are not expected to be dominant contributors since the CVCS is not a safety system and is not typically involved in initiating or terminating dominant accident sequences. As shown in Section , the CVCS does not appear in any of the dominant sequences for any of the risk indices. The RPS relay failure would appear to be significant only in terms of influencing the probability of failure to scram. The RPS system (scram) failure probability was not considered in the MP-3 fault tree assessments (Section 2.3); rather, it appears that a scram failure value of 3.0x10^-5 was adopted based on NUREG-0460 recommendations (Section 2). Thus, the RPS relay failure rate does not appear to be a significant issue.

This leaves only the diesel generators as both "outliers" with respect to the NREP/IREP and Zion data and potentially significant contributors to risk.

Diesel generator failures were found to be one of the more significant components in terms of influence on latent fatality risks, and a lesser, but

3.6-18

Table 3.6-5
MP-3 COMPONENT FAILURE RATES SIGNIFICANTLY DIFFERENT THAN BOTH NREP AND ZION PRA VALUES(1)

Component and Failure Mode | NREP Value(2) / MP-3 PSS Value | Zion Value / MP-3 PSS Value

Fluid System Components
1. Manual valve transfers closed 0.1 0.03
2. MOV transfers open 0.02 0.007
3. Motor-driven AF pump fails to run 5.92 5.84
4. Turbine-driven AF pump fails to run 0.03 0.012
5. MOV (CVCS) fails to operate 7. 6.5

Electrical / Electronic System Components
6. Diesel generator fails to start 8.5 7.8
7. Battery charger fails to operate 0.02 0.018
8. Trip / bypass breaker (RPS) fails to open 10. 28.9

(1) Millstone-3 PSS value is conservative if ratio is less than 1.
(2) NREP values are essentially identical to IREP values. Where only the NREP value was available, or both values were available, the NREP value was used. Where only the IREP value was available it was used.

3.6-19

not negligible, influence on core melt probability (Sect. ). Because of this significance and the optimistic failure rate (compared to other sources) given to diesels in the MP-3 PSS, the issue of diesel generator failure rates (to start and assume load) was given rather comprehensive consideration, as described in the following subsection.

3.6.2 System Failures

This subsection provides the results of a review of the MP-3 PSS system failure rates. The first part of the review consisted of screening the MP-3 values against independent assessments for similar systems to determine if large discrepancies existed. This was followed by an evaluation to determine if the system failure rate discrepancies found had the potential for influencing any of the risk indices (core melt, early fatalities, late fatalities) computed for the MP-3 plant. If such a potential was found, an attempt was made to requantify the risk indices to assess the potential impact of the apparent discrepancies. It should be emphasized that the use of alternate failure rate assessments for the MP-3 systems does not imply that they are more applicable. The basis for and validity of these assessments need to be considered and judgment used in reaching conclusions regarding realistic failure rates. Such rates are, of course, unknown and must be estimated. Frequently it is difficult to judge which value is a better estimate.

A second evaluation of the validity of the MP-3 system failure rates was also performed by reviewing the fault trees used for system failure quantification. The results of this review are presented in Section 3.4 and will not be considered further here.

The alternate sources of system failure rates were selected to provide a diverse spectrum from available literature. Accordingly, the following sources were used:

3.6-20

Zion PRA - An industry-sponsored PRA for a Westinghouse plant similar to MP-3.

Sequoyah RSSMAP PRA - An NRC-sponsored PRA for a Westinghouse plant similar in many respects to MP-3.

ORNL: Accident Precursor Study - A study which used generic PWR LER data to estimate system failure rates for PWRs.

Reactor Safety Study - An NRC-sponsored PRA which is frequently used as the baseline to compare with other studies.

Various other sources for individual systems.

Table 3.6-6 lists the systems which were determined to be important to safety in the MP-3 PSS. These systems represent all of those which were analyzed by fault trees in Section 2.3 of the MP-3 PSS. The first column lists the 15 systems considered, and the remaining columns provide failure rates from the various sources as identified at the top of each column. The first column of failure rates is from the MP-3 PSS. Comparable failure rates for a few systems could not be found readily in the literature, but for all 11 of the systems, some comparison values were found.

In reviewing the Table 3.6-6 comparisons, it is apparent that some of the MP-3 values are outside of the range provided by other sources and others are questionable. For all of these cases, the MP-3 values are lower (non-conservative) than the comparable values. Each of the systems will be considered separately, with substantially more discussion provided for MP-3 failure rates which seem to be inconsistent with other rates. In all cases, the rates quoted are for no degradation of support equipment. Other qualifications on the values are provided in the notes at the bottom of Table 3.6-6 and are discussed further, as appropriate, in the discussion of each system.

1. Main electrical system, onsite emergency power - The MP-3 value for this system is lower than any other in Table 3.6-6, from a factor of

3.6-21


Table 3.6-6
COMPARISON OF SYSTEM FAILURE RATES
Failure Rate
System | MP-3 PSS | Zion PRA | Sequoyah RSSMAP PRA | Other (see notes)

un tion VMA r.v-J r u 1.8E-3f7),

7,cE-4(13) <tt-3(11) 1E-2(12)

~

1.1E-3{p) hstem _

4.50E-4 6.EE-I ? I

1. Main Electrical , '
a. 09 site euergency pu-er e

E.43C-$(2) 170s AC 4_ .7E-5

?. G.7E-5 1.6E-5

3. EST Actuation 1.59E-5I23 1 -3 ,

Loading Sequencer 4.2E-6 g-5 _

4. 3.?E-5 6.8E-5
5. Auxiliary feedwater 3.ff-3 1.3[-3III 1.4E-619) 5.67I.g(16) 6.3E-3 7.4E-9(10)
6. High Pressure Injection 1.9E-3 4.7E-4 4.2C-3 I.2E*3 1.74E 4
7. Low Pressure Injection I
8. Main Steam Isolation 8.2E-4(4I 1.5E-4 5) 1.7E-3 5.5E-5 2.4E-3 3.2E-4
9. Quench Spray 7.32E-3(2)
10. safety injection Pump Cooling 5.3E-4
11. Charging Pump Cooling 4.6E-3 5.2E-3 S.EE-3 3.0E-3 SE-3
12. Lc Fressure Recirculation 3.BE-4 9.0E-3 5.65I-3
13. High Pressure Recirculation 1.6E-3

. 2E-3

14. Containment Recirculation 2.7E-5/y 5 pray 2.2E-8(6) ,

7.44E-6(6)

15. service Water .

3.6-22


Table 3.6-6
COMPARISON OF SYSTEM FAILURE RATES - NOTES

1. Per bus
2. Per train
3. Both trains
4. Steam line break inside containment
5. Steam line break outside containment
6.
7. ORNL Precursor Study
8. Ebasco Study
9. Medium LOCA (2 of 4 pumps)
10. Small LOCA (1 of 4 pumps)
11. Has inter-unit bus ties, 1 of 2 diesels
12. No load sequencer, 1 of 2 diesels with swing unit
13. One of three
14. Battle paper (diesels during a 24-hr period)
15. From Oconee RSSMAP PRA, 1 of 2 pumps
16. Medium and small LOCAs

3.6-23

about 2 for the Zion PRA value, to about 20 for the RSS value. The most comprehensive assessment of onsite emergency power reliability was performed by Battle, et al.(7), and the range of values found (for 1 of 2 diesels, the MP-3 configuration) was 2 to 15 times higher than MP-3. Because of these differences, a review of the basis for the MP-3 value was performed, and the results are summarized herein.

The MP-3 value for loss of onsite emergency power (4.56E-4) is dominated (as would be expected) by the common cause failure of both diesel generators. This contribution was assessed at 2.59E-4 (Table 2.3.3.1-3, Pg. 2.3.3.1-48), which represents about 60% of the total. The common cause failure assessment was performed using the Binomial Failure Rate model.

The single diesel failure rate used in the MP-3 BFR model was 2.33E-3.

Thus, the MP-3 common cause quantification corresponds to a β-factor of about 0.1, a reasonable value. The β-factor model is equivalent to the Binomial Failure Rate model for two redundant trains or components (13). However, the value of 2.33E-3 for a single diesel generator failure is not consistent with other results. Single diesel generator failure rates have consistently been found to be in the range of 1E-2 to 10E-2 (7, 11, 12).

The basis for the MP-3 diesel generator failure rate is given in Appendix 2-E of the MP-3 PSS (Vol. 6, Sect. 2). This appendix derives the single diesel generator failure rate based on a large number of tests on the MP-3 diesel units and similar tests. A total of 300 tests were said to have been performed on the MP-3 diesel generators, and additional tests (totaling 1,839) were used to establish the failure rate. The test details in Appendix 2-E are very sketchy. It is merely stated that the 300 MP-3 tests "were performed under conditions which rigorously stressed the diesels under numerous load conditions." It is not stated whether, and to what extent, "prepping" (pre-lubing, pre-warming, pre-checking) of the diesels was performed prior to testing, whether the tests were under "fast start" conditions which would exist under actual demands, the time interval between tests, whether the other tests (other than the 300 MP-3) were under the same "rigorous" conditions, and what other measures and considerations were employed to assure that the test data represent "field" conditions. In view of this lack of information regarding the tests, it was not possible to evaluate the validity of the MP-3 diesel generator failure rate based on the tests. However, the derivation of the failure rate given that the test data are applicable does appear valid. Other investigators (reference numbers illegible in scan) have concluded that reliability improvements below about 1x10-2 are probably not readily achievable for diesel generators. Further, Reference 12 indicates that Fairbanks-Morse diesels (the manufacturer of the MP-3 units) have a somewhat worse than average failure rate, and larger units (the MP-3 units, at 5000 kW, are among the largest used at nuclear plants) tend to be less reliable.

In view of these considerations, it seems highly unlikely that a failure rate of less than about 2x10-2/demand can be achieved for diesel generators at the MP-3 site unless extraordinary measures have been taken to improve reliability.

If a value of 2x10-2/demand were substituted for the MP-3 rate of 2.33x10-3, the probability of onsite emergency power failure would be about 2.2x10-3, assuming the same relative common cause contribution and that the other contributors to the failure probability remain the same.

This represents about a factor of 5 increase in the MP-3 value. The significance of this increase is assessed later in this section.
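To make the arithmetic behind the factor-of-5 estimate reproducible, the following is an added worked example (not part of the review or of the MP-3 PSS) that recovers the implied β-factor from the quoted common cause and single-diesel values and rescales the common cause term to the substituted 2x10-2/demand rate, carrying the non-common-cause contributors over unchanged as the review assumes. Reading "same relative common cause contribution" as a constant β-factor is an assumption of this example.

```python
"""Sensitivity of the onsite emergency power failure probability to the
single diesel generator (DG) failure rate, using the beta-factor model.

Added worked example, not the review's own calculation. The input values
are the ones the review quotes from the MP-3 PSS plus the reviewer's
substituted single-DG rate; all are per demand.
"""

MP3_EP_TOTAL = 4.56e-4      # MP-3 PSS loss of onsite emergency power
MP3_CCF = 2.59e-4           # common cause failure of both DGs (Table 2.3.3.1-3)
MP3_DG_SINGLE = 2.33e-3     # single DG failure rate used in the BFR model
REVISED_DG_SINGLE = 2.0e-2  # reviewer's lower bound from Refs. 7, 11, 12


def beta_factor(ccf: float, single: float) -> float:
    """Beta-factor implied by a common cause term for two redundant trains.

    For two components the beta-factor and Binomial Failure Rate models
    coincide (Ref. 13), so CCF = beta * lambda_single.
    """
    if single <= 0:
        raise ValueError("single-train failure rate must be positive")
    return ccf / single


def requantify_emergency_power(total: float, ccf: float, single: float,
                               revised_single: float) -> dict:
    """Rescale the common cause term to a revised single-DG failure rate.

    Assumption (this example's reading of the review): beta is unchanged,
    and every other contributor to emergency power failure stays at its
    MP-3 PSS value.
    """
    beta = beta_factor(ccf, single)
    others = total - ccf                 # independent and support-system terms
    revised_ccf = beta * revised_single  # common cause term at the new rate
    revised_total = revised_ccf + others
    return {
        "beta": beta,
        "ccf_fraction": ccf / total,
        "revised_ccf": revised_ccf,
        "revised_total": revised_total,
        "increase_factor": revised_total / total,
    }


if __name__ == "__main__":
    r = requantify_emergency_power(MP3_EP_TOTAL, MP3_CCF,
                                   MP3_DG_SINGLE, REVISED_DG_SINGLE)
    print(f"beta-factor implied by MP-3 PSS: {r['beta']:.3f}")
    print(f"common cause share of MP-3 value: {r['ccf_fraction']:.0%}")
    print(f"revised common cause term: {r['revised_ccf']:.2e}")
    print(f"revised emergency power failure probability: {r['revised_total']:.2e}")
    print(f"increase over MP-3 PSS value: x{r['increase_factor']:.1f}")
```

The rescaled common cause term alone reproduces the review's 2.2E-3; adding back the unchanged remaining contributors gives about 2.4E-3, still roughly a factor of 5 above the PSS value.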

2. 120V AC System - No comparable failure rates for this system could be readily found in the open literature. A review of the fault tree quantification for the derivation of this value is given in Section 3.4.

It should be noted that failure of the 120V AC system does not appear as a risk contributor for any of the risk indices (Sect. ).

3.6-25

3. ESF Actuation - The MP-3 result for the probability of ESF actuation failure (1.6E-5) is about a factor of four less than the equivalent value from the RSS and less than a factor of four less than the Sequoyah value. This is considered reasonable agreement. Further, since ESF actuation failures do not appear in any of the risk dominant accident sequences (Sect. ), a factor of four (or even greater) increase would have an insignificant effect on the risk results.

4. Load Sequencer - No values in the open literature could be readily found to compare with the MP-3 failure rate for the emergency diesel generator loading sequencer. However, the value appears reasonable, and loading sequencer failures are not among risk dominant systems (Sect. ).

Further, since the loading sequencers are a part of the emergency onsite power system, the MP-3 failure rate for the sequencers would have to be raised by over an order of magnitude to become a contributor to emergency power failure.

5. Auxiliary Feedwater - The MP-3 auxiliary feedwater system failure rate was assessed to be 6.8E-5 per demand. This value is, as shown in Table 3.6-6, somewhat higher than the RSS, Zion, and Sequoyah assessments (all have similar systems, consisting of two 50% capacity motor-driven pumps and a 100% steam turbine-driven pump). However, more recent assessments (shown in the "other" column of Table 3.6-6) indicate significantly higher failure rates, being 5 (for the Ebasco study) to 16 (for the ORNL precursor study) times higher than the MP-3 rate. It should be noted, however, that the ORNL assessment is for all auxiliary feedwater systems (including designs other than MP-3) based entirely on LER data. It appears, based on the comparison, that the MP-3 value is not unreasonable for a mature system.

However, for the first year or two of operation, the NRC has estimated, based on LER data, that the auxiliary feedwater failure rate may be in the range of 10-4 to 10-3/demand, corresponding to the Ebasco (6) and ORNL Precursor Study (5) values. It therefore seems appropriate to examine the risk impact of assuming a factor of 10 increase in the MP-3 auxiliary feedwater system value to determine the potential significance during the first years of operation. This impact is evaluated later in this section.

6. High Pressure Injection System - The MP-3 PSS failure rate assessed for the HPIS is lower than all Table 3.6-6 values except for Zion. However, there are significant differences in the success criteria and the system designs assumed for the RSS and Sequoyah PRAs. In the RSS, the Surry plant HPIS consists of (App. II, Ref. 16) three charging pumps, one of which is required to operate for success during small and medium LOCAs. In the Sequoyah study (Sect. B.9, Ref. 9), the HPIS consists of two charging pumps plus two safety injection pumps. For success, at least one pump from each system is assumed to be required. In the MP-3 PSS, the HPIS is described as including three charging pumps (one of which is in a standby condition) and two safety injection pumps. According to the PSS (Table 2.3.3.6.2-1), only one pump of the four available (the standby pump is not considered available under LOCA conditions) is required for success. In view of these differences, the MP-3 HPIS failure rate does not seem unreasonable. Further, the Zion HPIS design is similar to MP-3 (two independent systems of two pumps each) and success for small LOCAs is one of any four pumps (Sect. II-4.5.2.3.1). In this instance, the Zion PRA assesses the failure rate (Table 3.6-6) at 7.4E-9, well below the MP-3 value.

7. Low Pressure Injection System - The MP-3 LPIS failure rate is lower than all other values, ranging from a factor of 2.6 lower than Zion to a factor of 23 less than the RSS.

The LPIS is needed as a safety injection system only for large break LOCAs. In this case, the accumulators are also required, such that the success criterion becomes operation of both systems. It is thus important to consider both systems in combination. Table 3.6-7 provides a comparison between Zion, the RSS, and the MP-3 failure rates for these systems (Sequoyah does not have the same accumulator system design).

3.6-27

As shown in Table 3.6-7, the failure rates for the systems considered in combination are quite similar, with the MP-3 PSS value being between Zion and RSS. It should also be noted that neither the LPIS nor the accumulator system is a risk dominant system (see Sect. ).

Table 3.6-7 COMPARISON OF LOW PRESSURE SAFETY INJECTION SYSTEM FAILURE RATES

                          Failure Rate
System           MP-3 PSS     Zion PRA     RSS
LPIS             1.7E-4       4.7E-4       4.2E-3
Accumulator      1.9E-3       7.2E-4       9.5E-4
TOTAL            2.1E-3       1.2E-3       5.2E-3

It is concluded that the MP-3 assessment of LPIS failure is acceptable within the context of the system influence on overall risk results.

8. Main Steam Isolation - The Main Steam Isolation System (MSIV) failure rate assessed in the PSS is somewhat lower (for inside containment steam line breaks) than the only other value found (ORNL Precursor Study). This difference is less than a factor of 2, however, which is not considered significant. For breaks outside containment, the difference is somewhat more significant, with the MP-3 value a factor of 8 less than the Precursor assessment, which does not distinguish as a function of steam line break location. These differences are not considered significant since a factor of 10 increase in MSIV failure rate would only raise the CMP by 30% and would have an even less significant effect on early and late fatalities (Sect. ).

3.6-28

9. Quench Spray - The MP-3 quench spray design is very similar to the containment spray injection designs for the RSS and Sequoyah plants. The MP-3 quench spray failure rate is between the Zion value and the RSS and ORNL precursor values (which are roughly equivalent). The largest disparity is between the RSS and MP-3 values, with the MP-3 rate being about a factor of [illegible in scan] less than the RSS. However, the RSS failure rate included a large contribution (over 40%) from failure of the Consequence Limiting Control System which monitors plant parameters and actuates the containment spray injection system. The equivalent MP-3 system (designated ESF Actuation System) is considered in the event trees as a separate failure. In view of these differences, the MP-3 value seems reasonable.

10. Safety Injection Pump Cooling System - No independent failure rate values for this system were found in documents reviewed for the comparison.
11. Charging Pump Cooling System - No independent failure rate values for this system were found in documents reviewed for the comparison.
12. Low Pressure Recirculation System - The MP-3 PSS assessment of the LPRS failure rate corresponds very closely to all other values in Table 3.6-6 and is therefore considered reasonable.
13. High Pressure Recirculation System - The MP-3 PSS value for the HPRS is very nearly the same as the RSS and Sequoyah results and is therefore considered reasonable.
14. Containment Recirculation Spray System - The MP-3 PSS value is comparable to the Zion rate. No other equivalent rates were found. The MP-3 rate is also comparable to those of other recirculation systems considered previously. It is therefore concluded that the MP-3 CRSS failure rate is reasonable.

3.6-29

15. Service Water System - The MP-3 service water failure was assessed for the 24-hour period following the initiation of an accident during which service water is assumed to be required to maintain cooling of essential safety equipment. The MP-3 SWS failure rate is much higher than Zion (a factor of 3387) and also higher than the equivalent Oconee RSSMAP (8) rate by a factor of 100 (obtained by converting the Oconee yearly rate to a 24-hour rate). However, for the 24-hour period assumed as the mission time, the failure probability is so low that SWS failure does not contribute to any dominant accident sequence. Therefore, assuming a lower rate would have no effect on the probability of any risk dominant sequence.

It is of interest to note that a second independent assessment of SWS failure is included in the MP-3 PSS in Appendix 1-D. This failure rate was assessed in the context of SWS failure as an initiating event. Since the service water system cools a large number of both normally operating and emergency equipment (see Sect. 9.2 of Ref. 15 for details), sustained SWS failure would appear to lead to core melt if either auxiliary feedwater fails independently or a reactor coolant pump seal LOCA occurs as a result of the SWS failure.

The Appendix 2-F assessment of SWS concludes that the failure rate of the SWS is 8.68E-12/hr, much lower than the Table 3.6-6 rate (taken from Sect. 2.3 of the PSS) which would be 3.1E-7/hr. Further, the Appendix 2-F assessment concludes that simultaneous plugging of the SWS inlet screens is not a credible event, while Sect. 2.3 assumes that this failure mode is the only credible failure mode. If the Section 2.3 rate is used to compute an annual frequency of SWS failure as an initiating event, a value of 2.7E-3/yr is obtained, compared to 7.6E-8/yr based on Appendix 1-D. This is a very large discrepancy of potentially significant proportions, especially if reactor pump seal LOCAs are likely as a result of SWS failure. It should be noted that the Section 2.3 rate of 2.7E-3/yr is considerably higher than the Oconee assessment from Table 3.6-6. A recent assessment of events in service water systems (6) indicates that a number of problems have occurred, including a complete failure (which was recovered in time to preclude serious consequences) in approximately 200 reactor-years of experience surveyed.

In discussing this issue with NUSCO in December 1983, it was pointed out by NUSCO that the Section 2.3 assessment includes no credit for recovery of the SWS in the event of screen plugging, while Appendix 1-D discusses the basis for and quantifies credit for screen plugging recovery.

Furthermore, NUSCO contended that SWS failure would not result in reactor pump seal failure since the component cooling water system could be drained for an extended length of time, providing sustained cooling to the reactor pump seals by maintaining flow through the heat exchanger which provides cooling to the seal cooling system. This means that core melt from SWS failure would not likely occur unless auxiliary feedwater failure also occurs.

On balance, it appears that SWS failure is not risk significant either as an initiating event or as a support system failure following other initiating events.

3.6.3 Requantification of Accident Sequences Based on System Failure Rate Revisions

This section provides an estimate of the change in risk as a result of revisions to the MP-3 PSS system failure rates which appear justified based on the preceding discussion. Two such changes are considered: (1) an increase of a factor of 5 in the emergency power system failure rate based on a revised failure rate for the diesel generators, and (2) an increase of a factor of 10 in the auxiliary feedwater system failure rate which is judged to apply only to the first year or two of operation.

3.6-31

Table 3.6-8 provides the results of the requantification. The results indicate that the core melt probability would be increased about a factor of 3 over the MP-3 PSS value for the first year or two of operation and would be only slightly higher thereafter. The early fatality risk would not be changed for any of the proposed revisions. The late fatality risk would increase about a factor of 5.5 for the first year or two and would remain less than a factor of 2 higher thereafter.

It should be emphasized that these changes are valid only if the revisions are considered separately; that is, no other changes suggested elsewhere in this review are considered.

3.6-32

Table 3.6-8 REQUANTIFICATION OF RISK BASED ON REVISIONS TO SYSTEM FAILURE RATES

                                    System Failure Rates          Risk (1)
                                    Emergency   Auxiliary   Core Melt     Early        Late
                                    Power       Feedwater   Probability   Fatalities   Fatalities
                                                                          (>100)       (>1000)
1. Current MP-3 PSS                 4.56E-4     6.8E-5      4.5E-5        1.9E-6       9E-9
2. Revised diesel generator         2E-3        6.8E-5      5.1E-5        1.9E-6       1.5E-8
   failure rate
3. Same as 2 above with             2E-3        6.8E-4      1.3E-4        1.9E-6       5.0E-8
   revised AFS failure rate (2)

(1) Based on results from Table V-1 of the MP-3 PSS.
(2) Estimated to apply only to the first year or two of operation.

3.6-33

REFERENCES

1. National Reliability Evaluation Program (NREP) Procedures Guide, NUREG/CR-2815, Final Draft, September 9, 1982.
2. IREP Guide
3. Zion Probabilistic Safety Study, Commonwealth Edison Co., Copyright 1981.
4. Interim Reliability Evaluation Program: Analysis of the Millstone Point Unit 1 Nuclear Power Plant, NUREG/CR-3085, February 1983.
5. Precursors to Potential Severe Core Damage Accidents: 1969-1979 A Status Report, NUREG/CR-2497, J. W. Minarick and C. A. Kukielka, June 1982.
6. Auxiliary Feedwater Systems Reliability, J. J. Raney, Ebasco Services, Inc., presented at International Meeting on Thermal Nuclear Reactor Safety, August 29-September 2, 1982, Chicago, IL, NUREG CP-0027.
7. Reliability of the Emergency AC Power System at Nuclear Power Plants, R. E. Battle, et al., presented at International Meeting on Thermal Nuclear Reactor Safety, August 29-September 2, 1982, Chicago, IL, NUREG CP-0027.

8. Reactor Safety Study Methodology Applications Program: Oconee #3 PWR Power Plant, NUREG/CR-1659, G. J. Kolb, et al., Sandia Laboratories, May 1981.
9. Reactor Safety Study Methodology Applications Program: Sequoyah #1 PWR Power Plant, NUREG/CR-1659, D. D. Carlson, et al., Sandia Laboratories, February 1981.

3.6-34

10. PRA Procedures Guide, NUREG/CR-2300, January 1983.

11. Reactor Safety Study, WASH-1400, USNRC, October 1975.

12. Data Summary of Licensee Event Reports of Diesel Generators at U.S. Commercial Nuclear Power Plants, NUREG/CR-1362, J. P. Poloski and W. H. Sullivan, EG&G Idaho, Inc., March 1980.

13. Data Analysis Using the Binomial Failure Rate Common Cause Model, NUREG/CR-3437, C. L. Atwood, EG&G Idaho, September 1983.
14. Enhancement of On-Site Emergency Diesel Generator Reliability, NUREG/CR-0660, G. L. Boner and H. W. Hanners, University of Dayton, February 1979.
15. Millstone Unit 3 Final Safety Analysis Report.
16. Evaluation of Events Involving Service Water Systems in Nuclear Power Plants, NUREG/CR-2797, J. A. Haried, ORNL, November 1982.

3.6-35

3.9 ACCIDENT SEQUENCES

This section provides the results of a review of the MP-3 PSS assessment of the progression of accident sequences. The review encompassed an examination of assumptions, analysis, and predicted phenomena associated with the progression of severe accidents as considered in the PSS. The review is limited to considerations of accident progression within the primary system and reactor vessel cavity. It does not consider other phenomena in the containment such as H2 combustion, overpressure failure, and basemat penetration.

A discussion of accident sequence analysis occurs in Section 4, Volume 8 of the MP-3 PSS and related appendices in Volumes 8 and 9 (Appendices 4-A through 4-N). In addition, as part of the accident sequences review, Section 3 ("Analysis of Recoverable Degraded Core Cooling Sequences") and the related Appendix 3-A ("In-Vessel Debris Coolability") were reviewed.

Emphasis in this review was placed on those accident sequences which were found to be risk dominant as well as phenomena and assumptions expected to have a significant potential for controlling risk, based on previous PRA results and severe accident research. It should be noted that many of the phenomena associated with the progression of severe accidents are not well understood.

Thus, considerable engineering judgment is required in estimating the realistic progression of such accidents, and disagreement exists among investigators. (On-going research is expected to help resolve much of the uncertainty.) In the discussion which follows, an attempt has been made to clearly delineate those issues which are subject to differences in judgement and those for which some data base exists.

The format of this section consists of: (1) a listing of significant comments generated as the result of the review, (2) a listing of conservative assumptions and analysis as described in the PSS, and (3) a summary evaluation which attempts to develop an overall conclusion regarding the significance and implications of individual elements in (1) and (2). The conservative assumptions are listed and evaluated in order to provide additional perspective.

3.9-1

3.9.1 Comments on MP-3 PSS Assessment of Accident Sequences

This subsection provides comments on Section 4 of the MP-3 PSS, as follows:

1. Pg. 4.2 - Failure of containment isolation is considered as a containment failure mode. The probability of such a failure is quantified in Section 4.7.1 where a value of 10-4/demand is assigned. While the PSS argues that operation of a sub-atmospheric containment precludes the possibility of significant pre-existing undetected penetration openings, very little justification is given for the 10-4 value. No fault tree is provided, and very little description is given of the isolation system.

While such a low failure rate may be justified, it cannot be evaluated from the information provided. In view of the very important role long-term containment integrity assumes in the MP-3 PSS, and considering the rather poor experience which has been observed with penetration/isolation systems (Refs. [illegible], 2), it appears that further analysis to justify the low failure rate is required (Reference 2 suggests a general failure rate for PWRs of 0.1 for leakage being beyond technical specification limits).

2. Pg. 4.2-8,9 - A discussion of the likelihood and consequences of water being in the lower vessel cavity during the discharge of molten core material from the reactor vessel is included here. However, no consideration of the possibility that the contents of the shield tank could be discharged to this cavity is included. The shield tank is supported by a skirt extending to the region beneath the reactor vessel.

It seems possible that thermal attack of this skirt by the discharge and accumulation of molten core material could fail the shield tank, allowing the contents to mix with the molten debris. This could increase the hydrogen generation for some scenarios and contribute to steam pressure spikes in the containment. The prospect of the failure of the shield tank skirt is discussed in Section 4.3, but no consideration of shield tank failure is included.

3.9-2

3. Section 4.3.1.3 - In this section, the core overheating and melting process is discussed. On Page 4.3-7 and 8, it is postulated that control rod materials would melt first and flow to the lower core regions, resolidify, blocking channels and enhancing the nonuniform nature of the core heatup process by blocking fluid flow (and, therefore, cooling) to the hotter core regions. It has been demonstrated experimentally (for example, Ref. 3) that the silver in the control rods would likely be released early (by rupture of the stainless clad) in the heat up process and that the silver would probably dissolve in the zircaloy cladding, destroying its integrity and causing the formation of undefined geometries in the core. This scenario is different from the process postulated in the MP-3 PSS and may influence subsequent assumptions regarding coherency of core heatup.
4. Pg. 4.3-14,15 - Arguments are provided here to establish that significant pressurization of the reactor coolant system under high pressure degraded core conditions would not occur. The conclusion is based on CHF (critical heat flux) correlations and steaming rates which are described to be very sensitive to pressure. Recent Sandia results (4) have indicated that "the increase in the (heated debris bed) coolability limit with increasing pressure is much less than predicted by the current models. This result means that pressurized cores have considerably lower coolability limits under reflooding than had been previously thought." The implication of this result on the MP-3 PSS analysis here (and also in Appendix 3-A, In-Vessel Debris Coolability) is not clear, but the models used may be inaccurate.
5. Pg. 4.3-30,31 - It is argued here that an "offset" in the instrument tunnel leading out of the reactor vessel cavity would preclude the discharge of molten material from the cavity to the containment floor (such an occurrence was postulated for Zion (5), creating a large steam pressure spike in the containment). Figures 4.1-4 and 4.1-6 are referenced to support this assessment. However, these figures do not appear to show any "offset". Further, during the plant visit in October 1983, such a configuration was not apparent. In any case, more quantitative justification, with some analysis, seems required to support this assumption, which could be important relative to the assessment of containment integrity.

6. Section 4.3.1.5 - This section covers the failure scenarios postulated for the reactor vessel during core melt progression. However, there is no consideration here (and none could be found elsewhere in the PSS) of the potential for primary system failures preceding reactor vessel melt-through. Such failures could have a significant impact on containment response and source terms. The most likely conditions for such failures are during accidents wherein the primary system pressure remains at or near the pressurizer relief valve setpoint. (Many important sequences result in these conditions.) Under these conditions, the entire primary system will be heated due to natural convection of steam through the core. Additional heating would occur from release of hot hydrogen gas after metal-water reaction commences. Eventually, some parts of the primary system may become hot enough to fail under the elevated pressure conditions. Steam generator tubes may be susceptible to such failure, particularly if some are in a degraded condition. Such failures would be particularly onerous since a fission product pathway directly to the atmosphere (through the steam generator relief valves) could result.

In a recent analysis (6), the possibility of such failures was examined. Steam generator tube failures as well as primary piping and reactor vessel ruptures were examined. It was concluded that failure of the main coolant pipes would occur when the maximum cladding temperature reached a rather modest 1300°K for the station blackout accident scenario. (This calculation presumably assumed no prior degradation of steam generator tubes.) It was further concluded that the steam generator tubes would be the likely failure point if the secondary side were in a depressurized condition (which could occur from a stuck open relief valve or from operator action in efforts to cool the primary system).

3.9-4

The Reference 6 calculations have not been reviewed as part of this effort. However, the results suggest a potentially significant failure mode which should receive further consideration. Overpressure spikes when molten core material drops into residual water in the reactor vessel lower plenum could also contribute to these failures.

7. Section 4.3 - The MP-3 PSS analysis used Westinghouse codes for assessing the containment thermal-hydraulic conditions. In particular, "COLO-Class 9" (Pg. 4.3-49), "CORCON-MOD1, Westinghouse Version", and "MODMESH" were used for various phases of the accident. These codes are not described in detail in the MP-3 PSS, and very little information was provided to verify their capability. They do not appear to have been subjected to extensive peer review or to have been assessed against experimental data. As a result, the results have not been, and probably cannot be, fully evaluated as part of this review. While no obvious problems appear to exist, it is not possible to conclude that the analyses are valid.

8. Pg. 4.4 - It is stated here that containment electrical penetration integrity was "conservatively" assessed to be maintained up to temperatures of 400°F "as the lower bound". Reference is made to tests of CONAX penetrations (the MP-3 type) in which 400°F temperatures were withstood for several days. There is no referenced literature or test details, however, from which to evaluate this result. In a recent report (2), it was concluded that CONAX penetrations should withstand at least 340°F for several days, and that leakage is unlikely up to at least 350°F. While these results are not necessarily inconsistent with the MP-3 assessment, they do not support the 400°F value as a conservative lower bound.

The penetration failure temperature could be important since the results described on Page 4.4-37 (with incorrect figures referenced) show temperatures approaching and exceeding 400°F.

3.9-5

9. General - There appears to be an inconsistent and somewhat confusing discussion at various locations in Section 4 with respect to the operability of the recirculation spray system without previous operation of the quench spray. On Page 2.2.7-1 it states, unequivocally, that recirculation spray failure was assumed if quench spray failed. However, on Page 4.4-15 recirculation spray is considered operable for "T" sequences, and on Page 4.4-27 recirculation spray only cases are considered for sequences AEC", ALC", SEC", SLC", and TEC". Furthermore, it is stated that for these sequences the accumulator water would be available when recirculation spray is actuated, but this water would not be available until after RV failure (and subsequent depressurization) and then only if accumulator water is vaporized and condensed on the containment walls. The question of sufficient NPSH for these sequences appears not to be addressed.
10. Pg. 4.4 - The production of CO is mentioned here as a by-product of the concrete erosion process, but the combustion of CO as an additional energy source to the containment is not considered here or elsewhere in the PSS.
11. Pg. 4.7 - It is stated here that the Millstone Unit 3 containment "is an open volume with no regularly spaced objects to generate strong turbulence." This assessment is used to argue that hydrogen detonation is not credible. Based on a tour of the Millstone 3 unit, just the opposite impression was obtained regarding objects in the containment; i.e., there appeared to be many objects of various size, some regularly spaced, especially in the lower regions of the containment where the hydrogen is expected to be released.
12. General - Analysis of Recoverable Degraded Core Cooling Sequences (Section 3, Vol. 7) - This section, in general, appears to be reasonable. While several questionable and insufficiently justified assumptions appear to have been made, none of these seem overly significant. Further, the PSS consideration of recoverable core cooling sequences has very little significance to the results. For example, no change was made to the early fatalities since these are dominated by the V-sequence which was excluded from consideration (see following comment). The late fatality risk is also not significantly influenced since the major contributor is the V-sequence. The core melt probability was only reduced by 36% due to consideration of recoverable degraded core cooling sequences as shown by Table 3.3-3 (Pg. 3.3-9).

13. General - There is no consideration in Section 3 of a recoverable degraded core condition in conjunction with the V-sequence accident scenario. In view of the fact that the V-sequence accident was found to overwhelm (99.8% of total) all other contributors to latent fatality risk and is also the single most dominant contributor to early fatalities, this omission seems significant. Further, there appear to be opportunities to interrupt the progression of the V-sequence accident and restore adequate core cooling.

In view of the extraordinarily significant contribution of the V-sequence to public risk as assessed in the PSS (see Section ), a rather comprehensive review of the accident and the corresponding PSS analysis was undertaken. Several deficiencies were found in the PSS assessment, one of the most significant of which is a misleading portrayal of the results and an unrealistic assessment of the accident probability distribution. These problems are considered at length in Section 3.1 and will not be repeated here. Additional apparent deficiencies in the PSS relative to the assessment of the V-sequence accident are described below:

a. There appear to be discrepancies in the pipe and valve configuration assumed in the PSS for the RHR suction. This portion of the RHR system was found to dominate the probability of a V-sequence accident. The assessment of the V-sequence probability for this case is provided in Section 1.1.2.1.7 (Vol. 2) of the PSS. The configuration used in the assessment is reproduced as Figure 3.9-1.

Figure 3.9-1. MP-3 PSS Diagram of RHR Suction (Reproduced from Fig. 1.1-5 in PSS). [Diagram not reproduced in text. It shows the two RHR pump suction lines, each with two motor-operated valves in series (MV8701A and MV8701C on one line, MV8702B and MV8702C on the other), the inside/outside containment boundary, and the point at which the high pressure piping changes to low pressure piping.]


According to the Section 1.1.2.1.7 description, the accident would occur upon failure of both valves in either pump suction line. The transition from high pressure to low pressure pipe is shown on Figure 3.9-1. Thus, rupture could occur inside the containment, but this is conservatively assumed not to occur in the PSS. (Rupture inside containment would not lead to severe offsite consequences since the containment barrier is not breached.)

Based on an actual P&ID drawing (S&W drawing #12179-EM-112A-1), Figure 3.9-2 has been prepared. This drawing indicates that a third valve (MV8702A and B) exists in both RHR suction lines. Based on other plant designs, it seems likely that the transition from high to low pressure pipe would occur at the location of these valves rather than inside the containment. If this is the case, the probability of the V-sequence accident would be reduced dramatically since a third valve, normally locked closed, would have to fail. (The S&W drawing does not indicate the design pressure transition point.) If low pressure pipe is located between the inside and outside valves (as implied by the PSS assessment), then there is a possibility of a rupture outside containment. However, depending on relative pipe segment lengths inside and outside the containment, the probability of an outside rupture would be reduced over the PSS value.

b. The PSS description of the progression of the V-sequence accident is very sketchy, and some of the results seem unusual. If the accident were to occur, it appears that the pipe would rupture in the RHR pump cubicle. Following rupture, a high energy blowdown process would

Figure 3.9-2. MP-3 Simplified RHR System from S&W Drawing No. 12179-EM-112A-1 (4/14/82). [Diagram not reproduced in text. It shows, for each of the two RHR suction lines from the primary system, three valves in series (MV8701A, MV8701B, MV8701C on one line; MV8702A, MV8702B, MV8702C on the other), two of them marked locked closed (LC), the inside/outside containment boundary, the refueling water storage tank, the high pressure injection system, and valves MV8812A and MV8812B.]

ensue. This would likely cause pipe whipping and the generation of high velocity debris in the pump cubicle. It seems these occurrences could disable the operation of the RHR pumps even though they would be commanded to start following the rupture. Further, the high temperature steam environment would likely cause the pumps to fail. If they were to operate under these conditions, they would very likely become flooded from the large amounts of water discharged to the area (from blowdown, accumulator discharge, HPIS, drain from the RWST to the break, and LPIS flow).

If the LPIS pumps were to fail, the core would very likely remain cooled from operation of the HPIS. The HPIS run-out flow, assuming operation of both charging and safety injection pumps, is 1700 gpm (Table 4.1-1, Pg. 4.1-4). This is more than adequate to maintain core cooling. (In fact, the PSS states on Pg. 2.2-25 that one high pressure safety injection pump is sufficient to recover from a 6" LOCA.) Assuming a refueling water storage tank volume of 1.2 x 10^6 gallons (Table 4.1-1, Pg. 4.1-13), the core would remain cool for 11.8 hours if the drain from the RWST to the break location is either negligible or terminated by operator closure of valves MV8812A and MV8812B (see Fig. 3.9-2). If the operator throttles down the HPIS flow to conserve RWST water, an even longer time for sustained core cooling could be realized for this scenario. Table IV-5, Pg. IV-31, indicates a radionuclide release time of 2.5 hours for the V-sequence. This value was apparently derived based on full capacity operation of the LPIS, which would empty the RWST in about 2 hours.

c. The scenarios described previously for the V-sequence suggest that the accident could be terminated or mitigated. (None of these possibilities were explored in the PSS.) Since about 12 hours may exist before core uncovery occurs, it seems reasonable that an alternate source of water supply to the RWST could be obtained. If so, the HPIS could provide core cooling indefinitely, provided that these pumps do not become flooded from water injected into the LPIS pump cubicle.

It also seems likely that the LPIS rupture may become submerged early in the scenario due to the large amounts of water delivered to the LPIS pump cubicle (see b. above). If core melt occurs while the pipe is submerged, a large fraction of the radionuclides released from the core would be expected to be retained in the water, greatly reducing the source term assumed in the PSS (Table IV-5, Pg. IV-31) for this accident. Since only small floor drains were found in the LPIS pump cubicle during the plant tour in December 1983, it seems likely that the pipe rupture location would be submerged unless large openings exist in the pump cubicle below the rupture sensitive piping, allowing spillover into adjacent areas.

The preceding discussion suggests that the V-sequence accident is a complex event with many possible outcomes depending on assumptions made and operator actions taken. Figure 3.9-3 qualitatively depicts these alternatives in event tree format. As indicated by the figure, some 20 different outcomes appear feasible. Of these 20, some 17 would appear to result in lower offsite consequences (and therefore lower risk) than assumed in the PSS due to either sustained core cooling, delayed melt, or removal of radionuclides from a submerged rupture. The only scenario apparently considered in the PSS is No. 9 in Figure 3.9-3. Quantification of the event tree in Figure 3.9-3 would require additional effort and detailed knowledge of plant design features.

3.9.2 Conservatisms in the MP-3 PSS Assessment of Accident Sequences

Table 3.9-1 provides a list of conservative assumptions which were found in reviewing the PSS assessment of accident sequences. As indicated in the third column, none of the conservatisms were found to have a large influence on the results, although in three cases the significance was undetermined.


Figure 3.9-3. Example Event Tree for V-Sequence.

Event headings (left to right): V-sequence; HPI; LPI; RWST drain terminated by Op.; Alternate Water Source; Rupture Under Water. [Branch structure not reproduced in text; the 20 end states are listed below.]

1) OK
2) late melt, low consequences
3) late melt, high consequences
4) OK
5) intermediate melt, low consequences
6) intermediate melt, high consequences
7) OK
8) early melt, low consequences
9) early melt, high consequences
10) OK
11) late melt, low consequences
12) late melt, high consequences
13) OK
14) intermediate melt, low consequences
15) intermediate melt, high consequences
16) OK
17) early melt, low consequences
18) early melt, high consequences
19) very early melt, low consequences *
20) very early melt, high consequences


Table 3.9-1. CONSERVATIVE ASSUMPTIONS USED IN MP-3 PSS ACCIDENT SEQUENCE ANALYSIS

1. Item: Zircaloy oxidation proceeds to completion prior to core slump.
   Location: Vol. 8, Pg. 4.3-0
   Significance: Does not appear significant since hydrogen combustion contribution to risk is not significant.

2. Item: Computed concrete basemat penetration higher than expected due to different concrete type, etc.
   Location: Vol. 6, Pg. 4.3-30
   Significance: Not significant.

3. Item: Containment pressure from core steaming due to assumption regarding high heat sinks.
   Location: Vol. 6, Pg. 4.3-32
   Significance: Does not appear significant since containment overpressure failures from steam are not risk dominant.

4. Item: Electrical penetration capability assessed at 400°F.
   Location: Vol. 8, Pg. 4.4-4
   Significance: Does not appear to be a conservatism as claimed (see comment 9 of this section).

5. Item: Basemat penetration assumed to occur when core melt reaches "popcorn" concrete. Allows maximum time for overpressure failure.
   Location: Vol. 8, Pg. 4.4-4
   Significance: Does not appear significant.

6. Item: 20% of unreacted zirconium reacts at core slump for large break LOCAs.
   Location: Vol. 8, Pg. 4.4-7
   Significance: Not significant since large LOCAs are not risk contributors.

7. Item: Core concrete reaction begins immediately after boiloff of RV cavity water (no heatup period).
   Location: Vol. 8, Pg. 4.4-8
   Significance: Unknown.

8. Item: Conservative estimate of adiabatic burn pressure.
   Location: Vol. 8, Pg. 4.4-9
   Significance: Unknown.

9. Item: No credit taken for operator to resume ECC injection after recirculation failure.
   Location: Vol. 8, Pg. 4.4-11
   Significance: Probably not significant. Sequences affected are not risk significant.

10. Item: Late predicted containment failures (exceeding 1 day) are modeled as 1 day failures.
    Location: Vol. 8, Pg. 4.4-21
    Significance: Undetermined. Late containment failures are significant contributors to late fatalities, but the influence of containment failure time on risk (for late failures) is not known (see Note (1) below).

Note (1): According to Volume 1 (Pg. V-1) of the PSS, all dominant contributors (>5%) to the risk of latent fatalities except the V-sequence (a 27.9% contributor) involve plant damage state TE. According to Volume 6 (Pg. 4.4-25), the best estimate containment failure time for the most likely TE damage state is 2-1/2 days. However, the release time for Release Category H7 (which includes the TE sequences according to Table V-3, Pg. V-25, Vol. 1) is 20 hours according to Table IV-5, Pg. IV-33. These values are inconsistent, and the origin and significance of the different failure times (including the 1 day modeling assumption in 10 above) was not evaluated further.


3.9.3 Conclusions

The major findings from review of the PSS assessment of accident sequences are as follows:

1. No consideration is included of primary system failure prior to vessel melt-through. Consideration of these failure modes would tend to increase risks.

2. The V-sequence accident is inadequately considered in terms of opportunities for terminating and mitigating the accident. Consideration of these factors would tend to decrease risks.

3. The remaining deficiencies:

- Inadequate support for containment isolation failure probability,
- Lack of consideration of shield tank water being available to the RV cavity,
- No consideration of interaction between control rod materials and cladding,
- Influence of recent core coolability limit experimental results,
- Inadequate justification for assuming no discharge of molten debris in containment,
- Lack of assessment for codes used in core melt progression calculations,
- Electrical penetration failure assumptions appear nonconservative,
- Inconsistent assessment of operability of containment recirculation sprays,
- No consideration of CO combustion,
- Insufficient justification for assumption of no containment turbulence generation,
- Lack of justification for some degraded core cooling recovery assumptions,

do not appear significant in terms of having the potential for influencing the PSS risk results as they currently exist.


4. None of the conservatisms found in the PSS assessment of accident sequences were determined to be significant. The significance of three conservatisms was not determined.

3.10 DEPENDENCIES

This section presents the results of a review of the consideration and treatment of dependencies in the MP-3 PSS. The actual meaning of "dependencies" is somewhat vague and occasionally inconsistent within the risk assessment community. Generally, dependencies can be defined as initiating events or system and component failures which are related to or have a detrimental influence on the probability of successive failures. Failures involving dependencies have been found to be very important to nuclear reactor risks, both in PRA studies and in actual accidents. The TMI-2 and Browns Ferry accidents are examples of actual occurrences which have involved dependencies.

It is usually convenient and useful to subdivide the general area of dependencies into more explicit sub-issues. The subdivision chosen for the purposes of the MP-3 review was that recently proposed by Fleming, et al. (4). In this case, three subdivisions are used, defined as follows:

1. Common Cause Initiating Event - In this case, an initiating event occurs which simultaneously causes multiple system failures and/or degrades systems, increasing their unavailability. The most dramatic examples of this type of dependency are external events, such as earthquakes, which can cause multiple system degradations. However, some internal initiating events, such as loss of offsite power, also involve important dependencies.
2. Intersystem Dependency - In this case, a system failure occurs which causes the simultaneous degradation (either failure or an increase in unavailability) of other systems. An example of such a failure would be the service water system (see Sect. 3.6), whose failure causes the eventual loss of numerous components which depend on SWS for cooling.
3. Intercomponent Dependency (Common Cause Failure) - This dependency involves the simultaneous (or near simultaneous) failure of components from the same cause. This type of dependency is often referred to as common cause failure, a term which will be used in the remainder of this section. An example of common cause failure would be the simultaneous failure to start of pumps in a multi-train system due to seized pump shafts from excessive corrosion.

In the MP-3 PSS, these three types of dependencies are not all considered separately. Rather, a discussion of each type is considered in various locations, with special cases of each type also considered. These discussions include the following:

- Vol. 3, Part 1 of 4, Section 2, "Plant and Systems Analysis" (particularly Sections 2.2.1, 2.2.3, and 2.2.5),
- Vol. 6, Appendix 2-C, "Common Cause Failure Analysis",
- Vol. 6, Appendix 2-F, "Analysis of Common Cause Service Water Strainer Plugging",
- Vol. 6, Appendix 2-G, "Analysis of Common Cause Actuating System Logic Unavailability".

The remainder of this section evaluates separately the three types of dependencies as considered in the MP-3 PSS. External events and related dependencies are excluded here, but are considered in Section 4 of this report.

3.10.1 Common Cause Initiating Event

Considerable attention has been given to initiating event dependencies for internal events since the publication of the Reactor Safety Study (12), and the MP-3 PSS appears to adequately recognize the role of such dependencies and appropriately consider them as described in Section 2, Vol. 3, with the following exception:

It was assumed that the power conversion system would be isolated and unavailable for all transient initiating events. This is a conservative assumption which is considered further in Section 3.1. In actuality, it appears that the PCS would be available for many transients and could serve as a system for core cooling.

In reviewing Section 2.2, a number of inconsistencies and errors were found which appear to be minor. They are as follows:

1. Figure 2.2.3.2 - There appears to be an incorrect double entry ("Failure of Either Pressurizer PORV Block Valve to Open") on this fault tree.

2. Page 2.2 - The quantity Q (TK) in Equation 2.2.3.3-2 is not defined, and the quantity Q (TR) is not in Equation 2.2.3.3-2.

3. Page 2.2-50, Item 7 - Pressure relief failure during ATWS is stated to be dominated by failure of pressurizer relief valves to close. It is not clear how this failure causes failure of the overpressure function.

4. Page 2.2 - For support state 7, it appears that a probability of 1.0 was assumed for restoration of ac power after 2 hours. This seems optimistic and does not agree with values on page 2.2-58 or page 2.2-69.

5. Page 2.2 - It is stated here that "...only the loss of offsite power initiator was adjudged to have the potential for initiating an accident and then influencing the accident progression sequence." The interfacing systems LOCA accident initiator is an even more important example of this type, wherein the LPIS is failed and the containment is bypassed.
6. Table 2.2.1.3.1-1 (Pg. 2.2-76) - Does not include the support systems which provide pump room cooling or lube oil and lube oil cooling for any plant systems. It is not clear that these support systems have been determined to be unnecessary for the plant systems. They have been found to be important in other PRAs.
7. Item 3 on Page 2.2.7.1 - Indicates that cooling is necessary for high pressure injection pumps. However, no such dependency is indicated in Table 2.2.1.3.1-1 on Page 2.2-76.

8. Page 2.2.7.14B - A loss of ac power scenario is described, with operation of the steam generator PORVs in conjunction with the turbine-driven AFW pump utilized to depressurize the primary system. However, on page 2.2.7.14B-2 it is stated that "...potentially the steam generator PORVs would be disabled by the loss of ac power...".

A number of conservative assumptions were found in the review of Section 2.2, even though on Page 2.2-24 it is stated that "The ultimate objective...is to present realistic estimates of public risk...". These can tend to bias the risk towards a high value and should be considered for proper perspective in PRA reviews. These conservatisms are listed in Table 3.10-1. The table includes the location in the PSS where the conservatism is described and an assessment of the potential significance.


Table 3.10-1. CONSERVATISMS

1. Item: Using 8 "support states" to represent the 72 states initially identified.
   Location: Vol. 3, Pg. 2.2-12
   Significance: Undetermined.
   Comments: The 8 support states were conservatively used to bound the 72 states initially identified; the effect of the support states could be significant.

2. Item: Several actuation signals, plant systems, and operator actions not modeled.
   Location: Vol. 3, Pg. 2.2-15
   Comments: Pg. 2.2-20 lists examples of these.

3. Item: Some success criteria utilized conservative FSAR analysis.
   Location: Vol. 3, Pg. 2.2-23
   Significance: Probably not significant since important sequences used realistic analysis.

4. Item: PORV block valves assumed closed during operation.
   Location: Vol. 3, Pg. 2.2-32 and Pg. 2.2-52
   Significance: 25% reduction in failure of feed and bleed.
   Comments: During the plant tour of October 1983, PORV block valves were stated to remain open during operation.

5. Item: Failure of RT-4 (manual or automatic reactor trip) results in core melt.
   Location: Vol. 3, Pg. 2.2-49
   Significance: Appears not significant.

6. Item: All three pressurizer relief valves assumed to lift during ATWS.
   Location: Vol. 3, Pg. 2.2-50
   Significance: Not significant (ATWS sequences do not contribute to risk).

7. Item: Operator assumed to isolate PORV in 10 min.
   Location: Vol. 3, Pg. 2.2-59
   Significance: Appears not significant.

8. Item: For non-LOOP transients and support state 7, RCP seal LOCA occurs.
   Location: Vol. 3, Pg. 2.2-60
   Significance: Not significant.

9. Item: No credit taken for intermittent quench spray operation to preserve RWST inventory.
   Location: Vol. 3, Pg. 2.2.7.1-4
   Significance: Probably not significant to public risk since operation of quench spray delays or eliminates containment failure.

10. Item: Accumulator failure causes core melt for large break LOCA.
    Location: Vol. 3, Pg. 2.2.7.1-5
    Significance: Not significant; large LOCA accidents not risk significant.
    Comments: Large LOCA does have a major contribution to core melt (See Section _).

11. Item: If containment spray injection and quench spray fail, neither LPRS nor CSRS can succeed.
    Location: Vol. 3, Pg. 2.2.7.1-C
    Significance: Could be significant, but it does not appear this assumption was retained.
    Comments: Pg. 4.4-27 of the MP-3 PSS indicates recirculation spray is operable in the absence of previous containment spray injection.

12. Item: Accumulator failure causes core melt for medium break LOCAs.
    Location: Vol. 3, Pg. 2.2.7.2-7
    Significance: Not significant to public risk since medium LOCAs are not risk significant.
    Comments: Medium LOCA with accumulator failure not a dominant sequence for core melt.

3.10.2 Intersystem Dependency

This subsection provides a brief overview of the results of an assessment of the MP-3 PSS method of accounting for intersystem dependencies.

The Millstone-3 PSS uses support states to represent the dependencies of front-line systems on support systems. A major assumption in this method is that no subtle interfaces or interactions within or between the various support system trains exist. That is, the support system trains are truly independent and affect only the associated front-line system trains. This is the design philosophy for the plant. However, other studies which have done more rigorous analysis of support system interfaces through the propagation of the connections through detailed fault tree models, e.g. the Interim Reliability Analysis Program (IREP) studies, have shown that this assumption is not always valid. While there are no obvious deficiencies in this area in the PSS, it is beyond the scope of this review to invest the required effort to determine if any subtle dependencies exist which were missed. There is no easy way to determine if anything of significance was omitted. This would require using fully integrated fault trees for each accident sequence or performing a separate component level systems interaction study.

Another problem area comes from the need to combine the many different possible support states into a much smaller number of simplified support states. These simplified support states consist of collections of actual support states which are similar in their effect on the plant response, but not completely identical. The assumption made in the analysis is that they are similar enough to be treated equally and that the effects of any simplified support state on the plant response are taken to be the effects of the most limiting actual support state in the group. This may add an element of conservatism in the analysis. However, this is a simplification which may or may not be valid and which is beyond the scope of this review to evaluate.

In either case, it can be stated that this treatment does not accurately represent the various possible effects and conditions stemming from the-dependence of front-line systems on support systems.


The above discussion points out problems with the support state method of analysis which would apply to any study which utilized it. As stated, it is not possible within the scope and time available to perform this review to determine if any of these problems are significant to the PSS. It is important to note, however, that other studies have demonstrated the potential for errors to be introduced in this way. Support system interfaces have been shown to be very important to risk and sometimes very subtle in nature. The support state method tends to treat these interfaces in a less rigorous manner than the use of fully integrated fault tree analysis. The use of the support state method may inject additional uncertainty into the PSS.

As far as the application of the support state method in the PSS is concerned, the potential loss of dc power was not treated in the support states utilized. Although electric power was selected as one of the support systems, the concentration was on the unavailability of the main ac engineered safety features busses. The effect of losing one dc power train can be more far-reaching than the loss of an ac train in that it causes more equipment failures. Additionally, the loss of some or all dc power following a loss of offsite power will have a significant effect on recovery of offsite power due to the unavailability of various control room indications and control circuits for breaker manipulations. It is generally assumed that in the total absence of dc power it is not possible to recover ac power in any reasonable amount of time. Although loss of dc power is treated as an initiating event, its lack of treatment in the support state analysis is a deficiency in the PSS. In examining the significance of this deficiency, it has been concluded that the omission is probably not significant if the turbine-driven auxiliary feedwater pump can successfully operate without dc power, as maintained by the applicant during a meeting at NUSCo headquarters in December 1983.

3.10.3 Common Cause Failure Analysis

The MP-3 PSS employed the Binomial Failure Rate model to assist in quantifying the contribution of common cause failures to system failure rates. Common cause failures have long been recognized to have a very important impact on nuclear power plant system failure rates. This occurs because many of these systems have redundant trains, each of which are generally of high reliability. Under these circumstances, common cause failures are almost always dominant contributors to system failures. Since common cause failures have been very rare at nuclear plants, there is generally insufficient data to permit a direct quantification of common cause failure contributions. As a result, various mathematical models have been proposed, and quantification of common cause failures in probabilistic risk assessments remains an uncertain and somewhat controversial area.

Of various models to quantify common cause failures, two are generally preferred by the reactor risk assessment community (1). These are the β-factor model and the Binomial Failure Rate (BFR) model. These two models are similar, and for two redundant train systems they produce equivalent results. The BFR is somewhat more sophisticated and generally represents the state of the art in common cause failure modeling. Much literature is available (1,2,3) which describes these models. Thus, a detailed description will not be provided here.

It is important to recognize that the BFR and β-factor models do not produce common cause failure rates from strictly random failure rates. Instead, they require input from the analyst on the potential for common cause failures. This is obtained usually by examination of data to determine which observed failure mechanisms contained the potential for common cause failure, or by actual use of common cause failure data if available. (For example, for a three-train system, common cause failures of two trains can be input to the BFR model in order to compute the common cause rate for three trains.) These data can be from identical systems or, if data are sparse, may be inferred from data on similar systems. In any case, considerable judgement is frequently required on the part of the analyst in inputting data (or assumptions related to data) to the BFR or in deriving a value for β for the β-factor model. As a result, significantly different results can be obtained by different analysts for the same system with the same model. Thus, while use of the BFR for common cause failures in the MP-3 PSS represents a generally acceptable state-of-the-art model, its use does not necessarily assure that common cause failures have been realistically estimated.
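As an added worked example, not taken from the PSS or from this review, the following Python code implements the two models discussed above side by side. The BFR model is parameterized in the usual way with an independent component failure rate (lam), a non-lethal shock rate (mu), a probability p that a shock fails any given component, and a lethal shock rate (omega); the β-factor model takes a fraction β of every component failure as a failure of all redundant trains. The parameter values are constructed for illustration and are not Millstone data. The code shows the two points made above: with β fitted from the two-train case the models agree exactly for two trains, while for three trains the β-factor model gives the higher all-trains failure rate; and the last function shows how an observed two-of-three common cause rate is extrapolated to three-of-three, where the analyst's choice of p decides the answer.

```python
"""Beta-factor and Binomial Failure Rate (BFR) common cause models, side by side.

Added example; not part of the MP-3 PSS or the review.  All numbers in the
usage block are constructed illustrative values, not plant data.
"""


def bfr_specific_subset_rate(m, k, lam, mu, p, omega=0.0):
    """BFR model: rate at which one particular set of k of m identical
    components fails together while the other m-k survive.

    lam   : independent (random) failure rate of a single component
    mu    : arrival rate of non-lethal shocks
    p     : probability that a non-lethal shock fails any given component
    omega : arrival rate of lethal shocks, which fail all m components
    """
    if m < 1 or not 0 <= k <= m:
        raise ValueError("need m >= 1 and 0 <= k <= m")
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    # A non-lethal shock hits exactly this subset with probability p^k (1-p)^(m-k).
    rate = mu * p ** k * (1.0 - p) ** (m - k)
    if k == 1:
        rate += lam        # a lone failure can also be an ordinary random failure
    if k == m:
        rate += omega      # a lethal shock takes out every train
    return rate


def bfr_all_fail_rate(m, lam, mu, p, omega=0.0):
    """BFR rate at which all m redundant trains are lost together."""
    return bfr_specific_subset_rate(m, m, lam, mu, p, omega)


def component_total_rate(lam, mu, p, omega=0.0):
    """Total failure rate seen by one component from all causes."""
    return lam + mu * p + omega


def beta_from_two_train_bfr(lam, mu, p, omega=0.0):
    """The beta for which the beta-factor model reproduces the BFR two-train result."""
    return bfr_all_fail_rate(2, lam, mu, p, omega) / component_total_rate(lam, mu, p, omega)


def beta_factor_all_fail_rate(beta, total_rate):
    """Beta-factor model: a fraction beta of all component failures takes every
    redundant train with it, however many trains there are."""
    return beta * total_rate


def triple_from_pair_rate(pair_rate, p):
    """Extrapolation described in the text: from an observed rate of a specific
    pair of trains failing together in a three-train system, infer the rate of
    all three failing.  Under BFR non-lethal shocks r3 = mu p^3 and
    r2 = mu p^2 (1-p), so r3 = r2 * p / (1-p); p is the analyst's judgement."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    return pair_rate * p / (1.0 - p)


def compare_models(lam, mu, p, omega=0.0):
    """Return (beta, two-train BFR, two-train beta-factor,
               three-train BFR, three-train beta-factor)."""
    beta = beta_from_two_train_bfr(lam, mu, p, omega)
    total = component_total_rate(lam, mu, p, omega)
    return (beta,
            bfr_all_fail_rate(2, lam, mu, p, omega),
            beta_factor_all_fail_rate(beta, total),
            bfr_all_fail_rate(3, lam, mu, p, omega),
            beta_factor_all_fail_rate(beta, total))


if __name__ == "__main__":
    # Constructed illustrative parameters (per hour); not Millstone data.
    LAM, MU, P, OMEGA = 1e-5, 1e-6, 0.1, 1e-8
    beta, r2_bfr, r2_beta, r3_bfr, r3_beta = compare_models(LAM, MU, P, OMEGA)
    print(f"beta fitted from the two-train BFR result: {beta:.3e}")
    print(f"2 trains: BFR {r2_bfr:.3e}   beta-factor {r2_beta:.3e}   (equal)")
    print(f"3 trains: BFR {r3_bfr:.3e}   beta-factor {r3_beta:.3e}   (beta-factor higher)")
    pair = bfr_specific_subset_rate(3, 2, LAM, MU, P)
    print(f"pair rate {pair:.3e} extrapolated to triple: {triple_from_pair_rate(pair, P):.3e}")
```

The three-train comparison is the practical caveat: the β-factor model charges every common cause event to the loss of all trains, so for systems with more than two trains it is the more conservative of the two, and the BFR result depends entirely on the value of p the analyst supplies.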


A general description of the MP-3 PSS common cause failure assessment is discussed in Appendix 2-C. This description appears adequate and includes a consideration of the important aspects of common cause failures. The Appendix includes a description of the BFR model and provides data used to quantify the common cause contribution.

Two specific common cause assessments are provided in the MP-3 PSS as indicated previously. These are common cause service water strainer plugging (Appendix 2-F) and best estimate common cause actuating logic unavailability (Appendix 2-G).

The SWS failure assessment and related implications are discussed in Section 3.6 of this report. Based on that discussion, it appears that SWS common cause failure is not of concern for the MP-3 plant. The assessment of actuating system logic appears reasonable.

In summary, it is concluded that the MP-3 PSS common cause failure models are reasonable and valid. The actual quantification of common cause failures is discussed, as part of the overall assessment of system failures, in Sections 3.4 and 3.6 of this report.


REFERENCES

1. PRA Procedures Guide, NUREG/CR-2300, Final Report, January 1983.
2. Data Analysis Using the Binomial Failure Rate Common Cause Model, NUREG/CR-3437, C. L. Atwood, EG&G Idaho, September 1983.
3. Estimators for the Binomial Failure Rate Common Cause Model, NUREG/CR-1401, C. L. Atwood, EG&G Idaho, April 1980.
4. "On the Analysis of Dependent Failures in Risk Assessment and Reliability Evaluation", K. N. Fleming, et al., Nuclear Safety, September-October 1983 (Vol. 24-5), pg. 637.


5.0 Summary and Conclusions

5.1 Dominant Sequences Corresponding to Each Plant Damage State

5.1.1 Internal Events

A simplified requantification was performed for the internal event sequences affected by the findings of the review. The requantification process used and the results are presented in this section.

All of the suggested modifications to the internal events analysis that are described in Chapter 3 have been included in this simplified requantification. The results should be used with care, with due consideration given to potential shortcomings arising from the necessarily simplified methods used to perform the requantification. The following assumptions and limitations apply and should be kept in mind when the results are examined.

o The initiating event categories and frequencies used are the revised events and frequencies discussed in Section 3.1 and summarized in Table 3.1.1 under the column titled "Point Est."

o Requantification is based on the revised event trees presented in Section 3.2. Event probabilities are generally taken from the PSS, except for system failure and human error events, and for the recirculation pump seal LOCA during station blackout (event S2 for support state 7) as described in Section 3.2.3.1.

o With two exceptions, the models and data used in the PSS to assess system failure probabilities and support state probabilities were evaluated as reasonable and used in the requantification.

- The first exception is for LOSP in support states 6 and 7, where the data used in the PSS for diesel-generators was evaluated as optimistic, as discussed in Section 3.6. Using the revised diesel-generator data, the support state failure probabilities changed from 0.014 to 0.04 for support state 6 and from 0.00018 to 0.002 for support state 7.

- The second exception concerns a modeling deficiency involving the DC batteries, the vital AC power supplies, and the emergency-generator load sequencers. The deficiency, which is particularly important during LOSP events, is discussed in Sections 3.4 and 3.10. The requantification did not treat this issue because the significant effort that would have been required is outside the scope of this review. This is a limitation on the results of the requantification.

o The operator action failure probabilities used are the revised and appended values discussed in Section 3.5 and summarized in Table 3.5.1 in the column titled "Review Assessment".

o All of the requantification effort was performed and checked by hand. No independent review of these results has been performed.

o In order to perform the requantification in a time frame and level of effort in keeping with the scope of the review, it was necessary to truncate the analysis at 1E-7/reactor-year for any given sequence. Thus, no sequences of lower frequency are accounted for. This has two consequences. First, plant damage state frequencies around 1E-7 have inherently greater uncertainty than those of higher frequency, since truncated sequences could contribute significantly to them. Second, plant damage states which have no review estimate value given are not necessarily lower than 1E-7; they simply have no single sequence of 1E-7 or greater contributing to them. These limitations must be kept in mind when using the requantification results.
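The two consequences of the 1E-7/reactor-year cutoff can be seen directly by aggregating sequence frequencies with and without the truncation. The following Python block is an added illustration and is not the review's own hand calculation; it uses the review's sequence notation (initiator(support state)/failed events) but the sequence list and frequencies are constructed for the example and are not values from Table 5.1.2.

```python
"""Effect of the 1E-7/reactor-year sequence cutoff on plant damage state totals.

Added illustration, not part of the review's hand requantification. Sequence
identifiers follow the review's notation; the frequencies are constructed
for this example and are not taken from Table 5.1.2.
"""
from collections import defaultdict

CUTOFF = 1.0e-7  # per reactor-year; the truncation level used in the review


def constructed_sequences():
    """Constructed input: (plant damage state, sequence, frequency per reactor-year)."""
    seqs = [("PDS-X", "E3(1)/R2", 1.2e-7)]
    # Forty below-cutoff sequences feeding the same damage state.
    seqs += [("PDS-X", f"E3(2)/AF1/R2/seq{i}", 5.0e-8) for i in range(40)]
    # A damage state whose every sequence is individually below the cutoff.
    seqs += [("PDS-Y", f"E14(6)/AF1/OA7/seq{i}", 8.0e-8) for i in range(30)]
    return seqs


def quantify(sequences, cutoff=CUTOFF):
    """Sum sequence frequencies into plant damage states, with and without the cutoff."""
    totals = defaultdict(lambda: {"truncated": 0.0, "untruncated": 0.0, "dropped": 0})
    for pds, _seq, freq in sequences:
        if freq < 0.0:
            raise ValueError(f"negative frequency for {pds}")
        rec = totals[pds]
        rec["untruncated"] += freq
        if freq >= cutoff:
            rec["truncated"] += freq
        else:
            rec["dropped"] += 1
    return dict(totals)


def review_estimate(totals, pds):
    """The value that would be printed in the review table for a damage state.
    None corresponds to a '----' entry: no contributing sequence reached the
    cutoff, which does not mean the state itself lies below it."""
    rec = totals.get(pds)
    if rec is None or rec["truncated"] == 0.0:
        return None
    return rec["truncated"]


def underestimate_factor(totals, pds):
    """Ratio of the untruncated total to the truncated estimate for a state."""
    rec = totals[pds]
    if rec["truncated"] == 0.0:
        return float("inf")
    return rec["untruncated"] / rec["truncated"]


if __name__ == "__main__":
    totals = quantify(constructed_sequences())
    for pds in sorted(totals):
        est = review_estimate(totals, pds)
        shown = "----" if est is None else f"{est:.0E}"
        print(f"{pds}: table shows {shown}; untruncated total {totals[pds]['untruncated']:.1E}; "
              f"{totals[pds]['dropped']} sequences dropped; "
              f"underestimate factor {underestimate_factor(totals, pds):.1f}")
```

In the constructed case PDS-X would be tabulated at 1E-7 although its untruncated total is about 2E-6, and PDS-Y would appear as "----" although its untruncated total is well above the cutoff; both are the effects the assumptions list warns about.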


" 5.1.2 Requantification Results The results of the requantification discussed above are presented in this section. It is very important tc reaember that these results shoald not be present ed without reference to the ae.sumptions and limitations discussed in Section 5.1.1. Table S.1.1 presents the review requantification estimate for each plant damage state and compares it to the mean value from the HP-3 P55.

Table 5.1.2 presents the dominant sequences whose frequency is at least 1E-7/reactor-year for each plant damage state as determined by the requantification. The format of the sequence representation is the same as was used in the PSS. A legend to aid in interpreting the sequence representations is provided on the last page of the table. The remainder of this section discusses the reasons for the major differences in certain plant damage states between the PSS mean and the review point estimate.

5.1.2.1 Small LOCA with Early Core Melt

The principal reason for the increase in the frequency of these plant damage states (SEC, SEC', S'EC), which include incore instrument tube ruptures, is inclusion of the procedural human error OA-2-E. This error, which was not considered in the PSS, accounts for the operator overthrottling the high pressure injection system when he tries to take control of it during these sequences. The error is evaluated and discussed in Sections 3.2.1.1 and 3.5.1.4.

5.1.2.2 Small LOCA with Late Core Melt

The principal reason for the increase in the frequency of these plant damage states (SLC, SLC', S'L) is rejection of the PSS assumption that it is possible to avoid the need for recirculation by conserving RWST inventory for these events. A detailed discussion of this subject is contained in Section 3.2.1.6 of this report. Adding the need for recirculation to these events created a new set of core melt sequences, and the PSS recirculation failure probability was high enough to raise the frequency of these damage states.


5.1.2.3 Transients with Early Core Melt

There are two principal reasons for the increase in the frequency of these plant damage states (TEC, TE). Both are related to loss of offsite power events. The first is the increase in the support state 6 and 7 probabilities discussed in Sections 5.1.1 and 3.6. The second is the change in the recirculation pump seal failure probability discussed in Section 3.2.3.1.

These items in combination contribute most of the increase in these plant damage states. It is important to note that the modeling deficiency pertaining to loss of offsite power which was discussed in Section 5.1.1 might have caused this damage state to rise even further if it could have been treated in the review. It is also possible that both the initiating event frequency and the failure-to-recover probability could be higher, as discussed in Section 3.1.2.5. If this were the case, the TEC plant damage state could be as much as a factor of 3 higher than it is now, although a factor of 2 would be more likely (to 8E-5/yr), whereas the TE plant damage state would likely increase by approximately a factor of 5 (to 3E-5/yr) and by as much as a factor of 10.

5.1.2.4 Transients with Late Core Melt

The principal reason for the increase in the frequency of this plant damage state (TLC) is inclusion of operator action OA-10 for steam generator tube rupture events. This action represents a requirement that the operator must act to reduce primary system pressure by controlling HPI flow for steam generator tube rupture events where both auxiliary feedwater and high pressure injection are functioning. This requirement, which was not considered in the PSS, is evaluated and discussed in detail in Section 3.2.2.2.

5.1.2.5 Steam Generator Tube Rupture with Steam Leak and Early Core Melt

The principal reason for the increase in the frequency of these plant damage states (V2EC, V2EC') is inclusion of operator action OA-6-E. This error accounts for the operator misdiagnosing the plant conditions and terminating high pressure injection when it should not be terminated. This error, which was not considered in the PSS, is evaluated and discussed in detail in Sections 3.2.1.1 and 3.5.1.5.

5.1.2.6 Steam Generator Tube Rupture with Steam Leak and Late Core Melt

The principal reason for the increase in the frequency of this plant damage state (V2LC) is the same as for transients with late core melt (see Section 5.1.2.4 above).

5.1.2.7 Interfacing Systems LOCA

The principal reason for the decrease in the frequency of this plant damage state (V) is requantification of the initiator frequency, which is evaluated and discussed in detail in Section 3.1.2.7.

This reanalysis does not include the considerations discussed in Section 3.9, which would reduce the interfacing systems LOCA probability even further. It is important to note, however, that the overall results of the requantification effort shown in Table 5.1.1, which show a higher probability of core melt, do not immediately imply a greater risk to the public. The reduction in the probability of the interfacing systems LOCA is expected to result in a reduction in the overall risk for early fatalities in spite of the significant increase in the overall core melt probability.


TABLE 5.1.1  Plant Damage State Frequencies for Internal Events (per Reactor-Year)

SYMBOL   DESCRIPTION                                                   PSS MEAN    REVIEW ESTIMATE*
AEC      LARGE LOCA, EARLY MELT                                        1.92E-06    8E-7
AEC'     LARGE LOCA, EARLY MELT, FAILURE OF RECIRCULATION SPRAY        4.17E-09    ----
AE       LARGE LOCA, EARLY MELT, NO CONTAINMENT COOLING                2.68E-09    ----
ALC      LARGE LOCA, LATE MELT                                         5.44E-06    2E-6
ALC'     LARGE LOCA, LATE MELT, FAILURE OF RECIRCULATION SPRAY         4.88E-07    1E-7
ALC"     LARGE LOCA, LATE MELT, FAILURE OF QUENCH SPRAY                3.42E-09    ----
AL       LARGE LOCA, LATE MELT, NO CONTAINMENT COOLING                 3.36E-10    ----
SEC      SMALL LOCA, EARLY MELT                                        1.12E-06    2E-5
SEC'     SMALL LOCA, EARLY MELT, FAILURE OF RECIRCULATION SPRAY        2.76E-09    6E-7
SE       SMALL LOCA, EARLY MELT, NO CONTAINMENT COOLING                1.17E-07    ----
S'EC     INCORE INSTRUMENT TUBE LOCA, EARLY MELT                       --------    4E-7
S'E      INCORE INSTRUMENT TUBE LOCA, EARLY MELT, NO CONT. COOLING     1.83E-09    ----
SLC      SMALL LOCA, LATE MELT                                         9.81E-06    1E-4
SLC'     SMALL LOCA, LATE MELT, FAILURE OF RECIRCULATION SPRAY         4.79E-07    1E-5
SLC"     SMALL LOCA, LATE MELT, FAILURE OF QUENCH SPRAY                5.77E-08    ----
SL       SMALL LOCA, LATE MELT, NO CONTAINMENT COOLING                 2.73E-09    ----
S'L      INCORE INSTRUMENT TUBE LOCA, LATE MELT                        3.35E-10    1E-7
TEC      TRANSIENT, EARLY MELT                                         1.81E-05    4E-5
TEC'     TRANSIENT, EARLY MELT, FAILURE OF RECIRCULATION SPRAY         3.46E-07    2E-7
TE       TRANSIENT, EARLY MELT, NO CONTAINMENT COOLING                 5.31E-06    7E-6
TLC      TRANSIENT, LATE MELT                                          --------    4E-5
V2EC     STEAM GENERATOR TUBE RUPTURE, STEAM LEAK, EARLY MELT          1.11E-07    4E-6
V2EC'    SGTR, STEAM LEAK, EARLY MELT, FAILURE OF RECIRC. SPRAY        1.03E-09    3E-7
V2E      SGTR, STEAM LEAK, EARLY MELT, NO CONTAINMENT COOLING          1.29E-08    ----
V2LC     SGTR, STEAM LEAK, LATE MELT                                   2.16E-09    2E-7
V2LC'    SGTR, STEAM LEAK, LATE MELT, FAILURE OF RECIRC. SPRAY         1.49E-10    ----
V2LC"    SGTR, STEAM LEAK, LATE MELT, FAILURE OF QUENCH SPRAY          1.77E-11    ----
V2L      SGTR, STEAM LEAK, LATE MELT, NO CONTAINMENT COOLING           8.40E-13    ----
V        INTERFACING SYSTEMS LOCA                                      1.90E-06    4E-7
TOTAL**                                                                4.53E-05    2E-4

* The review estimates provided are preliminary estimates based on a number of simplifying assumptions and subject to a number of limitations discussed in Section 5.1.1. The reader is cautioned to keep these assumptions and limitations in mind when considering the various potential implications of these results.

** It is important to note that the increase in the plant damage state frequency does not necessarily immediately imply a corresponding increase in overall public risk. The reduction in the frequency of interfacing systems LOCA, which was a dominant contributor to early fatalities risk, will result in a reduction in overall risk for early fatalities.


TABLE 5.1.2  Dominant Sequences By Plant Damage State (All Values per Reactor-Year)

AEC      8E-7
         E2(1)/ACC                          6E-7
         E1(1)/ACC                          2E-7

ALC      2E-6
         E2(1)/R2                           2E-6
         E1(1)/R1                           4E-7

ALC'     1E-7
         E2(1)/R2/R3                        1E-7

SEC      2E-5
         E3(1)/OA2E                         2E-5
         E3(1)/OA6E                         2E-6
         E14(7)/E60/OA7'                    2E-7
         E14(7)/S2/OA7'                     1E-7

SEC'     6E-7
         E3(1)/OA2E/R3                      6E-7

S'EC     4E-7
         E15(1)/OA2E                        4E-7

SLC      1E-4
         E3(1)/R2                           1E-4
         E3(2)/R2                           5E-6
         E15(1)/R2                          3E-6
         E20(2)/AF1/R2                      3E-6
         E21(2)/AF1/R2                      3E-6
         E7(2)/PCS/AF1/R2                   1E-6
         E8(1)/AF1/R2                       1E-6
         E17(2)/AF1/R2                      7E-7
         E5(2)/AF2/R2                       5E-7
         E4(2)/AF2/R2                       5E-7
         E7(1)/PCS/AF1/R2                   4E-7
         E8(2)/AF1/R2                       3E-7
         E14(7)/E60/S2/R2                   1E-7
         E5(1)/AF2/R2                       1E-7
         E4(1)/AF2/R2                       1E-7

SLC'     1E-5
         E3(1)/R2/R3                        1E-5
         E3(2)/R2/R3                        2E-7
         E15(1)/R2/R3                       2E-7
         E20(2)/AF1/R2/R3                   1E-7
         E21(2)/AF1/R2/R3                   1E-7

S'L      1E-7
         E15(1)/QS/OA9                      1E-7

TEC      4E-5
         E14(7)/E60/E120                    2E-5
         E18(2)/AF1/OA7                     6E-6
         E8(1)/AF1/OA7                      5E-6
         E7(1)/PCS/AF1/OA7                  2E-6
         E20(2)/AF1/OA7                     1E-6
         E21(2)/AF1/OA7                     1E-6
         E14(7)/AF1/E60/E120                1E-6
         E14(7)/AF1/E60                     8E-7
         E14(6)/AF1/OA7                     8E-7
         E5(1)/AF2/OA3                      6E-7
         E4(1)/AF2/OA3'                     6E-7
         E7(2)/PCS/AF1/OA7                  5E-7
         E17(2)/AF1/OA7                     4E-7
         E5(2)/AF2/OA3                      2E-7
         E8(2)/AF1/OA7                      2E-7
         E4(2)/AF1/OA3'                     2E-7
         E13(1)/AF1/OA3                     1E-7

TEC'     2E-7
         E18(2)/AF1/OA7/R3                  2E-7

TE       7E-6
         E14(7)/E60/E120/QS'                6E-6
         E20(4)/AF1/OA7/QS                  8E-7
         E14(7)/AF1/E60/E120/QS'            3E-7

TLC      4E-5
         E4(1)/OA10                         4E-5
         E4(2)/OA10                         2E-7

V2EC     4E-6
         E4(1)/OA6E                         4E-6

V2EC'    3E-7
         E4(1)/OA6E/R3                      3E-7

V2LC     2E-7
         E4(1)/OA10/SL                      2E-7

V        4E-7
         E16                                4E-7


TABLE 5.1.2 (Continued)

Dominant Sequences By Plant Damage State

LEGEND

Initiating Events

E1    Large LOCA
E2    Medium LOCA
E3    Small LOCA
E4    Steam Generator Tube Rupture
E5    Steamline Break Inside Containment
E7    Power Conversion System Available
E8    Loss of Power Conversion System
E13   Spurious Safety Injection
E14   Loss of Offsite Power
E15   Incore Instrument Tube Rupture
E16   Interfacing Systems LOCA
E17   Loss of a Single Service Water Train
E18   Loss of a Single Vital DC Bus
E20   Loss of Vital AC Bus 120-VAC-1 or 120-VAC-2
E21   Loss of Vital AC Bus 120-VAC-3 or 120-VAC-4

Support States

(1)   All support systems available
(2)   One support train unavailable
(4)   All ESF signals unavailable
(5)   LOSP, all support systems available
(6)   LOSP, one support train unavailable
(7)   LOSP, both support trains unavailable

Events

ACC   Failure of Accumulators
AF1   Failure of Auxiliary Feedwater
AF2   Failure of Auxiliary Feedwater (SGTR and Steamline Breaks)
E60   Failure to Restore Offsite Power in 1 Hour
E120  Failure to Restore Offsite Power in 1-2 Hours
OA2E  Operator Overthrottles HPI Resulting in Inadequate Flow
OA3   Operator Fails to Establish Primary Bleed
OA6E  Operator Erroneously Terminates High Pressure Injection
OA7   Operator Fails to Establish Primary Bleed and Feed
OA9   Operator Fails to Delay Recirculation When Sump Empty
OA10  Operator Fails to Control HPI During SGTR
PCS   Failure of Power Conversion System
QS    Failure of Quench Spray
R1    Failure of Low Pressure Recirculation
R2    Failure of High Pressure Recirculation
R3    Failure of Containment Spray Recirculation
S2    Consequential Small LOCA
SL    Consequential Steamline Leak (Break)