ML20090M528
| ML20090M528 | |
| Person / Time | |
|---|---|
| Site: | Beaver Valley |
| Issue date: | 03/17/1992 |
| From: | DUQUESNE LIGHT CO. |
| To: | |
| Shared Package | |
| ML20090M527 | List: |
| References | |
| NUDOCS 9203240307 | |
| Download: ML20090M528 (907) | |
Text
{{#Wiki_filter:. . - . . __ __ l Beaver Valley Power Station , Unit 2 ! Probaalistic Risk Assessment Individua 3 l 1 ant Examina: ion Summary Report -
-l 1 I i t i l !
i ! l l a a v v v gitiffiliin ISS 2$8SEE o$$SM12-P PDR Duquesne Lij1t l l
BEAVER VALLEY UNIT 2 PROBABILISTIC RISK ASSESSMENT O PROJECT TEAM V froject Managers r
- Karl N. Fleming (PLG)
Carl O. Richardson (S&W) Stephen A. Nass (DLC) m;' Principal Investigators Donald J. Wakefield (PLG) R. Kenneth Deremer (PLG) James E. Metcalf (S&W) Senior Advisors B. John Garrick (PLG) Richmond Gardner (S&W) Nelson R. Tonet (DLC) . ,q Other Key Contributors PLG- S&W DLC Grant A. Tinsley Lisa O'Neill F. William Etzel Y, J. Kim Karl Swenson Sum T. Leun0 Shobha B. Rao Robert Ma ti Phillip Spano James P Moody G . B ollo m o James Szyslowski Jack W. Read Sharon Hallett Pak P. Seto . Wee Tee Loh - Joe Creamer Dennis C. Bley
.J-
8:svar Vt.ll;y Pcwcr Stati:n Unit 2 Rsvision 0 Probsbilistic Risk Asssssmsnt
-p CHAPTER 1 EXECUTIVE
SUMMARY
i.m,/ TABLE OF CONTENTS Section Title Page 1.1 B ACKGROUND AND OB.lECTIVES 1.1-1 1.2 PLANT FAMILIARIZATION 1.2-1 1.3 OVER ALL METHOD' OLOGY 1.3-1 1.4
SUMMARY
OF MAJOR FINDINGS 1.4-1 1.4.1 Results of Core Dama0e Frequency 1.4- 1 1.4.2 Contributors to Core Damage Frequency 1.4-3 1.4.3 Results for Release Frequency 1.4 17 1.4.4 Contributors to Release Frequency 1.4-20 1.5 IMPORTANT OPERATOR ACTIONS 1.5-1 1.0 IMPORTANT PLANT HARDWARE CHARACTERISTICS FOR 1.6-1 CORE DAMAGE FREQUENCY 1.7 IMPORTANT PLANT CHARACTERISTICS FOR 1.7-1 CONTAINMENT PERFORMANCE
1.8 REFERENCES
1.8-1
'L)
O 1 L- ,- . .
B::v:r Vcilsy P:w:r St:tien Unit 2 Rsvislan 0 Prcbsbilistic Risk Asstymnt CHAPTER 2 EXAMINATION DESCRIPTION TABLE OF CONTENTS Section Title Page
2.1 INTRODUCTION
2.1 1 2.2 CONFORMANCE WITH GENERIC LETTER AND SUPPORTING 2.2-1 MATERIAL 2.3 GENERAL METHODOLOGY 2.3-1
.2.3.1 Introduction 2.3-1 2.3.2 Causes and Consequences of Failure 2.3-2 2.3.3 Methodology of Probability and Risk Assessment 2.3-5 2.3.4 Summary 2.3-14 2.4 INFORMATION ASSEMBLY 2.4-1 2.4.1 Plant Layout and Containment Building information 2.4- 1 2.4.2 Review of Other PRAs and insights 2.4-1 2.4.3 Plant Documentation 2.4-1 2.4.4 Walk-Through Activities 2.4-1
2.5 REFERENCES
2.5-1 l O 11
B:av:r Veltsy Pcwsr Statlan Unit 2 Revision 0 Probabilistic Risk Assessmsnt CHAPTER 3 - FRONT END ANALYSIS A) ( TABLE OF CONTENTS Section Title Page 3.1 ACCIDENT SEQUENCE DELINEATION 3.1 1 3.1.1 initiating Events 3.1 5 3.1.2 Event Sequence Diagrams and Success Criteria 3.2-18 3.1.3 Frontline Event Trees 3.1 61 3.1.4 Special Event Trees 3.1-127 3.1.5 Support System Event Tree 3.1-134 3.1.6 Sequence Grouping and Back-end Interfaces (Plant Damage 3.1 145 States) 3.2 SYSTEM ANALYSIS 3.2-1 3.2,1 System Descriptions 3.2 32 3.2.2 Systern Analysis 3.2-113 3.2.3 System Dependencies 3.2-124 3.3 SEQUENCE QUANTIFICATION 3.3-1 3.3.1 List of Generic Data 3.3-i 3.3.2 Plant-Specific Data and Analysis 3.3-24 3.3.3 Human Failure Data 3.3 3.3.4 Common Cause Failure Parameters 3.3-96 3.3.5 Quantification of Unavailability of Systems and Functions 3.3-118 3.3.6 Generation of Support System and Quantification of Their 3.3-136 Probabilities 3.3.7 Quantification of Sequence Frequencies 3.3-137 3.3.8 Internal Flooding Analysis 3.3-152 3.3.9 HVAC Dependent Failures 3.3-160 3.4 RESULTS AND SCREENING PROCESS -3.4-1 3.4.0 Overview of Results and Contributors 3.4-t 3.4.1 Application of Generic Letter Screening Criteria 3.4-5 3.4.2 Vulnerability Screening 3.4-44 3.4.3 Decay Heat Removal Evaluation 3.4-67 3.4.4 USl and GSI Screening 3.4-70 . /] v iij
Deaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment CHAPTER 4 - BACK END ANALYSIS TABLE OF CONTENTS Section Title Page }
-4.1 PLANT DATA AND DESCRIPTION 4.1 1
- 4.1.1 Comparison of Beaver Valley Unit 2 and Surry Unit 2 4.1-1 Containment Walk Through 4,1-2 4.1.2 - 4.1.3 Containment Systema Analyses 4.1 5 s 4.1.4 Equipment Survivability 4.16 4.2 PLANT MODELS AND METHODS FOR PHYSICAL 4.2-1 E PROCESSES k 4;' Analogy to Surry 4.2 1 Plant-Unique Analysis of Beaver Valley Unit 2 4.2-1 a} 4 's > ,2 . 4.1.3 Containment Response issues 4.2-2 s: IEr - 4.3 BINS AND PLANT DAMAGE STATES 4.3-1 Selection of Plant Damage State Parameters 4.3-1 4.3.1 4.3.2 Plant Damage State Definition 4.3-3 4.3.3 Comprehensive PDS Matrix for Beaver Valley Unit 2 4.3-5 4.3.4 Condensed PDS Matrix for Beaver Valley Unit 2 4.3-10 4.4 CONTAINMENT FAILURE CHARACTERIZATION 4.4-1 4.4.1 Containment Design Comparison 4.4 1 4.4.2 Penetration Leakage 4.4 2 , 4.4.3 RPV Support Failure 4.4-3 4.4.4 Containment Failure Modes Associated with ATWS Events 4.4-3 (Excessive LOCA) 4.5 CONTAINMENT EVENT TREE 4.5-1 4.5.1 Containment Event Tree Logic 4.5-2 7 4.5.2 Description of CET Top Events 4.5-3 4.6 ACCIDENT PROGRESS 4 AND CET QUANTIFICATION 4.6-1 4.6.1 Selection of Accident Scquences for Release Category 4.6-1 Definition 4.6.2 Accident Progression Analysis 4.6-1 4.6.3 CET Quantification 4.6-9 4.7 RADIONUCLIDE RELEASE CATEGORIES 4.7-1
'4.7.1 Releast. Category Definition 4.7-1
[ 4.7.2 Release Category Source Terms 4.7-5 iv
B cvar Vallry Pewar Statien Unit 2 Revision 0 Probabilistic Risk Assessment CHAPTER 4 DACK END ANALYSIS
- TABLE OF CONTENTS Section Title Page 4,8 BACK END RESULTS 4.8-1 4.8.1 Releaso C:tcgury Group i (Largo, Early Containment Failure 4.8-1 and Bypasses) 4.8.2 Release Category Group 11 (Small, Early Containment 4.8-2 Failures and Bypasses) 4.8.3 CET Split Fraction importance 4.8 2 4.8,4 Sonsitivity Study 4,8-4 4.8.5 Release Category Group Uncertainties 4.8-6
4.9 REFERENCES
4.9-1 1 o u V
Beaver Valley Power Station Unit 2 Revision 0 t Probabilistic Risk Assessment CHAPTER 5 - UTILITY PARTICIPATION AND INTERNAL TABLE OF CONTENTS Section Title Page 5.1 IPE PROGR AM ORGANIZATION 5.1 1 5.2 COMPOSITION OF INDEPENDENT REVIEW 1EAM 5.2-1 5.3 AREAS OF REVIEW AND MAJOR FINDINGS 5.3-1 5.4 RESOLUTION OF COMMENTS 5.4 1
5.5 REFERENCES
5.5-1 O 0 9 vi
Barvsr Vctisy Pawsr Statlan Unit 2 Revision 0 Prcbabilistic Risk Assessm:nt CHAPTER 6- PLANT IMPROVEMENTS AND UNIQUE SAFETY
- v. TABLE OF CONTENTS Section Title Pa00
6.1 INTRODUCTION
6.1 1 6,2 BEAVER VALLEY UNIT 2 MAIN BENEFICIAL FEATL'RES 6.2 1 6.2.1 Beneficial Operator Actions 6.2-1 6.2.2 Beneficial Plant Hardware 6.2-1 6.2.3 Beneficial Containment Features 6.2-2 6.3 BEAVER VALLEY 2 VULNERABILITIES IDENTIFIED & 6.3-1 POTENTIAL ENHANCEMENT 6.3.1 Operator Actions 6.3-1 6.3.2 Plant Hardware 6.3 2 6.3.3 Containment 6.3 3 6.4 ADDITIONAL OPER ATOR ACTIONS THAT INFL UENCE THE 6.4-1 CORE DAMAGE FREQUENCY 6.4.1 Depressurize the intact Steam Generators During a Steam 6.4-1 Generator Tube Rupture Sequence or Small LOCA When, In Either Case, All High Head Safety injection if Failed 6.4.2 Gag Closed a Failed Open Steam Generator Safety Valve 6.4 1 During a Steam Generator Tube Rupture Sequence 6.4.3 Manual Loading of Standby Service Water Pumps cnto the 6.4 1 Diesel Generators Given Failure of Both Service Water Pumps to Restart Following a Loss of Offsite Power 6.4.4 Terminate HHSI Prior to a Pressurizer PORV Challen0e. 6.41 Given an inadvertent Safety injection Signal 6.4.5 Realign HHSl Suction Flow Around Check Valve 20SS'27, 6.4-2 Should it Fail To Open When HHSI is Required to Pump Water from the RWST 6.4.6 Open Cold Leg Alternate Injection Path for HHS! 6.42 6.4.7 Manual Equipment Actuation, Given a LOCA with Failure of 6A-2 St Actuation Relays . 6.4 8 Loss of Control Room Ventilation for a Station Blackout 6,4-2 s vii
B: aver Vcil;y Pcwcr Stati:n Unit 2 Rsvisi:n 0 Prcbabilistic Risk Ass:s:m:nt CHAPTER 7 -
SUMMARY
AND CONCLUS!ONS TABLE OF CONTENTS Section Title Page 7
SUMMARY
AND CONCLUSION 7 -1 O O viii
~ _ - -- -
Beaver ValleylPower Station Unit' 2 Revision 0 , l Probabilistic Risk Assessmerit i 1 EXECUTIVE SUMMAR.Y l
1.1 BACKGROUND
AND OBJECTIVES l i.- ! A systematic safety assessmunt was performed for Beaver Valley Umt 2 using probabihstic : risk assessment (PRA) technology. The purpose of the PRA was twofoli (1) to initiale a ! y comprehensive risk management program for Duquesne Light Company, and (2) to satisfy the U.S Nuclear Regulatory Ccmmission (NRC) reqmroment for each plant m the U S to perform ao mdividual plant- exammation (IPE). The PRA was performed by an miegrated team of engineers and PRA specialists from Duquesne Light Company (DLC); Pickard. Lowe and Garrickc inc. (PLG); and Stone & Webster Engineering Corporatico (S&W). The overali 01 jectives of the PR A program are to
. Develop plant specific Level 2 PR A noodels for Unit 1 and 2 to support a comprehensive risk management program, l
Apply and develop (g neric and plant specific PRA databases for imtiatmg event L fregunncies, component failure rates, maintenance unavadabihties. common cause failure
~
parameters, and human error rates. > h 4 Develop point estimale .,ad uncertainty distribution results for the frequency of core L- damage and a full spectrum of radioactive release categories for Units 1 and 2. > U
- Determino the . underlying risk controlling f actors and key sources of uncertainly in developing the risk estimates.
Provide PR A technology transfer to DLC including methods, sof tware, and training
- Meet- the NRC requirements :for IPEs as set forth in NRC Generic Letter No. 88-20.
i (Reference 1-1) and NUREG 1335 (Reference 12). l The scope of the assessment is classified as a Level 2 PRA in which the accident sequences are developed sufficient to define a reasonably complete set of radioachvo material release . categories and a definition of thc source terms for radioactive release. The scope of the , initiating event coverage.is currently limited to what are normally referred to as internal ' events and internal plant floods. However, the accident sequence models have been >l developed to facilitate future expansion to include a full treatrnant of external events, The purpose of this summary is to present the current results for the Level 2 PRA on Unit 2.
- These results 'nclude i an ' estimate of the core damage frequency; a quantification of r uncertamties in this estimate: and a delineation of the key plant states and release categories ,'
as well as the sequences, systems, and sources of uncertainty that are driving the results in addition, infortnation is provided on the nature, timing, ed magrutude of potential releases of " radioactivo material based on the results of plant-specific analyc and NUREG-1150 results for Surry. Because of substantial changes in licensing requirements that have occurred over tirne and, j in particular; after the Three Mile Island accident, there are differences in the details of the l plant. design and general layout between Unit 1, which went online in 1976, and Unit 2; which 1 l went into operation about 11 years later. In view of these differences and the need to 5 accomplish a strong degree of PRA technology transfer, the work to complete the PRAs on , i both units was organized as follows: ' j 1.1-1 u aaorcuna ana cteue for man Aaera 1- - --- _ _ , ,. _ -- -
NLI B?av r Vclisy Pow 3r Stction Unit 2 Revision 0 Prebsbilistic Risk Asssssmsnt
- In 1988, a team of experts from PLG and S&W completed Phase A of a PRA on Uni: 0 This phase incluoed system familiarization, system notebook preparation, reliability block diagrains, system dependency matrices, and a preliminary list of initiating events.
- In 1989, the PLG/S&W team completed a plant specific Level 2 PRA on Unit 2 using generic data on component reliability parameters and initiating event frequencies. In parallel, a team of DLC personnel, with support and guidance from PLG and S&W, reviewed the Unit 2 Phase A work and then completed a similar phase on Unit 1.
- In 1991, the DLC PRA team developed unit specific, plant specific PRA databases for component reliability parameters and initiating events based on a total of almost 16 reactor-years of Beaver Valley Units 1 and 2 operating experience. The Unit 2 PR A model was requantified by DLC to incorporate the Unit 2 plant-specific data.
O 38 9 1.12 11 na 6 ground ano ooiectives for Human Act,ons
- - - - - -. . - - . ~ - .. ~~ . .
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment 1.2 PLANT FAMILIARIZATION j PLG's principal investigator and lead systems analyst met at S&W offices and at the plant site early in the project. During this period, an intensive effort was made to collect plant information and docurnentation, and to interact with many engineers and operations personnel on questions and issues relating to plant behavior during abnormal conditions. The plant visits included a plant walk-through. Following these imtial visiw, severa' additional visits by PLG personnel were made to the plant to perform walk-throughs and inspections, and to describe PRA results and models. The major walk-throu0h and plant visits included:
- A 2-day plant walk through and inspection of DLC's detailed scale model facility in support of the internal flood analysis task. A Unit 2 operator and other DLC engineers participated.
- Two separate containment building walk-throughs (first, Unit 2, and later, Unit ?) in support of the back end analysis.
*A 3-day meeting with DLC management, engineering, licensing, operations, and maintenance personnel to present qualitative evaluation results. This included preliminary initiating events, event sequence diagrams, system descriptions and success diagrams, and intersystem dependencies.
- Several multi-day meetings to discuss the draft of this report and to cbtain input on the human reliability tasks from operations and training personnel from D'_C.
O V in addition to the above plant visits, several additional steps were taken to ensur6 adequate plant familiarization. Several PRA deliverables were reviewed by cognizant DLC/S&W engineering, licensing, operations, and trainlag organizations to ensure that key assumptions about plant and systems configurations, success criteria, procedural factors, and other plant-related factors were correct or reasonably justified. The DLC portion of the PRA team is located at the site and is very familiar with the plant The S&W portion of the team has significant experience at the site since it consists of the original designers and engineers. r l l n/ l i. 1.2-1 12 nant Famoamation. 7r
--------.-- -----.-..--.----.-.-...-.--.---,---.--.---..m,--.-.-- - - - - - - -- . - - -------w---.- . - -----_-.------.----x--.---.-,------------------.----- - . - - - - - - - - - ----
O O
)
O
Banysr VcIlsy Powcr Ststlen Unit 2 Rsvisien 0 Prcb:bilistic Risk Asesssmsnt ] 1.3 OVERALL METHODOLOGY The Beaver Valley Unit 2 PRA is founded on a scenario-based definition of risk. In this
' application, " risk" is defined as the answers to three basic questions:
- 1. What can go wrong?
l ,
- 2. _What is the likelihood?
- 3. What are the consequences?
Question 1 is answered with a s'ructured set of scenarios that is systematically developed to account for design and operating features specific to Beaver Valley. Question 2 is answered with a prediction or estimate of the frequency of occurrence of each scenario identified in the answer to question 1. Since there is uncertainty in that frequency, the fell picture of likelihood will be conveyed by a probability curve-a curve that conveys the state of knowledge, or confidence, abou: that frequency. The third question is answered in a Level 2 PRA with the key characteristics of radioactive i material releases that could result from the scenarios identified. In Level 3 analys:s, offsite consequences such as public health effects and property damage are estimated for these releases. -The results currently reported are for a Level 2 PRA. A large fraction of the effort needed to complete a PRA is spent in the development of a model to define a reasonably complete set of accident sequences that is appropriate for the specific plant. An overview of the accident sequence model for Beaver Vaiiey is presented in i Figure 1-1. This model contains a very large number of different scenarics that are systematically developed from the point of initiation, on the left, to terminaticn, on the right. A series of event trees is used to systematically identify the scenarios from the initiating events to the point .of termination. The event trees are quantified by assigning event tree
" split f actions" to each node in the trees. The split fractions quantify the relative frequency of success versus failure at each node of the tree, given that the scenarlo has progressed to that point in the tree. The split fractions are assigned probability values as well as names to facilitate the quantification and the decomposition of the results. Given knowledge of the
- event tree structures, specific accident sequences can be uniquely identified by specifying:
_1. The initiating event.
- 2. The split fraction names for each event tree node that is postulated to fail aiong the accident sequence.
- 3. The end state of the accident sequence.
As noted in Figure 1-1, rather than using a single, large event tree that would be cumbersome to analyze and document, a series of linked event trees is used. The linking is accomplished within the RISKMAN@ Version 3 PC based software system that effectively constructs a single, large tree inside the computer. Unlike previous PRAs performed using 1; PLG methods, all scenarios with significant frequencies are linked together without the need for the use of support states or impact vectors to accomplish the linking. The end states _that are used to terminate the sequences are the plant damage states for the Level 1 part of the risk model and release categories at the end of the Level 2 event trees. For the first time in Q this PRA, the Level 1 and Level 2 event trees have been fully integrated and linked together to provide a clear and cornplete definition of accident sequences, )' 1.3-1 13 overan uemoooiogy. j
D:av:r Vcilty Powcr Station Unit 2 Revirilon 0 Probabilistic Risk Assesstnent The initiatin0 events and the event trc:e split fractions are quantified using different types of models and data. The vstem failures that contribute to these events are analyzed with the use of fault trees that relate the initiathig events and event tree spht fractions to their underlying causos. These causes are quantified, in turn, by application of data on the respective probabiiities of tmavailabihty duo to hardware failure, common cause failure, human error, and out of survice for test and rnaintenance. Dependt ncy matrices that are developed from a detailed examination of all of the plant systems f elp to account for important interdependencle* and interactions that are highly plart spccific. Event sequence diagrams are used to incorporate operator actions from their application of the plant specific emergency operating procedures, To facihtate a clear definition of plant conditions in the scenarios, separate stages of event trees are provided for the response of the sapport systems (e.g., electric power, service water, etc.), the frontline systems (e.g., auxiliary feedwater, quench spray, etc.), operator recovery actions, and containment phenomena; (e g., containment overpressurization fal!ure). The latter stage of event tree 9 is only included in a Level 2 or Level 3 PR A. A detailed definillon of plant darnage states provides a cican interface between the Level 1 and Level 2 event trees. The systematic, structured approach that was followed in constructir' t:,e acr.ider.1 scenario model provides assurance that plant specific features will be iC
- rib 6 .nd that a reasonable degree of cornpleteness will be achieved, it also provides for the systematic, top-down development of engineering insights about the key risk controllin0 factors that drive the results The current perspective of these results is provided in II e next section.
i l l l l O 1.3-2 o ovem uemmow
Bonysr Vell2y Powsr Station Unit 2 Revision 0 Probsbilistic Risk Assassmsnt Figure 11. Definition of Accident Sequences in the Beaver Valley Unit 2 PR A. O f
- f %
i n
; ~. u Yh Ih i
i
~
v -
~
gi 55 l w:,.L. un ,
'O' *3 {"l O ,
111 ttt "ttttt l 44 i_ I r5 __ E* I!!1 f
!_ ! g 1,3 3 1.3 overen vemoooiogy.
Beaver Valley Power Station Unit 2 Revision 0 Probabilit, tic Risk Assessment 1.4
SUMMARY
OF MAJOR FINDINGS 1.4.1 Results of Core Damage Frequency For the Beaver Valley Unit 2 PRA, core damage was assurned to occur when the loss of core heat removat pro 0ressed beyond the point of core uncovery, and core exit temperatures exceeded 1,200"F. Although this assumption is less conservative than equating core damage l with core uncovery, it is still conservative because actual core melting and release of radioactive material from the fuel would correspond with much higher core outlet temperatures. However, this is also a reasonable assurnption because a large fraction of the thne to core melt is consumed by the time to reach 1,200'F core exit temperatures for sequences of interest in the PRA. The frequencies of all of the scenarios that ended with these conditions were summed up to provide fbe overall coro damage frequency (CDF). To provide this inforrnation, it was only necessary to link together the stages of the Level 1 event trees that span the sequences from the initiatin0 events to plant damage states The ;< rmat for presenting the CDF is to express it in a prooability distribution. This is known as the probability of ',equency format, and is designed to communicate both the results and the analyst's confidence in the results. The probabihty distribution for CDF for Deaver Valley Unit 2 is presonted in Figure 12. Figure 12. Probability Distribution for Core Dama0e Frequency. , O Core Damage Frequency Distribution l 12 l _ $0th pertmule i j 10 - . l.6E44 E p mee l _gg_ , 1.9 E 04 , E a i
'\
i ! !.- l b SW pecenule l
&4
- , 9 4E-05 .
.c c2- \95t$
'q. o4Ecaoule I _
n o00001 0.0001 0.00t Frequency (events per year) l 1.4 1 4 4 summaw e ua m rmanos
. _ . - . . _ . _ _ _ _ . . _ - _ . _ . . . ~ . - . - - - . . - - . . - . - - - - . .
B :v:r Vcil:y Powcr Stction Un't 2 Revision 0 Preb:bilistic Risk Asssssm:nt There is considerable information in Figure 1-2. First, the probabihty curve tells us that we g, are 90% confident that the true CDF lies in the range of approximately 1 in 10.000 per year to W approximately 1 in 3,000 per year, or within a range of a factor of about 3.5. It further tells us that the median frequency ic just over 1 in 6.200 per year, and the mean is approximately 1 in 5.200 per year. The above results are on the order of the corresponding results from PRAs on other pressurited water reactor plants that were derived from comparable inethods, databases, and work scopes. This perspective is supported by the comparison of the results from recent full scope PRAs that used PLG methods and plant specific databases, as shown in Table 11, Also included in this table are NUREG 1150 (Reference 13) results developed by the NRC and its contractor for Surry. It should be noted that the Surry results were obtained using methods and databases different from the other PRAs hsted. The Surry rebults are presented i for two cases: with and without credit for Unit i to Unit 2 uossties that provide enhanced opportur,ities to recover failures in the auxiliary feedwater. high pressure injection, cornponect cooling water, and refueling water storage tanks. These specific crosstles are not present at Bo ver Valley. I Table 11. Comparison of PRA Results for Internal Events Mean Core Damage Plant PRA Frequency from Internal Events' l Three Milo Island (Reference 1<4) 4.4 x 10'8 l 7 Midland (Reference 15) 2.9 x 10 4 1 Beaver Valley Unit 2 (this stur;y) 1.9 x 10 4 Seabrook Station (Reference d6) 1.7 x 10 4 South Texas Project (Referenco 17) 1.7 x 10 4 Diablo Canyon (Reference 18) 1.3 x 10 4 Surry(without crossties)(Reference 13) 1.2 x 10 4 Surry (with crossties) (Reference 13) 0.4 x 10 4
- Events por reactor year.
l Thus, of the six plants analyzed by similar methods and databases (i.e., all except Surry), four have core damage frequencies within a factor of less than 2 of the current results for Beaver Valley Unit 2. It is important to note that of these six plants, all except Seabrook and Beaver Valley have incorporated jnto the results plant and procedural modifications to reduce core damage frequency guided by earlier PRA results. The results for Surry without credit for crosstles between the ECCS systems at both units are slighHy lower than the Beaver Valley Unit 2 results, although the Surry results are developed using different methods and datacases. It is believed that this combination of different methods and databases, such as the inclusion of certain scenarios in the Beaver Valley Unit 2 PRA that were not included in the NUREG 1150 studies for Surry is the primary reason why the Beaver Valley results are slightly higher. In addition, the Beaver Valley results include contributions from internal 1.4-2 u summary of var rno>ngs
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment floods that were not included in the results for Surry. The Surry results also reflect plant and I procedural changes that were incorporated since the original PRA was completed and l specifically intended to reduce core damage frequency. l 4 i Factors that contribute to the nature of the results ate summanted below.
- The accident sequences that were analyzed are limited to those imtiated by internal ;
events and internal floods in accordance with current IPE requirements. Sequences initiated by internal fires, seismic events, and other external events have been found in , some other PRAs to be important. i
- The current results were obtained using plant specific data for component failure rates. '
maintenance unavailability, and initiating event frequencies. The common cause parameters of the MGL model were used in this study and were first estimated with the benefit of a plant specific screening of industry comrnon causo event data in accordance with NUREG/CR 4780. Plant specific data was then used to update the common cause failure data.
- The current results do not reflect any plant or procedural changes that OLC may decido :o make to improvo safety after the IPE submittal. .
- The containment perfortnance (bac'eend) analysis included in this study relies heavily on information developed in NUREG 1150 for Surry, it is believed that a plant specific evaluation would tend to show that this treatment is conservative.
It is emphasized that any PRA resuh is a strong function of the scope, level of detail, and i stato of knowledge associated with the undorlying models, data, and assumptions. As such, the results are expected to change in future updates. 1.4.2 Contributors to Core Damage Frequency i What separates the PRA approach to safety assessment from the more traditional deterministic analyses that have been performed in the Updated Final Safety Analysis Report is the emphasis placed on the quantification of risk factors such as core damage and accident sequence frequencies. Thus, the presentation of the results in the previous section began with the numerical results for core damage frequency. But simply knowing these numbers is not as important as understanding what is driving the results. By identifying the underlying contributors to core damage frequency, a botter understanding of the importance of plant features and operator actions that contribute to plant safety can be developed, in this way, the soft spots in our state of knowledge regardit." severe accidonis can also be determined, and strategies to minimize their risk significance van be developed, t The numerical results devaloped in this study for Beavor Valley Unit 2 are based on a plant specific risk model that was developed to meet two different kinds of specifications. - The first kind is intended to ensure that the results will account for important plant specific characteristics and will incorporate a reasonably complete set of accident sequences for dependencies. The second kind is aimed at supporting the systematic decomposition of the results from bottom line numbers to engineering insights about safety, The capabihties of the risk model that are derived from this second set of specifications are exercised in this section. The following analysis of the contributors to core damage frequency is performed in a top-dowr. manner, workin0f rom the general to the specific. First. the results are broken 1.4 3 14 sumey of vag rmomgt
Deavcr Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment down to examine general classes of accident sequences. Several dificrent approaches are followed to define accident sequence classes by a common characteristic. These characteristics include initiating event, plant damage state, spht fraction, and combinations of these. Once accident se uonces have been classified in this manner, the importance of each group can be evaluated in both percentaDe contribution and results sensitivity. Next, the results are exammed in scenarios as defined by the initialmg events, spht fractions at failed event tree top events, and the end states of the Level 1 event trees. Finall), the causes of each event in the important scenarios are delineated to root out the fundamental contributors to risk. 1.4.2.1 Important Classes of Accident Sequences The first approach to defining classes of accident sequances is to group the sequences by a common imtiating event or initiating event category. The initiating events are the events that are postulated in the risk rnodel to trigger a plant trip, and a challenge of the plant systems to successfully cope with the initiating event, if the subsequent actions of the plant systems and operators are unfavorable or if the imtiating event challenge is beyond the capabilities of the plant equiprnent, an accident sequence with some degree of dam 400 may result. Thus,the initiating events are fundamental building blocks of the risk model. The computation of their percentage contributirs is a straightforward task. Forty five initiating event categories were identified as the basis for structuring the scenario risk mode! of Beaver Valley Unit 2. The inte0 rated plant risk model was quantified separately for each category sununarized in Table 12. Table 12. Summary of initiating Events O Number of Major Class initiating Event Categories Loss of Coolant Inventory 7 General T ransients 15 Common Cause initiating Events:
- Loss of HVAC Systems 1
- Other Support System Faults 13
- Internal Floods 9 Total 45 Figure 1-3 displays the contributions that result when accident sequences are grouped by initiating event. The percentage of the total core damage frequency associated with sequences in each of these exclusive groups provides one measure of the relative importance of the different initiating events. It should be noted that in most cases, the initiating events do not directly result in core damage. Thus, the relative importance of initiating events that are identified with this method includes the frequency of the initiating events themselves as well as the unavailabilities and unreliabilities of the systems and operator actions designed to prevent core dama0e following these initiuting evente.
1.4-4 14 sumary of vapr Frongs
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment Figure 13. Contributions to CDF from Sequences Grouped by initiating Event Loss of ciF6nE POWEll(t 4 BN OTHL H (??.8%) Loco of cv4TCHOCAn
)NAC (12,2%)
IcotADl0 GMAll. % ~ TURDir4E tHtP (2.4N LOCA (1174
' IMSiv (2 LN SGT11(3 7N 40NtsotAnt0 SM4 '
LOCA (10.7N Loss OF ClW4NCL tlVliAL DUS (3.6% N Loss or Ct WJNrt Iv!TAL Hus 13 BW O \ toss or Ac rov 4 H PURPLE TRAIN (4 EN LOSS of AG POWLR OlWJGE THNN (7.7N As can be seen in this figure, loss of offsite power accounts for about 15% of the total CDF. This initiating event and the second ranked contribution, loss of switchgear ventilation. are important because of their roles in triggering sequences that involve a total loss of emergency AC power (also referred to as station blackout). More than one quarter of the total CDF results from these two initiators. The remaining contributors include a 11.2% contribution from isolable small LOCA,10.7% from nonisolabie small LOCA,12.5% from loss of a ulngle train of AC power scenarios, 7.6% from loss of vital bus scenarios, and the remainder from various transient initiators. Another way to group accident sequences to gain important insi0 hts is to key on particular conditions of the plant along the accident sequence that depend not only on the initiating event but also on the response of one or more plant sys' ems. The following results were obtained for accident sequence classes of general interest. Note that because each sequence can possess more than one of these conditions, the resulting sequence Oroups are not always mutually exclusive. O 1.4 5 14 summary of vapr r.no,ngs.
B::ver Vcil:y Pow r St: tion Unit 2 Rsusion 0 Prob:bilistic Risk Asssssmsnt Percentage Accident Category Contribution
- to CDF RCP Seal LOCA 53.4 Station Dlaaout 25.3 Containment Bypass / Isolation Failure 23.9 Loss of Switchgear HVAC 17.1 Transient without Scram 4.2 Thus, a large fraction of the core damage frequency is associated with a RCP seal LOCA. A largo fraction of these events are caused by a station blackout and by a loss of switchgear ventilation. The RCP seal LOCA results do not include sequences in which there is also a a LOCA v!a a failed open PORV. Almost ona quarter of the total CDF is attributed to sequences that involve containment bypass or isolation fai>ure conditions.
The following table breaks down the total CDF to show the distribution of scenarios grouped by the pressure rance of the RCS at the time of core demage. Pescentage RCC Pressure Range Contribution to CDF Idear System Pressure (2: 2000 psia) 25 High (600 - 2000 psia) 68 Medium (200 - 600 psia) 3.2 Low (< 200 psia) 3.6 Tnus,68% of the total CDF in associated with a high pressure condition,25% is associated with RCS system pressure,3.8% is associated with low pressure and 3.2% is associated with medium pressure. The hi0h pressure category includes transients and small LOCAs with no secondary (steam generator) cooung. The high pressure category is significant because of the potential for natural convection-induced heatup of various RCS components such as tha RCS hot legs, pressurizer surge line, and stearn generator tubes between the times of core uncovery and core melt penetration of the lower vessel head. If the RCS pressure remains high until lower head penetration, there is the additional concern of the possibility of high ! pressure me!t ejection and increased containment pressure loads. These events are discussed further in Section 1.4.4 below. 1.4 6 14 summary of vapr nnengs.
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment An alternr.tive way to define accident sequence groups is to key on the end states of the O Level 1 event trees known as the plant damage states. T ie plant darnage states define in,pnrtant conditions of the plant status. reactor coolant systern conditions, and containment status at the tiene of reactor vessel failure. The Level 1 event trees contein 17 plant darnage states. Each plant damage state is identified by a five character code to define RCS pressure, availabihty of containtnent heat retnuval systerns, and status of containtnent isolatiori or bypass at the time of reactor vessel f ailure af ter core damage, respectively. The results for the percentage contribution of sequences grouped by plant darnage state are suminarized in Table 13. O sne-0 1.4-7 14 summyy v uapr rinn,nn,
i D::vsr Vcll:y Pcwsr Sistion Unit 2 Rtevision 0 l Prebsbilistic Risk Assassmant -
)
Table 1-3. Plant Damags State Annual Frequency and Percentaga of CDF Containment isolation /Not Dypassed Containment Containment Containment l With Without Not isolated g ,, Containment Containment < 3 inch Dypass Dypass Heat Heat Lenk Removal Removal RCS near 5.30 x 10 7 1.18 x 10 6 3.45 x 10 $ 6.81 x 10 7 System 0.3% 6.1% 17.9 % 0.4% Pressure (t2000 psla) RCS at High 4.80 x38 7.48 x 108 2.11 x 10 8 6.93 x 108 Pressure 24.9% 38.8 % 1.1% 3.6% (600 psia - 2000 psia) RCS at 2,11 x 10 5 4.00 x 108 4.84 x 10 8 1.92 x 10 8 Meduim 1.1% 2.1% < 0.1 % < 0.1% Pressure (200 psla - 600 psia) RCS at Low 4.34 x 10 5 1.00 x 10 8 2.28 x 10 7 1.35 x 10 8 3.44 x 10 7 Pressure 2.3% 0.5% 0.1% 0.7% 0.2% (< 200 psia) l O l l 1.4-8 u summary e vapr fina ngs.
l Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment A final way to denne meaningful accident sequence categories is to key on the importance of specific plant hardware and operator actions that are identified with specific event tree split fractions; i.e., the values of event tree top event frequencies evaluated under specific boundary conditions. The Beaver Valley PRA event trees coratain two types of split fractions: one type whose failure probability is 1.0 because of its dependence en associated equipmem l or operator actions that failed eather in the sequence; and another type for events with a finite, nonzero chance of success. h, this discussion, only the nonguaranteed failure type i split fractions are examined. A0ain, because each sequence may contain two or more failed j split fractions, the resulting sequence categories are not exclusive. The results obtained for some of the relatively high importance split fractions are presented in Table i 4. I Table 14. Split Fraction importance Ranking for Core Damage Frequence ,
- Split Fraction PercentaDe Name Description p Contribution to CDF i Fe equency RE' Failure to Recover AC Power Various 20 VL1 HHSI Suction Path from RWST 1 x 10 3 14 l WB4- Loss of Service Water / Standby 7.7 x 10 13.5 SW Header 6 flow path - CIB signal AO2* B P5 Loss of Both Trains of Onsite 1.6 x 10 2 10 Power After LOSP PR9 Small LOCA via PORV alter 7.7 x 10: 6.3 PORV Lift AF4 Loss of Turbine-Driven AFW 5.0 x 10 2 5.4 Pump after Station Blackout BV2 Loss of Switchgear Room 5.3 x 10 5 2.7 Ventilation aftei moss of Or,n AC Power Train 4
'includos several different split fractions.
1 The results in Table 14 provide one way to set priorities for enhancements to plant equipment and emergency procedures to reduce CDF. It is important to note that all of the listed split tractions, except for VL1 and WB4 are associated with sequences myolving a station blackout. 1.4.2.2 Important Accident Sequences Experience has shown that a most valuable output of a risk assessment Rr purposes of risk ; management is a list of scenarios ordered accordmg to their importance a risk. This turns out to be more valuable, 'u example, than the importance ranking of scenario classes and equipment that was exammed in the previous section. The reason i# that equipment importance is scenario dependent; that is, the importance of a piece of equipment depends on how it contributes to a scenario. In some accident scenarios, a given piece of equipment may require a support system such as auxiliary power or cooling, while in others, it may not. 1.4 9 - 14 Summary of Major Fino4ngs--
Bosvar Vallay Power Station Unit 2 Revision 0 Probabilistic Risk Assessment The point is that working at IM scenario level helps to keep dependencies and system interactions in perspective. Literally, many milhons of scenarios are contained in the Beaver Valley Unit 2 PRA. The l scen&rios were dcveloped and quantified in stages. Starting with a hst of initiating events, event sequence diagrams (ESD) were developed that oocument how the plant actually responds to a progression of events. Consideration is given to equipment bohavior and the impact of operator actions under a variety of operating conditions. A key element of the scenario structuring process is the docurnentation of tne events in the sequence and of the plant end operator response. The actual quantification of the scenarios comes about by converting the ESDs into event trees, and employing event tree, systems analysis, and , i database software in RISKM AN to carry out the calculations, A key result of the Beaver Valley Unit 2 PR A is that no single scenario makes up a lar0e I fraction of the core damage frequency. The top ranked sequence is initiated by a complete loss of both trains of emergency switchgear venlitation This sequence contributes about 11% of the total core damage frequency. Table 15 provides a detailed analysis of this sequenca.
~'
Table 1-5. Analysis of Top-Rankin0 Sequence Contributing to Core Damcoe Frequency
~
Sequence Element Event Description (effects on plant) Mean Frequency initiating Event Total loss of ventilation to both 1 A9 x 10 3 per year safety-related 4,160V AC switct gear rooms, resulting in a room heatup transient. Operator Actions Failure to recover HVAC operation 1.58 x 10 2 and failure to install portable fans, resulting in thermal damage to i switchgear room equipment. System Failures Consequential loss of all emergency 1.0 AC-powered equipi.1ent and RCP seal LOCA resulting in core damage. , No additional system failures postulated for this sequence. Remaining Plant Successful operation of all 8.75 x 10 i Response equipment not dependent on emergency AC power. Total Sequence Frequency (product of element frequencies) 2.06 x 10 5 per year 11 should be noted that the first three sequence elements are sufficient to resolve whether core damage would occur. The "rernaining plant response" refers to many event tree top events that are tracked to assign the appropriate plant damage state. The value of 0.875 appears to be somewhat low only because of the rehtively large number of systems and actions that are needed to be successful for this particular sequence. It is necessary to examine a large number of sequences to account for a large proportion of the total core damage frequency. To ; count for 95% of the total CDF, it is necessary to 1.4-10 u summary of va;or Fina nos
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assesstnent examine the top 510 sequences. The distribution of the top ranking c ore damage sequences over the frequency range is indicated in Table 1-6. Table 16. Dreakdown by Plant Model(Level 1) Event Sequence Ficquency Range Frequency Range Number of Percentage of Total (event per year) Sequences Core Damage Frequency
> 1.0 X 10 5 2 19 1.0 X 10 * - 1.0 X 101 30 41.5 1.0 X 10 7 1.0 X 10 5 164 26
> 1.0 X 10 7 Very Large Number 13.5 _
A discussion of the highest frequency sequences that result in core damage is provided below in terms of the initiating event and the response of rmtigating systems. Their main characteristic are summarized in Table 17. This table includes the 12 %p ranking sequences to CDP that account for about 42% of the total CDF. The highest frequency sequence that was introduct ' in Table 17 is initiated by a complete toss of emer0ency switchgear ventil.stion; i.e.. f ailure of both tan trains. Due to the loss of , room coolmg. both the orange and purple emergency switch0 ear rooms begin to heat up. The stoppmg of the running fan tram is alarmed in the control room, as is high room temperature. Upon receipt of the alarm or alarms. the operators are directed by procedure and trained to ensure that the standby train m and to investigato the cause of the loss of air flow and/or excessive room temperature. This first sequence is for the case when the operators fail to establish alternate room coolin0 to the effected areas prior to equipment failures due to overheating. There is predict' ;o be a lim ~ted amount of time before the room temperatures exceed equipment limbs in the _ absence of ventilation; that is, less than i heur. Eventual failures of power at the 4 kV and 480V emergency buses, the vital instrument buses, and from 125V DC are assumed if HVAC recovery actions are unsuccesstui. The loss of all emergency AC power results in a plant trip followed by a loss of al; RCP seal cooling without high head safety mjection. The loss of all vital instrumentation may also eventually result in a loss of all secondary heat removal. The containment is successfully isolated. Due to the loss of all emergency AC power, neither containment radioactivity removal nor containment heat removat is available. 1.4 11 14 summmy of usarinmnm
L iu[ l [ .
!i ! ; , > , :! lh :
2 g Cg$ 7 n t
<7~C3 o T3[c=- r <g=ufe4o'fEOe3C*M
=n "y 3>* o *
- 3 U~ ~
y c n a a~ o u gm f
)
2 t
)
8 Y
}
t
%)
6
)
5
)
t 4
)
4 Q T
%y q
G qt au) 2 2 2 t t i 7 M ( ( 2 f ( ( ! entuF Fr ab D $ 5( 7 4 - E 8 *
?
8
?
4 0 6 - ciC 0 1 0*
& 0 0 l r r 1 i 1 t ? 1 1 aef X ;
X X X X W u n A ; nwo n C X 1 d. e e 6 4 4 6 3 A 2 t 7 4 a 4 4 3 3 T. e S A !
!e s H 4 S vS f r M f
+ fm f L r
f o o o e H o oS e a eewSS e cS 6. n a o ,
- c eeu r f e *m C.
- m o i
e r H n v t S
&S 4'S r r *
'a M aH a a t m ra J e a H
- F a : s a t C aR Bf .
g r u aR
/ F o F in F F *L t
s c
& mtnwa'
?
m sa, a
+
S ; L a +. d a d M8, S y v M ^a
- , ws # *9 m t
e c r w a w r r u
-# m ed r wa F w S yH -
~d f' n t S P te
- P h a*
E - g s AS A h a A -
- C s A t i
AS d*f - l in CC CS T F Cn + a en Cn w nc a Oo Oe C C. - I r
- la O OS # tr S A O o?
Cm i e la L t sa c L: S LR o M L t L8 S t c C er n e p %% t laH te e aL e ar Rw g t-V im *r C H f eM t f f f t
'a *;
*M O S L
rah
*L S i.
4 eg u g - o $ t VRS
. f f e o o S f, S I o o S o o S !. cF g s s 3 S PS sso 'm s PS T
s sh s s P S R PS s m s = CM ec s o CM s o oa s* e Ca Oe CM sh o w4 t Le Lo R >* o "C ** C I
?
H LC L RH L LP L R H P s C H L ,, w w o e f le t v e r v u T T 'A B" s e A 8 P s S S T S r e e r r n- n n a ?c W a < - u c o c er t e W R W a c a + a a y c M F a a a a R y R m R a e W* T r T y T r
.r y n a a e dn -v or m or m - -
e u q e t m e y W H H W S a g n f a oc f F h f o r W S H H W S g a e r ev f c a v4 a c ~ st e c G S r
- e ma m F
r S s y ~ v y y O fe
- R P
F a P a y y O P R a
?P a a t Cr e o b en C r C C r C C c g
a t i t e d n A R a w n o n o n o ca @n A A o A A e ** w e u R a a y r e o t' ! t i t t a y qcw y y F o m a q e o t s
's.
c n t n P t u t u c s SmS e a #ta ht c n e c n pay P c D s r t a
'e c c e
gs u < s S S S
<P <F g ePcn e g
r e m s ' t e t I I r c r t u - wh e r m a e c S S S vw vw - e - c t e
- to c C
o S O p r
- ea
- a SP SF "er r Ea ET P t
H N M H M H r eie SF SF r e,o n m e EmE m E" E E i A u Ee o t * * * * * * * * * * *
- c * * **-
g i n t u b ir ) t n e o
- v e e c r u d e t s
n - W e a r oi e a (
!c R
( 'o a' *
- m. r e
yt c!: a sa w o f i si i s w o w o n n t a r t a r: to F e o 4 o P P w i it n ge t ts o e 9 H B N d e d e S A s ta A, !a A, s s g i ma r C " t r C t C n E eg O O V O W O O" O" s - fohc L
'o f
o L f o L f o f o
*r l t h
a st la s s ia s a s s s s r s s s R-p ow LS S m L o L o S m L o S m L o L o o T f
- 7. -
1 k _ e n 2 3 4 5 6 7 6 9 l a 1 _ b R a _ T 9 p *- )f% "Frj3g< o, [3, 39f
1 Deaver Valley Power Station Unit 2 Itevision 0 Probabilistic Risk Assessment
?% 7; Y
s
?
Iks { r ,, .. e - 4e ry l li" "U e, e e ( b l 1 g t t g t' ti O g )t> ij b g .b. d <t is g 1 4 {u > .- L r, (s c ! 'c h c g N r. k e A E ins *f *4
,4 0 1 { J*3 sdv, 8s 8o g
=Eh3 3 o r _. .? ,?, _
y [ $.t a . sr07 1 0I 4t: I Of
& 1 e e e e e N
( [- ' j e a C
. .. s a
[ k n *I;. e-A b D I ' {$ t $
- f. c
@' t >
g f 0 = S$ a I f E! E t
$ rl s
o 6.t $; , E 1, m$ m - 2 . . . .. - I 1 t 2 y u g s. , 2 Sm %
, j t 56 0 0 r I I,
I I O ta goe <"f' O a eL 0$ $aa2 e* 8 g sa a: a6
- p. .-
j - a
$, , o.. - -
1.!
' I 4 humPiaf y Of Mdjor EindifM)$
Dea.cr Vcil2y Power Station Unit 2 Revision 0 Probabilistic Risk Assessment The second and seventh highest frequency sequences listed in Table 17 are initiated by a small LOCA followed by a total loss of normal and clandby service water. A loss of all service water results in a total loss of component cooling, HHSI pumps, containment instrument air compressors and RCP thermal barrier cooling. i i For the second sequence in Table 17, a loss of thermal barrier coohng and RCP seal ; injection eventually develop a RCP Seal LOCA. The containment isolates successfully, but ! long-term heat removal of the containment is lost due to the loss of service water. For the seventh sequence, the pressur"er PORV successfully rescats initially, but all HHSI and RC ? are postulated to fail due to the loss of service water, this results in a loss of all primary heat remo.al. The RCS pressure increases due to the failure of the primary heat removal. One or more of the pressurizer PORVs cycles to relieve pressure. The loss of RCS inventory out the PORV results in core uncovery and damage. The containment istdates successfully, but again, long term heat removal c! the con %nment is lost due to the loss of service water. The third, eighth and ninth ranking sequences are station blackout sequences initbted by a loss of effsito power. A loss of offsite power resuhs in a plant trip. Power from both the - 138 kV and 345-kV switchyards is unavailable, resulting in a challenge to the onsite emergency power system. Both trains of the emergency power system fail. Failure of both diesel generators 21 and 2-2 to start, load and run until electric power is restored from offsite is the key cause of failure of the onsite emor0ency power system. For the third sequence in Table 17, a pressurizer PORV fails to reclose after opemng to relieve RCS pressure. Auxiliary feedwater operates successfully to provide secondary heat
- removat. The load rejection tests at Beaver Valley have shown that at least one PORV will be challenged to open during such events. if the pressuriter PORV fails to rescat, the resultant LOCA leads to core uncovery much soonar than would otherwise occur due to RCP seal leakage only, During the accident sequence, the operators are directed to follow Emergency Procedure ECA-0.0 and to successfully depressurize the steam generators. The operators also locally M .~e the RCP seal return line so that the containtnent is isolated at the time of core d g oce power is not restored for this sequence, both the quench spray and recirct '6 3p. .y systems are unavailable to limit containment pressure at the time of core damage For the eighth sequence, the pressurizer PORVs successfully rescat, and auxiliary feedwater operates. However, the loss of emergency AC power leads to failure of both RCP seal
[ injection and thermal barrier cooling, as with all station blackout sequences. Efforts to restore electric power from either onsite or offsite supplies are unsuccessful for several hours. An RCP seal LOCA develops that leads to core uncovery because of the unavailability l of high head safety injection. l The ninth highest sequence is also a station blackout. In this case the pressurizer PORV successfully rescats initially, but auxiliary feedwater is postulated to fail, resulting in a loss of all secondary heat removal and failure of all primary coolant injection. The RCS pressure increases due to the failure of the secondary heat sink. One or more of the pressurizer PORVs cycles to relieve presue. The loss of RCS inventory out the PORV results in core uncovery and damage. The u.s of secondary heat sink shortens the tirne available for l recovery of electric power in comparison with that determined by an RCP seal LOCA alone. Electric power recovery is unsuccessful prior to core damage. l 1.4 14 i e summarv of umr renmngt
d
^
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment The fourth ano sixth sequences are initiated by a loss of Vital Bus il (White) and Vilat Bus I (Red) respectively. The failure of these vital buses will cause the HHSl suction path to automatica'ly switch from the VCT to the RWST, this results in a loss of all high pressure injection. for cases when the RWST suction path fails. The failure of high pressure injection leads to core dama0e. Containment radioactivity removal and heat removal are successfully provided by the quench spray and recirculation systems. The containment isolates successfully. The fifth ranking sequence is initiated by a small LOCA that cannot be isolated. High head safety injection is unavailable due to failures of the valves in the cold 100 injection flow path. . The failure of high pressure makeup leads to core dama00. Containment radioactivity removal and heat removal are succus.diully pm,Had by the quench spray and recirculation i spray systems. The containment isolates successfully. The tenth ranking sequence is initiated by a loss of emergency AC power train purple, which causes a plant trip. The orange train emergency AC Power then fails independently, and the i operator has failed to recover the emergency AC power, this results in a complete loss of emergency AC power. The complete loss of emergency AC power leads to an RCP ser.t
-LOCA with failure of all high head safety injection. Containment radioactivity removat and heat removal are unava.ilable due to 'he loss of all emergency power. The containment isolates successfully.
The twelfth ranking sequence is similar to sequence ten. The difference is that the opposite trains are affected; i.e., the cuent is initiated by failure of the orange emergency AC power train, the service water pura Train B and the standby service water Pump Train B falls independently, this also resuib in a complete loss of emer0cncy AC power due to a loss of cooling water to tne B diesel generator, See the preceding paragraph for a more complete description. The eleventh ranking sequence is initiated by a total loss of normal and standby servico
- water. Although_ the frequency of such a failure is very low, the impact is sufficient to cause core damage without any additional failures. An RCP seat LOCA develops without any high
- head safety injection. The containment isolates successfully, but long term heat removal of the containment is lost due to the loss of service water, -
1.4.2.3 Underlying Causes of System Failure The previous sections have broken down the contributors to CDF into scenario groups, '
- specific scenarios, and the systems and operator actions postulated to fail along these sequences. The systems and operator actions were initially defined by the initiating events ;
and event tree split fractions that comprise the basic building blocks of the accident sequence model. In this section the underlying causes of the hardware and operator failures are examined in more detail. The event . tree split factions that contribute the most to core damage frequency were analyzed in Table 1-4. In cases in which the event trees contain two or more top events to represent separate trains or subsystems, any given a:cident sequence may contain two or more split fractions that collectively represent a single state of the system. In these cases, the split fractiun importance is evaluated for the entire system state as well as for the individual subsy' tems. This is the case witn electric power, as indicated in Table 14. As a group, the most important split fraction was shown to be the nonrecovery frequency for AC 1.4 15- u summary of Major rmomst
. .- - . , - - - - -..- - .- , . - . _ - - ~ . - _ - , - - _ - - . . - . . - . - -
I Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment 1 power. These itonrecovery frequencies were evaluated with the use of e tirne-dependent model that considers the timing of loss of AC power and the recovery possibihties for offsite power, onsite power, and the time available for recovery based on the cornpeting effects of battery depletion, RCP seal LOCA development, RCS depressurization, and core uncovery. The fourth most important split fractions in Table 14 are associated with loss of both trains of
- emergency AC power following a loss of offsite power. This pair of spht tractions (A02' BPS) one for each train of the emergency AC power systems, is applicable to all station blackout sequences in which both diesel generators are challenged and fail due to internal causes.
They were derived frorr i systems fault tree analysis, as were all of the event tree spht fractions that are associateo with system failures or unavai;abihty The results of the systems analyses are organized into "cause tables" to permit examination Of the principal contributors to system unavailabihty or failure. The cause table for the irss of b7th AC power trains is presented in Table 1-8. Similar cause tables were developetf for severa! hundred different event tree split fractions that were analyzed for the Beaver Valley unit 2 iisk model. At this level, the results can be examined for the different initial alignments of the systern, the minimal cutsets of the system, failure on demand versus failure to run, and independent failure versus common cause. Thus, in Table 18, it can be seen that the lar0est contributor to failure of both power trains is independent failure of both diesel generators (or generator output breaker) to start or run f r the assumed 24 hour mission time. The common cause contribution is relatively small, in part due to relatively high failure rates for this component. A 24 hour mission time was assumed for the diesels. The time-dependent recovery of offsito power at earlier times,is fully accounted for in the electric power recovery analysis. Table 18 Analysis of Contributors to Failure of Both AC Orange and AC Purple Electric Power Trains (Split Fraction A02* BPS) centage of Total Contributors to Failure of All AC Power Failure Frequency l Two Diesel Generator Trains Fail (independent) (includes 73.2 diesel generator fait to start, fail to run, and output breaker tall to close) Tw Diesel Generator Trains Fail To Start or Run due to 13.0 Common Cause One Diesel Generator in Maintenance or Test Alignment and 4.0 Opposite Train Fails To Start or Run One Diesel Generator Train Fails To Start or Run and HVAC 3.2 Damper on Opposite Train Fails To Open One Diesel Generator Train Fails To Start or Run and HVAC 2.2 Fan on Opposite Train Fails To Start or Run Other Causes 4.4 l Total Failure Frequency 1.6xib2 0 1.4 16 14 summary of va;y Fmomas-
0 Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment 1,4,3 Results for Release Frequency The results presented in the previous section for core damago lrequer v are based on the Level 1 portion of the accident sequence model that is illustrated in Figure 11. The purpose of this section is to present the results of the entire accident sequence model in the frequencies and magnitudes of the different types of releases. These results are derived from the integration of the Level 1, or " front-end," model in which the responses of the plant systerns and operator actions are modeled, and the Level 2 or "back-end," model whose containment event tree resolves the outcome of the core damage scenarios in the timmg and magrutude of radioactive material releases. ; To facilitate the proper treattnent of intersystem dependencies that result in interaction i between the systems involved in preventing enre damage and the systems needed to ensure long term, leak tight containment integrity, the Level 1 portion of the accident sequence , model includes all of the reactor protection, core cooling, active containment, and plant support systerns. All pertinent information on the status of the containment opray, heat removal, isolation systems, and containment bypass conditions is passed on to the Level 2 model by the definition of the plant damage states. In this way, the plant damage states serve as the "inillating event" for Se containment event tree and the interface between the
" front end" and the "back-end* models it was found to be convenient to quantify the Level 2 containment event tree by physically linking it to the i.evel 1 event tree and then quantifying the entire accident sequence frequencies from iratiator to release category, thus eliminating the need for plant damago states.
O Q in principle, there is a continuum of possible releases that could result uom a core damage event. A seasonable treatment of this continuum is afforded by the use of a representative i set of discrete " release categories" that span the full spectrum from relatively large, early releases to long-term release from the containment of the radioactive material. The containment event trees described more fully in Section 4 are developed to resolve the end states in a total of 21 different release category sets, whose major characteristics are summarized in Table 19. To facilitate the interpretation of the results, these 21 release categories can be placed into 4 general release types that are defined in Table 1-10 below. Also provided.in this table is the percentage of the' total mean core damage frequency assigned to each release type, ' Table 110. Definition and Results for Release Types Release " "I'U' Description vype of CDF l Large, Early Containment Failures and 4.5 Bypasses ll Small, Early Containment Failures and 25,7 Bypasses lil Lato Containment Failures 45.1 IV Long Term Contained Releases (containment 24.7 intact) in the above scheme, containment failures include isolation failures and structural failures of l i various sizes. Containment bypasses include steam generator tube ruptures as 'nitiating ,
-1.4 17 u summary or vapr aamos . ,
_ _ _ _ _ . _ . _ = _ -. . _ _ _ - _ _ _ _ __ - _ _ _ _ _ _ Beaver Valloy Power Station Unit 3 Revishn 0 Probabilistic Risk Assessment events, thermal creep rupture of steam generator tubes during high pressure core melt sequences, and interfacing system LOCAs. The terrn " bypasses" refers to the condition when a release path from the reactor coolant system bypasses the containment building atmosphere and instead releases into systems and buildings located outside the containment. Small releases are classified as those whose equivalent single release path penetratin0 the containment is less than approximately 3 to 4 int hes in diameter. Steam gr nerator tube ruptures are classified as small when they are initiators and as large when thermally Mduced. Early releases include leaks, bypasses, and isolation failures that exist at the time of core damage and structi al sailures that occur at or shortly after reactor vessel failure. The remaining releases, incladin0 late hydrogen burns, basemat melt through, and decay heat-driven overpressuritation, are classified as late. The largo, early releases represented in type I are called out with special reporting requirements in NUREG 1335 (Reference 12). Experience with published Level 3 PRAs in which offsite consequences are estimated (References 13,15, and 16) has shown that early fatality risk, however small, is dominated by type I event since these are the only scenarios that would result in potentially life threatening doses in the same time frame as needed to implement protective actions like sheltering or evacuation. Type:,11 and 111 involve deDraded containment performance, but generally have not contributed significantly to early health effect risk. Type IV, which in several respects resembles the Three Mile is'and accident, results in successful containment of the release and no offsite health effects. The large fraction of CDF assigned to type til is the result of two factors found to he important for Beaver Valley Unit 2. One is the large contribution of station blackout sequences that are assumed to nault in long term loss of containment heat removal. The other is the low probability assigned to large or small, early containment failure for these same sequences. The current model takes no credit for recovery of AC power and containment heat removal after the time of core damage. Such consideration, which is more appropriate during the accident management phase of the IPE, would result in a shifting from the type ill contribution to type IV. The small action assigned to type i reflects a high containment strength and a low potential for interfacing LOCAs and design features of subatmospheric cantainments that preclude large preexistin0 leaks and the need to isolate large penetrations. O 1,4-18 u Suery of Major Fmdings.
Beaver Valley Power Station Unit 2 Revision 0 Probabillt, tic Risk Assessment Table 1-9. Deaver Valley Unit 2 Release Cate0ories and Major Release Types gli . . . . . = z [? R-5 E ee v 5 ed } I !. 'h ; _ .m . . . . . . eeeeb : t u e i y
=
g 5
$ h O
f fl ==== = = = = = hu === = r = =
- gl= = n n = = u a a " u Q
f O j i - .. - .. - --
=
= ,.
, m
- =
j si ,, ,, = = ,, ,, , W I' y = f* a g' I a = l 5 g = = = = = = = = = e g g 5 8 1 x = = =
=
g 3=== f $\
= = = ====== 0, w$
$==== ==== gg g BS E" E
na B 58 ft [\ u = = = = x = = n a u " gggy
, 91 _ 1- m ,.
}=a..
11
'll== j
- a tis!bi
- g!-{d g
= n E- a a a a O zian iti-tissi s ssa i n : !t Mid Qasi 1.4-19 u senmary of uap, r.n+ngs
02avar Valley Power Statlor. Unit 2 Revision 0 Probabilistic Risk Assessment 1.4.4 Contributors to Release Frequency A comparison of the results for the four inain release types between Beaver Valley Urut 2 from this study and Surry from Reference 13 is presented in Table 111. This cornparison is extended to Table 1-12 in which the major contributors to large, early release (type 1) are examined. The frequency results for type I releases are about a factor of four higher for Deaver Valley Umt 2 than for Surry. This is the renuit of two factors thc:t ter:d to compound. The NUREG-1150 resnits for CDF at Surry are almost a factor of two lower than the current results for Beaver Valley Unit 2. This lower CDF results in a lower frequency of challenges to containtnent integrity due to such causes as early overpressure and induced htcam generator tube rupture (ISGTR). These challenges are keyed to the occurrence of high prnssure core damage events, in addition to a smaller CDF, the Surry results assume a much greater piobability that the RCS will be depressurized by the time of core darnage. Compensating for this effect, however, is a reduced susceptibility to interfacing system LOCAb at Beaver Valley Umt 2 because of a higher level of redundancy in check valves in the low head safety injection system, f Table 111, Comparison of Release Freque,ncy Results Mean Annual Frequency (percentage of CDF) Description SurrY Type beaver Valley ggy (Inter nal eventc) [ Reference 13] , i Large, Early Containment Failures 8.44 x 10 5 (4.5) 2.1 x 10 5 (5.2) and Bypasses 11 Small. Early Containment Failures 4.87 x 10 5 (25.7) 1.8 x 10 5 (4.5) and Bypasses 1ll Late Containment Failures 8.54 x 10 5 (45.1) 2.6 x 10 5 (6.5) lV Long Term Contained Releases 4.69 x 10 5 (24.7) 3.4 x 10 5 (84) (containment intact) Table 1-12. Comparison of Major Contributors to I,arge, Early Release Frequency for Internal Events Percentage Contribution to Scenario Class Beaver Valley Unit 2 Surry (1989) In:crnal (this study) Events (Reference 1-3) Early Overpressurization 86.0 7 Induced Steam Generator Tube 5,1 10 Rupture (ISGTR) Reactor Vessel Steam Explosion 4.6 6 (Alpha-Mode) Interfacing System LOCA 4.3 77 1,4-20 u sammary of uajor rmeng.,
Deaver Valley Power Station Unit 2 Resision 0 Probabilistic Rit.k Assessrnent lable 112 shows that the Deaver Valley Un t 2 and Surry results for type i release frequency, also hne up quite differently, in the case of Beaver Valley Unit 2, largo, early releases are prunarily the result of early overpressurization, with a very sinall contribution from ISGTR, ' postulated reactor vessel steam explosions, and interfacing systerns LOCAs. The Surry results, on the other hand, are donnnated by interfacing systems LOCAs with rather small contributions frorn the other hsted contributors. The principal physical difference between the respective plants that helps to explain these differences is a higher level of redundancy to the I low head safety injection reactor coolant system check valves at Beaver Valley Umt 2, which results in a lower absolute and relative frequency for the class of scenarios. The "back end" analyns of lar go, early releases due to such causes as stearn explosion, early overpressurization, and induced steam generator tube rupture was fairly consistent between Surry end Beaver Valley. Although this study used a relatively simplified containment event tree, all of the severe accident phenomena that were included in NUREG 1150 for Surry were _ accounted for, and the containment event tree quantification for Beaver Valley rehed heavily on the data presented in NUREG,1150. The principal differences between the studies beyond the interfacing systems LOCA treatment are the different assumptions made regaiding in vessel recovery of core damage events (Surry took such credit; Beaver Valley did not) and RCS depressurt/ation. In the accident management phase of the IPE, operator actions for m-vessel recovery and RCS depressuritation should be explored further for Beaver Valley. , This could result in a further reduction in the frequency of largo, early releases. Table 113 hsts several of the top ranking sequences contributing to type I (large. early release) frequency. These six sequences cornprise about 21*'o of the total frequency of type I releases. These coquences are obtained by knking the plant (Leve! 1) event trees that produced the sequences that were analyzed in Section 1.4.2 to the containment event tree to provide an integral perspective of scenarios with different release characteristics. , Sequences ranked first, and third in Table 113 involve core melt sequences at RCS pressures greater thr,n 2000 psia that result in a high pressure mest ejcction (HPME). Sequences ranked fourth, and sixth are intermediate RCS p essure core melt sequences ~ which also result in a HPME. The fifth ranked sequence is an HPME at a high RCS pressure. These HPME sequences lead to large, early containment failures due to the resulting combined pressure loads from RCS deoressurization, hydrogen barnmg, direct containment heating, and exvessel steam explosion. The second ranked sequence in Table 1-13 involvet an interf acing systems LOC A (V sequence), which leads to a direct large containment bypass. This sequence is caused by multiple check valve failures at the mterface between the low head safety injection and reactor coolant systema.
.)
1,4 21 14 summary v uajor rmngs
Serv:r Vcliery Pow::r St:ti:n Unit 2 Revision 0 Pr:b:bilistic Risk Assessm:nt 5 )M
- 5" l:( !
s j!f !n j'
" " ~
i' ! l
*!{!?
B! ! i4
!q 1 4 ,
!N 4 !4
!3 l4 l7 l
l a -- L:E .; ,.la
- a la ;.
n l l l l l
?
.-r ill V - [
1 I l[ l-U l i l
. l l
- 8 G 9 !
ggs. E vE gag. i g e
-gg-r uns Ie I a e 5:8 5 g a$gg,g r; e, ,g51 caj9 gg r g- E ,
g- I sgicalg a ! sr Ian r;
- s: -
.g I -
x l
'!ar! Est 8
- !h
.!,!wEjell! ! a5
!$y ! E wr!
Est !;l; [!s; EE a 8 E'I: li !tfa Er I ;![aI'lg E Ev-- 5 nr [ e
.Ev! =c m ;3ldag'jgga
'5
;t 5
;8g=:"5sg 5e l
g a mi ei.go.E! E i *eEE[rE;IE:E! Ig
.w...
g! E,bgs;3I_! 5 EQEli s3go.! e I :I:
- - eg a =a e e_gs:3g:
*5 SI &
a3 FE iI lE! al ::g5*g3ggs Ihs!"!g g -tag
* *!!!!!ging;[gg 9
""gl95lag d y
e g; jj w .j'.esseur al 'il!!grb@:E;l :
!!lini i
!l*!!g!gg!aus alilli itinir '*Ig!!! ha _
g h
...... .. .. ........ . .......... ....... .. ...i E 8 ;
ff a n v
$. _hEn.
W IEi GI E D 5 ! ,
' 11 i ; i k!$ 5 85 B' 5 Eh 5 0
$ li 5:- e-I j 5I 5 I a:- I l 0
?,
i FlQgEs s :y sp *gr; s r gr,, s gi e-is,e
- .gg , 2 g..sgo gr
' jai EEE ' IEEE
* !!EEE,,
a EEE EEE o :
! asis 5*s Q !!%'5E5 g:g: .!g,;.5%[
g laIE
-aig5*s *Rg5=5 3
5 i ifagge:g:= ; g E: 1-5
- svgk"E.rar w :E:-
l::..svgI. 1 !, !g.:grsI ,g - Erg" E t E3 :s:vgI" r Ir g sto. . Eg.I glgl2 3 3*W-E ~ N' wE If{gh..E ell'f. l - E - a o g Gee E E_s I v a rEra 0 see E E_l i 5 899{gia!fEEeE_t s gg e3 : e a-sa f E_ra e s j' ijaw&Bg ij :g!$$ ., g.Ess53 e3:s u;gr!es 15a95 8? g!!E0!!$3 m... l - ! ... ... _ s. .. s . ... ... ..... ...
- u m ,,. t in 4 ,o 1.
t g l-i 1.4-22 14 summary at uajor rino,ngs.
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Rick Assessment The importance evaluation for core dar iage frequency was carried out for each group of core damage sequences defined by the four inajor release types; i.e.,1,11, Ill, and IV, The spht fraction irnportance measure exarnined here is the percentage contribution to the frequency I c' each release type made by sequences with that spht traction postulated to fail along :he sequente. The split fractions from the containment event tree that make the greatest contributions to release type I (large, early releases), are hughlighted in Table 114. Table 114, Split Fractlen importance Ranking for Release Type i reentage Split Fraction Name Description Contribution to Frequency Type i Frequency .. C2S Containment Failuie at 1.875-1 35.6 Vessel Breach due to HPME, given that RCS Pressure is at the PORV Setpoint (System Pressure) C2J Containment Failute at 1.8G5-1 20.4 Ve%el Breach due to HPME, given that RCS Pressure is High C22 Containment Failure at 1.27 1 17.8 Vessel Breach due to HPME, given Qunnch Spray Fails and Medium RCS Pressure C12 Containmeni Failure 1.0 13 8 Prior to Vessel Breach due to Level 1 , Containment Isolation Failures C2A Containment Failure at 6,33 2 11 [ Vessel Breach due to HPME, given Quench Spray Works and Medium RCS Pressure 4 ISS Induced Steam 1.B 2 5,1 Generator Tube Rupture, Given High RCS Pressure IPS Induced Hot Leg or 7.2-1 1.8 Surge Line Failure, Given High RCS Pressure Note: Exponential notation is indicated in abbreviated] form; e.g., 8.0-3 = 8.0 x 10 3 , 1,4 23 s 4 summary of vapr rirangs
Doaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment it should be noted that tne probabilities assigned to the containment event tree (CET) such as those listed in Table 111, represent a quantification of uncertainty about the outcome of a covere accident This is inherently a t,ubjectivo quantification and reflects the current state of knowledge of the reactor safety research arid PRA community about the physical processes of core damage events. There are good reasons to believe, and, in fact, many experts believe, that some of the containment failuro mechanisms currently postulated. sut h as reactor vessel srearn explosions and direct heating from a high pressure melt ejection, are physically impossible. Thus, the CET probabilities for such events should be interpreted as a staterr.ent of conhdence about the outcome of an event rather than the outcome of a random process, $c, when we assign the spht traction valve of 1.875 x 10' for a high pressure amlf ejection at system RCS piossure resultin0 in containment failrre, it means that we are (1 - 1.875 x 10 ') x 100 - 81.25% confident that in anv , umber of systern pressure core damage events, there would never occur a coritainmor 9 due to high precsure melt ejections. Conversely, it means that we assign a 18.75% , hat any system pressure core damage event would result in such a containment tailure. O l l-l t O 1.4 24 1. suwa,y et van < r,namm
Beaver Valley Power Station Unit 2 Revision 0 j Probabilistic Risk Assessment , 1 i
^
1.5 IMPORTANT OPERATOR ACTIONS, i I The estimate of core damage frequency provided in the evaluation depends huavily on the credit given to the operating crews in performing actions before and durmg an accident. l Those actions occurring during an accident are especially important. For Beavor Valley Umt i 2, operator actions found to be important are discussed below. ;
- Critical actions to be taken in response to f ailures in the electric power systems include- ;
3 -Losses of all emergency switchgear ventilation may lead to complete loss of all , amergency AC power. The ability of the operators to promptly provide alternate room i cooling to the switchgear areas is important. Currently, alarm response procedures , inform tho operators to investigate the cause of trouble, but do not provide explicit guidance on how to establish sufficient alternate cooling in the event that both emergency switchgear ventilation fan trains fail. The alarm response procedures are being reviewed , to see if they can be enhanced to cover these scenarios, ;
-For station blackout sequences, both onsite and offsite recovery actions to reestablish power to 4,160V emergency AC electrical buses are important. A cross tie connecting the ;
4kV normal buses of UV 1 and BV 2 will be installed. This crossetic will permit either of
~
the emergency diesel generators of the non blacked out unit to be connected to either of the emergency buses of the blacked out unit in the event of a station blackout. This modification is being implemented to provide an acceptable station blackout copin0 capability usin0 the emergency diesel generators of the other unit as the alternale AC (AAC) source. DLC is committed to installing the necessary hardware, revising existing ,
* - procedures, and providing training to effect this crosstle capability, !
1- -For each plant trip, a fast transfer is made of the 4,160V buses from the unit station service transformers to the system station service transformers. Failute to successfully transfer may. result in a loss of power to one or both 4.160V emergency buses if the i associated diesel generator does not function properly. The operator action to locally ali0n or replace the breakms from the emergency buses to the system station service transformers following a failure of the fast transfer is important because the frequency of such failures is predicted to be significant. Procedures will be prepared and traininD Will be provided on how to promptly repair or change out the failed breakers.
-For station blackout sequences, operator actions to manually isolate containment i penetrations with motor-operated isolation valves, as called for in the procedure, are important to ensure leak tight integilty of the containment and avoidance of potential -
containment bypasses, !
-For sequences involving station blackout and no steam generator cooling, current ;
procedures (ECA 0.0) preclude RCS depressurization via the PORVs as would otherwise be - directed for other sequencns per FR-C.1. This contributes to a relatively high frequency of high. pressure core melt events, which, in turn, contributes to early containment failure due to induced steam generator tube rupture and high pressure melt ejection driven overpressurization. During the accident management phase of the IPE, consideration will be given to oxtendin0 existing provisions for RCS depressurization to l cover station blackout sequences. 1 .
- Actions that are important 'or the mitigaticn of LOCAs include:
-In the event of a small LOCA with failure of both QSS pumps that is sufficiently large to ,
cause a Phase B containment isolution (CIB) signal, the RSS pumps are automatically , started after a 10.5 minute delay. At the time that they begin operation, there may not be 1.5-1 L5 knponant Owator Actions -
Dav:r Vcilsy Power Stellen Unit 2 Rovision 0 Probabilistic Rl:k Asussmsnt sufficient NPSH to prevent the pumps from cavitating. Emergency procedures instruct the operators to protect the pumps by securing them until adequate NPSH is obtained. This action can be important since, if the pumps do cavitate and eventcally fall, the capability for recirculation from the sump would be lost.
-In the event of a LOCA W '+ failure of recirculation from the sump, the Beaver Valley Unit 2 procedures direct tha tators to provide makeup to the RWST from the spent fuel pool or via blending. This action is irnportant because, at some other plants, LOCAs with failure of recirculation were found to bo relatively high frequency core dainage sequences, when no credit was taken from makeup to the RWST.
- Key actions for other scenarios include:
--The important containment bypass sequences at Unit 2 are initiateo by a ct3am generator tubo rupture. The operator response to cool down and depressurize the RCS in order to facilltate isolation of the ruptured steam generator may therefore be important.
However, substantial time is available for this action. That such sequencet are among the highest frequency containment bypass scenarios is an indication of the protection ! afforded by the Beaver Valley Unit 2 design features concerning those sequences relative l to other Westinghouse PWRs. It is desirable, however, to have the emergency procedures for stearn generatof tube rupture events more explicitly instruct the operators to perform the depressurization for sequences in which all high head safety injection is also failed. Procedures are being updated accordingly.
-Also, for steam generator tubo rupture events, the potential exists for a safety relief valve on the ruptured steam generator to stick open. Procedures and trainin0 are being improved to ensure that such a stuck-open valve would be locally gagged closed, thereby isolating the ruptured steam generator.
-The primary component cooling water system design is such that RCP thermal barrier cooling may be lost in a variety of sequences.. The operator actions to restore CCP flow to the RCP thortnal barriers given a CIA signal, ClO signal, loss of containment instrument air, or f ailure of a vital instrument bus (i.e., red or white) are important to prevent potential losses of RCP seal coolin0 in nonstation blackout scenarios, t
l 9 1.5-2 ts i$pmtant omatar Actons.
B:av:r Vcil:y Pcwer St:ti:n Unit 2 Rsvisi:n 0 Prch;bilistic Risk Ass:ssm:nt 1,6 IMPORTANT PLANT HARDWARE CHARACTERISTICS FOR CDF. Characterir a of the Beaver Valley Unit 2 plant design and operation that have been found to M !moortt : in the analysis of core damage frequency include:
' i- Ut that RCP seal injection and thermal barrier cooling are not both dependent on 3.Jnent cooling wat3r (CCP), as in some plants, is an important strength of the f t. Anal arrangement of Beaver Valley Unit 2.
- r. ton blackout sequences, both thermal barrier cooling and RCP seat injection are ce loss of all seal cooling could lead to seat failure and a po antial LOCA. The
' 1 cross-tie connecting the 4kV normal buses of BV 1 and I"' 2 will provide an tAAC) source. Additional .sodifications to further address r<CP seal integrity 6 seal cooling are under review and both new seal materials anr', alternate
, systems will be considered. Any modifications will be implemented in cx a vrith the resolution to Generic issue 23.
- 1, . .e of a failure of au;omatic reactor tip, the operators can attempt to manually 1.-lp the ru ; rom the control roorn. Heoever, this manual action does not remove power to he cu col rods. Removal of power must be accomplished by locally tripping the
- r'1 tor-generator sets. In the event that both reactor trip breakers mechanically bind. it is u.15.ely that the operators could remove power locahy prior to RCS r.ressure peaking Juring ATWS scenc ios hwed by a total loss of main feedwater. Adding the capability for the operators to remove power from the control room would reduce the reactor trip g failure imquency ind is be!ng conside*ed, ij
- Beaver Valley Unit 2 has two emergency diesel generators with which to mitigate an extend 3d loss of offsite power. A cross-tie connecting the 4kV normal buses of BV 1 and BV 2 will be installer'. This cross-tie will permii either of the emergency diesel generators of the non-blacket cw to.f to be connected to either of the emerge cy buses of the blacker, est unit ir. "iu event of a static' blackout. This modification is being implenrred to provide an acceptable sta on blackout coping capability using the emergency diesel gnerators of the other unit as the alternate AC (AAC) Source. Credit for this enhancement has not been included in the current PRA results, and will be included by ULC in a future PR A update
- In the event of a plant trip fobowed by a loss of all auxiliary feedwater, several design features at Beaver Valley Unit 2 ...ake it less susceptible to foss of all secondary heat removal sequences then some other plants. The electric motor-driven main fee twater pumps make it less likely to lose and easier to restore main feedwater than at plants with steam-driven main feedwater pumps. The pressurizer has three PORVs with which to perform bleed and feed or feed and bleed cooling, should ali secondary heat removal be loM. Moreover, engineering calculations indicate that in the event of a loss of al!
secondary heat removal, the HHSI pumps have sufficient head capacity to successfully provioe sufficient flow for ble9d and feed coo'.ing with the operators holdmg open just one of the pressurizer PORVs.
- Beaver Valley Unit 2 is designed to try and stay online following a load rejection accident.
Fc 0100% load rejection accident, it is not expected that run back to house loads would A be cuccessful with a high degree of reliability. Consequently, the net effect of this design C featu,e for a loss of offsite power event is just to delay the time of reactor trip. This delay is expected to result in a challenge to the pressurizer PORVs to lift n occurred during a loss of load test. In the event that the PO'1Vs fail to reclose, the time available for el'ctric power recovery f'om a station blackout event is significantly reduced. The option d 1.6-1 16 Impor. Ptn! Hardware Cnaracteristics for CoF.
Beavar Valley Power Station Unit 2 Revision 0 P >obabilistic Risk Assessment eliminating the challenge by defeating the 100% load rejection capabihty is being considered.
- The emergency switchgear ventilation is a normally operating two-train fan system.
Complete losses c'such systems have been known to occur in the past at other plants. The rooms served b/ emergency switchgear ventilation contain a number of heat loads. Current thermal hydraulic analyses indicate that equ!pment design temperatore limits may be exceeded in less than 1/2 hour if all ventilation is lost. These rooms are also situated so that simply opening doors will not produce a chimney effect. Alarm response procedures are being reviewed to d9termh.e if they can provide more explicit guidance on Law to establish sufficient alternate cooling in the event that both emergency switchgear ventilation fan trains fail. O O 1.6 2 :.6 Impor. Ptnt Hardware Characteristics for CDE
Baaver Vallay Power Station Unit 2 Revision 0 Probabilistic Risk Assessmsnt
-f
-d 1.7 IMPORTANT PLANT CHARACTERISTICS FOR CONTAINMENT PERFORMANCE The following characteristics of the Beaver Valley Unit 2 containment structure and systems are important to containment performance during severe accidents:
- Subatmospheric Containment Operation The Beaver Val;ey Unit 2 containment is I
' maintained at a subatmospt eric pressure (9.0 to 10.5 psia) during normal operation. Containment in-leaka00 is continually monitored. Because of this feature, the likelihood of large leaks in the containment existing at the time of a severe accident is negligible, and r ;)otentially irnportant contributor to the risk of early health effects is eliminated.
- Containmen. Building Design. A detailed comparison of the Surry Unit 1 and Baver Valley Unit 2 containment designs indicates tha they are very similar. It was concluded l that the Surry 1 containment failure probability distribution would be somewhat I conservative for the Beaver Valley Unit 2 containment, NUREG-1150 concluded that the Surry " containment volume and high failure pressure provide considerable capacity for accommodatson of severe accident pressure loads."
I j
- Reactor Cavity end instrument Tunnel Configuration. The reactor vesset is supported by a cylindrical steel support skirt and is surrounded by an annular neutron shield tank, which, in turn, is surrounded by the concrete primary shield wall.
The -instrument tunnel and primary shield wall form a " key"-shaped structure, l appropriately referred to as the " keyway " The concrete rectangular section of the keyway l is cover d by steel decking, upon which some of the RHR equipment rests. The platform , O for mot ' d the RHR equipment is adjacent to this docking. Access to the keyway is i
\ through a steel hatch, which is hir, d on one end of the hatch and positively tatched to L the steel decking on the opposite c.d of the hatch with a screw. The platform is located at Elevation 707'6',- whereas the floor of the keyway is at Elevation 690'11". Thus, water h the containment proper would have to rise to a level of 14'7" above the floor before it would overflow into the keyway. Tho exception is the case af a LOCA involving leaking instrument tubes that would directly wet the cavity, Conversely, water that enters the reactor cavity from the refueling tank would be unavailable for recirculation until the reactor cavity and instrumentation tunnel filled to a level 16'7" above the cavity floor
- before it reached _ the deckW above the keyway. Approximately 62,700 galions are
- l. estimated to be required to fill the reactor cav4v and instrumentation tunnel up to the RHR l platform elevation.
Approximately 975.000 gallons of water are required to reach the 707'6" level in the L containment (excluding the volume in the keyway). The RWST has a minimum capacity of l 859.250 gallens. Another 90.000 gallons are available from the accumulators, chemical L addition tank, and reactor coolant system. As is the case for the Surry Unit 1 containment, the Beaver Valley Unit 2 reactor cavity de9s not communicate directly with the containment sump. A small sump pumo (rated al 10 gpm) is located at the bottom of the instrument tunnel near where the instrumentation ibes rise vertically toward the seal table. Since it is not possible (unless an outside source of makeup is provided) to flood the reactor cavity _via " overflow" from the containment, the only signihcant source of water in (A the reactor casity prior to vessel failure results from operation of the quench spray system (QSS). If both 03S pumps operate, it is estimated that approximately 140 gpm of the 1 spray will fall into the reactor cavity. At this rate, water tevel in the reactor cavity and i instrumentation tunnel would rise approximately 0.03 fee:/ minute. Susta:ned makeup of 1
-1 i
1.7-1 O ImrM Rant Charac for Contain, Perf.
D:sver Vcllay Pewsr St: tion Unit 2 Revision 0 Prob:bilistic Risk Assessrnent 140 gpm would be adequate to cool core debris once decay heat level reached 0.75% of full power. The above features impact the ability to ensure that there is a means to cool the fuel melt debris bed atter the core melts through the vessel bottom head. They also influence the capability to reduce radioactive release scurce terms via the cooling and scrubbing effects of introducing additional water to the containment.
- Containment Heat Removal, The Beaver Valley Unit 2 containment fan coolers (containment atmospheric recirculation system) are not designed to provide a safety functinn. Furthermore, the coolers are automatically tripped and isolated on a safety signal, and would flood out during accidents in which the RWST is injected into the containment. Therefore, only containment heat rentoval by the recirculation spray systems (RSS) is given credit (where appropriate) in the Beaver Valley Unit 2 PRA.
O O 1.7-2 1.7 Import, Plant Charac. for Contain. Perf.
83avsr Vclicy Pcwcr Station Unit 2 Revision 0 Probsbillritic Risk Assessment
1.8 REFERENCES
1 1. U.S. Nuclear Regulatory Commission, Generic Letter No. 88-20, December 1988. 1 2. U.S. Nuclear Regulatory Commission *individaal Plant Examination: Submittal Guidance," final report, NUREG 1335, August 1989. 1 3. U.S Nuclear Regulatory Commission, " Severe Accident Risks
- An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150 Summary Report," second draft for j peer review, June 1989.
14, Pickard, Lowe and Garrick, Inc., "Three Mile island Unit 1 Probabilistic Risk Assessment," prepared for GPU Nuclear Corporation, PLG 0525. November 1987. 1 5. Pickard, Lowe and Garrick, Inc., ' Midland Probabilistic Risk Assessment," prepared for the Consumers Power Company, May 1984. 1 6. Pickard, Lowe and Garrick, Inc, "Seabrc ok Station Probabilistic Safety Assessment," prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, PLG-0300, December 1983. 1 -1. Pickard, Lowe and Garrick, I nc., " South Texas P;oject Probabilistic Safety Assessment, Summary Report," prepared fc- Hot"'on Lightirg & Power Company, PLG 0700, April 1989. 1-8. Pickard, Lowe and Garrick, Inc., ~Diablo Canyon Probabilistic Risk Assessment," prepared for Pacifi: Gas and Electric Company, PLG-0637, Au0ust 1988. i N 1-9. Fleming, K.N., "Recent Trends in Evaluation of Large Early Release Frequency in PWR Plants " Transactions of the American Nuclear Society, Winter Meetmg, San (. Francisco, Novernber 1989, 1-10. Pickard, Lowe and Garrick, Inc., " Risk Management Actions To Assure Containment Effectiveness at Seabrook Station," piepared for Public Service of New Hampshire, PLG-0550, July 1987. l v
- 1. 8--1 1.8 Refwences.
- ~ - ~. .- - -
l B=v:r Vallay Powcr Station Unit 2 Revision 0 Probcbilistic Risk AssessmsrJ G 2 EXAMINATION t/CSCRIPTION V
2.1 INTRODUCTION
j l The objectives described in Section 1.1 were accomplished by the completion of a Level 2 l PRA on Beaver Valley Unit 2. Reference 2-1 defmes the three levels of PRA work scopes as follows:
- Level 1 considers the performance of the plant systems to the extent needad to resolve scenarios to the point of success or core damage.
- Level 2 includes issues of core and containment phenomenolo0y to the extent needed to resolve scenarios to the point of release of radioactive material.
- Level 3 includes an assessment of offsite consequences to public health and property.
The study described in this report represents a Level 2 analysis. It includes an assessment
- l. of the frequency of a spectrum of retcase categories, together with information to describe l the timing and magnitude of source terms, that could be expanded into a Level 3 PRA at a l later date, if desired.
1 1 The scope of accident sequences that are included in the PRA is hmited to those initiated by the so-called internal events and interna! floods in conformance with NUREG-1335. The PRA models and sc,.iware will accommodate future extensions of this analysis to cover a full spectrum of internal and external plant hazards as needed by DLC.
- O- The technical ccope of work that is necessary to perform a Level 2 PRA was organized into tno following taskt
- Task 1 - Germric Letter Review l
- Task 2 - Plant Event Sequence Model a- Task 3 - Systems Analysis
+ Task 4 - Data Analysis l
- Task 5 - Human Actions Analysis
- Task 6 - Level 1 PR A Quantification
-
- Task 7 -- Uncertainty Analysis
- Task a - Containment Performance Analysis
!
- Task 9 - Report
- Task 10- Project Management
- Task 11 - Clerical Support and Publications
- Task 12 - Technology Transfer
- Task 13 - NRC Maetings and Support
- Task 14_- Accident Management
* - Task 15- Teclinical Review and Quality Assurance The above technical and administrative tasks are interrelated and were integrated by the pro ct team.
I PLG provided project management and PRA technology. S&W provided plant intormation.
'O technical reviews, and analyses of severe accidents and effects of HVAC loss. DLC provided project direction; DLC personnel from engineering and operations were directly involved in the projec; to ensure accuracy of the documentation, to provide independent in-house review, 2.1 -1 2.1 introducion.
B vsr Vallsy Powsr Statirn Unit 2 Rovision 0 Probabilistic Risk Assessmsnt and to validate the process and its results, Additional discussions on the PRA organization and DLC's involvement are provided in Section 5. The technical quality of the project was ensured by a combination of approaches:
- Thr4 assignment of highly competent, experienced personnel to the project team.
* ',he use of the state-of the art methods and software to perform the analysis.
- The complete and systematic docurnentation of all models, input data, computer programs, and other aspects of the analysis.
- The involvement of DLC management, engineers, and operators who are familiar with the .
design and operation of Beaver Valley Unit 2 to ensure that the models accurately describ.' the plant, its operating environment, and implementation of plant procedures. ,_
- The performance of independent technical reviews within F' 3 and S&W.
- The reviews and comments of the DLC Independent Review Team (see Section 5),
- The use of quality assurance (OA) procedures that are appropriate for PRA.
The QA procedures used for this project (Reference 2-2) cour a variety of activities, including procurernent, document control, computer program verification and documentation, the o , performance of QA tts, and the performance of technical reviews. These procedures, which are based on Appendix B of 10CFR50, are believed to meet or exceed the requirements cf NUREG-1335. O f O i 2.1 -2 2.1 introduction. y
Beaver Valley Power Station Unit 2 ' Revision 0 Probabilistic Risk Assessment 2.2 CONFORMANCE WITH GENERIC LETTER & SUPPORTING MATERIAL NRC Generic Letter No. 88-20, which was issued on November 23,1988 requested that an IPE } for severe accident vulnerabilities be performed and that the results of the examination be ) submitted to the U.S. Nuclear Regulatory Commission. Supplen:ent No.1 in Generic Letter 88-20 was issled August 29, 1989, announcing *he availability of NUREG 1335, ~lndividual Plant Evaluation: Submittal Guidance ~ and requesting, in accordance with Generic Letter 88-20, a submittal, within 60 days, describing proposed programs for completing IPEs. The following discussion summarizes conformance with the generic letters and NUREG-1335:
- Summary. This PRA is written according to the NUREG-1335 format and content and provides a plant-specific, systematic examination of Beaver Valle y !Vt 2 for vulnerabilities. DLC is using the PR A to develop an appreciation of severe accidents, understand mou hkely sequences, gain a more quantitative understandmg of core damage and release probabilities, and, if necessary. redi ':e these probabilities. The Beaver Valley Unit 2 results are consistent with the NRC% Safety Goal Policy Statement.
- Examination Process. DLC personnel, who are familiar ith the details of the design, controls, piocedures, and system configurations, have been involved with the analysis and technical reviews, and are performing the Beaver Valley Unit 1 PRA. In addition, a DLC Independent Review Team is used to ensure accuracy of the documentation and to validate both the IPE process and its results.
- Internal Events. This PRA includes a full treatment of internal initiating esents and
$ , internal floods. c y
- Methods of Examination. This is a Level 2 PR A using current state-of-the-art methods consistent with NUREG/CR-2300 and severe accident phenomenological issues discussed
( in Appendix 1 of Generic Letter 88-20.
~
- Resolution of Unresolved Safety / Generic issues (Relationship to USl A-45). Decay Heat Romaval Systems have been included in the models and the rt suits show no significant vulnerabilities.
- PRA Benefits. This study is a Level 2 FRA. DLC recognizes tne pote> J benefits of a PR A, and plans to use and rnaintain it.
- Severe Accident Sequence Sciection. The results of accident sequence screen:ng are presented in Section 3.4.1, as described in NUREG-1335. Section 2.1.6, for syshmic sequences.
- Use of IPE Resuhs. OLC will ensure that 10CFR50.59 is met regarding changes as the result of improvements ident;fied from the IPE.
- Accident Management. After completion of the PRAs on Beaver Vahey Unit 2 and Beaver Valley Unit 1. DLC plans to have training programs that provide orientation on the use of PR A, important results, and conclusions. More detailed training is planned for those personnel who are directly involved in configuration management and plant change evaluations.
- Documentation of Examination Results. This summary report, with Appendices A through E, provide the cu: rent tier 2 documentation. The summary report alone satisfies the requirements for the IPE submittal per NUREG-1335.
2.2-1 7 2 centomance wan cenenc ur. and suppormg virt
Beaeer Valley Pt wer Station Unit 2 Revision 0 Probabilistic Risk Assessment
+ Licensee Response, A DLC letter, dated October 30,1989 (Reference 2-3), documents the g 60-day response. A letter dated September 18,1991 (P..ference 2-4) notified the NRC of a W change in the schedule for submittal of the IPE reports.
i e B94 7 e u.2 g ,c _ _ _ _ m,.. s _ ,_ i
Beaver Valley Power Station Unit 2 Revis!on 0 Probabilistic Risk Assessment 2.3 GENERAL METHODOLOGY T ao purpose of this section is to summarizo the technical approach and methodology used in the development of a risk model for Beaver Valley Uni' 2. More detailed descriptions of the methodology are included throughout the report. The overall PRA methodology closely follows the series of analytical tasks and methodologies that PLG has developed and implemented in performing more than 20 PRAs of nuclear power plants having various work scopes. Mathematical bases 'or the approach are given in Reference 2-5. 2.3.1 Introduction The Beaver Valley Unit 2 PRA is founded on a scenario-based definition of risk. In this ' application, risk is defined as the answers to three baJIC questions:
- 1. What can go wrong?
- 2. What is the likelihood?
- 3. What are the consequences?
Question 1 is answered in the form of a structured set of scenarios that is systematically developed to account for design and operating features specific to Beaver Val ley Unit 2. Question 2 is answered in terms of a prediction or estimate of the frequency of occuirence of each scenario identified in answer to question 1 Since there is uncertainty in that frequency, the full picture of likelihood will be conveyed by a probability curve--a curve that convoys the state of knowledge, or confidence, about that frequency. t The third question is answered in a Level 2 PRA in terms of the key characteristics of rachoactive material releases that could reult from the scenarios identified. In a Level 3 analysis, offsite consequences such as public health effects and property damage are estimated for these releases. The results currently reported are for a Level 2 PRA, as defined in the IEEE/ANS "PRA Procedures Guide * (Reference 21). A large fraction of the effort needed to complete a PRA is spent in the development -of a t model to define a reasonably complete set of accident sequences that is appropriate for the specific plant. An overview of the accident sequence model for Beaver Valley Unit 2 is presented in Figure 2,3-1. This models comains a very large number of different scenarios l that are systematically developed from the point of initiation, on the left, to termination, on the right. A series of event trees is used to systematically identify the scenarios from the , initiating events to the point of termination.. Dependency matrices that are developed from a 1 detailed exar' , ' tion of al! of the plant systems help to accou nt fnr important ' l Interdeper.lencies and intaractions that are highly plant specific. Event sequence diagrams !. .are used to incorporate operator actions from appli, alior, of the plant-specific emergency operating procedures into the scenario identification process. To facilitate a clear definition of plant conditions in the scenarios, separate stages of event
- l. treas are provided for the response of the support systems (e.g., electric power, service l water, etc.), the frontline symms (e.g., auxiliary feedwater, quench spray, etc.), operator
- recovery actions, and coaksaent phenomena; e.g., containment overpressurization failure.
A detailed definition of pla:n damage states provides a clean interface between the Level 1 and Level 2 event trees. The systematic, structured apprcach that was followed in constructing the accident scena.io rnodel provides assurance that plant-specific features will be identified and that a reasonaole 2.3-1 . 22 cenera! uemoamogy.
Bav2r Vcil:;y Power Station Unit 2 Revision 0 Probabilistic Risk Assessment degree of completeness will be achieved. it also provides for the systematic, top-down development of engineering insights about the key risk controlling factors that drive the results. The first step in risk analysis is to make a list o oossible scenarios. As a matter of principle, we wish to make this list as long as possible; lt, to think of and separately identify as many ccenarios as we can. In the case of a nuclear plant, tne list of scenarios can literally run into the billions. It is necessary therefore to develop methods for identifying scenarios, and for organizing and structuring the list so that it can be comprehended and its analysis made manageable. We begin by following a deductive line of thought that leads to the identification of possiLle initiating events. The next step is to organize the possible ensuing event sequences into a
" plant" model. The model building begins with the development of event sequence diagrama (ESDs) that are reviewed w!!h operations personnel from the plant to ensure a proper integration of the plant emergency operating Procedures. Each ESD is then converted into an event tree that follows the scenarios up to the point where either the reactor is stabilized, or plant damage has occurred. At this point, as suggested in Figure 2.3-2, a coalesce, ice of scenarios, or "pinc5 point," occurs in that, given a certain state, y,, of plant damage has occurred, the remainder, or downstream portion of scenarios, is the same regardless of how that state was arrived.
When the PRA is extended to Level 2, the next portion of the scenarios is modeled by a
" containment event tree" that follows the progress of the scenarios through the containment from the plant state to the occurrence or nonoccurrence of a release of radioactivity into the environment. Thus, the entry states to the containment event tree are the plant damage states; i.e., the exit states from the plant event tree.
1 The Axit states from the containment are called " release categories." each of which specifies a " source term;" 1.e., a certain quantity and mix of released radioisotopes together with informatlan describing the timing and energy of release. At this point, another coalescence of sequences occurs in that the effects in the environmeat of a given category of reloase are the same regardless of the particular scenario that led to that release category. In a Level 3 PRA, the environmental effects are then studied by a " site model" that takes the release category source term as its input event, follows the movement of the radioactivity, and c.omputes the final damage state. x,, in terms of public health and property damage ! impact. l l The Beaver Valley Unit 2 PRA is a Level 2 (Reference 2-1) analysis, as it includes the initiating events, the plant model, plant damage states, and containment model; it stops at the release category (source term) level. 2.3.2 Causes and Consequences of Failure l Because reactors are protected by reliable, diverse, and redundant safety systems, it is ! .necessary to postulate a series of multiple failures of systems, components, and humans before core damaga can occur. The likelihood of a chain of independent failures leadhig to accidents has been shown to be extremely small. However, actual operating experience and l more advanced modeling techniques demonstrate that, although their likelihoods are quite l smali, they are numerically higher than would be estimated solely from a postulated chain of 1 2.3-2 2.3 cenes Memocokxn.
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment independent f ailures. This is because physical and human interactions cause dependent ! failbres that increase the probability of each successive failure in the chain. In fact, I dependent failures tend to dominate the likelihood estimate. l Thus, realistically estimating the likelihood of potential reactor accidents is determined principally by the ability to analyze dependent multiple failures (Reference 2-6). The concept of deperdence is important in both probability theory and probabilistic risk assessment. In fact,it is the modeling of the dependencies among various combinations of components in a nuclear powe: plant that makes the PRA job complicated, if every component failure or other situation could affect only a sin 0le component at a time, the reactor core would probably never be threatened because it would require the coincidence of several failures before a serious accident could develop. Such " independent
- coir,cidences are truly rare. There would still be e 4 rod for logic modeling to be sure of the impact of a failure, of course, but such modeling would bc relatively simple. In general, no singie component tailure can, by itself, result in core damage, except for very unlikely events such as rupture of the reactor vessel. Core damage can occur only if more than one failure occurs independently, or if one
. failure leads to another, oi if one condition causes 3nore thar one failure.
A dependent event is a rystem action or physicai condition whose likehhood is changeo by the events that precede it or by the conditions that exist when the event occurs. (The term
" condition" is used here in a broad sense to represent either environmental conditions, equipment conditions, or plant state.) in general, the likelihood of each event in a scenetic is conditioned by all previous events in the scenario. As will be seen later, the impact of previous events is sometimes not significant. In other cases, such events are of great
, . concern. The joint likelihood of two or more avents occurring simultaneously, but independently, is usuelly so small that it is not important to risk. For example, if two independent events each have a chance of I in 1,000 of occurring, tha joint likeliheed is 1 chance in 1,000,000. Therefore, the PRA focuses its attention on multiple events that result from each other or from the same cause. Examples of such cause3 include conditions in the plant, such as
- those resulting from minating events, or the occurrence of the same maintenance error for different components having similar vulnerabilities. In the numerical example cited above, a dependent failure would exist if the likelihood of one event was dependent on whether the-l other event "ad occurred. If the degree of coupling (dependence) between the failures is l- strono, the joint -likelihood of both events in that example could be closer to 1 chance in 1,000
' in to 1 in 1000,000.
Consideretion of dependent events occurs at many pl3ces in a PR A. For example.
- Each initiating event is carefully examined to see which of the systems that must function to mitigate its consequences might also be made unavailable by the in:tiating event. Such I depende"ce is modeled by Grouping those initiating events that require similar oiihgating systems, then defining the boundary conditions for each mitigating system to make them specific to those initiators =
- Each event in a scenario is examined to specify the correct boundary conditions for it, given the previous events in the scenario. -in such cases, a branch may be eliminated under specific boundary ' conditions if it is not needed, certain to be successful, impossible, or already failed because of events that have occurred previously in the scenario. Previous events may also change the availabili'y of a mit' gating system without eliminating the corresponding branch. Such a situation is indicated in a boundary 2.3-3 23 ceneras Memoasogy.
Beaver Valter Power station Unit 2 Revision 0 Probabilistic alsk Assessment condition table by a numerical specification indicating the boundary condition to be used for that system in each case.
- Swort systems whose failure would impact the operability of frontline systems are modeled expliciily in the support system model; that is, for example, an electric power system may havc multiple states so that in the event trees there are more than two branches at the electric power system. In it a fault tree diagrams for each other system, the state of electric power is used as a boundary condition in the top structure of the tree.
Thus, in effect, a different fault tree is calculated for each system, assuming different states of electric power (availability of buses). From this fault tree, the split fractions are calculated for the appropriate branch point in the event tree. To irnplement this process, i the impact of the support system state on each event in a scenario is shown in the boundary condition table for the corresponding event tree.
~
- Human actions that occur during event sequences and might affect more than one event in a scenario are best modeled in the event trees or added as recovery actions on a sequence-by-sequence basis. For such actions, great care must be exercised to acc. 't for all dependent effects such as competing demands on operators and the impact of i previous actions.
Human actions that affect only one system (but might affect more than one component in that system) are modeled with the system. Examples include a single maintenance man making the same mistake on two redundant pumps, two operators influencing each other so that they both make the same mistake, or sequential testing by one operator who makes the same miatake in each test.
- Any initiating event that might affect more than one event in a scenaric is modeled ,
explicitly if' its likelihood and potential consequences are judged to be significant. Examples of such initiatin0 events include steam line breakr, loss of coolant accidents, and internal floods. All dependencies identifi-ed during the course of a PRA are modeled explicitly with the - following two exceptions. First, an implicit allowance for real but undefined dependencies is made by using parametric "cc ,mun cause" terms in the support system and froatline system analyses. Secondly, certain dependencies acknowledged by the nuclear industry and i specificahy considered in the plant design are judged to be ir,significant contributors to risk and are therefore not explicitly modeled. The following terms represent various types and aspects of dependence. They are defined here for purposes of clarity.
- Common Cause Failure. A term used for dependent events that share a common cause.
Operating history has shown that such failure mechanisms occur with a predictable froquency. When they may be significant contributors to risk, they will be modeled as depender,t failures. The term " common cause failure" is used in this study to refer only to those den ndencies that are either intentionally not modeled explicitly or cannot be explicitly modaled because their joint failure mechanisms are not understood. The treatment of common cause events in this PRA is explained in Section 3.3.1 and is consistent with the procedures defined in Reference 2-7.
- Intersystems Dependency. A term usually used to refer to adverse or unrecognized dependencies between events in a scenario. In its most general use, this term refers to all such dependencies regardless of whether they are significant contributors to risk.
Intersystems dependencies are generally divided into " functional" (Section 3.2.1), " spatial" 2.3-4 u cenera. Metnocciogy.
Basysr Vallsy Powsr Stati n Unit 2 Revision 0 Probabilistic Risk Assessment (Section 3.3.6), and " human interactions" (Section 3.3.3). All three types of interactions , V can be explicitly modeled in a PRA if they are founo to be significant contributors to risk. l
- Environmental Effects. A term that refers to dependencies stemming from environmental conditions in the plant; e.g., a ventilation support system failure that causes more than one frontline system to fail.- Such conditions are explicitly considered in a PRA.
2.3.3 Methodology of Probability crd Rlsk Assessmeet Core damage may be initiatec; either by internal events, such as a loss of coolant accident, or external events, such as fires, wrthquakes, etc., with simultaneous, or nearly simultaneous, hurnan errors contributing to either type of causal event. . The tasks necessary to perform a Level 2 PRA include:
- 1. Definition of all potential initiating events and the resulting sequence-of event scenarios.
- 2. Calculation of the frequency for each scenario (and because there is uncertainty, a probability distribution over frequency mu; be determined).
- 3. Reporting of the results, including quantification of the probable fregunncy of reactor core damage and a relative ordering of the specific scenarios (initiating events, system failures, human actions, etc.) leading to it.
The usefulness of a Level 2 PRA is not only as an assessment of risk, but also as a tool that O D plant operators and managers can use to identify, assess, and control specific risk. By using the results of the PRA to play "What if ...?" games and to perform cost-benefit analyses of potential equipment changes or other plant modifications, plant operators can (1) better understand the potential contributions of faltures of various plant systems to core damage, andi2) mitigate potential occurrences and their consecuences, thus reducing risk. 2.3.3,1 The Quantitative Definition of Risk i 1 in analyzing risk, we are attempting 'o envision aow the future will turn out if we undertake a certain course of action (or inaction). Fundamentally, therefore, a risk analysis consists of answers to the following three questions:
- What can happen; i.e., what can go wrong?
l
- How likely is it that this will h6ppen?
- If it does happen, what are the consequences? -
L To ar.swer these questions, we would make a list of outcomes, or " scenarios," as suggested in Table 2.3-1. L _ The ith line in this table can be thought of as a triplet:
- j. < s,, $,, x, > (2.1) where
- s,= a scenario identification or description.
(L
$,= the 'requency rf that scenario, p
2.3-5 2.3 ceneras uemocoiogy.
l Bonv:r Vctisy Power St:tinn Unit 2 Revision 0 Probnbilistic Risk Asssssm nt . x,= the consequence or evaluation measure of that scenario; i.e., the rneasure of dama00-
-If this table contains all of the scenarios we can consider, we can then say that it (the table) is the answer to the questions and therefore is the risk. More formally, using braces, { }, to denote " set of," we can say that the risk, R, "is* the set of triplets R = { < s,, 4,, x, > } , i = 1, 2, .. N (2.2)
This definition of risk as a set of triplets is our first level definition; we shall refine and enlarge ii later, For now, lot us see r.ow to give a pictorial representation of risk. Imagine, in Table 2.3-1, that the scenarios have been arranged in order of increasing severity of damage; that is, the damages, x,, obey the ordering relationship; xi S x2 5 Ka 5 ' ' S Xu (2.3) Now add to the table a fourth column in which we write the cumulative frequency, adding f' rom the bottom (Table 2.3-2). The cumulative frequency is represented by the unper case @, as shown. If we now plot the points < x., Q,> , we obtain the staircase function shown as a dashed line in Figure 2.3 3. Let us next note that what we called " scenarios" in Table 2.3-1 are really categories of scenarioa. Thus, for example, the scenario " pipe b*eak" actually includes a whole category of different kinds and sizes of breaks that might be envisioned, each resulting in a slightly differcnt damage level, x. Thus, we can argue that the staircase function should be regarded as a discrete appr'oximation to a continuous reality; i.e., if we draw in a smoothed curve through the staircase, we can regard that crve as representing the actual risk, Thus, we call it the
- risk curve." When a risk curve is plotted on a log-log scale, it takes on the characteristic concave downward shape shown in Figure 2.3-4.
Note, however, that we do not precisely know the frequency of each scenario. The same is true therefore of the risk curve Q(x); 1.e., we have uncertainty about what it would be. The degree of uncertainty depends upon our total state of knowledge as of right new; upon all of the evidence, data, infoimation, and experience with similar courses of action in the past. We seek therefore to express this uncertainty us'ng, naturally, the language of probability. l Since the thing we are uncertain about is a curve, Q(x), we express the uncertainty by embedding this curve into a space of curves and erecting a probability distribution over this space. Pictorially, this is rer.rese 'ed by a diagram of the form of Figuie 2.3-5. This figure is what we call a " risk curve in probability of frequency format," or, alternatively, a
" risk diagram." It consists of a family of curves, Q,(x), with the parameter P being the cumulative probability. To use this diagram, we could, for example, enter with a specific x value and choose, say, the curve P 4 0.90. The ordinate of this curve, Q w(x), is then the 90th percentile frequency of x; that is, we are 90% confident that the frequency with which damage level x or greater occurs is not larger than Q (x).
i l 2.3-6 23 cenerai Memocology. !
Banysr Valley Powar Station Unit 2 ' Revision 0 Prebsbilistic Risk Ass:ssmsnt
.A Returning to our set of triplets for a proposed course of action, suppose we now acknowledge Q that we du not know the frequency with which scenario category S, occurs. We would then express out state of knowledge about this frequency with a probability curve:
P,($,) = probabili:y density function for the frequency, @,, of the ith scenario Thus, we now have a set of triplets in the form R = { < s,, p,(p,), x, > ) (2.4) which we could say is the risk including uncertainty in frequency. From the set in Equation (2.4), we can conctruct the risk family, Figure 2.3-5, by cumulating frequencies from the
' bottom in a manner entirely parallel to that used in Table 2.3-2.
Similarly, if there is uncertainty in the damage aise, we would have the set of triplets: R = { < s,, p,(@,), q,(x,) > } (2.5) or, more generally, R = { < s,, p,(@,, x,) > } (2.6) using a joint distribution on @,, x,. In Equations (2.5) and (2.6), we can also construct the 7 family of risk curves. It is conceptually and computationally much clearer, however, to stick
- [d with Equation (2.4), if possible. One way of doing this is to make the damage levei part of the definition of the scenario. There is then no uncertainty in the x,. All of the uncertainty is then in the functions p,($,).
2.3.3.2 Initiating Events, the Plant Model, and Filsk Decomposition A PRA is basically a listing and an analysis of scenarios, and a full-scope PRA can contain literally billions of scenarios, depending on how broadly they are describad. Assembling a PRA of workable size therefore takes acNantage of several " pinch points" that help limit the total number of s:enarios requiring separate calculation. At a given pinch point, event sequences are coalesced into groups (states) that are indistinguishable in terms of future behavior; i.e., accident sequences emanating from a pinch point state depend only on that state and not on the path up to that p; int, Major pinch points in the Level 2 PRA are initiating ,
- events, plant damage states, and release categories. As explained below, several intermediate pinch points betvceen the initiating eventa and plant damage states are defined by the process of event tree modularization.
In defining the scenarios and their consequences, there are two major steps, one deductive
. and one inductive Each scenario consists of an initiator, or something that starts a sequence of events. This might be-a system failing, a pipe break!ng, a fire,'or a human error; something that. perturbs the reactor cooling system. The rest of the scenario' consists of passive and active (automatic or manual) processes that determine the consequences of the
{. ( .
. scenario. These-actions or events, consist of syatems, working or not; buildings and pipes remaining intact or not; the direction and speed of the wind when the scenario extends to a release; whether it rains during a release; how people move away from the plume; etc.
S
-2.3-7 2.3 cenerai Memodotogy.
B:sv';r Vcil y Pcwsr St: tion Unit 2 Revision 0 Prob:bilistic Rizk Assecament in the PRA models, all scenarios were identificel by a combination of deductive and inductive thought processes. First, a set of all possible initiating events was deduced. Then,the events that occur in each scenario stbsequent to the initiator were characterized inductively, using event trees and a meteorological sampling process. 2.3.3.2.1 Initiating Events. Three analytical methods are used to identity candidate initiating events:
- Master Logic Diagram
- Heat Balance Fault Tree
- Failure Modes and Effects Analysis The maswr logic diagram is a deductive approach for directly addressing the question "How can a significant release of radioactivity to the environment occur?" The h9at balance fault tree attacks the initiating event issue frem a different direction. The top event for the heat balance fault tree method is " initiating P.ent Occurs." The fat - Nee logic development that ensues is based on the concept that any initia!'ng event must involve an upset or imbalance in the thermal equilibrium that otherwise exists in the reactor core and its heat removal systems. This approach results in a finer structure for defining initiating event categories and enhancing completeness. Failure modes and effects analysis can be used to systematically identify support system failure modes that result in common cause initiating events. The FMEAs are not only used to generate additional initiating event categories but also to subdivide the original set in order to facilitate the treatment of dependence in event tree quantification. The application of these methods to Beaver Valley Unit 2 is discussed in Section 3.1.
2.3.3.2.2 The Plant Model. A great variety of possible ccenarios must be enumerated in the plant model. To do this requires detailed modeling of the plant, its systems, its components, and 3 heir interdependencies. Physical and human interactions with the plant that can affect the frequency of occurrence of an accident scenario must also be included. Event frequencies and their associated uncertainties are quantified using historical evidence in both nuclear and nonnuclear experience, when applicable. The plant model contains the reliability wpects of all of the systems, including the engineered safety features of the containw '. Once im Wtiating events are identified, the scenarics or accident sequences tnat could result are identified using a plant event tree. The plant event tree is actually a network of event tree modules. The top ever.ts of each event tree represent the responses of the . various plant systems, so that each path through the tree represents an event sequence. In this way, the event tree embodies a truth taole of all possible success and failure combinations of the plant systems. At the end of each sequence, the plant is either in a stable, recovered condition or has suffered some core damage. A set of plant states, y,, is defined, and each path tnrough the tree is assigned to one of these states. This point in the analysis is called a pinch point. Once a scenario has reached this ooint, its further development depends only on plant state y and not on how that state was reached. Each plant state is carefully defined so that the further analysis is the same whether that state was reached because of a LOCA, a loss of offsite power, etc. Figure 2.3-6 is a symbolic representation of an event tree diagram. Arrayed across the top O are various systems or safety functions in the plant; e.g., the reactor protection system. the auxiliary cooling system, etc. At the left, we enter the tree with the initiating event and then 2.3-8 2.3 General Methodology.
Beavsr Vclisy Powsr Station Unit 2 Revision U Probabilistic Risk Assessment ' ask "Does system A work or not?" Thus, the tree branches at this point, with the upper
' branch representing " system A works" and the lower branch representing
- system A fails."
At system 8, there is another branching, and so on. In this way, the event tree diagram is developed. Each path through the tree thus represents a " scenario," an envisioned sequence of events beginning with the specified initiating event and leading to a " plant damage state
- represented by the symbol y,.
These plant damage states are defined in terms of the conditions in the reactor vessel, the type and degree of coherence of core melt, and the status of the containment safety / mitigation systems. These states se chosen and defined with sufficient specificity that once such a state has occurred, the subsequent events in the containment are the same regardless of the path by which that state was reached. As a result of this definition, a coalescence of scenarios occurs at this point that structures the scenarios list and greatly simplifies the computational labor involved in the analysis. Also noted in Figure 2.3-6 is the fact that a given system need not be restricted to the two states; works or falls, in some cases, il is appropriate to use a multistate model of the system, thus representing various states of partial failure. Electric power, for example, is often treated this way. How many states should be used for a given system is a question of modeling detail or " degree of aggregation" as is the liumber of systems identified in the event tree in the first place. Tho situation here is identical to that present whenever a symbohc model is made of a real O,. world entity, whether it be a mathematical model, an engineering model, a computer model, or, indeed, a verbal model. The point is that the model is not the entity, it is only a symbctic representation of the entity. Modelers sometimes tend to forget that "the map is not the territory," and "the menu is not the meal." The concepteal event tree of Figure 2.3 6 ne,m io account for- a very lar0e number of systems and system dependencies. At a momum, the event tree needs to include a sufficient number of event tree top events to be able to unambiguously determine the_ end state, or the plant damage-state bin to assign to the sequence, in addition, the event tree must be-structured in a manner that facilitates the quantification of the scenario frequencies. This. In turn, requires that all important dependencies and interactions be accounted for. Two basic approaches are described in the PRA Procedures Guide (Reference 2-1) for accomplishing this. One involves direct modeling of these dependencies .,i :mouence fault trees (fault tree linking). The other approach, the one followed in this PRA, involves ht ' modeling of the. dependencies in the event trees. Rather than burdening the computer ll hardware and software resources with a single large event tree or fault tree, the approach
- followed here involves the use of modularized and linked event trees. The use of L modularized event trees in constructing the Level 1 PRA accident sequence model for Beaver l Valley Unit 2 is illustrated in Figure 2.3-1. Two event tree modules express the evolution of l
the accident sequences from initiating event to plant state: one that models the response of
- l. the support systems, and one that models the frontline safety systems. The event trees are l constructed, quantified, and linked with special event tree analysis software that uses l: _
dependency matrices as input. Event sequence diagrams are used to develop physical plant Q scenarios and application of emergency operating procedures. Each scenario terminates in 1 of 18 different scenario end states. One of these is successful termination, and the remaining l
- 17. involve core damage in a variety of different states of the reactor coolant system and ll active containment systems.
2.3 u Gweral Memoddogy. i
Boavsr Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment in PRAs conducted previously by PLG, the concept of support states was used to facilitate the - quantification and linking of the modularized event trees, in that procedure, end states were assigned to a suppor1 system event tree to represent the different ways the support systems states could impact the systems represented in the frontline event trees. The assignment and grouping of sequences into support system states and the binning together of similar support states were an mtegral step of the quantification process and also affected the presentation of results. This support state methodology was adopted in a simplified version of PLG's methodology that was adopted in the IDCOR IPEM. Because of enhanced capabilities of the PRA software that was used in this project, known as RISKM AN, there is ro need ior the introduction of support states. This is true because the software links together all of the sequences between the event tree modules, creating what amounts to a single, large event tree. The trees are input and reviewed by the analyst in modules only for human factor considerations.
- Determining Split Fractions for the Plant Trees, Let us turn now to the question of determining the split fracilons for a typical branch point in the plant event trees. The basic process used here is to perform an analysis of the system to which that branch point relates; that is, v:3 break the system down into its components and determine the relationship between the performance of the components and the performance of the system. From this relationship, and frorn the likelihooo of various component failures and various combinations of component failures, the split fractions for the system are calculated. This process involves the following steps:
- foualitative Analysis. This step includes system familiarization and walkdown, definition of system functions and success criteria, definition of system and component boundaries, definition of all event tree top events and split fractions to be analyzed, collection and review of all relevant system documentation, and definition of common cause groups.
2 Logic Modeling Development. This step includes the development of a reliability block diagram, conversion of this diagram to a fault tree, incorporation of common cause basic events into the fault tree, and screening analyses to support logic model simplification.
- System Failure Equation Development. For each system, top t *ent, and split fraction an algebraic equation is developed to compute the failure frequ ncy and to serve as e model for uncertainty propagation. The equations are developed by
- Incorporating boundary conditions for the split traction into the system fault tree.
-- Incorporating initial system alignments into the fault tree.
- Determining the fault tree minimal cutsets.
- Appiying the " rare event approximation" or basic probability combination laws, as appropriate.
- Applying probability models for common cause failures, failures on demand, mission failures, and various contributions to system, subsystem, and component unavailability.
- Database Development. For each equation parameter (e.g., failure rate, conmon cause failure parameter, maintenance or testing frequency, etc.), a probability I distribution is developed that describes the state of knowledge or uncertainty associated with the parameter value. This includes Sant-specific screening for i determination of common cause pa ao.eter in accordance with Reference 2-7. ;
2.3-10 2.3 Generai ucmoamogy.
= - - . . . . . - . . -- - - - - _ - - . -
Beavor Vallay Power Station Unit 2 Revision 0 Probabilistic Risk Assessment
- Quantification and Analysis of Results. Results are than obtainec, by propagating point 'O (mean values) and uncertainty distributions of the database param.'ters therefore system equations. Resu'ts are dir. played in "cause tables" that show the contributors in terms of initial alignments, and major groups of cutsets and individual .;utsets, as needed to make appropriate use of the results. The numerical ou put of this analysis becomes the input for the event tree quantification and for the final uncertainty analysis
- Relating System Analyses and Event Trees. Figure 2.3-7 shows the relationship of tne structurin0 ideas that we have been discussing. Thus, at the top (i.e.. the plant level) is the event tree diagram, This level shows which combinations of system failures, together with which initiating events, could result in any given plant state.
At the next level down, the system level, fault trees express the relationship of the system to its components. This level shows which combinations of component failures result in failure of the systems. Below that is the cause level, showing which causes could result in component failure and which combinations of causes could result in those combinations of component failures that cause system failure Particular interest centers at this level on single causes that by themselves could fail more than one component cr more than one system.
- Calculating Scenario Frequencica. Each scenario is then analyzed to detotmine its frequency of occurrence and the magnitude of the consequent damage, as inenured by several damage indices. In calculating these frequencies and damage magnitudes, it is important to explicitly qJantify the uncertainty, as any competent scientist does when presenting results. in the case of risk assessment, it is especially important to quantify uncertainty since we are dealing with rare events and with a skeptical audience of regulators, intervenors, and the general public. Therefore, we incorporate uncertainty into the PRA from the beginning, from eacn piece of input data up to the final results.
The uncertainty in the rlsk comes frorn a lack of prior knowledge about exactly how frequently each scenario will occur and exactly which consequences it will produce. Both of these sources of unce,tainty are carefully tracked throughout a PRA to specify, as accurate;/ as possible, the risk from operating the plant. A general framework for organ! zing a PRA, describing the uncertainties, and presenting the_ results was presented in Section 2.3.3.1. Once the possible scenarios have been qualitatively defined, the next step is to calculate the frequency with which they occur. Each path through an event tree is characterized by the particular entry state and by the failed systems in the path. Thus, for example, in the simphfied plant event tree diagram of Fi0ure 2.3-8, consider the scenario S=l A F C 6 (2.7) This is the scenario consisting of initiating event or entry state I followed by success of systems A and C, and failure of B and D. This scenario is represented by the darkened line in the diagram (the lower branch at each node represents failure of the correspondir.g system). The frequency of this scenario may be written
$(S) = $(I)f(A ll)f(5llA)/(CllAB)/(D llA5C) (2.8) where ,
@(S) = the frequency of scenario S.
2.3-11 2.3 Generar uernoooiogy.
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment
$(I) = the frequency of initiating event 1.
f(All) = the fraction of times system A succeeds given that I has occurred. ) ((EllA) = the fraction of times systern B fails given that I has occurred and A has succeeded, f(CllA5) = the fraction of times C succeeds given that I ha; occurred A has succeeded, and B has failed. ((6llA5C) ' the fraction of times D fails given l , A,".5, and C. The quantitles f(All), etc., are called the " split fractions" at the nodes of the tree. What this i means exactly, for example, is that for an ir. finite population of hypothetical clones of our plant (all run for their full lifetimes), out of all of the scquences that reach node B1, the fraction f(EllA) takes the lower branch at this point. With the split fractions established at each branch point, we may then calculate the frequency of each scenario path as the frequency of the initiating event times the appropriate spilt fraction at each branch on the path; i.e., j
$(S) = @(1) fu, 2f r, - f4 - (2 9) where /.,is the branch chosen by the path at node n.
Now note in Equation (2.9) that if we divide by @(t), we obtain
$(S)
= fu, (2t, - f% ... = f(S) (2.10)
Here, the term on the right-hand side, the product of split fractions along a given path, thus has the interpret,'lon of " conditional frequency" or the split fraction of that path; that is, out of all of the timec :litiating event I occurs in our thought experiment, f(S) is the fraction of times in which scenario S results.
+ Quantifying Uncertainties. The event tree computations outlined above must account for a variety of sources of uncertainty that prevent the -development of highly accurate estimates of accident sequence frequencies. These sources of uncertainty include the lack or sparcity of data from which to quantify the risk model input parameters (i.e., ,
component failure rates, ir;itiating event frequencies, etc.), plant-to-plant variability in the performance of similar equipment at other plants, modelin0 uncertainty, ergipment behavior in harsh environments, uncertainty in classification of common cause event data, and many other sources. The basic approach to quantifying the effects of these uncertainties on the PRA rCsults is to assign proba,bility distributions across the range of possible values for each uncertain parameter. Those assignments are made with the use of data analysis software that uses Bayesian dating tc;5niques for incorporating operating experience from other plants. expert op;r. ion, and plant-specific data. Next, these probability distributions are propagated progressively through the syste ms models and event trees, using a Monte Carlo sampling procedure to develop unt.artainty distributions for the core damage frequency and other risk factors. The overall flow of data associated with this process is illustrated in Figure 2.3-3. This figure shows use of the four principal modules of the RISKMAN software program and identifies where poira estimates and full distribution results are obtained. It is important to note that when the event trees are quantified and linked together in the Event Tree 2.3-12 2 3 cenerai vetnodoiog
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment-Analysis module, only point estimates are obtained because of the large number of l sequences that are included. These point estimates approximate the mean values of the , sequence frequencies because mean values of the split fraction, initiating event, and I human error rato distributions are used from the preceding steps of the uncertainty propaga' ion. Although the systems are quantified using point estDnates for the purpose of reviewing and screening, these estimates frequently underestimate the means of the ! system level uncertainty distributions occause of the use of tha failure rate couphng assumption. Therefore, the event trees are quantified using the means of the system level Monte Carlo results rather than the point estimates. Past experience has shown this to be important for redundant systems. The important sequence model accepts a prioritized set of important sequences for predefmoo groups of accident sequences from the results of the event tree module. These groups include, for example, one for all core damage sequences, one for each plant damage state or plant oamage state group, one for each release category or release category group, one for each initiating event, .ind others for any other groups of interest, j Then, for each group, the equations for each sequence within that Group are used in another Monte Carlo sampling step to propagate the split fraction uncertainties to obtain
- the uncertainties in the overall iesults.
- Decomposing Risks Contributors. Once all of the event trees have been quantified and the logic for linking the event trees has been implemented, a large database of risk information is provided to produce the necessary numerical results and, more importantly, the engineering insights needed to best manage the risk of the plant. When the PRA is extended to Level 2 cr 3, there is a convenient matrix formalism to systematically diagnose the portions of the event sequence model that dominate the results (Reference 2-5). Some basic possibilities are illustrated in Figure 2.3-10. For a Level 1 PR A, a variety of approaches can analyze the results for these important insights. These approaches irvolve the examination of the risk contributors at four distinct levels of detail:
- Accident sequences grouped by some common characteristics such as presence of core damage, particular initiating event or event type, particular plant damage state or plant damage state group, or presence of a particular system top event and/or split fraction. This facilitates the evaluation of the importance of specific plant hardware and operator actions in determining core darnage frequency and other risk factors.
- Individual accident sequences ranked according to core damage frequency or l frequency of any of the above sequence groups.
- ~
- Contributorc to specific system failure modes that are identified with a particular event .
tree top event and split fraction. Contributors can be progressively decomposed into ~ ditforent initial aiignments, groups of numerical cutsets, individual minimal cutsets, and basic events. 4
- When a particular database parameter is identified as importAnt (e.g., beta factor or failure rate), the ultimate contributors to these parameters can be analyzed by determining the particular evidence that was incorporated into the database. In most cases, this evidence includes a listing of the events in the database that were classified in support of parameter estimatiori Application of these aoproaches to risk decomposition is illustrated in Section 3.4.
el 2.3 13- 2.3 cenerai Memoauogy.
l l Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment 2.3.4 Summary A summary of the specific methods -amployed in each major phase of the Beaver Valley Unit 2 PR A is provided in Table 2.3-3. More details are available in t ie appropriate report sections. t O c . O 2.3-14 23 cenerai vetnodoiogy,
- Osav r Vallsy Powsr Stati:n Unit 2 Rsvlaign 0 -
Probtbilistic Risk Assessmsnt . #3 .
- t Table 2.31. Scenario List
' 's_) Scenario Frequency Consequence Si - $i xi Su pa .xs
. . e e e e
=
. e .
Sn pu 4 (
%/
E l 2.3 15 2 3 General Methodol%y.
Cenvtr Volley Powar Station Unit 2 Revislan 0 Probabilistic Risk Assessment Table 2.3 2. Scenario List with Cumulativo Probability Scenario Frequency Consequence Cumulative Frequency f, @i x3 4. = Q, + @, fi, 0, x, @, = G, + @, S. &, x, @,= Q,.,+ o, 1 S._, c. _ , x. _ , Q ,_,= $ + p._, f 0' S. @a x, @u = $a O. 4 e ss 1 9 2.3 16 22 cencrai uamocomoy. I
w .a_ Lw- . + sJ.4 _ _,aR___.A4.a L._ __..%is, 1.JM L3,.;3 4M, _J,J _ ,.;s,a.4 .. 4 J _m a 4 g w 0 m IMAGE EVALUATION I
/[
g /'s.' %
\p \,:[V'[9 ig TEST TARGET (MT-3) 4 /
[' y
,gfkf
'\
>J)f ( 4s f' c28 ^25
[, .t we (t w z sO
. I -= t. h2.2
[; en '
< !L (SR I.I e si ts !
w+a 1.25 1.4 i.6
= __
l m,
- 150mm >
l 6" > A ess ,,* k *,k 4 .s
<>q+i;>,),,rg. v>z,4 -p#1 ,
- m4 ff op/ >
1 g&g L *
- yt , .a
^#
~ /an 4 A fibAWd _
s j
+fph i/ (O ov.w.'
v &Q as ~o ,, SW O t, @ ' O IMAGE EVALUATION /' ,j
';::, 't@g@ TEST TARGET (MT-3) ft #g
'% , ' Af Q 9 Rf(9 & ,
'W 49' 4'7<e&p*
4 f' _ C 5 p 2.2
~ n, aem L h c-4 3
* .= $ x l.1 '
I Ml")ar.8 l.25 i.4 t'i 1.6
=== == llpm 4- 150mm >
d 6" > ik Ar %#p 4.p+, /Ao
<>e;gy , y.
s /4 g iy s o- 6 e. , ,, ,
' y (h fk*
}/ .
r
- p O
N C. fd O LA , ,.
,E 46.4s F!d
" ~ ' ' - " - - - - , - - - - - , . , . _ , _ _ , _ _ _ _ _ _ _ _
h eit 4 O [0
.;> n . e e a
[' IMAGE EV ALU AT',0N A% O y,i,g*,&'4:sk K, 1Es1 1AaeEr <m1 3) m 4 . j g 3 s ;, e ,
. p ,tr
' 9
\ 9 s <
4*9
\-
I.U n.
~ =<
L a
$25 .maa
{ 2] I
,,i ni t.8
!irea 1.25 'i I.4
= -.= I = = =1.6 1ll 4 150mm - >
d 6' - > 4 %p 4(V- g-A A eggy ;g 47 --
+4,a'ggg(x _
c o
%'x _e r.'~gls
.6 v%*v /
+
- a. "t,% l k 'ch 6 A 4, j 4(&
Yw ._
. . . ,,3;a t> w:{ - _
. _ __ : a
yp a Beav;r Vall:y PIwer Stati:n tinit 2 R0visi:n 0 Pr:b:bilistic Risk Assessm:nt-
+
. j' .
J( N = -); Table 2,3 3,- Specific Methods Employed To Accomplish Major PRA Tasks g PRA Task- Specific Methods Employed initiating Event Selection
- Master Logic Diagram Method for Similar Plants'
- Heat Balance Fault Tree Method for Similar Plants'
- FMEA of Major Plant Systems
- Internal Floed Analysis ,
- Compsrison with Previous PRAs and Geno-ic Lists Accident Sequence DefMition
- Systems Dependency Matrix Development )
- Event Sequence Diagram Development
- Support Systems Event Tree Develooment i
- Frontline Systems Event Development
- Plant Damage State Definition and Grouping !
- Recovery Action incorporation l Systems Analysis and
- System Reliability Block Diagram Development
- Gystem Fault Tree Develorment Quant lilcation.
J
- System Quantification Model Development
- Common Cause Failure Analysis
- Database Development
>,
- Systems Quantification Accident Sequence Model *- Event Tree Quantification and Linking 4
f-~g ; Quantification
- Quantification of Operator Actions j !
- Dominant Accident Sequence Model Development
- Uncertainty Quantification and Propagation.
- Sensitivity Analyses -
- Determination of Principal Contributors to Risk e issue Resolution
'These methods were incorporated via lists of initiating events from PR As on other Westinghouse plants including Diablo Canyon, Seabrook Station, South Texas Project, Indian Point Units 2 and 3, and Zion.
1 L E. - 45
~
- lg-y
~ 2.3-17 2 3 cenerai uemoadagy.
i "U 15 O go I su er ,e
~<
=
E_ 9._!.
- D
- l LEVEL 1 LEVEL 2 7$
# :E ACCIDENT SEOtJENCE ACCfDENT SEQUENCE [$ l)
MODEL MODEL g cn j A A EE r V T 35' s A ea i f T T T 3C ' irdTERNAL ' _ DEPENDENCY MATRICES + + 5-INIT!ATORS PJ
, 4 4 SUPPORT 4+ FROffTLPdE RECOVERY 4 [ \
CONTAINVENT a ACCCENT SCENARIOS SYSTEMS SYSTEMS ACTIONS
- EVENT EVENT
? 4 EVENT -e + ACCfDENT FREQUENCtES EVENT PVNT TREE RELEASE RELEASE CHARACTERiSTBCS p TREE TRLES (C) TREE 4 DAMAGE + CATEGORIES \ / $ UNTERNAL *
- cn PLANT -
+ +
FLOODS EVENT SEQUENCE DIAGRAMS + + __ L 2 L 2 \ 1 L 2 y V Y Y INITIATING PLANT RESPONSE CONTAINMENT RESULTS EVENTS SCENAROS RESPONSE SCENAROS 9 w
? Fi,;u re 2.3-1. Definition of Accident Sequences In the BVPRA 8
a Y ? 3 s 8 E o O b s o e 9
~
9 . . _
! ,[ 't II !!
- l:I if- L' '!I I
.sD<t <2".is* T"Ee, mF-s e C 3_ M W# o3 O ,Ocmc~=%~n I:r E >seE=M P*
E A TE f " A AT
" S 1
- L E
D O M E T I S
= s Y t E R n h SO i P AG o EE P LT tA h nC c n
i P f o T p N i E h M )E s N I S n o A AL T EE i t _ N ELD O a O l C (R M e R s
- o i
r E a y T n A e T c S S T = f N o A t- j LP g n i L r E u t D c O u M r T t N S A L . P
\
2 3 2 G e N r I T u g T A I I N i I T E I F J f V I E
]
[ae nM O3gE EO L 23<
B::v:r Vcil y Pcwsr Stcti:n Unit 2 Revision 0 Prob: bili: tic Risk Asssssm:nt
- ST AIRCA$t Ft>m, TON 4
9 g BM30TNED A'SX CURVE D 1 c L. ., b ! I I u, L L i f e ., .,................... Figure 2.3-3. Risk Curve u= . i 2 e E j .. l tava6orcamAct Figure 2.3-4. Risk Curve in Frequency Format Loo . e . .e E I. ... E p .i LEVfL OF DAMAGE _. m l Figure 2.3-5. Risk Curve in Probability of Frequency Format 2.3-20 22 ceneral Metnocology.
Bsav:r Velisy Powsr Station Unit 2 Revision 0 Probabilistic Risk Assessmsnt O INITIATING EVENT I A B C D j N0DE j B - i f(AlIl NODE A fl5llA) NODEC3 IABC5=S 1 f(AlIl
~
SIATCY flS) " ((I)f(A Ili(5$ Alf(ClI Allfl5 I ATC) Figure 2.3-8. Simplified Plant Event Tree Diagram . L-LO l 2.3-23 22 Generai Metnodoivay.
TW
- es Oy 7<
u CD ym E< m of NNT 1 f vf L 2 * * - 3,8 EstwATE PESULTS r03 CON T A8NMCwt Ovre#7 Inst EF 2 x sedT E 8%F ACsNG 4( 3 3 neverw Atro SCatt.M*G
$$iff 8HACTsOM Mot +ts
~T m
M. O LOOA MOOFL NOM $7STEtJ INsTtAtCAS $ l *AF AN VAtt E5 l l MEAM VattsES ! 2 93 ; 4 S Tsu 3 rom
! OfST RIOUTCNS
- k MOOLAE ?- ALL SEOuf MCE S g %
{',' J DAT A "..t i Ar&LY$(S - [ s idYSTrus ^ y'[TtNALYSs3 I MI"* W NS 3O~
~ Ci MODULET, f J O 3 I
% ;[JaOQt;tJg .. ; 3
. E AN WE CytNTingt r %
N*ILI 68"t fi
- RACTON$
g gggy, .9 y 8"eTE AN aL -
~ INe ILA T HQ M'"*"
gyg y g g 5 W FL OOD CVCNT FRCOUCNCY RELIANL1W INITIA TORS I""@I MOUf t S RFCUvF ftf _ MAINT[NANCg MODELS ,g.,3y , ggg UN AVAft/Wt D T V _ gaygg PJ COMW)H C AUSE ' w PAHAME T EH g , NONSY9f EM tmflATomq W EM POD T ANT . g ti.5cg,cri]p : k LEGEno
. CORE MELT FRECLCMCY FICLCASC
- C AT60Cav f "CCt CMC *Cs EPfC8AL MOOE LS
= 1)AMAGE St A f F f 79EOLENCtf i T'. +. i ':. y ..
,, '; l' _ ; R SMuard *.*CDU.E
".f-,'..
u Figure 2.3-9 PDA Qisant f f'ic At t on Flow Chart rnOSAcettiV Os0TruDUT!ONS 10 OU AATif. Y UNCFRT ANTGS - a 8 e._ m c 2 3 w 3 x ~ O
~~
O 9 9
f ~g (T g w O c, I [$ o-I t INITIATING EVENT I hh
- c. =
LEVEL OF DAMAGE TYPE OF RELEASE I TYPE OF PLANT DAMAGE l l no l I (4, }',M) ] y x (tMC. ($S) I (fM.((C) 14MCS) l l i I i PDS CDF I i MIEs e i f* ya CDF j l l P DnC i \ \ I
*m 1
'r j P j : P j E t / P
\
X ll AM f l I 2 A-4 l I A. f l I 11 5 M I i w I FAILURE CAUSES INPUT DATA EVENT SEQUENCE SYSTEM UN AV A.'. ABILITY I I Es i I l SYSTEM B CAUSE l IEl A l B lC l I [B l l I TADLE I I 1. INITIATING EVENTS l n I l - 1 2. COM PON ENT S LOGIC CAUSES 3. M AINTEN ANCE
+ /y L f 8 7
r 7 FREQUENCIES l
- 4. HUMAN ERROR L--
/ l ~
l j EFFECTS l S. COMMON CAUSE L_. N [ ] 6. ENVIRONMENTAL l--
\ ' ! C2 @ 4 n l l T.OTHER I I MAJOR DOMINANT I ' -
l system SEQUENCE l DOMINANT FAILURE I MODES N oac tow +aw, actsase cartcomy
$ kI e cn~u I Ea's a$t a re == ma .m eevem, k 2 Firure 2.3-10. Risk Deecmpositiv (Anatomy of Risk) E a w ,
5 5 l t 3 !
$ l 4
l
.I
1 1 Beaver Valley Power Station Unit 2 Revision 0 l Probabilistic Risk Assessment l l 2.4 INFORMATION ASSEMBLY 2.4.1 Plant Layout and Containment Building Information l Plant layout information is found in the Updated Final Safety Analysis Report (UFSAR), Section 1.2. UFSAR Figures 1.2-1 and 1,2-2 show the site plant and station arrangement, respectively. Information on the containment building is found in the UFSAR and Section 4 of this report. Tables 41 and 4-2 of this report provide an extensive comparrison of Surry Unit 1 and Beaver Valley 2 containment designs. , 2.4.2 Review of Other PRAs and insights The PR A Team has reviewed the Surry PR A in NUREG 1150 (Refarence 2-8) and supporting documents, as the Surry design is very similar to that of Beaver Valley. Other PRAs reviewed by the PR A Team include Zion, Indian Point and Millstone. PLG has also performed about 30 major PRA projects, many of which are Westinghouse PWR plants with large, dry containments, and has reviewed numerous PR As of different scopes. Insights derived from r'eview of these PRAs have been applied to the Beaver Valley Unit 2 PRA. Insights include the use of plant specific failure rate data, methods, the addition of failure modes for various equipment and determination of success citeria. 2.4.3 Plant Documentation l The PRA is based primarily on the plant-specific information that is contained in the l dNuments identified in Table 2.4-1. Exceptions include generic issues such as RCP seal LOCA information and the PLG generic PRA database. Results are based on generic nuclear plant and component data collected and analyzed by PLG in a generic databasc (Reference 2-9) updated with Beaver Valley Umt 2 plant-specific data. Specific references to actual diagrams, calculations, procedures, etc., that have been used are found in the system analysis writeups and design basis documents. The Beaver Valley Configuration Management- Program ensures that the PRA represents the as-built, as-operated plant. Plant modifications and procedure changes were screened for incorporation in the model. Certain members of the PRA Team are also responsible for-10 CFR 50.59 safety evaluations and this keeps them abreast of changes. 2.4.4 Walk-Through Activities The DLC PRA team is located at the plant and is involved with plant walk-throughs and inspecticas almost continuously. The following describes the FRA team walk-throughs on Unit 2, including scope and team makeup: Walk-Through Scope Taam Makeup November 1988 Plant DLC PRA Team Leader (1 day) Familiarization Tour DLC Operator (SRO) O.-- DLC PRA Team Engineer PLG Principalinvestigator PLG Lead System Analyst
, PLG_SyIf10mADalyst 2.4-1 2 4 ema%n AmWy
Bsav:r Vall2y Pow 2r Ststlan Unit 2 Revision 0 Prcbabilistic RI:k Asesesmsnt I Walk Through Scope Team Makeup July 1989 Internal Flood DLC Operator (SRO) (2 days) Ar.alysis DLC PRA Team Leader Walk Through DLC PRA Team Engineer PLG Principal Investigator PLG Flood Task Leader August '.989 Internal Flood DLC PRA Team Leader (% dcy) Analysis PLG Flood Task Leader Follow-up March 1989 Containment DLC PRA Team Leader (% day) Walk-Through DLC PRA Engineer for Unit 2 Back End DLC PRA Engineer Analysis S&W Civil / Structural Engineer S&W Civil / Structural Engineer PLG Level 2 Task Leader September 1989 Containment DLC PRA Team Leader (% day) Walk Through DLC PRA Engineer (Plant Model) for Unit 1 Back-End DLC PR A Engineer (Back-end) Analysis , PLG Independent Reviewer for Level 2 Analysis on Unit 2 O e l 2.4-2 2 4 mformahon AssemNy.
.~ - - .- . . .~ . . . _ - . - - - - .-
82avsr Vcilay Pcwer Station Unit 2 Revision 0 Probsbilistic Risk Assassmsnt Table 2.41. Beaver Valley Unit 2 Specific
-v- Information Sources Final Safety Analysis Report Fire Hazards Analysis Report Design Basis Documents Flow Diagrams Valve Operating Number Diagrams Electric One-Line Diagrarns Logic Diagrams Elementary Diagrams Test-Loop Diagrams Plant Operating Procedures Plant Surveillance Procedures Operating Manual Emergency Operating Procedures Abnormal Operating Procedures Operating Crew Surveys Equipment Qualification Reports Pla~nt Walk-Throughs l
l
- Ov I
I e 2.4-3 2A informatoi Assembly.
- Beavar Vallay Pcwor Station Unit 2 Revision 0 Probabilistic Risk Assessment - p
2.5 REFERENCES
2-1, Americari Nuclear Society and Institute of Electrical and Electronics Engineers, "PRA Procedures Cuide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," sponsored by the U.S. Nuclear Re0ulatory Commission and the Electric Power Research Institute, NUREG/CR 2300, April 1983. 2 2. Pickard, Lowe and Garrick, Inc., " Quality Assurance Program," PLG 0223, March 1985. 2-3. Duquesne Light Company Letter to the U.S. Nuclear Regulatory Commission providing the 60-day Response to Generic Letter 88 20, dated October 30,1989. 2-4. Duquesne Light Company Letter to the U.S, Nuclear Regulatory Commission providing notification of a change in the schedule for submittal of the Unit 1 and Unit 2 Individual Plant Examination reports, dated September 18,1991. I 2-5. Kaplan, S., G. Apostolakis, 8. J Garrick, D. C. Bley, and K. Woodard, " Methodology for Probabilistic Risk Assessment of Nuclear Power Plants," PLG-0209. June 1981, 2-6. Fleming, K. N., A. Mosleh, and A P. Kelley, Jr., "On the Analysis of Dependent Failures in Risk Assessment and Reliability Evaluation " Nuclear Ss/ety,
- September-October 1983.
I-2-7. Mosleh, A., et al., " Procedures for Treating Common Cause Failure in Safety and l Reliabihty Studies," prepared for the U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, Pickard, Lowe and Garrick, Inc., NUREG/CR-4780, EPRi\NP-5613, October 1988. j 2-b. U.S. Nuclear Regulatory Commission, " Severe Accident Risks: An Assessment for E Five U.S. Nuclear Power Plants, Summary Report " second draft for peer review, _ NUREG-1150, June 1989. 2-9. Pickard. Lowe and Garrick, Inc., " Database for Probabilistic Risk Assessment of Light Water Nuclear Power Plants," PLG 0500, Volumes 1 through 4. 1. l
- i l
O 2.5-1 2.5 References
i, D::vsr Vcilsy Powsr Stztlon Unit 2 Revision 0 Prcb:bilistic Risk Assssem2nt
,G 3 FRONT END ANALYSIS V
3.1 ACCIDENT SEQUENCE DELINEATION This section describes the accident sequence rnodels that were developed for the front end analysis. The accident sequence models are used to combine the results of the systems analysis (presented in Section 3.2) in order to perform the front end sequence quant fication, as described in Section 3.3. This section describes the selected initiating event categories, the response of each system needed to mitigate each initiator, and the assignment of end states to each accident sequence. Overview of the Dvver Valley Unit 2 Plant Model The purpose of the plant model is to defino a set of potential accident scenarios that could result in core damage. Accident scenarios are defined by evaluating the plant response to an initiating event. An initiating event is any everit that initiates a plant transient condition or otherwise perturbs the normal operation of the plant, which, together with associated failures k evaluated in the plant model, results in a sequence of events that may mvolve undesirable consequences such as the release of radioact!ve material. " Plant response
- refers to the progression of a wide spectrum of possible event sequences based on the success or failure 4
combinations of certain plant systems / equipment and human operator actions that could either prevent core damage or mitigate the accident consequences should core damage occur. The plant model therefore consists of scenarios that begin with imtiating events and (~N end with either stable plant conditions or states of core damage. " Stable plant condition means that the plant is in either a stable hot shutdown or a cold shutdown condition 24 hours after tne initiating event has occurred with core decay heat being safely rejected or removed. 3 The first objective of plant modeling is to construct a set of accident scenarios that begins ,, with initiatmg events and ends with successful termination or states of core damage categorized into plant damage states (PDS). The second key objective of the plant model is ,,, to quantify the likelihood and associated uncertainties of these accident scenarios. To accomplish these two objectives, it is first necessary to identify a sufficiently complete and well defined set of initiating events to characterize the risk levels for Beaver Valley Unit 2. The identification of initiating events for the plant model is performed using two methods: a review of initiating event lists from other studies. and a failure modes and effects analysis (FMEA) of plant systems and components. Section 3.1.1 describes in detail the process followed in the selection of initiating events for Beaver Valley Unit 2. After the initiating events are determined, the next step is to identify the equipment items or systems that are required to operate and the operator actions that are necessary to successfully mitigate the event, it is essential to have an intimate understanding and detailed analysis of all plant systems and operator actions that influence the unfolding of accident sequences. The model for all possible event sequences after an initiating event is made up of two parts: the support systems model and the frontline systems model. Support systems are those plant systems that do not directly perform the plant-mitigating functions in response to a plant transient. Instead, they provide the necessary motive and control power, cooling water, and actuation signals needed for the frontline systems to perform the plant-mitigating t g functions. An example of such a support system is the electric power system; the auxiliary feedwater system is an example of a frontline system. 3.1 -1 3i ewm smume nenneemn
~~- -- _ _ - . _ - - . - - . .
Boav:r Vellay Pour Station Unit 2 Revision 0 Probabilistic Risk Asssssment At the heart of these models are dependency tables that show how a failure of each support . system (major electric power bus or vital instrument bus) affects equipment in other support f systems, and how a failure of support system equipment affects frontline system trains or i equipment. Information from the dependency tables is used to construct the support system ! model. Section 3.1.5 describes the process throu0h which the support system model is constructed. The intersystem dependency tables are presented in Section 3.2.3. The unfolding of event sequences involving the frontline systems after each initiating event io developed with the aid of event sequence diagrams (ESD). ESDs are logic diagrams that display the analysts' understandirg and assumptions about the physical development of accident scenarios and the key interactions that ensue between system responses and operator actions. The ESDs are coniposed of various event and explanatory blocks, and are useful in describing the various sequences paths in a more general and easily understood manner than with event trees. The ESDs for Beaver Valley Unit 2 are presented in Section 3.1.2. The events in the ESDs are keyed to the steps in the emergency operating procedures to facilitate review and to ensure proper consideration of the specified operator actions. Since they do not easily lend themselves to direct quantification, the ESDs are conv irted into equivalent event tree models for sequence quantification. Because more emphasis '1 placed on the ESDs in the development of the underlying acciJent sequence logic, the ownt trees themselves become less useful for this purpose and more of a computational tool. Sections 3.1.3 and 3.1.4 provide a detailed description of the frontline event sequence models for the initiating events considered in the plant model analysis. A great number of possible scenarios must be specified in the plant model, beginning with an initiating event and ending with a PDS. The PDSs define the categories of core dama0e sequences to be considered in the back-end analysis; e.g., whether, in addition to core l damage, the containment isolates successfully, The PDSs defined for Beaver Valley Umt 2 are summarized in Section 3.1.6. Their development is discussed in Section 4.3. It is important to note that in this study, all active containment systems are included in the plant event trees and in the definition of plant damage states. This ensures proper treatment of mutu I dependencies between core cooling, containment, and their support systems. To quantify the frequency of each accident sequence defined by the plant model, system-specific logic models are developed for each mingating system. The system models development and subsequent system quantifications are presented in Section 3.2. The data used to quantify the system models are presented in Sections 3.3.1 throu0h 3.3.4. The human failure analysis is provided in Section 3.3.3, These systems results are then used to quantify the plant event tree models. The proper assignment of system quantification results to each node in the support and frontline event tree models, as a function of initiating event, is first performed. Once the support system event tree model and the frontline system event tree model for each selected imtiating event have been set up, RISKMAN (Reference 3.1-1) links the two models and performs the necessary calculations to give the frequencies of each complete accident sequence. The assignment of system quantification results to each node in the support and frontline event tree models is presented in Section 3.3.5 and Reference 3.1-2. Operator recovery actions that can be apphed to a specific accident sequence or group of sequences are described in Section 3.3.3 and Reference 3.1-3. Recovery models were constructed based on the results of a preliminary quantification. These recovery models include a new event tree in which recovery actions were explicitly modeled, updating the 3.1-2 31 Accment sequence Denneanon
Bssysr Vollry Power Station Unit 2 Revision 0 Probabilistic Risk Assessmint
; system unavailabilities to incorporate operator actions into recoverin0 a failed system (s), and updating the existing event tree stru;;ture to allow for the modeling of operator recovery actions.
Finally, the results of the sequence quantification activity, including a comparison with the individual plant examination screening criteria, are provided in Section 3,4. Figure 3.1-1 shows the various modules involved in the plant model analysis. Only those accident sequences resulting in core damage are conside"ed in the back-end, or Level 2, analysis. References 3.1 1, Pickard, Lowe and Garrick, Inc., "RISKMAN* PRA Workstation Software, Overview," l Release 2.0, Proprietary, November 1989. l 3.1 -2. Pickard, Lowe and Garrick, Inc., and Stone & Webster Engineering Corporation,
" Beaver Valley Unit 2 Probabilistic Risk Assessment,* prepared for Duquesne Light Company, PLG-0730 Appendix D, Sequence Quantification. December 1989.
3.1-3. Pickard, Lowe and Garrick, Inc., and Stone & Webster Engineering Corporation,
- Beaver Valley Unit 2 Probabilistic Risk Assessment," prepared for Duquesne Light Company, PLG-0730, Appendix B Human Action identifiers, December 1989.
i l \ i 1 e 3.1 -3 31 reciaent sequence Delineauon
B v:r Vdi:y P:wcr St: tion Unit 2 Rsvisi:n 0 Pr:bibill:tle Risk Ass:ssmsnt Figure 3.11, Beaver Vtiley Unit 2 Plant Event Tree Model TRANSIEC/
-+ $LOCA -+ GTm.
#N l
EVENT TREE 1 1 M'0CA
. c 4 '
EVEM TREE 4 LARGE LOCA EVENTTREE f g $g 3 I a t i ALL J S'PPORT EXCES$fvi INiilATW3 --+ SYSTEMS ; i LOCA : EVEm3 EVENT TREE EVEM TREE ( W 3 F.ECSTRY SGTREEOR; MC T 1E DME SGIR EVENT TREE EVENT TRIE 4 L" J g A1WS EVENT y TREE ETERFADNG LOCA SEQUENCE O 3.14 3.1 Accident Sequence Dehneation.
Botver Velisy Pewsr Station Unit 2 Revision 0
'Prebsbilistic Risk Asssssment 3.1.1 Initiating Events
( This section presents the initiating event categories selected for quantification in the Beavet Valley Unit 2 Probabilistic Risk Assessment (PRA) model. The three main objectives to the selection of initiating events are described as follows:
- To provide adequate completeness that all possible events are accounted for. l
- To account for unique plant design and operational features.
- To provide a way to categorize the events in all of the unique ways that the event may impact the rest of the plant.
This process of grouping initiating events by similarity of plant response is common to all PRA models, and helps to limit the number of plant event sequence models to be developed. It is necessary and practical to analyze only those initiating events that make appreciable contributions to risk, Given knowledge of the approximate frequency of the initiating events and the relative impact of these events on plant systems, it is possible and desirable to group and screen initiating events to simplify the qualification of risk, without introducing significant errors in the risk estimate. The list of initiating event categories selected for consideration in the Beaver Valley Umt 2
- PR A is presented in Table 3.1.1 t. Each initiating event category identified in this table should lead to a plant trip; i.e.,' either a reactor trip or turbine u condition. Events that lead only to a requirement for an orderly, controlled shutdown re not considered. This is f
because during a normal, controlled shutdown, the plant is near equilibrium, shutdown proceeds at a controlled rate, and standby systems are started before they are needed. if such systems fail, most of the normal systems are available to maintain operation, the allowed response and recovery times are greater, and, since the reactor is already tripped, the number of safety functions that must be performed to provide sufficient core cooling is reduced. Therefore, normal, controlled shutdown and startup are not considered as initiating events for quantification. Failure of the reactor to trip automatically [i.e., anticipated transient without scram (ATWS)] is considered in the PRA models in the course of developing plant response scenarios. Therefore. ATWS events are not defined as a separate imtiating event category. A separate set of event trees is developed instead for all initiating events that are followed by a failure of reactor trip. Table 3.3.7-1 identifies which initiating events were quantified through the ATWS tevent trees, So-called external events such as internal plant fires, earthquakes, and severe weather conditions are not included in the current list of initiating event categories. With the exception of internal floods, such events need not be analyzed for the initial IPE submittals, although such events are-expected to be required for future IPE submittats and may be needed 13 support the Beaver Valley risk management program. A task to investigate scenarios initiated by imernal floods was performed. The initiating event categories listed in Table 3.1.1-1 are identified using several approaches;
. i.e., a comparison with previous lists, an FMEA of plant systems, a review cf Beaver I
Valley-specific plant trip summaries, and a review of the Updated Final Safety Analysis Report. l 3.15 31 .uent seauence oeia.eation ! t
Baavsr Vallay Power Station Unit 2 Revision 0 Probabilistic Risk Assassment A very effective approach in identifying initiating event categories and in ensuring completeness is to compare similar lists prepared for other Westinghouse reactors Numerous lists are available and were considered during the preparation of the initiating event category list for Beaver Valley Unit 2. In particular, the lists included those prepared for the Diablo Canyon PR A (Reference- 3.1.1-1), the South Texas Project PR A (Reference 3.1,1-2), and the recent core dama0e frequency analysis from internal events performed for l Surry Unit 1; i.e., NUREGICR-4550, Volume 3 (Reference 3.1.1-3). The Diablo Canjon and South Texas Project PRAs are of particular use since they include a formal application of the master logic diagram and heat balance fault tree techniques to search for key initiating events in a further attempt to ensure completeness. In addition, these lists of events were compared against other published sources, including the NUREGICR 3862 report (Reference 3.1.1-4), WASH 1400 (Reference 3.1.1-5), and the mdian Point Probabilistic Safety Study (Reference 3.1.1-6). The initiating event categories selected for Beaver Valley Unit 2 and presented in Table 3.1.1-1 fall into three broad groups: losses of reactor coolant inventory, transients, and common cause initiating events. Internal floods are considered to be a subgroup of common cause initiating events. The list of transient initiating event categories prepared for Beavei Valley Unit 2 closely parallels the lists developed for the South Texas Project and for Diablo Canyon in that the list of event categories is more detailed than the list prepared for the analysis of Surry Unit 1; i.e., the transient categories, with and without main feedwater (MFW) available, have been further subdivided for a more accurate treatment of the plant response to each subcategory, The loss of coolant inventory initiating event categories are the same as those quanti,fied in earlier studies, included in this group are the mterfacing loss of coolant accident (LOCA) events and stecm generator tube rupture (SGTR) events, each of which may lead to release paths that bypass the containment. For the IPE program, therefore, these initiators receive special consideration. J The common cause initiating event group considers support system faults and internal flooding scenarios. Future analyzed events such as earthquakes and internal fires would fit into this category. The support system faults of interest were identified by an FMEA of all key plant support systems. This analysis is documented in Table 3.1,1-2. Heating, ventilating, - and air conditioning (HVAC) systems are given special consideration in bection 3.3.9. T he -- t@ysis makes use of information in the intersystem dependency tables presented in Section 3.2.2. Support system faults are of special interest for PRA quantification because they are very plant specific and because they not only cause a plant trip but also degrade the systems designed to mitigate such events. As such, they have often been found to be important risk contributors. The support system faults that are listed in Table 3.1.1-1 provide a thorough coverage of electrical and other support system faults. The loss of offsite power initiating event is modeled as if power is unavailable from both the 345-kV and 138-kV sources. Losses of sir.gle vital instrument buses have occurred at Beaver Valley in the past. However, since these failures, the Unit 1 system has been redesigned to provide a backup automatic switchover to a redundant power source, and the Unit 2 system was originally designed with this redundant power source. Therefore, these events are included based on historical precedence, but the frequency of such failures has been reduced to reflect the improved system desigr* of Beaver Valley Unit 2. 3.1-6 3.1 ecident smuence Denneanon
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment Another group of initiating events also falls under the generat category of common cause initiating events; i.e., internal floods. A toial of nine internal flood initiators, each with a different frequency and flood damage impact, were selected for quantification, The approach followed to identify and select the internal flood initiators is documented in Section 3.3.8. Although the list of initiating event categorie., for Beaver Valley Unit 2 is more detailed than that developed for Surry in NUREG/CR-4550, two of the thirteen initiating event categories considered in the Sarry analysis were not considered for Beaver Valley Umt 2. Because of the similarity in the nuclear steam supply system and containment design between Surry and Beaver Valley Unit 2, the reasons for these differences are summarized below. Losses of charging pump cooling at Beaver Valley Umt 2 are much lower in frequency than those at Surry because charging pump cooling is supplied to all three charging pumps from both service water headers. No strainers are associated with the charging pump coolers at Beever Valley Unit 2, which might be susceptible to plugging, as at Surry. Instead, the strainers are associated with the service water system itself. Loss of one or both service l water system headers is considered, however, as initiating events for Beaver Valley Unit 2. Finally, an initiating event category for very small loss of coolant accidents (i.e., less thr
%-inch equivalent diameter) was considered for Sorry but not for Beaver Valley Unit 2.
Instead, such events are assumed to be within the makeup capacity of the notow charging system and therefore would not lead to an immediate plant trip. Such events, etich have in 1 fact let; to an automatic plant trip, are conservatively included in the frequency of the isolable or non-isolable small LOCA initiating event categories whose frequencies are computed directly from data. The plant event sequence models that were developed to consider the plant response to each of these initia,mg event categories are presented in the following sections. Table 3.1.1-3 summarizes the mean frequency of events per year for each category. Section - 3.3.5 discusses the quantification of initiating events. Further discussion of the system success criteria for each initiating cvent category is provided in Sections 3.1.2 through 3.1.5, and cspecially in Section 3.3.7. Although the initiating event groups could be further grouped without significant impact on the final results, it was decided to quantify each group listed m Table 3.1.1 1 separately for added clarity. References 3.1.1-1. Pacific Gas and Electric Company, " Documentation of Long-Term Seismic Program Probabilistic Risk Assessment," DCL-88-260, October 28,1988. 3.1.1-2. Pickard, Lowe and Garrick. inc.. 'Sout h Texas Project Probabilistic Safety Assessment, Summary Report," prepared for Houston Lighting & Power Company, PLG-0700, Volume 1, April 1989. 3.1.1-3. Bertucio, Robert C., et al., " Analysis of Core Damage Frequency from Interr .t Events: Surry, Unit 1,* prepared for U.S. Nucler Regulatory Commission, NUREG/C44550, Volume 3, November 1986. 3.1.1-4. EG&G Idaho, Inc., " Development of Transient initiatirg Event Frequencies for Use in Probabilistic Risk Assessments," prepared for U.S. Nuclear Regutatory Commission. EG&G-D23, NUREGICR-3862, May 1985. 3.1 -7 31 Amnt sequance t*neson
Barv:r Vall2y Pcwcr Ststlen Unit 2 Revision 0 Prob:bilirtic Risk Assessmsnt 3.1.1 5. U.S. Nuclear Regulatory Commission, " Reactor Safety Study: An Assessment of g Accident Risks in U.S. Nuclear Power Plants.* WASH-1400, NUREG 75/014,1975. W i 3.1.1 -6. Pickard, Lowe and Garrick, Inc., Westinghouse Electric Corporation, and Fauske & l Associates, Inc., " Indian Point Probabilictic Safety Study ~ prepared for the Power Authority of the State of New York and Consolidated Edison Company of New York, Inc., March 1982. O O 3.1 -8 3* Accident Sequence Dehneation
(
- e m tn Table 3.1.1-1. List of in!tlating Event C4ecries Selec'ed for Beaver Valley Unit 2 hE Group initiating Event Categories Code U$
s! < Designator ng Loss of Caolant 1. Excessive LOCA (reactor vessel failure, not cootable by ECCS)
'WW ELOCA p inventory 2. Large LOCA (> 6-inch dia.neter up to design bases) 3.
LLOCA $8 ; 4. Medium LOCA (2 to 6-inch diameter) MLOCA >$ Small LOCA. Nonisolable (% to 2-inch diameter) SLOCN
- 5. Sma!! LOCA, Isolable (PORV train leakage) (% to 2-inch diameter) SLOCl
{d'
=g
- 6. Interfacing Systems LOCA VSX 3$
- 7. Steam Generator Tube Rupture SGTR .!
Transients 8. Reactor Trip (( RT a
- 9. Turbine Trip TT l
[
- 10. Loss of Condenser Vacuum LCV
- 11. Closure of All Main Steam isolation Valves (MSIV) AMSIV
- 12. Steam Line Break Upstream of MSIVs
, a. Steam Line Break in One Steam Generator SLB1 y b. Main Stearn Relief or Safety Valve Opening MSV
- c. Steam Line Break in Common Residual Heat Removal System (RHS) SLBC Valve Line
- 13. Steam Line Break Downstream of MSIVs tBD
- 14. Inadvertent Safety injettion ISI
- 15. Miscellaneous Transients
- a. Total Main Feedwater Loss or Condensate (includes TLMFW '
feedwater line break of condensate failure) [
$ b. Partial Main Feedwater Loss (one loop) PLMFW I
- c. Excessive Feedwater EXFW ,
$ d. Closure of One Main Steam isolation Valve IMSiv j j e. Core Power Excursion CREXC
{ f. Totat less of Primary Flow tone _or more lognsi l LQPF I a fa 4, x + iE iE o 4 1 g a > c
m ur Table 3.1.1-1. List of Initiating Event Categories Selected for Beaver Valley Unit 2 hE Code 5 Group initiating Event Categories E< Designator gm ir iir Common Cause 2< - initiating Events [? Support System 16. Loss of Offsite Power LOSP 3$ Faults 17. Loss of One 125V DC Emergency Bus a.125V DC Bus 2-1. Orange DOX je ;ist b.125V DC Bus 2-2. Purple DPX 3@ "#
- 18. Loss of Service Water and Standby Service Water 8 c
- a. Loss of Service Water Head:er A WAX p.
- b. Loss of Service Water Header B WXB [
- c. Loss of Both Service Water Headers WBX
- 19. Total Loss of Primary Component Cooling Water CXI
- 20. Loss of One Vital Instrument Bus e, a. Loss of Red Vital Bus . IRX
[ b. Loss of White Vital Bus IW.X o c. Loss of Blue Vital Bus IBX
- d. Loss of Yellow Vital Bus lYX
- 21. Loss of One 4.16-kV Emergency Bus
- a. Loss of 4.16-kV Bus 2AF. Orange AOX
- b. Loss of 4.16-kV Bus 2DF Purpte BPX
- 22. Total Loss of Emergency Switchgear Ventilation BVX
- 23. Loss of Non-Emergency Bus 2A LB2A
$ External Events 24. Internal Flood Scenario Location / Flood Source
- a. Intake Structure / Service Water or Fire Water ISFL
$ S. SWS Valve Pit / Service Water VPFL y c. Turbine Building / Circulating Water TBFL 3 d. Auxiliary Building / Service Water (< 30 minutes) ABFL1 $ e. Auxiliary Building / Service Water (> 30 minutes) ABFL2
- f. Cabte Vault / Service Water or Fire Water CVFL l g. South Safeguards Area /RWST (< 20 minutes) SGFL1 9 3
? h. South and North Safeguards Areas /RWST (> 20 minutes) SGFL2 E
- i. Conit0LSulldiDg_ Elevation 707'/ service _ Water or Fire Water CEEL E h
P o t O O O
Table 3.1.12. Failure Modes and Effects Analysis of Beaver Valley Unit 2 Key Systems gg t3 < impact on Safety Syste s) or SystemISubsystem C d hw 4 Designator ga h'~ 5' Offsite Grid ga:: 345-kV Line Turbine Trip 9/TT Results in generator trip but equipment listed is -T Reactor Trip repowered when fast transfer to 136-kV line is .ry completed gg 138-kV Line None - Does not cause a plant trip. g, Both 345 and 133-kV RCPs 16/LOSP Results in plant trip Equipment listed is e, g Lines MFW unavailable. Equipment normally operating and y{-- Condensate powered from emergency buses must restart. r, s Secondary Component Cooling Water ". C3
~
Non-Emergency AC Subset of Equipment impacted by Loss of Both 16/LOSP Loss of these electric power subsystems is PJ Unit Station Service Trar.sformers 345-kV and 138-kV Lines bourided by the loss of offsite power event for frgu cy f occurrence and impact. ! 416-kV Buses 2A,20, 2C, or 20 w 450V Buses 2A,28, 23/LB2A The only exception is that for bus 2A, which has
? 2C. 2D, 2E,2F. 2G, or already occurred once, 2 2H ;
Emergency AC 416-kV Bus 2AF (O) Numerous Systems, including HHSI, LHSI, CCP, 21a AOX Loss of a single bus may require the opposite
' ' ' "' '^ ' "'" ** *"I #* "I* * * *'9*
416-kV Bus 2DF (P) CCP, charging. Loss of a singte bus does le.ed to loss of one service water header, which leads to 4SOV Bus 2N (0)
* * * * '"E~
480V Bus 2P tP) y 125V DC Emergency
- ' Bus 2-1, Orange CC Cortrol Power to Orange Loads 17alDOX MStV Closure PORVs 4550 and 456 R MStVs 3 Letdown $ Bus 2 2, Purple DC Control Power to Purple Loads 17b/DPX MStVs, and feedwater control and bypass vatves y MStVs close. @ PORV 455C j um I kY Letdown [
1 s g 5' a g' O l
T tp Table 3.1.1-2. Failure Modes and Effects Analysis of Beaver Valley Unit 2 Key Systems 3g tr < impact on Safety S stem ( ) or System / Subsystem C te cry / Cod Comment Dea 81nator E t_s 120V Vital AC Bus If a Red SSPS Train A 20a/tRX Plant trip caused by loss of CCS. h <o . Charging and VCT Makeup ry CCP >a SwS ll ' CCS
- Atmospheric Dump Valves Condenser Dump Valves
}E-as Letdown F. c White Pressorizer Heaters SSPS Train B 20b/tWX Loss of this bus is similar to that of red y
Charging CCP SWS CCS p Condenser Dump Valves
? Letdown $ Pressurizer Heaters Blue PORVs 455D and 456 20citBX Plant trip caused by excessive MFW when control MFW valves fail onen.
Condenser Dump Valves Letdown Pressurizer Heaters l RHS Yellow PORV 455C 20d!!YX Loss of this bus is simetar to that of blue. t , MFW Letdown RHS R Condenser Dump Valves i 3 Pressurerer Heaters I i SSPS HHSI 14/ISt Spurious signal of most interest causes an y LHSI inadvertent safety injection. Spurious actuation of i
@ OSS individual systems also possible.
l3 Reactor Trip jS Turbine Trip [ l [ Containment Isolation 1 o T
@ O
- - 2 O
l l
- 9 9 9
f% y ' U . V (v - Table 3.1.1-2. Failure Modes and Effects Analysis of Beaver Valley Unit 2 Key Systems 3g tr < System /Sub system impact on Safety System (s) or ", ",' Designator 9, m_ RSS- N/A Loss of one trair* will lead to orderly plan. AFW shutdown, as required by technical specifications. 12 And Many Others rj Instrument Air MFW 15a'TLM 8W MStVs, MFW control, and condenser cump valves >e MStVs Condenser Dump Valves , all fait closed Loss of backup to containment instrument a.r. Event impact similar to toss of Eh Eg
' Containment Isolation main feedwater and of lower frequency. y '*g . ,
Containment CCP N/A CCP isolation valves for RCP thermal barrier o ::: Instrument Air Containment isolation cooling fait closed RCP seal injaction still ?. c Pressurizer Spray available. RCP motor coofing remains available ' {- Does not cause a plant trip. y Service Water One Header CCS 18a rb/ WAX, Low pressure on either header causas isolation of CCP WXB service water to CCS. resulting in eventual loss of Diesel Genera
- ors MFW. Only the 9 he: der es used as a backup
. AFW supply of water for AFW. r L bHSf W RSS Both Headers Same as Above 18ciWEX Same as above. Loss of both is fess frequent but affects both traens of supported systems.
Primary Component CCPs 19/CXI RCPs are tripped to prevent overheating RCP Cooling Water Containment instrument Adr seat injection is required to protect the seats. RHS Loss of CCP flow to one header conservatively . modeled as foss of flow to both. [ Reactor Trip Turbene Trip BIRT Spurious opermng wit' result in a reactor trip. I y Breakers MFW [ ERF ibtack) Diesel - N'A Only impacts supported systems if there is a i 3 Generator concurrent toss of offsite trawer_ , 8 a E 1,2 i 2 :22 2_ E I l O i
T ED Table 3.1.12. Falture Modes and Effects Analysis of Beaver Valley Un:t 2 Key Systems 3g c' <
" " ' "I Impact on Safety System (s) or $-
SystemISubsystem Designator E_ .E, Secondary MFW 15a/TLMFW MFW and instrument air both fail. Event impact Component Cooling . Instrument Air similar to loss of main feedwater and of 'ower yT Water Condensate frequency. Wj Normal DC supply CCS 8/RT Systems supported only require DC control power go (buses 2-5. 2-6) RCPs to start. Since they are already running. loss of gg MFW cne or both DC buses does not cause a plant trip. vi Pressurizer Spray f2-5) Pressurizer spray matfunctions are included tr. the }g{- reactor trip category. os Reactor Coolant 1Cs Pumps . Loss of All RCPs Pressurizer Spray 15f/LOPF Low RCS flow reactor trip signal. Normal M pressurizer spray unavailable. Trip of one RCP - 8/RT Causes a plant trip a low RCS flow if power level
> 30% Prest,urizer spray sell available.
Pressurizer PORVs - 5/SLOCl Spurious opening or leakage is an isolable $ SLOCA i Main Feedwater - 15arTLMFW Total loss of feedwater results in reactor trip from zm low-low steam generator level 15b/PLMFW Partial loss of MFW resuits in reactor trip from low-low steam generator level or high pressurizer pressur e. 15c/EXFW Excessive MFW results in reactor trip from high neutron flux. overtemperature 6T. or overpower AT. Eventual MFW pump trip assumed on b-he steam generator level. sj Condensate MFW 15a/TLMFW Loss of condensate leads to loss of main Circulating Water MFW 10/LCV feedwater. 3 Loss of condenser leads to loss of main U feedsater. 9 2 I i,' S 2 e i w~ 3 R o o
? O 9 9 9
fv f v mm Table 3.1.12. Failure Mr. des and Effects Analysis of Beaver Valley Unit 2 Key Systems 3g tr < initiating Event m tr ,o - i impact on Safety System (s) or System / Subsystem
- 9 # ****"I
=<
Mey Plant Equipment Des?'I igns1or m __ e_s Turbine - 9/TT Spurious action causes plant tr*p. ' 13ISLGD Opening of turbine control / bypass vatves looks .y m similar to a steam line break downstream of r 3>jo MSIVs. Main Steam Isolation One MSiV closes: single MSIV dosure causes Ed 15d'1MSIV Vaives reactor trip and a safety injection signal. Eg
- 11b'.MSIV - All MSIVs close: closure of all MSIVs results in " 2.
turbine and reactor trip. 3o os
- 12afSLB1 Sterm ime break upstream of MSIVs both a AC 3 reactor trip and a safety injection signal on low g ;
steam line pres >ure, low pressurizer pressure, or y high-1 containment pressure would occur. MSfV j closure does not isolate break. Mam Steam Safety - 12beMSV Main steam safety va!ve opening similar to Valves upstream steam line break except no Ngh-1 y cc9tainment pressure signal, some potential for
? isolating the opening $ Steam Generator --
12b/MSV Spurious opening similar *a upstream steam line Atmospheric Stearn break except no hi-containment pressure signal; + Dumps possible isolation of the ' reak o Condanser Dump - 13/SLBD Spurious opening: similar to steam line break Valven, downstream of MSIVs. Residual Heat - 12c/SLBC Spurious opening or break in common steam line Release Valve outside containment: small steam line break, which depressurizes all three steam penerators.
, Pressurizer Spraf -
8/RT Spurious opening or dosing excessive or
- Valves insufficient spray may lead to reactor trip on low or high pressurizer pressure. l R Auntiary Feedwater -
N/A inadvertent startuo discussed with SSPS , O S a E e s 8 x E s tu 8 3 O
7 tD Table 3.1.12. Failure Modes and Effects Analysis of Beavw Valley Unit 2 Key Systems 3g q:r < Initiating Event se o Impact on Safety System (s) or System / Subsystem Key Plant Equipment g <, Designator __ E_ High H 4 Sa # sty - N/A inadvertent safety injection discussed with SSPS Injectiort ,-- t Low Head Safety - N!A i Potential fer rNsing plant tro not idant,fied Yy injection >e Ouencn Spray - I 8/RT Spraysng down of contaenment espectes to result in reactor tng by operators, or electncal
*h eg N/A equaprwnt failures _
Potential for causmg piant try not identified.
}g Recirculation Spray -
oa Residual Heat - N'A Potantial for causing plant trip not Mattfrad. EC Removal 3_ Containment isolation - NJA Pntential for causing plant trip e et identified y Spuncus actuation is covered by SSr*S and the systems that penetrate the contamt High Head Sa - UA Spurious operahon considarad with SSPS Loss injectron/ Char e of chargeg flow would resuit in lev.,own isotation 9 on low presswizer level. ? Letdown - 1 47151 Break in letdown tine outside cor.tainn=nt: $ letdown isolates en safety W:e ?@at caused by low pressurizer presswe. Thar;-fore, net result is a sa'ety 6.iect:en M 2#ron without a LM_ A u a e S a vs 3 s2 a 1 O =- o 3 o O O O
B::v;r Vall:y Power St:ll:n Unit 2 Revision 0 Preb:bilistic Risk Ass:ssm:nt Table 3.1.13. Initiating Event Category Frequencies initiating Event Code frequency (events per Designator reactor year)
- 1. ELOCA 4007
- 2. LLOCA 2034
- 3. MLOCA 405-4 4 SLOCN $55-3 5, S .OCl 1.82 2
- 6. VSX 3.78-8
- 7. SGTR 2.0S 2 8 RT i,14 9 TT 8831 10 LCV 1,01 1
- 11. AMilV 1.83 2 124- SLB1 4044 12b. MSV 3 Bi ?
12c. SLBC 1.48 3 13 SLBD 4 26-3 14 ISI 2.22 2 15a TLMFW i 20 1 15b, PLMFW 5531 15c. EXFW 2411 15d IMSIV 0062 f 15e. CPEXC 2392
\ 15f LPRF G 52 2 16, LOSP 5212 17a DOX 1482 <
17b. DPX 1482 18a. WAX 7833 18b, WXB 7.83 3 18c. WBX 3976 a
- 19. CX1 5963 20a. IRX 3073 20b. lWX 3.07 3 20c. IBX 3 07-3 20d. lYX 3073 21a. AOX 106-2 21b. BPX 1.60 2 I
- 22. BVX 2.11 5 23- LB2A 1.14-1 24 ISFL 1.20-3 24b. VPFL 1.40 3 24c, TBFL 7.70 3 24d. ABFL1 1.40-3 24e. ABFL2 4.5-0 241 CVFL 100-4 24g. SGFL1 74-4 24h. SGFL2 5255
_24LfDEL O 3.00-4 3.1 17 3.1 Acadent Sequence Dehneation b.m i
Daevsr Vclisy Powar Station Unit 2 Revision 0 Prob:bilistic Risk Asssssment 3.1.2 Event Sequence Diagrams and Success Criteria ESDs are used to document the possible scenarios and courses of action that can be taken by the operators alter a specified initiating event has occurred. Such actions include the l plant hardware responso and the steps taken by the operators. The ESDs document the PR A team's understanding of how the plant functions and how it is operated. Analysis of ESDs is the first step towards the development of event trees that will subsequently be used to ] quantify the frequency of all rnodeled accident uequences. Although ESDs are easily I understood and are useful tools for documenting required plant system and operator actions after an initiating event has occurred, they do not lend themselves directly to accident sequence quantification. A nececsary next step therefore is to convert the ESD mio an event tree for the purpose of quantification of event or accident sequences. The event tree I represents the transformation of the quelitailve details contained in the ESD into a functional logic framework for quantihcation. Specific actions identif ed in the ESD arc nrouped into top events for the corresponding event tree. For each top event, the system boundary, boundary coniitions, and success criteria are defined for the syr:9m or operator actions associated with 'he top event. The event trees are described in Sections 3.1.3 through 33 6. 3.1.2.1 ESD Symbology The symbols used in constructin0 ESD3 are shown in Figure 3.1.2-1. The initiating event is idenhfied by a Naving flag" block. This first event is drawn in the upper left hand corner of the diagrarn. Subsequent operator actions and system responses to he initiator are then presented throughout the remainder of the figure. ihe normal, or expected, sequence of events is drawn straight down the figure, beginning with the initiator. These events are l arranged, for the most part, in chronologi:al order. This is not always strictly adhered to because sometimes it is easier to follow events if related actions, dependent on each other, are grouped together even though they may not be closely related in .ime. Events whose occurrence or nonoccurrence influences the course of a scenario are represented by rectangles. Successful occurrence of the event described within the rectangle is lepresented by the arrow exiting the base of the rectangte; failure of the described event is represented by the arrow exiting the right side of the rectangle. These events are the only symbols in the ESDs having two exit paths. The path sequences leading into the events are shown by arrows entering from the left or from the top of the rectangle. These events are sometimes asked in multiple places in the ESD, even though they are along a single sequence path. This is because, like the emergency operating procedures (EOP). not all paths up to a specific point in the ESD are unique. While it may have been asked already along one path, it may not have been asked along another path to that point. The oval symbol is used as a place for describing the status of key plant parameters or the phenomena that would likely occur as a result of an accident sequence described by the events up to that point in the ESD. Since the symbot is only a descriptivo block, only one exit path is allowed. The exit path may be drawn from the bottom or the right side of the ovat. The position of this exit path does not signify anything special, but is merely to tacilitate the linking of the events. Several entry paths are permitted, however. The entry paths may enter from any direction. E' ents representing an entire sequence may result in either successful mitigation of the O initating event or in core damage. Success or stable end states are syrnbolized by parallelogram-shaped figures. Sequences resultin0 in core dan, age are shown ending in 3.1 18 31 ute.t seunce Demm ~
t Bssysr Vall2y Power Station Unit 2 Revision 0 Probabilistic Risk Assesement diamond shaped symbols. Descriptive information within the diamond shape details containment system conditions that help to define the resulting plant darna0e state. There are no exit paths from such syrnbcis. Two additional symbols are used to represent transfers to other places in the ESD logic that cannot be conveniently connected by continuous solid lines. The triangle transfer syrnbols connect two locations in the same ESD. These transfers are numbered to permit ease of identification. The large arrowhead symbol transfers the reader to a completely different ESD. The specific ESD transferred to is identified within the symbol. The arrowhead syrnbol is very sparingly used. Some paths through the ESD are judged to have so small a hkelihood of occurrence that no further modeling is performed. These paths may terminate in elor, gated hexagons that explicitly say, "Not developed further
- The preceding stochastic event is then assumed to always result in the alternative outcome, which is developed furth'.er.
Throu0hout the ESD, reference is made to numbered steps in the Beaver Valley Unit 2 EOPs, These references indicate the places in the EOPs where the operators wou!d be if the accident sequence had progressed to that point. The particular referenced step corresponds to the point in the procedures that instructs the operators to carry out or to verify the actions represented by the nearby event. 3.1.2.2 Beaver Valley Unit 2 Event Sequence Diagram Table 3.1.21 identifies the emergency procedures modeled explicitly in the detailed ESD. These procedures cover the plant response to all transient events, such as reactor trips, turbine trips, losses of MFW, etc., and for a full spectrum of LOCA sites. The detailed ESD developed for Beaver Valley Unit 2 applies to all initiating events and is presented in Figure 3.1.22. ATWS conditions (EOP FR S.1) and SGTR events (EOP E-3) are transferred from Figure 3.1.2 2 to other ESDs. The SGTR ESD is presented in Figuro 3.1.2 3. Tf e ATWS ESD is presented in Fio':ro 3.1.2-4. Pressurized thermal shock (PTS) conditions (EOPs FR P.1 and FR-P.2) are not considered. Beaver Valley Unit 2 meets the U.S. Nuclear Regulatory Commission (NRC) criteria for the reference temperature for PTS; i.e., 270*F for longitudinal welds, plates, and forgings and 300'F fdr circumferential welds. For Beaver Valley Umt 2. the end of life values are all less than 160*F at end of life (Reference 3.1.2-1). This realistically implies a bl0 h degree of margin against such potential challenges to the reactor vessel. PTS considerations are not expected ' to be evaluated as part of the individual plant evaluation requirements. They have not been found to be important when realistically evaluated in other PRAs, and are therefore not included in the ESD or in the associated event trees, if, on the other hand, conservative values for the conditional vessel failure probabilities under PTS conditions (e.g., Reference 31.2-2) are used, we would expect that PTS would be a small but nonne 0ligible contribution to the core damage frequency. It is difficult to refine the conservative estimates of reactor vessel failure probabilities, by accounting for vessel surveillance and initial crack size and frequency. It was judged that the effort to do so would better be spent in other areas. Therefore, PTS concerns are not considered further. O The purpose of these ESDs is to cocument in a tairly detailed way the possible plant response and the procedural guidance provided to the operators for a wide range of events. The intention is to identify plant conditions that may lead to core damage and to relate such l 3.1 19 3i Accident Sequme Detneecin
Beev:r Vcil2y Power Station Unit 2 Revision 0 Probsbilistic Risk Assessment conditions to the place where the operators may be in the procedures up to core damage so that the operator actions are properly accounted for, Once the core damage conditions are identified, the events that may affect the subsequent response of the containment and amount of radioactive release from the containment (e.g., containment isolation, heat removal, spray status) are questioned. The detailed ESD is said to be fairly detailed in that it portrays more events than are actually in .luded in the fmal event sequence models (i.e., event trees) used in the quantLcation of the core damage frequency. This is true even though the diagrams represent a substantial simplification of the complete EOPs. The specific events portrayed in the event tree models are indicated on the ESDs as dashes surrounding one or more events. The Beaver Valley Unit 2 ESD consists of several sheets, each indicated by transfers from the first or subsequent sheets. 3.1.2.2.1 General Transient /LOCAs ESD, The logical structure of the Beaver Valley Unit 2 ESD is developed so that it can be specialized for plant response to rnany initiating events. It includes various success paths that satisfy the major core protection functions; i.e., core reactivity control, coolant inventory control, and core heat removal. The model also includes important features that can affect p! ant and containment response if core dama0e occurs; i.e., core debris cooling, containment heat removat, containment pressure control, fission product removal, and containment lwlation. The specific plant response to each init'ating event is modeled by adjustin0 the general event sequence framework to account for the unique impact of the event on each system, operator action, and furction. Thus, the ESD can be viewed as the parent for the large family of detailed plant response event trees that are used for each specialized initiating event model. Individual sequences can also be traced from beginnin0 to end through the event requence ' d!agrams. Selected sequences are now described with reference to the ESDs. This should provide the reader with a General feel for the response of Beaver Valley plaru systems to dilferent plant trips, and especially for the role of the operators following a riant trip. After the sequences are described, some additional explanation for each part of the ESDs is presented. The f;rst sequence discussed is that of a station blackout. The sequence bo0 ins with a loss of offsee power. The loss of offsite power causes the control rods te fall. This is interpreted as a successful automatic reactor trip; i.e., see Part 1 of Figure 3.1.2-2. While the conditions for a turbine trip will certainly be present, the actual turbine trip may or rnay not occur. For the sequence being discussed, turbine trip is assumed to be successful. The reader should therefore follow down through the " automatic turbine trip" box, which is the success path. Early in Emergency Procedure E 0, the operators are asked to verify that at least one of the two 4.16-kV emergency buses is energized. For the station blackout sequence, all emergency AC power is lost. The ESD indicates that the reader should proceed to transfer 12 on Part 13 of the figure. The operators then follow the loss of all AC power procedure; i.e., ECA-0.0. Early in this procedure, the operators are instructed to verify that certain piping lines are isatated and, if not, to isolate them. The pressurizer power-orerated relief valves (PORV) may have been challenged to relieve pressure earlier in the srquence and then failed to reclose, if so, it is at this point that the operators are directed to check the pressurizer to try and prevent a LOCA in addition to the station blackout. A so, the operators are to verif* that the reactor , coolant pump (RCP) seal return is isolated .ind, if not, to locally isolate it. Failure to isolate 3.1 20 31 eocent smume teneancen.
Deever Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment
- !tus 'h would result in a failure of contamment isolation, The procedures then direct the J
g'eqQJ om 1 to verify that the turbme-driven auxiliary feedwater (AFW) pump is operatmg, and if
;e.4 a start it. For this sequence, it is assumed that the ArW pump functions as expected, pro"iding t.econdary heat removal. ECA-0.0 then directs the operators to try anJ restore
[ electric power to at least one of the 4.14kV emergency buses. For the extended t-tation i blackout sequence bein0 described, ottsite power recovery is assumed to be urisuccest.ful, The operators continue trying to start one of the diesel generators. Later, the operators place selected pumps into the pull-to-lock position. This prevents the pumps from inadvertently starting, should power be restored from offsito. This action is not included in the model but is noted in the diagram for completeness. Putting the pumps in pull to lock may be of interest later when accident management is considered; i.e., because the quench spray pumps would not auto start when power is eventueny rdored. Thr mi poup i of events is concerned with estabhshing containrncnt air. The ERF diesel generator is required smce offste power is unavaifable, For this sequence, the ERF diesel is assumed to operate successfully so that containment air is restored. The ESD then asks the operators to check for a steam generator tube rupture. This is not the case for the stahon blackout sequence, so ) that secondary radiation is normal, and all three steam generators are available for heat removal. The opera.oss must take manual control of AFW to ensure adequate steam i generator level. If all vital instrument power is lost, this achon in assunmd to eventually fail, resulting in a loss of all secondary heat removal. If AFW ls milially available, the ESD then questicas whether DC bus loads are shed. This action is not modeled in the event trees because the individual loads are all small, and the procedural go;datae m not specific as to which loads to shed. Therefore, the batteries are assumed to only last for as long as their initial charge will hold. ECA 0,0 then directs the operators to locally depressurtie the steam generators. Successful depressurization limits the challenge to the RCP seals, extending the time of seal damage. As a result of the depressuritation, the accumulators may mject, and a safety injection may occur. These events are indicated in the E3D. For the staticm blackout being described, it is assumed that the steam generators are depressurited, thereby extending the tirno for electric power recovery. Verification of containment isolation is then asked. Recovery of electric power remains unsuccessful, however, resultmg in an RCP seal LOCA and eventual core melt. With AFW initially available, there is a race as to whether core melt results trom the RCP coal LOCA, or from a loss of secondary heat removal caused by a loss of level control as the batteries supplying vital instrumentation discharge. Once it is > concluded that the sequence resuhs in core melt, the ESD then transiers the reader to Part 14 of Figure 3.1.2-2. The first event on Part 14 questions whether the operators open the pressuriier PORVs to reduce RCS pressure. Since the inadequate core cooling procedure is not entered from ECA 0.0, this event lads. The ESD then questions whether the refueling water storage tank (RVVST) is available. For the sequence of interest, the RWST is available but is not injected prior to or after melt due to the unavailabihty of electric power. Smco recirculation spray requires that the successful injection of the RWST inventory and power is not available, all containment spray also fails. The fmal event in the ESD for ttns sequence is that of containment isolation. Since the operators remain in ECA-0.0 for this sequence, no additional e chances to isolate containment are provided. Recall that the operators were instructed to verify or manually isolate containment back in Part 13 of figure 31.2-2. The plant damage
. states indicated in part 14 of the ESD correspond to those initially used in Reference 31.2 4.
This sequence is assigned to plant damage state NNN 1, as dehned in Part 14 of Figure 3.1.2-2. 3.1 21 31 tuent sm-o rewan
Bnv3r Vcll;y Power Station Unit 2 Revision 0 Prob bilistic Risk Assessmsnt The nest sequence traced tnrough the ESD is that of a small LOCA with failure of all g recirculation from the containment sump. The sequence bcpins on Part 1 of the ESD with a W successful automa',lc reactor trip.- Automatic turbine trip is also assumed to be successful. Power is available to both 4.16-kV emer0ency buses. The operators are then asked to verify that safety injectMn is not activated and is not required, for the small LOCA sequence, it is assur',ed that prer,suriter pressure drops below 1,845 psig and a safety injection si0nal is gerwtod by SSPS. Pressurizer level falls, and subcoolin0 degraden The ESD then transfers the reader to transfer 4 on Part 5 of the general transient ESD. With safety injection actuated, the feedwater isolation condition % outh the main feedwater pumps and the startup pump. The ESD then sks about the availabihty of steam relief for secondary heat removal. Decause of the substantial redundancy provided in the design, loss of all steam dump is not modeled, except to determine whether steam generator depressurization is possible. The availabihty of AFW is then questioned. Long-term makeup to the primary domineralized water storago tank (PDWST) is also questioned, and both are assumed to be successful. The operator then verifies that high head safety injection (HHSI) and low head safety ir.jection (LHSI) operate sus /cssfully. Service water and primary component cooling water function normally. The MSlVs are assumed to close on high containment pressure. As the LOCA contmues, a CIB condition is reached. Quench spray and recirculation spray pumps operate normally. Main feedwater isolates successfully due to the safety injection signal. The pressurizer PORVs are not challenged by the initiating event. The RCPs are successfully tripped by the operators due to the phase B containment isolation CIB signal, which stops primary component cooling water. Containment air is then restored following the CID signal. The ESD continues on Pari 6. For the small LOC A sequence being discussed, the steam generators are not faulted, secondary radiation and steam generator levels are normal, but containment conditions are not normal. These conditions lead to the recogmtion that a LOCA or secondary break inside containment has occurred. The ESD then transfers to 7 on Part 8 of the General transient ESD. The safety injection termination criteria are not satisfied, indicating that the event cause is a LOCA rather than a secondary break. The LOCA is small so that the added questions about accumulators and LHSI, which are important for larger LOCAs, are not asked. The HHSI pumps operate to provide inventory conirol. Containment pressure rises until the CIS setpoint, at which time the quench spray system (QSS) pumps are actuated automatically. The operators are instructed to reset the CID si0nal and stop the quench spray systems (OSS) pumps once . containment pressure falls below 13.7 psia. The flow from HHSI stabilizes RCS pressure so that safety injection is then reset and the LHS1 pumps are also stopped. Emergency power to the recirculation spray system (RSS) pumps is then verified to be available. Auxiliary q, building radiation is normal since the break flow is confined to inside the containment. Because the break is small, the operators transfer to the post-LOCA cooldown and depressurization procedure detailed in Part 9 of the ESD; i.e., ES 1.2. For the sequence being described, all of the events shown are assumed to be successful. The safety injection signals are reset, power to the emergency buses is available, costainment air is reestablished, the LHSI pumps are stopped, reactor coolant system (RSS) subcoolin0 is adequate, RCS cooldown is initiated, tne RCPs are runnin0, and RCS depressurization is initiated using pressurizer spray. The small LOCA is assumed to be large enough to cause a high containment pressure CIB si0nal, wqich actuates the quench spray pumps. As a result, the RWST reaches low level before the residual heat removal system (RHS) system can be placed in service and cold leg recirculation is required. 3.1-22 11 tecent seauence teneaten
Beavsr Vallay Power Station Unit 2 Revision 0 Probsbilistic Risk Assessment The ESD then transfers the reader to transfer 9 on Par 110 of the ESD; i.e., to the steps in Procedure ES 1.3. As a result of quench spray pump operation, water is available h1 the containment sump for recirculation. The RSS pumps operate normally. The containment vents and drains are isolated prior to resetting the safety injection signal. Service water is available to the RSS coolers. However, the auto and manual valve realignment for recirculation fails on both trains. RCS pressure is still high when the RWST reaches low level so that recirculation to the suction of the HHSI pumps is required. There is a failure of recirculation from the sump. The ESD then transfers to 10 on Part 11 of the ESD; i.e., Procedure ECA 1.1 for Loss of Emergency Coolant Recirculation. No credit is taken for the operators locally aligning for cold leg recirculation, given the earlier remote transfer attempts. Instead, another path is fcilowed as directed by plant procedures. Borated water is aligned for makeup to the RWST. Pump suction from the RWS1 is minimized. The RSS pumps operate in the recirculation spray modo for containment heat removal without drawing on the RWST. Another check that the containment vents and drains are isolated is considered in ECA-1.1. The operators then establish the minimum safety injection flow needed to remove decay heat while continuing makeup to the RWST to maintain level greater than 30 inches. Success of these actions places the reactor in a stable state. Longer term actions to cool down the RCS that allow the accumulators to inject and place the RHS in service are seen as helpful, but are not necessary to avoid core damage. The actions in ECA 1.1 permit the operators to stabilize the reactor and avoid core damage despite the loss of recirculation cooling. A third sequence traced through the ESD is that of a loss of main feedwater followed by a O failure of reactor trip and insufficient RCS pressure relief. As with the other sequences, initially, the conditions for a plant trip are annunciated in the control room. This is shown as the entry condition to Procedure E-0 on Part 1 of the general transient ESD. Both automatic and manual reactor trip fall. The ESD transfers the reader to the ATWS ESD (i.e., Figure 3.1.2-4) to follow the steps in Procedure FR S.I. Per FR S.1, the operators initiate manual control rod insertion. This action is expected to insert about one control rod bank per minute. Reactor power Invel is assumed to be initially greater than 40% and main feedwater is lost. These conditions pose a substantial challenge ; to the RCS pressure re}ief system to keep RCS pressure below 3.200 psig; i.e., a realistic failure pressure for the reactor vessel. ATWS mitigating system actuation circuitry (AMSAC) operates to provide a diverse signal to trip the turbine. The turbine trips automatically, thereby reducing the pressure challenge. Auxiliary feedwater initiates either on low-low steam generator level or by AMSAC. An insufficient number of pressurtzer PORVs and safety valves open to relieve RCS pressure. Reactor vessel integrity in lost. If is casumed that the failure of the vessel cannot be mitigated, resulting in core damage. The ESD then transfers to 14; i.e., Part 14 of Figure 3.1.2-2 As a result of the vessel failure, RCS pressure is assumed io be low at the time of core damage, All of the containment systems operate as designed. The RWST is available. Due to the high pressure, the HHSI pumps do not inject prior to core damage, but the LHSI pumps and the HHSi pumps do operate after core damage to inject the RWST contents. The
- containment sump is not plugged. The QSS pt.nps also operate. The RSS pumps operate to O- provide containment heat removal via recirculation spray cooling. The containment isolates automatically on high containment pressure. These conditions result in plant damage state YYY-1, as defined in Part 14 of Figure 3.1.2-2, 3.1 23 31 Amdent Sequence Dehneabon
.-_ -, _ . . _ . _ . _ _ . - _ _ - - . _ __ _ _ ~ _ _ - - - _ _ . . _ . .- . _ __ _
8::v:r Vcil2y Power St:ti:n Unit 2 Revisien 0 Preb:bilistic Risk Asssssm;nt The last sequence to be traced through the ESD is a steam Oenerator tube rupture with a failure of the operators to depressurite the steam generators. The tube rupture results in g both reactor trip and safety injection conditions, which are initiated in the control room. These conditions cause the operators to consult Procedure E-0; i.e.. Part i of Figure 31.2-2. This time, the reactor trips automatically. Automatic turbine trip also occurs. Power is found to be available to 4.16 kV bus 2DF but not bus 2AE; i.e., the power to emergency AC train orange is lost. Since power is available to the purple train, no transfer is made to ECA-0.0. The operators are instructed to attempt to restore the orange train while proceeding in E-0. The safety injection signal occurs on low pressurizer pressure. The ESD then directs the reaoer to transfer 4 on Part 5 of Figure 3.1.2-2; i.e., later in Procedure E-0. This steam generator tube rupture sequence then follows the same path as that describeo previously for small LOCAs. One exception is that the steani generator atmospheric steam dump valves are not available for remote operation due to the loss of emergency AC train orange. However, the steam generator safety valves function to provide steam relief. The flow of events is then continued on Part 6 of Figure 3.1.2-2. Initially, the safety valves cycle as needed so that none of the steam gener4 tors are faulted. Abnormal secondary radiation levels are detected indicating that there is a steam generator tube rupture. The ESD then transfers the reader to the SGTR ESD; i.e., Figure 3.1.2-3, which covers the steps in Procedure E-3. The RCPs are left running. The operators identify the ruptured steam generator and isolate flow from it. The operators also take manual control of feed to the ruptured steam generator to prevent overfilling it. Due to the size of the rupture, the pressurizer PORVs are not challenged. Power is available to nonemergency 480V buses 2J and 2K so that primary component cooling water is realigned to the containment air compressors and containment air is reestablished, h.4l ally, the ruptured steam generator pressure remains above 500 pig, as the safety valves cyr,lo as nee & ' Quench spray pumps need not be stopped because a ClO signal did not occur along acquence being described. Containment pressure is controlled to greater than 9.0 psia. The ESD then transiers the reader to 15 on Part 2 of Figure 3.1.2-3. The pressurizer 'ORVs are available IN pressurizer control Subcooled recovery is initially appropriate because there is no indication of increasing sump level and the ruptured steam generator level is being controlled. The condenser steam dumps are assumed to close. This is conservative because, while they do depend on DC train orange, which, in turn, depends on emergency AC train orange, the DC train will last for more than 3 hours just on the battery. As previously mentioned, the atmospheric steam dump valves are not available for remote actuation due to the loss of emergency AC train orange. The operator action to locally depressurize the steam generators usin0 the atmospheric steam dump valves is modeled but assumed to fail for this sequence. Because RCS cocidown is unsuccessful, pressure ramains up causing the safety valves to cycle. One of these valves is eventually assumed to fall open. This leads to a loss of reactor coolant, makin0 a subcooled recovery desirable, RHS cannot be placed in service because RCS pressure is too high. lhere is still a need for additional injection once the RWST inventory is depleted. Makeup to the RWST is considered but fails. The ESC recognizes the need for alternative injection sources and directs the reader to transfer 11 on Part 12 of Figure 3.1.2-2;1.0, to consider the actions in Procedure FR-C.2. 3.1-24 3i Awdent SMuence Dehneaten.
Buvsr Vellsy Power Station Unit 2 Revision 0 Probabilistic Risk Assessment in FR C.2, the operators are instructed to isolute the pressurizer on the chance that the
, source of RCS leakage may be a PORV train. This is rol the case for the steam generator tube rupture sequence being described. Atter the RWST empties, the HHSl pumps will be lost. Once sufficient RCS inventory is lost to allow core tunperatures to exceed 1,200 F the operators are to enter Procedure FR-C.1. Auxiliary feedwater is avadable to the remaining intact steam generators. The secondary sido leakage throu0h the failed open safety valve ;
1 cannot be recovered so that RCS integrity is not restored. The ESD then describes a series of actions that are called for by Procedure FR-C.1. There is. however, no evidence that RCS pressure could be reduced sufficiently to permit LHSt pump injec' ion prior to core damage, even if oil of the actions were completed successfully. Therefore, the ESD directs this
- sequence to core melt and transfers the reader to 14: i.e., Part 14 of Figure 3.1.2 2.
The first event in Part 14 of Figure 3.1.2-2 considers the actions to reduce RCS pressure. This event is conservatively omitted from the current event sequence quantitative rnodel. Such ) degraded core actions may be reconsidered durin0 the accident management phase of the
, Beaver Valley evaluation. Since the operators also failed to depressurize the steam generators in this sequence, RCS pressure is judged to be high at the time of core dama00.
Since the RWST emptied prior to core damage, and the water was lost through the secondary rather than to the containment, the RWST is unavailable as a sourco of water for containment heat removal or for containment spray after melt. The containment is also bypassed because a pathway exists from the RCS through the broken steam generator tube ar.d through the failed open safety valve to the environment. This sequence is assioneo to plant damage rtate NNN-O as defined in Part 14 of Fi0ure 3.1.2 2. t The following paragraphs describe each sheet of the general transient /LOCAs ESD. The . reasons for not rnodeling selected paths through the ESD as part of the event tree models is also provided. The particular events that appear in the ESD and are modeled in the . associated event trees are enclosed by dashed boxes. In the upper ri 0ht corner of the dashed box is a two-letter character desi0 nation. This designation is the abbreviated name of , the event tree top event heading that models the enclosed events. Some dashed boxes are designated "lE," which stands for initiating event. Such events enclosed by these boxes are considered in the selection of initiatin0 event categories. Individual causes for the occurrence of a safety injection condition as the cause of a plant trip are not modeled , explicitly. Instead, such causes are modeled implicitly by definin0 the imtiating event categories appropriately to cover each situation. As is standard practice, the frequencies of these initiating event categories are then derived directly from industry experience and plant-specific data. l The ESD is entered if the conditions exist for a reactor trip or safety injection signal. The expected sequence of actions is shown down the left sido of the diagram. With everything successful and no safety injection signal or conditions present, the operators then continue to EOP ES 0.1; i.e., reactor trip response. The normal plant response following a reactor trip without a safety injection signal is for the MFW regulatin0 valves to close when RCS temperature is reduced to less than 55PF; i.e., a partial feedwater isolation occurs because the RCS temperature is reduced to 547'F. AFW then actuales automatica:ly on low-low steam generator level, and becomes the first option for secondary heat removal. The multiplicity of i steam rehef paths for each steam generator is very large. Failure of all of these paths was therefore not considered as a significant failure modo for secondary side heat removal. Operation of the steam generator atmospheric steam dump valves for controlled l; depressurization of the secondary side is, however, considered. If the reactor trips, no credit - i I 3.1 25 31 Accient Sepote Dehneeon
Bsant Vati;y Powsr Stction Unit 2 Revision 0 Prcbsbilistic Risk Assessmsnt is taken in the model for manual turbine trip and generator trip prior to a safety injection condition. If there is no safety injection condition or signal, and secondary heat sink is established, transfer is made to tranwer 1 of the ESD. The events depicted cover the plant response when the reactor has tripped and a safety injection is not required Consideration is given in this portion of the ESD to events that may lead to an induced small LOCA. Two situations are considered: a stuck-open PORV train and an RCP seal LOCA. If the sequence of events leads to a small LOCA, transfer is made to transfer 4. If the sequence of events does not lead to a small LOCA, then the plant is assumed to bo stable at ho' standby. The actions to proceed to cold shutdown are then not necessary, and therefore, are not modeled in the eve'n trees. Long-term manual action to ensure a continued water source for steam ge~, erator cooling may be necessary. This action is modeled in the event trees. Tri nsfer 2 is entered wnenever a loss of secondary heat sink has occurred. If secondary heat sink is eventually recovered, then the operators are directed back to the procedure and the step in effect at the time that the secondary heat sink was lost. Since EOP FR-H.1 may be entered frorn the critical safety function status tree, it may be entered from any number of places in the procedures. For the purposes of this diagram, it is assumed that the loss of secondary heat sink procedure would be entered when feedwater status is first checked; i.e., EOP ES-0.1 or EOP E-0. The event tree models consider the primary actions to restore core cooling; i.e., restoring MFW and establishing bleed and feed coohng. Credit for recovering AFW is not modeled. The additional action to depressurize the stea'n generators sufficiently to permit feeding the steam generators with condensate is not modeled in the event trees. Because of the redundancy of main feedwater pumps (MFP) available (including the startup feedwater pump), it is assumed that for cases in which MFW cannot be reestablished, neither can the condensate system alone, Bleed and feed cooling then becomes the last-ditch core cooling mechanism considered. The bleed and feed cooling option is considered in transfer 3. This transfer is entered when secondary heat sink cannot be recovered. Only one of the three pressurizer PORV trains are needed for successful bleed and feed cooling (Reference 3.1.2-3). Successful bleed and feed cooling is then modeled as leading to an eventual requirement to go to cold leg recirculation (securing safety injection is not modeled) when RWST inventory is low. This part of the ESD also indicates another place in the procedure (i.e., EOP FR H.1) where consideration is given to depressurizing at least one steam generaMr to allow feeding with a low pressure water saurce. This backup core cooling mechanism is not modeled in the initial event tree models. Also, recovery of containment instrument air is not modeled alon0 this path. Recovery of containment instrument air is only considered following a CIA or CIB signal if there has been no LOCA and feed and bleed cooling is not needed. For sequences in which a safety injection signal is present or the conditions for one exist, I transfer is made to 4. As indicated by the dashad boxes, nearly all of the events shown in l this part of the ESD are included in the event tree models. One exception is, again, the omission cf the events concerned with secondary-side steam rehef. The multiplicity of steam relief paths for each steam generator is judged to make such failures sufficiently low in frequency as to obviate their consideration in the event tree models. In addition, the reactor coolant pumps are conservatively assumed to operate if offsite power and other support systems are available. 3.1 26 31 enort seven Denneanon
Desvsr Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment if a safety injection signal is initially present, but the RCS is later determined to be intact, or , at least leaking only at a slow ram, the ESD transfers to transfer 5 (safety injection j termination criteria is satisfied). These actions then consider the termination of safety injection and the establishment of normal chargin0 and letdown. If normal charging and letdown cannot be established, RCS inventory is, by procedure, controlled usin0 the reactor vessei head vents. All of the events indicated in this part of the ESD are at least irnplicitly modeled in the event trees. The failure to establish a chargin0 and letdown path is not modeled as a likely small LOCA. Falture to promptly terminate safety injection flow is modeled as leading to a challen0e to the pressuriter PORVs for pressure relief. Il safety injection, in the absence of a LOCA, is successfully terrainated, the LSD transfers to transfer 6 on the same sheet as transfer 1. This transfer recogn zes that the series of events following safety injection termination in EOP ES-1.1 are snitar to those previously outimed _ for EOP ES 0.1: i.e., hke reactor tr6p with no safety injection. Transfer 7 is for sequences in which safety injection conditions have been verihed to have occurred indicating that a LOCA or secondary-side break within containment is in progress, if the safety injection termination criteria cannot be satisfied, a LOCA is in progress. Again, nearly all of the events shown in this transfer are modeled in the event trees. No credit is taken for isolation of LOCAs outside containment. Interfacinc LOCA sequences are discussed - further in Section 3.1.3.6. Another exception is the requirernent for the operators to stop the LHSI pumps if RCS pressure remains above 185 psig and is either stable or increasin0 At Beaver Valley Umt 2, the LHSI pumps recirculate back to RWST. Therefore, the danger of overheating the pump by raising the temperature of the puroped fluid is minimited. Also, the LHSl pumps need only run until the RWST inventory is injected, a relatively short period of time. No impact is modeled if the operators neglect to turn off these pumps. Success of the events associated with this transfer means that LHS! or HHSI is successful. If the LOCA is larDe. the next events of interest are the transfer to cold leg recirculation, EOP ES-1.3. If the LOCA is small or medium, the EOPs transfer to post LOCA cooldown and depressurization; i.e., EOP ES 1.2. Transfer 8 considers the actions in the post-LOCA cooldown and depressuritation procedure. Success of the events in this procedure means that the RCS is cooled down and depressurized sufficiently to avoid the need to transfer to cold leg recirculation. This is likely to be accomplished for only very small LOCAs in which some form of secondary heat sink is available. If the LOCA is not very small, the RWST will likely empty before RCS pressure can be reduced sufficiently to terminate the leak. Since it is difficult to distinguish occurrence frequencies for very small LOCAs versus small LOCAs, the event tree models treat very small LOCAs as small LOCAs that still require cold leg recirculation. Consequently, the actions followed to avoid the necessity of cold leg recirculation are not modeled in the event trees. The events that are modeled help to distinguish RCS pressure at vessel breach in the event recirculation fails. Transfer 9 models _the actions applicabic when the RWST empties (i.e., is less than 450 inches), for LOCA sequences in which injection is successful. Successful completion of the actions in this part of the ESD leads to a stable plant configuration in cold shutdown. Most of the events showti are included in the event tree models. The action to align a redundant recirculation path given that both RSS and HHS1 pump trains are available is not modeled in the event trees. The event trees model success of the HHSI function for 24 hours. Therefore, success of HHSI in the event tree models also implies success of the injection flow path during recirculation. The alternate cold leg injection path is not necessary. The operator 3.1 27 3i Acuomt Swere Demneahon-
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Rish Assessment action to stop the QSS punips is not modeled in the event trees. Cavitation of the QSS pumps should not occur as long as water is available in the RWST. Once the RWST is emptied, the QSS pumps are no longer necessary to mitigate the accident. Therefore, this pump protection action is not rnodeled. Approximately 14 hours after cold leg recirculation is established, the procedures instruct the operators to establish hot leg recirculation to avoid boron precipitation concerns. Every 24 hours thereafter, the operators are to switch from hot to cold leg recirculation, or hom cold to hot leg recirculation, as appropriate. This action is not modeled in the event trees. Thcre is ample time to establish such alternate injection flow paths, and even 'l the plant remained on cold leg recirculation, it is doubtful that boron precipitation would lead to fuel damage after the plant had already achieved such a stable state. If containment atmospheric pressure exceeds the containment design pressure, there is a potential (i.e., a small chance) for containment f ailure. In the NUREG/CR 4550 analysis for Surry Unit 1, such an event was modeled. For Beaver Valley Unit 2, it is beheved that the realistic containment failure pressure is sufficiently high that the containment will not fail during the blowdown if OSS fails, even for large LOCAs. If the containment did fail in such events, there is still only a small chance that the subsequent blowdown of the contamment to the atmosphere would be sufficiently energetic to fall recirculation from the sump; in the Surry analysis, a 2% chance of consequential recirculation failure was assumed. Such a mechanism for f ailing recirculation is not modeled in the event trees. If cold leg recirculation is required but cannot be established, the actions indicated on transfer 10 are of interest. These actions have the operators reduce the amount of safety injection flow to minimize the amount of RWST required. Makeup to the RWST is then provided to ensure continued inMction. The event tree models do not take credit for the operators locally aligning valves for cold leg recirculation. The diagram assumes that if the operators establish the minimum safety injection flow required to remove decay heat, as specified by procedure, and if they provide even a slow rate of makeup to the RWST, then continued injection at a rate sufficient to cool the core may be sustained, and the RWST level would remain above 44 inches. The actions to cool down the RCS and to place the residual heat removal system (RHS) in service would affect the time available to accomplish such actions, but are not believed to be esse.itial to maintain core cooling. For the event tree models, in the event of a failure to establish cold leg recirculation, makeup to the RWST is required first from the spent fuel pool at a relatively high rate, and then via blending operations after several hours, at a lower, although sustained, rate. In tne presentation of transfer 7 actions (i.e., for loss of reactor or secondary coolant), failure of HHSI durmg a small LOCA or medium LOCA is mapped to transfer 11, Transfer 11 considers the actions to establish LHSl in order to provide RCS inventor / control. These actions are described in EOPs FR-C.1 and FR-C.2. If the LOCA is small, the RCS must be depressurized sufficiently to permit LHSI pump injection. While this cooling option may be appropriate for a amber of initial plant states and LOCA sizes, the PRA team is unaware of any thermal hydraulic analysis to support the contention that the operators could wait until the entry conditions for EOP FR-C.1 or FR C.2 are satisfied before implementing these actions. Therefore, no credit for preventing core damage is given for these actions. One alternative HHSI system configuration has been identified but is not indicated in the ESD. For failures of the HHSI suction valves the LHSI pumps could be used to transfer RWST inventory to the HHSI pumps, bypassing the failed suction valves. Current procedures do not instruct the operators to perform such a realignment. EOP E-0 instructs the operators to verify that power is available to one of the 4.16-kV emergency buses. Loss of all emergency AC power transfers the operators to EOP ECA-0.0; 3.1 28 as Amoent seven oenneaton
Bocytr Valley Power Ststion Unit 2 Revision 0 Probabl3stic Risk Assessment i.e., loss of all AC power, The events in EOP ECA 0.0 are presented in' transfer 12. The actions in this procedure are directed at restoring electrical power and taking the steps necessary to extend the time available for electric power recovery. For these sequences, the time dependent RCP seal leak rate model becomes important. Availabihty of vital bus instru". "ation, as governed by the battery capacity and actions by the operators to shed loads from the batteries (conservatively not modeled), is also important since without vital Instrumentation 11 will be ditlicult to control secondary heat removal In cases where the operators successfully depressurize the RCS, the accumulators are assumed to successfully inject, Failure to eventually recover electric power from either offsite or onsite is rnodeled as coro damage, The electric power recovery actions considered in this part of tho ESD are modeled in the electric power recovery analysis presented in Section 3.3.3, which is separate trom the event tree models. Transfer 13 is a transfer point within the first sheet of the ESD and within the transfer 4 sheet. The sequence of events is returned to this point if electric power is recovered while in EOP ECA-0.0, or if secondary heat sink is recovered while in EOP FR H.1. For all places in the previously described portions of the ESD transfers that result in core damage, the dia0 ram transfers to transfer 14, Transfer 14 considers the status of containment systems and other parameters important for considering the performance of the containment boundary durmg a core damage accident. The status of such systems is important input to the Level 2 analysis for determining the hAelihood and magnitude of rmhoactive release into the environment. The events shown for transfer 14 are actually a simplification of all the plant events of interest for Level 2. The definitions of thu endpoints in transfer 14 are consistent with those identified in NUREG/CR-4550 Volume 3. for the Surry plant, except that the status of the containment is also questioned. The more complete definitions of plant damage states usec for this study are described in Sections 3.1.6 and 4.3. One simphfication is the response of the operators after it is determined that a core damage event has occurred. These actions are not included in the initial frontline event trees. Such actions will be considered as sequence specific recovery actions for sequences that are shown to be important. One such action indicated in transfer 14 is that of opening the pressurizer PORVs to depressurize the RCS. Analysis of core melt progression scenarios has shown that reducing the RCS pressure prior to reactor vessel molt-through helps to mitigate the impact on the containment. Although not written for pestmelt conditions, currently functional Response Guideline FR-C.1 does instruct the operators to open the pressurizer PORVs to lower RCS pressure. This action is not considered in the event tree modela. However, the post-LOCA cooldown action to depressurize RCS also by opening the prer.serizer PORVs is modeled. 3.1.2.2.2 SGTR ESD: In the event of an SGTR event, the EOPs transfer the operators to EOP E 3. This transter to the SGTR proc 6dures is shown in transfer 4. The operators detect the ruptured steam generator based on the level of secondary radiation and/or the level in the steam generators. For the purposes of ; esentation, the actions associated with miti 0atinD SGTRs are covered in a separate ESD; i.e., Fi0ure 3.1.2-3. Most of the actions indicated on the first page of Fi ure 0 3.1.2-3 are modeled in the SGTR event tree. The status of the RCPs is not tracked as a separate top event in the event trees. It is assumed that tne RCPs are available if needed for pressurizer spray, provided that the support systems required for them to function [i.e., nonemer0ency power and primary component cooling water (CCP)] are available and if the RCPs were not lost as the initiating event. This assumption neglects the failure to run probability of two or more RCPs which 3.1 29 3i Ami Seme D&neaba
B::v;r Vcil;y Pc Or St ticn Unit 2 Rsvisl:n 0 Prcb:bilistic Risk Ass:ssm:nt should be very smill. As a result of the SGTR, RCS pressure is expected to fallinitially; see, for example, Figure 1$h4 of the Updated Fmal Safety Analysis Report (FSAR), Consequently, the events associated with imtlal challenges to the pressurizer PORVs immediately following the plant trip are also not modeled in the event trees. All of the other events on the first page of the SGTR ESD are rnodeled in the event trees. Transfer 15 of Figure 3.1.2 3 considers the st.bsequent actions called for by procedures to initiate an RCS cooldown. To simplify the event tree model, no credit is given for the condenser steam dumps when considering the equipment required to initiate depressurization of the intact steam generators. The event free model does consider the steam generator atmospheric stearn dumps. This assumption is conservative because it forces the two remaining steam generator atmospheric dump valves on the intact steam heaters to be available for successful cooldown. If support for these valves is unavailable, credit for the operators locally manipulating the valves is modeled. Omission of the condenser steam dumps is not significant because of the common operator action required to initiate the cooldown. Also, for sequences in which the main steam isolation valves (MSIV) close (e.g., containment pressure greater than 3 psig), the condenser steam dumps would not be available. Numerous options are available to the operators for accomplishing RCS deptessurization. As a last resort, the procedures call for use of the RCS head vents to
- d. .ressurize. This option is not considered in the event tree. The head vonts may be of ir..ufficient capacity to perform the RCS depressuritation. A stuck open safety valve on the ruptured steam generator is modeled; however, termination of safety injection is assumed to occur before a primary PORV challenge occurs. The initial safety injection signal occurs on low RCS pressure. When HHSI operates, RCS pressure increases. Before RCS pressure is rtised to the pressurizer PORV setpoint, the steam generator sleam dumps and safety valves on the ruptured steare generator would lift to mitigate the pressure rise. Any steam generator tube leak sufficient in size to cause a safety in! action condition is assumed to also be large enough to allow the secondary valves to prevent a subsequent challenge to the pressurizer PORVs. Three events at the end of transfer 15 in the SGTR ESD are not considered in the event tree. These actions affect the amount of radiation telease into the environment assuming that core damage is prevented. However, the amount of radiation of concern is relatively small, compared with core damage events. In keeping with the focus of this study, these events are not modeled in the event tree because they do not affect the frequency of SGTRs leading to core datnage.
Transfer 16 considers the final actions needed to mitigate SGTR events, These events consider the potential for a consequential small LOCA that would complicate the recovery. Such LOCAs may develop trom RCP seal leakage or from failing to rescat a pressurizer PORV If it was opened earHer to depressurize the RCS. In the event that a small LOCA does develop, the need to transfer to cold leg recirculation would eventually result. The RHS system is needed only if a release path through the secondary side remains open so that the RCS must be further depressurized to reduce the break flow to inconsequential levels, l thereby minimizing the need for makeup from the RWST, Feeding the ruptured steam ( generator informittently to support cooldown is not considered essential and is not modeled. Late in the procedures for mitigating an SGTR, the operators are instructed to check for l adequate shutdown margin. The reactivity concern is due to the possibility of backflow of l unborated water from the ruptured steam generat >r into the RCS while the operators attempt to achieve cold shutdown conditions. As long as high pressure injection is accompl!shed via the HHSI pumps, there should be no problem. For SGTR sequences in which the HHS1 l pumps are not available (i.e., no borated water max,oup is available), when the operators l attempt to cool down, there is a reactivity concern. This potential problem is not modeled in l 3.1 30 31 uceent smuence Denneanon
Beaver Valley Power Statloa Unit 2 Revision 0 Probabilistic Risk Assessment the initial event trees. However, it 6s believed that as the plant is cooled down by depressutiling the steam generators, borated water from the accumulators would be sufficient to keep the reactor subcritical. 3.1.2.2.3 Anticipated Transient without Scram ESD: This section presents the ESD for the ATWS event. This ESD is entered from the general transient /LOCAs ESD on f ailure of the reactor to sci _. n on demand. The EOP then leads the operator to EOP FR S.1 to mitigate the ATWS event. Figure 3.1.2-4 shows the ESD derived for the steps listed in the EOP. For certain plant conditions, there is no chance of the RCS pressure becoming sufhciently high to threaten the primary boundary. In these cases, the mitigahon of the event is modeled the same as for normal shutdown after a general transient, and the ESD leads back to the general transient / LOC As ESD. For all other plant conditions, the ESD reflects the steps _ outlined in EOP FR S.1. In case of equipment or operator failures that lead to core melt, the ESD transfers to the general transient /LOCAs ESD that models containment cooling and containment isolation (transfer 14). At the end of the transient, when reactor shutdown has been achieved, the ATWS ESD also transfers back to the general transient /LOCAs ESD if the primary boundary was breached. Some of the steps in the EOP do not impact the transient and are not specifically modeled in the ATWS event tree as top events. These steps include repeated attempts to trip the reactor, sound alarms, verify AFW flow rate, and the like. An SGTR coincident with the ATWS is considered unlikely, and the steps to check for ruptures are also not modeled. Currently, all steam generator tube ruptures followed by a failure of reactor trip are conservatively modeled as core melts with containment bypass. The step requiring the isolation of all dilution paths to the RCS is also not modeled as a top event because these paths are open for a very small fraction of the time, and, if indeed they are open when the ATWS event occurs, the only effect would be to prolong the transient to the shutdown point. Other manual actions in the ESD that are not modeled in the event trees include manual generator trip, MSIV isolation, and manual start of AFW pumps. _ 3.1.2.3 Success Criteria The system success criteria for each of the key safety functions for a variety of initiating event categories are provided in Tables 3.1.2-2 through 3.1.2-8. These criteria are consistent with the as bu4t plant design and as operated by the Duquesne Light Company staff. As the name implies, the general transient success criteria apply to a wide variety of initiating event catep ries. Table 3.3.71 identifies which initiating event categories use the general transient event tree and, consequently, the general transient success criteria. Accident sequence frequencies for many of the initiating event categories identified in Section 3.1.1 are quantified using the criteria in Table 3.1.2-2. The effects of different initiating event categories (e.g., loss of offsite power versus a simple turbine trip) on the abihty of the miti0ating systems to respond are reflected in the unavailabilities of the mitigating systems. These differences are discussed later in Section 3.3.5. Separate system success criteria tables are provided for the ditterent LOCA categories; i.e., Tables 3.1.2-3 through 3.1.2 7. The different size LOCAs impose different success criteria on the mitigating systems. These different criteria are also reflected in the event tree structures, as seen in the next section. The isolable small LOCA initiating event category uses the small LOC A success criteria if the operators f ail to isolate the leak. If they successfully isolate the leak the general transient success criteria are then used. 3.1-31 3i Amnem sewee owam
8::v:r Vcll y Pcwor St: tion Unit 2 Rovision 0 Prcb:bilistic Risk Assessment The success criteria for ATWS sequences are presented in Table 3.1.2-8. A separate event g tree structure is also used to quantify the reactor trip failure sequences. The ATWS event W tree is presented in Section 3.1.4. The success criteria presented in Tables 3.1.2 2 through 31.2-8 are consistent with those documented in Reference 3.1.2-4 with the exceptions noted below. The applicability of these success criteria was established by reviews of the Beaver Valley UFSAR and, wherever appropriate, Beaver Valley specific thermal-hydraulic calculations. For blecd and feed cooling, one HHSl pump with one of three cold leg injection paths and one of the three pressurizer PORVs is adequate for heat removal (Reference 3.1.2-3). The ATWS system success criteria is similar to those adopted in Reference 3.1.2 5. One difference is the criteria assigned for adequate pressure relief, The criterla developed in Reference 3.1.2 5 were also adopted for use here. These criteria are further described in Section 3.1.4. For steam generator tube rupture events, which were not developed in Reference 3.1.2-4, the criteria are easily extrapolated from that for small LOCAs. One complication is the control of leakage through the ruptured steam generator. It was determined that if the ruptured steam generator is not isolated, successful RCS inventory control can still be achieved without HHSI, by successfully cooling down and going on RHS to stop the leak. 3.1.2.4 References 3.1.2-1. Ray, N. K., et al., " Response to USNRC Generic Letter 8B-11 for the Scaver Valley Unit 2 Reactor Vessel," Westinghouse Electric Corporation, prepared for Duquesne Light Company, Noverrber 1988, AT-SM ART-210(88), project number SWEC 1210-DOC-77. 3.1.2 2. Cheung, A. C., et al., "A Generic Assessment of Sigmficant Flaw Extension, including Stagnant Loop Conditions, from Pressurized Thermal Shock of Reactor Vessels on Wes, ghouse Nuclear Power Pla nt s," Westinghouse Electric Corporation WCAP-10319. December 1983. 3.1.2-3. Pickard, Lowe and Garrick, Inc., and Storie & Webster Engineering Corporation,
" Beaver Valley Unit 2 Probabilistic Risk Assessment," prepared for Duquesne Light Company, PLG 0730, Appendix C Thermal Hydraulic Analyses, December 1989.
3.1.2-4 Sandia National Laboratories, " Analysis of Core Damage Frequency: Surry Unit 1 Internal Events," prepared for the USNRC by Sandia National Laboratories, NUREG/CR 4550. Volume 3, Revision 1 SAND 86-2084, April 1990. l 3.1.2-5. Westinghouse Electric Company," Joint Westinghouse Owners Group / Westinghouse Program: Assessment of Compliance with ATWS Rule Basis for Westingt'ouse PWRs," WCAP-11993, December 1988, proprietary. O i l i 1 1 3.1 32 31 Accio nt seavence Denneanon.
. ~ _ _
I l B::v:r Vcil:y Pcw:r Stction Unit 2 Revision 0 Probabilistic Risk Assessment Table 3.1.21, Relationship of EOPs to Beaver Valley Unit 2 ESD ESD (Transfer Procedure Number Number) Reactor Trip of Safety injection E-0 GT/LOCAs (0,4,7) Rediagnosis ES 0.0 N/A , Reactor Trip Response ES 0.1 GT/ LOC As (0,1) Natural Circulation Cooldown ES-0.2 GT/ LOC As (1) Natural Circulation Cooldown with Sinam Void in ES 0.3 N/A Vessel (with RVLIS) Natural Circulation Cooldown with Steam Vold in ES-0.4 N/A Vessel (without RVLIS) Loss of Reactor or Secondary Coolant E-1 G1/ LOC As (4,5,7,0) Safety injection Termination ES 1,1 GT/ LOC As (1,5) Post LOCA Cooldown and Depressuritation ES 1.2 GT/ LOC As (0) Transfer to Cold Leg Recirculation E S-1,3 GT/ LOC As (9) Transfer to Hot Leg Rocirculation ES 1.4 GT/LOCAs (9) Transfer from Hot Leg to Cold Leg Recirculation ES 1.5 N/A Faulted Steam Generator Isolation E2 GT/ LOC As (4) and SGTR (0) l Steam Generator Tube Rupturo E3 SG1R (0,15,16) Post SGTR Cooldown Using Backfill ES 3.1 SGTR (16) Post SGTR Cooldown Using Blowdown ES 3.2 SGTR (16) Post-SGTR Cooldown Using Steam Dump ES 3.3 SGTR (16) Loss of All AC Power EC A-0.0 GT/LOCAs (12) Loss of All AC Power Recovery without Safety EC A 0.1 GT/ LOC As (12) Injection Required Loss of All AC Power Recovery with Safety ECA 0.2 GT/LOCAs (12) Injection Required Loss of Emergency Coolant Recirculation ECA 1.1 GT/LOCAs (10) LOCA Outside Containment EC A-1.2 GT/LOCAs (7)
- Uncontrolled Depressurization of All Stearn EC A 2.1 N/A l Generators l' SGTR with Loss of Reactor Coolant-Subcooled EC A 3.1 SGTR (0.15.16)
Recovery Desired SGTR with Loss of Reactor Coolant Saturated ECA 3.2 SGTR (15,16) Recovery Desired SGTR without Pressurizer Pressure Control ECA 3.3 SGTR (15,16) Critical Safety Function Status Trees: Subcriticality F.01 N/A Core Cooling F.0-2 N/A fic.aLSink F.0-3 ,JL/A , Key: GT/LOCA - General Transient /LOCAs ESD SGTR + Steam Generator Tube Rupture ESD l- ATWS - Anticipated Transients without Scram ESD l N/A - Not Applicable. Not Explicitly identified in the ESDs Note: Transfer number 40) is the first page of the ESD. l t
-3.1 33 31 Acceent bewu e Deneahon
B;;ver Vcil:y PO:: r Stctl:n Unit 2 Rsvis.cn 0 Probabilistic Risk Ass:ssment Table 3.1.21. Relationsliip of EOPs to Beaver Valley Unit 2 ESD ESD (Transfer Procedure Number Number) Integrity F.0-4 N/A Containment F.0-5 N/A inventory F.0 0 N/A Response to Nuclear Power Generation /ATWS FR S.1 ATWS (0) Response to Loss of Core Shutdown FR-S.2 N/A Responto to inadequate Core Cooling FR C.1 GT/ LOC As (11,14) Response to Degraded Core Cooling FR-C.2 GT/ LOC As (ii) Response to Saturated Core Cooling FR-C.3 N/A Response to Loss of Secondary Heat Sink FR-H.1 GT/ LOC As (2,3) Response to Steam Generator Overpressure FR H.2 N/A Response to Steam Generator High level FR H.3 N/A Response to Loss of Normal Steam Release FR H.4 N/A Capabilities Responso to Steam Generator Low Level FR H.S N/A Response to Irnminent Pressurized Thermal Shock FR P.1 N/A Condition Response to Anticipated Pressurized Thermal FR P.2 N/A Shock Condition Response to High Containment Pressure FR-Z.1 GT/LOCAs (14) Response to Contalument Flooding FR Z.2 N/A Respunse to Hi0h Containment Radiation Level FR Z.3 N/A Response to High Pressurizer Level FR 1.1 N/A Response to Low Pressurizer Level FR l.2 N/A hansn_1LVolds in ReaC10LYessel _EfhL3 N/A Key. GT/ LOC A - General Transient /LOCAs ESD SGTR - Stearn Cenerator Tube Rupture ESD ATWS - Anticipated Transients without Scram ESD N/A - Not Applicable, Not Explicitly identified in the ESDs Note: Transfer number (0) is the first page of the ESD. O t 3,1 34 31 Amoent See;ence Dehneahon j
iO ( s T 12 Table 3.1.2-2. General Transierst Success Criteria Summary Information 8g
~- y4 Reacter Core Hest Core Heat c' E Suberiticalkty Removal. Early '" 8 Y Removal. Late #'"*P ***# * ' 33 < f St.ppression Heat Removal
- a_r RPS 1/3 AFWP Any Open Hone Required 1/3 it[RSS (A/B) k RCS pressure rePef f or or Charging!HHS1 in Sp;ay Mode not required -7 l Manual Reactor 1/2 fAFWP PORVs and. Redose . ! and arwJ Hoe.ver. FORV may x-l Trip or RCP Seat [1/2 RSS (C/D) SWS/$i(5 !a opsn. POWS- >e 1 SU FWP Integrit/ Abgr+d to AINxiated assurned chattenged h [
or vesset in;ection Host if norman .~ '
! "'8
, 1/3 Charging! HHSI Pump to 3 with SWSISWE to Associated Enchanger) or pressurizer spray unava+1at:de or if {as 1/3 Cold Legs 9 Heat Erchanger 1/2 RSS (C/D) steam generator AC and or in Vessel steam dg 3.-
" ~
1 PORV Opens gp g Continuous injecta Mode unavailabl# y l (in Feed and Makeup wth SWS/SWE 2, Bleed) Barts d d Provided to to Associasad RSS Wms R'MT i RCPs g RWST)] Heat Ercargar [ g3 , yp3g i operator rnust turn
- - off pumps to avoid
$ Cooling t Available with 3. Core Nat removal. ;
RCS intact late and , containment I atmospherre heat removat are required only when ,. feed and bleed is j
, demanded or RCS - -- integrity is lost CIB [t actuation setpoint R assumed reached i a . $ 4. Secondary steam
[ relief assumed ' i ac available. , 3 5. AFW/MFW to one O steam genera'or ( , S suf'icient 5. 5 w , 2 o~ g 3
? o
- 7 In Table 3.1.2-3. Small LOCA Success Criteria Summary Information 3g tY <
Reactor Core Heat
'" '8' " *"'*
Core Heat hE Suber*ticality Removal, Estly Y Suppression R emoval. Late E E< Heat Removal g >_ RPS 1/3 Charging / See Comments Not Requ' red 1/3 Charging / h '2 RSS (A/B) 1. Faiture of RFS and or HHSI Pump to HHS!. H Spray Mode manual reactor trip ,- 7 Manual Reactor Trip 1/3 Cold Legs and and [1/2 RSS (C/D) SWS/SWE to Associated transfers to ATWS tree.
>j w
a 1/3 AFW Pump Aligned to Heat or Vessel injection Exchanger)
- 2. E int @ty is bt E g 'g 1/2 MFWP Mode with as a resWt of the e or or SWS/SWE to 1/2 RSS (C/C) hS 1 Startup FWP Associated in Vessd ?. C os Heat Exchanger injection Mode }
1/3 Chargingt- or w th SW'4YE y
! HHSI Pump to Continuous to Associated 1/3 Cc4 Legs Makeup Heat Exchanger and Prowded to 1 PORV Opened RWST] l Y
c.a ot 4 N a e a 8 3 a :n ? E 5 ;r 2 o-5 3 ? o O O O
O C\ b Table 3.1.2-4. Medium LOCA Success Criteria Summary Inbemailon 3g t7 < Reactor Core Heat Core Heat
#'"** ***** bI SubertMeality Removat. Enefy Suppression Removal Late E<
Heat Removal
** E_
Not Required 1/3 Charging,- See Comments None Required 1/2 RSS (C/D) 1/2 RS$ (A!8) 1. 10 injecta imes HHSI Pump to Aligned to in Spray Mode adaquate fc/ LMSt. -T 2G Cold Legs Vesset Injection and SWS/SWE rj 7 g , l and eth SWS/SWE to Associated g gg' >
,e i 1/2 LHS1 to to Associated Heat Erchanger
~.13 Cold Legs Heat Exchangee er 3. Reador g ,g and or 20 1/3 Chargmg*
1/2 RSS (C/D) b Vesset sutx:ritica!:tf is not espi.cstfy recurred
}g F oa ;
Accumulators HHSt Pumps Injection Mode ff RFS fai!s. the ?. C ' with Continuous wth SWS/SWE reactor mit be 3 MaAcup to Associated mamiained g Pronded to Heat Exchange
- subenteaf by ,[
RWST myectron of RWST inver tory 4 RCS integnty is lost
-$ l as a result of the. .
4, j intiator. N l l { 5 RSS requ res RWST L to be m;ec'ad wa ' i OSS for NPSH or
!, operator ewst tum !
I c'f t% pumps to j f avced cawtatron i w i a i' c , t 4 f 2 m > ,i , g ._. o l i 5
=
3 ' o
. - r _ . . _ _ _ _ . _ _ _ _ _ . _ _ _ _ _ . _ . . _ . . _ _ _ _
7 tn Table 3.12 5. Large LOCA Sucress Criteria Summary taformstien 3g tr < Centabrne st 4 Centomment ** Su lity Re n.E fy R f'
- S n H R Not Required t/2 LHS1 to See Comments "
1/2 Cold Legs None Requ= red 1/2 RSS (C/D) AhW to 1/2 RSS (A/B) in Spray Moda
- 1. Inrnt:-on of LHSt into one RCS loop
[
,- 7 and Wessetin w ien and was conhed ry 2/2 mth SWS/SWE SWSSTE to surro et. >e w -=
Accumulators to Associated Associale:t 2 RmW *M eat s eat h W subentica'ity is not *k 1/3 Ch rgingt 1/2 RSS (CV) p l HHSt Pumps m Vessel gy c injection Mode j meth Continuous ; a Maneup with SWS/SWE , y Frtmded to to Associated i d MST RWST Hea: Exchar:gw - inventory 1 RCS integnty is lost ; P m as a resuft of it e b initiator. CD ta a b o 2 A t' j , m ? 3 w $ 0 E 3 o e O G
~ ^
,. q
~
I Tabte 3124 Steam Generator Tehe Rupture Success criteria Summary ardermatsori ge contra at if , Conta6nmerit Containment
#' "* Remowad, te _
1 e lity R al E y Suppression Heat Removal n, y Generster M* _y
*O F
RPS to AFW Pump (Sae Not Remared 10 Charpf9f HNSt 1/2 RSS (A/B) ertSoray Moce Ruptured Steam
- 1. Fa+!ure of RPS and manual reactor tr*p >g se
- or or Corr ~er:ts)
- and and Generator trans'ers to ATWS tree.
Manual 1/2 VFWP Reacer Trr, or 7, ;
,<2 Rss (Cec; sws,swt to tsoiated 1 m ,, , ,,.y ;g m
are to Assoasted =~s ,,,,, , , t startua Fwe to charg not g,,,,,,, t% RCS Y'" myxt.on uode Exchav "C8 De ressurized man k= 7
,y,3 to RHS - my 3. Core heat reaevat. aste ~C _
HHS! Pump to weh $WS/SwE or
?O Cold Legs to Assocated 1/2 RSS (C/D) Condtons andCTta M 1-gp g,, Heat in Vesset or a*mos ve. 'C
- eat g aw in Cha post re-owat are rmreo iPORV Enchanger enrectier, ucce or w th SWS/SWE HMSt Pump cr*y wNm W and Opened g Stea,, ,o Assecat-d a~, u-e .s -m et
,,, _ ,, Ganara*cr l Heat RW$TUmkedp RCF seals feel. Or a Cootmg E e anger or RCS pressurirer ORv stos Avadable Depressurtrad opert.
to R S s e y t, cc, ,, a% RMS
- Treemat y Baerier of All gg, RCDs w
a R k m O' h 2
? o b
h-
- ia =
9
, n
T En Table 3.1.2-7. Excessive LOCA Success Criteria Summary information 8g tr < Containment Containment *a Su itcality Re vs Early '"'*8' '*** Re 3. L to "*E """ '
=<
Suppression Heat Remova! g, m_ No: Required Failed by See Comfrents None Required " Failed by 1/2 RSS (A/B) 1. RCS integeity is lost Definiticn of Definition of in Spray Mode as a result of the -T imtiator initiator and i M ator. SWS/SWE to .,
>y F
e
.. Reactor is
^
- eat Shp suberiticainty is not SM er liciffy required Ek If RPS fails. the 3o reactor witt be $#
~
rnaintamed
'W" subcritical by 3
W with SWS/SWE , injection of RYG,. M to Associated Heat Exchangar ;
" D Y
a , o u e S a f
; :o o
~
s g r. a 5 "
= O O O O
q p, t I \ v J % Table 3.1.2-8. ATWS Success Criteria Summa y information ha
==
Core Heat RCS RCS Pressure E' Reactor Suberiticality
- Corr ants =<
Integrity Relief l Removal, Early g m. WX Manual insertion of control VeW All SRVs Turbine Trip
- 1. Entry into the ATWS tree zw rods by operator. or and and assumes the reactor protection {g or 2 AFW MDPs PORVs n SRVs and m svstem fa!!ed. >$"
Emergency boration using or Must PORVs m one charging pump taking 1 AFW TDP Reclose 1 AF'W mM k Wid 6 th e 1;7 suction from boric acid or ( ee c mments for of th steam gensatom g tank, or the RWST 1 Startup FWP E ** 3. If moderator temperature i" discharging through the coefficient (MTC) < -20 pctn 'F EL normal charging line or the pressure relief required. [ safety injection path, and
- 4. If MTC > -7 pcm 'F pressure remaining at elevated temperature to maintain ca subcriticality. 5. Turbine trip not required for
{ low power initiators, or if MTC is very low.
- 6. MTC criteria apply to high power only. !
- 7. The number of SRVs and PORVs required varies with time of cycle and other i
$ conditions. See top event descriptions for the ATWS i 3 event trea. ,
[ "Except when MFW is availabfe. !
?
i 3 a z
? E 7
I o 3 5 a 1 n
C::v:r Vciley P; er St:ti:n Unit 2 Revisi:n 0 Frcbabilistic Risk Ass:ssm:nt Figure 3.1.21. Event Sensence Diagram Symbology h 9
,/
i INITIA11NG EVENT -ENTAf 10 ESD j h DE SCR!D11VE NOTES FOR SEQJENCE SEGMENT f VENT DLOCK WITH TWD OUTCOMES
/ NOT DEVELOPE 0 FURTHER s
TRANSrER OF SEQUENCE SEGMENT TO O ANOTHER PART OF SLOJENCE PLANT DAMAGE STATE ENDING SED'JENCE DEVELOPMENT SHUTOOWN OR STABLE STATE ENDING SEQUENCE DEVELOPMENT l\ TRANSFER OF SE0'JENCE SEGMENT TO ANOTHER EVENT SEQUENCE DIAGRAM 9
- 3.1 Acudent Seavence Dehneation
48 lith J- -
'll Eu 1
.%g s2P.S .j 5
() g % 9
,,....__....I""" Q BN! /, b! b I 4 l-z tigl 10 t: N,, n ; e
.. .. . . J . . .. I ..J isi {,I
! il -
u g l G,5 , Y r" "" "'I'~ ' I ia % ~i} 1gir t 4,
)g,.j..e p
I+ ; I I 5 ** 1 p1 L QU
. g z.
.m y =
u h.... .... y .. . t s t# s! - t* iagi I {a l s%e 1 = (rrrpjpp=1 5 QP $l 5
;.. .._... 9 .._.. ..>
,_...3..., ,,......_..,......,
5 r iM T i V r~~~"'1'~"')l E M..,..)::.:4:: g
~ ~ ~ ~ ~ ~ ~~ ~~
~! I ~ ~ ~
i I Qsj i J L f
........; ..._.................I_..]i..........;......_..
[sD 5 l!t
%l@I l x!!!
Vlit ll
% p.4
l [N - Reavsr Velisy Pcwsr Statien Unit 2 Revist:n 0
)
Probabilistic Risk Assessment - l
\/ ,
. I le g _.
4l s, _ . ,1.1 31 B
- e =
gl :* , k._) \
,- n !
I
. tE
' . si a VI APERTURE i h gll, @ CARD {i j :
E 8
'5 %
I' Also Available On y Aperture Card g I bgr 3 s (g hu
-"l- T4 DEI A gi 33 E- r
, ! g yd E Li h g Q3) y s y o A O I 4H r -i 15lt! il j' 'y. ! il
;g! j I Is [
5slP. lbil Pd 1 lxl. is - 1-p . Qll1
-(l1)!' ,
L.
- s. .. ..;
it
-l (( _
!"~~ "~ ~'
/ ) hO, [;
~" ~ ~ ~ ~ ~
. . _J f ! , .9. .. .d hE .
4 5
.9 920324,0307-6!
3,1-43 l
- c. -
e m-'P p-TM Py'T7
- 19'
- wt ' M
- c -.hW'NFFM?=4-9-9-W55 ' mew 9= 9= - P9 9waer w irr e&_ytA-+=we m =y3w p ie- e --we+- e e gF
4 % ,4@. 4 # A Al ,A-g- .M#4*-L-M r.M M* 4=*A v4M---.4AMh Je * . 4 .a-Me8 MSA ,f W e sALMA--4h-m4e
- 44AAdMb bhah*ai. 4m-..n. _-4.ta- adFe- U- E'4.4 f
b b [ %/ **umid . I z, e , , e . w- x !s 'N !a u u (e.g e-h ~ ; Ra.: QE " " gl5 gg N an a w
,............ ................. , r. .. . . . . . .. ,J ........... ,
6-p-. a - .! ,. a wsQem M $ gE
- glE i E@-l
- g"gns.
m l.gse.- s n
- e y
a l i E$ga
! gg g !a I- ..
i i e ! a N 1-
! . J
,.m.........................q I
_T, ; r
- i : ! E s i :m : Rsgh ~ .
~.
t ,b(lll g j L j s- , h hh esp , 5 s_
~. . . s y
! t.......... ...............)
(l s \ 3 l D" t . l
$ lae i ! e gil
-i
- ga!gn o-i
=
! l5e i, 235
~
i i gp
- t. .. . . .. . .. . . ! . . . . . . . . . . . . . . . .;! ! t k')
i i a 3........ ._ 52 s.a L : ._ %g [ !
- u- !am w s
-i @ -i g : :
gll3 -
~
-i
.e e j qlgj !
L....L:=SI . ............> [ ! u..................a
-! i
.o s/.
p-ab l s w- .- , _ , , , . . . , . . . . . . . , _ . - _ . . . - . . - . . _ , - _ , , . . - - . _ . _ - . . , .
Basysr Vallsy Pcwsr Statinn Unit 2 Revision 0 - Probabilistic Risk Assessment-f i t
, ,\- .
E '/ : N./ . a 3 >
] '
bg 0 - S ai 31 $ $t p M,> nr j 1 q _sperture _.etar r 2,
~ _ .
~ ,
,ll e. egg r;
.u -
s\ $ D m b' w k
- i, g:
ed as i, i ge A # ! lqlal g -lij$~ Ig i llgsgg lg i ;;eN@4!--4!!-) i i
* ' 4g Ia$s V
.sm . -8
! .8......................j U
e gy xq, . i s n ' 9 co b 9203240307-6L .5 m y l 3.1-44 c
]
'1stW aweie '.
I l 1 E i vi git A -
,e
. ad hd L = Nl-i
.i i E a p. .. . . .
l Ill : blR! 'l1 8d il,!!! en i . I'l. i Ig r I,i , in m.
!jt ae Ig rg Ig n
w
- p. y 7 tr-- --- - T-
g UV l W 3. .. i l . i p g 21 - g) e ~ f g _i :__b EI g i _d.I. "5d,! ___aI. 3
}I _I. h _
C. !L ;: 1 tr_ I pf!; ; = r1 = j ; ! !; s. , i .r. .J _. ; t . _. __. _; ; a i : _ L_ _ _.- .J 1 . + s f h,N ,
.d 5 8-
,, l m a
,e M
es bh ^ a b '
/ l.
g
.f-9
. e I
c . 6% , w 4 -. . . , . . . ...__.4, . .._.s , _ , , . . . - . , _ . . .
. .- - . . . . . . . . - . ~ - - . - . . . , . . -. . ..~ . . . . - . . - - . - . _ . - , _
- Bsaver Vallsy Pewsr Ststian Unit 2 Probsbilistic Risk Asssssmsnt Revislen 0 l / :- ]
S pt ! j [- l I. li n- - 8} i Oi O ~ E
<f _t. :!d- e pfpq /
8 - Bj.lll - ifI -! :;= kg j l,ig- j 4 l .. Vl Ogt I l-I {-
._. . T - '- -] i >
ge . 91
! g e t. - ,g/ . =
i - i -_. - _: g I
,l s y g-9.g N l
- g i O O b. . $ E:
E a
.s -
O
=
8 i 8 gi F-ggnTORF' Ch%D
}
a y Also Agabic On _. gprture Card o n Y a b a i: ;
=
(~ M
- u.-
L 9203'240307-o3 3.1-45
.bw...
mv- - ty e w r, e ~. .,.m..m -.w. , ,. w -.-
1jl l11l4I - ijjjfI;li i1 ! ! 4jiii' k /% s
\ 4 g
1 s t Mg gMe n Tr. N
!/O EP s
HPIqT es
- n TuC ' Io Ar Ag gJE. Tr TEM NA LRI O n.
FP Co M s
~ i
/[,
,.:::3I I .
C . s . 3 s TD . 3 E DTe s E Te 1 Z P ERcos R Stg e r ys DRT RIDC TU ASS MSS - E T s ILaT.
*Su fSeDs wEscs rA i vS R.R O
T E
. P
. E
. T 1S7 1
Rrr UCa T R A?D Rl/
" E 8 rP=s _ EAs PRt is *- s. t 1
t
+-
CPpT E A a
= Es
=WTt- e.m o
Ci 1t 4 P L1 OcN te D F tOA.A L es . 5 s_ fv M F s . Pt S - N , . I o . L si.i j i O , .!: 28$: C . .-. J. C . 3 . D . 1 E . E . P 1S F . E N .
. T TE C . S SP P . AO A 1 E D .
LY 5 4 R . 0 E . 4 TO E M AP 8-L F 9 . 8-
^
c . . M 5-
, t 5 9 . 8 e 9 .
!*J. 1
!!: Mi ::3.. ... .~
- $ :: .t4 o
sta eu D E S
.~
. 3s sy t .
)O MD " F O/
E.s L EV NE D'v P L
- 3 He T - .
. .T s Ie w
Lsp
. P S N 8T ES . . ROA .~ 1 f< . :w 0r.
. E nSE O D iN G . SO V . Q W- . TA 0 s.
NEE R T DEIYI TTFTT AAIFC ItT S RSA l
" tSM1I N
' f. sRPit p . s
. .jy e CPT R SL 3RO
.~~
L u. ~- CD.e> ~ PErnr
.es ,.
. DY eT Ce 3T A
. 1 AURFE i. A/t AA r . P M IO ATAus . .P 3s
. 4 ETEAJ PCYEN
. HD0' CE8 E.
HIu t C 15 R
. . T E S/FL Iw
. - SU<.se AT s
. M E E-e
. -4 OA/ I . /T1 . . .B . - IToe . Mr E
. M
. P 1A 5U 9
tA T
- 1. C
" T36 9 A
.ss.
.4 4
JHMY ATER TAPO E SPOP .
~
CCCn A P O T up s sT Acs
.. .. nr 7l oj
~
~
il!: j::L 7. f:E: L-- . r:II .:tiL G DN EI EL LO BO C R OD FE E DF T EC S> A 3 g/ \'
! ,l l j' .i !ll - illl' lI'Il
- . _.-_..m_..- . - . ~ ~ _ . _ - - - _ - _ . . _ _ _ . . _ _ _ . _ . - _ _ . _ _ _ . - . . _ . . . . _ . . . -
' .~m l
) . Beaver Valley Power Station Unit 2 1
,! ggg-. Revision 0 i
~=2 Probabilistic Risk Assessment k $fz _
o............, l k,,a
.-! EM 5
i -] i i 1 10, i
- -g .: . -l (X H i
8 E j !h 8p ! g E
!;I !_ .
3: _. . e$ i' I!ps i ' 4 l tg-$. -;-!- ji l'O e is g .
)
9
..a '
8... .f l 2- ! Z} [--r--;
- i. ga p! g.g f-w q
- i. i =
e ..., : I o ! e"., E i , i I E En , t2 " .4g EEf. gl"E E;5 g I* .-N
,5 w l iG l 3
- ii I i' { ab l \ T y
u...J l ll l . . ...J
! Ql ' =
a
- l. >
t;- .
;- l
. e e-3hX- I r
leess a '
- E-5:
- co +
\' f
.g
]
I s1 Ir - ig APERTURE : ;- g V CARD j ' Also Available Qn j; ! Aperture Card 7 , Y. s
- N 9
m 9
.. h
~
9 20 3 2 4 0 3 0 7 ~ 6'4 I' < , 3.1-46 c
= _ ~ -o r .-- .m. .....v-w -,,-.,,,,,,-~w >~e'm-v.,m..%, wow..v. ,-,w.-,,,,. ,. ,,,.wwy,-,-w , ,,-y p ww 9 ,p , . . , , ,
k
/
/e\SLg f.
.)
f N i
.lyl .r.Q s jr g
pj q Et / dy -- {- e. ,,f I ; II$ e l i . I,' ~ l!
!d' l i Il d l5 R-th H
~ -
I q v :: r: it Lig! il I : ; !: 7 ii ' 5 i _ -_ 4 ;T 1
=: j,pI:l!: :. ! t1
!= H L i i:
t, c [!. e
- r;i a rrp i.,
i i dl n ; gI 3
!4 r,
'I L;d:: i- ,lh
$ Bi -it spri lj: i-l-
,z!. f.: :::it 8, :: :
- i. : a: 4 y. . 1a
- ., . : r,.
- _ ; , , . l .- a I I l i - i
/-' :
i8 I[I-4 i Il [ N .
, f!
I s h:
- :: I i g i I II l g l ,
-- 1
!!.[ i 1 ;T i Ri n 5Mf' egg :1: a -q : :g 3
- e.
- i. s#5 pep lii i 0 55
- :__ [ rg i is i Ei
!d _: _ .: _: - ,
i:
- 1;p;I.Y ,th I:5, iib g~3 2 jjj i ij i ill :: Ililey tI j lI- rs j
!! l-l! -
' J
,^*
{ s I
J Bsavar Vallsy Pcw:r Statlan Unit 2 ; Revision 0 Probabilistic Hisk Assessment '
]
i e I y, j , t i
/ !- '
r Wl ll I
!- O [3 "
! !i
!L fig 3 !
x [ l l
. l-i i/ ( E E
I
- E
! i [ S' +
i i4.i l 1l- g i- !. I k j u i g;j 4 ; y! o e ,
-E t cr :,
SI $ ) APERTURE CARD " l -! Also Availabla On g . Aperture Card . t es N. ci u o
.'9 920 3x4 0 3 0 7 - 05 3.1-47
. . - - . , , , .-.m . _... ,_ . c. . . , -
7 em J4 +-eJA e. L n- d.Jh-X e4J.A s- - uu.a, l d/ .
/
\
. c-N b <{N -q n,
-t
)
.,-) .
# w_
^
sj
!'l G /
g
$ j j L
r 9 4 1.!
,v u
!4 ,i v
oa ! !- 1: igi
~" -
i: , -mg / t
~' ~~ ~ ~
~l n
t ri - iis.-- i , -- ir o {'
' ~ ' - - ' 'I '
Beavsr Vallay Powsr Station Unit 2 Resision 0 Probabilistic Risk Assessmant n N i
- s
& g
%- I b
a. m L 2 E 5 E l 5
?
- i. -
E a E SI $ APERTURE a a CARD Also Available On _ Aperture Card y N. M W en 9 2 0 3 a 4 0 3' O 7 - 0(o 3.1-48
-r,..,
. - - _ _ _ _ _ _ _____ __._____.__m______________ _ _ _ _ _ _ . _ _ . _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _
l
$ [ /
d o,/ e_ 6
- I :
. N
*R :
- 3 d l I 8 ib
- it, 6 a . . 3
- d$*f s l.
!? E" !
\[/ : '"
o : (' r E s- .- 5 5 i ! I 733 : 8 : N *gg8 - 2 :
- 5- g : "E,r :"
258- , . ,
-It:$4-l t
*dh :
ig
" : a :
4 a
" (
/r
- : i .
- : : 1
- n
- 18 : :
- : : 9 :
6.g :$ 8 8;n 35- "I';@$ - = i E y 8
.0.0 4 8 " i :
*$ "$E- i :
l l:a ig ; I,*53 a : 5d
- gg . : - *5' : : :
E (")
.c.
]
g
- o i'
i
' .. J i
a-
" ..............J l
8 l 3---~., ', l
- ;W : :d ,
mo : :
"E Eg : A : .E g*IE L" :
4o g.h,_g :
- : '"$ E"89 < : "$ '6*" b : :
c_ . "*"a .: _ L_ g
$:1 _" p _LRs t In.I : 1: 2'. L.9* gg; ~
- g. _::
~1Eh :
vi _.
- : >1 E gg : :. _ Ja.i g:; Et:bh :
y"h o
""h:5f. : E3 82, ; ;f [*h c " ? d% : .
- a:
ag92
)
' 7 t *$2 :
E1: : : (' V : : . .. . L................J
. ...........................J $ 1. .. .. . . .. . . J l m e.
fiillI fi Il l!i!1!ll!llj l1liI1( 1!!\iI!
- t } i,8 goa<t <S a< [Ee, t
)* u=E c2:: "
gmOCWrEEr'yE#>e0e*! T e
- e a oi&oo
;o
- i N
2 O I 3
\ 1 T
\
% S- CA*Z 7
\ E AI A R 8 OC S
L S TOmU Y RT R TS0P E NC0E FPCC W O L L E 4, V E L g A Z R P
\^ 2 t
N i I n T O U NS y E e AE l C CW LO l V a m R LP r L A e M S v a e 2 B r
- f o
YT A0a m C rad pre S S A a SAH RFVE RH r CS O D S g R I ZNL RWB POA OT r TLTVT AONAN RRE E ETVGV a iD PNN4 LTS AFE OOIL e L E C SJ c A : n I oS e C. I t A ; u q E
. ^
e S S 1.% ; > :5 ~ t
- E. _ n
. S TA A Ls .
m- e T i NIrtN v
. CRR PFASW E E PtO
. 5 P
EII NAA N N TuY D LHBoT >1MM .c "U )
. E ONT AH eE 4 T CDM I P I *3 L H O SG TRAL ES O >e ~*
- 1
. S. STC 1 INRVS f 1
SI OTO k. LIELE BGDAC o
. 1 RST ARAVX .
S
.. E ._
C E TAE E SHH >cc >s::y.:, : O=
.: 7
. 7 EC t r
l >o4E o O= c. a 8 * " P ( 1
. - 1
. 4 OL 2-EW 1
2
.- L V TE T 1 0-S 2
CA4 . ANE N0 f L . 8 9 T 1 MNL A- E 1 S f.S . . R0 OLS R R OTO
. P
. E I'97N f*
0 1 O0 NT3 TPE O T 3 $SSNS . T
. S LEC BM S~
HLF EH SE0 NZ1
- V e r
kSES AUo NE I i EPf. OI m DfNR . 1 TBT ST T S/ IGN ILR TIA / N u _ g I JI.P fSR S LNI E T ACTO TM . 1
- NI EIA (
SIA AST CBL AAI / 1 iF
. S .
TRN TM bCNC O E R . . SI M C w N k CC C C Q*O d~~ RC 1 SAI C 'OI TA -%
;; .: :'L E S
- EHA CM S
D i [ l YaA*
,i!;
il I(t(l lil 1 e
i
/
/
's.'3 JNd u g 0 g /. o
,$.1
. .",E .s <4
" h \* hd" Y
1V
< a W{gE o
- p. . .. 7.. ..,
,... ...,N.....,....,
7 ,
- : u: :: : -
- . ": E :: gg : f* .
- s. : 5: ;{:5 : : "r" ... K.. : "ggae
- . - . o -: . . < :-
o I'"g.E
- : : - I :: :; $ :
l : pg" : : y"l :: . L. W(0* L.......... .J '
..........J t .. .J D
E [) [gh 6-. 5 E 7"
! e-1 v
V t
= . ("a E ,4 <
1 ($T./ y d$* ) :
= g I h
".. l . . . , . . . . . ,,
,7...
g
*:: : I : : i -. : :
MI : : ; '; :* r.rba-
<.o83 : _: l_L. [.. : L:
l b i;!"d s : 5 : : : la obs : $ : :
- 4 I : : .
9 : 5 . .
'.... ..J l : :
. . .. . J t R
{ 7........,
>- l
*< g a '.g 9
>. .: I g :
/ y
- W3 _.
i"[ _L:.: C:1 m _:: _ . e-3 ...e $ " or "g 15, qd a 1:: *"I:s:: : 's -
$:5 g :i s[- -
,/
h xs
/% #,
, . ' 4 r o ;
, g ! ;! , ;. :,pii[I >' ;:it,t; a
.. D__un aw84H <gu Gg U" "IH- Be cEz M ' NEEo3
- 8 t s .
o'O7M7Et"g
- e" 2= w )peM##3wU.,
=
t . t.a 7
. aL hA C t _c
_C 8 Z t 3.C s o O
% .e E;- ts
\0 0 7pT 9 sT e.a C 1 oN o T,r .
Y C R.AOL .e
/ T~a
*/ T.O N
ewC
- =
T.A. 2 eu NT t i n U y
\ 2 l e
7L T-A e
^T l a
.kev e'
H8 T1 CS C R A-T 0eeT
.,RdCP P V N I2 r 6 >S i Ym N CL eB M
e 7TDN AIe o IS C e , 8 4 LT Ra Te a p A. M sLse s e LeN v LSe AP NHT ewe t H t eOtt e8O t e a IsL u Se gt C cSui P .vOP M Ts9 *p Oo M s NDe .A A TIOh E T uT e - i.O A AT pf AC IER AT e.V 1 A T T A fOAr 5 c R B Urt UN mb e*CO S. OE
. em l s
Tere TA Ee LW A.
- A O.C 1 T.eT s r TONA CC - Hs I NL OO O t C L - .
. A e- c o A _A CS C - E . "N m f I T e r a
.S
.P I
W r I
- ^ A s m C a
[_[' i ,- ' Tu v- ' oc.e 1 gj.1!t$t 83r. ju -
-e . i: j. .j mt r
g s3 j:8$13 3 5) l*3 .
. ~- Ts wo
\ a .
- . , :liA 8 iI
- - ~ eP i
1i
- s 0
we D
- e ,5 ~ . I . - - 1 os e re Av Tu1 m8 .
. ./EDHeT
.dLPe
.a 'f
- t e Y 49 .
9 1 e4 aoP0 re ost c n
'Sn B' . . - LA
.e gs s >
. P Aog 4
8a RG0 , M5 - ee penX - o .e Ps e 2 4
;7 osSeeO wIl nAt zrNfePs il AGOe TNTR 3IS u. g e
r c.P C s S A m SL i1 f p AN1L IITA AM g l" f
.u.U0 1 1 e.P<mi No mP t
f u q - A - t PSG g i eCFI s LD.IR It E PI o SPsS P k meAIP e ovAS EP T D sL
-, c aS 1 AS5
.eeF t
wRpA oEur . X!DD U0AN . P.EsHD
.s e
t 2 t N S e AO I - . . - PCPA 1 A9M 1 e,LL GTTC SO - . An R eCS e pRA free e le - e n,' P aA wC t N ei A T ,PsCutPNPA f e n
- - Pc 7S - I . . s D, e
D 1- e . I I v
- E
.- _. tL .
'-.. . l l i4
- .I j j L ii1f *II!*t
)
i 4 1 f
-r l $i L o mW '8 ysp 0N*3gWg a
0
= t r
a
- 0. %O P
( 2-s , 2 - y- ><tC. 'c o O3 1 t 3
., 4 Ca n a.4C- -
- e i u ig qCo F ACCoN1 C Duc - W~?8
.i
;. g*
; :ii' I; , . !} t* ( ;- , .h :1: v; ,i
' i i ,
r!'
'T- -
sO Ia I' ,;i 3 4 - 3
,VE
.RBF c O
- t. aLPY 7 S -E P OAE- 2 RSR O
A eIeCM T t P EOEU TTLTF A. w E A A = wCSto TETPD l T L UE0 ; N T OWTR0 S. E
- 4
=IVILNENE 4 IU Hs< b e CF?
N LDD 1 CIT oAAE - A-O T S I T SHU E Z I A /EES [
- R U -
E S E f ' " ES P T GE E T "" O ' O =.- CRR RE D N 4 PDP a EII s AR E"T I P SATA D P @AA 'D eE LG RlO i P _ W M DDJ . E ON. mP _ %)9 A N Ia A Tf iI f " TE S. CEE2K FTD 2 RRAR I T s. COT STP IM [ t PP rT O OF MN f . _
- W Nf 2 E 2 SAC sS- UI
/y% O O: Tt CT 4
'_ I D 2 i
'S EAD.N 1 RSO
- C T u' DA EC L C* s S d
'f
( O E E -L C ' ( " -
!T.
r{aD A 1 - ^ C C O D L ].8'! J , T S 1
-9;: - N.
.,l 2
,I3 M ! j C
]g 2 38li* i O
w L E L D T J NE
- OR I0 ' 7 5
H t _ 0 1
- s&
.2 1
MR A F .E - . . A OE
.PTT A 4 - T8F STi P Te RG 3 3
P OT Ss P OSS-D RFK A5 TE SRm s P INM LEL E b_.T U75ES ER5ON 4 1 I 1 sLA-: 4! IT t S EO tR TTsE ED EL T1EEE TM E E BD S eS
. T
. S NI EAR I )IT S nT NU O
I O@T TOA T l} S AUO TRT ST 2 P 17LA Os5A BE 1Q
'C0U R0G L. '1 {
2 SAP s e >s A esEO VR'C dSMBR --SD CE
. a O^ L, -- 2 WAPV CV 2 EEA . i S 9TO
. i DaLGM 1
ea tt , 1 OEDC PLNS A R A ER WI
.1
- -R
- I EDA
. S E
Tw1SP t> I PP 2. 1 UA-S-
. .E
.E U OA a$DPT C
. EE D .** _
- E OA P
s E S
.n _
. pg:.!:j.5M
_ . s ., i E g
.I'
- ~ -C
! i!
~
(g o .I!:j 4t i. A@I CAs I l O
- LNi W
- SJ TOW Ot Pc' O
CE 2
\-
-Q i S
E D
\*
?' T
/ 'Y
)
R T
, N E
-5l _ 1f .,
h
, he , ii j
*jl i !7!' i ',i ;J11: ,i !:, )ia i 6i j. t 1 jf! . 4' 9
(. ; -~ l T 100F/ HOUR C00LDOwN LIMIT ES-1.2 5"EPS 17,23' i NORMAL PRZR SPRAY RCP*S RuPMING' ,. NOT AVAILASLE -
- a. .
.I
[~ES-1.2 S S 18,24 - 100
--.I - DEPRESSURIZE i RCS w/ PRZR , !
SPRAY 1 PORY -i - - ' = l- OR AUh SPRAY I
} - - -
l. 1 6 : . a gy 1 > -= g
.PRZR REFILLED.. ! Om l LEVEL >145 7< +
-
- 3 08 4
- j. .
I y "t
! Es-i.2 STEPS <
.i, as-stas.. , .: ' !" "__
i REDUCE l 8 O
- ' CHARSING >NSI 8 I
- rtow wnIte - )-: -- --
MAINTAINING.
-~
- [- 5 IA
.j. O-4 I.
suecooLING i l': l 8 F
>ge
~ - L' .... 3 en = i l , . . . . . . ., IE ,g _ya. . 4 - i # e-D g
, I- LOCA IS VERY $ '3 E
- ti.e. e3 L
. I <3 e LIOUID- -: - - : 3 ; 4
! oR <1* stem ' : -C -
- 3 BREAf0- I 3o
&) I.- S X g L . . . . .. . . .3. .;..........i u
- c. . *-r ES-1.2------- ---------
TEP 34 1.aa ES-1.2 STEPS 11. 35
-To >
,y .>-
i h COPCITIDH S FNTnY To E5-1.3 I i , *M >M > i ', place RHs Is ? l
-d cootoown wrm tem roa com u a '-4 i g- :30 Gy
**J senvIce -: - sss to < toor - Rust < ec INCHES RECIm a a fIog
.j
.. g ;
O 3y l'+ l R.
- g E$ > W th y H >=*
L .........g-........2-
- i - -
9 g pf t o o E__- cC - h .- I wa *X . N 2 O' N . I D MINIMAL f4CE tE** STASLE OPf '! w Rave - - on ss s r
- s. O- :n :
u ,.
, s . .
< , /. 4 . v _
=_. . -
i O i r 3 ! f o ;f. ! s s i Figure 3.1.2-2 (Part 9 of.14). Event Sequence Diagram for Beaver Vaney Urlt 2- ; o
# ,. ._. ..wr- .4-.ma.w.,%..-.., .-,..u....m..+_ ._ _ ,--w% we-e..,, ,,w. ,,-m.- _w m...,.,,.y,w,--- - . _ , m _,e. 3... ,,,y.,,,.-.,w .,w .w .p , m w. m.m .-
d J
-e -. .
4 g 2 e. eg . i[ a
, G 1
a 1 i . he. g.- all 9 t V r 3-V. . s i - . . ! g O s-
- i!.
g!
.I.
=
..,i.
[IF t H : -g 4 _:: - n ya e : 1[45~ -"
- . u91 i l
- p j i s_ H" a. ! gh !_ ..
r g 2
-j ] <
-j- k 1 g - i
- 9
,r--- , , :
-.._1....
-:-- ~1f-. .T. :: -
- r----l
- r
- E :-
~
;d
.' 1 :" E : :d i.e :: :
[ggl --: E[E
; . 3 egai i.
c c: : : .- : i :
-- l -
- -. :: : :: s i.
- :- .: ~ : : - :-
. r' :
^
- 7 - :7 til '
9 l-7 - 33 -- W h { :-::.
'J{""il- -:: : .: -
- : .: t 1, 3 :- < -
- g'l a r
! y: y[ :::.::i ' [a[- : s' gg, :
- gy -
=
- " " ; : 0* - 2 l : l l l , ::~ :10 :: .
- l- - .
l l l l l l l l l l 1 J.'.._ J'~.-.J 1 . -.J ;- 8
.* a
.9 .
E
. x .I
- il 1, I-e: :> .
,,,a @ " C ~ , y 3
COU<G W .OW. xQEo3 o 5,. O TCD *.O FxS*#,O * $ E.a 2 t i n U y l e l a s E D V D E r E A *M O e FW 3 LE v s E M! VT f H 7H vT a e eT hs ER eR B uu DU DU PR F F T T r sN O N O N f o sE OHr t
/ m I - R _
a r o g
'*I,]
. a m
u- iD a N e v e o . T N se c w T t s
. e svP ae e .
SMD UOI MPT O I T 4Ns >1MnA'CXn t n e w t.M oR t erS .P l8o ePT t .
. sT A A
oTD ru o O ENC u I } .ET +6s eRi i R!C DPN T, H q l yC A !. I hAr sIO t e
. s. (ss sse uTR psi CC u4 S
. a. aaH . EC E Cc muP R OR
.t sPE a R R
P Cr yTo ><a:=p=X ou t n s
,C e
.e R > c 4 c C r'c 1 E v
s a .e 1
)
.Pt 4
.rs
' ] 1 s'/
. 5
- . 2 s .s
. a f
. P . 4u N o
~
ep . s. . E N 4 a O 4 O O l. s . T O 0 A e
.t- Ass . E T 1 T 1 1T.I
- Tt r
.a 0 I
A i H r QA jd. j
.e
.r oIwR ss P o eT a .
1 g sTe RfAT ELLe F UL g y s s ETs LAR TCO U I4 C.T F oL DTU E C A EGwG" LNs B1 A OEF T C 1 t r I' NT . 0s !. E. sDCP ORH T,R Tco itEF a I . . iw . 1 N LH M X V . . . O- AO2o 1 HI FyI sea CE P RCCc P C'l L C A A . . >uL . Ts e RCOe ( h[Gso r E T Ei T Ssr T V C . . . l A cNa t A . . . N f nA
. . RO O C ,.
2-
. . UT r
[
. T 2
. . . ER
. RO 1 V _ .
jI L 3 e r u
- g OMgC2 OCACUCNs ~Q fg i
F pa&"
. . ls l
lll' j jl 11Il]lijl '}) ll
.ll tl IJ R , .j;*
1: l;1:tt8] G N O3D TTE'
. S N I N . 7 . 0 Li .
O Y EpE . Cs . . tic . I T NAs . T PT I LuT SrR
. P
. E Ree vIo> EFE .
A ME AMO . T LCvP . e e . L J EW R LAH . s J tEP s . eN P . O IwS AA Tl IO! . P L AF A
.- J yME l., I AIs .
VEs eTuPP TT . I UO ADI
. t. -
r aR C . NAN . C T ! s sam a . OLE . E N @vT - TsF COH . R E . A S I SP . V T)CG HW . C . I . T ( E . E .
. \
',P(R P
A . L . g O . . c C . . o C u . ]1 l i-'- ' l, r a . J. g- Y hP . . . . jI ~ 1 l 3j C - ~ . . llg 1l
^
. A N
E
- f 4
- 3 D . . 4 G - .
F WET EB . . . . . s R - P D E 7 D
- YEee*A RI Cs . .s T 1
'l - E U ANbP UC R . . . HO P ,
M E T0 S DOT EDE 4 PNT RCuCI P P E S D E .E IwG CtN
. e tASs.T P .
E T F O 1 4 TAW A R RP I l' l y Er ZdE Iom SO FF P HA#Z T eat RtA PE/~ 1 FPI( R
.vAL@D
. p
. T e N DSImE ATA E L
!.1"'
s j S S
- IG
- A 0uO 6fT s MIR IT NC C ID .
NSTE3 .PT C RR
. s TNRaP T
PEDt
. t.
s O C& k
& 1, IU EWIP1 U*CP4 T4 0. A Ms P
. s. OV o C s - -
4 M 1 ME CUOO P8 C . i I A
. . t
- E D..
- . A
- PAT S
C .
~ . . - C rg3I! Aj!{
- C E
. A
. C
.e .
.e pyd
- j1l gt gjl. i 'I: tL S
E L 2 t e d P 3.h K t G8O t0 P SIfI \ - CM E RLLT S C T OA A EOI S T DL TT AYLU 9 O A 1, RLOC TML fLCR I EL 1 pA 4FC r
- OCRC HER A OOE LNI C LFR TAC E ERE RTR T
C N E S N O 0 1 WT E A I L FTU C(*C
/ AR sL!
soc DCE LCR 4I. k. l I ( l l i I' l llltlll! j',llI jl! l. il' tl
- 4
+_m ;m
*- -~ - ...1a , .. - . .
J Bsavsr Vellsy P:wsr Strtisn Unit 2 Rsvisisn 0 ) Prebsbilistic Risk Asssssmsnt- j 9
)
L
;/
/ .,
i 3
?
.b i 3 /N <
- . t.
i I , g kV b i D 'l -i b) : G %g/
.i 7
) . ..._,,
8 g i e si - i - I1 6
- i. : ((,li g
1-
! ElEll
! P. ~)
e a llh g
=>
1 i'h
$~ i inI a es:g 2 I5 n E$c ~
W
' Il i
=$
NJ d
;k) a gg t.
5.5 j m-g
- I i e ; a d ! EsE E i 5 E l, B a. i. i"g
- m .
B E-o G s es a. e- 1 /s# 5 g r
;i g- 2 .,
jga ipJ lI1 a 2E,.-
. vf5 ;\! l- }e s
'I i:; 2 "l.g -
4 1*,2 -'
,3 e :p . t i
. - JC I ~
m
?
E i
=
l' : l g: gy -. l APERTURE y CARD ; ~ t- - n - Also Available On E . Aperture Card a ; m - e + a
.e L '
o 9203'%4030.7-1( l- 3.1-53 L. [ .
.. i
e ~ k -- e % es A' V %w. - l
,e m I ~C 3 I d a F~ ff lg !Gefj i
. let m.4 4
l gj h ,- l j a I e -
< ll s
g Y, E /
,- g]
j
........s........
,, y n. g i jn! ,I ell !!!e! 5s -! .L l I l,l -
n r V ai r ir
! ..... ..r..... .j W y\
di NS l i- 8a: ri
! l gl --
- i:
/
a V li ! E i! i' i E W
......._,..J g
li (/ s
=
N
I Basv:r Vcil3y Pcw:r Stetlan Unit 2 Revislan 0 Prebsbilistic Risk Assessmint
/
<=
'N e A
E!
.- -. g- .
Ol t ; tlj 3 5- h il f!El1 l $
=
llkt.f lE'r[ ll!)fE I l .l II {' jf = <s'N " V s
=?
s i a 5' b O b! la: - all AI
)
8- .: l- I C
.- g-
=
\
SI 3 e f! APERTURE " ! CARD E 5: I Also Availabic On a Aperture Card .."g '[ i g 5 *
-_ ?
9203,240307-lL- 3.1 54 I t A %,. -ww
, , . . , , - - , -r ,-
jjl jl j l:i ], ilj,j Illl' l! g L fj O g - "
, 5:I
-
- i. 3I!*
. 3
.;1:
- .J.
. 1 .
\ . . . .
A Mc e3 .
. R5E . y h 54 I4L . r S 4 .
. 1 GsTR ( A3B . t Y M> f 3 E . 5A . s *DT181 83 InDJ .
d8L AFA E r 4 . DrE2 e D2IA , 1
- 3. e. TD !. g I- . 0 otLR .P L
.V l
~ 2- *gRAR . T- #' sTWMa
/ +s AO? . A .4 1o .
A T *. N
. - IFPUv klAD Rs D SCU A
- 7 .
. Tc_PTLu Sr F P
_ .. C 8 .
* . 3 A .,I':-lI.i _
. E T cl .:" . .
T T - g . . 4 g . . E C
- 8 0
* ; :t1
- g g
f T *
!J. 3
;a. . .
A . .
* .c goP R
y
- _TAF J . "
#D CE T
. - *S gns g \
- _ D04s .a ,~ T HfT
*d TR AU AT
- EF Mem
~
_ Tt-e s
.E W.j
.s T IMP >
LM R R' FF Msu L Tn u NL . Y Auep 3 1 ~ t 1e# l BI*I AARA L ER . R a. sp
- 0 S . Aa
. . O. TTT . .
Tsi
- rA v . . 0 ENE . . Ws i .
Ov 42 sTfsmo e 0 Ler
- 0r . EDN .
tac -
*- - P Pt e A CI . 'At
'e >%
ePT r
- aE d . . TS
. tE e" f
.C l
A
- r . . .
D
-
- Fu l .F . .
EL T S
. i* !I f i-. ., .
rI <'!- .
*- 16 ^
, . p
, - . I
. a
);:*
q.2e J. . J..
. 0. R N}
I o t sta
- N 0 .
P
. P P eC D . -
- .I A M SI
.p 3
Ete
. AE
. CT RsC DE TT T T
cC I-9 D.SA A S
.e WDD es
. EB OnIRP) . ET S WD 1
- R PO .Wv e .
. D 3 TeR5A v T 'riaD
- ST P Y I Rt L"1.L .
. R oCo' t .1
'r r
0 n
- . Eg RCO's .I. z...sy PdEa. 3
. TCEPE . l F. w-T eL bL
. T
. S A(TWs vV W r E.1 i
PcL A OME 2
. FDe RE 4- uU . U, s.E.C O DA T 0 P .t PP A i e C . , AJr eT .
P . A , C,tD wefDE t
. O 0 . 4- Ese u .
C TN L s R F J . mV L B A a . P P' I . N C Y
- 1 4~
t f 7*!:* **I13*L . S
* = .e A
V e~ r A . jIgL g j
- lfg3: L w
F A m I /
/ T
.S _ RR C uT _ Af A AA Tw E C0f L i PR A eH s 9 t DFv m,' T I
V sR sA Y 0,
-M tic PSE To A
o.C A MFR . tP TF . L A C O 0Cu AT CT-TO T I E fAA A e C S _ s s m
- g **
- o. "
Il.:! E -
]
.:t 1'j-j: ,j . l*J. 1 8
. ].- 31
- li.
D
. N B S I
. S T
. TE 7 S V / . P E AH . 9 P CD . E wT 5 OE
. HEMNEWL
. T E
ErAw NARP M1 P RSC TT W TPOA .' I ES YB L T T OMIR T 'i R = ST _F T a T A. DE 3 ,s. 9wP 11 RA AvTw C _ E s F t 4.T R . . *EOS AT I..S, RoCo e
' /
3 1 C 0.e- I0Z' P . 4 Lv 9 . CS . PCfP sM C RSRU.C EIP.
. A T;P3 aM3
. PE O 0 _ PFL DRE
/ F
.A*
yV R. . C
. E cU P
C Ea .A 0
. / U
.Eu C Si r
S E
.C
.C
;* 13 jIl hE T
.~
3Ij ( . L i a E mBD iOT F
!TN N
OTW W Of. S N4
*PJIT4 HEts P
R E W O 0.P CC A A CL EL 2 A 1 O
/ TF O
/ W RS TS NE EL i\ l.
l,I?l!. !l;
Bravsr Vality Pewar Stati:n Unit 2 Rsvislan 0 Probabilistic Risk Assessmerit -i
.1
-1 i
tg. n - nA l
-I i r-s :
j; -- lo i = gi s l p i B V V i h ! p.__ _.r-in
!I I 'E q
I-h.h I gII !I pl p-- - i-g :: q [ ..._,_...., p u ., A j; I o
+- -
v
$5 !
jkj. E I ! [ rir l 'si
- ll bg gr Lv jg gjil j g a? li l" !I
- _a ! b d 3 d .'.'....._.j L3 ._] O V E!
s 2 7 E: 2 E 2- ! O !
.s :
-O i
'e- ;
m h)
~~ c s
. i a .;
- . t SI' F l
-APERTURE y
._ CARD . !
Also Available On g Aperture Card {
- e. .
O a-9 2 0 3 9 4 0 3 0.2 ._ l 3 3.1 55 , tu '-Nw-' awi4Wr 43 e- + m - r
-' F e *w-1--
F # dnm- w- h%-* --- -4
---,----------.-__-----.----------------------------..__,7------ - - , . - - , - - - - - - - - - - _ - . - - - - - - - . - - - - - - .
W NN
/
N 9 /N g \. :": / d p....,......, l l ig i G E*
;4
- l I
- id !
6{h E
,j i
{'E: S
- - "l
'v-
-e : p- :
()
$m 5 . -
i .. . . . .. ...j r.........., 4 I d $! a ! b* : : agg Y I. i
- 1) .s .
g
'}5 y)
- 6 : 0 6
g V[ i t ...] d E
, !sg
- -sg3e
.z. h
- O 2 l .e pd[(p".
-v -
' 9e o ly1,.
~ies Iand 494.:svi - ds
- t.s 1::!=.L:n 8s .
e-n.8 -- ps s.g3:
$$4*
l.* !lark"n~.- e: . y \l~ I I"a l'gsL.g9I2lm:E""mA[J"ggBg + f .. .. .. _t .. ,
- . - - , a- .-.
W Gt
!. i. !.
- i. !.-
4 - e. go y Es o--
<': -i8i' !. g4 i ja ! i- Ed -i l-N 6 4
ink i i s,,e ! i
,l g .L * *
- D-- !
W M9 l ,- . . . . .
- - - . _ __-- - - _ __.---- - - - _.__ _ _ _ _ - _ w
d["'
~
T2i4I B Gea:<sSc G< M, Nggg c3
- M .,
3 2E.gs 5 o "UencMg.~ r . M 3g
'3
**g 3**d l
O M Y'
^
\
e t . . T UFE A so
- e. .
1 EITF T H 1O A T Y r C C- ^ T H rL D 1 .1: M11
)
FrT AIE ADT Ae Ev v J-N Is T sol e v"Y E N FnA s e* T O S T I se Te TrN Is5RTT3CrI A E e1E A_CA1IeM D PnT
~
T O T=Em%RCPm IWe
!TI2STsosM.
S= ST8E i -N ' T cT menty T :Tn 1 eOuI eATie A P /!D1 - ECsAYCmII s AmAA C MaRR E* I .rp>Ncv P* 7DS W' e E 4 4 e HPAPR3A e T eTS awfcSH M aATe i
- S.
*IA CAP v
'Y A
Ccs NT one CsE.OTaTox*TDTEni.s 1 LY gx $D a
- OS TrmeHmCDRIYCAcA Aa Z S Ne oNR VA L LNTA
- I -
c*IEOR 3 *Po CENEm M L AaweLMDRPWs Lr
- P q' PrTseTTPSTZT1Oc.Tu a
- 2
. s.
1
~ . C 2 *1 .fi:L i 1lI.
- ~ 2 Y' - t A
- T i
- 1 O n R . N
' P- ~ P D U e
w A,
' s LE LL
- AI 3 0 Y
N Y
/\ ~ ET
~ S
~. 4
/E TDs
.TAEs CAP i
/
1 W Y Y l y e A - LY l w 4F - Z OS a s-i t e- [ -- M I S .
. V v
lC -
. P
. r o.
a . *
. e s.
. v c r
't a t
f
-+ C 3 . . 133 [
oa ti - e
!t ' B 9g83it8t:1
- i. :
- i. -
1
~,,% pWa.e.CWm
.- r o
O T S
+ - 8D
. T O
4 TAD Y O;>- g f m M 3 5E . fRE ,KI rOS P s#L
' O
. 1 N D OPL 3
/ a r
y /v e5Os /E I SI < e S E p TDs - g H A - g uEU T u Cu- . TMF y
> $* y<,, dR O2 Y w rLL - E.
PE S TS i.l . Es 't N \ a, IR y y \ a NTA / Y WEH i i
=SP =A -
1 sARV sRES
. ' .. 1.
AP LY
.\ w TEO TT t \
- Q,o. D_
=IBLP 'U YS Z
R REC P OH .
.-.1
- I 0S s g LNS EO s. :
\ yCoa. t'.** e c
ML 1 A N U F
.' . RP g C n e
/
!s LE. ". .
L g, p 1,: .::: 31 * } u q 7' a .31M8t- . l - j -
- u *] ,.J.. . -
It! t I i. y1
- 1s.j!a.- .-- -
L t
. - . - n R . g S -
-.T e
'E
. O .
. 3 sR S g M -
O v
/I .- . 3 SL . P s . ~s ND / E PIT' T>R .-
~y M a =.Y /e-eML-i..y
.s f I
B u ES TDs - . . 4
- DU . u E . v V )
- ED g.l PEM- T
- i S.
Py Tx3 sAuE l.
~t -
CAP Es TA l
- v Y
1 4 sSL e '. 1. SAD sRT 1 sRHL .
.s
- s. Lr Qe e
\
.\
LU . aE O f WLW . . eE P
. Z P O ..
z S
. o PP .
. .Z C
N O C . R I
. .N
. P i
1 4 a. g, ll u--- t
*.t ; L tli ;.::t* L r j 1, :.G g .1*
a P ( 2-2 1 3 e
~ r
[* ' u g
@ w QC D g p C Q C N ,
- i F
a.a, *E l,
4 1% D T1 C Y3 R _ OdED R-TA T0R C0I NC EE ACS EBE RUD S F Y O .R TE SNV SAC OLC LOE CR t C
) :j*]
..!.1 5 .
4
. S mM A ER 2- ETO .
- TST .
E A A
. - LDR I.+ .
. a OEE .
. STN P ILE E UG
. T A
. S F .
. ' L; .
. E
*.:*; :L .
E MK AA EE TL. S M RT o UOA ET AO WRT TE FN tE SS 1 i. 3 3 A i'
) '
A C E C C E e D D T _ E R T R E D>- v R U O m_D n E Y OLE T0R _ STE T R R C0I m
- PR Cw I T ACS N GUU A :-S N E SRS ESE E ESE S RUD RUD S 1i S T>E F Y F Y _
C R O .R O .R AEP TE TE T@G SNV SNV M SAO S ISS OLC C A. OC _ S E LOE LM O R DR C P C
~ -
2 7 S K K. S. AI R W .E A IS OE EE . E -. R4L L RF .N V ELR S G EHSDB EAYWL
* .L0A S E KER"RI CSO S T//IA 0SP3V DH 7 OC NP IWSSL PPW DNP EAS LLLE R CPI A TMUOR t O P BCAH5 iI 2 C .R FUSLN F E JW8 D 5d I LSM T YE>& 1 P PEG IIN1N 4f E.D 1 MB.A. TLT PLA RVAD2 E MASS UI S. OLMT<
T RFI E RS E L D S
- j.: :i * .* :.*3 3: .: {..:.:::i::
L 8
- N 5 - O .
P M I T G.. E S OT ._, u C. F S
. T EMRC TOFA L O ()
$ A C G RORL S. AR T Ro % DT TTTA . S 3 LFAN E E .
E SYMES RO T FG EN
. 4 RED DIE) E
- O CI SW 6
TTG0 N S5 CD - 7 GSS YNLO g RONE TFRS IOG1 q REIL i! LI CED5 l
]
OTRE RFLS TS E OLAZ
. TNFES N E
Y( .F A R )0R SPN PU CR In. ] AIJ( RTTS ENPS PEU ODA O DS TMEA AARE S LFRL A UE jFTV EE 3 PLFE A R HO CP TO3 T R S. 3 I REUL 3 aOPE t A Ut - A . NS 4 - ETT MR E EEE E PSPT E . . C UA . .
. R .
.
- j : .'L
. :I : j '!. :. ::. .* :* j .: : i !
.l I#
It: aver Vclio) P :: r St:ti:n Unit 2 Revist:n 0 Probabilistic Risk Ass:ssm:nt SI APERTURE CAltD 4 Also Availabit 0:n E Aperture Card
- D O /\s !
5 I; d E h fi dgN tj$
- 6 I f4QEf f,_ _ $
a b .[ s g , EId Ig4 s eli 3 & l N i[ / o E6 I h I
\(' h
.. _ ,w .. ..,. Q = .: <
1 hj I3a
!!i ii7
- 1$
':n a .. du
$$jEI r, (J i
{. [I) I @si IQ l In h" g a 2 E a u iyc .E['g e ~!
@g :y$Eg 4
[. g~ gW$
$g!
h v> a n o :: : k.. s
?f" < .> <>
f b$b i g E id B j j > Br = :r. ::. . . . . . .. . j 1- o
,c --
}
l- , , , , ,,, ,,,l ; ; g l k Esg ! !! l i !$ , I $ a19 - 2. 8 hg jL [kE .!.S. b 9 I khg
-[x'N h n 2 :. g3 pk ..g o - $,J . 4 <
M ' "' # * :ij *f T I ,,6 ila .EE i li
~ pu ~~j
! i ((% T5 E
5 5 E p' k ':: *- ::? :Q Q -
- b ::
l
. I.
. J =-=. . . .. . e J 1, ,, , , . . . . . . . . . . . . . j i . .. .. . . . . . . . . j .................]
/ 3.1 57 9 2 0 3 z 4 0 3 0.2 - 15
. . . _ . - m-_ _ _ _ _ _ __ . . . _ . _ _ _
A# % ./" R e n$.,2.l / l, kj$ f, b.j _
's" {[
g3W x N
.J N ,
( ,- 4 U ,
? e k 2 q59 sp p'i l' !sE! Eh < s rd"p b- .
vl y i , , e a r
-y, .....,......,
etti . 5 j:: :
- t I:. !;4:
w{0
- 1. 1 t._) l, 1~::..
< 5,.
.g l'
g
* < i LAW E :.'l : .J IVf g gI t.24 k"3 WW g8 :
j' 6h E5 1 l
; : p q 3E *1 e l; 4
~ """" "" '
g d, . . . r .. ..,:,{} t i. : ,
- t Q
g r- r , ! ._ ! sp i r .;;.
- : : aps .!
4 r l f gg:5' :
! t,9e5t q : :
A i g V :- L A tg P.R i i t g p. 3 : [1_i F8 '4 5 .. p.ge > pu ig ; h; gg,sn :: _. = g
!! :sP ig [zp :: - et E : ._ (;:. )
g ~6; : :]. ._. sr . s .. S04 : n p ttp : ? IE% h:+- *: '1 ' .
.f NJ i; 8 ig a= .0 T.8 q ,g j gSg
_a g .a_ r:g{ j j g[_. - l.z_
. . . . .. a . ,
. u -
......J
. . _ . . .. J .
h
i l D :v;r Vcil:y P;w:r St:ll'n Unit 2 Rcvisi:n 0 ; Probabilistic Risk Assessment l
/
gpn ggi h-j Apr
.r!a . $n VI ,/ r a eg1 y h
I [E8h Es d I e EE
- t # ja e 5 l.
6lll e a St O APERTUltE i A Qll! 5 S j; c [gI f CAllD
!w! h"g -
~
.Id Also Available On f, [!eg Aperture Card a qb ,-
. a8 l
-r-d d
-} r e
- g. b d .j
' e M3 r!" J : sK
- 28. -o gj
- 9,.
aI "g 6 "p. .h'j! " s.9.I.65l h.U V rp .. ja ' E
- - ~
5 53] {f. h,tfj, Jr g i, {. f-i i1 Eu Qi is h ig N a, h;ir.is L r3i !. gi 3y s . (.*y y Qj (gg.b is,.3 fin l d ;;:-~ '- - J , 8 ~ V f 4, a LC _ _ _
=
g E I,g ' j g:l :.a.a,r- -- j-- 1 L.19$. i g'."$ l EjulEg
~!
g $EK:: m
- er
['I}:
,,5 sS$
tr- . a. yg $ .g ' & c a h Ebl
$}k35 z.g q
! P.!
- :- 5g "NEN ! Y gf lD'l h.t,ar s h"3.,,
E ch h n !!
- -- EEIaLg!v
-<je s
g.: e :R:
- - 2
- [f,Rj : s [Gg,i.
or E [{.pI
- ' e
.3 p: 1 g th. ra ft x g!:h gf p5 g .g. . y ';
.e sr .
- t: : ca a. et.J t.. . .x [p{"
3 E- t... e >p g
/ t-
-J
- , .j . .4 4g _
, {.
l . . . .
.h E
, ... , Bh a;n . b a";" :k - r- , ,d y 3 '
'. . : *8 / :8 74:
- 6 s
.th .h 5 *
/ :: eE- El EIfL X '! g$'! ' h"EE;: ! } g6C4 ' gl,aa
- a: . * . . g d : -- i: p[?J"dg r : "t: gg^? :: m ." &p
- +
(.a: at a
. if.a:. ..(-
gLTD ed et i .k M }h9d6 ! b'! l $$' H . : rat :
.ig:'
J: .fM a.
. .J . . .J 3.1 58 9.2 0 3 z.40 3 0 7 - l(o . ,
a j la m- +--A A .a _____J. .Auu -._, -4A- --J- J -4" - --.--s-- -
?
b 4 g a Q'x M O 8ri 6 9
^f , / en a 4 t 8 (s.N. s 2 E
x
-s Y
g (' W t g. .. . . . 3. .. . . . . .q I...............,......... i i ! : "l . gb.E I hggEE ! : h3 Uhg ! Ej@a Mag ! --- i
-l ek, i il tilj"
.i &
i-i e6 !
...........".........J!
kM i L............. '........J el II a e B Se a% ' 5 n8 p-a @1= gl Wgg) a( sg a n " y ,.4.....,/
- -; $...........,......... ,g' T atU} -l : ! .. S
. .. . . . . . ., ?
- O afhd.
'E : 8jEo
_ .. g.- l 10 Oh'!! v Y'h
- ^
-9 R $, 9:' 3.Wa d : va gu $l :
@ N?: t J P l-xs: 55 ll : ~m @a :--pg?
- : :' "Rn:'gBsg s
e
?gs: [ BED l:!!',g h, GI g >?.,! 5 d
8 " $5 d! N N Nh l :! 7 : - ab.;1
? 4 hJ:e lgb :!
?
t.................; : : -: : L ......... ... .....J J.... ............)
- , . . + ,. , .., - . - - -, ,- ,, , , . , -
Beav:r Yciby Pcw:t St:ti:n Unit 2 i Probabilistic Risk Assessment Revisi:n 0 ' l l E 2 cm 8 E SI APERTURE sk{ CARD y O Also Available on lb i
- Aperture card $
i n 5 I"5 e, a /% s a 5 i glii & Eg d u I F jE $' & {I ) 'w/ 9 20 3 x 4 0 0 0 7 17
e isss ach
<: i x
p'N.., b { Y,L 4';
,_ _.q I !
5 p, [, i ...l, s-lr i N _ _.J
- l--,
En,i-in
'?['E'7 st, no h :-
f a- fkto , sa bb( y ty
, .=n
/ s i hg f '" .
t..I ,[ [~~h 54 4;d, 4 1 11,4 -- e
, d[ > 4 y;[p
- i ; i.
LH fie ; i ,J r-~~E-r5 i 7-.--! - g p;=1=-y Q ': i: : at : wi g#g r- iiq!-!,-!,gl[!.fg-IIg f ![!~if
- alli!
V 1 J L . _.. .~.....; i. i f... _ _ 7, r e j k ! O 4 [7" e .- 1 .
~"-~]. [' g ,1, [~"
"] j' %e r
- 1 ii p ii q t! IN 1
2 E*hI i i pi: .
!jHeS!!ri ltri: i,l ,,ger a:iti. .:li ipa -i - ~!,r!
4 . V i.. 1 eS. i b_[B l _ - . _ .
- t. _. . ... .;
~-
t..._.. ..-..a
-- ~~
=--
Bssvar Vcllay Pcwsr St:tisn (Jnit 2 Rovlsign 0 Prchsbilistic Misk Asessemsnt g ;
<N: s
.:j3 . J j N/ ,
ll g 'i l di i _ . ._!!_ .. ._ .! L--- J [ ], L_ !i.
.a
.Tq
- e. ,
M b,
.E' i
3.1 60
- 9s03z403.01 Q ._,
w,.~r . , _
_ _ _ . _ _ _ . _ _ _ _ _ _ _ _ _ _ ~ _ _ - _ . _ _ - _ - _ _ _ _ _ . _ Beave r Valley Power Station Unit 2 Revision 0 Probabillstic Risk Assessment 3.1.3 Frontline Event Trees The Beaver Valley Unit ? ESDs were described in ino previous section. The events enclosed by dashed boxes in the ESD are modeled as tcp events in the frontline and support system l event trees. This section presents the frontline event tree top events for the general transient /small lor'A event tree, the medurn LOCA event tree, the large LOCA event tree, the excessive LOCA event tree, and the SGTR event tree. The ATWS event tree top events are described in Section 3.1.4. Sper'.al Event Trees. The support system event tree top events are described in Section 3.'.5. The general transient /small LOCA even: tree is used to quantify all the initiating everns in Table 3.1.11 that are not otherwise addressed by an event-specific tree. The procras of tailoring the general transient /small LOCA event tree for quantification of each of the initiating events is discussed in Section 3.3.5. The event trees referenced in this and following sections are all drawn in the sarr.e tormat. Branches that go straight across sigmfy that the top events along that path are successfyl. - Down branches sFgnify that the top event, under which the down branch is drawn, is failed. This is referreri to as the " wind swept" approach to event tree drawing. The dotted line shown under Top Event SE at sequence 10 in Figure 3.1.3-16ignifies a transfer to another portion of the drawing. This sequence transfers to substructure X2, which is shown along sequence 8, also under Top Event SE. Use of transfers allows the analyst to depict large event irees in a campact form, which takes advantage of repeated substructures that appear in the drawing. The 34 branches shown in Figure 3.1.31 actually represent 818 sequences when tully expanded. The dotted lines signify that a transfer is to take place. and the transfer name is lis'ed just to the right af the reduced sequence number. 3.1.3.1 General Transient /Small LOCA Event Trees Tables 3.1.2 2 and 3.1.2-3 summarize the system success criteria needed to ensure each of the key safety functions for the generat transient and small LOCA initiators, respectively. More details concerning the syr, tem success cuteria are provided in the top event 1 descriptions that follow. To simphfy the model preparation, the general transient /small LOCA event tree has been divided into two parts; i.e., the GENTRANS and GTRECIRC event trees. Both the GENTRANS and GTR2 CIRC frontline event trees are used to quantify each initiating event category that uses the general transient /small LOCA system success criteria._ The GENTR ANS event tree structure is shown in Figure 3.1.3-1. The GTRECIRC event tree , structure is shown in Figure 3.1.3-2. For convenient reference, Tables 3.1.31 and 3.1.3-2 summarize the top events that appear in the general transient /small LOCA event tree models. The following top events make up the GENTR ANS event tree, oTop Event OT - Operator Act!on To Manually Trip the Reactor. This event models only the operator action to manually trip the reactor from the control room. The equipment needed to actuate in order to trip the reactor is modeled in Top Event RT. This particular operator action is separated to enhance visibility and to ensure that subs 9quent operator actions along the same sequence (Top Events RI and OA in the ATWS tree) are made dependent on the status of this action. On slowly developing sequences, manual reactor 1 trip may occur prior to the automatic reactor trip. For the PRA model, the manual reactor trip action is conservatively quantified atiif all sequences are " fast"; that is, the automatic O reactor trip signal fails so that manual reactor trip is required. The allowable time for manual reactor trip is further limited by the most limiting ATWS sequence: 1.e., one - initiated by a total loss of main feedwater. Top Event OT is asked prior to Top Event RT in 3.1 61 31 Accment Se@ence ochneaSon.
Ocev:r Vellsy Powar Station Unit 2 Revision 0 Probsbilistic R!sh Assessment the event trees to facilitate the quantification of Top Event RT, which is conditional on the status of Top Event OT.
- Top Event RT - Automwic and Manual Reactor Trip. This top event considers the automatic reactor trip system function and tha backup operator actions to maaually trip the reactor. The backup manual actions are accounted for by evaluating Top Event RT conditionally on the matus vl Top Event 07. Success of this event requires that at least t of 2 reactor inp breakers open (or the initiator is a loss of offsite power), and that 47 of 48 control rod clusters are inserted into the reactor core. This assumption is conservative because, for many times during the operating cycle, deper: ding on the particular accident sequunce of intemt and on the particular arrangement of control rod clusters that fail to insert, many more than one such cluster may fail to insert and yet the reactor may remain subcritical, Major equipment modeled in this top event includes the undervoltage coils, shunt trip coils, reactor trip breakers, and the control rods. Successful operation of at least one train of SSPS, manual operator action to initiate reactor trip, or a loss of offsite
' power is required for success of Top Event RT. Failures of Top Event RT are considered further in the ATWS event tree (Section 3.1.4).
- Top Event TT - Turbine Trip. This event models the likelihood of the turbine to trip following an initiating event. Success requires that all four steam stop valves or all four governor valves must close. The signal to close cornes from the auxiliary contacts on the reactor trip breakers, which goes through solid state protection system (SSPS). An additional turbine trip signalis provided by AMSAC, which does not go through SSPS. No credit is given for the AMS/,0 signal except in the ATWS event tree (Section 3.1.4), where reactor trip fails.
es
- Top Event MS - Main Steam isolation, This event models the successful isolation of the main steam lines by closure of at least two of three MSIVs. This event is of interest for steam line creaks inside or outside containment. Failure to isolate implies that two or three steam generator inventories blow down to the atmosphere or turbine building given a main Fleam line break outside containment, and into the containment if the break is inside containment. Failure to isolate at least two MSIVs is assumed to lead to failtro of the turbine-driven AFW pump due to loss of steam pressure; i.e., failure of two or three MSIVs to cinse is conservatively modeled as if all three failed to isolate. For steam line breaks outside containment, MFW is conservatively assumed failed, whether or not the MSIVs close.
For initiators other than steam line breaks, the status of main steam isolation is only of interect if the turbine fails to trip; i.e., it is assumed not to have an impact on subsequent events. Failure of both Top Events TT and MS (i.e., two of three MSIVs must close for success) leads to failure of the turbine-driven AFW pump. Inadvertent MSIV closures are not considered here but, rather, in the definition and frequency quantification of initiating , events that involve such events. For large steam line breaks outside containment and for turbine trip failures, failure to close two of three MSIVs may potentially result in recriticality, as the RCS is quickly cooled down. This concern is not modeled in the event trees. The frequency of such sequences is low, and the impact of going recritical is not expected to alter the success
- criteria for the mitigating systems. Similarly, for a steam line break inside containment l
with successful MSIV closure, but with failure of all HHSt, concerns about recriticahty j were not modeled in the event trees for the same reasons.
- Top Event AF - Auxiliary Feedwater System (AFWS) Provides Flow from One Pump to at least One Steam Generator. For success of Top Event AF, at least one pump is required l
l- 3.1 62 3i Accent Sequence oe.ineation
. - . . - - - . _ - . ~ . ... .-
Beavor Valley Powsr Station Unit 2 Revision 0 Probabilistic Risk Assessment f to supply one steam generator for 24 hours. Each of the two motor-driven pumps and the one turbine-driven pump is headered to provide flow to any of the three steam generators. The AFWS is demanded by a safety injection signal, loss of MFW, or low-low steam generator level signal. Loss of power to at least two RCP buses will demand the turbine-driven AFWS pump. Following an initiating event, wh;ch involves loss of MFW, the motor-driven AFW pumps are actuated upon the trip of all running MFW pumps via hardwiring through a relay. The SSPS is not required for this to occur, in the imtial PRA model for general transient /small LOCAs in which reactor trip is successful, credit is only given for inose signals thLt go through SSPS. The turbine-driven pump may subsequently initiate from low-low steam generatar level, but this signal was not modeled. This top event includes the required valve position changes, pump starts, and pump operation to provide flow to the steam generator by taking suction from the primary demmeralized water storage tsnk (PDWST) (2FWE*TK210) or service water system. It also includes the equipment and operator actions needed to provide long term makeup from the domineralized water storage tank (DWST) (2WTD TK23) to the PDWST, The principal mode of makeup to the PDWST is automatic using a modulating supply valve (2FWE LCV104A) that passes up to 200 gpm flow from either one of t.vo 350-gpm-capacili domineralized water distribution pumps 2WTD-P23A or 2WTD P238. The second source of makeup is through an 8-inch line that feeds up to 585 gpm to the PDWST from the DWST through a normally locked-closed manual valve. The valve for this second source (2FWE*1165) must be opened before the PDWST is depleted, approximately 6 to 9 hours after pump start. The PDWST must contain 127,000 gallons at a minimum, per plant technical specification ls. Service water would be used only if no other source of water is O available, and PDWST level has decreased to less than 25 inches. After reactor ti;p with . MFW available, MFW regulating valves will close on low T,,,, and feedwater continues into the steam generators through bypass valves, which are only 10% open. Ttis flow through the bypass valves is insufficient to prevent an automatic start condition for the AFWS if the operators have not already manually started AFWS. Thus, AFWS is modeled as having to start following every plant trip. If the MFW regulating valves do not close following a plant trip, excessive steam generator cooling would occur. Once T,., dropped to less than 547'F, the operators would reduce feedwater flow and, evemually, manually close the steamline isolation valves if the cooldown continued. Once AFW flow is activated, bo',n main feedwater pumps would be stccred. Given that the MSIVs are closed (i.e., so that the condenser steam dumps are not available), decay heat may be removed by AFWS using one of the following sets of valves:
- Steam Generator Atmospheric Steam Dumps (1 of 3) (nominally set at 1,040 psig)
- Residual Heat rtelease Valve (manually controlled)
- Steam Generator Safety Valves (setpoints range from 1,075 to 1,125 psig) (1 of 15)
Historical data and previous analyses for other plants mdicate that the failure-to-open frequency of these valves is sufficiently small so that modeling the failure to open of all of these sets of valves is not required in this study. Failure to act ieve at least one steam relief path for DHR will not be a dominant risk contributor. Therefore, to simplify the model, such failures are neglected. This assumption is even more valid if the MSIVs are open, and if flow through the condenser steam dumps is possible. For steam line break sequences downstream of the MSIVs or for turbine trip failure sequences, the analysis considers the unava; lability of the affected steam generator's
-ability to supply steam to the turbine-driven feed pump. If the MSIVs fail to isolate (i.e.,
3.1 63 31 Accment Sequence DeMeeon.
B::v:r Vcli:y Paw:r Station Unit 2 Rsvision 0 Preb:bilistic Rir,k Ass:ssm:nt Top Event MS falls), the turbine-driven feed pump is unavailable due to the loss of a steam supply. Failure of this event (i.e., Top Event AF) is modeled as placing a demand on the condensate, MFW pumps and valves, or stariup feed pump and valves to provide steam j generator feed flow. This modeling is consistent with the sequence of EOPs E5-0.1 and FR H.1 for loss of AFW sequences.
- Top Event PR - Pressurizer PORVs Are Challenged and, if Challenged, Pressure Relief is !
!aolated after Challenge. This event models the RCS pressure relief function. Top Event PR is guarantead to fail if the initiating event is a small LOCA. This is how small LOCA initiating events are modeled using the GENTRANS event tree. Otherwise, at least one of three pressurizer PORVs, if not isolated by its block valve, must open to relieve RCS pressure, if a challenge occurs. PORV trains that are not initially isolated and therefore assumed to have lifted must then either reclose or be isolated. One PORV may hft early to prevent challenges to the other two, but it is assumed not to relieve sufficient pressure to prevent challenges to the other two PORVs. If all three PORVs are challenged and fail to open, success of this top event conservatively requires that at least one safety valve must open to prevent overpressure. This is conservative because the safety valve setpoint is 150 psia higher than that of the PORVs. The automatic closure of the PORV block valves to isolate a PORV that falls to reseat (i.e., on RCS pressure less than 2,185 psig) is modeled. The conditional frequency of the leak rate through a PORV that fails to reclose being sufficiently large to cause RCS pressure to fall below the block valve isolation setpoint (i.e.,2,185 psig) is assumed to be 1.0.
The analysis includes the successful reclosing of all PORV(s) and/or safety valves after the challenge, or alternately, the successful automatic closure of the block valves to isolate the pressurizer PORV relief line(s). This event includes the conditional probability that the pressurizer PORV(s) are challenged during the sequence. Four situations are considered separately: simple reactor trips, events involving loss of normal pressurizer spray or steam generator steam dump-or turbine runbacks, loss of all feedwater, and inadvertent safety injection signals. For simple reactor trips, a small fraction of the sequences may lead to the need for pressure relief. The conditions in which simple reactor trips lead to RCS pressure relief challenges are not well understood. Others have tried to use historical data to infer a challenge fraction, but the collected data are sparse, instead, for Beaver Valley Unit 2, a simplifying assumption was made. Sequences without a safety injection signal and in which normal pressurizer spray is available (i.e., the RCPs are running) are assumed to not require pressure relief. Sequences without normal pressurizer spray or steam generater atmospheric steam dump (e.g., losses of offsite power, loss of primary component cooling water, and the loss of all primary flow initiating event category) or with failure of all three steam generator atmospheric steam dumps, (i.e., loss of emergency AC orange or of vital instrument bus red) and condenser steam dumps, or sequences with turbine runback are assumed to require pressure relief. It is assumed, for simplicity, that any plant trip followed by failure of all feedwater (i.e., both AFW and MFW) will eventually cause a demand on one PORV, which, due to repeated cycling, is assumed to fail open. Non-LOCAs involving a safety injection signal are not assumed to pose an initial challenge to the pressurizer PORVs. The operator action to control charging following an 3.1 64 31 Accioeu seauence Dennenon
Banver Vallay Power Station Unit 2 Revision 0 Probabilistic Risk Assessment inadvertent safety injection signal (per EOP ES 1-1, it should take less than about 4 minutes) or following a safety injection response to an excessive cooldown to prevent a subsequent PORV challenge is analyzed in this top event. Failure of the operator to terminate the safety injection before the pressuritor filis is assumed to lead to a pressure relief challenge in which the PORVs must pass water. In the event that both instrument air and containment instrument air are lost, which prevents the estabhshment of normal leiduwn but requires continued charging for RCP seal injection cooling, the operators will follow OM 2.34.4.AAC for loss of containment air and control RCS inventory using the fiU header or bypass valve along with excess letdown or using the reactor vessel head vents. There is no need to consider a challenge to the PORVs. The opening of the head vents for long-term RCS inventory control is assumed successful fcr such low frequency situations. Fallure of this top event is treated in the remainder of the model as a small LOCA; that is, it is assumed that failure to isolate will occur in only one pressurizer relief path.
- Top Event OF - Manual Actions To Reestabilsh MFW, This event models the operator actions to reestablish MFW following either a partial feedwater isolation alter a simple plant trip, or following a safety injection signal that resulted in a full feedwater isolation. If
- the MFW pumps had to be stopped to terminato an excessive cooldown, no credit is taken for this action.
If AFW is insufficient, the operators look to the MFW equipment to provide flow to at least one steam generator through either the feedwater control and regulating valves or the feedwater bypass valves. Should the AFW fail to provide sufficient water and MFW pumps are still operating, then EOP ES-0.1 provides for supplementing flow from the MFW pumps by opening the feedwater bypass valves. If MFW pumps are not operating, then EOP FR H.1 is entered. Following a safety injection signal, the ruactor would trip, and a feedwater isolation signal would cause turbine trip, close feedwater isolation. valves, control and regulating valves, and the bypass valves, and would shut off the startup and MFW pumps. The turbine would trip, and the AFW pumps would actuate from the safety injection signal. If pressure in the containment rises above 3 psig, the MSIVs would close, isolating the steam ilnes. EOP E 0 instructs the operator to verify and close all feedwater control and bypass valves, and to stop mamfeed pumps as required, following a safety injection signal. These equipment responses are assumed to be successful because they lead to a requirernent for subsequent manual intervention in order to reestablish MFW if AFW falls. If MFW pumps are operating (i.e no safety injection condition), the modeling of this top event evaluates the operator actions noted !n EOP ES-0.1. Although not specifically spelled out by procedure, the operators do initially trip one of the running MFW pumps. The MFW pump recirculation line only opens following a plant trip if one MFW pump is not running. By tripping one pump, the recirculation hne opening permits continued operation of the second pump. This action is assumed to be successful, so that when evaluating Top Event MF, only one pump is initially operating. If MFW pumps are not operating, then this event models the operator actions noted in EOP FR H.1. Functional response EOP FR H.1 provides the steps to recover from an initial loss of flow ( to-the steam generators, given that AC power is available. The procedure calls for restoration of secondary heat sink in the following order:
- AFW, 3.1 65 3i Accident Sequence Dehneation.
l
B:cv r VoMy Pewsr $tstion Unit 2 Revisl::n 0 Probsbilistic Rick Assessmsnt
- MFW by using the startup feed pump in accordance with OM 2.24-4A (preferred), or one MFW pump.
- Condensata system into a depressurized steam generator.
- Bleed and feed, if a safety injection dignal has eccmrect the cpcmtora must reset safety injection and the lecawater isolation signal in order to reopen the feedwater isolation valve. T her.,e isolation valves and the feedwater byoass valves must be opent d to allow the startup feed pump, MFW pum;is, or the conk nsato system to feed the st .m generators. As a simplifying approximation, the model conservatively neglects the potential of achieving flow from the condensate system it ough a depressurized steam generator; i.e., given that both the MFW pumps and the startup pumps are unavailable.
- Top Event MF - Condensate /Mainfeed/Startup Feed. This event includes the ability of the main condenser and the condensato system to provide sufficient flow and not positive suction head (NPSH) to either a MFW pump or startup feed pump, and the ability of MFW pumps or startup feed pumps to provide flow to a steam generator. Failure of condensato precludes both main feed and startup feed flow to the steam generators. The condensate system is not available if normal (nonemergency) power is lost. As the individual causes of events included in the loss of MFW initiating event category are not easily. identified (i.e.. sufficient to know whether the availability of the startup feedwater pumps would allow quick recovery from the initiater), the analysis conservatively assumes that Top Event MF is guaranteed failed for total or partial loss of MFW initiators.
The condenser hotwell maintains a water volume of about 71,000 gallons by virtue of a gravity feed line from the secondary turbine plant domineralized water storage tank (TPDWST; 2WTO-TK211), assuming condenser vacuum is maintained. The TPDWST contains 200,000 gallons. To achieve a continuous supply of steam gencrator feed at 350 gpm for 24 hours, either the MSIVs and condenser steam dump valves must be open, or a makeup supply to the TPDWST must be provided. The TPDWST is filled from the domineralized makeup system. Upon low level indication. the fill line Invel control valve is actuated, the level in the TPDWST is indicated, and the low /high level alarm is experienced. For simplicity, this model assumes one of four success paths:
- 1. Makeup to the TPOWST is provided fiom the DWST (2WTD-TK23).
- 2. Makeup from the DWST is supplied directly to the condenser hotwell.
- 3. MSIVs and condenser steam dump valves are opened before de 'etion of the TPDWST.
- 4. Feedwater flow is successfully con: rolled to match decay heat so that for 24 hours even without makeup, sufficient water is available for condensate pump suction.
The analysis of this top event includes only the failure modes involving the equipment mentioned. The operator actions to realign MFW after trip are modeled in Top Event OF. The equipment response modeled includes success of the condensate system, that the feedwater isolation and/or regulating valves are opened, recirculation valve 2FWR FCV155 and startup feed pump injection valve MOV152 are opened, the startup feed pump or one MFW pump starts (DC control power supplied from a nonemer0ency bus) and runs, and the startup feed seal water pump starts and runs. it needed. 3.1 66 31 Accent Sequence Dehneate
Beavor Vall2y Power Station Unit 2 Revision 0 Probabilistic Risk Assessment
- Failure of Top Events MF and AF is treated as a requirement to establish coolin0 via feed and bleed. Therefore, the operator actions to restore adequate MFW finw must be accomplished prior to the time when feed and bleed is to be mittated; i.e., < 8% wide i range level in at least two steam generators. The model assumes that the RCPs are l i trapped !n accordance with EOP FR H.1, il both Top Events AF and MF are unavailable. i
- Top Event OB - Bleed and Feed Cooling. This event is queried if no other sou ce of secondary heat sink is available; i.e., Top Events AF and MF failed. The operator actions considered in this event are in EOP FR H.1. In particulat, the operators inmate safety injection, open the PORVs reopen the PORV block valves after their au!cmatic closure, ensure that at least one pressurizer relief line flow path remains open, and verify HHSI pornp operation. If the PORV block valves were initially closed prior to the initiating event, then power must be restored to these valves in order to open them. Following l l ablomatic closure of the block valves on low RCS pressure, the low RCS pressure block l
, valve closure signal is defeated by arming the cold overpressure protection signal, and . 4 then the valves are reopened. To extend the time available to initiate feed and bleed cooling, the operators must have stopped the RCPs earher, in accordance with EOP FR H.1. 1 Hand calculations based on pump capacities, decay heat levels, and pressurizer PORV relief capacity have been performed to investigate the success criteria for feed and bleed coohng at Beaver Valley Unit 2. These calculations are docurnented in Reference 3.1.3-1. It was concluded that for Beaver Valley Urut 2, one HH5I pump with relief via one PORV train won'd provido adequate core coolmg. Furthermore, it was concluded that only one 4 cold leg injection path is required to provide sufficient flow. Failure of this event is treated as a complete loss of reactor cooling without the possibihty of depressurization for 1.HSI prior to core damage. In addition to the operator actions, the equipment that must function to provide at leaste one pressurizer relief path (i.e., the PORVs and associated block valves) are modeled in this top event. The HHSI pumps are modeled in Top Event HH.
- Top Event HH - High Head Safety injection Pumps. This top event modets the two HHSI trains with pumps 2CHS*P21 A and 2CHS'P2tB. Success requires one pump train to be operable. The third pump, 2CHS'P21C, may be electrically aligned to either or age or purple emergency power, if either of the other two paps fail. Only two pumps at a time.
however. receive an automatic start si0nal. Pump 2CHS*P21C is included in the model, as a backup to olther pump 2CHS*P21A or 2CHS*P21B, with the associated operator actions to align it, if both pumps 2CHS'P21 A and 2CHS*P21B have failed, but the required support systems are available to each train, the operator is modeled as aligning pump 2CHS*P21C to train A. l These pump trains share a common dependence on the single suction line from the l RWST, which is modeled in Top Event VL of the support tree. The RWST itself is modeled in Top Event RW of the support tree. EOP E-0 asks the operators to recognize if the RCS is intact. If they decide that the RCS is intact following a safety injection, they are then instructed to go to EOP ES 1.1 for
" Safety injection lermination." There is a danger, as occurred at Three Mile Island (TMI).
that the HHS1 will be tempora,-ily stopped. EOP ES-1.1, however, provides for a recheck of safety injection termination and an escape back to EOP E 1. Nevertheless. this potential error of commission is included in the system rnodel for this top event for sequences in which a safety injection signal has occurred. 3.1 67 M AccideN sewence oehneaton. _ _ - _ _ _ _ _ . _ _ _ ._ . _ _ _ _ _ ~ _ ._-. __ __
B::v;r Vcil;y P;w:r Stati:n Unit 2 Rsvisi:n 0 Pr:b:bilistic Risk As::ssm:nt This top event includes considoration of the failure modes of the relevant pipes, valves, and the HHSI pumps needed to model availability of the HHSI. Failure of this event implies that HHSl and charging flow for RCP seal injection are unavailable. Success of Top Event HH means that these two functions are possible. HHSI further requires the availability of water in the RWST (i.e., Top Event RW), and of a flow path from the RWST to one of the three cold leg injection line entry points in the RCS: 1.e.. as modeled in Top Events VL and HC. Success of RCP seal injection does not require flow from the RWST, provided the volume control tank (VCT) remains available as a source of water for HHSI pump suction. RCP seat injection is considered further in Top Event SE. Successful RCP seal injection flow also requires that flow paths from the discharge of the operable HHSt pump to each of the RCP seals be available. These RCP seal injection flow paths are modeled in Top Event SE.
- Top Event HC - HHSl Cold Leg injection Path Available. Both HHSI and LHSI provide flow to the RCS tt-ough the same three cold leg lines. inpction into one of three cold legs is sufficient for either HHSI or LHSI. If Top Event HH is successful (i.e., HHS) is available),
then the three cold leg injection paths of interest include six check valves that are modeled in Top Event HC as follows:
- To cold leg 21,2CHS*139 and 2 SIS'548 must open.
To cold leg 22,2CHS'138 and 2 SIS'550 must open. To cold leg 23,2CHS'137 and 2 SIS'S$2 must open Top Event HC also includes the redundant MOVs (i.e.,867A,8678. 867C, and 867D) at the pumps discharge and the common check valve on the flow path from the pumps to the redundant MOVs.
- Top Event SE - RCP Seal injection / Thermal Barrier Cooling. The charging system provides RCP seal injection. Normally, the primary component cooling water system (CCP) provides RCP thermal barrier cooling, bearing cooling, and motor cooling. Either thermal barrier cooling provided by CCP or seat injection provided by the charging system is sufficient to prevent a seal LOCA if the RCPs are not running.
Top Event SE models RCP seal cooling from both thermal barrier cooling and seal injectica. RCP seat injection is modeled as a success path if one of the HHSI (charging) pumps (i.e., in Top Event HH) is successful, and either flow from the RWST is available or there has not been an automatic switchover to the RWST and flow from the VCT remains available. Switchover of HHS! pump suction from the VCT to the RWST occurs on a safety injection signal. Switchover to the RWST also is necessary on low VCT level. On low level, the switchover may occur automatically or be initiated manually. Isolation of letdown alone is assumed to not require switchover because normal charging should automatically run back to minimum flow. However, loss of vital instrument bus I,11, or til (i.e., red, white, or [ blue) could lead to failure of pressurizer level control, depending on how the system is l aligned. If vital instrument channel i fails, there is also a less of automatic makeup to the l VCT. Loss of pressurizer level control results in full flow from normal charging. Operator l action is then required to return pressurizer level control before switchover occurs. The i flow path from the common charging header to all three RCP seals is also included in the Top Event SE mooel. All three charging pumps are headered so that any one pump can provide seal injection to all three RCPs. The valves in the seal injection flow path from the discharge of the HHS! pumps are either motor operated and normally open, or they are manual valves ar" normally open. 1 3.1 68 11 AcC4ent sequence Dehneation.
Beavsr Vallsy Power Station Unit 2 Revision 0 Probabilistic Risk Assessment if CCP flow to the RCPs is initially unavailable, but the RCPs continue to run, then success of Top Event SE requires that the operators quickly trip the RCPs, in accordance with the RCP seat trouble alarm procedure, before any seal damage occers due to purnp vibration, whetner one mode or both modes of seal cooling are available later. Thertual barrier cooling for tne RCP seals is modeled in support system Top Event TB. lf Top Event TB is successful, RCP seat injection is not required Top Event SE is queried followmg non LOC A initiatino events with a successful isolotion of the pressurizer: Le., rm RCS leakage. This event is considered irrelevant if a LOC A has already occurred. Failure of Top Event SE is assumed to load to a small LOCA by virtue of RCP seal leakage.
- Top Event CD - Cooldown of RCS and Depressurization of Secondary Side. This event models the operator action and equipment needed to cool down the primary and depressurize the secondary. Some form of steam generater cochng (i.e., on either AFW or MFW) is required. This action covers ES-1.2 or EC A-0.0. Failure of this event implies
- that the steam generators are not used for active plant cooldown in order to reduce RCC
- pressure.
Two of the three steam generators' atmospheric dump valves or the residual heat ielease valve is assumed to be required for success of this event. To simplify the model, use of the andenser steam dumps and the condenser is conservatively neDi ected. instead, the cocidown and .'eptersurintion are accomphshed by the operators lowering the pressure setpoint or locally opening two of the steam generator atmospheric dump valves. Success of HHSt and Top Events CD and OD given a small LOCA. followed by a failure of recirculation, results in r9duced RCS pressure m the time of core damage. For sequences involving losa of all emergency / C power, success of Top Event CD implies that the RCS is cooled down and depressurized to limit the leakage rate of RCS through the RCP seals.
+ Top Event OD - Depressurizatlori of the RCS to MHS Entry Conditions. This event models the successful depressurization of the RCS to RHS entry conditions (Le., RCS temperature less than 350 F, and RCS pressure less than 360 psl0 ), given that the operators have already successfully cooled down the RCS and depressurized the steam generators; i.e., success of Top Event CD. The RCS depressuritation is accomplished using normal pressuri7er spray, auxiliary pressurizer spray, or the preuurizer PORVs in accordance with ES 1.2. Credit for using the RCS head vents alone, which may not be a viable opptcach, is conservatively noglected. Normal pressurizer spray requires successful operation of RCP A or C. RCP A or C is assumed to be available if both offsite power and primary component cooling water are successful. Auxiliary pressurlier spray requires that at least one of the three HHSI pumps be available to supply charging and that letdown is maintained. For successful depressurization using the pressurizer PORVs, the operators must reopen the pressurizer PORV block valves to depressurite below their autoclosure setpoint of 2,185 psig. Once depressurized, reclosure of the pressuriier PORV trains is modeled in Top Event Pl.
Failure of Top Event OD implies that RCS pressure remains high, For LOCAs this can affect the leak rate from the RCS. If steam generator cooling is not available, this top event is not queried instead, RCS depressurization is modeled in Top Event OB for feed and bleed cooling. 3.1 69 31 Accioent sequence Denneanon
l B=v:r Vall:y Prw:r Stati:n Unit 2 Revisi:n 0 Prcb:bilistic Risk Ass:ssm:nt
- Top Event Pl- Pressurizer PORVs Arc isolated after RCS Depressurization. In the event that pressurizer spray is unavailatsle, the pressurizer PORV is assumed to be opened whenever Top Event CD is successful. The RCPs are assumed unavailable for normal presuurizer spray if offsite power or primary CCP (support system Top Event OG or CC),
needed for RCP operation, have failed. The analysis of Top Evem Pl modeis the successful reciosing of the affected PORV(s) after the challenge or, alternately, the successful automatic closure of the block valves to isolate the pressurizer PORV relief line(s). Failure of this top eve'it is treated in the remainder of the model as a small LOCA; that is, it is assumed that failure to isolate will occur in only one pressurizer rel.cf path.
- Top Event RR - Residual Heat Removal. Top Event RR evaluates the availability of the RHS to provide core decay heat removal, and the ope Mc- eions to initiate RHS once the RCS has been cooled dowa and depressurized sufficiently to allow RHS to be placed in service (ES 1.2). To place RHS in service, RCS temperature must be less than 350 F, and RCS pressuro roust be less than 300 psig.
This event is only asked if the RCS must be cooled to cold shatdown conditions to limit RCS leakage. Success of this event implies that cooldown to cold shutdown conditions is completed so that RCS leakage can be minimized, thereby avoiding the need for switchover to recirculation. Failure of this event indicates that RHS was not successfully established so that RCS leakage into the environment must be remedied some other way. For small LOCAs, the PRA model assumes that a CIB signal is reached that would trip the RHR pumps. This event may ba of more interest later, should plant trips involving very small LOCAs be of interest. The GTRECIRC event tree makes up the second part of the genera; transient /small LOCA evsnt tree sequence model. The top events in the GTRECIRC tree are summarized in Tabic 3.1.3 2 and described below.
- Top Event NR - Recirculation from Sump Not Required. This top event acts as a switch to ensure that sequences in the GENTRANS event tree are correctly connected to the remainder of the sequance model in GTRECIRC. If Top Event NR is successful, this implies that the plant is in a stable configuration with recirculation from the containment sump not required, steam generator cooling successful, and no LOCA condition. Failure of Top Event NR implies that the status of containment systems is of interest 1or recirculation from the sump.
- Top Event NM - No Melt Condition from injection Phase. This top event is also a switch, it is asked only if Top Event NR is failed. Success of Top Event NM implies that during the early or injection phase of the accident, plant systems responded correctiy but that recirculation from the containment sump is required to prevent core damage. Failure of Top Event NM implies that during the early or injection phase of the accident, core damage occurred. The status of containment systems is then queried to define the hkely rebase paths from containment.
- Top Event QS - Quench Spray. A high containment pressure of 8 psig initiates a CIB signal that starts both QSS pumps. The motor-operated valves in the saction and discharge piping are normally open. Check valves in the discharge piping would be required to open, if not already open. The QSS is not required for core melt prevention.
Its operation influences the time to depletion of the RWST, and knowledge of its availability is required for containment analysis, in the plant sequence model, a l 3.1 70 31 Accment sequence ochneaton.
Deaver Valley Power Station Unit 2 Revision 0 Probabillstic Rh,k Assessment l containment pressure of 8 psig is assumed to be reached for all LOCA sims, steam line breaks, feed and bleed cooling scenarios, and for any scenario renulting in core dama .6. i
- Top Event LH - Low Head Safety injection Pumps. This top event queries the availabihty of LHSI pump trains previomg ilow from the RWST suction valves 2 SIS 8809A and 2 SIS 88098 through the pumps 2 SIS'P21 A and 2 SIS'P2tB to the discharge check valves -
2 SIS'6 and 2 SIS'7 and manual isolation valves 2 SIS'3 and 2 SIS *4 up to the pomt where recirculation spray flow joins th., lines. For small LOCAs in which HHSI is availablo and RCS pressure is greater than 185 psig, the LHSI pumps are turned of' per EOP ES 1.2., post-LOCA cooldown and
- depressurization. For LOCAs in which HHSl is not availabte, RCS pressure would not be stable or increasing so that LHS1 would remain operating to transter RWST water to the containment once RCS pressure dropped sufficiently.
For the purpose of containment status, success of either HHSt or LHSt is treated as a successful transfer of the RWST inventory into the reactor vessel Transients and LOCA initiated core meltdowns in which the pressute stays above about 250 psig do not provide the opporturuty for LHS! prior to core damage. In these cases, the RWST water may not have been injected before core meltdown. The actions identified in EOP FR-C.1 are assumed not to be sufficient to lower RCS pressure to permit _LHSt prior to core damage. Alter vessel failure, however, the head against which the low pressure pumps must operate may fall below their shutoff head, and injection of the RWST inventory may then be achieved. The status of RWST inventory in the containment, particularly in the sump and reactor cavity, is required for containment analysis, should the accident progress to core damage. -
- Top Event LC - LHSI Cold Leg injection Paths. Both HHSI and LHS1 provide flow to the RCS through the same three cold leg lines, injection into one of three cold legs is sufficient for either HHSI or LHSI.
If both trains of HHSl are not available during a small LOCA (i.e., Top Event HH falls). then the operators would attempt to use LHSl; i.e., Top Event LH. in this case, the cold leg injection paths of interest involve six check valves that are modeled in Top Event LC as follows:
- To cold leg 21,2 SIS 107 and 2S15'548 must open.
- To cold leg 22, ? SIS'108 and 2 SIS 550 must open.
- To cold leg 23,2 SIS 109 and 2 SIS'552 must open.
Valves 2 SIS'548, 2 SIS *550, and 2 SIS'552 are also modeled in Top Event HM. Top Event LC also considers the valves (i.e., 2 SIS'8888A and 2StS'88888) in the LHSI tiow path downstream of the points where recirculation spray joins, but before the injection paths header, and then split three ways for flow into each cold leg.
- Top Event SM - Containment Sump. This event includes three failure modes: tailure to stop RSS pumps, if necessary, to avoid pump cavitation; unavailability of the containment l sump (e.g., due to plugging with containment debris); and common cause unavailability of all four reHrculation spray trains. Small LOCAs that reach 8 psig in the containment and cause inution of recirculation spray may not provide sufficient water in the containment
! sump to meet the minimum recirculation spray pump suction requirements with the 10.5-minute delay time if at least one QSS pump does not operate. Therefore, in accordance with EOP E-0, if sump Svel is inadequate due to failure of QSS, the operators l -are instructed to reset the CIB signal, stop the recirculation spray pumps, and restart l them when containment sump level is sufficient (about 44 inches). For small LOCA, the 3.1 71 M Acedent Sequwe ooknemn
B: v;r Vcil:y Pcwcr St: tion Unit 2 R vision 0 Prcb:billstic RI:k Ass 2ssm:nt operators could prevent a CIB signal by following procedures to reduce pressure and terminate safety injection. However, for this study, all small LOCAs are assumed to reach 8 psig in containment (Reference 3.1.3 2). Success of this action is therefore mcluded in the rnodel for Top Event SM. If Top Event SM fails, then all recirculation spray pumps are meficctive, and neither recirculation spray nor recirculation mode core cooling is available. The assessment of sump unavailability in this top avent assumes that the scenario has not yet progressed to a core damage condiflon. Postmelt containment environment effects (i.e., sump plugging) are deferred for consideration in the Level 2 analysis.
- Top Event OR - Automatic / Manual Actions for Cold Leg Recirculation. This event models the autornatic signal to transfer to recirculation and the operator actions considered in realigning the plant from the injection mode to the recirculation modo for LOCA sequences when RWST inventory level is low. Realignment for both high pressure and low pressure recirculation is considered. Proper calibration of the RWST level sensors is considered in the model.
When the RWST level reaches 450 inches. the operators are instructed to enter EOP ES 1.3, verify that the system is properly a!i0ned, and, if not, manually align for cold leg recirculation. (Actions to reset the safety injection signal, such as in EOP E-1, do not reset the recirculation mode signal.) The recirculation modo signal, however, does not then restart the recirculation spray pumps. The operators must manually restart the pumps in order to complete the recirculailon switchover, if the purnps had been stopped previously to avoid cavitation caused by insufficient NPSH. This action to restart the purnps is modeled in Top Event SM. In the event that a CIB signal did not occar, the operators need not stop the RSS pumps, but must start them for the first time to go to recirculation. For steam line breaks inside containment, sufficiently large to lead to a CIB signal, EOP E 1 permits the operators to stop the QSS pumps once containment pressure is reduced to less than 13.7 psia. This action preserves RWST inventory in case it is needed later; i.e., for subsequent, induced small LOCAs following the steam line break initiating event. Success or failure of this action can affect the required timing for switchover to recirculation from the injection mode. For the current model, the QSS pumps are assumed not to be stopped, which shortens the time available for successful switchover to recirculation, although it minimizes the likelihood of cavitating the RSS pumps. Also considered in this top event, for all initiating events, is the isolation of the four paths ( from the recirculation lines to the RWST. This is to ensure that water from the I containment sump is not inadvertently pumped back into the RWST and thus is unavailable for recirculation. The four lines considered are the two flow paths back through the idle LHSI pumps and MOVs 8809A or 88098, and reverse flow through the two HHSl suction valves (LCV1158 and LCVIISD). Failure of the redundant valves on any one of these pathways to rescat or reclose is assumed to result in failure d Top Event OR. Establishment of separate recirculation flow paths by isolating the redundant lines from each other is not considered necessary for success. The model, however, conservatively assumes that the trains are isolated. Isolation of the lines, in this case, can actually reduce system availability because once separated, it then reauires operator action to establish crossover paths to recover from certain combinations of failures that involve two trains. These failuro combinations are believed to be more likely than single pipe breaks, from which separation of the two trains was meant to protect. 3.1 72 31 Accident Sequence Dehneation
Beaver Vallay Power Station Unit 2 Revision 0 Probabilistic Risk Assessment This event includes operator actions to control service water flow to the RSS coolers to O controt containment pressure, and to restart the RSS pumps for cold leg recirculation as well as verification and establishment of correct valve alignment for recirculation. The valve hardware failure modes thmnselves are modeled in Top Events RC and RD. . Failure of this event is treated as failure of the cold leg recirculation mode of emergency core cooling system (ECCS). The long term transfer to hot leg recirculation 14 hours after the LOC A starts (i.e., following EOP ES 1.4) is not modeled. It is assu*ned that in the long period available before boron precipitation could becomo a problem, the operating staff # will find a way to transfer to hot leg recirculation, even if initially unsu(cessful.
- Top Events RC and RD - Low Head Cold Leg Recirculation Core Cooling. These events model the availability of recirculation spray pump trains C and D, and the valve realignment needed to establish cold leg recirculation through the LHS1 lines; i.e., the cross-connect valves to the suction of the HHS1 pumps are modeled in Top Event HR for high pressure recirculation. Recirculation spray tialn C is aligned to recirculation core cooling Train A, and recirculation spray from D is aligned to recirculatWn core cooling train B.
The following equipment actions are mode led herein:
- Start and run of 2RSS*P21C and 2RSS*P21D following a CIB, or a manual start if a CIB does not occur. For purposes of this analysis, a CIB condition is assumed. (The operator actions are modeled in Top Event OR.)
- Opening of the service water header, and intet and outlet valves for the coolers
/ 2RSS*E21C and 2RSS*E21D, Proper positioning of suction and discharge valves MOVs 2RSS 1550 and 2RSS 1550, which are normally open and must remain open. MOVs 2RSS-15GC and 2RSS 156D must close. MOVs 2RSS 154C and 2RSS-154D, minillow valves, must open. MOVs 2 SIS 8811 A and 2 SIS 88110 must open. Checis valves in the injection paths mu.st open, and MOVs 2 SIS 8888A and 2 SIS-88888, which are normally open, must remain
~
So. Because cold leg crossover valves 2 SIS-8887A and 2 SIS 88876 receive an autoniatic command to close from a recirculation mode signal, failure of Top Event RC or RD fails train A or 8 of low pressure cold leg recirculation, respectively. Subsequent reopening of 2 SIS-8887A and 2 SIS-8887B to establish the initially f ailed recirculation is not considered.
- Top Event RS - Recirculation Spray from Pump A or D. The four recirculation spray pumps are automatically started following a 628 second delay after a CIB. This is to gNo the quench spray pumps sufficient time to fill the containment sump to provide the required NPSH for the recirculation spray pumps. This delay time, however, may not be
- sufficient (i.e. depending on the RCS leak rato) to allow ample water to collect m the containment sump if at least one QSS pump does not operate. The recirculating spray pumps-must sometimes be manually turned off to prevent them from cavitating and then turned back on when NPSH is sufficient. Operator actions to first turn off and then to turn on the pumps are modeled in Top Event SM.
Both the suction and discnarge motor operated valves (MOV) from the containment sump and to the spray headers are normally open. The discharge check valves must open, if not already open. Trains A and B are dedicated to providing recirculation spray. Trains C and D are realigned following a recirculation mode si;;nal, during LOCA scenarios, to provide in-vessel core cooling. Top Event RS includes the start and run of either 3.1-73 M Ament sequou Decatm -)
Bacvsr Vall2y Powcr Station Unit 2 Revision 0 Preb:bilistic Risk Assasstnant i recirculation spray trains A or B (or t:oth) with the associated piping, valve operation, and , spray header. Knowledge of success or fai:are of RS is required only for containment analysis; i.e., it does not impact the calculation of the core damage frequency. The model assumes that service water must be available to the RSS pump seals and associated spray coolers for RSS pumps 2RSS P21 A or 2RSS P21B for success of Top Event RS. This is conservative because service water to the seals or the coolers is not actually requl*ed for initial RSS pump operation. They are only reautred for long term successful coritainment heat removal. Due to this assumption, the Unit 2 model does not idenhfy seque.nces in which recirculation frone the containment sump is successful but containment heat removat is failed. These so-called ' core vulnerable
- sequences are instead modeled conservative!y as failure of all containment recirculation and of heat rumoval.
Given successful operation of recirculation spray trains C and D for high pressure recirculation, but failure of recirculation spray trains A and B, it is possible that the train C or D pump, if realigned, could also provide the recirculation spray function. This realignment is not modeled because it is currently not specified by procedures.
- Top Event HR - HHSl Flow Path for Recirculation Core Cooling. Estabhshment of high head recirculation, given that low head recirculation is available, depends on the availability of the charging pumps and the opening of valves 2 SIS 863A and 2 SIS-863D.
These valves receive an automatic command following a recirculation modo signal. Success of the recirculation mode signal requires proper opMation and calibration of the RWST level sensors. The recirculation mode signal is considered in the Top Event OR event analysis along with the backup manual actions to establish recirculation. EOP ES 1.3 provides for keeping MOVs 2CHS-8131 A and 2CHS4131B, and 2CHS-8130A and 2CHS-81308 open if recirculation flow cannot be established from both char 0 in0 pumps, i.e., one is available and one is not. This permits a suction side crossover path so that either recirculation spray train C or train D can provide suction to both chargin0 pumps, provided that its respective MOV 2 SIS-863A or 2 SIS 8638 opens on demand. As the alternate cold leg injection path via MOV 2 SIS 836 has its power removed and is not called out by procedure as an alternate flow path for HHSI, this flow path is not modeled for the injection phase. It is also not modeled for the high pressure recirculation phase because success of Top Event HC already implies that a cold leg injection flow path is available for 24 hours. Success of Top Event HR requires that one or both of MOVs 2 SIS 863A and MOV 2 SIS-863B open permitting flow from either 2RSS'P21D or 2RSS'P21C, which must be operable (i.e., as modeled by Top Events RC and RD), to the suction of all three HHSl pumps.
- Top Event MU - Makeup to RWST. This event models the operator action and equipment necessary to supply borated water makeup to the RWST. The makeup actions are called
- for by procedure; i.e., EOP ECA 1.1 when RWST level is low and cold ie0 recirculation is unavailable.
Borated water from either the spent fuel pool or the boric acid tanks may be used to make l
- up to the RWST. The spent fuel pool is normally filled to a level 20 incter, above the l technical specification limm The technical specification required level is 23 feet above the top of the spent fuel, The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons. Emergency makeup from the service water system into the spent fuel pool is also possible but requires that a spool piece be 3.1-74 31 Awaent sequence Dehneabon l
i i Reever Vallsy Power Station Unit 2 Revision 0 Probabilistic Risk Assessment 1 l l installed. Since use of this system connection is not procedurah/ed, no credit for it is ] taken in the initial plant rnodel. At the fuel pool purification pump des'On rating of 400 j gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours. The
- required makeup rate to sustain high head injection at a rate sufficient to maintain RCS inventory above the fuel, as indicated by Attachment A 4.7 of EOP ECA 1.1, as less than j 200 ppm for times greater than 100 minutes after plant trip. Therefore, this volume of J borated water is sufficient to tast at least 9 hours, af ter makeup begins.
I
- Makeup from the boric acid tanks can only be provided at 120 gpm. At this rate, if the j RWST inventory is reduced sufficiently to require makeup in fhe hrst 8 hours after plant
. trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would i bo insufficient. Therefore, makeup from the spent fuel pool is assumed required initially, and then to continue oroviding makeup for 24 hours, manual blending operations using i the boric and tanks is also required. 1 i l Makeup from the spent fuel pool requires one of the two fuel pool purif cation purnpt (i.e., 2FNC P24A and 2FNC P248) to start and run, and rnanual valves at the discharge of the _ pamps to the RWST must be opened. The spent fuel pool inventory should already be { borated to 2,000 ppm. For rnakeup from the boric acid tanks and the prirnary Orade water storage tank, using 9 manual blender operations, the makeup alignment is more complex. Clean water from ' the primary water storage tanks (i.e.,1BR TK 6A and iBR TK 6H) is blended with boric j acid from the boric acid tanks; i.e.,2CHS TK21 A and 2CHS TK210). Manual intervention is l required to ensure the proper blend of boric acid and clean water to achieve a mixed l concentration of roughly 2,000-ppm boron, Both boric acid tanks, but only one primary
- water storage tank, are needed to supply sufficient rnakeup for the remainder of the 4 24 hour mission time; i.e., after successful transfer of the available spent fuel pool inventory, only an additional 10 to 15 hours is needed. One of two of the primary water supply pumps (i.e.,1BR P-10A and 1BR P 100) and either of the boric acid transfer pumps f (i.e.,2CHS-P22A and 2CHS-P228) are required for success since the boric acid transfer pumps can be crosstied. . .
j Success of Top Event MU means that continued HHSi injection can be performed for RCS j inventory control at full RCS pressure despite continuinD RCS leakage. For sequences m which RHS cannot be placed in service because either the initial cooldown and l depressurization could not achieve RHS entry conditions (i.e., less than 350"F and less j than 360 psiO) or the RHS system is unavailable, success of Top Event MU can be very
- important, Failure of Top Event MU means that inventory control is not availablo, and eventual core dama0e results.
- Top Event Cl- Containment isolation. This top event questions the failure to create and
; maintain an isolated containment followin0 safety injection, and CIA and CIB signals. The contumwmt penetrations explicitly modeled are
- Containment Major Vents and Drains; e.g., sump pump discharge ,
- Connections to RCS; e.0., RCP seal water return
- Connections to Containment Atmosphere; e.g., containment vacuum line
- This trodel also includes operator actions to ensure that the isolation valves remain closed (e.g., in EOP ES 1.1), after the resetting of the CIA and CIB sl0nals. The safety injection, CIA, and CIB signals are reset in accordance with procedures by the operators it i mber of situations. Examples of such situations include: post LOCA cooldown and P varization (i.e., EOP ES 1.2), transfer to cold leg recircuulon (i.e., EOP ES 1.3), the
.3.1 75 u Amant scavence Denneen
Dxv:r Vcll y Ponar Station Unit 2 Revision 0 Prob:billsti: Risk Asssssmant resoonse to loss of emergency rec! ant recirculation (i.e., EOP ECA 1.1) and for safety injection termination (i.e., IOP ES 1.1). Manual isolation of the RCP seal return line durmg a loss of all vital AC (i.e., EOP ECA 0.0) is also modeled in this top event. The status of containment isolation is needed for the containment analysis. Some comments about the potential release path through the RCP seal return line are now noted. The sea' return ime headers flow from the three RCPc' number 1 seal leakoff Imes. N common seal return line has a relief valve back to the pressurizer relief tank with a setoolnt of 150 psig. Downstream of this relief valve are two motor-operated isolation valves used for containment isolation. Downstream of the isolation valves is a second roiiof valve which discharges to the volume control tank (VCT). This relief valve is set at 140 psig. Downstrearn of this second relief valve, the seat return line connectu to the seal water heat exchanger, and eventually to HHS1 pump suction and the VCT. The VCT has its own relief valve with a setpoint of 70 psig, which discharges to waste tanks. It both trains of emergency AC power are unavailable, the seal return line could only be isolated by local operator action, as is directed by procedure. If the seai return line is not isolated, flow through the nur,1ber one seal in each of the RCPs may tind its way back to the VCT; ko.. outside containment. If the number one seal of each RCP fails, this leakage flow ce sid be significant. Therefore, if Top Event SE fails (i e., the RCPs lose cooling) and Top Eve.u Ci fails, the sequence is modeled as a small containment bypass; i.e., a flow path that connects the RCS to locations outside the containment. This model is conservative because other penetrations are also included in the mv.M for Top Event Cl, which, if un6solated, would not lead to a contamment bypass. Numerically, however, the amount of conservatism introduced by this assumption is minor. This model may also be concervative because much of the seal leakage may instead pass through the first relief valve into the containment. The flow split inside or outside containment would be a function of the pressure drops along the seal return line and the response of the relief valves. It would also be dependent on the status of the number two and three seals. 11 these other RCP seals fail, another flow path to containment would be opened up. If cooling to the RCP seals is maintamed so that the number one seals are also intact, leakapo would be minimal (i.e., approximately 3 gpm per pump), whether or not the seal return line is isolated. To simolify the model for Top Event Cl, however, it is conservatively assumed that failure to isolate the seal return knc, but with success of Top Event SE, is still a failure of containment isolation. The intact seats preven it from being a potentially significant bypass path. To eliminate the unisolated seal return line as a containment isolation failure, one would have to show that all three number one seal leakoff lines remain intact atter core damage and that the number one RCP seals maintain their integrity, For now the conservative assumption is made for sequences with RCP seal cooling maintained; i.e n that fallore to isolate the seal return line is a failure of
-containment isolation that represents a significant path for release.
If the seal return line is isolated, the flow rate through the failed number one seal in each RCP, prior to failure of the number two seais, would be governed by the flow losses in the number one seal leakoff lines, assuming that the leak is directed to the PRT insido containment via the 150 psig relief valve. In Reference 3.1.3-6, this flow is estimated to he limited to about 65 gpm per pump in a typical plan. A plant-specific calculation for this situation at Beaver Valley has not been perfctmed. The estimate in Reference 3.1.3-C assumes that the seal return line is isolated md that the seal leakoff lines remain intact except for the opening of the relief valve insiA containment. This limits seal leakage to 65 gpm per pump until degradation of the number two seals occurs. This leak rate for 3.1 7G 31 Accioent smme twneeon.
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment failure of just the number one seals is consistent with the seal failure model adopted in Section 3.3.3 for determining the allowable time for electric power recovery. Since the seal leakoff line piping is designed for low pressure,11 is unclear whether the piping tould realistically withstand the higher pressures and temperatures associated with pausing hot RCS water after failure of the number one seals. Should the seal leakoff piping instead ruptare, the RCP seai leak rate may approach the 480 gpm leakage rate that is normally associated with complete RCP seal failure, and at an earlier time than currently assumed in the RCP seat failure model. For the purposes of this analysis, the
- smaP diameter of the seal leakoff piping, which gives it a relatively hi0h realistic failure pressure, and the reduction in RCS pressure expected to occur prior to failure of the number one RCP seals (i.e., estimated to occur at about 1.5 hours after loss of cooling),
together are assumed to preclude the seal leakoff piping from failing due to overpressure. The status of seat return line isolation may affect the conclusion. With the current - assumption, the seat failure rnodel used in Section 3.3.3 is still appropriate. Two other potential failure rnodes have Feen postulated for loss of containment mtegrity. For small LOCAs, the CIA and CIB signals would not be generated immediately. If the containment vacuum line or sump pumps discharge line is open at the start of the LOC A, a portion of the containment air would be swept out of the containment and replaced by steam prior to successful containment isolation. 11 a CIB signal then actuates the QSS and RSS pumps, containment pressure should quickly fall to subatmospheric. If the operators fall to terminate the OSS pJmps or to throttle service water to the RSS coolers, those is the potential for co'itainment pressure to fall below design limits, i.e., less than 9 psia. However, a realistic containment failure modo for such sequences has not been identified. This potential containment failure modo is not unique to Beaver Valley Unit 2. Because the penetrations at Beaver Valley Unit 2 (which may be open while at power) are relatively small, this makes it difficult to purge much containment air prior to isolation. Therefore, this failure mode is not quantified in the PR A model. A second potential failure mode is associated with steam line breaks within containment. , If feedwater falls to isolate, two or more steam generators blow down inside containment, e or if the operators fail to control AFW flow to the faulted steam Generator, containment pressure may exceed design limits. In the current model, it is assumed that the realistic containment failure pressure would still not be exceeded, so that contaimmmt integrity is maintained. Consequently, this postutated containment failure mode was also not quantified. 3.1.31 Medium LOCA Event Tree Medium LOCAs are quantified using a separate event tree from that of the - general transient /small LOCA event trees. This was found to be convenient to reflect the different system success criteria to mitigate medium LOCAs. For example, both HHSI and LHS! are required for success to cover the full range of medium LOCAs. Table 3.1.2-4 summarizes the system success criteria neded to ensure that each of the key safety functions are performed. More details concerning the system success criteria are provided in the top event descriptions that follow. For convenient reference, Table 3.1.3-3 summarizes the top events that appear in the medium LOCA event tree models. The medium LOCA event tree structure is shown in Figure 3.1.3-3.
- Top Event HH - High Head Safety injection Pumps. This top event models the two HHSl trains with pumps 2CHS*P21 A and 2CHS*P21B. Success requires one pump train to be operable. The third pump,2CHS'P21C, may be electrically aligned to either orange or 3.1 77 3i Acceent Sequence Dehneeon
B:ov:r Vcll;y Pewsr St: tion Unit 2 Rovision 0 Prob:bilistic Risk Assessm:nt purple emergency power, if either of the other two pumps fail. Only two pumps at a time, however, receive an automatic start si0nal. Pump 2CHS'P21C is mcluded in the model as a backup to either pump 2CHS*P21 A or 2CHS'P210 with the associated operator actions to align it. If both pumps 2CHS*P21 A and 2CHS*P218 have failed. but the required support systems are avallat le to each train, the operator is modeled as aligning pump 2CHS'P21C to train A. These pump trains share a common dependence on the single suction line from the RWST. which is modeled in Tep Event VL of the support tree. The RWST itsell is modeled in Top Event RW of the support tree. EOP E O 1sks the operators to recognize if the RCS is intact. If they decide that the RCS is intact following a LOCA, they are then instructed to go to EOP ES 1.1 for " Safety injection Termination
- There is a danger, as occurred at TMl, that the HHS! will be temporarily stor 'ed. EOP ES-1.1, however, provides for a recheck of safety injaction termination anc i escape back to EOP E-1. Nevertheless, this potential error of commission is included in the system model.
This top event includes consideration of the failure modes of the relevant pipes, valves, and the HHS) pumps needed to model availability of the NHSI. Failure of this event implies that HHSI and charging flow for RCP seal injection are unavailable. Success of Top Ever.t HH means that these two functions are possible. HHSI further requires the availabihty of water in the RWST (i.e., Top Event RW), and of a flow path from the RWST to two of the three cold !cg injection hne entry points in the RCS; i.e., as inodeled in Top Events VL and HM.
- Top Event HM - HHSI Cold Leg injection Paths. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into two of three cold legs is sufficient for HHSI. If Top Event HH is successful (i.e., HHSI is available), then the three cold leg injection paths of interest melude six check valves that are modeled in Top Event HM as follows:
- To cold leg 21,2CHS*139 and 2 SIS'548 must open.
- To cold leg 22,2CHS*138 and 2 SIS'550 must open.
- To cold leg 23,2CHS*137 and 2 SIS *552 must open.
Top Event HM also includes the redundant MOVs (i.e.,867A. 8678,867C, and 867D) at the pumps' discharge and the common check valve on the flow path from the pumps to the redundant MOVs.
- Top Event AM - Two of Three Accumulators Discharge. Current success criteria for medium LOCAs require adequate accumulator discharge to avoid core melt. Top Event AM requires that the water from two accumulators entar the vers 01, it is traditionally assumed that the water from one accumulator is lost out of the break during a large LOCA because certain cold leg break locations will cause this to occur. This conservative l assumption is not made for a medium LOCA. Accordingly. Top Event AM is successful if l
two of three accumulators and the associated valves operate properly. l The equipment included in this top event is as follows: l 1 - The accumula'or tanks at the specified 600 psia over pressure.
- MOVs 2SnS-865A,2 SIS 8658, and 2 SIS-865C on the discharge hnas. These valves are normally open with power removed during Modes 1 and 2. In addition, they are given a safety injection signal to open.
3.1 78 3s Amoent seauence Denneaten
Beevar Vality Power Station Unit 2 Revision 0 Probabilistic Risk Assessment
- - Two normally closed check valves m each accumulator discharge line must open. Top Event AM is not questioned in the event tree if Top Event HH or HM fails smce core damage is already assumed to have occurred.
Failure of Top Event AM implies that as a resul' of the LOCA, the core uncovers, and ! before RCS pressure drops sufficiently to allow adequate inject on, fuel damage occurs. Success of Top Event AM means that sufficient water is injected to keep the fuel cooled until RCS pressure falls to allow adequate injection via the LHSl pumps.
- Top Event AF - Auxiliary Feedwater System Provides Flow from One Pump to at Least One Steam Generator. For success of Top Event AF, at least one pump is requked to l supply at least one steam generator for 24 hours. Each of the two motor-driven pumps and the one turbine driven pump are headered to provide flow to any of the three steam generators.
As can be seen from the medium LOCA success criteria summary provided in Table 3.1.2-4, the status of AFW has no direct bearing on the frequency of core damage from medium LOCAs in the current model. Top Event AF is included in the event tree for two reasons. One reason is to distinguish seq'Jences in which the operators must follow EOP FR H.1 from those in which they do not A second reason is because AFW provides
- another means of removing heat from the containment in the event that the RSS' pumps
! operate but without service water to the RSS heat exchangers. This heat removal path is not considered in the current analysis but may be of interest in iuture model versions. In the initial PRA model for medium LOCAs, credit is only given for those AFW actuation signals that go through SSPS. O This top event includes the required valve position changes, pump starts, and pump operation to provide flow to the steam generator by taking suctio't from the PDWST (2FWE'TK210) or service water system. It also includes the equipment and operator actions needed to provide long-term makeup from the DW3T (2WTD-TK23) to the PDWST. The principal mode of makeup to the PDWST is automatic, using a modulating supply valve (2FWE LCV104A) that passes up to 200-gpm flow from eitner one of two 350-gpm-capacity domineralized water distribution pumps 2WTD-P23A or 2WTD P238. The second source of makeup is through an 8-inch line that feeds up to 585 gpm to the PDWST from the DWST through a normally locked closed manual valve. This valve (2FWE'1165) must be opened before the PDWST is depleted, approximately 6 to 9 hours after pump > start, Service water would be used only if no other source of water is available, and PDWST level has decreased to less than 25 inches. Given that the MSIVs are closed (i.e., so that the co, denser steam dumps are not available), decay heat may be removed by AFWS using one of the following sets of valves: I
- Steam Generator Atmospheric Steam Dumps (nominally set at 1,040 psig)
- Residual Heat Release Valve (manually controlled)
Steam Generator Safety Valves (setpoints range from 1,075 to 1,125 psig) Historical data and previous analyses for other plants indicate that the failure-to-o;en frequency of these valves is sufficiently small so that modeling the failure to open of all of these sets of valves is not required in this study. Failure to achieve at least one steam relief path for decay heat removal will not be e dominant risk contributor. Therefore, to simplify the model, such failures are neglected.
- Top Event LH - Low Head Safety injection Pumps. Following a medium LOCA, this top event queries the availability of LHSi pump trains providing flow from the RWST suction 3.1 79 M Acceent Smence Dehneahon.
.- - - -. - ,, - .,- - .-.,- - - -...- - ..~. - -., .- _ -,. - -
B::v;r Vcil;y P w:r St :ti:n Unit 2 Rcvi:lon 0 Prcb:bilistic Risk Asssssm2nt valves 2 SIS 8B09A and 2 SIS 8809B through the pumps 2 SIS'P21 A rnd 2 SIS *P216 to the discharge check valves 2 SIS'6 and 2 SIS *7, and manual isolation valves 2 SIS *3 and 2 SIS'4 up to the point where recirculation spray flow joins the lines. Failure of botn trains is treated as leading to core damage-For the purpose of containment status, success of either HHSI or LHSI is treated as transfer of the RWST inventory into the reactor vessel. LOCAs characterized by medium pressure core moltdowns (e.g., failure of Top Event HH during a medium LOCA in which the pressure stays above about 250 psig), do not provide the opportunity for LHSI. In these cases, the RWST water may not have been injected before core meltdown. The actions identified in EOP FR C.1 are assumed not to be sufficient to lowu RCS pressure to permit LHSI prior to core damaga. After vessel failure, however, the head against which the lov> pressura pumps must operate may fall below their shutoff head, and injection of the RWST inventory may then be achieved. This top event is then queried to determine the potential for postmelt core cooling. However, the status of RWST inventory in the containment, particularly in the sump and reactor cavity, is required for contaitunent analysis, should the accident progress to core damage.
- Top Event LM - LHSI Cold Leg injection Paths. Both HHSI or LHSI provide flow to the RCS throt.gh the same three cold leg lines. Injection into one of three cold legs is sufficient for LHSI.
In this case, the cold leg injection paths of interest involve six check valves that are modeled in Top Event LM as followu:
- To cold leg 21,2 SIS *107 and 2 SIS'548 most open. - To cold leg 22,2 SIS'108 and 2 SIS'550 most open. - To cold leg 23,2 SIS'109 and 2 SIS *552 most open.
Valves 2 SIS *548,2 SIS *550, and 2 SIS *552 are also modeled in Top Event HM. Top Event LM also considers the valves (i.e., MOV8888A and MOV8888B) on the LHSt flow path downstream of the points where recirculation spray joins, but before the injection paths header, and then spht three ways for flow into each cold leg.
- Top Event QS - Quench Spray. A containment pressure of 8 psig initiates a CIB signal, which starts both OSS pumps. The MOVs in the suction and dischar0e piping are normally open. Check valves in the discharge piping would be required to open, if not already open. The OSS is not required for core melt prevention, its operation influences the time to depletion of the RWST, and knowledge of its availability is required for containment analysis. In the plant sequence model, a containment presst.ro of 8 psig is assumed to be reached for all LOCA sizes. The modeling assumes that one of two QSS pumps is needed to fill the containment sump to provide minimum NPSH for the recirculation spray pumps.
- Top Event SM - Containment Sumo. This event includes three f ailure modes: (1) failure to stop the RSS pumps if necessary to avoid pump cavitation (2) unavailability of t'.e containment sump (e.g., due to plugging with containment debris), and (3) common cause unavailability of all four recirculation spray trains. Medium LOCAs that reach 8 psig in the containrrent and cause laitiation of recirculation spray may not provide sufficient water in the containment sump to meet the minimum recirculation spray pump suction requiremerits with the 10.5 minute delay time if at lease one OSS pump does not operate.
Therefore, in accordance with EOP E4, the operators are instructed to reset the CIB signal, stop the recirculation spray pumps, and restart them when containment sump level 3.1 80 3i Accident Seavence Dehneaton.
Beavsr Vallsy Power Station Unit 2 Revision 0 Probabilistic Risk Assessment is suffiwnt (about 44 inches). Success of this action is therefore included in the model for Top Evert SM If Too Event SM fails, then all recirculatior, spray pumps are ineffective, and neither recitculation spray nar recirculation modo core cooling is available. The assessment of sump unavailability in this top event assumes that the scenario has not yet progressed to a core damage condition. Postmett containment environment effects (i.e., sump p'.sgging) are deferred for consideration in the Level 2 analysis.
- Top Event OR - Automatic / Manual Actions for Cold Leg Recirculation. This event models the automatic signal to transfer to recirculation and the operator actions considered in realigning the plant from the hjection mode to the recirculation mode for LOCA sequences, when RWST inventory level is low. Both realignment for high pressure and low pressure recirculation are considered. Proper calibration of the RWST level sensors -
is considered in the model. When the RWST level ror Aes 450 inches, the operators are instructed to enter EOP ES 1,3. verify that the system is properly aligned, and. if not, manually align for cold leg recirculation. (Actions to reset the safety injection signal, such as in EOP E 1, do not resei the recirculation mode signal.) The rceirculation mode signal. however, does not then restart the recirculation spray pumps. The operators must manually restart the pumps in order to complete the recirculation switchover, if the pumps had been stopped previously to avoid cavitation caused by insufficient NPSH. This action to restart the pumps is modeled in Top Event SM. In_the event that a CIB signal did not occur, the operatu s need not stop the RSS pumps but must start them for the first time to go to recirculation. Also considered in this top event is the isolation of the four paths from the recirculation lines to the RWST, This is to ensure that water from the containment sump is not inadvertantly pumped back into the RWST and thus is unavailable for recirculation. The four lines considered are the two flow paths back through the idle LHSI pumps and MOV - 2 SIS-8809A or 2 SIS 88098, and reverse flow through the two HHSI suction valves (2CHS-LCV1158 and 2CHS LCV115D) Failure of the redundant valves on any one of these pathways to rescat or reclose is assumed to result in failure of Top Event OR. Estaolishment of separate recirculation flow paths by isolating the redundant lines ,:om each other is not considered necessary for success. The model, however, conservatively assumes that it'e trains are isolated. Isolation of the lines, in this case, can actually reduce system availabihty because, once separated, it then requires operator action to establish crossover paths _to recover from certain combinations of failures that involve two trains. These failure combinatiens are believed to be more likely,than single pipe breaks, which is the reason the operators are instructed to isolate the trains. This event includes operator actions to control service vcater flow to the RSS coolers to control containment pressure and to restart the RSS pumps for cold leg recirculation as well as verification and establishment of correct valve alignment for recirculation. The valve hardware failure rnodes themselves are modeled in Top Events RC and RD. Failure of this event is treated as failure of the cold leg recirculation mode of ECCS. The long-term transfer to hot leg recirculation 14 hours after the LOCA starts (i.e., following . EOP ES 1.4) is not modeled. it is assumed that in the long period available before boron precipitation could become a problem, the operating staff will find a way to transfer to hot leg recirculation, even if initially unsuccessful. 3.1 81 31 Atodent sequente oehneam
Bav:r Vcil3y P:w r St:ti:n Unit 2 Revisl:n 0 1 Prchabill: tic RI:k Assessm:nt l
)
- Top Events RC and RD - RSS Cold Leg Recirculation Cooling, Train C and Train D.
These events model the availability of recirculation spray pump trains C and D, and the valve realignment needed to establish cold leg recirculation 1:aough the LHSI lines, Recirculation spray train C is aligned to recirculation core cooling train A, and recirculation spray train D is aligned to recirculation core cooling train B. The following equipment actions are modeled herein:
- Start and run of 2RSS*P21C and 2RSS*P21D following a CIB, or a manual start if a CIB does not occur, For purposes of this analysis, a CIB condition is assumed. (The operator actions are modeled in Top Event OR.) l
- Opening of the service water header valves for the coolers 2RSS*E21C and 2RSS*E21D; i.e., (2SWS*MOV103A and 2SWS*MOV1038).
- Proper positioning of suction and dischw;,e valves MOVs 2RSS 155C and 2RSS 155D are normally open and must remain eten. MOVs 2RSS 156C and 2RSS 156D must close, MOVs 2RSS 154C and 2RSS-154D, miniflow valves, must open. MOVs 2 SIS-8811 A and 2 SIS 88118 must open. Check valves in the injection paths must open, and MOVc 2 SIS-8888A and 2 SIS-88888, which are normally open, must remain so.
Because cold leg crossover valves 2 SIS-8887A and 2 SIS 88878 receive an automatic command to close from a recirculation mode signal, failure of Top Event RC or RD fails train A or B of cold leg recirculation, respectively. Subsequent reopening of 2 SIS 8887A and 2 SIS-8887B to establish lost recirculation will be considered as a recovery action.
- Top Event MU - Makeup to RWST This event models the operator action and equipment necessary to supply borated water makeup to the RWST The makeup actions are called for by procedure; i.e., EOP ECA 1.1 when RWST level is low and cold leg recirculation is unavailable.
Borated water from either the spent fuel pool or the boric acid tanks may be used to make up to the RWST, The spent fuel pool is normally filled to a level 20 inches aoove the technical specification limit. The technical specification required level is 23 feet above the top of the spent fuel. The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons. Emergency makeup from the service water system into M spent fuel pool is also possible but requires that a spool piece be installed. Since use of this system connection is not proceduralized, no credit for it is taken in the initial pt it model. At the fuel pool purification pump design rating of 400 l gpm, the extra sperc fuei nr 31 water inventory can be transferred in about 4.5 hours. The I required makeup rm e onler to sustain high head injection at a rate sufficient to maintrin RCS inventory above the fuek as indicated by Attachment A-4.7 of EOP ECA 1.1, is less than 200 gpm for tim::s greater than 100 minutes efter plant trip. Therefore, this volume of borated water is sufficient to last at least 9 hours, after makeup begins.
- Makeup from the boric acid tanks can only be provided at 120 gpm. At this rate, if the l RWST inventory is reduced sufficiently to require rnakeup in the first 8 hours after plant l trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would i be insufhcient, The;efore, makeup from the spent fuel pool is assumed required initially, and then to corJinue providing maxeup for 24 hours, manual blending operations using the boric acid tanks is also sequired.
Makeup from the spent fuel pool requires one of the two fuel pool purification pumps (i.e., 2FNC-P24A and 2FNC-P248) to start and run, and manual valves at the discharge of the 3.1-82 3M Accident Sequence Dehneabon.
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment pumps to the RWST must be opened. The spent fuel pal inventory should already be borated to 2,000 mm. 3 For makeup from the boric acid tanks and the primary grade water storage tank, using manual blender operations, the makeup alignment is more complex. Clean water from the primary water storage tanks (i.e.,1BR TK-6A and IBR TK 68) is bicndeJ with boric acid from the boric acid tanks; i.e.,2CHS-TK21 A and 2CHS-TK21B, Manual iitervention is required to ensure the proper blend of boric acid and clean water to achieve a mixed concentration of rou0hly 2.000-ppm boron. Both boric acid tanks, but only one primary water storage tank, are needed to supply sufficient makeup for the remainder of the 24 hour mission time; i.e., after successful transfer of the availabic s)ent fael pool inventory, only an additional 10 to 15 hours is needed. One of two of the primary water supnly pumps (i.e.,1BR-P-10A and 1BR-P-108) and either of the boric acid transfer pumps (i.e., 2CHS P22A and 2CHS P228) are required for success since the bor c acid transfer pumps can be crosstied. Success of Top Event MU means that continued HHSI injection can be performel for RCS inventory control at full RCS pressure despite continuing RCS leakage. For sequecm in which RHS cannot be placed in service because either the initial cooldown and depressurization could not achieve RHS entry conditions (i.e., less than 350 F and less than 360 psig) or the RHS system is unavailable, success of Top Event MU can be very important. Failure of Top Event MU means that inventory control is not avaitable, and eventual core damage results.
- Top Event RS - Recirculation Spray. The four recirculation spray pumps are automatically started following a 628 second delay after a CIB. This is to give the QSS pumps sufficient time to provide the required NPSH for the recirculation spray pumps.
l This delay time, however, may not be sufficient to allow ample water to collect in the containment sump if both OSS pumps fa The recirculating spray pumps must sometimes be manually turned off to prevent them from cavitating and then turned back on when NPSH 'is sufficient. Operator actions to first turn off and then to turn on the pumps are modeled in Top Events SM and OR. Both the suction and discharge MOVs from the containment sump and to the spray headers are normally open. The discharge check valves must open, if not already open. Trains A and B are dedicated to providing recirculation spray. Trains C and D are realigned following a recirculation mode signal, during LOCA scenarios, to provide in-vessel core cooling. Top Event RS includes the start and run of either recirculation spray trains A or B (or both) with the associated piping, valve operation, and spray header. Knowledge of success or failure of Top Event RS is required only for containment analysis; i.e., it does not impact the calculation of the core damage frequency. The model assumes that service water must be available to the RSS pump seals and associated spray coolers for RSS pumps 2R ,3 P21 A or 2RSS-P218 tor success of Top Event RS. This is conservative because service water to the seals or the coolers is not actually required for init.al RSS pump operation. They are only required for long-term successful containment heat removal. Due to this assurnption, the Unit 2 model does not identify sequences in which recirculation from the containment sump is successful but containment heat removal is failed. These so called " core vulnerable" sequences are instead modoled conservatively as failure of all containment recirculation and of heat removat. I Given successful operation of recirculation spray trains C and D for high pressure
- recirculation, but failure of recirculation spray trains A and B, it is possible that the train C 3.1-83 31 Accent sequence D eaton
Brav:r Vcil;y Pcw:r Stcti:n Unit 2 Rzvisi:n 0 Preb:bilistic Risk Ass:ssmsnt or D pump, if realigned, could also provide the recirculation spray function. This realignment is not modeled because it is currently not specified by procedures.
+ Top Event Cl- Containment isolation. This top event questions the failure to create and maintain an isolated containment following safety injection, CIA, and CIB signals. The containment penetrations explicitly modeled are
- Containment Major Vents and Drains; e.g., sump pump discharge
- Connections to RCS; e.g., RCP seal water return
- Connections to Containment Atmosphere; e.g., containment vacuum line This model also includes operator actions to ensure that the isolation valves remain clased (e.g., in EOP ES 1.1), after the resetting of the CIA and CIB signals. The safety injection CIA, and CIB siDnals are reset in accordance with procedures by the operators in a number of situations. Examples of such situations include: post-LOCA cooldown and depressurization (i.e., EOP ES-1.2), transfer to cold-leg recirculation (i.e., EOP ES 1.3), the response to loss of emergency coolant recirculation (i e., EOP ECA-1.1) and for safety l
injection termination (i.e., EOP ES-1.1). Manual isolation of the RCP seal return line during l a loss of all vital AC power (i.e., EOP ECA-0.0) is also modeled in tnis top event. The I status of containment isolation is needed for the containment analysis. 3.1.3.3 Large LOCA Event Tree Large LOCAs are quantified using a separate event tree from that of the general transient /smah LOCA event trees and the medium LOCA event tree. For example, only LHSI is required in the injection phase for core heat removal. This was found to be convenient to reflect the different system success criteria to mitigate large LOCAs. Table 3.1.2-5 - summarizes the system success criteria needed to ensure that each of the key safety functions is performed. More details concerning the system success criteria are provided in the top event descriptions that follow. For convenient reference, Table 3.1.3-4 summarizes the top events that appear in the large LOCA event tree model. The large LOCA event tree is shown in Figure 3.1.3-4.
- Top Event HH - High Head Safety injection Purqps. HHSt is only modeled to track whether water from the RWST is injected inside containment, This information is used in the Level 2 analysis to determine the containment response to postmett conditions, itis not used to determine the core melt frequency.
This top event models the two HHSI trains with pumps 2CHS*P21 A and 2CHS*P218. Success requires one pump train to b' e operable. The third pump, 2CHS*P2iC, may be electrically aligned ;o either orange or purple emergency power, if either of the other two pumps fail. Only two pumps at a time, however, receive an automatic start signal. Pump 2CHS*P21C is included in the model as a backup to either pump 2CHS*P21 A or 2CHS*P21B with the associated ope'rator actions to align it. If both pumps 2CHS*P21 A and 2CHS'P218 have failed, but the required support systems are available to each train, the operator is modeled as aligning pump 2CHS*P21C to train A. These pump trains share a common dependence on the single suction line from the RWST, which is modeled in Top Event VL of the support tree. The RWST itself is modeled in Top Event RW of the support tree. This top event includes consideration of the failure modes of the relevant pipes, valves, and the HHSI pumps needed to model availability of the HHSI. Failure of this event implies that HHSI is unavailable. Success of Top Event HH means that this function is possible and that the RWST inventory will be transferred to the RCS and eventually to the 5.1-84 31 Accident Sequence oekneation.
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment containment. HHS! further requires the availabihty of water in the RWST (i.e. Top Event RW), and of a flow path from the RWST to one of the three cold leg injection line entry points in the RCS; i.e., as modeled in Top Events VL and HC.
- Top Event HC - HHS! Cold Leg injection Paths. Both HHSI and LHSI provide flow to the t
RCS through the same three cold leg lines. Injection into one of three cold legs is sufficient for HHSI. It Top Event HH is successful (i.e., HHSI is available), then the three cold leg injection paths of interest include six check valves that are modeled in Top Event HC as follows:
- - To cold leg 21,2CHS*139 and 2 SIS'548 must open.
- To cold log 22,2CHS'138 and 2 SIS'550 must open.
- To cold leg 23,2CHS*137 and 2 SIS'552 must open.
Top Event HC also includes the redundant MOVs (i.e.,867A 8678,867C, and 867D) at the - pJmps discharge and the common check valve on the flow path from ihe pumps to the redundant M OVs. Success of both Top Events HH and HC assumes that the RWST inventory will be transferred to the RCS and eventually to the containment via the break. HHSI is only modeled to track whether water from the RWST is injected inside containment. This information is used in the Level 2 analysis to determine the containment response to postmelt conditions, it is not used to determine the core melt frequency,
- Top Event AL - Two of Two Accumulators Discharge. Current success criteria for large LOCAs require adequate accumulator discharge to avoid core melt. Top Event AL requires the water from two accumulators to enter the vessel, it is traditionally assumed that the water from one accumulator is lost out of the break during a large LOCA because certain cold leg break locations will cause this to occur. Accordingly, Top Event AL is assumed to be successful if two of two accumulators and associated valves operate properly.
The equipment included in this top event is as follows; _
- The accumulator tanks at the specified 600 psia over pressure.
F
- ; - MOVs 2 SIS-865A,2 SIS-8658, and 2 SIS-865C on the discharge lines. These valves ,re normally open with power removed durmg Modes 1 and 2. In addition, they are given a safety injection signal to open.
- Two normally closed check valves in each accumulator discharge fine must open.
Rilure of Top Event AL implies that as a result of the LOCA, the core uncovers, and oetore RCS pressure drops sufficiently to allow adequate injection, fuel damage occurs. Success of Top Event AL means that sufficient water is injected to keep the fuel cooled until RCS pressure falls to allow adequate injection via the LHS1 pumps.
- Top Event LH - Low Head Safety injection Pumps. This top event queries the availability of LHSl pump trains providing flow from the RWST suction valves 2 SIS-8809A and 2 SIS-88098 through the pumps 2 SIS *P21 A and 2 SIS'P21B to the discharge check valves 2 SIS *6 and 2 SIS *7 and manual valves 2 SIS *3 and 2 SIS *4 up to the point where recirculation spray flow joins the lines. Failure of both trains is treated as leading to core damage.
For the purpose of containment status, success of LHSI is treated as transfer of the RWST inventory into the reactor vessel. The status of RWST inventory in the containment, 3.1-85 31 Accident Sequence o%neation.
B :v:r Vcil:;y P:wcr Stati n Unit 2 Rcvisisn 0 Prcb bilistic Risk Ass:;ssm:nt particularly in the sump and reactor cavity, is required for containment analysis, should the accident progress to core dama00-
- Top Event LL - Low Head Cold Leg injection Path and Valves 2 SIS *MOV8888A and 2 SIS *MOV8888B and Valves 2 SIS *132 and 2 SIS *133. Both HHSI and LHSI provide flow to the RCS through the same three cold leg lines. Injection into one of two cold legs is sufficient for LHS!. The third cold leg injection loop is assumed not to be available because of the break. For LHSI, as required for large LOCAs, the cold leg injection paths of interest involve six check valves th9 are modeled in Top Event LL as follows:
- To cold leg 21,2 SIS *107 and 2 SIS *548 must open.
- To cold leg 22,2 SIS *108 and 2 SIS *550 must open.
- To cold leg 23,2 SIS *109 and 2 SIS *552 must open.
Valves 2 SIS *548, 2 SIS *550, and 2 SIS *552 are also modeled in Top Event HC. Failure of Top Event LL is conservatively treated as precluding all injection. One of these cold legs must provide a flow path. Top Event LL also includes the LHSI train flow paths downstream of the recirculation line connections; that is, one of two of the following paths must be available:
- MOV 2 SIS *8888A snd 2 SIS *133,
- MOV 2 SIS *8888B and 2 SIS *132.
- Top Event QS - Quench Spray. A containment pressure of 8 psig initiates a CIB signal, which starts both QSS pumps. The MOVs in the suction and discharge piping are normally open. Check valves in the discharge piping would be required to open, if not already open. The QSS is not required for core melt prevention, its operation influences the time to depletion of the RWST, and knowledge of its availability is required for containment analysis, in the plant sequence model, a containment pressure of 8 psig is assumed to be reached for all LOCA sizes. The modeling assumes that one of two of the OSS pumps are needed to fill the containment sump to provide minimum NPSH for the recirculation spray pumps.
Large LOCA sequences in which both QSS pumps fail would lead to very high pressures in the containment; i.e., beyond the containment design pressure. However, the peak pressures projectcd for the blowdown are not expected to exceed the realistic containment pressure capacity, which, by analogy with the Surry plant design, is believed to be greater than 100 psia. During and after the blowdown, natural heat transfer to the containment walls and later containment heat removal via the RSS coolers should continue to limit containment pressure to less than the realistic containment pressure capacity. Therefore, the model assumes that large LOCA sequences with QSS failure do not overpressurize the containment.
- Top Event SM - Containment Sump. This event includes three failure modes: (1) tallure to stop RSS pumps if necessary to avoid pump cavitation, (2) unavailability of the containment sump (e.g., due to plugging with containment debris), and (3) common cause unavattability of all four recirculation spray trains. If Top Event SM fails, then all recirculation spray pumps are ineffective, and neither recirculation spray nor recirculation mode core cooling is available.
The assessment of sump unavailability assumes that the scenario has not yet progressed to a core damage condition. Postmelt containment environment effects (i.e., sump plugging) are deferred for consideration in the Level 2 analysis. 3.1-86 3.1 Accident sequence oenneation
- - - " . a eJ - -- e- u%-- -- -- - - A -
Bsevsr Vallsy Powsr Station Unit 2 Revision 0 Drobabilistic Risk Assessment (' + Top Event OR - Automatic / Manual Actions for Cold Leg Recirculation. This event modelu
!\ . the automatic signal to transfer to recircu!.ation, and the operator actions considered in realigning the plant from the injection mode to the low pressure recirculation modo fo' LOCA sequences when RWST inventory level is low. Proper calibration of the RWST tevel sensors is considered in the model.
When the RWST level reaches 450 inches, the operators are instructed to enter EOP ES 1.3, verify that the system is properly aligned, and, if not, manually align for cold leg recirculation. (Actions to reset the safety injection si 0nal, such as in EOP E-1, do not reset the recaculation modo signal.) The recirculation mode signal, however, does not then restart the recirculation spray pumps. The operators must manually restart the pumps in order to complete the recirculation switchover, it the pumps had been stopped previously to avcid cavitation caused by insufficient NPSH. For large LOCAs, the RSS pumps need only be stopped to avoid pump cavitation if both QSS pJmps fail. With only one QSS pump operating, sufficient water should be available in the sump by the time the RSS pumps have started. Also considered in this top event is the isolation of the four paths from the recirculation lines to the RWST. This is to ensure that water from the containment sump is not inadvertently pumped back into the RWST and thus is unavailable for recirculation. The four lines considered are the two flow paths back through the idle LHSI pumps and MOVs 2 SIS 8809A or 2 SIS-88098, and reverse flow through the two HHSI suction valves (2CHS-115D and 2CHS-11SB). Failure of the redundant valves on any one of these j pathways to reseat or reclose is assumed to result in failure of Top Event OR, t' Establishment of separate recirculation flow paths by isolating the redundant lines from each other is not considered necessary for success. The modet, however, conservatively i assumes that the trains are isolated. Isolation of the lines in this case can actually reduce system availability because, once separated, it then requires operator action to establish crossover paths to recover from certain combinations of failures that involve two trains. These failure combinations are believed to be more likely than single pipe breaks, which is the reason that the operators are instructed to isolate the trains. This event includes operator actions to control service water flow to the RSS coolers to control containment pressure and verification and establishment of correct valve alignment for recirculation. The valve hardware failure modes themselves are modeled in Top Events RC and RD. Failure of this event is treated as failure of the cold leg recirculation mode of ECCS. The long term transfer to hot leg recirculation 14 hours after the LOCA starts (i.e., following EOP ES-1.4) is not modeled. It is assumed that in the_long period available before boron precipitation could become a problem, the operating staff will hnd a way to transfer to hot leg recirculation, even if initially unsuccessful.
- Top Events RC and RD - RSS Cold Leg Recirculation Cooling, Trains C and D. These events model the availability of recirculation spray pump Trains C and D. and the valve realignment needed to establish cold leg recirculation through the LHSI lines.
Recirculation spray train C is aligned to recirculsion core cooling train A, and recirculation spray train D is aligned to recirculation core cooling train B.
=V The following equiprnent actions are modeled herein:
3.1-87 31 Accment Sequence ochneahon
B:cv:r Vclhy Pow r Station Unit 2 Revision 0 Pr:bcbilistic Risk Assessment
- Start and run of 2RSS'P21C and 2RSS*P21D following a CIB, or a manual start if a CIB does not occur. For purpores of this analysis, a CIB condition is assumed. (The I operator actions are modeled in Top Event OR.)
- Opening of the service water header valves for the coolers 2RSS*E21C and 2RSS'E21D; i.e.,2SWS*MOV103A znd 2SWS*MOV103B.
- Proper positioning of suction and discharge valves MOVs 2RSS-155C and 2RSS-155D are normally open and must remain open. MOVs 2RSS-156C and 2RSS-156D must close. MOVs 2RSS-154C and 2RSS-154D, miniflow vt.lves, must open. MOVs 2 SIS-8811 A and 2 SIS-88118 must open. Check valves in the injection paths must open, and MOVs SSIS-8888A and SSIS 88888, which are normally open, must remain So.
. Because cold leg crossover valves 2 SIS-8887A and 2 SIS-8887B receive an automatic command to close from a recirculation mode signal, failure of Top Event RC or RD fails train A or B of cold leg recirculation, respectively. Subsequent reopenin0 of 2 SIS-8887A and 2 SIS 8887B to establish lost recirculation is not considered.
1
= Top Event MU - Makeup to RWST, Given Recirculatien Falls. This event models the l l operator action and equipment necessary to supply berated water makeup to the RWST. l The makeup actions are called for by procedure; i.e., EOP ECA-1.1 when RWST level is I
low and cold leg recirculation is unavailable. Borated water from either the spent fuel pool or the boric acid tanks may be used to make up to the RWST. The spent fuel pool is normally filled to a level 20 inches above the technical specification hmit. The plant techmcal specification required level is 23 feet above the top of the spent fuel. The total supply of borated water available for rapid makeup to the RWST is then approximately 108,000 gallons. Emer0ency makeup from the service water system into the spent fuel pool is also possible. Since use of this system connection is not proceduralized, no credit for it is taken in the initial plant model. At the fuel pool purification pump design rating of 400 gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours. The required makeup rate in order to sustain high head injection at a rate sufficient to maintain RCS inventory above the fuel, ar indicated by Attachment A-4.7 of EOP ECA-1.1, is less than 200 gpm for times Greater j than 100 minutes after plant trip. Therefore, this volume of borated water is enough to last at least 9 hours, after makeup begins. Makeup from the boric acid tanks can only be provided at 120 gpm. At this rate, if the RWST inventory is reduced sufficiently to require makeup in the first 8 hours after plant
- trip, then the alternate mode of providing boratea makeup, via the boric acid tanks, would
! be insufficient. Therefore, makeup from the spent fuel pool is assumed required initially, and then to cont nue providing makeup for 24 hours, manual blending operations using the boric acid tanks is also required. j Makeup from the spent fuel pool requires one of the two fuel pool purification pumps (i.e., 2FNC P24A and 2FNC-P248) to start and run, and manual valves at the discharge of the pumps to the RWST must be opened. The spent fuel pool inventory should already be borated to 2,000 ppm. l For makeup from the boric acid tanks and the primary grade water storage tank, using manual blender operaticns, the makeup alignment is more complex. Clean water from - the primary water storage tanks (i.e.,1BR-TK-6A and 1BR-TK-68) is blended with boric acid from the boric acid tanks; i.e.,2CHS-TK21 A amd 2CHS-TK218. Manual intervention i3 required to ensure the proper blend of boric acid and clean water to achieve a mixed 3.1-88 11 Ament Sequence oehneabon.
Beavar Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment O concentration of approximately 2,000-ppm boron. Both boric acid tanks, but only one primary water storage tank, are needed to supply sufficient makeup for the remainder of the 24-hour mission time; i.e., after successful transfer of the available spent fuel pool inventory, only an additional 10 to 15 hours is needed. One of two of the primary water supply pumps (i.e.,1BR P-10A and 1BR P-106) and either of the boric acid transfer pumps (i.e.,2CHS P22A and 2CHS P228, which can be crosstied) are required for success. Success of Top Event MU means that continued HHS! injection can be performed for RCS inventory control at full RCS pressure despite continuing RCS leakage. For sequences in which RHS cannot be placed in service because either the initial cooldown and depressurization could not achieve RHS entry conditions (i.e., less than 350*F and less than 360 psig) or the RHS system is unavailable, success of Top Event MU can be very important. Failure of Top Event MU means that inventory control is not available, and eventual core damage results.
- Top Event RS - Recirculation Spray Pump A or B. The four recirculation spray pumps are automatically started following a 628-second delay after a CIB. This is to give the QSS pumps sufficient time to provide the required NPSH tor the recirculation spray pumps.
This delay time, however, is not sufficient to allow ample water to collect in the containment sump if at least one QSS pump does not operate. The recirculating spray pumps must sometimes be manually turned off and then turned back on when NPSH is sufhcient. Operator actions to first turn off and then to turn on the pumps are modeled in Top Events SM and OR. Both the suction and discharge MOVs from the containment sump and to the spray headers are normally open. The discharge check valves must open, if not already open. Trains A and B are dedicated to providing recirculation spray. Trains C and D are realigned following a recirculation modo signal, during LOCA scenarios, to provide in-vessel core cooling. Top Event RS includes the start and run of either recirculation spray train A or B (or both) with the associated piping, valve operation, and spray header Knowledge of success or failure of Top Event RS is required only for containment analysis; i.e., it does not impact the calculation of the core damage frequency. The model assumes that service water must be available to the RSS pump seals and associated spray coolere for RSS pumps 2RSS P21 A or 2RSS P218 for success of Top Event RS. This is conse.vative because service water to the seals or the coolers is not actually required for initial RSS pump operation. They are only required for long-term successful containment heat removal, Due to this assumption, the Unit 2 model does not identify sequences in which recirculation from the containment sump is successful but containment heat removal is failed. These so-called " core vulnerable" sequences are instead modeled conservatively as failure of all containment recirculation and of heat removal. Given successful operation of recirculation spray trains C and D for high pressure recirculation, but failure of recirculation spray trains A and B, it is possible that the train C or D pump, if realigned, could also provide the recirculation spray function. This realignment is not modeled because it is currently not specified by procedures. Containment heat removal can be provided by trains C or D without realigning for containment spray. I
- Top Event Cl- Containment 1sclation. This top event questions the failure to create and maintain an isolated containment following safety lnjection, CIA, and CIB signals. The containment penetrations explicitly modeled are 1
3.1-89 31 Academ Seynce D@neLon
B:ay;r Vcil:y Power Stetlon Unit 2 Revision 0 Probabilistic Risk Ass:ssment
- Containment Major Vents and Drains; e.g., sump purnp discharge
- Connections to RCS; e g,, RCP seal water return .
- Connections to Containment Atmosphere; e.g., containment vacuum kne This model also includes operator actions to ensure that the isolation valves remain closed (e.g., in EOP ES-1.1), after the rese!!ing of the CI A and CIB signals. The safety injection, CIA, and CIB signals are reset in accordance with procedures by the operaturs in a number of situations. Exarnples 01 such situations include: post-LOCA cooldown and depressurization (i.e.. EOP ES-1.2), transfor to cold-leg recirculation (i.e., EOP ES-1.3), the response to loss of emergency coo l ant recirculation (i.e., EOP ECA-1.1), and for safety injection termination: i.e., EOP ES-1.1. To simplify the model, when evaluating Top Event Cl, it is conservatively assumed that resetting CIA and CIB was always performed so that this potential failure mode is always included. Manual isolation of the RCP seal return line during a loss of all vital AC power (i.e., EOP ECA-0.0) is also modeled in this top event. The status of containment isolation is needed for the containment analysis.
3.1.3.4 Steam Generator Tube Rupture Event Trees SGTR initiating events are quantified using two event trees; i.e., SGTR and SGTRRECIRC. Table 3.1.2-6 summarizes the system success criteria needed to ensure that each of the key safety functions is performe1 More details concerning the system success criteria are provided in the top event riescriptions that follow. For convenient teference, Tables 3.1.3 5 and 3.1.3-6 summarize the top events that appear in the SGTR event tree models. The SGTR event tree structures are dispinye d in Figures 3.1.3-5 and 3.1.3-6. Steam generator tube rupture events that result from other initiating events (e.g., steam line breaks) are not modeled. It han been postulated that in a steam line break accident with limited AFW flow, the affected steam generator may experience one or more drying and rewetting transients, which tvould be very hard on the tubes. Such consequential steam generator tube failures are not n odeled. They have not been modeled in other PR As. Scoping analyses of this issue are documented in Reference 3.1.3-5. The reference suggests that steam line break and ATWS induced tube ruptures may be significant. However, the analyses noted that 75% wall penetrations would be necessary where Beaver Valley is limited by plant technical specificat;or;s to less than 40% wall penetration. This suggests that the probability of an induced tube rupture caused by sequences involving an increased pressure drop across the tubes vrould be much lower for Beaver Valley. Thermally induced tube ruptures are considered separately in the back-end analysis, as documented in Section 4. The SGTR event considered herem is for a single tube offset rupture. Multiple tube rupture events would be more seveic, but also much less freauent. Previous PR A studies (e.g., for indian Point, Seabrook, and Diablo Canyon) have argued that such initiators are much less risk significant than the modeled single tube offset. This is assumed to be the case for Beaver Valley Unit 2. No plant-specific features have been identified that make Beaver Valley Unit 2 more suscephble. The following described top events make up the SGTR event tree.
- Top Event OT - Operator Action To Manually Trip the Reactor. This event models only the operator action to manually trip the rehttor from the control room. The equipment needed to actuate in order to trip the reactor is modeled in Top Event RT. This particular operator action is separated to enhance visibility and to ensure that a sut'sequ e nt 3.1-90 31 Acaoent secuence Denneation.
. _ . . .~ . ~.- -
, l 1 1 Beaver Valley Power Station Unit 2 Revision 0 ! i Probabilistic Risk Assessment i 1 O operator action.along the same sequence (Top Event RI in ATWS tree) is made dependent
~h on the status of this action.
- Top Event RT - Automatic and Manual Reactor Trip. This top event considers the 2.
automatic reactor trip system function and the backup operator actions to manually trip the reactor. The backup manual actions are accounted for by evaluating Top Event RT l conditionally on the status of Top Event OT. Success of this event requires that at least 1 of 2 reactor trip breakers open (or the initiator is a loss of offsite power), and that 47 of 48 control rod clusters are inserted into the reactor core. This assumption is conservative j because, for many times during the operati..g cycle, depending on the particular accident j sequence of interest and on the particular arrangement of control rod clusters that fail to j irisert, many more than one such cluster may fail to insert and yet the reactor rnay remain
- subcritical. Major equipment inodeled in this top event includes the andervoltago coils, shunt trip coils, reactor-trip breakers, and the control rods. Suct Mul operation of at least one train of SSPS, manual operator action to initiate reactor trip, or a loss of offsite power is required for success of Top Event RT. Failures of Top Event RT are only considered further in the ATWS event tree; i.e., Section 3.1.4.
f
- Top Event TT - Turbine Trip. This event models the likelihood of the turbine to trip i following an initiating eved. Success requires that all four steam stop valves or all four
- governor valves must close. The signal to close comes from the auxiliary contacts on the
! reactor trip breakers, which goes through SSPS. An additional turbine trip signal is l provided by AMSAC, which does not go through SSPS, No credit is given for the AMSAC 1 signal except in the ATWS tree (Section 3.1.4) where reactor trip fails.
- Top Event MS - Main Steam Isolation, This event models the successful isolation of the
% - main steam lines by closure of at least two of three MSIVs.
- For steam Generator tube rupture initiators, the status of main steam isolation is only of j interest if the turbine fails to trip; i e., it is otherwise assumed not to have an impact on i subsequent events. Failure of both Top Events TT and MS leads to failure of the i turbine-driven AFW pump; i.e., failure of two or three MSIVs to close is conservatively modeled as if all three failed to isolate.
Consideration of MSIV closure for the purpose of isolating the ruptured steam generator is modeled in Top Event SL.
- Top Event AF - Auxiliary Feedwater System Provides from One Pump to at least one bleam Generator. For success of Top Event AF, at least one pump is required to supply at least one of two steam generators for 24 hours. Each of the two motor driven pumps and the one turbine-driven pump are headereo to provide flow to any of the three steam generators. However, steam flow from tha ruptured steam generator is assumed unavailable; i.e., cuccessfully isolated.
The AFWS is demanded by a safety injection signal For the initial PRA model. credit is only given fo' those signals that go through SSPS, This top evem includes the required valve position changes, pump starts, and pump operation to provide flow to the steam generator by taking suction from the PDWST (2FWE'TK210) or the service water system. 11 also incNdes the equipment and operator actions needed to provide long-term makeup from the DWST (2WTD-TK23) to the PDWST. The principal mode of makeup is automatic, using a modulating supply valve (2FWE-LCV104A) that passes up to 200 gpm flow from either of two 350-gpm capacity demineralized water distribution pumps 2WTD-P23A or 2WTD-P238. The second source of make-up is through an 8-mch line that foeds up to 585 gpm to the PPDWST from the DWST 3.1 91 31 Accident sequence Dehneation,
B:av:r Vall:y Pcw:r St:ti:n Unit 2 Revisien 0 Prcb:bilistic Risk Ass:ssm:nt through a normally locked-closed manual valve. Thia valve (2FWE*1165) must be opened before the PPDWST is depleted, approximately 6 to 9 hours after pump start. Service water would be used only if no other source of water is available, and if the PDWST level has decreased to less than 25 lnches. Given that the MSIVs are closed (i.e., so that the condenser steam dumps are not available), decay heat may still be removed by AFWS using one of the following sets of valves:
- Steam Generator Atmospheric Steam Dumps (nomintity set at 1,040 psig) (only two available)
- Residual Heat Release Valve (manually controlled, but not used for SGTR)
- Steam Generator Safety Valves (setpoints range from 1,075 to 1,125 psig) !
Historical data and previous analyses for other plants iredicate that the failure-to-open frequency of these valves is sufficiently small so that modeling the failure to open of at least one of these sets of valves is not required in thia study. Failure to achieve at leaFt l one steam relief path for DHR would not be a dominant risk contributor. Therefore, to l simplify the model, such failures are neglected, This assumption is even more valid if the MSIVs are open, and if flow through the condenser steam ciumps is possible. l Failure of this event is modeled as placing a demand on the condensate, MFW pumps and valves, or startup feed pump and valves to provide steam generator feed flow. This modeling is consistent with the sequence of EOPs found in ES-0.1 and FR-H.1 for loss of AFW sequences.
- Top Event OF - Manual Actions To Reestablish MFW. This event models the operator actions to reestablish MFW following a safety injection signal due to the SGTR event that resulted in a full feedwater isolation.
-lf AFW is insufficient, the operators look to the MFW equipment to provide flow to at least one steam generator through either the feedwater control and regulating valves of the feedwater bypass valves.
Should the AFW system fail to provide sufficient water and the MFW pumps are not operating, then EOP FR-H.1 is entered. Following a safety injection signal, the reactor would trip; a feedwater isolation signal would close feedwater isolation valves; control and regulating valves, and the bypass valves; and it would shut off the startup and MFW pumps. The AFW pumps would actus:e from the safety injection signal. If pressure in the containment rises above 3 psig, the MSIVs would close isolating the steam lines. EOP E-0 instructs the operator to verity and close all feedwater control and bypass valves, and to stop rnain feed pumps as required, following a safety injection signal. These equipment responses are assumed to be successful because they lead to a requirement for subsequent manual intervention in order to reestablish MFW, if AFW fails. Since the MFW pumps are tripped off, this event j models the operator actions noted in EOP FR-H.1. Functional response EOP FR-H.1 provides the steps to recover from an initial loss of flow to the steam generators, given that AC power is available. The procedure calls for restoration of secondary heat sink in the following order:
- AFW 3.1-92 31 Accioent se-oence oehneanon.
Beavsr Vallay Power Station Unit 2 Revision 0 Probabilistic Risk Assessment p - MFW by Using the Startup Feed Pump in Accordance with OM-2.24-4A (preferred), or A one MFW Pump
- Condensato System into a Depressurized Steam Generator ,
- Bleed and Feed The operators must reset the safety injection and the feedwater isolation signal in order to reopen the feedwater isolation valve. These isolation valves and the feedwater bypass valves must be opened to allow the startup feed pump, MFW pumps, or the condensate system to feed the steam generators. As a simplifying approximation, the model conservatively neglects the potential of achieving flow from the condensate system through a depressurized steam generator; i.e., given that both the MFW pumps and the startup pumps are unavailable.
- Top Event MF - Condensate /Mainfeed/ Start Up Feed. This event includes the ability of the main condenser and the condensate system to provide sufficient flow and NFdH to either a MFW pump or startup feed pump, and the ability of main feed or startup feed pumps to provide flow to a steam generator. Failure of condensate system precludes both main feed and startup feed flow to the steam generators, The condensate system is not available if normal (nonemergency) power is lost.
The condenser hotwell maintains a water volume of about 71,000 gallons by virtue of a gravity feed line from the TPDWST (2WTD-TK211), assuming condenser vacuum is maintained, the TPOWST contains 200,000 gallons. To achieve a continuous supply of steam generator feed at 350 gpm for 24 hours, either the MSIVs and condenser steam dump valves must be open, or a makeup supply to the TPDWST must be provided. The TPDWST is filled from the demineralized makeup system. Upon low level indication, the fill line level control valve is actaated, the level in the TPDWST is indicated, and the low /high level is experienced. For simplicity, this model assumes one of four success paths: (1) makeup to the TPDWST is provided from the DWST (2WTD-TK23), or (2) makeup from the DWST is supplied directly to the condenser hotwell, or (3) the MSIVs and condenser steam dump valves are opened before depletion of the TPDWST, or (4) feeowater flow is successfully controlled to less than 350 gpm to match decay heat so that for 24 hours, even without makeup, sufficient water is available for condensate pump suction. The analysis of this top event includes only the fa::ure modes involving the equipment mentioned. The operator actions are modeled in Top Event OF. The equipment response modeled includes the feedwater isolation and regulating valves are opened, recirculation valve 2FWR-FCV155 and startup feed pump injection valve MOV152 are opened, the startup feed pump or one MFW pump starts (DC control power supplied from a nonemergency bus) and runs, and the startup feed seal water pump starts and runs. Failure of Top Events MF and AF is treated as a requirement to establish cooling via feed and bleed. Therefore, the operator actions to restore adequate MFW flow must be accomplished prior to the time when feed and bleed is to be initiated; i.e., < 8% wide range level in at least two steam generators. The model assumes that the RCPs are tripped in accordance with EOP FR-H.1, if both Top Events AF and MF are unavailable. D + Top Event OB - Bleed and Feed Cooling. This event is queried if no other source of d secondary heat sink is available; i.e., Top Events AF and MF failed. The operator actions considered in this event are in EOP FR-H.1. In particular, the operators mitiate safety injection, open the PORVs, reopen the PORV block valves after their automatic closure, ensure that at least one pressurizer relief line flow path remains open, and verity HH31 3.1-93 31 accent sequence Denneanon.
Bm:ver Vcil::y Powrr Station Unit 2 Revision 0 Prebabilistic Risk Asussmsnt pump operation. If the PORV blon valves were initially closed prior to the initiating event, power must be then restored to these vah/es in order to open them. Following automatic closure of the block valves on low RCS pressure, the low RCS pressure blxk valve closure signal is defeated by arming the cold overpressure protection signal, and the valves are then reopened. To extend the time available to initiate feed and bleed cooling, the operators must have stopped the RCPs earlier, in accordance with EOP FR-H.1. Hand calculations based on pamp capacities, decay heat levels, and pressurizer PORV relief capacity have been performed to investigate the success criteria for feed and bleed , cooling at Beaver Valley Unit 2. These calculations are documented in Reference 3.1.3-1. It was concluded that for Beaver Valley Unit 2, one HHSI pump with one cold leg injection path and relief via one PORV train would provide adequate core cooling. Failure of this event is treated as a cortplete loss of reactor cooling without possibioty of depressurization for LHSI prior to core damage. In addition to the operator actions, the equipment that must function to provide at least one pressurizer relief path (i.e., the PORVs and associated block valves) is modeled in this top event. The HHSI pumps are modeled in Top Event HH.-
- Top Event HH - High Head Safety injection Pumps. This top event models the two HHSI trains with pumps 2CHS*P21 A and 2CHS'P218. Success requires ont pump train to he operable. The third pump,2CHS*P21C, may be electrically aligned to either orange or purple emergency power, if either of the other two pumps fail. Omy two pumps at a time, however, can receive an automatic start signal. Pump 2CHS*P21C is included in the model as a backup to cither pump 2CHS'P21 A or 2CHS'P21B with the associated operator actions to align it. If both pumps 2CHS*P21 A and 2CHS*P218 have failed, but the required suppor^ systems are available to each train, the operator is modeled as aligning pump 2CHS*P21C to train A.
These pump tra:ns top events share a common dependence on the single suction line from the RWST, which is modeled in Top Event VL of the support tree. The RWST itself is roodeled in support system Top Event RW. EOP E-O asks the operators to recognize if the RCS is intact. If they decide that the RCS is intact following a LOCA, they are then instructed to go to EOP ES-1.1 for " Safety injection Termination." There is a danger, as occurred at TMI. that the HHSI will be temporarily stopped. EOP ES-1.1, however, provides for a recheck of safety injection termination and an escape back to EOP E-1. Nevertheless, this potential error of commission is included in the system model for this top event. This top event includes consideration of the failure modes of the relevant pipes, valves. and the HHSI pumps needed to model availability of the HHSI. Failure of this event implies that HHSI and charging flow for RCP seal injection are unavailable. Success of Top Event HH means that these two functions are possible. HHS1 further requires the availability of water in the RWST (i.e., Top Event RW), and of a flow path from the RWST to one of the three cold leg injection line entry points in the RCS; i.e., as modeled in Top Events VL and HC. Success of RCP seal injection does not require flow from the RWST, provided that the VCT remains available as a source of water for HHSI pump suction. Successful RCP seal injection flow also requires that flow paths from the discharge of the l operable HHSI pump to each of the RCP seals be available. These RCP seal injection l flow paths are modeled in Top Event SE. l 3.1-94 M Accident Sequence Dehneahon.
f Bnvsr Vall2y Pcwsr Station Unit 2 Revision 0 Pr:bsbilistic Risk Asssssmsnt O
- Top Event HC - HHSI Cold leg injection Paths. Both HHSt and LHSI provide flow to the l b' RCS through the came three cold leg lines. Cnjection into one of three cold legs is l
sufficient for either HHSI or LHSI, if Top Event HH is successful (i.e., HHSI is available).
- then the three high head cold leg injection paths of interest include six check valves that are modeled in Top Event HC as follows: J
- To cold leg Pi,2CHS'139 and 2 SIS *548 must open.
- To cold leg 22,2CHS*138 and 2 SIS *S50 must open.
- To cold leg 23,2CHS*137 and 2 SIS *552 must open, Top Event HC also includes the redundant MOVs (i.e.,867A,8678, 867C, and 867D) at the pumps discharge and the common check valve on the flow path from the pumps to the redundant MOVs,
- Top Event SE - RCP Seal Ir.jection/ Thermal Barrier Cooling. The charging system provides RCP seal injection. Normally, the CCP system provides RCP thermal barrier cooling, bearing cooling, and motor cooling. Either thermal barrier cooling provided by CCP or seal injection provided by the charging system is sufScient to prevent e seal LOCA if the RCPs are not running.
Top Event SE models RCP seal cooling from both thermal barrier cooling and seal injection. RCP seat injection is modeled as a success path if one of the HHSI (cl.arging) pumps is successful, and either flow from the RWST is available or there has not been an automatic switchover to the RWST and flow from the VCT remains available. O V Switchover of HHSI pump sucticn from the VCT to the RWST occurs on a safety injection signal. Switchover to the RWST also is necessary on low VCT tevel. On low level, the ( switchover may occur automatically or be initiated manually. Isolation of letdown alone is l assumed to not require switchover becauso normal charging should automatically run back to minimum flow. However, loss of vital instrument bus I,11, or 111 (i.e., red, white, or blue) could lead to failure of pressurizer level control depending on how the system is aligned, if the failure involves vital instrument channel 1, there is also a loss of automatic makeup to the VCT. Locs of pressurizer level control results in full flow from normal charginq, . Operator action is then required *o restore pressurizer level control before switchover occurs. The flow path from the common charging header to all three RCP seals is also included in the Top Event SE model. All three charging pumps are headered so that any one pump can provide seal injection to all three RCPs. The valves in the saal injection flow path are either motor-operated and normally open, or manual and riormally open. If CCP flow to the RCPs is unavailable but the RCPs continue to run, then success of Top Event SE requires that the operators trip the RCPs before any seal damage occurs due to pump vibration whether one rnode or both modes of seal cooling are available later. l Thermal barrier cooling for the RCP seals is modeled in support system Top Event TB. If l Top Event TB is successful, RCP seal injection is not required. Top Event SE is queried l following steam generator tube rupture initiating ever,ts with a successful isolation of the I pressurizer; i.e., no RCS leakage. This event is considered irrelevant if a LOCA caused by a stuck open pressurizer PORV has already occurred. Failure of Top Event SE is b assumed to lead to a small LOCA by virtue of RCP seal leakage. l
- Top Event SL - Secondary Leakage to the Environment. This event models the operator actions and equipment needed to isolate the ruptured steam generator from the
! 3.1-95 31 Accent Sequence Dehneation.
Brav2r Vall:y Power Station Unit 2 Revision 0 Prebsbilistic Risk Assessmsnt environment. The analysis of actions to isolate the ruptured steam generator is simplified by' assuming that the corresponding MSIV and all steam valves upst.eam must close. The operators must identify and manually isolate these valves, if open, in accordance with EOP E-3. The valves that must close are, in addition to the MSIV, the five safety relief valves, the steam generator atmospheric relief valvo, the residuai heat release valve, the steam generator blowdown valves, and the steam supply from the ruptured steam generator to the turbine-driven AFW pump. In requiring each of these valves to close, it is conservatively assumed that thn steam generator atmospheric steam dump, the five safety valves, and the residual heat release valve t. ave all opened sometime during the sequence. In addition to identifying and isolating the ruptured steam generator to prevent it from leaking, the operators must also control feedwater level to ensure that it does not overfill the ruptured steam generator (i.e., EOP E4) and stop unnecessary HHSt pumps (i.e., EOP E 3, EOP ECA-3.1, EOP ECA-3.2, and EOP ECA-3.3) to allow RCS pressure to be reduced. Failure of the operators to limit these later challenges to the same stearn valves on the ruptured steam generator is conservatively assumed to lead to a failure of Top Event SL due to repeated challenges to the steam valves to pass water and then reclose. A second operator action is also included to consider locally isolating one of the ruptured steam generator valves should it stick open follow!ng the initial challenge. Except for the MSIV and the steam generator safety valves, EOPs (i.e., EOP E-3 and EOP E-2) instruct the operator to isolate the steam generator steam valves locally if they cannot be closed remotely. A similar operator action to locally ga0 a stuck-open safety valve is also believed credible, though not explicitly specified by procedures. Two operator actions are included in the model for Top Event SL to consider these local valve isolations as a backup. While failure of the ruptured steam generator MSIV to close could be mitigated by isolating all three secondary steam lines downstream of this valve, this success path is conservatively neglected in the Top Event SL model. This alternative path to secondary isolation may be considered in the future on a sequence-specific basis. Success of Top Event SL means that the ruptured steam generator is initially isolated. Failure of Top Event SL means that a release path from the RCS to the environment is ! available; consequently, to preserve RCS inventory, the RCS pressure must be reduced and maintained below the ruptured steam generator pressure, or a long-term source of RCS makeup must be provided. Normally, the operators would be required to place RHS in service in order to proceed to cold shutdown, effectively stopping the leak. If RCS inventory control cannot be established (i.e., either by continued makeup or stopping the leak), eventual core damage is assumed with containment bypass through the ruptured steam generator.
- Top Event CD - Cooldown of RCS and Depressurization of Secondary Side. This event models the operator action and equipment needed to cool down the primary and depressurize the secondary in order to subcool or saturate the RCS relative to the ruptured steam generator pressure. Some form of steam generator cooling (i.e., on either AFW or MFW) is required. This action covers steps in EOP E-3. EOP ECA-3.1, EOP ECA-3.2, and/or EOP ECA-3.3. Failure of this event implies that the steam generators are not used for active plant cooldown to stop leaka0e from the RCS to the ruptured steam generator. Failure of this event is assumed to result in an eventual filling of the ruptured steam generator and. subsequently, continued leakage from the ruptured steam generator into the environment.
3.1-96 31 Acc@ ant smuence Dohneaton.
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment Two of two intact steam generators' atmospheric dump valves are assumed to be required for success of this event. The ruptured steam generator is isolated on the steam side in accordance with EOPs (i.e., EOP E 3); consequently, its atmospheric dump valve and the residual heat release valve are assumed unavailable for the cooldown. To simplify the model, use of the condenser steam dumps and the condenser is conservatively neglected. Instead, the cooldown and depressurization are accomplished by the operators lowering the pressure setpoint or locally opening one of the steam generator PORVs.
- Top Event OD - Depressurization of the RCS to RHS Entry Conditions. This event models the successful depressurization of the RCS to RHS entry conditions (i.e., RCS temperature lecs than 350 F, and RCS pressure less than 360 psig), given that the operatora have already successfully cooled down the RCS and depressurized the intact steam generators; ia., success of Top Event CD. The RCS depressurization is accomplished using normal pressurizer spray, auxiliary pressurizer spray, or the pressurizer PORVs in accordance with EOP E-3, EOP ECA-3.1, EOP ECA-3.2, or EOP ECA-33. Credit for usirg the RCS head vents alone, which may not be a vicble approach, is conservatively noglected Normal pressurizer spray requires successful operation of RCP A or C. RCP A or C is assumed to be available if both offsite power and primary component cooling water are successful. Anxiliary pressurizer spray requires that at least one of the three HHSI pumps be available to supply charging and that letdown is maintained. For successful depressurization using the pressurizer PORVs, the operators must reopen the pressurizer PORV bloci valves to depressurize below their autoclosure setpoint of 2,1B5 psig. Once depressurized, reclosure of the pressurizer PORV trains is modeled in Top Event Pl.
Failure of Top Event 00, even if Top Evr.nt CD is successful, is assumec' to imply that RCS pressure remains above the steam generator safety valve setpoints, so that reacto: cootant is lost to the environment l'irough the ruptured steam generator. If steam generator cooling is not available, this top event is not queried. Instead, RCS depressurization is modeled in Top Event OB for feed and bleed cooline.
- Top Event Pl - Pressurizer PORVs isolation Given RCS Depressurization. For SGTR sequences, RCS pressure imtially fails to the low pressure safety injection setpoint.
Consequently, an initial PORV demand for RCS pressure control is not assu med. ' However, during such sequences, the operator may open the PORVs for feed and bleed cooling or, in the event that pressurizer spray is unavailable, for RCS depressurization. A pressurizer PORV is assumed to be open whenever Top Event OD is successful, but the RCPs are not available for normat pressurizer spray; i.e., offsite power or primary CCP (support system Top Event OG or CC) needed for RCP operation have failed. The analysis of Top Event PI models the successful reclosing of the affected PORV(s) af ter the challenge or, alternately, the successful automatic closure of the block valves to isolate the pressurizer PORV relief line(s). Failure of this top event is treated in the remainder of the model as a small LOCA; that is, it is tacitly assumed that failure to isolate will occur in only one pressurizer relief path.
- Top Event RR - Residual Heat Removal. Top Event RR evaluates the availability of the RHS to provide core decay heat removal, and the operator actions to initiate RHS once the RCS has been cooled down and depressurized sufficiently to allow RHS to be placed in service. To place RHS in service, RCS temperature must be less than 350 F, and RCS pressure must be less than 360 psig.
3.1-97 31 Acacent secuence oehneation
l l B:av:r Vctl:y Pow:r Station Unit 2 Revision 0 l Pr:b:bilistic Risk Ass:ssmwt This event is of particular interest if there is a failure to isolate the ruptured steam generator (i.e., Top Event SL fails), so that the RCS must be cooled to cold shutdown conditions in cruer to stop the RCS leakage into the environment. Success of this event implies that cocidown to cold shutdown conditions be completed so that RCS leakage to the environment can be minimized. Failure of this event indicates that RHS was not successfully established so that RCS leakage into the environment must be remedied some other way.
- Top Event WM - Makeup to RWST, Given Leakage through Secondary. This event models the operator action and equipment necessary to supply borated water makeup to tha RWST for SGTR sequences. The makeup actiens are called for by procedure; i.e.,
ECA-3.2 and EOP OM-2.7.4.N. EOP ECA-3.2 is entered from EOP ECA-3.1 when RWST leve' is low without a corresponding increase in containment sump level, or when the ruptured steam generator level is high. These are both indications that the ruptured steam generator may not be isolated, allowing RCS leakage into the environment. If the secondary side is leaking, makeup to the RWST is important if the RHS is not placed in service to cool down the RCS to cold snutdown conditions in order to stop the leakage. Makeup to the RWST is then recessary for continued HHSI pump injection to maintain RCS inventory. Borated water from either the spert fuel pool or thu boric acid tanks may be used to make up to the RWST. The spent fuel pool is normally filled to a level 20 inches above the technical specification limit. The plant technical specification required level is 23 feet above the top of the spent fuat. The total supply of borated water available for rapid maleup to the RWST is then approximately 108,000 gallons. Emergency makeup from the - service water system into the spent fuel pool is also possible, but a spool piece must be installed. Since use of this system connection is not procedurahzed, no credit for it is taken in the initial plant model. At the fuel pool purification pump design rating of 400 gpm, the extra spent fuel pool water inventory can be transferred in about 4.5 hours. The required makeup rate in order to sustain high head injection at a rate sufficient to maintain RCS inventary above the fuel, as indicated by Attachment A-4.7 of EOP ECA-1.1, is len than 200 gpm for times greater than 100 minutes after plant trip. Therefore, this valume of borated water is enough to tast at least 9 hours, after makeup begins. Makeup from the boric acid tanks can only be provided at 120 gpm. At this rate, if the RWST inventory is reduced sufficiently to require makeup in the first 8 hours after pl ant trip, then the alternate mode of providing borated makeup, via the boric acid tanks, would be insufficient. Therefore, makeup from the spent fuel pool is assumed required initially, and then to continue providing makeup for 24 hours, manual blending operations using the boric acid tanks is also required. Makeup from the spent fuel pool requires one of the two fuel pool purificat5n pumps (i.e., 2FNC-P24A and 2FNC-P248) to start and run. and manual valves at the discharge of the pumps to the RWST must be opened. The spent fuel pool inventory should already be borated to 2,000 ppm. For makeup from the boric acid tanks and the primary grade water storage tank, using manual blender operations, the makeup alignment is more complex. Clean water from the primary water storage tanks (i.e.,1BR-TK-6A and 1BR-TK-68) is blended with boric acid from the boric acid tanks; i.e.,2CHS-TK21 A and 2CHS-TK218. Manual intervention is required to ensure the proper blend of boric acid and clean water to achieve a mixed concentration of roughly 2,000-ppm boron. Both boric acid tanks, but only one primary water storage tar k, are needed to supply sufficient makeup for the remainder of the 3.1-98 31 Amdent Sequence ochneaton.
Beavsr Vcilzy Power Station Unit 2 Revision 0 Probabilistic Risk Assessment 24-hour mission time; i.e., atter successful transfer of the available spent fuel pool j v' inventory, only an additional 10 to 15 hours is needed. One of two of the primary water i I supply pumps (i.e., IBR P 10A and 1BR P-108) and either of the boric acid transfer pumps (i.e., 2CHS-P22A and 2CHS-P22B) are required for success since they can be cross connected. Success of Top Event WM means that continued HHSI injection can be performed for RCS inventory control at full RCS pressure despite leakage through the ruptured steam generator. For sequences in which RHS cannot be placed in service because either the ) initial cooldown and depressurization could not achieve RHS entry conditions (i.e., less i than 350 F and less than 360 psig) or the RHS system is unavailable, success of Top Event WM can be very important. Failure of Top Event WM means that inventery control is not i asailable, and eventual core damage results. Top Event WM is also asked if all steam generator cooling is lost. For bleed and feed scenarios, these would be continued leakage through the ruptured steam generator,
. Eventua! makeup the RWST would then be required. The required RWST makeup rate for bleed and feed scenarios should be greater than for SGTR events with AFW available.
The PRA model conservatively assumes that the makeup rate foi continued bleed and feed is also necessary for scenarios with steam generator cooling. The SGTRRECIRC event tree makes up the second part of the steam generator tube rupture event tree sequence model. The top events in the SGTRRECIRC tree are summarized in Table 3.1.3-6 and described below. , p
- Top Event NR - Recirculation from Sump Not Required. This top event acts as a switch to ensure that sequences in the SGTR event tree are correctly connected to the remainder of the sequence model in SGTRRECIRC. if Top Event NR is successful, this implies that the plant is in a stable conf guration with recirculation from the containment sump not required, steam generator cooling successful, and no LOCA condition. Failure of Top Event NR implies that the status of containment systems is of interest for recirculation from the sump.
- Top Event NM - No Melt Condition from injection Phase. This top event is also a switch.
it is asked only if Top Event NR is failed. Success of Top Event NM implies that during the early or injection phase of the accident, plant systems responded correctly but that recirculation from the enntainment sump is required to prevent core damage. Failure of Top Event NM implies i at during the early or injection phase of the accident, core damage occurred. The a us of containment systems is then queried to define the hkely release paths from containmer't.
- Top Event OS - Quench Spray. A containment pressure of 8 psig initiates a CIB signal that starts both QSS pumps. The MOVs in the suction and discharge piping are normally open. Check valves in the discharge piping would be required to open, if not already open. The QSS is not required for core melt prevention. Its operation influences the time to depletion of the RWST, and knowledge of its availability is required for containment analysis. In the SGTR plant sequence model, a containment pressure of 8 psig is assumed to be reached for scenarios in which the pressurizer PORVs are used to oepressurize the RCS, all LOCAs, feed and bleed cooling scenarios, and for any scenario p resulting in core damage.
V
- Top Event LH - Low Head Safety injection Pumps. Following a smah LOCA with f ailed HHSI and successful depressurization (i.e., Top Event HH has failed, but Top Event SD has been successful), this top event queries the uanability of LHSI pump trains providing flew 3.1 99 31 Acader sequence Deimeanon.
B:cv:r Vallsy Pow:r Station Unit 2 Revision 0 Probabilistic Risk Ass:ssm nt from the RWST suction valves MOV8809A and MOV88098 through the pumps 2 SIS *P21 A and 2 SIS *P21B to the discharge check valves 2 SIS *6 and 2 SIS *7 and manual isolation - valves 2 SIS *3 and 2 SIS *4 up to the point where recirculation spray pump flow joins. For the purpose of containment status, success of either HHS! or LHSI is treated as a successful transfer of the RWST inventory into the reactor vessel. Transients and LOCAs, characterized by mgh pressure core meltdowns (e.g., failure of Top Event HH during a small LOCA, or complete loss of heat sink during a non-LOCA transient), in which the pressure stays above about 250 psig, do not provide the opportunity for LHSI prior to core damage. In these cases, the RWST water may not have been injected to the RCS before core meltdown. The actions identified in EOP FR-C.1 are assumed not to be sufficient to lower RCS pressure to permit LHSI prior to core damage. After vessel failure, however, the head against which the low pressure pumps must operate may fall below their shutoff head, and injection of the RWST inventory may then be achieved. The status of RWST inventory in the containment, particularly it' the sump and reactor cavity, is required for containrr.ent analysis, should the accident progress to core damage.
- Top Event LC - LHSI Cold Leg injection Paths. Both HHS! and LHSI provide flow to the RCS through the same three cold leg lines, injection into one of three cold legs is sufficient for either HHSI or LHSI. If Top Event HH is available, then the three cold leg injection paths of interest include six check valves that are modeled in Top Event HC as follows:
- To cold ic0 21,2CHS*139 and 2 SIS *548 must open.
- To cold leg 22,2CHS*138 and 2 SIS'550 must open.
- To cold leg 23,2CHS'137 and 2 SIS *552 must open, if both trains vf HHSI are not available during a small LOCA (i.e. Top Event HH fails), then ooerators would attempt to use LHSl; i.e. Top Event LH. In this case, the cold leg l injection paths of interest involve six check valves that are modeled in Top Event LC as l follows:
- To cold leg 21,2 SIS *107 and 2 SIS *548 must open.
- To cold leg 22,2 SIS'108 and 2 SIS *550 must open.
- To cold leg 23,2 SIS *109 and 2 SIS *552 must open.
Valves 2 SIS *548,2 SIS *550, and 2 SIS *552 are also modeled in Top Event HC. Top Event LC also considers the valves on the LHS! flow path downstream of the points where recirculation spray joins, but before the injection paths join, and then split three ways for flow into each cold leg; i.e.,2 SIS *8888A and 2 SIS *8888B.
- Top Event SM - Containment Sump. This event includes three fai!ure modes: (1) failure to stop RSS pumps if necessary to avoid pump cavitation, (2) unavailability of the containment sump (e.g., Ne to plugging with containment debris), and (3) common cause unavailability of all four .rculation spray trains. Small LOCAs that reach 8 psig in the containment and cause initiation of recirculation spray may not provide sufficient water in the containment sump to meet the minimum recirculation spray pump suction requirements with the 10.5-minute delay hme if at least one QSS pump does not operate.
Therefore, in accordance with EOP E-0, the operators are instructed to reset the CIB signal, stop the recirculation spray pumps, and restart them when containment sump level is sufficient (about 44 inches). Success of this action is therefore included in the model for Top Event SM. If Top Event SM fails, then all recirculation spray pornps are ineffective, and neither recirculation spray nor recirculation mode core cooling is available. 3.1-100 31 Accent seauence Denneenn.
l B2avcr Vall:y Power Stction Unit 2 Rsvision 0 Probabilistic Risk Assessmsnt O The assessment of sump unavailability assumes that the scenario has not yet progressed to a core damage condition. Postmelt containment environment effects (i.e., sump plugging) are deferred for consideration in the Level 2 analysis.
- Top Event OR - Automatic / Manual Actions for Cold Leg Recirculation. This event models the automatic signal to transfer to recirculation and the operator actions considered m reali0ning the plant from the injection modo to the recirculation mode for LOCA sequences when RWST inventory level is low. Both realignments for high pressure and low pressure recirculation are considered. Proper calibration of the RWST level sensors is considered in the modal.
When the RWST level reaches 450 inches, the operators are instructed to enter EOP ES-1.3, verify that the system is properly aligned, and, if not, manually ah0 n for cold leg recirculation. (Actions to reset the safety injection signal, such as in EOP E-1, do not _ reset the recirculation modo signal.) The recirculation mod? signal, however, does not then restart the recirculation spray pumps. The operators must manually restart the pumps in order to complete the recirculation switchover if the pumps had been stopped previously to avoid cavitation caused by insufficient NPSH. This action to restart the pumps is modeled in Top Event SM. Also considered in this top ovmt is the isolation of the four paths from the recirculation lines to the RWST. This is to ensure that water from the containment sump is r.ot inadvertently pumped back into the RWST and thus unavailable for recirculation. The four lines considered are the two flow paths back through the idle LHS1 pumps and MOVs 8809A or 88096, and reverse flow through the two HHSI suction valves (LCV115B and ( LCV115D). Failure of the redundant valves on any one of these pathways to reseat or L reclose is assumed to result in failure of Top Event OR. Establishment of separate recirculation flow paths by isolating the redundant lines from each other is not considered necessary for success. The model, however, conservatively assumes that the trains are isolated, isolation of the lines, in this case, can actually reduce system availability because, once separateo, it then requires operator ac' n to establish crossover paths to recover from certain combinations of failures that involve two trains. These failure combinetions are believed to be more likely than single pipe breaks, which is the reason that the operators are instructed to isolate the trains. This event includes the operator actions to control service water flow to the RSS coolers to control containment pressure and to restart the RSS pumps for cold leg recirculation as well as verification and estabhshment of the ccrrect valve alignment for recirculation. The valve hardware failure modes themselves are modeled in Top Events RC and RD. Failure of this event is treated as failure of the cold leg tecirculation mode of ECCS. The long term transfer to ho! leg recirculation at 14 hours atter the LOCA starts (i.e., following EOP ES-1.4) is not modeled. It is assumed that in the lona period available before boron precipitation could become a problem, the operating staff will find a way to transfer to hot leg recirculation, even if initially unsuccessful. -
- Top Events RC and RD - RSS Cold Leg Recirculation Core Cooling. These events modnl the availability of recirculation spray pump trains C and D, and the valve realignment needed to establish cold leg recirculation through the LHSI lines. Recirculation spray O train C is aligned to recirculation ccTe cooling train A, and recirculation spray train D is (O abgned to recirculation core cooling train B.
The following equipment actions are modeled herein: 3.1-1 01 31 Am@nt semence D%nuton
BryJr Vcil:;y Pow;r St ti:n Unit 2 Revision 0 Pr:babilistic Risk Ass ssm:nt
- Start and run of 2RSS*P21C and 2RSS*P21D following a CIB, or a manual start if a CIB does not occur. For purposes of this analysis, a CIB condition is assurned. (The operator actions are modeled in Top Event OR.)
- Opening of the service water header, and inlet and outlet valves for the coolers 2RSS*E21C and 2RSS*E21D.
- Proper positioning of suction and discharge motor-operated valves 2RSS155C and 2RSS155D are normally open and must remain open. MOVs 2RSS156C and 2RSS156D must close. MOVs 2RSS154C and 2RSS154D, mlniflow valves, rnust open. MOVs 2RSS8811 A and 2RSS8811B must open. Check valves in the injection paths must open, and MOVs 2 SIS 8888A and 2 SIS 8888B, which are normally open, must remain so.
Because cold leg crossover MOVs 2 SIS 887A and 2 SIS 88878 receive an automatic command to close from a recirculation mode signal, failure of Top Event RC or RD fails train A or B of low pressure cold leg recirculation, respectively. Subsequent reopenin0 of MOVs 2 SIS 8887A and 2 SIS 8887B to establish tost recirculation is not considered.
- Top Event RS - Recirculation Spray from Pump A or B. The four recirculation spray pumps are automatically started following a 628-second delay after a CIB. This is to give the quench spray pumps sufficient time to provide the required NPSH for the recirculation spray pumps. This delay time, however, is not s Jfficient to allow ample water to collect in the containtrent sump if both QSS pumps fait. The recirculating spray pumps must sometimes L a manually turned off and ther. turned back on when NPSH is sulticient.
Operator actions to first turn off and to turn on the pumps are modeled in Top Events SM and OR. Both the suction and discharge MOVs from the containment sump and to the spray headers are normally open, The discharDe check valves must open, if not already open. Trains A and B are dedicated to providing recirculation spray. Trains C and D are realigned following a recirculation mode signal during LOCA scenarios to provide in-vessel core cooling. Top Event RS includes the start and run of either recirculation spray train A or B (or both) with the associated piping, valve operation, and spray header. Knowledge of success or failure of RS is required only for containment analysis; i e., it does not impact the calculation of the core damage frequency. The model assumes that service water must be available to the RSS pump scals and associated spray coolers for RSS pumps 2RSS-P21 A or 2RSS-P218 for success of Top Event RS. This is conservative because service water to the seals or the cuolers is not actually required for initial RSS pump operation. They are only required for long-term successful containment heat removal. Due to this assumption, the Unit 2 model does not identify sequences in which recirculation from tne containment sump is successful but containment heat removal is failed. These so-called " core vulnerable" sequences are instead modeled conservatively as failure of all containment recirculation and of heat removal. Given successful operation of recircula. tion spray trains C and D for high pressure recirculation, but failure of recirculation spray trains A and B, it is possible that the train C or D pump, if realigned, could also provide the recirculation spray function. This realignment is not modeled because it is currently not specified by procedures. i
- Top Event HR - HHSI Flow Path for High Head Recirculation Core Cooling. Establishment
, of high head recirculation, given that low head recirculation is available, depends on the l availability of the charging pumps and the opening of valves 2 SIS-863A and 2 SIS-8638, l and the closure of valves LCV1158 and LCV1150 to prevent backflow to the RWST. These l 3.1-102 3i Accidant sequence Dehneation
=. - . . - - - - . - - - - .- -
Bencr Vallay Poner Station Unit 2 Revision 0 Probabilistic Risk Assessment p valves receive an automatic command following a recirculation mode signal Success of V tho recirculation modo signal requires proper operation and calibration of the RWST level sensors. The recirculation modo signalis considered in the Top Event OR event analysis along with the backup ruanual actions to estai,hsh recirculation. EOP ES-1,3 provides for keeping MOVs 2CHS-8131 A and 2CHS 81310, and 2CHS 8130A and 2CHS-8130B open if recirculation flow cannot be estabbshed from both charging pumps; i.e., one is available and one is not. This perm 9s a suction-side crossover path so that either recirculation spray train C or train D can provide suction to both charging pumps. provided that its respective MOV 2 SIS-863A or 2 SIS 863D opens oa demand. As the alternate cold leg injection path via valve 2 SIS-MOV836 has its power removed and is not called out by procedure as an alternate flow path for HHSI, this flow path is not modeled for the injection phase. It is diso not modeled for the high pressure reciiculation phase because success of Top Event HC a:mady irnplies that a cold leg injection flow path is available for 24 hours. Success of Top Event HR requires that one or both of 2 SIS-863A and 2 SIS-863B opens permitting flow from either 2RSS*P21D or 2RSS*P21C that must be operable (im., as modeled by Top Events RC and RD) to the suctior of all three HHSI pumps. l
- Top Event MU - Makeup to RWST, Given Recirculation Failure. This top event is l_ essentially the same as Top Event WM asked earher in the SGTR event 1:e0. The only difference is that, this time, makeup is to be provided in response ' s an SGTR sequence with a coincident small LOCA and failure of recirculation from the contauunent sump. Top Event WM was for makeup to the RWST in the event that leakage occurred theough the ruptured steam generator to the environment, bypassino containment, The success critnria for Top Event MU is assessed to be the same as for Top Event WM.
- Top Event Cl- Containment isolation. This top event questions the failure to create and maintain an isolated containment following safety injection, CI A, and CIB cignals. The containment penetrations expliciuy modeled are
-' Containment Major Vents and Drains; e.0., sump pump dischargo Connections to RCS; e.g., RCP seat water return
- Connections to Containment Atmosphere; e.g, containment vacuum ime This model also includes the operator actions to ensure that the isolation valves remain closed after the resetting of the safety injection and CIA signals; e.g., in EOP ES 1.1. The safety injection, CtA, and CID signals cire reset m accordance with procedures by the operators in a number of situations. Examples of such situations include SGTR G o., EOP E-3), post LOCA cooldown and depressurization (i.e., EOP ES-1.2), transfer to colo 'aa recirculation (i.e., EOP ES-1.3), the response to loss of emergency coolant recirculation (i.e., EOP EC A-1.1), and for safety injection termination; i.e., ES.1.1. Manual isolation of the RCP seal return line during a loss of all vital AC power (i.e., EOP ECA 0.0) is also modeled in this top event. The status of containment isolation is needed for the containment analysis.
One other potential failure rnode has been postulated for loss of contamment integrity. For small LOCAs, the CIA and CIB signals would not be generated immediately. Ifthe containment vacuum line or sump pumps discharge hne is open at the start of the LOCA, I a portion of the containment air would be swept out of the containment and replaced by k steam prior to successful contamment isolation. If a ClO signal then actuates the QSS and RSS pumps, contamment pressure should quickly fall to subatrnospheric. If the operators fail to terrninate the QSS pumps or to throttle service water to the RSS coolers, 3.1-103 31 Acadent sequence Denemn
Be var Vcil:y Pcw:r St:ti:n Unit 2 Rcvisisn 0 Preb bilistic Risk Asssssmsnt there is the potential for containment pressure to fall below design limits; i.e., less than 9 psia. However, a realistic containment failure mode for such sequences has not been identified. This potential containment failure mode is not unique to Beaver Valley Unit 2. Because the penetrations at Beaver Valley Unit 2 (which may be open while at power) are relatively small, this makes n difficult to purge much containment air prior to isolation. Therefore, this failure mode is not quantified in the PR A model. 3.1.3.5 Excessive LOCA Event Tr e Excessive LOCA events (i.e., too large to be mitigated by the ECTS) are quantified using a separate event tree; i.e., excessive LOCA. Table 3.1.2-7 summarizes the system success criteria needed to ensure that each of the key safety functions is performed. Table 3.1.3-7 summarizes the top events that appear in the excessive LOCA event tree. The excessive LOCA event tree structure is displayed in Figure 3.1.3-7. By definition, excessive LOCA events all result in core damage. The event tree structure is only to determine the status of containment systems. Therefore, the event descriptions are nearly the same as those for large LOCAs. The reader is referred to the large LOCA top event descriptions for complete descriptions. There are three top event differences between the excessive LOCA and large LOCA event trees. Top Events AL (Accumulators) and MU (Makeup to the RWST. Given Recirculation Failed) are not asked in the excessive LOC /s event tree because these events only prevent core damage, but, by definition of the initiating event, core damage is known to occur. The third difference involves Top Event LC. Again, since core damage is assumed, the more stringent success criterion for low pressure cold leg injection paths defined for large LOCAs is not required. Only one flow path is needed for cold leg injection after core melt. This relaxed success criterion is consistent with Top F.ven.t LC, described in the discussion of the GTRECIRC event tree. 3.1,3.6 Containment Bypass LOCA Events i 3.1.3.6.1 Introduction. A containment bypass LOCA is mitiated by a failure in an interface l ' between the RCS and low pressure system piping or components. It can lead to a loss of l high pressure reactor coolant and could disable all or part of the emergency core cooling system (ECCS). It is characterized by reactor coolant discharge outside of the the containment and, if core melt occurs, the potential for a radioactive release with a direct release path from the RCS to outside or bypassing the containment. At Beaver Valley Unit 2, l' it is CL-153 pioing and associated flanges and seals that would be succeptible to rupturing I from exposure to RCS pressure. Such an occurrence would require at least three normally closed valves, which isolate the RCS from low pressure piping, to fail in the open position. 3.1.3.6.2 Bypass Paths Review: In many PWRs, the residual heat removal (RHR) system has the most potential for initiating a bypass LOCA. The RHR system at Beaver Valley Unit 2. I however, is entirely ;inside the containment. The normal ct;arging path (including the pressurizer spray) is also not a viable candidate for a l bypass event because of high pressure piping in the charging system and multiple check valves within the containment. The coolant letdown flow becomes designed for low pressure (less than 600 psig) downstream of the regenerative heat exchanger inside the containment. Similarly, the excess letdown line pressure is low downstream of the excess letdown heat 3.1 104 3.1 Acodent Sequence Dehneatm
~ _
Bsavsr Vallay Power Station Unit 2- Revision 0 Probabilistic Risk Assessment exchanger inside the containment. Reactor coolant pump seal injection lines are hi0h pressure lines, and since this is a normally operating system, the flow is from the charging pump to the RCS. The high head safety injection (HHSI) system provides numerous paths from the RCS to the low pressure piping on the suction side of the charging pumps. The high pressure piping from the pumps to the RCS hot and cold legs is protected from intrusion of RCS pressure by at least four check valves and one normally closed MOV (Figures 3.1.3-8 and 3.1.3-9). Once again, since the charging system is normally in operation and at higher pressure than the RCS, intrusion is not possible. H 1 The low head safety injection system also provides numerous paths for intrusion of the RCS into CL-153 piping; i.e., a Stone & Webster Engineering Corporation 150-psia pipino class. l This piping begins close to but outside the containment. As shown in Fi0ure 3.1.3-10, paths , from the hot legs are isolated by three check valves and a normally closed, motor-operated ! valve 2 SIS *MOV8889. Paths from the co!d legs are isolated by three check valves with the potential of closing normally open motor-operated valves 2 SIS *MOV8888A and 2 SIS'MOV88888 in the hig'. pressure piping (CL-1502), also a Stone & Webster Engineering Corporation piping class. All other low pressure piping that might be reached through the LHSt (e.g., HHSI suction and recirculation system) is isolated by at least three check valves and a normally closed motor-operated valve, as shown in Figure 3.1.3-10. Inadvertent discharge through the accumulator test line into the LHSI system piping should not pose a threat because of the ( relatively low accumulator pressure (approxi iately S00 psig). l 3.1.3.6.3 Bypass through the Cold Legs to the LHSI Piping: The most likely paths for initiatio 1 of a bypass event appear to be therefore from the three cold legs, through the three check valves, and into the LHSt piping. Tha three check valves are inside the containment, and the two normally open MOVs are outside the containment but within the CL-1502 piping. Just upstream of the two normally open MOVs are three rGi valves in the CL-153 piping. These ac e set to lift at 220 psig and discharge to the liquid waste tank (2DAS-TK201). Their capacity at 220 psig is 50 gpm of water. Of the three sets of check valves, the valves 2 SIS *132 and 2 SIS *133 are different from the other six. They are weighted to aid seatin0 and have telltales to indicate if they are open. The CL-1502 piping can handle the RCS pressure (design pressure 2425 psi, at 600*F) but the CL-153 cannot. The design rating for this class of piping is given as: Piping Design Values Maximum Pressure .,. p) l (psig) p 1,425 100 869 600 t i l 3.1-105 31 Acacent Sequence Dehnea00n.
BnvIr Vall:y P:wsr Statisn Unit 2 Pavision 0 Prsbibilistic Risk Assessment and for valves of this class: Valve Design Values Maximum Pressure (psig) 140 553 130 600 120 650 Although these components can handle higher than the design pressures, no attempt will be made to determine this limit, and it is assumed that if the pressure in the CL-153 piping exceeds the relie! valve setpoint, then the piping will rcpture and there will be a large area open for RCS bypass. OST 2.11.16, Parts A and B, are performed prior to restarting if the unit has been in cold shutdown longer than 72 hours and if the test has not been performed in the last 9 months. The testing is carried out at reactor pressure between 250 and 300 psig. Part A tests the check valves 2 SIS *132 and 2 SIS'133. These are tested first by applying the LHS! pressure on the downstrearn side of the valves and by checking for leak to the upstream ude. Leakage rates of 5 5 gpm at full differential pressure are considered to be acceptable. Part B tests the check valves 2 SIS *107,2 SIS *108, and 2 SIS *109. These are tested by applying O the charging pump pressure to the downstream side and by checkin0 for leakage to the upstream side. The upstream side tap for the test, however, is also upstream of the check valves 2 SIS'132 and 2 SIS'133, and one of these valves is blocked open for this part of the t est. The procedure calls for verifying the closure of these valves at the end of the test, and this can be visually verified by checking the position of the telltale on the weighted valves. , independent person verifi::ation is also required, Once again, a leak rate of $ 5 gpm at full pressure differential is considered to be acceptable. The check valves closest to the RCS (9 2 SIS *548,2 SIS'550, and 2 SIS *552) are not tested. For the analysis presented on the following pages, it is assumed that Parts A and B are performed sequentially. Assuming a trip and cold shutdown rate of about three times per year, the test is assumed to be performed after every third trip, making the time that the valves are exposed to the RCS pressure about 9 months. The procedure, together with the assumption about the sequence of testing, makes it possible that (a) the three check valves 2 SIS *S48,2 SIS'550, and 2 SIS *552 failed to reseat after the last flow test and are leaking grossly. -subjecting the next set of valves (2 SIS *197, PSIS*108, and 2 SIS *109) to full RC2 pressure, and (b) the check valves 2 SIS'132 and/or 133 are left blocked open or not fully reseated. 3.1,3,6.4 Bypass Scenarios
- Small Leak. If a small leak develops past the three check valves, the CL-153 piping would slowly get pressurized until the relief valves lift. As long as the size of the ieak is within the capacity of the three relief valves, the pressure in the piping would stay below 220 3.1-106 3.1 Acc'Oent Sequence Dehneabon.
i Boavsr Vollsy Power Station Unit 2 Revision 0 Probabilistic Risk Assessment i 1 psig, The RCS is relieved to the liquid waste tank, which is' monitored by level w,/ transmitters. For very small leaks, the charging pumps will make up the lost RCS, and j eventually, either the liquid waste tank level or the continuous requirement to make up to l the VCT will alert the operators to the Inak. For larger small leaks, there will eventually -I be a safety injection signal, and the reactor will be tripped and depressurized, reducin0 the amount of RCS leak. For leaks t"at start pressurizing the CL-153 piping and if all of the three relief valves do not litt, the pressure will keep 'ncreasing slowly until some component fails. Usin0 the , frequency of a relief valve failure to open on demand as 2.42 x 10' the frequency of this l scenario is 1.04 x 10", given a leak.
- Rupture of Three Check Valve Disks. The failure mode here is either a complete rupture i or a gross leakage of a seated check valve at the pressure boundary. Although events like this have not occurred, some leak events that have occurred were used as precursors, and a failure frequency was derived for different leak sizes. This is described in Reference 3.1.3-3, and the failure frequency for check valve disks resulting in leaks larger than 150 Opm was considered for this scenario, (The capacity of the three relief valves is 150 gpm.) Based on Reference 3.1.3-3, this has a median of 1,7 x 10' per hour, with a range factor of 10, Each path with three check valves is considered to be a system with three redundant comoonents. The first check valve is exposed to the RCS pressure, and only after its failure is the second check valve exposed to the RCS pressure. The third valve is exposed to the RCS pressure only after the failure of the second valve. The expression for such a system is
$ = (A x6 'r) * *#
where A = the failure frequency of a check valve by disc rupture. T = the total exposure time. n = the total number of paths that can give rise to such scenarios. N = the number of times per year such scenarios can occur. The term (A x 7)'/6 is derived from the reliabihty expression for three identical independent units operated sequentially during time 7, with perfect switching
.r .r Rsystem
- R1 (r) + (3(t)R;(t - 7)dt + /32(t)R3 (t - 7)dt o o The exposure time for the valves is the time between cold shutdowns. Assuming that Beaver Valley Unit 2 has an availability factor of 0.7, the exposure time is 4,600 hours.
The number of times this scenario can occur during the year is 1.5. and the number of possible paths is 6. l The total frequency of such scenarios is 1.20 x 10' per year. This frequency and the other sequence frequencies in this section are the result of Monte Carlo quantification and cannot be duplicated using mean values for the various parameters.
\
+ One Valve Stuck Open and Two Valve Disks Rupture. If a check valve c;osest to the RCS is not fully seated, the OST 2.11.16 criteria are still met, and the second check valve is l' exposed to the RCS pressure. In this case, if the seated check valve disk ruptures, the 3.1-107 31 Acacant St quence oehneaDon
Brav:r V:lley Pcw:r St ti:n Unit 2 Rovlsinn 0 Prcb:bilistic Risk Ass:ssm:nt , l open check valve is subject to the reverse flow of thu RCS aiding it in seating, if the open check valve fails to seat under this condition, then the the third check valve (*132 or *133) l is exposed to the RCS pressure, if this check valve disk then ruptures, the low pressure piping will be exposed to the high RCS pressure. Assuming the conditional probability of a check valve to be stuck open = 1.0, then the frequency of this scenario is given by (A x i)'
$= ,
x A, x n, x N where A, is the frequency of a check valve f ailing to rescat, and n, = 12. The term (A x r)2/2 is derived from the reliability expression for two identical independent units operated sequentially during time 7, with perfect switching
.r R,g,.n = R,(r) + 1 (t)R2 (t - 7)dt 3
*O The description of the parameters in as exp!ained earlier.
The total frequency of these type of scenarios is 2A9 x 10' per year.
- Two or More Check Valves Stuck Open. In addition to the first check valve in any of the three lines being stuck open, it is possible that the valves 2 SIS *132 and/or 2 SIS *133 are not fully seated after Part B of the test. This scenario describes the event that only one check valve is well seated between the RCS and the CL-153 piping, and upon its gross failure, the stuck-open valves fall to seat with reverse RCS flow, in other words, there is a common cause failure of valves fail to seat on reverse flow. Such events have occurred at nuclear plants, and some have been described in Reference 3.1.3 4. This document describes failure to seat-type events for check valves in the RCS/ECCS boundaries for a period from the early 1970s to 1985. The failure events represent the effects of boric acid environment and other corrosion and agirig processes. This group of events consists of 9 events, out of which 4 involve failure of 2 check valves. These data were used to derive a Beta factor for check valves failing to reseat in the LHSI lines. The distribution is characterized by the following values:
- 5th percentile : 1.32 x 10-' - 50th percentile: 2.60 x 10 ' - 95th percentile. 3.82 x 10' - Mean 2.70 x 10 '
For this analysis, we have assumed a Gamma factor of 1.0, meaning that if two check valves have failed to reseat, then all of the check valves in the population have failed to reseat, allowing for the three that must be seated to satisfy the OST 2.11.16. We assume that the valves 2 SIS *132 and 2 SIS *133 fall in the same population as 2 SIS *S48, 2 SIS *550, and 2 SIS *552. Even though they are different, there is no evidence that they are not as equally susceptible to the effects of the environment as the other sit it is assumed that about 10% of the times, after the OST 2.11.16 Part B, the check valve 2 SIS *132 or 2 SIS *133 may not reseat fully. With time, deposits from baron and corrosion effects may prevent the valve from rescating even when there is reverse flow from the RCS. The scenario described here is the failure of the well-seated valve by disk rupture, and failure of the other two to reseat due to reverse flow. p = (A x 7) x (# x A 3) x N x 3 The frequency of such scenarios is 2.21 x 10* per year. 3.1-108 31 Accmm sequmce oenneanon.
Baavor Vall2y Power Static" Unit 2 Revision 0 Probabilistic Risk Assessmeit 3.1.3.7 Check Valve Blocked Open
\
In addition to the first check valve in any of the threo lines being stuck open, it is possible 1 that the valves 2 SIS *132 and/or 2S!S*133 are also stuck open. The frequency of one of these two valves being blocked open is the frequency of human error after the test OST 2.11.16, Part B. This is described by the variable ZHE01 A in the database, where the operator is specifically instructed in the test procedure to close the valve and fails to do so. Under this condit!an, the blocked valve cannot rescat on reverse flow, if one of the check valves 2 SIS *107,2 SIS *108, or 2 SIS *109 ruptures under the RCS pressure and the first check valve in line 2 SIS *548, 2 SIS *550 or 2 SIS *552 fails to reseat with reverse flow, then there is a direct path to the low pressure piping from the hi0h pressure RCS. This scenario is described by the following equation: , $ = (A x t) x ZHEO1 A x A, x N x n I v,here A, is the frequency of a check valve failin0 to rescat on reverse flow. l The frequency of such scenarios is 3.92 x 10' per year. The total frequency of bypass events through the LHSI piping is the sum of all of the scenarios described above and is equal to 3.75 x 10' per year. The frequency of this scenario can be reduced by considermg a different testing scheme. Part B of the OST 2.11.16 is performed first with the check valves 2 SIS *132 and 2 SIS *133 being blocked open. After this. 3 O Part A is performed with the charging pump pressure still applied to the downstream side of ! the valves 2 SIS *107,2 SIS'108, and 2 SIS *109 to keep them from opening during the test when , LHSt pressure is applied to the upstream side of them. After verifying that the valves j 2SlS*132 and 2 SIS'133 are well seated. the LHSt pump is turned off first and then the l' charging pump. At the end of this procedure, the seated position of two sets of check valves in the lines is verified. Under these conditions, then, the total bypass frequency is described 4 by the first two scenarios, adding up to 2.44 x 10' events per year. I 3,1.3.8 References * ? 3 1,3-1. Duquesne Light Company, Design Analysis Calculation 10080-DML-0093 Unit 2. May l l 15,1990. 3.1.3-2. SWEC letter from Carl V. Richardson dated May 23, 1989, SWEC-1210-DOC-77, 3- referring to Battelle Memorial Institute (BMI) report 2104, Volume V, Figure 6.24 (page 6-47), Surry S2DE. i 3.1.3 3. Pickard, Lowe and Garrick, Inc., "Seabrook Station Risk Management and Emergency Planning Study," prepared for Public Servae of New Hampshire, PLG-0432 December 1985. F l 3.1.3-4. U.S. Nuclear Regulatory Commission, "Intertacing LOCA: Pressurized Water Reactors," NUREG CR-5120, February 1989. 3.1.35 U.S. Nuclear Regulatory Commission, "NRC Integrated Program for the Resolution of Unresolved Safety issues A-3, A-4, and A 5 Regarding Steam Generator Tube
,' Integrity," draft report for comment, NUREG-0844, April 1985.
3.1.3-6 U.S. Nuclear Regulatory Commission, " Leak Rate Analysis of the Westinghouse
- Reactor Coolant Pump," NUREG/CR-4294. July 1985.
4
- 3.1-109 31 Acaaeni sequente rwneation I
1 B::vcr Vall;y P ccr Station Unit 2 R:vist:n 0 ! Pr:bebilistic Risk Ast:ssm:nt l Table 3[1,31. Top Event Names for the GENTRANS Event Tree
, h Event
* ** EI ' "
OT Operator Action To Manually Trip Reactor RT AL;omatic and Manual Reactor Trip TT , Turbine Trip MS Main Steam isolation ; I AF Auxiliary Foodwater PR Pressuriter Rollef and Reclosure OF Manual Action To Reestablish MFW MF Condensato/ Main Feedwater/Startup Feed OB Bleed and Feed Cooling Hu High Head Safet/ Injection Pumps HC HHSI Cold Leg injection Paths SE RCP Seal injection / Thermal Barrier Cooling CD Cooldown RCS and Depressurite Secondary OD Depressuritation of RCS ior RHR Entry Pl Pressuriter PORV isolation, Given RCS Depressurization RR Residual Heat Removal . O 3.1 110 3i Accdent bequence Dehnutch.
Boaver Vcti:y Pm:r St:ticn Unit 2 Rovision 0 l Pr:b:bilistic Risk Ass 2ssmsnt Table 3.1.3 2. Top Event Names for the GTRECIRC Event Tree _ Descriptioa Event NR Recirculation $ rom Sump Not Required NM No Melt Condition from injection Phat.o QS Quench Spray LH Low Head Safety injection Pumps LC LHSI Cold Leg injection Paths SM Containment Sump OR Automatic / Manual Actions for Cold Leg Rocirculation RC RSS Train C for Cold Leg Recirculation ; RO RSS Train D for Cold Leg Recirculation RS Rocirculation Spray from Putnp A or B HR HHS! Path for Recirculation Core Cooling MU Makeup to RWST, Given Recirculation Failure , Cl Containment isolation i 1 10 3.1 111 31 Acadent t.eauence Denreation.
Brav:r V:ll;y Pcw:r St:ti:'i Unit 2 Rsvisi:n 0 Pr:babilistic Risk Ass:ssm:nt Table 3.1.3 3. Th5vNi Names toIthe Medium LOCA Event Tree Eve t
""" E" "
HH High Head Safety injection Purnps HM HMSC Cold Leg injection Paths (two of three) AM Two of Three Accun.iulators Discharge AF Auxiliary Feedwater LH Low Head Safety injection Pumps LM LHS! Cold Leg injection Paths QS Quench Spray SM Containment Sump OR Automatic / Manual Actions ivr Cold Leg Recirculation RC RSS Trcin C for Cold Leg Retirculation RD RSS Train D for Cold Log Recirculation MU Makeup to RWST, Given Recirculation Failr, RS Recirculation Spray from Pump A or B Cl Ccntainment Isolation __ .J O O l l 3.1 112 31 Amnent seaaence oennt non. l
B0v:r Vcil:y Pcccr Stati:n Unit 2 Rovision 0 Prcb:bilistic Rl2k Ass:ssm:nt s (u ))' _. Table 3.1.3 4. Top Event Names for the Large LOCA Event Tree Description Event HH High Head Safety injection Pumps HC HHSl Cold Leg injection Paths (one of *.hreo) AL Two of Two Accumulators Dischargo LH Low Head Safety injection Pumps LL LHSI Cold Leg injection Paths (largo LOCA) ) QE Quench Spray SM Containment Sump Co Automatic / Manual Actions for Cold Leg Recirculation ; RC RSS Train C for Cold Log Recirculation RD RSS Train D for Cold Leg Recirculation MU Makeup to RWST, Given Recirculation Failed RS Recirculation Spray Pump A or B Cl Containment isolation l l l l f 1 (u 3,1 113 D Attident Sequence Delineaton
{ B::v:r Vcti:y P:acr St:ti:n Unit 2 Rovlsl:n 0 Prcb:bilistic Risk Assessm:nt Table 3.1.3 5. Top Event tJames for the SGTR Event Tree l Event
#E" "
OT Operator Action To Manually Trip the Reactor RT Automatic / Manual Reactor Trip TT Turbine Trip MS Main Sleam Isolation AF Auxillary Feedwater i OF Manual Actions To Reestablish MFW t.1F Condensate / Main Feedwater/Startup Feed OB Bleed and Feed Cooling HH High Head Safety injection Pumps HC HHSl Cold Leg injection Paths i SE RCP Seal Injection / Thermal Barrier Cooling SL Secondary Leakage to Atmosphere CD Cooldown RCS and Depressurize Secondary OD Depressurization of RCS for RHR Entry Pl Pressurizer PORV lsolation, Given RCS Depressurization RR Residual Heat Removal WM Makeup to the RWST, Given Leakage throu0h Secondary O 3.1 114 3i Acciaent seoence Denneaton.
Rosv;r Velisy P:wsr St:ti:n Unit 2 Revision 0 Probabilistic Risk Assessm2nt Table 3.1.3 6. Top Event Names for the SGTRRECIRC Event Tree
' ' ' E " "
Event NR Recirculation from Surrp Not Roqtbred NM No Melt Condition from Injection Phase QS Quench Spray LH Low Head Safety injection Pumps LC LHSI Cold Leg Injection Paths SM Containment Sump OR Automatic / Manual Actions for Cold Leg Rocirculation RC RSS Train C for Cold Log Recirculation RD RSS Train D for Cold Leg Rocirculation RS Rect Ala. i Syr" from Pump A or B HR HHS' Ma lo ,< > cul v. MU Makey b., LVI' . 43vt , f ecinculation Failure Cl Containmern it alation O 3.1 115 31 Acudent Scauente Dweation
B::v:r Vcil:y P wer St:ti:n Unit 2 Rcylsl:n 0 Prch:bilistic Risk Ass:ssm:nt l l 1 Table 3.1.3 7. Top Event Names for the Excessive LOCA Event j Trce i _ _ l Deseriptlon Event HH High Head Safety injection Purnps I HC HHSI Cold Leg injection Paths (one of three) LH Low Head Safety injeclion Pumps l LC LHSI Colci Leg injection Paths QS Quench Spray SM Containment Sump OR Autornatic/ Manual Actions for Cold Log Rocirculation I RC RSS Train C for Cold Leg Rocirculation RD RSS Train D for Cold Leg Rocirculation RS Recirculation Spray Pump A_ or B Cl Containment isolation i O O 3.1 116 3i Acaden* $ewence Dehneabon.
Besvar Valley Power Station Unit 2 Revision 0 , Probabilistic Risk Assessment t went l'ee Pepe 81 tPI.tTC31 Evert free Citit Anis lll Cl it il 81 5 Al PI 08 pf Og my h* $[ gp (g) p) 33 l 16 sT = a3 i s l ! I- 6 7 2 j l L- 3 3 L 4
! 5 5 6 6 i ?
- 12 8 6 us 9 9 l
k- 10 13 11 11 k- il 17 il 13 i 14 14
.................... .. Il at 1b21
? .... ............... 16 n 21 77 I
l .............. ..... 11 to 28 33
.................... 1R 36 34 39
- ... ... ........ ..... . . . . . . . . . . . 19 13 40 60 k-a 6 I 20 61 l --
21 62
!! 63 23 64 II -
24 1% 65
................... .......... ......... 24 14 67*T2 21 39 T3 93 l k ..........
...... .......... ...... .. 28 54 91 96
.............................. ..... ... ?9 34 9F'137
...................... ....... ........ .................... 30 17 103+?04 k ....... ........................... ....... .................. . 31 IT 205 3M 5 ........................... ....................... 32 IF 3m4M 33 409
.... .... ................ ........ .. ............... .......... .. ..... 14 38 410 818 I t "M" teen NW of Ore'ator Adton to uom ally trip Reada 08 Bleca 6 wt i re$ CMir g Rf AJometic orni Manaat Reai.sw itlp HH Hy') Head f.eWy ejer149n Ptept il Ivtese irlp HC HHLl 3d W injn:Uno Path
- 9$ Ma*n Steaan twstoon SE ACP besiinject orVifwmas Bemn* Conting AF AuWila'y f oer' motes CD Coomown NC$ em1 Dnt4enar=re fworwary PD Presttw13er 8tebet and FmJon.se CD (MresMitaonn of NCS for WHR Ihery Of Mamaal Attlor. To Reestattsh LIFW Pl PietlJrtyer PQ6N 83 Mile Qven NOS pr Concemawuain f eedestr/5te' tap Feed - ter eseranon RG fittidual HM huhovel Figure 3.1.31. GENTR ANS Event Tree Structure i
? l 3.1 117 31 Accident Sequence tuneahon.
.-,,.m>+----r --evww-y e--- w- evr----t-M+rP:- + ' - + ' - &--T-
Bc:v:r Vcll:y Pcw:r St:ti:n Unit 2 R:vist:n 0 Pr:babilistic Rl:k Ass:ssm:nt f et free O Feve 81 RPT.f fCC1. f veet f ree; 6ftlCitt if est sta es LN tt $4 ot 8C 00 18 ht % Cl 1 1 I J ss ~3- -x2 2 1 L- 3 3 i
-J 1- 4 4 6 $ %
... ........... 6 KF e9
.................... ? 13 10 17 8 A.3 18 ?$
I.................... ? 26 L-.~ 10 11 27 21 l .... 11 M L .... 12 Il 30 31 13 3? L. . . . . 14 31 31 14
- il 3%
L ..... 16 11 IT H 36 37
............... .... . .. .............. 38 73 18 84 76 109 L .......................................
....................................... 19 84 110 141
.................................................. 20 81 146 289 XT 15 ,
c ..... 21 11 M0 791 792.?c3 1 ..... !! :1 L-.................... 23 a6 294.???
.................... 74 E6 196 101 k - .................... 2) to IN 135
. . . . 26 21 E6107
. . . . If it E81M
.. .......... .......................... 28 El 310 !N
?? 13 310 349 L .......................................
......................... .. . ........ 10 38 350 369
.................................................. 31 IT 319 449 g ,g DesertifM g Descriphon NR Rectrcde!<st from Sump hat Readrgd ifC R$$ ff am C ke Cod (eg Rectrru att:n ku Mo ued Corenmn kom mpton Fress AC Rss f ram D ly Cow Leg Roc rculatom QS Quench Noaf RS Red edt>on Spraf from Purnps A or B LH Low Need Lafety injecuart Purns HR .e 4 Pari brRarstesialm cetCamg LC LH51 Cold Leg IN6:t on Paths ML: W< cup b RW37 Ole 6 Re:Pcmcri Fare su ContaW Sump Cl Contavrney iso'aum 04 kJio'ralwa%ia! ktfov br cow Leg Rac6rcu!stran
! Figure 3.1.3-2. GENTRANS Event Treo structure l 9 3.1 118 3i Acadent $eouence Caehneattort
Bssv:r Vellsy Powsr Stcllon Unit 2 Revision 0 Prchabilistic Risk Asssssment O N/ Ivent tree cope et Ref.tttet . tweet frees mera of Jae 1999
- p. .e .. . ., i. u. .i a t. .c .. . ..
n l
.__ - e e ' , t 1
I I I 4 4 L--a t- s- t - $ 1 . .l
....... t at F8
....... A st 9.is
...................................... 9 its o1 to
' ..................................... to as 'ido L
- t1 I
,...... tf a1 241 TF O' . . . . . . . . . 4 12 34 37 1
l ...... 14 ft le )$ l ....... In 8t 4 41
' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...... 14 84 41 47
"" "" ....... 1P t1 44 49 3
............. 18 at Std) l ........... 19 tl 64 SP y ............. 70 El ll et
.............. t 61
. . . . . . {t r 2.2 81 62 ed et ,
..... 23 at 68 et
............................................... le 31 FD 89
................................................. il 8F e3 itPb
........................................................ ...... 74 to 10s l'8 8te..............................*.............. . . . . . . . . . If 89 211-164 l 75 59 514............................................................ 79 $10 247 lf t 3D 454 '
..............................,............ 33 ste 4)S el&4 Si il $47164 L,,.............................................
32 si 35 sf leF.lsa
$416tf
............................................ 34 al 661 477 I *"***** II 8I II'03'
.. .. 54 Rt a'fl+4fe
................................................ St K1 all set
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . Ja sta 663 sa Top Description D De setiption fvent t vent HH H!gh Head Salety trye: tion Pvmps $M Containment Surnp HM HMSI Cold L*0 Injection Paths (ten of thrM OR Autamatic/Manua! Actions for Cold Lug AM Two of Throo Accurnutators Dische ge Herircuintsen AF Auxi"ary Feedwater RC R$$ Train C for Cold Leo Cecirculation LH L.ow Head $afety lejection Pumps RD RSS Tra!n D for Cold Leg Recirculatio's LM LitSI Cold leg injaction Paths Mt) Manpop to MST Cive'i Rootcutation Falls OS Quench Way RS Recirculation cpray ho<n Pump A or D Cl Contaouennt lanlatirwi Fi0ure 3.1.3 3 Medium LOCA Event Tree Structure b
3.1 119 31 Acodent Lepoce (Wmeaton
I B::v:r Vcll y Pow:r St:ti:n Unit 2 R;visi:n 0 Preb: bill: tic Risk As::ssm:nt twent tree ene #1 Pet.fft01 Ivent teces tio: A tu NC M 18 tl CS $84 OA #C 90 8U Al fl l llt 1 ___,- st- ' 1 1 8 l 3 3 I - - 4 4
- l. -IlM 1 - $ 5 t--- 6 6
..... T 51 1-3
..... 4 at 9 40 9 it
' ... 10 si 12 15
.............. ................ ... 11 12 14 26 at . ... .. . 12 a.3 FF 10 l
l- ..... Il at 11 12
..... 14 Il 33 54
........... ....................... il B4 35*4l
- 17 Ki .......... 16 r1 45 46 I 17 E3 47 50
...... ... il d $1$4 I ... ...... 19 K3 $$48
~~ ..... ?0 31 $ t-60
. . 71 F1 61 42
.............. ............. ..... 88 r1 L1 82 at .......... 23 K3 83 86 I
I
. . . . 24 51 57 84
... . 25 11 IMP 40
................................... 24 58 9I 98
......... . ..... 27 27 99 154 k .......... ........ ...
.. ............................... .......... Et 51 19 52 111 113 ttt St1
~51?
L- ......... .............. . ... ....
........ ......................... 30 *! ??6 256 l .......................... .. ..... 31 14 237 744 I ..... 32 s1 745 146
-o l .................................. 33 Il 34 s1 247 266 267 768 l ... . ... .... ...... ............. 35 38 269 276 I .. . 36 31 7F7 21 37 39 279 310 L . ..................................
.............. ........... ... ............ .......... 18 39 311 142
.................. ....... . .......................... 39 310 141 474 I8P Teg.
I"' 8 #'N*" g yent DMCTW Ivont HH High Head SeWy thject>gn Pumsus OR AJtom.tn;/M.%a: Actirn see cois Leg HO HH$i cad tag inje: Dun P sun (pre c' the ee) Recrculabon At u e w w w.w pien. . ne ass i,.i i...n c o w co',s w cei.es neeveaenan ut i.= H e s.
- y n . coon % :o an o t n-nu.aon L.L LHSl Cce$ Leg tr)DCllon Peas (large LOCA) uJ ueveup to kwst Oiven ato. 4.cr '+ne es ou o m ey ns s.wce.i.or w y e vvi o a I su cani ~.w se ci cm...m incwe,i l
Figure 3.1.3-4 Large LOC A Event Tree Structure O 3.1 120 3i Ace,e sequence t>enneanon
Usovar Vallcy Powsr St: tion Unit 2 Revision 0 Prchtbilistic Risk Asssssmsnt
- s. - 1,..
F.ve el tPl.tf(Cl . l.ent tree Stin I., ., .. .. .. .. - .. ,. , .. .. n m ,, .. I _ . . . _ ,, _-- ,5- _ 3 i I I -- _
! t :
g 3 31 - 4 4
" ) )
p si pf
. . . 9 81 10 11
..... 10 si ls 33
---..... 11 31 84 1%
+- 1# 16 g
18 17 l ..... 14 91 16 19
.. 1% 31 70 7%
,.... to .1 27 t)
~f g 17 si 10 51 to rt R619
.... 19 st 74.tv I
70 30
#1 11 l tt St
- F3 11 to 34
-- PS ll I Pa 36 l !! St 18 18 79 19 l 30 40 l- I -
II 17 41 47 54 41 I 64 44 l 35 ei , 14 46
.. . ... . ............ ........ 37 El 47 41 O i L-. .-
__ 18, i a.3 64, i ., t J 6 L_ to tre l el 159
-- 42 110 41 ilt
* .................,.+............... . . ........ 44 44 11P a l M
+ ...................................................... . . . ..... 45 KS 11 P. 7 F7 44 st 273 408 b-a..................................................................
.............................. .. .................... .......... of E1 LO' 544 48 44%
....... .... . ..... . ....... ........ ................ ...... .. ..... .9 he h6 40h9 .
3 _ - - - . Sc im l . ,' NHS1 cusa tag teq.cnon rettes of cm < tor Actkm to uernasoy Irtp IM p sw * *C ae uw.evueme s...as trip se ace s.. we.ctiarv&ermai tsare .e ceasir, TT hartWet. Tflgs $L S urist..y ( ek.g. 60 Alamtp%re u wen w..m eu .w co cc.swn acs em (=w....ue 6. care.., At Aue ery r.=,..i., op tepee.sune etion et ncs iu, ei.tk tneri ce u.%e Ame= te n c.ense. usw ei r. .witsa rorav i onian civan ecs ' ur ceaaw sm./u m aww.c ru n w se : tw ... umian
>= tmum ne.i n ,vio..t ou 6
j en m a oms e e cacao .a eum
. tic n..a s.9n, i.y.a= wu ua.m in m. emt o.v , L.. op e. ,.
s.:nnn , c Figure 3.6.34. CGTR F.ent Tree $ttucture Figure 3.1.3-S. SGTR Event Troo Structuro > - [ I l l i i 3.1 121 3i Accident Sw.nce (Wineaton.
Benv:r Vcil;y Pcw r St:ti:n Unit 2 Revisl:n 0 Prcb:bilistic Risk As::ssm:nt ( nnt free O Page il RPl.llCCI f rent f reel l'1881Cits l l st se n es tu LC 54 et kC to as as wJ Cl 1 1 I
-15 - t6-.-- *3 - 32
- 2 2
* - 3 3 L _xt- 6 6 L .- % 5
............... 6 22 69
.................... ? 13 10 17
.. 4................ 4 13 it b i I
- 9 26 )
L ..... 10 Il 27 26 11 29 L--..... 12 Il 30 31 , i
- 13 32 L-- ..... 14 Il 33 M l l
11 35 L ...., 16 il 36 37
.................. ........... ......... 11 34 3M3 18 s4 76 109 L ....................................
..................... 4.................... 19 84 110 14%
146 ?M
.................................................. 20 15 21 11 2 0 291
- 87 fd E6 .....
..... 22 kl 2V N 93
.................... Il N6 P& Nt
~ 24 56 ht 301 L ....................
.................... 25 E6 332 305
..... 26 X1 3 W 307
..... 21 X1 3 1 309
........................................ to x6 310 329
....................................... 29 18 330 349 L-- ....................................... 33 XS 35C 169
........................ ......................... 31 17 370-649 Tw p,,,,,,,,, Top p,,,,g ,
tnnt ined NR Redreueson frcan Tump W Required RC R55 freir' C tar Cod Lac Locvcuet o3 hu #43 Welt Cond Don trcan injectum thase R0 RLS ftaan D tar coia tog Recewet on C/3 Quest Suray 4S RodrwaHon Spraf trum PJrps A ct B LH Low Head Saeety tryede Psnpt M4 MH$1 Path for Resreulation LC LitSt Cold Leg injodion Petro MU Makeap to RWST Oiven necircula*Jon isitwo su Corunment mimp ce cwun,eni wenon on a.enswvesw Acnons sor cuo Leo Recirtuiation Figure 3.1.3-6. SGTRREClRC Event Tree Structure e l
- 3.1 122 31 Amdent Sequence Dehneation.
lB=v:r Vcliey Pow;r St:ti:n Unit 2 Revisi:n 0 lPrcb:bilistic Risk Asssssment ivent iret Papa #1 RP1.t1C01 tvent freet (KLOCA It HH HC LH LC 05 TA OR RC RD R$ Cl XS--K 7-K6-X5-X4 K342M1-* 1 1 2 2 l ..... 3 X1 34
.......... 4 X2 58
............... 5 K3 9 16
..... 6 x1 1T.18
..... 7 M1 19 20
....... ...................... 8 R4 21 40 9 X5 41 80
........................................ 10 x6 81 160 11 M7 161 320
( -( 12 x8 321*b40 Description ,(OP DescripUon ci'ln, nt OR Automatic / Man 51 Actions for Cold Leg HH High Head Safety injection Pumps HC HH$f Cold Leg injection Paths (one of three) Recl'culation Low Head Safety injection Pumps RC R$$ Train C for Cold urg Rectreulation LH LH$l Cold Leg injection Paths RD RSS Train D for Cold Leg Pacircutation LC Quench Spray R$ Recirculation Sprmy Pumps A or 0 QS su Containment Sump C1 Containment isof ation , Figure 3.1.3 7. EXLOCA Event Tree Structure t, 3.1 123 3i Accident Sequence (Eneation,
s-8::v:r Vall:y P::: r St:ti:n Unit 2 Revi:len 0 Prcb bilistic Risk Ass:ssm:nt i O11 M... g N,, L, ce ue * /,,' 6,, ,
'M, win :;
e ,
,ws nre 0o
/,,,,,.
/.. m ,. ,
M.i. m
) -
=n g' ==>. 7 ..
~ "a w g g
/
' J. J, m- ,u 'w' 'i
, l m .<, m
*/.- M" M--
) I
!EoGo mw ****=
,me w Figure 3,1.3-8. Bypass Paths from Cold Legs to HHSI Pumps and Low P: essure Piping 9
3.1 124 31 ace,ay,i seavene, oei,ne,1,3n
l l
- 8::v:r Vcil:y P:w:r St:ti:n Unit 2 pisi:n 0 Preb: bill: tic Risk Asssssin;nt ,
1 m 1
'/
uus ,n 1 L&O n.us M ne.n . ri aM 7@#*f3
~.
pyg g
" " E . ,in.
M. ) e .
,,m WJ; M n.
i.A .
.sa., , no ...
i m ,,u. nein
-/T m
/,n ,,' 'd ~ --l/
*** ,8
,*n w e
,, s n.
M,,, ' (v) M, Wila n,s ,s. Figure 3.1.3-9. Bypass Paths from Hot Legs to HHSI Pumps and Low Pressure Piping t r 3.1 125 3i m,oeni senme mi,ne.i,on. i-
B::v:r Vcil:y Pc::r Stctl:n Unit 2 R::visi:n 0 Pr:b:bilistic Risk Ass:ssm:nt O 1 l l
- ._ 1 -_. _ . l $g V>=s w /.in
- n. I I
l
/
an in n _ _ __ _ )O. ac I l
"~
[J' , new d... I l l i i l I b"a new m.i. . l
' >< l r ro ue.
M... i mwu o l % ~.. l; wa
'* --M =,, ~ "a s' i
mw ,j; ... : l i
, a ! .::,
O
~
l ""f M... i
- $_ ,! ~ N-- ,o ,e E Ua mw . in i n im 4--- l --+ n.iu Figure 3.1.310. Bypass Paths from RCS to LHSI Low Pressure (CL-153) Piping O
3.1-126 31 Accident Sequence Dehneation.
.-. .- ._ - ~ - - - _ . . .- - . - - - . . -~ - - - - - ---
Bxvir Valley Pcwsr Stati:n Unit 2 Rovision 0 Probsbilistic Risk Ass:ssment 3.1,4 Special Event Trees This section presents the event tree top event debcriptions and the event tree for the anticipated transient without scram (ATWS) event and a brief discussion of the tecnvery tree. 3.1.4.1 Froatline Top Event Description for ATWS Tree For successful ATWS mitigation, certain systems must operate in the early part of the transient. The success criteria for these systems and the assurnpllons that are made for initial conditions of the reactor at the time of the transient are shown in Tablo 3.1.2 8. Table 3.1.41 lists the top events considered for the mitigation of the ATWS. The ATWS trees are not linked to the GENTRANS event tree. Instead, selected initiating event categories are quantified through both the GENTRANS and the ATWS trees. If Top Event RT falls in the GENTRANS tree, the sequence frequency is not counted towards tbo ATWS sequences. In the ATWS trees, if Top Event RT succeeds, the sequence frequency is also not counted. By asking the frequencies of RT success sequences in the GENTRANS tree to RT failure sequences in the ATWS trees, all frequencies from such sequences are accounted for.
- Top Event OT - Operator Actions To Trip the Reactor after a Trip Signal. Following their '
training, the first action of the operators in the control room after the receipt of a trip signal is to verify that the reactor did intfeed trip. If this has not occurred, the next step is to manually trip the reactor. This top event models the actions of the operators only. Hardware that is associa.ed with the opening of the trip breakers or dropping of the control rods is considered next in Top Event RT, O d
- Top Event RT - Reactor Trip. This top event models the hardware that is associated with tripping the reactor. The top event is conditional on the failure or success of the previous l Top Event OT, if the operators have been suscessful, then the availability of the SSPS is not questioned, and only the breakers and the rods are required to function correctly, if tho operators have fal!9d, then the reactor trip depends on the signal from the SSPS. In this case, the top event includes the SSPS logic and circuitry in addition to the reactor trip breakers and the control rods.
- Top Event PL- Power Level <40%. This top event evaluates the fraction of the time that the reactor is operating at a power level higher than 40% power. At power levels below 70%, even with no MFW, the RCS pressures will not rise beyond the American Society of Mechanical Engineers Level C service limit criterion (> 3,200 psig). Pressures greater than 3.200 psig are anumed to guarantee a break in the RCS boundary (see discussion for Top Event VI), Reference 3.1,41 conservatively assumes that at power levels below 40% the RCS pressure will not exceed 3,200 psig since the AMSAC is activated at all ,
power levels above 40% The Beaver Valley Unit 2 model also assumes the power level cutoff to be 40%.
- Top Event MF - Maln Feedwater. This top event evaluates the availability of the MFW system after the initiating event urd tlic peak RCS pressure has occurred. If MFW remains available, then, for all power levels, boration is required through the normel charging and letdown lines with long term shutdown cnoling. With MFW available, there is no chance that the RCS pressure will exceed 3.f 10 pMg for any reactivity feedback and RCS pressure relief capacity. For continued MRV operation, sufficient relief must be s
- available from the steam generator atmoscheric dump valves and the safety relief valves because, according to procedure,.the operators will have closed the condenser dump valves.-
3.1 127 u Accioent sequence ochneenn.
Doav;r Vcll:y Pow:r Station Unit 2 Revision 0 . Preb:bilistle RI:k Assessment
- Top Event AS - ATWS Mitigating System Actuation Circuitry. This top event questions the availabihty of the AMSAC to provide redundant signals to trip the main turbine and to actuate the AFW system; i c., independent of SSPS. AMS AC gets its input from the status of the MFW system (i.e., low f!ow in two of three steam generators) and is activated at all power levels above 40%. This event is not asked if the power level is less than 40%; i.e.,
PL = success or if MFW is successful, as determined from the high pressure turbine impulso pressure, Failure of Top Event AS results in no automatic turbine trap signal.
- Top Event TT - Turbine Trip. This top event questions the availabihty of a turbine trip after event initiation. Given loss of main feedwater without a reactor trip, a turbine trip is required to occur within 60 seconds after the initiating event. Without a turbine trip, the steam generators will contirsue to boil off the inventory at the same rate as before, and the heat transfer will reduce drastically after the steam generator tubes are exposed. Failure of both turbine trip and MFW will result in the RCS pressure rising above the referented 3,200 psig, possibly resulting in a vessel suptare. For ATWS events involving a loss of MFW, turbine trip failuro is conservatively assumed to lead to core melt, due to RCS overpressure (i.e., Top Event Vi failure), regardless of the response of the pressurizer PORVs and safety valves.
The early turbine trip signals come from the auxiliary contacts on the reactor trip breakers or from AMSAC. If the reactor trip breakers do not open, the only e..rly signal for turbine trip is from the AMSAC. Credit is taken for operator actions to manually trip the turbine only if Top Event OT is successful; i.e., if the operators attempted manuai reactor trip. Secondary signals that may come in for main steam isolation valve (MSIV) closure from low steam line pressure are not included. For successful turbine trip, all four steam stop valves must close or all four governor valves rnust close.
- Top Event R1 - Manual Rod insertion. If the reactor fails to trip, the EOPs instruct the operator to manually trip the reactor from the control room and, it this fails, by manually inser1ing the rods, This top event questions the success of the operator in starting to step in the control rods within the first 1 minute after the event. To limit the peak RCS pressure, at least 1 minute of this action should have been completad at the time that the peak pressure is expected. The number of pressurizer valves that is required for RCS pressure relief depends on the status of this top event.
- Top Event AW - Auxiliary Feedwater Actuation. Flow from one AFW pump can provide sufficient makeup for long-term core decay heat removal after the reactor has been shut down. However, during the early stages of an ATWS ovent, an AFW flow rate greater than 700 gpm is required. For this model, it is assurned that the turbine-driven pump or both motor-driven pumps must actuate and supply water to all three steam generators within 1 minute. (The flow rate through each steam generator is limited to approximately 300 gpm.) For steam generator tube rupture initiated sequences, it is assumed that even the ruptured steam generator would be used initially to mitigate the RCS pressure increase.
AFW will initiate automatically from SSPS on low low steam generator level. on MFW trip, and through AMSAC on low feedwater flow. Failure to actuate the AFW in time will result in RCS pressure rising to levels above 2,900 psig, where the HHSI pumps are not capable of injecting. The continuously increasing RCS pressure will eventually result in damage to the RCS boundary. The model here assumes that if AFW fails to actuate automatically and MFW is not available, the sequence will result in a high pressure early melt. 3.1 128 3t meioent semence Denneam
B2cv;r Vellsy Pcwcr Stat en Unit 2 Rsvision 0 Prob:bilistic Risk Ass:ssment
- Top Event PA - Primary Relief, This top event represents the availabihty of pressure relief for the RCS after :oss of MFW and failure of the reactor to trip. The success of this top event implies that sufficient relief capacity was available for the existing core conditions such that the RCS peak pressure did not exceed 3,200 psig, if this pressure is exceeded, the integrity of the reactor vesset is questioned.
The number of required pressurizer valves PORVs and SRVs depe,1ds on the moderator temperature coellicient, the status of secondary cooling, and whether manual insertion of control rods was successful. The analysis that is presented in Reference 3.1.4-2 for determining the number of valves for RCS pressure relief was adapted to Beaver Valley Unit 2 by adjusting for vatve capacities. The Beaver Valley Unit 2 valve capacities are given in Reference 3.1.4 2 as 345.000 pounds per hour of steam for each SRV and 210,000 pounds per hour of steam for _ each PORV. The table for base case (18 month cycle core) is then as follows: Unfavorable Exposure Days Avait- in addition to Three SRVs Condition Three Two ggg PORVs PORVs
- 1. With Success of Top Event RI and AFW 0 18 = 9 82 0 h
L/ 2 With Failure of Top Event RI and with AFW 110 7 154 8 2011 For condition one, there are 18.9 days during which rollef from more than three SRVs and two PORVs is required, and there are an additional 63.7 days during which relief from more than three SRVs is required. Following theso first 82.6 days, relief from threo SRVs is sufficient to keep the RCS pressure from exceeding the established limit of 3.200 psi0.
- For this condition, we will assume that for the first 18.9 days, relief itam three SRVs and three PORVs will be required; for the following 63.7 days, relief from three SRVs and two PORVs will be required; and following this period, relief from three SRVs is sufficient for the rest of the fuel cycle.
For condition two, for the first 110.7 days, even three PORVs do not provide sufficient overpressure protection. For the next 44.1 days, more than two PORVs are required, and for the following 54.3 days, two PORVs are syfficient. Following this time, relief from three SRVs is sufficient for the rest of the fuel cycle. Using Table D-3 from Reference 3,1.4-1, the following is derived:
- Condition 1: For 18% of the time, three SRVs and three PORVs are required.
For 23% of the time, three SRVs and two PORVs are required. For 59% of the time, three SRVs are sufficient (or two SRVs and two PORVs).
- Condition 2: For 48% of the time, there is insufficient RCS relief.
For 10% of the time, three SRVs and three PORVs are required. For 12% of the time, three SRVs and two PORVs are required. For 30% of the time, three SRVs are sufficient (or two SRVs and two PORVs). 3.1 129 11 Accent sequence Deimeatm
D2sv:r Vcll2y Power Station Unit 2 Revision 0 Prob 2bilistic Risk Asssssmsnt
. Top Event OA - Operator Actions for Emergency Boration. This top event models the operator actions to stari emergency boration after the failure of reactor trip following s reactor trip demand. After aligning emergency boration and verifying its success, the operators are required to trip the reactor by deenergiring the motor generator sets. ll this action is successful, the's emergency boration is not longer required, and the operators proceed to cold shutdow in a norr%' way. )
For emergency boration, c0P FR S.1 requires the operator to open the charging flow pat 5 ; 2CHS'FCV122 and to align the source of br ration to the chargmg pumps through any of ; the following three paths: A. Open emer0ency boration isolation valve 2CHS'MOV350. B. Open alternate emergency boration isolation valvo 2CHS'SOV20G ano flow control valve 2CHS'FCV113A. C. Open boration flow path from refueling water storage tank (RWST) t;y opening 2CHS'LCV115B and 2CHD'LCV115D, and by closing valves 2CHS*LCV115C and 2CHS'LCV115E. If the charging flow path throu0h 2CHS'FCV122 is not successful, then the flow path through valves 2 SIS *MOV867C, 2 SIS'MOV867D, and 2 SIS *HCVS68B is considered next. Although the EOP does not specifically call for an atternate flow path in case this second path is not successful, it is obvious that the operator will try to inject the boron into the RCS through the normal safety injection path. For this top event, we will take credit only for this last flow path, as is described in the discussion for Top Evehts HH and HC in the general transient initiating event tree. To allow continuous injection, a relief path must be available, and this has already been questioned in Top Event PA. However, to depressurize the reactor for cold shutdown, at least one of the three PORVs must be manually locked open. This action and the availability of a PORV are included in this top event. If a break has already occurred, then a safety injection will eventually be generated from containment HI 1 input, and operator actions are riot required for boration except as recovery actions. For the initial PRA model, manual initiation of emergency boration is assumed to always be required. If, earlier in the sequence, the operators failed to attempt a manual reactor trip (i.e., Top Event OT = F), no credit is given for initiation of emergency boration.
- Top Event VI - Vessel integrity. This top event evaluates the chance that the vessel ruptures from excessive RCS pressure following failure to trip the turbine or failure of sufficient RCS pressure relief through the pressurizer PORVs and SRVs. If the vessel does not rupture, then a small LOCA is assumed. Failure of Top Event VI results in a low pressure early rnelt. Top Event VI is currently assumed to fail if RCS pressure exceeds 3.200 psia. MFW must fail for this to occur, and even then vessel fail use is not assured; i.e., vessel integrity may realistically be maintained to even higher pressures.
- Top Event HH - High Head Safety injection, Charging Pumps. Same as for General Transients (see Section 3.1.3).
l
- Top Event HC - High Head Safety injection, Flow Path. Same as for General Transients (see Section 3.1.3).
- Top Event PK - All Pressurizer PORVs and SRVs Reseat. After successful boration and reduction of the reactor power level to zero, this top event questions the integrity of the 3.1-130 31 Amoent Sequence Dehneabon
B ever Vall:y Pcwcr Station Unit 2 Revision 0 Prob 2bilistic Risk Assessment primary boundary. Since the pressuriter relief valves have tu open for the irillial pressure sur0e or for establishing the boration path, all of these valves must rescal. If they do not rescat, then long-term high head recirculation is required after the entire RWST has been injected into the core. This event models the reclosure of the pressuriter valves. Ieilure of Top Event PK is modeled as a small LOCA. The rest of the top events (Top Events SE through Cl described in Table 3.1.41) are irdentical to those defined for general transients in Section 3.1.1 Credit for lon0 term makeup to the RWST. in the event of failure of recirculation from the sump, is conservatively omitted from consideration in the ATWS tree. 3.1.4.2 Recovery Event Tree The recovery event tree structure is not presented as a separate figure because it consists of only one top event (i.e., Top Event RE), and just two branches. This special tree is used to assign nonrecovery factors to the frequency of individual sequences through the plant model. The definitions of recovery Top Event RE change, depending on the sequence that is t eing considered. Dn this initial PRA Model. Top Event RE considers the nonrecovery of electric power in those sequences _for which emergency AC power is lost. The modeled recovery actions consider the cause of emergency AC power loss, difficulty in restoring power, and the time available for recovery before core damage becomes inevitable. The electric power recovery models are described in Section 3.3.3. It is possible that the same recovery action for all component level cutsets along a single sequence may not apply, in such cases, the recovery factors must be weighted by the fraction of the component-level cutsets, or O. sequence frequency for which the recovery does apply. No recovery should be credited to the remaining sequence frequency. In practice, the recovery actions are Generally selected so that they are applicable to all or nearly all of the sequence frequency. This is the case for the recovery actions modeled for Beaver Valley Unit 2 3.1.4.3 References 3.1.4-1. Westinghouse Electric Corporation, " Joint Westinghouse Owners Group / Westinghouse Program: Assessment of Compliance with ATWS Rule Basis for , Westinghouse PWRs." WCAP-11093 December 1988. 3.1.42. Duquesne 1.ight Company, " Beaver Valley Power Station Unit 2 Design Basis Document on Reactor Coolant System," DBD-6, Revision 0. O 3.1 131 31 Amoent Sequence Dehneaten
De:v:r Vcti:y Pcc r St:ti:n Unit 2 Rsvision 0 Prcb:bilistic Risk Assetssm:nt Table 3,1.41. Top Ever.t Descriptions for ATWS Event Tree P D"**' Eil " E *nt OT Operator Actions To Trip the Reactor after a Trip Si0nal RT Reactor Trip PL Power Level < 40t'. MF Main Feedwater AS ATWS Mitigating System Actuation Circuitry T1 Turbino Trip Rl Manual Rod insertion AW Auxiliary Feedwater Actuation PA Primary Relief OA Operator Actions for Emergency Boration VI Vessel Integrity HH High Head Safety injection, Charging Pumps HC H10h Head Safety injection, Flow Path PK All Pressurizer PORVs and SRVs Rescat SE RCP Seal Injection / Thermal Barrier Cooling LH Low Head Safety injection Pumps LC Low Pressure Cold Leg Injection Paths QS Quench Spray SM Containment Sump OR Automatic / Manual Actions for Cold leg Recirculation RC Low Head Cold Leg Recirculation Core Coolin0 RD RSS Train D for Recirculation HR HHS! Flow Path for Recirculation Core Cooling PS Recirculation Spray from Pump A or B Cl Containment isolation O 3.1-132 31 Accent Sequence DehneaSon.
Bocver Vclisy Pcw:r Stati n Unit 2 Revision 0 Preb:bilistic Risk Ass:ssm:nt
._ sah, atammvedstram1,d!!Nntmtmt/nnervsliiMr7dHWijli*d s m ss:Is = m t:sta m m Ust!w h f!st!!!!t!!tE n !!!UE
----~ amseanv.u:w.wnuurms.rmnms ~<~vnsmn e n-I t th I' b i - . . . - _ .
s v _ _ _ - 8 :l - 4 i , ; 4 . _
< i } 1 gt N r y
;}
e - _ 0 f
.b ,g I }j S
ii .!Ejili n
- a)uln li n$.3 I $} E
- 5 S Bi!8 W 21 R 0 v
8 P ' h g 6 et s f g ) ..
. 4 L 1 ]
! l g l ol '
d # I "" 8 0 -
${d fIl v 1 :
I
=
o k.l!y}i,N1l[$h[jjtzj
$#} ti
$f E, trittn2(185IV a .
e
& l.
b
?.
Fi0ure 3.1.41. ATWS Event Tree Structure 3.1 133 3i Aceoeniseauenu twineanon. i
I Bacvsr Vcllay Power Station Unit 2 Revision 0 Prob bilistic Risk Assessment 3.1,5 Support System Event Tree j i The support syttom model in this study is used to characterize the response of Beaver Valley Unit 2 support systems following an initiating event. This response is described by event sequences that model various combinations of support system successes and failures. Support systems are those plant systems that do not directly perforrn the plant mitigating fur'..;tions in response to a plant transient. Instead, they provide the necessary motive and control power, cooling water, and actuation signals needed for the frontline systems to perform the plant-mitigating functions. However, the distinction between support and frontline systems is not rigorous. The support system event tree model ;s largely dictated by the dependencies between support systems and by the dependence of frontline systems on specific trains of the support systems. The intersystem dependency tables, which are an intermediate product of the systems ana( cs, are presented in Sectior' 3.2.3. The support model event tree structure is displayed in Figures 3.1.5-1 and 3.1.5-2. The support tree branches everywhere, so that a very large number of possible support system success and failure stato combinations are considered, The top event names are indicated in Tables 3.1.5-1 and 3.1.5-2. The branch everywhere support tree differs from cupport tree structures used in other large event free-small fault tree models. In the past, if failure of one support system top event guaranteed failure of a subsequent top event in the support tree, this would be reflected in the tree structure by not branching at the f ailed top. This practice was adopted to limit the number of sequences to be processed. Software improvements have eliminated the concern about too many sequences. Therefore, dependencies between support system top events are now accounted for in the branch point assignment rules rather than by the tree structure. So, if failure of one top event leads to failure of a second top event, a failure probability of 1.0 is assigned to the branch point under the second, failed top event. The top events of ti,e support model event tree are defined below.
- Top Event RW - RWST Availability, This event models the availability of water in the RWST. The RWST must contain the minimum inventory allowed by technical specifications: i.e.. 859,000 gations. Success of this event implies that a source of water exists for LHSI, HHSt, and QSS. Proper RWST water temperature is also required by plant technical specifications to maintain the water between 45*F and 50"F. A cooling water system is provided to maintain this temperature range. Heat tracing is provided to keep level transmitter lines from freezing. However, neither of these subsystems is modemJ explicitly. Even assuming that these systems fait at the time of plant trip, the temperature is not expected to drift sufficiently to prohibit use of the RWST as a water source.
Temperature indications and surveillance requirements are also expected to minimize the possibility of gettinD into any problems. Historical events related to freezing of RWST suction lines in cold weather at other plants are very unlikely at Beaver Valley Unit 2 due to the temperature indications and survehlance requirements imposed; e.g., the heat tracing panel is checked every day.
- Top Event OG - Offsite Grid. This event models the supply of AC power from the 138 kV switchyard following a plant trip. In the event of a loss of offsite power initiating event, which is assumed to result in loss of power from both the 138 kV and 345-kV grids, this event is assumed failed. Loss of power at the 138-kV grid would result in failure of the normal power supply to all of the emergency and nonemergency AC buses.
3.1 134 M Accicent Sequence Dehneaton,
Davir Vellay Power Station Unit 2 Revi lon 0 Probabilistic Risk Assessmsnt (~ The DC control power from batteries 2 5 and 2 6 that is needed to permit the fast transfer of nonernergency buses 2A and 2D to the system station transfortners is modeled in this top event, it is possible to backfeed the emergency buses fron; the 345 kV switchyard via the umt station service fransformers if that grid is ava;lable. This action, however, requires substantial time. This action is therefore not considered m the initial PR A model.
- Top Event AO - 4.16 kV and 480V AC Emergency Buses Train A (orange) T his event models the supply of AC powcr at emergency buses 2AE and 2N and associated MCCs for 24 hours following a p! ant trip. If power is available from the 138-kV grid (i.e.. success of Top Event OG), this event models system station transformer 2/ s, the 4.16-kV nonemergency bus 2A, and the fast transfer of bus 2A from u nit station service transformer 2C to the system station service transformer as one source of power to the _
emergency switchgear, if this equipment fails, power from emergency diesel generator (EDG) 2-1 is also modeled. If power is not available from offsite (i.e., Top Event OG f ails), then just the power from the EDG is considered. The sJpply breaker from bus 2A must then open, and EDG 21 must stmt and load. The diesel is required to run for 24 hours. The 125V DC control power neec"d to start the diesel and the service water from header A needed to cool the diesel are assumed to be available for the purposes of this calculation. These support system dependencies are modeled separately in later top events; i.e. Top Events DO and WA.
- Top Event DO - 125V DC Bus 21, Train A (orange). This event models the availabihty of DC control power at DC bus 2-1. The 4,16-kV bus 2AE supply and feeder breakers requae control power from bus 21, or they fail as is. In the event that AC power is avaihble from (V) offsite (i.e., success of Top Event OG), success of Top Event DO requires that power ba available at bus 21 for 24 hours via a battery charger from a motor control comer (MCC) supplied by 480V bus 2N. DC control power is only required for less than 6 hours ander most conditions. Most systems that require DC power only need it within the rst few minutes; i.e., to start pumps. Six hours was judged to be sufficiently long for the mission time of a battery charger sirce if it were lost after six hours, ample time would likely be available to effect repairs or manually actuate the needed equipment. Also, within 6 hours, the need to start recirculation spray purens for LOCAs or to hold open the pressurizer PORVs to perrmt bleed and feed cool .g for losses of secondary heat sink should be completed. Therefore, the mission time for the battery charger was assumed to be 6 hours. The mission time for other DC control power equipment was assumed to be 24 hours. If AC power from offsite is not available (i.e., Top Event OG fails), but EDG 2-1 is available to supply power to emergency bus 2AE, success of Top Event DO also requires that the battery for DC bus 21 be available initially in order to start EDG 2-1, Assuming successful start of the diesel, DC control power must again be supplied for 24 hours.
Again, the mission time for the battery chargers was assumed to be only 6 hours. Failures of a battery char 0er after 6 hours are assumed to be unimportant, mostly because offsite power is likely to be repaired well before 6 hours. DC power would hkely still be available for another 3.5 hours usin0 the batteries after battery charger failure. If offsite power is not available and EDG 2-1 is unable to supply AC nower to 4.16-kV emergency bus 2AE, DC power at bus 2-1 can only be supplied by the associatec' battery. Since this battery has the capacity to last only 3.5 hours without recharging or operator
\ intervention to shed loads, success of Top Event DO under these conditions only requires U that DC control power be available for 3.5 hours, after which time DC control power is unavailable.
3.1 135 31 Accmeni sequence Dennten
Dacvsr Vellay Pcwcr Station Unit 2 Revision 0 Prebsbilistic Risk Assessment
- Top Event BP - 4,16 kV and 480V AC Emergency Buses Train B (purple). This event models the supply of AC power at emergency buses 2DF and 2P, and associated MCCs are for 24 hours following a plant trip. If power is available from the 138 kV grid (i.e.,
success of Top Event OG), this event models system station transformer 28, the 4.16-kV nonemergency bus 2D, and the fast transfer of bus 20 from unit station service ; transforme" /D to the system station service transformer as one source of power to the ( emergency switchgear. If this equipment fails, power from EDG 2 2 is also modeled. If power is not available from offsite (i.e.. Top E;ent OG fails), then just the power from the EDG is considered. The supply breaker from bus 2D must then open, and diesel generator 2 2 must start and load, ihe diesel is required to run for 24 hours. The 125V DC control power needed to start the diesel and the service water from header 0 needed , to cool the diesel are assumed to be available for the purposes of this calculation. These ' support system dependencies are modeled separately in later top events; i.e.. Top Events l DP and WB. l
- Top Event DP - 125V DC Bus 2-2, Train B (purple). This event rnodels tho availability of DC control power at DC bus 2-2 for 24 hours following an initiating event. The 4.16-kV bus 2DF supply and feeder breakers require control power from bus 2 2, or they fail as is. In the event that AC power is available from offsite (i.e., sucr ess of Top Event OG). success of Top Event DP requires that power be available at bus 2-2 for 6 hours via a battery charger from an MCC supplied by 400V bus 2P. DC control power is only required for ler than 6 hours under most conditions. Most systems that require DC power only need it within the first few minutes; i.e., to start pumps. Six hours was judged to be sufficiently long for the (nission time of a battery charger since if it were lost after six hours, ample time would likely be available to effect repairs or manually actuate the needed equipment.
Also, within 6 hours, the need to stari recirculation spray pumps for LOCAs or to hold open the pressurizer PORVs to permit bleed and feed cooling tor losses of secondary heat sink should be completed. Therefore, the mission time for the battery charger was assumed to be 6 hours. The mission time for other DC control power equipment was assumed to be 24 hours. If AC power from offsite is not available (i.e., Top Event OG falla), but EDG 2-2 is available to supply power to emer0ency bus 2DF, then success of Top Ever:t DP also rnquires that the battery for DC bus 2 2 be available initially in order to start EDG 2 2. Assumin0 successful start of the diesel, then DC control power must again be supplied for 24 hours. Again, the mission time for the battery chargers was assumed to be only 6 hours. Failures of a battery charger after 6 hours are assumed to be unimportant, mostly because offsite power is likely to be repaired well before 6 hours. DC power would likely still be available for another 3.5 hours using the batteries after battery I charger failure, if offsite power is not available and EDG 2-2 is unable to supply AC power I to 4.16-kV emergency bus 2DF, then DC power at bus 2-2 can only be supplied by the associated battery, Since this battery has only the capacity to last 3.5 hours without recharging cc operator intervention to shed loads, success of Top Event DP under these conditions only requires that DC control power be available for 3.5 hours, after which DC control power is unavailable.
- Top Event FA - Service Water Pump Train A. This event models the supply of service water pump 2SWS*P21 A to header A fotbwing a plant trip. The successful supply of service wate to essential header A loads also requires the success of the common header A flow path (Top Event WA). Swing pump 2SWS*P21C can also be aligned for flow to header A. However, the manual action to align this pump for service to a particular header is not included in the analysis of Top Event FA. It may be considered as a recovery attic i for particular sequences in which the appropriate operator response is better defined; i.e., without regard to the specific sequence, it is unclear whether the 1
3.1 136 31 Acaaent sewence Dewanon
, _ _ _ _ _ _ _ . _ _ _ . _ _ _ _ _ _ _ _ ._m _ . _ _ _ . _ _ _ _ _ _ _ _ . _ _ _ _ _ _
Beaver Vall2y Power Station Unit 2 Revision 0 Probabilistic Risk Assessment swing pump should be aligned to header A or to header B and whether there is sufficient time to align it. Therefore, the actions in Procedure AOP 2.30.1 for loss of service water / normal intake structure to restore service water (i.e., to align the backup pump or to cross connect to Unit i river water or a diesel fire pump) are all considered as recovery l actions rather than being considered here. Success of Top Event FA implies that I sufficient flow is provided by the service water pump train A to header A and is available for 24 hours.
- Top Event EA - Standby Service Water Pump Train A. This event models the supply of water from standby service water pump 2SWE*P21 A to heador A following a plant trip.
The supply from the standby service water pump is required only after failure of service water pump 2SWS'P21 A (Top Event FA). In the event ut a loss of offsite power followed by a failure of pump 2SWS'P21 A to restart and run (failure of Top Event FA), EDG 21 must be tripped within 5 minutes to prevent it from overheating, and the standby service water pump 25WE'P21 A must be manually loaded onto the diesel. This action is included in the model. Swing pump 2SWS*P21C can also be aligned for flow to header A. However, the manual action to align this pump for service to a particular header is not included in the analysis of Top Event EA. It may be considered as a recovery action for particular i sequences in which the appropriate operator response is better defmed; i.e., without regard to the specific sequence, it is unclear whether the swing pump should be aligned to header A or to header B and whether there is sufficient time to angn it. Therefore, the actions in Procedure AOP 2.30.1 for loss of service wator/ normal intake structure to restore service water (i.e., to align the backup pump or to cross-connect to Umt i river water or a diesel fire pump) are all considered as recovery actions rather than being considered here. Success of Top Event EA implies that sufficient flow is provided by the standby service water pump train A to header A and is available for 24 hours.
,
- Top Event WA - Service / Water Standby Service Water Header A Flow Path. This event models the flow path that is common to both the service water pump and the standby service water pump, modeled in Top Events FA and EA, respectively. Top Event WA is only required if one of the pump train top events (FA or EA) is successful. If a CID signal is present, then the valves to the RSS coolers, for the purposes of evaluating Top Event WA, are assumed to be opened for contala nont spray. For flow from one pump still to be sufficient. valve 2SWS*MOV106A must close to ellrninate header A flow to the CCP and '
secondary component cooling systems (CCS). Success of Top Event WA imphes that sufficient flow is provided to service water header A to supply all of its loads for 24 hours. Individual coolers supplied by service water header A (e.g., recirculation spray system heat exchangers, primary CCP heat exchangers) are modeled with the respective system served, rather than being included here.
- Top Event FB - Service Water Pump Train B. This event models the supply of water from service water pump 2SWS*P21B to header 8 following a plant trip. The successful supply of service wate essent'al header B loads also requires the success of the common header B flot _iop Event WB). Swin0 pump 2SWS'P21C can also be aligned for flow to header P iiowever, the manual action to align this pump for service to a particular header is not . included in the analysis of Top Event FB. It rnay be considered as a recovery action for particular sequences in which the appropriate operator response is better defined; i.e., without regard to the specific sequence, it is unclear whether the swing purnp should be aligned to header A or to header B and whether there is sufficient
- time to align it. Therefore, the actions in Procedure AOP-2.30.1 for loss of service water / normal intake structure to restore service water (i.e., to align the backup pump or to cross connect to Unit i river water or a diesel fire pump) are all considered as recovery 3.1 137 M Amnt SMuence ochneaton
.. . -- -. - -. - -, . - - -- .. - _ ~ - - - .
Bravsr Vallsy Power Station Unit 2 Revision 0 Probabilistic Risk Asssssment actions rather than being considered here. Success of Top Event FB implies that Lufficient flow is provided by the service water pump train B to header B and is available for 24 hours.
- Top Event EB - Standby Service Water Pump Train B. This event models the supply of water from standby service water pump 35WE*P21B to header B following a plant trip.
The supply from the standby service water pump is required only after failure of service water pump 2SWS*P218 (Top Event FB). In the event of a loss of offsite power followed by a failure of pump 2SWS*P21B to restart and run (failure of Top Event FB), EDG 2-1 must be tripped within 5 minutes to prevent it from overheating, and the standby service water pump 2SWE*P218 must bu manually Ir ded onto the diesel. This action is included in Se model. Swing pump 2SWS*P21C can ano be aligned for flow to header B However, the manual action to align this pump for service to a particular header is not included in the analysis of Top Event EB. It may be considered as a recovery action for particular sequences in which the appropriate operator response is better defined, i.e., without regard to the specific sequence, it is unclear whether the swing pump should be aligned to neader A or to header B and whether there is sufficient time to align it. Therefore, the actions in Procedure AOP-2.30.1 for loss of service water / normal intake structure to restore service water (i.e., to align the backup pump or to cross-connect to Unit 1 river water or a diesel fire pump) are all considered as recovery actions rather than being considered here. Success of Top Event EB implies that sufficient flow is providcd by the standby service water pump train B to header B and is available for 24 hours.
- Top Event WB - Service Water /Stardby Service Water Header B Flow Path. This event models the flow path that is common to both the service water pump and the standby service water pump, modeled in Top Events FB and EB, respectively. Top Event WB is only required if one of the pump train top events (FB or EB) is successful. If a ClB signal is present, then the valves to the RSS coolers, for the purposes of evaluating Top Event WB, are assumed to be opened for containment spray. For flow from one pump still to be sufficient, valve 2SWS*MOV106B must close to eliminate header B flow to the CCP and secondary component cooling systems (CCS). Success of Top Eveat WB implies that sufficient flow is provided to service watet header B to supply all of its loads for 24 hours.
Individual coolers supplied by seivice water header B (e.g., recirculation spray system heat Enchangers, primary CCP heat exchangers) are modeled with the respective system served, rather than being included here.
- Top Event IR - 120V AC Vital Bus Red. This event models the availability of 120V AC vital bus red; i.e., channel I Success of this event requires power from one of two sources of 480V AC power from emergency bus 2N, or from DC bus 21 through an inverter. If AC
! power is available, success of this event requires that 120V AC power be available for 24 I hours following a plant trip. If 480V AC power is unavailable, success of this event is defined to mi an that 120V AC power is available for as long as the batteries last; i.e., about 2.5 hours. Therefore, this event depends on the status of both Top Events AO and ; DO.
- Top Event IB - 120V AC Vital Bus Blue. This event models the availability of 120V AC vital bus b!ue; i.e., channel 111. Success of this event requires power from one of two
! sources o 180V AC power from emergency bus 2N, or from DC bus 2-3 through an ' inverter. If AC power is available, success of this event requires that 120V AC power is available for 24 hours following a plant trip. If 480V AC power is unavailable, success of this event is defined to mean that 120V AC power is available for as long as the batteries last; i.e., about 8 hours. This event depends on the status of Top Event AO. DC bus 2-3 is also modeled in this top event. 3.1-138 31 Accment seauence Denneanon
Seavsr Valley Power Station Unit 2 Revison 0 Probabilistic Risk Assessment s
- Top Event IW - 120V AC Vital Bus White. This event models the availability of 120V AC s vital bus _ white; i.e., channel ll. Success of this event requires power from one of two sources of 480V AC power from emergency bus 2P, or from DC bus 2-2 through an inverter, if AC power is available, success of this event rt quires that 120V AC power is available for 24 hours following a plant trip, if 480V AC po 'er is unavailable, success of this event is defined to mean that 120V AC power is availabh for as long as the batteries last; i.e., about 3.5 hours. T herefore, this event depends on the status of both Top Events BP and DP.
- Top Event lY - 120V AC Vital Bus Yellow. This m snt models the w ability of 120V AC vital bus yellow; i.e., channel IV. Success of this event requires pt v from one of two sources of 480V AC power from emergency bus 2P, or from D: t ;s 2-4 through an inverter, if AC power is available, success of this ever41 requires that 120V AC power is availabic for 24 hours following a plant trip. If 480V AC power is unavailabia, success of this event is defined to mean that 120V AC power is available as long as the batteries last; i.e., about 8 hours. This event depends on the status of Top Event BP. DC bus 2-4 is also modeled in this top event, i
- Top Event BV - Emergency Switchgear Ventilation. This event models tne two-train emergency switchgear ventilation system, which supplies outside air to locations SB 1 and SB-2 at the 730'6" elevation of the service building. These rooms contain the 4.16-kV l
and 480V AC emergency switchgcar,120V vital instrument buses, battery chargers, and batteries 2-1, 2-2, 2-3, and 2-4. Due to the many heat sources in these rooms, failure of both trains of the emergency switchgear ventilation system would result in increased room temperatures, which, if not recovered, could exceed equipment qualification and O vendor-specified peak operating temperatures; I,c., see Section 3 3.9. Operator action to recover from the loss of ventilation to these rooms prior to equipment failure is included in analysis of Top Event BV, it is assumed (cr the purposes of evaluating the .scovery action that simply opening doors to these areas would not sufficiently limit room temperatures. Recovery would also require the installation of portable fans. To ensure that this recovery stralogy would be effective for sequences involving losses of power to the nonomergency buses, these portable fans would have to be powered from other sources, Failure of Top Event BV is assumed to result in permanent failure of all emergency AC power, and therefore of eventual core damage. Steam generator cooling is also assumed to be unavailable later in the accident due to failure of the 120V vital instrument buses. However, if emergency AC power is lost for reasons other than loss of emergency switchgear ventilation; the vital instrument buses may still be available since the heat loads in the switchgear rooms would be much reduced; i.e., the inverters should not overheat within 8 hours.
- Top Event SA - S' /S Acsuation Train A (SI, CIA, CIB). This event considers the
- __ operability of train e of the solid state protection system. Success of this event ensures .
that the appropriate train A actuation signals are provided to the safeguard equipment. The signals that are required from the SSPS depend on the specific initiating event; e.g., safeguards actuution, MSIV closure, AFW startup, containment isolation, and containment spray actuation. Failure of Top Event SA implies that the associated emergency core cooling system (ECCS) equipment and containment isolation valves are not actuated. In l j __ addition, failure of Top Event SA prevents the associated reactor trip breakers from l receiving an automatic trip signal. Major equipment modeled in this top event includes i the process and -control signal channels (i.e., fit!d transmitters, signal modifiers, and 3.1-139 31 Accident Sesquence hebneation.
B :v:r Vclliy P:wcr St:ti:n Unit 2 Revision 0 Prob:bilistic Risk Ass 2ssmint bistables), the SSPS internal cabinet power supplies, SSPS input relays, and SSPS logic train A and the associated master and slave relays. k
- Top Event SB - SSPS Actuation Train B (SI, CIA, CIB). This top event is similar to Top Event SA but involves SSPS train B.
- Top Event OS - Manual Actions for Safety injection. The operators are asked to verify and actuate safety injection, and to verify operation of certain equipment given a safety injection. These actions are found in the procedures; i.e., E 0. Manual intervention is required whether only one or both trains of SSPS fail, as modeled in the proceeding Top Events SA and SB.
This event is important if automatic actuation of safety injection has failed up.en a demand for it; e.g., for a small LOCA or a steam line break. Failure of Top Event OS is treated as a failure to both automatically and manually initiate one or more trains of high pressure injection, auxiliary feedwer, and containment isolation following a demand for it. Success of Top Event OS mans that the operators have manually actuated HHSI, auxiliary foedwater, and containment isolation. If bo". trains of SSPS are successful. Top Event OS is guaranteed successful. Different operator error rates are used, depending on the specific initiating event being evaluated; i.e., smar LOCA versus a large LOCA.
- Top Event BK - Nonemergency 4.16-kV Buses 1G and 1H and 400V Buses 2J and 2K.
This event questions whether AC power is available to 4.16-kV and 480V buses 1G,1H,2J, and 2K for 24 hours following an initiating event. These buses are of interest because they provide power to the compressors for the station instrument air and containment instrument air systems, in the event that power is not available to the nonemergency busea (i.e., Top Event OG fails), the emergency response facility (ERF) (black) diesel generator starts and loads. If offsite power is available (i.e., success of Top Event OG), then this event models both the supply of AC power from the 138-kV grid via the ERF station transformer and the black diesel generator supply. The DC control power for the black diesel generator, which comes from a separate ERF battery and charger, is also modeled in this top event, in the event that offsite power is lost, the diesel must operate for 24 hours for success of Top Event BK.
- Top Event CS - Secondary Component Cooling and t!.ilt 1 Filtered Water. This event models the equipment needed to provide cooling water to the station instrument air compressors for a 24-hour period following a plant trip. Failure of this top event implies that cooling water to the station instrument air compressors es unavailable, in addition to CCS (i.e., also known as the turbine plant component cooling water system),
this event models the nonemergency power from the offsite grid to power the CCS pumps. Therefore, given success of Top Event OG, the model for Top Event CS includes the system station transformers, fast bus transters, and nonemergency 4.16-kV buses 28 and/or 2C that are needed to power the CCS pumps. If offsite power is not available, then CCs cooling to the station air compressors is unavailable. The top events that model the 4.16-kV emergency buses (i.e., Top Events AO and BP) also include the nonemergency equipment (e.g., system station service transformers) that provide power to these buses from off.c%. Consequently, if one of the emergency AC buses is unavailable, the correspcndng nonemergency buses that feed from the same station service transformer are also conservatively assumed to be unavailable; i.e., for power to be available to both CCS pumps, Top Events OG, AO, ano BP niust all be successful, if flow to one service water header is unavailable, then service water would initially be isolated from CCS on low service water header pressure. Cooling water would then have 3.110 31 Acaoent sequence Denneanm
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment to be manually reestablished to the station air compressors if offsite power is available, the model requires that for a loss of one service water header, the operators then reopen the service water isolation valves to CCS II offsite power and flow fNm the other service water header are available, then the operators align this coolitig water supply to CCS in accordance with Procedure AOP-2.30.1, Loss of Service Wa6r/ Normal intake Structure, if power from the offL,e grid is unavailable, then the operators are required to ali0n cooling water to the station air compressors from the Unit i filtered water system since the CCS pumps require offsite power to operate. Therefore, the portions of the Unit 1 filtered water system that can be powered from the ERF diesel (i.e., Top Event BK) are also included in the model for Top Event CS.
- Top Event IA - Station Instrument Air System. This event models the equipment needed to provide station instrument air for a 24-hour period following a plant trip. Failure of this top event implies that station instrument air is unavailable to all of the air-operated -
equipment supplied by the instrument air system; e.g., the feedwater valves, the conde iser dump valves, the MSIVs. and the crosstie to the containment instrument air system. Major equipment modeled in this event includes the station air compressors that can be powered by the black diesel generator in the event that power is lost from the offsite grid. The station air compressors require cooling water from CCS; i.e.. Top Event CS. E Success of Top Event I A requires successful operation of one of two station instrument air compressors. g
- Top Event CC - Primary Component Cooling Water to Both Headers A and B. TW event
/ models the availability of the CCP for the 24-hour period following a plant trip. Major pieces of equipment included in the model are the three CCP pumps and the three CCP heat exchangers. Success of this event implies that at least one CCP pump operates to supply water through at least one heat exchanger cooled by service water to both CCP headers. Under extreme conditions. when all enrr.peneete rewire coslh@ waim and the service water temperature is at its maximum, two of 'he three CCP pumps may be ,
necessary. However, since this occa s only infrequently and the system is only marginally degraded, for the purposes of the PRA model, one pump is always assumed to be sufficient to provide cooling for the RCP thermal barrier coolers, the residual heat removal system heat exchangers, and the containment instrument air compressors. The individual cooling water loads on each of the two headers (i.e., including the cooler, and its inlet and outlet isolation valves) are modeled separately with the system served by CCP; e.g., cooling to the individual RCP thermal barrier coolers is modeled in frontlire Top Event SE, which considers all forms of RCP seal cooling. The CCP system is normally operating.
- Top Event IC - Containment Instrument Air. This event models the equipment needed to provide containment instrument air for a 24-hour period following a plant trip. Failure of this top event imolies that containment instrument air is unavailable to the air-operated equipment supplied by the system. In particular, compressed air would then be unavailable to the RCP thermal barrier cooling isolation valves in the CCP system, and to the air-operated inboard containment isolation valves. Major pieces of equipment included in this top event model are the containment instrument air compressors. One of two is required for top event success. The containment instrument air compressors are cooled by CCP.
- Top Event TB - RCP Thermal Barrier Cooling. RCP thermat barrier cooling requires success of CCP, modeled in support system Top Event CC, and also that the CCP thermal 3.1 141 31 Accment smuenm oenneenn
Bxv;r Vcil;y Pcwcr St:tlen Unit 2 Revision 0 Pob:bilistic Risk Assusm:nt barrier isolation valves 2CCP'AOV107A. 2CCP' AOV1078, and 2CCP'AOV107C remain open. Containment instrument air supplies these three valves, which fait closed on loss of air. Loss of vital instrument bus I or 11 (i.e., red or white) fails thermal barrier cooling because loss of either bus causes a spurious low CCP surge tank-level indication, which, in- turn, isolates CCP cooling to the containment instrument air compressors. The eventual loss of containment instrurnent air causes the thermal barrier isolation valves to fait closed. Given loss of vital bus I or 11, these valves do not automatically reopen when containment instrument ai is restored. The system model for Top Event TB does consider recovery actions to reestablish thermal barrier cooling under three other conditions:
- When a CIA signal occurs without an accompanying CIB signal, by resetting the signal and realigning CCP to the containment air compressors.
- When a ClO signal occurs, by resetting the signal, realigning service water to CCP, restarting CCP, and aligning CCP to the containment instrument air t.ompressors.
- When the containment instrument air system fails, by cross-connecting containment instrument air to instrument air.
For the above actions, with control power available, the therrna" barrier isolation valves reopen automatically when containment instrument air is roste nd. The further backup action to cross-connect containment instrument air directly to service air,. by opening a manual valve, is conservatively neglected.
- Top Event VL - RWST to HHSI Pump Common Check Valve. This event models the successful opening of check valve 2 SIS'27 and one or the other of 2CHS*LCV115B and 2CHS*2CV1150. The check valve is common to the suction of all three HHSI pumps from the RWST. This equipment failure mode is modeled separately from the rest of the HHSI system because its failure would prevent HHS1 for cold leg injection but would not prevent RCP seal injection unless there was a switchover of HHS! pump suction from the VCT to the RWST, Failure of Top Event VL along with the conditions for switchover of the VCT to the RWST is modeled as failing both HHSI cold leg injection and RCP seal injection.
Subsequent RCP seal ajection would be precluded even, for example, if the safety injection signal were later reset. l O i-3.1-142 31 Acceent secuence Denneanon.
Beaver Vall2y Power Station Unit 2 Revision 0 Probatallistic Risk Assessment Table 3.1.5-1. Top Event Names for Support Event Tree Top Event Description RW RWST Availability l OG Offsite Grid AO 4.16-kV and 480V AC Emer0ency Buses Train A (orange) DO 125V DC Bus 2-1. Train A (orange) < BP 4.164V and 480V AC Ernergency Buses Train B (purple) DP 125V DC Bus 2-2 Train B (purple) FA Service Water Pump Train A FB Service Water Pump Train B EA Standby Service Water Pump Train A EB Standby Service Water Pump Train B WA Service / Standby SW Header "A" Flow Path WB Service / Standby SW Header "B" Flow Path IR 120V AC Vital Bus Red IB 120V AC Vital Bus Blue
-- lW 120V AC Vital Bus White lY 120V AC Vital Bus Yellow BV Emer0ency Switchgear Ventilation 3.1-143 31 Acadent Sequence Delineation
B::v:r Vcil;y P:w r Statitn Unit 2 Rcvisl:n 0 Pr:b bill: tic Risk Ass:ssmsnt Table 3.1.5 2. Top Event Names for Support 2 Event Tree Top Event Description SA SSPS Actuation Train A (SI, CI A, CIB) SB SSPS Actuation Train B (SI, CIA, CIB) OS Manual Actions for Safety injection BK Nonemergency 4.16-kV Buses 1G and 1H and 480V Buses 2J and 2K CS Secondary Component Cooling and Unit 1 Filtered Water IA Station instrument Air System CC Primary Component Cooling Water to Both Headers A and B IC Containment Instrument Air TB RCP Thermal Barrier Cooling VL RWST to HHSI Pump Commoh Check Valve O O 3.1-144 3.1 Accident Sequence Dehneation.
B2 v:r Valley Pawsr St: tion Unit 2 Revision 0 Prch:bilistic Risk Asssssm:nt
/O mLittreet meame.t
.v7 a**ca t 14tCO:09 fM 64 C 1991
( page me. I twent b g .. .. . ., .- .. ..- .. .. . . i. i. .. i, .. 1 41Wa ts-s t4--A t3 - s t 3- a11 -31(- rS-as -. a7--a6-mS -a4-3 5-a2-s ) ^ l l 1 L l l ..... . i .. . . . .. i . . . . . .. . . .
-.u.. ........ . .. ... .. ..... ...... ..... .. . . .... .. . ... ...... .. ..... .
Top Description Event RW RWST Availability OG Offsete Grid AO 416-kVB and 480V AC Emer0ency But.es Tram A (orange) DO 12SV DC Bus 21, Train A (orange) BP 4164V and 480V AC Emergency Buser. Tram B (purple) DP 125V DC Bus 2 2. Train B (purple) FA Service Water Pump Train A FB Service Water Pump Train B g EA Standby Service Water Pump Ttain A EB Standby Service Water Pump Train B . - (v WA WA Service / Standby SW Header *A* Flow Path WB WB Service / Standby SW Header *B* Flow Path IR 120V AC Vital Bus Rod IB 120V AC Vital Bus Blue IW 120V AC Vital Bus Wtwe lY 120V AC Vital Bus Yellow J_. Emergency Switchgeatycattlatton Fi0ure 3.1.5-1. Support System Event Tree Structure t f i C . 3.1-145 31 Accionnt sequence, o.inneatioit
Bsav:r Vcil:y Poxr Station Unit 2 R2visisn 0 Prcbibilistic Risk Ass 2ssment EDEL kane: 8V2 Pope No. 1 Event free: SUPPORT? If $A $8 05 BK Cs IA c: It TB vt r9 X" E7 X& K5 R4 K3---z? - x1 1 1 l 2 2 l ....... 3 El 34
.............. 4 X2 58
..................... 5 x3 9 16
............................ 6 x4 17 32
......................... ........ 7 x5 33 64
.......................................... 8 x6 65 128
................................................. 9 x7 129-256
...................... ................................. 10 x8 257-512
............................................................... 11 X9 513-1024 Top Deser ptioni Event SA SSPS Actuation Train A (El, ClA. CIB)
SB SSPS Actuation Train B (SI, CIA, ClB) OS Manual Actions for Safety lqection BK Nonemergency 4.16-AV Buses 1G and 1H and 480V Guses 2J and 2K CS Secondary Component Cooling and Unit 1 Filerted Water lA Station instrument Air System CC Primary Component Cooling Water to Both Headers A and B IC Containment instrument Air
- TD RCP Thermal Barrier Cooling VL RWST to HHS1 Pumo Commor ChecLyalve Figure 3.1.5-2. Support 2 System Event Tree Structure O
1 l 3.1-146 31 Acadent Sequence Delineation.
Baavar Vallay Power Station Unit 2 Revision 0 Probabilistic Risk Assessment
. 3.1.6 Sequesne Grouping and Back end Interfaces (Plant Damage States)
To complete the accident sequence models, each sequence through the linked event trees is assioned to an end state; i.e., to success or core damago, in past PR As, core damage sequences were further subdivided into plant dama0e states. The plant damage states were defined in such a way that all core damage sequences assigned to a single plant damage : state would be modeled the same in the Level 2 containment event iree quantification. For l core damage sequences, the parameters of interest for Level 2 analysis are the RCS pressure at the time of vessel failure, the availability of steam generator cooling, the transfer of RWST inventory to the containment, containment isolation or bypass, the availabihty of containment heat removal, and the availability of containment spray. The process of developing these relatively finely divided plant damage states specifically for Beaver Valley Unit 2 is described in Section 4.3. The number of plant damage states of interest for Level 2 analyses is large; i.e., more than 100 plant damage states are defined in Section 4.3. The frequencies of all of the plant damage states could be computed by RISKM AN* as part of the Level 1 analysis. However, it was found to be more convenient to quantify the Level 2 containment event tree by physically linking it to the Level i event trees and then quantifying the entire accident sequence frequencies from initiator to release category. The grouping of Level 1 sequences into fine plant damage states then becomes unnecessary because, by directly linking the trees, the containment event tree branch probabilities can then be made dependent on any or all of the top events in the Level 1 event trees. s it was judged appropriate, however, to group the core damage sequences whose frequencies are computed in the Level 1 analysis for purposes of presentation and understanding. A much coarser grouping of core damage sequences than that represented by the plant damage states was selected for these purposes. Four parameters were selected to define the Level 1 coarse plant damage states: RCS pressure at the time of core damage; containment isolation status; the siza of the opening, if not isolated; and, if the containment isolates successfully, the status of containment heat removal. The coarse plant damage states are illustrated in Table 3.1,6-1. The four ranges of RCS pressure were selected to be compatible with the plant damage states defined in Section 4.3. RCS pressure at core damage is a partial measure of the threat to the containment later in the accident. The live different containment states were chosen because, prior to considering additional containment falture modes in the containment tree, they define categories of core darnage sequences with roughly simitar radiological release. The assignment of core damage sequences to the coarse plant damage states is performed by specifying logic rules in terms of the successes and failures of top events in the event trees. With these rules, RISKMAN can then evaluate each sequence through the plant model and assign it to one of the sequence groupings listed in Table 3.1.6-1. The thinking behind these logic rules is now described. The rules themselves may be examineo in Reference 3.1.6-1. Rules for identifyin0 sequences not resulting in core damage (i.e., successes) are first explained, The frontline event tree structures have all asked the containment isolation question, Top Event Cl, as the last event in the sequence. In developing the event trees, if the sequence did not result in core damage, there was no branch drawn under Top Event Cl. Therefore, most of the success sequences are easily seen to be those in which there is no branch at Top Eves CL For those sequences in which the last top event in the last event tree used is recovery Top Event RE, the success paths are 3.1-147 31 Acadent sequence Denneation.
Bssysr Vclisy Pcwsr Station Unit 2 Revision 0 Prcbabilistic Risk Asssssmsnt also success sequences. All other sequences, whether ending in Top Event Cl or Top Event RE, result in core damage. RCS pressure is low (i.e., less than 200 psia) at the time of core dama0e for excessive, large and medium size LOCA initiating events; i.e., LOCAs greater than 2 inches in diameter. RCS pressure is also assumed to be low for ATWS events in which vessel integrity is lost due to inadequate pressure relief and for interfacin0 system LOCA events. All other core damage sequences are at higher RCS pressure at the time of core damage. The logic for assigning core damage sequences to medium, high, or system setpoint RCS pressure at the time of core damage, given that it is not assigned to low RCS pret.sure, is illustrated in Table 3.1.6-2, for sequences with successful reactor trip. For ATWS sequences resulting in core damage, but in which vessel integrity is maintamed, system pressure is assumed at the system setpoint if steam generator cooling fails and at high RCS pressure otherwise. , Steam Generator coolin0 i s successful if either auxiliary teedwater or main feedwater systems ! operate successfully and emergency switchgear ventilation is successful. For sequences in I which main feedwater is initially isolated, operator action to restore main feedwater must also be successful to provide steam generator cooling with main feedwater. For sequences in which steam generator cooling is initially available, but there is a loss of emergency switchgear ventilation, the vital instrument buses and 125V DC buses may eventually overheat and fail; steam generator cooling is then assumed to be lost. The resulting core damage sequences for these cases are assumed not to have steam Generator cooling at the time of vessel breach. The containment may be bypassed for two initiating event categories: steam generator tube ruptures and interfacing system LOCAs; i.e., V sequences. All V sequences are currently assigned to the large bypass grouping. Steam ge. erator tube rupture sequences that result in core damage are assigned to the small containment bypass grouping if a secondary valve in the ruptured steam generator fails open and RCS leakage continues through the secondary side of the environment. Containment isolation is successful if Top Event Cl is successful. The containment has a small leak (i.e., less than 3-inch diameter) and is included into the small bypass groupmg if Top Event Cl fails and Top Event SE fails. Such sequences represent a bypass via the failed RCP seals and through the unisolated seal return line. ContaNment isolation failures resulting in large leak areas (i.e., greater than 3 inches in diameter) have not yet been identified for Beaver Valley Unit 2. For core damage sequences in which the containment is isolated and not bypassed, the status of containment heat removal is established. Containment heat removal is successful whenever recirculation spray operates, in addition, containment neat removal can be provided by operation of RSS pump trains C and D operating in the vesselinjection mode. By suitably combining the parameters described above, each core damage sequence is assigned to one, and only one, coarse plant damage state indicated in Table 3.1.6-1. Later, in l Section 3.3, a description is provided of how the frequencies of coarse plant damage states I and the total core melt frequency are computed. 3.1-148 31 Acciced sequence oenneanon
Brevar Vcllay Powsr St ti:n Unit _2 Revision 0. Probabilistic Risk Assassmsnt
, References 3.1.6-1. Pickard, .Lowe and Garrick, Inc., and Stone & Webster Engineering Corporation,
" Beaver Val:oy Unit 2 Probabilistic Risk Assessment." prepared for Duquesne Light Company, PLG-0730, Appendix D, Sequence Quantification. December 1989.
-(/
l- [.q j l l 3.1-149 31 Acacent sequence Deiineation.
I mm Table 3.1.6-1. Level 1 Sequence Groupings hE Containment Bypassed Containment isolated kI RCS Pressure at Core Damage Containment =< Small Large Not isolated With Heat Removal No Heat Removal yE (SBYP) (LBYP) - (WCHR) (NOHR) p
;;;- m Low (L)) (0-200 psia) LOSBYP LCLBYP LONISO LOWCHR NONOHR xj Medium (MD) (200-600 psia)
MDSBfP
>e MDNISO MDWCHR MDNOHR High (HI) (600-2.000 psia)
R a '52 HISBYP HINISO HlWCHR HINOHR EE 3o System Setpoint (SY) (>2.000 SYSBYP - SYNISO SYWCHR SYNOHR @" psia)
~ $. .
.W a ?? 2 ?
?
a & t- s-3 o e O O --
f p., _
,a Table 3.1.6 2. Assignment of RCS Pressure at the T?me of Core Damage for Sequences with Reactor Trip Successful o@
g,
* '7 * * *
- 7 Steam Generator HHSI Cooling AnHable Available "'***"#*' ** E<
Cootdown Damage " 8' _= no Yes RCP Seals only Yes Yes. Medium y w
.m Yts RCP Seals only Yes No j High [60:E ,
> r3 Yes RCP Seals only No Yes High e
$W Yes RCP Seals or ~y No No High e E.
m. Yes Pressurizer PORV or Ruptured Steam GearatorM Yes Yes Medium hh n Yes P(essurizer PORV or Ruptured Steam Generatord Yes No High ~h= Yes Pressurizer PORV or Ruptured Steam Generatorm No Yes H,gh n Yes Pressurizer PORV or Re Stured Steam Generator") No No mgh No None Nom Nom System Setpoint'*)
$ No RCP Seals only NoS No** System Setpoint No Pressurtzer PORV or Ruptured Steam Generator") Nom No* High No y N/A Yes* flo$ Wgh (t) The ruptured steam generator is not isolated so that leakage of reactor coolant through the secondary side to the environment occurs. HHSI is considered unavadab!e in the long term for such circumstances if it is initially successful, but makeup to the RWST is not provWed (2) Bleed and feed cooling unsuccessful.
(3) No secondary depressurization possible if steam generator cooling unsucces-ful
$ (4) At or above the pressurizer PORV se: point (5) Bleed and feed cooling successfut.
O S a 1 3 'a a e 2 < e = 0 e m o P o k
' ~ " " " ' " 'L'* mas, y,__ _, _ ' ' ' '"'* *-A--,m. m,s ,
)
I
. I 1
0 i l l l 0 l I (- l o O I
o Beaver Valley Power Station Unit 2 Revision 0 ProbaWilstic Risk Assessment 3.2 SYSTEMS ANAuYSIS 3.2,0 Systems Analysis Methodology The determination of the split fractions for each system in the plant event trees is done t y a process called systems analysis. This task assesses the likelihood that a system will fail to meet its functional success criteria as defined by the plant response event tree models. System failures may result from independent or dependent equipment hardware failures, human error, or from combinations of equipment failure, human errors, maintenance actions, and testing activities. Specific system failures may affect the availability of other systems (e.g., support system failures), or they may directly affect the ability to mitigate the consequences of accidents or transient events; e.g., frontline system failures. The systems analysis defines physical and functional dependencies among the systems and is used in constructing the plant event tree models. The lo0i cal structure of the event trees. in turn, defines scenarivspecific success criteria for system performance and boundary conditions within which the system is required to operate. Therefore, the systems analysis task provides-.
- EngineerinD knowledge about the plant systems needed to develop the plant risk model; i.e., dependency matrices and event tree models.
- Input for quantification of the integrated plant event tree models; i.e., failure frequency of each system top event split fraction for specified boundary conditions.
Note that a frontline system directly maintains the reactor core or containment protection safety functions. The support systems provide support functions, such as motive power, control power, actuation signal, cooling water, etc., for the frontline and/or other support systems. This section describes the approach used in developing systems analyses for this study. Because the systems in a plant differ greatly from each other, the analyses of different systems have different detailed formats. Nevertheless, all of the systems alyses conform to the same analysis structure and contain the same essential elements. 3.2.0.1 Scope of Systems Analysis it is important to recognize that the system models developed in these analyses include only those components necessary to quantify system unavailability for the split fraction boundary conc;itions of this study. The levet of detail in modeling subcomponents is consistent with the best available equipment data. For example, the models for motor-operated valves do not specifically identify individual motor circuit breakers, torque switches, and limit switches because the best available data for valve failures include all subcomponents of the valve assembly and its motor operator. Similarly, relay models do not separately identify individual , contact failures, and electranic ciicult models are developed only to the level of replaceable modules or major circuit boards. The boundaries of certain systems may also be redefined slightly from normal engineering and design descriptions to facihrate efficient model integration. For example, the support system event tree model includes the top event that evaluates the unavailability of the
\ primary component cooling water (CCP) system. This system provides cooling to various vital and nonvital components. To efficiently model the effects from failure of CCP, the analysis of this system includes only those components that are common to all equipment cooled by CCP. Failures of individual CCP valves branching off from the common headers 3.2-1 32 system AnEYM
B2: var Vall;y Powcr Station Unit 2 Revision 0 Probabilistic Risk Assessmant are included with the failure frequency distributions for the equipment cooled by CCP. Without this simplification, the suprort system event tree model would require considerably more system top events since the additional valves are not common to all components cooled by this system. This modeling treatment does not effect the estimate of system unavailability with its use in providing a good estimate for the frequencies of various plant damage states. However, analysts must be aware of this division if they attempt to separately evaluate system unavailabihty outside the context of this study. Because of their broad effects and interrelationships among several components, these modeling boundary divisions are most often redefined in PRAs for support systems. The boundaries and scope of frontline system models are generally the same as those found in plant system engineering descriptions. Electrical boundaries for mechanical and fluid systems are generally made between the bus or panel containing the supply circuit breaker and the supply breaker itself. Failure modes involving the circuit breaker are included as a part of the failure rates for the component being supplied. The boundaries between actuated systems and the solid state protection system (SSPS) are made at the point where the commonality ends. For example, a relay that is common to the actuation of several systems is modeled as part of SSPS. and the successive relays are modeled as parts of tha actuated systems. The boundaries between cooling water systems and the systems that they support are made so that the cooling water system analysis includes all components needed for support of more than one other system. Generally, this includes pumps, headers, and header isolation valves. Failure of cooling water system components that support only one other system is included in the analysts of the supported system. Examples of these components are branch lines to individual cooling loads, cooling load isolation valves, and individual load cooling coils. However, piping or valve failures that might disable an entire train of a support system or impact more than one analyzed system are included in the cooling system. Each system analysis contains all major components required for system success as defmed by the event tree system split fractions. The contribution to system unavailability from common cause dependent failures is treated by the multiple Greek letter (MGL) method for each system analysis, according to the general methodology described in Reference 3.2.0-1. The databasc used for quantification of the system models includes generic failure rate and maintenance data and common cause parameters that have been screened for Beaver Valley Unit 2. The plant-specific operating and test procedures were reviewed during the systems analysis task. Human errore dur00 testing that could contribute to system unavailability are included in the systems moceis wten considered significant. 3.2.0.2 Systems Analysis Approar.h The systems analysis approM described in this section involves the methodology associated with modeling in the RISKM AN format (Reference 3.2.0-2). 3.2.0.2.1 Qualltative Systems Analysis 3.2-2 32 Symm AVyrs
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment 3.2.0.2.1.1 System familiarization and documentation: For operating a ' ' ear power plant. s good engineering knowledge of plant systems is an integral and essential element of a PRA. i The systems analysis is designed to integrate this knowledge with the plant model f development and quantification process. The first step in the systems analysis is the collection of - applicable documentation. The_ documents include the UFSAR. system descriptions, plant procedures (maintenance test, operations), and drawings; e.g., electrical schematics, logic drawings, and piping and instrumentation drawinOs. These documents are used in the systems analysis as well as in the development of the plant event sequence models. During the plant familiarization task, the plant response to various initiating events is used to select systems for possible further analysis. The systems screening process encompasses all systems at Beaver Valley Unit -2. It determines the response of each system to normal and transient operating cond:tions. The combinations of alt - possible system successes and failures characterize the possible responses of the plant to initiating events. One result of the initial screening was a categorization of each system as either a "suppcri" system or a "frontline" system, Each system was also classified as to whether further analysis was required. Those systems considered as important to risk were analyzed in detail, After the systems screemag. a summary is developed for each of these selected systems. These summartes briefly describe the system and generally include:
+ System Functian
- System Success Criteria
- Support Systems Required for System To Perform Function
- Systems Supported
+ System Operation and Special Features
- Testing
- Maintenance =
- Recovery Considerations
+ Technical Specification Requhements
- Surveillance Tests
- References 4 Modeling Assumptions The purpose of this system summary is to help the analyst document how the system works, how it is tested. how it is maintained. and how it can be misaligned, etc. The first section.
System Function. provides a general discussion of the system functions to be considered in the analysis. Some systems may have many functions. Each function should be hsted here since this aids in ' understanding intersystem dependencies, one of the most difficult aspects of systems analysis. System interdependencies are also established by careful enumeration of support systems required in the third section of the summary.
-The second section of the system summary contains the system success criteria in general, the system success criteria for this study are derived from the UFSAR. In the case of e exceptions where UFSAR criteria are not directly apphcable or are unrealistically conservative. success criteria are developed by application of engineering judgmeni bated on documented analyses and previous probabilistic risk assessments using similar success criteria.
3.2 3 32 system Anpysis
B:sv:r Vcil2y Pcw:r Stztisn Unit 2 Revisitn 0 Pr:bsbilistic Risk Asssssm:nt The third section lists the support systems acquired for the system to perform its functions. Variations in support system requirements for differrant system functions, if applicable, should be listed in this section, All system dependencies on AC or DC power, actuation signals, ventilation, cooline; for heat exchangers, etc., should be included in this section. The tourth section lists the systems support 3d by this system. The fifth section outlines information about system operation and special features. Included in this section are special operating configurat5ns, system actioru, interlocks, and manual actions required for the system to perform its function. System actions involve normat and automatic operations. Normal system lineup during plant power operation should be indicated. Which equipment is normally runnin0 and how the system is designed to respond automatically to emergency actuation signals should be explained. Manual actions that must be performed for the system to achieve the designated success criteria should also be described. The sixth section describes surveillance tests that are performed on the system. This section includes descriptions of how the system alignment changes during testing, the frequency and approximate duration of each test, ar.d the possible system misalignments that could go undetected folicwing tests. The seventh section describes maintenance that is performed on the system, inc ; ding maintenance alignments and potential misalignments following maintenance. Maintenance frequencies and durations are generated as part of the data analysis. The eighth section describes recovery considerations such as alarms and indications, abnormal procedures, and any possible operator recovery actions. The ninth section presents possible system failures that can cause one or more of the initiating events, directly or indirectly. This provides feedback from the systems analysis to the process of initiating event selection documented in Section 3.1. The tenth section lists applicable technical specification requirements, including limiting conditions for operation -(LCO). The eleventh section lists important assumptions related to the system. The twelfth section describes the logic model representing the system by referring to the block diagram and component table for the system. The thirteenth section lists the references used in the system analysis. 3.2.0.2.1.2 Definitions for quantitative analysis: Once the system information is documented and the event sequence diagram developed, the next step is to define the top event split tractions for the quantitative systems analysis. The split fraction definitions identify the success criteria for each system under a specific set of boundary conditions. These definitions include the major components (or systems) requ' ired to operate, the operating mission time, and the support systems available. The grouping of system equipment withia each top event is performed in the support and frontline event tree development task. The event tree top events model the effects from system and subsystem successes and tailures. These provide efficient event logic models for the plant response to various initiating events and also preserve all important physical and functional dependencies among the plunt systems. Scenario-specific boundary conditions may affect the number of r vailable components or the detailed success criteria for a system. These effects are evalJated by defining one or more conditional split fraction under each top event. Top even, success 3.2-4 M Symm An#ym
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment l
criteria and quantification boundary conuitions are determined and provided as input to the l
systems analysis. Some systems and/or components of a system may be included in more than one top event. When this is done, the event tree models and spht fraction success criteria are carefully structured to avoid double counting or asking if a system or piece of equipment is failed when a prior spht fraction has already analyzed that failure. This structuring is done by carefully partitioning parts of the system into different split fractions (i.e., usually by train) or by evaluating the system for different time periods and ensurmg that failure in a prior period logically results in faHure at a later time. In some cmes, only portions oi a dy3tcm are includod in the top everi split fractions. In other cases, independent parts of a system are assigned to different split fractions. _ Furthermore, some systems included in this study perform multiple functions. The event tree analysis defines the specific functions modeled for each system. Some general modeling assumptions that are applicable to most system models follow: s a The important plant systems are assumed to be operated and maintained in accordance with the plant technical specifications except for explicitly modeled system misalignments and maintenance errors. .
- A mission time of 24 hours is assumed for most systems. This provides a sufficient time base on which accident progression can be measured, and provides a realistic and consistent time m which outside actions could be started to prevent later (after 24 hours) core damage.
- Other systems are assumed to be operated and riaintained in accordance with the current, written operating and maintenance procedures.
- Pipe b,eaks are considered in the model only if the break by itself can fail the system.
Additional pipe breaks are considered in the internal flooding analysis (see Sechon 3.3.8). , a Vents and drains are not modeled for flow diversion because of their small leak sizes and because they are normally closed.
- Relief valve leakage or premature opening is only considered if it is deemed possible to divert sufficient flow to defeat the train or system.
- Common cause failures are assumed to exist and are modeled for the components and failure modes, which are listed in Table 3.2.01, when the f aHure mode is applicable. The common cause failure contributions to system failures were quantified using the multiple Greek letter method, as defined and explained in Reference 3.2.0-2. The treatment of common cause failures is consistent with NUREG/CR-4780.
3.2.0.2.2 Logic Model Development: Using the system summaries and top event success criteria, the systems analysts then develop the system logic models. The logic model relates a system output state, such as a system success or failure, to combinations of more basic events, such as component states. 3.2. 0.2. 2.1 Reliability block diagram and component table: A piping and instrumentation diagrarn or schematic diagram, such as an elementary electrical drawing. is used as a basis for constructing the block diagram. The block diagram portrays the ~ success paths" of the system. These paths are combinations of component success states that enable successful 3.2-5 32 Snw.,Auyw
Baavsr Vall2y Pcw:r Station Unit 2 Revision 0 Prob:bilistic Risk Assessmsnt functioning of the system. The success paths, which have the same logica: information contained in a listing of the minimal cutsets, provide the basis for calculating system unavailability. In general, a block diagram showing the success logic for the normal system aHgnment is prepared for each top event. Figure 3.2.0-1 gives an example of a block diagram for Top Event RS. Major system components included in each bbck of the block diagram are listed in the block component description table. Table 3.2.0-2 is an example of the comnonent table for Top Event RS. For each component, the postulated failure modes, the support systems needed for the component to perform its function, the actuated position of the component while performing its function, the initial component state prior to the initiating event, and the position that the component fails to on loss of support are listed. The construction of the block component description table links the plant-specific data table to the systems models. The level of detail .ia the models is dictated by the level of detail in the database. The designator and failure frequency distribution for the failure of a pump to run, for example, includes the pump, pump motor, coupling, and controls. The level of detail in the system l model therefore should be at the pump level, not at the level of the pump motor, pump packing gland, pump rotor, etc. The interrelationship between data and model requires that the systems analyst be knowled0eable about the data and data requirements in order to match the comporant failure modes and data to the model 3.2.0.2.2.2 Fault tree models: Fault tree models of each system top event are constructed to provide the logic strudure for deriving the algebraic unavailability equations that are used to quantify the top event aplit fractions. The development of the fault trees is based on the block diagrams and conerts the success logic of the block diagrams to failure logic. Fault trees serve three purposas. (1) to provide a cross check of the system model logic versus the actual system, (2) to provide an analysis format that can be easily reviewed, and (3) to allow the generation of minima! cutsnis to be used by RISKMAN to quantify top event split fractions. Basic events associated with common cause failures are added to the fault trees prior to Poolean reduction in accordance with NUREG/CR-4780. The basic event designators used in the fault trees have been standardized according to the naming convention presented in Figure 3.2.0 2. Up to 16 characters may be used in each basic event designator, in all cases, the first two chaiacters represent the type of component being modeled, and the next two characters represent the failure mode modeled for that component.- The remaining 12 characters are available for including the I.D. for the component as shown on the VOND (Valve Operating Number Diagram). Some components do not use all 12 characters. The minimal cutsets are determined by using the RISKMAN code (Reference 3.2.0-2). The fault trees, developed to the component level, are the primary input to RISKMAN, Figure 3.2.0-3 gives an example of a component-level fault tree for Top Event RS. Tabin 3.2.0-3 lists the fault tree basic events (i.e., CVF02RSS29) with a description of what the batic event represents. 3.2.0.2.2.3 Common cause modeling: To incorporate common cause events into the systems arealysis, the analyst must understand the factors that determine the dependence or independence among the components in the system. Such factors include how groups of components are used the extent of their diversity (if any), the physical proximity or 3.2 6 32 system Anaiym.
- .- - - _. _ -. .-. ._~ - _- .~.
4 Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment . 1 I
-O d
separation of redundant components, and the susceptibilities of system components to varied environmental stresses. Similarity in design, manufacture, and type among components of different trains implies the existence of strong dependencies. On the other hand, common cause effects would not be expected for dissimilar equipment. To scount for these factors, the analyst must identify those components in the system that will be included or eliminated from the common causo analysis and categorize common cause groups of components for systems of interest. A common cause group is a group of components having a significant likelihood of experiencing one or more common cause events affecting two or more cornponents in that group, Based on experience in evaluating operating data, the following guidelines are developed to help assign component groups:
- When identical, nondiverse, and active components are used to provide redundancy, they should be considered for assignment to common cause groups, one group for each identical redundant component.
- When identical, nondiverse, and active components are present in the system, the probability of common cause events linking diverse components in the system can always be assumed to be negligible.
i
- When diverse redundant components have parts that are identically redundant, the '
l components should nu be assurned to be fully independent. (One approach is to break down the component boundaries anu identify tne parts as a common cause component group.)
- When each redundant leg of a system c -tains one or more active components, the contributions due to both independent und common cause events involving passive l l -
components are generally insignificant . the cale datio, u system unavailability. l
- In redundant systems in which no identirA octive components or parts can be identified, no common cause groupin0 can be aMempted.
The outcome of this part of the analys-is is .. hM o! ine various groups of sirnitar components that are judged to be subject to somn s' cNse failures. It should be noted that, due to practical limitations, all of the poss ' 'e wayr that similar components within a system can be Drouped for common cause analysb ma; not be able to be modeled. Once the common cause groups hava beso determined, the groups are entered as input to the RISKMAN code Table 3.2.0 4 is a report of the common cause group information for Top Event RS. RISKMAN then expands the component failures to include all possible common caase combinations within a common cause group and adds these common cause failures to the fault tree input. l l l 3.2-7 32 S"^W" Y
I B :v:r Vall:y Power Station Unit 2 Revision 0 ) Probabilistic Risk t.sses:.msnt i l l 3.2.0.2.3 Algebraic Model Development i 3.2.0.2.3,1 Unavailability causes and boundary conditions, Having developed the logic model, the next step is to convert the logic model into a model in parameters that can be quantified. The logic model discussed in the previous section was only developed for the norrnal alignment case. The initial conoitions for the normal alignment assume that no equipment is unavailable due to test or maintenance at the time of the initiating event and that ah support systems are available. However, when the system is under maintenance conditions or test alignments, the equipment may be functionally unavailable due to system configuration changes, such as valve position changes. Therefore, in addition to the component failure modes of the system identified in the logic model development task, the analyst must also identify all of the important causes for the unavailability of components in the system. These include:
- Functional Unavailability due to Lack of Required Support
- Independent and Dependent Hardwa" "1ilures. These random failures include undetected failures while in standby, failuies on demand, and failures during operation.
- Test and Maintenance. System unavailability may change when test or maintenance is in progress. Since technical specifications do not allow systems with redundant fra .is to be disabled during test and maintenance, additional failures must occur for the system to fail.
- Human Errors. System misalignments may occur du? to errors of ornission and commission.
The first cause (i.e., conipanent unavailability due to degraded support states) is accounted for by the use of boundary conditions and the conditional split fractions technique in the event tree quantification. For each Top Event T. the unavailability, F(T), can be expressed as i F(T) = f F(B,)
- F(TIB,)
in 1 where f(B,) = frequency of boundary condition i (or the ith set of boundary conditions), determined by the total frequency of all scenarios grouped in this boundary condition. F(TlB ) = conditional split fraction for Top Event T, given boundary condition l set B.. and I f F(B,) = 1.0 w
#w1 Since the integration of boundary conditions and conditional split fractions is performed in the event tree quantification process, systems analysts need only evaluate each tap event split fraction under a specific set of boundary conditions; i.e., F(TlB,). Table 3.2.0 5 is an example of the split fraction report for Top Event RS with a key added to identify the events used to 3.2-8 n syst~n Anaivsis
1 Beaver Valley Power Station Unit 2 Revision 0 Probabiliste Risk Assessment represent st pport system trains. These events appear in the fau;t tree input and are represented in the graphical fault tree as " house
- events. These house events are either successfal or failed, as shown by the boundary condition file, and do not appear in the minimal cutsets for the top event split fractions.
3.2.0.2.3.2 System aligriments. For the remainin0 causes of unavailability, the algebraic model must combine their contributions in accordance with how the sys'em is designed and operated. If there are no dependencies as to how these unavailability contributions may be combined, the al0ebraic equations nmy be directly enumerated from the Boolean analysis of the logic model. However, when plant procedures are being followed, certain combinations of unavailability co.. sos cannot coexist. The technical specifications disallow the coexistence of maintenance or test activities on redundant components. To correctly model these dependencies, one approach uses the coexistence dependencies tc defino a complete and __ mutually exclusive set of system alignments or initial conditions; i.e., the different possible sa:as that the system might occupy at the time of the initiating event or svr*,. demand, in general, the following alignments are considered in the develcpment of algebraic models: ,
- Normal A;;gnment <
S
- Test Alignments
- Maintenance Ali 0nments ,
- Misalignments a
The system can be in only one of these alignments at any given time. Thus, the contribution to the system failure frequency from a specific alignment is the conditional system failure frequency, given that the svstem is in that alignment, multiplied by the fraction of time that the uystem is in that alignment. Consider this example. System X it tested monthly. The test takes 1 hour to perform.' The system failure frequency while in this test is Xl71 (read as conditional failure frequency of system X, given test alignment T1). The contribution to the overall system failure frequency ~ rlue to this test, XT1, is given by XT1 = (fraction of time in T1)*Xl 71
= (frequency of T1)*(average duration of T1)*Xl 71 1 test 1 hour ,Xl T1 7D hours test
= ()/h.0)* X I T1 Each split fraction is quantified by summin0 the contributions from the various alignments for the system. A set of minin al cutsets is developed for each alignment based on the initial conditions imposed by that alignment. Each minimal cutset frequency is determined by solving algebraic equations for the basic events and multiplying them together. For simplicity, the frequency of the basic _ events is also represented by the basic event designators in the algebraic model. For example, the frequency of basic event PMSS2RSSP21A is simply indicated as PMSS2RSSP21 A, the notation of its Boolean designator. The frequency of each minimal cutset is the product of the frequencies of the basic events making up the cutset. Therefore, the frequency of minimal cutset (PMSS2RSSP21 A, PMSS2RSSP218) is PMSS2RSSP21 A PMSS2RSSP216. Since each minimal cutset is a means of failing the system white in a particular alignment, the sum of the minimal cutset troquencies for an alignment is the conditional failure frequency of that alignment.
3.2-9 32 syrem Anaiys,s
Basvar Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment Table 3.2.0-6 shows the ali0 nments modeled for Top Event RS, the fraction of time that the system is in each alignmer.t. and the effects on the system of those alignments. For example, the MAINT1 alignment corresponds to the guaranteed failure of basic event PMSS2RSSP21 A, which represents the start failure mode of pump 2RSS'P21 A. Alignment MAINT1 is the syrem alignment when pump 2RSS'P21 A is in maintenance and is unavailable for service. The equations that are used to calculate the fraction of time that the system is in each of the alignments are also presented in Table 3.2.0-6 f ar Top Event RS. 3.2.0.2.3.2.1 Normal alignment. In the normal alignment, no components are out of service for maintenance, and no tests are in progress. For a standby system or an infrequently operated system, the normal alignment is the alignment that the system is in most of the time. It is from this alignment that the system is reconfigured to other alignments, and it is to this ali 0nment that the system is returned after test or maintenance. To develop the algebraic equation for this alignment, the algebraic equation for the failure frequency of each
.f the minimal cutsets for the normal alignment is developed, and then al.1 are added together.
3.2.0.2.3.2.2 Test alignments. When a system is taken out of its normal alignment for a test, the minimal cutsets for system failure are often changed. For some tests, the system failure frequency is reduced while being tested, such as when a standby system is actuated for an operability test. The system is therefore in the alignment needed to perform its function during the test. In these cases, no credit is taken for the test alignment. The traction of time spcot in such tests is conservatn,ely modeled as if the system were in the normal alignment. Other tests increase the system failure frequency during the test. An example of this is when one train of a two-train system is placed in a recirculation mode, preventing that train from performing its function. In these cases, *ne minimal cutsets for the test alignment can be generated from a fault tree that is modified from the normal alignment tault tree, the frequency and duration of testing can be determined, and the equations for the contribution to system failure can then be written. Assume that the above recirculation test is performed once every T hours on each train and that the mean duration of the test is 7. The system failure occurs when one train is being tested and the other train fails, The fraction of time of being in this test alignment is 2d All tests on analyzed systems and their alignments are considered in the systems analy' sis, but only those judged to be significant are explicitly modeled. 3.2.0.2.3.2.3 Maintenance alignments. Scheduled and unscheduled maintenance on system components can affect the system failure frequency in much the same way as testing. When components are removed from service for maintenance, trains are often made inoperable, redundancy is reduced, and functions can be defeated; all of which impact the system failure frequency. Maintenance on all major components that is possible with the reactor at power and is allowed by the plant technical specifical ons is considered, j The general approach to determine the contribution of maintenance is to modify the logic l models for each maintenance alignment, and then to determine the new minimal cutects. l These are represented by algebraic expressions that are summed to determine the l conditiond failure frequency while in each alignment. Each of these expressions is multiplied by tle fraction of time that the system can be expected to be in the given alignment. 3.2.0.2.3.2.4 Misalignments. Misalignments are generally caused by human error. Improper restoration of the system after testing or maintenance is the most common type of misalignment. Misalignment can also result from errors in calibration that leave the system 3.2-10 u symm Ana>yse
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment or components within the system inoperable. Misalignments, as considered in this study, do not always imply a violation of the technical specifications. System alignments that are less than optimal, but allowed by technical specifications, fall into this category. The approach to analyzing misalignments is similar to that for testmg or maintenance alignments. Possible misalignments that could reasonably occur are posiutated, and their impacts on the logic models and minimal cutsets are determined. The frequency of being in each misalignment is determined by researching the operation, maintenance, and test procedures for operator interaction with the system. The duration of being in each misalignment is determined by analyzing the checks, tests, and operator interactions that would detect the misalignment and the intervals between them. 3.2.0.2.3.3 Basic event frequency and component unavailability. The spht fraction frequency is the sum of the alignment failure frequencies, the alignment failure frequencies are the sums of the minimal cutset frequencies, and the minimal cutset frequencies are, in turn, the products of the basic event frequencies, the building blocks of the analysis. The basic event frequencies are determined by identifying the failure modes for the components making up the basic events and by assigning failure rates to the failure modes based on industry and plant specific failure information. The failure modes and frequencies used in this study are listed in the data analysis section. The calculation of component unavailability can be explained by evaluating the faiiure modes of the example components. For a standby pump to be unavailable for an emergency mission, it may fail to start on demand or fait during operation. For a normally closed, motor-operated valve to be una"ailable to pass flow. it may fail to open on demand or f ail to remain open during the mission time. For a normally open, motor-operated alve to be unavailable to pass flow, it rnay fail to remain open during the emergency mission time or during the period of time between the previous test and the initiatmg event. The unavailability for these three components can then be modeled as Q,, = standPy pump unavailability. (Pump must start and run for I, hours.)
= gos + A,te' 1
Q,, = normally closed MOV unavailability. (Valve must open and remain open for ty hours.)
= q, + A,le' s
F
- Note. M is an approximahon for the exact expremon 1 - e*
3.2-11 32 SysMm Andysd
B:av:r Vcil;y Pcw:r Sh:ti:n Unit 2 Rsvisitn 0 Prcb::bilistic Risk AsJessm:nt Q,, = normally operi MOV unavailabihty. (Valve must be open and remain open for G hours.) A, T,'
= ,
+ A,td where q,, = demand failure rate for pump; failure ~o start per demand.
q,, = demand failure rate for MOV; failure to open per demand. A, = operation failure cate for pump; failures per operating hour. A, = transfer closed failure rate for MOV; failures per operating hour. T, = system flow test int 9rvat; hours. t, = system mission time; hours. 3.2.0.2.3.4 Multiple top events for redundant trains in a single system. In the analysis of many systems, redundant trains of a system are modeled in a single top event. However, to provide better train-dependency tracking in the event tree models, certain plant systems with redundant trains are modeled by multiple top events. This section describes the approach used to develop the algebraic squations for conditional split fractions with the consideration of dependencies, such as technical specifications and common cause failures, across these top events. Consider the event tree for a typical two-train system with associated Top Events A and B, as shown in Figure 3.2.0-4. The conditional split fractions that can be used directly in event tree quantification are denoted by S1, S2, and S3. For example, conditional sput fraction 33 represents the failure frequency of train B, given that train A has failed. ie sequence frequencies of this event trae are denoted by it, f2, f3, and f4. To express the split fractions in terms of train and system unavailabilities, consider the frequency of each sequence: /1 = (1 - S 1) (1 - S2) = 1 - [P(K) + P(5)] + P(XE) 12 = (1 - S1) S2 = P(6)- P(Iff) 13 = S1 (1 - S3) = P(X) - P(kF)
~
f4 = S1S3 = P(AB) where - P(X) = the unavailabihty J train A due to all causes. P( 5) = the unavailability of both trains A and B or the probability of system failure. The above train and system unavailabilities include common cause contributions, and the system unavailability takes into account the technical specification dependency. ! Solving for split fractions S1, S2, and S3, we have 0.2-12 32 system Analysis.
B::v:r Vcil:y Pcw:r Station Unit 2 Revislan 0 Prebsbilistic Risk Assassmsnt [ v S1 = P(I) P(8)-P(A8) S2 = _
- 1 - P(A )
P(h8) S3 = _. P(A) The expressions for the conditional split fractions derived above are applicable to 'um two-train-system top events. If trains A and B are completely symmetrical, P(X) is equal to P(6). The above split fraction expressions become Si = P(X) P(A )-P( AB ) S2 = _ 1 - P( A ) P(X6) S3 = _ P(A) 3.2.0.2.3.5 Modeling of initiating event frequency. In addition to developing and quantifying split fractions in the systems analysis task. certain initiatin0 event frequencies are also evaluated, when generic or plant specific data on initiating event frequency are not available. The logic models developed for the all support systems available split fractions are applicable to the initiating event frequency analyses. The quantification of the minimal h \ cutsets differs somewhat for the initiating events. Basic events are identifiec that can first disturb the system from normal operation. New equations are written for these basic events to quantify the possibility that the basic event occurs during some longer exposure time (usually 1 year, 8,760 hours). Each of these basic events is combined with other, normal basic events, representing failures subsequent to the initial system disturbance, to create a set of minimal cutsets for the initiating event frequency. A set of minima: cutsets is created for each system alignment. The initiating event model is then quantified in the same way as the system unavailability models. For systems with a normally operating train and a standby train, the basic events involving the' operating train are identified as the first failures to disturb the system. For cases with multiple trains normally operating, any of the basic events could first disturb the system. Therefore, each basic event is chosen, in turn, to be tne first failure. 3.2.0.2.4 Split Fraction Quantification and RISKMAN implementation 3.2.0.2.4.1 Split fraction quantification. In summary, the first step in analyzing system failure for each top event split fraction is to identify allimportant unavailability causes for the system components in the fault tree. The fault tree provides the logic structure for evaluating system failure; i.e., it identifies the logic combinations of component failure modes that are necessary and sufficient to prevent the system from meeting its success criteria, RISKMAN generates a set of basic cutsets from the fault tree input. These basic cutsets are f'N reduced using the initial conditions and boundary conditions to produce a set of minimal h' cutsets for each of the system alignments. The minimal cutsets are then converted into equations that can be used to quantify each of the system split actions. A separate group of cutsets are generated for each alignment that is considered significant. The alignment ' contributions are summed to give the total for a particular split fraction. 3.2-13 32 system Analysts.
Doev2r VcHey powcr Stction Un!t 2 Revlslon 0 I' reb:bilistic Risk Assessm2nt The basic algebra.c expressions that gonarated by RISKMAN an in terrna of cutsets that g are, in turn, basic events from the it ' tree input. Tliese basic events must be rotated to T failure designators from the database. RISKMAN allows the system analyst to provide an equation that applies to each basic event, and may include database variables, local variables, or contgants. 3.2.0.2.4.2 RIFKM AN implememiation. All of the system spht fractions, cutsets, and basic events are managed and quantified by the RISKMAN computer code. RISKMAN stores the basic events and combines them, as necessary, for quantification of tha ,plit fractions. A simphfiud schernatic of the RISKM AN information structure is presented in Figure 3.2.0-5. The top event split fractions are quantified usin0 componant failure data, maintenance frequency and duration data, hu. nan error rates, and common csuse parameter data stored in the RISKMAN database file. CSF.RM3. RISKMAN uses the Monte Carlo technique to combine the discrete probability distributions for the database elements modeled in each spht frhction equation. This results in a mean or point estimate value and a discrete probability distribution for the cor6tional unavailabihty of each spkt fraction. The mean or point estimate values are used initially tu quantify the support and frontline event trees. Subsequently, the discrete probability distribution for each split traction is used in the plant model uncertainty analysis for the identified importan' sequences. Once the spht fracHons are quantified, there are several RISKMAN system reports with which to examine the quanhfication results. Once such report is the cause table for the top event split fraction. A sample cause table for split fraction RS1 is presented in Table 3.2.0-7. The cause table lists the cutsets, in order of importance, with the cutset value, cutset irnportance, the cumulative importance, and the associated system alignment. Cutsets that are surrounded by brackets represent common cause failures of the basic event (s) within the brackets. Shown at the top of the cause table are the results of split fraction quantification by point ert' ite and includmg uncertainty (Monte Carlo or Latin Hypercube method). Another art that is available from RISKMAN is the alignment contribution report. A sample report for slit fraction RS1 is presented in Table 3.2.0-8. This report lists the alignments defined for the top event, the probabihty of failure given the ali0nment, the fraction of time that the system is in the allonment, the total contribution to top event failure from the alignment, and the importance of the alignment. 11 must be emphasized that the systems analysis methodology outlined !n the preceding paragraphs provides a set of general guidelines for the systems analysis task. Each system summary, RISKMAN input set, and set of RISKMAN reports follows those generni guidelines. Individual analvsrs may not have a'l of these elements documented in the same style or detail. Bese variations in model structure are expected, depending on the system conhguration and split fraction quantification requirements. However, analysis input to RISKMAN must adhere to the rules listed in Reference 3.2.0-2. 3.2.0.3 Assignment of Systems for Analysis As discussed in the preceding section, an initial stop in systems analysis is plant familiarization and the definition of split fractions. The preceding discussion also describes the approach used in the Beaver Valley Unit 2 PRA to make these systems assignments. Table 3.2.0-9 presents a list of the systems modeled in the Beaver Valley Unit 2 PRA. 3.2 14 n symm Awyn
Bsevsr Vallsy Power Station Unit 2 Revision 0 Probabilistic Risk Assessment 3.2.0.4 References i 3.2.0-1 Packard. Lowe and Garrick, Inc., *PR A Procedures for Dependent Events Analysis, j Volume ll, Systern Level Analysis," prepared for Electric Power Research Institute, PLG 0153, Docornber 1985. 0 2.0 2 Pickard, Lowe and Garrick, Inc., *RISKM AN' PR A Workstation Software, User Manual i ll: Systems Analysis," Releaso 3.0, Proprietary, Novernber 1989 3.2 15 M System Analyn, .. . . . . - _ . . _ . , . _ . _ _ . ~ _ , , . . . . . . - - . . . . . . . . . . . _ . - . - _ _ _ . - - . . _ . . _ - . . . , . . _ , . _ , - , . _ . _ . _ . - .
Deaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment Table 3 2.01. Common Cause Faltures Typkally Modeled Cornponent Failure Mode Pump Fails To Start Pump Fails during Operation Diesel Generator Fails To Start Diesel Generator Fails during Operation Ventilation Fan Fai s To Start Ventilation Fan Fails during Operation Motor Operated Valve Falls To Open on Demand Motor Operated Valve Fails To Close on Demand Air Operated Valve Falls To Open on Domand Air-Operated Valve Falls To Close on Demand Clieck Valve Falls To Open on Demand Solenoid Valve Falls To Open on Dernsnd Solenoid Valve Fails To Close on Demand Air Compressor Fails To Start Air Compf tssor Falls during Operation Air Conditioning Unit Falls 'to Start Air Conditioning Unit Fails during Operation Circuit Breaker Fails To Open on Demand Circuit Breaker Fails To Close on Demand O l 3.2-16 32 eyvem Anaiysis.
a!!f lI! 1 jj l Wutgsgf* o c=s gg 62 3 c[- " 3o<Eo3 O
. n 7"*O {t =,h ME# 3 e ne es3M3 l
g s g B B. s
- er s
, C
+
C o C t C C n t . . ea C o a n s n n a o o a a a e a
, o e o c
c
=
e 4 e . s a e %%%a. m s 'n eooe t o
's m .
A O cc c S e S ta O c O p O Mwt . l $ l r M . t, s s s s s o ss8 s
. Me v
s s - e. s
+
- e. - e+
a s ss_uA t s e. s s - - sA e WS A A A A a a AA W
] i I l,I l 1 ee se . = a = = ne a s p e n m n e e e - =: we m o
E m$ t a O p O O O c O c
- h. O c
0 w CC t t r C t
. f[l e
ta d d d S t e
- e a e n 9 s e r e *p e e e ee cc - so se it W
C % C* C W O O s o O O v O p p - s e p O OO O u h
}
t n e ) 1 tt ) s 1 e e ) c 1 1 ) 1 r ( m ip 0: P-2 E 2 F 2 t o 0.=t t 1 3 P: 2
?2Fae P. te*:
o t 1 e e M 1 m7E t t t WO e g E E E # r E E E' 4 EE E a a E 2 2 A e C 2 e 2 2 e -2 2 22
, c
* - 2* u 2- - - -
- 2- o C
C C S. M
- S Nm f
C C C-C CCC C C C CCnC CC eC e f 0s M E i 4 W M MSu M UUSU S l) s s g g d e e G d d e es s ,oe d t o essg en s e e e s e yn*tu *e nN s* s s e s s un d u , e o o e O C So Popne t S ae8 o
'm O OO OO o w *re O eeNp o O C' P O O f e
o moc M t e sse > os s s s s os s - g e r o e e e e T TO s s o ts s TTO e e e snTsec e r e eenT r
- e m
o u % e M t s f daaaT 4 f vn
- n s 'sa pu4 sf 8
ca a*wF T n
- d a a w aa m a-ea a F a r
a e F F ds *F s d a r r e a r aeR r r F ra T T a a T T T T T TT T F F A t
$ d A 4 2 P
8 R n !
- S - A A a a s B 95 4 0 a !
t.s n t v t v 3 n o nv *. o1 t V a
- No a t
w o it O o R 2 T r T e sC W M- ow- 1 vv w E e _ p , A B se s t e e r oe o n S S r - S v. nr +e SW o _ g
~, S te S S a t
_ T r o f. M R 2 e a n 9 a e 0 c W5 Sw o V e e o WS 52 v, W a m e _ f _ A D T 2 T
- 3 C 2 2 c C 2t e e s n p - d t t c s8t e "w tBa9 e c y ,
e
- e v =
n 3 nae eeAaA s tta .D
- a6 5 S i e3 a%mO2HC m e7 e m
T T a r T a r *u f w c P u 8 2 a6 et Wen 3 e tr 2 Hc s e1 i E T S p s n nBt e nt r e e y/ mV eeSee W. o , r - r n e e e i s a. u SLOS a taS
. o te n na v a r C
. L e
a L a t ia e viw rv o2 t a ia L fs 5+V g W w e
*S a e e c e ar-a w+e eS r a,
t5 ee eVWhNmv: g - 5 e s h d a tm c eS w
- cE vci v r t 5 et e w
- o. sc e
- s m e
r
- S e eeww2 w
eW<N *s # rvn t t + c e e cW s, 2 e c c c r e e C w e re e e S S M f. R C 0 S S c' D SSCS R k. 9 2- r fV 3 k e cb e Ma Sw tom 5 4 8 4 t a 2 1 6
$ 2 2 T M 9 7*"y )a
( A t t U Y 5 3 > $ i _e
.14 ' ,j ;
l) =2 r 4 . :i5 !t
8:av:r Vcll;y Pcw:r Stati:n Unit 2 Revision 0 ' Prcb:bilistic Risk Asssssm:nt I Table 3.2.0 3 (Page 1 of 3). Basic Event Report for Top Event RS Basic l Description
.........' vents
[f MSR2RSSP21 A,l'MSR2RSFP21B)Corfton Causet Group PMR, 2/J ( BPMER)*(ZTPMSR * (T) = 1.1710E-06 ( PMt.5 2 k.b S P21A ) Cothon Causes Group PMS, 1/2 (1*(2BPHES)) * (ZTPMSS) = J.1903E-03 CVTC2RSS29 CHf'CK VALVE 2RSS$29 FAILS TO OPLN Ho Bacio Event EgJation Entered CVF02 RS$30 CHICK VALVE 2RES*30 TAILS TO OPEN llo Desle Event Eq aation Ertered HVA' t EWSMV104 A SERitCE WATTR INLET 25WS*MOV104 A TRANSTERG Ca.,:.t> 2TVM?T
- PT = 2.224B0-06 XXDPrr 1455 0F t.NERGENCY DC PURPLE Constant Value: 1 HVXC2RSSI.0V1$$D SUCTION If0V 21;SS*MOV155D TRANSTERS Clart:0 ZTVNOT
- ST = 2.2240E-06 XXACPU 145$ OF ENERGEllCY AC PURPLE Constant Valuot 1 XXACOR I4SS OF EMERCENCY AC OEANGE Constant Value 1 SNPL2RSSD QUCHCtf SPRAY HEADER B SPRAY N0ZZLES Pl.UGCEta ZTSPNP
- PT = 1.69440-06 (FMSR2RSSP21A) Coraon Causet Group PMR, 1/2 (1-(ZDPMER))*(ZTPMSR
- 97)
- 8.1363L-04
!!VXC7RSSMOV156A DISCf1RGE HOV 2RSS*MOV156A TRANSIERS CLOSED ETVMOT
- ST = 2.224BE-06 PMSE2RSSP21B RSS PUMP 2RSSa P21B FAILS 'K) RUN No Basic Event Equation Entered i
e i 3.2 18 32 system Analysis
i D: v;r V ll:y Power St: tion Unit 2 R: vision 0 Probabilistle Risk Assessment
'.- 1
) Tablo 32.0-3 (Page 2 of 3). Basic Event Repori for Top Event RS J l
)
hsic tvents Description j HVAC/SWCHSV105D SEI.VICE WATER OUTLET 2SW.*H0V105D TrJJDfERS CLOSI.D
- TVWJT
- PT = 2.22401-06 PMDS!LSTP21D P.SS PUMP 2R$5* T21D TAILS TO START No Bat.ic Event Equation Entered HY.KP2 RSS E21D COOLER 2R$$*I:210 PUPTURES 2THXRb a pr = 4.6800E-05 XXVerr SERVICE WATTR EEADER D TAILS Constant Value: 1 FMSR27tSSP21A P.53 P"MP 2RSS*F21A lAILS TO FUN Ho Bs::ic Event Tepation Entered
[FMSR2RSSP21B) Corunon cause Croup PG, 1/2 (1-(2DrHEP.))*(ITPMSR
- l'T) = 6.13631-04 (CV102RSS29,CVP02RSS30) Core n Cause: Group CVD, 2/2
(*BVC03) * ( TVCOD) = 1.6076E-06 HVXC25W 5HOV10'. A SERVICE WATI.R D RLET 25WS*M3V105A TRANSFERS C!ASFD TVHOT
- OT = 2.224fE-06
[CVT02RSS29] Common Causet Group CVO, 1/2 (1-(ZbVCOD))*(tTVCOD) = 1.8111E~04 PMSS2MS P21 A P.S$ PUMP 2RSS*P21A FAILS TO START No basle Event Equaticn Entere:1 MVXC25WSMOV104B SERVICE WATER INLET 25WS*MOV104h TPJSSFERS CLOSED ZTVMOT
- 07 = 2.2248E-06 (PilSS2F. SSP 21B,PMSS2RSSP211.)Co n on Cause Group r.95, 2/2 (ZBPMES)*(ZTPMSS) = 1.0968E-04 (THSS2RSSP21D) Com:ron Cauter Group 1r.S. 1/2
,- s I
)
3.2-19 32 S v$w". Wv'd
I B:av:r Vclicy P:wcr 5t:ti:n Unit 2 Revision 0 Prch billstic Risk Ass 2ssm;nt Table 3.2.0-3 (Pa00 3 of 3). Basic Event Report for Top Event RS 1 BasicEvents Des:riptien (1-(2MXES))*(2TFMSS)
- J.1803E-03
)7XC2RS$X0V156B DISCt!ARGE K0V lRSS*H0V1563 TPMSTERS CLOSED 2DDT
- ti = 2,2248E-06 M C2RSSX0V155A SUCTION }DV 2RSS*MOV155A TPMSTEP.S CLOSED 2 MOT *iT=2.2248E-06 X M ff SERVICE WATER HfADER A TAILS ConstantValue:1
$NPL2RSSA RECIRCt/IATION SFFM HEADER A E022Ll3 FLMED ZISPNP
- 07=1.(944E-06 ETRP2RSSE21A COOLER 2RS$8E21ARUPMES ETEXR3iST=4.6800E-05 (CViO2RSS30] Cononcause:CroupCVO,1/2 (1-(ZEVC00))*(2n' COD) = 1.8111E-04 XXDOTT LOSS OF ENER3ENCY DC OPEGE ConstantValue:1 l
l l l 3.2-20 32 ygs),m an,y3,:
. _ . . - - - . _ . . . ~ . _-~ .- ..-.- - - - . - - - . _ - . . - _ _ .
B3sv:r Vcilty Pcwsr Ststi:n Unit 2 Rovision 0 Prob:bilistic Risk Assessment Table 3 2 0-4. CCF Model Report for Top Event RS O ! Group ID : PHS Basic Events Description TMS$2RSSP21B RSS P'.'MP 2RSSt P21B TAILS TO START i TMS$2RSSP21A RSS PUMP 2RSS*P21A FAILS 70 START order other Than All = 1 Failure Mode ID START Tctal Failtre Rata = ZTPMSS Beta = ZBPES Group ID : PER Basic Events Description PMSR2R$5P21A RSS PUMP 2RSS*P21A TAILS TO RUN , PMSR2RSSP21B RSS PUMP 2RS$t P21B TAILS TO RUN OrderOtherThanAll=1 Failure Mode ID : EUN O Total railure Rate = ZTPMSR
- 97 Beta = ZBPMER Group ID : CVO BasicEvents Description CVT02RS$29 CliECK VALVE 2RSS*29 TAILS TO OPEN CVT02RSS30 Cl!ECK VALVE 2RSS*30 TAILS TO OPEN orderOtherThanAll=1 rallure Mode 10 : OPEN Total Failure Rate = ZTVC00 Beta = 2BVCOD l
l t O l. 3.2 21 3? System Ana!ysis.
110 v:r Vallry Pow:r Stction Unit 2 Rsvit.!on 0 Prcb2billstic Risk Asssasmont Table 3.2.0-5. Split Fraction Report for Top Event RS split Traction RSI - idCIRC. FPPAt TMINS A & B - ALL SUPPORT Fr Nean a 1.47301-04 Date : 19 Al'R 1991 09:04 M"/LH Mean a 1 641,0L-04 Date 19 APR 1991 09:06 Basic Event Impacts for bplit Traction i ns) Basic Event state Doctription XWAFF S CEkVICE WATEli HEADI.R A TAILS XXDPff S LDSS OF D!ERGENCY DC PUPPLE XXVf.rr D SERVICE NATER HEADER D FAILS kktorr S toCS OF F.HERGENCY DC OP,ANGE e XXACPU $ th8S CT IMEROLNCY AC Pl4PLE XXACOR S LOSS OF IAER3ENCY AC OPANGE Split Traction R$2 . FECTRC STRAY TRAINS A & B .1 DSS OF 1 SLTPCRT TP.AIN PE Mean = 5.64$0r-03 Date : 19 APR 1991 09:04 MC/1Jt Mean = $.9900E-03 Date 19 APR 1961 09:06 Dasic tvent Tepnets fut split Tsaction : RS2 Eatic Event State Description XXA00ft l' I45$ or IMER0ENCY AC CMSCE XXDorT T toss or INERGENCY DC ORAAGE XWAFT T $1PVICE WATLR MEADER A Fall 4 XAACPU $ LOSS Of EMER0ENCY AC ITRitE XXDFir 5 loss or EMLitCENCf DC itH1't.E XXVBrf S SERVICE WATut HEADER B TAl!4 Split rtaction FST - CUARANTLED TAILVRE . PE Nean = 1.0000E400 Date : 19 APR 1991 09:04 NC/LH Mean = 1.0000E+00 Date 1 19 APR 1991 09:06 Basic Event Iepacts for Split Traction i R$F Basic l State Description
. . . .. . . . .'v....... ent . ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ......
XXACOR r 103S OF IXP.RCENCY AC OPANGE XXACPU T IDSS OF DTERCENCY AC PURPLE XXDOFF F 1455 0F EMERGENCY DC ORANCE XXDPff T loss OP IXER0ENCY DC Pt'RPLE XXWAFF F SERVICE WATER HIADER A Tall.S kXVBff F nERVICl; WATER HEADER E TA11.5 9
)h hYNN M'Y N
B:::v:r Vclisy P:w:r Steti:n Unit 2 Rovlsicn 0 Prchtbilistic Risk As:sssmsnt O Table 3.2.0-6. Alignment Report for Top Event RS V 1:09m1, Alignment - NORMAL ALIGNMINT Traction of Time in the Alignrent is: ' 1.0 - 2
- EMPMSF
- ZKF'MSD = 6.6487E-01 MAINT1 Alignment - PLKP P2:.A MAINTENAN; Fraction of Tice in the Alignment is:
2,XPMST
- ZMPMSD = 9.01331 04 Basic Event Impacts for MAINT1 Alignment Basic Event State Dn:ription PMSS2RSSP21A ? RSS PlfMP 2RSS*P21A FAILS 70 START O
V MAlllT2 Aligna.cnt - PUMP P21B MAINTENANCE Traction of Time in the Align:ent is: 2MPilSF
- 2MPMSD a 1.3827E-03 Basic Event Impacts for HAINT2 Alignment Basic Event State Description .
PMSS2RSSP21B T RSS PURP 2RS$* P21B FAILS "O START 3.2 23 3 2 .. System Analysts.
00 v:r Vall:y Pcwsr St: tion Unit 2 Revisi:n 0 Prob: bill: tic Risk Ass 2ssm:nt Table 3.2.0 7. Cause Table for Split Fraction RS1 MODEL Names DV2 Cause Table for Top Event RS and Split Fraction RS1 PE Value of RS1 = 1.4730E-04 Date : 19 APR 1991 16:05 MC/1Ji Value of RS1 = 1. 64 50E-04 Date : 19 APR 19'11 16:04 16:07:21 19 APR 1991 Page 1 No... Cutsets........... Value..... 4 Importance % Cumulative Alignment... 1 (> MSS 2RSSP21B 1.004E-04 74.25 74.27 NORMAL PMSS2RSSP21A) 2 PMSS2RSSP21B 1.009E-05 6.85 81.12 NORMAL PMSS2RSSP21A 3 (PMSR2RSSP21A 7.152E-06 4.86 85.98 NORMAL PMSR2RSSP21B) 4 PMSS2RSSP21A 4.134E-06 2.81 88.78 MAINT2 5 PMSS2RSSP21B 4.134E-06 2.81 91.59 MAINT1 6 PMSS2RSSP21B 2. 581E-( a 1.75 93.34 NORMAL PMSR2RSSP21A 7 PMSS2RSSP21A 2.501E-06 1.75 95.09 NORMAL PMSR2RSSP21B 8 (CVF02RSS29 1.603E-06 1.09 96.18 NORMAL CVF02RSS30) 9 PMSR2RSSP21A 1.058E-06 .72 96 90 MAINT2 10 PMSR2RSSP21B 1.058E-06 .72 97.62 MAINT1 11 PMSR2RSSP21h 6.603E-07 .45 98.07 NORMAL PMSR2RSSP21B 12 PMSS2RSSP21D 5.745E-07 .39 98.46 NORMAL CVF02RSS29 13 PMSS2RSSP21A 5.745E-07 .39 98.85 NORMAL CVF02RSS30 , 14 CVF02RSS30 2.354E-07 .16 99.01 MAINT1 15 CVF02RSS29 2.354E-07 .16 99.17 MAINT2 16 PMSS2RSSP21A 1.485E-07 .10 99.27 NORMAL HXRP2RSSE21B l 17 PMSS2RSSP21B 1.485E-07 .10 99.37 NORMAL HXRP2RSSE21A 18 PMSR3RSSP21A 1.470E-07 .10 99.47 NORMAL CVF02RSS30 19 PMSR2RSSP21B 1.470E-07 .10 99.57 NORMAL 1 0 3.2-24 n symm Ana'ym
Scav:r Vall2y Pcwsr Stellen Unit 2 Revision 0 Prebebilistic Risk Assossmsnt Table 3.2.0 8. Alignment Contribution Report for Split Fraction RSi
,p , 6 i. . t I 4 1
PE Xeu = 1,010Hi Dre :19 APR199116:05 Ep Xeta = 1,450H4 Dre :19 APR199116:N : ALipen; fotalrob,Irepency tota. )00r;ance 9,9HR :,360H In :.,3640E N 9,2320M1 O ?Dil '.35:.0M) :. 300H 5 6560M6 3 8390H2 Ed i,35:0H3 1.300 H 5.6560 H 63,8)!0 H 2 ,
.h i
y ,V 3.2 25 32 System Arialysis/
. , , . . . _ . . , _ _._-.._...r..,__...,___., .. .-_ ,.. _.._ ,, _ ,_ . - - - - - . _ _ . . . . . - . . - . . _ . . _ . -
00cv:r Vcli:y Power St ti:n Unit 2 Rcvision 0 Prcb:bilistic RI:k Asssssmsnt Table 3.2.0 9. List of Beaver Valley Unit 2 PRA Systems AC Electric Power DC Electric Power instrument Air / Containment Instrutnent Air Reactor Protection System Solid State Protection System Service Water and Standby Service Water , Primary Component Cooling Water I Secondary Component Cooling Water Chilled Water Ventilation Systems Primary Relief Turbine Trip / Main Steam Isolation Auxiliary Feedwater Matt FeMwater System Containment Isolation Emergency Core and Containment Systems
- High Head Safety injection
- Low Hecd Safety injection
- Recirculation Spray
- Quench Spray Residual Heat Removal System -
Miscellaneous Top Events
-- ATWS Top Events
- SGTR Top Events
. .- Elecitic Power _Rm; cry l
l [ O l l l 3.2 26 32 System Analysis.
B::v:r Vcil:y Pemr St:tien Unit 2 Rovisi:n 0 Prcbsbilistic Risk Ass:ssm:nt O p M f BLOCK.45 DLOCK.49 DLOCK.53 ft.0CK.5T g comet N k$ kk tbYPflR EC R3A7Ygs i h -
*gipo, i-OLocK 48 block.s2 DLocK.56 DLocK.$e
- Nkk$ b[ tRYsPfle M hakN"N -
og as HON 't' RECISCLLAfl0N SPARY (fop EYCNT RS) ACLIABILITY block otA7m Figure 3.2.0-1 Reliability Block Diagram for Top Event RS I l O . 1 3.2-27 32 System Analysis j
-. , . ~ - . .
COMPONCMT TTPE Fattunt Moct DESIGMATOR DESIGEATOR CcMPost4T t.D. (free P & I D) mm
*, o O 3 7<
26 e w, C .. Fat a<
?" '"'I" .'"c'!?t '*".. ...... . '"f*ure Mode"*!" .'"".!E!!*"..........
e em T iiF
~
AV BC Air Operated Velve Bettery Charger St Fall to Start - Storrby Caecnent mx SI - Sistabte SR Fall During Opeestion - Stancy Cceponer t y7 85 CS Fe 1 to $ tert - Worstelly Operati yC St Bus Bettery C4 Feli Durleg OperetIcri - NormsL1yComerwnt
. etIrg Corporent >e 7t 70 Fe i to Ctw.rs CS Cirevit Breeker FC Fe I to Close # -5 CC Certtrol Cebte FR Fe i to oesent
- m
% Chitter FD Fs i to operate on Cemenql CP Comressor FF Fe i to Go to feited Pcsttfort , 2 CR Centre' Rod XO ** 'er'sf er Open :3 -
CV DA Check Velve
' Pneuwt*C Dareer YC ansfer Closed g2" 08 Se:Ldraf t Danper RP we -
PL Plug LC DF fire Dam er LK Gross Leskoge :2 DG Diesel Generatet Po Preesture opentrg = EV Electro stydraulic Velve to Spurious Operation FI Flow Indicator FW M FL Filter. Ventitetten Tell to Reciese f eltewire Water Relief FN Fen ' FS Fuse FK Flow Trensmitter u GV Turtrine Centret Velve ni nest Trecing y MV Manust Vette M RX Pest EKLhanger
- 14 Inverter LG Logle ModJit LX Level Trensaltter MG M*stor Cenerater PfV Moter Operated Valve CA Op-Am 5f rwt Matriz CP Opearter falls to do ...
PC Pressure Control Velve PM Motor Driven Ptso ' PP Pipe Sectim PS Power Supoly PT Turbine Ortvert Ptry PV Power Operated Retnef Yalve PX Presstare Transmitter RL Retsy RV Relief Valve Rx Rasctor Trip Bresker SL tevet Switch SM Slgnal Modifier SW Spray Nottles
$P Pressure Swltch to so Sequencer
.o ST Strainer SV Safety Yatve tn TC Tewcerature Centrol velve TK Storege Tart 3 TV Turbine Stop Velve g VL Ventit9 tvm Louvre 2 3 VS Solenoid Ysive o > XR Trens forwier <
^
a_ s e o-w 3 Figure 3.10-2. Basic Event Designators o O O O
Bacvsr Vallsy Powsr Stati:n Unit 2 Revision 0 Prob:bilistic Risk Asssssmsnt Q n n i {t* v ijh i v o n g l l V b O [I
~
[ G n n
~
~ ~
b b V V O O o V O A
~
br I
!, ~
s,' i V 'V f7
,I V F % e O l 3 -
l V O O {iNI 1 itif I V V m
---, o n E
- ~ ~
3 v m , f* n - l { I 6-I lg G
' ~
[. $
-Q ,!
-- n n
~ ~ ~
v v s n '
-- p 6
fle 'I d
~ ~ ~
h V v n n 9
- t _
q _lv _ g;v .9 3.2-29 32 Sv5 tem ^^8'Y5'$-
BC:v:r Vall y Pcw:r St:ti:n Unit 2 Revision 0 Prcb:bilistic Risk Ass:ssm:nt O A B 11 lSP S1
^
g3 S3 I4 0 4 Figure 3.2.0-4. Event Tree for a Two-Train System. O 3.2-30 32 System Ahatyos
o Ostv:r Vcil;y Power Stati:n Unit 2 Revision 0 Preb:bilistic Risk Ass 2ssmsnt SYSTEMS INPUT INFORMATION 1 l DATA INPUT INFORMATION FOR EACH TOP EVENT: FAULT TREF COMMON CAUSE GROUPS DBF RM3 (DATABASE) AUONMENTS (INITIAL CONDITIONS) SPUT FRACTIONS (DOUNDARY CONDmONS) LOCAL VARIABLE EQUATIONS DASIC EVENT EOUATIONS U p RISKMANS o p e SYSTEM OUTPUT INFORMATION MASTER FREQUENCY OUTPUT FILES QUANTIFIED CAUSE TABLES MASTER FREQUENCY FILE (MEAN VALUES RISKMAN SYSTEM REPORTS FROM WNTE CARW QUANUFICADON) CSF.RM3 (SPUT FRACTION DISTRIBUTION) v 1f PRA DOCUMENTATION _ TO EVENT TREE QUANTIFICATION l Figuro 3 2 0 5 RISKMAN Information Structure 3 (d 1 3.2-31 32 System ^"a'vs'S.
. - . . . _ _ _ _ _ _ _ ~.
B::v;r Vcil:y Pcw:r Stcti:n Unit 2 Rsvlel:n 0 Prcb:bilistic Risk Assessment 3.2.1 System Descriptions System summaries were created for the systems analyzed in the Deaver Valley Unit 2 PRA. These system summaries or system descriptions are the result of the qualitative systems analysis, as described in Section 3.2.0, and are presented here. The system descriptions are arran0ed into the following subsections:
- 1. System Function
- 2. Success Criteria (For Each Mode of Ope:ation)
- 3. Support Systerns
- 4. Systems Supported
- 5. Operating Features including Test /Mahitenance and Recovery Considerations
- 6. Technical Soecifications
- 7. Surveillance 'fests (Dono during Operation or Shutdown)
- 8. References
- 9. Modeling Assumptions The content of each subsection is described in Section 3.2.0.
Detailed information concerning the quantitative system models is not presented here, but is presented in Reference 3.2.11, which includes the reliability block dia0 ram for each top event and the component table associated with each block dia0 ram. The component table lists each piece of equipment rnodeled for a particular top event and includes a list of the support systems required, the failure mode, initial state, actuated state, and loss of support state for the components in the table Reference 3.2.11 also includes the fault tree for each top event and the RISKMAN input flies and output reports for each top event. O 3.2 32 32 smem Ana'yvs.
Beaver Valley Power Station Unit 2 Revision 0 Probabi!istic Risk Assessment 3.2.1.1 AC Electric Power 3.2.1.1.1 System Function: The electrical power systems include the facihties for providing power for operation and control of all Beave Valley Unit 2 auxiliary electrical equipment and instrutnentation during norinal operations, and for the protection sybtem and emergency safety features (ESP) system during abnormal and accident conditions. 3.2.1.1.2 Success Criteria (For Each Mode of Operation)
- FSAR. During normal operations, ensite electrical power from the main generator via two u nit station service transforrners (USST) supphes all AC loads. Durmg nortnal startups/ shutdowns, all of the AC loads receive power from offsite power supply via two system blation service transforrners (SSST). Followin0 a loss of offsite power, the two onsite emergency diesel generators supply AC power to the emergency buses. The fuei oil transfor system supphes fuel from the underground storage tank to the day tank at the diesel generator to ensure continuous operation or the diesel generators for up to 7 days.
- PR A. Each of the two emergency AC power trains (orange and purple) will be modeled separately. The success criterion for each 'tain is the continuous supply of AC power to the safety related loads for a mission time of 24 hours.
3.2.1.1.3 Support Systems Emergency 125V DC (Orange) Control power for orange emergency 4.160V and 480V substation breakers. Emergency 125V DC (Purple) Control power for purple emergency 4.160V and 480V substation breakers. Normal 125V DC Supply Control power for f2st transfer breakers. Offsite Power Supply Backup power upon loss of onsite AC. Service Water Syrlem Coolin0 water for emergency diesel Generators. ? 3.2.1.1.4 Syr.tems Supported
- Systems
- High Head Salety injection System Low Head Safety injection System
- Residual Heat Removal System
- Containment Spray System Containment Air Recirculation System
- Primary Component Coollng Water System
- Service Water System
- Auxiliary Feedwater cvstem
- Spent Fuel Pool Cooling dystem
- Safety Related Air Conditioning and Ventilation Systems
- Post DBA Hydrogen Control System
- Supplomontary Leak Collection and Release System O - Emergency 12SV DC
- 120V AC Vital Buses
- Nortnal AC Lighting
- Emer0ency Diesel Generator System l_______.___
Bravar V ll:y P:wr:r St: tion Unit 2 Ocvision 0 Prcb:bilistic Risk Ass:,sm:nt Reactor Coolant System Containment Isolation System
- Control Rod Drive Mechanism (CRDM) Ventilation System
- Powered by 120V AC Vital Duses
- Reactor Prctection System (RPS)
Engineered Safety Features Actuation System (ESFAS)
- Solid State Logic Protection System - Post Accident Monitoring System
- Alternately Supplied from ERF (Black) Diesel Generator
- Portions of the Radiation Monitoring System - Station Air Compressors Containment instrument Air Compressors - Reactor Containment Vacuum Purnps - Essential Duses 2 5 and 2-6 - Post Accident Monitoring System 3.2.1.1,5 Operating Features
- 1. System Actuation
- a. Aufomafic
- 1) Following a Generator trip, a f ast transfer (.15 seconds) to the offsite power source, via the two SSSTs, will occur, delayed by 30 seconds for reactor >
trip or turbine trip.
- 2) For e plant trip and coincident loss of offsite power, emergency AC power is supplied from the two emergency diesul generators (EDG). Each train related (orange and purple) EDG will supply its own respective emergency 4,160V bus. All 4 kV loads, including the bus tie to the normal 4-kV bus, will be tripped off he emergency buses except the connected 480V substations and reconnected by the load sequencer, as required.
- 3) For a safety injection without a loss of offsite power event, a fast transfer from the USSTs to the SSSTs will occur. The EDGs will start automatically and accelerate up to rated speed, but the EDG output breakers will not close as lorig as adequate vol' age is sensed on the emer0ency bu >
- 4) For a safety injection with a loss of offsite power event, the EDGs will automatically start, trip emergency bus feeder breakers, shed all 4-kV loads except the connected 480V substations including the bus lie to the normal 4-kV bus, energize emorgency buses from their respective EDG, and reconr.ect the required emergency loads according to a predetermined sequence.
- 5) On loss of power to the emergency buses, all diesel generator trips, except overspeed, generator differential current, and Generator over excitation, are automatically disabled. ,
- 6) Supply breaker 2A10(2L10) from 4,160V bus 2A(2D) (USST or SSST) to emergency bus 2AE(2DF) trips open on undervoltage at bus 2AE(2DF). The supply breaker 2E7(2F7) from the respective diesel generator also trips open on emergency bus 2AE(2DF) undervottage.
3.2 34 37 system An#ysis.
Baavsr Vall2y Power Station Unit 2 Revision 0 Probsbilistic Risk Assessment
- 7) The EDGs start automatically due to any of the follow.rg conditior's:
a) Low volta 00 on the emergency bus. b) Opening of the supply breakers to the emergency bus from the preferred source. c) Safety injection signal. The EDGs are started using a compressed air system. Each EDG is capable of rea:hing rated speed and voltage and is ready to accept the load 10 seconds after receiving a start signal.
- 8) Each EDG has onsite fuel storage to rur at rated load for 7 days. Each EDG has a day tank (1,100 gallons) and a storage tank with two transfer pumps (four total) that operate automatically at preset levels in the day tank. The first pump starts on a low-level signal from the day tanr,; if the first pump fails, the second pump starts on a low-low level signal from the day tank. The fuel oil transfer pumps are powered from their respective EDGs following a loss of offsito power. The fuel oil transfer putop is tripped off on high level in the day tank and restarts when low level is reached again. This cycle takes apprcximately 1.6 hours, which loans to three start demands for the fuel oil transfer pump during the 6+ hour mission time of the emergency diesel generator. The first cycle inay be shorter because only 350 gallons are required to be in day tank par technical specifications.
\ 0) The vital 120V AC buses have four separate power supplies: onsite (USST)/offsite (SSST) power, emergency diesel generator, and 12SV DC batteries.
- 10) Electric power trains are completely separated with no swing buses; however, sorne loads can be manually aligned to either train,
- b. Afanual. A single nonsafety diesel generator is shared with Unit 1 to provide backup powar to significant nonsafety-related loads. This black (ERF) diesel starts automatically on low bus volta 00, and loads are controlled by an automatic, programmable centroller system.
- 2. Tests / Maintenance (Frequency, System Reconfiguration, and Potential Misalignments)
- a. The EDGs can be synchronized manually to the offsite power source for periodic festing.
- b. The EDGc are tested monthly. During the test, the startin0 air is blocked from reaching tha diesel generator for a period of about 20 minutes. The valves l used to block the air are double verified to be open tollowing the tect.
l 3. Recovery Considerations (including Alarms, Indications, and Abnormal Procedures) l l l l a. Numerous alarrns and indications m the control room indicata the condition of s l the emergency buses. C b. Operators are directed by emergency procedures (ECA-0.0. Step 9) to attempt to restore emergency AC power if it is lost. 1 3.2 35 32 syst-m AnWysis. l
Doavsr Vallay Pcwer Station Unit 2 Revision 0 Probabilistic Risk Assessment 3.2.1.1.6 Technical Specifications (LCOs)
- 1. One offsite circuit or diesel generator may be out of service for 72 hours with the plant at power, given successful testing of the other diesel generator (3.8.1.1).
- 2. One offsite circuit and one diesel generator may be out of service for 12 hours with the plant at power, given successful testing of the other diesel generator (3.8.1.1).
- 3. 1wo offsite circuits may be out of service for 24 hours with the plant at power, given successful testing of the other diesel generator (3.8.1.1).
- 4. Two diesel generators may be out of service for 2 hours with the plant at power, if two separate offsite sources are available (3.8.1).
- 5. An emergency bus (4 kV bus 2AE or 2DF or 480V bus 2N or 2P) or a vital bus (120V bus 1.11. til, or IV) may be out of service for 8 hours with the plant at power (3.8.2.1).
3.2.1.1.7 Surveillance Tests (Donc during Operation or Shutdown)
- 1. Breakers from offsite sources to the Class 1E distribution system are verified to be in correct ahgnment every 7 days (4.8.1.1.a).
- 2. Transfer from the unit circuit (USST) to the system circuit (SSST) is tested, manually and automatically, every 18 months (4.81.1.1.b).
- 3. Each diesel generator is started and loaded every 31 days on a staggered basis (4.8.1.1.2.a).
l 4. Diesel generators are tested with a simulated loss of offsite power in conjunction with a safety injection signal every 18 months (4.8.1.1.2.b).
- 5. Correct breaker alignment on the emergency buses and vitat buses is verified every 7 days (4.8.2.3.1).
3.2.1.1.8 References
- 1. Technical Specification 3/4.8.
- 2. FS AR, Section 8.
- 3. Design Basis Docu uents DBD-35A, DBD-358, DBD-368. DBD-37, DBD 38A, and DBD=38C.
- 4. System Descriptions / Logic Diagrams 22 1.1, 22 1.2, 22-2. 22-3.1, 22 3.2. 22-4,22- 5.
22-6, 22-7, and 22-8.
- 5. Drawings RE-1 A, RE-1B, RE-1C, RE-1D RE-1E, RE 1F, RE 1G, RE-1H, RE-1J, RE-1 AB, RE-1 AR RE 1 AW, RE-1 AX, RE-1BC, RE-1GF, RE 1 AA, RE-1DA, and RE-1DB.
3.2.1.1.9 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagram for the AC electric power system is presented in Appendix A (Reference 3.2.11) along with the component table.
- b. Emergency 480V AC supply is included with the 4,160V AC supply model, but is a small contribution to system failure smce 480V AC failures are passive failures (e.g., breaker fails open), which are relatively low frequency compared 3.2-36 32 syMem AnMysis
Beaver Valley Power Station Unit 2 Revision 0 Probabilistic Risk Assessment to the breaker demand failures needed to transfer the 4,160V breakers after a plant trip.
- c. It is assumed that failures of the air start system are included in the failure rate data for diesel generators and are therefore not modeied exphcitly.
- d. The response of the emergency diesel generators is not modeled as dependent on the occurrence of an SSPS signal. Instead, the occurrence of an SSPS signal is reflected in the individual sy:, tem models for each piece of equipment loaded onto the diesels.
- 2. Inititil Conditions. AC power being supplied from turbine generator through USSTJ, EDGu are in standby, and plant is operating at 100% power at the timo of the initiating event.
- 3. Failure Mode Impacts. The ERF (black) diesel gerierator is rated at 2.600 kW and is not of sufficient capacity to power the startup feed pump.
- 4. Common Cause. See Table 3.2.2-3.
i 3.2 37 n syu-nexym
B::v:r Vciley P war Station Unit 2 Revision 0 Prob:bilistic Risk Assessmsnt 3.2.1.2 DC Electric Power (125V) 3.2.1.2.1 System Function. The 125V DC supply system provides power for the safety and nonsafety equipment listed in the Systems Supported section. 11 provides a backup supply of power for the 120V AC vital and essential bus inverters and control power for all of the emer0ency and normal 4.160V AC and 480V AC substation breakers as well as power for many other safety functions. 3.2.1.2.2 Success Criteria (For Each Mode of Operation)
- FSAR. The 125V DC power supply is designed to be available even during a station blackout to provide the power necessary for the restoration of other sources of power.
- PR A. Each of the DC buses will be modeled separately. The success criterion for each bus is the continuous supply of DC power to the safety-related loads.
3.2.1.2.3 Support Systems Offsite Power Supply Backup power upon loss of normal AC. Emer0ency Diesel Generators Backup power upon loss of offsite power. 480V Emer0ency AC Power Provides power to battery charger 21 and Oran0e Train rectifier /chan0er 2 3. 480V Emergency AC Power Provides power to battery charger 2 2 and Purple Train rectsfier/ changer 2 4. Area Ventilation Synom Provides required coolin0 of equipment for proper system (DBD-44F1 and DPA44F2) operation 480V Normal AC Power Provides power to battery chctgers 2-5 and 2-6. 3.2.1.2.4 Systems Supported Safety Related Systems Powered by DC Buses 21 and 2 2 4,160V Emergency AC Switchgear Breaker Control 480V Emeroency AC Substations Breaker Control Emergency Diesel Generators Field Flash Miscellaneous Valves. Cabinets. Protective Circuits, etc. 120V AC for NSSS Circuits Channels I and 11 Provides backup DC power to vital bus inverters 2-1 and 2 2 upon loss of 480V emer0ency power. Reactor Trip Switchgear Provides power to shunt trip coils. O i 3.2 38 32 system Autysis
Brav:r Vcil:y Pcwsr Strti:n Unit 2 Re elslen 0 Prebibilistic Risk Asssssm:nt
+ Safety Related Systems Powered by DC Buses 2 3 and 2 4 l pJ l 120 AC for NSS Circuits Channels lll and IV Provides backup DC power '
to vital bus inverters 2 3 and 2-4 upon loss of 480 V AC emergency power.
- HHS1 Cold Leg Throttle Valves Reactor Vessel Vent to Pressurizer Relief Tank
- Nonsafety Related Systems Powered by DC Buses 2 5 and 2-6 4,160V Normal AC Switchgear Breaker Control 480V Normal AC Substations Breaker Control Essential Turbine Auxiliaries Emergency Lighting Panels Backup Lighting upon Loss of AC Miscellaneous Valves Control Circuits, etc.
Fire Protection Powe- for Control Panels Fire Detec3 ion 120/ AC Power for Computer, " ovides backup DC power to essential 120V AC Power for Computer, Provides backup DC power to essential Communications, and Annunciators bus inverters upon loss of 480V AC normal power. 3.2.1.2.5- Operating Features
- 1. Initial Configuration. _ Each emergency 125V DC bus 2-1 and bus 2-2 has an assoc!ated battery and battery charger. Each emergency 125V DC bus 2-3 and bus 2 4 has an associated battery and rectifier / charger. 125V DC buses 2-3 and 2-4 are part of the redundant supplies for vi'al bus channels lit and IV, respectively, and 1?5V DC buses 21 and 2-2 are part o' the redundant supplies for vital bus channels I and 11, respectively. The chargers and rectifier / chargers provide a cantinuous float charge to the batteries and are supplied from emergenev 480V AC buses.
- 2. System Actuation a, Automatic
- 1) The 125V DC supply automatically supplies power to the 120V AC vital buses following a loss of AC power, through inverters.
- 2) Following a loss of AC power, the batteries have the capacity and capability to supply the emergency loads for a minimum of 2 hours.
O V
- b. Menual. An emergency 125V DC bus can be manually connected to a spare battery charger or rectifier / charger, powered from the same AC bus, if the normal charger fails, l
3.2 39 37 tystem Anwym
l Sc:v2r Vclisy Power Station Unit 2 Revision 0 Probabilistic Risk Assessmant l l l
- 3. Tests / Maintenance (Frequency, System Reconfiguration, and Potential MNalignments). The temporary char 0er is alloned to perform ..iaintenance on the normal chargers, so that the system configuration is the same for rnaintenance as it is for normal operation.
- 4. Recovery Considerations (including Alarms, Indications, and Abnormal Procedures) ,
I
- a. Nurnerous alarms and indications in the control room indicate the condition of the emergency buses,
- b. The connection of a 125V DC bus to the s7are charger requires a manual action by the operators.
3.2.1.2.6 Technical Specifications (LCOs). One train of emergency 12SV DC power may be inoperable for 2 hours during power operation (3.0.2.3.a). 3.2.1.2.7 Surveillance Tests (Done during Operation or Shutdown)
- 1. Br eakr.t alignment and power indications are verified every 7 days for each l emergency bus of DC power (4.8.2.3.1).
- 2. Battery charger and rectifie:! charger operabihty and battery condition are verified every 7 days (4.8.2.3.2.a).
3.2.1.2.8 References
- 1. Technical Specification 3/4.8.
- 2. FS AR Section 8.3.
- 3. Desi0n Basis Document DBD 39.
- 4. System Descriptions Logic Diagrams, Beaver Valley Unit 2 Operations Manual, Chapter \39
- 5. Drawings RE 1 AN, RE 1 AR, RE 1 AS, RE 1 AT, RE 1 AU, RE 1 AV, RE-1 AW, RE 1 AX, RE-1BC, and RE 1BE.
3." * .2.9 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagram for the DC electric power system is pt?sented in Appendix A (Reference 3.2.1-1) along with the component tabla.
- b. Loss of power al 125V DC bus 2 3 (2 4) is modeled as part of Top Event IB(lY)
Pat represents vital bus channel lil(tV).
- c. Power to the associated bus switchboards, equipment. and distribution panels is required for success of that train.
- d. The spare battery chargers are not modeled as they require a manual operator
, action to align which is sequence dependent. l l e. The battery and the charging system associated with a particular train are bc4n required to be available for success of that train for 24 homs. If AC power is unavailable, DC powar is evaluated for a mission time of just 2 hours, durin0 which the charging systems are not necessary. 3.2-40 M Sysu Analym
Beevsr Vallay Power Station Unit 2 Revision 0 Ptchabilistic Risk Assessment 2.' initial Conditions. DC power is being supplied from the battery chargers and I
- rectifier / chargers, batteries are fully charged, and plant is operating at 100% power at the time of the initiating eve....
- 3. Common Cause. See Table 3.2.2-3, I
v I. n I o l i 3.2 41 32 system Anatysis
- . . . . - _ . . . - - ~ - , . .
Bccvsr Vallsy Power Station Un': 2 Revision 0 Probabilistic Risk Assessmsnt l 3.2.1.3 Instrument Air and Containment instrum snt Air , 3.2.1.3.1 System Function. The instrument air system is a subsystem of the stat on air system and provides compressed air for air-operated instrurnents and controls outside of the containment.: The containment instrument air system is a separate system that provictes compressed air to instrumentation, controls, and air-operated valves inside the containment. Both the instrument air system and the containment instrument air system are nonsafety-related systems. 3.2.1.3.2 Success Criteria (For Each Mode of Operation)
- FSAR
- Instrument Air. A . mas 100% of the station M;trument air requirements at a discharge pressure m 110 psig.
- Containment instrument Air. Provides 100% of the antainment instrument air requirements at a discharge pressure of 110 psig,
- PRA
- Instrument Alt. One of two station air comoressor trains operates and supplies instrument air for a mission time of 24 hours,
- Containment Instrument Air. One of two containment instrument air comprerm trains operates and supplies containment instrument air for a mission time of b hours.
3.2.1.3.3 Support Systems Turbine Plant Component Coch.ig Water Cooling water for station air compressors and air intercollers and aitercoolers.
- Primary Component Cooling Water Cooling water for containment instrument air compressors.
480V Substation 2-5 Bus 2J' and 480V AC Station air compressor 2SAS-C21 A, MCC 2-23 containment instrument air compressor 21 AC-C21 A. 480V Substation 2-5 Bus 2K' and 480V Station air compressor 2SAS-C218. MCC-2-26 containment instrument air compressor 21 AC-C218. 480V Substation 2-2 Bus 2N Instrument air dryer 21AS-DRY 21. 480V Emergency Substation 2-8 Bus 2N Containment isolation valves 21AC'MOV133 and 2l AC*MOV130. 480V Emergency Substation 2 9 Bus 2P Containment isolation vane 2iAC*MOV134. O l l 'Nonsafety-ref a?ed power with alternate supply frorn ERF (black) diesel generator. 3.2-42 32 system Analysa o
Haav2r Vall:y Pcwcr Station Unit 2 Revision 0 Probabilistic Risk Ass 2ssment 120V AC From F NL AC2-03 (MCC 2-08) Containment instru.aent air dryer A 21 AC-DRY 21. 3.2.1.3.4 Systems Supported Containment Isolation System Containment instrument Air MSIVs instrument Air Cor: denser Dump Valves 3.2,1.3.5 Operating Features
- 1. Initial Configuration
- a. One compressor normally operates in a load / unload mode whi i the second compressor is in standby. This is the case for both the instrument air system and the ontainmerit instrument air system; each system is equipped with two compressors,
- b. The containment instrument air system takes suction from the containment atmosphero and discharges to the instrumentation and control header inside containment.
- 2. System Actuation
- a. Automatic U 1) The standby compressor in each system starts ori low pressure in the corresponding system.
- 2) If instrument air pressure drops below a predetermined point. the station service air header AOV (2SAS AOV105) will close automatically to divert all station air to the instrument or header.
- 3) The station air compressors and the containment instrument air
- compressors can be supplied with electric power from the nonsafety (black) diesel generator. The black diesel generator starts and loads automatically to power the buses that supply these compressors.
-4) A containment isolation (CIA) signal causes suction valves 2lAC*MOV133 and 2 TAC *MOV134, as well as discharge valve 2 TAC *MOV130. to close.
Closing any one of these valves disables the containment instrument air system,
- b. Manual. The containment instrument air system can be aligned for supply from the instrument air system by openirig 21AC*MOV131 from the control room or can be supplied from the station service air system through a filter by opening .
two manual valves.
- 3. Tests / Maintenance (Frequency, System Reconfiguration, and Potential Misalignments). During normal operation. periodic tests are performed on the
(' standby compressors to ensure their ability to start. Oil chan0es are performed on _( the compressors but they are done infrequently. The air dryer is bypassed during air dryer maintenance. 3.2-43 32 system Analysis.
i l Bccysr Vcliey Pcwcr Station Unit 2 Revision 0 Probtbilistic Risk Ass 2ssm:nt
- 4. Recovery Considerations (including Useful Alarms, Indications, and Abnormal <
Procedures)
- a. Annunciation is provided in the control room for station air system trouble and for instrument air receiver tank trouble.
- b. Indication is provided in the contro' room for station air pressure a .d Instrument air p essure,
- c. Annunciation is provided in the control room for low containment instrument air pressure.
- d. Indication is provided in the control room for containment instrument air pressure.
3.2.1.3.6 Technical Specifications. None. [
, ' References i
! 'S AR, Section 9.3.1.
.ogic Diagrams 16-3 and 16-5.
Electrical Drawings 12241-RE 1H. 12241 RE-1L. 12241-R E- 1 Y. 12241-RE-1 AA, 12241-RE-1 AB, 12241-R E-1 AH, 12241 RE-1 AJ, 12241-RE-1 AK. 12241-RE-1 AS. and 12241-RE 1BD. 3.2.1.3.8 Modeling Assumptions
- 1. Equipment Boundaries
- a. The block diagrams for the instrument air system and containment instrument air system ara presented in Appendix A (Reference 3.2.1-1) along with the component tables.
- b. The instrumen air system model includes the compressors and associated components from the station air system that are necessary to supply compressed air to the instrument air system main headers. Air supply paths to individual loads are included in the models for the equipment served.
- c. The containment instrumen; air system model includes the compressors, valves, and associated components that are necessary to supply air to the main l
headers of the containment instrument air system. Air supply paths td ! individual loads are included in the models for the equipment served.
- 2. Initial Conditions. One compressor operating in the instrument air system and one compressor operating in the containment instrument air system.
- 3. Dependencies Not Modeled. None.
- 4. Failure Mode Impacts. Loss of support for the air dryer in the instrument sir system or the containment instrument air system is assumed te be a failure of the particular system.
- 5. Common Cause. See Table 3.2.2-3.
l 3.2-44 32 System Ana'ysis
i 4 Beaver Valley Power Station Unit 2 _ Revision 0 1- Probabilistic Risk Assessment 3.2,1.4 Reactor Protection System i, 3.2.1.4.1 System Function. The reactor protection system trips the reactor on a signal from
- the solid state protection system (SSPS) or manual signal from control room. The SSPS signal is generated when sensed and calculated process and nuclear parameters fall outside preset safe limits. The purpose of the sudden trip is to protect against the onset and conse'. ' onces of conditions that threaten the integrity of the fuel barrier. The trip action consists of rapid insertion of the control rods.
3.2.1.4.2 Success Criteria (For Each Mode of Operation) l b + FSAR. The reactor protection system automatically hitiates reactor trip whenever necessary to prevent or limit fuel damage and to protect the reactor coolant system l_ pressure boundary. The reactor protection system initiates a turbine trip to prevent excessive cooldown of the reactor coolant system. {
+ PRA. System success is defined in all cases as at least 47 of the 48 control rod clusters successfully inserted into the core on demand. This is conservative. since it is possible for several rods to fail to insert and still maintain subcriticality.
i 3.2.1.4.3 Support Systems l 1. SSPS Train A. Provides trip signal to ?
- a. Undervoltage coil 52(UV)/RTA that opens trip bmaker 52/RTA under normal operation.
l
- b. Shunt trip coil 52(SHTR)/RTA that acto like a backup to 52(UV)/RTA.
j' c. Undervoltage coil 52(UV)/PYd that opens bypass trip breaker 52/BYB when train B is in testing or tiie maintenance mode.
- d. Shunt trip coi! 52(SHTR)/BYB that acts like a backup to 52(UV)/BYB when train l B is in test.
i i- Note: Opening a trip breaker causes loss of power to the control rod drive power bus and an immediate gravity-powered rod insertion. != ! 2. SSPS Train B. Provides trip signal to l
- a. Undervoltage coil 52(UV)/RTB that opens trip breaker 52/RTB under normal operation.
- b. Shunt trip coil 52(SHTR)!RTB that acts like a backup to 52(UV)/RTB.
- c. Undervoltage coil 52(UV)/BYA thc! opens bypass trip breaker 52/BYA when train A is in testing or the mainte}}