ML20112J154
| ML20112J154 | |
| Person / Time | |
|---|---|
| Site: | Comanche Peak  |
| Issue date: | 06/14/1996 |
| From: | John Marshall, Terry C TEXAS UTILITIES ELECTRIC CO. (TU ELECTRIC) |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| GL-88-20, TAC-M74397, TAC-M88982, TXX-96390, NUDOCS 9606190296 | |
| Download: ML20112J154 (242) | |
Text
M Log # TXX 96390 "lllllllll" """ Fi1e # 10010 '
L 4 10035 (GL-88 20)
C -
C Ref. #-10CFR50.54(f) ;
i 1UELECTRIC June 14, 1996
- c. i nce Terry i Gnmp M President U. 5, Nuclear Regulatory Commission Document Control Desk Washington, DC 20555
Subject:
COMANCHE PEAK STEAM ELECTRIC STATION (CPSES) UNITS 1 AND 2 ]
0OCKET N05. 50 445 AND 50 446 :
RESPONSE TO NRC REQUEST FOR ADDITIONAL INFORMATION ON CPSES INDIVIDUAL PLANT EXAMINATION FOR SEVERE ACCIDENT ,
VULNERABILITIES (IPE) (TAC NOS. M74397 AND M88982)
Ref: 1) NRC Generic Letter 88 20. " Individual Plant Examination ,
For Severe Accident Vulnerabilities," ,
dated November 23, 1988
- 2) NRC Generic Letter 88 20, Supplement 1. " Initiation of Individual Plant Examination For Severe Accident ,
Vulnerabilities," dated August 29, 1989 '
dated August 28, 1992 I
from William J. Cahill, Jr., to the NRC, ;
dated October 30, 1992 ,
- 5) NRC letter from Timothy J. Polich to C. Lance Terry, !
dated January 23, 1996 l Gentlemen:
As requested by References 1 and 2, TV Electric submitted responses to NRC Generic Letter 88 20 via References 3 and 4. The NRC subsequently issued a Request for Additional Information (Reference 5) regarding TU Electric's responses (References 3 and 4). Reference 2 had requested a response within 60 days of receipt of the Request for Additional Information. As a ,
result of conversations with Tim Polich of the NRC staff on March 18, 1996, the response due dete was extended to June 14, 1996.
Attachment 1 to this letter provides responses to the NRC Request for Additional Information (Reference 5). Attachments 2 through 15 to this letter provide supplemental information and are referenced within Attachment 1.
200020 9606190296 960614 '
()((
e-, n_ io .. s_ mn..m. moi.m >
TXX 96390 Page 2 of 2 Should you have any questions, please contact Carl Corbin at (214) 812 8859.
Sincerely, C. L. Terry By:
'J. S. Marshall Generic Licensing Manager CBC\cc Response to NRC Request for Additional Information (RAI) on CPSES Individual Plant Examination (IPE) Submittal Level I Question 8 Level I Question 15 Figure HRA 01 1 Figure HRA-Q7 1 Figure HRA 09 1 Figure HRA 013 1 Figure HRA 015 1 Table HRA 015 1 0 Table HRA 015 2 1 Teble HRA 015 3 2 Table HRA 015 4 3 Figures HRA 015 2 and HRA 015 3 4 Figure HRA 015-4 5 Probability Analysis for Off Site Power Non Recovery Events c- Mr. L. J. Callan, Region IV Ms. L. J. Smith, Region IV Mr. P. M. Ray, NRR Resident Inspector, CPS 5
Attachment I to TXX-96390 Response to NRC Request for Additional Information i Page 1 of 130 on CPSES IPE Submittal Questions for Level 1 Review Level 1 Question 1: ,
This question concems the completeness of the treatment of any twin-unit effects at the !
Comanche Peak Steam Electric Station (CPSES).
The submittal represents both units of the plant (see p.1-4). The system descriptions of l several electrical systems (offsite power and switchyards,6.9 kV EAC buses) and fluid systems (SW, CCW, and Chilled Water) indicate crossties between the units. Operational aspects of the IPE analysis also indicate the usage of the other unit (e.g., recovery actions, CCXTIE and SWXTIE on p. 3-201, -202 respectively). On the other hand, p. 3-177 of the :
submittal states that Unit ! started its commercial operation in April 1990, and Unit 2 is still 2 under construction, and consequently, sufficient plant-specific operating data cannot be i i available for the IPE study. (Unit 2 started its commercial operation only in 1993.) It is not !
clear from the submittal which systems were considered to be shared or only cross connected. Please provide a list of the cross connected and shared systems modeled for the IPE and describe the present (real) situation. (Multiunit considerations are addressed in Section 2.1.4, Guideline No. 3 of NUREG-1335.) }
Response
- At Comanche Peak Steam Electric Station (CPSES), there are several shared and cross-tied systems incorporated in the design of the two units. The shared systems important to the IPE are the Service Water Intake Structure and Traveling Screens and Screen Wash Systems; the Switchyard; the Instrument Air Common Compressors; and the Circulating Water Intake Structure. The systems capable of being cross-tied are the Station Service Water System and the Component Cooling Water System. In addition to these systems, there are electrical cross-ties for certain of the common load centers. Most of the safety systems (e.g., AFW and Safety Injection systems) have intra-system cross-tie capability but do not have inter-unit cross-tie capability. The Diesel Generators are unit specific (two per unit).
4 The two systems capable of being cross-tied between units, namely the Station Service Water >
I
i t
1 Attachment I to TXX-96390 Response to NRC Request for Additional Information !
,' Page 2 of130 on CPSES IPE Submittal !
System and the Component Cooling Water System were modeled with the cross-ties in the 4
. IPE. At the time of the IPE submittal, the Unit 2 Service Water and Component Cooling l j Water systems were operating and had been turned over to operations, and thus were-
- available. Therefore, these cross-cennect features were appropriately credited in the IPE for - !
[ the corresponding loss of support system initiating events. l The electrical systems that provided alternate sources of power to equipment were not necessarily turned over at the time the IPE was frozen. Therefore, these alternate supplies I
were modeled as undeveloped gates and were not credited in the IPE.
The present real situation is that both units are fully operational with all'such system cross-
- ties available. The IPE model still reflects the conservatism of the undeveloped gates. ,
i i
l
- t I l k l 4
4 4
i ,
1 l
- i i
.. I j'
l
)
- v w w
W i
e Attachment I to TXX-%390 . Response to NRC Request for Additional Information Page 3 of 130 on CPSES IPE Submittal Level 1 Question 2:
t It is not clear from the submittal how the cross-tied and shared systems are treated for the unit at power if the other unit is in cold shutdown and some of the shared (or potentially ;
. cross-tied) systems are experiencing extended downtime. How do you account for the ;
unavailability of the systems that are capable of being cross-tied or shared during the time the opposite unit is in shutdown? Please show how each shared / cross-tied system was treated in this regard and what was the impact on your results if this was not considered.
Response
As noted in the response to the previous question, the only cross-tied systems that were l
Water (SW) System. Shared systems were assumed to be available and powered from the Unit I system and the altemate supply modeled as undeveloped gates. For the systems that j 3
were credited, the following discussion is provided.
l The plant tecimical specifications for the Station Service Water System require all four [
pumps (two per unit) to be available during modes 1 thru 4. (That is, if both units are in {
modes I thru 4, all four pumps are operating.) With one unit in modes 5 or 6, at least one .
service water pump must be available in the shutdown unit with the cross-connect valves to f the operating unit available. This assures that the cross-tie capability is available during ;
l maintenance outages. The Component Cooling Water System has a technical specification i
requirement that two independent loops be available (per unit) in modes 1 thru 4. l The recovery of SW or CC via the cross-ties was used in the model only as a recovery for f
. total loss of SW or CC initiating events. It was not used to recover progressive random
[
failures that led to loss of CC or SW systems. This is reflected in the loss of CC or SW _}
initiating event frequencies. That is, the initiating event frequencies were recalculated taking s I into account recovery of failed equipment and availability of the cross-tie in the loss of !
CC/SW initiating event fault tree. The ratio of the non-recovered loss of CC/SW initiating -
)
event frequency to the recovered loss of CC/SW initiating event frequency was used as a :
recovery factor for the original initiating event frequency in the final quantification. The f
cross-tie was only one means of recovering total loss of the CC/SW initiating event. l t
.h Is y n
i h
Attachment I to TXX-96390 Response to NRC Request for Additional Information ;
Page 4 of 130 ~ on CPSES IPE Submittal The use of the cross-tie was a point estimate that considered both human recovery actions and opposite unit cross-tie availability. The point estimate was assumed to be driven by the 4
human action, a screening value of 1.0E-02. The value did not explicitly account for the unavailability of the cross-tie capability during shutdown periods. This is a very reasonable i assumption for the Station Service Water System, given the technical specification requirements. It may be reasonable for the Component Cooling Water System, but since the !
technical specifications do not require at least one pump and the cross-connect valves to be available, one could assume that there is some period of time during the cycle (e.g., the
, outage of the opposite unit) when the cross-tie is not available. Two weeks out of the fuel cycle is a reasonable estimate of unavailability. This results in a system unavailability of about 2.6 E-02. If the non-recovery probability is increased by this amount, the change in core damage frequency is approximately 2.3E-06.
l t
d l
4 1
9
,_, + ..-,--.-n. m - - , ,- -- . , -- - - - - -
__ _ ..._ _ _ _ _ _ . - _ _ _ . - ~ _ . _ __ _ _ . _ __
4 i l Attachment I to TXX-96390 Response to NRC Request for Additional Information ,
Page 5 of 130 - on CPSES IPE Submittal ;
7 .
Level 1 Question 3: .
t i
~
The initiating event analysis of the submittal is fairly detailed. However discussion of two
, areas is lacking: The treatment of common cause loss of AC or DC Buses as initiating j
] events, and the possibility of dual unit initiators. Please provide the initiating frequencies
[ and associated CDF contributions for:
(a) Initiating events caused by common cause loss of AC or DC Buses, and {
i i' (b) dual unit initiators.
L If any of them can be neglected, please provide the reasons.
'i l
l Response: i s
-l
. t 4
(a) Common cause initiators generally refer to those events that cause a plant trip and cause failure or degradation of one or more systems needed to respond to the plant trip. The
! approach used to develop initiating event categories for the CPSES IPE is based on the PLG I- methodology and is similar to that used for the Seabrook PRA and the South Texas Project :
PRA and is consistent with the recommendations of the IDCOR. With this methodology, 1 common cause initiators are grouped into two main categories: support system faults and
- extemal events. The extemal event common cause initiators were addressed in the CPSES IPEEE. Intemal flooding, which is a special case, and support system faults were addressed j I
- in the IPE.
I Using this methodelogy, the common cause initiating events were developed for the CPSES l
i IPE. These are loss of offsite power, loss of a DC bus, loss ofinstrument air, loss of service l water, loss of component cooling water and loss of safety chilled water. The latter three were designated special initiators. System faults trees were developed for the service water, component ecoling water and safety chilled water systems and quantified to obtain initiating
- events frequencies.
The LOOP initiator involves loss of both vital AC busses. A special case of this event e evaluated common cause failure of the vital AC busses due to equipment failures following a "BOS" signal. This common cause event is found in the top ten cutsets. The LOOP 1
1
_ .. - . _ _ __ . . _ - . . _ _ _ _ . . _.. _ ..__ .___. . _. ~_ . _ _ _ _ _
4 Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 6 of130 on CPSES IPE Submittal i
initiating event frequency is 3.5E-02 events per year; the CDF contribution for LOOP is i 1.59E-05 events per year.
The loss of a DC bus initiator involves only one of the DC busses. As part of the DC power ;
system evaluation, common cause failure of all four vital station batteries was considered.
This is not a significant contributor to core damage frequency. The loss of a DC bus initiating event frequency is 3.35E-02 events per year; the CDF contribution for this
- initiating event is 2.17E-06 events per year.
) (b) Dual unit initiators were not explicitly considered in the CPSES IPE. ,
j 4
i i
I 4
f r i
i 1
i ,
d i
d t
4 t
J a
3 4
4 e 5
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 7 of130 on CPSES IPE Submittal Level 1 Question 4:
The value of 0.035/ year for the loss of offsite power (LOOP) initiating event frequency 'for a single unit) is at the low range of typical LOOP frequency values, as provided in your data source; NSAC/166. The total CDF is dominated by this initiator (28%). Therefore, the LOOP frequency will directly influence a major portion of your results.
Please explain how you estimated the LOOP frequency (both for single and dual units).
Include in your discussion what guidelines were followed and how plant specific information and data, e.g., maintenance activity in switchyards, " Type B human action faihires" [see p.
3-179], anticipated frequency ofdisturbances from Unit 2, etc. were accounted for, including ,
weather related events, anticipated frequency of disturbances from Unit 2, etc. were
, accounted for, including weather related events.
Response
l The value of 0.035/ year for the LOOP frequency was used directly from NSAC/166 (page 2-14) without any modifications. This value represents the frequency of total loss of offsite j power to a generic unit from all causes while under power operation. The means of arriving at this estimate is provided in NSAC/166.
As mentioned in the IPE report, no plant specific data was collected for the Comanche Peak IPE evaluation (Section 3.3.2, page 3-177) and no specific Type B human actions were
- evaluated (Section 3.3.3, page 3-179). Therefore, there was no event by event screening of l the loss of offsite power events for maintenance activities or weather or for any other cause.
i-l To evaluat loss of offsite power frequency at the Comanche Peak site, data from NSAC/203 was used for plant specific screening. Data for ten years was considered, from 1984 to 1993, and the following screening criteria was used:
. Event must cause at least one of the two units to trip (if at power) and the diesel
. generators on that unit to start and load.
g
. Event must not be initiated by failure of the main transformer, fast transfer breakers, ;
l I
i 1
Attachment 1 to TXX-96390 Response to NRC Request for Additional Information Page 8 of 130 on CPSES IPE Submittal or any components specifically modeled in the electric power system of the PSA.
. Loss of offsite power must not be a result of a unit trip.
. Events must not be caused by unique configurations during cold shutdown and affect only the shutdown unit. If maintenance operations during cold shutdown of one unit cause loss of offsite power to the other unit (which may be at power or shutdown),
this event is considered to be a relevant event.
This screening criterion provides a slightly conservative estimate of the loss of offsite power frequency at a site, because it includes events where only one of the multiple units tripped.
In some cases, offsite power is still available, but must be manually restored. The units for this frequency are loss of power events per site-year.
These data were used to generate the first stage generic distribution for loss of offsite power frequency in a two-stage Bayesian update process. The generic distribution was then updated with Comanche Peak site specific information of 0 events in four years (1991 through 1994). The following are the main characteristics of the prior and the posterior distributions:
Loss of Offsite Power Frequency Events / Site-year Distribution Characteristics Mean 5th %ile Median 95th %ile Prior 1.06E-01 5.38E-03 4.87E-02 4.01E-01 Posterior 5.80E-02 4.43E-03 3.46E-02 1.90E-01 Plant Specific data: 0 events in 4 site years This is an average frequency ofloss of offsite power during any mode of the site. To arrive.
at the frequency of LOOP events that will see a given unit at power, the above posterior must be multiplied by the availability of the unit. The average availability factor for the two units over the four years has been 0.83. Therefore, the frequency that would be used for a power
1 1
Attachment I to TXX-96390 Response to NRC Request for Additional Information
!- Page 9 of130 on CPSES IPE Submittal i :
- PSA is 0.83*0.058 = 0.048 events per year. ;
j -- The plant-specific frequency is a 37% increase over the generic estimate used for the IPE. j This may seem like a major increase over the estimate used in the IPE, but it actually is not, especially in a " log world" of the PSA results. The total core damage frequency estimated -
by the IPE is 5.72E-05, of which 1.59E-05 is from itss ofofTsite power events. The impact l
of the revised frequency will increase the LOOP cc,ntribution to 2.18E-05. The total core damage is then 6.31E-05, an increase of 10% in the overall core melt frequency. !
4 3 '.
4 i
s l !
- i e'
{
i 1 ,
j_
4 P
I I
i i
r a
t s
t 4
Attachment I to TXX-96390 Response to NRC Request for Additional Information
The CDF contribution due to SBO is an appreciable fraction (28%) of the total CDF. Unit I started in commercial operation in April 1990, while Unit 2 started in 1993 after the freeze date of the IPE, January 1,1992. From the submittal, however, it is not clear whether plant changes (design or operational) due to the Station Blackout rule were credited in the iPE model or not.
Please provide the following: (1) identify whether plant changes (e.g., procedures for load shedding, alternate AC power) made in response to the blackout rule were credited in the IPE and what are the specific plant changes that were credited; (2) if available, identify the total impact of these plant changes to the total plant core damage frequency and to the station blackout CDF; (3) if available, identify the impact ofeach individual plant change to the total plant core damage frequency and to the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF); (4) identify any other changes to the plant that have been implemented or are planned to be implemented that are separate from those in response to the station blackout rule that reduces the station blackout CDF; (5) identify whether the
! changes in #4 are implemented or planned; (6) identify whether credit was taken for the changes in #4 in the IPE; and (7) if available, identify the impact of the changes in #4 to the station blackout CDF.
Response
- 1. TU Electric initially responded to 10CFR50.63, " Loss of All alternating Current Power", in TU Electric letter log #TXX-901008, William J. Cahill to the U.S. Nuclear
. Regulatory Commission, dated November 5,1990. In order to perform an assessment of CPSES's ability to withstand and recover from an SBO for Unit 1, TU Electric used the guidance of NUMARC 87-00," Guidelines and Technical Basis for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors". This response was for Unit 1 only and Unit I was considered a single unit site. Therefore, no credit was taken for electrical or certain fluid system cross-ties to Unit 2 in the IPE systems fault trees. The only plant specific change which was proposed in the initial response was the addition of DC powered ventilation fans for the Uninterruptible Power Supply (UPS) rooms to supplement the existing UPS IIVAC units. These fans had not been installed as of the IPE freeze date. In the IPE electric power system fault trees the UPS IIVAC system is conservatively modeled
't
I Attachment I to TXX-96390 - Response to NRC Request for Additional Information
- Page11of130 on CPSES IPE Submittal so that the UPS system will fail upon a loss of UPS HVAC. ABN-601 A," Response to a
- 138/345kv System Malfunction," was revised to direct operators to open doors on UPS rooms within 30 minutes after the SBO occurs. No credit was taken in the IPE for any i recovery action such as opening doors.
Subsequent to the IPE freeze date, TU Electric submitted an additional assessment of 4
l CPSES's ability to withstand and recover from an SBO for both Units 1 and 2 in TU Electric letter log #TXX-92447, William J. Cahill to the U.S. Nuclear Regulatory Commission, dated October 1,1992. The response states, "With the availability of an emergency diesel
- - _ generator in the non-blacked-out unit, credit is taken for the operation of selected systems 1
, which service both Units 1 and 2 " . , The two systems ofinterest to the IPE are Control i Room Ventilation and UPS room ventilation. With the addition of Unit 2, the control room
! ventilation system now consists of four 50% capacity air conditioning units (2 per train per
- unit) each with an electrical power supply common to both units. The UPS room ventilation system contains two 100% capacity air conditioning units each with an electrical power !
supply common to both units. When the next IPE update is performed the addition of the j Unit 2 cross-ties will be considered for incorporation into the model.
1 j 2 and 3. Based upon the discussion in number 1 above, there is no information available for these questions.
4,5,6 and 7. There are no other changes pending which are separate from the blackout rule.
l
)
i
?' ,
3 L t
l.
.,.-.n . ..g-,. r-,,, , -
Attachment I to TXX-96390 Response to NRC Request for Additional Information j Page 12 of130 on CPSES IPE Submittal Level 1 Question 6:
The rupture of the steam supply line to the turbine-driven AFW pump during plant operation I would be expected to result in a plant trip. At the same time, the TD AFW pump would be j disabled due to exposure to steam and moisture effects. Th'e IPE is not clear as to whether or not a break in the steam supply line to the TD AFW pump was considered as an initiating :
event. Please clarify the modeling of this potential initiating event. If this initiating event i has not been accounted for, please provide the basis for its omission. !
Response
In the CPSES IPE, rupture of piping was generally not included in initiating events with ;
notable exceptions, namely the reactor coolant system LOCAs, interfacing systems LOCAs, main steamline break and internal flooding, because the initiating event frequency is small. :
For ordinary process lines, the pipe break frequency is on the order of 1.0E-9 breaks per pipe segment per year which results in a typical low frequency event for any pipe. For example, ;
the number of pipe segments associated with the steam supply line to the turbine-driven 3
AFW pump in the pump room is relatively small, thus the expected pipe break frequency is small. ,
All this notwithstanding, the internal flooding analysis portion of the IPE assumed that the ?
steam supply line was a flooding source, i.e., a fled initiating event. A non-mechanistic rupture of the line was assumed to occur, and it was assumed that, as a consequence, all IPE ;
l '
1 equipment in the flood initiating compartment failed. Thus, the event described in the ,
question was addressed in the IPE. See also the response to Level 1 Question 11. !
4 I
f I
'f
I y:
4 Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 13 of130 - on CPSES IPE Submittal i Level 1 Question 7: .;
The ISLOCA is included in the study. However, there is no description about the method ]
used to evaluate the initiating event frequencies. Provide the leak / operational testing periods - l
. of the valves involved, the potential human errors associated with the testing, and a brief summary of the calculational approach used.
- i
., Response: i a . .
l
- With regard to testing of valves and potential human errors associated with testing, errors of commission were not included in the initiating event frequency, consistent with I NUREG/CR-5102. However, latent human errors associated with test and maintenance were considered in the calculation of core damage frequency, that is, these errors were included in the system models, including the interfacing systems analyzed.
The following is a brief summary of the calculational approach used for the inter-facing system LOCA evaluation.
Four classes ofISLOCA events were defined for this analysis. The criteria for defining these classes are: a) a contained release, after failure of the pressure isolation valves, through the relief valves or rupture in a low pressure system, and b) release inside or outside containment. The four classes are: i) small LOCA inside contai:unent, ii) small LOCA outside containment, iii) over pressurization LOCA inside containment, and iv) over pressurization LOCA outside containment.
The interfacing pathways were identified through a review of all the containment piping penetrations. This was done to assure that all potential interfacing systems LOCA candidates were identified. The review focused on all intersystem pathways where the boundary is represented by a high to low pressure valve arrangement.
The interfacing lines were identified as potential ISLOCA pathways if they satisfied the criteria identified in NUREG/CR-5102. These criteria are: 1) the line connects to the RCS,
- 2) the interfacing system penetrates the containment and has a design pressure lower than that of the RCS,3) the path could become over pressurized by the primary system due'to
' inadvertent valve opening or valve failure and the path could produce a leakage rate of l
l Attachment I to TXX-96390 Response to NRC Request for Additional Information . ,
- Page 14 of 130 on CPSES IPE Submittal - ,
1 primary system coolant of sufficient magnitude to cause a significant risk,4) the interfacing
- lines are greater than 2 inches in diameter, and 5) the interfacing system boundary is not a -
i heat exchanger tube or cooling coil.
, Using this approach the following interfacing system lines were identified: 1) the Letdown -
i line,2) the Excess Letdown line,3) The RHR Suction Line,4) the Low Pressure Injection to Cold Legs lines,5) the Low Pressure Injection to Hot Legs lines,6) the Intermediate
! Pressure Injection to Cold Legs lines, 7) the Intermediate Low Pressure Injection to Hot Legs lines, and 8) the Accumulator Injection to the Cold Legs lines.
a The determination of the ISLOCA initiating event frequencies through these various pathways was accomplished by adapting the generic system failure models identified in i NUREG/CR-5102 to the specific valve arrangements found at CPSES. Using the formulas ,
j provided in NUREG/CR-5102 the initiating event frequencies were calculated. Then each line was reviewed and the initiating event frequency for the line was partitioned based on break size into small and over pressurization categories, consistent with the .i recommendations of the NUREG.
i
- Following this, a failure analysis was done on the interfacing system to determine the failed
~
equipment, given the size and location of the break, and the events were classified as small, l 4
medium or large LOCAs. The events were then evaluated to determine if they were bounded by an existing accident sequence analysis. If they were, the conditional core damage
]^
probability (CCDP) of the existing accident sequence was used with the initiating event
- frequency of the ISLOCA event to obtain a core damage frequency for the event. For those .
cases that were not bounded, the affected equipment was failed in the model and the resulting tree was quantified to obtain the conditional core damage probability. This CCDP was multiplied by the initiating event frequency of the ISLOCA event to obtain the core damage probability for the event.
These ISLOCA cutsets were included in the final quantification and were reported in the IPE submittal.
d
t i
4 Attachment I to TXX-96390 Response to NRC Request for Additional Information ,
Page 15 of130 'on CPSES IPE Submittal Level 1 Question 8:
In the submittal the link between the "ftmetional top events" of the event trees and the " top.
- gates" associated with the system unavailabilities and the " dynamic human actions" (listed
- . in pp. 3-195 through 3-200) is missing. Since the front-line system success criteria are >
defined for the top gates (listed in Table 3.1.1-1) it is not possible to always interpret the !
- event sequences unambiguously (in terms of these system and " dynamic" human failures). -
Please provide the missing connection between the functional top events and the system unavailabilities and human actions.
Response
7 The relationship between the functional top events of the event trees and the top gates
! - associated with the system unavailabilities and the dynamic human actions are shown in the ;
! accident sequence fault trees which are provided as Attachment 2 to TXX-96390, " Level 1 l Question 8, Accident Sequence Fault Tree." In the parlance of the CPSES IPE, the intermediate logic connects the top logic with the system top gates. An example is provided
- below that shows the link. It should be noted that certain dynamic actions are in the 7 intermediate logic. However, as noted on page 3-195 of the IPE submittal, some of the
i dynamic actions were modeled most appropriately in the system models rather than in the
. intermediate logic. For example, RC&8000A and B, " Operator fails to open block valve when manually opening PORV", were modeled in the Reactor Coolant System. The remainder of the dynamic actions are in the accident sequence logic, for example
&BFXXINITNY, " Operator fails to initiate feed and bleed", t The general transient event tree shown, shown on page 3-37 of the IPE submittal, is used in ,
. the following example to shown how the front-line success criteria are tied to the event trees. .l The event tree shows the progression of the sequence. First, the initiating event occurs i followed by failure to establish secondary heat removal, $SGXX01. $SGXX01 is connected to the front-line success criteria (AF1000) as shown on page 4 of the accident sequence fault trees. The next event is failure to establish feed and bleed, $BFXX01. $BFXX01 is connected to the front-line success criteria (RC2000, CSG1000 and SIl000) and to the l dynamic operator action (&BFXXINITNY) as shown on page 5 of the accident sequence ;
faults trees. The final event, establish recirculation, $RCXX01, is connected to the front-line ]
l l
l l
1
. Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 16 of130 on CPSES IPE Submittal ,
success criteria (CSG2000, and S12000) as shown on pages 77 and 78 of the accident sequence fault trees. The dynamic operator action required for realignment of ECCS systems
(&RCXX01) is also shown on page 77. For the other event trees, a similar progression through the accident sequence faults trees can be used to identify the system success criteria required for each event.
i L
6 i
}
i i d
4 l
i t
i a
n l.
e
?
1 2
9., ., ,-_
' Attachment I to TXX-96390 ' Response to NRC Request for Additional Information -
Page 17 of130 on CPSES IPE Submittal Level 1 Question 9: -
In certain (mainly transient) event trees found in the submittal the steam release during secondary side heat removal is 'modeled together with the secondary feed (top event
$$SGXX0lS). In other event trees the multiple steam release paths were assumed to be negligible contributors (top event $$SGXX01). Please explain the criteria used to determine which modeling option was chosen for each tree.
In addition, in some event trees (e.g., in the Loss of Service Water event tree; Figure 3.1.2-11 and in the loss ofInstrument Air event tree; Figure 3.1.2-12) the top event designator
$$SGXX01, which indicates only secondary feed by the AFW, is inconsistent with the associated event descriptor, which characterizes the event as "AFW with steam relief", i.e.,
as $$SGXX0lS. Please clarify this apparent discrepancy.
I
Response
In the accident sequence fault tree, $SGXX0lS is used to model failure to establish secondary heat removal afkr an "S" signal has occurred; $SGXX01 is used to model failure to establish secondary heat removal prior to an "S" signal. At CPSES, a significant system reconfiguration occurs upon receipt of an "S" signal. This reconfiguration makes some systems more reliable by providing an auto start signal, but makes other systems less reliable by tripping running equipment. To account for this, the two gates were defined and used where appropriate in the logic. Since any sequence that uses $SGXX01 S begins without an "S" signal, but ends with an "S" signal, it was necessary to either run the tree in two stages, ;
or make a single tree with flags set appropriately. The latter method was used. l l
With regard to any discrepancy in the event trees, it should be noted that halb $SGXX01 and l
$SGXX0lS refer to events with tuxiliary feedwater flow to the steam generators and steam relief. - The oni,v difference between them is the reconfiguring due to the "S" signal as discussed above:. Specifically with regard to the Loss of Service Water and Loss of Instrument Air event trees, there is no discrepancy. Both event trees require $SGXX01 for success, that is auxiliary feedwater flow to the steam generators and steam relief (pages 3-27 and 3-28 of the IPE submittal).
I i
l l
i
i j
- Attachment I to TXX-96390 - Response to NRC Request for Additional Information -
Page 18 of130 on CPSES IPE Submittal Level 1 Question 10:
This question concerns the modeling of DC power: :
(a) In the event tree for "Very small break LOCA" (FIG. 3.1.2.17) there is a top event with designator "EPBATfDEPL" and descriptor "TDAFWP Runs Until Battery Depletion." This event indicates failure of the TDAFWP at 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, due to loss of DC power that leads to overfill of the steam generators and failure of the TDAFWP.
During this accident the chargers are operating. Explain the reason why this top event is included in the event tree.
(b) It is not clear from the submittal whether the 4-hour battery depletion time under SBO conditions assumes load shedding. Ifload shedding is necessary, (i) what is the ,
battery life without load shedding, (ii) how was load shedding modeled, and (iii)
- what are the HEP values for operator actions connected with load shedding?
Response: q (a) As noted in the IPE submittal, the event "EPBATTDEPL" was used primarily for the l Level 11 analysis. In the Very Small Break LOCA tree based on MAAP analyses (for ;
binning), the availability of auxiliary feedwater for four hours will redirect the binning from ;
PDS3 to PDS4. The difference between the PDS3 and PDS4 bins is the timing of core melt, early versus late, respectively. ,
Thus, the event "EPBATTDEPL"is nothing more than a tag in the accident sequence / system :
fault trees that provides indication to the analyst of the timing of the sequence. Itis specifically located in the trees to account for sequences where only the battery is providing !
DC power, that is, the other sources such as battery chargers are unavailable either due to initiating events or due to random failures. ,
(b) No load shedding is necessary for a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> battery capacity. .
t 1
,- - y cr , - - - .
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 19 of 130 on CPSES IPE Submittal Level 1 Question 11:
On p. 3-227, the submittal discusses the approach used in the flood analysis. It states that "other (flood) hazards such as pipe whip, steam impingement, and specific liquid jet, or spray pattems were outside the scope of this analysis."
It is not clear why the IPE team limited its consideration of flooding-related events to the relatively low energy flood sources. For example, a break in the steam supply line to the TD AFW pump could disable equipment via the effects of the spray.
Similarly, the spurious actuation of the fire suppression equipment may also disable safety related system operation or damage essential system components.
Please provide a rationale for the exclusion of flood sources involving spray and splashing.
Response
' The internal flooding part of the IPE included an evaluation of flooding hazards from all plant liquid (primarily water) sources that could affect IPE equipment. For that analysis, the Appendix R fire zones were used to identify the fleod initiating zones. Internal flood hazard sources in these zones included all installed fixed liquid systems and certain temporary hose or tubing installations. In the initial screening analysis, any source of water, including liquid l jets and sprays, was assumed to fail all IPE equipment located in the associated flood -
initiation zone and certain equipment in compartments into which the flooding could spread. i This conservative assumption was refined for each scenario until the result met the screening l f
criteria or until the scenario was considered to reflect actual plant response. However, the failed equipment in the flood initiating compartment remained fixed during this iteration, i.e.,
all IPE-related equipment in the flood initiating compartment was c.ssumed to be failed.
- Thus, for example, the steam supply line to the turbine-driven AFW pump was assumed to l
. be a flooding source for this evaluation. The statement quoted from the report, namely
"....other (flood) hazards such as pipe whip, steam impingement, and specific liquid jet, or
. spray pattems were outside the scope of this analysis.", means that the specific effects of pipe whip, steam impingement, and specific jets and spray pattems were not determined mechanistically, rather as stated above, it was assumed that all IPE equipment in the flood initiating compartment failed for each such source, whether from pipe whip, steam
-r , , , m
l l
i Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 20 of 130 on CPSES IPE Submittal impingement, or specific jets or spray patterns. This is a conservative assumption given that not all sources have sufficient water or energy to produce this effect.
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 21 of130 on CPSES IPE Submittal
- Level 1 Question 12:
The flood source selection criteria includes the following statement: " Temporary hose or tubing systems that could potentially be used for one-time maintenance or repair applications were outside the scope of this analysis."
Please discuss how other types of maintenance failures were treated in the flooding analysis.
Include errors committed while in cold shutdown, which were left undiagnosed (e.g., blocked drains) during operation while the unit is at power until the flood event.
~ Response:
Maintenance related failures were addressed in the flooding analysis, as they were in the rest of the IPE, by modeling latent human errors at the component level in the systems fault trees.
Such errors included mis-positioning valves and failure to restore equipment following test or maintenance. To the extent that such failures were part of the cutsets that resulted from the flooding scenarios, they were included in the scope of the analysis.
The flooding methodology did not credit the use of sump pumps or the availability of drains to mitigate the effects of the flood. Rather, drains were considered to propagate the effects of the flood to other compartments. This propagation, i.e., flow out of the flood initiating compartment, was not used to reduce the effects of the flood in the flood initiating 2 compartment, rather it was assumed that all IPE components in the flood initiating compartment failed irrecoverably. Thus, any maintenance errors associated with sump pumps or drains have no effect on the results, and therefore, they were not modeled.
4 4
i t
4 r
W i
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 22 of130 on CPSES IPE Submittal Level 1 Question 13:
Section 3.4.2 of the submittal is called " Vulnerability Screening." The screening finds no vulnerabilities at the Comanche Peak units.
NUREG-1335 requests that the licensee 1) provide a list of any vulnerabilities identifi"d by the review process,2) a concise discussion of the criteria used by the utility to define vulnerabilities and 3) fundamental causes of each vulnerability. Please provide such information.
Response
(1) No plant specific vulnerabilities were identified for CPSES Units 1 and 2. This is noted in Sections 3.4.2 and 7 of the submittal.
(2) The vulnerability screening used in this evaluation started with the reporting criteria specified in Appendix 2 of Generic Letter 88-20. These criteria are:
(i) Any functional sequence that contributes 1.0E-06 or more per reactor year to core damage, (ii) Any functional sequence that contributes 5% or more to the total core damage frequency, (iii) Functional sequences that contribute to a containment bypass frequency in excess of 1.0E-07 per rector year, (iv) Any functional sequences that the utility determines from previous applicable PRAs or by utility engineering judgment to be important contributors to core damage frequency or poor containment performance.
Then a qualitative analysis was done. A review of the sequences that screened into the reporting criteria showed that the core damage profile by initiating event is relatively flat.
That is, the core damage frequency is uniformly distributed among initiating events and different sequence types. Given this flat profile,it was concluded that no single sequence type or initiating event indicated a weakness, i.e., a vulnerability, in plant design or operation.
'i l
i l
- Attachment I to TXX-96390 Response to NRC Request for Additional Information j Page 23 of130 on CPSES IPE Submittal i I
Level 1 Question 14-Section 3.4.3 of the submittal discusses the evaluation of the Decay Heat Removal (DHR) ;
at the CPSES. The CDF contributions of DHR failures are presented for the leadmg i t
sequences and for appropriately selected initiators.~ Explicit results, however, are not given for the relative CDF contributions due to failures of the systems constituting the DHR or of :
their support systems. l l
Therefore, please provide the CDF contribution for f i
(a) the individual systems constituting the DHR (including feed and bleed), and (b) the individual support systems providing support to front-line systems that perform ,
DHR.
i Response: l The systems that constitute the decay heat removal function for CPSES are certain of the ]
front-line systems shown in Table 3.2.3-1 of the CPSES IPE submittal. These are the t auxiliary feedwater system, the chemical and volume control system, the residual heat j removal system, the safety injection system, and portions of the main steam system and the l reactor coolant system. The following is a listing of the Fussell-Vesely importance measures t for these front-line systems. (The importance measures were computed for these systems for ;
Maintenance Rule purposes.) Whereas these are not core damage frequency contibutions per se, the FV measure provides insight into the importance of the systems t3 core damage j frequency.
Front-Line System Fussell-Veselv Importance J
Auxiliary Feedwater 0.34 Chemical and Volume Control 0.09 Residual Heat Removal 0.05 l Safety injection 0.11 i Main Steam 0.02 Reactor Coolant 0.42 i
The systems that provide support to front-line systems that perform the decay heat removal I function are also shown in Table 3.2.3-1. These are the component cooling water system,
- the safety chilled water system, the diesel generators and auxiliaries (part of electric power),
]
the electric power system, the engineered safeguards features actuation system (ESFAS) and
1 i
Attachment 1 to TXX-96390 Response to NRC Request for Additional Information l
- Page 24 of 130 on CPSES IPE Submittal j the station service water system. The following is a listing of the Fussell-Vesely importance measures for these support systems. -
t Support System Fussell-Veselv Importance Component Cooling Water 0.10 i Safety Chilled Water 0.02 !
Diesel Generators and Auxiliaries 0.20 ;
Electric Power 0.14 ;
ESFAS 0.02 l Station Service Water 0.15 l t
I l
l l
l l
l l
l 1
I i
i t
, , , - . , - , . - . , . - . . c _ - , -
1 I
-l
[ Attachment I to TXX-96390 Response to NRC Request for Additional Information' i
Level 1 Question 15: . 1
, f i -
RCP Seal LOCA contributes approximately 29% of the total CDF (p.1-4). Part of the l
analysis is the description of the " Induced LOCA".special event tree (p. 3-56). The details -
l of the' model applied, however, are not clear.
l (a) Please provide a discussion of the RCP seal LOCA model used.
l !
j (b) . Provide the probability vs. leakage rate vs. time data and any specific test results. j s
I i (c) Provide a discussion of operator actions, which are proceduralized and their timing
[a. in the event of a loss of one or the other (or both) methods of seal cooling.
l (d) Is seal cooling isolated in certain accidents (e.g., steam line break inside the I. containment), what are the operator procedures for this and how is this treated in the l model?
i f Response:
4 i
e
- (a) Because of their unique progression to core damage, induced L #CA's, e.g., LOCAs
. caused by RCP seal failure as a result ofloss of supports were evaluated using special event trees. These event trees were developed to account for any transient condition or event that i could result in an induced LOCA. These special event trees were integrated with the accident sequence logic as described below.
l ,
i For any transient or event other than a LOCA (i.e., a very small, small, medium, large or j very large LOCA initiating event), the event was evaluated for conditions that could lead to
positive displacement pump or the centrifugal charging pumps. Thermal barrier cooling is l- provided by Component Cooling Water. Thus any transient or event that results in a loss of
- both seal injection and thermal barrier cooling results in an induced seal LOCA. [For i
example, since the positive displacement pump is cooled by component cooling water and the centrifugal charging pumps are cooled by service water, a loss of service water event causes loss of both seal injection and thermal barrier cooling.] Given these conditions, the P
probability of a seal failure is assumed to be 1.0 with no probability of recovery. From this
. i l
i I
Attachment I to TXX-96390 Response to NRC Request for Additional Information i Page 26 of130 on CPSES IPE Submittal i
point, the determination of the severity of the induced LOCA depends on the timing and the sequence of failure of other mitigating systems, e.g., auxiliary feedwater.
In the accident sequence logic (provided in response to Level I question 8 above) there is a :
top event named @ INDUCED (page 23). This event includes all the transient induced. ,
LOCAs (i.e., all non-LOCA initiating events that lead to an induced LOCA from RCP seals,
. PORVs and SRVs). Sequences #1ND2 and #IND4 (page 23) and #IND1 and #IND3 (page
- 33) show the modeling of the logic. Sequences #IND1 and #1ND2 assume successful secondary heat removal and result in small or large seal LOCAs. Sequences #1ND3 and ;
- IND4 include the probability and failure of secondary heat removal and the resulting size !
of the seal LOCA. i i
(b) The probability that a transient results in a large versus small RCP seal LOCA and ,
the effects of availability of secondary heat removal on the timing of the event were evaluated in a supporting calculation and are summarized below.
l In doing this evaluation, no plant specific 1csts were done. Rather, the event trees and other i information provided in NUREG 1150 and certain information from the NSSS vendor were used to develop the leak rates and associated failure probabilities. Then MAAP runs were i done to determine the effects of secondary cooling on the timing.
NUREG 1150 provides an event tree that displays the degradation phenomena of the seals and provides the long term leak rates and the endpoints of a given path in the event tree. The event tree is provided in Figure A (and Figure B) of Attachment 3 to TXX-96390. " Level 1 Question 15." The event tree was quantified as discussed below. The seal ring faihire probabilities are time-independent while the o-ring failures are time dependent. Since for some events, such as station blackout (SBO) without secondary heat removal (AFW) core melt occurs within a short time (< 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) time-dependent failures were categorized as either likely (i.e., p = .95) or unlikely (i.e., p = .05). With this assumption, the various paths were quantified and the results are shown on Level 1 Question 15 Figure A. These were combined into representative early SBO cases according to leak rate. For events where
, secondary heat removal is available for at least 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, core damage occurs late so there is a longer time period where the seals are without cooling. For these late cases, all time dependent failure probabilities were increased and were considered likely (i.e., p = 0.7).
With this assumption, the various paths were requantified and the results are shown in Level
i Attachment I to TXX-96390 Response to NRC Request for Additional Information
- I Question 15 Figure B. These were combined into representative late SBO according to
~
leak rate. MAAP runs were done that showed the dependence of the leak on the timing, i.e., !
the availability of AFW.- As a result of these considerations, the front-end analysis utilizes !
l the availability of secondary heat removal (i.e., AFW) to determine the split fraction between l
large and small RCP seal LOCAs. This was done using Level 1 Question 15 Figures A and 1 i B. Thus, for smaller seal LOCAs where AFW is not available, the frequency is 0.76, and for ,
j Jarger seal LOCAs with no AFW the frequency is 0.24. Similarly, for cases where there is j i AFW for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, the small seal LOCAs have a frequency of 0.24 and the large seal LOCAs i have a frequency of 0.76.
$ These probabilities appear in the accident sequence fault trees as:
i l
- $SFSMALL2 - Probability that induced LOCA small after failure of secondary heat removal (P = .76)
- $SLARGE2 - Probability that induced LOCA is Large after l failure of secondary heat removal (P = .24)
)
i . $SFSMALLI - Probability that induced LOCA is Small after 1 1 j successful secondary heat removal (P = .24) l
) . $SFLARGEl - Probability that induced LOCA is Large after s
' successful secondary heat removal (P = .76) .
l
- (c) Plant abnomial conditions procedure ABN-101, " Reactor Coolant Pump 1 Malfunction", provides the operator actions to be taken in the event ofloss of seal injection, l
loss of component cooling water to the reactor coolant pump (here to the thermal barrier 1 cooler) at high temperature or both. Some of the highlights of the procedure are provided I i here. !
- Section 7.0 cautions the operator that with loss of both seal injection and thermal
! barrier cooling, the pump must be stopped within one minute. The procedure verifies i thermal barrier cooling is present, otherwise Section 8 is performed in parallel. The operator then checks that a centrifugal charging pump is running and the charging flow control valves are operating properly. RCP temperatures are checked, and if bearing temperatures are elevated, the pump is stopped. (The reactor is tripped prior to stopping the pump, if necessary.) If seal leakoff temperature is elevated, the seal leakofrand seal injection throttle valves are closed. When the problem is corrected,
- - , , . y y
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 28 of 130 on CPSES IPE Submittal seal injection flow is slowly restored.
Section 8 implements actions that verify seal injection is present. If seal injection is not present, Section 9 is used. The operator then checks pump temperatures and proceeds as in Section 7. If thermal barrier retum water temperature is elevated, the Component Cooling Water retum is isolated.
- Section 9 contains the same caution as Section 7 regarding stopping a RCP within one minute if both seal injection and thermal barrier cooling are lost. The reactor is tripped if necessary, and the affected RCP is stopped. Seal injection and thermal barrier cooling are isolated. Reactor leak rate is checked. Seal injection and thermal barrier cooling are restored if the conditions are corrected. Seal injection is restored as in Section 7 and thermal barrier cooling is slowly restored by manually opening the Component Cooling Water return valve outside containment.
(d) Thermal barrier cooling is isolated for certain accidents that result in a containment Ili 3 pressure signal, a "P" signal. The Non-safeguards Component Cooling Water loop which provides cooling to the reactor coolant pumps and thermal barriers is isolated on receipt of the "P" signal. Seal injection (cooling) is isolated as part of operator actions for only one Emergency Response Guideline, namely ECA0.0, " Reactor Trip or Safety Injection".
In addition, other ERGS have actions to isolate seal injection and thermal barrier cooling to prevent a delay in retuming a centrifugal charging pump (CCP) or the Component Cooling Water System to service. These same ERGS direct that seal injection and thermal barrier cooling be restored as soon as practicable and in a manner to prevent seal damage after the CCP and the Component Cooling Water System have been restored.
For site events that result in a containment Ili3 or "P" signal, e.g., steam line break inside containment, thermal barrier cooling is assumed to be unavailable and is failed in the accident sequence fault trees. The operator actions that are part of the ERGS are modeled as part of the human reliability analysis and are included in the accident sequence fault trees where appropriate.
4 4
Attachment I to TXX-96390 Response to NRC Request for Additional Information ;
l Page 29 of130 on CPSES IPE Submittal Level 1 Question 16:
1
- The submittal in Section 6 (p. 6-1) discusses a number of plant improvements concerning )
) emergency procedure changes and upgrading of the RCP seals in 1993 for Unit I and prior ;
j to initial startup for Unit 2. The IPE did not take credit for these improvements.
Please provide the following:
(a) The status of each improvement, i.e., whether the improvement has actually been implemented already, is planned (with scheduled implementation date), or is under 5- evaluation.
(b) If available, the reduction to the CDF or the conditional containment failure
, probability that would be realized from each plant improvement if the improvement l 4
were to be credited in the reported CDF (or containment failure probability), or the ;
. increase in the CDF or the conditional containment failure probability if the credited l'
! improvement were to be removed from the reported CDF (or containment failure I
probability).
(c) The basis for each improvement, i.e., whether it addressed a vulnerability, was l
i otherwise identified from the IPE review, was developed as part of other NRC rule l making (e.g., as the Station Blackout Rule), etc.
i
! Response:
(a) The status of each improvement is as follows:
! (1) Procedures have been revised to provide explicit instructions to the operators to manually control the flow to the steam generators to prevent overfill on loss of a
- - support system to the Turbine Driven AF pump. ;
Emergency Response Guidelines have been revised to explicitly instruct the operator f (2). l to verify the availability of component cooling water when checking for recirculation i L
capability. j
[
i
e 4
4
^
Attachment 1 to TXX-96390 Response to NRC Request for Additional Information
- (3) The procedure for restoring RCP seal flow following loss of a support system has been revised to instruct the operator to locally manually throttle the flow to normal l
]
charging in order to divert flow to the seals.
i (4) The procedure has been revised to instruct the operators to start the non-running
} safety chilled water train upon auto-start of the auxiliary feedwater pumps.
l i .
(5) The procedure for re-establishing main feedwater upon loss of auxiliary feedwater
< has been revised to direct operators use the main feedwater flowpath alignment from i i
the control room as the preferred means.
1 i The IPE results identified two additional areas for improvement in the area of plant design. ,
l - As a result, changes were recommended based on the IPE insights: ,
{
- There are two trains of component cooling water (CC) per unit at CPSES. The units can be cross connected per design, via normally locked closed valves. This feature !
l.
had been removed and the piping was blank flanged during Unit 2 construction and !
l was being considered for a permanent design change. After an initial quantification, l it was fcund that the availability of the cross connect was important to the reliability
- of the CC system, and the IPE staff recommended that the feature be retained. Based l on this recommendation, the cross-connect was restored and remains an integral part
- i. of the design. Further, the use of the cross-connect during loss of component cooling
- water events is included in procedures. .
i i -
TU Electric has replaced the Reactor Coolant Pump (RCP) seals originally installed l at CPSES Units 1 and 2 with seals of a new design that will function in a high fluid l
temperature environment. The IPE models are based on the characteristics of the I
origina' seals. Seal LOCAs contribute approximately 29% to the total core damage frequency, which is expected to decrease with the upgraded seals. The impact of these new seals on seal LOCA characteristics will be considered in a future update of the IPE.
i :(b) As noted above, certain procedures were modified to provide high assurance of success of the action. These are discussed here.
,_.r.,.._.m ,. .-
)
Attachment I to TXX-96390 Response to NRC Request for Additional Information j Page 31 of130 on CPSES IPE Submittal l 4
(1) AFTDMAN - Manual Control of Flow to Steam Generators to Prevent Overfill.
l j The objective of modifying the procedures that govem control of flow to steam generator to !
- prevent overfill in the event loss of air or power to the control valves was to raise the actions l
to a higher level procedure, that is, to an ERG family of procedures versus an abnormal .
j conditions procedure. This was thought to provide a higher level of assurance of success.
The current HRA value is appropriate without this enhancement because the actions are i proceduralized and because the operators are trained on the procedures, and because similar detection and implementation is required in the high level procedure (i.e., the ERG) related to station blackout, and finally because there is a reasonably long detection period and a !
fairly short time required for the operator to reach the area and begin manual control of flow. .
The core damage frequency for CPSES Units 1 and 2 is somewhat sensitive to the availability of the turbine driven auxiliary feedwater system fer secondary heat removal. A i sensitivity analysis shows that doubling the failure probability for this event results in an ,
increase in core damage frequency of 7.0E-07 per reactor year. l 5
(2) &RCXX01- Operator Fails to Realign ECCS to Recirculation The operator action to verify the availability of component cooling water is not credited per se in the Iluman Reliability Analysis but is assumed to be part of the operator actions to l realign ECCS for recirculation. The specific direction to verify availability of component l cooling water is provided in lower tier procedures. Ilowever, to provide a high level of assurance that this occurred, the direction was added to the ERGS. ;
1
\
A sensitivity analysis shows that doubling the failure probability of &RCXX01 results in an
)
increase in core damage frequency of 4.8E-06 per reactor year.
1 (3) CSilCV182 - Operator Fails to Manually Control HCV-182 After Loss of Support l
Systems l l
The operator action to manually control this valve on loss of component cooling water (CC) l is proceduralized in the Abnormal Conditions Procedures for the CC system. However, this action was not explicitly directed in the procedures for loss ofinstrument air or power to the valve, rather alarm procedures directed responses. Thus detection was assured, but diagnosis
i i
l Attachment I to TXX-96390 Response to NRC Request for Additional Information '
Page 32 of 130 on CPSES IPE Submittal may have been delayed. The procedures dealing with loss of seal injection due to loss of supports was modified to provide a high level of assurance of success of the action.
A sensitivity analysis shows that doubling the failure probability of CSHCV182 results in a negligible increase in core damage frequency. Increasing the failure probability by an order of magnitude results in an increase in core damage frequency of about 3.0E-07 per reactor year.
(4) &CilSTART - Operator Fails to Manually Actuate Standby Safety Chilled Water Pump (and Chiller).
During at power operation, one safety chilled water train is normally in service and the other is in standby. The standby train automatically starts when its associated component cooling
- water train starts. Ilowever, the standby train does not automatically start when an associated motor driven auxiliary feedwater (MDAFW) pump starts. Thus the standby train must be manually started to prevent overheating of the MDAFW pump, an action that was not proceduralized. However, the room temperature is monitored and subsequent high temperature alarms would ultimately direct operators to start the associated safety chilled water train. Procedures were subsequently revised to direct this action, and it is reflected in the IPE results. ;
l I
A sensitivity analysis shows that a doubling of the failure probability for this action results in a negligible increase in core damage frequency. Ifit is assumed that the operator always fails to start the standby train, the increase in core damage frequency is 4.0E-07 per reactor year.
l (5) CF&MFWREST - Operators Fail to Re-establish Main Feedwater After Loss of Auxiliary Feedwater.
The objective of modifying this procedure was to provide for restoring the main feedwater flow path from the control room as the preferred path rather than sending operators to various locations in the plant to manipulate valves. This procedure modification is reflected in the IPE.
A sensitivity analysis shows that doubling the failure probability for this action results in an j
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 33 of130 on CPSES IPE Submittal increase in core damage frequency of about 1.0E-07 per reactor year. Increasing the failure probability by an order of magnitude results in an increase of about 1.4E-06 per reactor year. )
(c) As noted in the IPE submittal,' the IPE did not identify any plant-specific l vulnerabilities at CPSES Units I and 2. The core damage pronle is such that the core I damage frequency is distributed uniformly among the initiating events and sequence types. l Thus, the improvements discussed above did not result from any perceived vulnerability. !
Rather, they were identified during the course of the IPE review, some based on preliminary . ;
results and some based on final results. The procedural changes ;,ere recommended
, following a review of the cutsets to assure a high probability of success of operator actions important to the results. The recommendations associated with hardware, namely retaining the unit-to-unit component cooling water cross-connection and replacement of RCP seals, .
l were also based on review of the IPE results. The recommendations were based on the observation that component cooling water and RCP seals are important contributors to core damage frequency and that since the changes could result in a decrease in core damage frequency, they should be investigated.
\
i w
]
. - _ ._~ . - - . - - . . , . . - - . . - . - -. . . - . . -
k Attachment 1 to TXX-96390 Response to NRC Request for Additional Information . j Page 34'of130 on CPSES IPE Submittal i
. Level l' Question 17: :
i The MGL parameters applied in the Common Cause Failure (CCF) analysis (see Section 3.3.4 of the submittal) were obtained by the Bayesian updating technique: generic CCF data j had been screened (p. 3-207) to determine Comanche Peak specific " prior parameter l distributions" which were then updated with CCF events (" evidences") experienced at the ~ l plant. The process resulted in proper " posterior" MGL parameters.
l In the absence of plant specific events, the posterior MGL parameters are " prior dominated,"
i.e., strongly biased (usually downward) by the screening process. (The process seems to allow neglect of CCF events that have not yet occurred at the plant or were not identified.) l Please discuss how you ensured that no vulnerabilities were overlooked by the application -
of this process. l
Response
The methodology that was used to determine the MGL parameters was developed by PLG .
}
and is described in NUREG/CR-4780. This document has been accepted as an industry f, norm for the Common Cause analysis methodologies (MGL and others) presented therein.
The standard methods used to develop failure rates cannot be used on common cause failure data because such events are extremely rare. Due to this fact, it becomes useful to examine ,
common cause events from similar equipment at other similar locations and use these events to build a generic database. !
It is also true that common cause events are very highly dependent on plant and system ;
design, logic, plant operating procedures, etc. For example, consider a common cause events database for diesel / generators developed from diesel / generators at all the U.S. Nuclear sites. ,
It would be highly conservative to accept diesel cooling related common cause failure events from water cooled diesel generators and from air cooled diesel generators as equally likely to occur at Comanche Peak. Unlike the statement " neglect of CCF events that have not yet occurred at the plant or were not identified", the events that are removed from the generic database-are the ones that cannot occur at Comanche Peak because of design, logic, procedural or other similar reasons. Whether a certain event has occurred at Comanche Peak t
Attachment 1 to TXX-96390 . Response to NRC Request for Additional Information '
Page 35 of130 on CPSES IPE Submittal l or not, the onlyjustification for keeping that event in the generic database is that it can occur l at Comanche Peak. This type of screening of the generic events results in a database that is ;
- considered to be 'a " plant-specific generic" database. 'j i It is true that with a given generic database, any screening will only reduce the number of l events in the database, but it does not produce a " downward bias" to the entire evaluation. -{
. Two factors about this methodology prevent the systematic downward bias. One factor is ;
the plant-specific event mapping process and the second factor is the use of priors to update !
with the " plant-specific generic" information. l
,! . i I If a generic common cause event describes a failure of two pumps out of a population of j
- three, what does it imply of a system of four pumps if such a failure event is possible? Will .j only two pumps fail? Or three? Or is there a chance that all four will fail? The methodology 4 of mapping events to adjust for size of populations (Section 3.3.4, page 3-211) addresses j i these questions. While mapping down to lower population levels conserves the failure :
l events, mapping up is not deterministic and according to the methodology, actually creates j
- failure events. The Comanche Peak analysis mapped all the events to a population level of ;
l four, first, before they were mapped down to their required population levels. This is a i 3
j conservative step (not described as part of the methodology in NUREG/CR-4780), which !
l means that each common cause event that was retained in the database was enhanced for its
- impact on Comanche Peak. In addition, the independent events are also mapped from a !
I generic population level to the level of population at Comanche Peak. If the population of equipment is smaller at Comanche Peak, then the denominator of the p factor is smaller than ;
- the generic value.
a The second factor that prevents the systematic downward bias is the use of priors. Even if
[ '
i all the events in the generic database were to prove to be inapplicable to Comanche Peak, there still would be the prior. The prior not only provides for the situation when no events remain in the database, but it also provides for the class of events that have not occurred at {
l-all, at Comanche Peak or in the Nuclear Industry. Thus, it can be said that the pnors provide ;
i a sufficient buffer for unknown events and make the entire process of common cause ;
analysis a robust methodology and provide reasonable assurance that no vulnerabilities were
! overlooked in the process.
i h
f
~
- i
I
. i Attachment I to TXX-96390 Response to NRC Request for Additional Information :
Page 36 of130 on CPSES IPE Submittal !
Level 1 Question 18: ;
i The sequence descriptions (p. 3-241) and the sequence classification unit's POS bins provide j conflicting information, e.g., the first leading sequence #ISCM2X3 from the sequence '
l descriptions has a frequency of 1.2E-5. In the PDS Table (Table 3.1.5-3 on p. 3-74)
} #ISCM2X3 has no entry. The entries are all from #ISCM2 (the entry 1.2E-5 from #ISCM2 under PDS IH is assigned to #ISCM2X3).
An analogous case is the sequence #1SCM2TR which is described on p. 3-244. It has a
{
frequency of 3.3E-6. There is no such entry in the PDS Table. The sequence #ISCM2 in i PDS 1F has the closest frequency of 2.4E-6. This sequence may be taken as #ISCM2TR, even with the difference in value.
. 7 1
'. The description on p. 3-250 states that sequence #IVSCM5 is binned into the PDS 3SBO.
However, Table 3.15-3 bins it into 4SBO and 3CB.
i ,
Please provide a corrected PDS Table or correct the sequence descriptions.
Response
Sequences #ISCM2X3 and #ISCM2TR were binned into #ISCM2 only. This was done because it was not necessary to make a distinction regarding initiators in binning the sequences into the various PDS. The last two characters in the descriptor, namely X3 and l TR, are initiator designators.
i With regard to #IVSCMS, the table is correct. In keeping with the way this sequence was treated in subsequent analyses, the description on page 4-250 should indicate that the j sequence was binned into 4SBO and 3CB.
i h J
l i
l l
Attachment I to TXX-96390 Response to NRC Request for Additional Information 1
- Page 37 of130 on CPSES IPE Submittal j Level 1' Question 19:
)
In the peer review it was pointed out that the actual duration of corrective maintenance was ')
longer than that implied by the generic data used in the IPE model. Please' discuss how you l
ensured that no vulnerabilities in thir, area were overlooked.
.l
Response
As noted in the CPSES IPE submittal, generic data was used for the evaluation because plant
. specific data was not available given the recent commercial operation of the plants at the time of the submittal. The corrective maintenance unavailabilities used in the CPSES IPE (
are based.on the PLG generic database which correlates corrective maintenance duration with l the technical specification allowed outage time for the system / component. These durations 1 are'for modes 1 and 2 operation and are comparable to the durations recommended in .l IDCOR Technical Report 86.3Al for plants with no plant specific data. Longer durations j might be expected during plant outages, but plant outages are outside the scope the IPE. j Therefore, since the generic data apply to conective maintenance events during operation in I modes 1 and 2 and because technical specifications place a practical limit on the durations I (i.e., allowed outage times during modes 1 and 2 ), the generic data used in the study are :
reasonable estimates of maintenance duration. Thus, it is not likely that any vulnerabilities ;
in this regard were overlooked. I
[ The comment in question was made during review of the system models with the system engineers. The systems analysts discussed the fact that the generic data applied to corrective maintenance events during operation and that because technical specifications placed a limit on the durations, this was a reasonable amount of time. Longer durations might be expected j during plant outages, but plant outages are outside the scope the IPE. The commentor was also informed that as plant specific information becomes available, it will be reflected in the i study.]
l b
l i
l Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 38 of130 on CPSES IPE Submittal j Human Reliability Analysis (HRA) Questions i 1
References to Human Reliability Analysis Questions
[A} Moleni,P., Spurgin, A.J. & Spurgin, J.P., Human Reliability Analysis (HRA) Calculator, Vol 1t Technical Description, (EPRI RP-3082-03 Dran Report), Electric Power Research Institute, Palo Alto, CA, USA,1992.
lB} Spurgin, A.]., Moleni,P., & Spurgin, J.P., Human Reliability Analysis (HRA) Calculator, Vol 21 User 's Afanual, (EPRI RP-3082-03 Dran Report), Electric Power Research Institute, Palo Alto, CA, USA,1991. i
[C] Moieni,P. et al., A PC-Based Human Reliability Analysis (HRA) Calculator, in Proceedings
, ofPSA '93, international Topical Afecting on Probabilistic Safety Assessment, American i
Nuclear Society, La Grange Park, IL USA,1993,
[D} Moieni,P., Spurgin, A.J. & Singh, A., Advances in Human Reliability Analysis Methodology. Part I: Frameworks, models and data, Part II: PC-based HRA sonware. In Reliability Engineering andSystem Safety,44 (1994),27-55 and 57-66 respectively. l
[E] Mosely, A. Et al. " Procedures for Treating Common Cause Failures in Safety and ,
Reliability Studies ", Vols I and EPRI NP-5613, NUREG/CR-4780, December 1988.
[Fj Moieni, P.& Spurgin A.J., "Afodeling ofRecovery Actions in PRAs", EPRI RP 3206-03, Dran Report, September 1992.
[G} Spurgin, A.J., et al. " Operator Reliability Experiments using Power Plant Simulators", Vols .
1-3, EPRI NP-6937, July 1990. ,
[H] Moleni, P. Et al. "A Human Reliability Analysis Approach using Afeasurementsfor Individual Plant Examination ", EPRI-6560, July 1989.
, [I} NUREG/CR-4639, " Nuclear Computerized Library for Assessing Reactor Reliability (NUCLARR)". :
[3] Comer, M.K., Seaver, D.A., Stillwell, W.G. & Gaddy, C.D., " General Human Reliability Fatimates Using Expert Judgement", NUREG/CR-3688, SND84/7115, Volumes 1 and 2, Main Report,1984.
[K } NSAC-161," Faulted Systems Recovery Experience", May 1992.
4
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 39 of 130 on CPSES IPE Submittal Responses to CPSES Iluman Reliability Analysis (HRA) Questions PREAMBLE As an active member of the Electric Power Research Institute (EPRI), TU Electric has been fully supportive of EPRI's development of a viable Iluman Reliability Analysis (lira) methodology.
Such a methodology was developed over an entire decade. The principal constituents of this methodology are as follows: (a) Systematic liuman Action Reliability Procedure (SHARP); (b)
Human Cognitive Reliability (IICR) Correlation; (c) Operator Reliability Experiments (ORE) project which resulted in development of simulator data collection and interpretation methodology, the revised IICR Correlation named IICR/ ORE as well as several other IIRA applications such as the one for the Individual Plant Examinations (IPE) documemed in EPRI NP-6560; (d) An update of SHARP named SIIARPl; (e) lluman Reliability Analysis (lira) Calculator; and (f) Modeling of Recovery Actions in PRA.
TU Electric was a co-sponsor, in conjunction with EPRI and Accident Prevention Group (APG), of the llRA Calculator which is a personal computer (PC)-based software program designed to aid the IIRA analysts in performing human reliability assessments in the context of PRA/IPEs. The CPSES l
IPE HRA made use of the HRA Calculator as well as of the whole EPRI HRA methodology summarized above. In order to make sure that best HRA advice was available, TU Electric retained a principal EPRI contractor, APG, as the advisor to the CPSES IPE lira study.
Numerous conference and journal papers describe the EPRI HRA Methodology and its various constituents. In addition, the methodology is fully documented in a number of either EPRI or contractor reports. Some of these reports have been publicly available for some time. Hence,it was assumed that the NRC staff was fully familiar with their content. Some have been kept as EPRI proprietary. One of them, Volume 3 of the ORE report containing simulator data, was recently released by EPRI to the NRC. With regard to the HRA Calculator and Modeling of Recovery Actions in PRA, APG as the contractor, prepared the contractor reports which, however, have not been released as EPRI reports. These as well as any other reports employed to support the CPSES IPE HRA methodology will be made available to the NRC upon request.
In the development of EPRI IIRA methodology, pre-initiators, or Type A Human Interactions (His),
were considered to be less significant risk contributors compared to post-initiators. This conclusion was arrived at upon review of a large number of PRAs and revisited from time to time with the same conclusion. Last year's revision of the Zion IPE HRA reconfirmed this conclusion. As a result, no
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 40 of130 on CPSES IPE Submittal significant resources were expended for advancements of the established THERP/ASEP basic methodology other than introduction of the decision trees as a part of the HRA Calculator developments.
One of the premises was that, by and large, well performed systems analyses account adequately for both hardware and human contributions since the component reliability data base employed does not distinguish between the two. This is much the same as treatment of Type B HIs or the initiators.
Nonetheless, CPSES IPE HRA emphasized Type A HIs by virtue ofexamining closely 162 of them.
In addition, as an added assurance during the quantification process, Common Cause Failure (CCF) analysis, using the Multiple Greek Letter (MGL) method, was performed. This applied not only to the equipment but also to the human dependencies. Generic beta and in some cases gamma factors were applied. One such example is the treatment of calibration errors in channels within the Engineered Safeguards Features Actuation System (ESFAS). The starting point was the value associated with the calibration decision tree of the HRA Calculator.
Regarding post-initiator HIs, or Type C or more precisely Type CP where P stands for proceduralized, the TU Electric preferred approach was to employ the HRA Calculator decision trees for screening purposes. These trees incorporate the key influence factors (ifs), their interactions, dependencies and a relative importance of human error likelihood. The basis for selection and ordering ofIFs is deemed to be scrutable and transparent. The ifs selected as well as their order of importance are heavily influenced by results/ insights gained from the ORE project. The ORE project clearly demonstrated the controlling impact of Procedures / Training.
Those HIs having a potential for risk significance were re-evaluated. The TU Electric preferred approach would have been use of plant specific data. At the time ofinitiating the CPSES IPE HRA, only a very limited number of simulator runs were available. Hence, it was necessary to look into attematives. One such attemative was use of an expertjudgement method. Those limited simulator runs showed close similarities between Comanche Peak and Diablo Canyon operating crew responses. It should be noted that in the ORE project, Diablo Canyon was the plant for which most simulator data were obtained.
The expert judgement method consisted of the following principle elements: (a) The TU Electric HRA analyst and the APG consultant generated detailed descriptions for each HI examined and acted as facilitators for the whole quantification process; (b) Two highly qualified TU Electric Senior
I i
L Attachment I to TXX-96390 Response to NRC Request for Additional Information j Page 41 of130 on CPSES IPE Submittal l l
j Reactor Operator (SRO) training instructors were selected as experts; (c) The facilitators ensured independence between the instructors, provided them with probability scales and requested that {
- - estimates include upper and lower bounds as well as an average value; and (d) Direct estimation j method, recommended by Comer, was employed by the facilitators. j i- !
l l The approach used in analyzing recovery actions, or type CR HIs, was fully compatible with the ,
!- ' appropriate EPRI sponsored methodology which recommends the following four stages: (a)
Identification and description of potential recovery actions with an assessment of allowable time l l windows followed by a feasibility analysis; (b) Data /information collection and estimation of ,
probabilities of selected recovery actions; (c) Incorporation of quantified HIs into sequence cutsets -
- . or scenarios; and (d) Internal review. ,
i The methodology employed incorporates several generic empirical recovery actions for selected equipment, i.e. diesels, pumps and valves. These were taken from NSAC-161. Wherever possible, j NSAC-161 data were used and combined with the assessed plant specific time windows. In cases
- where data were unavailable, use was made of decision trees with estimates provided by the expert judgement approach briefly described above. In this case, the expert was a highly experienced
)'
CPSES trainer with background as an auxiliary operator, reactor operator and a senior reactor operator, t In the future update of the CPSES IPE HRA, TU Electric plans to make further use of the EPRI developed IIRA methodology. With regard to data, the following will be the order of preference:
(a) Actuarial from plant specific operating experience primarily and secondarily from the industry l
experience; (b) Simulator data from CPSES plant specific data collection and interpretation program l
- primarily and secondarily from other generic plant simulator data; and (c) Interpretive data as a last j' resort employing expert judgement approaches. I J
4-l T
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 42 of130 on CPSES IPE Submittal HRA Question'1:
The basis for the screening methodology used for pre-initiator human errors is unclear. On page 3-180 the submittal states that the screening methodology is a " melding of several previously published methodologies" and that "the framework and mechanics are original."
It also states that "the backbone of this methodology is a event or decision tree that is based on a series ofstructured questions that lead an evaluator to a Human Error Probability (HEP) screening value." Please provide:
(a) A list of the published methodologies from which your screening methodology was -
derived.
(b) A discussion of how the methodology was derived.
(c) A discussion of why the specific " questions"in Figures 3.3.3-3 and 3.3.3-4 were selected (i.e., why were these performance shaping factors (PSFs) chosen and not others?).
(d) A discussion of the basis for how the " questions" in the decision trees presented in Figures 3.3.3-3 and 3.3.3-4 were used to estimate the non-success probability assigned to each path through the trees (i.e., how did you arrive at the number for each path through the trees?).
(e) A discussion of how and why Figure 3.3.3-3 leads to higher failure probabilities for trains than for individual components. In other words, the basis and intent of the second decision point in the tree (" comp / train") is not clear.
Response
The screening methodology used was that of the Human Reliability Analysis (HRA)
~ Calculator. The HRA Calculator is a PC-based software program sponsored by EPRI, TU Electric and Accident Prevention Group (APG). It is designed to aid the HRA analysts in performing human reliability assessments in the contexts of PRAs/IPEs (see References A-D]. Reference D contains a comprehensive list of references which explain the evolutionary pathway to development of the HRA Calculator.
i' !
h 1
~ Attachment 1 to TXX-96390 Response to NRC Request for Additional Information
- c. :
r In the EPRI funded HRA program, pre-initiators or type A Human Interactions (HIs) were considered as less significant risk contributors compared to post-initiators. 'Ihis position was !
I arrived at upon review of many PRA/HRAs. However, the issue was revisited from time to l time and the conclusions reconfirmed. f j Revision of Zion IPE HRA reconfirmed lack of risk significance of pre-initiators upon a j' review of a large number of PRA/HRAs sponsored by both the NRC and the utility industry.
} In addition, the Zion specific personnel errors were examined. This contained 124 items over j i a two year period.
l The HRA Calculator, following the established principles of both SHARP and SHARP 1, i
i incorporates screening as a fundamental part of HRA. The Calculator offers several screening analysis options as displayed in Attachment 4 to TXX-96390, " Figure HRA-Ql- !
1." One of them is a quantitative screening method novelty in the form of" decision trees",
f i developed by TU Electric and APG, which has been employed in the CPSES IPE/HRA.
l !
l The decision tree method incorporates the key influence factors (ifs), their interactions, j dependencies and a relative importance to human error likelihood. Reference D contains a i
- notable explanation for a logic behind construction of the decision trees. The most important l IF is placed to the immediate left in the tree headings while the least important to the far ,
- right. Composition of the testing / maintenance decision tree differed from that associated with the calibration tasks.
i
!. Situation factors have been shown to be important and exhibit a large influence on human l performance. Thus, there will be differences in reliabilities of staff performing testing and
- maintenance (auxiliary operators) versus calibration tasks (I&C technicians). The approach
- adopted was to investigate fundamental processes behind maintenance / testing and ;
i calibration. To aid in understanding of these processes, interviews were conducted with j
! several experienced TU Electric training instructors of both auxiliary operators and I&C .
l technicians. They focused on two principal subjects: (a) What type of errors have been j experienced at CPSES?; and (b) What programs or features are in place to limit error j
- j. frequency? . j 1
i 1 ,
! The information obtained led to the following logic behind testing / maintenance decision tree ;
r i headings: 1
Attachment 1 to TXX-96390 Response to NRC Request for Additional Information :
Page 44 of130 on CPSES IPE Submittal
. Probability of an error affecting performance of a train is higher than for a single component.
. Training and quality of procedures are significant factors.
. If after maintenance the system is tested, the error rate is reduced.
. If the system is re-configured, the error probability is increased.
. Checking after configuration can lead to a reduction in previously committed errors, although effectiveness of checking could be overstated.
The information obtained during interviews confirmed the following decision tree headings in calibration tasks:
- Testing and procedures.
. Testing of system. ;
- Independent checking. l The pre-initiator human actions were based on the maintenance and testing and calibration decision trees embodied in the lluman Reliability Calculator (IIRC). As structured in the '!
liRC, the user has the following options; a) se'ection of top and bottom end state I probabilities as anchor values and b) selection of either linear or logarithmic distribution of probabilities.
In this case, the anchor points were; 5E-03 and 1.0 in the case of the calibration /DT and the 1E-03, SE-02,1E-02 and 0.5 in the case of the Testing / Maintenance /DT.
In both cases, logarithmic distributions were used to predict the intermediate end state probabilities. It is a customary position of the analysts that the logarithmic distribution more faithfully simulates the increasing probability of failure with increasingly worse performance due to deteriorating influencing factors.
Attachment I to TXX-96390 Response to NRC Request for AdditionalInformation Page 45 of130 on CPSES IPE Submittal <
. The actual value selected for a given HI is obtained by tracking through the decision trees ;
i by using information about the influence factors.
l The basic decision trees (DTs) shown in Figure 3.3.3-3 were taken from the HRA I Calculation Report [ Reference A). The decision point in the tree related to whether or not ,
the DT was to be used for the estimation of component-related or train-related human error probabilities. The human error probabilities are considered to be potentially higher for trains 1
- than individual components and the DT reflects this situation. This is a screening approach '
to the detailed evaluation of either the component-related HEP or the train-related HEP.
$ i
! )
4 5
, e , - -
- s. ,
Attachment I to TXX-96390 Response to NRC Request for Additional Information i Page 46 of130 on CPSES IPE Submittal q HRA Question 2:- l The screening process for pre-initiators made use of the decision trees in Figures 3.3.3-3 and j 3.3.3-4. It is not clear from the submittal how the screening process ensured that potentially t important human events and accident sequences were not eliminated. Some outcomes 1
- provide screening values as low as 1.0E-3. Please provide
. (a) The rationale for how the selected screening values did not eliminate (or truncate) .
- important pre-initiator human events. (In addition, please include a list of errors
- initially considered but later screened.) -
Response
l i No human action (llA) or interaction (HI) identified is eliminated by the screening process. !
, Those IIIs having a potential for being significant risk contributors, such as those contained in the dominant accident sequences, get re-evaluated. Hence, those which are not re-evaluated retain their conservative values.
i I
The legitimate question is whether the screening values are appropriately conservative. If p they are, say, optimistic, some sequences containing such optimistically assessed HIs would l
. not show as dominant sequences. As a results they would not be evaluated.
TU Electric was meticulous in assuring that such a case does not take place. There are two distinct aspects that give confidence of success: (a) Review of the operating records and l
programs in place, such as INPO's self-verification or equipment labeling, with regard to maintenance / testing and calibration area; and (b) Making sure that the values used in the screening process are conservative compared to other industry sources such as NUCLARR.
l l
l l
i I
s
Attachment I to TXX-96390' Response to NRC Request for Additional Information
' HRA Question 3:
The submittal is unclear on what types of dependencies were addressed. The failure'to ,
identify and evaluate different types of dependencies that could potentially exist can result I in failure to recognize vulnerabilities associated with the design, operation, maintenance or j surveillance of the plant. In addressing dependencies, whether miscalibration or failure to -i restore, the process utilized should consider plant- conditions, human engineering, performance by same crew at same time, adequacy of training, adequacy of procedures, and . _
interviews with training, operations and various crews. Please provide a brief discussion on what dependencies were identified and how they were identified. l
Response
The following sources of dependencies were considered: training of the crews, procedures, checking, relationship of crew members, who executed the task and who checked, the way systems were tested after maintenance and the extent of the test- problem of not being able i to test complete system, use of secondary and primary calibration sources, and problems I with access and environment in performing tests, checks and maintenance operations.
i In order to model the pre-initiator HIs and consider the effects of dependencies, interviews ;
were carried out with training staff, maintenance and test personnel and HPES personnel.
The objective of interviews was to determine how operations were carried out, how the crews were trained, and what precautions were taken to ensure that errors were not propagated through the plant. The interviews with the HPES personnel focused on review of plant experience with these operations.
In addition to understanding the process of carrying out maintenance / testing and calibration, the analysts were also seeking to understand how and in what manner dependencies might !
be present in the operations. TU Electric carries out these operations in a way to minimize !
the effects of dependencies. For example, one item which was ofinterest was the process ofjunior staff carrying out the calibration and the senier staff checking the results. This -l process enhances the checking process and reduces the effects of dependency between one
_ operation and another, compared with the more usual way of the senior staff calibrating the
. devices and thejunior staff checking the result. The process of using the HPES also sets up a process whereby any errors associated with the procedures are identified. Again, these
i s
l Attachment I to TXX-96390 Response to NRC Request for Additional Information - t
- Page 48 of 130 on CPSES IPE Submittal precautions limit the degree of dependency between operations.
As a result of reviewing TU Electric's operations, a qualitative evaluation concluded that dependencies due to inter crew relationships could be eliminated from direct consideration; however some dependency was accounted for by the introduction of a common cause r contribution between systems. The basic decision trees (DTs) for both maintenance / testing
- and calibration, as discussed in the HRA Calculator, were used since lhese DTs correspond closely to the situations at Comanche Peak. The important influences are
training / procedures, functional testing of the system, reconfiguration of the system for testing, and independent checking of the results. Man-machine interface aspects were included in the training / procedure heading.
ll V t
1 9
+
s I
)
i i
i
- - -.~ - __ _ . . _. . _
l U
. Attachment I to TXX-96390 Response to NRC Request for Additional Information
. Page 49 of 130 - on CPSES IPE Submittal HRA Question 4:- ,
The submittal'is unclear on how dependencies were treated. It is not clear from the submittal
- how' dependencies associated with pre-initiator human errors were addressed and treated, j 'Ihere are several ways dependencies can be treated.' In the first example, the probability of the subsequent human events is influenced by the probability of the first event. For example, !
in the restoration of several valves, a bolt is require to be " tightened". It is judged that if the
- operator fails to " tighten" the bolt on the first valve, he will subsequently fail on the ;
remaining valves. In this example, subsequent HEPs in the model (i.e. representing the ;
second valve) will be adjusted to reflect this dependence. In the second example, poor
- lighting can result in increasing the likelihood of unrelated human events; that is, the poor l lighting condition can affect difTerent operators' abilities to properly calibrate or to properly [
- i. restore a component to service, although these events are governed by different procedures and performed by different personnel.- This type of dependency is typically incorporated in ,
! the HRA model by " grouping" the components so they fail simultaneously. In the third l example, pressure sensor x and y may be calibrated using different procedures. However,
). if the procedures are poorly written such that miscalibration is likely on both sensor x and I y, then each individual HEP in the model representing calibration of the pressure sensors can i be adjusted individually to reflect the quality of the procedures. Please provide a concise
- discussion of how dependencies were addressed and treated in the pre-initiator HRA such
- that important accident sequences were not eliminated. If dependencies were not addressed, pleasejustify.
1
Response
i Dependencies were incorporated into the study by virtue of considering the effects of 4
training / procedures, complexity of task, etc. relative to each other in terms of their effects on the HEP. These effects are covered in the DTs. The dependent effects caused by the use
- of same procedures and crews are minimized by TU Electric's approach to the issue of maintenance / testing and calibration. However, the analysis does include common cause
- elements to account for any uncertainties in the allocation ofinfluences due to humans. The failure of the crew to perform any of the actions within one operation, such as correct reassembly of a pump, is covered by a single number. The importance of pre-initiator events L in safety systems is not such that one would undertake this level of detail, i l
1
,y ..,- --
4 i
Attachment I to TXX-96390 Response to NRC Request for Additional Information 1 Page 50 of130 on CPSES IPE Submittal i
HRA Question' 5:
I The modification of screening HEP for pre-initiator human events unclear. On page 3-178 l
- of the submittal it states that "Ifit was found that these His were significantly important in terms of their contribution to core damage frequency, these HIs were requantified using an ' l
- q. expertjudgement approach." The expert interview is also mentioned on page 3-187. Does. !
this mean that the HEPs assigned to pre-initiator human events were modified? If so, please describe the expert judgment process and provide a few examples illustrating the process. j i i 1
I Response: ;
, The statunent on page 3-178 is a general statement reflecting the intent to perform re- l
! evaluations of screening values in general. It was expected that re-evaluations would be :
i confined to type C His being part ofdominant sequences. The process ofre-evaluation would i i- be based on expert judgement as discussed in response to the Question # 11. Type A or latent !
j errors are typically not re-evaluated except to account for common cause effects. !
l However, there was one exception, i.e. RHR valve 1-8717. [The associated HI is j
- RHXVX8717XNX.] The initial screening value of SE-03 was assigned. On closer {
examination, it became apparent that existence oflimit switches on the actuator tied into the j
[4 Safety System inoperable Indication (SSil) was not accounted for in this value. Alarms l
j- would signal to the operating crew that the valve is misaligned. In order to account for this l f feature, the initial screening value was multiplied by 1E-2 resulting in a final value to 5E-05. l i The value of 1E-2 represents an estimate of the HRA analyst. !
4 t
)' ;
4 e
i 4-
i t
- Attachment 1 to TXX-96390 Response to NRC Request for Additional Information :
Page 51 of130 on CPSES IPE Submittal HRA Question 6:
I 4
Some pre-initiator human events have HEPs different from those that would be derived from ,
.the decision trees. From Figures 3.3.3-3 and 3.3.3-4 of the submittal, one can see that the l ranges of HEP screening values are 5E-1 to 1E-3 and 1.0 to SE-3, respectively. In the list of latent errors given on page 3-191, event "AFCTDAFWPNX" (Both TDAFWP steam admission lines unavailable due to latent human error) has a value of 1E-4. Was this event's value determined using Figures 3.3.3-3 and 3.3.3-4, and if so, please describe the process
~
used to determine this value. If the event's value was determined by some other process, please describe this process and explain how the value was obtained. Please list all events 1 that were quantified with this "different" approach and provide examples illustrating how the HEPs were obtained. ;
Response
i i
The pre-initiator human events identified below are ones that are associated with either l multiple trains or multiple components. The rest of the HIs given on page 3-191 have been classified as independent events. These represent the human common cause failure (CCF) contributions. As such, these CCF are obtained by multiplying the single decision tree (DT) -
- 4. contribution by a beta factor. The HEP for a single TDAFWP steam admission valve being i unavailable would be 1.0 E -03. The common cause contribution for both valves being unavailable is 1.0 E -03 multiplied by beta, where beta is 0.1. Thus the value for both valves I
being unavailable due to lat. nt human action is 1.0 E-04.
l The basic HEP is obtained by using the decision tree approach for testing of a component.
1~ The conditions are: procedure available for the testing, the system is not reconfigured, and the testing is independently checked. The process of estimating the CCF contribution by multiplying the independent contribution by beta was used for other latent errors associated j with multiple components or trains.. The following are quantified by this process:
AFCDAFWPNX CW&CCFLS2915 EPXBA1EAX2NX MSXVPARV00NX l RC&CCFSRVS SICCFMISCAL SIXVX8816FX SIXVX8822FX 4
1 l
i~ Attachment I to TXX-96390 Response to NRC Request for Additional Information 5 Page 52 of130 on CPSES IPE Submittal In the case of AFXPMPMD00FX, the Multiple Greek Letter formulation for common cause contribution was employed. For two out of three auxiliary feedwater steam generator flowpaths, the values for beta and gamma were 0.1 and 0.1, respectively [ Reference E, !
4 Equation 3-17]. ;
i l
d
{
f 4
6 J
d d
1-1
,. -- -. , , . - -. ~ r.,,. . . , - - ,n, . ,,c a
i' Attachment I to TXX-96390 - Response to NRC Request for Additional Information Page 53 of130 on CPSES IPE Submittal HRA Question 7:
The basis for common cause calibration errors is unclear. Page 3-187 states that "it was concluded that significant human errors could be due to the common cause error in calibration of channels within ESFAS" and that "the base calibration error rate of a single channel ..." using Figure 3.3.3-4 was SE-3. This base calibration error rate was then
" adjusted by applying two modifying factors that account for the common factors." Please provide the following:
(a) The basis for this quantification technique.
(b) The basis for the values used for each of the two modifying factors (0.05 and 0.01).
(c) The list oflatent errors that begins on page 3-191 contains events that appear to be common cause calibration errors (e.g.,"ESCCFMISCAL"). Please describe how the values for these common cause latent errors were determined.
(d) liow were the common cause events placed in the fault trees and accounted for in the system logic? Essentially, describe how the common cause failures were incorporated and their potential impact accounted for.
Response
During the evaluation of the human events associated with the Engineered Safeguards Features Actuation System (ESFAS) model, it was assessed that significant human errors could be due to conunon cause calibration errors of channels within ESFAS. These errors could lead to the unavailability of an actuation logic channel.
When evaluating calibration errors, the base calibration error rate of a single channel and those factors that are common when calibrating ESFAS channels were assessed first. This starting point was assessed using the calibration error tree. All tasks are performed using procedures that the technicians are trained on, and the steps are checked independently. This leads to a non-success probability of 5 E-3 using Figure 3.3.3-4.
The first common factor in the calibrations is the procedure. Although there is a single
4- j i
Attachment I to TXX-96390.
Response to NRC Request for Additional Information Page 54 of130 on CPSES IPE Submittal :
procedure for each channel calibrated, they were written as a group by a single person.- ;
j Therefore, it is highly likely that an error in the procedure could propagate to all the other f
procedures. Another important factor to assess is the use of the procedure. A significant -i j factor is failure of the use of a procedure is when a procedure is written for several channels ;
and the user is expected to select the proper portion of a step that is applicable to the channel ;
]
j - under calibration. When an individual procedure is written for each channel, this possible j j source of error is eliminated. This factor has been assessed a " common" factor of 0.05. ;
) i j The second an most significant factor is the fact that the calibration of ESFAS channels at ;
j CPSES is performed on a cyclic basis (approximately one channel every week). Several points come out because of this. First, the possibility of the same team performing the calibration is greatly reduced.' Second, the control room operators are required to perform ,
a channel check once each shift. This consists of comparing one panel's indication to all the l
l others. It is very unlikely that an operator following a procedure will fail to recognize that I
- the meters do not indicate the same value (0.01). A calibration of the analog signal would j show a difference on the indicator. With three shifts per day and seven days per week, there !
- are 21 channel checks between calibrations. Additionally, most logic channels would require .
the failure of three channels to prevent logic actuation. This would double the numbers of !
checks performed between the first channel calibration error and the third. The conservative assessment of all these factors is a " common" factor of 0.01. ,
t l The product of the base calibration error rate and the two modifying factors above yields a I l
value of 2.5E-06. [
i i The list of latent errors also contains " common cause" calibration errors, for example, ESCCFMISCAL through ESCCFMISCAL7. The CCF contribution due to human was calculated by taking the independent channel calibration number and multiplying by beta ,
1 factor of 0.1. For example, the base number for the instrument calibration was 1 E-3 and the ;
j value of ESCCFMISCAL is therefore 1E-3 times 0.1 or 1E-4.
, t l The " common cause" contribution is incorporated at the system level in the fault tree. The independent or random human error is incorporated at the component level. See Attachment j 5 to TXX-96390, " Figure llRA-Q7-1." l I
i i g - , - - . -q
- w - - , - . - , -
,y y , .- y . - , , , - ------y
Y t
Attachment I to TXX-96390 Response to NRC Request for Additional Information a Page 55 of130 on CPSES IPE Submittal l l
POST-INITIATOR HUMAN ERRORS i
f HRA Question 8: i
'Ihe submittal is unclear oa why non-proceduralized post-initiator actions were considered.' ,
On page 3-179 the submittal states that post-initiator human errors "may or may not be covered by procedures." Please provide a list of the human actions considered in the :
. analysis that are not proceduralized, and justify why credit was taken for these non-proceduralized actions. !
Response: f Type CR (or recovery actions) contain a large variety of activities ranging from actions to support the main control room crews in following Emergency Operating Procedures (EOPs) !
and Abnormal Procedures (ABNs) to more complex recovery actions including repair of ,
failed equipment. A key part of modeling recovery actions is understanding the role of 'l auxiliary operators and other station personnel.
In recognition of the above, Electric Power Research Institute (EPRI) has sponsored development of a distinctive methodology for modeling of recovery actions (see Reference D and F ]. This methodology permits consideration of either proceduralized or non-l proceduralized operator actions. The latter would be considered only if deemed feasible and l a potential significant risk contributor. Such an action would be subsequently proceduralized.
Ultimately, in the CPSES IPE/HRA, no non-proceduralized recovery actions were i considered. Initially, the HI for service water system cross-tie was not proceduralized.
I i !
L ;
i:
I
I
, Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 56 of130 on CPSES IPE Submittal !
i HRA Question 9:
The basis for the screening methodology used for post-initiator immediate action (C,) human j errors is unclear. On page 3-180 the submittal states that the screening methodology is a l
" melding of several previously published methodologies" and that "the framework and mechanics are original." It also states that "the backbone of this methodology is an event or ;
decision tree that is based on a series of structured questions that lead an evaluator to a . i Human Error Probability (HEP) screening value." Please provide: l (a) A list of the published methodologies from which your post-initiator screening ,
methodology was derived. !
(b) A discussion of how the methodology was derived. >
(c) A discussion of why the specific " questions" in Figure 3.3.3-2 was selected (i.e., why I were these performance shaping factors chosen and not others?). ;
(d) A discussion of the basis for how the " questions" in the decision tree presented in .
Figure 3.3.3-2 were used to estimate the non-success probability assigned to each l i path through the trees (i.e., how did you arrive at the number used for each path through the tree?). !
(e) A discussion of how the diagnosis and execution portions of operator actions are addressed with the screening methodology. j i
Response: j The screening methodology used was that of the Human Reliability Analysis (HRA) l
. Calculator. The HRA Calculator is a PC-based software program sponsored by EPRI, TUE l and Accident Prevention Group (APG), designed to aid the HRA analysts in performmg ;
human reliability assessments in the contexts of PRAs/IPEs [see References A-D]. )
)
I
' Reference D contains an overview of EPRI funded HRA projects including the seminal, four year project named Operator Reliability Experiments (ORE) [ Reference G] which generated j more than 1000 simulator data points illustrating a range of responses in excess of 100 i i
i l
i 1
L . ..i.. ,
Attachment I to TXX-96390 Response to NRC Request for Additional Infomiation Page 57 of130 on CPSES IPE Submittal ;
control room crews to a spectrum of acciderncenarios. It also coMains a comprehensive list j of references which explain the evolutionary pathway to development of the' HRA l Calculator, including reference I..
The HRA Calculator, following the established principles of both SHARP and SHARP 1, incorporates screening as a fundamental part of HRA. The Calculator offers several ;
screening analysis options as displayed in the attached flowchart (Attachment 6 to TXX- .;
%390, " Figure HRA-Q9-1"). Ora of them is a quantitative screening method novelty in the l form of" decision trees", developed by TU Electric and APG, which has been employed in the CPSES IPE/HRA.
The decision tree method incorporates the key influence factors (ifs), their interactions, dependencies and a relative importance to human error likelihood. Reference D contains a notable explanation for a logic behind construction of the decisiemes. The most important i IF is placed to the immediate left in the tree headings while the least important to the far >
right. The ifs selected as well as their order of importance are heavily influenced by results/ insights gained from the above referenced EPRI and utility sponsored ORE project.
This is in contrast with some other established HRA in which the basis for selection and ordering ofIFs is less than transparent.
The ORE project clearly demonstrated the controlling impact of procedures and training.
' Limited data taken at the Comanche Peak simulator, when compared with the Diablo Canyon data, provide necessary corroboration to support use of ORE insights at least for the l screening purposes. Task complexity is secondary to procedures / training, but it becomes
}. important when the operating crews need to apply their knowledge. The reluctance factors ;
3 were partially observed in the ORE simulator data but even more so in some notable !
)
incidents such as the Davis Besse one in 1985 which entailed reluctance to use the PORVs.
4 Time available is the final IF chosen. ,
i i The end state human error probabilities (HEPs) run from the lowest value at the top to the {
. highest value at the bottom. For screening purposes, the values chosen are typically
. conservative, such as a range between 1E-03 and unity. In the CPSES IPE/HRA, a range ,
- between 5 E-02 and unity was chosen with the adjacent end states at the same value. A check versus the NUCLARR data base [ Reference I] was made to ensure that the values chosen !
were conservative enough. 95% values were used as a comparison with the range. The h
. . -, ,.w, --- .,
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 58 of130 on CPSES IPE Submittal ;
distribution of the HEPs in the end states is essentially logarithmic using an expert judgement approach. With appropriate data, such as simulator data, it could take other forms.
t In the screening process no breakdown of operator actions into Detection, Diagnosis and (
i
' Decision'(D3) was attempted. Values associated with the execution portion of operator actions are typically much lower than the D3 contribution and as such are subsumed.
k A
1 i
l t
l l
t l
l i
i
l Attachment I to TXX-96390 Response to NRC Request for Additional Information ,
Page 59 of130 - on CPSES IPE Submittal HRA Question 10:
The screening process for the post-initiator (C,) hmnan errors made use of the decision tree in Figure 3.3.3-2. Several questions arise regarding the use of this tree. Since screening ,
values as low as 0.05 can be obtained from use of the tree, it is not clear from the submittal i
how'the screening process ensured that potentially important (C,) human events and accident sequences were not eliminated.' Furthermore, it is not clear how issues such as dependencies '
-among human events were addressed in the screening process. . Please provide:
(a) The rationale for how the selected screening values did not eliminate (or truncate) important post-initiator (C,) human events.
(b) A discussion of what dependencies among human events were considered.
-(c) A discussion of how dependencies were addressed (i.e., how did dependencies affect the HEP estimate of a human event. l 1
(d) Several examples of the consideration ofdependencies in determining HEPs for post-initiator events.
(c) A list of human actions which were initially considered, but which were later screened.
4
- The discussion of dependencies in items (a), (b) and (c) above should address the two points
. below: I 1
- Human events are modeled in the fault trees as basic events such as failure ]
to manually actuate. The probability of the operator to perform this function
- is dependent on the accident in progression - what symptoms are occurring, what other activities are being performed (successfully and unsuccessfully),
etc. When the sequences are quantified, this basic event can appear, not only i
in different sequences, but in different combinations with different systems failures. In addition, the basic event can potentially be multiplied by other human events when the sequences are quantified which should be evaluated for dependent effects.
i I
. - . - -- - - . - - - - _ . ~ - - . - - - .
l 1 l' j i
Attachment I to TXX-96390 Response to NRC Request for Additional Information j Page 60 of130 - on CPSES IPE Submittal Human events are modeled in the event trees as top events. The probability f
of the operator to perform this function is still dependent on the accident -!
progression. The quantification of the human events need to consider the i different sequences and the other human events.
I
$ Response:
- No human action (HA) or interaction (HI) identified is eliminated by the screening process. !
h Those actions having a potential for being significant risk contributors, such as those ;
I contained in the dominant accident sequences, get re-evaluated. Hence, those which are not l
re-evaluated retain their conservative screening values.
The objective of " fine" screening (see SHARP) is to use conservative but not overconservative values. Use of the latter would raise the tail of the non-dominant sequences.
Using unity as a screening value heavily increases the tail compared to use of either l
- conservative or realistic values, i
i j " Values as low as 0.05", in case of the CPSES IPE/HRA, were actually conservative. One !
j could expect a more typical value of 0.005 for those HEPs when performing a more realistic re-evahiation. In addition, the His in these top set sequences as well as dominant sequences :
l are subject to re-evaluation.
4 By way of construction of decision trees, as in the case of event trees, interdependencies j between ifs are inherently accounted for. Ultimately, it is the skill of the analysts that j determines how well the dependencies are captured. This is true in any methodology !
i including THERP/ASEP. In case of CPSES IPE/HRA, the utility HRA analyst was qualified -
as a Senior Reactor Operator (SRO). This background qualified him, as an expert in the 5
i control room operations, to make informed judgements on the likely interactions between crew members in an accident environment. In addition, a reputable consultant from APG, ,
human reliability specialists, was involved in every aspect of the analyses.
i ,
t Hence, the following types ofdependencies are explicitly accounted for: (a) Actions due to t cognitive dependency, i.e. actions connected to the same basic D3 event; (b) Actions carried
[ by the same operator; and (c) Actions carried out within a limited time frame (after a lengthy interval such as I hour, the dependency was assumed to be zero). Beyond this there is +
. accident sequence dependence. In discussions with experienced TU Electric training' v+ .e -
.* , , - - e , -
4%., m-,,,, .-.-,w- - - . .,. -- _ %. ,--s- , .- - a
i Attachment I to TXX-96390 Response to NRC Request for Additional Information !
- Page 61 of130 on CPSES IPE Submittal h instructors, their awareness of dependencies came clearly across. ' Faced with the same !
nominal operator action reliabilities over a spectrum of accident sequences, they suggested
]
' a range between unity and 1.0E-3. ;
The screening phase of the analyses was a primary vehicle for accounting of dependencies. :
The following basic principles were followed: (a) If the events were deemed to be closely j linked then second and subsequent HEPs were set to unity; and (b) If the events were deemed j to be essentially independent, the screening values from the decision tree were used. !
Lastly, construction oflogic trees is addressed. CPSES IPE made use of so called large fault ;
tree / small event approach. The event trecs are essentially functional event trees and hence l
l are not featured. Type CP His have been placed in the top echelon of fault trees connected j via "OR" gates with system unavailabilities. On the other hand, type A His are typically placed either at the train or component level.
4
{ As stated above, dependencies were predominantly addressed during the screening portion i of the analyses. For type As, both hum:.n and equipment dependencies are addressed
! through common cause effects between the trains or components. For type CP, the cutsets ;
were examined for possible dependencies. Predominantly, there was only one HI per cutset.
- In rare cases of multiple HIs, careful scrutiny was performed. Dependencies were accounted i for in the degree ofinteraction between the crew members.
4 l A set of rules was used to assist in the evaluation of the effects of dependency between l multiple human events. The rules are:
i
- 1) A clear time separation between events would lead to the assumption that the events i were independent. A time separation of 30 minutes was considered appropriate.
l
- 2) If the operations were carried out by different persons operating on different i
t indications, the operations were independent.
a'
- 3) If the event was diagnosed by one person but it lead to two separate operations, the ,
- operations were dependent. If the indications were strong, the dependency was mild, that is, some modification of the independent second action was made to account for !
j dependency. If the diagnoses were not very comprehensive, then the second and I
4 w m.,-m,. , _ _ . , - > y -- ,,y , - ., _ 7, _ . . ,
Attachment 1 to TXX-96390 . Response to NRC Request for Additional Information -
Page 62 of 130 on CPSES IPE Submittal subsequent actions would fail if the first action failed.
Because of the nature of the cutset sorting, sequences with multiple human actions ( and equipment unavailabilities) quickly disappears from the list of sequences making noticeable contributions to CDF.
Some examples ofdependencies considered in the CPSES IPE are provided here. The first example deals with coupling effects.
DG failure recoveries (DGSTARTl/DGSTART2)---There was an acknowledgment by the analyst that although there is sufficient indication, man-power and time to recover either or both DG's the value was modified to reflect the potential coupling effect during the diagnosis of the situation. e.g., DGSTARTI = 2.5E-01 vs DGSTART2 = 1.0E-01
' Die second examples deals with operator actions where time exists to allow for de-coupling the actions.
For Large and Medium LOCAs the operator action &RCXX01( Operator Fail to Re-align ECCS Pumps for Recirculation) is found in the cutsets. However, for Small and Very Small LOCAs operator actions &RCXX01 and LATERRECIRC (Operator / Plant Staff Fails to Re-align ECCS for Late Recirculation Events)
For EGTR the operator actions ECA-1.1 (Operators Fail to Use ECA-1.1 on Loss of Recirculation Capability) and CIBRESETSINY (Operator Fails to Re-Establish i Instnunent Air Following "S" Signal). These two action are both time and
- scenario / procedurally independent, therefore no coupling was assumed and value changes made.
For various initiators the operator actions CIBRESETSINY (Operator Fails to Re-Establish Instrument Air Following "S" Signal) and CISTARTX (Operator Fails to Start Either Common Compressor Train) were evaluated for dependencies and were found to occur in cutsets also containing a flag indication that air accumulators were available to provide 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> of air prior to equipment failure, t
1
.. _ = _ . . - - - . - -.- . . .. .
I I
4
~
Attachment I to TXX-96390 Response to NRC Request for Additional Information l 4
Page 63 of 130 on CPSES IPE Submittal l i
t The third example deals with cases where screening values were reviewed for two coupled j events. It was the analysts decision to leave both actions at their screening values in lieu of j replacing one action with a value based on a detailed evaluation and the second action f revised based on the coupled effect. It was determined that the screening values were f conservative with respect to the re-evaluated values. -
. r' CISTARTX01 (Operator Fails to Start Common _ Compressor X-01) and CISTARTX02 (Operator Fails to Start Common Compressor X-02) both have a screening value of 1.0E-01. ;
1 l
4 a
] ,
1 J
Y .
l <
! l l
l f
l l
4 d
i 1
l h l 3
I i
Attachment 1 to TXX-96390 Response to NRC Request for Additional Infonnation Page 64 of130 - on CPSES IPE Submittal
) HRA Question 11:
- The modification of screening HEP for post-initiator Cp human events is unclear. On page 3-178 of the submittal it states that "If it was found that these His were significantly
- !
< important in terms of their contribution to core damage frequency, these HIs were requantified using an expertjudgement approach." Does this mean that the HEPs assigned to post-initiator Cp human events were modified? If so, please describe the expert judgment process and the extent to which HEPs would be modified. Provide an example illustrating the process.
Response
Fully in line with the approach advocated in SHARP / SHARP 1, upon completion of the l screening process discussed above, potentially risk significant His are subjected to a process i of re-evaluation. A preferred approach is to make use of plant specific data already available or to be generated by virtue oflaunching a simulator data collection and interpretation program. At the time ofinitiating CPSES IPE/HRA, only a limited number of simulator runs l were available. Hence. it was necessary to look into alternatives. One such alternative was 4-use of an expertjudgement method.
! The expert judgement method employed consisted of the following principle elements:
! The principal TU Electric HRA analyst, with background in plant operations :
including the SRO license, in conjunction with a consultant from APG, human reliability specialists, generated detailed descriptions of each Hl. The descriptions included clear definitions of boundary conditions, accident sequence dependencies as well as time windows available. Overall, the two acted as facilitators for the whole process. :
Two highly qualified Senior Reactor Operator (SRO) Training Instructors were ;
selected as experts. Expert A worked as an instructor between 1981-1988, as a Unit Supervisor 1988-1989, and SRO instructor since. Expert B worked as an auxiliary operator 1982-1984, Reactor Operator (RO) 1984-1987, Operations Specialist 1987-
, 1990, SRO instructor since. In addition, Human Performance Evaluation System i (HPES) coordinators were consulted.
i l
I l
I i j A i i
- Attachment 1 to TXX-96390 Response to NRC Request for Additional Information ,
Page 65 of130 on CPSES IPE Submittal 3
Upon ensuring that characterization of His selected (ten CP His overall) was unambiguous, facilitators presented the above referenced descriptions and entered ;
j into a discussion focusing on specific difTiculties the instructors may have observed j during the simulator runs. Subsequently, the facilitators ensured independence i between the instructors and provided them with probabilistic scales as recommended 4
by Comer et. al. [ Reference J]. Estimation included upper and lower bounds as well as an average value. !
i
- The direct estimation method, as defined by Comer, was employed by the facilitators.
' The example chosen for illustration purposes is HI, designated as RC&8000 A and B, when the operators fail to open block valve when manually opening PORV. This HI needs to be ' i split into different His for different accident scenanos. .i When the PORV is being manually opened in order to reduce pressure, if the block i valve is closed, the operator will not see expected pressure reduction. This in turn .
will necessitate an examination first by the same operators and subsequently by other j operators. Both experts estimated average HEP value at 1/1000 with a band in between 1/500 and 1/2000. l l
In the event of a transient, the operators are instructed to open the block valves to !
allow auto opening ifnecessary. Expert A estimated average HEP value at 1/100 with ;
j a band 1/50 to 1/200. Corresponding Expert B estimates were: 1/200,1/100 and j l 1/500. For ATWS, these estimates would have been optimistic had it not been for a l L cue in the emergency boration procedure to verify that the primary coolant pressure is below 2335 psig. ;
i Given loss of main feedwater, there is a specific step in the procedure that demands i operators to check the status of the PORVs and block valves. Both experts arrived at average HEP value of 1/5 with a band in between 1/10 and 1/l, The principal ;
~
reason for these estimates to be higher was a lack of a cue to alert the operators to i switch attention from the secondary to the primary side.
4
. - - ~ . . _ - . -.- _. _ .. ._ - . - .- - - - .
1 l
Attachment I to TXX-96390 Response to NRC Request for Additional Information H Page 66 of 130 on CPSES IPE Submittal -!
l HRA Question 12: l Some post-initiator Cp human events appear to have llEPs other than those presented in the )
decision trees. From Figure 3.3.3-2 of the submittal, one can see that the range of HEP screening values is~ 1.0 to SE-2. In the list of dynamic actions modeled given on page 3-195, l event "&BFXXINITNY"(Operator fails to initiate feed and bleed) has a value of 1 E-3. Was this event's value determined using Figures 3.3.3-2, and if so, please describe the process j used to determine this value. If the event's value was determined by some other process,
[ please describe this process and explain how the value was obtained. Which of the other j human action events were quantified using methods different from the decision trees and .
{
how were they quantified?
Hesponse: i 4
The values listed on page 3-195 are the final values arrived at the conclusion of the quantification i h process. Hence, it is only to be expected that some values would be different from those at the l l conclusion of the screening process. Specifically, Ill &BFXXINITNY was re-evaluated using the ;
expert judgement described above. In addition to &BFXXINITNY and RC&8000, the following l 3
His were subjected to the expertjudgement process:
- ACHSTART (operator fails to manually actuate standby chilled water pump;
- RCAVM8000AFY (operator fails to close MOV l-8000A);
- &CRACSNY ( operator fails to manually trip emergency safeguards actuation system upon
- exceeding control room equaiization temperatures);
i:
. -. . &SGLXAFWXNY (operator fails to control auxiliary feedwater flow to 4 steam generators);
l
- * CIBRESETSINY (operator fails to re-establish instrument air following "S" signal);
- &RCXX01 (operator fails to realign CCPS, SIPS and RHPS to recirculation);
- &SGTR01'(operators fail to isolate break flow on steam generator after 2 hrs).
e I
- -. . . . _ - . - _ . . . . ~ .. .-
i f
Attachment I to TXX-96390 Response to NRC Request for' Additional Information -!
Page 67 of 130 - on CPSES IPE Submittal HRA Question 13:
v i
The submittal is unclear on the quantitative approach used for post-initiator recovery (Ca) l human events. On page 3-190 of the submittal it states that "the quantification of these !
recovery actions consisted of an interview of an expert with the results interpreted by decision trees. Two decision trees from SHARP 1 were used in the recovery analysis. One was for detection and diagnosis (Pi ) and the other was for auxiliary operator action (R )." l Please provide a detailed description of how this approach was used to quantify post-initiator -
Ca human events. Please be sure to:
i I (a) Describe what plant-specific performance shaping factors were used during the [
quantification of the human error, along with the values of the factors. ;
(b) Describe how dependencies were addressed and treated in the post-initiator Ca HRA l such that important accident sequences were not eliminated. .
- (c) Illustrate the quantification process and treatment of dependencies with examples i
from the IPE.
j Response: .
i The approach to the evaluation of recovery actions was developed in the EPRI sponsored
- project RP-3206-03. It v.as documented in Reference F. Parts of this report are abstracted . ;
and reproduced in the SIIARP1 report. Reference D provides an overview of the EPRI ;
$ sponsored recovery analysis methodology (EPRI Recovery Methodology). The framework I for the analysis consists of the following tasks (Attachment 7 to TXX-96390, " Figure HRA-Q13-1"): )
- Diagnosis & Identification of Recovery Actions; )
- . ' Transit of Plant Personnel to Equipment Location;
. Access (if required);
. Obtaining Special Equipment (if required);
- Special Suit Up (if required);
- Diagnosis and Assessment of Equipment Status (if required);
e Arrival of Other Plant Personnel (if required);
. Perform Recovery Task.
I
F P l
l Attachment I _to TXX-96390 Response to NRC Request for Additional Information Page 68 of 130 ' on CPSES IPE Submittal i
' The EPRI recovery methodology recommends four stages: (a) Identification and description f of potential recovery actions, with an assessment of allowable time windows, followed by f
, a feasibility analysis; (b) Data /information collection and estimation of probabilities of. !
- selected recovery actions; (c) Incorporation of quantified values into sequence cut sets or l scenarios;(d) Internal review. -
l ,
i The EPRI recovery methodology incorporates several generic empirical recovery curves for k selected equipment, i.e. diesels, pumps and valves. These were taken from NSAC-161 j [ Reference K]. :
e i
- Wherever possible, use was made of NSAC-161 data combined with assessed plant specific l time windows. The NSAC data was taken to encompass the Detection, Diagnosis and Decision (DDD) aspects in the recovery of equipment. The transit time aspect was covered
- by virtue of reducing the available time with the transit times. The need to recover auxiliary feed pumps, diesels, electric buses, component cooling and service water systems would be l well within operator capability to deduce from the control board displays. j In cases where data was unavailable, use of made of decision trees with estimates provided l
. by the expert judgement approach. The expert consulted had impressive qualifications: (a) l Auxiliary operator for 3 1/2 years; (b) Reactor operator for 11 1/2 years; (c) Senior reactor operator for 5 years.
The TU Electric IIRA analyst, with background in plant operations including the SRO l license, in conjunction with a consultant from APG, human reliability specialists, led the
~
expert through the details of the following scenarios: loss of all component cooling water; loss of all service water; and station blackout.
For the total loss of component cooling water (CCW) the following framework was used:
. .Many alarms on the same panel provide indication for CCW loss. The operators are i exposed to CCW loss scenarios on biannual basis. The immediate action is to restart '
~
the tripped pump. If unsuccessful send an auxiliary operator (AO) to check status of the failed pump. Another AO is sent to check the electrical bus. The RO is advised to trip the plant and enter into EOPs. Swing unit supervisor assumes responsibility I to recover CCW. j
~
Attabhment I to TXX-96390 Response to NRC Request for Additional Information
. AO transits to equipment location.
. Uses key card to gain access. l
. No special equipment required. l
. No special suit required.
. AO checks pump for physical damage. AO at breaker cabinet checks for tripped l relays and will change breaker if necessary. i
. Electrical (E) and Mechanical (M) personnel are dispatched if failures not recovered ,
by AOs. Some modes of failure are recovered within two hours.
. In recovering a system function, it might be necessary to restart the pump or even realign, say, CCW to the opposing service water system. In the first case, use was made of NSAC data. Non-recovery probability for a pump is 0.3. Whereas, in the latter case the expert assigned probability of 0.1. ,
The EPRI recovery methodology distinguishes between DDD and Execution phases. In the :
CPSES IPE IIRA, the two were lumped together resulting in a modified decision tree. The tree headings were: (a) Man-machine interface (alarms and indicators); (b) Access to equipment; (c) Complexity of task getting the equipment to operate; and (d) Environmental conditions.
No post-initiator CR was eliminated. The dependencies were explicitly addressed by the structure of decision trees and implicitly by either the expert or NSAC data. The times U
available were long. The expert viewed control room indications as clear. These resulted in dependencies being regarded as minimal.
1 Appendix B of reference F contains two case studies (a) and (b).
(a) Recovery of the CCW system and associated equipment, in particular recovery actions
, consisting of restart of the failed pump, replacing its breaker, and other minor repairs. t
~ (b) The CCW system was postulated to be unrecoverable. The pumps provide cooling to the charging pumps which provide cooling to reactor coolant pump seals. Recovery action is
- alternate actions of cooling the charging pump through the fire water system.
Case study (a) provides an excellent example of support of the recovery methodology !
applied in the CPSES IPE lira.
i a
b
, p -
p
.n- -
l 1
Attachment I to TXX-96390 Response to NRC Request for Additional Information -
Page 70 of130 on CPSES IPE Submittal
- HRA Question'14: ;
1 It states on page 3-190 that after final quantification, additional recovery actions were
' identified. Please provide the following information concerning these additional recovery i
actions:
(a) List and discuss the recovery actions credited in this phase. !
(b) - Describe how it was ensured that appropriate dependencies were considered in !
l applying recovery actions in this phase.
(c) ~ Discuss any sequences / cut sets to which a second recovery action was applied.
1 Response: ;
3 As a result oflogic tree requantification, there was a shift in ordering of dominant sequences. .
- This necessitated a review of some sequences with attendant feasibility considerations for ,
additional recovery actions. The process for examining those was identical to that described l above.
e f
O f
9
?
i
t t Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 71 of130 on CPSES IPE Submittal HRA Question 15:
i
. The submittal is not clear on how "available" time was calculated for the various post- :
initiatm human events. Please discuss how the total available time for an action (diagnosis ;
and execution) was generally determined, e.g., MAAP runs. Then, for several of the post-initiator human events
- examined, provide: .
.(a) - The time estimated to be available for the operator to diagnose and perform the [
action and the bases for the time chosen. ' Please illustrate that the time at which operators would receive " cues" and indications in the control room regarding an event was taken into account. In other words, significant time can pass before -
operators will be alerted to certain conditions. Please illustrate that this factor was .j considered in determining the time operators would have available for diagnosis and !
perfonnance of a task.
(b) Examples illustrating that different times were calculated for the same task occurring -
in different sequences.
- In selecting the events to be used for examples, please select actions which vary in terms of when operators would be expected to receive relevant indications that a particular situation existed.
Response
Allowable times were primarily assessed by virtue of employing a variety of established transient analysis computer codes such as MAAP and RETRAN. In addition Reactor Vendor (Westinghouse) estimates were used. Some limited T-H hand calculations were also performed.
A good example, uaing MAAP,is Analysis of Station Blackout with Failed Turbine Driven Auxiliary Feedwater (TDAFW) Controls. Flow controls may fail when the power is transferred to battery power and air accumulators. Should this happen, the feedwater is pumped into the steam generators (SGs) at maximum power capacity. This will eventually cause the SG to overfill. At that time, loss of the TDAFW pump is postulated. i i
Attachment I to TXX-96390 Response to NRC Request for Additional Information I Page 72 of 130 on CPSES IPE Submittal 1
The objective of MAAP analysis performed was to determine time to core uncovery for those !
types of sequences. Figure HRA-Q15-1 (Attachment 8 to TXX-96390) provide plots of key -
plant variables versus time. The main finding is that overfill takes place at around 3000 secs; l
steam generator dryout around 16000 and core uncovery around 18000 secs or 300 mins.
l There are many sequences like this one which illustrate ample time available for operator ;
actions. Tables lira-Ql5-1 (Attachment 9 to TXX-96390) and HRA-Q15-2 (Attachment :
- 10 to TXX-%390) provide summaries of MAAP runs performed in support of the IPE HRA f
effort.
i Table llRA-Q15-1 provide a summary of MAAP runs for transient initiators with no ,
feedwater as well as cases with 4 hrs of turbine driven auxiliary feedwater. Table HRA-Q15-2 provides a summary of MAAP runs for representative accident sequences. Simulations of the steam generator tube ruptures were performed using the RETRAN 02 computer code.
A sequence of events time line is illustrated in Table HRA-Q15-3 (Attachment 11 to TXX-
- 96390). Table HRA-Q15-4 (Attachment 12 to TXX-96390). summaries key points in the ;
transient plots while Figures llRA-Ql 5-2 and 15-3 (Attachment 13 to TXX-96390). illustrate ]
l pressurizer pressure and pressurizer level versus time. ;
A good example of Westinghouse generated transient analyses, which resulted in vendor recommendations, is Westinghouse Owners Group Emergency Response Guideline FR-H.1
" Response to Loss of Secondary Heat Sink". l Feed and bleed cooling, given total loss of feedwater, is to be initiated when the wide range
]
level in any three SGs drops to less than 27% of span or when the total mass is l approximately 5000 lbm. This cond! tion is reached in 30+ minutes. Figure HRA-Q15-4 (reproduced from FR-il.1) (Attachment 14 to TXX-96390) illustrate that for plants like CPSES, Feed and Bleed can be successfully initiated before or even shortly after the steam I
- generator dryout occurred if the PORV flow rate is greater than 420,000 lbm/hr/MWt. One j centrifugal charging pump and two pressurizer PORVs must be available for feeding and
.)
, bleeding respectively. j i
i 4
rye ..e - c-- , , . - - - - , - . . ,, -
l 8 t
Attachment 1 to TXX-96390 Response to NRC Request for Additional Information i Page 73 of130 on CPSES IPE Submittal HRA Question 16: - ;
4 The submittal is unclear on how the time required to perform particular actions was ,
determined. For example, were times calculated from simulator exercises or from walkdowns? For each post-initiator human event examined, provide the time needed for the operator to perform the actions (in-control room and ex-control room) and the time assumed to be available for the operator to diagnose the need for the actions. Also provide the bases for the times chosen. That is, how was the time assumed to be necessary to perform the needed action determined and how was the diagnosis time determined?
Response
Times required to perform operator actions were estimated in a number of differmat ways depending whether a screening evaluation, CP evaluation or a recovery is conducted.
The extensive background of the TU Electric analyst, discussed above, was a primary vehicle for estimations during conduct of the screening process. Typically, the time required for an operator action was small compared to time before irreparable equipment or core damage would occur. Simulator runs or walkdowns were not deemed necessary. It should be remembered that the screening approach used two states: (a) Adequate time; and (b) Time was limited, l
For CP evaluations, estimates combined diagnosis with execution time. During the simulator !
)
runs, it was ollen experienced that the operating crew would announce their diagnosis ahead !
of the procedure use. Hence, it becomes an issue how to handle the split-up between detection, diagnosis, decision making and an execution. The approach adopted was to take the time for detection, diagnosis and decision making as the time from the key alarm indications to the first action as the D3 contribution and the first action is subsumed into this time. Diablo Canyon simulator data were closely examined. It should be noted that in the l ORE project referenced above, Diablo Canyon was the plant for which most simulator data was obtained.
In prior limited CPSES simulator runs, close similarities between Comanche Peak and i Diablo crews were established. This background plus the TU Electric HRA analyst l experience provided necessary confidence, it should be pointed out that the HRA analyst was l
i-Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 74 of130 on CPSES IPE Submittal in simulator training on a regular basis to retain his license.
- For recovery actions, either plant walkdowns were conducted or the times were estimated using plant layout drawings. This is compatible with the procedure established in the EPRI sponsored recovery report referenced above for feasibility considerations. Both the TU Electric analyst and the consultant participated in walkdowns. ,
l 1
i i
i 1
l l
1 l
. , . . .anu ..a.-.a+ .- ax- .u n - a n. a-1 Attachment I to TXX-96390 ' Response to NRC Request for Additional Information-Page 75 of130 on CPSES IPE Submittal HRA Question 17:
l The submittal is unclear on how the HRA was performed for the flooding analysis. Please !
describe the HRA process used in the flooding analysis and provide the following: ,
(a) Example calculations of all types of human actions considered in the flooding analysis.
(b) A list of the human actions modeled in the flooding analysis and their HEPs.
Response
Section 3.3.8 of the main report provides an overview of the internal floods methodology -
employed as well as the results obtained. The HRA portion of the methodology consisted of i three parts: (a) Initial screening analysis; (b) Second screening which includes those "Ex- i control room" Human Interactions (HIs) not affected by the flood scenarios; (c) Third :
screening which credits "Ex-Control room" HIs following flood mitigation.
In the initial screening analysis all His identified were quantified by postulating an ultra-conservative value of unity (the operators would not perform the task). This is true for all ex-i control room His as well as in-control room HIs for those flood scenarios initiated in the control room or propagated through the control room.
In the second screening or refined quantification process ofpotentially risk-significant flood scenarios, the His were reviewed from the standpoint ofidentifying those unaffected by the flood scenarios. Those unaffected, modeled in the functional fault trees, were assigned HEPs as assessed in the HRA for intemal events. For the remaining ex-control room HIs, a multiplication factor of two was applied to reflect a THERP recommended multiplier for moderate stresses. In other words the original (mainstream HRA) values were doubled. This factor, which allows for hesitancy and/or confusion, applies to the His associated with mitigation of break flow by virtue of tripping the pumps, closing valves based on flow, rates, sump alarms, level alarms etc. It should be pointed out that the operators have four possible options for exiting the control room: (a) Normal stairwell; (b) Second stair well leading to the switchgear room and out to the main corridor that leads between the Safeguards and Turbine Buildings; (c) The doorway out onto the turbine building roof which leads to several turbine building stairwells; and (d) Through a normally closed and sealed door at the back
. . - - . . -- . -- - = - - . -. _ .. ..
d 1
i
' Attachment I to TXX-96390 Response to NRC Request for Additional Information !
Page 76 of130 on CPSES IPE Submittal of the control room that leads into the auxiliary building corridor.
3-In the third screening comprising several flood scenarios, a 30 minute mitigation assumption :
was postulated. This assumption, based on TU Electric " System Interaction Program's"
. intemal flooding analyses for areas containing safety related equipment, limits duration of j flood flow and the resultant volume of water released and affected components. .
I
\
Each building has its own dedicated building auxiliary operator whose duty is to perform routine plant surveillance, monitor and manipulate equipment at the discretion of the control- ;
j room operators. Both security and fire watch brigades are required to routinely monitor every area within the plant. Additionally, the plant has its normal complement of personnel
- providing maintenance, inspection and other tasks who are trained to report any unusual l occurrence. The operators in the control room are alerted to flood conditions via sump and I
drain tank alarms, system tank level alarms, and system flow and pressure alarms. A factor
- was added to each cutset to reflect failure to terminate the break within the time allotted and
' was assigned a probability of 1 E-01 based on the screening methodology for human recovery
. actions used in the main stream lira. Ills outside the control room were evaluated l
! consistent with the criteria stated above for the second screening or refined quantification l process.
l For internal floods, the basic events file was modified to change all ex-control room actions to 1.0 prior to scenario quantification. S'equence cutsets were reviewed and based on the scenario, those actions were either changed to the modified HI value shown below or left as I 1.0. The following list provides those HIs found in the cutsets and their values.
e
, Human Aq1 ion IPE Value Flood Value 4
4 &CHTROTTLE 3E-01 1.0 AFTDMAN 1E-02 2E-02 or 1.0 CISTARTX SE-02 SE-01 or 1.0 i CISTARTX01/02. IE-01 1.0 i
CS@SSWRECOV - IE-02 2E-02 or 1.0 )
, CSHCV182' 5E-02 lE-Ol or 1.0 I l EPIPC1/2/3/4PP IE-02 1.0
&TWMANUAL lE-01 1.0 e - . - . - - - , __. . - - . , . - - - , . .
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 77 of130 on CPSES IPE Submittal HRA Question 18:
The submittal is unclear on how the HRA was performed for the Level II analysis. Please describe the HRA process used in the Level II analysis and provide the following:
(a) Example calculations of all types of human actions considered in the level II analysis.
(b) A list of the human actions modeled in the level II analysis and their HEPs.
Response
No HRA was performed for the level II analyses. HEPs were assigned values of unity.
=- __
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 78 of 130 on CPSES IPE Submittal Questions for Level 2 Review References for Responses to Level 2 Questions:
[1] II. da Silva, " Individual Plant Examination Submittal: Comanche Peak Electric Station Volume II: Back-End Analysis." RXE-92-01B, October,1992.
[2] Z. Mendoza et. al., "Gener.c Framework for IPE Back-End Analysis Volume 1: Main Report," NSAC/159, October 1991.
[3] Attachment 15 to TXX-96390, " Probability Analysis for Off-Site Power Non-Recovery Events" Level 2 Question 1:
RCS Depressurization - The RCS depressurization mechanisms considered in th: IPE include stuck-open SRV, RCP seal failure after core damage, steam generator tube rupture, hot leg / surge line failure and operator action. According to the IPE submittal, RCS depressurization is dominated by operator actions. However, the values used for these mechanisms are not provided in the submittal. Please provide these values and discuss their basis.
Response
The logic tree describing the RCS depressurization, top event DP, is given in Figure 4.5-2 of[1]. As discussed at the top of Section 4.5.2 [1], there is one containment event tree (CET) per plant damage state (PDS), for which the containment is not bypassed and is successfully isolated during core melt. Therefore, there is one DP logic tree for each of these PDS. Thus, the requested information, namely the BE probability values, are provided for each of these PDS: 1,2,3,4,5,6 (E, F, H) and 3 & 4 SBO. It is acknowledged that an miement of subjectivity necessarily exists in some of these basic events (BE) probability values. For that reason, a sensitivity study was conducted, in order to evaluate the robustness of the overall results. As discussed in 4.6.3.2 a of[1], the top event probability DP is dominated by operator action so that this subjectivity does not dictate the overall
I Attachment I to TXX-96390_ Response to NRC Request for Additional Information'.
Page 79 of 130 , on CPSES IPE Submittal ,
conclusions. !
l t
bcic Event Probabilities for Top Event DP for PDS 1 & 2 (E. F. Hi i
The BE for this tree are seen in Figure 4.5-2 [1]. For the DP top event, most BE probabilities ,
are PDS-wise the same? Therefore the rationale for each of these BE probabilities is discussed under ;
the same heading, where appropriate.
l Since these PDS are small LOCA PDS, by definition the probability that the RCS is at l
medium pmssure at vessel failure is one, and the probability that it is at high pressure is zero. Thus, j "the BEs on the high pressure side of the tree (ANDed with QHP=0) are irrelevant for these PDS. l The relevant BE probability values are: j t
I (a) QMP: SEQUENCE IS A MEDIUM PRESSURE PDS ]'
Is defined:
OMP- 1E.1F.11t2P 7F.2H = 1. and l l
(b) QHP: SEQUENCE IS A HIGH PRESSURE PDS Is defined:
OHP- 1E.1F.1H.2E.2F.2H = 0.
Also:
(c) PRHLSLOKl: HOT LEG AND SURGE LINE REMAIN INTACT Is defined:
PRHLSLOK1- 1E.1F.1H.2E.2F.2H = 0.95 Although high pressure sequence calculations using STCP (NUREG/CR-4624) show RCS gas temperatures approaching 4000 F for high pressure sequences, threatening the hot legs, plant and sequence-specific MAAP calculations show much lower temperatures around 600 F for these small break LOCAs, where the pressums are lower. Since the natural circulation mechanism that induces these failures typically occur at high pressures and since these PDS are for intermediate pressures, and in'LOCA situations where the natural circulation is likely to be disrupted, the engineering judgement is made that this event is likely to very likely. This was translated
-- numerically to OSS per TABLE 5-1 of [2].
- ' E e
Attachment I to TXX-96390 Response to NRC Request for Additional Information '!
Page 80 of 130'- on CPSES IPE Submittal j And: ;
L (d) HOP:DP OPERATOR FAILS TO DEPRESSURIZE RCS l I
i is defined -
! HOP-DP- 1E.1F.11L2R2H = SES !
! HOP-DP- 2F = 9E-1 h These values are obtained by a weighed average of the frequencies of the functional !
4- ~ sequences binned into each PDS. These are shown in TABLE 4.3-3 of [1]. The weights are: (a) the l
- Level I screening value of SE-2 (since the action is proceduralized) for those functional sequences - ;
- where the equipment for depressurization is available, and, (b) 1.0 when any needed equipment is l unavailable. The availability of equipment needed for depressurization was determined by Level !
$ I analysts based on an examination of the cutsets in each functional sequence. The results above -l indicate that only for PDS 2F were there functional sequences where equipment needed for ;
- . depressurization was unavailable. That sequence was SCM1 which had a frequency of1.49E-6. The :
- other sequence binned into 2F was ISCM1 with a frequency of 2.14E-7. The weighted average ,
, approach is thus applied as follows: i
! IlOP-DP - 2F = [(1.49E-6)x1.0 +(2.14e-7)x0.05]/[(1.49E-6)+(2.14e-7)] = 0.9 l 4 l g Basic Event Probabilities for Top Event DP for PDS 3 AND 4 (E. F. Hh The basic events (BE) for this tree are seen in Figure 4.5-2 [1]. For the DP top event, most i BE probabilities are PDS-wise the same. Therefore the rationale for each of these BE probabilities ]
is discussed under the same heading, where appropriate.
PDS 3 and 4 lead to RCS' pressures at vessel failure above 2000 psia range, which is ;
considemd high. Bin 3 holds sequences where there is early core melt. This results from failure of AFW at the time of reactor trip and/or failure of the ECCS to inject. Bin 4 holds sequences where there is late melt. This results from ECCS failure at recirculation having successfully injected and sequences where AFW is available for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
In these high pressure PDS cases, by definition the probability that the RCS is at medium
- pressure at vessel failure is zero, and the probability that it is at high pmssure is one. Thus, the BEs on the medium pressure side of the tree (ANDed with QMP=0) , in this case only PRHLSLOK1,
1 Attachment I to TXX-96390 Response to NRC Request for Additional Information
. Page 81'of 130 on CPSES IPE Submittal i . are irrelevant for these PDS. The relevant BE probability values are:
~
i (a) QMP: SEQUENCE IS A MEDIUM PRESSURE PDS l i Is defined:
l OMP- 3E.3F.3H.4E.4F.4H = 0.0 and i !
- ~ (b) QHP
- SEQUENCE IS A HIGH PRESSURE PDS !
l .
Is defined: .
1 OHP- 3E.3F.3H.4E.4F.4H = 1.0 t i i t
2 i And:
(c) HOP:DP OPERATOR FAILS TO DEPRESSURIZE RCS Is defined:
l HOP-DP- 3E.4E = 1.0 l l HOP-DP- 3H = 0.73 i
HOP-DP- 3F = 0.17 HOP-DP- 4H = 0.95 i
- HOP-DP- 4F = 0.99 i i- i i The weighed average method discussed for the Small Break LOCA PDS was applied here as well. ,
. i l
(d) PRSGOK: STEAM GENERATOR TUBES DO NOT RUPTURE
! Is defined: )
PRSGOK- 3E. 3F. 3H. 4E. 4F. 4H = 0.98 The following discussion is taken from page 5-9 of[2]. Steam Generator tubes do not rupture before hot leg failure occurs. The Steun Generators heat up after the hot legs and surge line because they are downstream of those areas. This BE is assigned the probability 0.98 which is higher than j the hot leg probability given below. NUREG-1150 assigned a range of 0.995 to 0.95 for the BE. 1 (e) PRSEALOK: RCP SEALS REMAIN INTACT Is defined:
PRSEALOK- 3E. 3F. 3H. 4E. 4F.4H = 0.7 RCP seal performance is somewhat factored into the PDS definition. In the case of PDS 3 and 4 RCP seals are either intact or their leak rate is not sufficient to bring the pressure below 2000
)
l
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 82 of 130 on CPSES IPE Submittal psia before core uncovery (60 GPM/PMP or 0.6 inch diameter equivalent). However, it should be noted that the seal performance factored into the PDS definition is prior to core damage. After core damage the seals are exposed to much higher temperatures (~800 F) for an increased time period.
Therefore, the probability that they might still remain effective i.e. allowing leak rates ofless than 60 GPM/PMP isjudged to be indeterminate and is assigned the value of 0.7 per TABLE 5-1 of [2].
Based on [2], NUREG-1150 used 0.3 for Surry, but the better Westinghouse seal design justifies an increase.
(f) PRCSRVS: SRV ARE NOT STUCK OPEN Is defined:
PRCSRVS- 3E. 3F. 3H. 4E. 4F. 4H = 0.7 As for PRSEALOK, PORV and SRV performance prior to vessel failure (VF) are already factored into the PDS definition. It is also assumed it is indeterminate whether these valves may stick open between core damage and vessel failure. This leads to the value of 0.7 (g) PRHLSLOK: HOT LEG AND SURGE LINE REMAIN INTACT GIVEN RCS IIIGH PRESSURE Is defined:
PRHLSLOK - 3E. 3F. 3H. 4E. 4F. 4H = 0.3 Plant-specific and PDS-specific MAAP calculations show temperatures around 1600"F
(~1200"K , see Figure 4.6-14 of[1]). Given these temperatures and since the natural circulation mechanisms that induce these failures typically occur at high pressures, and since these PDS are for high pressures it is assumed that the probability that the hot leg or the surge line do not fail is unlikely i.e. 0.3 to 0.05 per TABLE 5-1 of [2]. A similar discussion supporting this same range is given in page 5-9 of[2].
(h) PRHLSLOK2: HOT LEG AND SURGE LINE REMAIN INTACT GIVEN A MEDIUM RCS PRESSURE Is defined:
PRHLSLOK2 - 3E. 3F. 3H. 4E. 4F. 4H = 0.5 This is a situation where the pressure is higher than the small break cases (PDS 1 &2 ) in the medium pressure range (ANDed with QMP=1) but where pressures are lower than in the situation discussed immediately above. Therefore, the likelihood that the hot legs or surge line will fail is judged to be less than the case where the RCS is near the SRV set point (0.3, above), but more than the medium pressure PDS cases (0.95, for PDS 1 & 2). This event is therefore assumed of
Attachment I to TXX-96390 Response to NRC Request for Additional Informaticn Page 83 of130 on CPSES IPE Submittal indeterminate likelyhood and the failure probability of this event is assigned a probability of 0.3 to 0.7 perTABLE 5-1 of [2].
Basic Event Probabilities for Ton Event DP for PDS 3SBO AND 4SBO PDS 3SBO and 4SBO,just as the Transient PDS 3H and 4H, lead to RCS pressures at vessel failure above 2000 psia range, which is considered high. Bin 3SBO holds sequences where there is early core melt. This results from failure of all AFW at the time of reactor trip. ECCS is not available in either of the station blackout PDS, so that only the RCS inventory ends up in )
containment leading to a PDS much similar to PDS 3H, with the exception of the possibility of recovery which is higher here. Bin 4SBO holds sequences where there is late melt. This occurs when the turbine driven AFW is available for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, failing after that due to depletion of unreplenished air supply to the turbine controllers.
I As in the previous high pressure PDS cases, by definition the probability that the RCS is at medium pressure at vessel failure is zero, and the probability that it is at high pressure is one. Thus, ;
the BEs on the medium pressure side of the tree (ANDed with QMP=0) , in this case only PRHLSLOK1, are irrelevant for these PDS. Furthermore, the relevant BE probability values are the same as those for PDS 3 & 4 (E, F, H) except for the following:
(a)llOP:DP OPERATOR FAILS TO DEPRESSURIZE RCS is defined:
IIOP-DP- 4SBOHR = 1.0 HOP-DP- 3SBOHR = SE-2 These probabilities are obtained as by the weighed averaging discussed under PDS 1 & 2 (E, F, H).
Basic Event Probabilities for Ton Event DP for PDS 5 AND 6 (E. F. Hh Core damage bins 5 and 6 hold large break LOCA sequences. Bin 5 holds sequences where the ECCS fails at injection leading to early core melt and bin 6 holds late melt sequences due to failure at recirculation. Containment safeguards bins reflecting containment sprays on during injection only (E), injection and recirculation (F) and failed (H) are combined with core damage bins 5 and 6 to form the PDS considered in this Section.
i Attachment 1 to TXX-96390 Response to NRC Request for Additional Information j Page 84 of130 on CPSES IPE Submittal ;
For the DP top event all BE probabilities are PDS-wise the same. Therefore the rationale for l these BE probabilities are discussed under the same heading.
i Since these are large LOCA PDS, the probability that the RCS is not depressurized prior to
! vessel failure is zero. There are two BE in this LT which ensure that the DP (top event) probability l
! is indeed zero: i 4 I i :
) (a) QMP: SEQUENCE IS A MEDIUM PRESSURE PDS ,
l (b) QHP: SEQUENCE IS A HIGli PRESSURE PDS i
? :
l This is done by defining: ;
i i
- QMP- 5E,5F,5H,6E,6F,6H = 0. and QHP- 5E,5F,5H,6E,6F,6H = 0.
J >
Having done this, the LT structure itself then ensures that: ;
f
- DP- 5E,5F,511,6E,6F,611 = 0. l The remaining BE for these PDS do not affect the value of DP and are set to 1.0 for computation.
. 4 i
i u
i i
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 85 of130 on CPSES IPE Submittal Level 2 Question 2:
Coolant Recovery Before Vessel Breach -- According to the IPE submittal, the issues considered in the logic tree for CET top event REC (Coolant Not Recovered In-Vessel Before Breach) include (1) the availability of coolant injection upon depressurization, and (2) recovery of electric power. The logic tree (or fault tree) is provided in Figure 4.5-3 of the IPE submittal. Please explain how the values of the various basic events regarding ac power recovery and the recovery of the various injection systems are determined in the IPE.
Please also discuss the value used for basic event PRCOOLDBIV (coolable debris bed not formed in-vessel) and its basis.
Response
As discussed at the top of Section 4.5.2 [1], there is one containment event tree (CET) per plant damage state (PDS), for which the containment .s not bypassed and is successfully isolated during core melt. Therefore, there is one REC logic tree for each of these PDS. Thus, the requested information, namely the BE probability values, are provided for each of these PDS: 1,2,3,4,5,6 (E, F, H) and 3 & 4 SBO. BE PRCOOLDBIV is in the VF logic tree , Figure 4.5-4 of(1], rather than the REC tree, but, per request, its value will be discussed here as well.
Please note however, that although there is an element of subjectivity in the determination of these probabilities, top event VF is only relevant if top event REC is successful, i.e. it acts to reduce the likelyhood of a successful in vessel recovery. Furthermore, top event REC is only allowed to be successful for station blackout PDS 3SBO and 4SBO. Given the small frequencies of these PDS (Table 4.3-3 of[1]) and the small recovery fractions, the influence of any snbjectivity in the final conclusion is largely irrelevant.
Basic Event Probabilities for Ton Event REC & PRCOOLDBIV for PDS 1 & 2 (E. F. H)
This top event deals with the probability of recovering coolant injection prior to vessel failure. It should be noted that any recovery which prevents core uncovery is part of the Level I analysis. Recovery from the Level 11 perspective is that recovery which occurs after core uncovery has taken place. For these PDS,1 & 2 (E, F, H), recovery is presently neglected as seen by the
i i
' Attachment 1. to TXX-96390' Response to NRC Request for AdditionalInformation Page 86 of 130 - on CPSES IPE Submittal '
i choices of BE discussed below. As indicated in Figure 4.5-3 of[1], there are two components to this' top event: j t
. (a) ECCS recovery and >
(b) AC power recovery.
(a) ECCS Recoverv:
It is appropriate to remember that in order to be in one of these PDS, the core must necessarily have uncovered.
i In core damage bin 1, the time between vessel failure and core uncovery is a little over one hour based upon the plant specific MAAP analyses. In these cases, where equipment has failed at :
injection after having been called upon to inject automatically, the recovery from the malfunction !
must involve a repair, as opposed to an operator action. Therefore, recovery in such a short time !
window should not be and is not credited. ;
It should be noted that two other reasons for recovery could exist: (1) The Level I recovery actions failed due to lack of time and (2) passive actuation of RHR could occur if depressurization -
(DP) occurs. Both cases are conservatively neglected for small break LOCA PDS, where ECCS fails l at injection.
In core damage bin 2, the time window between uncovery and vessel failure is a little over 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> based upon the plant specific MAAP analyses. This time is also too short for recovery t actions associated with repairing equipment. However, since these PDS involve failure to switchover to recirculation, there are operator errors involved as well. Therefore, it would be possible to credit recovery when entry into the PDS is associated with operator error. However, l recovery will also be neglected for bin 2 at this time. This is done in the interest of expediency, it is not expected to sacrifice accuracy and is a conservative approximation. If these PDS turn out to be important to the overall risk, it is possible to revisit these BE and to take credit for recovery as outlined above.
)
l In terms of BE probabilities the above considerations imply: i
' SHP-SISI - 1E,1F,1H,2E,2F,2H = 1.0
~ , - - - - . . . - . . . - -- - .. - - . . -
3 l
l
. Attachment 1 to TXX-96390 - Response to NRC Request for Additional Information
~
Page 87 of130 on CPSES IPE Submittal :
- Furthermore, since there are no alternative systems:~ j
- SALT-SISI- 1 E,lF,1H,2E,2F,2H = 1.0 .
Finally it should be noted that the probability that low pressure systems are not recovered 1
would depend on the cutsets, on whether depressurization occurs i.e. whether DP is successful (if -
j depressurization doesn't occur, the vessel fails at a pressure above the RHR shutoff head) and on whether the PDS corresponds to an ECCS failure at injection or recirculation (for ECCS or failure I
. at recirculation the RHR woilld not be recoverable either). In view of these considerations it should i be noted that: ;
i SLP-SISI-2E,2F,2H = 1.0 l I For other PDS its is possible that passive injection of RHR would occur along the path of !
- successful depressurization. However, for the sake of simr'Sity it will be conservatively assumed that: )
i- SLP-SIS 1-lE, IF, lH = 1.0 (b) AC Power Recoverv:
Since some of the cut sets binned in the PDS under consideration may involve loss of AC
' power, namely some induced seal LOCA sequences with leak rates higher than 60 GPM/PMP (0.6 inch) it is appropriate to note that recovery of the fraction of total frequencies which correspond to l- those cut sets would be possible. However, separate PDS have been reserved for station blackout sequences where recovery will be considered. To repeat, in the small break LOCA bins, recovery is not credited. However since power is always available in the small break PDS, the probability that i AC power is not restored or available is postulated to be 0.0 for bins 1 and 2, i.e.:
SACPOWER 1E.1F.1H.2E.2F.2H = 0.0
. (c) Top Event (REC) Probability:
Having defined these BE probabilities as outlined above, the LT structure then ensures that:
- j. REC- IE, IF,1H,2E,2F,2H = 1.
1 4
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 88 of130 on CPSES IPE Submittal l l
along both event tree paths: that of successful, as well as that of unsuccessful depressurization, since .
recovery will not be considered for Small Break LOCA PDS. !
Along the success path of the REC top event, it is also necessary to consider the BE:
PRCOOLDBlV: COOLABLE DEBRIS BED NOT FORMED IN-VESSEL '
However, as noted above and at the top of page 4-136 of [1], the top event VF is on'y relevant if recovery is successful which is only allowed for PDS 3SBO and 4 SBO. Therefore the probability j'11COOLDBIV 1E. IF.1H. 2E. 2F. 2H are NOT RELEVANT I
This probability has no bearing on the VF top event for small break LOCA PDS because it is only significant along the success path of the REC top event, which in this IPE for these PDS has j 0.0 probability. j Basic Event Probabilities for Top Event REC & PRCOOLDBIV for PDS 3. 4.5. 6 (E.F.H)
Considering the discussion for the SBLOCA PDS 1 & 2 (E,F,H) presented above and, based upon the fact the recovery is not allowed for any of these PDS either, it is sufficient to write:
SLP-SIS 1 - 3E,3F,3H,4E,4F,4H,5E,5F,5H,6E,6F,6H = 1.0 SHP-SIS 1 - 3E,3F,3H,4E,4F,4H,5E,5F,5H,6E,6F,6H = 1.0 SALT-SIS 1- 3E,3F,3H,4E,4F,4H,5E,5F,5H,6E,6F,6H = 1.0 SACPOWER- 3E.3F.3H.4E.4F.4H.5E.5F.5H.6E.6F.6H = 0.0 REC- 3E. 3F. 3E. 4E. 4F. 4H,5E.5F.5H.6E.6F.6H = 1.
, Basic Event Probabilities for Top Event REC & PRCOOLDBIV for PDS 3SBO A,4SIlQ l
There are two components to the recovery (REC) top event: l F
i 1
. .- . . . - . . . - . - . - - - ~ .
1 Attachment 1.to TXX-96390 ' Response to NRC Request for Additional Information j Page 89 of130 ~ on CPSES IPE Submittal j
)
. (a) ECCS recovery and j
-(b) AC power recovery. l
- (a) ECCS Recoverv
- ,
These are Station Blackout PDS where lack'of ECCS injection resulted from unavailability l of electrical power to these systems. Therefore the probability of not recovering these systems is f
simply their unavailability as determined in the Level I analysis. These considerations imply very i low values for the following BE probabilities, which are for simplicity assigned a value of 0.0 SLP-SISI - 3SBOIIR,4SBOHR = 0.0 :
SHP-SISI - 3SBOHR,4SBOHR = 0.0 Except for the alternative systems which do not exist, i.e. !
SALT-SISl- 3SBOHR,4SBOHR = 1.0 (b) AC Power Recoverv: f Separate PDS have been reserved for Station Blackout sequences where recovery is considered and the probability that AC power is not restored or available is determined as an j extension of the Level I analysis. Note that for the Level II analysis the time windov' for recovery !
is between the time of core uncovery and the time of vessel failure. The assumption is that recovery j has not been successful up to the time of core uncovery, otherwise it would have been recovery in !
Level 1. Also, recovery after vessel failure is not relevant to this BE. Thus, the time window for recovery of AC powerin-vesselis : f f
I (a) 1.28 hours3.240741e-4 days <br />0.00778 hours <br />4.62963e-5 weeks <br />1.0654e-5 months <br /> between 1.81 and 3.09 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> for 3SBO, and 1'
(b) 1.96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> between 7.81 and 9.77 hours8.912037e-4 days <br />0.0214 hours <br />1.273148e-4 weeks <br />2.92985e-5 months <br /> for 4SBO which are derived from the key times resulting from the CPSES-specific MAAP analyses. l i
i Based upon these time windows, the probability of recovery of power is determined using !
the methodology and the results of [3] which is attached to this response. These results are ;
summarized in the table below:
)
I i
)
Attachment I to TXX-96390 Response to NRC Request for Additional Infonnation Page 90 of130 on CPSES IPE Submittal PROBABILITIES OF RECOVERY OF ELECTRIC POWER (from Table 2 in [3])
1 Event Description Time in Hours Probability of Recovery of Electrical Power [3]
Core Uncovery for 3SBO 1.81 0.7991 Vessel Failure for 3SBO 3.09 0.8956 Core Uncovery for 4SBO 7.81 0.98324 Vessel Failure for 4SBO 9.77 0.99107 Use of these values then results in:
SACPOWER (3SBOHR) = 1 - (0.8956 - 0.7991)=1-0.0965= 0.9035 SACPOWER (4SBOHR1 = 1 - (0.99107 - 0.98324)=1-0.00783= 0.99217 Along the success path of the REC top event however, it is also necessary to consider the BE:
PRCOOLDDIV: COOLABLE DEBRIS BED NOT FORMED IN-VESSEL whose probability is defined:
PRCOOLDBIV- 3SBOHR. 4SBOHR = 0.6 Engineering judgement is used to make the following assumptions that are felt to be both
)
reasonable and conservative: (1) it is unlikely (0.175, mid-range, TABLE 5-I of [2]) that a coolable debris bed will not fonn if power is recovered after core uncovery but before core melt and (2) it is very likely (0.9725, mid-range, per TABLE 5-1 of [2]) that a coolable debris bed will not form if )
power is recovered after core melt but befbre vessel failure. Using these probabilities as weights to J determine the overall probabilities using the time windows obtained in the CPSES-specific MAAP Station Blackout analyses results in the following for each PDS:
(a) For 3SBOHR: I time of(core uncovery - core melt) = 0.58 hours6.712963e-4 days <br />0.0161 hours <br />9.589947e-5 weeks <br />2.2069e-5 months <br /> I time of(core melt - vessel failure) = 0.70 hours8.101852e-4 days <br />0.0194 hours <br />1.157407e-4 weeks <br />2.6635e-5 months <br />
-. - -. - . - -. = - . - - - . - - . . . =- - .-. . .
i i
i Attachment I to TXX-96390 Response to NRC Request for Additional Information !
- Page 91 of130 on CPSES IPE Submittal l Then, PRCOOLDBIV = [(0.175x0.58)+(0.9725x0.70)]/[0.58+0.70] = 0.61 :
(b) For 4SBOliR:
time of(core uncovery - core melt) = 0.94 hours0.00109 days <br />0.0261 hours <br />1.554233e-4 weeks <br />3.5767e-5 months <br /> ' 1 time of(core melt - vessel failure) = 1.02 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> .
Then, PRCOOLDBIV = [(0.175x0.94)+(0.9725x1.02)]/[1.02+0.94] = 0.59 t
h e
i d
e J
i i 4
i
-(
j i
j
. Attachment I to TXX-96390 Response to NRC Request for Additional Information _
Page 92 of130 ; on CPSES IPE Submittal i Level 2 Question 3:-
External Cooling of the RPV -- The fault tree for top event VF (Vessel Failure' Occurs, Figure 4.5-4) includes in-vessel recovery due to lower head cooling via ex-vessel heat removal. It is stated in the IPE submittal that "Ilowever, this external cooling was not -
credited for CPSES. .. This is felt to be a conservative assumption." Since this mechanism may delay, if not terminate, vessel penetration, fission product production and release paths .
are affected (e.g., in-vessel release from a dry debris bed versus ex-vessel release from a
' debris bed covered by water). The release of fission products to the environment may actually' increase if the containment fails and external cooling was accounted for in the wurce term calculation. Please discuss the likelihood of a submerged vessel for the various j
- PDSs (not limited to sequences that satisfy this particular CET branch where VF is j questioned). Please discuss the effect of external cooling on source term definition for the various release categories. Please also discuss the effec; of external vessel cooling (which ;
results in maintaining the RCS at high temperature for a longer time) on the probability of l creep rupture of RCS boundaries and steam generator tubes, and consequently, the effect on ;
containment performance and source terms for CPSES. l l
Rispense:
(a) Likelihood of Submerged Vessel for the Various PDS PDS 1E. 2E.1E,AE.JE.fE There are no sequences binned into these PDS as shown in Table 4.3-3 of[1]. Therefore, the likelihood of a submerged vessel for these PDS is irrelevant.
PDS 1H. 311. SIL 3SBO. 4SBO These are PDS where there was failure of ECCS and of containment spray in the injection phase. Therefore, the RWST was not injected into the containment. In these PDS, even including the large break LOCAs whoc all four accumulators inject successfully, the water level in the cavity barely touches the ver.,el if at all. That is not enough for ex-vessel cooling, which therefore is not
. possible for these PDS.
L
I Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 93 of 130 on CPSES IPE Submittal PDS 1 F. 2F. 3F. 4F. 5F. 6F These are PDS where the containment spray is successful both during injection and recirculation. In the case of CPSES, ex-vessel cooling is possible in all cases. However, since the -
containment spray is working in all these PDS, the containment will remain intact and there is no unscrubbed release possibility. Therefore, ex-vessel cooling is irrelevant for these PDS as well. The induced steam generator tube rupture (ISGTR) issue is addressed in a separate heading.
PDS 2H. 4H. 6H These are PDS where ECCS injection is successful but fails in the recirculation phase and containment sprays fail to inject. In these cases, the RWST is injected into the containment and for CPSES that means that ex-vessel cooling is possible. The concern that," in-vessel releases from a dry debris bed, might have been accounted for as ex-vessel releases from a debris bed covered by water," only applies to these PDS and is discussed below under the heading: "Effect of External Cooling on Source Term Definition for the Various Release Categories." ISGTR concems are addressed in a separate heading.
(b) Effect of External Cooling on Source Term Definition for The Various Release Categories Based on the discussion of the previous section, it is clear that this discussion is only necessary for PDS 2H,4H,6H.
PDS 2H. 4H. 6H The combined frequency of these PDS binned into release category (RC) X, which corresponds to "ex-vessel releases from a debris bed covered by water" is, from Table 4.7-2 of [1]:
1.2E-7 + 2.17E-7 + 5.75E-7 = 9.12E-7. This total corresponds to only 2% of the core damage frequency, as shown in Figure 7.1 of[1]. Instead of changing the source term definition for RC X, the effect of ex-vessel cooling can be evaluated in a bounding way if, instead of binning these sequences into RC X, they were to be binned into RC VI. RC VI corresponds to an unscrubbed core-concrete interaction (CCl) release and is worse than an "in-vessel release from a dry debris bed".
If this were done, the total frequency of RC VI would go up from 2.03E-5 to 2.12E-5. That increase
-does not afTect any of the IPE conclusions.
1
Attachment I to TXX-96390 Re:,ponse to NRC Request for Additional Information Page 94 of130 on CPSES IPE Submittal (c) Effect of External Vessel Cooling on The Probability of Creep Rupture of RCS Boundaries and Steam Generator Tubes These concerns apply only to high pressure PDS, where the RWST injected into the containment. Based on the discussion in the section on Likelihood of A Submerged Vessel for the Various PDS and on the PDS defmitions, these would be PDS 3F,4F,4H.
PDS 3F. 4F. 4H The first thing to note is that all these failure modes have already been considered for these !
PDS. The issue is an increase in their frequency because the ex-vessel cooling might allow longer times at high pressure.
The next thing to consider is that an increase in the frequency of hot leg or surge line or even reactor vessel creep rupture failures for ex-vessel cooling is not relevant because all these PDS are already assumed to result in high pressure core melt and vessel failure. Even if they weren't assumed to fail, there would be no effect on release categories or source terms as illustrated in the previous two sections of this response. One: because 3F and 4F have containment sprays going ind: finitely and, two: 4H can be binned into RC VI with no significant increase in RC VI frequency.
Thus, an increase in ISGTR frequency for PDS 3F,4F and 4H remains the only concern for CPSES, when ex-vessel cooling is allowed. In order to address this, assume the entire frequency of these three PDS that is binned into any release category is now forced to undergo either: hot leg /
surge line failure or ISGTR. Based on Table 4.7-2 that combined frequency is 4.07E-7 + 4.68E-7
+ 3.22E-7 = 1.2E-6. Apportion this entire frequency between these only permissible failure modes -
hot leg / surge line failure and ISGTR. Do this based on the BE probabilities:
PRHLSLOK - 3E. 3F. 3H. 4E. 4F. 4H = 0.3 PRSGOK- 3E. 3F. 3H. 4E. 4F. 4H = 0.98 l
These are given in response to question 1 of this document. The apportioning would be based on ;
the complement of these probabilities. Thus:
1 HL/SL:(1-0.3)=0.7 ISGTR:(1-0.98)=0.02 i
d
- Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 95 of130 on CPSES IPE Submittal
' This apportioning would result in an additional ISGTR frequency of: ,
l l [0.02/(0.02+0.7)]* 1.2E-6 = 0.028'l.2E-6 = 3.33E-8.
, r This apportioning isjustifiable because ex-vessel cooling does not make any of these mechanisms more likely than the other. Therefore, their relative likelihood is preserved with this assumption.
In conclusion, the IPE ISGTR frequency is 5.57E-8 (Table 4.6-19 and p.4-271 of [1]).
4 Adding 3.33 E-8 and thus taking it to 8.9E-8 is not a significant increase, particularly when compared to the total steam generator tube frequency of 3.48E-6 from Table 4.7-2 of[1] .
4 1
i 1
l a 1
~
l i
i Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 96 of 130 on CPSES IPE Submittal j i
Level 2 Question 4:
4 Containment Failure Modes - The following requested information pertains to the treatment i of the containment failure modes.
(a) The probabilities of containment failure size are determined in the CET by basic events PR-RUPWCFL and PR-RUPWCFE. Please provide the values, and their basis for these events.
d
. (b) For the quantification of the CET for PDS lE (or PDS IH), it is stated in the submittal (p4-183) that "For CONTAINMENT FAILURE MODES, CFM2=5.04E-01, CFM3=5.00E-1, if the failure is early." These values do not seem to be consistent with the results of CET end state probabilities obtained from the CET quantification presented in Table 4.6-3. Substituting the values of D5-L, D5-R, D6- l L, and D6-R from Table 4.6-3 into the CET end states as given in Figure 4.5-1, we obtain the value of CFM3 as 0.73. Similar substitution of the values of D3-L, D3-R, D4-L, and D4-R to the CET results in a value of CFM2 of 1.00. Please clarify these apparent inconsistencies.
Response
(a) HE Probability Values for PR-RUPWCFE & PR-RUPWCFL for ALL PDS 1
PR-RUPWCFE- ALL PJ)J = 0J This is the probability that the containment fails early by rupture due to effects other than alpha and rocket. Alpha and rocket events are considered to have a 1.0 probability of resulting in a rupture failure mode. Overpressure failures that are induced by high pressure melt ejection and/or Ilydrogen buming loads are judged indetenninate in NUREG/CR-4551 and that value is kept here, 0.5 per TABLE 5-1 of [2]. ,
PR-RUPWCFL- 1E. IF.1 H. 2E. 2F. 2H = 0.005 This is the probability that the containment fails late by rupture. Overpressure failures resulting from steam and non-condensible generation are considered highly likely (0.995 per TABLE 5-1 of [2]) to result in leakage versus rupture containment failures.
~i Attachment I to TXX-96390 Response to NRC Request for Additional Information
' Page 97 of 130 - on CPSES IPE Submittal (b) CET " Split Fractions" Versus Logic Tree Top Event Probabilities The CET of Figure 4.5-1 is not solved as an " event tree", i.e. by multiplication of top event probabilities. As mentioned on page 4-182 of[1], the method for solving the CETs is fault tree linking. In this approach, the various logic trees of Figures 4.5-2 through 4.5-23 are linked according to the CET of Figure 4.5-1. This approach is necessary in order to account for dependencies from earlier CET events on later events.
The present question is exactly an example of such a dependency. Because of a dependency, the value of the top event probability, CFM2=5.04E-01, is not a split fraction in an event tree methodology. This is because of the dependency from earlier CET question CFEl on later question CFM2. The value of top event CFM2 is PR-RUPWCFE=0.5 ORed with PRALPHAL=8e-3, which is then (0.5+8e-3-0.5*8e-3)=0.504. Based on Figure 4.5-22, this value simply says that given an early containment failure, with the RCS at low pressure, the chance of rupture versus leakage is i 0.504, when the cause of the early containment failure is unknown.. Now at the top of page 4-183 of[1] it is stated that all of the CFEl=8.0E-3 frequency is due to the occurrence of a low pressure i alpha event. This means the mode of failure of the containment is already known for all cutsets l along the lower branch of CFEl: it is an alpha event. That is why the split between D3-L, D3-R, and D4-L, and D4-R is 1.0. In other words, the cutsets reaching CFM2 have AL-LOW =True (Figure 4.5-22), because those are the only cutsets that made it through the lower branch CFEl.
The case of the split fraction between D5-L, DS-R, D6-L, and D6-R being 0.73 while CFM3=0.5 is analogous. Previous event top CFE2 includes cutsets for which the alpha or rocket failure modes are true. For these cutsets the split fraction between leakage "L" and rupture "R" is 1.0, i.e if alpha or rocket occurred the failure mode has to be rupture, by dermition. For other cutsets where alpha or rocket are not true, the split fraction of 0.5 applies. Roughly speaking, from page !
4-183 of[1], CFE2=1.8e-3. The probability of alpha at high pressure is 8e-4, all of which results in rupture. In addition,50% of the remaining early failures, namely: 0.5(1.8e-3-8e-4), are by ruptum. Based on these considerations, the number of ruptures divided by the total number of early failures for this case is: 18e-4 + 0.5(1.8e-3-8e-4)]/1.8e-3=0.72. This compares well with the 0.73 split fraction between D5-L, DS-R, D6-L, and D6-R.
~ _ _ _ _ . _ _ _ . _. _ . . _ _ . . _ __ _ . _ _ _ __ - ._ _
k i ,
j i Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 98 of130 on CPSES IPE Submittal .
Level 2 Question 5:
i
- - Induced SGTR 'Ihe following requested information pertains to induced steam generator !
tube rupture (ISGTR): !
4 (a)' The frequency ofinduced SGTR (ISGTR), a containment bypass failure, is 1.7E-7
- (p4-129). According to the IPE submittal, bypass failure is discussed separately (in Section 4.5.1) and not evaluated in the containment event trees (CETs). It is stated in the IPE submittal that "the ISGTR frequency was determined from the fraction of l the non-depressurized high pressure PDS frequencies for which the SG tubes fail' l l prior to the hot leg or the pressurizer eurge line."(p4-129). The quantification of l
ISGTR is further discussed in Section 4.6.2.1. According to the IPE submittal,"The
!- ISGTR frequency was calculated by subtracting the probability of depressurizing in !
the CET (1-(top event DP probability)) as calculated for the base case (i.e., the case I where the tubes could fail, BE PRSGOK = .982) from the case where the tubes are ,
4 intact (BE PRSGOK = 1.0). This difference is due to the induced failure of the f' i- tubes." It is noted that the value referred above (.982) is the same as the mean
! probability value for no-ISGTR used in NUREG-/CR-4551 for Surry. However, in l the Surry evaluation, this is used directly for the high pressure sequences to obtain :
l i the probability ofISGTR (i.e., the conditional probability for ISGTR for sequences at high pressure is .012). The procedure used in the CPSES IPE is more complicated (e.g., in the DP fault tree, hot leg and surge line may fail after an ISGTR by event PRHLSLOK2) and yields conditional probability values much less than .012 (from 3E-4 to SE-3, Table 4.6-18). Please discuss the data used in the IPE for ISGTR determination (i.e., all the basic events in the DP fault tree) and their basis.
- If NUREG/CR-4551 is the basis for ISGTR determination, then please discuss the
{ reasons for the difference in conditional probabilities used in NUREG/CR-4551 and the values obtained and used in the IPE.
(b) In some IPEs, the probability ofinduced SGTR increases as the RCP is restarted following the direction of procedures. Please discuss the probability of RCP 4
operation and the effect of RCP operation on the probability ofinduced SGTR.
4
i
- r .-
- : Attachment I to TXX-96390 Response to NRC Request for Additional Information l
Response: -,
- . (a) Frequency ofInduced SGTR (ISGTR) t 1
~
Unfortunately the ISGTR frequency quoted on page 4-129 of [1], namely,1.7E-7 is a typographical error. The correct ISGTR value as calculated in the manner described in the IPE )
j- report [1] is 5.57 E-8. The correct value of 5.57 E-8 is given in Table 4.6-19 and at the bottom of
' page 4-271. .e Utilizing the high pressure sequence frequencies listed in Table 4.6-18 of[1], it is possible
{ to calculate a bounding ISGTR frequency based on the discussion in part (a) of the question above.
[ That would give: l
- . i t (7.%E-6 + 5.05E-6 + 1.12E-6 + 4.4E-6 + 1.85E-7 + 5.02E-7 )
- 0.012 = 2.2E-7 This upper bound value,2.2E-7, is still more than one order of magnitude less than when the SGTR
- is the initiator, as shown in SGTR = 3.5E-6 page 4-129 of[1] and also Table 4.6-14 and 4.6-15 of ,
[1].
3 Therefore, none ofIPE conclusions would be affected if the approach suggested in part (a) i F of the question above had been adopted.
i
. Although the approach used to determine the ISGTR frequency does not impact the CPSES
~
IPE conclusions, it is still believed that the approach used in the IPE is more accurate than the I bounding approach illustrated above. This is because the bounding approach described above does
' not take into consideration successful operator action to depressurize the RCS. If such action is 1
successful, then ISGTR is pre-empted, simply because the sequence is now a low pressure sequence.
. Therefore, at a minimum, the 0.012 factor should only apply to the non-depressurized-by-operator fraction of the high pressure PDS. Utilizing the BE HOP-DP, Figure 4.5-2 of[1] as an approximate factor would now give for the ISGTR frequency:
- i. (0.73 *7.06E-6 + 0.17*5.05E-6 + 0.95* 1.12E-6 + 0.99*4.4E-6 + 0.05
- 1.85E-7 + 1.*5.02E-7)
- 0.012 = 1.4E-7 This value,1.4E-7 is almost exactly intermediate between 2.2E-7 and 5.6 E-8. Still it does not
t
, Attachment I to TXX-96390 Response to NRC Request for Additional Information i Page 100 of130 on CPSES IPE Submittal -
)
account for post core damage reactor coolant' pump seal failure or safety relief valves that could
'I
~
- stick open. Either one would also depressurize the RCS and pre-empt ISGTR. Furthermore, neither j one involves the natural circulation and creep rupture mechanisms that'cause hot leg or surge hne l
i 2 failure or ISGTR. Now, utilizing the BE PRSEALOK=0.7 and PRCSRVS=0.7 Figure 4.5-2 of[1]
as approximate factors would now give for the ISGTR frequency- l i
- - 0.7*0.7'(0.73*7.06E-6 + 0.17*5.05E-6 + 0.95*1.12E-6 + 0.99*4.4E-6 + 0.05* 1.85E-7 +
l + 1.0*5.02E-7 )
- 0.012 = 6.9E-8 :
j
- j. This value 6.9E-8 is close to the IPE value of 5.6 E-8. The main difference is that 6.9E-8 does not ,
?
1 . consider that hot leg or surge line failure could pre-empt ISGTR because, as pointed out in the
, question above, the 0.012 factor already assumes that hot leg or surge line failure did not occur. ;
i Therefore, the value of 6.9E-8 is a value that in our view,'more accurately accounts for the concem l raised in the question than the 2.2E-7 value. Since this 6.9E-8 result is similar to that obtained in l the IPE, namely 5.6 E-8, it is our view that the existing approach described in [1] remains preferable fe CPSES. l Nevertheless, it is important to re-iterate that IPE conclusions are unaffected by the preferred l approach taken to estimate the ISGTR frequency, as demonstrated at the top of this response. p 4
I
}.
(b) Probability of RCP Operation and its Effect on the Probability ofInduced SGTR l,
In any of the PDS under consideration for ISGTR, the procedure FRC-0.1B RESPONSE TO l
INADEQUATE CORE COOLING would be used. In Step 18, when the desired response of core
- exit thermocouples less than 1200 F is not obtained, this procedure states
- (a) " Start RCPs as ,
necessary until core exit thermocouples are less than 1200 F" and (b) "if core exit thermocouples are 5
greater than1200 F and all available RCPs running then open all pressurizer PORVs and block valves. " ,
Since ISGTR is only a concern if RCS is at high pressure, it is necessary to consider the likelihood that the operators will not depressurize the RCS, given that depressurization action is required in the same procedural step that calls for restarting the RCPs. Considering the low failure pmbability of the redundant 2 PORVs and block valves to open (~2E-5), this failure to depressurize !
is dominated by operator action (~lE-3). This low value for an operator action failure isjustified E.___.__ - - - i
1 4.
Attachment I to TXX-96390 - Response to NRC Request for Additional Information i Page 101 of 130 on CPSES IPE Submittal l 2
4 given that the action is proceduralized and that the operator is postulated to have performed an action
' in the same step in the procedure. Therefore, utilizing the logic of section (a) above where it is assumed that successful operator depressurization preempts ISGTR and assuming ISGTR likelihood
. increases by a factor of two if the RCPs are on gives the following additional ISGTR frequency due j to RCP operation:
- (0.001 *7.06E-6 + 0.001 *5.05E-6 + 0.001 *l.12E-6 ~+ 0.001 *4.4E-6 + 0.001* l.85E-7 +
f + 0.001*5.02E-7 ) * (0.012*2) = 4.4E-10 3
This increase in ISGTR frequency is not significant either in itself nor in comparison with the frequency of SGTRs as initiators,3.5E-6.
l l
i I
e t
t t
Attachment 1 to TXX-96390 Response to NRC Request for Additional Information l Page 102 of 130 on CPSES IPE St bmittal
-t
, Level 2 Question 6: :
Equipment Survivability -- The evaluation of the general requirements for equipment l survivability are discussed in the IPE submittal (p4-27 to p4-28). However, details are not - [
provided. In NUREG-1335 it is stated that ' Documentation should be provided to support
- the availability and survivability of systems and components with potentially significant impact on the CET or the radionuclide release.' Please discuss the equipment identified in the IPE as potentially having a significant effect on accident progression and discuss how its
- survivability under severe accident conditions is addressed in the Comanche Peak IPE. ;
' Response:
The only systems and components with potentially significant impact on the CET or the radionuclide release are those related to containment spray. The CPSES IPE did not credit fan coolers or hydrogen recombiners. The containment spray system is safety related equipment required to mitigate the consequences of LOCA or MSLB and therefore has been environmentally >
and seismically qualified under the provisions of 10 CFR50.49. The environments these equipments
- are qualified for are as follows: Temp =345 F , Pressure =64.7 Psia, Radiation =2E8 Rad TID and pH=8.5 to 10.5. The plant damage states with non-zero frequency, for which containment sprays ?
- are credited in the IPE are: IF,2F,3F,4F,5F,6F. In all these cases the containment environment
, is within the limits listed above.
1 4
i d
n
l l
Attachment I to TXX-96390 - Response to NRC Request for Additional Information l Page 103 of130 on CPSES IPE Submittal . ]
4 Level 2 Question 7: i
] Ex-Vessel Debris Coolability - The probabilities of the formation of a coolable debris bed
- in the reactor cavity under various conditions are treated as basic events in the CET (i.e.', BE PRCDB-LPSE, PRCDB-LPNS, and PRCDB-HP). The probability ofbasemat melt-through 1 is determined by basic events PRMTl and PRMT2. Please discu.ss the basis for the values -
for these basic events used in the CET quantification, i
Response
i PRCDB-LPSE for All PDS = 0.05 ,
j Reference [2] judges it unlikely (0.2, per TABLE 5-1 of [2]) that a coolable debris bed would not 4
form given an ex-vessel steam explosion following a vessel failure at low pressure. Given the CPSES cavity configuration, where a large surface area (see Figure 4.1-17 of [1]) is available it is l judged that this probability should be somewhat smaller and therefore lie between unlikely and very unlikely (0.05, per TABLE 5-1 of [2]).
PRCDB-LPNS for All PDS = 0.1 1 Reference [2] quotes NUIEG-1150 Surry analysts asjudging it indeterminate (0.5, per TABLE 5-1
. of [2]) that a coolable debris bed would not form following a vessel failure at low pressure without i an ex-vessel steam explosion. Given the CPSES cavity configuration, where a large surface area l (see Figure 4.1-17 of[1]) is available it is judged that this probability should be at the lower range of the unlikely (0.1, per TABLE 5-1 of [2]).
An unlikely (0.2, per TABLE 5-1 of [2]) value was assigned in Reference [2] for high pressure sequences. Based on the same cavity geometry considerations presented above for the low pressure cases an unlikely to very unlikely value (0.05 per TABLE 5-1 of [2]) is judged to be more
- appropriate for CPSES.
L 4
i Discussion on Basemat Melt-through Versus Overpressure Two cases are considered: (a) with and (b) without formation of a coolable debris bed.
'?
w--
r
- Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 104 of 130 on CPSES IPE Submittal (a) COOLABLE DEBRIS BED IS FORMED MAAP analyses for CPSES show that in sequences which maximize concrete attack (e.g.
large break LOCA with failure of all ECC injection and containment sprays) the depth of penetration ,
into the basemat at 2.3 days is calculated to be 1.5 m (similar result is observed in a fast station ;
- blackout case, i.e.' l .1 m in 2.5 days). The time when containment is expected to fail by overpressure -
l is approximately: (a) 38 hours4.398148e-4 days <br />0.0106 hours <br />6.283069e-5 weeks <br />1.4459e-5 months <br /> (1.6 days) when the RWST is injected into the containment, (b) never when the sprays operate during injection and recirculation and the debris is coolable and (c) 3.2 days (77 hours8.912037e-4 days <br />0.0214 hours <br />1.273148e-4 weeks <br />2.92985e-5 months <br />) when only RCS water is in the containment. This depth (1.5 m) is insignificant in ,
comparison with the 4.4 m basemat thickness.
Different concrete erosion depths associated with different computational tools and assumptions cannot yield basemat melt through occurrence prior to the time of overpressure failure. i in order to illustrate this point consider the following simplified conservative estimate oflong term concrete erosion, done by assuming a simple relationship for decay power, a 50% upward-downward ,
I split, and one-dimensional erosion .
Decay power is given approximately by:
i Q, = fa . Qo . 0.13 .1 42n where fa is the fraction len in the debris, Qo is the initial power, and t is in seconds. The erosion rate is given by: l 1
-)
(dx/dt) = f, . Qa /( rho . h . A )
i' 1
where f, is the fraction of energy directed into erosion (not upward or sideward conduction loss), rho is the concrete density and h is the total erosion enthalpy (including chemical reaction, melting and j sensible heat), and A is the area eroded. The area is considered approximately constant for the sake j of simplicity. Choosmg:
)
.fo = 0.8 !
f, = 0.5 4
). Qo = 3411E6 W
! rho = 2300 Kg/m' l h = 2.6E6 J/Kg 4
f j
l
.i
.1 Attachment I to TXX-96390 Response to NRC Request for Additional Information I Page 105 of130 on CPSES IPE Submittal ,
3 A L = 60 m 2.
. results in:
42:3 (dx/dt) _= 4.95E-4 t (x - xo ) = 6.91 E-4 (t" - to")
The earliest time of cavity dry out in sequences with no ECCS injection and in which a l
- coolable debris bed is formed approximately 72000 seconds based on the MAAP analyses . The table ,
L below presents the erosion distance for the case in which there is no water in the cavity after 72000 seconds and an initial penetration of xo = 0.2 m is assumed corresponding to Zircalloy-oxidation-
' driven attack prior to steady-state erosion.
TABLE: SIMPLIFIED ESTIMATES OF CONCRETE PENETRATION DEPTHS (No = 0.2 M) I TIME FROM SCRAM ATTACK DEPTH (M)
C00LA8LE DEBRIS BED SECONOS DAYS (Te = 72000 SEC)
PDS 1H 100 E3 1.2 0.76 150 E3 1.7 1.65 200 E3 2.3 2.47 250 E3 2.9 3.23 300 E3 3.2 3.94 3
i The results shown in the table are conservative. The simplified calculation yields a 3.2 m
. erosion at 2.5E5 sec (2.9 days) while the corresponding value calculated in the MAAP DECOMP
- subroutine is 1,1 m. The main reason for the diffelence is that DECOMP calculates lateral as well
- as downward erosion (assumed equal). (The A factor in the simplified expression for dx/dt above
- would increase with time resulting in an erosion rate which decreases with time).
f .
j
l l
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 106 of130 on CPSES IPE Submittal !
- These conservative values show that containment failure from basemat penetration cannot take place in less than three days, even in sequences where there is no ECC injection. In these sequences overpressure failure is calculated to occur in 3 days caused by superheated steam and the non-condensible gases generated in the core-concrete attack. Therefore overpressure failure is taken to precede basemat penetration with a 1.0 probability if the debris is assumed to be coolable, i.e. along the success path for event DC.
In sequences where there is ECCS injection and in which a coolable debris bed is formed, the CPSES cavity is full. In these sequences, significant core-concrete attack is delayed until the cavity is dry. This results in less erosion because the attack starts much later, if at all (f,, the fraction of energy directed into erosion is minimal while the pool is covered with water, because of the high value of the critical heat flux at the corium-water interface). Furthermore, the containment pressurizes more rapidly in sequences where there is ECCS injection, due to steam generation, than e it does due to non-condensible generation during the concrete attack associated with sequences where there is no ECC injection. Therefore, in ECCS injection sequences with a coolable debris bed formed there is even a greater margin of certainty when stating that overpressure failure will precede i basemat penetration with a 1.0 probability.
(b) COOLABLE DEBRIS BED NOT FORMED If a coolable debris bed is not formed, two CCI-related mechanisms are in competition to cause late containment failure: (t) overpressure due to non-condensibles generated in the attack and (2) basemat melt through. In order to determine which mechanism prevails at CPSES, a non-coolable debris bed situation maximizing CCI was simulated with MAAP. This was done by obtaining the earliest possible vessel failure time and a completely dry cavity. The earliest vessel failure time was obtained by a large break LOCA initiator with no ECCS and no Accumulators. The dry cavity was obtained by shutting off all sprays and introducing a fictitious 4.0m curb between the lower compartment and the cavity to prevent all water originating in the LOCA and not flashing to steam from flowing to the cavity. It was clear, from the calculation, that even if the debris is non-coolable, that it would take over 20 days to erode the 4.0m thick basemat. On the other hand, overpressurization due to non-condensibles would occur m about 7 days. Therefore, while there are uncertainties involved, it is felt that due to the factor of three between failure times for these modes that basemat melt-through would be very unlikely (0.05 probability per TABLE 5-1 of [2]) at CPSES. Thus:
t Attachment I to TXX-96390 Response to NRC Request for Additional Information ;
Page 107 of 130 on CPSES IPE Submittal ,
PRMT1- 1E.1 F.1H. 2E. 2F. 2H = 0.05 PRMT2- 1E.1F.1H. 2E. 2F. 2H = 0.05 ,
i These are BE probabilities that BASEMAT MELT-THROUGH OCCURS GIVEN DEBRIS NOT COOLABLE AND SPRAYS ON (1) AND OFF (2). The value entered for these BE is justified in the discussion above
, .i .e : it is very unlikely (0
. ,05 TABLE 5-1 of [2]) that the basemat would be completely eroded prior to containment failure due to the overpressurization from the non-condensibles generated in the CCI. See also the discussion in page 4-230 of[1].
i i
l i
4 s
i
)
i d
e j
I T
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 108 of130 on CPSES IPE Submittal Level 2 Question 8:
Late Containment Failure -- The following requested information pertains to the treatment oflate containment failure:
(a) In the fault trees for top event CFL (Late Containment Failure Occurs, Figures 4.5-15,4.5-17, and 4.5-19), Event STM-FAIL (Steam Generation Fails Containment) requires the occurrence of both Event PRSTM-OCCUR (steam generation occus) ud Event DHR1 (insuflicient decay heat removal). In the same fault trees, Event HR-INCONT (insufficient decay heat removal from containment) requires the occurrence of both Event DHR-ACT (decay heat rate exceeds active heat transfer to containment) and Event CDHR-PASS (decay heat rate exceeds passive heat transfer to containment). These events seem to indicate that steam may not be generated in sufficient quantity and passive heat sinks can prevent containment failure under certain conditions. Please discuss the definition of Event PRSTM-OCCUR and Event CDHR-PASS, the values used for these two basic events, and the basis for these values.
(b) Please also discuss whether a mission time is used in the determination of the probability oflate containment failure, and, if a n.ission time is not used, please discuss the effect the use of a mission time (e.g.,48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />) would have on the probability oflate containment failure.
Response
The order of the responses is reversed in this question because part of the response for item (a) relies on the discussion provided for item (b)
(b) Containment Mission Time The containment mission time is assumed to be infinite for sequences where containment failure is a result of core-concrete interaction (CCI) . These are 49.1% of the containment
- performance as shown in Figure 7-1 of(1]. These CCI-induced failures include situations where:
(1) the debris was originally coolable but the water dried out (e.g. ECC fails at injection) and, (2) the debris is postulated to be non-coolable even when covered with water. Ei:her of these situations include containment failure: (a) by overpressurization due to non-condensibles generated during CCI
, s J
l Attachment I to TXX-96390 Response to NRC Request for Additional Information l Page 109 of130 on CPSES IPE Submittal !
l and (b) basemat melt-through. In any of these cases the containment mission time is assumed to be i 4
infinite, so that for example basemat failures, which might take 90 hours0.00104 days <br />0.025 hours <br />1.488095e-4 weeks <br />3.4245e-5 months <br /> are assigned a 1.0 l containment failure probability. Thus a conservative infinite mission time is applied to the vast - l j majority of the containment failures. The rationale for the infinite mission time is a postulated inevitability of the failure. If the debris is postulated to be non-coolable then the failure must be j inevitable, since nothing can happen to change the debris into a coolable configuration. The i j assumption is overly conservative when it is applied to situations where the debris was coolable but l l the water dried out. In such cases, if water were re-injected it would be reasonable to assume that I the debris would remain coolable. Nevertheless, no distinction was made between these cases and ;
I ?
! once CCI occurs the mission time is taken to be infinite. :
1 :
Cases where the debris is in a coolable configuration and there is enough water in the. l i containment that the overpressure failure is caused by overpressurization due to steam alone (e.g.- ,
1 i
4 ECC fails at recirculation) and where no significant CCI non-condensible generation occurs are l labeled steam-induced late failures. These represent only 2.1% of the containment performance as seen in Figure 7-1 of[1]. In these cases it is felt that there should be a different failure probability
. for cases in which the ultimate pressure is reached within say 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> and cases where it is reached say within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. For these steam-induced cases, representing only 2.1% of the containment !
{
- performance as seen in Figure 7-1 of[1], the concept of a mission function was used instead of a !
, mission time. The following discussion describes the mission function concept, used only for ,
j steam-induced overpressure failures.
i A given containment /reador might reach its failure pressure from steam overpressurization ,
[ within a few hours of vessel failure, while another might reach it only after several days. If an
) infinite mission time is defined, this difference is not seen in the late containment failure probability
] from steam overpressurization, which would be 1.0 in either case.
b The difficulty in defining a mission time lies in the fact that the late containment failure j
- probability would be either 0.0 or 1.0 depending on the mission time. If the mission time is too short ;
i no failures would occur. Ifit is too long even the slowest boil off situation will yield a 1.0 i
- probability of no late containment failure.
i .
j In order to smooth the dependency of the late containment failure probability on the mission .j time definition, while generating a late containment failure probability which decreases as the time l
{. '
to reach the mean containment failure pressure increases, it is first necessary to recognize that a f
i
- 4. 1 l
- Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 110 of130 on CPSES IPE Submittal
" mission time" as described above is in effect a " mission step function", having a zero probability ')
of pressurization arrest prior to the " mission time", and a 1.0 probability afler that time. 'Having l recognized this, it is easy to see that a smoother mission function for the probability of arresting I l
pressurization as a function of time after vessel failure can be used in lieu of a step function or
" mission time" to determine late containment failure probability due to overpressurization.
In order to do this, the time at which the containment failure pressure is reached is ndted, for any -
given sequence ofinterest. The probability of arresting pressurization at that time could then be j directly read from the mission function and used in the appropriate CET logic trees.
. This approach would reflect the fact that if the containment pressurization rate is very slow, it ;
- will take a long time to reach the overpressure limit and the late containment failure probability ;
! would not be 1.0 as it would be if an infimite " mission time" were used. This approach also reflects )
i the fact that even if the time to reach overpressure is very long, there is still some probability that i 1
i the containment will fail, which would not be seen if that time were greater than a " mission time".
- j. In summary, this approach provides values oflate containment failure probabilities which vary l continuously with the time between vessel failure and containment pressurization to its overpressure I limit in contrast to the mission time concept which is a partienk < case of the mission function
- concept where the function is a step function.
The difficulty cf the approach just described lies, of course, in the determination of the t i pressurization arrest probability versus time afler vessel failure. Nevertheless, it is well known that I an appropriate function can be wel! approximated by a Weibull distribution. Thus, it is possible to generate a curve, for the probability of arresting pressurization versus time afler vessel failure, which l will yield probabilities that are expected to be conservative. This is accomplished by making conservative assumptions about points through which the distribution would be fitted. These will become evident in the following discussion on the derivation of the mission time function.
j The mathematical form of the Weibull density function is :
f(t) = abt64exp(-atb) where a and b are the two parameters of the distribution. The corresponding probability distribution f . over an interval of time (0,t) can be calculated as:
4
Attachment 1 to TXX-96390 Response to NRC Request for Additional Information Page 111 of130 on CPSES IPE Submittal F(t) = j'o(abt*8)exp(-at6)]dt = 1 - exp(-at6)
In order to estimate the two parameters a and b in the Weibull distribution, the following calculation formulas have been developed:
at t = t i , F(t=t i) = A, and at t = t2 , F(t=t2 ) = B, then b= In[In(1-A)/In(1-B)]/In(t i/t2) 6 a = -In (l-A)/t i The corresponding mean and variance of the distribution are Variance 0 2= a-2/6[P(1+2/b) = p2 (1+1/b)]
In order to make the curve conservative, the two time periods and the recovery probabilities in these j two periods are conservatively assumed such that the probability of recovery at 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> is 95% but the probability of recovery at 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is only 5%. This gives:
t i = 72 hr, A = 95%, and I 12 = 6 hr, B = 5%. l l
l Substituting these data points into the equations for a and b yields. i l
b = 2.573 a = 4.990E-5 )
l The mean and variance of the distribution are then.
Mean = 41 hr Variance = 3783 hr2 The corresponding probability cumulative probability function for arresting overpressurization of the containment is given in Figure 1.
At t = 37 hr, for example, the recovery probability is I
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 112 of 130 on CPSES IPE Submittal F(t = 37 hr) = 39.3% and the corresponding late containment failure probability is 60.7%.
Contrast this with a mission time of 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> for which the late containment failure probability would be zero. On the other hand if the containment mission time were defined at 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> then the failure probability would be 1.0, which is not much greater that 0.61.
It should be noted that: The mission time curve discussed above is only used for overpressurization due to steam. In the case of basemat melt through and/or overpressurization from non-condensibles resulting fron. CCI. an infinite mission time is assumed.
Figure 1 - Comparison of Mission Time and Mission Function Mission Time = Step Function Mission Function = Weibull 1 .
J I 0.8 -
il g _.
g 0.6
/
8 __
0 .4 i
3 ,
/ -
d a 0.2 0
0 0 20 40 60 80 100 Time in Hours The effect of using a reasonable mission time, e.g. 41 hours4.74537e-4 days <br />0.0114 hours <br />6.779101e-5 weeks <br />1.56005e-5 months <br /> which is the mean of the distribution, instead of the mission function shown in Figure 1, would not be significant. It would
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 113 of 130 on CPSES IPE Submittal reduce the CCI failures somewhat, since these currently assume an infinite mission time. It might increase the steam-induced faihires by a small amount. However, since the CCI induced failures are 49.1% of the containment performance and , the steam-induced only 2.1% and, since the CCI-induced failures typically occur later in time, the use of a reasonable mission time might: (a) increase the no-containment failure fraction in Figure 7-1 of[1] or, (b) simply cause a small redistribution of the failure fraction from CCI-induced to steam-induced. Either situation is bounded by the current approach.
(a) Basic Events CDHR-PASS and PRSTM-OCCUR CDHR-PASS- All PDS = 1.0.
Heat generation always exceeds passive heat transfer to containment heat sinks. Passive heat transfer is not a containment failure prevention mechanism at CPSES.
PRSTM-OCC- 2H = 0.95 PRSTM-OCC- 1 E. 2E = 0.65 Reference [2] defines this BE as STEAM GENERATION OCCURS. Given the configuration of the CPSES cavity, steam generation will always occur if decay heat removal is not available. The intent of this event is to establish whether steam generation will fail the containment. Therefore, this event for CPSES is taken to mean SUFFICIENT STEAM GENERATION TO FAIL CONTAINMENT OCCURS. For the small break LOCA sequences in which ECCS injects successfully and/or the containment sprays inject successfully (IE,1F,2E,2F,2H), the RWST floods the containment. Under these circumstances, it is shown in MAAP analyses that, in the absence of successful switchover to recirculation or without RHR heat exchangers (PDS lE,2E, 2H), the water in the contaimnent is heated up to its saturation temperature, boiled and steam generation eventually fr.ils the containment.
. The time at which the containment reaches its mean failure pressure measured from the time of vessel failure for these PDS based on MAAP calculations , and the respective pmbabilities of containment failure due to steam overpressure obtained from Figure 1 are:
l Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 114 of130 on CPSES IPE Submittal
! FAILURE ;
PDS TIME PROBABILITY lE 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> (1-0.35) :
s n
- 2E 34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br /> (1-0.35) l' 21I 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br /> (1-0.05) 4 i
PRSTM-OCC- 1H = 0.
It is also shown in MAAP analyses that, for the sequences in which neither the containment sprays nor ECCS inject successfully, steam generation alone cannot fail the containment, it must be !
aided by the non-condensible gases generated in the CCI. j i
i V
4 i
PRSTM-OCC- 1F. 2F = 0.
Finally, it is also shown in MAAP analyses that, for the sequences in which sprays operate i successfully during injection and recirculation including RHR heat exchangers during the
. recirculation phase (IF,2F), there is sufficient decay heat removal capability to prevent vapor ,
- j. generation, and the cavity remains flooded. {
4 1
- 1. ;
8 l
PRSTM OCC- 3SBOHR. 4SBOHR = 0.0 l 1 For the sequences involving successful recovery, the ECCS injects successfully and/or the ]
containment sprays inject successfully assuming successful switchover to recirculation there is no !
< steam generation and this would be zero. For the sequences where recovery is not successful there l i is not enough water in the RCS plus accumulators to cause the containment to fail from steam overpressure, so the value is also 0.0 in these cases.
4 j
PRSTM-OCC- 3E = 0.65. 4E = 0.40. 4H = 0.25 i The time at which the containment reaches its mean failure pressure, measured from the time
[ of vessel failure, as calculated via MAAP is given below, along with the respective probabilities of
- containment failure due to steam overpressure which are obtained from Figure 1
4 l
I i
i i
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 115 of130 on CPSES IPE Submittal i
3E 38 1-0.35 l 4E 44 1-0.6 4H -53 1-0.75 -
b PRSTM-OCC- 3H = 0. !
It is also shown in MAAP analyses that, for the sequences in which neither the containment sprays nor ECCS inject successfully, steam generation alone cannot fail the containment, it must be' l
aided by the non-condensible gases generated in the CCI.
PRSTM-OCC- 3F. 4F = 0.
Finally, it is also shown in MAAP analyses that, for the sequences in which sprays operate successfully during injection and recirculation including RHR heat exchangers during the j recirculation phase (IF,2F), there is sufficient decay heat removal capability to prevent vapor ;
generation, and the cavity remains flooded. [
PRSTM.OCC- SE = 0.65. 6E = 0.65. 6H = 0.70 f The time at which the containment reaches its mean failure pressure measured from the time of vessel failure as calculated via MAAP is given below along with the respective probabilities of containment failure due to steam overpressure which are obtained from Figure 1.
l i
l I
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 116 of130 on CPSES IPE Submittal PDS TIME (IIR) PROBABILITY SE 35 1-0.35 6E 34 1-0.35 611 31 1-0.30 PRSTM-OCC- 511 = 0.
It is also shown in MAAP analyses that, for the sequences in which neither the containment sprays nor ECCS inject successfully, steam generation alone cannot fail the containment, it must be aided by the non-condensible gases generated in the CCI.
PRSTM-OCC- SF. 6F = 0.
Finally, it is also shown in MAAP analyses that, for the sequences in which sprays operate successfully during injection and recirculation including RIIR heat exchangers during the recirculation phase (5F,6F), there is sufficient decay heat removal capability to prevent vapor generation, and the cavity remains flooded.
s i
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 117 of130 on CPSES IPE Submittal Level 2 Question 9:
Isolation Failure -- The following requested information pertains to the treatment ofisolation f failure:
(a) In the Comanche Peak IPE, the probability of containment isolation failure is determined in the Level 1 analysis and not evaluated as part of the CET. However, an induced isolation failure, caused by the opening of the purge valves following the direction of the combustible gas >
control procedures, is included in the fault tree for the CET top events CFE (Early containment Failure Occurs). It is stated in the IPE submittal that "this issue was found negligible at CPSES," and detailed discussion is not provided in the submittal. Please provide more detailed discussion on this issue.
(b) According to the CET, early containment failure is assumed not to occur, and thus not evaluated, if vessel failure is prevented. Thus, induced containment isolation failure is not evaluated for cases in which core damage occurs but in-vessel recovery is successful. Since hydrogen is produced during the core damage state, combustible gas control procedures may be carried out and therefore induced isolation failure may occur even without vessel failure. l Please discuss the probability of this release mode and the potential environmental release ifit is not negligible. l l
l l
Response
(a) Induced Isolation Failure, Caused by Opening of Purge Valves Procedure in effect would be FRZ-0.1: RESPONSE TO HIGH CONTAINMENT PRESSURE.
Nowhere in that procedure is there an instruction to vent the containment. Consultation to operations has myealed no procedural instruction to vent the containment during a severe accident. Therefore the probability of BE PRCI is 0.
The BE PRCI in logic trees CFEl & CFE2 was left from the generic trees developed in [2] and j should have been removed for the CPSES-specific trees. The event is not applicable to CPSES because all isolation failures, including induced isolation failures were intended to be treated in the
i Attachment I to TXX-96390 Response to NRC Request for Additional Information -
Page 118 of 130 on CPSES IPE Submittal Level I analysis. In fact, induced failure of the containment pressure relief valves is included in isolation failure frequencies obtained from the Level I analysis. This means that if those valves are j used to relieve containment pressure, their induced failure is already included in the isolation failure i frequency. The induced failure of the 11 purge 2 valves is not included because that action is not ;
proceduralized during a severe accident as stated in the first paragraph. Nevertheless, an evaluation shows that the extra frequency from this type of failure would increase the isolation frequency by approximately a factor of 3. That would take the total CI failure frequency listed in the bottom line of Table 4.3-3 from 9.9E-9 to 3.2 E-8. That is still not a significant CI failure frequency. ;
(h) Early Containment Failure If Vessel Failure Is Prevented i i
As stated in page 4-135 of [1], in-vessel recovery is not credited with the exception of station ,
blackouts: 3SBO (1.8E-7, Table 4.3-3 of [1]) and 4SBO (5.0E-7, Table 4.3-3 of [1]). The ;
conditional frequency of successful recovery that did not already result in early containment failure can be obtained by adding the following end state probabilities in Table 4.6-5 (see Figure 4.5-1 of j
[1]): NCF(A0),A1,A2,NCF(BO),B1,B2-L,B2-R,NCF1,Cl-L,Cl-R,C2-L.C2-R. Other end states, either did not have successful recovery or already lead to early containment failure. ,
Dividing each sum by the total conditional frequency given at the bottom of Table 4.6-5 gives:
4.2E-3/0.82 = 5.12 E-3 for 3SBO and 2.1E-4/0.983 = 2.1E-4 for 4SBO. These are the fractions of each SB0 PDS frequency that are eligible for the scenario described in the question. The actual eligible frequency is then: 1.8E-7*5.12E-3 + 5.0E-7*2.lE-4 = IE-9. Bottom line: successfully recovered sequences that did not already result in early containment failure are not statistically '
, significant.
i l
l A
- - - - y ry 7y & == wr== rw--- --- <- = ,,--, -.,,r- r- - --r-v -
m- ' - e , - *
- Attachment I to TXX-96390 Response to NRC Request for Additional Information l Page 119 of130 on CPSES IPE Submittal 1 Level 2 Question 10:
Responses to CPI Recommendations and Local Hydrogen Burns-- The CPI recommendation for PWR dry containments is the evaluation of containment and equipment j I
vulnerabilities to localized hydrogen combustion and the need for improvements (including accident management procedures). This issue is not specifically addressed in the IPE submittal.
Please discuss whether plant walkdowns have been performed to determine the probable locations of hydrogen releases into the containment. Including the use of walkdowns, discuss the process used to assure that: (1) local deflagrations would not translate to detonations given an unfavorable nearby geometry, and (2) the containment boundary, including penetrations, would not be challenged by hydrogen burns.
Please identify potential reactor hydrogen release points and vent paths. Estimates of compartment free volumes and vent path flow areas should also be provided. Please specifically address how this information is used in your assessment of hydrogen pocketing and detonatioa.
Your discussion (including important assumptions) should cover the likelihood of local detonation and potentials for missile generation as a result oflocal detonation.
Response
(a) Ilydrogen Mixing and Potential Ilydrogen Release Points and Vent Paths The CPSES containment subcompartments have been designed to allow proper venting to preclude hydrogen pocketing and to promote good mixing. In order to substantiate this point, Section 6.2.5.3.2 of the CPSES FSAR, entitled IIydrogen Mixing,is transcribed below. The section also includes a discussion on potential hydrogen release points which are primarily: steam generator compartments, reactor cavity and pressurizer relief tank.
6.2.5.3.2 Hydrogen Mixing As described in Subsection 6.2.5.1.1, all subcompartments are provided with vents to aid in hydrogen mixing and to avoid high concentration pockets of hydrogen. These vent s
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 120 of 130- on CPSES IPE Submittal-cause'a stack effect which maint'ains the subcompartments at virtually the same hydroge n concentration as the remainder of the Containment.
This stack effect is governed by the following formula:
7.2A ht where-Q- air flow (ft'/ min)
A-area of bottom or top openings, whichever is smaller (ft 2) h-height from bottom to top openings (ft)
't-temperature difference between the subcompartment and the bulk Containment atmosphere (F) 7.2 -constant of proportionality, for conditions not favorable At a minimum temperature gradient of l'F. the number of air changes per hour is always in the range of 2 to 3.
With regard to mixing of post-LOCA hydrogen, the following aspects have been considered .
- 1. Mixing in the bulk Containment above operating floor at elevation of 905 ft 9 in.
Experimental results from spray experiments conducted at Oak Ridge National Laboratories have substantiated the adequacy of t he sprays to ensure mixing in the bulk Containment volume. These results apply to the Region A described in Section 6.5, Figure 6.5-2,
- 2. Subcompartments are enclosed between floor elevations 808 ft 0 in. 832 ft 6 in..
860 ft 0 -in. , and 905 ft 9 in.
IThese regions are described in Section 6.5 and shown on Figure 6.5-2, where they are referenced as Region B. C. and D. To avoid accumulation of hydrogen between floors, each of them is provided with openings to permit mixing with the bulk
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 121 of130 on CPSES IPE Submittal Containment.
Between the Region D and the other regions, the t otal opening is approximately 900 ft .2 Although the hottest su bcompartment is the steam generator subcompartment, a temperature difference between the upper Containment and the lower floors exists as a result of the cold water sprayed in the dome which induces natural convection.
This natural convection ensures a general mixing of hydrogen in the Containment.
These three regions are partially sprayed by nozzles (see Section 6.5. Table 6.5-5 )
during the injection and recirculation phases. In addition, the driving force of falling drops enhances air circulation.
- 3. Subcompartments Where LOCA Occurs These subcompartments are the steam gcnerator sub compartments, the connecting pipe
< tunnel to reactor vessel cavity, and the pressurizer relief tank subcompartment.
A large part of the hydrogen generated in the Containment is released in the subcompartment where the break occurs, as a result of radiolysis in the core.
After 30 days, the hydrogen flow rate from core r adiolysis is 0.65 scfm. The flow rates from sump radiolysis and corrosion are 0.159 scfm, and 2.34 scfm, respectively.
- a. Steam Generator Subcompartments Each steam generator subcompartment is fully open at the top and provided with two main openings in the bottom (for communication with another steam generator subcompartment and personnel access). This arran gement has the following effects:
l
- 1) Coverage of the steam generator subcompartment with spray, ensuring a mixing within the subcompartment i
l
- 2) Release of hydrogen through the top as a result of its low atomic weight I
1 1
Attachment I to TXX-96390 Response to NRC R.equest for AdditionalInfonnation Page 122 of 130 on CPSES IPE Submittal
- 3) Mixing of the contents of the steam generator subcompartment with the contents of the bulk Containment through natural convection effects. A sensible energy is introduced during the long-term with the core recirculation flow in the subcompartment and provides the driving forces for mixing
- b. Reactor Cavity Reactor coolant pipe tunnels connecting the steam generator subcompartments with the reactor vessel cavity have postulated pipe break locations as discussed in Section 6.2.1. If a break occurs in the cavity seal, a very limited space, the reactor coolant pipe weld inspection plugs blow o ut to limit the peak differential pressure. Part of the fluid spilled out of the break and part of the water volume
, sprayed in the refueling cavity fill the reactor cavity. Hydrogen generated in th e cavity by radiolysis is released through the gap around the reactor vessel and through the relief openings located in each floor (elevations 808 ft 0 in. , 832 ft 6 in. . and 849 ft 0 in.).
- c. Pressurizer Relief Tank Subcompartment This subcompartment has a bottom drain opening of 100 ft 2 Hydrogen released within the subcompartment and hydrogen entering the subcompartment is vented through the top vents.
- 4. Subcompartments Where There Is No LOCA
- a. Pressurizer Subcompartment Hydrogen entering this subcompartment is vented through a 36-ft ' top vent. This opening is in the vertical wall underneath the slab. Hydrogen is released above elevation 905 ft 9 in, in Region A, which is the bulk Containment volume (see Section 6.5. Figure 6.5-2).
- b. Cubicles at Elevation 808 ft 0 in.
d
- Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 123 of130 on CPSES IPE Submittal I
These cubicles are for excess letdown heat exchanger, reactor coolant drain tank and pumps, and reactor coolant drain tank heat exchanger. The Containment Buildin g )
j arrangement is such that the sump water will enter these cubicles and will generat e-hydrogen which could accumulate in the upper parts.
Consequently, all cubicles located at elevation 808 ft 0 in. are provided with a vent at their highest points to avoid local high level hydrogen concentration.
(b) Estimate of Compartment Free Volumes and Flow Paths:
1 A description of the compartment volumes and flow paths can best be seen in the CPSES FSAR
- Section 6.5.2.2.4, transcribed below. This containment spray section explains the venting design that ensures optimum mixing. Please note that there is a 6 inch gap between the floor and the containment wall. A walkdown of the CPSES containment was performed for the IPE and no hydrogen pocketing concerns were identified. This FSAR section refers to Figure 6.5-2 of the FSAR )
which is similar to Figure 4.1-19 of[1] Figure 6.5-4 of the FSAR is similar to Figures 4.1-25.1 i through 4.1-25.7 of [1].
6.5.2.2.4 Containment Coverage Figure 6.5-2 is a schematic of the Containment that shows the locations of the spray nozzles and sprayed regions, labeled A. B. C, and D.
l l
The calculation of the spray removal coefficient is presented in Subsection 6.5.2.3 l
)
The spray system characteristics for each region inside the Containment are described '
in Table 6.5-5.
- 1. Bulk Containment Volume ]
I Region A is covered by 274 (minimum 272 for Unit 1) nozzles per train (Figures 6.5- 2 and 6.5-4. Sheets 1 and 2). The nozzle orientation and spacing is such that the volume covered is maximized. The spray density throughout the Containment is as uniform as possible. The design of the lowest ring headers located in the
.- .- . .. . - - - . .. .. . = - - -
Attachment I to TXX-96390 Response to NRC Request for Additional Information -
4 Page 124 of130 on CPSES IPE Submittal . ,
, Containment dome is such that the following result': .
- e
- a. The minimum fall height is 117.ft 1 in, and 115 ft 9 in. for the lowest ring !
! header 'of trains A and B, respectively, considering the operating floor at 905 ft ,
9 in. :
, b. The area covered on the operating floor by a nozzle spraying vertically. ;
downward is approximately tangent to the Containment wall to minimize spraying of the walls and also to avoid a large unsprayed annulus.
$- The ring headers are located less than two ft from- the Containment liner to facilitate the piping support design. Each Containment sprdy train is provided wit ' h nozzles spraying horizontally, vertically downward, upward at 45 degrees, and l downward at 45 degrees. <
The spray nozzle layout at elevation 905 ft 9 in. is shown on Figures 6.5-2 and 6.5-4, Sheet 3. By using nozzles spraying upward at 45' degrees, the zone between l l the ring headers and the Containment liner in the dome is covered by spray.
- ~
l 2. Volume Underneath Operating Floor f Regions B, C, and D (see Figure 6.5-4) (Sheets 3, 4 and 5) are partially covered i by spray. The sprayed volume for each region is described in Table 6.5-5. .
t I
- 3. Containment Free Volumes 6
The total Containment free volume is 3.031 x 10 ft This volume consists of the-
- following as shown on Figure 6.5-2:
Region A a.
l The total volume of region A is 2.309 x 10' ft of which 1.665 x 106 ft' is covered by spray (72.1 percent). includes the following volumes:
l
. 1) Above operating floor 905 ft 9 in. 1
, l f
- 2) Above refueling cavity between 905 ft 9 in and 860 ft 0 in.
i .
i Attachment I to TXX-96390 l Response to NRC Request for Additional Information .
Page 125 of130 - on CPSES IPE Submittal !
3)- Refueling cavity *
- 4) Fuel ' storage area ;
- 5) Reactor vessel head storage area -
r
- 6) Steam generator compartments ;
b .- Region B This volume is 0,168 x 106 ft 8. of which 0.035 x 10 6 ft' (20.9 percent) are covered a by spray. ~ The volume is located between 905 ft 9 in. and 860 ft 0 in. (between th e !
secondary shield wall and the Containment wall).
- c. Region C l This volume is 0.073 x 105 ft 8. of which 0.003 x 10' fts (3.6 percent) are covered by spray. The volume is located between 860 ft 0 in. and 832 ft 6 in. (between th e secondary shield wall and the Containment wall).
- d. Region D This volume is 0.125 x 10' ft 8. of which 0.003 x 10' fta (2.7 percent) are covered by spray. The volume is located between 832 ft 6 in, and 808 ft 0 in. (between th e secondary shield wall and the Containment wall).
- e. Region E All sub volumes included in the Containment total free volume and not calculated to be part of Regions A-D are combined together i n Region E as "unsprayed volume".
These sub-volumes are separate from each other, but linked to Regions A-D by flow paths which permit varying degrees of convective mixing. The sub-volumes which ar e less open to convective mixing, such as the react or cavity, are separated from the Containment-liner (and potential leakage paths) by the six inch radial gap which
-is open to convective mixing. Region E has a total volume of 0.356 x 10 ' ft8and
. includes the following compartments:
Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 126 of130 on CPSES IPE Submittal
-1) Cavity beneath reactor vessel
- 2) Elevator
- 3) Rod position indication room (860 ft 0 in.)
- 4) Pressurizer relief tank compartment 5). Pressurizer compartment
- 6) In-core instrumentation room (849 ft 0 in.)
- 7) Seal table room (832 ft 6 in.)
- 8) Neutron flux detector operating room (808 ft 0 in.)
- 9) Heat exchanger compartments
- 10) Miscellaneous passageways The effective spray volume consists of the spraye d volumes in regions A B C, and D.
The total sprayed volume from all sprayed regions is 1.706 x 10 ' ft' This volume represents 56.3 percent of the Containment free volume.
Regions A. B, C and D are linked to each other and to the various sub-regions whic h comprise region E via numerous air flowpaths (e.g , six inch radial gap between the concrete floors and the inner wall of the containment building . gated doors, floo r grating, etc.). These flowpaths are sufficient to allow an assumption that convective mixing occurs between the sprayed and unsprayed volumes at a rate of tw o turnovers per hour.
(c) How this Information Is Used in IPE Assessment of Hydrogen Pocketing and Detonation Based upon the design of the CPSES containment described above, the likelihood of local detonation and potentials for missile generation as a result oflocal detonation, any of which failing
'I r
Attachment 1 to TXX-96390 Response to NRC Request for Additional Information ;
Page 127 of 130 on CPSES IPE Submittal the containment, arejudged too small to quantify independently of the global burn concems already factored into the IPE. One key factor for this assessment is the chimney effect, which forces hydrogen from any potential release path up into the dome region of the containment, as described !
in the FSAR section 6.2.5.3.2, transcribed above.
I i
r r
I, u
i i
e i
1
=
. ,i
- Attachment I to TXX-96390 Response to NRC Request for Additional Information l Page 128 of130 on CPSES IPE Submittal ;
i !
] ' Level 2 Question 11:
Release Category Frequencies and Conditional Probabilities -- In the IPE submittal, the i j ' absolute unconditional frequencies' and the ' relative conditional frequencies' for the release categories are provided in Tables 4.7-3 and 4.7-4, respectively. However, the values presented :
in these two tables are not consistent. For example, according to Table 4.7-3, Release Category l Vi has an absolute frequency of 2.03E-5. This is 76.03% of the total release frequency of l 2.67E-5. However, the conditional frequency presented in Table 4.7-4 for this release category !
is 36.21%. Please clarify this inconsistency.
l Response: l
'Ihe absolute unconditional frequency for the release categories (RC) (Table 4.7-3) includes the i frequency ofeach plant damage state (PDS) binned into the RC. Thus, Table 4.7-3 isjust the bottom t 2 - line of Table 4.7-2 sorted in decreasing frequency order, i l
1 1
- The relative conditional frequency for RC (Table 4.7-4) does not include the frequency of each ;
i PDS, it assumes that all PDS have the same frequency of 1.0. In order to obtain Table 4.7-4, divide i each line in Table 4.7-2 by its PDS frequency, which can be obtained from the bottom line of Table ;
4.3-3. Then add up the columns to obtain totals for each RC and finally, divide each total by the )
grand total in the bottom right hand corner, which will become 100%, when divided by itself.
l Sorting these numbers in decreasing order gives Table 4.7-4. !
i l
l 4
+
7 er--9 9 - , m-, .- - sr --e=-a=-+- w - +^--- -- --^--- -
b
- \
l . Attachment I to TXX-96390 Response to NRC Request for Additional Information ,
Page 129 of 130 on CPSES IPE Submittal i
Leve! 2 Question 12: I Penetration Seal Failure -- Regarding penetration seal failure the only information provided ,
- in the IPE submittal is in the Purge and Vent System isolation valve discussion (p4-102), where -i j- - the following statement is made
- " Figure 4.4-5 shows seal life as a function of time for various ;
materials and temperatures. The materials used for pressure seals at CPSES are all silicone !
based. It is evident from the figure that significant purge leakage is not expected for the CPSES ~ !
I because silicone based seals show excellent temperature resistance (over 1000 hrs at 400oF)."- ;
Please list the seal materials for all the penetrations that are considered in the IPE for seal failure .
} l and discuss their property values. ,
3 4 . Response: j The seal materials at CPSES have been qualified to the requirements of 10CFR50.49. These materials are: ,
- 1. Polysulphone (sealant)
> 2. Kepton (conductor insulation)
- 3. Kynar (cablejacket-coax, triax) ;
{ -4. Rexolite (Dielectric connectors-coax, triax) ;
- 5. Teflon (Dielectric connectors-coax, triax) (
- 6. Viton (Aperture seal) ;
- 8. Aperture seals (silicone rubber) j
- 9. Support plates (epoxi laminants) i
- 10. Blank modules (Fibright) i i
4 The environments to v nich these pentrations are qualified for are:
Temp: 346'F -
- - Pressure
- 113 psig Radiation: 2E10 Rad TID pH: 8.5-10.5 t
-- - .. _ _ _ J
4 Attachment I to TXX-96390 Response to NRC Request for Additional Information Page 130 of130 on CPSES IPE Submittal Level 2 Question 13:
Containment Sumps - Table 4.1.2-2 of the IPE submittal shows that there are two containment sumps in the containment and Figure 4.1-1 shows an emergency sump. Please l'
- discuss how many sumps are in the Comanche Peak containment, their locations, and whether core debris can get into the sumps after vessel breach. Please also discuss whether there are ,
drain lines and pump soction lines in the sump area and, if there are, the effect of core debris on ;
the proper isolation of the drain lines and the proper operation of the suction lines.-
- Response:
Figure 4.1-1 of the IPE submittal is a general plant schematic. The sump shown there is merely a representation for the two Containment Spray Recirculation Sumps (one for each safety train) that
- are used to collect and recirculate water within containment following an accident. A better view of these sumps is provided in Figures 4.1-22.1, 4.1-22.2 and 4.1-25-3. As shown in these figures, ;
the sumps are physically separated and are located at the lowest elevation of the Containment i Building. They are also located outside of the Steam Generator compartments and reactor cavity, :
where most of the debris would be generated and accumulate. There are no drain lines within the sumps. Sump covers are provided to protect the sumps against falling debris. Trash racks and screens are provided to preclude clogging of the recirculation lines and any of the system's components. The covers are of Stainless Steel construction and consist of a solid horizontal deck, ;
vertical trash racks, behind which are two screens: an outer coarser and an inner finer. The fine !
screen has 0.115 inch openings. This size was selected to ensure that the 3/8 inch diameter spray nozzle orifices and the grid assemblies in the reactor core do not clog. The suction piping to the Containment Recirculation Pumps are arranged such that vortices do not occur. .
There are three other smaller sumps within containment that are part of the Vents and Drains system f that are used to collect and monitor containment leaks, but those sumps do not provide a safety
- function. j 4
t l
AttcChaent 2 to TXX-96390 / Page 1 of 83 Leval I QuestiCn 8 ALL ACC. SED. LOGIC I T O' PSI b-I I ANY CORE OAMAGE FAILURE OF CONTAINMENT SPRAY SEQUENCE CONTAINNENT FAILS TO PROVIOE ISOLATION . SPRAY OURING INJECTION OR RECIRC.
I ST'O P i lCZ1000 I ICibt i Page 2 TITLE Accident Sequence Fault Tree ,
ORAWING NUMBER DATE Page 1 7-17-92
. . , , .; -: .;: -l ir' i-2 .
e 9 -
c 7 -
n 1 ee
=
s ue qr e7 T.
o eT S
.t tl nu 8 ea n n
e dF e2 e
n i
t i u s
e c "e S
" g Q
u E
c I L A I
"a a
l T
I T
aP D
e v
e L
. . si s .
i i n i i i
3 k.
I A.
.e i.
A .
.g s
e.
. i g .
e.
i g '
p' E
6 a
n at .
Dc 3
8 f
E Re Oo h
[
o Csc i o
T 3 . > . . i 2 M A . . . . . .
'e9 . . .
.r g g a . ,
g.
, l >
P A. >
A . '
A
, i . '
A,,,
i.
. . i
/ i. i. . . '
I i . . . '
0 9
. 3 6
9 X
X T
o t
2 t
n e
m
. h c
a
. t
. t A
' : . 4 ,
' Attachment 2 to TXX-96390 / Page 3 of 83 Level I Question 8 Page 2 a
a SEQUENCE el1CNI SE0uENCE et1Cse2 I e T l'EN 1 I i eT t'CN2 I E I E
5 FAILURE TO FAILURE TO REACTOR TRIP FAILURE TO FAILURE TO REACTOR THIP ESTA8LISH SECareARY ESTAaLISN BLEED AND INITIATING EwENT ESTABLISH SECONDARY ESTASLISH INITIATING EWENT RECIRCULATION FRE0uENCY SYSTEN M AT REMOWAL FEED F N OUENCY SYSTEN HEAT RENov&L PRIOR TO AN S SIGesAL PRIOR TO AN $ SIGNAL E 55 gem 01 1 I SRC Emo t I 155GEmot I 15aF a'm01 1 Page 4 Page 77 Page 4 Page 5 5 5 TITLE Accident Sequence Fault Tree ORAWING NUMBER DATE Page 3 7-17-92
Attachment 2 to TXX-96390 / Page 4 of 83 LEVal I Question 8 SSGXXO! Outputs:
Page 77 Page 79. Page 33 Page 23 Page 3 Page 3 Page 8 Page 8 Page 9 Page 9. Page 10 Page 10 Page 11. Page it. Page 12. Page 12. Page 13 Page 13 Page 14 Page 14 Page 15 Page 15 Page 17 Page 17 F AILt WF_ TO ESTABLIrJ1 SECONDARY SYSTEM HEAT REMOVAL PRIOR TO AN S SIGNAL 5ee Ootput ! "O' I List c 4 FAILtKk TO PROVIDE 460 GPM TO STEAM GENERATORS lAF1000 l b
TITLE Accident Sequence Fault Tree ORAMING NUMBER DATE Page 4 7-17-92
-a.... -_a.-_._.m m_____ __._. m__.___u__.- -.-m._ _ _ . _ . - - .__._A__.____ _ _ _ . . _ _ _ . __________ ___- -__- _ _ _ _ 6- -- -m 2 w- *++---m.;; 4-Mem eiw rv'- w ac - -- u gs -*.e--+ _"'+-++smzia -- m+m avwww.
-Attcchment 2 to TXX-96390 / Page 5 of 83 L0 Vel I Questicn 8
$BFXXOi Outputs:
Page 79, Page 70 Page 3. Page 6. Page 7 Page 8. Page 38 Page 9. Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 17 FAILURE TO ESTABLISH BLEED AND FEED I x01 i See Output List i i FAILURE OF PORVS TO FAILURE TO PROVIDE OPERATOR FAILS TO OPEN ON NANUAL INTERMEDIATE AND INITIATE FEED AND ACTUATION HIGH HEAD INJECTION BLEED IRC2'OOO I ISOFxx02 I IGBFXX NITNY I II i i FAILORE TO PROVIDE FAILURE TO PROVIDE HIGH HEAD INJECTION INTERMEDIATE HEAD SAFETY INJECTION I CSGE000 l = ISIt000 I b b TITLE
. Accident Sequence Fault Tree DRAWING NUMBFR DATE Page 5 7-17-92
Attachment 2 to TXX-96390 / Page 6 of 83 Level I Questicn 8 m
SEQUENCE #I3CN1 SEQUENCE eT3CM2 I e T NN A I I eT 3'CN2 I u a a
e FAILURE OF FAILURE TO INADVERIENT SI AS FAILURE OF FAILURE TO INaovERTENT Slas INITIATING EVENT SECOMOaRY HEAT ESt&8LISH BLEED are IN11taTIPG EVENT SEcopeaRY # EAT ESta8LISH RECIRCULATION FREGUENCY REMOVAL &FTER AN S FEED FFEGUEKY RENovat aFTER AN 5 $IGNat StGMAL ~
~ ~
I E5Gs mOl5 I
~
I SRC m m 0 t I I ESGw noi5 I I 58F uuO t I
, g .. 5, g .... n ,
g....S. g5 TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 6 7-17-92
. . -- . . . - - . _ . . . . . .- - .~
Attachment 2 to TXX-96390 / Page 7 of 83 Level I Question 8 s
P.ge 2 a
m SEGUENCE diaCM2 SEGUENCE #TeCMI I eT a'CM1 I I eTeCM2 I a
a s a
FAILURE TD seAIN STE AM LINE FAILUE OF FalLURE 10 MalM STE AM LINE FAILURE OF SECONDARY WAT ESTA8LISH SLEED A86 SECONDARY W AT ESTABLISH BREAK IMITIATING SREAK INITIATING RECIRCULATION EVENT FRE0uENCY REMOVAL AFTER AM S FEED EVENT FMORENCY REMOVAL AFTER AM S SIGNAL SIGNAL ~
MD e I 55Ex mC 15 I I BBFERDI I I 55Ga'uD15 I g .. .. g .... n , g.... g.
TITLE l ,
Accident Sequence Fault Tree DRAWING NUMBER DATE i
Page 7 7-17-92 l
Attachment 2 to TXX-96390 / Page 8 of 83 Level I Questicn 8-E I
5EQUENCE ei6Cle2 SEQUENCE stSCM3 I eT6k.M2 I I eTECM1 I I
I E I
FAILURE TO LOSS OF WW - NO F AILURE 10 FAILURE TO LOSS OF WW = NO FAILURE TO TA#kJ#v !?Sta' Era"*.O ad'la'ib 74,.'?'FkJ#v tiSta' Era 7c'"l PRIOR TO AN S SIEiHAL A ' '" a "" "*
t PRIOR TO AN $ SIGNAL 155 Gam 01 I 155FN' IDS I g.....
E55Gm:01 I I SAC u' n o t I
$ g..... g .... n S g ... .
TITLE Accident Sequence Fault Tree _
ORAWING NUMBER DATE Page 8 7-17-92
Atttchment 2 to TXX-96390 / Page 9 of 83 Level I Question 8 R... .
i SEQUENCE 9X$CM3 SEGUEMCE ea1CN.
I #11'EtG I I eX iCM1 I a a u _
i FAILURE TO F AILURE TO LOSS OF a OC SUS FaILUM TO FeILURE 10 LOSS OF a OC SUS ESTABLISH SECONDARY ESTastt5n STEED AND IMIT . EvfMT FNO. Esf a9LISH SECONDARY ESTasLISH IMIT. EVENT FREO.
SYSTEM eEAT removal RECIRCULATION SYSTEM Deaf removal FEED PRIOR TO AN $ SIGNat PRIOR 70 aN $ SIGNAL
~
I SRC u n D I I E 155Ga'uOi I I EEFRIDI I g,a 155Gk mDi I g ... . g ... T, g5 g..... g.
i l
l TITLE ,
Accident Sequence Fault Tree ORAWING NUMBER DATE Page 9 7-17-92
Attachment 2 to TXX-96390 / Page 10 of 83 Level I Question 8
... 2 s
i SEOUENCE WR2 CMS SEQUENCE #R2CM2 I e n 2'CM1 I I em2'Cm2 I g
y I E F AILURE TO F AILURE TO LOSS OF iT HvaC FAILURE TO FAILURE TO LOSS OF TW HwAC ESTABLISH KEED AND Sv51EM INIT. EVENT ESTAGLISH SECONDARY ESTABLISH Sv$iEM INIT. EVENT EST ABL ISH SECONDARY FREO. SYSTEM HEAT REMOVAL RECIRCULATION FREO. SYSTEM eEAT Removal FEED PRIOR TO AN S SIGNAL PRIOR TO AN $ SIGNAL I 55Gm'u01 I I S5F a'uD t I g....,
I SRCm'm01 I g .. .
I 556mm0 t 1 g,a g .. . g....TT gen i
l I
(
l TITLE Accident Sequence
- Fault Tree
' DRAWING NUMBER DATE l Page 10 7-17 l l
Attachment 2 to TXX-96390 / Page 11 of 83 Level I Question 8 h.
._ a . . , ._ a ..
. . . i. , ,
. . . a- ,
E b) R E Q) I DE RE REC ON F lE A4.
F 5 55Gu'uO1 1 E 5HF u'n o t I g,a 155Ga'nQi I g ... .
E SAC a'uG B I g....,, g,a - 3 .. . g .. .
TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 11 7-17-92
Attachment 2 to TXX-96390 / Page 12 of 83 Leval'I Question 8 R... .
- .- =.-
i exitssi i nexacenz a z a a
a
's[oNtut YENT Esfa l SE ARY ES mett a B INI N ESTa lh SE Y ESTa l al D ase FREO. 75 M DEAT RE at RECIRCULATION FREG. YS M IEat RE FEED i nssumon i i mRcinoa i i uscimoi a i zwison i g,4 g .. . g .. ,, g,me 3 n.
g n. .
t .
l l
l TITLE i
Accident Sequence l
Fault Tree 1 DATE i
DRAWING NUNBER Page 12 7-17-92 t
- --. . . . . . . _ . ~
Attachment 2 to TXX-96390 /_Page 13 of 83 Level I Question 8
- .- a.-
I endN1 I EWIN342I I E E
E FAILURE TO FAILURE TO LOSS OF PROTECTION FAILuf4E TO FAILURE TO LOSS OF PROTECTIost NT F G. S dea RE ON NT 0 5S NEa NO EE Pit!OR 10 AN S SIGNAL PRIOR TO AN $ SIGNAL 15SGNx01 I 15ACEE01 I a ISSGun01I I WanDa I a
, g .. . g .... n , g. g.
TITLE Accident Sequence Fault Tree ORAWING NUMBER DATE Page 13 7-17-92 e+e
Attachment 2 to TXX-96390 / Page 14 of 83 LQvel I Qusstion 8 Page 2 3
I SEQUENCE 8x5 CMS SE(RJENCE SE6CM2 Ienf[CM1 1 I ouf:d'M2 I a a s
a FAILURE TO F AILURE TO LOSS OF COMPONENT FAILURE TO F AILtJRE TO LOSS OF COMPONENT l ESTABLISH SECONDARY ESTa9LISH SECONDARY ESTABLISH SLEED Are COOLING MATER ESTABLISH COOLING WATER SYSTEN HEAT removal RECIRCULATION SYSTEM INIT. EVENT. SYSTEM HEAT RENovat FEED SYSTEM IN11. EVENT. FREO. PRIOR TO AN $ SIGNAL F RE O . PRIOR TO AN $ SIGNAL u ISSGEu01 I I SRC E
- 01 I a I SSGEno t i I 58F n'ac t I Page 4 Page 77 Page 4 Page S g g TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 1A 7-17-92
. Attachment 2 to TXX-96390 / Page 15 of 83 Level I Question 8 e
P.g. 2 E
I SEGUENCE ex7 CMS .SEOUENCE ex7CM2 t ex7cus I R es7tm2 I E E E E
LOSS OF ST Afl0N FAILUAE TO FAILURE TO LOSS OF STATION F4ILURE TO F AILURE TO ESTA8LISH SECOMOARY ESTABLISH SERw1CE MATER INIT. ESTABLISH SEcopCART ESTABLISH SLEED AMO SERVICE MATER INIT. SYSTEM HEAT REMOVAL FEED EVENT FREO. SYSTEM HEAT REMOwAL RECIRCULATION EVENT FREQ. .
I PRIOR TO AN S $1GNAL PRIOR TO AN $ SIGNAL I 55Gn a0 t I I SRC m'm01 I a I 55Gu n01 1 I EBFEEDI I gR... .
g R. .
,,- , g e. A g R. .
TITLE Accident Sequence Fault Tree DRAWING HUMBER DATE Page 15 7-17-92
_ _ _ _ _ _ _ . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ . _ _ _ _ . _ _ = _ _ . _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . , , . . , _ , . , -.
i~ , I 2
e 9 c 7 7
n 1 ee -
ue e7 qr T n
o eT S
t tl .
nu -
8 n
ea en6
. c dF s1 n
i i o t n s
e c s e
Q u c ug E r
_ I LA .e
=
_ l T
I T
nP o
e v
e L
2 9 9 4 5 ,
7 ,
4 6 e e e e e g
g g g g a ,
g'
. a a a P P p P I
l P I 7
I S 5 E u s
I 3 E T
S I
I W I
W I
M
. k B
I 3 1 8 ,
f o
+ *
, 2 3 ,
_ 6 8 0 2 ,
, 1 2 2 1 ,
e e e e e ,
g g g e
g g
g a a a I
a ,,
P P P P O P '
. a , i l 1 I E C
. P e s e s J
_-; /
ig n
s '9 I
I h t
I
'9 I
. t
'ce x
e 0 i
_ 9 3
6 9
X X
T o
t 2
. t n
. e m
h
_ c a
t t
A
Attachment 2 to TXX-96390 / Page 17 of 83 Level I Question 8 i
l Page 16 i
m SEQUENCE #ABCN1 St0UCNCE em80H2 I eadN1 I I sadm2 B E I I
E FAILURE TO F AILURE TO LOSS OF INSTRUMENT FAILURE TO Fatt.URE TO LOSS OF INSTRUNENT ESTABLISM BLEED Are AIR INIT. EVENT ESTABLISH SECOrOARY ESTABLISH AIR INIT. EVENT EST ABLISH SECONDARY SYSTEN # EAT RENOv&L RECIRCULATION FREQ. SYSTEN NEAT RENovAL FEED FREQ. PRIOR TO AN $ SIGNAL PRIOR TO AN S SIGNAL m I SSGEn01 I l_V< E mo t I = I SSGEmot I 15BF E u 0 s i Page 4 Page 77 5 Page 4 Pese 5 3
TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 17 7-17-92
Attachment 2 tO TXX-96390 / PQge 18 Of 83 Level I Question 8 Page 16 i i SEQUENCE #ACM1 SEQUENCE fACH2 1 # ACM1 1 I # AbM2 I r3 f3 II I
TT I I I LARGE BREAK LOCA FAILURE TO LARGE BREAK LOCA FAILURE OF INIT. EVENT FREO. ESTABLISH LOW HEAD INIT. EVENT FREO. INJECTION ON LBLOCA RECIRCULATION EA ISLACx01 I RA ISSIxx02 1 Page 19 2 2 INAOEQUATE COOLING INAOEQUATE COOLING FROM RHR TO RCS HOT FROM RHR TO ACS LEGS RECIRCULATION COLO LEGS RECIRCULATION IRHG201l l RHG'100 i b b TITLE
, Accident Sequence Fault Tree ORAWING NUMBER OATE Page 18 7-17-92
AtttCheent 2 to TXX-96390 / Page 19 of 83 Leval I Question 8 FAILURE OF-INJECTION ON LBLOCA Page 18 Page 76 I I FAILURE OF HIGH AND INADEGUATE RHR FLOW FAILURE OF 2 INTERMEDIATE HEAD TO RCS COLD LEGS ACCUMULATORS TO INJECTION (INJECTION) DISCHARGE ON DEMAND lSSixx02A I IAMG1 I ISI5'000 I II b b I I FAILURE TO PROVIDE FAILURE TO PROVIDE HIGH HEAD INJECTION INTERMEDIATE HEAD SAFETY INJECTION ICSGEOOOI ISIt'000 l A A TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 19 7-17-92
Attachment 2 to TXX-96390 / Page 20 of 83 Level I Questien 8 Page 16 i i SEQUENCE #MCM1 SEQUENCE eMCM2 i eMUM1 1 I *MEM2 I r
1 i i s MEDIUM BAEAK LOCA FAILUAE TO MEDIUM BREAK LOCA FAILURE OF INIT. EVENT ESTABLISH INIT. EVENT INJECTION DUAING FREQUENCY RECIRCULATION FREQUENCY %Q MBLOCA I SACAx01 I %M i SSI5x01 I Page 77 Page 21 3 3 TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 20 7-17-92
Atttchment 2 to TXX-96390 / Page 21 of 83 Level I Qu:stien 8 FAILURE OF INJECTION DURING HBLOCA ISSixxotl p ,9 , y Page 20 I ,
FAILURE OF CCPS AND FAILURE OF 2 SIPS ON INJECTION ACCUMULATORS TO DISCHARGE ON DEMANO I$SIx'XO1A I IS15000 l f3 rr ,
FAILURE TO PROVIDE FAILURE TO PROVIDE HIGH HEAD INJECTION INTERMLDIATE HEAD SAFETY INJECTION ICSG1000 I . I SI t000 I A A TITLE
. Accident Sequence Fault Tree DRAWING NUMBER DATE Page 21 7-17-92
AttaCheent 2 to TXX-96390 / Page 22 of 83 Level I Questien 8 Page 16 i I ,
SEQUENCE #SCM1 SEQUENCE eSCM2 l eSCM1 I l
- SUM 2 I r, r TT , ,
SMALL BREAK LOCA FAILURE TO SMALL BREAK LOCA FAILURE OF INIT. EVENT FREQ. ESTABLISH INIT. EVENT FREO. INJECTION ON SOLOCA RECIRCULATION I SACEx01 1 % 1 SSI5x0YI C 3 Agoo.27 3 g'e...
i TITLE
, Accident Sequence Fault Tree DRAWING NUMBER DATE Page 22 7-17-92
_ _ - - _ _ _ _ - _ _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ - - _ . _ - - _ - - . _ - _ . _ _ _ _ _ _ _ _ _ _ _ _ _ - - - - - - - -- - _, m -. _-- _ _ - - - _- -_.
Attachment 2 to TXX-96390 / Page 23 of 83 Level I Question 8
./
e A.s / / ~
.I An
..A..
. p.
=m n u m a .ve.,
mu1>I Ii_ iI g .. ,,
E: ,,
g......
1 I y,-. ,
OPERaIORS F AIL TO I E Rhelasa l lON E DULPMENT F AILS.
- ISOLATE gNEAK floes ,
IN 2 MOUR$ AND OPERATOR ralLS 70 cOPf E L5GI-iO t E I E5G I=)I & I g g .. ., ,
TITLE-Accident Sequence Fault Tree ORAWING HUMBER DATE Page 42 7-17-92
l Attachment 2 to TXX-96390 / Page 43 of 83 Level I Question 8 TEfleeINATICD4 EOu!PnENT F AILS.
AND OPERATOR FAILS TO COPE
,,,, , I15GiRO:AI i
W i I 15ETRO1EmJIP I I 15GTRE(FE I STEAM RELIEF PeWESSURIZER CANNOT OPERATOR F AILS TO RHR CLOSE LOOP seAIN STEAu EQUIPMENT ISOLATION valves L.peAv AIL ABLE BE OEPRESSURIZEO ENTER CLOSED LOOP COOLING ON RHR tasavAI AL ABLE AND OPE FAIL TO CLOSE ON RATORS FAIL TO COPE DEseANO _
I15GTAPAZ I I E5GTRO3 I I 55GTREOUIP I g
I M5GO25 I I55GTR5TM I g -
g 3.....S o E I E E STE AM OLDIP floes F AILW TO FAOwlOE OPERAIORS F AIL TO PATH tpeAVAILABLE CONTROLLEO ERTEND INJECTION DEPRESSURIZATION AFTER F AILL8tE OF WIA tee ARvS RECI8ec CAPASILITY ;
I 15GTR5TMS I I M5G'075 I - I RHG'300 I IECA-I.1I A '* " A O O TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 43 7-17-92
Att:chment 2 to TXX-96390 / Pcge 44 of 83 LeVal I Questicn 8 STEAM DUMP FLOW PATH UNAVAILABLE
\ ,,ee,4 ,M, ,
I I STEAM DUMP SYSTEM FAILURE OF MSIV #1 UNAVAILABLE TO CLOSE ON DEMANO i
1 MSG 3OO l l MSG'035 I A O TITLE Accident Sequence Fault Tree ORAWING NUMBER DATE Page 44 7-17-92
Attachment 2 to TXX-96390 / Page 45 of 83 Level I Question 8 PRESSURIZER CANNOT BE DEPRESSURIZED' Page 43
\
Page 46 II I I FAILURE OF 2/2 FAILURE OF PORVS TO OPEN (1/2 PRESSURIZER SPRAY NEEDED) l RC[OOO I lRC6000l A O o
l TITLE Accident Sequence i
Fault Tree DRAWING NUMBER DATE Page 45 7-17-92 i
l
Attachment 2 tO TXX-96390 / Page 46 Of 83 Level I Question 8 SEQUENCE #RCN4 Page 42 I i STEAN GENERATOR FAILURE OF FAILURE TO ISOLATE TUBE RUPTURE INIT. INJECTION ON SBLOCA BREAK FLOW AFTER EVENT FREO, LOSS OF INJECTION I SSI Ax03 I I SSG RO2 I '
g Page 75 I I 'I I OPERATORS FAIL TO NAIN STEAN STEAN RELIEF PRESSURIZER CANNOT ISOLATE BREAK FLOW ISOLATION VALVES UNAVAILABLE BE OEPRESSURIZEO AFTER LOSS OF FAIL TO CLOSE ON INJECTION DENANO I ESGT A02 I I MSG 025 I ISSGiASIM I I SSGI'APR2 1 Page 43 Page 45 TITLE -
Accident Sequence .
Fault Tree DRAWING HUMBER DATE Page 46 7-17-92
' Atttchment 2 tO TXX-%390 / Page 47 Of 83 LevelJI Quisticn 8 SEQUENCE ORCN3 Page 42 I I STEAM GENERATOR FAILURE OF FAILURE OF BLEEO TUBE RUPTURE INIT. SECONDARY HEAT ANO FEEO AFTER EVENT FREO. RENOVAL AFTER AN S SBLOCA SIGNAL ISSGXx01SI lSHHLhCA02l Page 69 6
. . i FAILURE OF PORYS TO OPERATOR FAILS TO OPEN ON NANCAL INITIATE FEEO AND ACTUATION BLEED IRC2'000 l IGBFXX NITNY l
~
b b TITLE Accident Sequence Fault Tree DRAWING NUMBER ~ DATE Page 47 7-17-92
Attachment 2 to TXX-96390 / Page 48 of 83 Levej g-Question 8
~
j' I
./ . _
t i
SEQUENCf#RCM Page 42 b
(
'~
3 TT I STEAM GENERATOR FAILURE OF FAILURE OF -
TUBE RUPTURE INIT. INJECTION ON SOLOCA SECONDARY HEAT EVENT FREO. REMOVAL AFTER AN S ;
SIGNAL U lSSIxx03l lSSGXxOSS I age 75 Page 69 6
TITLE Accident Sequence Fault Tree ORAMING HUMBER DATE Page 48 7-17-92
9 Attachment 2 to TXX-96390 / Page 49 of,83 Level'I Question.8 t a
i Page 16 l
I I SEQUENCE eATCM1 ,
SEQUENCE eATCMS
'*~
/
/
IeAT'CMI I I e AT' CMS I Page 50 Page 65 I I SEQUENCE eATCM2 SEOUENCE eATCM6 l r i IeAT'CM2 I I#AT'CM6 I Page 54 Page 66
! SEQUENCE eATCH3 SEQUENCE eATCM7 ,
a
' ? t S '
i I # AT'CM3 I I#AT'CM7 l Page 55 Page 67 i
i I [ .
SEcuENCE eA 4 SEQUENCE eATple8 TITLE
/ l i eAiCa i i EAT'CMG i Accident Sequence d "'" ** O "'" ** Fault Tree ORAWING NUMBER DATE Page 49 17-92 ,
. . . _ . ._ ._ . . _ . . . . . _ . . _ _ _ _ . _ . _.__..__ _ . . . _ _ _ m. __ __...._._._.. ._ __ . .
Attachment 2 to TXX-96390 / Page 50 of 83 Level'I-Question 8 i
i SEGL4asCE salCN3 P .. ,
a e a a u Thans$IENT LEaOS To TRIP SIEastEft$ F AIL - mam sIEacTOR TAIP FaILUBE & Somalgtpa im!P WEastEns FAIL TO OPEN (pe FatLS aFrEn auto 10 OpEn ON LOCAL tut BEeutsES fEaCitpl esamajat OEssase imIP auTOsn4 TIC SIOpeAL TRIP F AILIAIE n usuTxsolaa m aP T ,
s I mRTa501a2 E a
P.g. 65 a
p j
u T !
OPEstaTOR FAILS TO SAEastER5 FAIL TO F AILt#IE 10 PROv!OE FaltusE TO PetovtEM OPEN One taaseJat meP!D SORailON maPIO eOmaigose TRIP IEaCTOR AFIER auto TRIP FAILtAEE REse01E TRIP. DOTH SmIIDES _
R EPT u ma na2 i W, P.g. 53 FaILLftE & leaped OPEmattyt F AILS to [
SORA T10pe INITIaiE EaE810EreCY a
80RailDM j
i Y b i
TITLE Accident Sequence Fault Tree .
DRAWING MUMBER OATE
~
i Page 50 7-17-92
Attachment 2 to TXX-96390 / Page 51' of 83 ' Level I Qu2sticn 8 f
TRANSIENT LEAOS TO $RTXXOlat Outputs:
OR REOUI,RES REACTOR Page 50 Page 54 Page.55 Page 64 Page 65.' Page 66 Page 67.' Page 68 R BRTN 50141 1 See output List
~
E i K aCTEpt TRIP vfRY SMaLL mREAM INITIATING EVENT LOCA TNITIATIses FEGUENCY EwENT E I INaOwERTENT SIAS LOSS OF TE NwaC INITIATING EVENT SYSTEN INIT. EwENT FmouENCY FREO.
t i
i i NAIN STEAM LINE LOSS OF A DeON-v1TAL mREAM INITIATING AC SUS INIT. EVENT EwENT FREOuENCY FREO.
E I LOSS OF NFW - NO LOSS OF OFFSITE '
NFW AVAIL. INIT. POWER INIT. EVENT EVENT FREOUENCY FREO.
I E DEOIUM BREAK LOCA STEAN GENERATOR INIT. EVENT TueE RUPTURE INIT. '
FREOUENCY EVENT FREO.
TITLE sNAu. EAn tOCA TRANSIENT REOUI= S OR LEAOS TO REACTOR Accident' Sequence ,
INIT. EVENT F M G.
Fau1t Tree !
="""";g ,, onaur u.een oaTe O Page 51 7-17-92 i
. _ _ . . _ . . . ~
Attachment 2 to TXX-96390 / Pcge 52 of 83 Level I Question 8 T
4 TRANSIENT REQUIRES OR LEAOS TO REACTOR TRIP (CONTINUEO) b P,,, ,,
, SR , . 0 , . . . ,
.i LOSS OF INSTRUNENT LOSS OF A OC SUS AIR INIT. EVENT INIT. EVENT FREO.
FREO.
. SSB EE 5 5 l
i I LOSS OF CONDENSER LOSS OF COMPONENT VACUUN INITIATING COOLING WATER EVENT FREQUENCY SYSTEN INIT. EVENT.
l FREO.
! tv t$6 l 5 5 I I LOSS OF PROTECTION LOSS OF STATION CNAMNEL 1PC1-INIT SERVICE WATER INIT.
EVENT FREO. EVENT FREO.
EE x7 5 5 TITLE Accident l Sequence Fault Tree DRAWING NUMBER DATE Page 52 7-17-92
Attachment 2 to TXX-96390 / Page 53 of 83 Leval I Question 8 FAILUREE TO PROVIDE RAPID BORATION Page 50 FAILURE TD PROVIDE HIGH HEAD INJECTION I CSG5000 l A
l TITLE Accident' Sequence Fault-Tree DRAWING HUMBER DATE Page 53 7-17-92
Atttchment 2 to .TXX-96390 / Page 54 of 83 Level-I Question 8 SE0uENCE earCMa a, ..A.~.
I IRaNS3ENT LEaOS TO E
TRIP SmaaERS FAIL MANUAL REACIOR TRIP E
9 I MatM FEE 0maIER falls E
FaILimE OF SORai!ON I
IRIP SMaaERS Fait OR M ou!RES REACTOR TO OPEN ON FAILS AFTER auto TO OPEN ON LOCAL TRIP AUTOMATIC SIGNAL IRIP Fa! LURE Manual DEMANO IERTn50tatI I RTIOOO I I sat m E01a2 I . ECF 1001 I ELT5EBORON I RRT2OOOI 3 .. S. g g...50g;;;;;
I g E 3 .a 50 g
LOSS OF MFW = NO Na]N FEEDwaTER NFW avail. INII. STSTEN FAILS OURING EVENT FREQUENCY AIWS I
ICFOOOI U* O TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 54 7-17-92
c AttCChaent 2 tO -TXX-96390 / Page 55 of 83 Leval I Questien 8 '
SEQUENCE #ATCN3 ,
Page 49 d
i i TRANSIENT LEAOS TO MAIN FEEDWATER FAILS OR REQUIRES REACTOR TRIP NTxNO1 A1 l l$CF100 I Page 51 Page 54 i __
I TRIP BREAKERS FAIL RCS OVERPRESSURIZATI TO OPEN ON ON FROM FAILURES OF AUTOMATIC SIGNAL AFW, PORVS OR TIME I N LIFE I R T 3'O OO I lSATxxO6 I
- Page 56
- MANUAL REACTOR TRIP FAILS AFTER AUTO TRIP FAILURE l
i I$RTxx01A2I Page 50 l
TITLE Accident Sequence Fault Tree ORAWING NUMBER DATE Page 55 7-17-92
. _ . . . __ _ _ _ . _ . . _ _ . . _ __ . . . _ _ m.. __
Attscheent 2 to TXX-96390 / Page 56 of 83 Level I Question 8 ACS OwEspMS$ditars Oue Fse0M FattuutES OF o Mu PODv5 OR IIe( l i es t VFE P.g. SS a I .
sich pts p a st upE TO pm0wicE asse saaElv sett tEF Ac5 OwEppaE 55# t l a1304 e60 GPe to Tee watet FatL5 to crEen OwEp*84ES5untratt0N OvE mpsES5up t rat ICro altee eens u $ff ass ti(sef eaf ast$ sps esI6ee petE55upeE aF TER FFu sen t af fER S aFes and) est F a si (WiE s
OPEpalte e att$ so posto comentonat tose pattuME to 8% Wlut POmv5 r a tt to OPEse [EBRE LEFE 45 ese 6pm to 14 (De solese PsIES$ust usur awommeL E me tte tes5Ent m005 FatttmE5 (Ea0 TO eing. FaFu seG #0"w5 e*assuatt y as tee at=S OVE snaaE55uutillcre % Tease edgmatosas Bart mEE0EDs I id it a ' :
a0tn posew$ OPEss (pg PLpv QPEsas, But SQfee POpub 8 e tt to auf Capactre 55 Capacite 35 OPEse ost caGactfe 35 lee 5urF [CIEns ps5ut s ICIE NI Inesur t ICIEul EELIa ;se I E iaT a - -3 E E la, ,s I g . . ., g .. . g. 5, t
TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 56 7-17-92 ,
t
Attachment 2 to TXX-%390 / Page 57 Of 83 Laval I Questien 8 BOTH PORVS OPEN.
BUT CAPACITY IS INSUFFICIENT
\
Page 56 CORE LIFE IS UNFAVORABLE WITH FAFH. NO MRI. BOTH PORvS .
I I 4
k TITLE l ,
Accident Sequence i Fault Tree i ORANING NUMBER DATE Page'57 7-17-92
. Attachment 2 to TXX-96390 / Page 58 of 83 Leval-I Questicn 8 -l ONE PORY OPENS. BUT CAPACITY IS INSUFFICIENT Page 56 II I I FAILURE OF 2/2 CORE LIFE IS PORvS TO OPEN (1/2 UNFAVORABLE WITH NEEOEO) FAFW. NO MRI. 1 PORV l RCIOOO I I LE T 8 I A O t
TITLE Accident Sequence l
Fault Tree DRAWING NUMBER DATE I Page 58 7-17-92 l
l
AttaChaent 2 to TXX-96390 / Page 59 of 83 Level I Question 8 i
BOTH PORYS FAIL TO OPEN OR CAPACITY IS INSUFFICIENT Page 56 .
II I I PORvS FAIL TO OPEN CORE LIFE ON HIGH PRESSURE UNFAVORABLE WITH .
(1/2 NEEOEO) FAFW. NO HRI. NO j POAVS IRC1000 l I UE T9 I A O TITLE
. Accident Sequence Fault Tree ORAWING NUMBER DATE Page 59 7-17 _ - _ - - - _ _ _ _ _ _ _
Attachment 2 to TXX-96390 / Page 60 of 83 Level I Question 8
~!
- CS OVERPPESSURIZ ATION WITH HaFW I EstTaA20 I R
Fa! LUBE OF ANY AF W W I RCS PLasp OvERPEESSURIZ AIION DUE 10 PORW Fait URE asa0 11esE OF LIFE I WI5 m21 i x
a OvE849ESSURIZei!OM OVEfFRESSURI2aTION DESPITE HaFM, seRI sFTER HaFu aND ps0 MI I EPT a'm21 a i I 5RT u s21B I Dwf fumESSURI taIIDM 9 OVERPRES$URIZATION DvE RPRE SSURIZ A T ION 9 .
OPERaIOR falls TO AFTER MO PORWS (PEN DUE TO PORW FalLURE IseSERI RODS ESPITE OPEN!986 9 AND 119eE OF LIFE sea: ALLY AFTER alwS PORV IEfqTum21411 E BRTFk2 ta2 E E SRT u k2151 I g SI go 3 .e ,
TITLE Accident Sequence Fault Tree DRAWING NUNBER DATE ,
Page 60 7-17-92 T
f Attichment 2 to TXX-96390 / Page 61 of 83 Level I Questien 8 OVERPRESSURIZATION DESPITE OPENING 1 PORV
,,,;, ,,P,j,,., ,
I TT I FAILURE OF 2/2 CORE LIFE
-PORVS TO OPEN (1/2 UNFAVORABLE WITH NEEOEO) HAFW, MRI. 1 PORV I RciOOO 1 I UE'T5 l A O T
i TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 6i -17-92
Attachment 2 tO TXX-96390 / Page 62 of 83 Leval I Question 8 OVERPRESSURIZATION AFTER NO PORYS OPEN Page 60 II i i PORVS FAIL TO OPEN CORE LIFE ON HIGH PRESSURE ONFAVORABLE WITH (1/2 NEEDED) HAFW. MRI. NO PORVS lRC1000 l lUET6 l A O TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page-62 7-17-92
Attachment 2 to TXX-96390 / Page 63 of 83 Laval I Quasticn 8 OVERPRESSURIZATION OUE TO PORY FAILURE a ANO TIME OF LIFE I SRI x
- 2 t B 1 1 p g DvERPRESSURIZTION i i OYERPRESSURIZATION 9 a OVERPRESSURIZATION DESPITE BOTH PORYS DESPITE I POAV AFTER NO PORYS OPEN OPENING OPENING
~
I 5AI X m'? t BI A 1 i SRTa n21B1B 1 I 5RTau'2181C I a I s s
FAILURE OF 2/2 CORE LIFE PORvS FAIL TO OPEN CORE LIFE CORE LIFE UNFAVORABLE WITH LpFAVORABLE WITH PORvS TO OPEN (1/2 Ur#AVORABLE WITH ON HIGH PRESSURE HAFW. NO NRI. 2 NEEOEO) HAFW. Ps0 NRi. 1 PORY (3/2 NEEOEO) HAFW. NO NRI. NO PORvS PORYS IUEi10 I IRC7'000 I M I RC s'OOO I O A O A -
i TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 63 7-17-92
Attrchment 2 tO TXX-96390 / Page 64 of 83 Level I Questicn 8 ,
SEQUENCE #ATCM4 Page 49 T I I
TRANSIENT LEAOS TO CONTROL ROOS FAIL FAILURE OF BORATION OR REOUIRES REACTOR TO INSERT OUE TO TRIP MECHANICAL FAILURE t
iSATxxotAt l IRT4000l ISLTS50RONl Page 51 page 50 TITLE Accident Sequence Fault Tree DRAWING PAJMBER DATE Page 64 7-17-92
, , , , . ~ . -.
Attccheent 2 to TXX-96390 / Page 65 of 83 - Level I Question 8 SEQUENCE 8ATCMS Page 49 g I
TT I I I
TRANSIENT LEADS TO CONTROL ROOS FAIL MAIN FEEDWATER FAILS FAILURE OF BORATION OR REQUIRES REACTOR TO INSERT DUE TO TRIP MECHANICAL FAILURE -
ISRTxxotAt i I HTiOOO I lSCF100 1 1$LTS50RON]
Page 51 Page 54 Page 50 TITLE
, Accident Sequence Fault Tree i
DRAWING NUMBER DATE Page 65 7-17-92
_,wn Attachment 2 to TXX-96390 / Page 66 Of 83 Level I Questicn 8 SEQUENCE #ATCMS Page 49 g II i i i s TRANSIENT LEADS TO CONTROL RODS FAIL MAIN FEEOwATER FAILS FAILURE OF ANY AFW OR REQUIRES REACTOR TO INSERT OUE TO PUMP TRIP MECHANICAL FAILURE I$RTxx01A1 l lRT4000l l $CF 100 l lAF6000 i Page 51 Page 54 TITLE Accident Sequence Fault Tree DRAWING NUMBER OATE Page 66 7-17-92
Attachment 2 tO TXX-96390 / Page 67 of 83 Level-I Questicn 8 SEQUENCE #ATCM7 Page 49 ,
T .
TRANSIENT LEADS TO TRIP BREAKERS FAIL TURBINE TRIP OR REOUIRES REACTOR TO OPEN ON FAILURE FOLLOWING TRIP AUTOMATIC SIGNAL ATHS ISRTxNO1A1 I IRT3'000 l lSTUA5TRIPI
- 9' 3 Page 51 T I I
OPERATOR FAILS TO TRIP BREAKERS FAIL AMSAC CIRCUITRY TRIP THE TURBINE TO OPEN ON FAILS TO PROVIDE FROM THE CONTROL AUTOMATIC SIGNAL TURBINE TRIP SIGNAL ROOM AFTER ATHS ON LOW LOW S/G LEVEL I &TUR51 RIP I IRT3'OOO I RESA$SACI O A O TITLE l
Accident Sequence Fault Tree l DATE DRAWING NUMBER f
l Page 67 7-17-92 :
Attachment 2 to TXX-96390 / Page 68 of 83 Leval I Questien 8 SEQUENCE #ATCMB Page 49 TT i I
TRANSIENT LEADS TO CONTROL ROOS FAIL TURBINE TRIP OR REQUIRES REACTOR TO INSERT DUE TO FAILURE FOLLOWING-TRIP MECHANICAL FAILURE ATWS I$RTxx01A1 l lRT4000 l lSTOR$ TRIP l Page 51 Page 67 TITLE Accident Sequence '
Fault Tree-DRAWING NUMBER DATE Page 68 7-17_-92
Attachment 2 to TXX-96390 / Page 69 of 83 Level I Questien 8
$5GXX015 Outputs:
Page 70, Page 72 Page 73. Page 42 Page 47 Page 48 Page 6 Page 6, Page 7 Page 7 Page 37 Page 38, Page 40 Page 41
..h..
E y .~ T .. p ,, p ,,
. . . a .. . . . _ . . . _ . .
.ifLtik .M*d"" a:' s oft l.ctib y ,, p ,, T.; a :-
- y. ,,
.
T TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 69 7-17-92
, , _ . . _ . - . - - o ' ' ~'
Attachment 2 to TXX-96390 / Page 70 of 83 Level I Questicn 8 l
1 Page 69 k" '
TT l l
FAII.URE OF FAILURE TO SECONDARY HEAT ESTABLISH BLEED AND REMOVAL AFTER AN S FEED SIGNAL -
ISILdCA1 I lSSGXXO1S I I SOF $x01 1 Page 33 Page 69 Page 5 l
TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 70 7-17-92
2 e 9 c 7 n 1 ee -
ue E 7
qr T A
D eT S
t tl nu 8 ea R 1 E
n o dF B7 M
i i U t
s e c N G
e Q
u E
c N g I
LA T
Wa A
I l
I T
RP O
e v
e 5 L A 7 C
O e L g F B S ia O 3 P N O I
EO R $
X UN L
I I O S I
A T S I
FC E
J N
' I
" I I
3 8 #
' 3 .
f 3 o e 1 g 7 I a
9 1 P e
g \6 A a C P e I U .
g L
/ a I P S I
0 9
3 6
9 X
X T
o t
2 -
t n -
e m
h c .
a t
t A .
h
_ _. .. . __m. . . . . ,
Attcchment 2.to TXX-96390 / Page 72 of 83 Ley;l I Questicn 8 X
Page 69 I
TT I FAILURE OF FAILURE OF INJECTION ON S8LOCA SECONDARY HEAT REMOVAL AFTER AN S GIGNAL l $1L CA1 l l $$1XXO3 I I$SGXXO1SI Page 33 Page 75 Page 69 TITLE
, Accident Sequence Fault Tree DRAWING NUMBER DATE Page 72 7-17-92
Attachment 2 to TXX-96390 / Page 73 Of 83 Level I Questien 8
\
Page 69 I
TT i 1 I
FAILURE OF TAG INDICATING FAILURE OF INJECTION ON SBLOCA BATTERY OEPLETION SECONDARY HEAT AT 4 HOURS REMOVAL AFTER AN 5 SIGNAL I$1LUCA1 I I $SI$x03 l lEPBAT'TOEPL l l $SGxxOIS I Page 33 Page 75 Page 69 TITLE Accident Sequence Fault Tree ORAWING HUMBER DATE Page 73 7-17-92
2 e 9 c 7 n 1 ee -
ue qr E
T 7 A _
D eT S
t 1
2 tl G
N e nu 8
FR I
i g
a ea R4 E
c n OU OA 1
0 P dF B7 M
i E C x i U RNO t $ N e
I UOL s
e LIO ITM I
S c G Q
I E
c N g I
I J
N L A Wa A
l I
T I
T RP D
e I v 2 e M I L I N
l I
e I
3 2
e g
I a
3 P ,
A C
I d
L I
S I
3 8 "
' ~
f o '
7 4 7 7
N e e
g O g
OHI 1 a a 6 T ST 1 P P 0 *
\ 1 E IALL x
/ e I R BU N g U AC C a L A I TR 0
9 P A SI S 3
6 F EC E I
9 R X
X I T t o M I t I d l I
2 e t I 3
n 2 e e a g h I a
C P
- 3 A
t t C A I d
L I
S I
Attachment 2 to TXX-96390 / Page 75 of 83 Level I Questien 8 SSIxXO3 Outputs:
Page 71 Page 72, Page 73'. Page 46. Page 48 Page 22 Page % Page 49: Page 1 Page IS I I I
- I S'CM 1 1 I e IS'CM2 I I I I I FAILURE TO FAILURE OF ESTABLISH INJECTION ON SSLOCA HECIRCULATION I SILdCA2 I ISRCNx01 1 I SILdCA2 I I SSIEx011 c/
Page 23 Page 77 Page h *t i n ,
FAILURE TO PROVIDE FAILURE TO PROVIDE' HIGH HEAD INJECTION INTERMEDIATE HEAD SAFETY INJECTION ICSG5000I s I SI t'000 I ;
TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 75 7-17-92
- l !
2 e 9 _
c 7 n 1 ee -
ue qr E7 T _
A _
D 9 eT _
7 e
S _
1 g
a t 2
P tl M
C nu .
8 n
w C
e ea R6E c I dF D7 N
i t i U s
e c N G
e _
Q u
E c N g I
I I
V LA W A
a _
l E
C T
I T
RP O _
e I .
v 7 _
e 7 L
e g
1 a 1
P _
M
, C .
v C .
e i 1
A 9 1
C O e _
t g _
F 8 I a OL 2 P _
E ON 0 x
I I R 5 2
U L N I
I O S _
- A T I S _
3
' FC I _
E _
8 I J N .
f_ I o l 2 -
6 H I 7 s C 6 L I e
g i 1 X e
a e I P g a -
/ P A C
0 O 9 L I 3 E 6 V L 9 I I
E
- S S X S I X E T I C
X L
o I 5 E t 9 1
2 t
n e
a h
C c
t t A A C 1 O L I 1
M E L V k L I K S S
- S I I E C
X E
AttaChaent 2 to TXX-96390 / Page 77 of 83 Level I Question 8
$RCXX01 Outputs:
Page 74 Page 75. Page 69. Page 69 Page 20 Page 42. Page 22 Page 3 Page 6 Page 7 Page 8 Page 37 Page 37 Page 9. Page 10 Page St. Page 12. Page 13 Page 14 Page.15. Page 17 Page 76 T .
LOSS OF CONOENSER FAILURE TO FAILURE TO VACUUM INITIATING ESTABLISH SECONDARY ESTABLISH EVENT FREOUENCY SYSTEM HEAT REMOVAL RECIRCULATION PRIOR TO AN S SIGNAL SCv i SSGXx01 I I $RCx xO f I p,
Page List S
I I SYSTEM FAILURES OPERATOR FAILS TO
> LEAD TO FAILUPE OF REALIGN CCPS. SIPS.
l RECIRC. AND RHPS TO RECIRC.
(HOT OR COLO)
. I 5ACx'x01 A I IERCxx01I Page 78 i
l i
i TITLE l
Accident Sequence Fault' Tree l
DRAWING NUMBER DATE l
l Page 77 7-17-92
Attachment 2 t0 TXX-96390 / Page 78 of 83 Level I Quasticn 8 l
l SYSTEM FAILURES LEAD TO FAILURE OF RECIRC.
Page 77 I
TT I FAILURE TO FAILURE TO OPERATORS FAIL TO ESTABLISH HIGH HEAD ESTABLISH EXTENO INJECTION RECIRCULATION INTERMEDIATE HEAD AFTER FAILURE OF RECIRCULATION RECIRC. CAPABILITY ISACEx02I I SACEx03 I IECA l t .1 i LOSS OF HIGH FAILURE TO PROYIDE PRESSURE COLO LEG INTERMEDIATE COLO RECIRCULATION LEG RECIRC.
ICSGEOOOI . ISI2OOO I b b TITLE
. Accident Sequence Fault Tree DRAWING NUMBER DATE Page 78 7-17 _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ - _ _ _ - _ ._ _ . . - .-
Attichment 2 to TXX-96390 / Page 79 Of 83 1.cv01 I Questien 8
\
Page 76 l
TT l LOSS OF CONOENSER FAILURE TO FAILURE TO VACUUN INITIATING ESTABLISH SECONDARY ESTABLISH BLEEO AND EVENT FREQUENCY SYSTEM HEAT REMOVAL FEEO PRIOR TO AN S SIGNAL
- 2dv iSSGEx01 l l$8Fkx01 1 Page 4 Page 5 5
TITLE
~
, Accident Sequence.
Fault Tree ORAWING MUMBER OATE Page 79 7-17-92
. . . -- .- - - . . - . . - - . . - - --. - _-.- -- . - - . - ---. .~..~_-~ - . . -. .
Attachment 2 to TXX-96390 / Page 80 of 83 ' Level I Question 8 Gate / Event Name Pane Zone ' Gate / Event Name Pace Lamt Gate / Event Name Paae Zone Gate / Event N===
CACM1 18 WIVSCMS 69 Etat Zone 3 2
_#X4CM1 12 $ILOCA1 72
- ACM2 18 #IVSCMS 72 #X4CH2 12' SILOCA1 73 GATCMi- 49 #IVSCM6 69 #X5CM1 13- SILOCA2 '23 CATCM1: 50 #IVSCM6 73 #X5CM2 13 $ILOCA2 RM5 OATCM2 49 #MCM1 20~ #X6CM1- 14 $ILOCA2 75
- ATCM2 54 #MCH2 20 #X6CM2 14- $ILOCA3 23
- ATCM3 49 .#RCM1 42 #X7CM1 15 $1LOCA3 74
- ATCM3 55 #RCM2 42 #X7CM2 15 $1LOCA3 74
- ATCM4 49 #RCM3 42 #X8CM1 .1 '7 $LRCX01 18
- ATCM4 64 #RCM3 47 #X8CM2 17 SLTS80RON 50
- ATCM6 49 #RCM5 42 $8FXX01 3 SLTS80RON 65
- ATCM6 66- #RCMS 48 $8FXX01 5 SLTSRAPIO 50
- ATCM7 49 #SCM1 22 $8FXX01 6 SLTSS 50
- ATCM7- 67 #SCM2 22 $8FXX01 7 $LTSS 53
- ATCMG 49 #TICM1 3 $8FXX01 8' $NLXXO2 26
- ATCM8 68 #TICM2 3 $8FXX01 9 $NLXXO3 30
- CVCM1 76 '#T3CM1 6 $8FXX01 10 $NLXXO3A 30 .
- CVCM1 77 #T3CM2 6 $8FXX01 11 $NLXXO4 23 '
- CVCM2 76 #T4CM1 7 $8FXX01 12 $NLXXO4 23 CCVCM2 79 #T4CM2 7 $8FXX01 13 $NLXXO4 25 OIMCM1 74 #T6CMI 8 $8FXX01 14 $NLXXO4 33
- IMCM2 74 #TSCM2 8 $8FXX01 15 $NLXXO4 33'
- INO1 33 #VSCM1 37 $8FXXO2 17 $NLXXOS 26
- INO2 23 #VSCM2 37 $8FXX01 38. $NLXXOB 26 OINO3 33 #VSCM3 37 $8FXX01 70 $NLXXOB 27
- INO4 23 #VSCM3 38 SBFXX01 79 $NLXX08 31
- 1N05 23 #VSCM4 37 $8FXX02 5 $NLXXOSX. 27 '
- IN05 26 #VSCM4 39 $CF100 54 $NLXXOBX 28 OINOS 23 #VSCMS 37 $CF100 55 $NLXXO9 30 OIN06 30 #VSCM5 40 $CF100 65 $NLXXO9 31
- ISCM1 75 #VSCMS 37 $CF100 66 $NLXX10 25 OISCH2 75 #VSCM6 41 $HNLOCA02 47 $NLXX11 25 l #IVSCM1 69 #X1CM1 -
9 $ILOCA1 23 $NLXX12 25 l GIVSCM2 69 #X1CM2 9 $ILOCA1 33 $NLXX12 35
- IVSCM3 69 #X2CM1 10 $ILOCA1 69 $NLXX13 25 i
- IVSCM3 70 #X2CH2 10 $ILOCA1 69 $NLXX14 25
- IVSCM4 69 #X3CM1 11 $ILOCA1 70 $NLXX14 36
- IVSCM4' 71 #X3CM2 11 $1LOCA1 71 $NLXX16' 30
. i
~
TITLE Accident Sequence l
- Fault Tree ,
ORAMING NUMBER DATE Page 80 '7-17-92 l
i
l Attachment 2 to TXX-96390 / Page 81 of 83 Level I Questien 8 Gate / Event Name Pace Zone Gate / Event Name Pace Zone Gate / Event Name Pace Innt Gate / Event Name Pane Zone SNLXX16 32 SRSIXO1A 29 $SFLARGE1 23 $SGXX01 33 j $NLXX17 27 $ATXX01A1 50 SSFLARGE2 33 SSGXX01 77 i $NLXX17A 27 $RTXX01A1 51 $SFSMALL1 33 '5SGXX01 79 l $NONLOCAINIT 23 $RTXX01A1 54 SSFSMALL2 23 $SGXXOSS 6
$NONLOCAINIT' 23 $RTXXO!A1 55 $5GTRO1 42 $5GXXO1S 6
$NONLOCAINIT 24 $R7Xx01A1 64 $SGTRO1A 42 $5GXXO1S 7
$NONLOCAINIT 26 $RTXX01A1 65 $SGTR01A 43 $SGXXOSS 7
$NONLOCAINIT 30 $RTXX01A1 66 $SGTR01 EQUIP 43 $5GXXOSS 37-
$NONLOCAINIT 33 $RTXX01A1 67 $SGTR02 46 $5GXX01S 38
$NONLOCAINIT. 33 $RTXX01A1 68 $SGTRCOPE 43 SSGXX01S 40
$NONLOCAINTA 24 $RTXX01A1A 51 $5GTREQUIP 43 $SGXXOSS 41
$NONLOCAINTA 34 $RTXX01A1A 52 SSGTRPRZ 43 $5GXXO1S 42
$RCXX01 3 $RTXX01A2 50 $SGTRPRZ 45 $SGXXO1S 47
$RCXX01 6 $RTXX01A2 54 $SGTRPRZ 46 $SGXXOSS 48-SRCXXOi 7 $RTXX01A2 55 $SGTRSTM 43 $SGXXOSS 69
$RCXX01 8 $RTXXO6 55 SSGTRSTM 46 $5GXX01S 70 SRCXX01 9 $RTXXOS 56 $SGTRSTM1 43 $5GXXO1S 72
$RCXX01 10 $RTXXO7 56 $SGTRSTM1 44 $SGXXO1S 73 SRCXXO1 11 $RTXXOB 56 $SGXX01 3 $SIXX01 20 SRCXX01 12 $RTXXO9 56 $SGXX01 3 $SIXX01 21
$RCXX01 13 $RTXXO9A 56 SSGXX01 4 $SIXX01 74
$RCXX01 14 $RTXXO9A 57 $SGXX01 8 $SIXX01A 21
$RCXX01 15 $RTXXO98 56 $SGXX01 8 SSIXXO2 18
$RCXXOi 17 $RTXXO98 58 $SGXX01 9 $SIXX02 19
$RCXX01 20 $RTXXO9C 56 $SGXX01 9 $SIXX02 76
$RCXX01 22 $RTXXO9C 59 $SGXX01 10 SSIXXO2A 19
$RCXXOi 37 $RTXX20 56 $5GXX01 10 $SIXXO3 22
$ACXX01 37 $RTXX20 60 SSGXX01 11- $5IXXO3 39
$RCXX01 42 $RTXX21 60 $5GXX01 11 SSIXXO3 40
$RCXXOi 69 SRTXX21A 60 SSGXX01 12 $SIXXO3 41
$RCXX01 69 SRTXX21A1 60 $SGXX01 12 $SIXX03 46
$RCXX01 74 $RTXX21A1 61 SSGXX01 13 $5IXXO3 48 SRCXX01 75 $RTXX21A2 60 $SGXX01 13 $51XXO3 71 SRCXXOi 77 $RTXX21A2 '
62 $SGXX01 14 $SIXX03- 72 CRCXXO1A 77 $RTXX218 60 SSGXX01 14 $SIXXO3 73 SRCXXO1A 17 8 $RTXX2181 60 SSGXX01 15 $SIXXO3 75 SRCXXO2 78 SRTXX2181 63 $SGXX01 15 STURBTRIP 67
$RCXXO3 78 $RTXX2181A 63 $SGXX01 17 STURBTRIP 68
$RSIX01 27 $RTXX21B1B 63 SSGXX01 17 XA 18 SRSIX01 29 $RTXX21B1C 63 $SGXX01 23 XA 18 TITLE Accident Sequence Fault Tree DRAWING HUMBER DATE Page 81 7-17-92
Attachment 2 to TXX-96390 / Pcge 82 of 83 Level I Question 8 Gate / Event Name Page Zone Gate / Event Name Paae Zone Gate / Event Name Page Zang. Gate / Event NaMC_ Pace Znnt.
XCV 27 %VS 38 XX8 17 ST3 2
%CV 34 %VS 39 XX8 17 ST3 6 XCV 52 %VS 40 XX8 27 ST4 2 XCV 77 XVS 41 XX8 34 DT4 7
%CV 79 %VS 51 XX8 52 ST6 2 XM 20 %X1 9 XXL 76 DT6 8 XM 20 %X1 9 XXL 76 GTOP 1 XM 51 %X1 24 GBFXXINITNY 5 GTOP 2 XR 42 XX1 28 EBFXXINITNY 47 OTOP1 2 XR 42 XX1 52 ELTS 50 DTDP 1 16
%R 46 XX2 10 GMRI 56 OTOP2 16 XR 47 %X2 10 GMRI 60 GTOP2 76 XR 48 %X2 24 ERCXX01 77 OVS 16 XR 51 %X2 28 SRSIXENDSINY 29 GVS 37 XS 22 %X2 51 GRTXX01A2 50 eX1 2
%S 22 %X3 11 ESGTRO1 42 @X1 9
%S 51 %X3 11 GSGTR02 46 @X2 2 XT1 3 %X3 24 GSGTR03 43 9X2 10 XT1 3 %X3 27 GTUR8 TRIP 67 eX3 2 24 %X3 51 9A 16 CX3 11
%T1 28 %X4 12 @A 18 @X4 2 XT1
%T1 51 %X4 12 @AT 16 dX4 12 XT3 6 %X4 24 @AT 49 @XS 2 XT3 6 XX4 28 @CV 76 @XS 13 24 %X4 51 @IM 16 @XS 2
%T3 XT3 29 %XS 13 @IM 74 @X6 14 51 %XS 13 @ INDUCED 16 @X7 2
%T3 XT4 7 %XS 24 @ INDUCED 23 @X7 15 XT4 7 XX5 28 @IS 16 @X8 16 XT4 24 %XS 52 @IS 75 @X8 17
%T4 29 %XS 14 @IVS 16 @XL 76 51 %XS 14 @IVS 69 AF1000 4
%T4 XT6 8 %XS 24 @M 16 AF1000 69 XTS 8 %XS 28 @M 20 AF4000 56
%T6 24 %X6
~
52 @R 16 AF4000 56 XTS 27 %X7 15 @R 42 AF6000 60
%T6 51 %X7 15 @S 16 AF6000 66
%TS 54 %X7 24 @S 22 CC3000 25 XVS 37 %X7 28 @T1 2 CFG300 54 XVS 37 XX7 52 @T1 3 CSG1 25 TITLE Accident Sequence Fault Tree DRAWING NUMBER DATE Page 82 7-17-92
Attachment 2 to TXX-96390 / Page 83 of 83 Level I Questicn 8 Gate / Event Name Edge Zone Gate / Event Name Paae Zone Sate / Event Name Paae Zone Gate / Event Nama Pane InGL CSG10 25 RC7000 63 CSG1C00' 5 RCB100 25-CSG1C00 19 RC8200' 35 CSGSC00 21 RCO300 25 CSG1C00 53 RC8400 36 CSG1000 75- RHG1 19 CSG20 35 RHG100 18 CSG2000 78 RHG201 18 CSG30 25 RHG300 43 CSG40 36 RT1000 50 CSG4000 50 RT2000 50 CTG 1 1 RT2000 54 CZ1000 1 RT3000 50 ECA- 43 RT3000 54 ECA - 78 RT3000 55 EP8ATIDEPL 41 RT3000 67 EP8ATTDEPL 73 RT3000 67 ESAMSAC 67 RT4000 64 MSGU25 43 RT4000 65 MSG 025 46 RT4000 66 MSG 035 44 RT4000 68 MSG 075 27 sis 000 5 MSGO75 43- sit 000 19 MSG 300 27 sit 000 21 MSG 300 44 SIl000 75 RC1000 31 SI2000 78 RC1000 56 S15000 19 RC1000 59 SIS 000 P1 RC1000 62 TOPS 1 RC1000 63 UET10 63 RC2000 .5 UET11 53 RC2000 47 UET12 63 RC3000 26 UET3 56 1 RC4000 32 UETS '
61 RC4500 56 UET6 52 RC5000 32 UET7 57 RC6000 45 UET8 58 RC7000 45 UET9 59 RC7000 58 RC7030 61 TITLE Accident Sequence Fault Tree DRAWING NUMBER _ DATE Page 83 7-17-92 j,
. . . _-. - - . ..J
Attachment 3 to TXX-96390 LGvel I Qu2stion 15 Page 1 of 2 RCP SEAL FIRST STAGE FIRST STAGE SECOND STAGE SECOND STAGE LEAK RATE PATH LOCA MODEL SEAL RING O-RING SEAL RING O-RING I
1-12(t) 21 gun 1 .704 1 gun 2 .037 1-11(t) 12(t) = .05 ( A) 2.00E-01 182 gun 3 .185 1-f3(t) 61 gun 4 .037 l
gun 5 .002 -
gig,3 83(t) = .05 ( A) 2.00E-01 250 gun 6 .010 76 gun 7 .019 1-ti(t) 2.50E-02 9Pm 8 .001 81(l) = .05 ( A) 2.00E-01 480 gpm 9 .005 1-1bUKt; A Event tree used by all 3 NUREG-1150 experts to determine the probabilities of different leak rates for a single reactor coolant pump. The time independent branch fractions arc those for NUREG-1150 expert A. The time dependent fractions are this work's judgements for: (A) early core melt hence short period without sea'l cooling.
_. . . __ ..__ . . ._. . . . . _ _ _ . _ _ _ . _ .-_.. . . . ._ - . ~ ._ _ _ . _ _. __ . .. ._ _ __ _ -. __ _ ._. _ _ _ _ _
Attachment 3 to TXX-96390 Level I Question 15 ,
.Page 2 of 2 RCP SEAL FIRST STAGE FIRST STAGE SECOND STAGE SECOND STAGE LEAK RATE PATH LOCA MODEL SEAL RING O-RING SEAL RING O-RING 21 p m 1 .070 1-12(t) 1 pm 2 .164 i.,j g,3 12(t) = .7 (B) 2 00E-01 182 gpm 3' .059 61 ym 4 .164 1-f3(t) p 5 .382 tigij 83(') = .7 (B) f 2.00E-01 250 p m 8 .137 i
76 p m 7 .006 -!
1-11(t) i 2m2 250 p m 8 .014 IIII) = .7 (B) 2.00E-01 480 p m 9 .005 l I
FIGURE B
~
Event tree used by all 3 NUREG-1150 experts to determine the probabilities of different leak rates for a single reactor coolant pump. The time independent branch fractions are those for NUREG-1150 expert A. The time dependent fractions are this work's judgements for: (B) long period without seal cooling.
I 1
1 Attachment 4 to TXX 96390 Figure HRA 01 1 SCREENING Page 1 of 1 ANALYSIS o Type A o Type CP 1
m '
TYPE A TYPE CP o Generic Esthnates o Decision Trees l l
3 Generic Estimates Decision Trees NUREG/CR-1278 o Pre-defined Tree,
& 4772 T&M o Pre-denned Tree, ;
Calibration i o Generated Tree Pre-defined Tree Pre-defined Tree Generated o Test & Maint. o Calibration o Test & Maint.
o Calibration o Fixed Probabilities o Fixed Probabilities Not Developed Further i
o Scaled Probabilities o Scaled Probabilities The double boxes cover the NRC sponsored methods. These are not available in this version.of the Calculator (see Section 3).
A-3
. _ .. . ...m__ - . . _ _ _ . . . . _ . =. _ ~ .. _ . . _ ._ . . . _ . _ _ __ . . _ _. _ . _ . _ . _ . _ _ _ .
i Attachment 5 to TXX-96390 Figure HRA-07-1 Page 1 of 4 ;
e 1
NO AFWFRObs TDAFW SEGAENT C3
-- 7 ]_.. .
AF1200
, 1
~k _ _ r ~-~.r.~ ZZZ ~ _ _
- T_:71'.i 'TT_."'-'_ -._t. . _ . _ _ _
FAILURE OF TDN NO STEAas TO TUR9 WEE NO MW FROM SEGtdENT TDAFW FAILS TDAFW UNAVAdLASLE CCF TDWWP STEAAA GNEN OVERFILL OF SGe 1 DfuWEN PubEP C2 DUE TO . ADadtS$80N VALVES TO OR4 TESTAAMNTENANCE OPEN 1-g
...y 3____ ___ _, _
[sifoi] f4 2= 1 [a,ri22_a] --- - - z 3secca 3 3)~~ iArseGcaml (usvaccrec2]
6 A A [u_& O O a
b
- ,, .~ m , ., - - - - - - - - - _ - - - _ _ . - . - - - . - -
.. ~ . -
1 Attachment 5 to TXX-96390 Figure HRA-Q7 : Page 2 of 4 I.
FAKUftE OF 1DAFVF GNEN FWEftFEL OF SGs t Oft 4 1
{AF1201]
- =. - ..
PftORAetITY TDAFVuP TDAFVF F AES DUE TO FAILS TO OPEftATE ON SG OWERFLE OF OWEftFEL GENEftATORS SUPPLY 98G STEAM TO fahDaFwPseH l {[_FT l O LV 0
l t ,
_ . . _ _ _ _ _ . . _m.-_- _.__.-.__...m._- - _ - - -. _m ___ . - - - _ _ - - - - - - - - - _-.- -- - - - - - ~ ~ -'~-- -- - - - ' * - - ' - ~ - - ~ - ' ' ' " + ~ " " - " * - - - * - - "'
. to TXX-%390 Figure HRA-Q7-1 Page 3 of 4 NO STEAM TO TURINNE DRNEM PUMP 1.-
s ,2 3, FAILURE OF SOTH STEAM b 3====-
LOSS OF MAIN STEAM
==_=.e.
SOTH TDAFVuP STEAM SUPPLIES FOLLONNG A STEAM A0h*tSSOs t reES LDIE BREAK UPMVAILABLE OUE TO LATENT HUMAN ERROR
- - - ^ - ' ' --
I * $23=l I~ M * '~
5TE
("O (*.cM)WPMdl +" Example Of a t:- -
f'] < _ _ _ _ _ .__ .2.
n- i
( common cause human error
=O Sam rRoM STEM =O Sirm FROu STEM LOSS Or M su= Oue M m STE m isOtAT o. [AFCTDAFWPNX]
OEMERATOR91 GENERATOR M TO A STEAM tree BREAK , VALVES F AIL TO CLOSE EWNT ON DEMAND
.u T r_ , -- 1 - -~
[M1231] (rt .)
AF1232 l _ . _1AFSTEAMLOSSJ [MSGQ25 l A ] g -- }/}-
O I
h.
' t 4
4
__ -- _ _ _ _ _ _ _ _ . _ _ _ . _ _ _ _ - __ .- _ _ . . _ _ . - _ _ _____m >. - -- .i. - e w - * - v- - e- + -em 4-.
Attachment 5 to TXX-96390 9 Page 4 of 4 NO STEAas froes STEAAA GEteERATOR #1 I Ait23i)
/^
L
., 1r ,
TDMw STEAAA SUPPLY SAdLURE TOSAAmeTAme
, i FROts SG et useAVAdLASLE TDMW STEAte SUPPLY LOSS OF TDMW TRApe A STEAto GEedE8tATOM s1 FROas SG 81 F AstS NO MW FtOW TO STEAnd l DUE TO START $aGeeALS .
PRESSURE GENERATORet (FROas TESTaendNTEteAfeCE
. . _ . g _,F _ _ -
TDP)
I . TI '
(MSEGCOTR8]
.'[^TTt00G000]' 1 h0EGCS.1l lMSTARTTDA l
[ AF1234 l
< . - .= =r__-- -
- c-- --
= .r- n ,
temfeUAL VALVE 1483-13F taANUAL VALVE 140$-128 ,
FAILS TO OPEN Oss PLUGOED TDMW STEAas SUPPLY PNEURAAraC VALVE PLUGGEO McEURAATC VALVE i DEtense LWeE FROne SG4 1+fV-2452-2 TRANSFER $
peADVERTEtsTLY t +fV 2452 2 F AR.S TO !
CLOSED OPEN ON DEt4AND y ,
,g-_---_---i I oesmaLED {
3 - -
_; y 7 l l AFCVCatS142Neg l _. _y -
l M...CVJEhe$t_3FFN ] l A_FCVuesS120FN l l MCVA24522NX l g
l MCVA24S22Fi4 l l MCVA24522NN f
t Example of an independent human error
[AFCVA24522NX]
b L____ _ .____x_ .--- -a-----~" - = - ' " ' - ' - ~ ' ' ' ' ~ ~ ^ ^ ^ ' ' _ __ _ _ _ _- - - - - - - - - - -
Attachment 6 to TXX 96390 Figure HRA 09-1 Page 1 of 1 2
J 4
TYPE C o Procedure-driven (Type CP) o Recoveries (Type CR) l 1mmmmmmmu
, TYPE CP TYPE CR o Cognitive response (P )
e o Manipulative response (%)
j o Combine P & P
' E 6
- COGNITIVE MANIPULATIVE
' MANIPULATIVE RESPONSE (Pc ) RESPONSE (PE )
RESPONSE (PE )
! e Time Reliability Curves I
(11me Cdtical HIs) o NP 6560L o hTREG/CR-1278
~
o Decision trees o Expertjudgement & 4712 (THERP) e ExpertJudgement o NUREG/CR-3309 o
- 4 5 1
i a
A-5
. . -. ... . _ . . . -. . . .. . . - _ . . . . - - . .. . . . . . . . .u .- . - . - . - . ... . ..- .. . -... .
f M
Attachment 7 to TXX %390 Figure HRA-Q13-l' Page 1 of.1 !
peCR fransit by access Control fransit by Inspection Discuss State Perfore .
Crew - munitiary - - aualtiary -- of Eosignment - with seca crew - action Diagnosis Operator Operator and confirm Card /Rediologicet actices c !
e s
~p o
.- - . ,-. ~, , , . . - - . . . . , , . . .._s . ~ . . , - -, , .
SBO: TDAFW CONTROLS FAIL AT TIME O SG OVERFILLS THEN TDAFW FAILS Ek 1.7E+07 -''''l l 'd"""
Ek M7 1.5E+07< {_aP e cos- Pgessuns en me Paww sysrEM - -
- Paassune in Ba.oxe4 Loo r steun Eme,urre(
~
ol r*
1.3E+07 p D PUS Ressues 14 un-eeoxsw tooP steam - cn 1.1E+07 --
- o P -
A 9.0E+06 :- _ _
y N C h
~
~
Z 7.OE+06 _
e 2 g; 5.0E+06 F _
_ e 2
3.0E+06 F -
1.0E+06 F, , , , , , , , , l , , , , , , , , , l , , , , , , , , ,4 0.0 1.0E+04 2.0E+04 3.0E+04 Time in S 1.8E+01 i i i i i i i i_
_ i
, , , , i i i l
i i i i i i e i I
e gt= """"
1.6E+01 oZ - Da>dcomE* WE' '" WE BKo KEM Loo P STtAM 6CNER4TUA.
A US DowMComcR LEJEL IM U M - B R.0 K EM Leo P Srt A m GENEttixD A.s T 1.4E+01 --
7 1.2E+01 --
C H 1.0E+01 <- _
l 8.0E+00 --
C 6.0E+00 -
C 4.OE+00 - -
2.OE+00 i 2 0.0E+00 ' ' ' ' ' ' ' ' ' ' ' ' ' 0 ':. ' ' b .:. ' ' ' 2 ' ' ch ' ' 3. k*
0.0 1.OE+04 2.0E+04 3.0E+04 x me M S SAIC MAAP PLOT 1.0 Page 1 of 2 o" Data File: CHRIS).41 , ,
Plotted: 5/01/92 13: 43
- lion: 5/0t/92 12:58
i Attachment 9 to TXX-96390 Table HRA-015-1 i Pa9e 1 of 2
SUMMARY
OF MAAP BASELINE CALCULATIONS FOR TRANSIENT INITIATORS (A. CASES WITH NO FEEDWATER)
I Seer Assummen Een Cass Meat DJssi Bw3T Camisseneses Unsowww Fedess Desisted faham Cels. Segmence Teses M TimmeSw) Tune Ger) Tuse M Time M label E , No. Tiens (br) i Pure IBGr VF71 IRCSPnel lRCSPnel NO FW, MO R8R, i PORY G 20 mia,4 ACC,2 CCP,2 S.lt 6.33 7.78 TRAN01 38P,2 CSP, hiest het Feil e Resist, RCP erip G uncovery 2 (Yeel 18745 penal 6.67 ll02 peiel 5.38 32.03 NO FW NO R8R. I FORV G 20 esia,4 ACC,2 CCP.O Never 16.01 18.39 TRAN02 Sr. O CSP, hiest but Fail e Racise, RCP esip e t=0 0 [Nol 1500 peial 19.94 [145 panel 13.75 38.41 l NO FW. NO RIR. I FORV e Uncovery,4 ACC,2 CCP, Never 17.36 19.85 TRANO3 0 SIP, O CSP. hiscs but Feil e Racist, RCP arip G t=0 0 lNol 1544 panel 18.06 (1991 15 09 39 63 i
TRAN04 NO FW, MO RIR, FORV Esiis to eyes,4 ACC,2 CCP,0 Never 1.77 3.00 (PDS 3H) SIP, O CSP, hiest stor VF & Feil G Recisc, RCP erip g t=0 0 INot (2250 panel 2.36 12250 paial 15.22 44 22 Samme se TRAN03 eacept am $1 sigent accure.1 bis is achieved Never N/A N/A N/A N/A N/A TRAN05 by W she seems duoupe langer en lower RCS m 0 [Not Samus as TRA'805 eacept 2 Se eso else elle=ed so ispect but Never N/A N/A N/A N/A N/A ,
TRAN06 ese shes eN whom the FORV is opened 0 lNel !
1RAN07 MO FW, MO RIsl. FORY Seits se apen,4 ACC,2 CCF,0 3.06 E.77 3.06 ,
(FD5 380 Sr. 2 CSP. huest ease VF & Feil e Resisc. RCP erir G e=0 2 INol 12250 peial 2.28 12250peiel 3 61- 41.39 NO FW, MO Rim, FORV tmite no spee,4 ACC 2 CCF,0 3.06 1.77 3.06 TRANOS 38P,2 CSP himes eher VF & Feil e Reuisc (The 2 CSP 2 2.28 3 64 NEVER (FDs 3F) awashower-- " , in shie ceae), RCP seig G t=0. lNel 12250 paial 12250 paial l
- 1. Tseasemens savolveeg Seal IDCA etless shoe 60 GFM/FMP meassenen RCS peesame above 2000 pois proclading St ispection.Treasseems wish anel LOCA grenser then 60 GPM/FMP are ceasedesed $seell
)
Rseek EDCA (Seceise 1). Seal IDCA ch ese r ' ' wids Semeien RIsckout Andysee (Secessa 4)
- 2. I FORV anemael acessenen sedeces RCS yasemese showing =paes a= This sures en spreye before weasel breech wish med wahaut fee cooler acmassion. i
_ _ - _ - _ - - _-_ _ _ _ _ _ _ - _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ - - _ _ _ - - - _. - - _ _ _ _ -_____ . _ _ . _ _ _ _ _ _ _ _ _ - . _ _ _ = .
Attachment 9 to TXX-96390 Table HRA-015-1 Page 2 of 2
SUMMARY
OF MAAP BASELINE CALCULATIONS FOR TRANSIENT INITIATORS (B. CASES WITH 4 HOURS OF TURBINE DRIVEN AUXILIARY FEEDWATER) l Sorny Anueues CoIS Core Meh Veeent M Connessansas Uncoverv Feehsrc Deelsted Fashine
= -:=-
Label Descripeson No. Time (hr) i . Pmpe lefr VF7l lRCS Pres] (RCS Pres l 4 HRS TDAFW, MO RHR. I PORV e Uncovery. 4 ACC. 2 CCP. Never 0 SIP,0 CSP,14ect bus Feil e Recies. RCP trip G t=0. RCS 23.33 26.11 TRANil resenwe rose.ame high and these is no Si mesil peeluesmery uncovery 0 [Nol 24.44 20 83 58.94 occare as 7 bouwe when the PORV is opened 1508 pees) ll10 pesej 4 HRS TDAFW, NO RHR. I PORV e Uncovery 4 ACC 2 CCP, Never GT 42 TRAN12 0 SIP O CSP,Impct haea Fail e Recirc, RCP ene c =0. Saeem lLT 200 Not Nos Nos dusupe used to lower RCS pressure end obsein SI before uncovery. 0 [Not ps.el Evehsened Evenumeed 36.94 Evehested 4 HRS TDAFW, NO RHR. I PORV e Uncovery.4 ACC,2 CCP, Never GT 42 TRAN t3 0 SIP, O CSP. Isvect but Feil e Recirc. RCP mas tripped. Psamuruer lLT 200 Not Not Nos spreys used to lower RCS preseme to chemia $1 beinse uncovery. 0 lNol poesl Evehsened Eval =a d 40.55 Evaluesed TRAN14 4 HRS TDAFW, I PORV e Uncovery,4 ACC,2 CCP,2 RHR. O Never 19.44 21.67 SIP, O CSP. Isect but Feil e Recisc, RCP trip g t=0. O INol (508 paial 20 1110paal 16.67 53 6:
4 HRS TDAFW, NO RHR, PORV fails to opea. 4 ACC. 2 CCP,0 Never 7.75 9.86 TRAN15 SIP,0 CSP, Ispact hua Feil e Recies, RCP trip 8 t=0. RCS (PDS 4H) poemesse ressesas high and there is no Si maail eAer the vessel fails. O INol 12250 panel 8.75 12250 peial 22.22 62.5 TRANI6 Same as TRANI6 except 2 CSP issect om deemmed but fait es 9.86 7.75 9 86 (PDS 4E) owischover to recirculeason mode. 2 lNel 12250 peial 8.75 12250 paial 10.27 54.16 TRANI7 Some as TRANI7 escape the CSP iesect and ecy meccessently 9.86 7.75 9 86 (PDS 4F) ownched to socirculssian anode. 2 lNol 12250 peial 8.75 12250 poel 10.27 Never
- 1. Treasisese involving Seal IDCA of less thea 60 GPM/FMP anaissain RCS preneure above 2000 peig prectuoing Si injection. Trenesenne =mh seal LOCA greater shen 60 GPM/PMP era conendered Saisit Break IDCA (Section 1). Seal LOCA calcieletioen ese perfonned with Samtion Blackout Analysee (Section 4)
- 2. I PORV senesel acasetion reduces RCS pressure allowing injection. This auras on spreye before veneel breech wah and without fan cooler acaustion.
^
9 Attachment 10 to TXX-96390 Table HRA-Q15-2 Page 1 of 2
SUMMARY
OF MAAP CALCULATIONS FOR REPRESENTATIVE SEQUENCES CONTAINMENT Core M Vessel FhvsT Contommen Cak:. Uncovery Meg Feelure Depleted I Label Sequence Tme (hr) Tune (tv) Tsme thr) Fedure
[PDS) Desorpeson Time (hr) Time (hr)
FR h@
Mode W. Psa [ CS [RCS Pres)
Pres]
SB021 SBO,250 GPM/PMP assi LOCA,4 hrs TDAFW NO ECCS. 2.70 3.71
[1H] Late, nonamdens40e induced (OCI), overpressure fadure. L 21.7 (1100 psa) 32 [796 psa] N/A 38.54 S8022 Same as S0021 except a bum was formd to yield 21.7 2.70 3 71
[1H) contenment fedure by rupeure tenhor then leshage. L [1100 psa) 32 [798 psa) N/A 29.1 S8031 SOO,60 GPM/PMP seel LOCA, NO AFW, ECCS recovers 29.0 1.06 2.55 RECRC
[3SBO] but vessel fads. HPME fads contamment with spreys on. R [2300 psa] 2.08 [2300] OK 2.55 SBO41 Some as SBO31 but spreys are faded to yield unscrubbed 29 0 1.66 2.55 RECRC
[3S80) release. R [2300 psia) 2.06 - [2300 psa] OK 2.55 2CB Saeem Generator Tube Rupture, ECCS injects, operators BY- 16.76 18 60 (2C81) fad to stop break flow by depressurization, SG owefdis, SG PASS 14.7 [2100 psa] 17.78 [800 psia) 10 15 16.76 safety sticks open. (L) vi V Sequence smuseason.10" CL LBLOCA, no pumped BY- NO
[1CB) ECCS,4 Accumulators PASS N/A 0.04 0.5 0.83 ECCS 0.
(R) t I
1 1__-_-_-___---_---________-______-___________-_-___---.
- - _ = _ _ _ - _ - - - .-. . _ _ _ _ _ _ - - _ - - _ _ _ _ _ _ -
i l Attachment 10 to TXX-96390 Table HRA-Q15 !
l Page 2 of 2 l
SUMMARY
OF MAAP CALCULATIONS FOR REPRESENTATIVE SEOUENCES l
Colc.
CONTA8NhENT ggs Cgg vesee RWST Cortsnmen Uricowery Msg Femure Depleted
! Label %irym [
Time (hr) Tsme (hr) Time (hr) Fedure
[PDS] Descrtpean ,
p,,,_ g Time (tv) Time (hr)
I I -[
Mode VF,Pse P'**I Presi i
SB2H4 AFW, O FtR,4 ACC,1 CCP, O SIP O CSP, inject but Fed 24.08 262 I [2H] @ Rococ, inte stemvWnduced overpsecoure feiksre. R 83.42 (1100 psse] 25.6 [435 psse] 21.46 38.1 SB2PE Same as SB2H4. Model Peremeters modmed to yield 127 t 25.27 30.46-
[2H] sontenment toitwo et W thse to HPRE. R [1100 psse] 26.4 [1100 psie] 21.71 30.46 TRAN21 NO FW.1 PORV @ 20 min for F88,4 ACC,1 CCP, 94 3 21158 23.78
[4H] O SIP, O CSP. O f46, Feil 9 Racerc,21 GPM/PMP. L [2300 pse] 2222 [2300) 18S4 29112 less steam-enduced overpreamse failuse. ,
TRAN22 Some es 1RAN21. unne=1 Parameters moddied to yee4d 943 21Ai8 23.78
[4H] contenment feiture et VF due to HPME. L [2300 pase] 22.22 [2300 psie] 18 S4 2316 VSB4F1 21 GPM/PMP seel LOCA. OCCP,2RPE,2 SIP, ALL AFW.
[4F] 2 CSP.Coe melt from CST dryout not lesi of SIP N/A Never N/A N/A N/A N/A N/A penetratiorarw=== attene modified bened on 1has runJShours wrapaaaed= HPME & Bl.RN feiture w/o (X:t N spreys on.
r VSB3F1 21 GPM/PMP seal LOCA. ALL ECCS & AFW FAE 2 CSP.
' 26 1E3 2.05 2.53 NO OVER
[3F] Non raal= hie debrie Confeguration. N/A [2300] [2300] ECCS 220.0' CT OK VS83F2 Restert of VSB3F1 wilh a forced Burn at 208 hours0.00241 days <br />0.0578 hours <br />3.439153e-4 weeks <br />7.9144e-5 months <br />. 26 1.63 2.53 NO '
[3F] L [2300 psse] 2.05 [2300 pse] ECCS- 208.33 -[
CT OK
- VSB3F3 Restet of VSB3F1 with a forced Bum at 83' hours. 26 1.63 2.53 NO
[3F] R 2.06 *
[2300] ECCS 8334
[No] [2250 psie) [2250 pse] CT OK t
Basemat 4m thickness was reached at 90 hours0.00104 days <br />0.025 hours <br />1.488095e-4 weeks <br />3.4245e-5 months <br />.
Attachcent 11 to TXX.96390 Table HRA 015 3 Pag 9 1 of 1 4
4 Design-Basis SGTR - Steen Generator Overfill Event Timeline i
Time Event 4
- 5.00 sec. Begin SGTR l 5.05 min. Reactor trip utt icw pressuriser pressure, i
turbine trip, AFW initiation, loss of offsite power 5.13 min. Begin Main FW isolation 6.96 min. Iow pressurizer pressure - SIAS 13.08 min. Operator Action.- Close MSIV, Loop 4 Throttle AFW, I4op 1 15.08 min. Isolate AFV, Loop 4 '
20.08 min. Begin huimum rate RCS cooldown 31.38 min. End h ximum rate RCS cooldown i i 33.38 min. Begin RCS depressurisation to refill pressuriser 36.67 min. End RCS depressurization to refill pressuriser
! 37.67 min. Terminato ECCS flow 40.00 min. End transient simulation 4
j l
l i
- _ . - =-_
Attach 2:nt 12 to TXX 96390 Table HRA 01.5 4 Page 1 of 1 Design-Basis SCTR - Steam Generator Overfill Key to Figures 10-1 through 10-10 Point Event A
Reactor trip on low pressurizer pressure, turbine trip, AFV initiation, loss of offsite power B
Low pressuriser pressure - SIAS C
Operator Action - Close MSIV, Loop 4 Throttle AFV, Loop 1 D Isolate AFV, Loop 4 E
Begin maximum rate RCS cooldown j F End maximum rate RCS cooldown G
Begin RCS depressurization to refill j
pressuriser 1 H End RCS depressurization to refill pressuriser J
, Terminate ECCS flow K
4 4
End transient simulation a
d 4
a f
Attachment 13 to TXX 96390 Figures HRA 015 2 and HRA 015 3 Page1pf1 PRExamzet entssusts I 2.2 - A D
, S C 3~ b1 1.s - C a
t.s -
L.
s 1.4 -
1.2 - #
g
- 1-c.a - "
o.s -
0.4 - l 1
a.2 -
0- , , s ,
o 20 4o t TIut (INN)
CPSES1 Design-Basis SCTR, Overfill - Pressurizar Pressure
- too - PRessumzet uML waCAfloN so -
4 1
u-m-
, $ m. aJ g ,
5 so -
l A
l i
3e = ', 1
, l co
" no - N I i l
(
t 1o.-
0- , ,
0 m l a '
TIME 0880 CPSESL Design-Basis SCTR, Overfill - Pressuriser Level
.__..__.___.._.___._-_______.._._.__.___.___._.__..-_._..-..__.______._....m -
Attachment 14 to TXX-%390 N9#8 I Page 1 of 1 Figure 5. SENSITIVITY OF PLANTS WITH VARIOUS PORV CAPACITIES TO PORV OPENING TIME PORV Capacity (Ib/hr)/MWt '
300 h - Core Romeins Covered *.
h - Core Exhibits Sustained Uncovery l ,
- 250 - ' !
200 -
hl' i
l' High Pressure
~ Plants 150 -
- 140 (LBMW! /Hr) 1 100 -
@ @ W @ ll -@SG Liquid Mass Deplet j 50 I I I ' I O 10 20 30 40 50 i PORV Opening Time (Minutes) 800A Dvf0SO37 22A i
l' i
i Attachment 15 to TXX-%390 -
Page 1 of 9
- 1. Purpose The purpose of this analysis is to quantify the Off-Site Power Non-Recovery (OSPNR) events for the Comanche Peak Steam Electric Station (CPSES). The method used to perform the quantification is the >
Convolution Analysis Methodology. The results of this study will be used in the recovery analysis for the Comanche Peak Individual Plant Examination (IPE) project.
- 2. Method -
I
'Ihe main objective of this study is to understand and apply the Convolution Analysis Methodology. The procedures of applying the methodology are summarized in the following a stions.
2.1 Identification and Categorization of Loss Off-Site Power Cutsets The analysis was initiated by identifying the dominant Loss Off-Site Power (LOSP) cutsets. Since the convolution process involves the integration of the cutset failures over the mission interval, the component failures in each cutset are categorized into two types, ,
- Type 1: mission time independent failures (standby, demand, etc.). Human failures whether prior to or during the accident, are assumed to be Type i failures.
- Type 2: mission time dependent failures ( fail to operate during the accident toission).
2.2 ' Off-Site Power Non-Recovery Probability Distribution f ;
j The off-site power non-recovery (OSPNR) probability distribution in this analysis is assumed to be a two-j parameter Weibull distribution, and are determined based on the generic data given in NUREG/CR-5032 s 8
(Ref.1). Table 1 (next page) lists the generic data which consists of the time (in hours) to recovery of loss i of off-site power (LOSP) for 63 reported events at U.S. nuclear power plants through .fune 1987.
- i The mathematical form of the weibull density function is f(t) = abt6dexp(-at*) (1)
! The two parameters a and b in the Weibull distribution can be obtained by using the following two equations i j (Ref.1):
a = [(Et,6)/N]l (i = 1,2...N) (2)
(Et,* log t)/(Et,6)-1/b-(Elog t,)/N = 0 (i= 1,2...N) (3)
I where t, is the recovery time of the i-th event, and N is the total number of the loss of power events.
l i
'f
_, . . , ,-~ -,.--,.m ~ -- - - - ,, , r. -
e-+ n - - - e
I l
I Attachment 15 to TXX-96390 i Page 2 of 9 l TABLE 1.
TIME TO RECOVERY (IN IIOURS) LOSS OF OFF-SITE POWER EVENTS PLANT CENTERED' (NUMBER OF EVENTS = 43) 0.002 0.003 0.003 0.004 0.013 0.015 0.017 0.020 0.067 0.070 0.080 0.083 0.130 0.150 0.167 0.183 0.200 0.250 0.250 0.250 0.270 0.280 0.330 0.334 0.400 0.430 0.480 0.500 0.500 0.500 0.570 0.670 0.767 0.900 0.900 0.930 1.030 1.150 1.480 1.667 1.750 2.750 7.467 GRID 2 (NUMBER OF EVFNI'S = 13) 0.130 0.I80 0.250 0.300 0.330 0.330 0.550 0.920 1.030 1.500 2.000 2.083 6.470 SEVERE WEATIIER3 (NUMBER OF EVENTS = 7) 1.750 2.667 4.000 4.317 5.000 5.500 8.900
- 1. PLANT CENTERED EVENTS: NON-WEATilER-INDUCED OFF-SITE POWER INTERRUPTIONS INITIATED WITillN TIIE PLANT BOUNDARY.
- 2. GRID RELATED EVENTS: NON-WEATIIER-INDUCED OFF-SITE POWER INTERRUITIONS INITIATED BEYOND TIIE PLANT BOUNDARY.
- 3. WEATilER INDUCED EVENTS: OFF-SITE POWER INITIATED BY SEVERE WEATIIER
- k a
5 to TXX-96390 Page 3 of 9 in this study, the effects of the three LOSP categories listed in Table I are not distinguished. All the data in Table I are used to estimate an average distribution on the likelihood and duration of the recovery LOSP events.
The data listed in Table I were substituted into equations 2 and 3 to calculate the two parameters of the Weibull density function. liere a = 1.0981 b = 0.63%
The corresponding mean and variance of the recovery of off-site power are (Ref.2)
- p = a 4* I'(1 + 1/b) = 1.202 hr 2
o = a'2*[l'(1 +2/b)-1"(l + 1/b)] = 3.439 hr
'Ihe probability of not recovering off-site power over a interval of time (0, t +Ta) can be calculated as
~
P(t +T ) =I [(abt)exp(-at 6)]dt = exp[(-a(t+T,)6] (4) t + Td where To is the time to core damage after the last failure at time 1.
The calculational results for the probabilities of not recovering off-site power at various time intervals are listed in the following table.
TABLE 2. PROBABILITY OF NOT RECOVERING OFF-SITE POWER Weibull Distribution: a = 1.0981, b =0.63%
Time Interval (hrs.) Prob. of Non-Recovery 0.0 - 1.81 2.009E-1
]
0.0 - 3.09 1.044E-1 0.0 - 7.81 1.676E-2 j 0.0 - 9.77 8.931E-3 0.0 24.00 2.286F-4 0.0 - 61.37 2.304E-7 0.0 - 72.20 4.320E-8 l
I l
Attachment 15 to TXX-96390 l
' Page 4 of 9 i i
2.3 Component Failure Probability Density Functions The probability density functions (pdf) for the components with Type 2 failures are assumed to be exponential I distributions of the form, ;
i E(A,t) = lexp(-At) (5) j i
where A is the component failure rate. The values of the component failure rates for various components and failure modes can be obtained from the CPSES IPE component data base.
2.4 Convolution Once the components with Type 2 failures in each LOSP cutset are identified, the time dependent component failure probability density functions (Eq. 5) are convoluted with the OSPNR probability distribution (Eq. 4).
Consider the following example of the LOSP core damage cutset, T
- DlS
- D2R
- P (6)
I where, T: LOSP initiating event.
DIS: Diesel-Generator i fails to start.
l D2R: Diesel-Generator 2 fails to run.
P: OSPNR probability prior to core damage. ]
In this cutset, T and DlS are the Type i failures D2R is the Type 2 failure. The convolution integral of the l cutset can be written as:
Tm Td F(Convolution) = T
- DlS
- f P(t+T 4)*E(A 4,t) dt (7) where 1, is the failure rate of D2R, T is the mission time, and the functions P(t+T ) and ego,t) have been j defined in Eqs. 4 and 5.
It is convenient to use the ratio of the core damage probability associated with a given LOSP cutset and the corresponding CAFTA-generated LOSP cutset probability for the quantification in the recovery analysis.
- This ratio is defined as the Off-Site Power Non-Recovery (R) factor
R = F(Convolution)/F(CAFTA) (8)
The CAFTA-generated cutset probability in this example is
. F(CAFTA) = T
- DlS
- AoT, (9)
Substituting Eqs. 7 and 9 into Eq. 8, we get 1
Tm.Td R = 1/(AaT )
- f P(t+T.)*E(1,t) dt (10) 4 s
. _ .. _ . _ _ _ _ . _ 5 to TXX-96390 Page 5 of 9 2.5 Identification of the Representative Cutsets In order to reduce the calculational effort of evaluating a convolution integral for each cutset, representative cutsets which have the same convolution integral need to be identified. The representative cutsets in this study are listed below:
- 1. Y
- 2. Y
- DGR
- 3. Y
- DGR
- DGR
- 4. Y
- 5. Y
- DGR
- 6. Y
- DGR
- DGR
- 7. Y
- CDGR
- 8. Y
- CDGR
- TDR where, 5
Y: Type 1 failures / events.
DGR: Diesel generator fails to run.
TDR: TD pump fails to run.
CDGR: Diesel generators fail to run due to common cause failures.
The failure events such as battery depletion or tank inventory depletion are not explicitly shown in the representative cutsets, however, the effects caused by these failure events have been considered to determine the values of T (time to core damage after last failure) for various scenarios.
The equations for calculating the Off-Site Power Non-Recovery (R) factors of the identified representative cutsets are given by,
- 1. X Ri = exp(-aT/) i l
2 Y
- DGR l Tm Td R2 = 1/(A dT )
- f P(t+T,)E(1,t) 4 dt ,
l
- 3. Y
- DGR
- DGR Tm-To 12 R = 1/(1,T )2
- 2f f P(t +T,)E(A,,ta-t i)E(1,t )dti dt 4 i 2
- 4. Y
- TDR Tm-Td R4 = 1/(1,T )
- f P(t+T,)E(1,,t) dt 1
i i
1
. . _ _ . . . . . . 5 to TXX-%390 Page 6 of 9
- 5. Y
- DGR
- TDR TnTd G R3 = 1/(1,A,T,2) * [f f P(t +T 2 )E(A 4 ,tri 4 )E(1,,t i )dt i i dt 2 Tm-Td t2
+ f f P(t +T )E(1,,trt )E(1,t i i 4 )dt i idt2 }
o o
- 6. Y
- DGR
- DGR
- TDR TwTd d d R6 = 1/(121,T 4 ')
- 2[f f JP(t +T.)E(la,t 3 -t 3)E(A 2 ,t4 -t2 )E(1,,t i )dt i idt2 dt 3
TwTd t3 4
+ J f JP(t +T,)E(1,trt 3 4 )E(A,,t2 -t 2)E(A i ,t4 )dt i idtzdt3 o o 0 i TwTd d d
+ f f JP(t +T3 )E(A,,trt4 )E(A 2 ,t4 -t2 )E(1,t i 4 )dt 3 idt2 dt 3]
o o o 7, Y
- CDGR inTd R, = 1/(laT.)
- f P(t+T 4)E(la,t) dt
- 8. Y
- CDGR
- TDR TOTd d R. = 1/(Aal,T,2) * [f f P(ta +T )E(la,t 4 -t2 )E(1,,t i )dt i i dt 2 Tm-Td d
+ f f P(t +T.)E(A,,trt 2 )E(la,t i )dt i idtz) o o where, 1:4 Failure rate for DGR.
1,: Failure rate for TDR.
Aa: Failure rate for CDGR.
T: Mission time (24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in this study)
T,: Time to core damage after the last failure.
In order to determine the values of T, for each representative cutset, an event tree for the LOSP recovery analysis has been created (next page). The values of T for each scenario in the event tree are calculated via MAAP 3.0 B Rev.16.
E h 1 A
N e g
Q a E
S P L l E
O 0 0 0 0 0 0 0 R 0 0+ 0+ 0+ 0+ 0+ 0+ 0+
0 P E E E E E E E lB O E 0 0 0 0 0 0 0 0 A
E 0 0 0 0 0 0 0 0 7 S f 1 0 0 0 0 0 0 0 l E
K l P W E V T F N R A 0 T.
D 1
$ V T
- O 0
h C E
R O O T B T E S A E S
\
P U L E V R A E F T F R A T D \
T A T
F A
V C F \:
A E E D d U S L l W R A h
0 T F -
3 E -
Z I
S A
C O O B L
L S A N M O R .
E V
F W A E E O S U S P R R L A E U 7 T F O
M T
I S
4 F F
0 O 9 A F .
3 C O E
O L S L
Y R
L A X A E
F E V
. X S O -
T C
- o E -
t R 5
1
_ tn 9 0 -
ef 3 .
3 h7 mo .
, t ca eg t a AP -
' i 1 1
Attachment 15 to TXX-96390 Page 8 of 9
- 3. Resuks The final results for each representadve cutset are summanzed in the following tabic.
TA8LE 3. OSPNR FACTORS R REPRESETATIVE TIME TO CORE DAMAGE 100 MIN. 110 MIN. 170 MIN. 300 MIN. 330 MIN. 470 MIN.
R1 Y 2.178E-1 1.986E-1 1.181E-1 4.624E-2 3.811E-2 1.665E-2 R2 Y
- DGR 2.014E-2 1.876E-2 1.239E-2 5.615E-3 4.746E-3 2.271E-3 R3 Y
- DGR
- DGR 4.541E-3 4.283E-3 3.017E-3 1.496E-3 1.282E-3 6.395E-4 R4 Y
- TDR NA 1.884E-2 NA NA NA NA R5 Y
- DGR
- TDR NA 4.303E-3 NA NA NA NA R6 Y
- DGR
- DGR
- TDR NA 1.646E-3 NA NA NA NA R7 Y
- CDGR 2.028E-2 1.889E-2 1.248E-2 5.659E-3 4.784E-3 2.290E-3 R8 Y
- CDGR
- TDR NA 4.335E-3 NA NA NA NA Y: TYPE 1 FAILURES / EVENTS.
DGR: DG FAILS TO RUN.
TDR: TD PUMP FAILS TO RUN.
CDGR: COMMON CAUSE FAILURE FOR DGs FAIL TO RUN.
._ _ _ _ . .-. . -- y w-.. .
i
. Attachment 15 to TXX-%390 Page 9 of 9 ,
' 4.
References
- 1. NUREG/CR-5032, "Modeling Time to Recovery and initiating Event Frequency for less of Off-site Power Incidents at Nuclear Power Plants", January 1988. >
j 2. K. C. Kapur, L. R. Lamberson, " Reliability in Engineering Design", John Wiley & Sons, Inc.,
1977.
- l J !
r t
+
b i
4 l
7 :
.~
l l
+
k P
Y l
' )
- - w